aurore/ansible
aurore/ansible
11
2
Fork 0
Code Issues 1 Pull requests 13 Releases Wiki Activity

Merge branch 'aurore-dev' into 'master'

Browse source 
Aurore dev

See merge request aurore/ansible!47
This commit is contained in:
Alexandre IOOSS 2020-05-03 16:11:29 +02:00
commit e42bdd53a8
31 changed files with 1023 additions and 325 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.gitignore vendored
View file

@ -1,2 +1,2 @@
*.retry
__pycache__
ldap-password.txt

3
README.md
View file

@ -88,8 +88,7 @@ Dans la configuration SSH :
```
# Use a proxy jump server to log on all Aurore inventory
Host 10.128.0.* *.adm.auro.re
IdentityFile ~/.ssh/id_rsa
ProxyJump auro.re
ProxyJump passerelle.auro.re
```
Il faut sa clé SSH configurée sur le serveur que l'on déploit.

1
ansible.cfg
View file

@ -33,3 +33,4 @@ become_ask_pass = True
# TO know what changed
always = yes
scp_if_ssh = True

6
base.yml
View file

@ -12,6 +12,6 @@
# Clone LDAP on local geographic location
# DON'T DO THIS AS IT RECREATES THE REPLICA
# - hosts: ldap-replica
# roles:
# - ldap-replica
#- hosts: ldap-replica
# roles:
# - ldap-replica

17
copy-keys.sh Executable file
View file

@ -0,0 +1,17 @@
#!/bin/bash
set -e
# Grab valid unique hostnames from the Ansible inventory.
HOSTS=$(grep -ve '^[#\[]' hosts \
| grep -ve '^$' \
| grep -F adm.auro.re \
| grep -vf ssh-blacklist.txt \
| sort -u)
for host in $HOSTS; do
echo "Handling host $host"
# sshpass can be used for non-interactive password authentication.
# place your password in ldap-password.txt.
sshpass -f ldap-password.txt ssh-copy-id "$host"
done

17
group_vars/all/vars.yml
View file

@ -6,7 +6,7 @@ ansible_python_interpreter: /usr/bin/python3
# You can hash LDAP passwords with `slappasswd` tool
ldap_base: 'dc=auro,dc=re'
ldap_master_ipv4: '10.128.0.11'
ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
ldap_master_uri: "ldap://re2o-ldap.adm.auro.re"
ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
@ -36,3 +36,18 @@ monitoring_mail: 'monitoring.aurore@lists.crans.org'
matrix_webhooks_secret: "{{ vault_matrix_webhooks_secret }}"
matrix_discord_client_id: "559305991494303747"
matrix_discord_bot_token: "{{ vault_matrix_discord_bot_token }}"
###
# DNS
###
# Dernier octet (en décimal) de l'addresse des serveurs DNS récursifs de chaque
# résidence.
dns_host_suffix_main: 253
dns_host_suffix_backup: 153
backup_dns_servers:
- "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
mtu: 1400

4
group_vars/dhcp/vars.yml Normal file
View file

@ -0,0 +1,4 @@
---
dhcp_failover:
primary_host: dhcp-{{ apartment_block }}.adm.auro.re
secondary_host: dhcp-{{ apartment_block }}-backup.adm.auro.re

4
group_vars/edc/ldap_local_replica.yml Normal file
View file

@ -0,0 +1,4 @@
---
ldap_local_replica_uri:
- 'ldap://ldap-replica-edc.adm.auro.re'

8
group_vars/fleming/main.yml Normal file
View file

@ -0,0 +1,8 @@
---
apartment_block: fleming
subnet_ids:
ap: 141
users_wired: 10
users_wifi: 11

7
group_vars/pacaterie/main.yml Normal file
View file

@ -0,0 +1,7 @@
---
apartment_block: pacaterie
subnet_ids:
ap: 142
users_wired: 20
users_wifi: 21

375
hosts
View file

@ -4,146 +4,56 @@
# > We name servers according to location, then type.
# > Then we regroup everything in global geographic and type groups.
[ovh_physical]
horus.adm.auro.re
[aurore_pve]
#merlin.adm.auro.re
[aurore_vm]
#radius-aurore.adm.auro.re
[ovh_pve]
#horus.adm.auro.re
[ovh_container]
synapse.adm.auro.re
services-bdd.adm.auro.re
phabricator.adm.auro.re
wiki.adm.auro.re
www.adm.auro.re
proxy.adm.auro.re
matrix-services.adm.auro.re
#synapse.adm.auro.re
#services-bdd.adm.auro.re
#phabricator.adm.auro.re
#wiki.adm.auro.re
#www.adm.auro.re
#proxy.adm.auro.re
#matrix-services.adm.auro.re
[ovh_vm]
re2o-server.adm.auro.re
re2o-ldap.adm.auro.re
re2o-db.adm.auro.re
serge.adm.auro.re
passbolt.adm.auro.re
vpn-ovh.adm.auro.re
docker-ovh.adm.auro.re
switchs-manager.adm.auro.re
#re2o-server.adm.auro.re
#re2o-ldap.adm.auro.re
#re2o-db.adm.auro.re
#serge.adm.auro.re
#passbolt.adm.auro.re
#vpn-ovh.adm.auro.re
#docker-ovh.adm.auro.re
#switchs-manager.adm.auro.re
#radius-aurore.adm.auro.re
[fleming_physical]
[ovh_testing_vm]
#re2o-test.adm.auro.re
[fleming_pve]
freya.adm.auro.re
marki.adm.auro.re
[fleming_vm]
ldap-replica-fleming1.adm.auro.re
#ldap-replica-fleming-fo.adm.auro.re
ldap-replica-fleming.adm.auro.re
ldap-replica-fleming-backup.adm.auro.re
dhcp-fleming.adm.auro.re
#dhcp-fleming-fo.adm.auro.re
dhcp-fleming-backup.adm.auro.re
dns-fleming.adm.auro.re
#dns-fleming-fo.adm.auro.re
dns-fleming-backup.adm.auro.re
prometheus-fleming.adm.auro.re
#prometheus-fleming-fo.adm.auro.re
radius-fleming.adm.auro.re
#radius-fleming-fo.adm.auro.re
radius-fleming-backup.adm.auro.re
unifi-fleming.adm.auro.re
routeur-fleming.adm.auro.re
#routeur-fleming-fo.adm.auro.re
[fleming_unifi]
fa-0-1.borne.auro.re
fa-1-1.borne.auro.re
fa-2-1.borne.auro.re
#fa-2-2.borne.auro.re
fa-3-1.borne.auro.re
fa-4-1.borne.auro.re
fb-0-1.borne.auro.re
fb-1-1.borne.auro.re
#fb-1-2.borne.auro.re
fb-2-1.borne.auro.re
#fb-2-2.borne.auro.re
fb-3-1.borne.auro.re
#fb-3-2.borne.auro.re
fb-4-1.borne.auro.re
#fb-4-2.borne.auro.re
fc-0-1.borne.auro.re
fc-1-1.borne.auro.re
fc-2-1.borne.auro.re
fc-3-1.borne.auro.re
fc-4-1.borne.auro.re
fd-0-1.borne.auro.re
fd-1-1.borne.auro.re
fd-2-1.borne.auro.re
fd-3-1.borne.auro.re
#fd-4-1.borne.auro.re
fe-0-1.borne.auro.re
fe-1-1.borne.auro.re
fe-1-2.borne.auro.re
fe-2-1.borne.auro.re
fe-2-2.borne.auro.re
fe-3-1.borne.auro.re
fe-3-2.borne.auro.re
fe-4-1.borne.auro.re
fe-4-2.borne.auro.re
ff-0-1.borne.auro.re
ff-0-f.borne.auro.re
ff-1-1.borne.auro.re
ff-1-2.borne.auro.re
ff-2-1.borne.auro.re
ff-2-2.borne.auro.re
ff-3-1.borne.auro.re
ff-3-2.borne.auro.re
ff-4-1.borne.auro.re
ff-4-2.borne.auro.re
fg-0-1.borne.auro.re
fg-1-1.borne.auro.re
#fg-1-2.borne.auro.re
fg-2-1.borne.auro.re
fg-2-2.borne.auro.re
fg-3-1.borne.auro.re
fg-3-2.borne.auro.re
fg-4-1.borne.auro.re
#fg-4-2.borne.auro.re
fh-0-1.borne.auro.re
fh-1-1.borne.auro.re
fh-1-2.borne.auro.re
fh-2-1.borne.auro.re
fh-2-2.borne.auro.re
fh-3-1.borne.auro.re
fh-3-2.borne.auro.re
fh-4-1.borne.auro.re
fh-4-2.borne.auro.re
fi-0-1.borne.auro.re
fi-1-1.borne.auro.re
fi-1-2.borne.auro.re
fi-2-1.borne.auro.re
fi-2-2.borne.auro.re
fi-3-1.borne.auro.re
fi-3-2.borne.auro.re
fi-4-1.borne.auro.re
fi-4-2.borne.auro.re
fj-0-1.borne.auro.re
fj-1-1.borne.auro.re
fj-1-2.borne.auro.re
fj-2-1.borne.auro.re
fj-2-2.borne.auro.re
fj-3-1.borne.auro.re
fj-3-2.borne.auro.re
fj-4-1.borne.auro.re
fj-4-2.borne.auro.re
fk-0-1.borne.auro.re
fk-1-1.borne.auro.re
fk-1-2.borne.auro.re
fk-2-1.borne.auro.re
fk-2-2.borne.auro.re
fk-3-1.borne.auro.re
fk-3-2.borne.auro.re
fk-4-1.borne.auro.re
fk-4-2.borne.auro.re
fl-0-1.borne.auro.re
fl-1-1.borne.auro.re
fl-1-2.borne.auro.re
fl-2-1.borne.auro.re
fl-2-2.borne.auro.re
fl-3-1.borne.auro.re
fl-3-2.borne.auro.re
fl-4-1.borne.auro.re
fl-4-2.borne.auro.re
routeur-fleming-backup.adm.auro.re
[pacaterie_physical]
mordred.adm.auro.re
@ -151,130 +61,43 @@ titan.adm.auro.re
[pacaterie_vm]
ldap-replica-pacaterie.adm.auro.re
#ldap-replica-pacaterie-fo.adm.auro.re
ldap-replica-pacaterie-backup.adm.auro.re
dhcp-pacaterie.adm.auro.re
#dhcp-pacaterie-fo.adm.auro.re
dhcp-pacaterie-backup.adm.auro.re
dns-pacaterie.adm.auro.re
#dns-pacaterie-fo.adm.auro.re
dns-pacaterie-backup.adm.auro.re
prometheus-pacaterie.adm.auro.re
#prometheus-pacaterie-fo.adm.auro.re
radius-pacaterie.adm.auro.re
#radius-pacaterie-fo.adm.auro.re
radius-pacaterie-backup.adm.auro.re
unifi-pacaterie.adm.auro.re
routeur-pacaterie.adm.auro.re
#routeur-pacaterie-fo.adm.auro.re
routeur-pacaterie-backup.adm.auro.re
[pacaterie_unifi]
pc-1-1.borne.auro.re
pn-0-1.borne.auro.re
pn-0-2.borne.auro.re
pn-0-3.borne.auro.re
pn-1-1.borne.auro.re
pn-1-2.borne.auro.re
pn-1-3.borne.auro.re
pn-2-1.borne.auro.re
pn-2-2.borne.auro.re
pn-2-3.borne.auro.re
pn-3-1.borne.auro.re
pn-3-2.borne.auro.re
pn-3-3.borne.auro.re
pn-4-1.borne.auro.re
pn-4-2.borne.auro.re
pn-4-3.borne.auro.re
ps-0-1.borne.auro.re
ps-0-2.borne.auro.re
ps-0-3.borne.auro.re
ps-1-1.borne.auro.re
ps-1-2.borne.auro.re
ps-1-3.borne.auro.re
ps-2-1.borne.auro.re
ps-2-2.borne.auro.re
ps-2-3.borne.auro.re
ps-3-1.borne.auro.re
ps-3-2.borne.auro.re
ps-4-1.borne.auro.re
ps-4-2.borne.auro.re
ps-4-3.borne.auro.re
[edc_physical]
[edc_pve]
chapalux.adm.auro.re
[edc_vm]
ldap-replica-edc.adm.auro.re
ldap-replica-edc-fo.adm.auro.re
dhcp-edc.adm.auro.re
dhcp-edc-fo.adm.auro.re
dns-edc.adm.auro.re
dns-edc-fo.adm.auro.re
prometheus-edc.adm.auro.re
prometheus-edc-fo.adm.auro.re
radius-edc.adm.auro.re
radius-edc-fo.adm.auro.re
unifi-edc.adm.auro.re
routeur-edc.adm.auro.re
routeur-edc-fo.adm.auro.re
dns-edc.adm.auro.re
dhcp-edc.adm.auro.re
unifi-edc.adm.auro.re
radius-edc.adm.auro.re
routeur-aurore.adm.auro.re
ldap-replica-edc.adm.auro.re
#ldap-replica-edc-backup.adm.auro.re
[edc_unifi]
ep-0-1.borne.auro.re
[gs_pve]
#perceval.adm.auro.re
[georgesand_physical]
perceval.adm.auro.re
[georgesand_vm]
ldap-replica-georgesand.adm.auro.re
ldap-replica-georgesand-fo.adm.auro.re
dhcp-georgesand.adm.auro.re
dhcp-georgesand-fo.adm.auro.re
dns-georgesand.adm.auro.re
dns-georgesand-fo.adm.auro.re
prometheus-georgesand.adm.auro.re
prometheus-georgesand-fo.adm.auro.re
radius-georgesand.adm.auro.re
radius-georgesand-fo.adm.auro.re
unifi-georgesand.adm.auro.re
routeur-georgesand.adm.auro.re
routeur-georgesand-fo.adm.auro.re
[georgesand_unifi]
ga-0-1.borne.auro.re
ga-1-1.borne.auro.re
ga-2-1.borne.auro.re
ga-3-1.borne.auro.re
ga-4-1.borne.auro.re
ga-5-1.borne.auro.re
ga-5-2.borne.auro.re
gb-1-1.borne.auro.re
gb-2-1.borne.auro.re
gb-3-1.borne.auro.re
gb-4-1.borne.auro.re
gb-5-1.borne.auro.re
gc-1-1.borne.auro.re
gc-2-1.borne.auro.re
gc-3-1.borne.auro.re
gc-4-1.borne.auro.re
gc-5-1.borne.auro.re
gd-1-1.borne.auro.re
gd-2-1.borne.auro.re
gd-3-1.borne.auro.re
gd-4-1.borne.auro.re
gd-5-1.borne.auro.re
gd-garage-1.borne.auro.re
ge-0-1.borne.auro.re
ge-1-1.borne.auro.re
ge-2-1.borne.auro.re
ge-3-1.borne.auro.re
ge-4-1.borne.auro.re
ge-5-1.borne.auro.re
gf-0-1.borne.auro.re
gf-1-1.borne.auro.re
gf-2-1.borne.auro.re
gf-3-1.borne.auro.re
gf-4-1.borne.auro.re
gf-5-1.borne.auro.re
#####################
# Geographic groups #
#####################
[gs_vm]
routeur-gs.adm.auro.re
unifi-gs.adm.auro.re
radius-gs.adm.auro.re
dns-gs.adm.auro.re
dhcp-gs.adm.auro.re
#ldap-replica-gs.adm.auro.re
#ldap-replica-gs-backup.adm.auro.re
# everything at ovh
[ovh:children]
@ -296,19 +119,13 @@ pacaterie_unifi
# everything at edc
[edc:children]
edc_physical
edc_pve
edc_vm
edc_unifi
# everything at georgesand
[georgesand:children]
georgesand_physical
georgesand_vm
georgesand_unifi
#####################
# Type groups #
#####################
[gs:children]
gs_pve
gs_vm
# every LXC container
[container:children]
@ -320,23 +137,59 @@ ovh_vm
fleming_vm
pacaterie_vm
edc_vm
georgesand_vm
gs_vm
# every physical
[physical:children]
ovh_physical
fleming_physical
pacaterie_physical
edc_physical
georgesand_physical
# every PVE
[pve:children]
ovh_pve
fleming_pve
pacaterie_pve
edc_pve
gs_pve
# every unifi access point
[unifi:children]
fleming_unifi
pacaterie_unifi
edc_unifi
georgesand_unifi
[dhcp]
dhcp-fleming.adm.auro.re
dhcp-fleming-backup.adm.auro.re
#dhcp-pacaterie.adm.auro.re
#dhcp-pacaterie-backup.adm.auro.re
#dhcp-edc.adm.auro.re
#dhcp-gs.adm.auro.re
[all:vars]
# Force remote to use Python 3
ansible_python_interpreter=/usr/bin/python3
[recursive_dns:children]
rdns_main
rdns_backup
[rdns_main]
dns-fleming.adm.auro.re
dns-pacaterie.adm.auro.re
[rdns_backup]
dns-fleming-backup.adm.auro.re
dns-pacaterie-backup.adm.auro.re
# FIXME:
#dns-edc.adm.auro.re
#dns-gs.adm.auro.re
[ldap_replica:children]
ldap_replica_fleming
ldap_replica_pacaterie
ldap_replica_edc
ldap_replica_gs
[ldap_replica_fleming]
ldap-replica-fleming.adm.auro.re
ldap-replica-fleming-backup.adm.auro.re
[ldap_replica_pacaterie]
ldap-replica-pacaterie.adm.auro.re
ldap-replica-pacaterie-backup.adm.auro.re
[ldap_replica_edc]
ldap-replica-edc.adm.auro.re
ldap-replica-edc-backup.adm.auro.re
[ldap_replica_gs]
ldap-replica-gs.adm.auro.re
ldap-replica-gs-backup.adm.auro.re

131
hosts.save Normal file
View file

@ -0,0 +1,131 @@
# Aurore servers inventory
# How to name your server ?
# > We name servers according to location, then type.
# > So all containers at OVH are in ovh-container.
# > Then we regroup everything in global geographic and type groups.
[ovh_pve]
#horus.adm.auro.re
[ovh_container]
#synapse.adm.auro.re
#services-bdd.adm.auro.re
#phabricator.adm.auro.re
#wiki.adm.auro.re
#www.adm.auro.re
#proxy.adm.auro.re
#matrix-services.adm.auro.re
[ovh_vm]
#re2o-server.adm.auro.re
#re2o-ldap.adm.auro.re
#re2o-db.adm.auro.re
#serge.adm.auro.re
#passbolt.adm.auro.re
#vpn-ovh.adm.auro.re
#docker-ovh.adm.auro.re
#switchs-manager.adm.auro.re
#radius-aurore.adm.auro.re
[ovh_testing_vm]
#re2o-test.adm.auro.re
[fleming_pve]
#freya.adm.auro.re
[fleming_vm]
#ldap-replica-fleming1.adm.auro.re
#ldap-replica-fleming2.adm.auro.re
#dhcp-fleming.adm.auro.re
#dhcp-fleming-backup.adm.auro.re
#dns-fleming.adm.auro.re
#dns-fleming-backup.adm.auro.re
#radius-fleming.adm.auro.re
#radius-fleming-backup.adm.auro.re
#routeur-fleming.adm.auro.re
#routeur-fleming-backup.adm.auro.re
#unifi-fleming.adm.auro.re
#prometheus
[pacaterie_pve]
#mordred.adm.auro.re
[pacaterie_vm]
#ldap-replica-pacaterie.adm.auro.re
#dhcp-pacaterie.adm.auro.re
#dns-pacaterie.adm.auro.re
#prometheus-pacaterie.adm.auro.re
#radius-pacaterie.adm.auro.re
#unifi-pacaterie.adm.auro.re
#routeur-pacaterie.adm.auro.re
[edc_pve]
#chapalux.adm.auro.re
[edc_vm]
#routeur-edc.adm.auro.re
#dns-edc.adm.auro.re
#dhcp-edc.adm.auro.re
#unifi-edc.adm.auro.re
#radius-edc.adm.auro.re
#routeur-aurore.adm.auro.re
#10.128.0.254
[georgesand_pve]
#perceval.adm.auro.re
[georgesand_vm]
#routeur-gs.adm.auro.re
#unifi-gs.adm.auro.re
#radius-gs.adm.auro.re
#dns-gs.adm.auro.re
#dhcp-gs.adm.auro.re
# everything at ovh
[ovh:children]
ovh_pve
ovh_container
ovh_vm
# everything at ovh_testing
[ovh_testing:children]
ovh_testing_vm
# everything at fleming
[fleming:children]
fleming_pve
fleming_vm
# everything at pacaterie
[pacaterie:children]
pacaterie_pve
pacaterie_vm
# everything at edc
[edc:children]
edc_pve
edc_vm
# everything at georgesand
[georgesand:children]
georgesand_pve
georgesand_vm
# every LXC container
[container:children]
ovh_container
# every virtual machine
[vm:children]
ovh_vm
fleming_vm
pacaterie_vm
# every PVE
[pve:children]
ovh_pve
fleming_pve
pacaterie_pve
edc_pve
georgesand_pve

165
hosts.save.1 Normal file
View file

@ -0,0 +1,165 @@
# Aurore servers inventory
# How to name your server ?
# > We name servers according to location, then type.
# > So all containers at OVH are in ovh-container.
# > Then we regroup everything in global geographic and type groups.
[aurore_pve]
merlin.adm.auro.re
[aurore_vm]
radius-aurore.adm.auro.re
[ovh_pve]
horus.adm.auro.re
[ovh_container]
synapse.adm.auro.re
services-bdd.adm.auro.re
phabricator.adm.auro.re
wiki.adm.auro.re
www.adm.auro.re
proxy.adm.auro.re
matrix-services.adm.auro.re
[ovh_vm]
re2o-server.adm.auro.re
re2o-ldap.adm.auro.re
re2o-db.adm.auro.re
serge.adm.auro.re
passbolt.adm.auro.re
vpn-ovh.adm.auro.re
docker-ovh.adm.auro.re
switchs-manager.adm.auro.re
radius-aurore.adm.auro.re
[ovh_testing_vm]
re2o-test.adm.auro.re
[fleming_pve]
freya.adm.auro.re
marki.adm.auro.re
[fleming_vm]
ldap-replica-fleming.adm.auro.re
ldap-replica-fleming-backup.adm.auro.re
dhcp-fleming.adm.auro.re
dhcp-fleming-backup.adm.auro.re
dns-fleming.adm.auro.re
dns-fleming-backup.adm.auro.re
prometheus-fleming.adm.auro.re
radius-fleming.adm.auro.re
radius-fleming-backup.adm.auro.re
unifi-fleming.adm.auro.re
routeur-fleming.adm.auro.re
routeur-fleming-backup.adm.auro.re
[pacaterie_pve]
mordred.adm.auro.re
titan.adm.auro.re
[pacaterie_vm]
ldap-replica-pacaterie.adm.auro.re
ldap-replica-pacaterie-backup.adm.auro.re
dhcp-pacaterie.adm.auro.re
dhcp-pacaterie-backup.adm.auro.re
dns-pacaterie.adm.auro.re
dns-pacaterie-backup.adm.auro.re
prometheus-pacaterie.adm.auro.re
radius-pacaterie.adm.auro.re
radius-pacaterie-backup.adm.auro.re
unifi-pacaterie.adm.auro.re
routeur-pacaterie.adm.auro.re
routeur-pacaterie-backup.adm.auro.re
[edc_pve]
chapalux.adm.auro.re
[edc_vm]
routeur-edc.adm.auro.re
dns-edc.adm.auro.re
dhcp-edc.adm.auro.re
unifi-edc.adm.auro.re
radius-edc.adm.auro.re
routeur-aurore.adm.auro.re
[gs_pve]
perceval.adm.auro.re
[gs_vm]
routeur-gs.adm.auro.re
unifi-gs.adm.auro.re
radius-gs.adm.auro.re
dns-gs.adm.auro.re
dhcp-gs.adm.auro.re
# everything at ovh
[ovh:children]
ovh_pve
ovh_container
ovh_vm
# everything at ovh_testing
[ovh_testing:children]
ovh_testing_vm
# everything at fleming
[fleming:children]
fleming_pve
fleming_vm
# everything at pacaterie
[pacaterie:children]
pacaterie_pve
pacaterie_vm
# everything at edc
[edc:children]
edc_pve
edc_vm
# everything at georgesand
[gs:children]
gs_pve
gs_vm
# every LXC container
[container:children]
ovh_container
# every virtual machine
[vm:children]
ovh_vm
fleming_vm
pacaterie_vm
gs_vm
# every PVE
[pve:children]
ovh_pve
fleming_pve
pacaterie_pve
edc_pve
gs_pve
[dhcp]
dhcp-fleming.adm.auro.re
dhcp-fleming-backup.adm.auro.re
dhcp-pacaterie.adm.auro.re
dhcp-pacaterie-backup.adm.auro.re
dhcp-edc.adm.auro.re
dhcp-gs.adm.auro.re
[dns]
dns-fleming.adm.auro.re
dns-fleming-backup.adm.auro.re
dns-pacaterie.adm.auro.re
dns-pacaterie-backup.adm.auro.re
dns-edc.adm.auro.re
dns-gs.adm.auro.re
[ldap-replica]
ldap-replica-fleming.adm.auro.re
ldap-replica-fleming-backup.adm.auro.re
ldap-replica-pacaterie-backup.adm.auro.re

67
network.yml
View file

@ -1,47 +1,54 @@
---
# Deploy DHCP
- hosts: dhcp-fleming.adm.auro.re,dhcp-pacaterie.adm.auro.re
# Set up DHCP servers.
- hosts: dhcp
vars:
service_repo: https://gitlab.federez.net/re2o/dhcp.git
service_name: dhcp
service_version: master
service_config:
hostname: re2o-server.adm.auro.re
hostname: re2o.auro.re
username: service-user
password: "{{ vault_serviceuser_passwd }}"
dhcp:
authoritative: yes
roles:
- re2o-service
- isc-dhcp-server
# Deploy DNS
- hosts: serge.adm.auro.re
vars:
service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
service_name: dns
service_version: crans
service_config:
hostname: re2o-server.adm.auro.re
username: service-user
password: "{{ vault_serviceuser_passwd }}"
# Deploy unbound DNS server (recursive).
- hosts: recursive_dns
roles:
- re2o-service
- unbound
# WIP: Deploy authoritative DNS servers
# - hosts: authoritative_dns
# vars:
# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
# service_name: dns
# service_version: crans
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o-service
# Deploy Unifi Controller
- hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
roles:
- unifi-controller
#- hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
# roles:
# - unifi-controller
# Deploy Re2o switch service
- hosts: switchs-manager.adm.auro.re
vars:
service_repo: https://gitlab.federez.net/re2o/switchs.git
service_name: switchs
service_version: master
service_config:
hostname: re2o-server.adm.auro.re
username: service-user
password: "{{ vault_serviceuser_passwd }}"
roles:
- re2o-service
#- hosts: switchs-manager.adm.auro.re
# vars:
# service_repo: https://gitlab.federez.net/re2o/switchs.git
# service_name: switchs
# service_version: master
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o-service

155
proxmox.yml
View file

@ -3,6 +3,161 @@
- hosts: proxy.adm.auro.re # Host with python-proxmoxer and python-requests
become: false # We do not need root as we use Proxmox API
vars:
vm_definitions:
# Réseau Pacaterie
- name: ldap-replica-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
# Réseau Fleming
- name: ldap-replica-fleming1
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
# Réseau EdC
- name: ldap-replica-edc1
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
# Réseau George Sand
- name: ldap-replica-gs1
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-gs
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-gs
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-gs
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-gs
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-gs
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
vars_prompt:
- name: "password"
prompt: "Enter LDAP password for your user"

58
roles/isc-dhcp-server/tasks/main.yml
View file

@ -8,14 +8,58 @@
retries: 3
until: apt_result is succeeded
- name: Configure isc-dhcp-server
- name: Ensure dhcp log directory exists
file:
path: /var/log/dhcp
owner: root
group: root
mode: u=rwx,g=rx,a=rx
state: directory
- name: Ensure rsyslog knows where to send dhcp logs
lineinfile:
path: /etc/rsyslog.conf
line: "local7.* /var/log/dhcp/dhcpd.log"
- name: Configure dhcp log rotation
template:
src: logrotate.d/dhcp.j2
dest: /etc/logrotate.d/dhcp
mode: 0644
- name: set up cron to reload dhcp re2o service
cron:
# Do not change this name or idempotence *might* be lost.
name: dhcp-re2o-service
cron_file: re2o-services
minute: "*"
hour: "*"
day: "*"
weekday: "*"
month: "*"
user: root
job: "/usr/bin/python3 /var/local/re2o-services/dhcp/main.py"
- name: restart rsyslog
systemd:
name: rsyslog
state: restarted
- name: Configure /etc/default/isc-dhcp-server
template:
src: default/isc-dhcp-server.j2
dest: /etc/default/isc-dhcp-server
mode: 0644
- name: Configure dhcp-failover.conf
template:
src: dhcp/dhcp-failover.conf.j2
dest: /etc/dhcp/dhcp-failover.conf
mode: 0600
when: dhcp_failover is defined
- name: Configure dhcpd.conf
template:
src: dhcp/dhcpd.conf.j2
dest: /etc/dhcp/dhcpd.conf
mode: 0600
- name: Ensure that isc-dhcp-server is started
systemd:
name: isc-dhcp-server
state: started
enabled: true

4
roles/isc-dhcp-server/templates/cron.d/re2o-services Normal file
View file

@ -0,0 +1,4 @@
# Régénération des services re2o
# Régénération du dhcp
* * * * * root /usr/bin/python3 /var/local/re2o-services/dhcp/main.py

18
roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 Normal file
View file

@ -0,0 +1,18 @@
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="ens19 ens20 ens21"
INTERFACESv6=""

31
roles/isc-dhcp-server/templates/dhcp/dhcp-failover.conf.j2 Normal file
View file

@ -0,0 +1,31 @@
failover peer "dhcp-failover" {
{% if inventory_hostname == dhcp_failover.primary_host %}
primary;
# MCLT = Maximum Client Lead Time.
# Must be specified on the primary, forbidden on the secondary.
mclt 3600;
# Address or DNS name on which this node listens for connections
# from its failover peer.
address {{ dhcp_failover.primary_host }};
peer address {{ dhcp_failover.secondary_host }};
# Load balancing.
split 128;
{% endif %}
{% if inventory_hostname == dhcp_failover.secondary_host %}
secondary;
# Address and peer address are reversed on the secondary node.
address {{ dhcp_failover.secondary_host }};
peer address {{ dhcp_failover.primary_host }};
{% endif %}
# The following options can be shared between primary and
# secondary failover peers.
port 647;
peer port 647;
max-response-delay 30;
max-unacked-updates 10;
load balance max seconds 3;
}

79
roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
View file

@ -1,15 +1,12 @@
# dhcpd.conf
# {{ ansible_managed }}
# option definitions common to all supported networks...
#option domain-name "example.org";
#option domain-name-servers ns1.example.org, ns2.example.org;
default-lease-time 86400;
max-lease-time 86400;
# We have tagged network so use last 4 bytes for tag (1500 max)
option interface-mtu 1496;
# Option definitions common to all supported networks.
default-lease-time 600;
max-lease-time 7200;
option interface-mtu {{ mtu }};
option root-path "/";
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
@ -19,15 +16,65 @@ ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
{% if dhcp.authoritative %}
authoritative;
{% else %}
#authoritative;
log-facility local7;
{% if dhcp_failover is defined %}
include "/etc/dhcp/dhcp-failover.conf";
{% endif %}
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;
# Bornes WiFi
subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 {
interface "ens19";
option subnet-mask 255.255.0.0;
option broadcast-address 10.{{ subnet_ids.ap }}.255.255;
option routers 10.{{ subnet_ids.ap }}.0.250;
option domain-name "borne.auro.re";
option domain-search "borne.auro.re";
option domain-name-servers 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list";
deny unknown-clients;
}
# Users filaire
subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 {
interface "ens20";
option subnet-mask 255.255.0.0;
option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255;
option routers 10.{{ subnet_ids.users_wired }}.0.240;
option domain-name "fil.{{ apartment_block }}.auro.re";
option domain-search "auro.re";
option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list";
deny unknown-clients;
}
# Users WiFi
subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 {
interface "ens21";
option subnet-mask 255.255.0.0;
option broadcast-address 10.{{ subnet_ids.users_wifi }}.255.255;
option routers 10.{{ subnet_ids.users_wifi }}.0.240;
option domain-name "wifi.{{ apartment_block }}.auro.re";
option domain-search "auro.re";
option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list";
pool {
range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wifi }}.10.255;
{% if dhcp_failover is defined %}
failover peer "dhcp-failover";
{% endif %}
}
}
# Aurore topology
# TODO

11
roles/isc-dhcp-server/templates/logrotate.d/dhcp.j2 Normal file
View file

@ -0,0 +1,11 @@
/var/log/dhcp/dhcpd.log {
# common options
daily
rotate 365
missingok
compress
delaycompress
notifempty
copytruncate
}

22
roles/ldap-client/templates/nslcd.conf.j2
View file

@ -5,9 +5,24 @@ uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
{% if ldap_local_replica_uri is defined %}
{% for uri in ldap_local_replica_uri %}
uri {{ uri }}
{% if 'fleming_vm' in group_names or 'fleming_pve' in group_names %}
{% for uri in groups['ldap_replica_fleming'] %}
uri ldap://{{ uri }}
{% endfor %}
{% endif %}
{% if 'pacaterie_vm' in group_names or 'pacaterie_pve' in group_names %}
{% for uri in groups['ldap_replica_pacaterie'] %}
uri ldap://{{ uri }}
{% endfor %}
{% endif %}
{% if 'edc_vm' in group_names or 'edc_pve' in group_names %}
{% for uri in groups['ldap_replica_edc'] %}
uri ldap://{{ uri }}
{% endfor %}
{% endif %}
{% if 'gs_vm' in group_names or 'gs_pve' in group_names %}
{% for uri in groups['ldap_replica_gs'] %}
uri ldap://{{ uri }}
{% endfor %}
{% endif %}
uri {{ ldap_master_uri }}
@ -35,4 +50,3 @@ tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope.
#scope sub

1
roles/re2o-service/tasks/main.yml
View file

@ -9,6 +9,7 @@
repo: "{{ service_repo }}"
dest: "{{ service_homedir }}/{{ service_name }}"
version: "{{ service_version }}"
force: true
become: true
become_user: "{{ service_user }}"

7
roles/unbound/handlers/main.yml Normal file
View file

@ -0,0 +1,7 @@
- name: restart unbound
systemd:
state: restarted
name: unbound
- name: read unbound apparmor config
command: apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound

62
roles/unbound/tasks/main.yml Normal file
View file

@ -0,0 +1,62 @@
---
# This is used to let unbound bind to the right IP addresses.
- name: set dns_host_suffix (main)
set_fact:
dns_host_suffix: "{{ dns_host_suffix_main }}"
when: "'rdns_main' in group_names"
- name: set dns_host_suffix (backup)
set_fact:
dns_host_suffix: "{{ dns_host_suffix_backup }}"
when: "'rdns_backup' in group_names"
- name: install unbound
apt:
update_cache: true
name: unbound
state: present
register: unbound_install
- name: add unbound-control configuration
template:
src: unbound-control.conf.j2
dest: /etc/unbound/unbound.conf.d/unbound-control.conf
mode: 0644
notify: restart unbound
- name: setup main unbound config file
template:
src: unbound.conf.j2
dest: /etc/unbound/unbound.conf
mode: 0644
notify: restart unbound
- name: ensure unbound log directory exists
file:
path: /var/log/unbound
state: directory
mode: '0755'
owner: unbound
group: unbound
- name: ask apparmor to allow unbound to write to log file
template:
src: unbound-apparmor-config
dest: /etc/apparmor.d/local/usr.sbin.unbound
mode: '0644'
notify: read unbound apparmor config
- name: setup unbound log rotation
template:
src: unbound-logrotate.j2
dest: /etc/logrotate.d/unbound
mode: 0644
- name: setup recursive DNS server config
template:
src: recursive.conf.j2
dest: /etc/unbound/unbound.conf.d/recursive.conf
mode: 0644
notify: restart unbound

48
roles/unbound/templates/recursive.conf.j2 Normal file
View file

@ -0,0 +1,48 @@
# {{ ansible_managed }}
server:
# Timestamps use UTC ASCII instead of UNIX epoch.
log-time-ascii: yes
# Only log errors.
verbosity: 0
log-servfail: yes
logfile: "/var/log/unbound/unbound.log"
do-ip4: yes
# FIXME: IPv6 deployment... someday...
do-ip6: no
# IP addresses on which to listen.
interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
# By default, anything other than localhost is refused.
# Whitelist some subnets:
access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
num-threads: {{ ansible_processor_vcpus }}
private-address: 10.0.0.0/8
# The host cache TTL affects blacklisting of supposedly bogus hosts.
# The default was 900 (15 minutes).
infra-host-ttl: 60
# The following is vital, we were having issues
# with DNSSEC that turned out to be due to UDP responses that were too
# large.
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
edns-buffer-size: {{ mtu }}
# Maximum UDP response size (not applied to TCP response).
# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
max-udp-size: {{ mtu }}

1
roles/unbound/templates/unbound-apparmor-config Normal file
View file

@ -0,0 +1 @@
/var/log/unbound/unbound.log rw,

15
roles/unbound/templates/unbound-control.conf.j2 Normal file
View file

@ -0,0 +1,15 @@
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
control-enable: yes
# what interfaces are listened to for remote control.
# give 0.0.0.0 and ::0 to listen to all interfaces.
control-interface: 127.0.0.1
# port number for remote control operations.
control-port: 8953
# Disable the use of certificates for unbound-control.
# It's only listening locally, there's no need for the added complexity.
control-use-cert: "no"

13
roles/unbound/templates/unbound-logrotate.j2 Normal file
View file

@ -0,0 +1,13 @@
/var/log/unbound/*.log {
daily
rotate 30
missingok
notifempty
compress
delaycompress
sharedscripts
create 644
postrotate
/usr/local/sbin/unbound-control log_reopen
endscript
}

12
roles/unbound/templates/unbound.conf.j2 Normal file
View file

@ -0,0 +1,12 @@
# {{ ansible_managed }}
#
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"

4
ssh-blacklist.txt Normal file
View file

@ -0,0 +1,4 @@
ldap-replica-edc-backup.adm.auro.re
ldap-replica-fleming-backup.adm.auro.re
ldap-replica-gs.adm.auro.re
ldap-replica-gs-backup.adm.auro.re