diff --git a/.gitignore b/.gitignore
index fc586ce..ea2eabf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 *.retry
+tmp
 ldap-password.txt
diff --git a/README.md b/README.md
index 6b7d611..00897a4 100644
--- a/README.md
+++ b/README.md
@@ -118,3 +118,23 @@ for ip in `cat hosts|grep .adm.auro.re`; do
 ssh-copy-id -i ~/.ssh/id_rsa.pub $ip
 done
 ```
+
+
+### Passage à Ansible 2.10 (release: 30 juillet)
+
+Installez la version de développement d'ansible pour faire fonctionner les
+playbooks de ce repo, ainsi que les collections suivantes :
+
+```bash
+ansible-galaxy collection install community.general
+ansible-galaxy collection install ansible.posix
+```
+
+
+Si vous n'arrivez pas à entrer votre _become password_ (bug dans ansible?), un
+workaround est le suivant :
+
+`$ export ANSIBLE_BECOME_PASS=''`
+
+Notez l'espace au début pour ne pas log la commande dans votre historique
+shell.
diff --git a/ansible.cfg b/ansible.cfg
index 8d528bd..e2d6a32 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -33,3 +33,6 @@ become_ask_pass = True
 # TO know what changed
 always = yes
+
+[ssh_connection]
+pipelining = True
diff --git a/base.yml b/base.yml
index 935f60e..2e26b95 100755
--- a/base.yml
+++ b/base.yml
@@ -11,8 +11,3 @@
 roles:
 - ldap-client
-# Clone LDAP on local geographic location
-# DON'T DO THIS AS IT RECREATES THE REPLICA
-#- hosts: ldap_replica
-# roles:
-# - ldap-replica
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index eb846b4..2b53213 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -50,8 +50,13 @@ dns_host_suffix_backup: 153
 backup_dns_servers:
 - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
-# Misc
-mtu: 1400
+# Finally raised!
+mtu: 1500
+
+subnet_ids:
+ ap: "14{{ apartment_block_id }}"
+ users_wired: "{{ apartment_block_id }}0"
+ users_wifi: "{{ apartment_block_id }}1"
 # Keepalived
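Review bot: `pipelining = True` in the new `[ssh_connection]` section makes become fail on any target whose sudoers still carries `Defaults requiretty`, and with `become_ask_pass = True` set a few lines above every host this repo manages goes through sudo. Nothing in the hunk records that prerequisite, so the first host provisioned from a stock image will fail with an unhelpful sudo error. A comment next to the option would save that debugging round, e.g. `# Requires sudo without "Defaults requiretty" on the targets, otherwise become breaks.` Whether the baseconfig role already drops requiretty is not visible here and is worth confirming before relying on this setting everywhere.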
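Review bot: The templated `subnet_ids` in group_vars/all now applies to every group, including the `group_vars/aurore/main.yml` added further down in this commit with `apartment_block_id: 0`, which yields `ap: "140"`, `users_wired: "00"` and `users_wifi: "01"`; the old per-block files never defined subnet ids for aurore, so these probably do not correspond to real subnets. The per-block values were plain integers (`144`, `40`, `41`) whereas the new ones are strings built by concatenation, and Ansible's post-template conversion is likely to turn `"144"` back into an int while leaving `"01"` a string, so a consumer that compares or does arithmetic on them may behave differently for aurore. The same scheme also assigns `145`/`50`/`51` to gs, which previously had no `subnet_ids` at all. If aurore has no user subnets, keep `subnet_ids` out of group_vars/all and define it only where it applies; in any case document the scheme here, e.g. `# Derived from apartment_block_id X: AP subnet 14X, wired users X0, wifi users X1`.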
@@ -67,3 +72,15 @@ re2o_aes_key: "{{ vault_re2o_aes_key }}"
 radius_secret_aurore: "{{ vault_radius_secrets.aurore }}"
 radius_secret_wifi: "{{ vault_radius_secrets.wifi }}"
 radius_secret_wired: "{{ vault_radius_secrets.wired[apartment_block] }}"
+
+radius_pg_replication_password: "{{ vault_re2o_db_user_passwords.replication }}"
+radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}"
+
+
+apartment_block_dhcp: "{{ apartment_block }}"
+
+
+
+# Careful, this is not byte-aligned, just nibble-aligned (RIPE gave us a /28).
+# However, we ALWAYS keep the trailing 0 to have byte alignment.
+ipv6_base_prefix: "2a09:6840"
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 1443e22..c9330fd 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
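Review bot: `apartment_block_dhcp: "{{ apartment_block }}"` is added without any comment, yet its only visible reason to exist is the override `apartment_block_dhcp: sand` in the new `group_vars/gs/main.yml`, so a reader of this file cannot tell why it is distinct from `apartment_block` or which role consumes it (presumably the DHCP one, but that is not shown here). A line such as `# DHCP variant of the block name; defaults to apartment_block, overridden for gs (sand)` would make the relationship explicit. The two and three blank lines surrounding it are also out of step with the single blank used between the other stanzas of this hunk.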
@@ -1,162 +1,170 @@ $ANSIBLE_VAULT;1.1;AES256 -61336339613837303864333338376131306234356334366237613038323565363539656161643663 -3630396462363834616166383634323735386461653430330a353861386131386130613733663465 -66363639336164303137326133373364643539663032303237633831333764376534366464313030 -6161663162613636660a393262663061656235333836356331366638313263333364306262636631 -62393434336561313630343366626136393933383966613463353135643334666432366433383038 -39306538616266656536373435363963336463366635653433666566343162623065323738336339 -38346632383039663666623137393431313931656538326136356433386261303638616165626336 -63326134336330646236336631306266306532366435323830333233363565366134373236623263 -62653836386362613166643762633865303239666662313138363866373335333566353033613732 -38663634313962373264393763303733616236346230393665633366316538666334333537306536 -61643061356633646133616138396163346538633065313935666639623531303861303663666466 -63346531666362386363383534303436376338653034633565383361386430386636336664626431 -62613263306132633336363562323030613832373363646464303263616264353431386664626137 -36633434343536346333383530343965313262353639363266656562633132343036656137383938 -63333165333835636634336336343732383865306634393939343332396565643661313666656239 -61633635623236383764646664356539383834303437636338633138343465656337643962616365 -37633032303161616664333264336331626531613031363066323137313539373637646533623663 -66313662356438666566313364653933316335376438313939313430643865643432356139353231 -31356236663234383564383162633431376436396331613838613039343762336562343562653738 -33383163653535373538646237623865356462626665613136316365623036396536373633363536 -30613932656534313966633664303661336366336561656434373438373361643532623335643234 -61353466323636663463643262616635653639633463373235636432616561623662393838636335 -30646164633962353138396164303666633366363364373039393339383063316238393332623139 
-62333166393831636232373738643962613063396530633132366536663839333136656338336464 -37633039626138666261343863363232633936323234386362373463353737343330656430643966 -30633037613033383134653133653232373236353535663033323634633564656636316636383537 -65373663393235323561386232613634663962653564373634333034373530353264333037663431 -32326438613436333935346335313364363361383732323362383437626234663533396235333935 -31333132366534373832636637333664346365393236353366363937306138333961393939626138 -33333036653839623138373832613233326262633836363562346261323639383536353433613764 -63323434663437653236383334346634633765636339646665653638333938303665643132643735 -63393838363732646339343937323732653939656466313637383738626131396261303838326565 -34393934333738323137646264666633386661343637613462393864613134383538653966383732 -64383738653833306266663431623162643333616537656136373439373462626266383663303031 -63666265373664653334373266616437653764623765616539343139373934356133613338376239 -63393735613066636432663466353865666661316232393361306438623036643438346130383937 -36373762316263643764303638383633373161383862373630386465643462396432656134313764 -61666534636565366136653438666339346539303238613135613261333431336361346138333161 -33393130333765326361336239373365366332626566396639643966313434666561626262646664 -37386534316136613061343333656630303839356366623835656239306562646436656131366366 -36346635393235663630633331646231313737363535643663333162616135316566396530303030 -33346331303935326631646563663833663266323937383134396162353131396231323837656631 -66373864316332646433316131633435386133373239333261616136613632613162346366643366 -30363030393736343438643866343363366331393031633638333731393732646132393165383361 -31303637386535366535386332666133316564366463313465313637393663623662373431646234 -62663461353961626237343663356664623731376432343538656332613866323135373637313831 -34396132343961656266656430663838643464353362393732623739393938353764323065303464 
-66656435303333616432313232333431326535613635396536663835626361643733363461653831 -33313634656632633831313866306233363633316330313037313035366537373034326231383463 -34633062353635396261353438633564623564346536356131353166353835336135316662343262 -34386333353731313335333339323936643862386264363565373737383364623366663265353339 -62663730623430303535333138653636323864383039653361383435383062336537633865356466 -64303532303338383365326635353363363161613962336166663764353562666236336133353538 -35343733343338346666366139363261313662633866306263666331313336336330326537636538 -37326330393732636163333161643831356533393238303039643663663766613634376336303062 -66316138396433356365623437323932663632393831613835366632653138656530336236383063 -31376433343664643863396537663730663335656262306663303961333832343366343835616362 -34393032363862636639656338656462636436343238616663616634393365353432623361323763 -66323937643936636537323866353461653232653136663631313231613731353231313130353565 -31373336643261336535663739316366626634323635616537666131653534333164353836336531 -36613763353135346630323138643039383634393234656330306664346136346238343762646639 -38383466356332383063613565383765313931356235363330366138333064383938316538373933 -32353836663535613339636130303832323231633832353366393166373235306538656364633666 -62386134643738363830613130353565666337343861653538366530373966626330343032393531 -64373162626336353631306661623837353036663364383930303633613561373432303366323463 -37633963633835363565643131343962656463376163336366383531303164303263663034303530 -30616337373466663939333666313761313334626335376236363436376563626534626666383230 -35373537633135346138323231316565633862666432626430386231653532663132333532373837 -38316161316565346663323138623538356130303564306638623461323765366634633161356234 -39313862336532326161346436363865353833663663376566303865616264303035323864633739 -30383435653961303861646365356462376261663634383433383137363734616337643836333730 
-37643737626339646434386638326439663264373362333165623637306664396330303164363366 -66353234386137343136363764633463666137653438393131393436613563313934313736303165 -33633638373561623933623033333036346339346533373435336262346164656162303561366638 -30383035623338653430343731353766653164616139616638636563643630313735333463376662 -62666661623438333936323762616433373236396439636563646237313535343866333064393432 -64336139623933323265333633616131396661656264396262646662303633346262356662633535 -31333038666163316132613365386662396330366630313562663561313962366261323131623939 -33626634303663353466306631653439633430383138643534386430623238326332303232623965 -61653165323132303335353338353366323462633763623062616335663831653266323463353364 -61303339336162663235303837643432383333343466333365333535633763396664353636613165 -38306536656665333731376339383061383232346437643564346134396265633362616161306339 -63333264656235393639386435353631333438376166646662656631353838326338656438326231 -65326563363431653266623034393435383061333533316235363236393131333231366665343964 -65376438653165633265646233343131373133313939666163313735336564333038333765623766 -38633061303731623832353638396566373238393535383631396566343035656137353461613838 -65363239303664613132363466383336313038653962343939616363323339333866343036613238 -34656537663765346430623332656266323035343435616361343537306263363466373665306361 -39663066633833306330336334306437323430643764306266626634633139396231353638633665 -66336364633536323931343930623832306331393533626539306361333961306663353266303631 -30326633326332353861383735656362306334646238656137656533323835633937313439356538 -38653130656465656531623635343565663739306665313932356562313131373934393435623932 -38663737306135306332373730613466386631353463633261663532393933663034633634343934 -34353437393934663866323236346236383664343963383239636332643639623131376466656363 -32336363616661303535633037303334343861616263616334626430396334633934303162633839 
-65613163303037653963353535343132323431326262643862393365356437316566393130383866 -32666133333166656566373532373064373138333335313563633963393938383363396464396532 -61303037326665316634363536653537393933666532396339366531636362306537626638623634 -32383363663134623133626332343132333335356133646134656330376339306538633165353634 -65663731313832613264633430393531633765353233363766386137306364303138373339633438 -62323837653531393738636531303130653530656632393535393739363565666162376436376138 -65656131656165626636386435346132623030626664656437633261383037396332323534653664 -31306137313162356638653064363236336434626134313966613335653633623338356230323133 -61653437663537376561633235646361633233316662313331303962303161393937346565333366 -31326362303735353937313734363738636439323338646531383235626137393334306363393031 -32383861643734396132626231333537656431656165316261376237333734623635623837623366 -61346566663433366364326561313663333732303737346533363536313365353863333632386232 -63363639656230373639336636333464336136343839353835616565313165336537613666613233 -33313130373838633736306237326666383736616663343838323137663632626630313334623063 -34313737613334343331613864343062663130633963386466626233386332633233663762306237 -35316635396439333934363836353134363538643430363066616636343634643230383630626138 -65623931383631396465353163636161376337346335303738326433363835346162643732393464 -32346462383432636530636166633466393239316631663834653562353436636637393136663933 -36326538646331333436316262373037343065656662623563313465643832626539326261333738 -62353063373461373835333662626465303030366535303332336362663166633736316237313535 -32336533333536626461383737643161373738616539396339336165333162333830633661363162 -38626365616633363431303333613237343538393734653533663831613336346164343734313435 -62366264323738383038393938663366613533666438393261636336363266393736636634323436 -37643262316663663938353338343338373162356337313566376134313464643336326138313838 
-36366136306163306265663836663235623231306334633734633736306239316334616132303531 -39663562373762653634666438333861626563353366396231356232663737396436633934363734 -33353738656430383066373463313336623231613530313830633965356361323138396139353664 -38393339613064303365343766663536643061393864313466343966356666633231353765376364 -37636439356164646633313231346365376566663930386563633062633234303163333131663332 -38653431303264636266326665633465303635373762363663303164636330356636616137626633 -30366466626164333332613933396362666135623137636537653838646664643235626233303531 -64373833646434653530613935336434323737313061333930316563653331643938623438626632 -34386236633462616231353063353330346663323535333335383465366135653064343535616233 -31613236303238663331613739623261366231613661653033626562376664336161303134646535 -36393461626237666466353862303564306333356635303035346237653062663238323030313866 -37613530346335623031316165666137626631653965333236396162323966356633306630633934 -66323465643834396635363131343735643365363163646132373537383233663830643330643666 -38316461313830326433643566366566343966376362373661373839353933353231653539393534 -61373437663937616237353064653934333330306230373034376631633963316236626232643136 -36633865343363373530646566313636326130323136346235636430346561333030393361623161 -38636531626632633632616139613861363332383030396338356461623865323262663763303564 -33643661353230336430383930643433613938646133316636666463626363396264643638363762 -30343135643530356633373330353565373264383665333237663331373035613336653135333133 -37386439303763616138313661333335626532633731373939633966323332646364383665333331 -35623133303865346464313761396462613435613262383339663735386639393536646634323935 -34646661613839386639313733333036623439666536396463336663393737383130383962366336 -37656431653533333338633162663938646432306163376438396134376565353531353832663439 -34366435326364356464366633356332656231623164646361653737333331653636353136626465 
-63353233396234386630643864333364373562643333343036386639333036326362383264313431 -62636362663631376666383034303337393562613135376537376335343939343630343766356362 -63326435646163663737633133313735316663386337363830646261396333636431363938623062 -63363338373334343634366139363866343731626561626565663339643164633731396363353435 -32663634366532343939366130363233373634323664313765636235383638613061323034663364 -65646665653732326530383962313762313035353866636362363835613261643331666135336365 -35353161663966643564383935386331633730386134343837613164623537393462313130636235 -66653539396639623264303733636232343131373339303034633337333930393061306139373638 -30363139386238636436316239366537663662363432366132346361666436353337663830363037 -38643365366339343961383234313830623138316235383464346439396166363739623937653166 -31323639383838323362323663316265333162393664346262323562646232613134626335366231 -63366230623733643336373132383633356530653766653834663430383538366366363966393237 -64633436653332646336343037303665306465323162643863336235623435666131636661616635 -34336562393961383737393632623035633362383763666138343533363166363731323832343534 -31343038666533343130396264613836396434323363396434653938353131336262373936353333 -65373265306132623235316439373936353834376639386364383763643438373039393263383538 -30366532313335306332306261333434613733383430356633626338643537373030336434383231 -39656162643264316239646339643835343934323639623334303931613938363531 +61623264646363313062633131306234666436616566383936616431653033303531333738666639 +6137653535623535333435383862306361376564396562370a366166373232343137363662356463 +34383636393830386465323534373534336462333937316530666139633835356635356562353134 +3234333736333831390a663033313531363838303566666530373432346536306137393561393734 +32613234373363333233333630666464386437333337623434356161303834656662366661343363 +62326164363764323365643166636664343032613835656663363636383963663138633837646466 
+33373838343439663830626432353332666138356564383864616632353063376634393032613231 +38336233396263316563363332316131323439363664646237383731363930613563343763653537 +66383137353633653931616564616365366564626431626439383661666535663430353463346232 +31613536343566373437353738323133646439373465376632656530393033373037383864663937 +66623563393138653437353437373138386365653433313166353231653530613935333038653830 +61306239356433346438663239646162633838623036653439376362336636633862383266633239 +33363666383934633665303537396663363339323761356439636331656163363436333865306338 +63656166343835646262393634613865623936633566356531366663326431353836363238656631 +31333862346266653933663236626234663865373936623334323433643661343634653334316662 +36313262626230356531393661303834653263666138613435333538373330633432366338363131 +33336566633030346136613566353366653333666661336463336333333634643433393333353061 +65653236653362636564653932306131346532343738333361646563623865373538636662643932 +37373961313935373964376336333337396135623764376563623431326266633434336665303864 +34383836333762336665313635366166316339396437656330636432353064343836616362326432 +34353532626362636661363631666335316564636237646336323666636661336532313266616264 +37353637626636613161396430623139323662303862393439643235653833386166363332616438 +62653439363861626437663736313436386138363466333566333335323265333930366337386537 +63353931353165666337666330636363386463616463376336323834343666393331653863633430 +64626636373363626335303234306662323335363130623763333835373438373733353136306463 +31646363663463623635363537636338376131623766386339623763376532343733613061343736 +31653764383737646132353537633631643265336539316332636465353638346163613036653038 +64653238363661303032666330623334376130383365386334313137376339623164313538643637 +32323539346664663237306630346365646364663231633162393265376433313633336661326137 +35366662386235616531323264326632353635646337303830663364643336653039643865313036 
+36343634613563353965643330306134393664336238653361616631623837313764653835333464 +31303835653265343466303363623331376631383064643336306166386632353566633231303031 +64646338333961373237323563633462363236626134366430323334373864633731323838383562 +65356137323234653932373438306335383666386433386563343136343934623936653565663135 +61353366393735663064383234343435633738623233643535393337326531356131643131646562 +34623862626430343464663230323561313736646135323339656562323332306265323765626130 +31333531626236393165663236393464303338623937646331663563636336316166303462396562 +66643638383432333035373431393463343831643731636133343538346431613236663266643639 +39346332303537393031353231626433393165386437343361663335646165623165336337643237 +30643466666462373937346162383032386361383439613332653162613765326237643038613665 +38633134653934346464346233323563623139386235343766386661643861313638643936636439 +34393039626163336636323862643237363633373339353263303035386636393232613536633038 +32656335396564623133373439333065633638373032323161383436363966386535393135623931 +62313838353034343033653130633666336433656565373836336331363339636330663836343835 +64656461376235323133316135396464353239316438386466323964326139316564313938333363 +66636337613362633639623265336434313938366666626434393532373534303865376632313830 +32353861306165383133633132623939386338343364623132386135316361336238616432383662 +31663763306431623932323930373637363633346139663539666236363032386535363932393264 +63306437616635343263643162393462653835643038373961336531313635663732343062613164 +63316463376239383634373461343533393730613235633765356166313131613230326562303863 +38626365383035363130326365353366316635323832333630343934346632643566373062313963 +38356165646438383936336431326566386564306636386432643537666434613434343235323666 +32366432393663333632383333333837646237643730383438336364376235353463656238393431 +34656561613566383761386233366637343230613634333062636239626639343132353837656363 
+63373264646631336664303662386531386635303861333662313633613933353063363832623462 +35656536616333333861383930623237363062363335636231383033316465323339396530353166 +61613935366233326532366135623939353135323336346630303933633731316461626463643936 +64393430386430343362346334633036316464656561356132376365323463316631336530346663 +65373432666436323364316633623734353464393036383065643832653838323730643163393033 +37383639343061616563623365383564336132356162373937346338356562313262366261646434 +65656631326334336230333862303766633363653863666330373530343132336262653763336331 +31303535393231373833633631323265383435666665353461306638633031376339613230343966 +31306134383164333763656262636537343563386336393734626139646136643635313038663830 +65376366656465653165663762313738303438346136646638633962646466626339653566343530 +33353061643730663138383662663233383864626631626238306266653734306161383431653530 +38353262386439663331633465313262386630363465646661643366336438356163393564653565 +65346637346533323338383233313434346361383139666363336435633535326434373438366533 +64303737336631643735376130653031303533646464313562623036643762653937613735316162 +61396336376534393738323830333864383533343834616432373731633431316662656137363030 +36313566633863383162643432396235306661393563303138386339343462636566323135313631 +32336365393662633932383665623561373164353963646464323163303039333035366562363634 +34643731343931656239326165323962613630636132353334643866393933653631393134326635 +61353538633337343935396566396437663137326161323032336665356531373433643231326164 +38663463633863643636336337316162666339343630373366396634666363306137323161626561 +33336332383330383761623636366464353163386633356132656364373962316437626664333439 +38393137356364383535383231613431343261613036666238323431663532663333336563306239 +31313931623665623661323433346138383430366433623738356366373337383263316435393330 +30356131333132343333623732383263353330346635613833626562613536376232386663663265 
+39636239663139393761303363313862333834336265616330353933333935616637646639326461 +34323231616662306366616665346239313839616435393738303833653138353135353161393830 +34653163386161653536666330353431356133623639653539316166313661343136643565393735 +33343966613534653034333261383136323135613032613063653363303437633832653834393063 +63623738333361636638646234363665616563633534626638613938613933343638386165346537 +61316261663039633462333637636561656166663430353037336530663036353564353530323663 +61386164636461363831303231353733646431313334323761633835373832333663306336633836 +63363838613434303066333732333237343264363238313962393230633165396135643431626664 +35316663333439326437343331303639616365633938393039633362303135393230313261376531 +62343533383034363331343661333036646530366665336431303561653138626262336239303864 +30643131356538316434313665353466383539383034623830363264343736396130623265306564 +30666535393839306333616134323333326535336564313735323864346139393762336265623137 +33653734393464353833333939363766656436393639626161383666613263643064323933663834 +63663761356233633134646561353631396364343761386631323764643631663564653265303330 +38333466666634383666326132356132303363666136666132373161383863653434333633386238 +36333361383663396238643433383338646461386363396563643133303166356538666435646639 +65353034373263316139363464343434326362366531666233323366383331353131383634396538 +65313631363564303133396462353934623939663739343431346465386430353030363235343032 +33653065643334663737643961396530316336633562323733626261376462303366313462353464 +38666235366365633833336630316564643132633839313465636164393439626635653739346166 +61343765653037656533313663333139663364666239626263393261353732363639623966623961 +62643266313734363064333063633030383865653665313832623535636666623364333635643238 +64623233393962313032343938666363333533653331303334643032636561303030633066636634 +35363864613430356264633936663833373739643562343631623336316263373939353563393634 
+35376466376161383563646430363432626639363436633365323137346338306161636230323934 +38383238646366343766333032633038663037386339333038636136343732613838306130303539 +61303963333035366330646636336530396331333739306666396333333839613536343337323230 +31326461623731653461376132356165343130333235336130323361616333333762623131393265 +36636335313539613565326537373565313036306465326631326332373364313565333834373232 +36346166373433313033363533346565316535666538363538303134616365326336613461633931 +39333633383939623633386263346637386465326139363336663738393538393039376338366461 +64336138643166663362376339366537653463386265316434346532663633643765663339333062 +34303739366634383330356161333031313465323235666437363136643964623431336133633031 +62373462623531373665653137383833643332366562396134386536666666356139663631323965 +33633266353062363339613139666534393737393765383830643731616366316164626335373564 +38613533356661626163646138316163343938666366353964623131383063353534326637323162 +66633139633861623765316631323933363662383234616238336333383135326166656530376331 +30613534613636333533356666333864326438646462383862616338323864336136323566393231 +64323339386363623063373237346362366665666662306266323338653561396535323766316233 +30383036326331323563663533333166366130326262393732343135643463643064313364393530 +39326332346635343333376636316363393230336563333261616263343833386334376636623233 +65396330613837636139636132303530316236666132646266383466306663313038343833373734 +35376339666664393533666134353330626163306432363634653364343934343336306264646439 +66383138626232343639623033383565626232323830626362313733666663633037343737623333 +34653665666262303236616534343436333334393837326661383932623430303038623538313463 +38373233373730633937306638333966653433626666373565623866646665643231323065383230 +38353961396438373236393038626237346162653966383364626366666335656465346336323830 +63343937363732326239396664663963633733643036396164343038613136373037383664646130 
+36386564333734643336303661336230363865323936343732646564336136653732363334316135 +38383935396161653132396661373636353761616661616635303465653266623337303534353038 +61333937393534336533363933383461303539303964353164376134653134356439356462376161 +62356333363238376139356231373835386139363637336566356132363932313639643334396334 +36326630663532313536393139386336303833653833323532653230613166376233633739623738 +35336138343434343064616335373836363032376537386439323165336365626230316435623766 +33653434633766323864343031346565323936373133396436623036353563653236393230653065 +63616336316339393034643063376137663565396137356461303061626336343437316462653437 +64383765376439616232663936616564366136666139343663336634366530303561303163373339 +66616233613532636138613836636666323237646566356538376566626639356436376230306130 +64623430613962333537366235616631323833626163383138393662623539643864346436346561 +64326636396235613534666534306639363864303539623563333934353766306130356564333538 +65386338616639663338636337303038316633383866346362633636653162353433366131333866 +38643037646531643633333334626163353833623833616338373863373533316561313361616462 +36323533343932376633653138363162646362313332353065633561666664663436376230376432 +31373461613033306434313136373532303666306130353064326436373961633534656462643866 +65623238396163646336343461303137366135306263313035663461653465346638383835666362 +30306431396136616334666631646662386533343238323962353837306139316335386234366333 +63343564386630356566363234636466303162643438653561323263336464633964616162616366 +30376532313739306339336366306262663230366337313662313036303436666563326236333961 +61373231653433613861633363333633626366643133633933333363636635656530643464653834 +61306633333032316531396165366462386230336330376239653436313836643435316533613331 +66623261396262316133326233316361656634333936353531623964313235333739376137633961 +31656631643966393164323463373832363538653235333165333061653163333436633335633632 
+31613930333061653331303863303233376431306361613230383763623231636330343566323237 +65306430366133393332386631356135663134306264633536636134623230386635313231343661 +31383638616565363364373561613162393133363538626332363964663139336466336538333139 +61613939653866333037393564383464663331306439643163343464373766313139656264316163 +35383461663231613539613462336162353635333030323663333139653337663932633035666336 +65376264306639316137383730626561396365316661396564623335313865313263646536613233 +39313365333736363861666363383537376666346533383865636535343764326635343061366535 +33323336303861393862623832353936383537363238623932643035323863303865383233633432 +39366637656264656463393664336565366465333766643437623164636565346364623730633234 +66663432383765643161356533633564626463383237373330663836346232636635373330363161 +36303039393035396364666366373664623031363836646233616565346634356130646639313432 +33323736373133383666613565356133343266343432633737313030663466636135326364623639 +33633337383762333634613637383731613031353834663262313230303166376361373931623836 +33663232633661373663376163303131373363313036666262613866633237373261393130626364 +63343535396462316536356334356463323466656633373439656161356162386666386461336163 +33373233616539653634663136623630626137663832313361313663306438643737393262653862 +38313233396334353433313162316434653162653739663935396539326330383439366364343532 +38336266353964656163346537333166366431626239356465313634623035373861333663633862 +3164 diff --git a/group_vars/aurore/main.yml b/group_vars/aurore/main.yml new file mode 100644 index 0000000..7cf0189 --- /dev/null +++ b/group_vars/aurore/main.yml @@ -0,0 +1,4 @@ +--- +apartment_block: aurore +apartment_block_id: 0 +router_ip_suffix: 254 diff --git a/group_vars/edc/main.yml b/group_vars/edc/main.yml index 88e6c2b..942e068 100644 --- a/group_vars/edc/main.yml +++ b/group_vars/edc/main.yml 
@@ -2,11 +2,6 @@
 apartment_block: edc
 apartment_block_id: 4
-subnet_ids:
- ap: 144
- users_wired: 40
- users_wifi: 41
-
 router_ip_suffix: 254
 mtu: 1500
diff --git a/group_vars/fleming/main.yml b/group_vars/fleming/main.yml
index 1913a87..94f9cc8 100644
--- a/group_vars/fleming/main.yml
+++ b/group_vars/fleming/main.yml
@@ -2,9 +2,6 @@
 apartment_block: fleming
 apartment_block_id: 1
-subnet_ids:
- ap: 141
- users_wired: 10
- users_wifi: 11
-
 router_ip_suffix: 254
+
+mtu: 1500
diff --git a/group_vars/georgesand/main.yml b/group_vars/georgesand/main.yml
deleted file mode 100644
index 0161c8a..0000000
--- a/group_vars/georgesand/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-apartment_block: gs
-apartment_block_id: 5
-
-router_ip_suffix: 240
diff --git a/group_vars/gs/main.yml b/group_vars/gs/main.yml
new file mode 100644
index 0000000..25c3139
--- /dev/null
+++ b/group_vars/gs/main.yml
@@ -0,0 +1,7 @@
+---
+apartment_block: gs
+apartment_block_dhcp: sand
+
+apartment_block_id: 5
+
+router_ip_suffix: 254
diff --git a/group_vars/georgesand/sudo_location_group.yml b/group_vars/gs/sudo_location_group.yml
similarity index 100%
rename from group_vars/georgesand/sudo_location_group.yml
rename to group_vars/gs/sudo_location_group.yml
diff --git a/group_vars/pacaterie/main.yml b/group_vars/pacaterie/main.yml
index 7d6e30c..8ddb5ff 100644
--- a/group_vars/pacaterie/main.yml
+++ b/group_vars/pacaterie/main.yml
@@ -2,11 +2,6 @@
 apartment_block: pacaterie
 apartment_block_id: 2
-subnet_ids:
- ap: 142
- users_wired: 20
- users_wifi: 21
-
 router_ip_suffix: 254
 mtu: 1500
diff --git a/hosts b/hosts
index b688b50..c8f971e 100644
--- a/hosts
+++ b/hosts
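Review bot: Moving `group_vars/georgesand/main.yml` to `group_vars/gs/main.yml` also silently changes `router_ip_suffix` from `240` to `254`; nothing in the commit says whether the gs router really moved, and whatever templates consume this value will now hand out a different gateway for that block. If the change is deliberate, record it next to the value, e.g. `router_ip_suffix: 254  # was 240; changed when the gs router was moved (constructed wording, replace with the actual reason)`; if not, the old value should be restored. The new `apartment_block_dhcp: sand` likewise deserves a one-line note that it overrides the `"{{ apartment_block }}"` default from group_vars/all, since that is the only place the deviation is visible.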
@@ -8,16 +8,22 @@ ############################################################################### # Aurore : main services +viviane.adm.auro.re + [aurore_pve] merlin.adm.auro.re [aurore_vm] +routeur-aurore.adm.auro.re +routeur-aurore-backup.adm.auro.re radius-aurore.adm.auro.re dhcp-aurore.adm.auro.re dns-aurore.adm.auro.re docker-worker1-aurore.adm.auro.re proxy-backup.adm.auro.re - +camelot.adm.auro.re +gitea.adm.auro.re +nextcloud.adm.auro.re ############################################################################### # OVH @@ -111,7 +117,6 @@ dhcp-edc-backup.adm.auro.re unifi-edc.adm.auro.re radius-edc.adm.auro.re radius-edc-backup.adm.auro.re -routeur-aurore.adm.auro.re ldap-replica-edc.adm.auro.re ldap-replica-edc-backup.adm.auro.re @@ -121,21 +126,40 @@ ldap-replica-edc-backup.adm.auro.re [gs_pve] perceval.adm.auro.re +lancelot.adm.auro.re +odin.adm.auro.re [gs_vm] dhcp-gs.adm.auro.re +dhcp-gs-backup.adm.auro.re dns-gs.adm.auro.re +dns-gs-backup.adm.auro.re routeur-gs.adm.auro.re +routeur-gs-backup.adm.auro.re unifi-gs.adm.auro.re radius-gs.adm.auro.re +radius-gs-backup.adm.auro.re prometheus-gs.adm.auro.re -#inexistant : ldap-replica-gs.adm.auro.re -#inexistant : ldap-replica-gs-backup.adm.auro.re +ldap-replica-gs.adm.auro.re +ldap-replica-gs-backup.adm.auro.re + +############################################################################### +# Les Rives +[rives_pve] +thor.adm.auro.re + + + ############################################################################### # Groups by location +# -aurore services +[aurore:children] +aurore_vm + + # everything at ovh [ovh:children] ovh_pve @@ -164,6 +188,10 @@ edc_vm gs_pve gs_vm +# everything at Les Rives +[rives:children] +rives_pve + ############################################################################### # Groups by type @@ -187,6 +215,7 @@ fleming_pve pacaterie_pve edc_pve gs_pve +rives_pve ############################################################################### 
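Review bot: `viviane.adm.auro.re` is added before the first group header (`[aurore_pve]`) in the @@ -8,16 hunk, so the INI inventory places it in `ungrouped` rather than in any aurore group, and the new `[aurore:children]` never reaches it; if it belongs to the Aurore site, move it under `[aurore_pve]` or `[aurore_vm]`. In the @@ -121,21 hunk `[aurore:children]` lists only `aurore_vm`, whereas the other per-site groups visible in the @@ -164,6 hunk include both the `_pve` and `_vm` groups, so `merlin.adm.auro.re` is left out of `aurore`; add `aurore_pve` there unless the asymmetry is intended.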
diff --git a/ldap_replica.yml b/ldap_replica.yml new file mode 100755 index 0000000..1686293 --- /dev/null +++ b/ldap_replica.yml @@ -0,0 +1,7 @@ +#!/usr/bin/env ansible-playbook +--- +# Clone LDAP on local geographic location +# DON'T DO THIS AS IT RECREATES THE REPLICA +- hosts: ldap_replica + roles: + - ldap-replica diff --git a/network.yml b/network.yml index 300c0d2..25e0920 100755 --- a/network.yml +++ b/network.yml @@ -1,7 +1,7 @@ #!/usr/bin/env ansible-playbook --- # Set up DHCP servers. -- hosts: dhcp-*.adm.auro.re, !dhcp-aurore*.adm.auro.re,!dhcp-gs*.adm.auro.re +- hosts: dhcp-*.adm.auro.re, !dhcp-aurore*.adm.auro.re vars: service_repo: https://gitlab.federez.net/re2o/dhcp.git service_name: dhcp @@ -16,19 +16,27 @@ # Deploy unbound DNS server (recursive). -- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re,!dns-gs*.adm.auro.re +- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re roles: - unbound # Déploiement du service re2o aurore-firewall et keepalived -- hosts: ~routeur-(pacaterie|edc|fleming).*\.adm\.auro\.re +# radvd: IPv6 SLAAC (/64 subnets, private IPs). +# Must NOT be on routeur-aurore-*, or will with DHCPv6! +- hosts: ~routeur-(pacaterie|edc|fleming|gs).*\.adm\.auro\.re + roles: + - router + - radvd + +# No radvd here +- hosts: ~routeur-aurore.*\.adm\.auro\.re roles: - router # Radius (backup only for now) -- hosts: radius-edc-backup.adm.auro.re +- hosts: ~radius-(edc|fleming|pacaterie|gs).* roles: - radius diff --git a/nuke-radius-dbs.yml b/nuke-radius-dbs.yml new file mode 100755 index 0000000..b23f08f --- /dev/null +++ b/nuke-radius-dbs.yml @@ -0,0 +1,7 @@ +#!/usr/bin/env ansible-playbook +--- +- hosts: ~radius-(edc|fleming|pacaterie|gs).* + roles: + - radius + vars: + nuke_radius: true diff --git a/roles/baseconfig/templates/resolv.conf b/roles/baseconfig/templates/resolv.conf index c94128f..935eeeb 100644 --- a/roles/baseconfig/templates/resolv.conf +++ b/roles/baseconfig/templates/resolv.conf 
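Review bot: ldap_replica.yml turns a play that was deliberately commented out in base.yml with `DON'T DO THIS AS IT RECREATES THE REPLICA` into an executable playbook (mode 100755, `ansible-playbook` shebang), so it can now be run by a mistyped path with nothing stopping it. The same applies to nuke-radius-dbs.yml, whose `nuke_radius: true` drops the local `re2o` database on every matched radius host. Gate both behind an explicit confirmation, e.g. a `vars_prompt` for a variable the plays check with `when:`, or require `-e confirm_destroy=yes` and `fail` early otherwise, and keep the warning comment in the playbook header.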
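Review bot: The new comment `# Must NOT be on routeur-aurore-*, or will with DHCPv6!` in the @@ -16,19 hunk of network.yml is missing its verb and does not say what the conflict is. Rewrite it along the lines of `# radvd must NOT run on routeur-aurore-*: those routers hand out public IPv6 via DHCPv6 and a second RA source would conflict with it.` (adjust if the actual reason differs), and let the `# No radvd here` play below refer to it.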
@@ -1,3 +1,4 @@ domain adm.auro.re nameserver 10.128.0.253 +nameserver 2a09:6840:128::253 nameserver 80.67.169.12 diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index f4150e7..cde8d25 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 @@ -43,12 +43,12 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { option subnet-mask 255.255.0.0; option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255; option routers 10.{{ subnet_ids.users_wired }}.0.{{ router_ip_suffix }}; - option domain-name "fil.{{ apartment_block }}.auro.re"; + option domain-name "fil.{{ apartment_block_dhcp }}.auro.re"; option domain-search "auro.re"; option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; - include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list"; + include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block_dhcp }}.auro.re.list"; deny unknown-clients; } 
@@ -60,12 +60,12 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { option subnet-mask 255.255.0.0; option broadcast-address 10.{{ subnet_ids.users_wifi }}.255.255; option routers 10.{{ subnet_ids.users_wifi }}.0.{{ router_ip_suffix }}; - option domain-name "wifi.{{ apartment_block }}.auro.re"; + option domain-name "wifi.{{ apartment_block_dhcp }}.auro.re"; option domain-search "auro.re"; option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; - include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list"; + include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block_dhcp }}.auro.re.list"; pool { range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wifi }}.10.255; diff --git a/roles/ldap-client/tasks/1_group_security.yml b/roles/ldap-client/tasks/1_group_security.yml index 8477ac4..06664e6 100644 --- a/roles/ldap-client/tasks/1_group_security.yml +++ b/roles/ldap-client/tasks/1_group_security.yml @@ -1,6 +1,7 @@ --- # Filter SSH on groups - name: Filter SSH on groups + when: ansible_facts['hostname'] != "camelot" # Camelot is accessible for everyone lineinfile: dest: /etc/ssh/sshd_config regexp: ^AllowGroups diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml index 9820e4b..e7943f0 100644 --- a/roles/radius/tasks/main.yml +++ b/roles/radius/tasks/main.yml @@ -5,6 +5,7 @@ - "deb" - "deb-src" + - name: Ensure /var/www exists file: name: "/var/www" 
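Review bot: The new `when: ansible_facts['hostname'] != "camelot"` exempts a host from the `AllowGroups` SSH restriction based on the hostname the managed host reports about itself, so any machine whose `/etc/hostname` says `camelot` (a clone or a misconfiguration included) silently skips the hardening. Key the exemption on controller-side data instead: `when: inventory_hostname != "camelot.adm.auro.re"`, or better a host variable such as `when: not (ssh_allow_all_users | default(false))` set in host_vars for camelot. The same reliance on target-reported facts (`ansible_hostname`) appears in the roles/router/tasks/main.yml hunks that pick `router_hard_ip_suffix` and the routeur-aurore templates.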
@@ -14,14 +15,16 @@ git: repo: "https://gitlab.federez.net/re2o/re2o.git" dest: "/var/www/re2o" - version: "master_freeradius_python3" + version: "dev" force: true -- name: Template local settings +- name: Template local re2o settings template: - src: settings_local.py.j2 - dest: "/var/www/re2o/re2o/settings_local.py" - + src: "{{ item }}.j2" + dest: "/var/www/re2o/re2o/{{ item }}" + loop: + - settings_local.py + - local_routers.py # What follows is a hideous abomination. @@ -30,14 +33,22 @@ - name: try to install freeradius-python3 (this will fail on post-install) apt: name: freeradius-python3 + default_release: buster-backports + update_cache: yes ignore_errors: yes - no_log: yes - name: fix freeradius-python3 postinstall script template: src: freeradius-python3.postinst.j2 dest: /var/lib/dpkg/info/freeradius-python3.postinst +- name: reinstall broken package (this might fail too, for different reasons) + apt: + name: freeradius-python3 + default_release: buster-backports + force: yes + ignore_errors: yes + - name: Setup radius symlinks file: src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}" @@ -54,7 +65,7 @@ - local_prefix: freeradius3/ filename: mods-enabled/eap -- name: Configure radius clients.conf +- name: Configure freeradius template: src: "{{ item }}.j2" dest: "/etc/freeradius/3.0/{{ item }}" @@ -64,10 +75,6 @@ - sites-enabled/inner-tunnel - proxy.conf -- name: reinstall broken backpage - apt: - name: freeradius-python3 - force: yes - name: Install radius requirements (except freeradius-python3) shell: 
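Review bot: `version: "dev"` together with `force: true` checks out the moving tip of the re2o development branch on every run, so what lands on a RADIUS server depends on when the playbook ran and cannot be reproduced or audited afterwards. Pin to a tag or a full commit SHA (`version: "<re2o-commit-sha>"`, placeholder) and bump it deliberately, or at least `register:` the git result and log the deployed revision.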
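Review bot: In the @@ -30,14 hunk both the initial install and the new `reinstall broken package` task carry `ignore_errors: yes`, so a freeradius-python3 that is still broken after the post-install fix is never reported and the play goes on to configure freeradius against a missing module. Register the reinstall result and make the outcome visible, e.g. `register: reinstall_result` followed by a `command: dpkg -s freeradius-python3` check with `changed_when: false`, so the play stops at the real failure. Dropping `no_log: yes` on the first attempt is fine, since apt output carries no secrets.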
@@ -79,3 +86,149 @@ # End of hideousness (hopefully). + +- name: Configure log rotation + template: + src: "freeradius-logrotate.j2" + dest: "/etc/logrotate.d/freeradius" + + +# Database setup + + +- name: Install postgresql + apt: + name: + - postgresql + - postgresql-client + +- name: Install postgresql ansible module requirement(s) + pip: + name: psycopg2 + +- name: Create read-only user + community.general.postgresql_user: + name: re2o_ro + password: "{{ radius_pg_re2o_ro_password }}" + become_user: postgres + +- name: Create replication user + community.general.postgresql_user: + name: replication + password: "{{ radius_pg_replication_password }}" + become_user: postgres + + +- name: Nuking - Stop freeradius + systemd: + name: freeradius + state: stopped + when: nuke_radius|default(false) + +- name: Nuking - Remove old subscription if it exists + community.general.postgresql_subscription: + name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}" + db: re2o + state: absent + become_user: postgres + when: nuke_radius|default(false) + ignore_errors: yes + +- name: Nuking - Destroy old local DB if it exists + community.general.postgresql_db: + name: re2o + state: absent + become_user: postgres + when: nuke_radius|default(false) + +- name: Create local DB + community.general.postgresql_db: + name: re2o + owner: replication + state: present + encoding: "UTF8" + lc_collate: 'fr_FR.UTF-8' + lc_ctype: 'fr_FR.UTF-8' + become_user: postgres + +- name: Dump radius re2o PostgreSQL database schema from master + community.general.postgresql_db: + name: re2o + state: dump + target: /tmp/re2o-schema.sql + target_opts: '-s' + login_host: 10.128.0.12 + login_user: replication + login_password: "{{ radius_pg_replication_password }}" + + +- name: Restore DB + tags: + - restore + community.general.postgresql_db: + name: re2o + state: restore + target: /tmp/re2o-schema.sql + target_opts: "-s" + login_host: localhost + login_user: replication + login_password: "{{ 
radius_pg_replication_password }}" + + +- name: Grant select permissions on all tables to read-only user + tags: + - perms + community.general.postgresql_privs: + database: re2o + privs: SELECT + objs: ALL_IN_SCHEMA + schema: public + roles: re2o_ro + become_user: postgres + +- name: Grant usage permission on schema to read-only user + tags: + - perms + community.general.postgresql_privs: + database: re2o + privs: USAGE + objs: public + type: schema + roles: re2o_ro + become_user: postgres + +- name: Set default privileges in schema + tags: + - perms + community.general.postgresql_privs: + database: re2o + privs: SELECT + schema: public + objs: TABLES + type: default_privs + roles: re2o_ro + become_user: postgres + + +- name: Set up subscription to main database + tags: + - sub + community.general.postgresql_subscription: + name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}" + connparams: + host: re2o-db.adm.auro.re + user: replication + password: "{{ radius_pg_replication_password }}" + dbname: re2o + db: re2o + publications: + - re2o_pub + become_user: postgres + + +- name: Restart freeradius, ensure enabled + systemd: + name: freeradius + enabled: yes + state: restarted + daemon_reload: yes diff --git a/roles/radius/templates/freeradius-logrotate.j2 b/roles/radius/templates/freeradius-logrotate.j2 new file mode 100644 index 0000000..91d5df4 --- /dev/null +++ b/roles/radius/templates/freeradius-logrotate.j2 
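Review bot: The schema dump task hard-codes `login_host: 10.128.0.12` while the subscription task below connects to `re2o-db.adm.auro.re`; if these are the same server, use one variable (e.g. `re2o_db_host`) in both so they cannot drift apart. The dump is written to the fixed path `/tmp/re2o-schema.sql` and read back by `Restore DB`; a predictable name in the shared `/tmp` is a classic symlink/tampering spot, so create it with the `tempfile` module or under a root-owned directory and remove it after the restore. The tasks passing `login_password` and `connparams.password` should set `no_log: true` unless you have confirmed the module masks them in verbose output (`connparams` is a plain dict). Finally, `pip: name: psycopg2` pulls an unpinned build from PyPI at run time; Debian ships `python3-psycopg2`, which would keep this role apt-only and reproducible.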
@@ -0,0 +1,50 @@ +# The main server log +/var/log/freeradius/radius.log { + # common options + daily + rotate 365 + missingok + compress + delaycompress + notifempty + + copytruncate +} + +# (in order) +# Session monitoring utilities +# Session database modules +# SQL log files +/var/log/freeradius/checkrad.log /var/log/freeradius/radwatch.log +/var/log/freeradius/radutmp /var/log/freeradius/radwtmp +/var/log/freeradius/sqllog.sql +{ + # common options + daily + rotate 365 + missingok + compress + delaycompress + notifempty + + nocreate +} + +# There are different detail-rotating strategies you can use. One is +# to write to a single detail file per IP and use the rotate config +# below. Another is to write to a daily detail file per IP with: +# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail +# (or similar) in radiusd.conf, without rotation. If you go with the +# second technique, you will need another cron job that removes old +# detail files. You do not need to comment out the below for method #2. +/var/log/freeradius/radacct/*/detail { + # common options + daily + rotate 365 + missingok + compress + delaycompress + notifempty + + nocreate +} diff --git a/roles/radius/templates/local_routers.py.j2 b/roles/radius/templates/local_routers.py.j2 new file mode 100644 index 0000000..ce42020 --- /dev/null +++ b/roles/radius/templates/local_routers.py.j2 
@@ -0,0 +1,28 @@ +class DbRouter(object): + """ + A router to control all database operations on models in the + auth application. + """ + def db_for_read(self, model, **hints): + """ + Attempts to read remote models go to local database. + """ + return 'default' + + def db_for_write(self, model, **hints): + """ + Attempts to write remote models go to the remote database. + """ + return 'master' + + def allow_relation(self, obj1, obj2, **hints): + """ + Allow relations involving the remote database + """ + return True + + def allow_migrate(self, db, app_label, model_name=None, **hints): + """ + Allow migrations on the remote database + """ + return True diff --git a/roles/radius/templates/settings_local.py.j2 b/roles/radius/templates/settings_local.py.j2 index 1a6308e..01d9043 100644 --- a/roles/radius/templates/settings_local.py.j2 +++ b/roles/radius/templates/settings_local.py.j2 @@ -44,14 +44,14 @@ DEBUG = False ADMINS = [('AURORE', 'monitoring.aurore@lists.crans.org'), ('Gabriel Detraz', 'detraz@crans.org')] # The list of hostname the server will respond to. -ALLOWED_HOSTS = ['radius-pacaterie.adm.auro.re'] +ALLOWED_HOSTS = ['{{ inventory_hostname }}'] # The time zone the server is runned in TIME_ZONE = 'Europe/Paris' # The storage systems parameters to use DATABASES = { - 'default': { # The DB + 'master': { 'ENGINE': 'django.db.backends.postgresql_psycopg2', 'NAME': 're2o', 'USER': 're2o', @@ -62,7 +62,18 @@ DATABASES = { 'COLLATION': 'utf8_general_ci' } }, - 'ldap': { # The LDAP + 'default': { + 'ENGINE': 'django.db.backends.postgresql_psycopg2', + 'NAME': 're2o', + 'USER': 're2o_ro', + 'PASSWORD': "{{ radius_pg_re2o_ro_password }}", + 'HOST': 'localhost', + 'TEST': { + 'CHARSET': 'utf8', + 'COLLATION': 'utf8_general_ci' + } + }, + 'ldap': { 'ENGINE': 'ldapdb.backends.ldap', 'NAME': 'ldap://10.128.0.11/', 'USER': 'cn=admin,dc=auro,dc=re', 
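Review bot: `allow_migrate` returns `True` for every alias, so Django's `migrate` will also try to apply migrations to `default`, which settings_local.py.j2 now binds to the read-only `re2o_ro` connection on the logically replicated local copy; at best that fails on permissions, at worst it diverges the replica's schema from what `re2o_pub` publishes. Restrict it to the writable alias: `return db == 'master'`. It would also help to name the aliases in the `db_for_read`/`db_for_write` docstrings (`'default'` = local read-only replica, `'master'` = central re2o DB) so the routing is explicit to the next reader.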
@@ -114,3 +125,5 @@ OPTIONNAL_APPS_RE2O = () # Some Django apps you want to add in you local project OPTIONNAL_APPS = OPTIONNAL_APPS_RE2O + () + +LOCAL_ROUTERS = ["re2o.local_routers.DbRouter"] diff --git a/roles/radvd/handlers/main.yml b/roles/radvd/handlers/main.yml new file mode 100644 index 0000000..f2ce52c --- /dev/null +++ b/roles/radvd/handlers/main.yml @@ -0,0 +1,5 @@ +- name: restart radvd + systemd: + state: restarted + name: radvd + enabled: yes diff --git a/roles/radvd/tasks/main.yml b/roles/radvd/tasks/main.yml new file mode 100644 index 0000000..75c72c1 --- /dev/null +++ b/roles/radvd/tasks/main.yml @@ -0,0 +1,22 @@ +--- + + +# Warning: radvd installation seems to fail if the configuration +# file doesn't already exist when the package is installed, +# so the order is important. +- name: Configure radvd + template: + src: radvd.conf.j2 + dest: /etc/radvd.conf + mode: 0644 + notify: restart radvd + tags: + - radconf + +- name: Install radvd + apt: + update_cache: true + name: radvd + state: present + notify: restart radvd + diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2 new file mode 100644 index 0000000..300f50b --- /dev/null +++ b/roles/radvd/templates/radvd.conf.j2 
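Review bot: `mode: 0644` in the new radvd `Configure radvd` task is an unquoted plain scalar; YAML 1.1 loaders read it as the integer 420, which only works because the leading-zero form is parsed as octal, and a later edit to `644` (no zero) would silently become mode 01204. Write it as a string, `mode: "0644"`, here and in the new `template` tasks of roles/router/tasks/main.yml (`interfaces-aurore`, `firewall_config_aurore.py`, `keepalived-aurore.conf`). The handlers file could also start with `---` like the tasks file.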
@@ -0,0 +1,80 @@ +# -*- mode: conf-unix; coding: utf-8 -*- + +## +# Bornes Wi-Fi +## + +# # Need to add an interface for this VLAN on "routeur-*" hosts. +# +# interface ens19 { +# AdvSendAdvert on; +# AdvLinkMTU {{ mtu }}; +# AdvDefaultPreference high; +# MaxRtrAdvInterval 30; +# +# AdvRASrcAddress { +# {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:250; # Unifi controller +# }; +# +# prefix {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::/64 { +# AdvRouterAddr on; +# }; +# +# # La zone DNS +# DNSSL borne.auro.re {}; +# +# # Les DNS récursifs +# RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {}; +# RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {}; +# }; + +## +# Utilisateurs filaire +## +interface ens20 { + AdvSendAdvert on; + AdvLinkMTU {{ mtu }}; + AdvDefaultPreference high; + MaxRtrAdvInterval 30; + + AdvRASrcAddress { + fe80::1; # link-local virtual IP used with keepalived + }; + + prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 { + AdvRouterAddr on; + }; + + DNSSL fil.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround. + + RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_main }} {}; + RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_backup }} {}; +}; + + +## +# Utilisateurs wifi +## +interface ens21 { + AdvSendAdvert on; + AdvLinkMTU {{ mtu }}; + AdvDefaultPreference high; + MaxRtrAdvInterval 30; + + AdvRASrcAddress { + fe80::1; + }; + + prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64 { + AdvRouterAddr on; + }; + + DNSSL wifi.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround. + + RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_main }} {}; + RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_backup }} {}; +}; + + + +# For public IPs: will use DHCPv6, deployed on routeur-aurore alone. 
diff --git a/roles/re2o-service/tasks/main.yml b/roles/re2o-service/tasks/main.yml index 5b7d039..68e963c 100644 --- a/roles/re2o-service/tasks/main.yml +++ b/roles/re2o-service/tasks/main.yml @@ -21,8 +21,8 @@ become: true become_user: "{{ service_user }}" -- name: Configure re2o {{ service_name }} project - ini_file: +- name: "Configure re2o {{ service_name }} project" + community.general.ini_file: path: "{{ service_homedir }}/config.ini" section: Re2o option: "{{ item.key }}" diff --git a/roles/router/handlers/main.yml b/roles/router/handlers/main.yml index 11ba484..b095c21 100644 --- a/roles/router/handlers/main.yml +++ b/roles/router/handlers/main.yml @@ -2,6 +2,7 @@ systemd: state: restarted name: keepalived + enabled: yes - name: run aurore-firewall command: python3 main.py --force diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml index 6073afe..a686a6e 100644 --- a/roles/router/tasks/main.yml +++ b/roles/router/tasks/main.yml @@ -1,11 +1,35 @@ --- +# XXX: YES, this is ugly as fuck. +- name: set IP suffix (main) + set_fact: + router_hard_ip_suffix: 240 + when: "'backup' not in ansible_hostname" + +- name: set IP suffix (backup) + set_fact: + router_hard_ip_suffix: 140 + when: "'backup' in ansible_hostname" + - name: Enable IPv4 packet forwarding - sysctl: + ansible.posix.sysctl: name: net.ipv4.ip_forward value: '1' sysctl_set: yes +- name: Enable IPv6 packet forwarding + ansible.posix.sysctl: + name: net.ipv6.conf.all.forwarding + value: '1' + sysctl_set: yes + +- name: Configure /etc/network/interfaces for routeur-aurore* + template: + src: interfaces-aurore + dest: /etc/network/interfaces + mode: 0644 + when: "'routeur-aurore' in ansible_hostname" + - name: Install aurore-firewall (re2o-service) import_role: name: re2o-service 
@@ -19,12 +43,21 @@ password: "{{ vault_serviceuser_passwd }}" notify: run aurore-firewall -- name: Configure aurore-firewall +- name: Configure aurore-firewall for local router template: src: firewall_config.py dest: /var/local/re2o-services/aurore-firewall/firewall_config.py mode: 0644 notify: run aurore-firewall + when: "'routeur-aurore' not in ansible_hostname" + +- name: Configure aurore-firewall for routeur-aurore* + template: + src: firewall_config_aurore.py + dest: /var/local/re2o-services/aurore-firewall/firewall_config.py + mode: 0644 + notify: run aurore-firewall + when: "'routeur-aurore' in ansible_hostname" - name: Install keepalived apt: @@ -34,13 +67,21 @@ retries: 3 until: apt_result is succeeded -- name: Configure keepalived +- name: configure keepalived for local router template: src: keepalived.conf dest: /etc/keepalived/keepalived.conf mode: 0644 notify: restart keepalived + when: "'routeur-aurore' not in ansible_hostname" +- name: configure keepalived for routeur-aurore* + template: + src: keepalived-aurore.conf + dest: /etc/keepalived/keepalived.conf + mode: 0644 + notify: restart keepalived + when: "'routeur-aurore' in ansible_hostname" - name: Configure cron template: diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py index bd013d3..4f6b755 100644 --- a/roles/router/templates/firewall_config.py +++ b/roles/router/templates/firewall_config.py @@ -24,8 +24,8 @@ ### Give me a role -# routeur4 = routeur IPv4 -role = ['routeur4'] +# previously: routeur4 = routeur IPv4 +role = ['routeur'] ### Specify each interface role diff --git a/roles/router/templates/firewall_config_aurore.py b/roles/router/templates/firewall_config_aurore.py new file mode 100644 index 0000000..c41fd92 --- /dev/null +++ b/roles/router/templates/firewall_config_aurore.py 
@@ -0,0 +1,49 @@ +# -*- mode: python; coding: utf-8 -*- +# Re2o est un logiciel d'administration développé initiallement au rezometz. Il +# se veut agnostique au réseau considéré, de manière à être installable en +# quelques clics. +# +# Copyright © 2017 Gabriel Détraz +# Copyright © 2017 Goulven Kermarec +# Copyright © 2017 Augustin Lemesle +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +### Give me a role + +role = ['routeur'] + +### Specify each interface role + +interfaces_type = { + 'routable' : ['ens21', 'ens22'], + 'sortie' : ['ens18', 'ens1'], + 'admin' : ['ens19', 'ens20', 'ens23'] +} + +### Specify nat settings: name, interfaces with range, and global range for nat +### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST +### contain /16 range + +nat = [ + { + 'name' : 'AdminVlans', + 'extra_nat' : { + '10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}', + '10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}', + '10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}' + } + } +] diff --git a/roles/router/templates/interfaces-aurore b/roles/router/templates/interfaces-aurore new file mode 100644 index 0000000..440392f --- /dev/null +++ b/roles/router/templates/interfaces-aurore 
@@ -0,0 +1,84 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +source /etc/network/interfaces.d/* + +# The loopback network interface +auto lo +iface lo inet loopback + +# VLAN 129: routage +auto ens18 +iface ens18 inet static + address 10.129.0.{{ router_hard_ip_suffix }}/16 + gateway 10.129.0.1 + +iface ens18 inet6 static + address 2a09:6840:129::0:{{ router_hard_ip_suffix }}/64 + + post-up ip route add 2a09:6840:10::/64 via 2a09:6840:129::1:254 dev ens18 + post-up ip route add 2a09:6840:11::/64 via 2a09:6840:129::1:254 dev ens18 + + post-up ip route add 2a09:6840:20::/64 via 2a09:6840:129::2:254 dev ens18 + post-up ip route add 2a09:6840:21::/64 via 2a09:6840:129::2:254 dev ens18 + + post-up ip route add 2a09:6840:40::/64 via 2a09:6840:129::4:254 dev ens18 + post-up ip route add 2a09:6840:41::/64 via 2a09:6840:129::4:254 dev ens18 + + post-up ip route add 2a09:6840:50::/64 via 2a09:6840:129::5:254 dev ens18 + post-up ip route add 2a09:6840:51::/64 via 2a09:6840:129::5:254 dev ens18 + + +# The primary network interface +allow-hotplug ens19 +iface ens19 inet static + address 10.128.0.{{ router_hard_ip_suffix }}/16 + gateway 10.128.0.254 + dns-search adm.auro.re + +iface ens19 inet6 static + address 2a09:6840:128::0:{{ router_hard_ip_suffix }}/64 + + # Ensures internet connectivity when running as keepalived backup. + gateway 2a09:6840:128::0:254 + +# VlAN 130: switches +auto ens20 +iface ens20 inet static + address 10.130.0.{{ router_hard_ip_suffix }}/16 + +iface ens20 inet6 static + address 2a09:6840:130::0:{{ router_hard_ip_suffix }}/64 + +# VLAN 111: IPs publiques serveurs +auto ens21 +iface ens21 inet static + address 45.66.111.{{ router_hard_ip_suffix }}/24 + + # Nécessaire pour contacter re2o et bootstrap le firewall. + # Ces directives sont _aussi_ set par aurore-firewall ! 
+ up iptables -t nat -A POSTROUTING -s 10.129.0.{{ router_hard_ip_suffix }}/32 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }} + up iptables -t nat -A POSTROUTING -s 10.128.0.0/16 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }} + up iptables -t nat -A POSTROUTING -s 10.130.0.0/16 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }} + +iface ens21 inet6 static + address 2a09:6840:111::{{ router_hard_ip_suffix }}/48 + +# VLAN 110: IP publiques adhérents +auto ens22 +iface ens22 inet static + address 45.66.110.{{ router_hard_ip_suffix }}/24 + +iface ens22 inet6 static + address 2a09:6840:110::{{ router_hard_ip_suffix }}/48 + +# VLAN 131: onduleurs et PDU +auto ens23 +iface ens23 inet static + address 10.131.0.{{ router_hard_ip_suffix }}/16 + +iface ens23 inet6 static + address 2a09:6840:131::0:{{ router_hard_ip_suffix }}/64 + +auto ens1 +iface ens1 inet6 manual diff --git a/roles/router/templates/keepalived-aurore.conf b/roles/router/templates/keepalived-aurore.conf new file mode 100644 index 0000000..6687229 --- /dev/null +++ b/roles/router/templates/keepalived-aurore.conf 
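Review bot: The IPv4 stanzas declare two `gateway` lines, `gateway 10.129.0.1` on ens18 and `gateway 10.128.0.254` on ens19; ifupdown installs each as a default route, so the second interface to come up typically fails with "RTNETLINK answers: File exists" and the effective default depends on bring-up order, whereas the IPv6 side deliberately keeps a single gateway. If the ens19 gateway is meant as the keepalived-BACKUP fallback, give it a distinct `metric` or replace it with an explicit `post-up ip route add default via 10.128.0.254 metric 100`, and drop the plain `gateway`. The `up iptables -t nat -A POSTROUTING ...` lines on ens21 also lack matching `down iptables -t nat -D ...` lines, so every ifdown/ifup cycle appends duplicate SNAT rules on top of what aurore-firewall installs.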
@@ -0,0 +1,121 @@ +global_defs { + notification_email { + monitoring.aurore@lists.crans.org + } + notification_email_from routeur-aurore{% if 'backup' in inventory_hostname %}-backup{% endif %}@auro.re + smtp_server smtp.crans.org +} + + +vrrp_instance VI_ROUT_aurore_IPv4 { + {% if 'backup' in inventory_hostname %} + state BACKUP + priority 100 + {% else %} + state MASTER + priority 150 + {% endif %} + + + # Interface used for VRRP communication. + interface ens19 + + # Shared by MASTER and BACKUP + virtual_router_id 40 + + # Timeout in seconds before failover kicks in. + advert_int 2 + + # Used to authenticate VRRP communication between master and backup. + authentication { + auth_type PASS + auth_pass {{ keepalived_password }} + } + + smtp_alert + + virtual_ipaddress { + # Routing + 10.129.0.254/16 brd 10.129.255.255 dev ens18 scope global + + # Adm + 10.128.0.254/16 brd 10.129.255.255 dev ens19 scope global + + # Switches + 10.130.0.254/16 brd 10.130.255.255 dev ens20 scope global + + # IPs publiques serveurs + 45.66.111.254/24 brd 45.66.111.255 dev ens21 scope global + + # IPs publiques adhérents + 45.66.110.254/24 brd 45.66.110.255 dev ens22 scope global + + # VLAN 131: Onduleurs et PDUs + 10.131.0.254/16 brd 10.131.255.255 dev ens23 scope global + } + + + virtual_routes { + # IPv4 gateway: yggdrasil + src 10.129.0.254 to 0.0.0.0/0 via 10.129.0.1 dev ens18 + } +} + +vrrp_instance VI_ROUT_aurore_IPv6 { + {% if 'backup' in inventory_hostname %} + state BACKUP + priority 100 + {% else %} + state MASTER + priority 150 + {% endif %} + + + # Interface used for VRRP communication. + interface ens19 + + # Shared by MASTER and BACKUP + virtual_router_id 60 + + # Timeout in seconds before failover kicks in. + advert_int 2 + + # Used to authenticate VRRP communication between master and backup. 
+ authentication { + auth_type PASS + auth_pass {{ keepalived_password }} + } + + smtp_alert + + virtual_ipaddress { + # Hello zayo + 2001:1b48:2:103::d7:2/126 dev ens1 scope global + + # Routing + 2a09:6840:129::254/64 dev ens18 scope global + + # Adm + 2a09:6840:128::254/64 dev ens19 scope global + + # Switches + 2a09:6840:130::254/64 dev ens20 scope global + + # IPs publiques serveurs + 2a09:6840:111::254/64 dev ens21 scope global + + # IPs publiques adhérents + 2a09:6840:110::254/64 dev ens22 scope global + + # VLAN 131: Onduleurs et PDUs + 2a09:6840:131::254/64 dev ens23 scope global + } + + + virtual_routes { + # For IPv6, the master router is routeur-aurore, NOT yggdrasil, + # because yggdrasil doesn't support BGPv6 announcements. + src 2001:1b48:2:103::d7:2/126 to ::/0 via 2001:1b48:2:103::d7:1 dev ens1 + } +} + diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf index 6e51fd9..cd217f3 100644 --- a/roles/router/templates/keepalived.conf +++ b/roles/router/templates/keepalived.conf @@ -2,12 +2,12 @@ global_defs { notification_email { monitoring.aurore@lists.crans.org } - notification_email_from routeur-edc-backup@auro.re + notification_email_from routeur-{{ apartment_block }}{% if 'backup' in inventory_hostname %}-backup{% endif %}@auro.re smtp_server smtp.crans.org } -vrrp_instance VI_ROUT_{{ apartment_block }} { +vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 { {% if 'backup' in inventory_hostname %} state BACKUP priority 100 @@ -21,12 +21,11 @@ vrrp_instance VI_ROUT_{{ apartment_block }} { interface ens18 # Shared by MASTER and BACKUP - virtual_router_id {{ apartment_block_id }} + virtual_router_id 4{{ apartment_block_id }} # Timeout in seconds before failover kicks in. advert_int 2 - # Used to authenticate VRRP communication between master and backup. authentication { auth_type PASS 
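Review bot: The Adm VIP line `10.128.0.254/16 brd 10.129.255.255 dev ens19 scope global` carries the broadcast of the routing VLAN (10.129/16) rather than its own; every other entry pairs the address with its matching broadcast, so it should read `10.128.0.254/16 brd 10.128.255.255 dev ens19 scope global`. Separately, `auth_type PASS` sends the VRRP password in clear text on ens19 (pre-existing in keepalived.conf, and keepalived's documentation describes VRRP authentication as deprecated), so this only holds up as long as the adm VLAN stays a trusted segment; a comment saying so next to the `authentication` block would help the next maintainer.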
@@ -39,19 +38,72 @@ vrrp_instance VI_ROUT_{{ apartment_block }} { # Routing subnet 10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global - # Public subnet: wired + + # NATed subnet: wired 45.66.108.25{{ apartment_block_id }}/24 brd 45.66.108.255 dev ens19 scope global - # Public subnet: wifi + + # NATed subnet: wifi 45.66.109.25{{ apartment_block_id }}/24 brd 45.66.109.255 dev ens19 scope global # Wired 10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global + # Wifi 10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global } + virtual_routes { # 10.129.0.1 is Yggdrasil src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19 } } + +vrrp_instance VI_ROUT_{{ apartment_block }}_IPv6 { + {% if 'backup' in inventory_hostname %} + state BACKUP + priority 100 + {% else %} + state MASTER + priority 150 + {% endif %} + + + # Interface used for VRRP communication. + interface ens18 + + # Shared by MASTER and BACKUP + virtual_router_id 6{{ apartment_block_id }} + + # Timeout in seconds before failover kicks in. + advert_int 2 + + # Used to authenticate VRRP communication between master and backup. + authentication { + auth_type PASS + auth_pass {{ keepalived_password }} + } + + smtp_alert + + virtual_ipaddress { + # Routing subnet + fe80::1/64 dev ens19 scope global + {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254/64 dev ens19 scope global + + # Wired + fe80::1/64 dev ens20 scope global + + # Wifi + fe80::1/64 dev ens21 scope global + } + + + virtual_routes { + # For IPv6, the master router is routeur-aurore, NOT yggdrasil, + # because yggdrasil doesn't support BGPv6 announcements. + src {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254 to ::/0 via {{ ipv6_base_prefix }}:129::0:254 dev ens19 + } +} + + 
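Review bot: `fe80::1/64 dev ens19 scope global` in the new IPv6 instance gives every apartment-block router the same link-local address on its routing-subnet interface; since the IPv4 side of this template reaches `10.129.0.1` directly through ens19, those interfaces presumably share one L2 segment, so several masters would claim fe80::1 there at once (DAD conflicts, or silently duplicated link-locals if keepalived adds the VIP with nodad). Nothing in the hunk needs that address, the default route goes `via {{ ipv6_base_prefix }}:129::0:254`, so the line can be dropped, whereas fe80::1 on the per-block ens20/ens21 VLANs is the usual gateway link-local and is fine. The `scope global` keyword on the remaining fe80:: entries is misleading rather than harmful, since the kernel derives an IPv6 address's scope from the address itself; `scope link` reads honestly. `virtual_router_id 6{{ apartment_block_id }}` (like `4{{ apartment_block_id }}` in the preceding hunk) is string concatenation: it yields 60/40, the IDs the routeur-aurore template uses, when apartment_block_id is 0, and an out-of-range value such as 610 once the id has two digits, so if these instances ever share a link with routeur-aurore the advertisements would collide; an assert in the role that the rendered ID is unique and within 1–255 (or `virtual_router_id {{ 60 + apartment_block_id|int }}` plus that assert) would make the single-digit assumption explicit.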
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index 62c93be..efdebe1 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 @@ -11,20 +11,32 @@ server: logfile: "/var/log/unbound/unbound.log" do-ip4: yes - # FIXME: IPv6 deployment... someday... - do-ip6: no + do-ip6: yes # IP addresses on which to listen. + # + # Note: dns_host_suffix is dynamically set in this role's tasks, + # and changes depending on whether we're handling the main or backup + # recursive DNS node. + + # IPv4 interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }} + + # IPv6 + interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }} + interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }} + interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }} + # By default, anything other than localhost is refused. # Whitelist some subnets: access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow + access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :) num-threads: {{ ansible_processor_vcpus }}
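Review bot: `access-control: {{ ipv6_base_prefix }}::/32 allow` opens the recursor to the whole 2a09:6840::/32 allocation, whereas the IPv4 rules directly above it admit only this block's three /16s; every other apartment block and the public server and member ranges could use this resolver over IPv6, which is inconsistent with the v4 policy and a wider surface (cache-poisoning attempts, reflection toward addresses inside the /32) than the file's "Whitelist some subnets" comment suggests. Mirroring the IPv4 list with the prefixes the new `interface:` lines sit in — e.g. `access-control: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 allow` and the same for `subnet_ids.ap` and `subnet_ids.users_wifi` — keeps the policy per block; the /64 is assumed from the prefix length used for these subnets in the keepalived templates, so confirm the real subnet size. If the whole /32 is deliberate, a one-line comment above the rule stating why the IPv6 scope is broader than the IPv4 one would stop a later reader from "fixing" it.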
