From 99070ed5efaf7c865ad47bc780a8354094164536 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Thu, 21 May 2020 18:06:37 +0200
Subject: [PATCH 01/31] radius: step 2 of deployment (WIP)

---
 README.md                                    |  13 +
 group_vars/all/vars.yml                      |   3 +
 group_vars/all/vault.yml                     | 326 +++++++++---------
 network.yml                                  |   2 +-
 roles/radius/tasks/main.yml                  | 134 ++++++-
 .../radius/templates/freeradius-logrotate.j2 |  50 +++
 roles/re2o-service/tasks/main.yml            |   4 +-
 roles/router/tasks/main.yml                  |   2 +-
 8 files changed, 363 insertions(+), 171 deletions(-)
 create mode 100644 roles/radius/templates/freeradius-logrotate.j2

diff --git a/README.md b/README.md
index 6b7d611..d52b7aa 100644
--- a/README.md
+++ b/README.md
@@ -118,3 +118,16 @@ for ip in `cat hosts|grep .adm.auro.re`; do
   ssh-copy-id -i ~/.ssh/id_rsa.pub $ip
 done
 ```
+
+
+### Passage à Ansible 2.10 (release: 30 juillet)
+
+```bash
+ansible-galaxy collection install community.general
+ansible-galaxy collection install ansible.posix
+```
+
+Erreur avec sudo ?
+Workaround: `$ export ANSIBLE_BECOME_PASS=''`
+(notez l'espace au début pour ne pas log la commande dans votre historique
+shell)
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index eb846b4..3b0c131 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -67,3 +67,6 @@ re2o_aes_key: "{{ vault_re2o_aes_key }}"
 radius_secret_aurore: "{{ vault_radius_secrets.aurore }}"
 radius_secret_wifi: "{{ vault_radius_secrets.wifi }}"
 radius_secret_wired: "{{ vault_radius_secrets.wired[apartment_block] }}"
+
+radius_pg_replication_password: "{{ vault_re2o_db_user_passwords.replication }}"
+radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}"
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 1443e22..ff1c922 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,162 +1,166 @@ $ANSIBLE_VAULT;1.1;AES256 -61336339613837303864333338376131306234356334366237613038323565363539656161643663 -3630396462363834616166383634323735386461653430330a353861386131386130613733663465 -66363639336164303137326133373364643539663032303237633831333764376534366464313030 -6161663162613636660a393262663061656235333836356331366638313263333364306262636631 -62393434336561313630343366626136393933383966613463353135643334666432366433383038 -39306538616266656536373435363963336463366635653433666566343162623065323738336339 -38346632383039663666623137393431313931656538326136356433386261303638616165626336 -63326134336330646236336631306266306532366435323830333233363565366134373236623263 -62653836386362613166643762633865303239666662313138363866373335333566353033613732 -38663634313962373264393763303733616236346230393665633366316538666334333537306536 -61643061356633646133616138396163346538633065313935666639623531303861303663666466 -63346531666362386363383534303436376338653034633565383361386430386636336664626431 -62613263306132633336363562323030613832373363646464303263616264353431386664626137 -36633434343536346333383530343965313262353639363266656562633132343036656137383938 -63333165333835636634336336343732383865306634393939343332396565643661313666656239 -61633635623236383764646664356539383834303437636338633138343465656337643962616365 -37633032303161616664333264336331626531613031363066323137313539373637646533623663 -66313662356438666566313364653933316335376438313939313430643865643432356139353231 -31356236663234383564383162633431376436396331613838613039343762336562343562653738 -33383163653535373538646237623865356462626665613136316365623036396536373633363536 -30613932656534313966633664303661336366336561656434373438373361643532623335643234 -61353466323636663463643262616635653639633463373235636432616561623662393838636335 -30646164633962353138396164303666633366363364373039393339383063316238393332623139 
-62333166393831636232373738643962613063396530633132366536663839333136656338336464 -37633039626138666261343863363232633936323234386362373463353737343330656430643966 -30633037613033383134653133653232373236353535663033323634633564656636316636383537 -65373663393235323561386232613634663962653564373634333034373530353264333037663431 -32326438613436333935346335313364363361383732323362383437626234663533396235333935 -31333132366534373832636637333664346365393236353366363937306138333961393939626138 -33333036653839623138373832613233326262633836363562346261323639383536353433613764 -63323434663437653236383334346634633765636339646665653638333938303665643132643735 -63393838363732646339343937323732653939656466313637383738626131396261303838326565 -34393934333738323137646264666633386661343637613462393864613134383538653966383732 -64383738653833306266663431623162643333616537656136373439373462626266383663303031 -63666265373664653334373266616437653764623765616539343139373934356133613338376239 -63393735613066636432663466353865666661316232393361306438623036643438346130383937 -36373762316263643764303638383633373161383862373630386465643462396432656134313764 -61666534636565366136653438666339346539303238613135613261333431336361346138333161 -33393130333765326361336239373365366332626566396639643966313434666561626262646664 -37386534316136613061343333656630303839356366623835656239306562646436656131366366 -36346635393235663630633331646231313737363535643663333162616135316566396530303030 -33346331303935326631646563663833663266323937383134396162353131396231323837656631 -66373864316332646433316131633435386133373239333261616136613632613162346366643366 -30363030393736343438643866343363366331393031633638333731393732646132393165383361 -31303637386535366535386332666133316564366463313465313637393663623662373431646234 -62663461353961626237343663356664623731376432343538656332613866323135373637313831 -34396132343961656266656430663838643464353362393732623739393938353764323065303464 
-66656435303333616432313232333431326535613635396536663835626361643733363461653831 -33313634656632633831313866306233363633316330313037313035366537373034326231383463 -34633062353635396261353438633564623564346536356131353166353835336135316662343262 -34386333353731313335333339323936643862386264363565373737383364623366663265353339 -62663730623430303535333138653636323864383039653361383435383062336537633865356466 -64303532303338383365326635353363363161613962336166663764353562666236336133353538 -35343733343338346666366139363261313662633866306263666331313336336330326537636538 -37326330393732636163333161643831356533393238303039643663663766613634376336303062 -66316138396433356365623437323932663632393831613835366632653138656530336236383063 -31376433343664643863396537663730663335656262306663303961333832343366343835616362 -34393032363862636639656338656462636436343238616663616634393365353432623361323763 -66323937643936636537323866353461653232653136663631313231613731353231313130353565 -31373336643261336535663739316366626634323635616537666131653534333164353836336531 -36613763353135346630323138643039383634393234656330306664346136346238343762646639 -38383466356332383063613565383765313931356235363330366138333064383938316538373933 -32353836663535613339636130303832323231633832353366393166373235306538656364633666 -62386134643738363830613130353565666337343861653538366530373966626330343032393531 -64373162626336353631306661623837353036663364383930303633613561373432303366323463 -37633963633835363565643131343962656463376163336366383531303164303263663034303530 -30616337373466663939333666313761313334626335376236363436376563626534626666383230 -35373537633135346138323231316565633862666432626430386231653532663132333532373837 -38316161316565346663323138623538356130303564306638623461323765366634633161356234 -39313862336532326161346436363865353833663663376566303865616264303035323864633739 -30383435653961303861646365356462376261663634383433383137363734616337643836333730 
-37643737626339646434386638326439663264373362333165623637306664396330303164363366 -66353234386137343136363764633463666137653438393131393436613563313934313736303165 -33633638373561623933623033333036346339346533373435336262346164656162303561366638 -30383035623338653430343731353766653164616139616638636563643630313735333463376662 -62666661623438333936323762616433373236396439636563646237313535343866333064393432 -64336139623933323265333633616131396661656264396262646662303633346262356662633535 -31333038666163316132613365386662396330366630313562663561313962366261323131623939 -33626634303663353466306631653439633430383138643534386430623238326332303232623965 -61653165323132303335353338353366323462633763623062616335663831653266323463353364 -61303339336162663235303837643432383333343466333365333535633763396664353636613165 -38306536656665333731376339383061383232346437643564346134396265633362616161306339 -63333264656235393639386435353631333438376166646662656631353838326338656438326231 -65326563363431653266623034393435383061333533316235363236393131333231366665343964 -65376438653165633265646233343131373133313939666163313735336564333038333765623766 -38633061303731623832353638396566373238393535383631396566343035656137353461613838 -65363239303664613132363466383336313038653962343939616363323339333866343036613238 -34656537663765346430623332656266323035343435616361343537306263363466373665306361 -39663066633833306330336334306437323430643764306266626634633139396231353638633665 -66336364633536323931343930623832306331393533626539306361333961306663353266303631 -30326633326332353861383735656362306334646238656137656533323835633937313439356538 -38653130656465656531623635343565663739306665313932356562313131373934393435623932 -38663737306135306332373730613466386631353463633261663532393933663034633634343934 -34353437393934663866323236346236383664343963383239636332643639623131376466656363 -32336363616661303535633037303334343861616263616334626430396334633934303162633839 
-65613163303037653963353535343132323431326262643862393365356437316566393130383866 -32666133333166656566373532373064373138333335313563633963393938383363396464396532 -61303037326665316634363536653537393933666532396339366531636362306537626638623634 -32383363663134623133626332343132333335356133646134656330376339306538633165353634 -65663731313832613264633430393531633765353233363766386137306364303138373339633438 -62323837653531393738636531303130653530656632393535393739363565666162376436376138 -65656131656165626636386435346132623030626664656437633261383037396332323534653664 -31306137313162356638653064363236336434626134313966613335653633623338356230323133 -61653437663537376561633235646361633233316662313331303962303161393937346565333366 -31326362303735353937313734363738636439323338646531383235626137393334306363393031 -32383861643734396132626231333537656431656165316261376237333734623635623837623366 -61346566663433366364326561313663333732303737346533363536313365353863333632386232 -63363639656230373639336636333464336136343839353835616565313165336537613666613233 -33313130373838633736306237326666383736616663343838323137663632626630313334623063 -34313737613334343331613864343062663130633963386466626233386332633233663762306237 -35316635396439333934363836353134363538643430363066616636343634643230383630626138 -65623931383631396465353163636161376337346335303738326433363835346162643732393464 -32346462383432636530636166633466393239316631663834653562353436636637393136663933 -36326538646331333436316262373037343065656662623563313465643832626539326261333738 -62353063373461373835333662626465303030366535303332336362663166633736316237313535 -32336533333536626461383737643161373738616539396339336165333162333830633661363162 -38626365616633363431303333613237343538393734653533663831613336346164343734313435 -62366264323738383038393938663366613533666438393261636336363266393736636634323436 -37643262316663663938353338343338373162356337313566376134313464643336326138313838 
-36366136306163306265663836663235623231306334633734633736306239316334616132303531 -39663562373762653634666438333861626563353366396231356232663737396436633934363734 -33353738656430383066373463313336623231613530313830633965356361323138396139353664 -38393339613064303365343766663536643061393864313466343966356666633231353765376364 -37636439356164646633313231346365376566663930386563633062633234303163333131663332 -38653431303264636266326665633465303635373762363663303164636330356636616137626633 -30366466626164333332613933396362666135623137636537653838646664643235626233303531 -64373833646434653530613935336434323737313061333930316563653331643938623438626632 -34386236633462616231353063353330346663323535333335383465366135653064343535616233 -31613236303238663331613739623261366231613661653033626562376664336161303134646535 -36393461626237666466353862303564306333356635303035346237653062663238323030313866 -37613530346335623031316165666137626631653965333236396162323966356633306630633934 -66323465643834396635363131343735643365363163646132373537383233663830643330643666 -38316461313830326433643566366566343966376362373661373839353933353231653539393534 -61373437663937616237353064653934333330306230373034376631633963316236626232643136 -36633865343363373530646566313636326130323136346235636430346561333030393361623161 -38636531626632633632616139613861363332383030396338356461623865323262663763303564 -33643661353230336430383930643433613938646133316636666463626363396264643638363762 -30343135643530356633373330353565373264383665333237663331373035613336653135333133 -37386439303763616138313661333335626532633731373939633966323332646364383665333331 -35623133303865346464313761396462613435613262383339663735386639393536646634323935 -34646661613839386639313733333036623439666536396463336663393737383130383962366336 -37656431653533333338633162663938646432306163376438396134376565353531353832663439 -34366435326364356464366633356332656231623164646361653737333331653636353136626465 
-63353233396234386630643864333364373562643333343036386639333036326362383264313431 -62636362663631376666383034303337393562613135376537376335343939343630343766356362 -63326435646163663737633133313735316663386337363830646261396333636431363938623062 -63363338373334343634366139363866343731626561626565663339643164633731396363353435 -32663634366532343939366130363233373634323664313765636235383638613061323034663364 -65646665653732326530383962313762313035353866636362363835613261643331666135336365 -35353161663966643564383935386331633730386134343837613164623537393462313130636235 -66653539396639623264303733636232343131373339303034633337333930393061306139373638 -30363139386238636436316239366537663662363432366132346361666436353337663830363037 -38643365366339343961383234313830623138316235383464346439396166363739623937653166 -31323639383838323362323663316265333162393664346262323562646232613134626335366231 -63366230623733643336373132383633356530653766653834663430383538366366363966393237 -64633436653332646336343037303665306465323162643863336235623435666131636661616635 -34336562393961383737393632623035633362383763666138343533363166363731323832343534 -31343038666533343130396264613836396434323363396434653938353131336262373936353333 -65373265306132623235316439373936353834376639386364383763643438373039393263383538 -30366532313335306332306261333434613733383430356633626338643537373030336434383231 -39656162643264316239646339643835343934323639623334303931613938363531 +62663038646261303939313365653235313039653639333833663661336439363961633861346332 +6236636666353436383264333661303737653131333031360a633432616130616665623732633332 +31346339633935366164316539393134343864376265333336393863356438313638393563656635 +3765386136656566350a663032663462646337616365313966373735663062323766653935336638 +64396235383663633066643039613630383266663430356639366635333334653035653932386238 +39323937646437306435656464653833383139656138393861653836653435316265623764393739 
+61626636646335633238333337393163653465333136626238373931363561663034633035623335 +66653531623235633535363363373333356366636438643666636133336166313839373836333436 +36333831306261376363663633306432656361326133663732633161636633323439343830613863 +32333036373463343138656639303762396237396365613665643231393837616531626261663439 +36363165313033366365383134303333316336363264663966393637393933363931353766363264 +64383363316361663939396463373938396562313434626235653532666237613035313734343764 +33303339653038656632316538653337653330326261653037626165323533363335306635613133 +61346234613266646538636465323231623830363264336465626436373434613339646236326335 +33633036663663303633326136613838653662653165643832666365656561313064313138643061 +37653664343666386138306164626263313634366232633033396238323737373230346261376436 +65643433613465333230356366383333653665653361663262326530653930303637303565333936 +39613130356165363731343037303630376438613533396235313161333366303235373561386261 +64656562373031323031363933663966663362303534643965616162616436393037346563393864 +66663438616139323137663466383338323833393030366162353430613233323366356537356335 +62636137393338326136353532386130366362346366316538386139663832386534643664306561 +62646362306265333532666364303364373334613139386438306439643235346630363631396661 +61643265666337303437633535353833353866633234343262353330383232373932623134623164 +31353566313861376334613665343838626432303130383537613235316261633664613865376430 +30386265353461626232626339316232333561346139346165623531353732313033636530363634 +35626334633734623132626534393134306366356535623739303364383865306135393338653862 +33303435323864376335356162343634383361363066386335636337363138353337613061666165 +36363439393130323234666630303239613735633633306534376135363832613331633766623433 +32633761663361643164613036333266653037363361646538636162343535306463643461643663 +36353062303636616563393535656163316364623832393863393738383532366234326139643635 
+35626339663238613566616163336565383963393734663131396438353633363936393965633363 +33366131636563623537656634613439643732373532333238626364373631303534376134306237 +31643163306663353164616234303061366163623434393137373432316565386133363865633036 +37396334383364393238666331386663386433613134316231636431653464623639346266323363 +37333033663738313061303339626539343632303235363032346362393462313866363363623366 +34353432383630663765643138613936653538376464333737626437353939393637333038356161 +66353663363730613633616431636237363961306661343638656164666165656338313465663463 +31313037353665396338663233386266346231333366373464623163353036363832336463633731 +39373665666231396136393462633163333738633362633464646263643237646663633730616163 +38653632333638396138656531653438643731636530313034656237313830366336383037343162 +66313835303432616437613931643165643763636333363163643864613531313339353765313864 +61643234326633316564326135633036656234336131353166643236643362343565646264346635 +38313063613238316432363830383334636261643537303338343362376131373661316634633936 +62646237326638343338613163373562643232366231626166616338326532396465366461343732 +34663366653837666339633931303735326437396562306534613366336137373361323563346333 +64363730633033316630613832356633613637646362653039393462636530363532633930323934 +63376136313339393530323538633831356432353338393365363432363639373064383761336362 +62346261343135643430666662643762656361613736356537616636613337363462366530313833 +63656439303162373830643231313432613166663036616564613966333562363063376565363132 +62323562353665343837393966646366396538656562646264653265383737386265626265656635 +37613331623763363638383331626364353666396330306666366633363264333166393038393537 +38326263313534643763313064386437653835373831356531653633336636383336323438346531 +62303162306362396464653663363162343734613538653163343533383431346661363230323264 +30393661306661336266396361616637373334343535656564363962386262336234346133306233 
+62366261666238363238336536636564303635363131643235636537656233303862363132316138 +30373631326635653437616464326436666462393564343834313464663230303538393937343066 +61346439626337663230393962623261333638373534623935396265633364373334383434613664 +63646338326239333365646335666232316265653338373836373435343966653464393163323464 +66616466653130343566336432313465313664313938636535343330633331383435346265386463 +37363864663561363334633864303534393434363237383032353636373261303566633461666138 +39333234313838663837616664353634666435323134663436366665326262333863356337313363 +32313839666232616133636363326661316133396533386639316166353831663361393130396438 +38396161633031333736353636366130613439376163626664386366656335636235303537323462 +38316233373664666531326566323738613635393035336139663164313333323464396439623264 +38383738373866303462336533633238303731633531613338653132393436626137323066363861 +61653333383637623638643533633039303734666466666566353638393564643361643630613638 +30633964346337613235366230393337653337633837303032613465623339373838336432623236 +34316365653964313235373337323534316330396363303365313037383064323430656534613033 +36623366373335613766336339633535396364356130306365366634306463336630323365653932 +36666664393739303631353438353466383332633662346364313466303839356632316537306139 +61363037633933343131643365343565396532326631643738336635333430306365383563666462 +38616439363131366637333533326162663030313535643664643130613535666135653263313031 +37316465343839613231656135383734663163343232303930376131323239353838393464336163 +36616233396266663637383439313239383834353465666634363739323565633934353734666135 +37393231323066313161616331343537663462356339323136363463383833316637663931633931 +38336331646365303461663362663839306566396666323834376562326134663765393161373866 +38396232663036343362326364303230353762376562306230653966633132393837633464323761 +35653339373861303763333131636464373031386333633036663635313234663639356238376665 
+32626265653637626663336531383964636232376334666365373330353337386333653665323263 +38636233393837626131663161643532623836306339303464346166376431616435323363333864 +32383161656331306539363130653633313561326230653234396464326333613431383537376464 +65393862386532363465343266393231306566316464366537316631653764356638336138663331 +63656361383165303463326536383039616438646362303632643334613336323266616136613435 +64373533313266363861363938306565363734353135393734303231313539386239323538316164 +37376139333839343135613465376335663466383663623131346437356639373335396666323265 +62376561353436653832636639383265663961343661346365616536653737343132396333393966 +33376465396666316230616635313463386439623862373332656161333739656236386131636436 +66336439613537326439333862353032316238343736386236343932636165663766313765333665 +37303630383339323464663061333663346438656663383737643862333761373834613435353830 +38303937613136323666643266393032376137376438616261326563383862356436616230613331 +65316234616334353365353930326536623836313833643236636437323735363832383638373162 +37636466636339326163613164306365356334616437643565306339303262633539363234363261 +39346433656635373635343731393039633261643332313735373930633030613938383530373935 +63656633623931616530306661353261386462393365646536393733323731616462653465356161 +34626134653532653265393839346438613639643264666236393532643764643066333462353936 +39373431656363303831626230353037353139323834633266353663386635306335346166633065 +64386366333531363530393531326438633937373238303730383261616163663962383263633561 +38613764303439643361373832356266363539326162643462653661366666353234353631383761 +38623433393766633965323062303964663331353863663063396365313631643464656138656131 +34393362313366313737633032663763336462373134316439663635363563346332333335363937 +36613837363430663961396439313462326435323639616363303638313566373266373830633261 +34393434616438636231303331666331396162383332646139636362373630363731396134373930 
+36383030333061353532653338383735623634623232316333663133393934666339343763366231 +31323738626637353230356633336165303466333666616534653330303634643532353264373236 +32613833623935383162346263633330356633613565626539326662333035376533373962306237 +34333936336264656533373062366332623937333031396237616331383039356539343036613735 +35323061393233343662616231313235383635326237383435363031306137343465386438623635 +39303331613862643533313363333036383866646534346331313133333339616665633236393031 +63323737633065323465653964393162663337633238643764346362623437653739333438666237 +32366230353736323866343436363335653761663931613239333131646565376430376162326164 +65343136313434303332373464363339363564306564353061643432653566653562643633653439 +66356339313934663534613161316137653638613862613439313762353035653861626230336461 +65663733616339313830316266633738333662623466336333333065623533393734353064363332 +31326165343834376265396634623739356334383762353135333863373437353936333034313562 +64626238393339636538633233313364303837356531356237373930393864663733646539626639 +66383966653333626264663732326635326232393334646464303364643531333831366638666263 +30636433353439343463656636326565393733616339623635326362303739356331316334303732 +62323964643961326465323964383763663337643961366634306439343337616361393661613938 +38376338363834366339663630363464633665336364326133323631326561623935316134366237 +65636137326164346238363630633337626231633836623235323636623033323031383031653466 +34333431386338626265356538366335396531333839343461633164383831326337663236653166 +64383834326362633238653537643362663561323337316339633038383731643538326466636364 +31383530396565393464313130336565653963306563306531636639373236306165383365663036 +37303162663261633236376666393533616661643530333731333637356431326438333665303334 +64613363653635643336323462353733346330643030653434643165346165303332646165346665 +63646663366165313064636433303034613366356437383438353734353565366638353930383530 
+62323537356136306635623630623239346464353064666538373565366162316466303261623866 +65303663313231343864656434306239663564356465636632316466346236383862393966613534 +39343631303732393764316436366264326133336537383131626261343265333034383037633165 +64313933653665396535616266633933613061393838386262336135303166663464363134323764 +31386261373937373765613935323964386232653135353038653766396531363663383039393431 +38623465316231313162383666383239306263303035613465313463396133613939666664613237 +30343265383163646531623837303662343463323431343337656331643664633639626635313232 +62386333656538326634663935646330386662376136373362616630303431346235313364613661 +35383533613432343238653536333736303537333063366262313136343032323061636239313261 +30616164373265663636646162366235363733386431623766636331396431316664303837383362 +64346631643033623731623863393037623865306531336338393166313561353436396561646464 +62653534303735623830663432316636303533353866336234613166616664643738363862623665 +38313661313266663163363936636631303437356634316337663936613935333834626631643335 +33356632396438333530316236333639303562646539663533613637613338663661376161336164 +66316232336365306330616434623837356438373435323136363363623737373837623264363765 +39373862633865333566643134626139316231323331363930626462373331653433613932316632 +64616630356631643862623436303533323665313965396532363537313263313463643662323230 +31393662633663323964363262643563396435323038626261366631323465613366633562393938 +39653661356432366466616166643034653835643263383961323161373764656334303031356264 +35366165666234343031646463303038323261653765366332326137356564306637663633376333 +61633361313765666638336135326632613434323131346464646632303064396335653334613732 +66616136393638313038313365393838366163656264326466666636656162323135613761376336 +31333533383632376339383761393537333339623735393133373463613965343631626530313661 +30623637356436323636363537363730376462643133343039303932663763336435616561346461 
+66383431353530393039613437323334366238333464336261656434616666633863663061353665
+33303166653364303538653938393465356330386665313639383232666261653638333065346362
+38663037303339306439373166666637663965613839666334383237663133663831373139653166
+65663931353066633262396662393234366361363361333034303836343939663030363732323536
+32376565316639353434343163653066646162643130393332373766336564613139316263386631
+65343563326261333962363536323438666536373861386365396366646439653564393263653332
+32663434653339363939616231383933613331393539333264633739383239336464633437643631
+32303961366333646130653036366661373062613832373362306439363338313737343232313264
+65333138333561353031326266633564326331643532363563613131383235653663376464636365
+38386465353431386331626633306162386334313331353634313631393066613233656431656235
+33316534663934346636316134616664623633376266633535386264383961383665666262346439
+32343133316332636338363732646630656637623565363836656432366538663261666663323864
+36626430383765353437653030356566396263363238333635386237353535663238356132646464
+65326266616533666231333336353430303663666630643435613763376534666663653434373061
+64633863343439323932616231333030633038366135393761396134343665363238
diff --git a/network.yml b/network.yml
index 300c0d2..4958116 100755
--- a/network.yml
+++ b/network.yml
@@ -28,7 +28,7 @@
 # Radius (backup only for now)
-- hosts: radius-edc-backup.adm.auro.re
+- hosts: ~radius-(edc|fleming)-backup\.adm\.auro\.re
   roles:
     - radius
diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml
index 9820e4b..574a3ef 100644
--- a/roles/radius/tasks/main.yml
+++ b/roles/radius/tasks/main.yml
@@ -5,6 +5,7 @@
     - "deb"
     - "deb-src"
+
 - name: Ensure /var/www exists
   file:
     name: "/var/www"
@@ -17,7 +18,7 @@
     version: "master_freeradius_python3"
     force: true
-- name: Template local settings
+- name: Template local re2o settings
   template:
     src: settings_local.py.j2
     dest: "/var/www/re2o/re2o/settings_local.py"
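Review bot: The new host pattern `~radius-(edc|fleming)-backup\.adm\.auro\.re` is a regex that, as far as I can tell, Ansible applies with a start-anchored match only, so any inventory host whose name merely begins with that string would be targeted by the radius play as well; terminating it, `- hosts: ~radius-(edc|fleming)-backup\.adm\.auro\.re$`, pins the play to exactly the two backup hosts. A named inventory group for the radius backups would also be easier to audit than a regex kept in the playbook, but that is a matter of taste.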
@@ -30,6 +31,8 @@
 - name: try to install freeradius-python3 (this will fail on post-install)
   apt:
     name: freeradius-python3
+    default_release: buster-backports
+    update_cache: yes
   ignore_errors: yes
   no_log: yes
@@ -38,6 +41,12 @@
     src: freeradius-python3.postinst.j2
     dest: /var/lib/dpkg/info/freeradius-python3.postinst
+- name: reinstall broken backpage
+  apt:
+    name: freeradius-python3
+    default_release: buster-backports
+    force: yes
+
 - name: Setup radius symlinks
   file:
     src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
@@ -54,7 +63,7 @@
     - local_prefix: freeradius3/
       filename: mods-enabled/eap
-- name: Configure radius clients.conf
+- name: Configure freeradius
   template:
     src: "{{ item }}.j2"
     dest: "/etc/freeradius/3.0/{{ item }}"
@@ -64,10 +73,6 @@
     - sites-enabled/inner-tunnel
     - proxy.conf
-- name: reinstall broken backpage
-  apt:
-    name: freeradius-python3
-    force: yes
 - name: Install radius requirements (except freeradius-python3)
   shell:
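Review bot: The relocated `reinstall broken backpage` task still carries `force: yes`, which on the apt module means `--force-yes` and implies `allow_unauthenticated: yes`, so the freeradius-python3 package pulled from buster-backports is installed without signature verification — an avoidable exposure on the host that holds the RADIUS secrets. Since this task now runs right after the fixed postinst has been templated into `/var/lib/dpkg/info/`, completing the half-configured package with `dpkg --configure -a` (or simply re-running the apt task without `force`) should give the same result while keeping package authentication on; if a downgrade is what actually blocks it, say so in a comment rather than disabling every check. The task name also has a typo (`package`), and the `Setup radius symlinks` task that follows continues outside the hunk.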
@@ -79,3 +84,120 @@ # End of hideousness (hopefully). + +- name: Configure log rotation + template: + src: "freeradius-logrotate.j2" + dest: "/etc/logrotate.d/freeradius" + + + +# Database setup + + +- name: Install postgresql + apt: + name: + - postgresql + - postgresql-client + +- name: Install postgresql ansible module requirement(s) + pip: + name: psycopg2 + +- name: Create read-only user + community.general.postgresql_user: + name: re2o_ro + password: "{{ radius_pg_re2o_ro_password }}" + become_user: postgres + +- name: Create replication user + community.general.postgresql_user: + name: replication + password: "{{ radius_pg_replication_password }}" + become_user: postgres + +- name: Create local DB + community.general.postgresql_db: + name: re2o + owner: replication + state: present + encoding: "UTF8" + lc_collate: 'fr_FR.UTF-8' + lc_ctype: 'fr_FR.UTF-8' + become_user: postgres + + +- name: Dump radius re2o PostgreSQL database schema from master + community.general.postgresql_db: + name: re2o + state: dump + target: /tmp/re2o-schema.sql + target_opts: '-s' + login_host: 10.128.0.12 + login_user: replication + login_password: "{{ radius_pg_replication_password }}" + + +- name: Restore DB + tags: + - restore + community.general.postgresql_db: + name: re2o + state: restore + target: /tmp/re2o-schema.sql + target_opts: "-s" + login_host: localhost + login_user: replication + login_password: "{{ radius_pg_replication_password }}" + + +- name: Grant select permissions on all tables to read-only user + tags: + - perms + community.general.postgresql_privs: + database: re2o + privs: SELECT + objs: ALL_IN_SCHEMA + schema: public + roles: re2o_ro + become_user: postgres + +- name: Grant usage permission on schema to read-only user + tags: + - perms + community.general.postgresql_privs: + database: re2o + privs: USAGE + objs: public + type: schema + roles: re2o_ro + become_user: postgres + +- name: Set default privileges in schema + tags: + - perms + 
community.general.postgresql_privs: + database: re2o + privs: SELECT + schema: public + objs: TABLES + type: default_privs + roles: re2o_ro + become_user: postgres + + +- name: Set up subscription to main database + tags: + - sub + community.general.postgresql_subscription: + name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}" + connparams: + host: re2o-db.adm.auro.re + user: replication + password: "{{ radius_pg_replication_password }}" + dbname: re2o + db: re2o + publications: + - re2o_pub + become_user: postgres diff --git a/roles/radius/templates/freeradius-logrotate.j2 b/roles/radius/templates/freeradius-logrotate.j2 new file mode 100644 index 0000000..91d5df4 --- /dev/null +++ b/roles/radius/templates/freeradius-logrotate.j2 @@ -0,0 +1,50 @@ +# The main server log +/var/log/freeradius/radius.log { + # common options + daily + rotate 365 + missingok + compress + delaycompress + notifempty + + copytruncate +} + +# (in order) +# Session monitoring utilities +# Session database modules +# SQL log files +/var/log/freeradius/checkrad.log /var/log/freeradius/radwatch.log +/var/log/freeradius/radutmp /var/log/freeradius/radwtmp +/var/log/freeradius/sqllog.sql +{ + # common options + daily + rotate 365 + missingok + compress + delaycompress + notifempty + + nocreate +} + +# There are different detail-rotating strategies you can use. One is +# to write to a single detail file per IP and use the rotate config +# below. Another is to write to a daily detail file per IP with: +# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail +# (or similar) in radiusd.conf, without rotation. If you go with the +# second technique, you will need another cron job that removes old +# detail files. You do not need to comment out the below for method #2. +/var/log/freeradius/radacct/*/detail { + # common options + daily + rotate 365 + missingok + compress + delaycompress + notifempty + + nocreate +} 
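Review bot: The schema dump task hard-codes the master as `login_host: 10.128.0.12`, while the subscription task further down reaches the same database as `host: re2o-db.adm.auro.re`; both should read one variable (e.g. a `radius_pg_master_host` in group_vars) so the two steps cannot silently point at different servers. Neither remote connection pins transport security: the replication password goes to the master with the module's default `ssl_mode` (`prefer`, which falls back to plaintext if the server does not offer TLS), so `ssl_mode: require` on the dump task and `sslmode: require` inside the subscription's `connparams` would make the expectation explicit. The dump is written to the fixed, world-readable path `/tmp/re2o-schema.sql` and never removed; a `tempfile` task or a `mode: "0600"` file under a dedicated directory, cleaned up after the restore, avoids the predictable path and the leftover copy of the schema. `psycopg2` is also pulled from PyPI through `pip` rather than the distribution's `python3-psycopg2` package, which ties the deployment to PyPI availability and an unpinned build.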
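Review bot: The logrotate template keeps 365 daily rotations of `radius.log`, the `radacct` detail files and `sqllog.sql`, which typically carry per-user authentication records (usernames, MAC addresses, NAS identifiers); the retention period is a data-handling decision and deserves a comment in the template, e.g. `# 365 days kept: <retention policy reference placeholder>`, and the role should make sure the live files are not world-readable since rotated copies inherit their mode. `copytruncate` on the main log can drop lines written between the copy and the truncate; if the daemon can reopen its log on signal, a `postrotate` reload is the lossless alternative — confirm against the package's own logrotate snippet before changing it.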
diff --git a/roles/re2o-service/tasks/main.yml b/roles/re2o-service/tasks/main.yml index 5b7d039..68e963c 100644 --- a/roles/re2o-service/tasks/main.yml +++ b/roles/re2o-service/tasks/main.yml @@ -21,8 +21,8 @@ become: true become_user: "{{ service_user }}" -- name: Configure re2o {{ service_name }} project - ini_file: +- name: "Configure re2o {{ service_name }} project" + community.general.ini_file: path: "{{ service_homedir }}/config.ini" section: Re2o option: "{{ item.key }}" diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml index 6073afe..dd7f865 100644 --- a/roles/router/tasks/main.yml +++ b/roles/router/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Enable IPv4 packet forwarding - sysctl: + ansible.posix.sysctl: name: net.ipv4.ip_forward value: '1' sysctl_set: yes From 8ce63d14b6e7d46ed6b31d7cd1a32a1e102f406b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 21 May 2020 18:08:20 +0200 Subject: [PATCH 02/31] radius: fix settings_local.py --- roles/radius/tasks/main.yml | 8 +++--- roles/radius/templates/local_routers.py.j2 | 28 +++++++++++++++++++++ roles/radius/templates/settings_local.py.j2 | 19 +++++++++++--- 3 files changed, 49 insertions(+), 6 deletions(-) create mode 100644 roles/radius/templates/local_routers.py.j2 diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml index 574a3ef..dfdeac8 100644 --- a/roles/radius/tasks/main.yml +++ b/roles/radius/tasks/main.yml @@ -20,9 +20,11 @@ - name: Template local re2o settings template: - src: settings_local.py.j2 - dest: "/var/www/re2o/re2o/settings_local.py" - + src: "{{ item }}.j2" + dest: "/var/www/re2o/re2o/{{ item }}" + loop: + - settings_local.py + - local_routers.py # What follows is a hideous abomination. diff --git a/roles/radius/templates/local_routers.py.j2 b/roles/radius/templates/local_routers.py.j2 new file mode 100644 index 0000000..ce42020 --- /dev/null +++ b/roles/radius/templates/local_routers.py.j2 
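Review bot: The templated `settings_local.py` carries two database passwords (the master `re2o` user's and `radius_pg_re2o_ro_password`), yet the `template` task in `@@ -20,9 +20,11 @@` sets no `owner`, `group` or `mode`, so the file is created with the default umask and is typically world-readable under `/var/www/re2o/re2o/`. Add `owner: root`, `group: <service group placeholder>` and `mode: "0640"` to the task; the loop also covers `local_routers.py`, which can share the same mode without harm. The `git` checkout of `/var/www/re2o` earlier in the role runs with `force: true`, so confirm these two files are untracked in that repository, otherwise a later run could overwrite them.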
@@ -0,0 +1,28 @@ +class DbRouter(object): + """ + A router to control all database operations on models in the + auth application. + """ + def db_for_read(self, model, **hints): + """ + Attempts to read remote models go to local database. + """ + return 'default' + + def db_for_write(self, model, **hints): + """ + Attempts to write remote models go to the remote database. + """ + return 'master' + + def allow_relation(self, obj1, obj2, **hints): + """ + Allow relations involving the remote database + """ + return True + + def allow_migrate(self, db, app_label, model_name=None, **hints): + """ + Allow migrations on the remote database + """ + return True diff --git a/roles/radius/templates/settings_local.py.j2 b/roles/radius/templates/settings_local.py.j2 index 1a6308e..01d9043 100644 --- a/roles/radius/templates/settings_local.py.j2 +++ b/roles/radius/templates/settings_local.py.j2 @@ -44,14 +44,14 @@ DEBUG = False ADMINS = [('AURORE', 'monitoring.aurore@lists.crans.org'), ('Gabriel Detraz', 'detraz@crans.org')] # The list of hostname the server will respond to. -ALLOWED_HOSTS = ['radius-pacaterie.adm.auro.re'] +ALLOWED_HOSTS = ['{{ inventory_hostname }}'] # The time zone the server is runned in TIME_ZONE = 'Europe/Paris' # The storage systems parameters to use DATABASES = { - 'default': { # The DB + 'master': { 'ENGINE': 'django.db.backends.postgresql_psycopg2', 'NAME': 're2o', 'USER': 're2o', @@ -62,7 +62,18 @@ DATABASES = { 'COLLATION': 'utf8_general_ci' } }, - 'ldap': { # The LDAP + 'default': { + 'ENGINE': 'django.db.backends.postgresql_psycopg2', + 'NAME': 're2o', + 'USER': 're2o_ro', + 'PASSWORD': "{{ radius_pg_re2o_ro_password }}", + 'HOST': 'localhost', + 'TEST': { + 'CHARSET': 'utf8', + 'COLLATION': 'utf8_general_ci' + } + }, + 'ldap': { 'ENGINE': 'ldapdb.backends.ldap', 'NAME': 'ldap://10.128.0.11/', 'USER': 'cn=admin,dc=auro,dc=re', 
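Review bot: `allow_migrate` returns `True` for every alias, so Django would also try to apply migrations to `default`, which in the accompanying `settings_local.py.j2` is the local replica opened as the read-only `re2o_ro` user; restricting it to `return db == 'master'` matches the docstring's stated intent of migrating the remote database only. The class docstring ("models in the auth application") and the `allow_relation` docstring are copied from the Django documentation and do not describe this router; a one-line class docstring such as `Route reads to the local replica ('default') and writes/migrations to 'master'.` would be accurate. The explicit `(object)` base is unnecessary on Python 3, which this role targets (`freeradius-python3`).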
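Review bot: The new `default` entry in `@@ -62,7 +62,18 @@` copies the `TEST` block from the `master` entry, including `'COLLATION': 'utf8_general_ci'`, which is a MySQL collation name; for the PostgreSQL backend Django expects a locale such as the `fr_FR.UTF-8` the role's tasks create the database with, so the block is at best ignored and at worst breaks test database creation. Either drop `TEST` from the read-only entry (tests should not run against the replica anyway) or set `'COLLATION': 'fr_FR.UTF-8'` consistently in both entries.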
@@ -114,3 +125,5 @@ OPTIONNAL_APPS_RE2O = () # Some Django apps you want to add in you local project OPTIONNAL_APPS = OPTIONNAL_APPS_RE2O + () + +LOCAL_ROUTERS = ["re2o.local_routers.DbRouter"] From fe62055cdd625ec5bab692be0b1a8c57584d629e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 21 May 2020 19:25:30 +0200 Subject: [PATCH 03/31] radius: enable service, fix details --- network.yml | 2 +- roles/radius/tasks/main.yml | 13 ++++++++++--- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/network.yml b/network.yml index 4958116..d16893d 100755 --- a/network.yml +++ b/network.yml @@ -28,7 +28,7 @@ # Radius (backup only for now) -- hosts: ~radius-(edc|fleming)-backup\.adm\.auro\.re +- hosts: ~radius-(edc|fleming|pacaterie).* roles: - radius diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml index dfdeac8..9172c79 100644 --- a/roles/radius/tasks/main.yml +++ b/roles/radius/tasks/main.yml @@ -36,18 +36,18 @@ default_release: buster-backports update_cache: yes ignore_errors: yes - no_log: yes - name: fix freeradius-python3 postinstall script template: src: freeradius-python3.postinst.j2 dest: /var/lib/dpkg/info/freeradius-python3.postinst -- name: reinstall broken backpage +- name: reinstall broken package (this might fail too, for different reasons) apt: name: freeradius-python3 default_release: buster-backports force: yes + ignore_errors: yes - name: Setup radius symlinks file: @@ -93,7 +93,6 @@ dest: "/etc/logrotate.d/freeradius" - # Database setup @@ -203,3 +202,11 @@ publications: - re2o_pub become_user: postgres + + +- name: Restart freeradius, ensure enabled + systemd: + name: freeradius + enabled: yes + state: restarted + daemon_reload: yes From 63b4425a27ade122ed98f3a0f78945a57035fc20 Mon Sep 17 00:00:00 2001 
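Review bot: The pattern `~radius-(edc|fleming|pacaterie).*` in the network.yml hunk drops the `-backup\.adm\.auro\.re` suffix, so the play now also targets non-backup hosts such as a `radius-pacaterie` primary, while the comment on the line above still reads `# Radius (backup only for now)`; update the comment (e.g. `# Radius (edc/fleming backups and pacaterie)`) or keep the suffix if only backups are meant. The trailing `.*` adds nothing, since Ansible's `~` patterns are already prefix matches — verify against the Ansible version in use.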
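Review bot: `state: restarted` in the new `Restart freeradius, ensure enabled` task (`@@ -203,3 +202,11 @@`) restarts the daemon on every playbook run, including runs where nothing changed, interrupting in-flight authentications; the idiomatic shape is `state: started` here plus `notify: restart freeradius` on the template and symlink tasks that actually change its configuration, with the restart in a handler. `daemon_reload: yes` is only needed when a unit file changed, which nothing in this role does as far as the hunks show.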
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 21 May 2020 19:45:35 +0200 Subject: [PATCH 04/31] gs: fix vars --- group_vars/all/vault.yml | 332 +++++++++--------- group_vars/{georgesand => gs}/main.yml | 5 + .../sudo_location_group.yml | 0 network.yml | 2 +- 4 files changed, 173 insertions(+), 166 deletions(-) rename group_vars/{georgesand => gs}/main.yml (54%) rename group_vars/{georgesand => gs}/sudo_location_group.yml (100%) diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index ff1c922..093dc63 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml 
@@ -1,166 +1,168 @@ $ANSIBLE_VAULT;1.1;AES256 -62663038646261303939313365653235313039653639333833663661336439363961633861346332 -6236636666353436383264333661303737653131333031360a633432616130616665623732633332 -31346339633935366164316539393134343864376265333336393863356438313638393563656635 -3765386136656566350a663032663462646337616365313966373735663062323766653935336638 -64396235383663633066643039613630383266663430356639366635333334653035653932386238 -39323937646437306435656464653833383139656138393861653836653435316265623764393739 -61626636646335633238333337393163653465333136626238373931363561663034633035623335 -66653531623235633535363363373333356366636438643666636133336166313839373836333436 -36333831306261376363663633306432656361326133663732633161636633323439343830613863 -32333036373463343138656639303762396237396365613665643231393837616531626261663439 -36363165313033366365383134303333316336363264663966393637393933363931353766363264 -64383363316361663939396463373938396562313434626235653532666237613035313734343764 -33303339653038656632316538653337653330326261653037626165323533363335306635613133 -61346234613266646538636465323231623830363264336465626436373434613339646236326335 -33633036663663303633326136613838653662653165643832666365656561313064313138643061 -37653664343666386138306164626263313634366232633033396238323737373230346261376436 -65643433613465333230356366383333653665653361663262326530653930303637303565333936 -39613130356165363731343037303630376438613533396235313161333366303235373561386261 -64656562373031323031363933663966663362303534643965616162616436393037346563393864 -66663438616139323137663466383338323833393030366162353430613233323366356537356335 -62636137393338326136353532386130366362346366316538386139663832386534643664306561 -62646362306265333532666364303364373334613139386438306439643235346630363631396661 -61643265666337303437633535353833353866633234343262353330383232373932623134623164 
-31353566313861376334613665343838626432303130383537613235316261633664613865376430 -30386265353461626232626339316232333561346139346165623531353732313033636530363634 -35626334633734623132626534393134306366356535623739303364383865306135393338653862 -33303435323864376335356162343634383361363066386335636337363138353337613061666165 -36363439393130323234666630303239613735633633306534376135363832613331633766623433 -32633761663361643164613036333266653037363361646538636162343535306463643461643663 -36353062303636616563393535656163316364623832393863393738383532366234326139643635 -35626339663238613566616163336565383963393734663131396438353633363936393965633363 -33366131636563623537656634613439643732373532333238626364373631303534376134306237 -31643163306663353164616234303061366163623434393137373432316565386133363865633036 -37396334383364393238666331386663386433613134316231636431653464623639346266323363 -37333033663738313061303339626539343632303235363032346362393462313866363363623366 -34353432383630663765643138613936653538376464333737626437353939393637333038356161 -66353663363730613633616431636237363961306661343638656164666165656338313465663463 -31313037353665396338663233386266346231333366373464623163353036363832336463633731 -39373665666231396136393462633163333738633362633464646263643237646663633730616163 -38653632333638396138656531653438643731636530313034656237313830366336383037343162 -66313835303432616437613931643165643763636333363163643864613531313339353765313864 -61643234326633316564326135633036656234336131353166643236643362343565646264346635 -38313063613238316432363830383334636261643537303338343362376131373661316634633936 -62646237326638343338613163373562643232366231626166616338326532396465366461343732 -34663366653837666339633931303735326437396562306534613366336137373361323563346333 -64363730633033316630613832356633613637646362653039393462636530363532633930323934 -63376136313339393530323538633831356432353338393365363432363639373064383761336362 
-62346261343135643430666662643762656361613736356537616636613337363462366530313833 -63656439303162373830643231313432613166663036616564613966333562363063376565363132 -62323562353665343837393966646366396538656562646264653265383737386265626265656635 -37613331623763363638383331626364353666396330306666366633363264333166393038393537 -38326263313534643763313064386437653835373831356531653633336636383336323438346531 -62303162306362396464653663363162343734613538653163343533383431346661363230323264 -30393661306661336266396361616637373334343535656564363962386262336234346133306233 -62366261666238363238336536636564303635363131643235636537656233303862363132316138 -30373631326635653437616464326436666462393564343834313464663230303538393937343066 -61346439626337663230393962623261333638373534623935396265633364373334383434613664 -63646338326239333365646335666232316265653338373836373435343966653464393163323464 -66616466653130343566336432313465313664313938636535343330633331383435346265386463 -37363864663561363334633864303534393434363237383032353636373261303566633461666138 -39333234313838663837616664353634666435323134663436366665326262333863356337313363 -32313839666232616133636363326661316133396533386639316166353831663361393130396438 -38396161633031333736353636366130613439376163626664386366656335636235303537323462 -38316233373664666531326566323738613635393035336139663164313333323464396439623264 -38383738373866303462336533633238303731633531613338653132393436626137323066363861 -61653333383637623638643533633039303734666466666566353638393564643361643630613638 -30633964346337613235366230393337653337633837303032613465623339373838336432623236 -34316365653964313235373337323534316330396363303365313037383064323430656534613033 -36623366373335613766336339633535396364356130306365366634306463336630323365653932 -36666664393739303631353438353466383332633662346364313466303839356632316537306139 -61363037633933343131643365343565396532326631643738336635333430306365383563666462 
-38616439363131366637333533326162663030313535643664643130613535666135653263313031 -37316465343839613231656135383734663163343232303930376131323239353838393464336163 -36616233396266663637383439313239383834353465666634363739323565633934353734666135 -37393231323066313161616331343537663462356339323136363463383833316637663931633931 -38336331646365303461663362663839306566396666323834376562326134663765393161373866 -38396232663036343362326364303230353762376562306230653966633132393837633464323761 -35653339373861303763333131636464373031386333633036663635313234663639356238376665 -32626265653637626663336531383964636232376334666365373330353337386333653665323263 -38636233393837626131663161643532623836306339303464346166376431616435323363333864 -32383161656331306539363130653633313561326230653234396464326333613431383537376464 -65393862386532363465343266393231306566316464366537316631653764356638336138663331 -63656361383165303463326536383039616438646362303632643334613336323266616136613435 -64373533313266363861363938306565363734353135393734303231313539386239323538316164 -37376139333839343135613465376335663466383663623131346437356639373335396666323265 -62376561353436653832636639383265663961343661346365616536653737343132396333393966 -33376465396666316230616635313463386439623862373332656161333739656236386131636436 -66336439613537326439333862353032316238343736386236343932636165663766313765333665 -37303630383339323464663061333663346438656663383737643862333761373834613435353830 -38303937613136323666643266393032376137376438616261326563383862356436616230613331 -65316234616334353365353930326536623836313833643236636437323735363832383638373162 -37636466636339326163613164306365356334616437643565306339303262633539363234363261 -39346433656635373635343731393039633261643332313735373930633030613938383530373935 -63656633623931616530306661353261386462393365646536393733323731616462653465356161 -34626134653532653265393839346438613639643264666236393532643764643066333462353936 
-39373431656363303831626230353037353139323834633266353663386635306335346166633065 -64386366333531363530393531326438633937373238303730383261616163663962383263633561 -38613764303439643361373832356266363539326162643462653661366666353234353631383761 -38623433393766633965323062303964663331353863663063396365313631643464656138656131 -34393362313366313737633032663763336462373134316439663635363563346332333335363937 -36613837363430663961396439313462326435323639616363303638313566373266373830633261 -34393434616438636231303331666331396162383332646139636362373630363731396134373930 -36383030333061353532653338383735623634623232316333663133393934666339343763366231 -31323738626637353230356633336165303466333666616534653330303634643532353264373236 -32613833623935383162346263633330356633613565626539326662333035376533373962306237 -34333936336264656533373062366332623937333031396237616331383039356539343036613735 -35323061393233343662616231313235383635326237383435363031306137343465386438623635 -39303331613862643533313363333036383866646534346331313133333339616665633236393031 -63323737633065323465653964393162663337633238643764346362623437653739333438666237 -32366230353736323866343436363335653761663931613239333131646565376430376162326164 -65343136313434303332373464363339363564306564353061643432653566653562643633653439 -66356339313934663534613161316137653638613862613439313762353035653861626230336461 -65663733616339313830316266633738333662623466336333333065623533393734353064363332 -31326165343834376265396634623739356334383762353135333863373437353936333034313562 -64626238393339636538633233313364303837356531356237373930393864663733646539626639 -66383966653333626264663732326635326232393334646464303364643531333831366638666263 -30636433353439343463656636326565393733616339623635326362303739356331316334303732 -62323964643961326465323964383763663337643961366634306439343337616361393661613938 -38376338363834366339663630363464633665336364326133323631326561623935316134366237 
-65636137326164346238363630633337626231633836623235323636623033323031383031653466 -34333431386338626265356538366335396531333839343461633164383831326337663236653166 -64383834326362633238653537643362663561323337316339633038383731643538326466636364 -31383530396565393464313130336565653963306563306531636639373236306165383365663036 -37303162663261633236376666393533616661643530333731333637356431326438333665303334 -64613363653635643336323462353733346330643030653434643165346165303332646165346665 -63646663366165313064636433303034613366356437383438353734353565366638353930383530 -62323537356136306635623630623239346464353064666538373565366162316466303261623866 -65303663313231343864656434306239663564356465636632316466346236383862393966613534 -39343631303732393764316436366264326133336537383131626261343265333034383037633165 -64313933653665396535616266633933613061393838386262336135303166663464363134323764 -31386261373937373765613935323964386232653135353038653766396531363663383039393431 -38623465316231313162383666383239306263303035613465313463396133613939666664613237 -30343265383163646531623837303662343463323431343337656331643664633639626635313232 -62386333656538326634663935646330386662376136373362616630303431346235313364613661 -35383533613432343238653536333736303537333063366262313136343032323061636239313261 -30616164373265663636646162366235363733386431623766636331396431316664303837383362 -64346631643033623731623863393037623865306531336338393166313561353436396561646464 -62653534303735623830663432316636303533353866336234613166616664643738363862623665 -38313661313266663163363936636631303437356634316337663936613935333834626631643335 -33356632396438333530316236333639303562646539663533613637613338663661376161336164 -66316232336365306330616434623837356438373435323136363363623737373837623264363765 -39373862633865333566643134626139316231323331363930626462373331653433613932316632 -64616630356631643862623436303533323665313965396532363537313263313463643662323230 
-31393662633663323964363262643563396435323038626261366631323465613366633562393938 -39653661356432366466616166643034653835643263383961323161373764656334303031356264 -35366165666234343031646463303038323261653765366332326137356564306637663633376333 -61633361313765666638336135326632613434323131346464646632303064396335653334613732 -66616136393638313038313365393838366163656264326466666636656162323135613761376336 -31333533383632376339383761393537333339623735393133373463613965343631626530313661 -30623637356436323636363537363730376462643133343039303932663763336435616561346461 -66383431353530393039613437323334366238333464336261656434616666633863663061353665 -33303166653364303538653938393465356330386665313639383232666261653638333065346362 -38663037303339306439373166666637663965613839666334383237663133663831373139653166 -65663931353066633262396662393234366361363361333034303836343939663030363732323536 -32376565316639353434343163653066646162643130393332373766336564613139316263386631 -65343563326261333962363536323438666536373861386365396366646439653564393263653332 -32663434653339363939616231383933613331393539333264633739383239336464633437643631 -32303961366333646130653036366661373062613832373362306439363338313737343232313264 -65333138333561353031326266633564326331643532363563613131383235653663376464636365 -38386465353431386331626633306162386334313331353634313631393066613233656431656235 -33316534663934346636316134616664623633376266633535386264383961383665666262346439 -32343133316332636338363732646630656637623565363836656432366538663261666663323864 -36626430383765353437653030356566396263363238333635386237353535663238356132646464 -65326266616533666231333336353430303663666630643435613763376534666663653434373061 -64633863343439323932616231333030633038366135393761396134343665363238 +30303466313332386663653437633162366435303931386433386437393133326338653433383838 +6536366261346666303239313536353263616235363761640a306262643931333035653162333839 
+31343430386661623938333332393336313564353435633961323532623037333535333966643539 +6138306433636235390a353464616630376261613839643263613063386437313766666165613336 +37353431623631363662346134386466346163616432353361356632313861323130633338353264 +65353230643532343036353736623065383635333662363263663063363163656633646235613336 +36323466353530303434363037623964303931643462323437313733366636303766633262303465 +64333066313562313733356365636530316533633532636632626637626462636133666133353338 +37333866333337353162386139376463313030346636336231626166663231626130343738633166 +65343833316632643532393531363037313936656364356630616137373734356631333464396464 +66643237393039633461363433386432373935626631313465656539656538663931313866343863 +37626261373737666630623966333436336163636338336439653363356632656463346662333234 +64663936323634373733333262646531333437393562376232633266343738643266353633663437 +61656166363763333933323961666637653464396533356635643835643566633938363762313065 +63396566313830393935653339666262346463626266373734356532306461633961333930336261 +61383762643464396131653838376337353462396533336231353230306431373162306437633266 +32626365363031646233663632353730366234366539326137623331386263396435386433396232 +61633664636164373734623138306563643263363839313434643036396437653832343334613365 +66643433393831646338363830653739316234356632666365306364653262613836653933636636 +61623038303063376137633531386531386634313536323466623636313334393661636634373638 +63383139343061643634346166303037636531396636366165306266346131326532306537663963 +30666532376462306435383735643439313739343039613533653231353338393439376638646565 +38323162343435643033336532353636663831313433626534653334343939623864656138653035 +62383566396663653037623866633934363863646538306562636531373762613863343937383531 +63303932363739306131643331323032626466636535613966663631646436353830356439393361 +32353764383239386437303363323337666339663966653332303230653236616339353930336137 
+66646533366666663632383530373663653335303161623664633932356636343664393865336137 +63313766313831346661656134353736666463336561343162326263376239373934373163393035 +64303630663537623435356136336237386666313331666138366530356130306139323538353833 +63633230333432636433393635383061656265376535313038316461363561363733316231386234 +33366262343866323936623266353061613931396663386638306466343636626133393561636536 +63653833393633346463643737346334646338383835646364633235393037643462653662353039 +37323436633231303464386530303434636130336561653833666536303166373030353633656238 +66663562393164303563653935333438336231613064393765653030373064663462363030356561 +64303934663362633436636633613538353664633361353566623663643961663432386530376538 +66643735383038366436323865383563353132626331336339393666333164396631376562396636 +39316435343261656266643232643931356566333336303666623331316236346265383230333835 +30636165316461393936633566346438616464333031343163636462326630653061353332353565 +37323032333633653463383338333265386434306666333930326664363863663636366666643438 +36346662326562366163303665376234336633646435313834616335313363363332653962316662 +64376463356430613266626535353563326530626330356235346537656633313964383932356465 +34336664353861363436306361336337323565376238373439626130393866663134396135643136 +32346333386266636437333631363330663065613036303437353631303131373430386234316538 +36373934373064366664653139336265646361363631333863383731363737323230613931353333 +31666436653361333931316463643730366636303932333730623939323533613532396238306238 +62353066646435663365336635393030346233333138333766613661613039393161333234613066 +39663537353562313035363036343064323263623537646632393362613839383836643166366635 +31656662663665383238656634363062393133343033343933353938326633343061313732346562 +39376561633939616538303833383235663338636164613336333036353334313332666531366230 +32373135336136343934356264656664653730313963363733313833306361613139643434646430 
+64343235366437363931623731353239623764343931633330343737626163623632353864646639 +61636430373637316635323533373162633536393439393338623331303662333962613532323133 +33343336626462626132376235303165643164313761313136376631653731356535363465666661 +33363737363338366534333835363837393565653562623436333835653936663834376664333864 +36643333353263303533623531373732616365333030643735363533366463333035363136616139 +37386532373336663264643433633432653631313262333735353265373161353463303362353630 +38666363336539633564306132376565616463643662343136623461363230356564386335643732 +39653132646431636436383437366166373465336435356638643865346265643335383864363037 +63303633616233333233343962343037363465623635653831656539363662373035663163383238 +39643833356331323764386264373062306435383132656236313734643564396432396363363366 +65663630336539353261323739633765653036356632303739373239323334356133373133383631 +31343462323032393434326133343135653938353534666339356334636134363937363835646630 +38326561623264616439386264646635373063353966373936346634316239323464313531353035 +36656533333232313261316334323534336538626430363363353363363631386362363864616661 +34656462373230633364663963313662343334633235643034663231626362646163333563386638 +31363831363137353862613337323036626338653634653664303262656333663538633566646137 +31333264383535323336613262643636323733336461313339643665356134376161323262363331 +39353237653931316662393538383463373636653834333334303137643037353436303131353466 +62393037363565616564393732326334633035353337616638366537633238353465346234643134 +37303961343837636638303761313536663862333864663733663266623931353863323466636461 +37353764353034383833383533626430376537376233346539663966323061386135663463323665 +33333038363138663264326432313432666632333234376366663963356534623137333831353632 +31623038653034666236333934646539653361343839333533636563303636303434336434363932 +31376639336130353666363361633535323932376535626230376632613734653633323334633464 
+33616532336363346632356662396631633133616337663161646531386632353433613864386331 +36356337346539313963396238346333323266366332353863653363396335383935343436656263 +63613634643461333434623062333232623135626665623731366536346532613063653566386133 +31336239663964643662373964643665616134653235666164656236306565623638623330353630 +64396139343463383732336536623561363639366663636163643236336635323538323336666137 +38373334393837393563333331336638376162303532393066343839343633616162326665313738 +62643731626666336634303639376337366666306238663235636265303833646231616239316665 +37336132303462306462386334306132353930643461303664666563613261643633636635363731 +66633638313230363136343632626464336335643833613162383930346439313637646139623631 +36376661346265333334666535323063656430306463613938366632306366363631663232663433 +38313663663937336435643338623837653731333961356264663965373234353938623232353065 +64633039316663343139666338363662393362643966613466316664323437396532356465616639 +61326364663565643537633633316163646362613063653562646165326435353632396566626530 +62343732356437613334363361373237643839323431366238316434376562326334343431353466 +61396636396636326466386131653133316437306263303630363830306366666636323937653533 +61616634616161333035303132353664393333316263313863656463393736356533636535623035 +35363734393465326263383862613062613235663538386166333235653765306663383332653338 +62323031303932626331633162393062643833383631333265303431653836336563313561303533 +33643236663930653766303930646132383064663031373466633732376438323238383035626232 +35356533613133326239353537383866306338616538643839343162623932613439623538643130 +33363130366463356434623265326664353064656233373536353235663936363266623562663362 +35613436333363376438643331353536666134303561613239626634656135303862323432303761 +32326438313162633262653163643534393934353337393262333461313166373339333532373635 +39326535303239386135326138666133363531353865663934326332356161356364313561613364 
+61363133336165646462373932643135653438626130643364626531346339656237373935386563 +39313830396631366466363066653464316165306261306461343636656562653234313933316331 +37323335653538663537646332616665303138346138363134393631336566326562346265343138 +35316666333336663231373963383265633832656462313961376430613338616238613562323931 +33353931666538383134373230353830633136376134326131386435353834366335666566396634 +63363930366631313661363538616261363532373332613966363030363662356132373261343637 +34303038653531383134326231333562643639666638653631633436323234643931653734333338 +30343938323534353063643664663536353733343430616336383161643633616337383734366162 +38363838633334343232353737303239643733646166323263363039353939633136616362393662 +65653765353566616430373632383137386331313966393731393861353763323633643163663065 +37613266326361656666653662303131343036383133646435656362623439313733323638623633 +63366236326634643133656131363061353632386438336435313062653961363563653065346265 +64613762393830616336346362373232623234303330613034326236636163616364303366313163 +36613930616663643438373238336661663962616330383635653564353366383234653735656231 +65393866653535616230376464653030346334343865303439636236656432396433663534333434 +31336332303535386237333336636436396235653265323361393935323937393336336232303531 +64303732303365333962356464663134303237326133333464616638303131306138626132633962 +36353866313635373230316262326263623531316135663631363838633362316664626438313461 +38613862376435383961376436643630653436343461336165656331393764646161376164666462 +37633030383361393864643063353232366161353934343461393366356538373261333663656638 +36663830633266663938333736366234376564646539356462393930643062666538306632393237 +61356632633561386565613730613131343261386662656333313363336432383637386133346261 +30396666646434666466626236666365323039313037636466636331373137366663623339643261 +35643937666362316538613830346138363437376664633233666230663131353437666435613466 
+30346131373462356232613761356564363264646338313537366637396230313634653430323061 +39386435666631373339666236623661633631623635313366383139636361356231393462613437 +34373862646130636261663831376332316133396262316437633739383437646435633236333661 +30336366306564393538623431396665626537313130656334636234313464376564613434633831 +33633737613130643334376131356330646634333834303062613736393534313065623834346562 +35393564383962636133346461313131363864373334653264633561326136323361313936653734 +31383130663239333063623837373139633031363331663535633832653831303264336265666463 +39353434383866666439633936353462303231663936633862303961386630636535656331373535 +35366263646665623236656463653063383233306262396461363639303563383736323038663164 +36363161346262306362366236656433353337316437373631363832303437633933386538366430 +33313366616161646264333235623864626238646263636461393037373234333437363534363532 +32386363656664303138623134396338316638346531366538636239303638626462396132373437 +31653131313335306239393431353533633362303966353938623237356131386237616366346638 +66623434313831366333323265653131323233373862383530633538623965393765323034323934 +34326131303562646433343961626139356263396462626534336639623534663465613338636337 +66363137313033373765626136616131363832653063616131666538666263646133613562383830 +39336630636666386364666262623235386134353063323331376238616133336666306161383830 +36353131316263633933356336653166313334363365383562373233356461383533326661663331 +39353665363365333835383034393136353466323438633933363062393134613365633532613131 +38626530353431636363626131333633626139616465643963306262333639356431313362363332 +38386661343731393437393566613961383463646434653038323063396666653461663932376366 +39663738323537363630363666323062623339633266303862376435393762303363366162313565 +34616464613065383639633865373764363230306437303236616261333766363738343131623765 +61373962343236333361396635363562343565386266383063633331366131306262643130653037 
+66383562326438383562656535373835353335316639663166343163623365613263343364383435 +32336162356561313737333665383732643565393030643132333934373339643535383033313263 +37333365386663353437636236303339633631613266343238636638613634336233353462653335 +32316538646339663435363962626537373632303631653339306633336266623264396665376165 +61623963366336306230333937636466383035383262356664323361326234343561336338616237 +30373461343465646366373564363838326266326566356166333935356261633066613438613331 +31363232653831636634643765323036663266643862363431373465313465316630313261353538 +31356233363435323937393439333838373462313033336338356666343432656162626461643238 +66386464316262303433363231376535363437653562326264313135643737383462656365666361 +64366234633535333434373163333164643666653638386639616436373739353431313730346461 +64366665336561313830393036616239376234343239383833376138323261633831303735303330 +61643462353839633934326639663839386565353736356535383836626231323430366136626535 +65366332383438343235623034636234613566653137386163626634653065626163376139313938 +33646366626234663934666235393661663435336334333362626633353730633538346231643034 +32303964363134336163356537663535306235363664623938323339643663336365373035393235 +36313731376534356166333266383163663264646634396334303166343637626233333162326536 +38343430396136663231343834373535336632666532313037373336383233306634306566396230 +35653264643339613634343538336439356539346462663336316361663435376332323330373461 +34313537646234383536633239363734356564336334633434383333393733323466336231666362 +65353562623565656462316462643466386432303063363461373836316236616433646334666561 +323965343133626434643938396633643338 diff --git a/group_vars/georgesand/main.yml b/group_vars/gs/main.yml similarity index 54% rename from group_vars/georgesand/main.yml rename to group_vars/gs/main.yml index 0161c8a..10a85ab 100644 --- a/group_vars/georgesand/main.yml +++ b/group_vars/gs/main.yml 
@@ -2,4 +2,9 @@ apartment_block: gs apartment_block_id: 5 +subnet_ids: + ap: 145 + users_wired: 50 + users_wifi: 51 + router_ip_suffix: 240 diff --git a/group_vars/georgesand/sudo_location_group.yml b/group_vars/gs/sudo_location_group.yml similarity index 100% rename from group_vars/georgesand/sudo_location_group.yml rename to group_vars/gs/sudo_location_group.yml diff --git a/network.yml b/network.yml index d16893d..4b4a9dc 100755 --- a/network.yml +++ b/network.yml @@ -28,7 +28,7 @@ # Radius (backup only for now) -- hosts: ~radius-(edc|fleming|pacaterie).* +- hosts: ~radius-(edc|fleming|pacaterie|gs).* roles: - radius From 4866ce915c6b468c8693c501876f704a70f96a5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 21 May 2020 19:46:39 +0200 Subject: [PATCH 05/31] clean up README for ansible(devel) --- README.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index d52b7aa..00897a4 100644 --- a/README.md +++ b/README.md @@ -122,12 +122,19 @@ done ### Passage à Ansible 2.10 (release: 30 juillet) +Installez la version de développement d'ansible pour faire fonctionner les +playbooks de ce repo, ainsi que les collections suivantes : + ```bash ansible-galaxy collection install community.general ansible-galaxy collection install ansible.posix ``` -Erreur avec sudo ? -Workaround: `$ export ANSIBLE_BECOME_PASS=''` -(notez l'espace au début pour ne pas log la commande dans votre historique -shell) + +Si vous n'arrivez pas à entrer votre _become password_ (bug dans ansible?), un +workaround est le suivant : + +`$ export ANSIBLE_BECOME_PASS=''` + +Notez l'espace au début pour ne pas log la commande dans votre historique +shell. From a6b15c0e10249f1ddbe2d7a246b4b45496e797d2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 21 May 2020 20:06:47 +0200 Subject: [PATCH 06/31] vars: use apartment block id for subnets --- group_vars/all/vars.yml | 9 +++++++++ group_vars/edc/main.yml | 5 ----- group_vars/fleming/main.yml | 5 ----- group_vars/gs/main.yml | 5 ----- group_vars/pacaterie/main.yml | 5 ----- 5 files changed, 9 insertions(+), 20 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 3b0c131..572a607 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -53,6 +53,11 @@ backup_dns_servers: # Misc mtu: 1400 +subnet_ids: + ap: "14{{ apartment_block_id }}" + users_wired: "{{ apartment_block_id }}0" + users_wifi: "{{ apartment_block_id }}1" + # Keepalived keepalived_password: "{{ vault_keepalived_password[apartment_block] }}" @@ -70,3 +75,7 @@ radius_secret_wired: "{{ vault_radius_secrets.wired[apartment_block] }}" radius_pg_replication_password: "{{ vault_re2o_db_user_passwords.replication }}" radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}" + + + + diff --git a/group_vars/edc/main.yml b/group_vars/edc/main.yml index 88e6c2b..942e068 100644 --- a/group_vars/edc/main.yml +++ b/group_vars/edc/main.yml @@ -2,11 +2,6 @@ apartment_block: edc apartment_block_id: 4 -subnet_ids: - ap: 144 - users_wired: 40 - users_wifi: 41 - router_ip_suffix: 254 mtu: 1500 diff --git a/group_vars/fleming/main.yml b/group_vars/fleming/main.yml index 1913a87..c01bc59 100644 --- a/group_vars/fleming/main.yml +++ b/group_vars/fleming/main.yml @@ -2,9 +2,4 @@ apartment_block: fleming apartment_block_id: 1 -subnet_ids: - ap: 141 - users_wired: 10 - users_wifi: 11 - router_ip_suffix: 254 diff --git a/group_vars/gs/main.yml b/group_vars/gs/main.yml index 10a85ab..0161c8a 100644 --- a/group_vars/gs/main.yml +++ b/group_vars/gs/main.yml @@ -2,9 +2,4 @@ apartment_block: gs apartment_block_id: 5 -subnet_ids: - ap: 145 - users_wired: 50 - users_wifi: 51 - router_ip_suffix: 240 
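Review bot: The new `subnet_ids` expressions in group_vars/all/vars.yml silently assume `apartment_block_id` is a single digit: `"14{{ apartment_block_id }}"` and `"{{ apartment_block_id }}0"` are string concatenations, so an id of 10 would yield `1410` and `100`, which are not valid octets for the `10.x.0.0/16` subnets the dhcpd template builds from them. Nothing validates this, and the per-block files this commit deletes no longer show the expected range. A comment on the block would make the contract explicit: `# Derived from apartment_block_id, which must stay a single digit (1-9): ap 14X, wired X0, wifi X1.` Note also that these values are now strings where the deleted per-block values were integers; the visible consumers only interpolate them into address strings, so that is harmless today.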
diff --git a/group_vars/pacaterie/main.yml b/group_vars/pacaterie/main.yml index 7d6e30c..8ddb5ff 100644 --- a/group_vars/pacaterie/main.yml +++ b/group_vars/pacaterie/main.yml @@ -2,11 +2,6 @@ apartment_block: pacaterie apartment_block_id: 2 -subnet_ids: - ap: 142 - users_wired: 20 - users_wifi: 21 - router_ip_suffix: 254 mtu: 1500 From 337906c6c0ff413a6062dcca402544246f510a63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Jul 2020 18:40:54 +0200 Subject: [PATCH 07/31] add gs dhcp, dns, routing and add thor to inventory --- .gitignore | 1 + group_vars/all/vars.yml | 3 +-- group_vars/gs/main.yml | 4 +++- hosts | 19 +++++++++++++++++++ network.yml | 6 +++--- .../templates/dhcp/dhcpd.conf.j2 | 8 ++++---- 6 files changed, 31 insertions(+), 10 deletions(-) diff --git a/.gitignore b/.gitignore index fc586ce..ea2eabf 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ *.retry +tmp ldap-password.txt diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 572a607..c3f0502 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -77,5 +77,4 @@ radius_pg_replication_password: "{{ vault_re2o_db_user_passwords.replication }}" radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}" - - +apartment_block_dhcp: "{{ apartment_block }}" diff --git a/group_vars/gs/main.yml b/group_vars/gs/main.yml index 0161c8a..25c3139 100644 --- a/group_vars/gs/main.yml +++ b/group_vars/gs/main.yml @@ -1,5 +1,7 @@ --- apartment_block: gs +apartment_block_dhcp: sand + apartment_block_id: 5 -router_ip_suffix: 240 +router_ip_suffix: 254 diff --git a/hosts b/hosts index b688b50..bbc392f 100644 --- a/hosts +++ b/hosts 
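Review bot: `apartment_block_dhcp: "{{ apartment_block }}"` is added to group_vars/all/vars.yml without any comment, and the reason it exists is only visible in group_vars/gs/main.yml, where it is overridden to `sand`. A reader of the dhcpd template, which now uses it for `option domain-name` and for the generated lease-list path, cannot tell why two names for the same block exist. Suggest `# Block name as used in DHCP domain names and re2o's generated lease lists; defaults to apartment_block, but gs is "sand" there (see group_vars/gs).`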
@@ -121,17 +121,31 @@ ldap-replica-edc-backup.adm.auro.re [gs_pve] perceval.adm.auro.re +lancelot.adm.auro.re +odin.adm.auro.re [gs_vm] dhcp-gs.adm.auro.re +dhcp-gs-backup.adm.auro.re dns-gs.adm.auro.re +dns-gs-backup.adm.auro.re routeur-gs.adm.auro.re +routeur-gs-backup.adm.auro.re unifi-gs.adm.auro.re radius-gs.adm.auro.re +radius-gs-backup.adm.auro.re prometheus-gs.adm.auro.re #inexistant : ldap-replica-gs.adm.auro.re #inexistant : ldap-replica-gs-backup.adm.auro.re +############################################################################### +# Les Rives +[rives_pve] +thor.adm.auro.re + + + + ############################################################################### # Groups by location @@ -164,6 +178,10 @@ edc_vm gs_pve gs_vm +# everything at Les Rives +[rives:children] +rives_pve + ############################################################################### # Groups by type @@ -187,6 +205,7 @@ fleming_pve pacaterie_pve edc_pve gs_pve +rives_pve ############################################################################### diff --git a/network.yml b/network.yml index 4b4a9dc..bca43c0 100755 --- a/network.yml +++ b/network.yml @@ -1,7 +1,7 @@ #!/usr/bin/env ansible-playbook --- # Set up DHCP servers. -- hosts: dhcp-*.adm.auro.re, !dhcp-aurore*.adm.auro.re,!dhcp-gs*.adm.auro.re +- hosts: dhcp-*.adm.auro.re, !dhcp-aurore*.adm.auro.re vars: service_repo: https://gitlab.federez.net/re2o/dhcp.git service_name: dhcp @@ -16,13 +16,13 @@ # Deploy unbound DNS server (recursive). -- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re,!dns-gs*.adm.auro.re +- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re roles: - unbound # Déploiement du service re2o aurore-firewall et keepalived -- hosts: ~routeur-(pacaterie|edc|fleming).*\.adm\.auro\.re +- hosts: ~routeur-(pacaterie|edc|fleming|gs).*\.adm\.auro\.re roles: - router 
diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index f4150e7..cde8d25 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 @@ -43,12 +43,12 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { option subnet-mask 255.255.0.0; option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255; option routers 10.{{ subnet_ids.users_wired }}.0.{{ router_ip_suffix }}; - option domain-name "fil.{{ apartment_block }}.auro.re"; + option domain-name "fil.{{ apartment_block_dhcp }}.auro.re"; option domain-search "auro.re"; option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; - include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list"; + include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block_dhcp }}.auro.re.list"; deny unknown-clients; } @@ -60,12 +60,12 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { option subnet-mask 255.255.0.0; option broadcast-address 10.{{ subnet_ids.users_wifi }}.255.255; option routers 10.{{ subnet_ids.users_wifi }}.0.{{ router_ip_suffix }}; - option domain-name "wifi.{{ apartment_block }}.auro.re"; + option domain-name "wifi.{{ apartment_block_dhcp }}.auro.re"; option domain-search "auro.re"; option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; - include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list"; + include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block_dhcp }}.auro.re.list"; pool { range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wifi }}.10.255; 
From f7617c4478b28ce131290b526be8cd72a4bc6965 Mon Sep 17 00:00:00 2001 From: fpoutre Date: Mon, 6 Jul 2020 18:52:46 +0200 Subject: [PATCH 08/31] added ldap-replica-gs to hosts --- hosts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts b/hosts index bbc392f..dee3e1e 100644 --- a/hosts +++ b/hosts @@ -135,7 +135,7 @@ unifi-gs.adm.auro.re radius-gs.adm.auro.re radius-gs-backup.adm.auro.re prometheus-gs.adm.auro.re -#inexistant : ldap-replica-gs.adm.auro.re +ldap-replica-gs.adm.auro.re #inexistant : ldap-replica-gs-backup.adm.auro.re ############################################################################### From 511734a978eb8abb87efe85f82fa2ecd56567285 Mon Sep 17 00:00:00 2001 From: TinyLinux Date: Mon, 6 Jul 2020 22:06:16 +0200 Subject: [PATCH 09/31] Add ldap-replica-gs-backup to hosts --- hosts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts b/hosts index dee3e1e..1f41aab 100644 --- a/hosts +++ b/hosts @@ -136,7 +136,7 @@ radius-gs.adm.auro.re radius-gs-backup.adm.auro.re prometheus-gs.adm.auro.re ldap-replica-gs.adm.auro.re -#inexistant : ldap-replica-gs-backup.adm.auro.re +ldap-replica-gs-backup.adm.auro.re ############################################################################### # Les Rives From 354a5e7d632fd6df6c0b4091b1d4e1f902895879 Mon Sep 17 00:00:00 2001 From: fpoutre Date: Mon, 6 Jul 2020 22:27:53 +0200 Subject: [PATCH 10/31] created a dedicated ldap_replica role --- base.yml | 5 ----- ldap_replica.yml | 7 +++++++ 2 files changed, 7 insertions(+), 5 deletions(-) create mode 100755 ldap_replica.yml diff --git a/base.yml b/base.yml index 935f60e..2e26b95 100755 --- a/base.yml +++ b/base.yml @@ -11,8 +11,3 @@ roles: - ldap-client -# Clone LDAP on local geographic location -# DON'T DO THIS AS IT RECREATES THE REPLICA -#- hosts: ldap_replica -# roles: -# - ldap-replica diff --git a/ldap_replica.yml b/ldap_replica.yml new file mode 100755 index 0000000..1686293 --- /dev/null +++ b/ldap_replica.yml 
@@ -0,0 +1,7 @@ +#!/usr/bin/env ansible-playbook +--- +# Clone LDAP on local geographic location +# DON'T DO THIS AS IT RECREATES THE REPLICA +- hosts: ldap_replica + roles: + - ldap-replica From a32116131d2f4f5adc1a066b645b073ac5cb30ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 12:02:37 +0200 Subject: [PATCH 11/31] raise MTU at fleming already been deployed for a while, forgot to push --- group_vars/fleming/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/fleming/main.yml b/group_vars/fleming/main.yml index c01bc59..94f9cc8 100644 --- a/group_vars/fleming/main.yml +++ b/group_vars/fleming/main.yml @@ -3,3 +3,5 @@ apartment_block: fleming apartment_block_id: 1 router_ip_suffix: 254 + +mtu: 1500 From a4841e6947f38943f686c4c0efd3175f6b8989c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 12:56:23 +0200 Subject: [PATCH 12/31] add radvd role, deploy in routers --- network.yml | 1 + roles/radvd/handlers/main.yml | 4 ++ roles/radvd/tasks/main.yml | 20 +++++++++ roles/radvd/templates/radvd.conf.j2 | 67 +++++++++++++++++++++++++++++ 4 files changed, 92 insertions(+) create mode 100644 roles/radvd/handlers/main.yml create mode 100644 roles/radvd/tasks/main.yml create mode 100644 roles/radvd/templates/radvd.conf.j2 diff --git a/network.yml b/network.yml index bca43c0..fec4170 100755 --- a/network.yml +++ b/network.yml @@ -25,6 +25,7 @@ - hosts: ~routeur-(pacaterie|edc|fleming|gs).*\.adm\.auro\.re roles: - router + - radvd # Radius (backup only for now) diff --git a/roles/radvd/handlers/main.yml b/roles/radvd/handlers/main.yml new file mode 100644 index 0000000..0bc0b9d --- /dev/null +++ b/roles/radvd/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart radvd + systemd: + state: restarted + name: radvd diff --git a/roles/radvd/tasks/main.yml b/roles/radvd/tasks/main.yml new file mode 100644 index 0000000..7b68b76 --- /dev/null +++ b/roles/radvd/tasks/main.yml 
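Review bot: ldap_replica.yml turns a block that was deliberately commented out because it "RECREATES THE REPLICA" into an executable playbook with no safeguard, so a stray `ansible-playbook ldap_replica.yml` now rebuilds every host in `ldap_replica` at once. The warning comment survives but no longer stops anyone. A `pre_tasks` guard that fails unless an explicit extra-var is passed keeps the playbook runnable on purpose and inert by accident, and `--limit` can still narrow a deliberate run to a single replica.
```yaml
- hosts: ldap_replica
  pre_tasks:
    - name: Refuse to run unless the operator explicitly opts in
      fail:
        msg: "This playbook recreates the LDAP replica; re-run with -e recreate_ldap_replica=true"
      when: not (recreate_ldap_replica | default(false) | bool)
  roles:
    - ldap-replica
```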
@@ -0,0 +1,20 @@ +--- + + +# Warning: radvd installation seems to fail if the configuration +# file doesn't already exist when the package is installed, +# so the order is important. +- name: Configure radvd + template: + src: radvd.conf.j2 + dest: /etc/radvd.conf + mode: 0644 + notify: restart radvd + +- name: Install radvd + apt: + update_cache: true + name: radvd + state: present + notify: restart radvd + diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2 new file mode 100644 index 0000000..e2f91e2 --- /dev/null +++ b/roles/radvd/templates/radvd.conf.j2 
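Review bot: `update_cache: true` on the `Install radvd` task has no `cache_valid_time`, so every run of the router play refreshes the apt index before checking whether radvd is installed; `cache_valid_time: 3600` keeps the refresh while making repeated runs cheap. The ordering comment above the template task is useful, but `notify: restart radvd` on both tasks is puzzling without a word on why: handlers run once at the end of the play, so the second notify only matters on a run where the package changes but the config does not. Suggest `# Both tasks notify: a package upgrade alone must also restart radvd with the rendered config.`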
@@ -0,0 +1,67 @@ +# -*- mode: conf-unix; coding: utf-8 -*- + +## +# Bornes Wi-Fi +## + +interface ens19 { # XXX - FIX THE INTERFACE NAME + AdvSendAdvert on; + AdvLinkMTU {{ mtu }}; + AdvDefaultPreference high; + MaxRtrAdvInterval 30; + + + prefix 2a09:6840:{{ subnet_ids.ap }}::/64 { + AdvRouterAddr on; + }; + + # La zone DNS + DNSSL borne.auro.re {}; + + # Les DNS récursifs + RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {}; + RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {}; +}; + + + + +## +# Utilisateurs filaire +## +interface ens20 { # XXX + AdvSendAdvert on; + AdvLinkMTU {{ mtu }}; + AdvDefaultPreference high; + MaxRtrAdvInterval 30; + + prefix 2a09:6840:{{ subnet_ids.users_wired }}::/64 { + AdvRouterAddr on; + }; + + DNSSL fil.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround. + + RDNSS 2a09:6840:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_main }} {}; + RDNSS 2a09:6840:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_backup }} {}; +}; + + +## +# Utilisateurs wifi +## +interface ens20 { # XXX: interface name + AdvSendAdvert on; + AdvLinkMTU {{ mtu }}; + AdvDefaultPreference high; + MaxRtrAdvInterval 30; + + prefix 2a09:6840:{{ subnet_ids.users_wifi }}::/64 { + AdvRouterAddr on; + }; + + DNSSL wifi.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround. + + RDNSS 2a09:6840:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_main }} {}; + RDNSS 2a09:6840:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_backup }} {}; +}; + From f09b0906c6a73ed7c6f68fd21ec829160eb9326b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 14:20:08 +0200 Subject: [PATCH 13/31] radvd: fix wifi interface, comment out APs for now --- roles/radvd/templates/radvd.conf.j2 | 46 ++++++++++++++++------------- 1 file changed, 25 insertions(+), 21 deletions(-) diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2 index e2f91e2..f773514 100644 
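Review bot: Both the "Utilisateurs filaire" and "Utilisateurs wifi" stanzas in radvd.conf.j2 are declared as `interface ens20`, so as written the wifi prefix and its DNSSL/RDNSS are advertised on the wired interface, or radvd rejects the duplicate stanza, depending on the version (I have not verified which). The `# XXX` markers show this was known, but the template is deployed to every router matched by the play. The wifi stanza needs its real interface name before this ships, e.g. `interface ens21 {`, and the remaining placeholder on the AP stanza should say in its comment that the stanza is not yet live.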
--- a/roles/radvd/templates/radvd.conf.j2 +++ b/roles/radvd/templates/radvd.conf.j2 @@ -4,32 +4,33 @@ # Bornes Wi-Fi ## -interface ens19 { # XXX - FIX THE INTERFACE NAME - AdvSendAdvert on; - AdvLinkMTU {{ mtu }}; - AdvDefaultPreference high; - MaxRtrAdvInterval 30; - - - prefix 2a09:6840:{{ subnet_ids.ap }}::/64 { - AdvRouterAddr on; - }; - - # La zone DNS - DNSSL borne.auro.re {}; - - # Les DNS récursifs - RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {}; - RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {}; -}; - +# Not deployed yet! +# Need to add an interface for this VLAN on "routeur-*" hosts. +# interface ens19 { # XXX - FIX THE INTERFACE NAME +# AdvSendAdvert on; +# AdvLinkMTU {{ mtu }}; +# AdvDefaultPreference high; +# MaxRtrAdvInterval 30; +# +# +# prefix 2a09:6840:{{ subnet_ids.ap }}::/64 { +# AdvRouterAddr on; +# }; +# +# # La zone DNS +# DNSSL borne.auro.re {}; +# +# # Les DNS récursifs +# RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {}; +# RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {}; +# }; ## # Utilisateurs filaire ## -interface ens20 { # XXX +interface ens20 { AdvSendAdvert on; AdvLinkMTU {{ mtu }}; AdvDefaultPreference high; @@ -49,7 +50,7 @@ interface ens20 { # XXX ## # Utilisateurs wifi ## -interface ens20 { # XXX: interface name +interface ens21 { AdvSendAdvert on; AdvLinkMTU {{ mtu }}; AdvDefaultPreference high; @@ -65,3 +66,6 @@ interface ens20 { # XXX: interface name RDNSS 2a09:6840:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_backup }} {}; }; + + +# For public IPs: will use DHCPv6, deployed on routeur-aurore alone. From 468bb9abded364757acf44e56c8d2879ececd777 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 14:22:30 +0200 Subject: [PATCH 14/31] add radvd comment --- network.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/network.yml b/network.yml index fec4170..43f2297 100755 --- a/network.yml 
+++ b/network.yml @@ -22,6 +22,8 @@ # Déploiement du service re2o aurore-firewall et keepalived +# radvd: IPv6 SLAAC (/64 subnets, private IPs). +# Must NOT be on routeur-aurore-*, or will with DHCPv6! - hosts: ~routeur-(pacaterie|edc|fleming|gs).*\.adm\.auro\.re roles: - router From d54da8d2b91d1da97150ee7eef67b7728d6bf262 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 14:31:49 +0200 Subject: [PATCH 15/31] add ipv6_base_prefix variable --- group_vars/all/vars.yml | 6 ++++++ roles/radvd/templates/radvd.conf.j2 | 18 +++++++++--------- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index c3f0502..cc30765 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -78,3 +78,9 @@ radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}" apartment_block_dhcp: "{{ apartment_block }}" + + + +# Careful, this is not byte-aligned, just nibble-aligned (RIPE gave us a /28). +# However, we ALWAYS keep the trailing 0 to have byte alignment. +ipv6_base_prefix: "2a09:6840" diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2 index f773514..bf301a9 100644 --- a/roles/radvd/templates/radvd.conf.j2 +++ b/roles/radvd/templates/radvd.conf.j2 @@ -14,7 +14,7 @@ # MaxRtrAdvInterval 30; # # -# prefix 2a09:6840:{{ subnet_ids.ap }}::/64 { +# prefix {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::/64 { # AdvRouterAddr on; # }; # @@ -22,8 +22,8 @@ # DNSSL borne.auro.re {}; # # # Les DNS récursifs -# RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {}; -# RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {}; +# RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {}; +# RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {}; # }; 
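Review bot: The new comment in network.yml, `# Must NOT be on routeur-aurore-*, or will with DHCPv6!`, is missing its verb, and since it is the only place that records why the radvd role is excluded from routeur-aurore it should read cleanly. Presumably the intended meaning is a conflict with the DHCPv6 deployment mentioned at the end of radvd.conf.j2 in the previous commit; if so, `# Must NOT be applied to routeur-aurore-*: it would conflict with the DHCPv6 deployment there.`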
@@ -36,14 +36,14 @@ interface ens20 { AdvDefaultPreference high; MaxRtrAdvInterval 30; - prefix 2a09:6840:{{ subnet_ids.users_wired }}::/64 { + prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 { AdvRouterAddr on; }; DNSSL fil.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround. - RDNSS 2a09:6840:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_main }} {}; - RDNSS 2a09:6840:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_backup }} {}; + RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_main }} {}; + RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_backup }} {}; }; @@ -56,14 +56,14 @@ interface ens21 { AdvDefaultPreference high; MaxRtrAdvInterval 30; - prefix 2a09:6840:{{ subnet_ids.users_wifi }}::/64 { + prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64 { AdvRouterAddr on; }; DNSSL wifi.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround. - RDNSS 2a09:6840:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_main }} {}; - RDNSS 2a09:6840:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_backup }} {}; + RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_main }} {}; + RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_backup }} {}; }; From 713c93ac44256336358105276c4df633137ff3e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 14:32:02 +0200 Subject: [PATCH 16/31] update unbound role for IPv6 --- roles/unbound/templates/recursive.conf.j2 | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index 62c93be..47ad938 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 
@@ -11,20 +11,32 @@ server: logfile: "/var/log/unbound/unbound.log" do-ip4: yes - # FIXME: IPv6 deployment... someday... - do-ip6: no + do-ip6: yes # IP addresses on which to listen. + # + # Note: dns_host_suffix is dynamically set in this role's tasks, + # and changes depending on whether we're handling the main or backup + # recursive DNS node. + + # IPv4 interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }} + + # IPv6 + interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }} + interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }} + interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }} + # By default, anything other than localhost is refused. # Whitelist some subnets: access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow + access-control: {{ ipv6_base_prefix }}::/32 # Fuck it... :) num-threads: {{ ansible_processor_vcpus }} From 194c19fbf33efe1769f7710622569231bb16ae7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 15:34:49 +0200 Subject: [PATCH 17/31] fix wrong hardcoded email for keepalived monitoring --- roles/router/templates/keepalived.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf index 6e51fd9..1bb305e 100644 --- a/roles/router/templates/keepalived.conf +++ b/roles/router/templates/keepalived.conf 
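Review bot: `access-control: {{ ipv6_base_prefix }}::/32 # Fuck it... :)` in recursive.conf.j2 is missing the action argument; unbound's `access-control:` takes `<netblock> <action>`, so this line should be rejected by `unbound-checkconf` before the service ever restarts. Even with `allow` added it would open recursion to every subnet under `2a09:6840::/32` across all buildings rather than to this block's three /64s, which is a wider exposure than the IPv4 rules directly above, where each building whitelists only its own /16s. Mirroring those rules keeps the resolver scoped: `access-control: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::/64 allow`, `access-control: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 allow`, `access-control: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64 allow`.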
@@ -2,7 +2,7 @@ global_defs { notification_email { monitoring.aurore@lists.crans.org } - notification_email_from routeur-edc-backup@auro.re + notification_email_from routeur-{{ apartment_block }}{% if 'backup' in inventory_hostname %}-backup{% endif %}@auro.re smtp_server smtp.crans.org } From 56808e4e60392acbf80c2ae51d29505f06a1c412 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 15:46:41 +0200 Subject: [PATCH 18/31] wip: begin updating 'router' role for IPv6 pending: update virtual routes --- roles/router/tasks/main.yml | 6 ++++++ roles/router/templates/firewall_config.py | 2 +- roles/router/templates/keepalived.conf | 13 ++++++++++--- 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml index dd7f865..06595a2 100644 --- a/roles/router/tasks/main.yml +++ b/roles/router/tasks/main.yml @@ -6,6 +6,12 @@ value: '1' sysctl_set: yes +- name: Enable IPv6 packet forwarding + ansible.posix.sysctl: + name: net.ipv6.ip_forward + value: '1' + sysctl_set: yes + - name: Install aurore-firewall (re2o-service) import_role: name: re2o-service diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py index bd013d3..1a3579c 100644 --- a/roles/router/templates/firewall_config.py +++ b/roles/router/templates/firewall_config.py @@ -25,7 +25,7 @@ ### Give me a role # routeur4 = routeur IPv4 -role = ['routeur4'] +role = ['routeur4', 'routeur6'] ### Specify each interface role diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf index 1bb305e..875c132 100644 --- a/roles/router/templates/keepalived.conf +++ b/roles/router/templates/keepalived.conf @@ -26,7 +26,6 @@ vrrp_instance VI_ROUT_{{ apartment_block }} { # Timeout in seconds before failover kicks in. advert_int 2 - # Used to authenticate VRRP communication between master and backup. authentication { auth_type PASS 
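Review bot: The new `Enable IPv6 packet forwarding` task in roles/router/tasks/main.yml sets `net.ipv6.ip_forward`, which is not a Linux sysctl; IPv6 forwarding is controlled by `net.ipv6.conf.all.forwarding` (and `net.ipv6.conf.default.forwarding` for interfaces created later). The sysctl module will fail on the missing key, so the play stops before the firewall and keepalived tasks that follow. Change the task to `name: net.ipv6.conf.all.forwarding`. It is also worth checking the router's uplink behaviour after this: an interface with forwarding enabled ignores Router Advertisements unless its `accept_ra` is set to 2.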
@@ -38,18 +37,26 @@ vrrp_instance VI_ROUT_{{ apartment_block }} { virtual_ipaddress { # Routing subnet 10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global + {{ ipv6_base_prefix }}:129:0::{{ apartment_block_id }}:254/64 dev ens19 scope global - # Public subnet: wired + + # NATed subnet: wired 45.66.108.25{{ apartment_block_id }}/24 brd 45.66.108.255 dev ens19 scope global - # Public subnet: wifi + + # NATed subnet: wifi 45.66.109.25{{ apartment_block_id }}/24 brd 45.66.109.255 dev ens19 scope global # Wired 10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global + {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:254/64 dev ens20 scope global + # Wifi 10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global + {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:254/64 dev ens21 scope global } + + # FIXME: update for IPv6 virtual_routes { # 10.129.0.1 is Yggdrasil src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19 From 2e6306b61e9e71b8ef9f1e87570e5b60c845234f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 16:05:41 +0200 Subject: [PATCH 19/31] radvd: advertise keepalived VIP --- roles/radvd/templates/radvd.conf.j2 | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2 index bf301a9..ab63ea8 100644 --- a/roles/radvd/templates/radvd.conf.j2 +++ b/roles/radvd/templates/radvd.conf.j2 @@ -12,8 +12,11 @@ # AdvLinkMTU {{ mtu }}; # AdvDefaultPreference high; # MaxRtrAdvInterval 30; -# -# +# +# AdvRASrcAddress { +# {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:250; # Unifi controller +# }; +# # prefix {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::/64 { # AdvRouterAddr on; # }; 
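Review bot: The new IPv6 VIPs in keepalived.conf hardcode `::0:254` on ens20/ens21 while the block's gateway suffix is the `router_ip_suffix` variable, which the dhcpd template uses for `option routers` and which group_vars/gs briefly set to 240 earlier in this series. The IPv4 lines already had this hardcoding, but copying it into the v6 entries widens the chance that a block with a non-254 suffix advertises a gateway no router actually holds; as of this commit all visible blocks use 254, so nothing breaks today. Either template the suffix, `{{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ router_ip_suffix }}/64 dev ens20 scope global`, or document next to `router_ip_suffix` that 254 is the only supported value. The `virtual_routes` block that follows is cut off at the end of this hunk.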
@@ -26,7 +29,6 @@
 # RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {};
 # };
-
 ##
 # Utilisateurs filaire
 ##
@@ -36,6 +38,10 @@ interface ens20 {
 AdvDefaultPreference high;
 MaxRtrAdvInterval 30;
+ AdvRASrcAddress {
+ {{{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ router_ip_suffix }};
+ };
+
 prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 {
 AdvRouterAddr on;
 };
@@ -56,6 +62,10 @@ interface ens21 {
 AdvDefaultPreference high;
 MaxRtrAdvInterval 30;
+ AdvRASrcAddress {
+ {{{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ router_ip_suffix }};
+ };
+
 prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64 {
 AdvRouterAddr on;
 };
From 361fd54414d34d677b2862da98cf02a2feeb2c15 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sat, 1 Aug 2020 16:07:27 +0200
Subject: [PATCH 20/31] keepalived: add IPv6 virtual route
---
 roles/router/templates/keepalived.conf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf
index 875c132..a07ec07 100644
--- a/roles/router/templates/keepalived.conf
+++ b/roles/router/templates/keepalived.conf
@@ -60,5 +60,9 @@ vrrp_instance VI_ROUT_{{ apartment_block }} {
 virtual_routes {
 # 10.129.0.1 is Yggdrasil
 src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19
+
+ # For IPv6, the master router is routeur-aurore, NOT yggdrasil,
+ # because yggdrasil doesn't support BGPv6 announcements.
+ src {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254 to ::/0 via {{ ipv6_base_prefix }}:129::0:1 dev ens19
 }
 }
From 3a8112bf0d70d7ce64bb7cbfccb4c76473f7bda1 Mon Sep 17 00:00:00 2001
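Review bot: The new `AdvRASrcAddress` entry starts with three braces, `{{{ ipv6_base_prefix }}:...`, so Jinja emits a literal `{` in front of the address and radvd should refuse the rendered file (a parse error means no RAs at all on ens20 once `restart radvd` fires); the `@@ -56,6 +62,10 @@` hunk for ens21 carries the same typo. The intended line is `{{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ router_ip_suffix }};` (wifi counterpart likewise). Separately, RFC 4861 §4.2 requires a Router Advertisement to be sent from the link-local address of the interface, so even with the braces fixed a global address here is unlikely to be accepted; an `fe80::` address is what belongs in `AdvRASrcAddress`.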
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sat, 1 Aug 2020 17:48:39 +0200
Subject: [PATCH 21/31] roll out (private) IPv6 on George Sand
---
 group_vars/all/vars.yml | 4 +-
 roles/radvd/tasks/main.yml | 2 +
 roles/radvd/templates/radvd.conf.j2 | 4 +-
 roles/router/tasks/main.yml | 2 +-
 roles/router/templates/firewall_config.py | 4 +-
 roles/router/templates/keepalived.conf | 61 +++++++++++++++++++----
 roles/unbound/templates/recursive.conf.j2 | 2 +-
 7 files changed, 61 insertions(+), 18 deletions(-)
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index cc30765..2b53213 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -50,8 +50,8 @@ dns_host_suffix_backup: 153
 backup_dns_servers:
 - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
-# Misc
-mtu: 1400
+# Finally raised!
+mtu: 1500
 subnet_ids:
 ap: "14{{ apartment_block_id }}"
diff --git a/roles/radvd/tasks/main.yml b/roles/radvd/tasks/main.yml
index 7b68b76..75c72c1 100644
--- a/roles/radvd/tasks/main.yml
+++ b/roles/radvd/tasks/main.yml
@@ -10,6 +10,8 @@
 dest: /etc/radvd.conf
 mode: 0644
 notify: restart radvd
+ tags:
+ - radconf
 - name: Install radvd
 apt:
diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2
index ab63ea8..94720f5 100644
--- a/roles/radvd/templates/radvd.conf.j2
+++ b/roles/radvd/templates/radvd.conf.j2
@@ -39,7 +39,7 @@ interface ens20 {
 MaxRtrAdvInterval 30;
 AdvRASrcAddress {
- {{{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ router_ip_suffix }};
+ fe80::1;
 };
 prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 {
@@ -63,7 +63,7 @@ interface ens21 {
 MaxRtrAdvInterval 30;
 AdvRASrcAddress {
- {{{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ router_ip_suffix }};
+ fe80::1;
 };
 prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64 {
diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml
index 06595a2..d09a2c8 100644
--- a/roles/router/tasks/main.yml
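Review bot: `fe80::1` as `AdvRASrcAddress` exists only on whichever router keepalived currently holds as MASTER, yet this role installs and restarts radvd on both routers; what the BACKUP does when its configured source address is absent from the interface (skip advertising, or fall back to its own link-local and announce itself as a default router beside the VIP) is not visible here, and it decides whether clients can end up routing around VRRP. Worth verifying on a backup host and either gating radvd through keepalived's `notify_master`/`notify_backup` or recording the verified behaviour next to the address, e.g. `# fe80::1 is the keepalived VIP; radvd on BACKUP must not advertise from its own link-local`. The `interface` blocks start outside the hunk.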
+++ b/roles/router/tasks/main.yml
@@ -8,7 +8,7 @@
 - name: Enable IPv6 packet forwarding
 ansible.posix.sysctl:
- name: net.ipv6.ip_forward
+ name: net.ipv6.conf.all.forwarding
 value: '1'
 sysctl_set: yes
diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py
index 1a3579c..4f6b755 100644
--- a/roles/router/templates/firewall_config.py
+++ b/roles/router/templates/firewall_config.py
@@ -24,8 +24,8 @@
 ### Give me a role
-# routeur4 = routeur IPv4
-role = ['routeur4', 'routeur6']
+# previously: routeur4 = routeur IPv4
+role = ['routeur']
 ### Specify each interface role
diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf
index a07ec07..cd217f3 100644
--- a/roles/router/templates/keepalived.conf
+++ b/roles/router/templates/keepalived.conf
@@ -7,7 +7,7 @@ global_defs {
 }
-vrrp_instance VI_ROUT_{{ apartment_block }} {
+vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 {
 {% if 'backup' in inventory_hostname %}
 state BACKUP
 priority 100
@@ -21,7 +21,7 @@ vrrp_instance VI_ROUT_{{ apartment_block }} {
 interface ens18
 # Shared by MASTER and BACKUP
- virtual_router_id {{ apartment_block_id }}
+ virtual_router_id 4{{ apartment_block_id }}
 # Timeout in seconds before failover kicks in.
 advert_int 2
@@ -37,7 +37,6 @@ vrrp_instance VI_ROUT_{{ apartment_block }} {
 virtual_ipaddress {
 # Routing subnet
 10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global
- {{ ipv6_base_prefix }}:129:0::{{ apartment_block_id }}:254/64 dev ens19 scope global
 # NATed subnet: wired
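Review bot: `virtual_router_id 4{{ apartment_block_id }}` is string concatenation and the VRRP VRID is an 8-bit field (1–255), so the scheme only holds while `apartment_block_id` is a single digit; a two-digit id renders as 412 and keepalived rejects the instance (the `6{{ apartment_block_id }}` in the next hunk has the same limit). Since `subnet_ids.ap: "14{{ apartment_block_id }}"` elsewhere in this series rests on the same assumption, a comment stating it is probably enough: `# VRID is 8-bit: the 4X/6X scheme needs a single-digit apartment_block_id`. The vrrp_instance block starts and ends outside the hunk.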
@@ -48,21 +47,63 @@ vrrp_instance VI_ROUT_{{ apartment_block }} { # Wired 10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global - {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:254/64 dev ens20 scope global # Wifi 10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global - {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:254/64 dev ens21 scope global } - # FIXME: update for IPv6 virtual_routes { # 10.129.0.1 is Yggdrasil src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19 - - # For IPv6, the master router is routeur-aurore, NOT yggdrasil, - # because yggdrasil doesn't support BGPv6 announcements. - src {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254 to ::/0 via {{ ipv6_base_prefix }}:129::0:1 dev ens19 } } + +vrrp_instance VI_ROUT_{{ apartment_block }}_IPv6 { + {% if 'backup' in inventory_hostname %} + state BACKUP + priority 100 + {% else %} + state MASTER + priority 150 + {% endif %} + + + # Interface used for VRRP communication. + interface ens18 + + # Shared by MASTER and BACKUP + virtual_router_id 6{{ apartment_block_id }} + + # Timeout in seconds before failover kicks in. + advert_int 2 + + # Used to authenticate VRRP communication between master and backup. + authentication { + auth_type PASS + auth_pass {{ keepalived_password }} + } + + smtp_alert + + virtual_ipaddress { + # Routing subnet + fe80::1/64 dev ens19 scope global + {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254/64 dev ens19 scope global + + # Wired + fe80::1/64 dev ens20 scope global + + # Wifi + fe80::1/64 dev ens21 scope global + } + + + virtual_routes { + # For IPv6, the master router is routeur-aurore, NOT yggdrasil, + # because yggdrasil doesn't support BGPv6 announcements. + src {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254 to ::/0 via {{ ipv6_base_prefix }}:129::0:254 dev ens19 + } +} + + 
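Review bot: The `authentication { auth_type PASS ... }` block copied into `VI_ROUT_{{ apartment_block }}_IPv6` gives no protection: keepalived speaks VRRPv3 for IPv6 instances and VRRPv3 has no authentication field, so the setting is ignored (and, I believe, logged as unsupported), while even on the IPv4 instance `PASS` is an unencrypted 8-byte string on the wire. The control that matters is that VRRP (IP protocol 112) on ens18 is accepted only from the peer router, which belongs in the firewall config this role already templates; suggest replacing the block with `# VRRPv3 (IPv6) has no authentication; ens18 must be restricted to the router pair by the firewall`. Also, `fe80::1/64 dev ens19 scope global` declares a link-local address with global scope; the kernel derives IPv6 scope from the address itself so this is probably only misleading, but `scope link` would say what it is. The IPv6 instance ends with the hunk; the IPv4 instance above starts outside it.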
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
index 47ad938..efdebe1 100644
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
@@ -36,7 +36,7 @@ server:
 access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
 access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
 access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
- access-control: {{ ipv6_base_prefix }}::/32 # Fuck it... :)
+ access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :)
 num-threads: {{ ansible_processor_vcpus }}
From 8360e212cc038515027756f7d6658f01aea8e94c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sun, 2 Aug 2020 12:14:57 +0200
Subject: [PATCH 22/31] enable SSH pipelining (THE SPEED!)
---
 ansible.cfg | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/ansible.cfg b/ansible.cfg
index 8d528bd..e2d6a32 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -33,3 +33,6 @@ become_ask_pass = True
 # TO know what changed
 always = yes
+
+[ssh_connection]
+pipelining = True
From de36a3bb9538fc9f0e114b5eb465f7e35a9c0a78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sun, 2 Aug 2020 12:15:15 +0200
Subject: [PATCH 23/31] announce IPv6 recursive resolver (untested)
---
 roles/baseconfig/templates/resolv.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/baseconfig/templates/resolv.conf b/roles/baseconfig/templates/resolv.conf
index c94128f..935eeeb 100644
--- a/roles/baseconfig/templates/resolv.conf
+++ b/roles/baseconfig/templates/resolv.conf
@@ -1,3 +1,4 @@
 domain adm.auro.re
 nameserver 10.128.0.253
+nameserver 2a09:6840:128::253
 nameserver 80.67.169.12
From e7620914356f5ae41ce9fba6133a519f7a692571 Mon Sep 17 00:00:00 2001
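Review bot: `access-control: {{ ipv6_base_prefix }}::/32 allow` grants recursion to the entire /32, whereas the IPv4 rules directly above are limited to this site's three user /16s; if that /32 is the organisation-wide allocation (the `2a09:6840:128::253` resolver added to resolv.conf later in this series suggests other networks live in it), every host in it can recurse through this server, which is the precondition for it being usable in DNS reflection and for cache-poisoning attempts from outside the site. Mirror the IPv4 lines with the matching /64s, e.g. `access-control: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 allow` plus the wifi and ap equivalents, and replace `# Fuck it... :)` with the reason the range was chosen. The `server:` block starts outside the hunk.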
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sun, 2 Aug 2020 12:15:27 +0200
Subject: [PATCH 24/31] explain fe80::1 keepalived/radvd magic
---
 roles/radvd/templates/radvd.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2
index 94720f5..dc5f1a2 100644
--- a/roles/radvd/templates/radvd.conf.j2
+++ b/roles/radvd/templates/radvd.conf.j2
@@ -39,7 +39,7 @@ interface ens20 {
 MaxRtrAdvInterval 30;
 AdvRASrcAddress {
- fe80::1;
+ fe80::1; # link-local virtual IP used with keepalived
 };
 prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 {
From 30e503458ef2e7e63b092d622928fd006c061c42 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Thu, 6 Aug 2020 09:57:54 +0200
Subject: [PATCH 25/31] add ability to nuke radius DBs
---
 nuke-radius-dbs.yml | 7 +++++++
 roles/radius/tasks/main.yml | 26 ++++++++++++++++++++++++--
 2 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100755 nuke-radius-dbs.yml
diff --git a/nuke-radius-dbs.yml b/nuke-radius-dbs.yml
new file mode 100755
index 0000000..b23f08f
--- /dev/null
+++ b/nuke-radius-dbs.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: ~radius-(edc|fleming|pacaterie|gs).*
+ roles:
+ - radius
+ vars:
+ nuke_radius: true
diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml
index 9172c79..ba3024e 100644
--- a/roles/radius/tasks/main.yml
+++ b/roles/radius/tasks/main.yml
@@ -15,7 +15,7 @@
 git:
 repo: "https://gitlab.federez.net/re2o/re2o.git"
 dest: "/var/www/re2o"
- version: "master_freeradius_python3"
+ version: "dev"
 force: true
 - name: Template local re2o settings
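Review bot: `nuke-radius-dbs.yml` is executable and hard-codes `nuke_radius: true` for every host matching `~radius-(edc|fleming|pacaterie|gs).*`, so one accidental invocation (tab completion, wrong working directory) drops the `re2o` database on all RADIUS servers at once, with no prompt and no hint that a dry run exists. A `vars_prompt` that requires typing a fixed acknowledgement, or at least a header comment, would make the blast radius explicit: `# DESTRUCTIVE: drops and re-creates the local re2o DB on every matched host; always run with --limit <host>`. Whether `--limit` is already the team's convention is not visible here.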
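Review bot: `version: "dev"` together with `force: true` checks out the moving tip of re2o's `dev` branch from gitlab.federez.net on every run, so the code on the RADIUS servers is whatever that branch holds at deploy time and cannot be reconstructed from this repository afterwards; the previous value was also a branch, so this is pre-existing rather than a regression, but `dev` is presumably the most frequently changing ref. Pin `version:` to a tag or commit hash (the git module accepts either), or at least leave a marker: `version: "dev"  # TODO: pin to a commit/tag; a moving branch on an auth server is not reproducible`. The `git:` task starts outside the hunk.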
@@ -118,6 +118,29 @@
 password: "{{ radius_pg_replication_password }}"
 become_user: postgres
+
+- name: Nuking - Stop freeradius
+ systemd:
+ name: freeradius
+ state: stopped
+ when: nuke_radius|bool
+
+- name: Nuking - Remove old subscription if it exists
+ community.general.postgresql_subscription:
+ name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
+ db: re2o
+ state: absent
+ become_user: postgres
+ when: nuke_radius|bool
+ ignore_errors: yes
+
+- name: Nuking - Destroy old local DB if it exists
+ community.general.postgresql_db:
+ name: re2o
+ state: absent
+ become_user: postgres
+ when: nuke_radius|bool
+
 - name: Create local DB
 community.general.postgresql_db:
 name: re2o
@@ -128,7 +151,6 @@
 lc_ctype: 'fr_FR.UTF-8'
 become_user: postgres
-
 - name: Dump radius re2o PostgreSQL database schema from master
 community.general.postgresql_db:
 name: re2o
From af3c3dc132ed4889a3c54604fcf4b8572f51b560 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sat, 8 Aug 2020 11:19:16 +0200
Subject: [PATCH 26/31] enable radvd service
---
 roles/radvd/handlers/main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/radvd/handlers/main.yml b/roles/radvd/handlers/main.yml
index 0bc0b9d..f2ce52c 100644
--- a/roles/radvd/handlers/main.yml
+++ b/roles/radvd/handlers/main.yml
@@ -2,3 +2,4 @@
 systemd:
 state: restarted
 name: radvd
+ enabled: yes
From b199c45d97d0e1757ac754c62701b1aaad47a0b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sat, 8 Aug 2020 11:32:06 +0200
Subject: [PATCH 27/31] fix broken radius role
Would crash if called from anything other than the nuke radius DBs playbook
---
 roles/radius/tasks/main.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml
index ba3024e..e7943f0 100644
--- a/roles/radius/tasks/main.yml
+++ b/roles/radius/tasks/main.yml
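Review bot: `ignore_errors: yes` on "Nuking - Remove old subscription if it exists" silences every failure of the DROP SUBSCRIPTION, not only the already-absent case that `state: absent` handles by itself. Dropping a subscription contacts the publisher to remove its replication slot, so with the master unreachable the task fails quietly, the slot stays behind on the master retaining WAL, and the following "Nuking - Destroy old local DB" likely fails anyway because the apply worker still holds a connection to `re2o`, with the real cause hidden. Prefer `register:` plus a `failed_when` that lets through only the not-found case, or state the accepted failure in a comment: `# ignore_errors: the subscription may already be gone; any other error resurfaces at the DROP DATABASE below`. The task list continues outside the hunk.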
@@ -123,7 +123,7 @@
 systemd:
 name: freeradius
 state: stopped
- when: nuke_radius|bool
+ when: nuke_radius|default(false)
 - name: Nuking - Remove old subscription if it exists
 community.general.postgresql_subscription:
@@ -131,7 +131,7 @@
 db: re2o
 state: absent
 become_user: postgres
- when: nuke_radius|bool
+ when: nuke_radius|default(false)
 ignore_errors: yes
 - name: Nuking - Destroy old local DB if it exists
@@ -139,7 +139,7 @@
 name: re2o
 state: absent
 become_user: postgres
- when: nuke_radius|bool
+ when: nuke_radius|default(false)
 - name: Create local DB
 community.general.postgresql_db:
From 12b0bc91dc403efaf112d3029550657830823078 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sat, 8 Aug 2020 11:32:34 +0200
Subject: [PATCH 28/31] radvd: cosmetic changes
---
 roles/radvd/templates/radvd.conf.j2 | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2
index dc5f1a2..300f50b 100644
--- a/roles/radvd/templates/radvd.conf.j2
+++ b/roles/radvd/templates/radvd.conf.j2
@@ -4,19 +4,18 @@
 # Bornes Wi-Fi
 ##
-# Not deployed yet!
-# Need to add an interface for this VLAN on "routeur-*" hosts.
-
-# interface ens19 { # XXX - FIX THE INTERFACE NAME
+# # Need to add an interface for this VLAN on "routeur-*" hosts.
+#
+# interface ens19 {
 # AdvSendAdvert on;
 # AdvLinkMTU {{ mtu }};
 # AdvDefaultPreference high;
 # MaxRtrAdvInterval 30;
-#
+#
 # AdvRASrcAddress {
 # {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:250; # Unifi controller
 # };
-#
+#
 # prefix {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::/64 {
 # AdvRouterAddr on;
 # };
From 646ebd3ba9c01b0c1706e7901ea071dbb53071de Mon Sep 17 00:00:00 2001
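Review bot: `when: nuke_radius|default(false)` handles the undefined case but drops the `|bool` cast; Ansible evaluates `when` by wrapping the expression in a Jinja `{% if %}`, so a value supplied as a string from the command line (`-e nuke_radius=false` or `=no`) is a non-empty string and evaluates as true, which here means the databases get dropped. `when: nuke_radius|default(false)|bool` keeps both protections, and the same applies to the `@@ -131` and `@@ -139` hunks.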
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sat, 8 Aug 2020 17:10:01 +0200
Subject: [PATCH 29/31] router: ansibilize routeur-aurore{,backup}
---
 group_vars/all/vault.yml | 336 +++++++++---------
 group_vars/aurore/main.yml | 4 +
 hosts | 8 +-
 network.yml | 5 +
 roles/router/handlers/main.yml | 1 +
 roles/router/tasks/main.yml | 39 +-
 .../templates/firewall_config_aurore.py | 49 +++
 roles/router/templates/interfaces-aurore | 84 +++++
 roles/router/templates/keepalived-aurore.conf | 121 +++++++
 9 files changed, 477 insertions(+), 170 deletions(-)
 create mode 100644 group_vars/aurore/main.yml
 create mode 100644 roles/router/templates/firewall_config_aurore.py
 create mode 100644 roles/router/templates/interfaces-aurore
 create mode 100644 roles/router/templates/keepalived-aurore.conf
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 093dc63..c9330fd 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,168 +1,170 @@ $ANSIBLE_VAULT;1.1;AES256 -30303466313332386663653437633162366435303931386433386437393133326338653433383838 -6536366261346666303239313536353263616235363761640a306262643931333035653162333839 -31343430386661623938333332393336313564353435633961323532623037333535333966643539 -6138306433636235390a353464616630376261613839643263613063386437313766666165613336 -37353431623631363662346134386466346163616432353361356632313861323130633338353264 -65353230643532343036353736623065383635333662363263663063363163656633646235613336 -36323466353530303434363037623964303931643462323437313733366636303766633262303465 -64333066313562313733356365636530316533633532636632626637626462636133666133353338 -37333866333337353162386139376463313030346636336231626166663231626130343738633166 -65343833316632643532393531363037313936656364356630616137373734356631333464396464 -66643237393039633461363433386432373935626631313465656539656538663931313866343863 -37626261373737666630623966333436336163636338336439653363356632656463346662333234 -64663936323634373733333262646531333437393562376232633266343738643266353633663437 -61656166363763333933323961666637653464396533356635643835643566633938363762313065 -63396566313830393935653339666262346463626266373734356532306461633961333930336261 -61383762643464396131653838376337353462396533336231353230306431373162306437633266 -32626365363031646233663632353730366234366539326137623331386263396435386433396232 -61633664636164373734623138306563643263363839313434643036396437653832343334613365 -66643433393831646338363830653739316234356632666365306364653262613836653933636636 -61623038303063376137633531386531386634313536323466623636313334393661636634373638 -63383139343061643634346166303037636531396636366165306266346131326532306537663963 -30666532376462306435383735643439313739343039613533653231353338393439376638646565 -38323162343435643033336532353636663831313433626534653334343939623864656138653035 
-62383566396663653037623866633934363863646538306562636531373762613863343937383531 -63303932363739306131643331323032626466636535613966663631646436353830356439393361 -32353764383239386437303363323337666339663966653332303230653236616339353930336137 -66646533366666663632383530373663653335303161623664633932356636343664393865336137 -63313766313831346661656134353736666463336561343162326263376239373934373163393035 -64303630663537623435356136336237386666313331666138366530356130306139323538353833 -63633230333432636433393635383061656265376535313038316461363561363733316231386234 -33366262343866323936623266353061613931396663386638306466343636626133393561636536 -63653833393633346463643737346334646338383835646364633235393037643462653662353039 -37323436633231303464386530303434636130336561653833666536303166373030353633656238 -66663562393164303563653935333438336231613064393765653030373064663462363030356561 -64303934663362633436636633613538353664633361353566623663643961663432386530376538 -66643735383038366436323865383563353132626331336339393666333164396631376562396636 -39316435343261656266643232643931356566333336303666623331316236346265383230333835 -30636165316461393936633566346438616464333031343163636462326630653061353332353565 -37323032333633653463383338333265386434306666333930326664363863663636366666643438 -36346662326562366163303665376234336633646435313834616335313363363332653962316662 -64376463356430613266626535353563326530626330356235346537656633313964383932356465 -34336664353861363436306361336337323565376238373439626130393866663134396135643136 -32346333386266636437333631363330663065613036303437353631303131373430386234316538 -36373934373064366664653139336265646361363631333863383731363737323230613931353333 -31666436653361333931316463643730366636303932333730623939323533613532396238306238 -62353066646435663365336635393030346233333138333766613661613039393161333234613066 -39663537353562313035363036343064323263623537646632393362613839383836643166366635 
-31656662663665383238656634363062393133343033343933353938326633343061313732346562 -39376561633939616538303833383235663338636164613336333036353334313332666531366230 -32373135336136343934356264656664653730313963363733313833306361613139643434646430 -64343235366437363931623731353239623764343931633330343737626163623632353864646639 -61636430373637316635323533373162633536393439393338623331303662333962613532323133 -33343336626462626132376235303165643164313761313136376631653731356535363465666661 -33363737363338366534333835363837393565653562623436333835653936663834376664333864 -36643333353263303533623531373732616365333030643735363533366463333035363136616139 -37386532373336663264643433633432653631313262333735353265373161353463303362353630 -38666363336539633564306132376565616463643662343136623461363230356564386335643732 -39653132646431636436383437366166373465336435356638643865346265643335383864363037 -63303633616233333233343962343037363465623635653831656539363662373035663163383238 -39643833356331323764386264373062306435383132656236313734643564396432396363363366 -65663630336539353261323739633765653036356632303739373239323334356133373133383631 -31343462323032393434326133343135653938353534666339356334636134363937363835646630 -38326561623264616439386264646635373063353966373936346634316239323464313531353035 -36656533333232313261316334323534336538626430363363353363363631386362363864616661 -34656462373230633364663963313662343334633235643034663231626362646163333563386638 -31363831363137353862613337323036626338653634653664303262656333663538633566646137 -31333264383535323336613262643636323733336461313339643665356134376161323262363331 -39353237653931316662393538383463373636653834333334303137643037353436303131353466 -62393037363565616564393732326334633035353337616638366537633238353465346234643134 -37303961343837636638303761313536663862333864663733663266623931353863323466636461 -37353764353034383833383533626430376537376233346539663966323061386135663463323665 
-33333038363138663264326432313432666632333234376366663963356534623137333831353632 -31623038653034666236333934646539653361343839333533636563303636303434336434363932 -31376639336130353666363361633535323932376535626230376632613734653633323334633464 -33616532336363346632356662396631633133616337663161646531386632353433613864386331 -36356337346539313963396238346333323266366332353863653363396335383935343436656263 -63613634643461333434623062333232623135626665623731366536346532613063653566386133 -31336239663964643662373964643665616134653235666164656236306565623638623330353630 -64396139343463383732336536623561363639366663636163643236336635323538323336666137 -38373334393837393563333331336638376162303532393066343839343633616162326665313738 -62643731626666336634303639376337366666306238663235636265303833646231616239316665 -37336132303462306462386334306132353930643461303664666563613261643633636635363731 -66633638313230363136343632626464336335643833613162383930346439313637646139623631 -36376661346265333334666535323063656430306463613938366632306366363631663232663433 -38313663663937336435643338623837653731333961356264663965373234353938623232353065 -64633039316663343139666338363662393362643966613466316664323437396532356465616639 -61326364663565643537633633316163646362613063653562646165326435353632396566626530 -62343732356437613334363361373237643839323431366238316434376562326334343431353466 -61396636396636326466386131653133316437306263303630363830306366666636323937653533 -61616634616161333035303132353664393333316263313863656463393736356533636535623035 -35363734393465326263383862613062613235663538386166333235653765306663383332653338 -62323031303932626331633162393062643833383631333265303431653836336563313561303533 -33643236663930653766303930646132383064663031373466633732376438323238383035626232 -35356533613133326239353537383866306338616538643839343162623932613439623538643130 -33363130366463356434623265326664353064656233373536353235663936363266623562663362 
-35613436333363376438643331353536666134303561613239626634656135303862323432303761 -32326438313162633262653163643534393934353337393262333461313166373339333532373635 -39326535303239386135326138666133363531353865663934326332356161356364313561613364 -61363133336165646462373932643135653438626130643364626531346339656237373935386563 -39313830396631366466363066653464316165306261306461343636656562653234313933316331 -37323335653538663537646332616665303138346138363134393631336566326562346265343138 -35316666333336663231373963383265633832656462313961376430613338616238613562323931 -33353931666538383134373230353830633136376134326131386435353834366335666566396634 -63363930366631313661363538616261363532373332613966363030363662356132373261343637 -34303038653531383134326231333562643639666638653631633436323234643931653734333338 -30343938323534353063643664663536353733343430616336383161643633616337383734366162 -38363838633334343232353737303239643733646166323263363039353939633136616362393662 -65653765353566616430373632383137386331313966393731393861353763323633643163663065 -37613266326361656666653662303131343036383133646435656362623439313733323638623633 -63366236326634643133656131363061353632386438336435313062653961363563653065346265 -64613762393830616336346362373232623234303330613034326236636163616364303366313163 -36613930616663643438373238336661663962616330383635653564353366383234653735656231 -65393866653535616230376464653030346334343865303439636236656432396433663534333434 -31336332303535386237333336636436396235653265323361393935323937393336336232303531 -64303732303365333962356464663134303237326133333464616638303131306138626132633962 -36353866313635373230316262326263623531316135663631363838633362316664626438313461 -38613862376435383961376436643630653436343461336165656331393764646161376164666462 -37633030383361393864643063353232366161353934343461393366356538373261333663656638 -36663830633266663938333736366234376564646539356462393930643062666538306632393237 
-61356632633561386565613730613131343261386662656333313363336432383637386133346261 -30396666646434666466626236666365323039313037636466636331373137366663623339643261 -35643937666362316538613830346138363437376664633233666230663131353437666435613466 -30346131373462356232613761356564363264646338313537366637396230313634653430323061 -39386435666631373339666236623661633631623635313366383139636361356231393462613437 -34373862646130636261663831376332316133396262316437633739383437646435633236333661 -30336366306564393538623431396665626537313130656334636234313464376564613434633831 -33633737613130643334376131356330646634333834303062613736393534313065623834346562 -35393564383962636133346461313131363864373334653264633561326136323361313936653734 -31383130663239333063623837373139633031363331663535633832653831303264336265666463 -39353434383866666439633936353462303231663936633862303961386630636535656331373535 -35366263646665623236656463653063383233306262396461363639303563383736323038663164 -36363161346262306362366236656433353337316437373631363832303437633933386538366430 -33313366616161646264333235623864626238646263636461393037373234333437363534363532 -32386363656664303138623134396338316638346531366538636239303638626462396132373437 -31653131313335306239393431353533633362303966353938623237356131386237616366346638 -66623434313831366333323265653131323233373862383530633538623965393765323034323934 -34326131303562646433343961626139356263396462626534336639623534663465613338636337 -66363137313033373765626136616131363832653063616131666538666263646133613562383830 -39336630636666386364666262623235386134353063323331376238616133336666306161383830 -36353131316263633933356336653166313334363365383562373233356461383533326661663331 -39353665363365333835383034393136353466323438633933363062393134613365633532613131 -38626530353431636363626131333633626139616465643963306262333639356431313362363332 -38386661343731393437393566613961383463646434653038323063396666653461663932376366 
-39663738323537363630363666323062623339633266303862376435393762303363366162313565 -34616464613065383639633865373764363230306437303236616261333766363738343131623765 -61373962343236333361396635363562343565386266383063633331366131306262643130653037 -66383562326438383562656535373835353335316639663166343163623365613263343364383435 -32336162356561313737333665383732643565393030643132333934373339643535383033313263 -37333365386663353437636236303339633631613266343238636638613634336233353462653335 -32316538646339663435363962626537373632303631653339306633336266623264396665376165 -61623963366336306230333937636466383035383262356664323361326234343561336338616237 -30373461343465646366373564363838326266326566356166333935356261633066613438613331 -31363232653831636634643765323036663266643862363431373465313465316630313261353538 -31356233363435323937393439333838373462313033336338356666343432656162626461643238 -66386464316262303433363231376535363437653562326264313135643737383462656365666361 -64366234633535333434373163333164643666653638386639616436373739353431313730346461 -64366665336561313830393036616239376234343239383833376138323261633831303735303330 -61643462353839633934326639663839386565353736356535383836626231323430366136626535 -65366332383438343235623034636234613566653137386163626634653065626163376139313938 -33646366626234663934666235393661663435336334333362626633353730633538346231643034 -32303964363134336163356537663535306235363664623938323339643663336365373035393235 -36313731376534356166333266383163663264646634396334303166343637626233333162326536 -38343430396136663231343834373535336632666532313037373336383233306634306566396230 -35653264643339613634343538336439356539346462663336316361663435376332323330373461 -34313537646234383536633239363734356564336334633434383333393733323466336231666362 -65353562623565656462316462643466386432303063363461373836316236616433646334666561 -323965343133626434643938396633643338 
+61623264646363313062633131306234666436616566383936616431653033303531333738666639 +6137653535623535333435383862306361376564396562370a366166373232343137363662356463 +34383636393830386465323534373534336462333937316530666139633835356635356562353134 +3234333736333831390a663033313531363838303566666530373432346536306137393561393734 +32613234373363333233333630666464386437333337623434356161303834656662366661343363 +62326164363764323365643166636664343032613835656663363636383963663138633837646466 +33373838343439663830626432353332666138356564383864616632353063376634393032613231 +38336233396263316563363332316131323439363664646237383731363930613563343763653537 +66383137353633653931616564616365366564626431626439383661666535663430353463346232 +31613536343566373437353738323133646439373465376632656530393033373037383864663937 +66623563393138653437353437373138386365653433313166353231653530613935333038653830 +61306239356433346438663239646162633838623036653439376362336636633862383266633239 +33363666383934633665303537396663363339323761356439636331656163363436333865306338 +63656166343835646262393634613865623936633566356531366663326431353836363238656631 +31333862346266653933663236626234663865373936623334323433643661343634653334316662 +36313262626230356531393661303834653263666138613435333538373330633432366338363131 +33336566633030346136613566353366653333666661336463336333333634643433393333353061 +65653236653362636564653932306131346532343738333361646563623865373538636662643932 +37373961313935373964376336333337396135623764376563623431326266633434336665303864 +34383836333762336665313635366166316339396437656330636432353064343836616362326432 +34353532626362636661363631666335316564636237646336323666636661336532313266616264 +37353637626636613161396430623139323662303862393439643235653833386166363332616438 +62653439363861626437663736313436386138363466333566333335323265333930366337386537 +63353931353165666337666330636363386463616463376336323834343666393331653863633430 
+64626636373363626335303234306662323335363130623763333835373438373733353136306463 +31646363663463623635363537636338376131623766386339623763376532343733613061343736 +31653764383737646132353537633631643265336539316332636465353638346163613036653038 +64653238363661303032666330623334376130383365386334313137376339623164313538643637 +32323539346664663237306630346365646364663231633162393265376433313633336661326137 +35366662386235616531323264326632353635646337303830663364643336653039643865313036 +36343634613563353965643330306134393664336238653361616631623837313764653835333464 +31303835653265343466303363623331376631383064643336306166386632353566633231303031 +64646338333961373237323563633462363236626134366430323334373864633731323838383562 +65356137323234653932373438306335383666386433386563343136343934623936653565663135 +61353366393735663064383234343435633738623233643535393337326531356131643131646562 +34623862626430343464663230323561313736646135323339656562323332306265323765626130 +31333531626236393165663236393464303338623937646331663563636336316166303462396562 +66643638383432333035373431393463343831643731636133343538346431613236663266643639 +39346332303537393031353231626433393165386437343361663335646165623165336337643237 +30643466666462373937346162383032386361383439613332653162613765326237643038613665 +38633134653934346464346233323563623139386235343766386661643861313638643936636439 +34393039626163336636323862643237363633373339353263303035386636393232613536633038 +32656335396564623133373439333065633638373032323161383436363966386535393135623931 +62313838353034343033653130633666336433656565373836336331363339636330663836343835 +64656461376235323133316135396464353239316438386466323964326139316564313938333363 +66636337613362633639623265336434313938366666626434393532373534303865376632313830 +32353861306165383133633132623939386338343364623132386135316361336238616432383662 +31663763306431623932323930373637363633346139663539666236363032386535363932393264 
+63306437616635343263643162393462653835643038373961336531313635663732343062613164 +63316463376239383634373461343533393730613235633765356166313131613230326562303863 +38626365383035363130326365353366316635323832333630343934346632643566373062313963 +38356165646438383936336431326566386564306636386432643537666434613434343235323666 +32366432393663333632383333333837646237643730383438336364376235353463656238393431 +34656561613566383761386233366637343230613634333062636239626639343132353837656363 +63373264646631336664303662386531386635303861333662313633613933353063363832623462 +35656536616333333861383930623237363062363335636231383033316465323339396530353166 +61613935366233326532366135623939353135323336346630303933633731316461626463643936 +64393430386430343362346334633036316464656561356132376365323463316631336530346663 +65373432666436323364316633623734353464393036383065643832653838323730643163393033 +37383639343061616563623365383564336132356162373937346338356562313262366261646434 +65656631326334336230333862303766633363653863666330373530343132336262653763336331 +31303535393231373833633631323265383435666665353461306638633031376339613230343966 +31306134383164333763656262636537343563386336393734626139646136643635313038663830 +65376366656465653165663762313738303438346136646638633962646466626339653566343530 +33353061643730663138383662663233383864626631626238306266653734306161383431653530 +38353262386439663331633465313262386630363465646661643366336438356163393564653565 +65346637346533323338383233313434346361383139666363336435633535326434373438366533 +64303737336631643735376130653031303533646464313562623036643762653937613735316162 +61396336376534393738323830333864383533343834616432373731633431316662656137363030 +36313566633863383162643432396235306661393563303138386339343462636566323135313631 +32336365393662633932383665623561373164353963646464323163303039333035366562363634 +34643731343931656239326165323962613630636132353334643866393933653631393134326635 
+61353538633337343935396566396437663137326161323032336665356531373433643231326164 +38663463633863643636336337316162666339343630373366396634666363306137323161626561 +33336332383330383761623636366464353163386633356132656364373962316437626664333439 +38393137356364383535383231613431343261613036666238323431663532663333336563306239 +31313931623665623661323433346138383430366433623738356366373337383263316435393330 +30356131333132343333623732383263353330346635613833626562613536376232386663663265 +39636239663139393761303363313862333834336265616330353933333935616637646639326461 +34323231616662306366616665346239313839616435393738303833653138353135353161393830 +34653163386161653536666330353431356133623639653539316166313661343136643565393735 +33343966613534653034333261383136323135613032613063653363303437633832653834393063 +63623738333361636638646234363665616563633534626638613938613933343638386165346537 +61316261663039633462333637636561656166663430353037336530663036353564353530323663 +61386164636461363831303231353733646431313334323761633835373832333663306336633836 +63363838613434303066333732333237343264363238313962393230633165396135643431626664 +35316663333439326437343331303639616365633938393039633362303135393230313261376531 +62343533383034363331343661333036646530366665336431303561653138626262336239303864 +30643131356538316434313665353466383539383034623830363264343736396130623265306564 +30666535393839306333616134323333326535336564313735323864346139393762336265623137 +33653734393464353833333939363766656436393639626161383666613263643064323933663834 +63663761356233633134646561353631396364343761386631323764643631663564653265303330 +38333466666634383666326132356132303363666136666132373161383863653434333633386238 +36333361383663396238643433383338646461386363396563643133303166356538666435646639 +65353034373263316139363464343434326362366531666233323366383331353131383634396538 +65313631363564303133396462353934623939663739343431346465386430353030363235343032 
+33653065643334663737643961396530316336633562323733626261376462303366313462353464 +38666235366365633833336630316564643132633839313465636164393439626635653739346166 +61343765653037656533313663333139663364666239626263393261353732363639623966623961 +62643266313734363064333063633030383865653665313832623535636666623364333635643238 +64623233393962313032343938666363333533653331303334643032636561303030633066636634 +35363864613430356264633936663833373739643562343631623336316263373939353563393634 +35376466376161383563646430363432626639363436633365323137346338306161636230323934 +38383238646366343766333032633038663037386339333038636136343732613838306130303539 +61303963333035366330646636336530396331333739306666396333333839613536343337323230 +31326461623731653461376132356165343130333235336130323361616333333762623131393265 +36636335313539613565326537373565313036306465326631326332373364313565333834373232 +36346166373433313033363533346565316535666538363538303134616365326336613461633931 +39333633383939623633386263346637386465326139363336663738393538393039376338366461 +64336138643166663362376339366537653463386265316434346532663633643765663339333062 +34303739366634383330356161333031313465323235666437363136643964623431336133633031 +62373462623531373665653137383833643332366562396134386536666666356139663631323965 +33633266353062363339613139666534393737393765383830643731616366316164626335373564 +38613533356661626163646138316163343938666366353964623131383063353534326637323162 +66633139633861623765316631323933363662383234616238336333383135326166656530376331 +30613534613636333533356666333864326438646462383862616338323864336136323566393231 +64323339386363623063373237346362366665666662306266323338653561396535323766316233 +30383036326331323563663533333166366130326262393732343135643463643064313364393530 +39326332346635343333376636316363393230336563333261616263343833386334376636623233 +65396330613837636139636132303530316236666132646266383466306663313038343833373734 
+35376339666664393533666134353330626163306432363634653364343934343336306264646439 +66383138626232343639623033383565626232323830626362313733666663633037343737623333 +34653665666262303236616534343436333334393837326661383932623430303038623538313463 +38373233373730633937306638333966653433626666373565623866646665643231323065383230 +38353961396438373236393038626237346162653966383364626366666335656465346336323830 +63343937363732326239396664663963633733643036396164343038613136373037383664646130 +36386564333734643336303661336230363865323936343732646564336136653732363334316135 +38383935396161653132396661373636353761616661616635303465653266623337303534353038 +61333937393534336533363933383461303539303964353164376134653134356439356462376161 +62356333363238376139356231373835386139363637336566356132363932313639643334396334 +36326630663532313536393139386336303833653833323532653230613166376233633739623738 +35336138343434343064616335373836363032376537386439323165336365626230316435623766 +33653434633766323864343031346565323936373133396436623036353563653236393230653065 +63616336316339393034643063376137663565396137356461303061626336343437316462653437 +64383765376439616232663936616564366136666139343663336634366530303561303163373339 +66616233613532636138613836636666323237646566356538376566626639356436376230306130 +64623430613962333537366235616631323833626163383138393662623539643864346436346561 +64326636396235613534666534306639363864303539623563333934353766306130356564333538 +65386338616639663338636337303038316633383866346362633636653162353433366131333866 +38643037646531643633333334626163353833623833616338373863373533316561313361616462 +36323533343932376633653138363162646362313332353065633561666664663436376230376432 +31373461613033306434313136373532303666306130353064326436373961633534656462643866 +65623238396163646336343461303137366135306263313035663461653465346638383835666362 +30306431396136616334666631646662386533343238323962353837306139316335386234366333 
+63343564386630356566363234636466303162643438653561323263336464633964616162616366 +30376532313739306339336366306262663230366337313662313036303436666563326236333961 +61373231653433613861633363333633626366643133633933333363636635656530643464653834 +61306633333032316531396165366462386230336330376239653436313836643435316533613331 +66623261396262316133326233316361656634333936353531623964313235333739376137633961 +31656631643966393164323463373832363538653235333165333061653163333436633335633632 +31613930333061653331303863303233376431306361613230383763623231636330343566323237 +65306430366133393332386631356135663134306264633536636134623230386635313231343661 +31383638616565363364373561613162393133363538626332363964663139336466336538333139 +61613939653866333037393564383464663331306439643163343464373766313139656264316163 +35383461663231613539613462336162353635333030323663333139653337663932633035666336 +65376264306639316137383730626561396365316661396564623335313865313263646536613233 +39313365333736363861666363383537376666346533383865636535343764326635343061366535 +33323336303861393862623832353936383537363238623932643035323863303865383233633432 +39366637656264656463393664336565366465333766643437623164636565346364623730633234 +66663432383765643161356533633564626463383237373330663836346232636635373330363161 +36303039393035396364666366373664623031363836646233616565346634356130646639313432 +33323736373133383666613565356133343266343432633737313030663466636135326364623639 +33633337383762333634613637383731613031353834663262313230303166376361373931623836 +33663232633661373663376163303131373363313036666262613866633237373261393130626364 +63343535396462316536356334356463323466656633373439656161356162386666386461336163 +33373233616539653634663136623630626137663832313361313663306438643737393262653862 +38313233396334353433313162316434653162653739663935396539326330383439366364343532 +38336266353964656163346537333166366431626239356465313634623035373861333663633862 +3164 
diff --git a/group_vars/aurore/main.yml b/group_vars/aurore/main.yml new file mode 100644 index 0000000..7cf0189 --- /dev/null +++ b/group_vars/aurore/main.yml @@ -0,0 +1,4 @@ +--- +apartment_block: aurore +apartment_block_id: 0 +router_ip_suffix: 254 diff --git a/hosts b/hosts index 1f41aab..277bcc0 100644 --- a/hosts +++ b/hosts @@ -12,6 +12,8 @@ merlin.adm.auro.re [aurore_vm] +routeur-aurore.adm.auro.re +routeur-aurore-backup.adm.auro.re radius-aurore.adm.auro.re dhcp-aurore.adm.auro.re dns-aurore.adm.auro.re @@ -111,7 +113,6 @@ dhcp-edc-backup.adm.auro.re unifi-edc.adm.auro.re radius-edc.adm.auro.re radius-edc-backup.adm.auro.re -routeur-aurore.adm.auro.re ldap-replica-edc.adm.auro.re ldap-replica-edc-backup.adm.auro.re @@ -150,6 +151,11 @@ thor.adm.auro.re ############################################################################### # Groups by location +# -aurore services +[aurore:children] +aurore_vm + + # everything at ovh [ovh:children] ovh_pve diff --git a/network.yml b/network.yml index 43f2297..25e0920 100755 --- a/network.yml +++ b/network.yml @@ -29,6 +29,11 @@ - router - radvd +# No radvd here +- hosts: ~routeur-aurore.*\.adm\.auro\.re + roles: + - router + # Radius (backup only for now) - hosts: ~radius-(edc|fleming|pacaterie|gs).* diff --git a/roles/router/handlers/main.yml b/roles/router/handlers/main.yml index 11ba484..b095c21 100644 --- a/roles/router/handlers/main.yml +++ b/roles/router/handlers/main.yml @@ -2,6 +2,7 @@ systemd: state: restarted name: keepalived + enabled: yes - name: run aurore-firewall command: python3 main.py --force diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml index d09a2c8..a686a6e 100644 --- a/roles/router/tasks/main.yml +++ b/roles/router/tasks/main.yml 
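Review bot: Adding `enabled: yes` to the `restart keepalived` handler only takes effect on runs where a notifying task reports a change, so a router whose keepalived.conf is already current (or whose first run fails before handlers flush) is never enabled and will not come back as a VRRP peer after a reboot. Enable the unit unconditionally in `roles/router/tasks/main.yml`, e.g. a `systemd: name: keepalived enabled: yes` task right after the apt install, and leave the handler responsible only for the restart. Enabling a service is desired state, not a reaction to a config change, and handlers are the wrong place to declare it.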
@@ -1,5 +1,16 @@ --- +# XXX: YES, this is ugly as fuck. +- name: set IP suffix (main) + set_fact: + router_hard_ip_suffix: 240 + when: "'backup' not in ansible_hostname" + +- name: set IP suffix (backup) + set_fact: + router_hard_ip_suffix: 140 + when: "'backup' in ansible_hostname" + - name: Enable IPv4 packet forwarding ansible.posix.sysctl: name: net.ipv4.ip_forward @@ -12,6 +23,13 @@ value: '1' sysctl_set: yes +- name: Configure /etc/network/interfaces for routeur-aurore* + template: + src: interfaces-aurore + dest: /etc/network/interfaces + mode: 0644 + when: "'routeur-aurore' in ansible_hostname" + - name: Install aurore-firewall (re2o-service) import_role: name: re2o-service @@ -25,12 +43,21 @@ password: "{{ vault_serviceuser_passwd }}" notify: run aurore-firewall -- name: Configure aurore-firewall +- name: Configure aurore-firewall for local router template: src: firewall_config.py dest: /var/local/re2o-services/aurore-firewall/firewall_config.py mode: 0644 notify: run aurore-firewall + when: "'routeur-aurore' not in ansible_hostname" + +- name: Configure aurore-firewall for routeur-aurore* + template: + src: firewall_config_aurore.py + dest: /var/local/re2o-services/aurore-firewall/firewall_config.py + mode: 0644 + notify: run aurore-firewall + when: "'routeur-aurore' in ansible_hostname" - name: Install keepalived apt: @@ -40,13 +67,21 @@ retries: 3 until: apt_result is succeeded -- name: Configure keepalived +- name: configure keepalived for local router template: src: keepalived.conf dest: /etc/keepalived/keepalived.conf mode: 0644 notify: restart keepalived + when: "'routeur-aurore' not in ansible_hostname" +- name: configure keepalived for routeur-aurore* + template: + src: keepalived-aurore.conf + dest: /etc/keepalived/keepalived.conf + mode: 0644 + notify: restart keepalived + when: "'routeur-aurore' in ansible_hostname" - name: Configure cron template: 
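Review bot: The new `configure keepalived for routeur-aurore*` task writes keepalived.conf with `mode: 0644`, and that file carries `auth_pass {{ keepalived_password }}`, so the vaulted VRRP secret ends up world-readable on the router; keepalived runs as root, so `mode: 0600` (with `owner: root` and `group: root`) costs nothing, and the pre-existing local-router task this hunk renames has the same problem. Separately, the `set_fact` and `when:` branches here key on `ansible_hostname`, a fact reported by the managed node, while the keepalived template decides MASTER/BACKUP on `inventory_hostname`; a host whose hostname drifts, or is changed by someone with root on it, would pick up the other router's IP suffix and firewall config, so drive both from inventory, e.g. `when: "'backup' not in inventory_hostname"`. The XXX comment already flags the suffix hack; a `host_vars/routeur-aurore*.adm.auro.re.yml` defining `router_hard_ip_suffix` would remove both `set_fact` tasks and the string matching with them.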
diff --git a/roles/router/templates/firewall_config_aurore.py b/roles/router/templates/firewall_config_aurore.py new file mode 100644 index 0000000..c41fd92 --- /dev/null +++ b/roles/router/templates/firewall_config_aurore.py @@ -0,0 +1,49 @@ +# -*- mode: python; coding: utf-8 -*- +# Re2o est un logiciel d'administration développé initiallement au rezometz. Il +# se veut agnostique au réseau considéré, de manière à être installable en +# quelques clics. +# +# Copyright © 2017 Gabriel Détraz +# Copyright © 2017 Goulven Kermarec +# Copyright © 2017 Augustin Lemesle +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +### Give me a role + +role = ['routeur'] + +### Specify each interface role + +interfaces_type = { + 'routable' : ['ens21', 'ens22'], + 'sortie' : ['ens18', 'ens1'], + 'admin' : ['ens19', 'ens20', 'ens23'] +} + +### Specify nat settings: name, interfaces with range, and global range for nat +### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST +### contain /16 range + +nat = [ + { + 'name' : 'AdminVlans', + 'extra_nat' : { + '10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}', + '10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}', + '10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}' + } + } +] 
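Review bot: The header comment inherited from re2o documents `interface_ip_to_nat` and `ip_sources` and demands /24 and /16 ranges, but this config uses neither key — the single `nat` entry is an `extra_nat` map with a /32 (`10.129.0.254`, the VRRP routing VIP) and two /16 sources — so the only guidance in the file is wrong for what it contains. Replace it with a comment that states what `extra_nat` means to aurore-firewall (source prefix → SNAT address, as far as the keys suggest; verify against aurore-firewall), that the SNAT target is the per-router public address chosen by `router_hard_ip_suffix`, and whether leaving `10.131.0.0/16` (the UPS/PDU VLAN in the companion interfaces template) un-NATed is intentional. The same three SNAT rules are also installed by `up iptables` lines in `interfaces-aurore`; one line here saying which side is authoritative would spare the next person a duplicated-rule hunt.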
diff --git a/roles/router/templates/interfaces-aurore b/roles/router/templates/interfaces-aurore new file mode 100644 index 0000000..440392f --- /dev/null +++ b/roles/router/templates/interfaces-aurore 
@@ -0,0 +1,84 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +source /etc/network/interfaces.d/* + +# The loopback network interface +auto lo +iface lo inet loopback + +# VLAN 129: routage +auto ens18 +iface ens18 inet static + address 10.129.0.{{ router_hard_ip_suffix }}/16 + gateway 10.129.0.1 + +iface ens18 inet6 static + address 2a09:6840:129::0:{{ router_hard_ip_suffix }}/64 + + post-up ip route add 2a09:6840:10::/64 via 2a09:6840:129::1:254 dev ens18 + post-up ip route add 2a09:6840:11::/64 via 2a09:6840:129::1:254 dev ens18 + + post-up ip route add 2a09:6840:20::/64 via 2a09:6840:129::2:254 dev ens18 + post-up ip route add 2a09:6840:21::/64 via 2a09:6840:129::2:254 dev ens18 + + post-up ip route add 2a09:6840:40::/64 via 2a09:6840:129::4:254 dev ens18 + post-up ip route add 2a09:6840:41::/64 via 2a09:6840:129::4:254 dev ens18 + + post-up ip route add 2a09:6840:50::/64 via 2a09:6840:129::5:254 dev ens18 + post-up ip route add 2a09:6840:51::/64 via 2a09:6840:129::5:254 dev ens18 + + +# The primary network interface +allow-hotplug ens19 +iface ens19 inet static + address 10.128.0.{{ router_hard_ip_suffix }}/16 + gateway 10.128.0.254 + dns-search adm.auro.re + +iface ens19 inet6 static + address 2a09:6840:128::0:{{ router_hard_ip_suffix }}/64 + + # Ensures internet connectivity when running as keepalived backup. + gateway 2a09:6840:128::0:254 + +# VlAN 130: switches +auto ens20 +iface ens20 inet static + address 10.130.0.{{ router_hard_ip_suffix }}/16 + +iface ens20 inet6 static + address 2a09:6840:130::0:{{ router_hard_ip_suffix }}/64 + +# VLAN 111: IPs publiques serveurs +auto ens21 +iface ens21 inet static + address 45.66.111.{{ router_hard_ip_suffix }}/24 + + # Nécessaire pour contacter re2o et bootstrap le firewall. + # Ces directives sont _aussi_ set par aurore-firewall ! 
+ up iptables -t nat -A POSTROUTING -s 10.129.0.{{ router_hard_ip_suffix }}/32 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }} + up iptables -t nat -A POSTROUTING -s 10.128.0.0/16 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }} + up iptables -t nat -A POSTROUTING -s 10.130.0.0/16 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }} + +iface ens21 inet6 static + address 2a09:6840:111::{{ router_hard_ip_suffix }}/48 + +# VLAN 110: IP publiques adhérents +auto ens22 +iface ens22 inet static + address 45.66.110.{{ router_hard_ip_suffix }}/24 + +iface ens22 inet6 static + address 2a09:6840:110::{{ router_hard_ip_suffix }}/48 + +# VLAN 131: onduleurs et PDU +auto ens23 +iface ens23 inet static + address 10.131.0.{{ router_hard_ip_suffix }}/16 + +iface ens23 inet6 static + address 2a09:6840:131::0:{{ router_hard_ip_suffix }}/64 + +auto ens1 +iface ens1 inet6 manual diff --git a/roles/router/templates/keepalived-aurore.conf b/roles/router/templates/keepalived-aurore.conf new file mode 100644 index 0000000..6687229 --- /dev/null +++ b/roles/router/templates/keepalived-aurore.conf 
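Review bot: The three `up iptables -t nat -A POSTROUTING ... SNAT` lines on ens21 append a fresh rule every time the interface comes up, and the comment above them says aurore-firewall installs the same rules, so the POSTROUTING chain accumulates duplicates and nothing removes them on `ifdown`. Make each one idempotent and symmetric, e.g. `up iptables -t nat -C POSTROUTING -s 10.128.0.0/16 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }} || iptables -t nat -A POSTROUTING -s 10.128.0.0/16 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }}` with a matching `down iptables -t nat -D POSTROUTING ...`, for all three sources. Also, both `ens18` (`gateway 10.129.0.1`) and `ens19` (`gateway 10.128.0.254`) declare an IPv4 default gateway; ifupdown can only install one, so the second `ifup` will most likely fail with "File exists", and 10.128.0.254 is a VIP this very router pair owns, so on the MASTER that route points at itself. A comment stating which default route is intended for each role, or dropping one of the two `gateway` lines, would make the failover path reviewable.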
@@ -0,0 +1,121 @@ +global_defs { + notification_email { + monitoring.aurore@lists.crans.org + } + notification_email_from routeur-aurore{% if 'backup' in inventory_hostname %}-backup{% endif %}@auro.re + smtp_server smtp.crans.org +} + + +vrrp_instance VI_ROUT_aurore_IPv4 { + {% if 'backup' in inventory_hostname %} + state BACKUP + priority 100 + {% else %} + state MASTER + priority 150 + {% endif %} + + + # Interface used for VRRP communication. + interface ens19 + + # Shared by MASTER and BACKUP + virtual_router_id 40 + + # Timeout in seconds before failover kicks in. + advert_int 2 + + # Used to authenticate VRRP communication between master and backup. + authentication { + auth_type PASS + auth_pass {{ keepalived_password }} + } + + smtp_alert + + virtual_ipaddress { + # Routing + 10.129.0.254/16 brd 10.129.255.255 dev ens18 scope global + + # Adm + 10.128.0.254/16 brd 10.129.255.255 dev ens19 scope global + + # Switches + 10.130.0.254/16 brd 10.130.255.255 dev ens20 scope global + + # IPs publiques serveurs + 45.66.111.254/24 brd 45.66.111.255 dev ens21 scope global + + # IPs publiques adhérents + 45.66.110.254/24 brd 45.66.110.255 dev ens22 scope global + + # VLAN 131: Onduleurs et PDUs + 10.131.0.254/16 brd 10.131.255.255 dev ens23 scope global + } + + + virtual_routes { + # IPv4 gateway: yggdrasil + src 10.129.0.254 to 0.0.0.0/0 via 10.129.0.1 dev ens18 + } +} + +vrrp_instance VI_ROUT_aurore_IPv6 { + {% if 'backup' in inventory_hostname %} + state BACKUP + priority 100 + {% else %} + state MASTER + priority 150 + {% endif %} + + + # Interface used for VRRP communication. + interface ens19 + + # Shared by MASTER and BACKUP + virtual_router_id 60 + + # Timeout in seconds before failover kicks in. + advert_int 2 + + # Used to authenticate VRRP communication between master and backup. 
+ authentication { + auth_type PASS + auth_pass {{ keepalived_password }} + } + + smtp_alert + + virtual_ipaddress { + # Hello zayo + 2001:1b48:2:103::d7:2/126 dev ens1 scope global + + # Routing + 2a09:6840:129::254/64 dev ens18 scope global + + # Adm + 2a09:6840:128::254/64 dev ens19 scope global + + # Switches + 2a09:6840:130::254/64 dev ens20 scope global + + # IPs publiques serveurs + 2a09:6840:111::254/64 dev ens21 scope global + + # IPs publiques adhérents + 2a09:6840:110::254/64 dev ens22 scope global + + # VLAN 131: Onduleurs et PDUs + 2a09:6840:131::254/64 dev ens23 scope global + } + + + virtual_routes { + # For IPv6, the master router is routeur-aurore, NOT yggdrasil, + # because yggdrasil doesn't support BGPv6 announcements. + src 2001:1b48:2:103::d7:2/126 to ::/0 via 2001:1b48:2:103::d7:1 dev ens1 + } +} + From 5c4619138973e366ede21b54d018ea525da06b9d Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Fri, 4 Sep 2020 09:56:02 +0200 Subject: [PATCH 30/31] Register camelot and gitea, make camelot accessible for everyone --- hosts | 2 ++ roles/ldap-client/tasks/1_group_security.yml | 1 + 2 files changed, 3 insertions(+) diff --git a/hosts b/hosts index 277bcc0..d7eaa31 100644 --- a/hosts +++ b/hosts @@ -19,6 +19,8 @@ dhcp-aurore.adm.auro.re dns-aurore.adm.auro.re docker-worker1-aurore.adm.auro.re proxy-backup.adm.auro.re +camelot.adm.auro.re +gitea.adm.auro.re ############################################################################### diff --git a/roles/ldap-client/tasks/1_group_security.yml b/roles/ldap-client/tasks/1_group_security.yml index 8477ac4..06664e6 100644 --- a/roles/ldap-client/tasks/1_group_security.yml +++ b/roles/ldap-client/tasks/1_group_security.yml @@ -1,6 +1,7 @@ --- # Filter SSH on groups - name: Filter SSH on groups + when: ansible_facts['hostname'] != "camelot" # Camelot is accessible for everyone lineinfile: dest: /etc/ssh/sshd_config regexp: ^AllowGroups From 276a780c6545d883200aea43e9fcb485c22918da Mon Sep 17 00:00:00 2001 
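Review bot: The broadcast on the adm VIP is wrong: `10.128.0.254/16 brd 10.129.255.255 dev ens19` carries the 10.129 broadcast copied from the line above and should read `10.128.0.254/16 brd 10.128.255.255 dev ens19 scope global`, otherwise the MASTER configures a broadcast address outside its own subnet on the adm VLAN. On the authentication block, `auth_type PASS` puts `keepalived_password` in cleartext in every VRRP advertisement on ens19, so anyone able to sniff the adm VLAN learns it and can inject adverts to take over the VIPs; keepalived's documentation deprecates this mode and VRRPv3 dropped it. The vaulted password therefore protects little on its own; a comment above the block stating that VRRP integrity rests on adm-VLAN isolation (ideally with a switch ACL on IP protocol 112 limited to the two routers) would make the trust assumption explicit rather than implied by the vault lookup.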
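Review bot: Skipping the `Filter SSH on groups` task on camelot does not make camelot "accessible for everyone": if an `AllowGroups` line already exists in its sshd_config (from an earlier run or the image) it stays in force, and if none exists the result is whatever the distro default is, so the desired state is inherited rather than declared. Keep the task unconditional and make the `line:` value a variable, or add a second `lineinfile` with `state: absent` for `^AllowGroups` on opt-out hosts. The `when:` also keys on `ansible_facts['hostname']`, a value reported by the managed node; any host that sets its own hostname to `camelot` escapes the SSH group restriction on the next run, so gate on an inventory-side variable, e.g. `when: not (ssh_allow_all_users | default(false))` with `ssh_allow_all_users: true` in `host_vars/camelot.adm.auro.re.yml`. The rest of the task (the `line:` parameter) is outside the hunk.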
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Tue, 8 Sep 2020 22:32:49 +0200 Subject: [PATCH 31/31] hosts: add viviane and nextcloud --- hosts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hosts b/hosts index d7eaa31..c8f971e 100644 --- a/hosts +++ b/hosts @@ -8,6 +8,8 @@ ############################################################################### # Aurore : main services +viviane.adm.auro.re + [aurore_pve] merlin.adm.auro.re @@ -21,7 +23,7 @@ docker-worker1-aurore.adm.auro.re proxy-backup.adm.auro.re camelot.adm.auro.re gitea.adm.auro.re - +nextcloud.adm.auro.re ############################################################################### # OVH