Merge branch 'ansible-2.10' into master

.gitignore

@@ -1,2 +1,3 @@
 *.retry
+tmp
 ldap-password.txt

README.md

@@ -118,3 +118,23 @@ for ip in `cat hosts|grep .adm.auro.re`; do
     ssh-copy-id -i ~/.ssh/id_rsa.pub $ip
 done
 ```
+
+
+### Passage à Ansible 2.10 (release: 30 juillet)
+
+Installez la version de développement d'ansible pour faire fonctionner les
+playbooks de ce repo, ainsi que les collections suivantes :
+
+```bash
+ansible-galaxy collection install community.general
+ansible-galaxy collection install ansible.posix
+```
+
+
+Si vous n'arrivez pas à entrer votre _become password_ (bug dans ansible?), un
+workaround est le suivant :
+
+`$  export ANSIBLE_BECOME_PASS='<votre mot de passe LDAP>'`
+
+Notez l'espace au début pour ne pas log la commande dans votre historique
+shell.

ansible.cfg

@@ -33,3 +33,6 @@ become_ask_pass = True
 # TO know what changed
 always = yes
 
+
+[ssh_connection]
+pipelining = True

base.yml

@@ -11,8 +11,3 @@
   roles:
     - ldap-client
 
-# Clone LDAP on local geographic location
-# DON'T DO THIS AS IT RECREATES THE REPLICA
-#- hosts: ldap_replica
-#  roles:
-#    - ldap-replica

group_vars/all/vars.yml

@@ -50,8 +50,13 @@ dns_host_suffix_backup: 153
 backup_dns_servers:
   - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
 
-# Misc
+# Finally raised!
-mtu: 1400
+mtu: 1500
+
+subnet_ids:
+  ap: "14{{ apartment_block_id }}"
+  users_wired: "{{ apartment_block_id }}0"
+  users_wifi: "{{ apartment_block_id }}1"
 
 
 # Keepalived
@@ -67,3 +72,15 @@ re2o_aes_key: "{{ vault_re2o_aes_key }}"
 radius_secret_aurore: "{{ vault_radius_secrets.aurore }}"
 radius_secret_wifi: "{{ vault_radius_secrets.wifi }}"
 radius_secret_wired: "{{ vault_radius_secrets.wired[apartment_block] }}"
+
+radius_pg_replication_password: "{{ vault_re2o_db_user_passwords.replication }}"
+radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}"
+
+
+apartment_block_dhcp: "{{ apartment_block }}"
+
+
+
+# Careful, this is not byte-aligned, just nibble-aligned (RIPE gave us a /28).
+# However, we ALWAYS keep the trailing 0 to have byte alignment.
+ipv6_base_prefix: "2a09:6840"

group_vars/all/vault.yml

@@ -1,162 +1,170 @@
 $ANSIBLE_VAULT;1.1;AES256
-61336339613837303864333338376131306234356334366237613038323565363539656161643663
+61623264646363313062633131306234666436616566383936616431653033303531333738666639
-3630396462363834616166383634323735386461653430330a353861386131386130613733663465
+6137653535623535333435383862306361376564396562370a366166373232343137363662356463
-66363639336164303137326133373364643539663032303237633831333764376534366464313030
+34383636393830386465323534373534336462333937316530666139633835356635356562353134
-6161663162613636660a393262663061656235333836356331366638313263333364306262636631
+3234333736333831390a663033313531363838303566666530373432346536306137393561393734
-62393434336561313630343366626136393933383966613463353135643334666432366433383038
+32613234373363333233333630666464386437333337623434356161303834656662366661343363
-39306538616266656536373435363963336463366635653433666566343162623065323738336339
+62326164363764323365643166636664343032613835656663363636383963663138633837646466
-38346632383039663666623137393431313931656538326136356433386261303638616165626336
+33373838343439663830626432353332666138356564383864616632353063376634393032613231
-63326134336330646236336631306266306532366435323830333233363565366134373236623263
+38336233396263316563363332316131323439363664646237383731363930613563343763653537
-62653836386362613166643762633865303239666662313138363866373335333566353033613732
+66383137353633653931616564616365366564626431626439383661666535663430353463346232
-38663634313962373264393763303733616236346230393665633366316538666334333537306536
+31613536343566373437353738323133646439373465376632656530393033373037383864663937
-61643061356633646133616138396163346538633065313935666639623531303861303663666466
+66623563393138653437353437373138386365653433313166353231653530613935333038653830
-63346531666362386363383534303436376338653034633565383361386430386636336664626431
+61306239356433346438663239646162633838623036653439376362336636633862383266633239
-62613263306132633336363562323030613832373363646464303263616264353431386664626137
+33363666383934633665303537396663363339323761356439636331656163363436333865306338
-36633434343536346333383530343965313262353639363266656562633132343036656137383938
+63656166343835646262393634613865623936633566356531366663326431353836363238656631
-63333165333835636634336336343732383865306634393939343332396565643661313666656239
+31333862346266653933663236626234663865373936623334323433643661343634653334316662
-61633635623236383764646664356539383834303437636338633138343465656337643962616365
+36313262626230356531393661303834653263666138613435333538373330633432366338363131
-37633032303161616664333264336331626531613031363066323137313539373637646533623663
+33336566633030346136613566353366653333666661336463336333333634643433393333353061
-66313662356438666566313364653933316335376438313939313430643865643432356139353231
+65653236653362636564653932306131346532343738333361646563623865373538636662643932
-31356236663234383564383162633431376436396331613838613039343762336562343562653738
+37373961313935373964376336333337396135623764376563623431326266633434336665303864
-33383163653535373538646237623865356462626665613136316365623036396536373633363536
+34383836333762336665313635366166316339396437656330636432353064343836616362326432
-30613932656534313966633664303661336366336561656434373438373361643532623335643234
+34353532626362636661363631666335316564636237646336323666636661336532313266616264
-61353466323636663463643262616635653639633463373235636432616561623662393838636335
+37353637626636613161396430623139323662303862393439643235653833386166363332616438
-30646164633962353138396164303666633366363364373039393339383063316238393332623139
+62653439363861626437663736313436386138363466333566333335323265333930366337386537
-62333166393831636232373738643962613063396530633132366536663839333136656338336464
+63353931353165666337666330636363386463616463376336323834343666393331653863633430
-37633039626138666261343863363232633936323234386362373463353737343330656430643966
+64626636373363626335303234306662323335363130623763333835373438373733353136306463
-30633037613033383134653133653232373236353535663033323634633564656636316636383537
+31646363663463623635363537636338376131623766386339623763376532343733613061343736
-65373663393235323561386232613634663962653564373634333034373530353264333037663431
+31653764383737646132353537633631643265336539316332636465353638346163613036653038
-32326438613436333935346335313364363361383732323362383437626234663533396235333935
+64653238363661303032666330623334376130383365386334313137376339623164313538643637
-31333132366534373832636637333664346365393236353366363937306138333961393939626138
+32323539346664663237306630346365646364663231633162393265376433313633336661326137
-33333036653839623138373832613233326262633836363562346261323639383536353433613764
+35366662386235616531323264326632353635646337303830663364643336653039643865313036
-63323434663437653236383334346634633765636339646665653638333938303665643132643735
+36343634613563353965643330306134393664336238653361616631623837313764653835333464
-63393838363732646339343937323732653939656466313637383738626131396261303838326565
+31303835653265343466303363623331376631383064643336306166386632353566633231303031
-34393934333738323137646264666633386661343637613462393864613134383538653966383732
+64646338333961373237323563633462363236626134366430323334373864633731323838383562
-64383738653833306266663431623162643333616537656136373439373462626266383663303031
+65356137323234653932373438306335383666386433386563343136343934623936653565663135
-63666265373664653334373266616437653764623765616539343139373934356133613338376239
+61353366393735663064383234343435633738623233643535393337326531356131643131646562
-63393735613066636432663466353865666661316232393361306438623036643438346130383937
+34623862626430343464663230323561313736646135323339656562323332306265323765626130
-36373762316263643764303638383633373161383862373630386465643462396432656134313764
+31333531626236393165663236393464303338623937646331663563636336316166303462396562
-61666534636565366136653438666339346539303238613135613261333431336361346138333161
+66643638383432333035373431393463343831643731636133343538346431613236663266643639
-33393130333765326361336239373365366332626566396639643966313434666561626262646664
+39346332303537393031353231626433393165386437343361663335646165623165336337643237
-37386534316136613061343333656630303839356366623835656239306562646436656131366366
+30643466666462373937346162383032386361383439613332653162613765326237643038613665
-36346635393235663630633331646231313737363535643663333162616135316566396530303030
+38633134653934346464346233323563623139386235343766386661643861313638643936636439
-33346331303935326631646563663833663266323937383134396162353131396231323837656631
+34393039626163336636323862643237363633373339353263303035386636393232613536633038
-66373864316332646433316131633435386133373239333261616136613632613162346366643366
+32656335396564623133373439333065633638373032323161383436363966386535393135623931
-30363030393736343438643866343363366331393031633638333731393732646132393165383361
+62313838353034343033653130633666336433656565373836336331363339636330663836343835
-31303637386535366535386332666133316564366463313465313637393663623662373431646234
+64656461376235323133316135396464353239316438386466323964326139316564313938333363
-62663461353961626237343663356664623731376432343538656332613866323135373637313831
+66636337613362633639623265336434313938366666626434393532373534303865376632313830
-34396132343961656266656430663838643464353362393732623739393938353764323065303464
+32353861306165383133633132623939386338343364623132386135316361336238616432383662
-66656435303333616432313232333431326535613635396536663835626361643733363461653831
+31663763306431623932323930373637363633346139663539666236363032386535363932393264
-33313634656632633831313866306233363633316330313037313035366537373034326231383463
+63306437616635343263643162393462653835643038373961336531313635663732343062613164
-34633062353635396261353438633564623564346536356131353166353835336135316662343262
+63316463376239383634373461343533393730613235633765356166313131613230326562303863
-34386333353731313335333339323936643862386264363565373737383364623366663265353339
+38626365383035363130326365353366316635323832333630343934346632643566373062313963
-62663730623430303535333138653636323864383039653361383435383062336537633865356466
+38356165646438383936336431326566386564306636386432643537666434613434343235323666
-64303532303338383365326635353363363161613962336166663764353562666236336133353538
+32366432393663333632383333333837646237643730383438336364376235353463656238393431
-35343733343338346666366139363261313662633866306263666331313336336330326537636538
+34656561613566383761386233366637343230613634333062636239626639343132353837656363
-37326330393732636163333161643831356533393238303039643663663766613634376336303062
+63373264646631336664303662386531386635303861333662313633613933353063363832623462
-66316138396433356365623437323932663632393831613835366632653138656530336236383063
+35656536616333333861383930623237363062363335636231383033316465323339396530353166
-31376433343664643863396537663730663335656262306663303961333832343366343835616362
+61613935366233326532366135623939353135323336346630303933633731316461626463643936
-34393032363862636639656338656462636436343238616663616634393365353432623361323763
+64393430386430343362346334633036316464656561356132376365323463316631336530346663
-66323937643936636537323866353461653232653136663631313231613731353231313130353565
+65373432666436323364316633623734353464393036383065643832653838323730643163393033
-31373336643261336535663739316366626634323635616537666131653534333164353836336531
+37383639343061616563623365383564336132356162373937346338356562313262366261646434
-36613763353135346630323138643039383634393234656330306664346136346238343762646639
+65656631326334336230333862303766633363653863666330373530343132336262653763336331
-38383466356332383063613565383765313931356235363330366138333064383938316538373933
+31303535393231373833633631323265383435666665353461306638633031376339613230343966
-32353836663535613339636130303832323231633832353366393166373235306538656364633666
+31306134383164333763656262636537343563386336393734626139646136643635313038663830
-62386134643738363830613130353565666337343861653538366530373966626330343032393531
+65376366656465653165663762313738303438346136646638633962646466626339653566343530
-64373162626336353631306661623837353036663364383930303633613561373432303366323463
+33353061643730663138383662663233383864626631626238306266653734306161383431653530
-37633963633835363565643131343962656463376163336366383531303164303263663034303530
+38353262386439663331633465313262386630363465646661643366336438356163393564653565
-30616337373466663939333666313761313334626335376236363436376563626534626666383230
+65346637346533323338383233313434346361383139666363336435633535326434373438366533
-35373537633135346138323231316565633862666432626430386231653532663132333532373837
+64303737336631643735376130653031303533646464313562623036643762653937613735316162
-38316161316565346663323138623538356130303564306638623461323765366634633161356234
+61396336376534393738323830333864383533343834616432373731633431316662656137363030
-39313862336532326161346436363865353833663663376566303865616264303035323864633739
+36313566633863383162643432396235306661393563303138386339343462636566323135313631
-30383435653961303861646365356462376261663634383433383137363734616337643836333730
+32336365393662633932383665623561373164353963646464323163303039333035366562363634
-37643737626339646434386638326439663264373362333165623637306664396330303164363366
+34643731343931656239326165323962613630636132353334643866393933653631393134326635
-66353234386137343136363764633463666137653438393131393436613563313934313736303165
+61353538633337343935396566396437663137326161323032336665356531373433643231326164
-33633638373561623933623033333036346339346533373435336262346164656162303561366638
+38663463633863643636336337316162666339343630373366396634666363306137323161626561
-30383035623338653430343731353766653164616139616638636563643630313735333463376662
+33336332383330383761623636366464353163386633356132656364373962316437626664333439
-62666661623438333936323762616433373236396439636563646237313535343866333064393432
+38393137356364383535383231613431343261613036666238323431663532663333336563306239
-64336139623933323265333633616131396661656264396262646662303633346262356662633535
+31313931623665623661323433346138383430366433623738356366373337383263316435393330
-31333038666163316132613365386662396330366630313562663561313962366261323131623939
+30356131333132343333623732383263353330346635613833626562613536376232386663663265
-33626634303663353466306631653439633430383138643534386430623238326332303232623965
+39636239663139393761303363313862333834336265616330353933333935616637646639326461
-61653165323132303335353338353366323462633763623062616335663831653266323463353364
+34323231616662306366616665346239313839616435393738303833653138353135353161393830
-61303339336162663235303837643432383333343466333365333535633763396664353636613165
+34653163386161653536666330353431356133623639653539316166313661343136643565393735
-38306536656665333731376339383061383232346437643564346134396265633362616161306339
+33343966613534653034333261383136323135613032613063653363303437633832653834393063
-63333264656235393639386435353631333438376166646662656631353838326338656438326231
+63623738333361636638646234363665616563633534626638613938613933343638386165346537
-65326563363431653266623034393435383061333533316235363236393131333231366665343964
+61316261663039633462333637636561656166663430353037336530663036353564353530323663
-65376438653165633265646233343131373133313939666163313735336564333038333765623766
+61386164636461363831303231353733646431313334323761633835373832333663306336633836
-38633061303731623832353638396566373238393535383631396566343035656137353461613838
+63363838613434303066333732333237343264363238313962393230633165396135643431626664
-65363239303664613132363466383336313038653962343939616363323339333866343036613238
+35316663333439326437343331303639616365633938393039633362303135393230313261376531
-34656537663765346430623332656266323035343435616361343537306263363466373665306361
+62343533383034363331343661333036646530366665336431303561653138626262336239303864
-39663066633833306330336334306437323430643764306266626634633139396231353638633665
+30643131356538316434313665353466383539383034623830363264343736396130623265306564
-66336364633536323931343930623832306331393533626539306361333961306663353266303631
+30666535393839306333616134323333326535336564313735323864346139393762336265623137
-30326633326332353861383735656362306334646238656137656533323835633937313439356538
+33653734393464353833333939363766656436393639626161383666613263643064323933663834
-38653130656465656531623635343565663739306665313932356562313131373934393435623932
+63663761356233633134646561353631396364343761386631323764643631663564653265303330
-38663737306135306332373730613466386631353463633261663532393933663034633634343934
+38333466666634383666326132356132303363666136666132373161383863653434333633386238
-34353437393934663866323236346236383664343963383239636332643639623131376466656363
+36333361383663396238643433383338646461386363396563643133303166356538666435646639
-32336363616661303535633037303334343861616263616334626430396334633934303162633839
+65353034373263316139363464343434326362366531666233323366383331353131383634396538
-65613163303037653963353535343132323431326262643862393365356437316566393130383866
+65313631363564303133396462353934623939663739343431346465386430353030363235343032
-32666133333166656566373532373064373138333335313563633963393938383363396464396532
+33653065643334663737643961396530316336633562323733626261376462303366313462353464
-61303037326665316634363536653537393933666532396339366531636362306537626638623634
+38666235366365633833336630316564643132633839313465636164393439626635653739346166
-32383363663134623133626332343132333335356133646134656330376339306538633165353634
+61343765653037656533313663333139663364666239626263393261353732363639623966623961
-65663731313832613264633430393531633765353233363766386137306364303138373339633438
+62643266313734363064333063633030383865653665313832623535636666623364333635643238
-62323837653531393738636531303130653530656632393535393739363565666162376436376138
+64623233393962313032343938666363333533653331303334643032636561303030633066636634
-65656131656165626636386435346132623030626664656437633261383037396332323534653664
+35363864613430356264633936663833373739643562343631623336316263373939353563393634
-31306137313162356638653064363236336434626134313966613335653633623338356230323133
+35376466376161383563646430363432626639363436633365323137346338306161636230323934
-61653437663537376561633235646361633233316662313331303962303161393937346565333366
+38383238646366343766333032633038663037386339333038636136343732613838306130303539
-31326362303735353937313734363738636439323338646531383235626137393334306363393031
+61303963333035366330646636336530396331333739306666396333333839613536343337323230
-32383861643734396132626231333537656431656165316261376237333734623635623837623366
+31326461623731653461376132356165343130333235336130323361616333333762623131393265
-61346566663433366364326561313663333732303737346533363536313365353863333632386232
+36636335313539613565326537373565313036306465326631326332373364313565333834373232
-63363639656230373639336636333464336136343839353835616565313165336537613666613233
+36346166373433313033363533346565316535666538363538303134616365326336613461633931
-33313130373838633736306237326666383736616663343838323137663632626630313334623063
+39333633383939623633386263346637386465326139363336663738393538393039376338366461
-34313737613334343331613864343062663130633963386466626233386332633233663762306237
+64336138643166663362376339366537653463386265316434346532663633643765663339333062
-35316635396439333934363836353134363538643430363066616636343634643230383630626138
+34303739366634383330356161333031313465323235666437363136643964623431336133633031
-65623931383631396465353163636161376337346335303738326433363835346162643732393464
+62373462623531373665653137383833643332366562396134386536666666356139663631323965
-32346462383432636530636166633466393239316631663834653562353436636637393136663933
+33633266353062363339613139666534393737393765383830643731616366316164626335373564
-36326538646331333436316262373037343065656662623563313465643832626539326261333738
+38613533356661626163646138316163343938666366353964623131383063353534326637323162
-62353063373461373835333662626465303030366535303332336362663166633736316237313535
+66633139633861623765316631323933363662383234616238336333383135326166656530376331
-32336533333536626461383737643161373738616539396339336165333162333830633661363162
+30613534613636333533356666333864326438646462383862616338323864336136323566393231
-38626365616633363431303333613237343538393734653533663831613336346164343734313435
+64323339386363623063373237346362366665666662306266323338653561396535323766316233
-62366264323738383038393938663366613533666438393261636336363266393736636634323436
+30383036326331323563663533333166366130326262393732343135643463643064313364393530
-37643262316663663938353338343338373162356337313566376134313464643336326138313838
+39326332346635343333376636316363393230336563333261616263343833386334376636623233
-36366136306163306265663836663235623231306334633734633736306239316334616132303531
+65396330613837636139636132303530316236666132646266383466306663313038343833373734
-39663562373762653634666438333861626563353366396231356232663737396436633934363734
+35376339666664393533666134353330626163306432363634653364343934343336306264646439
-33353738656430383066373463313336623231613530313830633965356361323138396139353664
+66383138626232343639623033383565626232323830626362313733666663633037343737623333
-38393339613064303365343766663536643061393864313466343966356666633231353765376364
+34653665666262303236616534343436333334393837326661383932623430303038623538313463
-37636439356164646633313231346365376566663930386563633062633234303163333131663332
+38373233373730633937306638333966653433626666373565623866646665643231323065383230
-38653431303264636266326665633465303635373762363663303164636330356636616137626633
+38353961396438373236393038626237346162653966383364626366666335656465346336323830
-30366466626164333332613933396362666135623137636537653838646664643235626233303531
+63343937363732326239396664663963633733643036396164343038613136373037383664646130
-64373833646434653530613935336434323737313061333930316563653331643938623438626632
+36386564333734643336303661336230363865323936343732646564336136653732363334316135
-34386236633462616231353063353330346663323535333335383465366135653064343535616233
+38383935396161653132396661373636353761616661616635303465653266623337303534353038
-31613236303238663331613739623261366231613661653033626562376664336161303134646535
+61333937393534336533363933383461303539303964353164376134653134356439356462376161
-36393461626237666466353862303564306333356635303035346237653062663238323030313866
+62356333363238376139356231373835386139363637336566356132363932313639643334396334
-37613530346335623031316165666137626631653965333236396162323966356633306630633934
+36326630663532313536393139386336303833653833323532653230613166376233633739623738
-66323465643834396635363131343735643365363163646132373537383233663830643330643666
+35336138343434343064616335373836363032376537386439323165336365626230316435623766
-38316461313830326433643566366566343966376362373661373839353933353231653539393534
+33653434633766323864343031346565323936373133396436623036353563653236393230653065
-61373437663937616237353064653934333330306230373034376631633963316236626232643136
+63616336316339393034643063376137663565396137356461303061626336343437316462653437
-36633865343363373530646566313636326130323136346235636430346561333030393361623161
+64383765376439616232663936616564366136666139343663336634366530303561303163373339
-38636531626632633632616139613861363332383030396338356461623865323262663763303564
+66616233613532636138613836636666323237646566356538376566626639356436376230306130
-33643661353230336430383930643433613938646133316636666463626363396264643638363762
+64623430613962333537366235616631323833626163383138393662623539643864346436346561
-30343135643530356633373330353565373264383665333237663331373035613336653135333133
+64326636396235613534666534306639363864303539623563333934353766306130356564333538
-37386439303763616138313661333335626532633731373939633966323332646364383665333331
+65386338616639663338636337303038316633383866346362633636653162353433366131333866
-35623133303865346464313761396462613435613262383339663735386639393536646634323935
+38643037646531643633333334626163353833623833616338373863373533316561313361616462
-34646661613839386639313733333036623439666536396463336663393737383130383962366336
+36323533343932376633653138363162646362313332353065633561666664663436376230376432
-37656431653533333338633162663938646432306163376438396134376565353531353832663439
+31373461613033306434313136373532303666306130353064326436373961633534656462643866
-34366435326364356464366633356332656231623164646361653737333331653636353136626465
+65623238396163646336343461303137366135306263313035663461653465346638383835666362
-63353233396234386630643864333364373562643333343036386639333036326362383264313431
+30306431396136616334666631646662386533343238323962353837306139316335386234366333
-62636362663631376666383034303337393562613135376537376335343939343630343766356362
+63343564386630356566363234636466303162643438653561323263336464633964616162616366
-63326435646163663737633133313735316663386337363830646261396333636431363938623062
+30376532313739306339336366306262663230366337313662313036303436666563326236333961
-63363338373334343634366139363866343731626561626565663339643164633731396363353435
+61373231653433613861633363333633626366643133633933333363636635656530643464653834
-32663634366532343939366130363233373634323664313765636235383638613061323034663364
+61306633333032316531396165366462386230336330376239653436313836643435316533613331
-65646665653732326530383962313762313035353866636362363835613261643331666135336365
+66623261396262316133326233316361656634333936353531623964313235333739376137633961
-35353161663966643564383935386331633730386134343837613164623537393462313130636235
+31656631643966393164323463373832363538653235333165333061653163333436633335633632
-66653539396639623264303733636232343131373339303034633337333930393061306139373638
+31613930333061653331303863303233376431306361613230383763623231636330343566323237
-30363139386238636436316239366537663662363432366132346361666436353337663830363037
+65306430366133393332386631356135663134306264633536636134623230386635313231343661
-38643365366339343961383234313830623138316235383464346439396166363739623937653166
+31383638616565363364373561613162393133363538626332363964663139336466336538333139
-31323639383838323362323663316265333162393664346262323562646232613134626335366231
+61613939653866333037393564383464663331306439643163343464373766313139656264316163
-63366230623733643336373132383633356530653766653834663430383538366366363966393237
+35383461663231613539613462336162353635333030323663333139653337663932633035666336
-64633436653332646336343037303665306465323162643863336235623435666131636661616635
+65376264306639316137383730626561396365316661396564623335313865313263646536613233
-34336562393961383737393632623035633362383763666138343533363166363731323832343534
+39313365333736363861666363383537376666346533383865636535343764326635343061366535
-31343038666533343130396264613836396434323363396434653938353131336262373936353333
+33323336303861393862623832353936383537363238623932643035323863303865383233633432
-65373265306132623235316439373936353834376639386364383763643438373039393263383538
+39366637656264656463393664336565366465333766643437623164636565346364623730633234
-30366532313335306332306261333434613733383430356633626338643537373030336434383231
+66663432383765643161356533633564626463383237373330663836346232636635373330363161
-39656162643264316239646339643835343934323639623334303931613938363531
+36303039393035396364666366373664623031363836646233616565346634356130646639313432
+33323736373133383666613565356133343266343432633737313030663466636135326364623639
+33633337383762333634613637383731613031353834663262313230303166376361373931623836
+33663232633661373663376163303131373363313036666262613866633237373261393130626364
+63343535396462316536356334356463323466656633373439656161356162386666386461336163
+33373233616539653634663136623630626137663832313361313663306438643737393262653862
+38313233396334353433313162316434653162653739663935396539326330383439366364343532
+38336266353964656163346537333166366431626239356465313634623035373861333663633862
+3164

group_vars/aurore/main.yml

@@ -0,0 +1,4 @@
+---
+apartment_block: aurore
+apartment_block_id: 0
+router_ip_suffix: 254

group_vars/edc/main.yml

@@ -2,11 +2,6 @@
 apartment_block: edc
 apartment_block_id: 4
 
-subnet_ids:
-  ap: 144
-  users_wired: 40
-  users_wifi: 41
-
 router_ip_suffix: 254
 
 mtu: 1500

group_vars/fleming/main.yml

@@ -2,9 +2,6 @@
 apartment_block: fleming
 apartment_block_id: 1
 
-subnet_ids:
-  ap: 141
-  users_wired: 10
-  users_wifi: 11
-
 router_ip_suffix: 254
+
+mtu: 1500

group_vars/georgesand/main.yml

@@ -1,5 +0,0 @@
----
-apartment_block: gs
-apartment_block_id: 5
-
-router_ip_suffix: 240

group_vars/gs/main.yml

@@ -0,0 +1,7 @@
+---
+apartment_block: gs
+apartment_block_dhcp: sand
+
+apartment_block_id: 5
+
+router_ip_suffix: 254

group_vars/pacaterie/main.yml

@@ -2,11 +2,6 @@
 apartment_block: pacaterie
 apartment_block_id: 2
 
-subnet_ids:
-  ap: 142
-  users_wired: 20
-  users_wifi: 21
-
 router_ip_suffix: 254
 
 mtu: 1500

hosts

@@ -8,16 +8,22 @@
 ###############################################################################
 # Aurore : main services
 
+viviane.adm.auro.re
+
 [aurore_pve]
 merlin.adm.auro.re
 
 [aurore_vm]
+routeur-aurore.adm.auro.re
+routeur-aurore-backup.adm.auro.re
 radius-aurore.adm.auro.re
 dhcp-aurore.adm.auro.re
 dns-aurore.adm.auro.re
 docker-worker1-aurore.adm.auro.re
 proxy-backup.adm.auro.re
-
+camelot.adm.auro.re
+gitea.adm.auro.re
+nextcloud.adm.auro.re
 
 ###############################################################################
 # OVH
@@ -111,7 +117,6 @@ dhcp-edc-backup.adm.auro.re
 unifi-edc.adm.auro.re
 radius-edc.adm.auro.re
 radius-edc-backup.adm.auro.re
-routeur-aurore.adm.auro.re
 ldap-replica-edc.adm.auro.re
 ldap-replica-edc-backup.adm.auro.re
 
@@ -121,21 +126,40 @@ ldap-replica-edc-backup.adm.auro.re
 
 [gs_pve]
 perceval.adm.auro.re
+lancelot.adm.auro.re
+odin.adm.auro.re
 
 [gs_vm]
 dhcp-gs.adm.auro.re
+dhcp-gs-backup.adm.auro.re
 dns-gs.adm.auro.re
+dns-gs-backup.adm.auro.re
 routeur-gs.adm.auro.re
+routeur-gs-backup.adm.auro.re
 unifi-gs.adm.auro.re
 radius-gs.adm.auro.re
+radius-gs-backup.adm.auro.re
 prometheus-gs.adm.auro.re
-#inexistant : ldap-replica-gs.adm.auro.re
+ldap-replica-gs.adm.auro.re
-#inexistant : ldap-replica-gs-backup.adm.auro.re
+ldap-replica-gs-backup.adm.auro.re
+
+###############################################################################
+# Les Rives
+[rives_pve]
+thor.adm.auro.re
+
+
+
 
 
 ###############################################################################
 # Groups by location
 
+# -aurore services
+[aurore:children]
+aurore_vm
+
+
 # everything at ovh
 [ovh:children]
 ovh_pve
@@ -164,6 +188,10 @@ edc_vm
 gs_pve
 gs_vm
 
+# everything at Les Rives
+[rives:children]
+rives_pve
+
 
 ###############################################################################
 # Groups by type
@@ -187,6 +215,7 @@ fleming_pve
 pacaterie_pve
 edc_pve
 gs_pve
+rives_pve
 
 
 ###############################################################################

ldap_replica.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+# Clone LDAP on local geographic location
+# DON'T DO THIS AS IT RECREATES THE REPLICA
+- hosts: ldap_replica
+  roles:
+    - ldap-replica

network.yml

@@ -1,7 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Set up DHCP servers.
-- hosts: dhcp-*.adm.auro.re, !dhcp-aurore*.adm.auro.re,!dhcp-gs*.adm.auro.re
+- hosts: dhcp-*.adm.auro.re, !dhcp-aurore*.adm.auro.re
   vars:
     service_repo: https://gitlab.federez.net/re2o/dhcp.git
     service_name: dhcp
@@ -16,19 +16,27 @@
 
 
 # Deploy unbound DNS server (recursive).
-- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re,!dns-gs*.adm.auro.re
+- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
   roles:
     - unbound
 
 
 # Déploiement du service re2o aurore-firewall et keepalived
-- hosts: ~routeur-(pacaterie|edc|fleming).*\.adm\.auro\.re
+# radvd: IPv6 SLAAC (/64 subnets, private IPs).
+#   Must NOT be on routeur-aurore-*, or will with DHCPv6!
+- hosts: ~routeur-(pacaterie|edc|fleming|gs).*\.adm\.auro\.re
+  roles:
+    - router
+    - radvd
+
+# No radvd here
+- hosts: ~routeur-aurore.*\.adm\.auro\.re
   roles:
     - router
 
 
 # Radius (backup only for now)
-- hosts: radius-edc-backup.adm.auro.re
+- hosts: ~radius-(edc|fleming|pacaterie|gs).*
   roles:
     - radius
 

nuke-radius-dbs.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: ~radius-(edc|fleming|pacaterie|gs).*
+  roles:
+    - radius
+  vars:
+    nuke_radius: true

roles/baseconfig/templates/resolv.conf

@@ -1,3 +1,4 @@
 domain adm.auro.re
 nameserver 10.128.0.253
+nameserver 2a09:6840:128::253
 nameserver 80.67.169.12

roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2

@@ -43,12 +43,12 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 {
        option subnet-mask 255.255.0.0;
        option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255;
        option routers 10.{{ subnet_ids.users_wired }}.0.{{ router_ip_suffix }};
-       option domain-name "fil.{{ apartment_block }}.auro.re";
+       option domain-name "fil.{{ apartment_block_dhcp }}.auro.re";
        option domain-search "auro.re";
 
        option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
 
-       include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list";
+       include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block_dhcp }}.auro.re.list";
 
        deny unknown-clients;
 }
@@ -60,12 +60,12 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 {
        option subnet-mask 255.255.0.0;
        option broadcast-address 10.{{ subnet_ids.users_wifi }}.255.255;
        option routers 10.{{ subnet_ids.users_wifi }}.0.{{ router_ip_suffix }};
-       option domain-name "wifi.{{ apartment_block }}.auro.re";
+       option domain-name "wifi.{{ apartment_block_dhcp }}.auro.re";
        option domain-search "auro.re";
 
        option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
 
-       include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list";
+       include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block_dhcp }}.auro.re.list";
 
        pool {
             range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wifi }}.10.255;

roles/ldap-client/tasks/1_group_security.yml

@@ -1,6 +1,7 @@
 ---
 # Filter SSH on groups
 - name: Filter SSH on groups
+  when: ansible_facts['hostname'] != "camelot"  # Camelot is accessible for everyone
   lineinfile:
     dest: /etc/ssh/sshd_config
     regexp: ^AllowGroups

roles/radius/tasks/main.yml

@@ -5,6 +5,7 @@
     - "deb"
     - "deb-src"
 
+
 - name: Ensure /var/www exists
   file:
     name: "/var/www"
@@ -14,14 +15,16 @@
   git:
     repo: "https://gitlab.federez.net/re2o/re2o.git"
     dest: "/var/www/re2o"
-    version: "master_freeradius_python3"
+    version: "dev"
     force: true
 
-- name: Template local settings
+- name: Template local re2o settings
   template:
-    src: settings_local.py.j2
+    src: "{{ item }}.j2"
-    dest: "/var/www/re2o/re2o/settings_local.py"
+    dest: "/var/www/re2o/re2o/{{ item }}"
-
+  loop:
+    - settings_local.py
+    - local_routers.py
 
 
 # What follows is a hideous abomination.
@@ -30,14 +33,22 @@
 - name: try to install freeradius-python3 (this will fail on post-install)
   apt:
     name: freeradius-python3
+    default_release: buster-backports
+    update_cache: yes
   ignore_errors: yes
-  no_log: yes
 
 - name: fix freeradius-python3 postinstall script
   template:
     src: freeradius-python3.postinst.j2
     dest: /var/lib/dpkg/info/freeradius-python3.postinst
 
+- name: reinstall broken package (this might fail too, for different reasons)
+  apt:
+    name: freeradius-python3
+    default_release: buster-backports
+    force: yes
+  ignore_errors: yes
+
 - name: Setup radius symlinks
   file:
     src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
@@ -54,7 +65,7 @@
     - local_prefix: freeradius3/
       filename: mods-enabled/eap
 
-- name: Configure radius clients.conf
+- name: Configure freeradius
   template:
     src: "{{ item }}.j2"
     dest: "/etc/freeradius/3.0/{{ item }}"
@@ -64,10 +75,6 @@
     - sites-enabled/inner-tunnel
     - proxy.conf
 
-- name: reinstall broken backpage
-  apt:
-    name: freeradius-python3
-    force: yes
 
 - name: Install radius requirements (except freeradius-python3)
   shell:
@@ -79,3 +86,149 @@
 
 
 # End of hideousness (hopefully).
+
+- name: Configure log rotation
+  template:
+    src: "freeradius-logrotate.j2"
+    dest: "/etc/logrotate.d/freeradius"
+
+
+# Database setup
+
+
+- name: Install postgresql
+  apt:
+    name:
+      - postgresql
+      - postgresql-client
+
+- name: Install postgresql ansible module requirement(s)
+  pip:
+    name: psycopg2
+
+- name: Create read-only user
+  community.general.postgresql_user:
+    name: re2o_ro
+    password: "{{ radius_pg_re2o_ro_password }}"
+  become_user: postgres
+
+- name: Create replication user
+  community.general.postgresql_user:
+    name: replication
+    password: "{{ radius_pg_replication_password }}"
+  become_user: postgres
+
+
+- name: Nuking - Stop freeradius
+  systemd:
+    name: freeradius
+    state: stopped
+  when: nuke_radius|default(false)
+
+- name: Nuking - Remove old subscription if it exists
+  community.general.postgresql_subscription:
+    name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
+    db: re2o
+    state: absent
+  become_user: postgres
+  when: nuke_radius|default(false)
+  ignore_errors: yes
+
+- name: Nuking - Destroy old local DB if it exists
+  community.general.postgresql_db:
+    name: re2o
+    state: absent
+  become_user: postgres
+  when: nuke_radius|default(false)
+
+- name: Create local DB
+  community.general.postgresql_db:
+    name: re2o
+    owner: replication
+    state: present
+    encoding: "UTF8"
+    lc_collate: 'fr_FR.UTF-8'
+    lc_ctype: 'fr_FR.UTF-8'
+  become_user: postgres
+
+- name: Dump radius re2o PostgreSQL database schema from master
+  community.general.postgresql_db:
+    name: re2o
+    state: dump
+    target: /tmp/re2o-schema.sql
+    target_opts: '-s'
+    login_host: 10.128.0.12
+    login_user: replication
+    login_password: "{{ radius_pg_replication_password }}"
+
+
+- name: Restore DB
+  tags:
+    - restore
+  community.general.postgresql_db:
+    name: re2o
+    state: restore
+    target: /tmp/re2o-schema.sql
+    target_opts: "-s"
+    login_host: localhost
+    login_user: replication
+    login_password: "{{ radius_pg_replication_password }}"
+
+
+- name: Grant select permissions on all tables to read-only user
+  tags:
+    - perms
+  community.general.postgresql_privs:
+    database: re2o
+    privs: SELECT
+    objs: ALL_IN_SCHEMA
+    schema: public
+    roles: re2o_ro
+  become_user: postgres
+
+- name: Grant usage permission on schema to read-only user
+  tags:
+    - perms
+  community.general.postgresql_privs:
+    database: re2o
+    privs: USAGE
+    objs: public
+    type: schema
+    roles: re2o_ro
+  become_user: postgres
+
+- name: Set default privileges in schema
+  tags:
+    - perms
+  community.general.postgresql_privs:
+    database: re2o
+    privs: SELECT
+    schema: public
+    objs: TABLES
+    type: default_privs
+    roles: re2o_ro
+  become_user: postgres
+
+
+- name: Set up subscription to main database
+  tags:
+    - sub
+  community.general.postgresql_subscription:
+    name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
+    connparams:
+      host: re2o-db.adm.auro.re
+      user: replication
+      password: "{{ radius_pg_replication_password }}"
+      dbname: re2o
+    db: re2o
+    publications:
+       - re2o_pub
+  become_user: postgres
+
+
+- name: Restart freeradius, ensure enabled
+  systemd:
+    name: freeradius
+    enabled: yes
+    state: restarted
+    daemon_reload: yes

roles/radius/templates/freeradius-logrotate.j2

@@ -0,0 +1,50 @@
+#  The main server log
+/var/log/freeradius/radius.log {
+        # common options
+        daily
+        rotate 365
+        missingok
+        compress
+        delaycompress
+        notifempty
+
+        copytruncate
+}
+
+# (in order)
+#  Session monitoring utilities
+#  Session database modules
+#  SQL log files
+/var/log/freeradius/checkrad.log /var/log/freeradius/radwatch.log
+/var/log/freeradius/radutmp /var/log/freeradius/radwtmp
+/var/log/freeradius/sqllog.sql
+{
+        # common options
+        daily
+        rotate 365
+        missingok
+        compress
+        delaycompress
+        notifempty
+
+        nocreate
+}
+
+# There are different detail-rotating strategies you can use.  One is
+# to write to a single detail file per IP and use the rotate config
+# below.  Another is to write to a daily detail file per IP with:
+#     detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
+# (or similar) in radiusd.conf, without rotation.  If you go with the
+# second technique, you will need another cron job that removes old
+# detail files.  You do not need to comment out the below for method #2.
+/var/log/freeradius/radacct/*/detail {
+        # common options
+        daily
+        rotate 365
+        missingok
+        compress
+        delaycompress
+        notifempty
+
+        nocreate
+}

roles/radius/templates/local_routers.py.j2

@@ -0,0 +1,28 @@
+class DbRouter(object):
+    """
+    A router to control all database operations on models in the
+    auth application.
+    """
+    def db_for_read(self, model, **hints):
+        """
+        Attempts to read remote models go to local database.
+        """
+        return 'default'
+
+    def db_for_write(self, model, **hints):
+        """
+        Attempts to write remote models go to the remote database.
+        """
+        return 'master'
+
+    def allow_relation(self, obj1, obj2, **hints):
+        """
+        Allow relations involving the remote database
+        """
+        return True
+
+    def allow_migrate(self, db, app_label, model_name=None, **hints):
+        """
+        Allow migrations on the remote database
+        """
+        return True

roles/radius/templates/settings_local.py.j2

@@ -44,14 +44,14 @@ DEBUG = False
 ADMINS = [('AURORE', 'monitoring.aurore@lists.crans.org'), ('Gabriel Detraz', 'detraz@crans.org')]
 
 # The list of hostname the server will respond to.
-ALLOWED_HOSTS = ['radius-pacaterie.adm.auro.re']
+ALLOWED_HOSTS = ['{{ inventory_hostname }}']
 
 # The time zone the server is runned in
 TIME_ZONE = 'Europe/Paris'
 
 # The storage systems parameters to use
 DATABASES = {
-    'default': {  # The DB
+    'master': {
         'ENGINE': 'django.db.backends.postgresql_psycopg2',
         'NAME': 're2o',
         'USER': 're2o',
@@ -62,7 +62,18 @@ DATABASES = {
             'COLLATION': 'utf8_general_ci'
         }
     },
-    'ldap': {  # The LDAP
+    'default': {
+        'ENGINE': 'django.db.backends.postgresql_psycopg2',
+        'NAME': 're2o',
+        'USER': 're2o_ro',
+        'PASSWORD': "{{ radius_pg_re2o_ro_password }}",
+        'HOST': 'localhost',
+        'TEST': {
+            'CHARSET': 'utf8',
+            'COLLATION': 'utf8_general_ci'
+        }
+    },
+    'ldap': {
         'ENGINE': 'ldapdb.backends.ldap',
         'NAME': 'ldap://10.128.0.11/',
         'USER': 'cn=admin,dc=auro,dc=re',
@@ -114,3 +125,5 @@ OPTIONNAL_APPS_RE2O = ()
 
 # Some Django apps you want to add in you local project
 OPTIONNAL_APPS = OPTIONNAL_APPS_RE2O + ()
+
+LOCAL_ROUTERS = ["re2o.local_routers.DbRouter"]

roles/radvd/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: restart radvd
+  systemd:
+    state: restarted
+    name: radvd
+    enabled: yes

roles/radvd/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+
+
+# Warning: radvd installation seems to fail if the configuration
+# file doesn't already exist when the package is installed,
+# so the order is important.
+- name: Configure radvd
+  template:
+    src: radvd.conf.j2
+    dest: /etc/radvd.conf
+    mode: 0644
+  notify: restart radvd
+  tags:
+    - radconf
+
+- name: Install radvd
+  apt:
+    update_cache: true
+    name: radvd
+    state: present
+  notify: restart radvd
+

roles/radvd/templates/radvd.conf.j2

@@ -0,0 +1,80 @@
+# -*- mode: conf-unix; coding: utf-8 -*-
+
+##
+# Bornes Wi-Fi
+##
+
+# # Need to add an interface for this VLAN on "routeur-*" hosts.
+# 
+# interface ens19 {
+#     AdvSendAdvert on;
+#     AdvLinkMTU {{ mtu }};
+#     AdvDefaultPreference high;
+#     MaxRtrAdvInterval 30;
+# 
+#     AdvRASrcAddress {
+#         {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:250; # Unifi controller
+#     };
+# 
+#     prefix {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::/64  {
+#         AdvRouterAddr on;
+#     };
+# 
+#     # La zone DNS
+#     DNSSL borne.auro.re {};
+# 
+#     # Les DNS récursifs
+#     RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {};
+#     RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {};
+# };
+
+##
+# Utilisateurs filaire
+##
+interface ens20 {
+    AdvSendAdvert on;
+    AdvLinkMTU {{ mtu }};
+    AdvDefaultPreference high;
+    MaxRtrAdvInterval 30;
+
+    AdvRASrcAddress {
+        fe80::1; # link-local virtual IP used with keepalived
+    };
+
+    prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64  {
+        AdvRouterAddr on;
+    };
+
+    DNSSL fil.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround.
+
+    RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_main }} {};
+    RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_backup }} {};
+};
+
+
+##
+# Utilisateurs wifi
+##
+interface ens21 {
+    AdvSendAdvert on;
+    AdvLinkMTU {{ mtu }};
+    AdvDefaultPreference high;
+    MaxRtrAdvInterval 30;
+
+    AdvRASrcAddress {
+        fe80::1;
+    };
+
+    prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64  {
+        AdvRouterAddr on;
+    };
+
+    DNSSL wifi.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround.
+
+    RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_main }} {};
+    RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_backup }} {};
+};
+
+
+
+# For public IPs: will use DHCPv6, deployed on routeur-aurore alone.

roles/re2o-service/tasks/main.yml

@@ -21,8 +21,8 @@
   become: true
   become_user: "{{ service_user }}"
 
-- name: Configure re2o {{ service_name }} project
+- name: "Configure re2o {{ service_name }} project"
-  ini_file:
+  community.general.ini_file:
     path: "{{ service_homedir }}/config.ini"
     section: Re2o
     option: "{{ item.key }}"

roles/router/handlers/main.yml

@@ -2,6 +2,7 @@
   systemd:
     state: restarted
     name: keepalived
+    enabled: yes
 
 - name: run aurore-firewall
   command: python3 main.py --force

roles/router/tasks/main.yml

@@ -1,11 +1,35 @@
 ---
 
+# XXX: YES, this is ugly as fuck.
+- name: set IP suffix (main)
+  set_fact:
+      router_hard_ip_suffix: 240
+  when: "'backup' not in ansible_hostname"
+
+- name: set IP suffix (backup)
+  set_fact:
+      router_hard_ip_suffix: 140
+  when: "'backup' in ansible_hostname"
+
 - name: Enable IPv4 packet forwarding
-  sysctl:
+  ansible.posix.sysctl:
     name: net.ipv4.ip_forward
     value: '1'
     sysctl_set: yes
 
+- name: Enable IPv6 packet forwarding
+  ansible.posix.sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: '1'
+    sysctl_set: yes
+
+- name: Configure /etc/network/interfaces for routeur-aurore*
+  template:
+    src: interfaces-aurore
+    dest: /etc/network/interfaces
+    mode: 0644
+  when: "'routeur-aurore' in ansible_hostname"
+
 - name: Install aurore-firewall (re2o-service)
   import_role:
     name: re2o-service
@@ -19,12 +43,21 @@
       password: "{{ vault_serviceuser_passwd }}"
   notify: run aurore-firewall
 
-- name: Configure aurore-firewall
+- name: Configure aurore-firewall for local router
   template:
     src: firewall_config.py
     dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
     mode: 0644
   notify: run aurore-firewall
+  when: "'routeur-aurore' not in ansible_hostname"
+
+- name: Configure aurore-firewall for routeur-aurore*
+  template:
+    src: firewall_config_aurore.py
+    dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
+    mode: 0644
+  notify: run aurore-firewall
+  when: "'routeur-aurore' in ansible_hostname"
 
 - name: Install keepalived
   apt:
@@ -34,13 +67,21 @@
   retries: 3
   until: apt_result is succeeded
 
-- name: Configure keepalived
+- name: configure keepalived for local router
   template:
     src: keepalived.conf
     dest: /etc/keepalived/keepalived.conf
     mode: 0644
   notify: restart keepalived
+  when: "'routeur-aurore' not in ansible_hostname"
 
+- name: configure keepalived for routeur-aurore*
+  template:
+    src: keepalived-aurore.conf
+    dest: /etc/keepalived/keepalived.conf
+    mode: 0644
+  notify: restart keepalived
+  when: "'routeur-aurore' in ansible_hostname"
 
 - name: Configure cron
   template:

roles/router/templates/firewall_config.py

@@ -24,8 +24,8 @@
 
 ### Give me a role
 
-# routeur4 = routeur IPv4
+# previously: routeur4 = routeur IPv4
-role = ['routeur4']
+role = ['routeur']
 
 
 ### Specify each interface role

roles/router/templates/firewall_config_aurore.py

@@ -0,0 +1,49 @@
+# -*- mode: python; coding: utf-8 -*-
+# Re2o est un logiciel d'administration développé initiallement au rezometz. Il
+# se veut agnostique au réseau considéré, de manière à être installable en
+# quelques clics.
+#
+# Copyright © 2017  Gabriel Détraz
+# Copyright © 2017  Goulven Kermarec
+# Copyright © 2017  Augustin Lemesle
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+### Give me a role
+
+role = ['routeur']
+
+### Specify each interface role
+
+interfaces_type = {
+    'routable' : ['ens21', 'ens22'],
+    'sortie' : ['ens18', 'ens1'],
+    'admin' : ['ens19', 'ens20', 'ens23']
+}
+
+### Specify nat settings: name, interfaces with range, and global range for nat
+### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST
+### contain /16 range
+
+nat = [
+    {
+        'name' : 'AdminVlans',
+        'extra_nat' : {
+            '10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}',
+            '10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
+            '10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}'
+        }
+    }
+]

roles/router/templates/interfaces-aurore

@@ -0,0 +1,84 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# VLAN 129: routage
+auto ens18
+iface ens18 inet static
+        address 10.129.0.{{ router_hard_ip_suffix }}/16
+        gateway 10.129.0.1
+
+iface ens18 inet6 static
+        address 2a09:6840:129::0:{{ router_hard_ip_suffix }}/64
+
+        post-up ip route add 2a09:6840:10::/64 via 2a09:6840:129::1:254 dev ens18
+        post-up ip route add 2a09:6840:11::/64 via 2a09:6840:129::1:254 dev ens18
+
+        post-up ip route add 2a09:6840:20::/64 via 2a09:6840:129::2:254 dev ens18
+        post-up ip route add 2a09:6840:21::/64 via 2a09:6840:129::2:254 dev ens18
+
+        post-up ip route add 2a09:6840:40::/64 via 2a09:6840:129::4:254 dev ens18
+        post-up ip route add 2a09:6840:41::/64 via 2a09:6840:129::4:254 dev ens18
+
+        post-up ip route add 2a09:6840:50::/64 via 2a09:6840:129::5:254 dev ens18
+        post-up ip route add 2a09:6840:51::/64 via 2a09:6840:129::5:254 dev ens18
+
+
+# The primary network interface
+allow-hotplug ens19
+iface ens19 inet static
+        address 10.128.0.{{ router_hard_ip_suffix }}/16
+        gateway 10.128.0.254
+        dns-search adm.auro.re
+
+iface ens19 inet6 static
+        address 2a09:6840:128::0:{{ router_hard_ip_suffix }}/64
+
+        # Ensures internet connectivity when running as keepalived backup.
+        gateway 2a09:6840:128::0:254
+
+# VlAN 130: switches
+auto ens20
+iface ens20 inet static
+        address 10.130.0.{{ router_hard_ip_suffix }}/16
+
+iface ens20 inet6 static
+        address 2a09:6840:130::0:{{ router_hard_ip_suffix }}/64
+
+# VLAN 111: IPs publiques serveurs
+auto ens21
+iface ens21 inet static
+        address 45.66.111.{{ router_hard_ip_suffix }}/24
+
+        # Nécessaire pour contacter re2o et bootstrap le firewall.
+        # Ces directives sont _aussi_ set par aurore-firewall !
+        up iptables -t nat -A POSTROUTING -s 10.129.0.{{ router_hard_ip_suffix }}/32 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }}
+        up iptables -t nat -A POSTROUTING -s 10.128.0.0/16 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }}
+        up iptables -t nat -A POSTROUTING -s 10.130.0.0/16 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }}
+
+iface ens21 inet6 static
+        address 2a09:6840:111::{{ router_hard_ip_suffix }}/48
+
+# VLAN 110: IP publiques adhérents
+auto ens22
+iface ens22 inet static
+        address 45.66.110.{{ router_hard_ip_suffix }}/24
+
+iface ens22 inet6 static
+        address 2a09:6840:110::{{ router_hard_ip_suffix }}/48
+
+# VLAN 131: onduleurs et PDU
+auto ens23
+iface ens23 inet static
+        address 10.131.0.{{ router_hard_ip_suffix }}/16
+
+iface ens23 inet6 static
+        address 2a09:6840:131::0:{{ router_hard_ip_suffix }}/64
+
+auto ens1
+iface ens1 inet6 manual

roles/router/templates/keepalived-aurore.conf

@@ -0,0 +1,121 @@
+global_defs {
+  notification_email {
+    monitoring.aurore@lists.crans.org
+  }
+  notification_email_from routeur-aurore{% if 'backup' in inventory_hostname %}-backup{% endif %}@auro.re
+  smtp_server smtp.crans.org
+}
+
+
+vrrp_instance VI_ROUT_aurore_IPv4 {
+  {% if 'backup' in inventory_hostname %}
+  state BACKUP
+  priority 100
+  {% else %}
+  state MASTER
+  priority 150
+  {% endif %}
+
+
+  # Interface used for VRRP communication.
+  interface ens19
+
+  # Shared by MASTER and BACKUP
+  virtual_router_id 40
+
+  # Timeout in seconds before failover kicks in.
+  advert_int 2
+
+  # Used to authenticate VRRP communication between master and backup.
+  authentication {
+    auth_type PASS
+    auth_pass {{ keepalived_password }}
+  }
+
+  smtp_alert
+
+  virtual_ipaddress {
+        # Routing
+        10.129.0.254/16 brd 10.129.255.255 dev ens18 scope global
+
+        # Adm
+        10.128.0.254/16 brd 10.129.255.255 dev ens19 scope global
+
+        # Switches
+        10.130.0.254/16 brd 10.130.255.255 dev ens20 scope global
+
+        # IPs publiques serveurs
+        45.66.111.254/24 brd 45.66.111.255 dev ens21 scope global
+
+        # IPs publiques adhérents
+        45.66.110.254/24 brd 45.66.110.255 dev ens22 scope global
+
+        # VLAN 131: Onduleurs et PDUs
+        10.131.0.254/16 brd 10.131.255.255 dev ens23 scope global
+   }
+
+
+  virtual_routes {
+        # IPv4 gateway: yggdrasil
+        src 10.129.0.254 to 0.0.0.0/0 via 10.129.0.1 dev ens18
+  }
+}
+
+vrrp_instance VI_ROUT_aurore_IPv6 {
+  {% if 'backup' in inventory_hostname %}
+  state BACKUP
+  priority 100
+  {% else %}
+  state MASTER
+  priority 150
+  {% endif %}
+
+
+  # Interface used for VRRP communication.
+  interface ens19
+
+  # Shared by MASTER and BACKUP
+  virtual_router_id 60
+
+  # Timeout in seconds before failover kicks in.
+  advert_int 2
+
+  # Used to authenticate VRRP communication between master and backup.
+  authentication {
+    auth_type PASS
+    auth_pass {{ keepalived_password }}
+  }
+
+  smtp_alert
+
+  virtual_ipaddress {
+        # Hello zayo
+        2001:1b48:2:103::d7:2/126 dev ens1 scope global
+
+        # Routing
+        2a09:6840:129::254/64 dev ens18 scope global
+
+        # Adm
+        2a09:6840:128::254/64 dev ens19 scope global
+
+        # Switches
+        2a09:6840:130::254/64 dev ens20 scope global
+
+        # IPs publiques serveurs
+        2a09:6840:111::254/64 dev ens21 scope global
+
+        # IPs publiques adhérents
+        2a09:6840:110::254/64 dev ens22 scope global
+
+        # VLAN 131: Onduleurs et PDUs
+        2a09:6840:131::254/64 dev ens23 scope global
+   }
+
+
+  virtual_routes {
+        # For IPv6, the master router is routeur-aurore, NOT yggdrasil,
+        # because yggdrasil doesn't support BGPv6 announcements.
+        src 2001:1b48:2:103::d7:2/126 to ::/0 via 2001:1b48:2:103::d7:1 dev ens1
+  }
+}
+

roles/router/templates/keepalived.conf

@@ -2,12 +2,12 @@ global_defs {
   notification_email {
     monitoring.aurore@lists.crans.org
   }
-  notification_email_from routeur-edc-backup@auro.re
+  notification_email_from routeur-{{ apartment_block }}{% if 'backup' in inventory_hostname %}-backup{% endif %}@auro.re
   smtp_server smtp.crans.org
 }
 
 
-vrrp_instance VI_ROUT_{{ apartment_block }} {
+vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 {
   {% if 'backup' in inventory_hostname %}
   state BACKUP
   priority 100
@@ -21,12 +21,11 @@ vrrp_instance VI_ROUT_{{ apartment_block }} {
   interface ens18
 
   # Shared by MASTER and BACKUP
-  virtual_router_id {{ apartment_block_id }}
+  virtual_router_id 4{{ apartment_block_id }}
 
   # Timeout in seconds before failover kicks in.
   advert_int 2
 
-
   # Used to authenticate VRRP communication between master and backup.
   authentication {
     auth_type PASS
@@ -39,19 +38,72 @@ vrrp_instance VI_ROUT_{{ apartment_block }} {
         # Routing subnet
         10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global
 
-        # Public subnet: wired
+
+        # NATed subnet: wired
         45.66.108.25{{ apartment_block_id }}/24 brd 45.66.108.255 dev ens19 scope global
-        # Public subnet: wifi
+
+        # NATed subnet: wifi
         45.66.109.25{{ apartment_block_id }}/24 brd 45.66.109.255 dev ens19 scope global
 
         # Wired
         10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global
+
         # Wifi
         10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
    }
 
+
   virtual_routes {
         # 10.129.0.1 is Yggdrasil
         src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19
   }
 }
+
+vrrp_instance VI_ROUT_{{ apartment_block }}_IPv6 {
+  {% if 'backup' in inventory_hostname %}
+  state BACKUP
+  priority 100
+  {% else %}
+  state MASTER
+  priority 150
+  {% endif %}
+
+
+  # Interface used for VRRP communication.
+  interface ens18
+
+  # Shared by MASTER and BACKUP
+  virtual_router_id 6{{ apartment_block_id }}
+
+  # Timeout in seconds before failover kicks in.
+  advert_int 2
+
+  # Used to authenticate VRRP communication between master and backup.
+  authentication {
+    auth_type PASS
+    auth_pass {{ keepalived_password }}
+  }
+
+  smtp_alert
+
+  virtual_ipaddress {
+        # Routing subnet
+        fe80::1/64 dev ens19 scope global
+        {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254/64 dev ens19 scope global
+
+        # Wired
+        fe80::1/64 dev ens20 scope global
+
+        # Wifi
+        fe80::1/64 dev ens21 scope global
+   }
+
+
+  virtual_routes {
+        # For IPv6, the master router is routeur-aurore, NOT yggdrasil,
+        # because yggdrasil doesn't support BGPv6 announcements.
+        src {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254 to ::/0 via {{ ipv6_base_prefix }}:129::0:254 dev ens19
+  }
+}
+
+

roles/unbound/templates/recursive.conf.j2

@@ -11,20 +11,32 @@ server:
     logfile: "/var/log/unbound/unbound.log"
 
     do-ip4: yes
-    # FIXME: IPv6 deployment... someday...
+    do-ip6: yes
-    do-ip6: no
 
     # IP addresses on which to listen.
+    #
+    # Note: dns_host_suffix is dynamically set in this role's tasks,
+    # and changes depending on whether we're handling the main or backup
+    # recursive DNS node.
+    
+    # IPv4
     interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
     interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
     interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
 
+
+    # IPv6
+    interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }}
+    interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }}
+    interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }}
+
  
     # By default, anything other than localhost is refused.
     # Whitelist some subnets:
     access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
     access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
     access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
+    access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :)
 
     num-threads: {{ ansible_processor_vcpus }}