Merge branch 'ansible-2.10' into master
commit
e48425300a
36 changed files with 1030 additions and 229 deletions
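--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 *.retry
+tmp
 ldap-password.txt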
20
README.md
20
README.md
|
@ -118,3 +118,23 @@ for ip in `cat hosts|grep .adm.auro.re`; do
|
||||||
ssh-copy-id -i ~/.ssh/id_rsa.pub $ip
|
ssh-copy-id -i ~/.ssh/id_rsa.pub $ip
|
||||||
done
|
done
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Passage à Ansible 2.10 (release: 30 juillet)
|
||||||
|
|
||||||
|
Installez la version de développement d'ansible pour faire fonctionner les
|
||||||
|
playbooks de ce repo, ainsi que les collections suivantes :
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ansible-galaxy collection install community.general
|
||||||
|
ansible-galaxy collection install ansible.posix
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
Si vous n'arrivez pas à entrer votre _become password_ (bug dans ansible?), un
|
||||||
|
workaround est le suivant :
|
||||||
|
|
||||||
|
`$ export ANSIBLE_BECOME_PASS='<votre mot de passe LDAP>'`
|
||||||
|
|
||||||
|
Notez l'espace au début pour ne pas log la commande dans votre historique
|
||||||
|
shell.
|
||||||
|
|
|
@ -33,3 +33,6 @@ become_ask_pass = True
|
||||||
# TO know what changed
|
# TO know what changed
|
||||||
always = yes
|
always = yes
|
||||||
|
|
||||||
|
|
||||||
|
[ssh_connection]
|
||||||
|
pipelining = True
|
||||||
|
|
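Review bot: `pipelining = True` in the new `[ssh_connection]` block makes every become task fail with sudo's "you must have a tty" error on any managed host whose sudoers still carries `Defaults requiretty`, and nothing in this commit touches the hosts' sudoers. Since the repo relies on `become_ask_pass = True` (context above) for every play, the prerequisite should sit next to the setting: `# requires 'Defaults !requiretty' in sudoers on every managed host: pipelining pushes modules through sudo's stdin without a tty`. The file's header is not visible in this chunk, so I am assuming this is the repository's ansible.cfg.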
5
base.yml
5
base.yml
|
@ -11,8 +11,3 @@
|
||||||
roles:
|
roles:
|
||||||
- ldap-client
|
- ldap-client
|
||||||
|
|
||||||
# Clone LDAP on local geographic location
|
|
||||||
# DON'T DO THIS AS IT RECREATES THE REPLICA
|
|
||||||
#- hosts: ldap_replica
|
|
||||||
# roles:
|
|
||||||
# - ldap-replica
|
|
||||||
|
|
|
@ -50,8 +50,13 @@ dns_host_suffix_backup: 153
|
||||||
backup_dns_servers:
|
backup_dns_servers:
|
||||||
- "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
|
- "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
|
||||||
|
|
||||||
# Misc
|
# Finally raised!
|
||||||
mtu: 1400
|
mtu: 1500
|
||||||
|
|
||||||
|
subnet_ids:
|
||||||
|
ap: "14{{ apartment_block_id }}"
|
||||||
|
users_wired: "{{ apartment_block_id }}0"
|
||||||
|
users_wifi: "{{ apartment_block_id }}1"
|
||||||
|
|
||||||
|
|
||||||
# Keepalived
|
# Keepalived
|
||||||
|
@ -67,3 +72,15 @@ re2o_aes_key: "{{ vault_re2o_aes_key }}"
|
||||||
radius_secret_aurore: "{{ vault_radius_secrets.aurore }}"
|
radius_secret_aurore: "{{ vault_radius_secrets.aurore }}"
|
||||||
radius_secret_wifi: "{{ vault_radius_secrets.wifi }}"
|
radius_secret_wifi: "{{ vault_radius_secrets.wifi }}"
|
||||||
radius_secret_wired: "{{ vault_radius_secrets.wired[apartment_block] }}"
|
radius_secret_wired: "{{ vault_radius_secrets.wired[apartment_block] }}"
|
||||||
|
|
||||||
|
radius_pg_replication_password: "{{ vault_re2o_db_user_passwords.replication }}"
|
||||||
|
radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}"
|
||||||
|
|
||||||
|
|
||||||
|
apartment_block_dhcp: "{{ apartment_block }}"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Careful, this is not byte-aligned, just nibble-aligned (RIPE gave us a /28).
|
||||||
|
# However, we ALWAYS keep the trailing 0 to have byte alignment.
|
||||||
|
ipv6_base_prefix: "2a09:6840"
|
||||||
|
|
|
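Review bot: The templated `subnet_ids` in the first hunk expand to `"00"` and `"01"` for `users_wired` / `users_wifi` when `apartment_block_id` is `0`, which is exactly what the new aurore group declares further down in this commit, and those are not values any block defined before (the removed per-block entries were plain integers such as `40`/`41`). If these ever feed an address octet or an integer comparison, the zero-id block behaves differently from the others depending on how Ansible converts the template result. Building them arithmetically gives the same numbers for the existing blocks and `140`/`0`/`1` for aurore: `ap: "{{ 140 + apartment_block_id }}"`, `users_wired: "{{ apartment_block_id * 10 }}"`, `users_wifi: "{{ apartment_block_id * 10 + 1 }}"`. The file's header is not visible in this chunk, so I am inferring this is the group_vars/all file from the variables it carries.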
@ -1,162 +1,170 @@
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
61336339613837303864333338376131306234356334366237613038323565363539656161643663
|
61623264646363313062633131306234666436616566383936616431653033303531333738666639
|
||||||
3630396462363834616166383634323735386461653430330a353861386131386130613733663465
|
6137653535623535333435383862306361376564396562370a366166373232343137363662356463
|
||||||
66363639336164303137326133373364643539663032303237633831333764376534366464313030
|
34383636393830386465323534373534336462333937316530666139633835356635356562353134
|
||||||
6161663162613636660a393262663061656235333836356331366638313263333364306262636631
|
3234333736333831390a663033313531363838303566666530373432346536306137393561393734
|
||||||
62393434336561313630343366626136393933383966613463353135643334666432366433383038
|
32613234373363333233333630666464386437333337623434356161303834656662366661343363
|
||||||
39306538616266656536373435363963336463366635653433666566343162623065323738336339
|
62326164363764323365643166636664343032613835656663363636383963663138633837646466
|
||||||
38346632383039663666623137393431313931656538326136356433386261303638616165626336
|
33373838343439663830626432353332666138356564383864616632353063376634393032613231
|
||||||
63326134336330646236336631306266306532366435323830333233363565366134373236623263
|
38336233396263316563363332316131323439363664646237383731363930613563343763653537
|
||||||
62653836386362613166643762633865303239666662313138363866373335333566353033613732
|
66383137353633653931616564616365366564626431626439383661666535663430353463346232
|
||||||
38663634313962373264393763303733616236346230393665633366316538666334333537306536
|
31613536343566373437353738323133646439373465376632656530393033373037383864663937
|
||||||
61643061356633646133616138396163346538633065313935666639623531303861303663666466
|
66623563393138653437353437373138386365653433313166353231653530613935333038653830
|
||||||
63346531666362386363383534303436376338653034633565383361386430386636336664626431
|
61306239356433346438663239646162633838623036653439376362336636633862383266633239
|
||||||
62613263306132633336363562323030613832373363646464303263616264353431386664626137
|
33363666383934633665303537396663363339323761356439636331656163363436333865306338
|
||||||
36633434343536346333383530343965313262353639363266656562633132343036656137383938
|
63656166343835646262393634613865623936633566356531366663326431353836363238656631
|
||||||
63333165333835636634336336343732383865306634393939343332396565643661313666656239
|
31333862346266653933663236626234663865373936623334323433643661343634653334316662
|
||||||
61633635623236383764646664356539383834303437636338633138343465656337643962616365
|
36313262626230356531393661303834653263666138613435333538373330633432366338363131
|
||||||
37633032303161616664333264336331626531613031363066323137313539373637646533623663
|
33336566633030346136613566353366653333666661336463336333333634643433393333353061
|
||||||
66313662356438666566313364653933316335376438313939313430643865643432356139353231
|
65653236653362636564653932306131346532343738333361646563623865373538636662643932
|
||||||
31356236663234383564383162633431376436396331613838613039343762336562343562653738
|
37373961313935373964376336333337396135623764376563623431326266633434336665303864
|
||||||
33383163653535373538646237623865356462626665613136316365623036396536373633363536
|
34383836333762336665313635366166316339396437656330636432353064343836616362326432
|
||||||
30613932656534313966633664303661336366336561656434373438373361643532623335643234
|
34353532626362636661363631666335316564636237646336323666636661336532313266616264
|
||||||
61353466323636663463643262616635653639633463373235636432616561623662393838636335
|
37353637626636613161396430623139323662303862393439643235653833386166363332616438
|
||||||
30646164633962353138396164303666633366363364373039393339383063316238393332623139
|
62653439363861626437663736313436386138363466333566333335323265333930366337386537
|
||||||
62333166393831636232373738643962613063396530633132366536663839333136656338336464
|
63353931353165666337666330636363386463616463376336323834343666393331653863633430
|
||||||
37633039626138666261343863363232633936323234386362373463353737343330656430643966
|
64626636373363626335303234306662323335363130623763333835373438373733353136306463
|
||||||
30633037613033383134653133653232373236353535663033323634633564656636316636383537
|
31646363663463623635363537636338376131623766386339623763376532343733613061343736
|
||||||
65373663393235323561386232613634663962653564373634333034373530353264333037663431
|
31653764383737646132353537633631643265336539316332636465353638346163613036653038
|
||||||
32326438613436333935346335313364363361383732323362383437626234663533396235333935
|
64653238363661303032666330623334376130383365386334313137376339623164313538643637
|
||||||
31333132366534373832636637333664346365393236353366363937306138333961393939626138
|
32323539346664663237306630346365646364663231633162393265376433313633336661326137
|
||||||
33333036653839623138373832613233326262633836363562346261323639383536353433613764
|
35366662386235616531323264326632353635646337303830663364643336653039643865313036
|
||||||
63323434663437653236383334346634633765636339646665653638333938303665643132643735
|
36343634613563353965643330306134393664336238653361616631623837313764653835333464
|
||||||
63393838363732646339343937323732653939656466313637383738626131396261303838326565
|
31303835653265343466303363623331376631383064643336306166386632353566633231303031
|
||||||
34393934333738323137646264666633386661343637613462393864613134383538653966383732
|
64646338333961373237323563633462363236626134366430323334373864633731323838383562
|
||||||
64383738653833306266663431623162643333616537656136373439373462626266383663303031
|
65356137323234653932373438306335383666386433386563343136343934623936653565663135
|
||||||
63666265373664653334373266616437653764623765616539343139373934356133613338376239
|
61353366393735663064383234343435633738623233643535393337326531356131643131646562
|
||||||
63393735613066636432663466353865666661316232393361306438623036643438346130383937
|
34623862626430343464663230323561313736646135323339656562323332306265323765626130
|
||||||
36373762316263643764303638383633373161383862373630386465643462396432656134313764
|
31333531626236393165663236393464303338623937646331663563636336316166303462396562
|
||||||
61666534636565366136653438666339346539303238613135613261333431336361346138333161
|
66643638383432333035373431393463343831643731636133343538346431613236663266643639
|
||||||
33393130333765326361336239373365366332626566396639643966313434666561626262646664
|
39346332303537393031353231626433393165386437343361663335646165623165336337643237
|
||||||
37386534316136613061343333656630303839356366623835656239306562646436656131366366
|
30643466666462373937346162383032386361383439613332653162613765326237643038613665
|
||||||
36346635393235663630633331646231313737363535643663333162616135316566396530303030
|
38633134653934346464346233323563623139386235343766386661643861313638643936636439
|
||||||
33346331303935326631646563663833663266323937383134396162353131396231323837656631
|
34393039626163336636323862643237363633373339353263303035386636393232613536633038
|
||||||
66373864316332646433316131633435386133373239333261616136613632613162346366643366
|
32656335396564623133373439333065633638373032323161383436363966386535393135623931
|
||||||
30363030393736343438643866343363366331393031633638333731393732646132393165383361
|
62313838353034343033653130633666336433656565373836336331363339636330663836343835
|
||||||
31303637386535366535386332666133316564366463313465313637393663623662373431646234
|
64656461376235323133316135396464353239316438386466323964326139316564313938333363
|
||||||
62663461353961626237343663356664623731376432343538656332613866323135373637313831
|
66636337613362633639623265336434313938366666626434393532373534303865376632313830
|
||||||
34396132343961656266656430663838643464353362393732623739393938353764323065303464
|
32353861306165383133633132623939386338343364623132386135316361336238616432383662
|
||||||
66656435303333616432313232333431326535613635396536663835626361643733363461653831
|
31663763306431623932323930373637363633346139663539666236363032386535363932393264
|
||||||
33313634656632633831313866306233363633316330313037313035366537373034326231383463
|
63306437616635343263643162393462653835643038373961336531313635663732343062613164
|
||||||
34633062353635396261353438633564623564346536356131353166353835336135316662343262
|
63316463376239383634373461343533393730613235633765356166313131613230326562303863
|
||||||
34386333353731313335333339323936643862386264363565373737383364623366663265353339
|
38626365383035363130326365353366316635323832333630343934346632643566373062313963
|
||||||
62663730623430303535333138653636323864383039653361383435383062336537633865356466
|
38356165646438383936336431326566386564306636386432643537666434613434343235323666
|
||||||
64303532303338383365326635353363363161613962336166663764353562666236336133353538
|
32366432393663333632383333333837646237643730383438336364376235353463656238393431
|
||||||
35343733343338346666366139363261313662633866306263666331313336336330326537636538
|
34656561613566383761386233366637343230613634333062636239626639343132353837656363
|
||||||
37326330393732636163333161643831356533393238303039643663663766613634376336303062
|
63373264646631336664303662386531386635303861333662313633613933353063363832623462
|
||||||
66316138396433356365623437323932663632393831613835366632653138656530336236383063
|
35656536616333333861383930623237363062363335636231383033316465323339396530353166
|
||||||
31376433343664643863396537663730663335656262306663303961333832343366343835616362
|
61613935366233326532366135623939353135323336346630303933633731316461626463643936
|
||||||
34393032363862636639656338656462636436343238616663616634393365353432623361323763
|
64393430386430343362346334633036316464656561356132376365323463316631336530346663
|
||||||
66323937643936636537323866353461653232653136663631313231613731353231313130353565
|
65373432666436323364316633623734353464393036383065643832653838323730643163393033
|
||||||
31373336643261336535663739316366626634323635616537666131653534333164353836336531
|
37383639343061616563623365383564336132356162373937346338356562313262366261646434
|
||||||
36613763353135346630323138643039383634393234656330306664346136346238343762646639
|
65656631326334336230333862303766633363653863666330373530343132336262653763336331
|
||||||
38383466356332383063613565383765313931356235363330366138333064383938316538373933
|
31303535393231373833633631323265383435666665353461306638633031376339613230343966
|
||||||
32353836663535613339636130303832323231633832353366393166373235306538656364633666
|
31306134383164333763656262636537343563386336393734626139646136643635313038663830
|
||||||
62386134643738363830613130353565666337343861653538366530373966626330343032393531
|
65376366656465653165663762313738303438346136646638633962646466626339653566343530
|
||||||
64373162626336353631306661623837353036663364383930303633613561373432303366323463
|
33353061643730663138383662663233383864626631626238306266653734306161383431653530
|
||||||
37633963633835363565643131343962656463376163336366383531303164303263663034303530
|
38353262386439663331633465313262386630363465646661643366336438356163393564653565
|
||||||
30616337373466663939333666313761313334626335376236363436376563626534626666383230
|
65346637346533323338383233313434346361383139666363336435633535326434373438366533
|
||||||
35373537633135346138323231316565633862666432626430386231653532663132333532373837
|
64303737336631643735376130653031303533646464313562623036643762653937613735316162
|
||||||
38316161316565346663323138623538356130303564306638623461323765366634633161356234
|
61396336376534393738323830333864383533343834616432373731633431316662656137363030
|
||||||
39313862336532326161346436363865353833663663376566303865616264303035323864633739
|
36313566633863383162643432396235306661393563303138386339343462636566323135313631
|
||||||
30383435653961303861646365356462376261663634383433383137363734616337643836333730
|
32336365393662633932383665623561373164353963646464323163303039333035366562363634
|
||||||
37643737626339646434386638326439663264373362333165623637306664396330303164363366
|
34643731343931656239326165323962613630636132353334643866393933653631393134326635
|
||||||
66353234386137343136363764633463666137653438393131393436613563313934313736303165
|
61353538633337343935396566396437663137326161323032336665356531373433643231326164
|
||||||
33633638373561623933623033333036346339346533373435336262346164656162303561366638
|
38663463633863643636336337316162666339343630373366396634666363306137323161626561
|
||||||
30383035623338653430343731353766653164616139616638636563643630313735333463376662
|
33336332383330383761623636366464353163386633356132656364373962316437626664333439
|
||||||
62666661623438333936323762616433373236396439636563646237313535343866333064393432
|
38393137356364383535383231613431343261613036666238323431663532663333336563306239
|
||||||
64336139623933323265333633616131396661656264396262646662303633346262356662633535
|
31313931623665623661323433346138383430366433623738356366373337383263316435393330
|
||||||
31333038666163316132613365386662396330366630313562663561313962366261323131623939
|
30356131333132343333623732383263353330346635613833626562613536376232386663663265
|
||||||
33626634303663353466306631653439633430383138643534386430623238326332303232623965
|
39636239663139393761303363313862333834336265616330353933333935616637646639326461
|
||||||
61653165323132303335353338353366323462633763623062616335663831653266323463353364
|
34323231616662306366616665346239313839616435393738303833653138353135353161393830
|
||||||
61303339336162663235303837643432383333343466333365333535633763396664353636613165
|
34653163386161653536666330353431356133623639653539316166313661343136643565393735
|
||||||
38306536656665333731376339383061383232346437643564346134396265633362616161306339
|
33343966613534653034333261383136323135613032613063653363303437633832653834393063
|
||||||
63333264656235393639386435353631333438376166646662656631353838326338656438326231
|
63623738333361636638646234363665616563633534626638613938613933343638386165346537
|
||||||
65326563363431653266623034393435383061333533316235363236393131333231366665343964
|
61316261663039633462333637636561656166663430353037336530663036353564353530323663
|
||||||
65376438653165633265646233343131373133313939666163313735336564333038333765623766
|
61386164636461363831303231353733646431313334323761633835373832333663306336633836
|
||||||
38633061303731623832353638396566373238393535383631396566343035656137353461613838
|
63363838613434303066333732333237343264363238313962393230633165396135643431626664
|
||||||
65363239303664613132363466383336313038653962343939616363323339333866343036613238
|
35316663333439326437343331303639616365633938393039633362303135393230313261376531
|
||||||
34656537663765346430623332656266323035343435616361343537306263363466373665306361
|
62343533383034363331343661333036646530366665336431303561653138626262336239303864
|
||||||
39663066633833306330336334306437323430643764306266626634633139396231353638633665
|
30643131356538316434313665353466383539383034623830363264343736396130623265306564
|
||||||
66336364633536323931343930623832306331393533626539306361333961306663353266303631
|
30666535393839306333616134323333326535336564313735323864346139393762336265623137
|
||||||
30326633326332353861383735656362306334646238656137656533323835633937313439356538
|
33653734393464353833333939363766656436393639626161383666613263643064323933663834
|
||||||
38653130656465656531623635343565663739306665313932356562313131373934393435623932
|
63663761356233633134646561353631396364343761386631323764643631663564653265303330
|
||||||
38663737306135306332373730613466386631353463633261663532393933663034633634343934
|
38333466666634383666326132356132303363666136666132373161383863653434333633386238
|
||||||
34353437393934663866323236346236383664343963383239636332643639623131376466656363
|
36333361383663396238643433383338646461386363396563643133303166356538666435646639
|
||||||
32336363616661303535633037303334343861616263616334626430396334633934303162633839
|
65353034373263316139363464343434326362366531666233323366383331353131383634396538
|
||||||
65613163303037653963353535343132323431326262643862393365356437316566393130383866
|
65313631363564303133396462353934623939663739343431346465386430353030363235343032
|
||||||
32666133333166656566373532373064373138333335313563633963393938383363396464396532
|
33653065643334663737643961396530316336633562323733626261376462303366313462353464
|
||||||
61303037326665316634363536653537393933666532396339366531636362306537626638623634
|
38666235366365633833336630316564643132633839313465636164393439626635653739346166
|
||||||
32383363663134623133626332343132333335356133646134656330376339306538633165353634
|
61343765653037656533313663333139663364666239626263393261353732363639623966623961
|
||||||
65663731313832613264633430393531633765353233363766386137306364303138373339633438
|
62643266313734363064333063633030383865653665313832623535636666623364333635643238
|
||||||
62323837653531393738636531303130653530656632393535393739363565666162376436376138
|
64623233393962313032343938666363333533653331303334643032636561303030633066636634
|
||||||
65656131656165626636386435346132623030626664656437633261383037396332323534653664
|
35363864613430356264633936663833373739643562343631623336316263373939353563393634
|
||||||
31306137313162356638653064363236336434626134313966613335653633623338356230323133
|
35376466376161383563646430363432626639363436633365323137346338306161636230323934
|
||||||
61653437663537376561633235646361633233316662313331303962303161393937346565333366
|
38383238646366343766333032633038663037386339333038636136343732613838306130303539
|
||||||
31326362303735353937313734363738636439323338646531383235626137393334306363393031
|
61303963333035366330646636336530396331333739306666396333333839613536343337323230
|
||||||
32383861643734396132626231333537656431656165316261376237333734623635623837623366
|
31326461623731653461376132356165343130333235336130323361616333333762623131393265
|
||||||
61346566663433366364326561313663333732303737346533363536313365353863333632386232
|
36636335313539613565326537373565313036306465326631326332373364313565333834373232
|
||||||
63363639656230373639336636333464336136343839353835616565313165336537613666613233
|
36346166373433313033363533346565316535666538363538303134616365326336613461633931
|
||||||
33313130373838633736306237326666383736616663343838323137663632626630313334623063
|
39333633383939623633386263346637386465326139363336663738393538393039376338366461
|
||||||
34313737613334343331613864343062663130633963386466626233386332633233663762306237
|
64336138643166663362376339366537653463386265316434346532663633643765663339333062
|
||||||
35316635396439333934363836353134363538643430363066616636343634643230383630626138
|
34303739366634383330356161333031313465323235666437363136643964623431336133633031
|
||||||
65623931383631396465353163636161376337346335303738326433363835346162643732393464
|
62373462623531373665653137383833643332366562396134386536666666356139663631323965
|
||||||
32346462383432636530636166633466393239316631663834653562353436636637393136663933
|
33633266353062363339613139666534393737393765383830643731616366316164626335373564
|
||||||
36326538646331333436316262373037343065656662623563313465643832626539326261333738
|
38613533356661626163646138316163343938666366353964623131383063353534326637323162
|
||||||
62353063373461373835333662626465303030366535303332336362663166633736316237313535
|
66633139633861623765316631323933363662383234616238336333383135326166656530376331
|
||||||
32336533333536626461383737643161373738616539396339336165333162333830633661363162
|
30613534613636333533356666333864326438646462383862616338323864336136323566393231
|
||||||
38626365616633363431303333613237343538393734653533663831613336346164343734313435
|
64323339386363623063373237346362366665666662306266323338653561396535323766316233
|
||||||
62366264323738383038393938663366613533666438393261636336363266393736636634323436
|
30383036326331323563663533333166366130326262393732343135643463643064313364393530
|
||||||
37643262316663663938353338343338373162356337313566376134313464643336326138313838
|
39326332346635343333376636316363393230336563333261616263343833386334376636623233
|
||||||
36366136306163306265663836663235623231306334633734633736306239316334616132303531
|
65396330613837636139636132303530316236666132646266383466306663313038343833373734
|
||||||
39663562373762653634666438333861626563353366396231356232663737396436633934363734
|
35376339666664393533666134353330626163306432363634653364343934343336306264646439
|
||||||
33353738656430383066373463313336623231613530313830633965356361323138396139353664
|
66383138626232343639623033383565626232323830626362313733666663633037343737623333
|
||||||
38393339613064303365343766663536643061393864313466343966356666633231353765376364
|
34653665666262303236616534343436333334393837326661383932623430303038623538313463
|
||||||
37636439356164646633313231346365376566663930386563633062633234303163333131663332
|
38373233373730633937306638333966653433626666373565623866646665643231323065383230
|
||||||
38653431303264636266326665633465303635373762363663303164636330356636616137626633
|
38353961396438373236393038626237346162653966383364626366666335656465346336323830
|
||||||
30366466626164333332613933396362666135623137636537653838646664643235626233303531
|
63343937363732326239396664663963633733643036396164343038613136373037383664646130
|
||||||
64373833646434653530613935336434323737313061333930316563653331643938623438626632
|
36386564333734643336303661336230363865323936343732646564336136653732363334316135
|
||||||
34386236633462616231353063353330346663323535333335383465366135653064343535616233
|
38383935396161653132396661373636353761616661616635303465653266623337303534353038
|
||||||
31613236303238663331613739623261366231613661653033626562376664336161303134646535
|
61333937393534336533363933383461303539303964353164376134653134356439356462376161
|
||||||
36393461626237666466353862303564306333356635303035346237653062663238323030313866
|
62356333363238376139356231373835386139363637336566356132363932313639643334396334
|
||||||
37613530346335623031316165666137626631653965333236396162323966356633306630633934
|
36326630663532313536393139386336303833653833323532653230613166376233633739623738
|
||||||
66323465643834396635363131343735643365363163646132373537383233663830643330643666
|
35336138343434343064616335373836363032376537386439323165336365626230316435623766
|
||||||
38316461313830326433643566366566343966376362373661373839353933353231653539393534
|
33653434633766323864343031346565323936373133396436623036353563653236393230653065
|
||||||
61373437663937616237353064653934333330306230373034376631633963316236626232643136
|
63616336316339393034643063376137663565396137356461303061626336343437316462653437
|
||||||
36633865343363373530646566313636326130323136346235636430346561333030393361623161
|
64383765376439616232663936616564366136666139343663336634366530303561303163373339
|
||||||
38636531626632633632616139613861363332383030396338356461623865323262663763303564
|
66616233613532636138613836636666323237646566356538376566626639356436376230306130
|
||||||
33643661353230336430383930643433613938646133316636666463626363396264643638363762
|
64623430613962333537366235616631323833626163383138393662623539643864346436346561
|
||||||
30343135643530356633373330353565373264383665333237663331373035613336653135333133
|
64326636396235613534666534306639363864303539623563333934353766306130356564333538
|
||||||
37386439303763616138313661333335626532633731373939633966323332646364383665333331
|
65386338616639663338636337303038316633383866346362633636653162353433366131333866
|
||||||
35623133303865346464313761396462613435613262383339663735386639393536646634323935
|
38643037646531643633333334626163353833623833616338373863373533316561313361616462
|
||||||
34646661613839386639313733333036623439666536396463336663393737383130383962366336
|
36323533343932376633653138363162646362313332353065633561666664663436376230376432
|
||||||
37656431653533333338633162663938646432306163376438396134376565353531353832663439
|
31373461613033306434313136373532303666306130353064326436373961633534656462643866
|
||||||
34366435326364356464366633356332656231623164646361653737333331653636353136626465
|
65623238396163646336343461303137366135306263313035663461653465346638383835666362
|
||||||
63353233396234386630643864333364373562643333343036386639333036326362383264313431
|
30306431396136616334666631646662386533343238323962353837306139316335386234366333
|
||||||
62636362663631376666383034303337393562613135376537376335343939343630343766356362
|
63343564386630356566363234636466303162643438653561323263336464633964616162616366
|
||||||
63326435646163663737633133313735316663386337363830646261396333636431363938623062
|
30376532313739306339336366306262663230366337313662313036303436666563326236333961
|
||||||
63363338373334343634366139363866343731626561626565663339643164633731396363353435
|
61373231653433613861633363333633626366643133633933333363636635656530643464653834
|
||||||
32663634366532343939366130363233373634323664313765636235383638613061323034663364
|
61306633333032316531396165366462386230336330376239653436313836643435316533613331
|
||||||
65646665653732326530383962313762313035353866636362363835613261643331666135336365
|
66623261396262316133326233316361656634333936353531623964313235333739376137633961
|
||||||
35353161663966643564383935386331633730386134343837613164623537393462313130636235
|
31656631643966393164323463373832363538653235333165333061653163333436633335633632
|
||||||
66653539396639623264303733636232343131373339303034633337333930393061306139373638
|
31613930333061653331303863303233376431306361613230383763623231636330343566323237
|
||||||
30363139386238636436316239366537663662363432366132346361666436353337663830363037
|
65306430366133393332386631356135663134306264633536636134623230386635313231343661
|
||||||
38643365366339343961383234313830623138316235383464346439396166363739623937653166
|
31383638616565363364373561613162393133363538626332363964663139336466336538333139
|
||||||
31323639383838323362323663316265333162393664346262323562646232613134626335366231
|
61613939653866333037393564383464663331306439643163343464373766313139656264316163
|
||||||
63366230623733643336373132383633356530653766653834663430383538366366363966393237
|
35383461663231613539613462336162353635333030323663333139653337663932633035666336
|
||||||
64633436653332646336343037303665306465323162643863336235623435666131636661616635
|
65376264306639316137383730626561396365316661396564623335313865313263646536613233
|
||||||
34336562393961383737393632623035633362383763666138343533363166363731323832343534
|
39313365333736363861666363383537376666346533383865636535343764326635343061366535
|
||||||
31343038666533343130396264613836396434323363396434653938353131336262373936353333
|
33323336303861393862623832353936383537363238623932643035323863303865383233633432
|
||||||
65373265306132623235316439373936353834376639386364383763643438373039393263383538
|
39366637656264656463393664336565366465333766643437623164636565346364623730633234
|
||||||
30366532313335306332306261333434613733383430356633626338643537373030336434383231
|
66663432383765643161356533633564626463383237373330663836346232636635373330363161
|
||||||
39656162643264316239646339643835343934323639623334303931613938363531
|
36303039393035396364666366373664623031363836646233616565346634356130646639313432
|
||||||
|
33323736373133383666613565356133343266343432633737313030663466636135326364623639
|
||||||
|
33633337383762333634613637383731613031353834663262313230303166376361373931623836
|
||||||
|
33663232633661373663376163303131373363313036666262613866633237373261393130626364
|
||||||
|
63343535396462316536356334356463323466656633373439656161356162386666386461336163
|
||||||
|
33373233616539653634663136623630626137663832313361313663306438643737393262653862
|
||||||
|
38313233396334353433313162316434653162653739663935396539326330383439366364343532
|
||||||
|
38336266353964656163346537333166366431626239356465313634623035373861333663633862
|
||||||
|
3164
|
||||||
|
|
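--- /dev/null
+++ b/group_vars/aurore/main.yml
@@ -0,0 +1,4 @@
+---
+apartment_block: aurore
+apartment_block_id: 0
+router_ip_suffix: 254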
@ -2,11 +2,6 @@
|
||||||
apartment_block: edc
|
apartment_block: edc
|
||||||
apartment_block_id: 4
|
apartment_block_id: 4
|
||||||
|
|
||||||
subnet_ids:
|
|
||||||
ap: 144
|
|
||||||
users_wired: 40
|
|
||||||
users_wifi: 41
|
|
||||||
|
|
||||||
router_ip_suffix: 254
|
router_ip_suffix: 254
|
||||||
|
|
||||||
mtu: 1500
|
mtu: 1500
|
||||||
|
|
|
@ -2,9 +2,6 @@
|
||||||
apartment_block: fleming
|
apartment_block: fleming
|
||||||
apartment_block_id: 1
|
apartment_block_id: 1
|
||||||
|
|
||||||
subnet_ids:
|
|
||||||
ap: 141
|
|
||||||
users_wired: 10
|
|
||||||
users_wifi: 11
|
|
||||||
|
|
||||||
router_ip_suffix: 254
|
router_ip_suffix: 254
|
||||||
|
|
||||||
|
mtu: 1500
|
||||||
|
|
|
@ -1,5 +0,0 @@
|
||||||
---
|
|
||||||
apartment_block: gs
|
|
||||||
apartment_block_id: 5
|
|
||||||
|
|
||||||
router_ip_suffix: 240
|
|
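--- /dev/null
+++ b/group_vars/gs/main.yml
@@ -0,0 +1,7 @@
+---
+apartment_block: gs
+apartment_block_dhcp: sand
+
+apartment_block_id: 5
+
+router_ip_suffix: 254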
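Review bot: `router_ip_suffix: 254` silently replaces the `240` that the deleted gs vars file carried (hunk `@ -1,5 +0,0 @@` above), and this value feeds `option routers` in the dhcpd template, so every gs client will be handed a different gateway after this run. If the move to .254 is deliberate, a one-line comment such as `# was 240 before the 2.10 migration; aligned with the other blocks` would stop the next reader from "fixing" it back; if it is not, the old value needs restoring before the dhcpd and radvd templates are pushed. `apartment_block_dhcp` is also defined only in this file in the whole diff although the templates now rely on it for every block.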
@ -2,11 +2,6 @@
|
||||||
apartment_block: pacaterie
|
apartment_block: pacaterie
|
||||||
apartment_block_id: 2
|
apartment_block_id: 2
|
||||||
|
|
||||||
subnet_ids:
|
|
||||||
ap: 142
|
|
||||||
users_wired: 20
|
|
||||||
users_wifi: 21
|
|
||||||
|
|
||||||
router_ip_suffix: 254
|
router_ip_suffix: 254
|
||||||
|
|
||||||
mtu: 1500
|
mtu: 1500
|
||||||
|
|
37
hosts
@ -8,16 +8,22 @@
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Aurore : main services
|
# Aurore : main services
|
||||||
|
|
||||||
|
viviane.adm.auro.re
|
||||||
|
|
||||||
[aurore_pve]
|
[aurore_pve]
|
||||||
merlin.adm.auro.re
|
merlin.adm.auro.re
|
||||||
|
|
||||||
[aurore_vm]
|
[aurore_vm]
|
||||||
|
routeur-aurore.adm.auro.re
|
||||||
|
routeur-aurore-backup.adm.auro.re
|
||||||
radius-aurore.adm.auro.re
|
radius-aurore.adm.auro.re
|
||||||
dhcp-aurore.adm.auro.re
|
dhcp-aurore.adm.auro.re
|
||||||
dns-aurore.adm.auro.re
|
dns-aurore.adm.auro.re
|
||||||
docker-worker1-aurore.adm.auro.re
|
docker-worker1-aurore.adm.auro.re
|
||||||
proxy-backup.adm.auro.re
|
proxy-backup.adm.auro.re
|
||||||
|
camelot.adm.auro.re
|
||||||
|
gitea.adm.auro.re
|
||||||
|
nextcloud.adm.auro.re
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# OVH
|
# OVH
|
||||||
|
@ -111,7 +117,6 @@ dhcp-edc-backup.adm.auro.re
|
||||||
unifi-edc.adm.auro.re
|
unifi-edc.adm.auro.re
|
||||||
radius-edc.adm.auro.re
|
radius-edc.adm.auro.re
|
||||||
radius-edc-backup.adm.auro.re
|
radius-edc-backup.adm.auro.re
|
||||||
routeur-aurore.adm.auro.re
|
|
||||||
ldap-replica-edc.adm.auro.re
|
ldap-replica-edc.adm.auro.re
|
||||||
ldap-replica-edc-backup.adm.auro.re
|
ldap-replica-edc-backup.adm.auro.re
|
||||||
|
|
||||||
|
@ -121,21 +126,40 @@ ldap-replica-edc-backup.adm.auro.re
|
||||||
|
|
||||||
[gs_pve]
|
[gs_pve]
|
||||||
perceval.adm.auro.re
|
perceval.adm.auro.re
|
||||||
|
lancelot.adm.auro.re
|
||||||
|
odin.adm.auro.re
|
||||||
|
|
||||||
[gs_vm]
|
[gs_vm]
|
||||||
dhcp-gs.adm.auro.re
|
dhcp-gs.adm.auro.re
|
||||||
|
dhcp-gs-backup.adm.auro.re
|
||||||
dns-gs.adm.auro.re
|
dns-gs.adm.auro.re
|
||||||
|
dns-gs-backup.adm.auro.re
|
||||||
routeur-gs.adm.auro.re
|
routeur-gs.adm.auro.re
|
||||||
|
routeur-gs-backup.adm.auro.re
|
||||||
unifi-gs.adm.auro.re
|
unifi-gs.adm.auro.re
|
||||||
radius-gs.adm.auro.re
|
radius-gs.adm.auro.re
|
||||||
|
radius-gs-backup.adm.auro.re
|
||||||
prometheus-gs.adm.auro.re
|
prometheus-gs.adm.auro.re
|
||||||
#inexistant : ldap-replica-gs.adm.auro.re
|
ldap-replica-gs.adm.auro.re
|
||||||
#inexistant : ldap-replica-gs-backup.adm.auro.re
|
ldap-replica-gs-backup.adm.auro.re
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# Les Rives
|
||||||
|
[rives_pve]
|
||||||
|
thor.adm.auro.re
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Groups by location
|
# Groups by location
|
||||||
|
|
||||||
|
# -aurore services
|
||||||
|
[aurore:children]
|
||||||
|
aurore_vm
|
||||||
|
|
||||||
|
|
||||||
# everything at ovh
|
# everything at ovh
|
||||||
[ovh:children]
|
[ovh:children]
|
||||||
ovh_pve
|
ovh_pve
|
||||||
|
@ -164,6 +188,10 @@ edc_vm
|
||||||
gs_pve
|
gs_pve
|
||||||
gs_vm
|
gs_vm
|
||||||
|
|
||||||
|
# everything at Les Rives
|
||||||
|
[rives:children]
|
||||||
|
rives_pve
|
||||||
|
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Groups by type
|
# Groups by type
|
||||||
|
@ -187,6 +215,7 @@ fleming_pve
|
||||||
pacaterie_pve
|
pacaterie_pve
|
||||||
edc_pve
|
edc_pve
|
||||||
gs_pve
|
gs_pve
|
||||||
|
rives_pve
|
||||||
|
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
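Review bot: `viviane.adm.auro.re` is inserted between the `# Aurore : main services` banner and `[aurore_pve]` in the first hunk, so in INI inventory syntax it belongs to whichever `[...]` header last appeared before line 8, not to an Aurore group; if it is a hypervisor it should sit under `[aurore_pve]` next to `merlin.adm.auro.re`. In the third hunk the new `[aurore:children]` lists only `aurore_vm`, whereas `[ovh:children]` and the gs groups include their `_pve` group too; if leaving out `aurore_pve` is intended, say so in the comment, e.g. `# -aurore services (VMs only, hypervisors excluded on purpose)`. The same hunk turns the two `#inexistant : ldap-replica-gs*` lines into live hosts, which presumably makes them targets of the new `ldap_replica.yml` playbook — worth confirming those VMs exist before that play is run.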
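--- /dev/null
+++ b/ldap_replica.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+# Clone LDAP on local geographic location
+# DON'T DO THIS AS IT RECREATES THE REPLICA
+- hosts: ldap_replica
+  roles:
+    - ldap-replica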
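Review bot: The only thing between `./ldap_replica.yml` and a rebuilt replica is the `# DON'T DO THIS AS IT RECREATES THE REPLICA` comment; now that the play is an executable file rather than the commented-out block it used to be in base.yml, the guard belongs in the play itself. A `pre_tasks` `fail` gated on an extra-var (below) turns an accidental run into a no-op while keeping the intended invocation a one-liner. `nuke-radius-dbs.yml` has the same shape — it drops the re2o database on every host matched by `~radius-(edc|fleming|pacaterie|gs).*` with `nuke_radius: true` baked in — and would benefit from the same gate, or at least `serial: 1` so one bad run does not take every block's RADIUS down at once.

```yaml
- hosts: ldap_replica
  pre_tasks:
    - name: Refuse to recreate the replica without explicit confirmation
      fail:
        msg: "This recreates the LDAP replica. Re-run with -e confirm_recreate_replica=true"
      when: not (confirm_recreate_replica | default(false) | bool)
  roles:
    - ldap-replica
```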
16
network.yml
@ -1,7 +1,7 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
#!/usr/bin/env ansible-playbook
|
||||||
---
|
---
|
||||||
# Set up DHCP servers.
|
# Set up DHCP servers.
|
||||||
- hosts: dhcp-*.adm.auro.re, !dhcp-aurore*.adm.auro.re,!dhcp-gs*.adm.auro.re
|
- hosts: dhcp-*.adm.auro.re, !dhcp-aurore*.adm.auro.re
|
||||||
vars:
|
vars:
|
||||||
service_repo: https://gitlab.federez.net/re2o/dhcp.git
|
service_repo: https://gitlab.federez.net/re2o/dhcp.git
|
||||||
service_name: dhcp
|
service_name: dhcp
|
||||||
|
@ -16,19 +16,27 @@
|
||||||
|
|
||||||
|
|
||||||
# Deploy unbound DNS server (recursive).
|
# Deploy unbound DNS server (recursive).
|
||||||
- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re,!dns-gs*.adm.auro.re
|
- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
|
||||||
roles:
|
roles:
|
||||||
- unbound
|
- unbound
|
||||||
|
|
||||||
|
|
||||||
# Déploiement du service re2o aurore-firewall et keepalived
|
# Déploiement du service re2o aurore-firewall et keepalived
|
||||||
- hosts: ~routeur-(pacaterie|edc|fleming).*\.adm\.auro\.re
|
# radvd: IPv6 SLAAC (/64 subnets, private IPs).
|
||||||
|
# Must NOT be on routeur-aurore-*, or will with DHCPv6!
|
||||||
|
- hosts: ~routeur-(pacaterie|edc|fleming|gs).*\.adm\.auro\.re
|
||||||
|
roles:
|
||||||
|
- router
|
||||||
|
- radvd
|
||||||
|
|
||||||
|
# No radvd here
|
||||||
|
- hosts: ~routeur-aurore.*\.adm\.auro\.re
|
||||||
roles:
|
roles:
|
||||||
- router
|
- router
|
||||||
|
|
||||||
|
|
||||||
# Radius (backup only for now)
|
# Radius (backup only for now)
|
||||||
- hosts: radius-edc-backup.adm.auro.re
|
- hosts: ~radius-(edc|fleming|pacaterie|gs).*
|
||||||
roles:
|
roles:
|
||||||
- radius
|
- radius
|
||||||
|
|
||||||
|
|
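Review bot: The context comment `# Radius (backup only for now)` is now wrong: the play under it targets `~radius-(edc|fleming|pacaterie|gs).*`, i.e. every main and backup radius host, so it should read `# Radius (main and backup, all blocks except aurore)`. The new comment `# Must NOT be on routeur-aurore-*, or will with DHCPv6!` is missing a word — `or it will conflict with DHCPv6` is presumably what was meant. The router pattern is anchored (`\.adm\.auro\.re`) but the radius one is not; `~radius-(edc|fleming|pacaterie|gs).*\.adm\.auro\.re` would keep the two consistent and avoid matching any future host that merely starts with `radius-gs`.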
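--- /dev/null
+++ b/nuke-radius-dbs.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: ~radius-(edc|fleming|pacaterie|gs).*
+  roles:
+    - radius
+  vars:
+    nuke_radius: true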
@ -1,3 +1,4 @@
|
||||||
domain adm.auro.re
|
domain adm.auro.re
|
||||||
nameserver 10.128.0.253
|
nameserver 10.128.0.253
|
||||||
|
nameserver 2a09:6840:128::253
|
||||||
nameserver 80.67.169.12
|
nameserver 80.67.169.12
|
||||||
|
|
|
@ -43,12 +43,12 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 {
|
||||||
option subnet-mask 255.255.0.0;
|
option subnet-mask 255.255.0.0;
|
||||||
option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255;
|
option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255;
|
||||||
option routers 10.{{ subnet_ids.users_wired }}.0.{{ router_ip_suffix }};
|
option routers 10.{{ subnet_ids.users_wired }}.0.{{ router_ip_suffix }};
|
||||||
option domain-name "fil.{{ apartment_block }}.auro.re";
|
option domain-name "fil.{{ apartment_block_dhcp }}.auro.re";
|
||||||
option domain-search "auro.re";
|
option domain-search "auro.re";
|
||||||
|
|
||||||
option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
|
option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
|
||||||
|
|
||||||
include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list";
|
include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block_dhcp }}.auro.re.list";
|
||||||
|
|
||||||
deny unknown-clients;
|
deny unknown-clients;
|
||||||
}
|
}
|
||||||
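Review bot: Both hunks switch `option domain-name` and the `include` path from `{{ apartment_block }}` to `{{ apartment_block_dhcp }}`, but in this commit only group_vars/gs defines `apartment_block_dhcp`; the aurore, edc, fleming and pacaterie group_vars visible above define `apartment_block` alone. Unless a default exists elsewhere (group_vars/all is not in this diff), templating dhcpd.conf on those blocks fails with an undefined variable. Either add `apartment_block_dhcp: "{{ apartment_block }}"` to the shared defaults or write `{{ apartment_block_dhcp | default(apartment_block) }}` in the template; the `DNSSL` lines in the new radvd template have the same dependency. The enclosing `subnet` block starts and ends outside the hunk.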
|
@ -60,12 +60,12 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 {
|
||||||
option subnet-mask 255.255.0.0;
|
option subnet-mask 255.255.0.0;
|
||||||
option broadcast-address 10.{{ subnet_ids.users_wifi }}.255.255;
|
option broadcast-address 10.{{ subnet_ids.users_wifi }}.255.255;
|
||||||
option routers 10.{{ subnet_ids.users_wifi }}.0.{{ router_ip_suffix }};
|
option routers 10.{{ subnet_ids.users_wifi }}.0.{{ router_ip_suffix }};
|
||||||
option domain-name "wifi.{{ apartment_block }}.auro.re";
|
option domain-name "wifi.{{ apartment_block_dhcp }}.auro.re";
|
||||||
option domain-search "auro.re";
|
option domain-search "auro.re";
|
||||||
|
|
||||||
option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
|
option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
|
||||||
|
|
||||||
include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list";
|
include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block_dhcp }}.auro.re.list";
|
||||||
|
|
||||||
pool {
|
pool {
|
||||||
range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wifi }}.10.255;
|
range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wifi }}.10.255;
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
---
|
---
|
||||||
# Filter SSH on groups
|
# Filter SSH on groups
|
||||||
- name: Filter SSH on groups
|
- name: Filter SSH on groups
|
||||||
|
when: ansible_facts['hostname'] != "camelot" # Camelot is accessible for everyone
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: ^AllowGroups
|
regexp: ^AllowGroups
|
||||||
|
|
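Review bot: Skipping the task on camelot (`when: ansible_facts['hostname'] != "camelot"`) does not remove an `AllowGroups` line that an earlier run of this role may already have written, so `# Camelot is accessible for everyone` only holds for a host that was never configured before this change. A companion task with the inverse condition and `lineinfile: dest: /etc/ssh/sshd_config, regexp: ^AllowGroups, state: absent` makes the intent explicit and idempotent, and keying the exemption on inventory membership (`inventory_hostname`) rather than the gathered hostname avoids depending on `gather_facts`. The `lineinfile` task continues past the hunk.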
|
@ -5,6 +5,7 @@
|
||||||
- "deb"
|
- "deb"
|
||||||
- "deb-src"
|
- "deb-src"
|
||||||
|
|
||||||
|
|
||||||
- name: Ensure /var/www exists
|
- name: Ensure /var/www exists
|
||||||
file:
|
file:
|
||||||
name: "/var/www"
|
name: "/var/www"
|
||||||
|
@ -14,14 +15,16 @@
|
||||||
git:
|
git:
|
||||||
repo: "https://gitlab.federez.net/re2o/re2o.git"
|
repo: "https://gitlab.federez.net/re2o/re2o.git"
|
||||||
dest: "/var/www/re2o"
|
dest: "/var/www/re2o"
|
||||||
version: "master_freeradius_python3"
|
version: "dev"
|
||||||
force: true
|
force: true
|
||||||
|
|
||||||
- name: Template local settings
|
- name: Template local re2o settings
|
||||||
template:
|
template:
|
||||||
src: settings_local.py.j2
|
src: "{{ item }}.j2"
|
||||||
dest: "/var/www/re2o/re2o/settings_local.py"
|
dest: "/var/www/re2o/re2o/{{ item }}"
|
||||||
|
loop:
|
||||||
|
- settings_local.py
|
||||||
|
- local_routers.py
|
||||||
|
|
||||||
|
|
||||||
# What follows is a hideous abomination.
|
# What follows is a hideous abomination.
|
||||||
|
@ -30,14 +33,22 @@
|
||||||
- name: try to install freeradius-python3 (this will fail on post-install)
|
- name: try to install freeradius-python3 (this will fail on post-install)
|
||||||
apt:
|
apt:
|
||||||
name: freeradius-python3
|
name: freeradius-python3
|
||||||
|
default_release: buster-backports
|
||||||
|
update_cache: yes
|
||||||
ignore_errors: yes
|
ignore_errors: yes
|
||||||
no_log: yes
|
|
||||||
|
|
||||||
- name: fix freeradius-python3 postinstall script
|
- name: fix freeradius-python3 postinstall script
|
||||||
template:
|
template:
|
||||||
src: freeradius-python3.postinst.j2
|
src: freeradius-python3.postinst.j2
|
||||||
dest: /var/lib/dpkg/info/freeradius-python3.postinst
|
dest: /var/lib/dpkg/info/freeradius-python3.postinst
|
||||||
|
|
||||||
|
- name: reinstall broken package (this might fail too, for different reasons)
|
||||||
|
apt:
|
||||||
|
name: freeradius-python3
|
||||||
|
default_release: buster-backports
|
||||||
|
force: yes
|
||||||
|
ignore_errors: yes
|
||||||
|
|
||||||
- name: Setup radius symlinks
|
- name: Setup radius symlinks
|
||||||
file:
|
file:
|
||||||
src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
|
src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
|
||||||
|
@ -54,7 +65,7 @@
|
||||||
- local_prefix: freeradius3/
|
- local_prefix: freeradius3/
|
||||||
filename: mods-enabled/eap
|
filename: mods-enabled/eap
|
||||||
|
|
||||||
- name: Configure radius clients.conf
|
- name: Configure freeradius
|
||||||
template:
|
template:
|
||||||
src: "{{ item }}.j2"
|
src: "{{ item }}.j2"
|
||||||
dest: "/etc/freeradius/3.0/{{ item }}"
|
dest: "/etc/freeradius/3.0/{{ item }}"
|
||||||
|
@ -64,10 +75,6 @@
|
||||||
- sites-enabled/inner-tunnel
|
- sites-enabled/inner-tunnel
|
||||||
- proxy.conf
|
- proxy.conf
|
||||||
|
|
||||||
- name: reinstall broken backpage
|
|
||||||
apt:
|
|
||||||
name: freeradius-python3
|
|
||||||
force: yes
|
|
||||||
|
|
||||||
- name: Install radius requirements (except freeradius-python3)
|
- name: Install radius requirements (except freeradius-python3)
|
||||||
shell:
|
shell:
|
||||||
|
@ -79,3 +86,149 @@
|
||||||
|
|
||||||
|
|
||||||
# End of hideousness (hopefully).
|
# End of hideousness (hopefully).
|
||||||
|
|
||||||
|
- name: Configure log rotation
|
||||||
|
template:
|
||||||
|
src: "freeradius-logrotate.j2"
|
||||||
|
dest: "/etc/logrotate.d/freeradius"
|
||||||
|
|
||||||
|
|
||||||
|
# Database setup
|
||||||
|
|
||||||
|
|
||||||
|
- name: Install postgresql
|
||||||
|
apt:
|
||||||
|
name:
|
||||||
|
- postgresql
|
||||||
|
- postgresql-client
|
||||||
|
|
||||||
|
- name: Install postgresql ansible module requirement(s)
|
||||||
|
pip:
|
||||||
|
name: psycopg2
|
||||||
|
|
||||||
|
- name: Create read-only user
|
||||||
|
community.general.postgresql_user:
|
||||||
|
name: re2o_ro
|
||||||
|
password: "{{ radius_pg_re2o_ro_password }}"
|
||||||
|
become_user: postgres
|
||||||
|
|
||||||
|
- name: Create replication user
|
||||||
|
community.general.postgresql_user:
|
||||||
|
name: replication
|
||||||
|
password: "{{ radius_pg_replication_password }}"
|
||||||
|
become_user: postgres
|
||||||
|
|
||||||
|
|
||||||
|
- name: Nuking - Stop freeradius
|
||||||
|
systemd:
|
||||||
|
name: freeradius
|
||||||
|
state: stopped
|
||||||
|
when: nuke_radius|default(false)
|
||||||
|
|
||||||
|
- name: Nuking - Remove old subscription if it exists
|
||||||
|
community.general.postgresql_subscription:
|
||||||
|
name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
|
||||||
|
db: re2o
|
||||||
|
state: absent
|
||||||
|
become_user: postgres
|
||||||
|
when: nuke_radius|default(false)
|
||||||
|
ignore_errors: yes
|
||||||
|
|
||||||
|
- name: Nuking - Destroy old local DB if it exists
|
||||||
|
community.general.postgresql_db:
|
||||||
|
name: re2o
|
||||||
|
state: absent
|
||||||
|
become_user: postgres
|
||||||
|
when: nuke_radius|default(false)
|
||||||
|
|
||||||
|
- name: Create local DB
|
||||||
|
community.general.postgresql_db:
|
||||||
|
name: re2o
|
||||||
|
owner: replication
|
||||||
|
state: present
|
||||||
|
encoding: "UTF8"
|
||||||
|
lc_collate: 'fr_FR.UTF-8'
|
||||||
|
lc_ctype: 'fr_FR.UTF-8'
|
||||||
|
become_user: postgres
|
||||||
|
|
||||||
|
- name: Dump radius re2o PostgreSQL database schema from master
|
||||||
|
community.general.postgresql_db:
|
||||||
|
name: re2o
|
||||||
|
state: dump
|
||||||
|
target: /tmp/re2o-schema.sql
|
||||||
|
target_opts: '-s'
|
||||||
|
login_host: 10.128.0.12
|
||||||
|
login_user: replication
|
||||||
|
login_password: "{{ radius_pg_replication_password }}"
|
||||||
|
|
||||||
|
|
||||||
|
- name: Restore DB
|
||||||
|
tags:
|
||||||
|
- restore
|
||||||
|
community.general.postgresql_db:
|
||||||
|
name: re2o
|
||||||
|
state: restore
|
||||||
|
target: /tmp/re2o-schema.sql
|
||||||
|
target_opts: "-s"
|
||||||
|
login_host: localhost
|
||||||
|
login_user: replication
|
||||||
|
login_password: "{{ radius_pg_replication_password }}"
|
||||||
|
|
||||||
|
|
||||||
|
- name: Grant select permissions on all tables to read-only user
|
||||||
|
tags:
|
||||||
|
- perms
|
||||||
|
community.general.postgresql_privs:
|
||||||
|
database: re2o
|
||||||
|
privs: SELECT
|
||||||
|
objs: ALL_IN_SCHEMA
|
||||||
|
schema: public
|
||||||
|
roles: re2o_ro
|
||||||
|
become_user: postgres
|
||||||
|
|
||||||
|
- name: Grant usage permission on schema to read-only user
|
||||||
|
tags:
|
||||||
|
- perms
|
||||||
|
community.general.postgresql_privs:
|
||||||
|
database: re2o
|
||||||
|
privs: USAGE
|
||||||
|
objs: public
|
||||||
|
type: schema
|
||||||
|
roles: re2o_ro
|
||||||
|
become_user: postgres
|
||||||
|
|
||||||
|
- name: Set default privileges in schema
|
||||||
|
tags:
|
||||||
|
- perms
|
||||||
|
community.general.postgresql_privs:
|
||||||
|
database: re2o
|
||||||
|
privs: SELECT
|
||||||
|
schema: public
|
||||||
|
objs: TABLES
|
||||||
|
type: default_privs
|
||||||
|
roles: re2o_ro
|
||||||
|
become_user: postgres
|
||||||
|
|
||||||
|
|
||||||
|
- name: Set up subscription to main database
|
||||||
|
tags:
|
||||||
|
- sub
|
||||||
|
community.general.postgresql_subscription:
|
||||||
|
name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
|
||||||
|
connparams:
|
||||||
|
host: re2o-db.adm.auro.re
|
||||||
|
user: replication
|
||||||
|
password: "{{ radius_pg_replication_password }}"
|
||||||
|
dbname: re2o
|
||||||
|
db: re2o
|
||||||
|
publications:
|
||||||
|
- re2o_pub
|
||||||
|
become_user: postgres
|
||||||
|
|
||||||
|
|
||||||
|
- name: Restart freeradius, ensure enabled
|
||||||
|
systemd:
|
||||||
|
name: freeradius
|
||||||
|
enabled: yes
|
||||||
|
state: restarted
|
||||||
|
daemon_reload: yes
|
||||||
|
|
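Review bot: The schema dump task uses `login_host: 10.128.0.12` while the subscription created a few tasks later points at `host: re2o-db.adm.auro.re`; if these are not the same server the restored schema can drift from the publication, so the dump should use the same name (`login_host: re2o-db.adm.auro.re`) or a shared variable. `ignore_errors: yes` on `Nuking - Remove old subscription` hides every failure, including a wrong password or an unreachable database, where `state: absent` should already be idempotent — drop it or scope it with `failed_when`. `pip: name: psycopg2` builds from PyPI on each radius host; the distro package `python3-psycopg2` via `apt` would keep it on the same update channel as postgresql itself. The new tasks also mix `yes` and `true` (`update_cache: yes`, `enabled: yes` vs `force: true`); pick one.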
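--- /dev/null
+++ b/roles/radius/templates/freeradius-logrotate.j2
@@ -0,0 +1,50 @@
+# The main server log
+/var/log/freeradius/radius.log {
+    # common options
+    daily
+    rotate 365
+    missingok
+    compress
+    delaycompress
+    notifempty
+
+    copytruncate
+}
+
+# (in order)
+# Session monitoring utilities
+# Session database modules
+# SQL log files
+/var/log/freeradius/checkrad.log /var/log/freeradius/radwatch.log
+/var/log/freeradius/radutmp /var/log/freeradius/radwtmp
+/var/log/freeradius/sqllog.sql
+{
+    # common options
+    daily
+    rotate 365
+    missingok
+    compress
+    delaycompress
+    notifempty
+
+    nocreate
+}
+
+# There are different detail-rotating strategies you can use. One is
+# to write to a single detail file per IP and use the rotate config
+# below. Another is to write to a daily detail file per IP with:
+# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
+# (or similar) in radiusd.conf, without rotation. If you go with the
+# second technique, you will need another cron job that removes old
+# detail files. You do not need to comment out the below for method #2.
+/var/log/freeradius/radacct/*/detail {
+    # common options
+    daily
+    rotate 365
+    missingok
+    compress
+    delaycompress
+    notifempty
+
+    nocreate
+}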
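--- /dev/null
+++ b/roles/radius/templates/local_routers.py.j2
@@ -0,0 +1,28 @@
+class DbRouter(object):
+    """
+    A router to control all database operations on models in the
+    auth application.
+    """
+    def db_for_read(self, model, **hints):
+        """
+        Attempts to read remote models go to local database.
+        """
+        return 'default'
+
+    def db_for_write(self, model, **hints):
+        """
+        Attempts to write remote models go to the remote database.
+        """
+        return 'master'
+
+    def allow_relation(self, obj1, obj2, **hints):
+        """
+        Allow relations involving the remote database
+        """
+        return True
+
+    def allow_migrate(self, db, app_label, model_name=None, **hints):
+        """
+        Allow migrations on the remote database
+        """
+        return True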
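Review bot: `allow_migrate` returns True for every alias, so a `manage.py migrate` run from a radius host would apply migrations against `master` — the central re2o database, reached with the read-write `re2o` credentials the settings_local.py.j2 hunk keeps in the `master` entry — and also attempt them against the local replica as `re2o_ro`, where they fail. For a host whose `default` is a logical-replication subscriber, `return db == 'master'` (or `return False` if migrations are only ever run on the master host) matches what the docstring says. The class docstring still refers to the "auth application"; it should name the re2o/radius replica setup it actually routes.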
@ -44,14 +44,14 @@ DEBUG = False
|
||||||
ADMINS = [('AURORE', 'monitoring.aurore@lists.crans.org'), ('Gabriel Detraz', 'detraz@crans.org')]
|
ADMINS = [('AURORE', 'monitoring.aurore@lists.crans.org'), ('Gabriel Detraz', 'detraz@crans.org')]
|
||||||
|
|
||||||
# The list of hostname the server will respond to.
|
# The list of hostname the server will respond to.
|
||||||
ALLOWED_HOSTS = ['radius-pacaterie.adm.auro.re']
|
ALLOWED_HOSTS = ['{{ inventory_hostname }}']
|
||||||
|
|
||||||
# The time zone the server is runned in
|
# The time zone the server is runned in
|
||||||
TIME_ZONE = 'Europe/Paris'
|
TIME_ZONE = 'Europe/Paris'
|
||||||
|
|
||||||
# The storage systems parameters to use
|
# The storage systems parameters to use
|
||||||
DATABASES = {
|
DATABASES = {
|
||||||
'default': { # The DB
|
'master': {
|
||||||
'ENGINE': 'django.db.backends.postgresql_psycopg2',
|
'ENGINE': 'django.db.backends.postgresql_psycopg2',
|
||||||
'NAME': 're2o',
|
'NAME': 're2o',
|
||||||
'USER': 're2o',
|
'USER': 're2o',
|
||||||
|
@ -62,7 +62,18 @@ DATABASES = {
|
||||||
'COLLATION': 'utf8_general_ci'
|
'COLLATION': 'utf8_general_ci'
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
'ldap': { # The LDAP
|
'default': {
|
||||||
|
'ENGINE': 'django.db.backends.postgresql_psycopg2',
|
||||||
|
'NAME': 're2o',
|
||||||
|
'USER': 're2o_ro',
|
||||||
|
'PASSWORD': "{{ radius_pg_re2o_ro_password }}",
|
||||||
|
'HOST': 'localhost',
|
||||||
|
'TEST': {
|
||||||
|
'CHARSET': 'utf8',
|
||||||
|
'COLLATION': 'utf8_general_ci'
|
||||||
|
}
|
||||||
|
},
|
||||||
|
'ldap': {
|
||||||
'ENGINE': 'ldapdb.backends.ldap',
|
'ENGINE': 'ldapdb.backends.ldap',
|
||||||
'NAME': 'ldap://10.128.0.11/',
|
'NAME': 'ldap://10.128.0.11/',
|
||||||
'USER': 'cn=admin,dc=auro,dc=re',
|
'USER': 'cn=admin,dc=auro,dc=re',
|
||||||
|
@ -114,3 +125,5 @@ OPTIONNAL_APPS_RE2O = ()
|
||||||
|
|
||||||
# Some Django apps you want to add in you local project
|
# Some Django apps you want to add in you local project
|
||||||
OPTIONNAL_APPS = OPTIONNAL_APPS_RE2O + ()
|
OPTIONNAL_APPS = OPTIONNAL_APPS_RE2O + ()
|
||||||
|
|
||||||
|
LOCAL_ROUTERS = ["re2o.local_routers.DbRouter"]
|
||||||
|
|
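--- /dev/null
+++ b/roles/radvd/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: restart radvd
+  systemd:
+    state: restarted
+    name: radvd
+    enabled: yes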
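--- /dev/null
+++ b/roles/radvd/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+
+
+# Warning: radvd installation seems to fail if the configuration
+# file doesn't already exist when the package is installed,
+# so the order is important.
+- name: Configure radvd
+  template:
+    src: radvd.conf.j2
+    dest: /etc/radvd.conf
+    mode: 0644
+  notify: restart radvd
+  tags:
+    - radconf
+
+- name: Install radvd
+  apt:
+    update_cache: true
+    name: radvd
+    state: present
+  notify: restart radvd
+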
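Review bot: `mode: 0644` is an unquoted octal literal; PyYAML reads it as the integer 420, which Ansible maps back to 0644 only by coincidence of the 1.1 octal rule, so quote it as `mode: "0644"` (ansible-lint risky-octal) to survive a YAML 1.2 loader. The two new `mode: 0644` lines in roles/router/tasks/main.yml (`Configure /etc/network/interfaces for routeur-aurore*` and `Configure aurore-firewall for routeur-aurore*`) have the same issue. This file uses `update_cache: true` while the handler uses `enabled: yes`; settle on `true`/`false` for both.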
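--- /dev/null
+++ b/roles/radvd/templates/radvd.conf.j2
@@ -0,0 +1,80 @@
+# -*- mode: conf-unix; coding: utf-8 -*-
+
+##
+# Bornes Wi-Fi
+##
+
+# # Need to add an interface for this VLAN on "routeur-*" hosts.
+#
+# interface ens19 {
+# AdvSendAdvert on;
+# AdvLinkMTU {{ mtu }};
+# AdvDefaultPreference high;
+# MaxRtrAdvInterval 30;
+#
+# AdvRASrcAddress {
+# {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:250; # Unifi controller
+# };
+#
+# prefix {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::/64 {
+# AdvRouterAddr on;
+# };
+#
+# # La zone DNS
+# DNSSL borne.auro.re {};
+#
+# # Les DNS récursifs
+# RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {};
+# RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {};
+# };
+
+##
+# Utilisateurs filaire
+##
+interface ens20 {
+    AdvSendAdvert on;
+    AdvLinkMTU {{ mtu }};
+    AdvDefaultPreference high;
+    MaxRtrAdvInterval 30;
+
+    AdvRASrcAddress {
+        fe80::1; # link-local virtual IP used with keepalived
+    };
+
+    prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 {
+        AdvRouterAddr on;
+    };
+
+    DNSSL fil.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround.
+
+    RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_main }} {};
+    RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_backup }} {};
+};
+
+
+##
+# Utilisateurs wifi
+##
+interface ens21 {
+    AdvSendAdvert on;
+    AdvLinkMTU {{ mtu }};
+    AdvDefaultPreference high;
+    MaxRtrAdvInterval 30;
+
+    AdvRASrcAddress {
+        fe80::1;
+    };
+
+    prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64 {
+        AdvRouterAddr on;
+    };
+
+    DNSSL wifi.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround.
+
+    RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_main }} {};
+    RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_backup }} {};
+};
+
+
+
+# For public IPs: will use DHCPv6, deployed on routeur-aurore alone.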
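Review bot: Both interface blocks advertise from `AdvRASrcAddress { fe80::1; }` with `AdvDefaultPreference high`, and network.yml applies the radvd role to `~routeur-(pacaterie|edc|fleming|gs).*`, which in the hosts file now includes the `-backup` routers. If radvd stays running on both members of a keepalived pair, clients receive RAs from two machines claiming the same link-local address; confirm that keepalived starts/stops radvd with the VIP, or state the expectation above the first interface block, e.g. `# radvd must only run on the keepalived MASTER: both routers advertise fe80::1`. The `DNSSL` lines depend on `apartment_block_dhcp`, which only group_vars/gs defines in this diff, and the `ens20`/`ens21` names are hard-coded where a per-host variable would avoid silent breakage if a VM's NIC order differs.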
@ -21,8 +21,8 @@
|
||||||
become: true
|
become: true
|
||||||
become_user: "{{ service_user }}"
|
become_user: "{{ service_user }}"
|
||||||
|
|
||||||
- name: Configure re2o {{ service_name }} project
|
- name: "Configure re2o {{ service_name }} project"
|
||||||
ini_file:
|
community.general.ini_file:
|
||||||
path: "{{ service_homedir }}/config.ini"
|
path: "{{ service_homedir }}/config.ini"
|
||||||
section: Re2o
|
section: Re2o
|
||||||
option: "{{ item.key }}"
|
option: "{{ item.key }}"
|
||||||
|
|
|
@ -2,6 +2,7 @@
|
||||||
systemd:
|
systemd:
|
||||||
state: restarted
|
state: restarted
|
||||||
name: keepalived
|
name: keepalived
|
||||||
|
enabled: yes
|
||||||
|
|
||||||
- name: run aurore-firewall
|
- name: run aurore-firewall
|
||||||
command: python3 main.py --force
|
command: python3 main.py --force
|
||||||
|
|
|
@ -1,11 +1,35 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
# XXX: YES, this is ugly as fuck.
|
||||||
|
- name: set IP suffix (main)
|
||||||
|
set_fact:
|
||||||
|
router_hard_ip_suffix: 240
|
||||||
|
when: "'backup' not in ansible_hostname"
|
||||||
|
|
||||||
|
- name: set IP suffix (backup)
|
||||||
|
set_fact:
|
||||||
|
router_hard_ip_suffix: 140
|
||||||
|
when: "'backup' in ansible_hostname"
|
||||||
|
|
||||||
- name: Enable IPv4 packet forwarding
|
- name: Enable IPv4 packet forwarding
|
||||||
sysctl:
|
ansible.posix.sysctl:
|
||||||
name: net.ipv4.ip_forward
|
name: net.ipv4.ip_forward
|
||||||
value: '1'
|
value: '1'
|
||||||
sysctl_set: yes
|
sysctl_set: yes
|
||||||
|
|
||||||
|
- name: Enable IPv6 packet forwarding
|
||||||
|
ansible.posix.sysctl:
|
||||||
|
name: net.ipv6.conf.all.forwarding
|
||||||
|
value: '1'
|
||||||
|
sysctl_set: yes
|
||||||
|
|
||||||
|
- name: Configure /etc/network/interfaces for routeur-aurore*
|
||||||
|
template:
|
||||||
|
src: interfaces-aurore
|
||||||
|
dest: /etc/network/interfaces
|
||||||
|
mode: 0644
|
||||||
|
when: "'routeur-aurore' in ansible_hostname"
|
||||||
|
|
||||||
- name: Install aurore-firewall (re2o-service)
|
- name: Install aurore-firewall (re2o-service)
|
||||||
import_role:
|
import_role:
|
||||||
name: re2o-service
|
name: re2o-service
|
||||||
|
@ -19,12 +43,21 @@
|
||||||
password: "{{ vault_serviceuser_passwd }}"
|
password: "{{ vault_serviceuser_passwd }}"
|
||||||
notify: run aurore-firewall
|
notify: run aurore-firewall
|
||||||
|
|
||||||
- name: Configure aurore-firewall
|
- name: Configure aurore-firewall for local router
|
||||||
template:
|
template:
|
||||||
src: firewall_config.py
|
src: firewall_config.py
|
||||||
dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
|
dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
|
||||||
mode: 0644
|
mode: 0644
|
||||||
notify: run aurore-firewall
|
notify: run aurore-firewall
|
||||||
|
when: "'routeur-aurore' not in ansible_hostname"
|
||||||
|
|
||||||
|
- name: Configure aurore-firewall for routeur-aurore*
|
||||||
|
template:
|
||||||
|
src: firewall_config_aurore.py
|
||||||
|
dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
|
||||||
|
mode: 0644
|
||||||
|
notify: run aurore-firewall
|
||||||
|
when: "'routeur-aurore' in ansible_hostname"
|
||||||
|
|
||||||
- name: Install keepalived
|
- name: Install keepalived
|
||||||
apt:
|
apt:
|
||||||
|
@ -34,13 +67,21 @@
|
||||||
retries: 3
|
retries: 3
|
||||||
until: apt_result is succeeded
|
until: apt_result is succeeded
|
||||||
|
|
||||||
- name: Configure keepalived
|
- name: configure keepalived for local router
|
||||||
template:
|
template:
|
||||||
src: keepalived.conf
|
src: keepalived.conf
|
||||||
dest: /etc/keepalived/keepalived.conf
|
dest: /etc/keepalived/keepalived.conf
|
||||||
mode: 0644
|
mode: 0644
|
||||||
notify: restart keepalived
|
notify: restart keepalived
|
||||||
|
when: "'routeur-aurore' not in ansible_hostname"
|
||||||
|
|
||||||
|
- name: configure keepalived for routeur-aurore*
|
||||||
|
template:
|
||||||
|
src: keepalived-aurore.conf
|
||||||
|
dest: /etc/keepalived/keepalived.conf
|
||||||
|
mode: 0644
|
||||||
|
notify: restart keepalived
|
||||||
|
when: "'routeur-aurore' in ansible_hostname"
|
||||||
|
|
||||||
- name: Configure cron
|
- name: Configure cron
|
||||||
template:
|
template:
|
||||||
|
|
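Review bot: `mode: 0644` on the new `configure keepalived for routeur-aurore*` task renders `keepalived-aurore.conf`, which contains `auth_pass {{ keepalived_password }}` (see the new template in this commit), as a world-readable file; keepalived reads it as root, so `mode: 0600` is sufficient and keeps the VRRP password away from unprivileged accounts on the router. The same applies to the `configure keepalived for local router` task above it, whose `mode` line is unchanged here. As a style point, the two new task names start lowercase (`configure keepalived for local router`) while the surrounding tasks (`Install keepalived`, `Configure cron`) are capitalised.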
|
@ -24,8 +24,8 @@
|
||||||
|
|
||||||
### Give me a role
|
### Give me a role
|
||||||
|
|
||||||
# routeur4 = routeur IPv4
|
# previously: routeur4 = routeur IPv4
|
||||||
role = ['routeur4']
|
role = ['routeur']
|
||||||
|
|
||||||
|
|
||||||
### Specify each interface role
|
### Specify each interface role
|
||||||
|
|
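Review bot: The comment above `role = ['routeur']` now records only the old value (`# previously: routeur4 = routeur IPv4`) and no longer says what the current role means to aurore-firewall. A comment stating the present meaning, e.g. `# 'routeur': aurore-firewall router role (renamed from 'routeur4', which was IPv4-only)`, serves readers who never saw the old name; the exact semantics of the role name come from aurore-firewall and are not visible in this commit, so confirm the wording against it.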
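--- /dev/null
+++ b/roles/router/templates/firewall_config_aurore.py
@@ -0,0 +1,49 @@
+# -*- mode: python; coding: utf-8 -*-
+# Re2o est un logiciel d'administration développé initiallement au rezometz. Il
+# se veut agnostique au réseau considéré, de manière à être installable en
+# quelques clics.
+#
+# Copyright © 2017 Gabriel Détraz
+# Copyright © 2017 Goulven Kermarec
+# Copyright © 2017 Augustin Lemesle
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+### Give me a role
+
+role = ['routeur']
+
+### Specify each interface role
+
+interfaces_type = {
+'routable' : ['ens21', 'ens22'],
+'sortie' : ['ens18', 'ens1'],
+'admin' : ['ens19', 'ens20', 'ens23']
+}
+
+### Specify nat settings: name, interfaces with range, and global range for nat
+### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST
+### contain /16 range
+
+nat = [
+{
+'name' : 'AdminVlans',
+'extra_nat' : {
+'10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}',
+'10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
+'10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}'
+}
+}
+]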
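--- /dev/null
+++ b/roles/router/templates/interfaces-aurore
@@ -0,0 +1,84 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# VLAN 129: routage
+auto ens18
+iface ens18 inet static
+address 10.129.0.{{ router_hard_ip_suffix }}/16
+gateway 10.129.0.1
+
+iface ens18 inet6 static
+address 2a09:6840:129::0:{{ router_hard_ip_suffix }}/64
+
+post-up ip route add 2a09:6840:10::/64 via 2a09:6840:129::1:254 dev ens18
+post-up ip route add 2a09:6840:11::/64 via 2a09:6840:129::1:254 dev ens18
+
+post-up ip route add 2a09:6840:20::/64 via 2a09:6840:129::2:254 dev ens18
+post-up ip route add 2a09:6840:21::/64 via 2a09:6840:129::2:254 dev ens18
+
+post-up ip route add 2a09:6840:40::/64 via 2a09:6840:129::4:254 dev ens18
+post-up ip route add 2a09:6840:41::/64 via 2a09:6840:129::4:254 dev ens18
+
+post-up ip route add 2a09:6840:50::/64 via 2a09:6840:129::5:254 dev ens18
+post-up ip route add 2a09:6840:51::/64 via 2a09:6840:129::5:254 dev ens18
+
+
+# The primary network interface
+allow-hotplug ens19
+iface ens19 inet static
+address 10.128.0.{{ router_hard_ip_suffix }}/16
+gateway 10.128.0.254
+dns-search adm.auro.re
+
+iface ens19 inet6 static
+address 2a09:6840:128::0:{{ router_hard_ip_suffix }}/64
+
+# Ensures internet connectivity when running as keepalived backup.
+gateway 2a09:6840:128::0:254
+
+# VlAN 130: switches
+auto ens20
+iface ens20 inet static
+address 10.130.0.{{ router_hard_ip_suffix }}/16
+
+iface ens20 inet6 static
+address 2a09:6840:130::0:{{ router_hard_ip_suffix }}/64
+
+# VLAN 111: IPs publiques serveurs
+auto ens21
+iface ens21 inet static
+address 45.66.111.{{ router_hard_ip_suffix }}/24
+
+# Nécessaire pour contacter re2o et bootstrap le firewall.
+# Ces directives sont _aussi_ set par aurore-firewall !
+up iptables -t nat -A POSTROUTING -s 10.129.0.{{ router_hard_ip_suffix }}/32 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }}
+up iptables -t nat -A POSTROUTING -s 10.128.0.0/16 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }}
+up iptables -t nat -A POSTROUTING -s 10.130.0.0/16 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }}
+
+iface ens21 inet6 static
+address 2a09:6840:111::{{ router_hard_ip_suffix }}/48
+
+# VLAN 110: IP publiques adhérents
+auto ens22
+iface ens22 inet static
+address 45.66.110.{{ router_hard_ip_suffix }}/24
+
+iface ens22 inet6 static
+address 2a09:6840:110::{{ router_hard_ip_suffix }}/48
+
+# VLAN 131: onduleurs et PDU
+auto ens23
+iface ens23 inet static
+address 10.131.0.{{ router_hard_ip_suffix }}/16
+
+iface ens23 inet6 static
+address 2a09:6840:131::0:{{ router_hard_ip_suffix }}/64
+
+auto ens1
+iface ens1 inet6 manual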
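Review bot: Both `iface ens18 inet static` and `iface ens19 inet static` carry a `gateway` line (`10.129.0.1` and `10.128.0.254`), so ifupdown tries to install two IPv4 default routes without metrics; whichever interface comes up second typically fails with `RTNETLINK answers: File exists` and ifup reports that interface as failed. On the node that is VRRP MASTER, `10.128.0.254` is moreover an address this host holds itself (the ens19 VIP in `keepalived-aurore.conf`), so the route can only matter in BACKUP state, as the comment on the IPv6 stanza already says for `2a09:6840:128::0:254`; stating that on the IPv4 side and giving the route a metric, e.g. `post-up ip route add default via 10.128.0.254 metric 200 || true` in place of the second `gateway`, avoids the conflict. Separately, the three `up iptables -t nat -A POSTROUTING ...` lines on ens21 append on every `ifup` and have no `down` counterpart, so an ifdown/ifup cycle leaves duplicate SNAT rules until aurore-firewall rewrites the table; a matching `down iptables -t nat -D POSTROUTING ...` per rule keeps the table consistent.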
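--- /dev/null
+++ b/roles/router/templates/keepalived-aurore.conf
@@ -0,0 +1,121 @@
+global_defs {
+notification_email {
+monitoring.aurore@lists.crans.org
+}
+notification_email_from routeur-aurore{% if 'backup' in inventory_hostname %}-backup{% endif %}@auro.re
+smtp_server smtp.crans.org
+}
+
+
+vrrp_instance VI_ROUT_aurore_IPv4 {
+{% if 'backup' in inventory_hostname %}
+state BACKUP
+priority 100
+{% else %}
+state MASTER
+priority 150
+{% endif %}
+
+
+# Interface used for VRRP communication.
+interface ens19
+
+# Shared by MASTER and BACKUP
+virtual_router_id 40
+
+# Timeout in seconds before failover kicks in.
+advert_int 2
+
+# Used to authenticate VRRP communication between master and backup.
+authentication {
+auth_type PASS
+auth_pass {{ keepalived_password }}
+}
+
+smtp_alert
+
+virtual_ipaddress {
+# Routing
+10.129.0.254/16 brd 10.129.255.255 dev ens18 scope global
+
+# Adm
+10.128.0.254/16 brd 10.129.255.255 dev ens19 scope global
+
+# Switches
+10.130.0.254/16 brd 10.130.255.255 dev ens20 scope global
+
+# IPs publiques serveurs
+45.66.111.254/24 brd 45.66.111.255 dev ens21 scope global
+
+# IPs publiques adhérents
+45.66.110.254/24 brd 45.66.110.255 dev ens22 scope global
+
+# VLAN 131: Onduleurs et PDUs
+10.131.0.254/16 brd 10.131.255.255 dev ens23 scope global
+}
+
+
+virtual_routes {
+# IPv4 gateway: yggdrasil
+src 10.129.0.254 to 0.0.0.0/0 via 10.129.0.1 dev ens18
+}
+}
+
+vrrp_instance VI_ROUT_aurore_IPv6 {
+{% if 'backup' in inventory_hostname %}
+state BACKUP
+priority 100
+{% else %}
+state MASTER
+priority 150
+{% endif %}
+
+
+# Interface used for VRRP communication.
+interface ens19
+
+# Shared by MASTER and BACKUP
+virtual_router_id 60
+
+# Timeout in seconds before failover kicks in.
+advert_int 2
+
+# Used to authenticate VRRP communication between master and backup.
+authentication {
+auth_type PASS
+auth_pass {{ keepalived_password }}
+}
+
+smtp_alert
+
+virtual_ipaddress {
+# Hello zayo
+2001:1b48:2:103::d7:2/126 dev ens1 scope global
+
+# Routing
+2a09:6840:129::254/64 dev ens18 scope global
+
+# Adm
+2a09:6840:128::254/64 dev ens19 scope global
+
+# Switches
+2a09:6840:130::254/64 dev ens20 scope global
+
+# IPs publiques serveurs
+2a09:6840:111::254/64 dev ens21 scope global
+
+# IPs publiques adhérents
+2a09:6840:110::254/64 dev ens22 scope global
+
+# VLAN 131: Onduleurs et PDUs
+2a09:6840:131::254/64 dev ens23 scope global
+}
+
+
+virtual_routes {
+# For IPv6, the master router is routeur-aurore, NOT yggdrasil,
+# because yggdrasil doesn't support BGPv6 announcements.
+src 2001:1b48:2:103::d7:2/126 to ::/0 via 2001:1b48:2:103::d7:1 dev ens1
+}
+}
+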
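Review bot: In `VI_ROUT_aurore_IPv4`, the Adm VIP `10.128.0.254/16 brd 10.129.255.255 dev ens19` carries the broadcast address of the routing VLAN, apparently copied from the ens18 line above it; for 10.128.0.0/16 it should read `10.128.0.254/16 brd 10.128.255.255 dev ens19 scope global`, as every other entry in the block derives `brd` from its own prefix. In `VI_ROUT_aurore_IPv6`, the `authentication { ... }` block has no effect: keepalived forces VRRPv3 for instances carrying IPv6 addresses and VRRPv3 has no authentication field, so keepalived logs that it is ignoring the block — removing it there avoids advertising a protection that is not applied (the IPv6 instance added to `keepalived.conf` in this commit has the same block). For the IPv4 instance, `auth_type PASS` sends `auth_pass` in clear text on the ens19 segment and keepalived truncates it to 8 characters, so it guards against a misconfigured peer rather than a hostile one; a comment on `authentication` saying so would keep readers from treating `keepalived_password` as a secret that protects the VIPs.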
|
@ -2,12 +2,12 @@ global_defs {
|
||||||
notification_email {
|
notification_email {
|
||||||
monitoring.aurore@lists.crans.org
|
monitoring.aurore@lists.crans.org
|
||||||
}
|
}
|
||||||
notification_email_from routeur-edc-backup@auro.re
|
notification_email_from routeur-{{ apartment_block }}{% if 'backup' in inventory_hostname %}-backup{% endif %}@auro.re
|
||||||
smtp_server smtp.crans.org
|
smtp_server smtp.crans.org
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
vrrp_instance VI_ROUT_{{ apartment_block }} {
|
vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 {
|
||||||
{% if 'backup' in inventory_hostname %}
|
{% if 'backup' in inventory_hostname %}
|
||||||
state BACKUP
|
state BACKUP
|
||||||
priority 100
|
priority 100
|
||||||
|
@ -21,12 +21,11 @@ vrrp_instance VI_ROUT_{{ apartment_block }} {
|
||||||
interface ens18
|
interface ens18
|
||||||
|
|
||||||
# Shared by MASTER and BACKUP
|
# Shared by MASTER and BACKUP
|
||||||
virtual_router_id {{ apartment_block_id }}
|
virtual_router_id 4{{ apartment_block_id }}
|
||||||
|
|
||||||
# Timeout in seconds before failover kicks in.
|
# Timeout in seconds before failover kicks in.
|
||||||
advert_int 2
|
advert_int 2
|
||||||
|
|
||||||
|
|
||||||
# Used to authenticate VRRP communication between master and backup.
|
# Used to authenticate VRRP communication between master and backup.
|
||||||
authentication {
|
authentication {
|
||||||
auth_type PASS
|
auth_type PASS
|
||||||
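Review bot: `virtual_router_id 4{{ apartment_block_id }}` builds the VRID by string concatenation, so the result stays in the 1–255 range only while `apartment_block_id` is a single digit, and for an id of 0 it equals the `virtual_router_id 40` of `keepalived-aurore.conf` (harmless unless the two instances ever share a segment); the same applies to `6{{ apartment_block_id }}` in the new IPv6 instance in the next hunk. An arithmetic form such as `virtual_router_id {{ 40 + apartment_block_id | int }}` yields the same values for single-digit ids, stays numeric, and makes the intended offset visible; the range of `apartment_block_id` is not visible in this commit, so confirm it before relying on either form.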
|
@ -39,19 +38,72 @@ vrrp_instance VI_ROUT_{{ apartment_block }} {
|
||||||
# Routing subnet
|
# Routing subnet
|
||||||
10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global
|
10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global
|
||||||
|
|
||||||
# Public subnet: wired
|
|
||||||
|
# NATed subnet: wired
|
||||||
45.66.108.25{{ apartment_block_id }}/24 brd 45.66.108.255 dev ens19 scope global
|
45.66.108.25{{ apartment_block_id }}/24 brd 45.66.108.255 dev ens19 scope global
|
||||||
# Public subnet: wifi
|
|
||||||
|
# NATed subnet: wifi
|
||||||
45.66.109.25{{ apartment_block_id }}/24 brd 45.66.109.255 dev ens19 scope global
|
45.66.109.25{{ apartment_block_id }}/24 brd 45.66.109.255 dev ens19 scope global
|
||||||
|
|
||||||
# Wired
|
# Wired
|
||||||
10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global
|
10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global
|
||||||
|
|
||||||
# Wifi
|
# Wifi
|
||||||
10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
|
10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
virtual_routes {
|
virtual_routes {
|
||||||
# 10.129.0.1 is Yggdrasil
|
# 10.129.0.1 is Yggdrasil
|
||||||
src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19
|
src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
vrrp_instance VI_ROUT_{{ apartment_block }}_IPv6 {
|
||||||
|
{% if 'backup' in inventory_hostname %}
|
||||||
|
state BACKUP
|
||||||
|
priority 100
|
||||||
|
{% else %}
|
||||||
|
state MASTER
|
||||||
|
priority 150
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
|
||||||
|
# Interface used for VRRP communication.
|
||||||
|
interface ens18
|
||||||
|
|
||||||
|
# Shared by MASTER and BACKUP
|
||||||
|
virtual_router_id 6{{ apartment_block_id }}
|
||||||
|
|
||||||
|
# Timeout in seconds before failover kicks in.
|
||||||
|
advert_int 2
|
||||||
|
|
||||||
|
# Used to authenticate VRRP communication between master and backup.
|
||||||
|
authentication {
|
||||||
|
auth_type PASS
|
||||||
|
auth_pass {{ keepalived_password }}
|
||||||
|
}
|
||||||
|
|
||||||
|
smtp_alert
|
||||||
|
|
||||||
|
virtual_ipaddress {
|
||||||
|
# Routing subnet
|
||||||
|
fe80::1/64 dev ens19 scope global
|
||||||
|
{{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254/64 dev ens19 scope global
|
||||||
|
|
||||||
|
# Wired
|
||||||
|
fe80::1/64 dev ens20 scope global
|
||||||
|
|
||||||
|
# Wifi
|
||||||
|
fe80::1/64 dev ens21 scope global
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
virtual_routes {
|
||||||
|
# For IPv6, the master router is routeur-aurore, NOT yggdrasil,
|
||||||
|
# because yggdrasil doesn't support BGPv6 announcements.
|
||||||
|
src {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254 to ::/0 via {{ ipv6_base_prefix }}:129::0:254 dev ens19
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
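Review bot: `fe80::1/64 dev ens19 scope global` (and the same on ens20 and ens21) pairs a link-local address with `scope global`; as far as I can tell the kernel derives an IPv6 address's scope from the address itself, so the modifier is at best ignored and at worst misleading — `fe80::1/64 dev ens19` (or `scope link`) states the intent. The `# Routing subnet` comment now sits above that `fe80::1` entry, which is a per-link gateway address rather than part of the routing subnet; a comment such as `# fe80::1: link-local gateway address shared by MASTER and BACKUP` above the first `fe80::1` line, with `# Routing subnet` moved down to the `{{ ipv6_base_prefix }}:129::...` entry, would match what the block contains.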
|
@ -11,20 +11,32 @@ server:
|
||||||
logfile: "/var/log/unbound/unbound.log"
|
logfile: "/var/log/unbound/unbound.log"
|
||||||
|
|
||||||
do-ip4: yes
|
do-ip4: yes
|
||||||
# FIXME: IPv6 deployment... someday...
|
do-ip6: yes
|
||||||
do-ip6: no
|
|
||||||
|
|
||||||
# IP addresses on which to listen.
|
# IP addresses on which to listen.
|
||||||
|
#
|
||||||
|
# Note: dns_host_suffix is dynamically set in this role's tasks,
|
||||||
|
# and changes depending on whether we're handling the main or backup
|
||||||
|
# recursive DNS node.
|
||||||
|
|
||||||
|
# IPv4
|
||||||
interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
|
interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
|
||||||
interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
|
interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
|
||||||
interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
|
interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
|
||||||
|
|
||||||
|
|
||||||
|
# IPv6
|
||||||
|
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }}
|
||||||
|
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }}
|
||||||
|
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }}
|
||||||
|
|
||||||
|
|
||||||
# By default, anything other than localhost is refused.
|
# By default, anything other than localhost is refused.
|
||||||
# Whitelist some subnets:
|
# Whitelist some subnets:
|
||||||
access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
|
access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
|
||||||
access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
|
access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
|
||||||
access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
|
access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
|
||||||
|
access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :)
|
||||||
|
|
||||||
num-threads: {{ ansible_processor_vcpus }}
|
num-threads: {{ ansible_processor_vcpus }}
|
||||||
|
|
||||||
|
|
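Review bot: `access-control: {{ ipv6_base_prefix }}::/32 allow` opens the resolver to the whole organisation-wide IPv6 prefix, whereas the IPv4 rules above it admit only this building's three /16 subnets; the IPv6 side therefore also serves the public server and member ranges and every other site, widening the set of clients able to issue recursive queries well beyond what the IPv4 policy permits. Mirroring the IPv4 granularity with `access-control: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::/64 allow` and the same for `users_wired` and `users_wifi` keeps the two policies consistent with the `interface:` lines added just above (the /64 is inferred from the VIPs in the keepalived templates — confirm against the address plan). The `# Fuck it... :)` trailer documents nothing; if the /32 is intentional, a comment stating why, e.g. `# whole org prefix: clients from other sites may fall back to this resolver`, is what a future reader needs.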