Merge branch 'ansible-2.10' into master

Yohaï-Eliel BERREBY 2020-09-08 22:35:30 +02:00
commit e48425300a
36 changed files with 1030 additions and 229 deletions

1
.gitignore vendored

@ -1,2 +1,3 @@
*.retry
tmp
ldap-password.txt
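Review bot: Ignoring `ldap-password.txt` only prevents future `git add`; if the file was ever committed it remains in history, so check with `git log --all -- ldap-password.txt` and, if it shows up, rotate the bind password and purge it rather than relying on the ignore entry. The name also implies an LDAP password kept in cleartext in the working tree, while this same commit already keeps other secrets in an ansible-vault file; moving it there (e.g. `vault_ldap_password`) would be the consistent choice. Which of the three lines is the addition is not marked on this page; I am assuming it is the ldap-password.txt entry.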


@ -118,3 +118,23 @@ for ip in `cat hosts|grep .adm.auro.re`; do
ssh-copy-id -i ~/.ssh/id_rsa.pub $ip
done
```
### Passage à Ansible 2.10 (release: 30 juillet)
Installez la version de développement d'ansible pour faire fonctionner les
playbooks de ce repo, ainsi que les collections suivantes :
```bash
ansible-galaxy collection install community.general
ansible-galaxy collection install ansible.posix
```
Si vous n'arrivez pas à entrer votre _become password_ (bug dans ansible?), un
workaround est le suivant :
`$ export ANSIBLE_BECOME_PASS='<votre mot de passe LDAP>'`
Notez l'espace au début pour ne pas log la commande dans votre historique
shell.


@ -33,3 +33,6 @@ become_ask_pass = True
# TO know what changed
always = yes
[ssh_connection]
pipelining = True
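Review bot: `pipelining = True` under `[ssh_connection]` is a worthwhile speedup, but combined with `become_ask_pass = True` it only works if the managed hosts' sudoers do not set `Defaults requiretty`; where they do, every become task fails with a "sudo: sorry, you must have a tty" error. A comment next to the setting would save the next person the debugging, e.g. `# Requires 'Defaults !requiretty' (or no requiretty) in sudoers on managed hosts`. I cannot see the rest of this config or the hosts' sudoers, so whether this is already handled is inferred.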


@ -11,8 +11,3 @@
roles:
- ldap-client
# Clone LDAP on local geographic location
# DON'T DO THIS AS IT RECREATES THE REPLICA
#- hosts: ldap_replica
# roles:
# - ldap-replica


@ -50,8 +50,13 @@ dns_host_suffix_backup: 153
backup_dns_servers:
- "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
# Misc
mtu: 1400
# Finally raised!
mtu: 1500
subnet_ids:
ap: "14{{ apartment_block_id }}"
users_wired: "{{ apartment_block_id }}0"
users_wifi: "{{ apartment_block_id }}1"
# Keepalived
@ -67,3 +72,15 @@ re2o_aes_key: "{{ vault_re2o_aes_key }}"
radius_secret_aurore: "{{ vault_radius_secrets.aurore }}"
radius_secret_wifi: "{{ vault_radius_secrets.wifi }}"
radius_secret_wired: "{{ vault_radius_secrets.wired[apartment_block] }}"
radius_pg_replication_password: "{{ vault_re2o_db_user_passwords.replication }}"
radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}"
apartment_block_dhcp: "{{ apartment_block }}"
# Careful, this is not byte-aligned, just nibble-aligned (RIPE gave us a /28).
# However, we ALWAYS keep the trailing 0 to have byte alignment.
ipv6_base_prefix: "2a09:6840"
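Review bot: The new `subnet_ids` templates render oddly for a group with `apartment_block_id: 0` (the aurore group vars added in this same commit): `users_wired` becomes `"00"` and `users_wifi` `"01"`, so anything consuming them would produce `10.00.0.0` / `10.01.0.0`, and whether each consumer accepts the leading zero is not something I can verify from here. If aurore is not meant to use these values at all, say so where they are defined, e.g. `# Only meaningful for the per-building groups (apartment_block_id 1-5); aurore (id 0) does not use them`. I am inferring that scope from the playbook patterns that exclude dhcp-aurore*; please confirm.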


@ -1,162 +1,170 @@
$ANSIBLE_VAULT;1.1;AES256
61336339613837303864333338376131306234356334366237613038323565363539656161643663
3630396462363834616166383634323735386461653430330a353861386131386130613733663465
66363639336164303137326133373364643539663032303237633831333764376534366464313030
6161663162613636660a393262663061656235333836356331366638313263333364306262636631
62393434336561313630343366626136393933383966613463353135643334666432366433383038
39306538616266656536373435363963336463366635653433666566343162623065323738336339
38346632383039663666623137393431313931656538326136356433386261303638616165626336
63326134336330646236336631306266306532366435323830333233363565366134373236623263
62653836386362613166643762633865303239666662313138363866373335333566353033613732
38663634313962373264393763303733616236346230393665633366316538666334333537306536
61643061356633646133616138396163346538633065313935666639623531303861303663666466
63346531666362386363383534303436376338653034633565383361386430386636336664626431
62613263306132633336363562323030613832373363646464303263616264353431386664626137
36633434343536346333383530343965313262353639363266656562633132343036656137383938
63333165333835636634336336343732383865306634393939343332396565643661313666656239
61633635623236383764646664356539383834303437636338633138343465656337643962616365
37633032303161616664333264336331626531613031363066323137313539373637646533623663
66313662356438666566313364653933316335376438313939313430643865643432356139353231
31356236663234383564383162633431376436396331613838613039343762336562343562653738
33383163653535373538646237623865356462626665613136316365623036396536373633363536
30613932656534313966633664303661336366336561656434373438373361643532623335643234
61353466323636663463643262616635653639633463373235636432616561623662393838636335
30646164633962353138396164303666633366363364373039393339383063316238393332623139
62333166393831636232373738643962613063396530633132366536663839333136656338336464
37633039626138666261343863363232633936323234386362373463353737343330656430643966
30633037613033383134653133653232373236353535663033323634633564656636316636383537
65373663393235323561386232613634663962653564373634333034373530353264333037663431
32326438613436333935346335313364363361383732323362383437626234663533396235333935
31333132366534373832636637333664346365393236353366363937306138333961393939626138
33333036653839623138373832613233326262633836363562346261323639383536353433613764
63323434663437653236383334346634633765636339646665653638333938303665643132643735
63393838363732646339343937323732653939656466313637383738626131396261303838326565
34393934333738323137646264666633386661343637613462393864613134383538653966383732
64383738653833306266663431623162643333616537656136373439373462626266383663303031
63666265373664653334373266616437653764623765616539343139373934356133613338376239
63393735613066636432663466353865666661316232393361306438623036643438346130383937
36373762316263643764303638383633373161383862373630386465643462396432656134313764
61666534636565366136653438666339346539303238613135613261333431336361346138333161
33393130333765326361336239373365366332626566396639643966313434666561626262646664
37386534316136613061343333656630303839356366623835656239306562646436656131366366
36346635393235663630633331646231313737363535643663333162616135316566396530303030
33346331303935326631646563663833663266323937383134396162353131396231323837656631
66373864316332646433316131633435386133373239333261616136613632613162346366643366
30363030393736343438643866343363366331393031633638333731393732646132393165383361
31303637386535366535386332666133316564366463313465313637393663623662373431646234
62663461353961626237343663356664623731376432343538656332613866323135373637313831
34396132343961656266656430663838643464353362393732623739393938353764323065303464
66656435303333616432313232333431326535613635396536663835626361643733363461653831
33313634656632633831313866306233363633316330313037313035366537373034326231383463
34633062353635396261353438633564623564346536356131353166353835336135316662343262
34386333353731313335333339323936643862386264363565373737383364623366663265353339
62663730623430303535333138653636323864383039653361383435383062336537633865356466
64303532303338383365326635353363363161613962336166663764353562666236336133353538
35343733343338346666366139363261313662633866306263666331313336336330326537636538
37326330393732636163333161643831356533393238303039643663663766613634376336303062
66316138396433356365623437323932663632393831613835366632653138656530336236383063
31376433343664643863396537663730663335656262306663303961333832343366343835616362
34393032363862636639656338656462636436343238616663616634393365353432623361323763
66323937643936636537323866353461653232653136663631313231613731353231313130353565
31373336643261336535663739316366626634323635616537666131653534333164353836336531
36613763353135346630323138643039383634393234656330306664346136346238343762646639
38383466356332383063613565383765313931356235363330366138333064383938316538373933
32353836663535613339636130303832323231633832353366393166373235306538656364633666
62386134643738363830613130353565666337343861653538366530373966626330343032393531
64373162626336353631306661623837353036663364383930303633613561373432303366323463
37633963633835363565643131343962656463376163336366383531303164303263663034303530
30616337373466663939333666313761313334626335376236363436376563626534626666383230
35373537633135346138323231316565633862666432626430386231653532663132333532373837
38316161316565346663323138623538356130303564306638623461323765366634633161356234
39313862336532326161346436363865353833663663376566303865616264303035323864633739
30383435653961303861646365356462376261663634383433383137363734616337643836333730
37643737626339646434386638326439663264373362333165623637306664396330303164363366
66353234386137343136363764633463666137653438393131393436613563313934313736303165
33633638373561623933623033333036346339346533373435336262346164656162303561366638
30383035623338653430343731353766653164616139616638636563643630313735333463376662
62666661623438333936323762616433373236396439636563646237313535343866333064393432
64336139623933323265333633616131396661656264396262646662303633346262356662633535
31333038666163316132613365386662396330366630313562663561313962366261323131623939
33626634303663353466306631653439633430383138643534386430623238326332303232623965
61653165323132303335353338353366323462633763623062616335663831653266323463353364
61303339336162663235303837643432383333343466333365333535633763396664353636613165
38306536656665333731376339383061383232346437643564346134396265633362616161306339
63333264656235393639386435353631333438376166646662656631353838326338656438326231
65326563363431653266623034393435383061333533316235363236393131333231366665343964
65376438653165633265646233343131373133313939666163313735336564333038333765623766
38633061303731623832353638396566373238393535383631396566343035656137353461613838
65363239303664613132363466383336313038653962343939616363323339333866343036613238
34656537663765346430623332656266323035343435616361343537306263363466373665306361
39663066633833306330336334306437323430643764306266626634633139396231353638633665
66336364633536323931343930623832306331393533626539306361333961306663353266303631
30326633326332353861383735656362306334646238656137656533323835633937313439356538
38653130656465656531623635343565663739306665313932356562313131373934393435623932
38663737306135306332373730613466386631353463633261663532393933663034633634343934
34353437393934663866323236346236383664343963383239636332643639623131376466656363
32336363616661303535633037303334343861616263616334626430396334633934303162633839
65613163303037653963353535343132323431326262643862393365356437316566393130383866
32666133333166656566373532373064373138333335313563633963393938383363396464396532
61303037326665316634363536653537393933666532396339366531636362306537626638623634
32383363663134623133626332343132333335356133646134656330376339306538633165353634
65663731313832613264633430393531633765353233363766386137306364303138373339633438
62323837653531393738636531303130653530656632393535393739363565666162376436376138
65656131656165626636386435346132623030626664656437633261383037396332323534653664
31306137313162356638653064363236336434626134313966613335653633623338356230323133
61653437663537376561633235646361633233316662313331303962303161393937346565333366
31326362303735353937313734363738636439323338646531383235626137393334306363393031
32383861643734396132626231333537656431656165316261376237333734623635623837623366
61346566663433366364326561313663333732303737346533363536313365353863333632386232
63363639656230373639336636333464336136343839353835616565313165336537613666613233
33313130373838633736306237326666383736616663343838323137663632626630313334623063
34313737613334343331613864343062663130633963386466626233386332633233663762306237
35316635396439333934363836353134363538643430363066616636343634643230383630626138
65623931383631396465353163636161376337346335303738326433363835346162643732393464
32346462383432636530636166633466393239316631663834653562353436636637393136663933
36326538646331333436316262373037343065656662623563313465643832626539326261333738
62353063373461373835333662626465303030366535303332336362663166633736316237313535
32336533333536626461383737643161373738616539396339336165333162333830633661363162
38626365616633363431303333613237343538393734653533663831613336346164343734313435
62366264323738383038393938663366613533666438393261636336363266393736636634323436
37643262316663663938353338343338373162356337313566376134313464643336326138313838
36366136306163306265663836663235623231306334633734633736306239316334616132303531
39663562373762653634666438333861626563353366396231356232663737396436633934363734
33353738656430383066373463313336623231613530313830633965356361323138396139353664
38393339613064303365343766663536643061393864313466343966356666633231353765376364
37636439356164646633313231346365376566663930386563633062633234303163333131663332
38653431303264636266326665633465303635373762363663303164636330356636616137626633
30366466626164333332613933396362666135623137636537653838646664643235626233303531
64373833646434653530613935336434323737313061333930316563653331643938623438626632
34386236633462616231353063353330346663323535333335383465366135653064343535616233
31613236303238663331613739623261366231613661653033626562376664336161303134646535
36393461626237666466353862303564306333356635303035346237653062663238323030313866
37613530346335623031316165666137626631653965333236396162323966356633306630633934
66323465643834396635363131343735643365363163646132373537383233663830643330643666
38316461313830326433643566366566343966376362373661373839353933353231653539393534
61373437663937616237353064653934333330306230373034376631633963316236626232643136
36633865343363373530646566313636326130323136346235636430346561333030393361623161
38636531626632633632616139613861363332383030396338356461623865323262663763303564
33643661353230336430383930643433613938646133316636666463626363396264643638363762
30343135643530356633373330353565373264383665333237663331373035613336653135333133
37386439303763616138313661333335626532633731373939633966323332646364383665333331
35623133303865346464313761396462613435613262383339663735386639393536646634323935
34646661613839386639313733333036623439666536396463336663393737383130383962366336
37656431653533333338633162663938646432306163376438396134376565353531353832663439
34366435326364356464366633356332656231623164646361653737333331653636353136626465
63353233396234386630643864333364373562643333343036386639333036326362383264313431
62636362663631376666383034303337393562613135376537376335343939343630343766356362
63326435646163663737633133313735316663386337363830646261396333636431363938623062
63363338373334343634366139363866343731626561626565663339643164633731396363353435
32663634366532343939366130363233373634323664313765636235383638613061323034663364
65646665653732326530383962313762313035353866636362363835613261643331666135336365
35353161663966643564383935386331633730386134343837613164623537393462313130636235
66653539396639623264303733636232343131373339303034633337333930393061306139373638
30363139386238636436316239366537663662363432366132346361666436353337663830363037
38643365366339343961383234313830623138316235383464346439396166363739623937653166
31323639383838323362323663316265333162393664346262323562646232613134626335366231
63366230623733643336373132383633356530653766653834663430383538366366363966393237
64633436653332646336343037303665306465323162643863336235623435666131636661616635
34336562393961383737393632623035633362383763666138343533363166363731323832343534
31343038666533343130396264613836396434323363396434653938353131336262373936353333
65373265306132623235316439373936353834376639386364383763643438373039393263383538
30366532313335306332306261333434613733383430356633626338643537373030336434383231
39656162643264316239646339643835343934323639623334303931613938363531
61623264646363313062633131306234666436616566383936616431653033303531333738666639
6137653535623535333435383862306361376564396562370a366166373232343137363662356463
34383636393830386465323534373534336462333937316530666139633835356635356562353134
3234333736333831390a663033313531363838303566666530373432346536306137393561393734
32613234373363333233333630666464386437333337623434356161303834656662366661343363
62326164363764323365643166636664343032613835656663363636383963663138633837646466
33373838343439663830626432353332666138356564383864616632353063376634393032613231
38336233396263316563363332316131323439363664646237383731363930613563343763653537
66383137353633653931616564616365366564626431626439383661666535663430353463346232
31613536343566373437353738323133646439373465376632656530393033373037383864663937
66623563393138653437353437373138386365653433313166353231653530613935333038653830
61306239356433346438663239646162633838623036653439376362336636633862383266633239
33363666383934633665303537396663363339323761356439636331656163363436333865306338
63656166343835646262393634613865623936633566356531366663326431353836363238656631
31333862346266653933663236626234663865373936623334323433643661343634653334316662
36313262626230356531393661303834653263666138613435333538373330633432366338363131
33336566633030346136613566353366653333666661336463336333333634643433393333353061
65653236653362636564653932306131346532343738333361646563623865373538636662643932
37373961313935373964376336333337396135623764376563623431326266633434336665303864
34383836333762336665313635366166316339396437656330636432353064343836616362326432
34353532626362636661363631666335316564636237646336323666636661336532313266616264
37353637626636613161396430623139323662303862393439643235653833386166363332616438
62653439363861626437663736313436386138363466333566333335323265333930366337386537
63353931353165666337666330636363386463616463376336323834343666393331653863633430
64626636373363626335303234306662323335363130623763333835373438373733353136306463
31646363663463623635363537636338376131623766386339623763376532343733613061343736
31653764383737646132353537633631643265336539316332636465353638346163613036653038
64653238363661303032666330623334376130383365386334313137376339623164313538643637
32323539346664663237306630346365646364663231633162393265376433313633336661326137
35366662386235616531323264326632353635646337303830663364643336653039643865313036
36343634613563353965643330306134393664336238653361616631623837313764653835333464
31303835653265343466303363623331376631383064643336306166386632353566633231303031
64646338333961373237323563633462363236626134366430323334373864633731323838383562
65356137323234653932373438306335383666386433386563343136343934623936653565663135
61353366393735663064383234343435633738623233643535393337326531356131643131646562
34623862626430343464663230323561313736646135323339656562323332306265323765626130
31333531626236393165663236393464303338623937646331663563636336316166303462396562
66643638383432333035373431393463343831643731636133343538346431613236663266643639
39346332303537393031353231626433393165386437343361663335646165623165336337643237
30643466666462373937346162383032386361383439613332653162613765326237643038613665
38633134653934346464346233323563623139386235343766386661643861313638643936636439
34393039626163336636323862643237363633373339353263303035386636393232613536633038
32656335396564623133373439333065633638373032323161383436363966386535393135623931
62313838353034343033653130633666336433656565373836336331363339636330663836343835
64656461376235323133316135396464353239316438386466323964326139316564313938333363
66636337613362633639623265336434313938366666626434393532373534303865376632313830
32353861306165383133633132623939386338343364623132386135316361336238616432383662
31663763306431623932323930373637363633346139663539666236363032386535363932393264
63306437616635343263643162393462653835643038373961336531313635663732343062613164
63316463376239383634373461343533393730613235633765356166313131613230326562303863
38626365383035363130326365353366316635323832333630343934346632643566373062313963
38356165646438383936336431326566386564306636386432643537666434613434343235323666
32366432393663333632383333333837646237643730383438336364376235353463656238393431
34656561613566383761386233366637343230613634333062636239626639343132353837656363
63373264646631336664303662386531386635303861333662313633613933353063363832623462
35656536616333333861383930623237363062363335636231383033316465323339396530353166
61613935366233326532366135623939353135323336346630303933633731316461626463643936
64393430386430343362346334633036316464656561356132376365323463316631336530346663
65373432666436323364316633623734353464393036383065643832653838323730643163393033
37383639343061616563623365383564336132356162373937346338356562313262366261646434
65656631326334336230333862303766633363653863666330373530343132336262653763336331
31303535393231373833633631323265383435666665353461306638633031376339613230343966
31306134383164333763656262636537343563386336393734626139646136643635313038663830
65376366656465653165663762313738303438346136646638633962646466626339653566343530
33353061643730663138383662663233383864626631626238306266653734306161383431653530
38353262386439663331633465313262386630363465646661643366336438356163393564653565
65346637346533323338383233313434346361383139666363336435633535326434373438366533
64303737336631643735376130653031303533646464313562623036643762653937613735316162
61396336376534393738323830333864383533343834616432373731633431316662656137363030
36313566633863383162643432396235306661393563303138386339343462636566323135313631
32336365393662633932383665623561373164353963646464323163303039333035366562363634
34643731343931656239326165323962613630636132353334643866393933653631393134326635
61353538633337343935396566396437663137326161323032336665356531373433643231326164
38663463633863643636336337316162666339343630373366396634666363306137323161626561
33336332383330383761623636366464353163386633356132656364373962316437626664333439
38393137356364383535383231613431343261613036666238323431663532663333336563306239
31313931623665623661323433346138383430366433623738356366373337383263316435393330
30356131333132343333623732383263353330346635613833626562613536376232386663663265
39636239663139393761303363313862333834336265616330353933333935616637646639326461
34323231616662306366616665346239313839616435393738303833653138353135353161393830
34653163386161653536666330353431356133623639653539316166313661343136643565393735
33343966613534653034333261383136323135613032613063653363303437633832653834393063
63623738333361636638646234363665616563633534626638613938613933343638386165346537
61316261663039633462333637636561656166663430353037336530663036353564353530323663
61386164636461363831303231353733646431313334323761633835373832333663306336633836
63363838613434303066333732333237343264363238313962393230633165396135643431626664
35316663333439326437343331303639616365633938393039633362303135393230313261376531
62343533383034363331343661333036646530366665336431303561653138626262336239303864
30643131356538316434313665353466383539383034623830363264343736396130623265306564
30666535393839306333616134323333326535336564313735323864346139393762336265623137
33653734393464353833333939363766656436393639626161383666613263643064323933663834
63663761356233633134646561353631396364343761386631323764643631663564653265303330
38333466666634383666326132356132303363666136666132373161383863653434333633386238
36333361383663396238643433383338646461386363396563643133303166356538666435646639
65353034373263316139363464343434326362366531666233323366383331353131383634396538
65313631363564303133396462353934623939663739343431346465386430353030363235343032
33653065643334663737643961396530316336633562323733626261376462303366313462353464
38666235366365633833336630316564643132633839313465636164393439626635653739346166
61343765653037656533313663333139663364666239626263393261353732363639623966623961
62643266313734363064333063633030383865653665313832623535636666623364333635643238
64623233393962313032343938666363333533653331303334643032636561303030633066636634
35363864613430356264633936663833373739643562343631623336316263373939353563393634
35376466376161383563646430363432626639363436633365323137346338306161636230323934
38383238646366343766333032633038663037386339333038636136343732613838306130303539
61303963333035366330646636336530396331333739306666396333333839613536343337323230
31326461623731653461376132356165343130333235336130323361616333333762623131393265
36636335313539613565326537373565313036306465326631326332373364313565333834373232
36346166373433313033363533346565316535666538363538303134616365326336613461633931
39333633383939623633386263346637386465326139363336663738393538393039376338366461
64336138643166663362376339366537653463386265316434346532663633643765663339333062
34303739366634383330356161333031313465323235666437363136643964623431336133633031
62373462623531373665653137383833643332366562396134386536666666356139663631323965
33633266353062363339613139666534393737393765383830643731616366316164626335373564
38613533356661626163646138316163343938666366353964623131383063353534326637323162
66633139633861623765316631323933363662383234616238336333383135326166656530376331
30613534613636333533356666333864326438646462383862616338323864336136323566393231
64323339386363623063373237346362366665666662306266323338653561396535323766316233
30383036326331323563663533333166366130326262393732343135643463643064313364393530
39326332346635343333376636316363393230336563333261616263343833386334376636623233
65396330613837636139636132303530316236666132646266383466306663313038343833373734
35376339666664393533666134353330626163306432363634653364343934343336306264646439
66383138626232343639623033383565626232323830626362313733666663633037343737623333
34653665666262303236616534343436333334393837326661383932623430303038623538313463
38373233373730633937306638333966653433626666373565623866646665643231323065383230
38353961396438373236393038626237346162653966383364626366666335656465346336323830
63343937363732326239396664663963633733643036396164343038613136373037383664646130
36386564333734643336303661336230363865323936343732646564336136653732363334316135
38383935396161653132396661373636353761616661616635303465653266623337303534353038
61333937393534336533363933383461303539303964353164376134653134356439356462376161
62356333363238376139356231373835386139363637336566356132363932313639643334396334
36326630663532313536393139386336303833653833323532653230613166376233633739623738
35336138343434343064616335373836363032376537386439323165336365626230316435623766
33653434633766323864343031346565323936373133396436623036353563653236393230653065
63616336316339393034643063376137663565396137356461303061626336343437316462653437
64383765376439616232663936616564366136666139343663336634366530303561303163373339
66616233613532636138613836636666323237646566356538376566626639356436376230306130
64623430613962333537366235616631323833626163383138393662623539643864346436346561
64326636396235613534666534306639363864303539623563333934353766306130356564333538
65386338616639663338636337303038316633383866346362633636653162353433366131333866
38643037646531643633333334626163353833623833616338373863373533316561313361616462
36323533343932376633653138363162646362313332353065633561666664663436376230376432
31373461613033306434313136373532303666306130353064326436373961633534656462643866
65623238396163646336343461303137366135306263313035663461653465346638383835666362
30306431396136616334666631646662386533343238323962353837306139316335386234366333
63343564386630356566363234636466303162643438653561323263336464633964616162616366
30376532313739306339336366306262663230366337313662313036303436666563326236333961
61373231653433613861633363333633626366643133633933333363636635656530643464653834
61306633333032316531396165366462386230336330376239653436313836643435316533613331
66623261396262316133326233316361656634333936353531623964313235333739376137633961
31656631643966393164323463373832363538653235333165333061653163333436633335633632
31613930333061653331303863303233376431306361613230383763623231636330343566323237
65306430366133393332386631356135663134306264633536636134623230386635313231343661
31383638616565363364373561613162393133363538626332363964663139336466336538333139
61613939653866333037393564383464663331306439643163343464373766313139656264316163
35383461663231613539613462336162353635333030323663333139653337663932633035666336
65376264306639316137383730626561396365316661396564623335313865313263646536613233
39313365333736363861666363383537376666346533383865636535343764326635343061366535
33323336303861393862623832353936383537363238623932643035323863303865383233633432
39366637656264656463393664336565366465333766643437623164636565346364623730633234
66663432383765643161356533633564626463383237373330663836346232636635373330363161
36303039393035396364666366373664623031363836646233616565346634356130646639313432
33323736373133383666613565356133343266343432633737313030663466636135326364623639
33633337383762333634613637383731613031353834663262313230303166376361373931623836
33663232633661373663376163303131373363313036666262613866633237373261393130626364
63343535396462316536356334356463323466656633373439656161356162386666386461336163
33373233616539653634663136623630626137663832313361313663306438643737393262653862
38313233396334353433313162316434653162653739663935396539326330383439366364343532
38336266353964656163346537333166366431626239356465313634623035373861333663633862
3164


@ -0,0 +1,4 @@
---
apartment_block: aurore
apartment_block_id: 0
router_ip_suffix: 254


@ -2,11 +2,6 @@
apartment_block: edc
apartment_block_id: 4
subnet_ids:
ap: 144
users_wired: 40
users_wifi: 41
router_ip_suffix: 254
mtu: 1500


@ -2,9 +2,6 @@
apartment_block: fleming
apartment_block_id: 1
subnet_ids:
ap: 141
users_wired: 10
users_wifi: 11
router_ip_suffix: 254
mtu: 1500


@ -1,5 +0,0 @@
---
apartment_block: gs
apartment_block_id: 5
router_ip_suffix: 240

7
group_vars/gs/main.yml Normal file

@ -0,0 +1,7 @@
---
apartment_block: gs
apartment_block_dhcp: sand
apartment_block_id: 5
router_ip_suffix: 254
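Review bot: `router_ip_suffix: 254` replaces the `240` carried by the gs vars file this commit deletes, and that value feeds `option routers` in the dhcpd template, so after the next DHCP run every gs client is handed `10.50.0.254` / `10.51.0.254` as its gateway. That is correct only if routeur-gs/routeur-gs-backup (added to the inventory in this commit) actually hold .254 via keepalived; if .240 is still the live VRRP address, clients lose their default route. Please confirm the VIP and record it next to the value, e.g. `router_ip_suffix: 254  # VRRP VIP shared by routeur-gs and routeur-gs-backup`. Only five of the seven added lines are visible on this page.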


@ -2,11 +2,6 @@
apartment_block: pacaterie
apartment_block_id: 2
subnet_ids:
ap: 142
users_wired: 20
users_wifi: 21
router_ip_suffix: 254
mtu: 1500

37
hosts

@ -8,16 +8,22 @@
###############################################################################
# Aurore : main services
viviane.adm.auro.re
[aurore_pve]
merlin.adm.auro.re
[aurore_vm]
routeur-aurore.adm.auro.re
routeur-aurore-backup.adm.auro.re
radius-aurore.adm.auro.re
dhcp-aurore.adm.auro.re
dns-aurore.adm.auro.re
docker-worker1-aurore.adm.auro.re
proxy-backup.adm.auro.re
camelot.adm.auro.re
gitea.adm.auro.re
nextcloud.adm.auro.re
###############################################################################
# OVH
@ -111,7 +117,6 @@ dhcp-edc-backup.adm.auro.re
unifi-edc.adm.auro.re
radius-edc.adm.auro.re
radius-edc-backup.adm.auro.re
routeur-aurore.adm.auro.re
ldap-replica-edc.adm.auro.re
ldap-replica-edc-backup.adm.auro.re
@ -121,21 +126,40 @@ ldap-replica-edc-backup.adm.auro.re
[gs_pve]
perceval.adm.auro.re
lancelot.adm.auro.re
odin.adm.auro.re
[gs_vm]
dhcp-gs.adm.auro.re
dhcp-gs-backup.adm.auro.re
dns-gs.adm.auro.re
dns-gs-backup.adm.auro.re
routeur-gs.adm.auro.re
routeur-gs-backup.adm.auro.re
unifi-gs.adm.auro.re
radius-gs.adm.auro.re
radius-gs-backup.adm.auro.re
prometheus-gs.adm.auro.re
#inexistant : ldap-replica-gs.adm.auro.re
#inexistant : ldap-replica-gs-backup.adm.auro.re
ldap-replica-gs.adm.auro.re
ldap-replica-gs-backup.adm.auro.re
###############################################################################
# Les Rives
[rives_pve]
thor.adm.auro.re
###############################################################################
# Groups by location
# -aurore services
[aurore:children]
aurore_vm
# everything at ovh
[ovh:children]
ovh_pve
@ -164,6 +188,10 @@ edc_vm
gs_pve
gs_vm
# everything at Les Rives
[rives:children]
rives_pve
###############################################################################
# Groups by type
@ -187,6 +215,7 @@ fleming_pve
pacaterie_pve
edc_pve
gs_pve
rives_pve
###############################################################################
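Review bot: `[aurore:children]` lists only `aurore_vm`, whereas the other location groups visible here pull in both their `_pve` and `_vm` groups (`gs_pve` / `gs_vm` in the preceding hunk), so `merlin.adm.auro.re` from `[aurore_pve]` is not part of the `aurore` location group. If that is intentional, the comment `# -aurore services` should say why, e.g. `# Aurore VMs only; merlin (aurore_pve) is reached through the pve type group`; otherwise add `aurore_pve` under it. Separately, un-commenting `ldap-replica-gs*.adm.auro.re` brings those hosts into whichever group feeds `ldap_replica.yml`, a playbook this commit itself labels as recreating the replica, so make sure they exist before that playbook is run again. I am inferring the ldap_replica group membership; it is not in the visible hunks.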

7
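--- /dev/null
+++ b/ldap_replica.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+# Clone LDAP on local geographic location
+# DON'T DO THIS AS IT RECREATES THE REPLICA
+- hosts: ldap_replica
+roles:
+- ldap-replica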
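Review bot: A playbook whose own header says "DON'T DO THIS AS IT RECREATES THE REPLICA" has no guard at all: it is executable, targets the whole `ldap_replica` group, and runs the role on a plain `./ldap_replica.yml`. Since the destructive step is in the role rather than here, the cheapest protection is a `pre_tasks` assert that refuses to proceed unless the operator passes an explicit extra var, and the comment should spell out what "recreates" means (loss of replication state, re-sync from the master) rather than just warning. I am inferring the exact consequence from the comment; please adjust the wording to match what the role does.
```yaml
# Clone LDAP on local geographic location.
# Re-running this REBUILDS the replica from scratch (replication state is lost
# and the directory is re-synced); it must be confirmed explicitly, see below.
- hosts: ldap_replica
  pre_tasks:
    - name: Refuse to recreate the LDAP replica without explicit confirmation
      ansible.builtin.assert:
        that: confirm_recreate_replica | default(false) | bool
        fail_msg: "Re-run with -e confirm_recreate_replica=true; this playbook recreates the LDAP replica."
  roles:
    - ldap-replica
```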


@ -1,7 +1,7 @@
#!/usr/bin/env ansible-playbook
---
# Set up DHCP servers.
- hosts: dhcp-*.adm.auro.re, !dhcp-aurore*.adm.auro.re,!dhcp-gs*.adm.auro.re
- hosts: dhcp-*.adm.auro.re, !dhcp-aurore*.adm.auro.re
vars:
service_repo: https://gitlab.federez.net/re2o/dhcp.git
service_name: dhcp
@ -16,19 +16,27 @@
# Deploy unbound DNS server (recursive).
- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re,!dns-gs*.adm.auro.re
- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
roles:
- unbound
# Déploiement du service re2o aurore-firewall et keepalived
- hosts: ~routeur-(pacaterie|edc|fleming).*\.adm\.auro\.re
# radvd: IPv6 SLAAC (/64 subnets, private IPs).
# Must NOT be on routeur-aurore-*, or will with DHCPv6!
- hosts: ~routeur-(pacaterie|edc|fleming|gs).*\.adm\.auro\.re
roles:
- router
- radvd
# No radvd here
- hosts: ~routeur-aurore.*\.adm\.auro\.re
roles:
- router
# Radius (backup only for now)
- hosts: radius-edc-backup.adm.auro.re
- hosts: ~radius-(edc|fleming|pacaterie|gs).*
roles:
- radius
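Review bot: The radius play pattern `~radius-(edc|fleming|pacaterie|gs).*` has no trailing anchor, unlike the radvd play's `~routeur-(pacaterie|edc|fleming|gs).*\.adm\.auro\.re`, so any inventory name starting with those prefixes matches, including future hosts outside the adm domain; use `- hosts: ~radius-(edc|fleming|pacaterie|gs).*\.adm\.auro\.re`. The comment `# Must NOT be on routeur-aurore-*, or will with DHCPv6!` is missing its verb; `# Must NOT run on routeur-aurore-*, or it will conflict with DHCPv6!` says what is meant.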

7
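--- a/nuke-radius-dbs.yml
+++ b/nuke-radius-dbs.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: ~radius-(edc|fleming|pacaterie|gs).*
+  roles:
+    - radius
+  vars:
+    nuke_radius: true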
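Review bot: This playbook drops the local `re2o` database and its subscription on every radius host matched by `~radius-(edc|fleming|pacaterie|gs).*`, in parallel and with no confirmation, so one mistyped command takes every RADIUS replica offline at the same time. Add `serial: 1` so at most one replica is rebuilt at a time, and a `vars_prompt` gate so that the `nuke_radius: true` path only runs after an explicit confirmation. The play would become the following.
```yaml
- hosts: ~radius-(edc|fleming|pacaterie|gs).*
  serial: 1
  vars_prompt:
    - name: confirm_nuke
      prompt: "This DROPS the local re2o database on the targeted radius hosts. Type 'yes' to continue"
      private: false
  pre_tasks:
    - name: Abort unless the nuke was explicitly confirmed
      fail:
        msg: "Refusing to drop the local re2o database without confirmation"
      when: confirm_nuke != 'yes'
  roles:
    - radius
  vars:
    nuke_radius: true
```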


@ -1,3 +1,4 @@
domain adm.auro.re
nameserver 10.128.0.253
nameserver 2a09:6840:128::253
nameserver 80.67.169.12


@ -43,12 +43,12 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 {
option subnet-mask 255.255.0.0;
option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255;
option routers 10.{{ subnet_ids.users_wired }}.0.{{ router_ip_suffix }};
option domain-name "fil.{{ apartment_block }}.auro.re";
option domain-name "fil.{{ apartment_block_dhcp }}.auro.re";
option domain-search "auro.re";
option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list";
include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block_dhcp }}.auro.re.list";
deny unknown-clients;
}
@ -60,12 +60,12 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 {
option subnet-mask 255.255.0.0;
option broadcast-address 10.{{ subnet_ids.users_wifi }}.255.255;
option routers 10.{{ subnet_ids.users_wifi }}.0.{{ router_ip_suffix }};
option domain-name "wifi.{{ apartment_block }}.auro.re";
option domain-name "wifi.{{ apartment_block_dhcp }}.auro.re";
option domain-search "auro.re";
option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list";
include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block_dhcp }}.auro.re.list";
pool {
range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wifi }}.10.255;


@ -1,6 +1,7 @@
---
# Filter SSH on groups
- name: Filter SSH on groups
when: ansible_facts['hostname'] != "camelot" # Camelot is accessible for everyone
lineinfile:
dest: /etc/ssh/sshd_config
regexp: ^AllowGroups
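Review bot: The exemption `when: ansible_facts['hostname'] != "camelot"` keys off a fact reported by the managed host itself, so any host whose /etc/hostname is set to camelot skips the AllowGroups restriction; the inventory name is the controller-side identity and should decide, i.e. `when: inventory_hostname_short != "camelot"`. The lineinfile task continues outside the hunk, and on the exempted host an existing AllowGroups line is left in place rather than removed, which may be intended but deserves a comment saying so.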


@ -5,6 +5,7 @@
- "deb"
- "deb-src"
- name: Ensure /var/www exists
file:
name: "/var/www"
@ -14,14 +15,16 @@
git:
repo: "https://gitlab.federez.net/re2o/re2o.git"
dest: "/var/www/re2o"
version: "master_freeradius_python3"
version: "dev"
force: true
- name: Template local settings
- name: Template local re2o settings
template:
src: settings_local.py.j2
dest: "/var/www/re2o/re2o/settings_local.py"
src: "{{ item }}.j2"
dest: "/var/www/re2o/re2o/{{ item }}"
loop:
- settings_local.py
- local_routers.py
# What follows is a hideous abomination.
@ -30,14 +33,22 @@
- name: try to install freeradius-python3 (this will fail on post-install)
apt:
name: freeradius-python3
default_release: buster-backports
update_cache: yes
ignore_errors: yes
no_log: yes
- name: fix freeradius-python3 postinstall script
template:
src: freeradius-python3.postinst.j2
dest: /var/lib/dpkg/info/freeradius-python3.postinst
- name: reinstall broken package (this might fail too, for different reasons)
apt:
name: freeradius-python3
default_release: buster-backports
force: yes
ignore_errors: yes
- name: Setup radius symlinks
file:
src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
@ -54,7 +65,7 @@
- local_prefix: freeradius3/
filename: mods-enabled/eap
- name: Configure radius clients.conf
- name: Configure freeradius
template:
src: "{{ item }}.j2"
dest: "/etc/freeradius/3.0/{{ item }}"
@ -64,10 +75,6 @@
- sites-enabled/inner-tunnel
- proxy.conf
- name: reinstall broken backpage
apt:
name: freeradius-python3
force: yes
- name: Install radius requirements (except freeradius-python3)
shell:
@ -79,3 +86,149 @@
# End of hideousness (hopefully).
- name: Configure log rotation
template:
src: "freeradius-logrotate.j2"
dest: "/etc/logrotate.d/freeradius"
# Database setup
- name: Install postgresql
apt:
name:
- postgresql
- postgresql-client
- name: Install postgresql ansible module requirement(s)
pip:
name: psycopg2
- name: Create read-only user
community.general.postgresql_user:
name: re2o_ro
password: "{{ radius_pg_re2o_ro_password }}"
become_user: postgres
- name: Create replication user
community.general.postgresql_user:
name: replication
password: "{{ radius_pg_replication_password }}"
become_user: postgres
- name: Nuking - Stop freeradius
systemd:
name: freeradius
state: stopped
when: nuke_radius|default(false)
- name: Nuking - Remove old subscription if it exists
community.general.postgresql_subscription:
name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
db: re2o
state: absent
become_user: postgres
when: nuke_radius|default(false)
ignore_errors: yes
- name: Nuking - Destroy old local DB if it exists
community.general.postgresql_db:
name: re2o
state: absent
become_user: postgres
when: nuke_radius|default(false)
- name: Create local DB
community.general.postgresql_db:
name: re2o
owner: replication
state: present
encoding: "UTF8"
lc_collate: 'fr_FR.UTF-8'
lc_ctype: 'fr_FR.UTF-8'
become_user: postgres
- name: Dump radius re2o PostgreSQL database schema from master
community.general.postgresql_db:
name: re2o
state: dump
target: /tmp/re2o-schema.sql
target_opts: '-s'
login_host: 10.128.0.12
login_user: replication
login_password: "{{ radius_pg_replication_password }}"
- name: Restore DB
tags:
- restore
community.general.postgresql_db:
name: re2o
state: restore
target: /tmp/re2o-schema.sql
target_opts: "-s"
login_host: localhost
login_user: replication
login_password: "{{ radius_pg_replication_password }}"
- name: Grant select permissions on all tables to read-only user
tags:
- perms
community.general.postgresql_privs:
database: re2o
privs: SELECT
objs: ALL_IN_SCHEMA
schema: public
roles: re2o_ro
become_user: postgres
- name: Grant usage permission on schema to read-only user
tags:
- perms
community.general.postgresql_privs:
database: re2o
privs: USAGE
objs: public
type: schema
roles: re2o_ro
become_user: postgres
- name: Set default privileges in schema
tags:
- perms
community.general.postgresql_privs:
database: re2o
privs: SELECT
schema: public
objs: TABLES
type: default_privs
roles: re2o_ro
become_user: postgres
- name: Set up subscription to main database
tags:
- sub
community.general.postgresql_subscription:
name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
connparams:
host: re2o-db.adm.auro.re
user: replication
password: "{{ radius_pg_replication_password }}"
dbname: re2o
db: re2o
publications:
- re2o_pub
become_user: postgres
- name: Restart freeradius, ensure enabled
systemd:
name: freeradius
enabled: yes
state: restarted
daemon_reload: yes
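Review bot: The schema dump at `login_host: 10.128.0.12` and the subscription `connparams` send the `replication` password and the replicated data with no `ssl_mode`, so the libpq default `prefer` silently downgrades to cleartext if the master does not offer TLS; set `ssl_mode: require` on the dump task, add `sslmode: require` to `connparams`, and use one name for the master (`re2o-db.adm.auro.re` in one task, a bare IP in the other). `pip: name: psycopg2` pulls an unpinned build from PyPI into the system interpreter; Debian's `python3-psycopg2` installed from the `apt` task above keeps it under the distro's supply chain. The `default_privs` grant runs as `postgres`, but the tables are restored as `replication` (`login_user: replication`), so tables that `replication` creates later will not get SELECT for `re2o_ro` unless `target_roles: replication` is added to that task.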


@ -0,0 +1,50 @@
# The main server log
/var/log/freeradius/radius.log {
# common options
daily
rotate 365
missingok
compress
delaycompress
notifempty
copytruncate
}
# (in order)
# Session monitoring utilities
# Session database modules
# SQL log files
/var/log/freeradius/checkrad.log /var/log/freeradius/radwatch.log
/var/log/freeradius/radutmp /var/log/freeradius/radwtmp
/var/log/freeradius/sqllog.sql
{
# common options
daily
rotate 365
missingok
compress
delaycompress
notifempty
nocreate
}
# There are different detail-rotating strategies you can use. One is
# to write to a single detail file per IP and use the rotate config
# below. Another is to write to a daily detail file per IP with:
# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
# (or similar) in radiusd.conf, without rotation. If you go with the
# second technique, you will need another cron job that removes old
# detail files. You do not need to comment out the below for method #2.
/var/log/freeradius/radacct/*/detail {
# common options
daily
rotate 365
missingok
compress
delaycompress
notifempty
nocreate
}


@ -0,0 +1,28 @@
class DbRouter(object):
"""
A router to control all database operations on models in the
auth application.
"""
def db_for_read(self, model, **hints):
"""
Attempts to read remote models go to local database.
"""
return 'default'
def db_for_write(self, model, **hints):
"""
Attempts to write remote models go to the remote database.
"""
return 'master'
def allow_relation(self, obj1, obj2, **hints):
"""
Allow relations involving the remote database
"""
return True
def allow_migrate(self, db, app_label, model_name=None, **hints):
"""
Allow migrations on the remote database
"""
return True
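Review bot: `allow_migrate` returns True for every database, so `manage.py migrate` will also try to create or alter tables on `default`, which the settings open as the read-only `re2o_ro` user on the local replica; restricting it to `return db == 'master'` keeps schema changes on the writable master only. The docstrings are copied from the Django example and describe an `auth` application router; they should say that reads go to the local replica (`default`) and writes to the master. `allow_relation` returning True unconditionally is fine as long as both aliases hold the same re2o schema, but a comment stating that assumption would help.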


@ -44,14 +44,14 @@ DEBUG = False
ADMINS = [('AURORE', 'monitoring.aurore@lists.crans.org'), ('Gabriel Detraz', 'detraz@crans.org')]
# The list of hostname the server will respond to.
ALLOWED_HOSTS = ['radius-pacaterie.adm.auro.re']
ALLOWED_HOSTS = ['{{ inventory_hostname }}']
# The time zone the server is runned in
TIME_ZONE = 'Europe/Paris'
# The storage systems parameters to use
DATABASES = {
'default': { # The DB
'master': {
'ENGINE': 'django.db.backends.postgresql_psycopg2',
'NAME': 're2o',
'USER': 're2o',
@ -62,7 +62,18 @@ DATABASES = {
'COLLATION': 'utf8_general_ci'
}
},
'ldap': { # The LDAP
'default': {
'ENGINE': 'django.db.backends.postgresql_psycopg2',
'NAME': 're2o',
'USER': 're2o_ro',
'PASSWORD': "{{ radius_pg_re2o_ro_password }}",
'HOST': 'localhost',
'TEST': {
'CHARSET': 'utf8',
'COLLATION': 'utf8_general_ci'
}
},
'ldap': {
'ENGINE': 'ldapdb.backends.ldap',
'NAME': 'ldap://10.128.0.11/',
'USER': 'cn=admin,dc=auro,dc=re',
@ -114,3 +125,5 @@ OPTIONNAL_APPS_RE2O = ()
# Some Django apps you want to add in you local project
OPTIONNAL_APPS = OPTIONNAL_APPS_RE2O + ()
LOCAL_ROUTERS = ["re2o.local_routers.DbRouter"]
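Review bot: This file now embeds a second database password (`radius_pg_re2o_ro_password`) next to the master and LDAP admin credentials, and the task rendering it (`Template local re2o settings`) sets no `owner` or `mode`, so the file is created under /var/www with the default umask; give that template task `mode: "0640"` and an `owner`/`group` matching the account that actually reads the settings. `ALLOWED_HOSTS = ['{{ inventory_hostname }}']` is an improvement over the hard-coded pacaterie name. The `master` block starts outside the hunk.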


@ -0,0 +1,5 @@
- name: restart radvd
systemd:
state: restarted
name: radvd
enabled: yes


@ -0,0 +1,22 @@
---
# Warning: radvd installation seems to fail if the configuration
# file doesn't already exist when the package is installed,
# so the order is important.
- name: Configure radvd
template:
src: radvd.conf.j2
dest: /etc/radvd.conf
mode: 0644
notify: restart radvd
tags:
- radconf
- name: Install radvd
apt:
update_cache: true
name: radvd
state: present
notify: restart radvd


@ -0,0 +1,80 @@
# -*- mode: conf-unix; coding: utf-8 -*-
##
# Bornes Wi-Fi
##
# # Need to add an interface for this VLAN on "routeur-*" hosts.
#
# interface ens19 {
# AdvSendAdvert on;
# AdvLinkMTU {{ mtu }};
# AdvDefaultPreference high;
# MaxRtrAdvInterval 30;
#
# AdvRASrcAddress {
# {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:250; # Unifi controller
# };
#
# prefix {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::/64 {
# AdvRouterAddr on;
# };
#
# # La zone DNS
# DNSSL borne.auro.re {};
#
# # Les DNS récursifs
# RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {};
# RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {};
# };
##
# Utilisateurs filaire
##
interface ens20 {
AdvSendAdvert on;
AdvLinkMTU {{ mtu }};
AdvDefaultPreference high;
MaxRtrAdvInterval 30;
AdvRASrcAddress {
fe80::1; # link-local virtual IP used with keepalived
};
prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 {
AdvRouterAddr on;
};
DNSSL fil.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround.
RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_main }} {};
RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_backup }} {};
};
##
# Utilisateurs wifi
##
interface ens21 {
AdvSendAdvert on;
AdvLinkMTU {{ mtu }};
AdvDefaultPreference high;
MaxRtrAdvInterval 30;
AdvRASrcAddress {
fe80::1;
};
prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64 {
AdvRouterAddr on;
};
DNSSL wifi.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround.
RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_main }} {};
RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_backup }} {};
};
# For public IPs: will use DHCPv6, deployed on routeur-aurore alone.
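Review bot: radvd is deployed to both the MASTER and BACKUP router of each block, and both send Router Advertisements with `AdvRASrcAddress { fe80::1; }` although only the VRRP master holds fe80::1, which presumably yields RAs from the backup's own link-local (or none at all) and lets clients learn a default router that is not the active one. The usual fix is to start radvd from keepalived's `notify_master` and stop it in `notify_backup`, or to render `AdvSendAdvert off` on the backup using the same `'backup' in inventory_hostname` test the keepalived templates use. The two `# TODO: fix this shitty workaround.` comments should say what the workaround is (`apartment_block_dhcp` aliasing `apartment_block`) so the next reader can remove it.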


@ -21,8 +21,8 @@
become: true
become_user: "{{ service_user }}"
- name: Configure re2o {{ service_name }} project
ini_file:
- name: "Configure re2o {{ service_name }} project"
community.general.ini_file:
path: "{{ service_homedir }}/config.ini"
section: Re2o
option: "{{ item.key }}"


@ -2,6 +2,7 @@
systemd:
state: restarted
name: keepalived
enabled: yes
- name: run aurore-firewall
command: python3 main.py --force


@ -1,11 +1,35 @@
---
# XXX: YES, this is ugly as fuck.
- name: set IP suffix (main)
set_fact:
router_hard_ip_suffix: 240
when: "'backup' not in ansible_hostname"
- name: set IP suffix (backup)
set_fact:
router_hard_ip_suffix: 140
when: "'backup' in ansible_hostname"
- name: Enable IPv4 packet forwarding
sysctl:
ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: yes
- name: Enable IPv6 packet forwarding
ansible.posix.sysctl:
name: net.ipv6.conf.all.forwarding
value: '1'
sysctl_set: yes
- name: Configure /etc/network/interfaces for routeur-aurore*
template:
src: interfaces-aurore
dest: /etc/network/interfaces
mode: 0644
when: "'routeur-aurore' in ansible_hostname"
- name: Install aurore-firewall (re2o-service)
import_role:
name: re2o-service
@ -19,12 +43,21 @@
password: "{{ vault_serviceuser_passwd }}"
notify: run aurore-firewall
- name: Configure aurore-firewall
- name: Configure aurore-firewall for local router
template:
src: firewall_config.py
dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
mode: 0644
notify: run aurore-firewall
when: "'routeur-aurore' not in ansible_hostname"
- name: Configure aurore-firewall for routeur-aurore*
template:
src: firewall_config_aurore.py
dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
mode: 0644
notify: run aurore-firewall
when: "'routeur-aurore' in ansible_hostname"
- name: Install keepalived
apt:
@ -34,13 +67,21 @@
retries: 3
until: apt_result is succeeded
- name: Configure keepalived
- name: configure keepalived for local router
template:
src: keepalived.conf
dest: /etc/keepalived/keepalived.conf
mode: 0644
notify: restart keepalived
when: "'routeur-aurore' not in ansible_hostname"
- name: configure keepalived for routeur-aurore*
template:
src: keepalived-aurore.conf
dest: /etc/keepalived/keepalived.conf
mode: 0644
notify: restart keepalived
when: "'routeur-aurore' in ansible_hostname"
- name: Configure cron
template:
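Review bot: Template selection and the 240/140 address suffix are decided by `'backup' in ansible_hostname` and `'routeur-aurore' in ansible_hostname`, facts read back from the managed host, while the keepalived templates decide the same things from `inventory_hostname`; a router with a wrong or changed /etc/hostname would receive the other router's firewall, interfaces and keepalived configuration, so use `inventory_hostname` consistently, e.g. `when: "'routeur-aurore' in inventory_hostname"`. Moving `router_hard_ip_suffix` into host_vars would remove both the fact lookup and the string matching altogether. The `# XXX: YES, this is ugly as fuck.` comment should instead state why the suffix is derived from the hostname rather than set per host.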


@ -24,8 +24,8 @@
### Give me a role
# routeur4 = routeur IPv4
role = ['routeur4']
# previously: routeur4 = routeur IPv4
role = ['routeur']
### Specify each interface role


@ -0,0 +1,49 @@
# -*- mode: python; coding: utf-8 -*-
# Re2o est un logiciel d'administration développé initiallement au rezometz. Il
# se veut agnostique au réseau considéré, de manière à être installable en
# quelques clics.
#
# Copyright © 2017 Gabriel Détraz
# Copyright © 2017 Goulven Kermarec
# Copyright © 2017 Augustin Lemesle
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
### Give me a role
role = ['routeur']
### Specify each interface role
interfaces_type = {
'routable' : ['ens21', 'ens22'],
'sortie' : ['ens18', 'ens1'],
'admin' : ['ens19', 'ens20', 'ens23']
}
### Specify nat settings: name, interfaces with range, and global range for nat
### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST
### contain /16 range
nat = [
{
'name' : 'AdminVlans',
'extra_nat' : {
'10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}',
'10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
'10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}'
}
}
]
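Review bot: The SNAT sources here differ from the ones in `interfaces-aurore` that its comment says are "also" set by aurore-firewall: this file NATs `10.129.0.254/32` (the VRRP VIP) while the interfaces file NATs `10.129.0.{{ router_hard_ip_suffix }}/32` (the router's own address), so on the backup router, which does not hold the VIP, only the interfaces rule covers its own traffic and the two rule sets will drift. Pick one list and reference it from both places, or add a comment stating which one is authoritative. The `WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST contain /16 range` comment refers to keys this entry does not use (only `extra_nat` is set) and its `/32` entry is neither, so the warning should be rewritten or dropped.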


@ -0,0 +1,84 @@
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# VLAN 129: routage
auto ens18
iface ens18 inet static
address 10.129.0.{{ router_hard_ip_suffix }}/16
gateway 10.129.0.1
iface ens18 inet6 static
address 2a09:6840:129::0:{{ router_hard_ip_suffix }}/64
post-up ip route add 2a09:6840:10::/64 via 2a09:6840:129::1:254 dev ens18
post-up ip route add 2a09:6840:11::/64 via 2a09:6840:129::1:254 dev ens18
post-up ip route add 2a09:6840:20::/64 via 2a09:6840:129::2:254 dev ens18
post-up ip route add 2a09:6840:21::/64 via 2a09:6840:129::2:254 dev ens18
post-up ip route add 2a09:6840:40::/64 via 2a09:6840:129::4:254 dev ens18
post-up ip route add 2a09:6840:41::/64 via 2a09:6840:129::4:254 dev ens18
post-up ip route add 2a09:6840:50::/64 via 2a09:6840:129::5:254 dev ens18
post-up ip route add 2a09:6840:51::/64 via 2a09:6840:129::5:254 dev ens18
# The primary network interface
allow-hotplug ens19
iface ens19 inet static
address 10.128.0.{{ router_hard_ip_suffix }}/16
gateway 10.128.0.254
dns-search adm.auro.re
iface ens19 inet6 static
address 2a09:6840:128::0:{{ router_hard_ip_suffix }}/64
# Ensures internet connectivity when running as keepalived backup.
gateway 2a09:6840:128::0:254
# VlAN 130: switches
auto ens20
iface ens20 inet static
address 10.130.0.{{ router_hard_ip_suffix }}/16
iface ens20 inet6 static
address 2a09:6840:130::0:{{ router_hard_ip_suffix }}/64
# VLAN 111: IPs publiques serveurs
auto ens21
iface ens21 inet static
address 45.66.111.{{ router_hard_ip_suffix }}/24
# Nécessaire pour contacter re2o et bootstrap le firewall.
# Ces directives sont _aussi_ set par aurore-firewall !
up iptables -t nat -A POSTROUTING -s 10.129.0.{{ router_hard_ip_suffix }}/32 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }}
up iptables -t nat -A POSTROUTING -s 10.128.0.0/16 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }}
up iptables -t nat -A POSTROUTING -s 10.130.0.0/16 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }}
iface ens21 inet6 static
address 2a09:6840:111::{{ router_hard_ip_suffix }}/48
# VLAN 110: IP publiques adhérents
auto ens22
iface ens22 inet static
address 45.66.110.{{ router_hard_ip_suffix }}/24
iface ens22 inet6 static
address 2a09:6840:110::{{ router_hard_ip_suffix }}/48
# VLAN 131: onduleurs et PDU
auto ens23
iface ens23 inet static
address 10.131.0.{{ router_hard_ip_suffix }}/16
iface ens23 inet6 static
address 2a09:6840:131::0:{{ router_hard_ip_suffix }}/64
auto ens1
iface ens1 inet6 manual
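Review bot: The three `up iptables -t nat -A POSTROUTING ...` lines on ens21 append a new rule on every `ifup`, so a link flap or an `ifdown`/`ifup` cycle leaves duplicate SNAT rules; guard each one with a check, e.g. `up iptables -t nat -C POSTROUTING -s 10.128.0.0/16 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }} || iptables -t nat -A POSTROUTING -s 10.128.0.0/16 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }}`, or add matching `down iptables -t nat -D ...` lines. The IPv6 addresses on ens21 and ens22 are /48 (`2a09:6840:111::{{ router_hard_ip_suffix }}/48`) while the keepalived VIPs on the same interfaces are /64, so the on-link prefix differs between the physical and the virtual address; one prefix length per VLAN avoids surprises on failover. `ens1` gets no address here and only the keepalived VIP, which is fine but deserves a comment.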


@ -0,0 +1,121 @@
global_defs {
notification_email {
monitoring.aurore@lists.crans.org
}
notification_email_from routeur-aurore{% if 'backup' in inventory_hostname %}-backup{% endif %}@auro.re
smtp_server smtp.crans.org
}
vrrp_instance VI_ROUT_aurore_IPv4 {
{% if 'backup' in inventory_hostname %}
state BACKUP
priority 100
{% else %}
state MASTER
priority 150
{% endif %}
# Interface used for VRRP communication.
interface ens19
# Shared by MASTER and BACKUP
virtual_router_id 40
# Timeout in seconds before failover kicks in.
advert_int 2
# Used to authenticate VRRP communication between master and backup.
authentication {
auth_type PASS
auth_pass {{ keepalived_password }}
}
smtp_alert
virtual_ipaddress {
# Routing
10.129.0.254/16 brd 10.129.255.255 dev ens18 scope global
# Adm
10.128.0.254/16 brd 10.129.255.255 dev ens19 scope global
# Switches
10.130.0.254/16 brd 10.130.255.255 dev ens20 scope global
# IPs publiques serveurs
45.66.111.254/24 brd 45.66.111.255 dev ens21 scope global
# IPs publiques adhérents
45.66.110.254/24 brd 45.66.110.255 dev ens22 scope global
# VLAN 131: Onduleurs et PDUs
10.131.0.254/16 brd 10.131.255.255 dev ens23 scope global
}
virtual_routes {
# IPv4 gateway: yggdrasil
src 10.129.0.254 to 0.0.0.0/0 via 10.129.0.1 dev ens18
}
}
vrrp_instance VI_ROUT_aurore_IPv6 {
{% if 'backup' in inventory_hostname %}
state BACKUP
priority 100
{% else %}
state MASTER
priority 150
{% endif %}
# Interface used for VRRP communication.
interface ens19
# Shared by MASTER and BACKUP
virtual_router_id 60
# Timeout in seconds before failover kicks in.
advert_int 2
# Used to authenticate VRRP communication between master and backup.
authentication {
auth_type PASS
auth_pass {{ keepalived_password }}
}
smtp_alert
virtual_ipaddress {
# Hello zayo
2001:1b48:2:103::d7:2/126 dev ens1 scope global
# Routing
2a09:6840:129::254/64 dev ens18 scope global
# Adm
2a09:6840:128::254/64 dev ens19 scope global
# Switches
2a09:6840:130::254/64 dev ens20 scope global
# IPs publiques serveurs
2a09:6840:111::254/64 dev ens21 scope global
# IPs publiques adhérents
2a09:6840:110::254/64 dev ens22 scope global
# VLAN 131: Onduleurs et PDUs
2a09:6840:131::254/64 dev ens23 scope global
}
virtual_routes {
# For IPv6, the master router is routeur-aurore, NOT yggdrasil,
# because yggdrasil doesn't support BGPv6 announcements.
src 2001:1b48:2:103::d7:2/126 to ::/0 via 2001:1b48:2:103::d7:1 dev ens1
}
}
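Review bot: The Adm VIP line `10.128.0.254/16 brd 10.129.255.255 dev ens19 scope global` carries the broadcast address of the routing VLAN copied from the line above; for 10.128.0.0/16 it must be `10.128.0.254/16 brd 10.128.255.255 dev ens19 scope global`. `auth_type PASS` sends the VRRP password in cleartext in every advertisement on ens19, so anyone on the adm VLAN can read it and forge advertisements; keepalived itself deprecates VRRP authentication and, as far as I know, ignores it for the IPv6 (VRRPv3) instance, so the real protection is filtering VRRP (IP protocol 112) on ens19 to the two routers. A comment on the `authentication` block stating that limitation would stop readers from relying on it.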


@ -2,12 +2,12 @@ global_defs {
notification_email {
monitoring.aurore@lists.crans.org
}
notification_email_from routeur-edc-backup@auro.re
notification_email_from routeur-{{ apartment_block }}{% if 'backup' in inventory_hostname %}-backup{% endif %}@auro.re
smtp_server smtp.crans.org
}
vrrp_instance VI_ROUT_{{ apartment_block }} {
vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 {
{% if 'backup' in inventory_hostname %}
state BACKUP
priority 100
@ -21,12 +21,11 @@ vrrp_instance VI_ROUT_{{ apartment_block }} {
interface ens18
# Shared by MASTER and BACKUP
virtual_router_id {{ apartment_block_id }}
virtual_router_id 4{{ apartment_block_id }}
# Timeout in seconds before failover kicks in.
advert_int 2
# Used to authenticate VRRP communication between master and backup.
authentication {
auth_type PASS
@ -39,19 +38,72 @@ vrrp_instance VI_ROUT_{{ apartment_block }} {
# Routing subnet
10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global
# Public subnet: wired
# NATed subnet: wired
45.66.108.25{{ apartment_block_id }}/24 brd 45.66.108.255 dev ens19 scope global
# Public subnet: wifi
# NATed subnet: wifi
45.66.109.25{{ apartment_block_id }}/24 brd 45.66.109.255 dev ens19 scope global
# Wired
10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global
# Wifi
10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
}
virtual_routes {
# 10.129.0.1 is Yggdrasil
src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19
}
}
vrrp_instance VI_ROUT_{{ apartment_block }}_IPv6 {
{% if 'backup' in inventory_hostname %}
state BACKUP
priority 100
{% else %}
state MASTER
priority 150
{% endif %}
# Interface used for VRRP communication.
interface ens18
# Shared by MASTER and BACKUP
virtual_router_id 6{{ apartment_block_id }}
# Timeout in seconds before failover kicks in.
advert_int 2
# Used to authenticate VRRP communication between master and backup.
authentication {
auth_type PASS
auth_pass {{ keepalived_password }}
}
smtp_alert
virtual_ipaddress {
# Routing subnet
fe80::1/64 dev ens19 scope global
{{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254/64 dev ens19 scope global
# Wired
fe80::1/64 dev ens20 scope global
# Wifi
fe80::1/64 dev ens21 scope global
}
virtual_routes {
# For IPv6, the master router is routeur-aurore, NOT yggdrasil,
# because yggdrasil doesn't support BGPv6 announcements.
src {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254 to ::/0 via {{ ipv6_base_prefix }}:129::0:254 dev ens19
}
}
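Review bot: `fe80::1/64 dev ens19 scope global` installs the same link-local VIP on the routing VLAN for every block, and since all block routers and routeur-aurore share 10.129.0.0/16 there it is presumably one L2 segment, so each block's master claims fe80::1 on it and IPv6 DAD or neighbour caches will flap between them; fe80::1 is only needed on the client-facing ens20/ens21 where radvd uses it as RA source, and the routing VLAN already has the unique `{{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254/64`. `scope global` on an fe80:: address is also contradictory; `scope link` states the intent. A comment explaining why fe80::1 is chosen as the shared gateway address would help the next reader.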


@ -11,20 +11,32 @@ server:
logfile: "/var/log/unbound/unbound.log"
do-ip4: yes
# FIXME: IPv6 deployment... someday...
do-ip6: no
do-ip6: yes
# IP addresses on which to listen.
#
# Note: dns_host_suffix is dynamically set in this role's tasks,
# and changes depending on whether we're handling the main or backup
# recursive DNS node.
# IPv4
interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
# IPv6
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }}
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }}
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }}
# By default, anything other than localhost is refused.
# Whitelist some subnets:
access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :)
num-threads: {{ ansible_processor_vcpus }}
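Review bot: `access-control: {{ ipv6_base_prefix }}::/32 allow` opens the recursor to every address in the whole allocation, including the public member and server ranges, whereas the IPv4 rules above allow only the three local /16s; since `do-ip6: yes` and the listen addresses are globally routable, mirror the v4 policy with one rule per local /64, e.g. `access-control: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 allow` and the same for the ap and wifi subnets. Unbound refuses other sources by default, so the narrower rules cost nothing, while the /32 rule answers any spoofed or mis-routed query from elsewhere in the allocation. The `# Fuck it... :)` comment should be replaced by the reason the rule was widened, if one remains.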