diff --git a/group_vars/all/chronyd.yml b/group_vars/all/chronyd.yml
new file mode 100644
index 0000000..3f5f3db
--- /dev/null
+++ b/group_vars/all/chronyd.yml
@@ -0,0 +1,5 @@
+---
+chronyd__pools:
+ - ntp-1.int.infra.auro.re
+ - ntp-2.int.infra.auro.re
+...
diff --git a/group_vars/all/ifupdown2.yml b/group_vars/all/ifupdown2.yml
new file mode 100644
index 0000000..e9e4576
--- /dev/null
+++ b/group_vars/all/ifupdown2.yml
@@ -0,0 +1,19 @@
+---
+ifupdown2__wireguard_proto: wireguard
+ifupdown2__gateways:
+ adm:
+ - 2a09:6840:128::254
+ - 10.128.0.254
+ int:
+ - 2a09:6840:206::1
+ - 10.206.0.1
+ pub:
+ - 2a09:6840:111::254
+ - 45.66.111.254
+ monit:
+ - 2a09:6840:204::1
+ - 10.204.0.1
+ isp:
+ - 2a09:6840:210::1
+ - 10.210.0.1
+...
diff --git a/group_vars/all/openssh.yml b/group_vars/all/openssh.yml
new file mode 100644
index 0000000..4e9063d
--- /dev/null
+++ b/group_vars/all/openssh.yml
@@ -0,0 +1,10 @@
+---
+openssh__users_ca_public_key:
+ "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
+ hBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXW\
+ F1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg=="
+
+openssh__authorized_principals:
+ - any
+ - "{{ inventory_hostname }}"
+...
diff --git a/group_vars/all/resolvconf.yml b/group_vars/all/resolvconf.yml
new file mode 100644
index 0000000..077f3c6
--- /dev/null
+++ b/group_vars/all/resolvconf.yml
@@ -0,0 +1,13 @@
+---
+resolvconf__nameservers:
+ - 2a09:6840:206::1:1
+ - 2a09:6840:206::1:2
+ - 10.206.1.1
+ - 10.206.1.2
+
+resolvconf__domain: auro.re.
+
+resolvconf__search:
+ - "{{ inventory_hostname | remove_domain_suffix }}"
+ - auro.re.
+...
diff --git a/group_vars/all/root.yml b/group_vars/all/root.yml
new file mode 100644
index 0000000..9ac0720
--- /dev/null
+++ b/group_vars/all/root.yml
@@ -0,0 +1,5 @@
+---
+root__shell: /bin/bash
+
+root__password: "{{ vault_root_password }}"
+...
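Review bot: `openssh__authorized_principals` lists `any` next to `"{{ inventory_hostname }}"`, so a user certificate carrying the principal `any` is accepted on every host that gets this group_vars file; that turns `any` into a fleet-wide credential and the CA's issuance policy has to treat it as such (who may receive it, for how long, logged where). If that is the intent, say so on the line itself, e.g. `- any  # fleet-wide principal: issue only under <policy reference placeholder>`; otherwise drop it and issue per-host or per-role principals. The principal list is shared by all hosts, so any tightening later has to happen in the CA, not here — worth a comment so the next reader does not look for a host-level override.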
diff --git a/group_vars/dhcp/dhcpd.yml b/group_vars/dhcp/dhcpd.yml
new file mode 100644
index 0000000..33f6644
--- /dev/null
+++ b/group_vars/dhcp/dhcpd.yml
@@ -0,0 +1,69 @@
+---
+dhcpd__omapi_key:
+ algorithm: hmac-sha512
+ secret: 99XuJO0ofX3VAnWWlyixWbQ5YTagPfgxyh14IbLNBb3/JzEklkWopvQdj/PXVYbfb/sRyFJBhLexPag4dLh7PA==
+
+dhcpd__interfaces:
+ - client0
+ - client1
+ - client2
+ - client3
+ - client4
+
+dhcpd__dns_servers:
+ - 10.128.10.3
+ - 10.128.10.103
+
+dhcpd__domain_search:
+ - isp.auro.re.
+ - auro.re.
+
+dhcpd__subnets:
+ - network: 100.64.0.0/27
+ routers:
+ - 100.64.0.1
+ start: 100.64.0.4
+ end: 100.64.0.30
+ domain_name: client0.isp.auro.re
+ failover: true
+ - network: 100.64.0.32/27
+ routers:
+ - 100.64.0.31
+ start: 100.64.0.33
+ end: 100.64.0.63
+ domain_name: client1.isp.auro.re
+ failover: true
+ - network: 100.64.0.64/27
+ routers:
+ - 100.64.0.65
+ start: 100.64.0.67
+ end: 100.64.0.95
+ domain_name: client2.isp.auro.re
+ failover: true
+ - network: 100.64.0.96/27
+ routers:
+ - 100.64.0.97
+ start: 100.64.0.99
+ end: 100.64.0.127
+ domain_name: client3.isp.auro.re
+ failover: true
+ - network: 100.64.0.128/27
+ routers:
+ - 100.64.0.129
+ start: 100.64.0.131
+ end: 100.64.0.159
+ domain_name: client4.isp.auro.re
+
+dhcpd__failover:
+ dhcp-1.isp.infra.auro.re: 10.210.1.1
+ dhcp-2.isp.infra.auro.re: 10.210.1.2
+
+dhcpd__failover_address: "{{ dhcpd__failover[inventory_hostname] }}"
+
+dhcpd__failover_peer_address: "{{ dhcpd__failover
+ | dict2items
+ | selectattr('key', '!=',
+ inventory_hostname)
+ | map(attribute='value')
+ | first }}"
+...
diff --git a/group_vars/dns/kresd.yml b/group_vars/dns/kresd.yml
new file mode 100644
index 0000000..9565ae7
--- /dev/null
+++ b/group_vars/dns/kresd.yml
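Review bot: `dhcpd__omapi_key.secret` is a live HMAC-SHA512 key committed in cleartext, while every other secret in this commit goes through a `vault_*` variable; OMAPI lets whoever holds that key read and alter leases and server state, so it should read `secret: "{{ vault_dhcpd_omapi_key }}"` (placeholder name) and the key should be rotated, since it is now in history. In `dhcpd__subnets`, the client1 entry's router `100.64.0.31` lies outside `100.64.0.32/27` and its `start: 100.64.0.33` is the client1 VIP that group_vars/isp/keepalived.yml assigns; the pools for client2–client4 likewise start at `.67`, `.99` and `.131`, which host_vars/dhcp-2.isp.infra.auro.re.yml configures statically on dhcp-2, so those leases will collide with the secondary server's own address. Only the last subnet lacks `failover: true`; if that is not deliberate, add it for consistency with the other four.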
@@ -0,0 +1,24 @@
+---
+kresd__listen:
+ - address: 0.0.0.0
+ port: 53
+ kind: dns
+ - address: "::"
+ port: 53
+ kind: dns
+ - address: 0.0.0.0
+ port: 853
+ kind: tls
+ - address: "::"
+ port: 853
+ kind: tls
+ - address: 0.0.0.0
+ port: 8453
+ kind: webmgmt
+ - address: "::"
+ port: 8453
+ kind: webmgmt
+ tls: false
+
+kresd__cache_size: 512
+...
diff --git a/group_vars/edge/keepalived.yml b/group_vars/edge/keepalived.yml
new file mode 100644
index 0000000..c09316f
--- /dev/null
+++ b/group_vars/edge/keepalived.yml
@@ -0,0 +1,17 @@
+---
+keepalived__virtual_router_id: 81
+
+keepalived__interface: back0
+
+keepalived__virtual_addresses:
+ crans0:
+ - 185.230.79.254/29
+ - 2a0c:700:28::2/64
+ - fe80::1/10
+ zayo0:
+ - 2001:1b48:2:103::d7:2/126
+ - 83.167.52.69/31
+ - fe80::1/10
+
+keepalived__main: "{{ inventory_hostname_short == 'edge-1' }}"
+...
diff --git a/group_vars/infra/firewall.yml b/group_vars/infra/firewall.yml
new file mode 100644
index 0000000..f7893bb
--- /dev/null
+++ b/group_vars/infra/firewall.yml
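Review bot: The two `webmgmt` listeners in `kresd__listen` are not configured alike: only the `"::"` entry carries `tls: false`, the `0.0.0.0` entry omits it, so whether the IPv4 management endpoint ends up plain or TLS depends on a role default that is not visible here. Set `tls: false` on both (or neither) and, preferably, bind `webmgmt` to loopback or the `int` address instead of `0.0.0.0`/`"::"`, since port 8453 is the resolver's management interface and this commit adds no input filtering for the `dns` group. A short comment on the entry would make the exposure deliberate rather than accidental: `# webmgmt is plain HTTP; must stay reachable only from <allowed zone placeholder>`.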
@@ -0,0 +1,175 @@
+---
+firewall__zones:
+ adm-legacy:
+ addrs:
+ - 2a09:6840:128::/64
+ - 10.128.0.0/16
+ ups:
+ addrs:
+ - 2a09:6840:201::/64
+ - 10.201.0.0/16
+ back:
+ addrs:
+ - 2a09:6840:203::/64
+ - 10.203.0.0/16
+ monit:
+ addrs:
+ - 2a09:6840:204::/64
+ - 10.204.0.0/16
+ wifi:
+ addrs:
+ - 2a09:6840:205::/64
+ - 10.205.0.0/16
+ int:
+ addrs:
+ - 2a09:6840:206::/64
+ - 10.206.0.0/16
+ sw:
+ addrs:
+ - 2a09:6840:207::/64
+ - 10.207.0.0/16
+ bmc:
+ addrs:
+ - 2a09:6840:208::/64
+ - 10.208.0.0/16
+ pve:
+ addrs:
+ - 2a09:6840:209::/64
+ - 10.209.0.0/16
+ isp:
+ addrs:
+ - 2a09:6840:210::/64
+ - 10.210.0.0/16
+ ext:
+ addrs:
+ - 2a09:6840:211::/64
+ - 45.66.111.0/24
+ - 10.211.0.0/16
+ vpn-clients:
+ addrs:
+ - 2a09:6840:212::/64
+ - 10.212.0.0/16
+ vpn:
+ addrs:
+ - 2a09:6840:213::/64
+ - 10.213.0.0/16
+ infra:
+ zones:
+ - adm-legacy
+ - ups
+ - back
+ - monit
+ - wifi
+ - int
+ - sw
+ - bmc
+ - pve
+ - isp
+ - ext
+ - vpn
+ internet:
+ negate: true
+ addrs:
+ - 2a09:6840::/32
+ - 2a09:6841::/32
+ - 2a09:6842::/32
+ - 45.66.108.0/22
+ - 10.0.0.0/8
+ - 100.64.0.0/10
+ prometheus.int:
+ addrs:
+ - 2a09:6840:204::1:1
+ - 10.204.1.1
+ - 2a09:6840:204::1:2
+ - 10.204.1.2
+ grafana.adm:
+ addrs:
+ - 2a09:6840:128::98
+ - 10.128.0.98
+ dns.int:
+ addrs:
+ - 2a09:6840:206::1:1
+ - 10.206.1.1
+ - 2a09:6840:206::1:2
+ - 10.206.1.2
+ ntp.int:
+ addrs:
+ - 2a09:6840:206::1:5
+ - 10.206.1.5
+ - 2a09:6840:206::1:6
+ - 10.206.1.6
+
+firewall__input:
+ - verdict: accept
+
+firewall__output:
+ - verdict: accept
+
+firewall__forward:
+ - src: back
+ dst: infra
+ verdict: accept
+ - src: infra # FIXME: temporary
+ dst: internet
+ verdict: accept
+ - src: monit
+ dst: bmc
+ protocols:
+ icmp: true
+ verdict: accept
+ - src: adm-legacy
+ dst: bmc
+ verdict: accept
+ - src: grafana.adm
+ dst: prometheus.int
+ protocols:
+ tcp:
+ dport: 9100
+ verdict: accept
+ # Admin VPN clients
+ - src: vpn-clients
+ dst: infra
+ verdict: accept
+ # Prometheus node
+ - src: monit
+ dst: int
+
protocols:
+ tcp:
+ dport: 9100
+ verdict: accept
+ # Allow DNS from infra to dns-{1,2}
+ - src: infra
+ dst: dns.int
+ protocols:
+ udp:
+ dport: 53
+ verdict: accept
+ - src: infra
+ dst: dns.int
+ protocols:
+ tcp:
+ dport: 53
+ verdict: accept
+ # Allow NTP from infra to ntp-{1,2}
+ - src: infra
+ dst: ntp.int
+ protocols:
+ udp:
+ dport: 123
+ verdict: accept
+ # Admin Wireguard
+ - dst:
+ - 2a09:6840:211::204
+ - 45.66.111.204
+ protocols:
+ udp:
+ dport: 5121
+ verdict: accept
+
+firewall__nat:
+ - src: 10.0.0.0/8
+ dst: internet
+ protocols: null
+ snat:
+ addr: 45.66.111.200/32
+...
diff --git a/group_vars/infra/keepalived.yml b/group_vars/infra/keepalived.yml
new file mode 100644
index 0000000..7d1bd4f
--- /dev/null
+++ b/group_vars/infra/keepalived.yml
@@ -0,0 +1,52 @@
+---
+keepalived__virtual_router_id: 82
+
+keepalived__interface: back0
+
+keepalived__virtual_addresses:
+ ups0:
+ - 10.201.0.1/16
+ - 2a09:6840:201::1/64
+ - fe80::1/10
+ monit0:
+ - 10.204.0.1/16
+ - 2a09:6840:204::1/64
+ - fe80::1/10
+ wifi0:
+ - 10.205.0.1/16
+ - 2a09:6840:205::1/64
+ - fe80::1/10
+ int0:
+ - 10.206.0.1/16
+ - 2a09:6840:206::1/64
+ - fe80::1/10
+ sw0:
+ - 10.207.0.1/16
+ - 2a09:6840:207::1/64
+ - fe80::1/10
+ bmc0:
+ - 10.208.0.1/16
+ - 2a09:6840:208::1/64
+ - fe80::1/10
+ pve0:
+ - 10.209.0.1/16
+ - 2a09:6840:209::1/64
+ - fe80::1/10
+ isp0:
+ - 10.210.0.1/16
+ - 2a09:6840:210::1/64
+ - fe80::1/10
+ ext0:
+ - 10.211.0.1/16
+ - 2a09:6840:211::1/64
+ - fe80::1/10
+
+keepalived__virtual_routes:
+ ext0:
+ - 45.66.111.204/30
+
+keepalived__virtual_blackholes:
+ - 45.66.111.200/30
+
+keepalived__main: "{{ inventory_hostname_short == 'infra-1' }}"
+...
diff --git a/group_vars/isp/firewall.yml b/group_vars/isp/firewall.yml
new file mode 100644
index 0000000..0cf9d8a
--- /dev/null
+++ b/group_vars/isp/firewall.yml
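Review bot: `firewall__input` and `firewall__output` are each a single `verdict: accept`, so every service the infra routers themselves run (SSH, VRRP, anything bound to `0.0.0.0`) is reachable from every zone including `internet`; only transit traffic is filtered by `firewall__forward`. Restrict input to the zones that need it — for example `back`, `adm-legacy` and `vpn-clients` for administration, and `internet` only for the UDP 5121 WireGuard port the forward section already whitelists — and let the rest drop. The `src: infra` → `dst: internet` rule is tagged `# FIXME: temporary`; adding a tracking reference or the intended replacement to that comment keeps it from becoming permanent by default. The `firewall__nat` entry writes `addr: 45.66.111.200/32` while group_vars/isp/firewall.yml writes `addr: 45.66.111.220` with no prefix; if the role accepts both it is harmless, but one form should be chosen.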
@@ -0,0 +1,40 @@
+---
+firewall__zones:
+ internet:
+ negate: true
+ addrs:
+ - 2a09:6840::/32
+ - 2a09:6841::/32
+ - 2a09:6842::/32
+ - 45.66.108.0/22
+ - 10.0.0.0/8
+ - 100.64.0.0/10
+ clients:
+ addrs:
+ - 100.64.0.0/10
+ non_clients:
+ negate: true
+ zones: clients
+ allowed_clients:
+ file:
+ path: /var/run/firewall/allowed_clients.yml
+ default: []
+
+firewall__input:
+ - verdict: accept
+
+firewall__output:
+ - verdict: accept
+
+firewall__forward:
+ - src: allowed_clients
+ dst: non_clients
+ verdict: accept
+
+firewall__nat:
+ - src: clients
+ dst: internet
+ protocols: null
+ snat:
+ addr: 45.66.111.220
+...
diff --git a/group_vars/isp/keepalived.yml b/group_vars/isp/keepalived.yml
new file mode 100644
index 0000000..0a18a88
--- /dev/null
+++ b/group_vars/isp/keepalived.yml
@@ -0,0 +1,29 @@
+---
+keepalived__virtual_router_id: 80
+
+keepalived__interface: back0
+
+keepalived__virtual_addresses:
+ client0:
+ - 100.64.0.1/27
+ - 2a09:6841::1/56
+ - fe80::1/10
+ client1:
+ - 100.64.0.33/27
+ - 2a09:6841:0:1::1/64
+ - fe80::1/10
+ client2:
+ - 100.64.0.65/27
+ - 2a09:6841:0:2::1/64
+ - fe80::1/10
+ client3:
+ - 100.64.0.97/27
+ - 2a09:6841:0:3::1/64
+ - fe80::1/10
+ client4:
+ - 100.64.0.129/27
+ - 2a09:6841:0:4::1/64
+ - fe80::1/10
+
+keepalived__main: "{{ inventory_hostname_short == 'isp-1' }}"
+...
diff --git a/group_vars/ntp/chronyd.yml b/group_vars/ntp/chronyd.yml
new file mode 100644
index 0000000..f60faf4
--- /dev/null
+++ b/group_vars/ntp/chronyd.yml
@@ -0,0 +1,13 @@
+---
+chronyd__allow_networks:
+ - 2a09:6840::/32
+ - 10.0.0.0/8
+
+chronyd__pools:
+ - 0.pool.ntp.org
+ - 1.pool.ntp.org
+ - 2.pool.ntp.org
+ - 3.pool.ntp.org
+
+chronyd__local_stratum: 10
+...
diff --git a/group_vars/pve/pve_auth.yml b/group_vars/pve/pve_auth.yml
new file mode 100644
index 0000000..1999432
--- /dev/null
+++ b/group_vars/pve/pve_auth.yml
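Review bot: `firewall__input: - verdict: accept` on the ISP routers means any host in `clients` (100.64.0.0/10) can reach every local service on the router, not only forwarded traffic; the `allowed_clients` gate applies to `firewall__forward` alone. Limit input from `clients` to what they legitimately need (DHCP and whatever the router itself answers for them) and drop the rest, keeping the permissive input for the management-side zones if required. `allowed_clients` is read from `/var/run/firewall/allowed_clients.yml` with `default: []`, which fails closed when the file is absent — good — but `/var/run` is usually volatile, so after a reboot no client passes until whatever produces that file runs again; a comment naming that producer (`# written by <producer placeholder>; absent ⇒ no client is allowed`) makes the dependency explicit.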
@@ -0,0 +1,31 @@
+---
+pve_auth__groups:
+ admin:
+ - Administrator
+
+pve_auth__pam_users:
+ root:
+ enabled: false
+
+pve_auth__users:
+ jeltz:
+ password: "{{ vault_pve_passwords.jeltz }}"
+ groups:
+ - admin
+ otthorn:
+ password: "{{ vault_pve_passwords.otthorn }}"
+ groups:
+ - admin
+ v-lafeychine:
+ password: "{{ vault_pve_passwords['v-lafeychine'] }}"
+ groups:
+ - admin
+ pz2891:
+ password: "{{ vault_pve_passwords.pz2891 }}"
+ groups:
+ - admin
+ loutr:
+ password: "{{ vault_pve_passwords.loutr }}"
+ groups:
+ - admin
+...
diff --git a/group_vars/radius/freeradius.yml b/group_vars/radius/freeradius.yml
new file mode 100644
index 0000000..44d4d42
--- /dev/null
+++ b/group_vars/radius/freeradius.yml
@@ -0,0 +1,17 @@
+---
+radiusd__guest_vlan: 1000
+
+radiusd__clients:
+ localhost:
+ addr: 127.0.0.1
+ secret: abcdef
+ type: aurore
+ wifi-ap-v4:
+ addr: 10.102.0.0/16
+ secret: abcdef
+ type: aurore
+ wifi-ap-v6:
+ addr: 2a09:6840:102::/56
+ secret: abcdef
+ type: aurore
+...
diff --git a/host_vars/dhcp-1.isp.infra.auro.re.yml b/host_vars/dhcp-1.isp.infra.auro.re.yml
new file mode 100644
index 0000000..82f1119
--- /dev/null
+++ b/host_vars/dhcp-1.isp.infra.auro.re.yml
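Review bot: Every entry in `radiusd__clients` uses `secret: abcdef`, a placeholder committed in cleartext, whereas the PVE and vault-backed secrets elsewhere in this commit are not; the RADIUS shared secret is what protects `User-Password` and authenticates `Message-Authenticator`, so anything on `10.102.0.0/16` or `2a09:6840:102::/56` that knows this value can act as a NAS. Use a distinct, long random secret per client, referenced as `secret: "{{ vault_radiusd_client_secrets['wifi-ap-v4'] }}"` (placeholder name), and treat the committed value as burnt. `wifi-ap-v4` and `wifi-ap-v6` also declare whole prefixes as a single client; if individual access points can be enumerated, per-AP entries limit the blast radius when one secret leaks, and the `localhost` entry rarely needs a secret shared with the APs.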
@@ -0,0 +1,47 @@
+---
+systemd_link__links:
+ isp0: 02:00:00:c6:3f:6f
+ trunk0: 02:00:00:b1:8d:d6
+
+ifupdown2__interfaces:
+ isp0:
+ addresses:
+ - 2a09:6840:210::1:1/64
+ - 10.210.1.1/16
+ gateways: "{{ ifupdown2__gateways.isp }}"
+ trunk0:
+ ipv6_addrgen: false
+ clients0:
+ bridge_vlan_aware: true
+ bridge_ports:
+ - trunk0
+ bridge_vids:
+ - 1000-1004
+ bridge_disable_pvid: true
+ ipv6_addrgen: false
+ client0:
+ addresses:
+ - 100.64.0.2/27
+ vlan_id: 1000
+ vlan_raw_device: clients0
+ client1:
+ addresses:
+ - 100.64.0.34/27
+ vlan_id: 1001
+ vlan_raw_device: clients0
+ client2:
+ addresses:
+ - 100.64.0.66/27
+ vlan_id: 1002
+ vlan_raw_device: clients0
+ client3:
+ addresses:
+ - 100.64.0.98/27
+ vlan_id: 1003
+ vlan_raw_device: clients0
+ client4:
+ addresses:
+ - 100.64.0.130/27
+ vlan_id: 1004
+ vlan_raw_device: clients0
+...
diff --git a/host_vars/dhcp-2.isp.infra.auro.re.yml b/host_vars/dhcp-2.isp.infra.auro.re.yml
new file mode 100644
index 0000000..b3d918f
--- /dev/null
+++ b/host_vars/dhcp-2.isp.infra.auro.re.yml
@@ -0,0 +1,47 @@
+---
+systemd_link__links:
+ isp0: 04:00:00:8c:d1:36
+ trunk0: 04:00:00:33:2c:3c
+
+ifupdown2__interfaces:
+ isp0:
+ addresses:
+ - 2a09:6840:210::1:2/64
+ - 10.210.1.2/16
+ gateways: "{{ ifupdown2__gateways.isp }}"
+ trunk0:
+ ipv6_addrgen: false
+ clients0:
+ bridge_vlan_aware: true
+ bridge_ports:
+ - trunk0
+ bridge_vids:
+ - 1000-1004
+ bridge_disable_pvid: true
+ ipv6_addrgen: false
+ client0:
+ addresses:
+ - 100.64.0.3/27
+ vlan_id: 1000
+ vlan_raw_device: clients0
+ client1:
+ addresses:
+ - 100.64.0.35/27
+ vlan_id: 1001
+ vlan_raw_device: clients0
+ client2:
+ addresses:
+ - 100.64.0.67/27
+ vlan_id: 1002
+ vlan_raw_device: clients0
+ client3:
+ addresses:
+ - 100.64.0.99/27
+ vlan_id: 1003
+ vlan_raw_device: clients0
+ client4:
+ addresses:
+ - 100.64.0.131/27
+ vlan_id: 1004
+ vlan_raw_device: clients0
+...
diff --git a/host_vars/dns-1.int.infra.auro.re.yml b/host_vars/dns-1.int.infra.auro.re.yml
new file mode 100644
index 0000000..88fedb7
--- /dev/null
+++ b/host_vars/dns-1.int.infra.auro.re.yml
@@ -0,0 +1,16 @@
+---
+systemd_link__links:
+ adm0: 02:00:00:6c:4b:89
+ int0: 02:00:00:9f:d9:f9
+
+ifupdown2__interfaces:
+ adm0:
+ addresses:
+ - 2a09:6840:128::10:3/64
+ - 10.128.10.3/16
+ int0:
+ addresses:
+ - 2a09:6840:206::1:1/64
+ - 10.206.1.1/16
+ gateways: "{{ ifupdown2__gateways.int }}"
+...
diff --git a/host_vars/dns-2.int.infra.auro.re.yml b/host_vars/dns-2.int.infra.auro.re.yml
new file mode 100644
index 0000000..743b1e6
--- /dev/null
+++ b/host_vars/dns-2.int.infra.auro.re.yml
@@ -0,0 +1,16 @@
+---
+systemd_link__links:
+ adm0: 04:00:00:2a:6e:be
+ int0: 04:00:00:3c:c0:5a
+
+ifupdown2__interfaces:
+ adm0:
+ addresses:
+ - 2a09:6840:128::10:103/64
+ - 10.128.10.103/16
+ int0:
+ addresses:
+ - 2a09:6840:206::1:2/64
+ - 10.206.1.2/16
+ gateways: "{{ ifupdown2__gateways.int }}"
+...
diff --git a/host_vars/edge-1.back.infra.auro.re.yml b/host_vars/edge-1.back.infra.auro.re.yml
new file mode 100644
index 0000000..1451db9
--- /dev/null
+++ b/host_vars/edge-1.back.infra.auro.re.yml
@@ -0,0 +1,39 @@
+---
+systemd_link__links:
+ adm0: 02:00:00:9E:3E:21
+ crans0: 02:00:00:A2:7C:68
+ zayo0: 02:00:00:35:89:82
+ rezel0: 02:00:00:8F:4A:AD
+ back0: 02:00:00:1C:3A:2E
+ viarezo0: 02:00:00:ED:70:64
+ router0: 02:00:00:5A:17:7C
+ oti0: 02:00:00:05:0E:A6
+
+ifupdown2__interfaces:
+ adm0:
+ addresses:
+ - 2a09:6840:128::10:2/64
+ - 10.128.10.2/16
+ crans0:
+ ipv6_addrgen: false
+ zayo0:
+ ipv6_addrgen: false
+ rezel0:
+ addresses:
+ - 2a09:6842:19:9116::1/64
+ - 45.66.111.1/29
+ back0:
+ addresses:
+ - 2a09:6840:203::1:1/64
+ - 10.203.1.1/16
+ viarezo0:
+ ipv6_addrgen: false
+ router0:
+ addresses:
+ - 2a09:6840:129::10:2/56
+ - 10.129.10.2/16
+ oti0:
+ addresses:
+ - 2a00:a4c0:100c:1::b/127
+ - 77.95.70.11/31
+...
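Review bot: `systemd_link__links` in host_vars/edge-1.back.infra.auro.re.yml writes MAC addresses in uppercase hex (`02:00:00:9E:3E:21`), whereas the dns, dhcp, infra, ldap, ntp, prometheus and radius host files in this commit use lowercase; host_vars/edge-2.back.infra.auro.re.yml, host_vars/isp-1.back.infra.auro.re.yml and host_vars/isp-2.back.infra.auro.re.yml share the uppercase form. Pick one case for the whole inventory so grepping and comparing against `ip link` output (which prints lowercase) stays mechanical. `router0` is the only interface here with a `/56` (`2a09:6840:129::10:2/56`) where every other IPv6 address is `/64`; if that is intentional, a one-line comment on it will keep it from being "normalised" later.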
diff --git a/host_vars/edge-2.back.infra.auro.re.yml b/host_vars/edge-2.back.infra.auro.re.yml
new file mode 100644
index 0000000..68a8f5e
--- /dev/null
+++ b/host_vars/edge-2.back.infra.auro.re.yml
@@ -0,0 +1,34 @@
+---
+systemd_link__links:
+ adm0: 04:00:00:F5:69:B9
+ crans0: 04:00:00:CF:E1:D0
+ zayo0: 04:00:00:67:7B:12
+ rezel0: 04:00:00:C6:05:B7
+ back0: 04:00:00:DE:22:E6
+ viarezo0: 04:00:00:45:FA:E6
+ router0: 04:00:00:AD:D7:71
+
+ifupdown2__interfaces:
+ adm0:
+ addresses:
+ - 2a09:6840:128::10:102/64
+ - 10.128.10.102/16
+ crans0:
+ ipv6_addrgen: false
+ zayo0:
+ ipv6_addrgen: false
+ rezel0:
+ addresses:
+ - 2a09:6842:19:9116::3/64
+ - 45.66.111.3/29
+ back0:
+ addresses:
+ - 2a09:6840:203::1:2/64
+ - 10.203.1.2/16
+ viarezo0:
+ ipv6_addrgen: false
+ router0:
+ addresses:
+ - 2a09:6840:129::10:102/56
+ - 10.129.10.102/16
+...
diff --git a/host_vars/infra-1.back.infra.auro.re.yml b/host_vars/infra-1.back.infra.auro.re.yml
new file mode 100644
index 0000000..0449d58
--- /dev/null
+++ b/host_vars/infra-1.back.infra.auro.re.yml
@@ -0,0 +1,43 @@
+---
+systemd_link__links:
+ ups0: 02:00:00:fe:6f:0e
+ back0: 02:00:00:f8:93:22
+ monit0: 02:00:00:da:97:7f
+ wifi0: 02:00:00:8c:c5:bf
+ int0: 02:00:00:75:40:3e
+ sw0: 02:00:00:ca:e8:d1
+ bmc0: 02:00:00:47:d1:b9
+ pve0: 02:00:00:b3:35:e7
+ isp0: 02:00:00:6b:53:14
+ ext0: 02:00:00:32:86:60
+ vpn0: 02:00:00:52:5f:85
+
+ifupdown2__interfaces:
+ back0:
+ addresses:
+ - 2a09:6840:203::1:3/64
+ - 45.66.111.210/32
+ - 10.203.1.3/16
+ ups0:
+ ipv6_addrgen: false
+ monit0:
+ ipv6_addrgen: false
+ wifi0:
+ ipv6_addrgen: false
+ int0:
+ ipv6_addrgen: false
+ sw0:
+ ipv6_addrgen: false
+ bmc0:
+ ipv6_addrgen: false
+ pve0:
+ ipv6_addrgen: false
+ isp0:
+ ipv6_addrgen: false
+ ext0:
+ ipv6_addrgen: false
+ vpn0:
+ addresses:
+ - 2a09:6840:213::1:1
+ - 10.213.1.1
+...
diff --git a/host_vars/infra-2.back.infra.auro.re.yml b/host_vars/infra-2.back.infra.auro.re.yml
new file mode 100644
index 0000000..6b4843d
--- /dev/null
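Review bot: `vpn0` in host_vars/infra-1.back.infra.auro.re.yml lists `2a09:6840:213::1:1` and `10.213.1.1` without a prefix length, the only addresses in this commit written that way; host_vars/infra-2.back.infra.auro.re.yml repeats it with `::1:2` / `10.213.1.2`. The `vpn` zone in group_vars/infra/firewall.yml is `2a09:6840:213::/64` and `10.213.0.0/16`, so unless the role supplies a default prefix these will presumably be installed as host addresses (/128, /32) with no on-link route for the VPN subnet; write `- 2a09:6840:213::1:1/64` and `- 10.213.1.1/16` as every other interface does. `back0` also carries the public `45.66.111.210/32` next to the back-network addresses; a short comment saying why it lives there would help the next reader.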
+++ b/host_vars/infra-2.back.infra.auro.re.yml
@@ -0,0 +1,43 @@
+---
+systemd_link__links:
+ ups0: 04:00:00:6d:97:83
+ back0: 04:00:00:46:ba:f9
+ monit0: 04:00:00:72:0b:2d
+ wifi0: 04:00:00:ee:42:0f
+ int0: 04:00:00:21:fd:d0
+ sw0: 04:00:00:2e:5b:16
+ bmc0: 04:00:00:bb:5a:a6
+ pve0: 04:00:00:0b:2b:82
+ isp0: 04:00:00:f4:4c:5d
+ ext0: 04:00:00:1d:0e:83
+ vpn0: 04:00:00:02:ba:dd
+
+ifupdown2__interfaces:
+ back0:
+ addresses:
+ - 2a09:6840:203::1:4/64
+ - 45.66.111.211/32
+ - 10.203.1.4/16
+ ups0:
+ ipv6_addrgen: false
+ monit0:
+ ipv6_addrgen: false
+ wifi0:
+ ipv6_addrgen: false
+ int0:
+ ipv6_addrgen: false
+ sw0:
+ ipv6_addrgen: false
+ bmc0:
+ ipv6_addrgen: false
+ pve0:
+ ipv6_addrgen: false
+ isp0:
+ ipv6_addrgen: false
+ ext0:
+ ipv6_addrgen: false
+ vpn0:
+ addresses:
+ - 2a09:6840:213::1:2
+ - 10.213.1.2
+...
diff --git a/host_vars/isp-1.back.infra.auro.re.yml b/host_vars/isp-1.back.infra.auro.re.yml
new file mode 100644
index 0000000..9f3eb70
--- /dev/null
+++ b/host_vars/isp-1.back.infra.auro.re.yml
@@ -0,0 +1,47 @@
+---
+systemd_link__links:
+ adm0: 02:00:00:D8:37:45
+ back0: 02:00:00:BF:10:4C
+ trunk0: 02:00:00:E9:BA:15
+
+ifupdown2__interfaces:
+ adm0:
+ addresses:
+ - 2a09:6840:128::10:5/64
+ - 10.128.10.5/16
+ gateways: "{{ ifupdown2__gateways.adm }}"
+ back0:
+ addresses:
+ - 2a09:6840:203::1:5/64
+ - 10.203.1.5/16
+ trunk0:
+ ipv6_addrgen: false
+ clients0:
+ bridge_vlan_aware: true
+ bridge_ports:
+ - trunk0
+ bridge_vids:
+ - 1000-1004
+ bridge_disable_pvid: true
+ ipv6_addrgen: false
+ client0:
+ vlan_id: 1000
+ vlan_raw_device: clients0
+ ipv6_addrgen: false
+ client1:
+ vlan_id: 1001
+ vlan_raw_device: clients0
+ ipv6_addrgen: false
+ client2:
+ vlan_id: 1002
+ vlan_raw_device: clients0
+ ipv6_addrgen: false
+ client3:
+ vlan_id: 1003
+ vlan_raw_device: clients0
+ ipv6_addrgen: false
+ client4:
+ vlan_id: 1004
+ vlan_raw_device: clients0
+ ipv6_addrgen: false
+...
diff --git a/host_vars/isp-2.back.infra.auro.re.yml b/host_vars/isp-2.back.infra.auro.re.yml
new file mode 100644
index 0000000..c37134d
--- /dev/null
+++ b/host_vars/isp-2.back.infra.auro.re.yml
@@ -0,0 +1,47 @@
+---
+systemd_link__links:
+ adm0: 04:00:00:85:C3:5D
+ back0: 04:00:00:FE:2D:67
+ trunk0: 04:00:00:D8:F5:4D
+
+ifupdown2__interfaces:
+ adm0:
+ addresses:
+ - 2a09:6840:128::10:105/64
+ - 10.128.10.105/16
+ gateways: "{{ ifupdown2__gateways.adm }}"
+ back0:
+ addresses:
+ - 2a09:6840:203::1:6/64
+ - 10.203.1.6/16
+ trunk0:
+ ipv6_addrgen: false
+ clients0:
+ bridge_vlan_aware: true
+ bridge_ports:
+ - trunk0
+ bridge_vids:
+ - 1000-1004
+ bridge_disable_pvid: true
+ ipv6_addrgen: false
+ client0:
+ vlan_id: 1000
+ vlan_raw_device: clients0
+ ipv6_addrgen: false
+ client1:
+ vlan_id: 1001
+ vlan_raw_device: clients0
+ ipv6_addrgen: false
+ client2:
+ vlan_id: 1002
+ vlan_raw_device: clients0
+ ipv6_addrgen: false
+ client3:
+ vlan_id: 1003
+ vlan_raw_device: clients0
+ ipv6_addrgen: false
+ client4:
+ vlan_id: 1004
+ vlan_raw_device: clients0
+ ipv6_addrgen: false
+...
diff --git a/host_vars/ldap-1.int.infra.auro.re.yml b/host_vars/ldap-1.int.infra.auro.re.yml
new file mode 100644
index 0000000..f59b1ba
--- /dev/null
+++ b/host_vars/ldap-1.int.infra.auro.re.yml
@@ -0,0 +1,16 @@
+---
+systemd_link__links:
+ adm0: 02:00:00:38:c2:52
+ int0: 02:00:00:fe:a8:54
+
+ifupdown2__interfaces:
+ adm0:
+ addresses:
+ - 2a09:6840:128::10:8/64
+ - 10.128.10.8/16
+ int0:
+ addresses:
+ - 2a09:6840:206::1:3/64
+ - 10.206.1.7/16
+ gateways: "{{ ifupdown2__gateways.int }}"
+...
diff --git a/host_vars/ldap-2.int.infra.auro.re.yml b/host_vars/ldap-2.int.infra.auro.re.yml
new file mode 100644
index 0000000..7be77d1
--- /dev/null
+++ b/host_vars/ldap-2.int.infra.auro.re.yml
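Review bot: `int0` on ldap-1 pairs `2a09:6840:206::1:3/64` with `10.206.1.7/16`, breaking the convention every other host in this commit follows of matching the last IPv6 group to the last IPv4 octet (dns-1 is `::1:1` / `10.206.1.1`, ntp-1 is `::1:5` / `10.206.1.5`); host_vars/ldap-2.int.infra.auro.re.yml has the same mismatch with `::1:4` / `10.206.1.8`. Separately, the `infra.auro.re` zone in host_vars/ns-master.int.infra.auro.re/knotd.yml resolves `ldap-1.int` to the `adm0` addresses (`10.128.10.8`, `2a09:6840:128::10:8`) rather than to these `int0` ones, so the name and the interface it is named after disagree. Either may be deliberate; aligning the numbering, or a comment on `int0` stating the intent, removes the ambiguity.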
@@ -0,0 +1,16 @@
+---
+systemd_link__links:
+ adm0: 04:00:00:f7:1c:47
+ int0: 04:00:00:e4:83:d2
+
+ifupdown2__interfaces:
+ adm0:
+ addresses:
+ - 2a09:6840:128::10:108/64
+ - 10.128.10.108/16
+ int0:
+ addresses:
+ - 2a09:6840:206::1:4/64
+ - 10.206.1.8/16
+ gateways: "{{ ifupdown2__gateways.int }}"
+...
diff --git a/host_vars/ns-master.int.infra.auro.re/knotd.yml b/host_vars/ns-master.int.infra.auro.re/knotd.yml
new file mode 100644
index 0000000..657f576
--- /dev/null
+++ b/host_vars/ns-master.int.infra.auro.re/knotd.yml
@@ -0,0 +1,502 @@
+---
+knotd__listen:
+ - address: 0.0.0.0
+ - address: "::"
+
+knotd__keys:
+ xfr:
+ algorithm: hmac-sha512
+ secret: "{{ vault_knotd_xfr_key }}"
+ ksk-infra:
+ algorithm: hmac-sha512
+ secret: "{{ vault_knotd_ksk_infra_key }}"
+ update-acme-challenge:
+ algorithm: hmac-sha512
+ secret: "{{ vault_certbot_dns_secret }}"
+
+knotd__remotes:
+ xfr-ns-1:
+ address: 10.128.0.199
+ key: xfr
+ xfr-ns-2:
+ address: 10.128.0.109
+ key: xfr
+ ksk-infra:
+ address: ::1
+ key: ksk-infra
+
+knotd__policies:
+ public:
+ algorithm: ECDSAP256SHA256
+ reproducible_signing: true
+ # Je n'ai pas trouvé de façon de pousser les records automatiquement
+ # sur .re, donc pour éviter d'oublier de le faire manuellement, la
+ # KSK n'expire pas
+ ksk_lifetime: 0
+ zsk_lifetime: 30d
+ nsec3: true
+ infra:
+ algorithm: ECDSAP256SHA256
+ ksk_lifetime: 365d
+ zsk_lifetime: 30d
+ nsec3: on
+ ds-push: ksk-infra
+ cds-cdnskey-publish: rollover
+ ksk-submission: infra
+ ripe:
+ algorithm: ECDSAP256SHA256
+ ksk_lifetime: 365d
+ zsk_lifetime: 30d
+ nsec3: on
+ ds-push: ksk-ripe
+ cds-cdnskey-publish: rollover
+ ksk-submission: ripe
+
+knotd__acl:
+ xfr:
+ addresses:
+ - 10.128.0.199
+ - 2a09:6840:128::199
+ - 10.128.0.109
+ - 2a09:6840:128::109
+ action: transfer
+ key: xfr
+ ksk-infra:
+ addresses:
+ - 127.0.0.1
+ - ::1
+ key: ksk-infra
+ action: update
+ update_types:
+ - DS
+ update_owner: name
+ update_owner_match: equal
+ update_owner_name:
+ - infra
+ update-acme-challenge:
+ addresses:
+ - 10.128.0.0/16
+ - 2a09:6840:128::/48
+ key: update-acme-challenge
+ action: update
+ update_types:
+ - TXT
+ update_owner: name
+ update_owner_match: equal
+ update_owner_name:
+ - _acme-challenge.auro.re.
+
+knotd__queryacl:
+ local:
+ addresses:
+ - 10.0.0.0/8
+
+knotd__soa_rname: root@auro.re.
+
+knotd__hosts:
+
+ auro.re:
+ proxy-ovh:
+ - 92.222.211.195
+ horus:
+ - 92.23.218.136
+ ns-1:
+ - 45.66.111.30
+ - 2a09:6840:111::30
+ ns-2:
+ - 92.222.211.194
+ serge:
+ - 92.222.211.196
+ lama:
+ - 185.230.78.220
+ - 2a0c:700:12:0:67:e5ff:fee9:108
+ vpn-ovh:
+ - 92.222.211.197
+ passerelle:
+ - 45.66.111.254
+ - 2a09:6840:111::254
+ proxy:
+ - 45.66.111.61
+ - 2a09:6840:111::61
+ camelot:
+ - 45.66.111.59
+ - 2a09:6840:111::59
+ mail:
+ - 45.66.111.62
+ - 2a09:6840:111::62
+ galene:
+ - 45.66.111.65
+ - 2a09:6840:111::65
+ aclyas:
+ - 45.66.111.231
+ - 2a09:6840:111::231
+ jitsi:
+ - 45.66.111.55
+ - 2a09:6840:111::55
+ portail-fleming:
+ - 10.13.0.247
+ - 2a09:6840:13::247
+ portail-pacaterie:
+ - 10.23.0.247
+ - 2a09:6840:23::247
+ portail-rives:
+ - 10.33.0.247
+ - 2a09:6840:33::247
+ portail-edc:
+ - 10.43.0.247
+ - 2a09:6840:43::247
+ portail-gs:
+ - 10.53.0.247
+ - 2a09:6840:53::247
+
+ adh.auro.re:
+ hoffman:
+ - 45.66.110.1
+ - 2a09:6840:110:0:2d8:61ff:fe56:d7eb
+ hindley:
+ - 45.66.110.3
+ - 2a09:6840:110:0:a6ba:dbff:fe03:1f36
+ yberreby:
+ - 45.66.110.5
+ - 2a09:6840:110:0:d896:1dff:fe59:8381
+ paon:
+ - 45.66.110.10
+ - 2a09:6840:110:0:231:92ff:fe1b:ae22
+ lovelace:
+ - 45.66.110.45
+ - 2a09:6840:110:0:c634:6bff:feb5:7bcc
+ switch-leo:
+ - 45.66.110.103
+ - 2a09:6840:110:0:82cc:9cff:fe82:ca3e
+ haskell:
+ - 45.66.110.112
+ - 2a09:6840:110:0:f4ac:cbff:fe81:7f48
+ lyshyga0:
+ - 45.66.110.113
+ - 2a09:6840:110:0:6af7:28ff:fe91:e8d9
+ pz28910:
+ - 45.66.110.114
+ vinsing0:
+ - 45.66.110.123
+ - 2a09:6840:110:0:1e1b:dff:fe90:7d81
+ osc-routeur:
+ - 45.66.110.125
+ - 2a09:6840:110:0:ba27:ebff:fe2d:c1a1
+ odroid:
+ - 45.66.110.154
+ - 2a09:6840:110:0:21e:6ff:fe49:e00
+ amau0:
+ - 45.66.110.164
+ - 2a09:6840:110:0:3e7c:3fff:fec3:27d1
+ regulus:
+ - 45.66.110.180
+ - 2a09:6840:110:0:2ef0:5dff:fe2a:1530
+ toaster:
+ - 45.66.110.188
+ - 2a09:6840:110:0:5246:5dff:fe9a:f70
+ rpijutax:
+ - 45.66.110.190
+ - 2a09:6840:110:0:ba27:ebff:fe76:a9bc
+ lafeychine:
+ -
45.66.110.200
+ - 2a09:6840:110:0:46a5:6eff:fe71:1
+ polaris:
+ - 45.66.110.245
+ - 2a09:6840:110:0:dea6:32ff:feb4:d033
+
+knotd__zones:
+
+ auro.re:
+ dnssec_policy: public
+ notify:
+ - xfr-ns-1
+ - xfr-ns-2
+ acl:
+ - update-acme-challenge
+ - ksk-infra
+ - xfr
+ soa:
+ mname: ns-master.int.infra
+ ns:
+ - target:
+ - ns-1
+ - ns-2
+ - name: infra
+ target:
+ - ns-1
+ - ns-2
+ - name: adm
+ target:
+ - serge
+ - lama
+ - name: ups
+ target:
+ - serge
+ - lama
+ - name: switch
+ target:
+ - serge
+ - lama
+ - name: borne
+ target:
+ - serge
+ - lama
+ mx:
+ - exchange: mail
+ preference: 5
+ - exchange: proxy-ovh
+ preference: 10
+ spf:
+ - data: v=spf1 mx -all
+ a:
+ - address: 92.222.211.195
+ cname:
+ - name:
+ - gisti
+ - gistiti
+ target: jitsi
+ - name:
+ - element
+ - riot
+ - auth
+ - rss
+ - codimd
+ - hedgedoc
+ - kanboard
+ - www
+ - pad
+ - privatebin
+ - zero
+ - paste
+ target: proxy-ovh
+ - name:
+ - grafana
+ - netbox
+ - wiki
+ - matrix
+ - drone
+ - gitea
+ - re2o
+ - nextcloud
+ - vote
+ target: proxy
+ - name: intranet
+ target: re2o
+ - name:
+ - smtp
+ - imap
+ target: mail
+ - name:
+ - prometheus-paul.adh
+ - pma-paul.adh
+ - nextcloud-paul.adh
+ - grafana-paul.adh
+ - jellyfin.adh
+ - monitoring.adh
+ - beta-mpp.adh
+ - pz28.adh
+ target: lucepaul.myvnc.com.
+ - name:
+ - services-1.pve
+ target: services-1.pve.infra
+ - name:
+ - services-2.pve
+ target: services-2.pve.infra
+ - name:
+ - services-3.pve
+ target: services-3.pve.infra
+ hosts: "{{ knotd__hosts['auro.re']
+ | combine(knotd__hosts['adh.auro.re']
+ | add_origin_keys('adh.auro.re.')) }}"
+
+ infra.auro.re:
+ dnssec_policy: infra
+ notify:
+ - xfr-ns-1
+ - xfr-ns-2
+ acl:
+ - xfr
+ #queryacl: local
+ soa:
+ mname: ns-master.int
+ ns:
+ - target:
+ - ns-1.auro.re.
+ - ns-2.auro.re.
+ hosts:
+ services-1.ceph:
+ - 10.132.1.1
+ - "2a09:6840:132:1:1::"
+ services-2.ceph:
+ - 10.132.1.2
+ - "2a09:6840:132:1:2::"
+ services-3.ceph:
+ - 10.132.1.3
+ - "2a09:6840:132:1:3::"
+ services-1.pve:
+ - 10.134.1.1
+ - 2a09:6840:132:1:1::1
+ services-2.pve:
+ - 10.134.1.2
+ - 2a09:6840:132:1:2::1
+ services-3.pve:
+ - 10.134.1.3
+ - 2a09:6840:132:1:3::1
+ ns-master.int:
+ - 10.128.0.110
+ - 2a09:6840:128:0::110
+ ec-1.ups:
+ - 10.131.4.1
+ - 2a09:6840:131::4:1
+ ec-2.ups:
+ - 10.131.4.2
+ - 2a09:6840:131::4:2
+ network-1.pve:
+ - 2a09:6840:209::1:1
+ - 10.209.1.1
+ network-2.pve:
+ - 2a09:6840:209::1:2
+ - 10.209.1.2
+ edge-1.back:
+ - 2a09:6840:203::1:1
+ - 10.203.1.1
+ edge-2.back:
+ - 2a09:6840:203::1:2
+ - 10.203.1.2
+ dns-1.int:
+ - 2a09:6840:206::1:1
+ - 10.206.1.1
+ dns-2.int:
+ - 2a09:6840:206::1:2
+ - 10.206.1.2
+ vpn-1.back:
+ - 10.128.10.11
+ - 2a09:6840:128::10:11
+ vpn-2.back:
+ - 10.128.10.111
+ - 2a09:6840:128::10:111
+ infra-1.back:
+ - 2a09:6840:203::1:3
+ - 10.203.1.3
+ infra-2.back:
+ - 2a09:6840:203::1:4
+ - 10.203.1.4
+ isp-1.back:
+ - 2a09:6840:203::1:5
+ - 10.203.1.5
+ isp-2.back:
+ - 2a09:6840:203::1:6
+ - 10.203.1.6
+ dhcp-1.isp:
+ - 2a09:6840:210::1:1
+ - 10.210.1.1
+ dhcp-2.isp:
+ - 2a09:6840:210::1:2
+ - 10.210.1.2
+ radius-1.isp:
+ - 2a09:6840:210::1:3
+ - 10.210.1.3
+ radius-2.isp:
+ - 2a09:6840:210::1:4
+ - 10.210.1.4
+ ldap-1.int:
+ - 10.128.10.8
+ - 2a09:6840:128::10:8
+ ldap-2.int:
+ - 10.128.10.108
+ - 2a09:6840:128::10:108
+ ntp-1.int:
+ - 2a09:6840:206::1:5
+ - 10.206.1.5
+ ntp-2.int:
+ - 2a09:6840:206::1:6
+ - 10.206.1.6
+ prometheus-1.monit:
+ - 2a09:6840:204::1:1
+ - 10.204.1.1
+ prometheus-2.monit:
+ - 2a09:6840:204::1:2
+ - 10.204.1.2
+
+ 108.66.45.in-addr.arpa:
+ dnssec_policy: ripe
+ notify:
+ - xfr-ns-1
+ - xfr-ns-2
+ acl:
+ - xfr
+ soa:
+ mname: ns-master.int.infra.auro.re.
+ ns:
+ - target:
+ - ns-1.auro.re.
+ - ns-2.auro.re.
+
+ 109.66.45.in-addr.arpa:
+ dnssec_policy: ripe
+ notify:
+ - xfr-ns-1
+ - xfr-ns-2
+ acl:
+ - xfr
+ soa:
+ mname: ns-master.int.infra.auro.re.
+ ns:
+ - target:
+ - ns-1.auro.re.
+ - ns-2.auro.re.
+
+ 110.66.45.in-addr.arpa:
+ dnssec_policy: ripe
+ notify:
+ - xfr-ns-1
+ - xfr-ns-2
+ acl:
+ - xfr
+ soa:
+ mname: ns-master.int.infra.auro.re.
+ ns:
+ - target:
+ - ns-1.auro.re.
+ - ns-2.auro.re.
+ reverse_hosts: "{{ knotd__hosts['adh.auro.re']
+ | ip_filter(['45.66.110.0/24'])
+ | add_origin_keys('adh.auro.re.') }}"
+
+ 111.66.45.in-addr.arpa:
+ dnssec_policy: ripe
+ notify:
+ - xfr-ns-1
+ - xfr-ns-2
+ acl:
+ - xfr
+ soa:
+ mname: ns-master.int.infra.auro.re.
+ ns:
+ - target:
+ - ns-1.auro.re.
+ - ns-2.auro.re.
+ reverse_hosts: "{{ knotd__hosts['auro.re']
+ | ip_filter(['45.66.111.0/24'])
+ | add_origin_keys('auro.re.') }}"
+
+ 0.4.8.6.9.0.a.2.ip6.arpa:
+ dnssec_policy: ripe
+ notify:
+ - xfr-ns-1
+ - xfr-ns-2
+ acl:
+ - xfr
+ soa:
+ mname: ns-master.int.infra.auro.re.
+ ns:
+ - target:
+ - ns-1.auro.re.
+ - ns-2.auro.re.
+ reverse_hosts: "{{ knotd__hosts['auro.re']
+ | ip_filter(['2a09:6840::/32'])
+ | add_origin_keys('auro.re.')
+ | combine(knotd__hosts['adh.auro.re']
+ | ip_filter(['2a09:6840::/32'])
+ | add_origin_keys('adh.auro.re.')) }}"
+...
diff --git a/host_vars/ntp-1.int.infra.auro.re.yml b/host_vars/ntp-1.int.infra.auro.re.yml
new file mode 100644
index 0000000..8834c92
--- /dev/null
+++ b/host_vars/ntp-1.int.infra.auro.re.yml
@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+ int0: 02:00:00:74:71:83
+
+ifupdown2__interfaces:
+ int0:
+ addresses:
+ - 2a09:6840:206::1:5/64
+ - 10.206.1.5/16
+ gateways: "{{ ifupdown2__gateways.int }}"
+...
diff --git a/host_vars/ntp-2.int.infra.auro.re.yml b/host_vars/ntp-2.int.infra.auro.re.yml
new file mode 100644
index 0000000..31c64f1
--- /dev/null
+++ b/host_vars/ntp-2.int.infra.auro.re.yml
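Review bot: The `ripe` policy in `knotd__policies` sets `ds-push: ksk-ripe`, but `knotd__remotes` defines only `xfr-ns-1`, `xfr-ns-2` and `ksk-infra` and `knotd__acl` has no matching entry, so if the template emits the policy as written the four reverse zones will reference an undefined remote (unless it comes from a file outside this commit — worth confirming before the first KSK rollover rather than after). `nsec3: on` in the `infra` and `ripe` policies is a YAML 1.1 truthy scalar that some loaders keep as the string `on`; write `nsec3: true` as the `public` policy does. Key naming also mixes `ksk_lifetime`/`zsk_lifetime` with `ds-push`/`cds-cdnskey-publish`/`ksk-submission`; one convention should be picked so the role's variable lookups stay predictable. `#queryacl: local` is left commented out on `infra.auro.re`, so the internal addresses listed under that zone's `hosts` are served to any resolver; if publishing them is intended, say so on that line, otherwise enable the ACL.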
@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+ int0: 04:00:00:31:be:50
+
+ifupdown2__interfaces:
+ int0:
+ addresses:
+ - 2a09:6840:206::1:6/64
+ - 10.206.1.6/16
+ gateways: "{{ ifupdown2__gateways.int }}"
+...
diff --git a/host_vars/prometheus-1.monit.infra.auro.re.yml b/host_vars/prometheus-1.monit.infra.auro.re.yml new file mode 100644
index 0000000..5d82e71
--- /dev/null
+++ b/host_vars/prometheus-1.monit.infra.auro.re.yml
@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+ monit0: 02:00:00:a8:6b:51
+
+ifupdown2__interfaces:
+ monit0:
+ addresses:
+ - 2a09:6840:204::1:1/64
+ - 10.204.1.1/16
+ gateways: "{{ ifupdown2__gateways.monit }}"
+...
diff --git a/host_vars/prometheus-2.monit.infra.auro.re.yml b/host_vars/prometheus-2.monit.infra.auro.re.yml new file mode 100644
index 0000000..093659d
--- /dev/null
+++ b/host_vars/prometheus-2.monit.infra.auro.re.yml
@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+ monit0: 04:00:00:a6:93:5a
+
+ifupdown2__interfaces:
+ monit0:
+ addresses:
+ - 2a09:6840:204::1:2/64
+ - 10.204.1.2/16
+ gateways: "{{ ifupdown2__gateways.monit }}"
+...
diff --git a/host_vars/radius-1.isp.infra.auro.re.yml b/host_vars/radius-1.isp.infra.auro.re.yml new file mode 100644
index 0000000..4f96b4f
--- /dev/null
+++ b/host_vars/radius-1.isp.infra.auro.re.yml
@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+ isp0: 02:00:00:6a:3e:f4
+
+ifupdown2__interfaces:
+ isp0:
+ addresses:
+ - 2a09:6840:210::1:3/64
+ - 10.210.1.3/16
+ gateways: "{{ ifupdown2__gateways.isp }}"
+...
diff --git a/host_vars/radius-2.isp.infra.auro.re.yml b/host_vars/radius-2.isp.infra.auro.re.yml new file mode 100644
index 0000000..97dc658
--- /dev/null
+++ b/host_vars/radius-2.isp.infra.auro.re.yml
@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+ isp0: 04:00:00:29:6d:c9
+
+ifupdown2__interfaces:
+ isp0:
+ addresses:
+ - 2a09:6840:210::1:4/64
+ - 10.210.1.4/16
+ gateways: "{{ ifupdown2__gateways.isp }}"
+...
diff --git a/host_vars/vpn-1.back.infra.auro.re.yml b/host_vars/vpn-1.back.infra.auro.re.yml new file mode 100644
index 0000000..ba23e2f
--- /dev/null
+++ b/host_vars/vpn-1.back.infra.auro.re.yml
@@ -0,0 +1,24 @@
+---
+ifupdown2__wireguard:
+ wg0:
+ private_key: "{{ vault_wireguard_wg0_private }}"
+ listen_port: 5121
+ goto_table: bird
+ peer_allowed_addresses:
+ - 2a09:6840:212::1:1/128
+ - 10.212.1.1/32
+ peer_public_key: 0kP/XjaGOpu4p9KHTAoAhkLwXzC8wJUdPIdhdpgeKhY=
+
+ifupdown2__interfaces:
+ adm0:
+ addresses:
+ - 2a09:6840:128::10:11/64
+ - 10.128.10.11/16
+ ext0:
+ addresses:
+ - 45.66.111.200/30
+ vpn0:
+ addresses:
+ - 2a09:6840:213::1:3/64
+ - 10.213.1.3/16
+...
diff --git a/hosts b/hosts
index a914079..057afd1 100644
--- a/hosts
+++ b/hosts
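Review bot: This host file is inert as committed, because the inventory hunk that follows comments `vpn-1.back.infra.auro.re` out of both `[vpn]` and `[vm_network]`, so no play will ever apply the `wg0` listener (udp/5121 on a public /30) or the interface set defined here. If vpn-1 is still running, an Internet-facing WireGuard endpoint has just dropped out of configuration management; either re-enable the host in `[vpn]` and `[vm_network]` or hold this file back until it is. Minor: `ext0` carries `45.66.111.200/30` with no `gateways` entry, presumably because routing is left to bird via `goto_table: bird` — confirm that is intended, otherwise the host has no default route on its public leg.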
@@ -1,35 +1,57 @@ # Aurore servers inventory -# How to name your server ? -# > We name servers according to location, then type, then function. -# > Then we regroup everything in global geographic, type and function groups. +[vpn] +#vpn-[1:2].back.infra.auro.re -[pve_network] -network-1.pve.infra.auro.re -network-2.pve.infra.auro.re +[dns] +dns-[1:2].int.infra.auro.re + +[dhcp] +dhcp-[1:2].isp.infra.auro.re + +[edge] +edge-[1:2].back.infra.auro.re + +[isp] +isp-1.back.infra.auro.re +#isp-[1:2].back.infra.auro.re + +[infra] +infra-[1:2].back.infra.auro.re + +[prometheus] +prometheus-[1:2].monit.infra.auro.re + +[ldap] +#ldap-[1:2].int.infra.auro.re + +[ntp] +ntp-[1:2].int.infra.auro.re + +[radius] +radius-[1:2].isp.infra.auro.re [vm_network] -edge-1.back.infra.auro.re -edge-2.back.infra.auro.re -dns-1.int.infra.auro.re -dns-2.int.infra.auro.re -ssh-1.mgmt.infra.auro.re -ssh-2.mgmt.infra.auro.re -infra-1.back.infra.auro.re -infra-2.back.infra.auro.re -isp-1.back.infra.auro.re -isp-2.back.infra.auro.re -dhcp-1.isp.infra.auro.re -dhcp-2.isp.infra.auro.re -radius-1.isp.infra.auro.re -radius-2.isp.infra.auro.re -ldap-1.int.infra.auro.re -ldap-2.int.infra.auro.re -ntp-1.int.infra.auro.re -ntp-2.int.infra.auro.re -prometheus-1.monit.infra.auro.re -prometheus-2.monit.infra.auro.re -vpn-1.back.infra.auro.re +#vpn-[1:2].back.infra.auro.re +edge-[1:2].back.infra.auro.re +dhcp-[1:2].isp.infra.auro.re +dns-[1:2].int.infra.auro.re +radius-[1:2].isp.infra.auro.re +ntp-[1:2].int.infra.auro.re +#ldap-[1:2].int.infra.auro.re +#isp-[1:2].back.infra.auro.re +infra-[1:2].back.infra.auro.re +prometheus-[1:2].monit.infra.auro.re + +[pve:children] +pve_network +pve_services + +[pve_network] +network-[1:2].pve.infra.auro.re + +[pve_services] +services-[1:2].pve.infra.auro.re ############################################################################### # Aurore : main services 
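Review bot: Group membership is inconsistent for `isp-1.back.infra.auro.re`: it is listed under `[isp]` (so it receives the firewall, keepalived and ip_forward plays) but commented out under `[vm_network]` (so it misses the openssh, root, resolvconf, chronyd and ifupdown2 plays), which is the wrong way round for a router — a ruleset without the baseline hardening. Add `isp-1.back.infra.auro.re` to `[vm_network]` (or uncomment `isp-[1:2]` there once isp-2 exists). `[vpn]` and `[ldap]` are now empty while host_vars for vpn-1 were just added; a one-word comment per commented-out entry (`# not built yet` vs `# decommissioned`) would stop the next person from guessing whether these hosts are live and unmanaged.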
@@ -116,26 +138,10 @@ dhcp-fleming.adm.auro.re dhcp-fleming-backup.adm.auro.re dns-fleming.adm.auro.re dns-fleming-backup.adm.auro.re -ntp-1.int.infra.auro.re prometheus-fleming.adm.auro.re ns-master.int.infra.auro.re -dns-1.int.infra.auro.re ns-1.auro.re -ldap-1.int.infra.auro.re -radius-1.isp.infra.auro.re -#prometheus-fleming-fo.adm.auro.re -dhcp-1.isp.auro.re -dhcp-2.isp.auro.re radius-fleming.adm.auro.re -dns-1.int.infra.auro.re -isp-1.back.infra.auro.re -isp-2.back.infra.auro.re -edge-1.back.infra.auro.re -edge-2.back.infra.auro.re -infra-1.back.infra.auro.re -infra-2.back.infra.auro.re -dhcp-1.isp.auro.re -dhcp-2.isp.auro.re radius-fleming-backup.adm.auro.re unifi-fleming.adm.auro.re routeur-fleming.adm.auro.re diff --git a/playbooks/chronyd.yml b/playbooks/chronyd.yml index fe17d5f..5cddf4a 100755 --- a/playbooks/chronyd.yml +++ b/playbooks/chronyd.yml @@ -1,30 +1,9 @@ #!/usr/bin/env ansible-playbook --- -- hosts: - - ntp-1.int.infra.auro.re - - ntp-2.int.infra.auro.re - vars: - chronyd__allow_networks: - - 10.128.0.0/16 - - 2a09:6840:128::/48 - chronyd__pools: - - 0.pool.ntp.org - - 1.pool.ntp.org - - 2.pool.ntp.org - - 3.pool.ntp.org - chronyd__local_stratum: 10 - roles: - - chronyd - - hosts: - pve_network - vm_network - - "!ntp-1.int.infra.auro.re" - - "!ntp-2.int.infra.auro.re" - vars: - chronyd__pools: - - ntp-1.int.infra.auro.re - - ntp-2.int.infra.auro.re + - ntp roles: - chronyd ... diff --git a/playbooks/dhcpd.yml b/playbooks/dhcpd.yml index 7f57bd6..d4bfafe 100755 --- a/playbooks/dhcpd.yml +++ b/playbooks/dhcpd.yml 
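Review bot: Collapsing the two chronyd plays into one loses the server/client distinction unless a `group_vars/ntp/chronyd.yml` overrides what clients get — the removed play gave ntp-1/ntp-2 upstream `pool.ntp.org` sources, `chronyd__local_stratum: 10` and a `chronyd__allow_networks` limited to `10.128.0.0/16`/`2a09:6840:128::/48`, and no such group file is visible in this diff. Without it both servers inherit the client pool list and sync to each other (or themselves); with it, the old allow list is now wrong, because the host_vars above put ntp-1/2 only on `int0` (`10.206.1.5/16`) while clients live in back, monit, isp and pve. Please add the ntp group file with explicit upstream pools and an `allow` list that enumerates the client zones rather than an open `allow`.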
@@ -1,70 +1,7 @@ #!/usr/bin/env ansible-playbook --- - hosts: - - dhcp-1.isp.infra.auro.re - - dhcp-2.isp.infra.auro.re - vars: - dhcpd__omapi_key: - algorithm: hmac-sha512 - secret: 99XuJO0ofX3VAnWWlyixWbQ5YTagPfgxyh14IbLNBb3/JzEklkWopvQdj/PXVYbfb/sRyFJBhLexPag4dLh7PA== - dhcpd__interfaces: - - client0 - - client1 - - client2 - - client3 - - client4 - dhcpd__dns_servers: - - 10.128.10.3 - - 10.128.10.103 - dhcpd__domain_search: - - isp.auro.re. - - auro.re. - dhcpd__subnets: - - network: 100.64.0.0/27 - routers: - - 100.64.0.1 - start: 100.64.0.4 - end: 100.64.0.30 - domain_name: client0.isp.auro.re - failover: true - - network: 100.64.0.32/27 - routers: - - 100.64.0.31 - start: 100.64.0.33 - end: 100.64.0.63 - domain_name: client1.isp.auro.re - failover: true - - network: 100.64.0.64/27 - routers: - - 100.64.0.65 - start: 100.64.0.67 - end: 100.64.0.95 - domain_name: client2.isp.auro.re - failover: true - - network: 100.64.0.96/27 - routers: - - 100.64.0.97 - start: 100.64.0.99 - end: 100.64.0.127 - domain_name: client3.isp.auro.re - failover: true - - network: 100.64.0.128/27 - routers: - - 100.64.0.129 - start: 100.64.0.131 - end: 100.64.0.159 - domain_name: client4.isp.auro.re - failover: true - dhcpd__failover: - dhcp-1.isp.infra.auro.re: 10.210.1.1 - dhcp-2.isp.infra.auro.re: 10.210.1.2 - dhcpd__failover_address: "{{ dhcpd__failover[inventory_hostname] }}" - dhcpd__failover_peer_address: "{{ dhcpd__failover - | dict2items - | selectattr('key', '!=', - inventory_hostname) - | map(attribute='value') - | first }}" + - dhcp roles: - dhcpd ... diff --git a/playbooks/firewall.yml b/playbooks/firewall.yml index da03b34..7129b27 100755 --- a/playbooks/firewall.yml +++ b/playbooks/firewall.yml 
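Review bot: The removed block carried the OMAPI `hmac-sha512` secret as a plaintext literal, and it stays in git history wherever the commit moves it; rotate it and have the new location reference a vaulted value (`secret: "{{ vault_dhcpd_omapi_secret }}"`) the way `vault_root_password` and `vault_wireguard_wg0_private` are handled elsewhere in this diff. A known OMAPI key allows lease manipulation on the ISP DHCP pair, so this is not cosmetic. Also check `dhcpd__dns_servers` when porting: the removed value is `10.128.10.3`/`10.128.10.103`, whereas the new knotd host list on the new side of this diff maps dns-1.int/dns-2.int to `10.206.1.1`/`10.206.1.2` — if the adm addresses are going away, ISP clients are handed dead resolvers.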
@@ -1,123 +1,8 @@ #!/usr/bin/env ansible-playbook --- - hosts: - - infra-1.back.infra.auro.re - - infra-2.back.infra.auro.re - vars: - firewall__zones: - adm-legacy: - addrs: - - 2a09:6840:128::/64 - - 10.128.0.0/16 - ups: - addrs: - - 2a09:6840:201::/64 - - 10.201.0.0/16 - edge: - addrs: - - 2a09:6840:202::/64 - - 10.202.0.0/16 - core: - addrs: - - 2a09:6840:203::/64 - - 10.203.0.0/16 - monit: - addrs: - - 2a09:6840:204::/64 - - 10.204.0.0/16 - wifi: - addrs: - - 2a09:6840:205::/64 - - 10.205.0.0/16 - int: - addrs: - - 2a09:6840:206::/64 - - 10.206.0.0/16 - sw: - addrs: - - 2a09:6840:207::/64 - - 10.207.0.0/16 - bmc: - addrs: - - 2a09:6840:208::/64 - - 10.208.0.0/16 - pve: - addrs: - - 2a09:6840:209::/64 - - 10.209.0.0/16 - isp: - addrs: - - 2a09:6840:210::/64 - - 10.210.0.0/16 - ext: - addrs: - - 2a09:6840:211::/64 - - 45.66.111.0/24 - - 10.211.0.0/16 - vpn-clients: - addrs: - - 2a09:6840:212::/64 - - 10.212.0.0/16 - vpn: - addrs: - - 2a09:6840:213::/64 - - 10.213.0.0/16 - infra: - zones: - - adm-legacy - - ups - - core - - edge - - monit - - wifi - - int - - sw - - bmc - - pve - - isp - - ext - - vpn - internet: - negate: true - addrs: - - 2a09:6840::/32 - - 2a09:6841::/32 - - 2a09:6842::/32 - - 45.66.108.0/22 - - 10.0.0.0/8 - - 100.64.0.0/10 - firewall__input: - - verdict: accept - firewall__output: - - verdict: accept - firewall__forward: - - src: vpn-clients - dst: infra - verdict: accept - - src: infra # FIXME: temporary - dst: internet - verdict: accept - - src: monit - dst: bmc - protocols: - icmp: true - verdict: accept - - src: adm-legacy - dst: bmc - verdict: accept - - dst: - - 2a09:6840:211::204 - - 45.66.111.204 - protocols: - udp: - dport: 5121 - verdict: accept - firewall__nat: - - src: 10.0.0.0/8 - dst: internet - protocols: null - snat: - addr: 45.66.111.200/32 + - infra + - isp roles: - firewall ... diff --git a/playbooks/freeradius.yml b/playbooks/freeradius.yml index b5cac6a..e7621b7 100755 --- a/playbooks/freeradius.yml 
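Review bot: The play now targets `isp` as well as `infra`, but the removed ruleset was written for the infra pair only (its `firewall__nat` SNAT to `45.66.111.200/32`, the `adm-legacy`→`bmc` allow and the `# FIXME: temporary` infra→internet forward); nothing in this diff shows an isp-specific `firewall__forward`, so the isp routers will render whatever the role's defaults are — verify that is a deny-by-default forward chain and not an empty one. Two things to scope rather than copy blindly into group vars: `firewall__input`/`firewall__output` were `accept` everything, and the FIXME forward was explicitly temporary. Separately, `45.66.111.200` is the former SNAT source here but is assigned to vpn-1's `ext0` as `45.66.111.200/30` in the host_vars above; one of the two must change or the address is claimed twice.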
+++ b/playbooks/freeradius.yml @@ -1,22 +1,7 @@ #!/usr/bin/env ansible-playbook --- - hosts: - - radius-1.isp.infra.auro.re - vars: - radiusd__guest_vlan: 1000 - radiusd__clients: - localhost: - addr: 127.0.0.1 - secret: abcdef - type: aurore - wifi-ap-v4: - addr: 10.102.0.0/16 - secret: abcdef - type: aurore - wifi-ap-v6: - addr: 2a09:6840:102::/56 - secret: abcdef - type: aurore + - radius roles: - freeradius ... diff --git a/playbooks/ifupdown2.yml b/playbooks/ifupdown2.yml index 678e12d..42a4841 100755 --- a/playbooks/ifupdown2.yml +++ b/playbooks/ifupdown2.yml 
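Review bot: The removed `radiusd__clients` all used the placeholder shared secret `abcdef` for `localhost`, `10.102.0.0/16` and `2a09:6840:102::/56`; whatever file takes these over should source a real random secret per client from the vault (`secret: "{{ vault_radiusd_clients.wifi_ap }}"`), since a guessable RADIUS secret lets anyone on the AP network forge Access-Accept replies and grant themselves a VLAN. The play also widens from `radius-1` alone to the `radius` group, so radius-2 now gets FreeRADIUS; make sure both nodes receive identical client definitions and that `radiusd__guest_vlan: 1000` survives the move.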
@@ -2,458 +2,6 @@ --- - hosts: - vm_network - vars: - ifupdown2__wireguard_proto: wireguard - ifupdown2__gateways: - adm: - - 2a09:6840:128::254 - - 10.128.0.254 - int: - - 2a09:6840:206::1 - - 10.206.0.1 - pub: - - 2a09:6840:111::254 - - 45.66.111.254 - ifupdown2__hosts_wireguard: - vpn-1.back.infra.auro.re: - wg0: - private_key: "{{ vault_wireguard_wg0_private }}" - listen_port: 5121 - goto_table: bird - peer_allowed_addresses: - - 2a09:6840:212::1:1/128 - - 10.212.1.1/32 - peer_public_key: 0kP/XjaGOpu4p9KHTAoAhkLwXzC8wJUdPIdhdpgeKhY= - ifupdown2__hosts_base: - edge-1.back.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:2/64 - - 10.128.10.2/16 - crans0: - ipv6_addrgen: false - zayo0: - ipv6_addrgen: false - rezel0: - addresses: - - 2a09:6842:19:9116::1/64 - - 45.66.111.1/29 - back0: - addresses: - - 2a09:6840:203::1:1/64 - - 10.203.1.1/16 - viarezo0: - ipv6_addrgen: false - router0: - addresses: - - 2a09:6840:129::10:2/56 - - 10.129.10.2/16 - oti0: - addresses: - - 2a00:a4c0:100c:1::b/127 - - 77.95.70.11/31 - edge-2.back.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:102/64 - - 10.128.10.102/16 - crans0: - ipv6_addrgen: false - zayo0: - ipv6_addrgen: false - rezel0: - addresses: - - 2a09:6842:19:9116::3/64 - - 45.66.111.3/29 - back0: - addresses: - - 2a09:6840:203::1:2/64 - - 10.203.1.2/16 - viarezo0: - ipv6_addrgen: false - router0: - addresses: - - 2a09:6840:129::10:102/56 - - 10.129.10.102/16 - dns-1.int.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:3/64 - - 10.128.10.3/16 - gateways: "{{ ifupdown2__gateways.adm }}" - int0: - addresses: - - 2a09:6840:206::2/64 - - 10.206.0.2/16 - dns-2.int.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:103/64 - - 10.128.10.103/16 - gateways: "{{ ifupdown2__gateways.adm }}" - int0: - addresses: - - 2a09:6840:206::3/64 - - 10.206.0.3/16 - vpn-1.back.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:11/64 - - 10.128.10.11/16 - pub0: - addresses: - - 2a09:6840:207::118/64 - - 
45.66.111.118/24 - vpn0: - addresses: - - 2a09:6840:213::1:3/64 - - 10.213.1.3/16 - vpn-2.mgmt.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:111/64 - - 10.128.10.111/16 - gateways: "{{ ifupdown2__gateways.adm }}" - back0: - addresses: - - 2a09:6840:203::1:8/64 - - 10.203.1.8/16 - ssh-1.mgmt.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:1/64 - - 10.128.10.1/16 - gateways: "{{ ifupdown2__gateways.adm }}" - pub0: - addresses: - - 2a09:6840:207::2/64 - - 45.66.108.2/16 - mgmt0: - addresses: - - 2a09:6840:211::1:1/64 - - 10.211.1.1/16 - ssh-2.mgmt.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:101/64 - - 10.128.10.101/16 - gateways: "{{ ifupdown2__gateways.adm }}" - pub0: - addresses: - - 2a09:6840:207::3/64 - - 45.66.108.3/16 - mgmt0: - addresses: - - 2a09:6840:211::1:2/64 - - 10.211.1.2/16 - infra-1.back.infra.auro.re: - back0: - addresses: - - 2a09:6840:203::1:3/64 - - 45.66.111.210/32 - - 10.203.1.3/16 - ups0: - ipv6_addrgen: false - monit0: - ipv6_addrgen: false - wifi0: - ipv6_addrgen: false - int0: - ipv6_addrgen: false - sw0: - ipv6_addrgen: false - bmc0: - ipv6_addrgen: false - pve0: - ipv6_addrgen: false - isp0: - ipv6_addrgen: false - ext0: - ipv6_addrgen: false - vpn0: - ipv6_addrgen: false - infra-2.back.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:104/64 - - 10.128.10.104/16 - gateways: "{{ ifupdown2__gateways.adm }}" - back0: - addresses: - - 2a09:6840:203::1:4/64 - - 45.66.111.211/32 - - 10.203.1.4/16 - ups0: - ipv6_addrgen: false - monit0: - ipv6_addrgen: false - wifi0: - ipv6_addrgen: false - int0: - ipv6_addrgen: false - sw0: - ipv6_addrgen: false - bmc0: - ipv6_addrgen: false - pve0: - ipv6_addrgen: false - isp0: - ipv6_addrgen: false - ext0: - ipv6_addrgen: false - vpn0: - ipv6_addrgen: false - isp-1.back.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:5/64 - - 10.128.10.5/16 - gateways: "{{ ifupdown2__gateways.adm }}" - back0: - addresses: - - 2a09:6840:203::1:5/64 - - 10.203.1.5/16 - 
trunk0: - ipv6_addrgen: false - clients0: - bridge_vlan_aware: true - bridge_ports: - - trunk0 - bridge_vids: - - 1000-1004 - bridge_disable_pvid: true - ipv6_addrgen: false - client0: - vlan_id: 1000 - vlan_raw_device: clients0 - ipv6_addrgen: false - client1: - vlan_id: 1001 - vlan_raw_device: clients0 - ipv6_addrgen: false - client2: - vlan_id: 1002 - vlan_raw_device: clients0 - ipv6_addrgen: false - client3: - vlan_id: 1003 - vlan_raw_device: clients0 - ipv6_addrgen: false - client4: - vlan_id: 1004 - vlan_raw_device: clients0 - ipv6_addrgen: false - isp-2.back.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:105/64 - - 10.128.10.105/16 - gateways: "{{ ifupdown2__gateways.adm }}" - back0: - addresses: - - 2a09:6840:203::1:6/64 - - 10.203.1.6/16 - trunk0: - ipv6_addrgen: false - clients0: - bridge_vlan_aware: true - bridge_ports: - - trunk0 - bridge_vids: - - 1000-1004 - bridge_disable_pvid: true - ipv6_addrgen: false - client0: - vlan_id: 1000 - vlan_raw_device: clients0 - ipv6_addrgen: false - client1: - vlan_id: 1001 - vlan_raw_device: clients0 - ipv6_addrgen: false - client2: - vlan_id: 1002 - vlan_raw_device: clients0 - ipv6_addrgen: false - client3: - vlan_id: 1003 - vlan_raw_device: clients0 - ipv6_addrgen: false - client4: - vlan_id: 1004 - vlan_raw_device: clients0 - ipv6_addrgen: false - dhcp-1.isp.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:6/64 - - 10.128.10.6/16 - gateways: "{{ ifupdown2__gateways.adm }}" - isp0: - addresses: - - 2a09:6840:210::1:1/64 - - 10.210.1.1/16 - trunk0: null - clients0: - bridge_vlan_aware: true - bridge_ports: - - trunk0 - bridge_vids: - - 1000-1004 - bridge_disable_pvid: true - ipv6_addrgen: false - client0: - addresses: - - 100.64.0.2/27 - vlan_id: 1000 - vlan_raw_device: clients0 - client1: - addresses: - - 100.64.0.34/27 - vlan_id: 1001 - vlan_raw_device: clients0 - client2: - addresses: - - 100.64.0.66/27 - vlan_id: 1002 - vlan_raw_device: clients0 - client3: - addresses: - - 100.64.0.98/27 - 
vlan_id: 1003 - vlan_raw_device: clients0 - client4: - addresses: - - 100.64.0.130/27 - vlan_id: 1004 - vlan_raw_device: clients0 - dhcp-2.isp.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:106/64 - - 10.128.10.106/16 - gateways: "{{ ifupdown2__gateways.adm }}" - isp0: - addresses: - - 2a09:6840:210::1:2/64 - - 10.210.1.2/16 - trunk0: null - clients0: - bridge_vlan_aware: true - bridge_ports: - - trunk0 - bridge_vids: - - 1000-1004 - bridge_disable_pvid: true - ipv6_addrgen: false - client0: - addresses: - - 100.64.0.3/27 - vlan_id: 1000 - vlan_raw_device: clients0 - client1: - addresses: - - 100.64.0.35/27 - vlan_id: 1001 - vlan_raw_device: clients0 - client2: - addresses: - - 100.64.0.67/27 - vlan_id: 1002 - vlan_raw_device: clients0 - client3: - addresses: - - 100.64.0.99/27 - vlan_id: 1003 - vlan_raw_device: clients0 - client4: - addresses: - - 100.64.0.131/27 - vlan_id: 1004 - vlan_raw_device: clients0 - radius-1.isp.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:7/64 - - 10.128.10.7/16 - gateways: "{{ ifupdown2__gateways.adm }}" - isp0: - addresses: - - 2a09:6840:210::1:3/64 - - 10.210.1.3/16 - radius-2.isp.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:107/64 - - 10.128.10.107/16 - gateways: "{{ ifupdown2__gateways.adm }}" - isp0: - addresses: - - 2a09:6840:210::1:4/64 - - 10.210.1.4/16 - ldap-1.int.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:8/64 - - 10.128.10.8/16 - gateways: "{{ ifupdown2__gateways.adm }}" - int0: - addresses: - - 2a09:6840:206::1:3/64 - - 10.206.1.3/16 - ldap-2.int.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:108/64 - - 10.128.10.108/16 - gateways: "{{ ifupdown2__gateways.adm }}" - int0: - addresses: - - 2a09:6840:206::1:4/64 - - 10.206.1.4/16 - ntp-1.int.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:9/64 - - 10.128.10.9/16 - gateways: "{{ ifupdown2__gateways.adm }}" - int0: - addresses: - - 2a09:6840:206::1:5/64 - - 10.206.1.5/16 - ntp-2.int.infra.auro.re: - adm0: - 
addresses: - - 2a09:6840:128::10:109/64 - - 10.128.10.109/16 - gateways: "{{ ifupdown2__gateways.adm }}" - int0: - addresses: - - 2a09:6840:206::1:6/64 - - 10.206.1.6/16 - prometheus-1.monit.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:10/64 - - 10.128.10.10/16 - gateways: "{{ ifupdown2__gateways.adm }}" - monit0: - addresses: - - 2a09:6840:204::1:1/64 - - 10.204.1.1/16 - prometheus-2.monit.infra.auro.re: - adm0: - addresses: - - 2a09:6840:128::10:110/64 - - 10.128.10.110/16 - gateways: "{{ ifupdown2__gateways.adm }}" - monit0: - addresses: - - 2a09:6840:204::1:2/64 - - 10.204.1.2/16 - ifupdown2__wireguard: "{{ ifupdown2__hosts_wireguard[inventory_hostname] - | default({}) }}" - ifupdown2__interfaces: "{{ ifupdown2__hosts_base[inventory_hostname] }}" roles: - ifupdown2 ... diff --git a/playbooks/ip_forward.yml b/playbooks/ip_forward.yml index 85073cb..03b6f7e 100755 --- a/playbooks/ip_forward.yml +++ b/playbooks/ip_forward.yml @@ -1,11 +1,10 @@ #!/usr/bin/env ansible-playbook --- - hosts: - - edge-1.back.infra.auro.re - - edge-2.back.infra.auro.re - - infra-1.back.infra.auro.re - - infra-2.back.infra.auro.re - - vpn-1.back.infra.auro.re + - edge + - infra + - isp + - vpn roles: - ip_forward ... diff --git a/playbooks/keepalived.yml b/playbooks/keepalived.yml index 7355a17..defbd47 100755 --- a/playbooks/keepalived.yml +++ b/playbooks/keepalived.yml 
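Review bot: The play still targets all of `vm_network`, so every host in that group now needs `ifupdown2__interfaces` in its host_vars; this chunk adds them only for ntp-1/2, prometheus-1/2, radius-1/2 and vpn-1, while dns, edge, dhcp, infra and isp had definitions here and I cannot see their replacements — if those files exist elsewhere in the commit, fine, otherwise the role fails or, worse, renders an empty interfaces file on a router. The new per-host files also drop the `adm0` leg and its `ifupdown2__gateways.adm` default route that ntp, prometheus and radius had here, keeping only the zone interface; if Ansible reaches those VMs over adm, applying this cuts the session mid-run, so confirm the new management path before the first run. A short comment in each host_vars file naming the intended management interface would make that explicit.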
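Review bot: Adding `isp` here turns isp-1 into a router between `back0` and the five client VLAN interfaces (`client0`–`client4` on the `clients0` bridge, per the interface definitions removed in the ifupdown2 hunk), while `vpn` is currently an empty group in the inventory. Forwarding on the ISP edge should land together with an isp firewall policy — in particular, forwarding between client VLANs should be denied unless intended — and nothing in this diff shows that ruleset. Consider applying `ip_forward` only to hosts that also define `firewall__forward`, or at least document the required play ordering so the firewall is applied first.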
@@ -1,108 +1,9 @@ #!/usr/bin/env ansible-playbook --- - hosts: - - isp-1.back.infra.auro.re - - isp-2.back.infra.auro.re - vars: - keepalived__virtual_router_id: 80 - keepalived__interface: back0 - keepalived__virtual_addresses: - client0: - - 100.64.0.1/27 - - 2a09:6841::1/56 - - fe80::1/10 - client1: - - 100.64.0.33/27 - - 2a09:6841:0:1::1/64 - - fe80::1/10 - client2: - - 100.64.0.65/27 - - 2a09:6841:0:2::1/64 - - fe80::1/10 - client3: - - 100.64.0.97/27 - - 2a09:6841:0:3::1/64 - - fe80::1/10 - client4: - - 100.64.0.129/27 - - 2a09:6841:0:4::1/64 - - fe80::1/10 - keepalived__main: "{{ inventory_hostname_short == 'isp-1' }}" - roles: - - keepalived - -- hosts: - - edge-1.back.infra.auro.re - - edge-2.back.infra.auro.re - vars: - keepalived__virtual_router_id: 81 - keepalived__interface: back0 - keepalived__virtual_addresses: - crans0: - - 185.230.79.254/29 - - 2a0c:700:28::2/64 - - fe80::1/10 - zayo0: - - 2001:1b48:2:103::d7:2/126 - - 83.167.52.69/31 - - fe80::1/10 - keepalived__main: "{{ inventory_hostname_short == 'edge-1' }}" - roles: - - keepalived - -- hosts: - - infra-1.back.infra.auro.re - - infra-2.back.infra.auro.re - vars: - keepalived__virtual_router_id: 82 - keepalived__interface: back0 - keepalived__virtual_addresses: - ups0: - - 10.201.0.1/16 - - 2a09:6840:201::1/64 - - fe80::1/10 - monit0: - - 10.204.0.1/16 - - 2a09:6840:204::1/64 - - fe80::1/10 - wifi0: - - 10.205.0.1/16 - - 2a09:6840:205::1/64 - - fe80::1/10 - int0: - - 10.206.0.1/16 - - 2a09:6840:206::1/64 - - fe80::1/10 - sw0: - - 10.207.0.1/16 - - 2a09:6840:207::1/64 - - fe80::1/10 - bmc0: - - 10.208.0.1/16 - - 2a09:6840:208::1/64 - - fe80::1/10 - pve0: - - 10.209.0.1/16 - - 2a09:6840:209::1/64 - - fe80::1/10 - isp0: - - 10.210.0.1/16 - - 2a09:6840:210::1/64 - - fe80::1/10 - ext0: - - 10.211.0.1/16 - - 2a09:6840:211::1/64 - - fe80::1/10 - vpn0: - - 10.213.0.1/16 - - 2a09:6840:213::1/64 - - fe80::1/10 - keepalived__virtual_routes: - ext0: - - 45.66.111.204/30 - keepalived__virtual_blackholes: - 
- 45.66.111.200/30 - keepalived__main: "{{ inventory_hostname_short == 'infra-1' }}" + - isp + - edge + - infra roles: - keepalived ... diff --git a/playbooks/knotd.yml b/playbooks/knotd.yml index 10c0598..a74c40a 100755 --- a/playbooks/knotd.yml +++ b/playbooks/knotd.yml 
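Review bot: The three removed plays each pinned a distinct `keepalived__virtual_router_id` (80 isp, 81 edge, 82 infra) on the shared `back0` segment plus their own `keepalived__main` expression; with a single play over `isp`, `edge` and `infra`, the group_vars must preserve three distinct VRIDs, because two groups sharing a VRID on back0 would elect one master across clusters and flap the VIPs. Carry `keepalived__main: "{{ inventory_hostname_short == 'isp-1' }}"` and its siblings per group, and note that `isp-2` is commented out in the inventory, so the isp VIPs currently have no backup. One conflict to resolve: the infra play blackholed `45.66.111.200/30`, and vpn-1's host_vars in this diff assign exactly that prefix to `ext0`.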
@@ -1,496 +1,6 @@ #!/usr/bin/env ansible-playbook --- - hosts: ns-master.int.infra.auro.re - vars: - knotd__listen: - - address: 0.0.0.0 - - address: "::" - knotd__keys: - xfr: - algorithm: hmac-sha512 - secret: "{{ vault_knotd_xfr_key }}" - ksk-infra: - algorithm: hmac-sha512 - secret: "{{ vault_knotd_ksk_infra_key }}" - update-acme-challenge: - algorithm: hmac-sha512 - secret: "{{ vault_certbot_dns_secret }}" - knotd__remotes: - xfr-ns-1: - address: 10.128.0.199 - key: xfr - xfr-ns-2: - address: 10.128.0.109 - key: xfr - ksk-infra: - address: ::1 - key: ksk-infra - knotd__policies: - public: - algorithm: ECDSAP256SHA256 - reproducible_signing: true - # Je n'ai pas trouvé de façon de pousser les records automatiquement - # sur .re, donc pour éviter d'oublier de le faire manuellement, la - # KSK n'expire pas - ksk_lifetime: 0 - zsk_lifetime: 30d - nsec3: true - infra: - algorithm: ECDSAP256SHA256 - ksk_lifetime: 365d - zsk_lifetime: 30d - nsec3: on - ds-push: ksk-infra - cds-cdnskey-publish: rollover - ksk-submission: infra - ripe: - algorithm: ECDSAP256SHA256 - ksk_lifetime: 365d - zsk_lifetime: 30d - nsec3: on - ds-push: ksk-ripe - cds-cdnskey-publish: rollover - ksk-submission: ripe - knotd__acl: - xfr: - addresses: - - 10.128.0.199 - - 2a09:6840:128::199 - - 10.128.0.109 - - 2a09:6840:128::109 - action: transfer - key: xfr - ksk-infra: - addresses: - - 127.0.0.1 - - ::1 - key: ksk-infra - action: update - update_types: - - DS - update_owner: name - update_owner_match: equal - update_owner_name: - - infra - update-acme-challenge: - addresses: - - 10.128.0.0/16 - - 2a09:6840:128::/48 - key: update-acme-challenge - action: update - update_types: - - TXT - update_owner: name - update_owner_match: equal - update_owner_name: - - _acme-challenge.auro.re. - knotd__queryacl: - local: - addresses: - - 10.0.0.0/8 - knotd__soa_rname: root@auro.re. 
- # TODO: Netbox - knotd__hosts: - auro.re: - proxy-ovh: - - 92.222.211.195 - horus: - - 92.23.218.136 - ns-1: - - 45.66.111.30 - - 2a09:6840:111::30 - ns-2: - - 92.222.211.194 - serge: - - 92.222.211.196 - lama: - - 185.230.78.220 - - 2a0c:700:12:0:67:e5ff:fee9:108 - vpn-ovh: - - 92.222.211.197 - passerelle: - - 45.66.111.254 - - 2a09:6840:111::254 - proxy: - - 45.66.111.61 - - 2a09:6840:111::61 - camelot: - - 45.66.111.59 - - 2a09:6840:111::59 - mail: - - 45.66.111.62 - - 2a09:6840:111::62 - galene: - - 45.66.111.65 - - 2a09:6840:111::65 - aclyas: - - 45.66.111.231 - - 2a09:6840:111::231 - jitsi: - - 45.66.111.55 - - 2a09:6840:111::55 - portail-fleming: - - 10.13.0.247 - - 2a09:6840:13::247 - portail-pacaterie: - - 10.23.0.247 - - 2a09:6840:23::247 - portail-rives: - - 10.33.0.247 - - 2a09:6840:33::247 - portail-edc: - - 10.43.0.247 - - 2a09:6840:43::247 - portail-gs: - - 10.53.0.247 - - 2a09:6840:53::247 - adh.auro.re: - hoffman: - - 45.66.110.1 - - 2a09:6840:110:0:2d8:61ff:fe56:d7eb - hindley: - - 45.66.110.3 - - 2a09:6840:110:0:a6ba:dbff:fe03:1f36 - yberreby: - - 45.66.110.5 - - 2a09:6840:110:0:d896:1dff:fe59:8381 - paon: - - 45.66.110.10 - - 2a09:6840:110:0:231:92ff:fe1b:ae22 - lovelace: - - 45.66.110.45 - - 2a09:6840:110:0:c634:6bff:feb5:7bcc - switch-leo: - - 45.66.110.103 - - 2a09:6840:110:0:82cc:9cff:fe82:ca3e - haskell: - - 45.66.110.112 - - 2a09:6840:110:0:f4ac:cbff:fe81:7f48 - lyshyga0: - - 45.66.110.113 - - 2a09:6840:110:0:6af7:28ff:fe91:e8d9 - pz28910: - - 45.66.110.114 - vinsing0: - - 45.66.110.123 - - 2a09:6840:110:0:1e1b:dff:fe90:7d81 - osc-routeur: - - 45.66.110.125 - - 2a09:6840:110:0:ba27:ebff:fe2d:c1a1 - odroid: - - 45.66.110.154 - - 2a09:6840:110:0:21e:6ff:fe49:e00 - amau0: - - 45.66.110.164 - - 2a09:6840:110:0:3e7c:3fff:fec3:27d1 - regulus: - - 45.66.110.180 - - 2a09:6840:110:0:2ef0:5dff:fe2a:1530 - toaster: - - 45.66.110.188 - - 2a09:6840:110:0:5246:5dff:fe9a:f70 - rpijutax: - - 45.66.110.190 - - 2a09:6840:110:0:ba27:ebff:fe76:a9bc - 
lafeychine: - - 45.66.110.200 - - 2a09:6840:110:0:46a5:6eff:fe71:1 - polaris: - - 45.66.110.245 - - 2a09:6840:110:0:dea6:32ff:feb4:d033 - knotd__zones: - auro.re: - dnssec_policy: public - notify: - - xfr-ns-1 - - xfr-ns-2 - acl: - - update-acme-challenge - - ksk-infra - - xfr - soa: - mname: ns-master.int.infra - ns: - - target: - - ns-1 - - ns-2 - - name: infra - target: - - ns-1 - - ns-2 - - name: adm - target: - - serge - - lama - - name: ups - target: - - serge - - lama - - name: switch - target: - - serge - - lama - - name: borne - target: - - serge - - lama - mx: - - exchange: mail - preference: 5 - - exchange: proxy-ovh - preference: 10 - spf: - - data: v=spf1 mx -all - a: - - address: 92.222.211.195 - cname: - - name: - - gisti - - gistiti - target: jitsi - - name: - - element - - riot - - auth - - rss - - codimd - - hedgedoc - - kanboard - - www - - pad - - privatebin - - zero - - paste - target: proxy-ovh - - name: - - grafana - - netbox - - wiki - - matrix - - drone - - gitea - - re2o - - nextcloud - - vote - target: proxy - - name: intranet - target: re2o - - name: - - smtp - - imap - target: mail - - name: - - prometheus-paul.adh - - pma-paul.adh - - nextcloud-paul.adh - - grafana-paul.adh - - jellyfin.adh - - monitoring.adh - - beta-mpp.adh - - pz28.adh - target: lucepaul.myvnc.com. - - name: - - services-1.pve - target: services-1.pve.infra - - name: - - services-2.pve - target: services-2.pve.infra - - name: - - services-3.pve - target: services-3.pve.infra - hosts: "{{ knotd__hosts['auro.re'] - | combine(knotd__hosts['adh.auro.re'] - | add_origin_keys('adh.auro.re.')) }}" - infra.auro.re: - dnssec_policy: infra - notify: - - xfr-ns-1 - - xfr-ns-2 - acl: - - xfr - #queryacl: local - soa: - mname: ns-master.int - ns: - - target: - - ns-1.auro.re. - - ns-2.auro.re. 
- hosts: - services-1.ceph: - - 10.132.1.1 - - "2a09:6840:132:1:1::" - services-2.ceph: - - 10.132.1.2 - - "2a09:6840:132:1:2::" - services-3.ceph: - - 10.132.1.3 - - "2a09:6840:132:1:3::" - services-1.pve: - - 10.134.1.1 - - 2a09:6840:132:1:1::1 - services-2.pve: - - 10.134.1.2 - - 2a09:6840:132:1:2::1 - services-3.pve: - - 10.134.1.3 - - 2a09:6840:132:1:3::1 - ns-master.int: - - 10.128.0.110 - - 2a09:6840:128:0::110 - ec-1.ups: - - 10.131.4.1 - - 2a09:6840:131::4:1 - ec-2.ups: - - 10.131.4.2 - - 2a09:6840:131::4:2 - network-1.pve: - - 10.128.5.1 - - 2a09:6840:128::5:1 - network-2.pve: - - 10.128.2.1 - - 2a09:6840:128::2:1 - edge-1.back: - - 10.128.10.2 - - 2a09:6840:128::10:2 - edge-2.back: - - 10.128.10.102 - - 2a09:6840:128::10:102 - dns-1.int: - - 10.128.10.3 - - 2a09:6840:128::10:3 - dns-2.int: - - 10.128.10.103 - - 2a09:6840:128::10:103 - ssh-1.mgmt: - - 10.128.10.1 - - 2a09:6840:128::10:1 - ssh-2.mgmt: - - 10.128.10.101 - - 2a09:6840:128::10:101 - vpn-1.back: - - 10.128.10.11 - - 2a09:6840:128::10:11 - - 10.128.10.111 - - 2a09:6840:128::10:111 - infra-1.back: - - 2a09:6840:203::1:3 - - 10.203.1.3 - infra-2.back: - - 2a09:6840:203::1:4 - - 10.203.1.4 - isp-1.back: - - 10.128.10.5 - - 2a09:6840:128::10:5 - isp-2.back: - - 10.128.10.105 - - 2a09:6840:128::10:105 - dhcp-1.isp: - - 10.128.10.6 - - 2a09:6840:128::10:6 - dhcp-2.isp: - - 10.128.10.106 - - 2a09:6840:128::10:106 - radius-1.isp: - - 10.128.10.7 - - 2a09:6840:128::10:7 - radius-2.isp: - - 10.128.10.107 - - 2a09:6840:128::10:107 - ldap-1.int: - - 10.128.10.8 - - 2a09:6840:128::10:8 - ldap-2.int: - - 10.128.10.108 - - 2a09:6840:128::10:108 - ntp-1.int: - - 10.128.10.9 - - 2a09:6840:128::10:9 - ntp-2.int: - - 10.128.10.109 - - 2a09:6840:128::10:109 - prometheus-1.monit: - - 10.128.10.10 - - 2a09:6840:128::10:10 - prometheus-2.monit: - - 10.128.10.110 - - 2a09:6840:128::10:110 - 108.66.45.in-addr.arpa: - dnssec_policy: ripe - notify: - - xfr-ns-1 - - xfr-ns-2 - acl: - - xfr - soa: - mname: 
ns-master.int.infra.auro.re. - ns: - - target: - - ns-1.auro.re. - - ns-2.auro.re. - 109.66.45.in-addr.arpa: - dnssec_policy: ripe - notify: - - xfr-ns-1 - - xfr-ns-2 - acl: - - xfr - soa: - mname: ns-master.int.infra.auro.re. - ns: - - target: - - ns-1.auro.re. - - ns-2.auro.re. - 110.66.45.in-addr.arpa: - dnssec_policy: ripe - notify: - - xfr-ns-1 - - xfr-ns-2 - acl: - - xfr - soa: - mname: ns-master.int.infra.auro.re. - ns: - - target: - - ns-1.auro.re. - - ns-2.auro.re. - reverse_hosts: "{{ knotd__hosts['adh.auro.re'] - | ip_filter(['45.66.110.0/24']) - | add_origin_keys('adh.auro.re.') }}" - 111.66.45.in-addr.arpa: - dnssec_policy: ripe - notify: - - xfr-ns-1 - - xfr-ns-2 - acl: - - xfr - soa: - mname: ns-master.int.infra.auro.re. - ns: - - target: - - ns-1.auro.re. - - ns-2.auro.re. - reverse_hosts: "{{ knotd__hosts['auro.re'] - | ip_filter(['45.66.111.0/24']) - | add_origin_keys('auro.re.') }}" - 0.4.8.6.9.0.a.2.ip6.arpa: - dnssec_policy: ripe - notify: - - xfr-ns-1 - - xfr-ns-2 - acl: - - xfr - soa: - mname: ns-master.int.infra.auro.re. - ns: - - target: - - ns-1.auro.re. - - ns-2.auro.re. - reverse_hosts: "{{ knotd__hosts['auro.re'] - | ip_filter(['2a09:6840::/32']) - | add_origin_keys('auro.re.') - | combine(knotd__hosts['adh.auro.re'] - | ip_filter(['2a09:6840::/32']) - | add_origin_keys('adh.auro.re.')) }}" roles: - knotd diff --git a/playbooks/kresd.yml b/playbooks/kresd.yml index 1d41fca..052e66b 100755 --- a/playbooks/kresd.yml +++ b/playbooks/kresd.yml @@ -1,30 +1,6 @@ #!/usr/bin/env ansible-playbook --- -- hosts: - - dns-1.int.infra.auro.re - - dns-2.int.infra.auro.re - vars: - kresd__listen: - - address: 0.0.0.0 - port: 53 - kind: dns - - address: "::" - port: 53 - kind: dns - - address: 0.0.0.0 - port: 853 - kind: tls - - address: "::" - port: 853 - kind: tls - - address: 0.0.0.0 - port: 8453 - kind: webmgmt - - address: "::" - port: 8453 - kind: webmgmt - tls: false - kresd__cache_size: 512 +- hosts: dns roles: - kresd ... 
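Review bot: The removed vars had knotd listening on `0.0.0.0`/`::` with `queryacl: local` commented out on `infra.auro.re`, so the zone that carries every RFC1918 address of the management plane is answerable to any querier that can reach ns-master; if the vars move unchanged, either re-enable `queryacl: local` on that zone or restrict `knotd__listen` to the internal addresses. Also worth tightening when porting: the `update-acme-challenge` ACL accepted dynamic updates from all of `10.128.0.0/16`, wider than the hosts that run certbot. The TSIG secrets were already vault references; make sure they stay so in the new location.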
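Review bot: The removed listener list had the `webmgmt` endpoint on `0.0.0.0:8453` and `[::]:8453` with `tls: false`; if `group_vars/dns/kresd.yml` carries it over as-is, the resolver's management interface is reachable in clear from every zone that can route to dns-1/2. Bind it to loopback or to the monit-facing address that prometheus scrapes, e.g. `- address: 127.0.0.1` / `port: 8453` / `kind: webmgmt`, and leave only plain DNS and DoT on the wildcard listeners.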
diff --git a/playbooks/openssh.yml b/playbooks/openssh.yml index 305c8aa..064ec01 100755 --- a/playbooks/openssh.yml +++ b/playbooks/openssh.yml @@ -3,14 +3,6 @@ - hosts: - pve_network - vm_network - vars: - openssh__users_ca_public_key: - "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\ - hBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXW\ - F1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg==" - openssh__authorized_principals: - - any - - "{{ inventory_hostname }}" roles: - openssh_server ... diff --git a/playbooks/pve.yml b/playbooks/pve.yml index f0aac7e..aae7678 100755 --- a/playbooks/pve.yml +++ b/playbooks/pve.yml @@ -1,35 +1,7 @@ #!/usr/bin/env ansible-playbook --- - hosts: - - pve_network - vars: - pve_auth__groups: - admin: - - Administrator - pve_auth__pam_users: - root: - enabled: false - pve_auth__users: - jeltz: - password: "{{ vault_pve_passwords.jeltz }}" - groups: - - admin - otthorn: - password: "{{ vault_pve_passwords.otthorn }}" - groups: - - admin - v-lafeychine: - password: "{{ vault_pve_passwords['v-lafeychine'] }}" - groups: - - admin - pz2891: - password: "{{ vault_pve_passwords.pz2891 }}" - groups: - - admin - loutr: - password: "{{ vault_pve_passwords.loutr }}" - groups: - - admin + - pve roles: - pve_activate - pve_auth diff --git a/playbooks/resolvconf.yml b/playbooks/resolvconf.yml index 1030c41..af74db2 100755 --- a/playbooks/resolvconf.yml +++ b/playbooks/resolvconf.yml @@ -3,16 +3,6 @@ - hosts: - vm_network - pve_network - vars: - resolvconf__nameservers: - - 2a09:6840:128::10:103 - - 2a09:6840:128::10:3 - - 10.128.10.103 - - 10.128.10.3 - resolvconf__domain: auro.re. - resolvconf__search: - - "{{ inventory_hostname | remove_domain_suffix }}" - - auro.re. roles: - resolvconf ... diff --git a/playbooks/root.yml b/playbooks/root.yml index 425140a..c8a8ac7 100755 --- a/playbooks/root.yml +++ b/playbooks/root.yml 
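Review bot: The removed `openssh__authorized_principals` granted the literal principal `any` on every host alongside `{{ inventory_hostname }}`; if that list is kept unchanged in the shared group vars, one user certificate carrying `any` opens every pve and VM node, which defeats the point of per-host principals. Prefer dropping `any`, or renaming it to an obviously break-glass principal issued with a short validity, and issue host- or group-scoped principals from the ECDSA P-384 CA instead. The CA public key itself is fine in plaintext.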
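Review bot: `hosts: pve` is `pve_network` plus `pve_services` per the inventory hunk, so `pve_activate` and `pve_auth` — with PAM `root: enabled: false` and the vaulted admin set — now also run on services-1/2.pve, which were outside this play before; confirm those nodes are meant to share the same admin accounts. Note that the knotd host list on the new side of this diff publishes `services-3.pve` and `services-3.ceph` (`10.134.1.3` / `10.132.1.3`) while `[pve_services]` stops at `services-[1:2]`, so a third node, if it exists, receives neither this play nor the openssh/root hardening; add it to the inventory or drop the DNS entries.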
@@ -3,9 +3,6 @@
 - hosts:
 - vm_network
 - pve_network
- vars:
- root_shell: /bin/bash
- root_password: "{{ vault_root_password }}"
 roles:
 - root_account
 ...
diff --git a/playbooks/systemd_link.yml b/playbooks/systemd_link.yml
index 78e166b..7db0aa9 100755
--- a/playbooks/systemd_link.yml
+++ b/playbooks/systemd_link.yml
@@ -1,131 +1,22 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts:
- - edge-1.back.infra.auro.re
- - edge-2.back.infra.auro.re
- - ssh-1.mgmt.infra.auro.re
- - ssh-2.mgmt.infra.auro.re
- - vpn-1.back.infra.auro.re
- - dns-1.int.infra.auro.re
- - dns-2.int.infra.auro.re
- - infra-1.back.infra.auro.re
- - infra-2.back.infra.auro.re
- - isp-1.back.infra.auro.re
- - isp-2.back.infra.auro.re
- - dhcp-1.isp.infra.auro.re
- - dhcp-2.isp.infra.auro.re
- - radius-1.isp.infra.auro.re
- - radius-2.isp.infra.auro.re
- - ldap-1.int.infra.auro.re
- - ldap-2.int.infra.auro.re
- - ntp-1.int.infra.auro.re
- - ntp-2.int.infra.auro.re
- - prometheus-1.monit.infra.auro.re
- - prometheus-2.monit.infra.auro.re
+ - infra
+ - dns
+ - ntp
+ - prometheus
+ - radius
+ - edge
+ - dhcp
+ - ldap
+ - isp
+ - vpn
 vars:
 systemd_link__hosts:
- edge-1.back.infra.auro.re:
- adm0: 02:00:00:9E:3E:21
- crans0: 02:00:00:A2:7C:68
- zayo0: 02:00:00:35:89:82
- rezel0: 02:00:00:8F:4A:AD
- back0: 02:00:00:1C:3A:2E
- viarezo0: 02:00:00:ED:70:64
- router0: 02:00:00:5A:17:7C
- oti0: 02:00:00:05:0E:A6
- edge-2.back.infra.auro.re:
- adm0: 04:00:00:F5:69:B9
- crans0: 04:00:00:CF:E1:D0
- zayo0: 04:00:00:67:7B:12
- rezel0: 04:00:00:C6:05:B7
- back0: 04:00:00:DE:22:E6
- viarezo0: 04:00:00:45:FA:E6
- router0: 04:00:00:AD:D7:71
- ssh-1.mgmt.infra.auro.re:
- adm0: 02:00:00:a3:49:20
- pub0: 02:00:00:27:ea:9d
- mgmt0: 02:00:00:0f:ac:75
 vpn-1.back.infra.auro.re:
 adm0: 02:00:00:3b:74:20
 vpn0: 02:00:00:b5:ca:c7
 pub0: 02:00:00:e3:65:49
- ssh-2.mgmt.infra.auro.re:
- adm0: 04:00:00:98:c2:10
- pub0: 04:00:00:65:cc:52
- mgmt0: 04:00:00:3c:67:08
- dns-1.int.infra.auro.re:
- adm0: 02:00:00:6c:4b:89
- int0: 02:00:00:9f:d9:f9
- dns-2.int.infra.auro.re:
- adm0: 04:00:00:2a:6e:be
- int0: 04:00:00:3c:c0:5a
- infra-1.back.infra.auro.re:
- adm0: 02:00:00:f0:8a:dd
- ups0: 02:00:00:fe:6f:0e
- back0: 02:00:00:f8:93:22
- monit0: 02:00:00:da:97:7f
- wifi0: 02:00:00:8c:c5:bf
- int0: 02:00:00:75:40:3e
- sw0: 02:00:00:ca:e8:d1
- bmc0: 
02:00:00:47:d1:b9
- pve0: 02:00:00:b3:35:e7
- isp0: 02:00:00:6b:53:14
- ext0: 02:00:00:32:86:60
- vpn0: 02:00:00:52:5f:85
- infra-2.back.infra.auro.re:
- adm0: 04:00:00:d3:03:53
- ups0: 04:00:00:6d:97:83
- back0: 04:00:00:46:ba:f9
- monit0: 04:00:00:72:0b:2d
- wifi0: 04:00:00:ee:42:0f
- int0: 04:00:00:21:fd:d0
- sw0: 04:00:00:2e:5b:16
- bmc0: 04:00:00:bb:5a:a6
- pve0: 04:00:00:0b:2b:82
- isp0: 04:00:00:f4:4c:5d
- ext0: 04:00:00:1d:0e:83
- vpn0: 04:00:00:02:ba:dd
- isp-1.back.infra.auro.re:
- adm0: 02:00:00:D8:37:45
- back0: 02:00:00:BF:10:4C
- trunk0: 02:00:00:E9:BA:15
- isp-2.back.infra.auro.re:
- adm0: 04:00:00:85:C3:5D
- back0: 04:00:00:FE:2D:67
- trunk0: 04:00:00:D8:F5:4D
- dhcp-1.isp.infra.auro.re:
- adm0: 02:00:00:17:61:5b
- isp0: 02:00:00:c6:3f:6f
- trunk0: 02:00:00:b1:8d:d6
- dhcp-2.isp.infra.auro.re:
- adm0: 04:00:00:0c:f1:42
- isp0: 04:00:00:8c:d1:36
- trunk0: 04:00:00:33:2c:3c
- radius-1.isp.infra.auro.re:
- adm0: 02:00:00:4f:35:12
- isp0: 02:00:00:6a:3e:f4
- radius-2.isp.infra.auro.re:
- adm0: 04:00:00:96:54:a6
- isp0: 04:00:00:29:6d:c9
- ldap-1.int.infra.auro.re:
- adm0: 02:00:00:38:c2:52
- int0: 02:00:00:fe:a8:54
- ldap-2.int.infra.auro.re:
- adm0: 04:00:00:f7:1c:47
- int0: 04:00:00:e4:83:d2
- ntp-1.int.infra.auro.re:
- adm0: 02:00:00:e0:26:2e
- int0: 02:00:00:74:71:83
- ntp-2.int.infra.auro.re:
- adm0: 04:00:00:08:83:2b
- int0: 04:00:00:31:be:50
- prometheus-1.monit.infra.auro.re:
- adm0: 02:00:00:66:33:9d
- monit0: 02:00:00:a8:6b:51
- prometheus-2.monit.infra.auro.re:
- adm0: 04:00:00:3d:c6:a1
- monit0: 04:00:00:a6:93:5a
- systemd_link__links: "{{ systemd_link__hosts[inventory_hostname] }}"
 roles:
 - systemd_link
 ...
diff --git a/roles/ifupdown2/templates/interfaces.j2 b/roles/ifupdown2/templates/interfaces.j2
index db0c344..e3f473e 100644
--- a/roles/ifupdown2/templates/interfaces.j2
+++ b/roles/ifupdown2/templates/interfaces.j2
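Review bot: `systemd_link__hosts` on the new side still carries the `vpn-1.back.infra.auro.re` MAC table as play-level `vars:` while every other host's entry was removed from this play; play vars outrank host_vars and group_vars in Ansible precedence, so a per-host definition for vpn-1 added later alongside the others would be silently shadowed by this leftover. Either move the vpn-1 entry to the same place as the rest or drop the `vars:` block entirely. `systemd_link__links` is also gone from the play, so if the role now expects it from host or group vars, a comment such as `# systemd_link__links is defined per host in host_vars` would save the next reader a search. As a matter of style, the `- hosts:` group list (`infra, dns, ntp, prometheus, radius, edge, dhcp, ldap, isp, vpn`) is in no discernible order; sorting it keeps future diffs small.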
@@ -5,10 +5,10 @@ iface lo
 {% macro iface_common(iface, index=None) %}
 {% for address in iface.addresses | default([]) %}
-address {{ address | ipaddr }}
+address {{ address | ansible.utils.ipaddr }}
 {% endfor %}
 {% for gateway in iface.gateways | default([]) %}
-gateway {{ gateway | ipaddr }}
+gateway {{ gateway | ansible.utils.ipaddr }}
 {% endfor %}
 {% if iface.forward | default(false) %}
 ip-forward yes
@@ -23,7 +23,7 @@ post-down ip rule del prio {{ prio + 1 }} iif $IFACE blackhole
 {% endif %}
 {% if iface.ipv6_addrgen is defined %}
 ipv6-addrgen {{ iface.ipv6_addrgen
- | ternary("yes", "no") }}
+ | ternary("yes", "no") }}
 {% endif %}
 {% endmacro %}
diff --git a/roles/root_account/tasks/main.yml b/roles/root_account/tasks/main.yml
index be0b984..1225e7d 100644
--- a/roles/root_account/tasks/main.yml
+++ b/roles/root_account/tasks/main.yml
@@ -2,8 +2,8 @@
 - name: Set root password
 user:
 name: root
- shell: "{{ root_shell }}"
- password: "{{ root_password }}"
+ shell: "{{ root__shell }}"
+ password: "{{ root__password }}"

 - name: Setup bashrc for root
 template:
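Review bot: `ansible.utils.ipaddr` without a query returns `False` rather than raising when its input is not a parseable address, so a malformed entry in `iface.addresses` or `iface.gateways` renders as `address False` / `gateway False` in the generated interfaces file instead of failing the play; this was already true of the bare `ipaddr` filter, and the FQCN switch keeps it. If a hard failure is preferred, validating the lists in the role's tasks (for example asserting that `addresses | ansible.utils.ipaddr` has the same length as `addresses`) is simpler than guarding each template line. The macro `iface_common` starts in the first hunk and its body continues beyond both hunks shown here.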
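Review bot: The renamed `password: "{{ root__password }}"` still hands the value straight to `user`, whose `password` argument expects an already-hashed string; if `vault_root_password` is stored in clear, render it as `password: "{{ root__password | password_hash('sha512') }}"` (or document on the variable that it must be a crypt hash), otherwise the cleartext is written verbatim into /etc/shadow and the account becomes unusable. Adding `no_log: true` to the task keeps the hash out of verbose and failure output regardless of any module-level masking. For consistency with the `ansible.utils.ipaddr` FQCN adopted elsewhere in this commit, `user:` could become `ansible.builtin.user:`.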