misc: move variables to {host,group}_vars

2023-09-17 20:32:05 +02:00 · 2023-09-17 20:32:05 +02:00 · fbdeddfc72
commit fbdeddfc72
parent 17b46bab5e
52 changed files with 1600 additions and 1510 deletions
--- a/group_vars/all/chronyd.yml
+++ b/group_vars/all/chronyd.yml
@ -0,0 +1,5 @@
+---
+chronyd__pools:
+  - ntp-1.int.infra.auro.re
+  - ntp-2.int.infra.auro.re
+...
--- a/group_vars/all/ifupdown2.yml
+++ b/group_vars/all/ifupdown2.yml
@ -0,0 +1,19 @@
+---
+ifupdown2__wireguard_proto: wireguard
+ifupdown2__gateways:
+  adm:
+    - 2a09:6840:128::254
+    - 10.128.0.254
+  int:
+    - 2a09:6840:206::1
+    - 10.206.0.1
+  pub:
+    - 2a09:6840:111::254
+    - 45.66.111.254
+  monit:
+    - 2a09:6840:204::1
+    - 10.204.0.1
+  isp:
+    - 2a09:6840:210::1
+    - 10.210.0.1
+...
--- a/group_vars/all/openssh.yml
+++ b/group_vars/all/openssh.yml
@ -0,0 +1,10 @@
+---
+openssh__users_ca_public_key:
+  "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
+  hBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXW\
+  F1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg=="
+
+openssh__authorized_principals:
+  - any
+  - "{{ inventory_hostname }}"
+...
--- a/group_vars/all/resolvconf.yml
+++ b/group_vars/all/resolvconf.yml
@ -0,0 +1,13 @@
+---
+resolvconf__nameservers:
+  - 2a09:6840:206::1:1
+  - 2a09:6840:206::1:2
+  - 10.206.1.1
+  - 10.206.1.2
+
+resolvconf__domain: auro.re.
+
+resolvconf__search:
+  - "{{ inventory_hostname | remove_domain_suffix }}"
+  - auro.re.
+...
--- a/group_vars/all/root.yml
+++ b/group_vars/all/root.yml
@ -0,0 +1,5 @@
+---
+root__shell: /bin/bash
+
+root__password: "{{ vault_root_password }}"
+...
--- a/group_vars/dhcp/dhcpd.yml
+++ b/group_vars/dhcp/dhcpd.yml
@ -0,0 +1,69 @@
+---
+dhcpd__omapi_key:
+  algorithm: hmac-sha512
+  secret: 99XuJO0ofX3VAnWWlyixWbQ5YTagPfgxyh14IbLNBb3/JzEklkWopvQdj/PXVYbfb/sRyFJBhLexPag4dLh7PA==
+
+dhcpd__interfaces:
+  - client0
+  - client1
+  - client2
+  - client3
+  - client4
+
+dhcpd__dns_servers:
+  - 10.128.10.3
+  - 10.128.10.103
+
+dhcpd__domain_search:
+  - isp.auro.re.
+  - auro.re.
+
+dhcpd__subnets:
+  - network: 100.64.0.0/27
+    routers:
+      - 100.64.0.1
+    start: 100.64.0.4
+    end: 100.64.0.30
+    domain_name: client0.isp.auro.re
+    failover: true
+  - network: 100.64.0.32/27
+    routers:
+      - 100.64.0.31
+    start: 100.64.0.33
+    end: 100.64.0.63
+    domain_name: client1.isp.auro.re
+    failover: true
+  - network: 100.64.0.64/27
+    routers:
+      - 100.64.0.65
+    start: 100.64.0.67
+    end: 100.64.0.95
+    domain_name: client2.isp.auro.re
+    failover: true
+  - network: 100.64.0.96/27
+    routers:
+      - 100.64.0.97
+    start: 100.64.0.99
+    end: 100.64.0.127
+    domain_name: client3.isp.auro.re
+    failover: true
+  - network: 100.64.0.128/27
+    routers:
+      - 100.64.0.129
+    start: 100.64.0.131
+    end: 100.64.0.159
+    domain_name: client4.isp.auro.re
+
+dhcpd__failover:
+  dhcp-1.isp.infra.auro.re: 10.210.1.1
+  dhcp-2.isp.infra.auro.re: 10.210.1.2
+
+dhcpd__failover_address: "{{ dhcpd__failover[inventory_hostname] }}"
+
+dhcpd__failover_peer_address: "{{ dhcpd__failover
+                                  | dict2items
+                                  | selectattr('key', '!=',
+                                               inventory_hostname)
+                                  | map(attribute='value')
+                                  | first }}"
+...
--- a/group_vars/dns/kresd.yml
+++ b/group_vars/dns/kresd.yml
@ -0,0 +1,24 @@
+---
+kresd__listen:
+  - address: 0.0.0.0
+    port: 53
+    kind: dns
+  - address: "::"
+    port: 53
+    kind: dns
+  - address: 0.0.0.0
+    port: 853
+    kind: tls
+  - address: "::"
+    port: 853
+    kind: tls
+  - address: 0.0.0.0
+    port: 8453
+    kind: webmgmt
+  - address: "::"
+    port: 8453
+    kind: webmgmt
+    tls: false
+
+kresd__cache_size: 512
+...
--- a/group_vars/edge/keepalived.yml
+++ b/group_vars/edge/keepalived.yml
@ -0,0 +1,17 @@
+---
+keepalived__virtual_router_id: 81
+
+keepalived__interface: back0
+
+keepalived__virtual_addresses:
+  crans0:
+    - 185.230.79.254/29
+    - 2a0c:700:28::2/64
+    - fe80::1/10
+  zayo0:
+    - 2001:1b48:2:103::d7:2/126
+    - 83.167.52.69/31
+    - fe80::1/10
+
+keepalived__main: "{{ inventory_hostname_short == 'edge-1' }}"
+...
--- a/group_vars/infra/firewall.yml
+++ b/group_vars/infra/firewall.yml
@ -0,0 +1,175 @@
+---
+firewall__zones:
+  adm-legacy:
+    addrs:
+      - 2a09:6840:128::/64
+      - 10.128.0.0/16
+  ups:
+    addrs:
+      - 2a09:6840:201::/64
+      - 10.201.0.0/16
+  back:
+    addrs:
+      - 2a09:6840:203::/64
+      - 10.203.0.0/16
+  monit:
+    addrs:
+      - 2a09:6840:204::/64
+      - 10.204.0.0/16
+  wifi:
+    addrs:
+      - 2a09:6840:205::/64
+      - 10.205.0.0/16
+  int:
+    addrs:
+      - 2a09:6840:206::/64
+      - 10.206.0.0/16
+  sw:
+    addrs:
+      - 2a09:6840:207::/64
+      - 10.207.0.0/16
+  bmc:
+    addrs:
+      - 2a09:6840:208::/64
+      - 10.208.0.0/16
+  pve:
+    addrs:
+      - 2a09:6840:209::/64
+      - 10.209.0.0/16
+  isp:
+    addrs:
+      - 2a09:6840:210::/64
+      - 10.210.0.0/16
+  ext:
+    addrs:
+      - 2a09:6840:211::/64
+      - 45.66.111.0/24
+      - 10.211.0.0/16
+  vpn-clients:
+    addrs:
+      - 2a09:6840:212::/64
+      - 10.212.0.0/16
+  vpn:
+    addrs:
+      - 2a09:6840:213::/64
+      - 10.213.0.0/16
+  infra:
+    zones:
+      - adm-legacy
+      - ups
+      - back
+      - monit
+      - wifi
+      - int
+      - sw
+      - bmc
+      - pve
+      - isp
+      - ext
+      - vpn
+  internet:
+    negate: true
+    addrs:
+      - 2a09:6840::/32
+      - 2a09:6841::/32
+      - 2a09:6842::/32
+      - 45.66.108.0/22
+      - 10.0.0.0/8
+      - 100.64.0.0/10
+  prometheus.int:
+    addrs:
+      - 2a09:6840:204::1:1
+      - 10.204.1.1
+      - 2a09:6840:204::1:2
+      - 10.204.1.2
+  grafana.adm:
+    addrs:
+      - 2a09:6840:128::98
+      - 10.128.0.98
+  dns.int:
+    addrs:
+      - 2a09:6840:206::1:1
+      - 10.206.1.1
+      - 2a09:6840:206::1:2
+      - 10.206.1.2
+  ntp.int:
+    addrs:
+      - 2a09:6840:206::1:5
+      - 10.206.1.5
+      - 2a09:6840:206::1:6
+      - 10.206.1.6
+
+firewall__input:
+  - verdict: accept
+
+firewall__output:
+  - verdict: accept
+
+firewall__forward:
+  - src: back
+    dst: infra
+    verdict: accept
+  - src: infra # FIXME: temporary
+    dst: internet
+    verdict: accept
+  - src: monit
+    dst: bmc
+    protocols:
+      icmp: true
+    verdict: accept
+  - src: adm-legacy
+    dst: bmc
+    verdict: accept
+  - src: grafana.adm
+    dst: prometheus.int
+    protocols:
+      tcp:
+        dport: 9100
+    verdict: accept
+  # Admin VPN clients
+  - src: vpn-clients
+    dst: infra
+    verdict: accept
+  # Prometheus node
+  - src: monit
+    dst: int
+    protocols:
+      tcp:
+        dport: 9100
+    verdict: accept
+  # Allow DNS from infra to dns-{1,2}
+  - src: infra
+    dst: dns.int
+    protocols:
+      udp:
+        dport: 53
+    verdict: accept
+  - src: infra
+    dst: dns.int
+    protocols:
+      tcp:
+        dport: 53
+    verdict: accept
+  # Allow NTP from infra to ntp-{1,2} 
+  - src: infra
+    dst: ntp.int
+    protocols:
+      udp:
+        dport: 123
+    verdict: accept
+  # Admin Wireguard
+  - dst:
+      - 2a09:6840:211::204
+      - 45.66.111.204
+    protocols:
+      udp:
+        dport: 5121
+    verdict: accept
+
+firewall__nat:
+  - src: 10.0.0.0/8
+    dst: internet
+    protocols: null
+    snat:
+      addr: 45.66.111.200/32
+...
--- a/group_vars/infra/keepalived.yml
+++ b/group_vars/infra/keepalived.yml
@ -0,0 +1,52 @@
+---
+keepalived__virtual_router_id: 82
+
+keepalived__interface: back0
+
+keepalived__virtual_addresses:
+  ups0:
+    - 10.201.0.1/16
+    - 2a09:6840:201::1/64
+    - fe80::1/10
+  monit0:
+    - 10.204.0.1/16
+    - 2a09:6840:204::1/64
+    - fe80::1/10
+  wifi0:
+    - 10.205.0.1/16
+    - 2a09:6840:205::1/64
+    - fe80::1/10
+  int0:
+    - 10.206.0.1/16
+    - 2a09:6840:206::1/64
+    - fe80::1/10
+  sw0:
+    - 10.207.0.1/16
+    - 2a09:6840:207::1/64
+    - fe80::1/10
+  bmc0:
+    - 10.208.0.1/16
+    - 2a09:6840:208::1/64
+    - fe80::1/10
+  pve0:
+    - 10.209.0.1/16
+    - 2a09:6840:209::1/64
+    - fe80::1/10
+  isp0:
+    - 10.210.0.1/16
+    - 2a09:6840:210::1/64
+    - fe80::1/10
+  ext0:
+    - 10.211.0.1/16
+    - 2a09:6840:211::1/64
+    - fe80::1/10
+
+keepalived__virtual_routes:
+  ext0:
+    - 45.66.111.204/30
+
+keepalived__virtual_blackholes:
+  - 45.66.111.200/30
+
+keepalived__main: "{{ inventory_hostname_short == 'infra-1' }}"
+...
--- a/group_vars/isp/firewall.yml
+++ b/group_vars/isp/firewall.yml
@ -0,0 +1,40 @@
+---
+firewall__zones:
+  internet:
+    negate: true
+    addrs:
+      - 2a09:6840::/32
+      - 2a09:6841::/32
+      - 2a09:6842::/32
+      - 45.66.108.0/22
+      - 10.0.0.0/8
+      - 100.64.0.0/10
+  clients:
+    addrs:
+      - 100.64.0.0/10
+  non_clients:
+    negate: true
+    zones: clients
+  allowed_clients:
+    file:
+      path: /var/run/firewall/allowed_clients.yml
+      default: []
+
+firewall__input:
+  - verdict: accept
+
+firewall__output:
+  - verdict: accept
+
+firewall__forward:
+  - src: allowed_clients
+    dst: non_clients
+    verdict: accept
+
+firewall__nat:
+  - src: clients
+    dst: internet
+    protocols: null
+    snat:
+      addr: 45.66.111.220
+...
--- a/group_vars/isp/keepalived.yml
+++ b/group_vars/isp/keepalived.yml
@ -0,0 +1,29 @@
+---
+keepalived__virtual_router_id: 80
+
+keepalived__interface: back0
+
+keepalived__virtual_addresses:
+  client0:
+    - 100.64.0.1/27
+    - 2a09:6841::1/56
+    - fe80::1/10
+  client1:
+    - 100.64.0.33/27
+    - 2a09:6841:0:1::1/64
+    - fe80::1/10
+  client2:
+    - 100.64.0.65/27
+    - 2a09:6841:0:2::1/64
+    - fe80::1/10
+  client3:
+    - 100.64.0.97/27
+    - 2a09:6841:0:3::1/64
+    - fe80::1/10
+  client4:
+    - 100.64.0.129/27
+    - 2a09:6841:0:4::1/64
+    - fe80::1/10
+
+keepalived__main: "{{ inventory_hostname_short == 'isp-1' }}"
+...
--- a/group_vars/ntp/chronyd.yml
+++ b/group_vars/ntp/chronyd.yml
@ -0,0 +1,13 @@
+---
+chronyd__allow_networks:
+  - 2a09:6840::/32
+  - 10.0.0.0/8
+
+chronyd__pools:
+  - 0.pool.ntp.org
+  - 1.pool.ntp.org
+  - 2.pool.ntp.org
+  - 3.pool.ntp.org
+
+chronyd__local_stratum: 10
+...
--- a/group_vars/pve/pve_auth.yml
+++ b/group_vars/pve/pve_auth.yml
@ -0,0 +1,31 @@
+---
+pve_auth__groups:
+  admin:
+    - Administrator
+
+pve_auth__pam_users:
+  root:
+    enabled: false
+
+pve_auth__users:
+  jeltz:
+    password: "{{ vault_pve_passwords.jeltz }}"
+    groups:
+      - admin
+  otthorn:
+    password: "{{ vault_pve_passwords.otthorn }}"
+    groups:
+      - admin
+  v-lafeychine:
+    password: "{{ vault_pve_passwords['v-lafeychine'] }}"
+    groups:
+      - admin
+  pz2891:
+    password: "{{ vault_pve_passwords.pz2891 }}"
+    groups:
+      - admin
+  loutr:
+    password: "{{ vault_pve_passwords.loutr }}"
+    groups:
+      - admin
+...
--- a/group_vars/radius/freeradius.yml
+++ b/group_vars/radius/freeradius.yml
@ -0,0 +1,17 @@
+---
+radiusd__guest_vlan: 1000
+
+radiusd__clients:
+  localhost:
+    addr: 127.0.0.1
+    secret: abcdef
+    type: aurore
+  wifi-ap-v4:
+    addr: 10.102.0.0/16
+    secret: abcdef
+    type: aurore
+  wifi-ap-v6:
+    addr: 2a09:6840:102::/56
+    secret: abcdef
+    type: aurore
+...
--- a/host_vars/dhcp-1.isp.infra.auro.re.yml
+++ b/host_vars/dhcp-1.isp.infra.auro.re.yml
@ -0,0 +1,47 @@
+---
+systemd_link__links:
+  isp0: 02:00:00:c6:3f:6f
+  trunk0: 02:00:00:b1:8d:d6
+
+ifupdown2__interfaces:
+  isp0:
+    addresses:
+      - 2a09:6840:210::1:1/64
+      - 10.210.1.1/16
+    gateways: "{{ ifupdown2__gateways.isp }}"
+  trunk0:
+    ipv6_addrgen: false
+  clients0:
+    bridge_vlan_aware: true
+    bridge_ports:
+      - trunk0
+    bridge_vids:
+      - 1000-1004
+    bridge_disable_pvid: true
+    ipv6_addrgen: false
+  client0:
+    addresses:
+      - 100.64.0.2/27
+    vlan_id: 1000
+    vlan_raw_device: clients0
+  client1:
+    addresses:
+      - 100.64.0.34/27
+    vlan_id: 1001
+    vlan_raw_device: clients0
+  client2:
+    addresses:
+      - 100.64.0.66/27
+    vlan_id: 1002
+    vlan_raw_device: clients0
+  client3:
+    addresses:
+      - 100.64.0.98/27
+    vlan_id: 1003
+    vlan_raw_device: clients0
+  client4:
+    addresses:
+      - 100.64.0.130/27
+    vlan_id: 1004
+    vlan_raw_device: clients0
+...
--- a/host_vars/dhcp-2.isp.infra.auro.re.yml
+++ b/host_vars/dhcp-2.isp.infra.auro.re.yml
@ -0,0 +1,47 @@
+---
+systemd_link__links:
+  isp0: 04:00:00:8c:d1:36
+  trunk0: 04:00:00:33:2c:3c
+
+ifupdown2__interfaces:
+  isp0:
+    addresses:
+      - 2a09:6840:210::1:2/64
+      - 10.210.1.2/16
+    gateways: "{{ ifupdown2__gateways.isp }}"
+  trunk0:
+    ipv6_addrgen: false
+  clients0:
+    bridge_vlan_aware: true
+    bridge_ports:
+      - trunk0
+    bridge_vids:
+      - 1000-1004
+    bridge_disable_pvid: true
+    ipv6_addrgen: false
+  client0:
+    addresses:
+      - 100.64.0.3/27
+    vlan_id: 1000
+    vlan_raw_device: clients0
+  client1:
+    addresses:
+      - 100.64.0.35/27
+    vlan_id: 1001
+    vlan_raw_device: clients0
+  client2:
+    addresses:
+      - 100.64.0.67/27
+    vlan_id: 1002
+    vlan_raw_device: clients0
+  client3:
+    addresses:
+      - 100.64.0.99/27
+    vlan_id: 1003
+    vlan_raw_device: clients0
+  client4:
+    addresses:
+      - 100.64.0.131/27
+    vlan_id: 1004
+    vlan_raw_device: clients0
+...
--- a/host_vars/dns-1.int.infra.auro.re.yml
+++ b/host_vars/dns-1.int.infra.auro.re.yml
@ -0,0 +1,16 @@
+---
+systemd_link__links:
+  adm0: 02:00:00:6c:4b:89
+  int0: 02:00:00:9f:d9:f9
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:3/64
+      - 10.128.10.3/16
+  int0:
+    addresses:
+      - 2a09:6840:206::1:1/64
+      - 10.206.1.1/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...
--- a/host_vars/dns-2.int.infra.auro.re.yml
+++ b/host_vars/dns-2.int.infra.auro.re.yml
@ -0,0 +1,16 @@
+---
+systemd_link__links:
+  adm0: 04:00:00:2a:6e:be
+  int0: 04:00:00:3c:c0:5a
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:103/64
+      - 10.128.10.103/16
+  int0:
+    addresses:
+      - 2a09:6840:206::1:2/64
+      - 10.206.1.2/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...
--- a/host_vars/edge-1.back.infra.auro.re.yml
+++ b/host_vars/edge-1.back.infra.auro.re.yml
@ -0,0 +1,39 @@
+---
+systemd_link__links:
+  adm0: 02:00:00:9E:3E:21
+  crans0: 02:00:00:A2:7C:68
+  zayo0: 02:00:00:35:89:82
+  rezel0: 02:00:00:8F:4A:AD
+  back0: 02:00:00:1C:3A:2E
+  viarezo0: 02:00:00:ED:70:64
+  router0: 02:00:00:5A:17:7C
+  oti0: 02:00:00:05:0E:A6
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:2/64
+      - 10.128.10.2/16
+  crans0:
+    ipv6_addrgen: false
+  zayo0:
+    ipv6_addrgen: false
+  rezel0:
+    addresses:
+      - 2a09:6842:19:9116::1/64
+      - 45.66.111.1/29
+  back0:
+    addresses:
+      - 2a09:6840:203::1:1/64
+      - 10.203.1.1/16
+  viarezo0:
+    ipv6_addrgen: false
+  router0:
+    addresses:
+      - 2a09:6840:129::10:2/56
+      - 10.129.10.2/16
+  oti0:
+    addresses:
+      - 2a00:a4c0:100c:1::b/127
+      - 77.95.70.11/31
+...
--- a/host_vars/edge-2.back.infra.auro.re.yml
+++ b/host_vars/edge-2.back.infra.auro.re.yml
@ -0,0 +1,34 @@
+---
+systemd_link__links:
+  adm0: 04:00:00:F5:69:B9
+  crans0: 04:00:00:CF:E1:D0
+  zayo0: 04:00:00:67:7B:12
+  rezel0: 04:00:00:C6:05:B7
+  back0: 04:00:00:DE:22:E6
+  viarezo0: 04:00:00:45:FA:E6
+  router0: 04:00:00:AD:D7:71
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:102/64
+      - 10.128.10.102/16
+  crans0:
+    ipv6_addrgen: false
+  zayo0:
+    ipv6_addrgen: false
+  rezel0:
+    addresses:
+      - 2a09:6842:19:9116::3/64
+      - 45.66.111.3/29
+  back0:
+    addresses:
+      - 2a09:6840:203::1:2/64
+      - 10.203.1.2/16
+  viarezo0:
+    ipv6_addrgen: false
+  router0:
+    addresses:
+      - 2a09:6840:129::10:102/56
+      - 10.129.10.102/16
+...
--- a/host_vars/infra-1.back.infra.auro.re.yml
+++ b/host_vars/infra-1.back.infra.auro.re.yml
@ -0,0 +1,43 @@
+---
+systemd_link__links:
+  ups0: 02:00:00:fe:6f:0e
+  back0: 02:00:00:f8:93:22
+  monit0: 02:00:00:da:97:7f
+  wifi0: 02:00:00:8c:c5:bf
+  int0: 02:00:00:75:40:3e
+  sw0: 02:00:00:ca:e8:d1
+  bmc0: 02:00:00:47:d1:b9
+  pve0: 02:00:00:b3:35:e7
+  isp0: 02:00:00:6b:53:14
+  ext0: 02:00:00:32:86:60
+  vpn0: 02:00:00:52:5f:85
+
+ifupdown2__interfaces:
+  back0:
+    addresses:
+      - 2a09:6840:203::1:3/64
+      - 45.66.111.210/32
+      - 10.203.1.3/16
+  ups0:
+    ipv6_addrgen: false
+  monit0:
+    ipv6_addrgen: false
+  wifi0:
+    ipv6_addrgen: false
+  int0:
+    ipv6_addrgen: false
+  sw0:
+    ipv6_addrgen: false
+  bmc0:
+    ipv6_addrgen: false
+  pve0:
+    ipv6_addrgen: false
+  isp0:
+    ipv6_addrgen: false
+  ext0:
+    ipv6_addrgen: false
+  vpn0:
+    addresses:
+      - 2a09:6840:213::1:1
+      - 10.213.1.1
+...
--- a/host_vars/infra-2.back.infra.auro.re.yml
+++ b/host_vars/infra-2.back.infra.auro.re.yml
@ -0,0 +1,43 @@
+---
+systemd_link__links:
+  ups0: 04:00:00:6d:97:83
+  back0: 04:00:00:46:ba:f9
+  monit0: 04:00:00:72:0b:2d
+  wifi0: 04:00:00:ee:42:0f
+  int0: 04:00:00:21:fd:d0
+  sw0: 04:00:00:2e:5b:16
+  bmc0: 04:00:00:bb:5a:a6
+  pve0: 04:00:00:0b:2b:82
+  isp0: 04:00:00:f4:4c:5d
+  ext0: 04:00:00:1d:0e:83
+  vpn0: 04:00:00:02:ba:dd
+
+ifupdown2__interfaces:
+  back0:
+    addresses:
+      - 2a09:6840:203::1:4/64
+      - 45.66.111.211/32
+      - 10.203.1.4/16
+  ups0:
+    ipv6_addrgen: false
+  monit0:
+    ipv6_addrgen: false
+  wifi0:
+    ipv6_addrgen: false
+  int0:
+    ipv6_addrgen: false
+  sw0:
+    ipv6_addrgen: false
+  bmc0:
+    ipv6_addrgen: false
+  pve0:
+    ipv6_addrgen: false
+  isp0:
+    ipv6_addrgen: false
+  ext0:
+    ipv6_addrgen: false
+  vpn0:
+    addresses:
+      - 2a09:6840:213::1:2
+      - 10.213.1.2
+...
--- a/host_vars/isp-1.back.infra.auro.re.yml
+++ b/host_vars/isp-1.back.infra.auro.re.yml
@ -0,0 +1,47 @@
+---
+systemd_link__links:
+  adm0: 02:00:00:D8:37:45
+  back0: 02:00:00:BF:10:4C
+  trunk0: 02:00:00:E9:BA:15
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:5/64
+      - 10.128.10.5/16
+    gateways: "{{ ifupdown2__gateways.adm }}"
+  back0:
+    addresses:
+      - 2a09:6840:203::1:5/64
+      - 10.203.1.5/16
+  trunk0:
+    ipv6_addrgen: false
+  clients0:
+    bridge_vlan_aware: true
+    bridge_ports:
+      - trunk0
+    bridge_vids:
+      - 1000-1004
+    bridge_disable_pvid: true
+    ipv6_addrgen: false
+  client0:
+    vlan_id: 1000
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client1:
+    vlan_id: 1001
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client2:
+    vlan_id: 1002
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client3:
+    vlan_id: 1003
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client4:
+    vlan_id: 1004
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+...
--- a/host_vars/isp-2.back.infra.auro.re.yml
+++ b/host_vars/isp-2.back.infra.auro.re.yml
@ -0,0 +1,47 @@
+---
+systemd_link__links:
+  adm0: 04:00:00:85:C3:5D
+  back0: 04:00:00:FE:2D:67
+  trunk0: 04:00:00:D8:F5:4D
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:105/64
+      - 10.128.10.105/16
+    gateways: "{{ ifupdown2__gateways.adm }}"
+  back0:
+    addresses:
+      - 2a09:6840:203::1:6/64
+      - 10.203.1.6/16
+  trunk0:
+    ipv6_addrgen: false
+  clients0:
+    bridge_vlan_aware: true
+    bridge_ports:
+      - trunk0
+    bridge_vids:
+      - 1000-1004
+    bridge_disable_pvid: true
+    ipv6_addrgen: false
+  client0:
+    vlan_id: 1000
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client1:
+    vlan_id: 1001
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client2:
+    vlan_id: 1002
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client3:
+    vlan_id: 1003
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client4:
+    vlan_id: 1004
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+...
--- a/host_vars/ldap-1.int.infra.auro.re.yml
+++ b/host_vars/ldap-1.int.infra.auro.re.yml
@ -0,0 +1,16 @@
+---
+systemd_link__links:
+  adm0: 02:00:00:38:c2:52
+  int0: 02:00:00:fe:a8:54
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:8/64
+      - 10.128.10.8/16
+  int0:
+    addresses:
+      - 2a09:6840:206::1:3/64
+      - 10.206.1.7/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...
--- a/host_vars/ldap-2.int.infra.auro.re.yml
+++ b/host_vars/ldap-2.int.infra.auro.re.yml
@ -0,0 +1,16 @@
+---
+systemd_link__links:
+  adm0: 04:00:00:f7:1c:47
+  int0: 04:00:00:e4:83:d2
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:108/64
+      - 10.128.10.108/16
+  int0:
+    addresses:
+      - 2a09:6840:206::1:4/64
+      - 10.206.1.8/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...
--- a/host_vars/ns-master.int.infra.auro.re/knotd.yml
+++ b/host_vars/ns-master.int.infra.auro.re/knotd.yml
@ -0,0 +1,502 @@
+---
+knotd__listen:
+  - address: 0.0.0.0
+  - address: "::"
+
+knotd__keys:
+  xfr:
+    algorithm: hmac-sha512
+    secret: "{{ vault_knotd_xfr_key }}"
+  ksk-infra:
+    algorithm: hmac-sha512
+    secret: "{{ vault_knotd_ksk_infra_key }}"
+  update-acme-challenge:
+    algorithm: hmac-sha512
+    secret: "{{ vault_certbot_dns_secret }}"
+
+knotd__remotes:
+  xfr-ns-1:
+    address: 10.128.0.199
+    key: xfr
+  xfr-ns-2:
+    address: 10.128.0.109
+    key: xfr
+  ksk-infra:
+    address: ::1
+    key: ksk-infra
+
+knotd__policies:
+  public:
+    algorithm: ECDSAP256SHA256
+    reproducible_signing: true
+    # Je n'ai pas trouvé de façon de pousser les records automatiquement
+    # sur .re, donc pour éviter d'oublier de le faire manuellement, la
+    # KSK n'expire pas
+    ksk_lifetime: 0
+    zsk_lifetime: 30d
+    nsec3: true
+  infra:
+    algorithm: ECDSAP256SHA256
+    ksk_lifetime: 365d
+    zsk_lifetime: 30d
+    nsec3: on
+    ds-push: ksk-infra
+    cds-cdnskey-publish: rollover
+    ksk-submission: infra
+  ripe:
+    algorithm: ECDSAP256SHA256
+    ksk_lifetime: 365d
+    zsk_lifetime: 30d
+    nsec3: on
+    ds-push: ksk-ripe
+    cds-cdnskey-publish: rollover
+    ksk-submission: ripe
+
+knotd__acl:
+  xfr:
+    addresses:
+      - 10.128.0.199
+      - 2a09:6840:128::199
+      - 10.128.0.109
+      - 2a09:6840:128::109
+    action: transfer
+    key: xfr
+  ksk-infra:
+    addresses:
+      - 127.0.0.1
+      - ::1
+    key: ksk-infra
+    action: update
+    update_types:
+      - DS
+    update_owner: name
+    update_owner_match: equal
+    update_owner_name:
+      - infra
+  update-acme-challenge:
+    addresses:
+      - 10.128.0.0/16
+      - 2a09:6840:128::/48
+    key: update-acme-challenge
+    action: update
+    update_types:
+      - TXT
+    update_owner: name
+    update_owner_match: equal
+    update_owner_name:
+      - _acme-challenge.auro.re.
+
+knotd__queryacl:
+  local:
+    addresses:
+      - 10.0.0.0/8
+
+knotd__soa_rname: root@auro.re.
+
+knotd__hosts:
+
+  auro.re:
+    proxy-ovh:
+      - 92.222.211.195
+    horus:
+      - 92.23.218.136
+    ns-1:
+      - 45.66.111.30
+      - 2a09:6840:111::30
+    ns-2:
+      - 92.222.211.194
+    serge:
+      - 92.222.211.196
+    lama:
+      - 185.230.78.220
+      - 2a0c:700:12:0:67:e5ff:fee9:108
+    vpn-ovh:
+      - 92.222.211.197
+    passerelle:
+      - 45.66.111.254
+      - 2a09:6840:111::254
+    proxy:
+      - 45.66.111.61
+      - 2a09:6840:111::61
+    camelot:
+      - 45.66.111.59
+      - 2a09:6840:111::59
+    mail:
+      - 45.66.111.62
+      - 2a09:6840:111::62
+    galene:
+      - 45.66.111.65
+      - 2a09:6840:111::65
+    aclyas:
+      - 45.66.111.231
+      - 2a09:6840:111::231
+    jitsi:
+      - 45.66.111.55
+      - 2a09:6840:111::55
+    portail-fleming:
+      - 10.13.0.247
+      - 2a09:6840:13::247
+    portail-pacaterie:
+      - 10.23.0.247
+      - 2a09:6840:23::247
+    portail-rives:
+      - 10.33.0.247
+      - 2a09:6840:33::247
+    portail-edc:
+      - 10.43.0.247
+      - 2a09:6840:43::247
+    portail-gs:
+      - 10.53.0.247
+      - 2a09:6840:53::247
+
+  adh.auro.re:
+    hoffman:
+      - 45.66.110.1
+      - 2a09:6840:110:0:2d8:61ff:fe56:d7eb
+    hindley:
+      - 45.66.110.3
+      - 2a09:6840:110:0:a6ba:dbff:fe03:1f36
+    yberreby:
+      - 45.66.110.5
+      - 2a09:6840:110:0:d896:1dff:fe59:8381
+    paon:
+      - 45.66.110.10
+      - 2a09:6840:110:0:231:92ff:fe1b:ae22
+    lovelace:
+      - 45.66.110.45
+      - 2a09:6840:110:0:c634:6bff:feb5:7bcc
+    switch-leo:
+      - 45.66.110.103
+      - 2a09:6840:110:0:82cc:9cff:fe82:ca3e
+    haskell:
+      - 45.66.110.112
+      - 2a09:6840:110:0:f4ac:cbff:fe81:7f48
+    lyshyga0:
+      - 45.66.110.113
+      - 2a09:6840:110:0:6af7:28ff:fe91:e8d9
+    pz28910:
+      - 45.66.110.114
+    vinsing0:
+      - 45.66.110.123
+      - 2a09:6840:110:0:1e1b:dff:fe90:7d81
+    osc-routeur:
+      - 45.66.110.125
+      - 2a09:6840:110:0:ba27:ebff:fe2d:c1a1
+    odroid:
+      - 45.66.110.154
+      - 2a09:6840:110:0:21e:6ff:fe49:e00
+    amau0:
+      - 45.66.110.164
+      - 2a09:6840:110:0:3e7c:3fff:fec3:27d1
+    regulus:
+      - 45.66.110.180
+      - 2a09:6840:110:0:2ef0:5dff:fe2a:1530
+    toaster:
+      - 45.66.110.188
+      - 2a09:6840:110:0:5246:5dff:fe9a:f70
+    rpijutax:
+      - 45.66.110.190
+      - 2a09:6840:110:0:ba27:ebff:fe76:a9bc
+    lafeychine:
+      - 45.66.110.200
+      - 2a09:6840:110:0:46a5:6eff:fe71:1
+    polaris:
+      - 45.66.110.245
+      - 2a09:6840:110:0:dea6:32ff:feb4:d033
+
+knotd__zones:
+
+  auro.re:
+    dnssec_policy: public
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+    acl:
+      - update-acme-challenge
+      - ksk-infra
+      - xfr
+    soa:
+      mname: ns-master.int.infra
+    ns:
+      - target:
+          - ns-1
+          - ns-2
+      - name: infra
+        target:
+          - ns-1
+          - ns-2
+      - name: adm
+        target:
+          - serge
+          - lama
+      - name: ups
+        target:
+          - serge
+          - lama
+      - name: switch
+        target:
+          - serge
+          - lama
+      - name: borne
+        target:
+          - serge
+          - lama
+    mx:
+      - exchange: mail
+        preference: 5
+      - exchange: proxy-ovh
+        preference: 10
+    spf:
+      - data: v=spf1 mx -all
+    a:
+      - address: 92.222.211.195
+    cname:
+      - name:
+          - gisti
+          - gistiti
+        target: jitsi
+      - name:
+          - element
+          - riot
+          - auth
+          - rss
+          - codimd
+          - hedgedoc
+          - kanboard
+          - www
+          - pad
+          - privatebin
+          - zero
+          - paste
+        target: proxy-ovh
+      - name:
+          - grafana
+          - netbox
+          - wiki
+          - matrix
+          - drone
+          - gitea
+          - re2o
+          - nextcloud
+          - vote
+        target: proxy
+      - name: intranet
+        target: re2o
+      - name:
+          - smtp
+          - imap
+        target: mail
+      - name:
+          - prometheus-paul.adh
+          - pma-paul.adh
+          - nextcloud-paul.adh
+          - grafana-paul.adh
+          - jellyfin.adh
+          - monitoring.adh
+          - beta-mpp.adh
+          - pz28.adh
+        target: lucepaul.myvnc.com.
+      - name:
+          - services-1.pve
+        target: services-1.pve.infra
+      - name:
+          - services-2.pve
+        target: services-2.pve.infra
+      - name:
+          - services-3.pve
+        target: services-3.pve.infra
+    hosts: "{{ knotd__hosts['auro.re']
+               | combine(knotd__hosts['adh.auro.re']
+                         | add_origin_keys('adh.auro.re.')) }}"
+
+  infra.auro.re:
+    dnssec_policy: infra
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+    acl:
+      - xfr
+    #queryacl: local
+    soa:
+      mname: ns-master.int
+    ns:
+      - target:
+          - ns-1.auro.re.
+          - ns-2.auro.re.
+    hosts:
+      services-1.ceph:
+        - 10.132.1.1
+        - "2a09:6840:132:1:1::"
+      services-2.ceph:
+        - 10.132.1.2
+        - "2a09:6840:132:1:2::"
+      services-3.ceph:
+        - 10.132.1.3
+        - "2a09:6840:132:1:3::"
+      services-1.pve:
+        - 10.134.1.1
+        - 2a09:6840:132:1:1::1
+      services-2.pve:
+        - 10.134.1.2
+        - 2a09:6840:132:1:2::1
+      services-3.pve:
+        - 10.134.1.3
+        - 2a09:6840:132:1:3::1
+      ns-master.int:
+        - 10.128.0.110
+        - 2a09:6840:128:0::110
+      ec-1.ups:
+        - 10.131.4.1
+        - 2a09:6840:131::4:1
+      ec-2.ups:
+        - 10.131.4.2
+        - 2a09:6840:131::4:2
+      network-1.pve:
+        - 2a09:6840:209::1:1
+        - 10.209.1.1
+      network-2.pve:
+        - 2a09:6840:209::1:2
+        - 10.209.1.2
+      edge-1.back:
+        - 2a09:6840:203::1:1
+        - 10.203.1.1
+      edge-2.back:
+        - 2a09:6840:203::1:2
+        - 10.203.1.2
+      dns-1.int:
+        - 2a09:6840:206::1:1
+        - 10.206.1.1
+      dns-2.int:
+        - 2a09:6840:206::1:2
+        - 10.206.1.2
+      vpn-1.back:
+        - 10.128.10.11
+        - 2a09:6840:128::10:11
+      vpn-2.back:
+        - 10.128.10.111
+        - 2a09:6840:128::10:111
+      infra-1.back:
+        - 2a09:6840:203::1:3
+        - 10.203.1.3
+      infra-2.back:
+        - 2a09:6840:203::1:4
+        - 10.203.1.4
+      isp-1.back:
+        - 2a09:6840:203::1:5
+        - 10.203.1.5
+      isp-2.back:
+        - 2a09:6840:203::1:6
+        - 10.203.1.6
+      dhcp-1.isp:
+        - 2a09:6840:210::1:1
+        - 10.210.1.1
+      dhcp-2.isp:
+        - 2a09:6840:210::1:2
+        - 10.210.1.2
+      radius-1.isp:
+        - 2a09:6840:210::1:3
+        - 10.210.1.3
+      radius-2.isp:
+        - 2a09:6840:210::1:4
+        - 10.210.1.4
+      ldap-1.int:
+        - 10.128.10.8
+        - 2a09:6840:128::10:8
+      ldap-2.int:
+        - 10.128.10.108
+        - 2a09:6840:128::10:108
+      ntp-1.int:
+        - 2a09:6840:206::1:5
+        - 10.206.1.5
+      ntp-2.int:
+        - 2a09:6840:206::1:6
+        - 10.206.1.6
+      prometheus-1.monit:
+        - 2a09:6840:204::1:1
+        - 10.204.1.1
+      prometheus-2.monit:
+        - 2a09:6840:204::1:2
+        - 10.204.1.2
+
+  108.66.45.in-addr.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.auro.re.
+          - ns-2.auro.re.
+
+  109.66.45.in-addr.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.auro.re.
+          - ns-2.auro.re.
+
+  110.66.45.in-addr.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.auro.re.
+          - ns-2.auro.re.
+    reverse_hosts: "{{ knotd__hosts['adh.auro.re']
+                       | ip_filter(['45.66.110.0/24'])
+                       | add_origin_keys('adh.auro.re.') }}"
+
+  111.66.45.in-addr.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.auro.re.
+          - ns-2.auro.re.
+    reverse_hosts: "{{ knotd__hosts['auro.re']
+                       | ip_filter(['45.66.111.0/24'])
+                       | add_origin_keys('auro.re.') }}"
+
+  0.4.8.6.9.0.a.2.ip6.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.auro.re.
+          - ns-2.auro.re.
+    reverse_hosts: "{{ knotd__hosts['auro.re']
+                       | ip_filter(['2a09:6840::/32'])
+                       | add_origin_keys('auro.re.')
+                       | combine(knotd__hosts['adh.auro.re']
+                                 | ip_filter(['2a09:6840::/32'])
+                                 | add_origin_keys('adh.auro.re.')) }}"
+...
--- a/host_vars/ntp-1.int.infra.auro.re.yml
+++ b/host_vars/ntp-1.int.infra.auro.re.yml
@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  int0: 02:00:00:74:71:83
+
+ifupdown2__interfaces:
+  int0:
+    addresses:
+      - 2a09:6840:206::1:5/64
+      - 10.206.1.5/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...
--- a/host_vars/ntp-2.int.infra.auro.re.yml
+++ b/host_vars/ntp-2.int.infra.auro.re.yml
@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  int0: 04:00:00:31:be:50
+
+ifupdown2__interfaces:
+  int0:
+    addresses:
+      - 2a09:6840:206::1:6/64
+      - 10.206.1.6/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...
--- a/host_vars/prometheus-1.monit.infra.auro.re.yml
+++ b/host_vars/prometheus-1.monit.infra.auro.re.yml
@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  monit0: 02:00:00:a8:6b:51
+
+ifupdown2__interfaces:
+  monit0:
+    addresses:
+      - 2a09:6840:204::1:1/64
+      - 10.204.1.1/16
+    gateways: "{{ ifupdown2__gateways.monit }}"
+...
--- a/host_vars/prometheus-2.monit.infra.auro.re.yml
+++ b/host_vars/prometheus-2.monit.infra.auro.re.yml
@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  monit0: 04:00:00:a6:93:5a
+
+ifupdown2__interfaces:
+  monit0:
+    addresses:
+      - 2a09:6840:204::1:2/64
+      - 10.204.1.2/16
+    gateways: "{{ ifupdown2__gateways.monit }}"
+...
--- a/host_vars/radius-1.isp.infra.auro.re.yml
+++ b/host_vars/radius-1.isp.infra.auro.re.yml
@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  isp0: 02:00:00:6a:3e:f4
+
+ifupdown2__interfaces:
+  isp0:
+    addresses:
+      - 2a09:6840:210::1:3/64
+      - 10.210.1.3/16
+    gateways: "{{ ifupdown2__gateways.isp }}"
+...
--- a/host_vars/radius-2.isp.infra.auro.re.yml
+++ b/host_vars/radius-2.isp.infra.auro.re.yml
@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  isp0: 04:00:00:29:6d:c9
+
+ifupdown2__interfaces:
+  isp0:
+    addresses:
+      - 2a09:6840:210::1:4/64
+      - 10.210.1.4/16
+    gateways: "{{ ifupdown2__gateways.isp }}"
+...
--- a/host_vars/vpn-1.back.infra.auro.re.yml
+++ b/host_vars/vpn-1.back.infra.auro.re.yml
@ -0,0 +1,24 @@
+---
+ifupdown2__wireguard:
+  wg0:
+    private_key: "{{ vault_wireguard_wg0_private }}"
+    listen_port: 5121
+    goto_table: bird
+    peer_allowed_addresses:
+      - 2a09:6840:212::1:1/128
+      - 10.212.1.1/32
+    peer_public_key: 0kP/XjaGOpu4p9KHTAoAhkLwXzC8wJUdPIdhdpgeKhY=
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:11/64
+      - 10.128.10.11/16
+  ext0:
+    addresses:
+      - 45.66.111.200/30
+  vpn0:
+    addresses:
+      - 2a09:6840:213::1:3/64
+      - 10.213.1.3/16
+...
--- a/92
+++ b/92
@ -1,35 +1,57 @@
 # Aurore servers inventory

-# How to name your server ?
-# > We name servers according to location, then type, then function.
-# > Then we regroup everything in global geographic, type and function groups.
+[vpn]
+#vpn-[1:2].back.infra.auro.re

-[pve_network]
-network-1.pve.infra.auro.re
-network-2.pve.infra.auro.re
+[dns]
+dns-[1:2].int.infra.auro.re
+
+[dhcp]
+dhcp-[1:2].isp.infra.auro.re
+
+[edge]
+edge-[1:2].back.infra.auro.re
+
+[isp]
+isp-1.back.infra.auro.re
+#isp-[1:2].back.infra.auro.re
+
+[infra]
+infra-[1:2].back.infra.auro.re
+
+[prometheus]
+prometheus-[1:2].monit.infra.auro.re
+
+[ldap]
+#ldap-[1:2].int.infra.auro.re
+
+[ntp]
+ntp-[1:2].int.infra.auro.re
+
+[radius]
+radius-[1:2].isp.infra.auro.re

 [vm_network]
-edge-1.back.infra.auro.re
-edge-2.back.infra.auro.re
-dns-1.int.infra.auro.re
-dns-2.int.infra.auro.re
-ssh-1.mgmt.infra.auro.re
-ssh-2.mgmt.infra.auro.re
-infra-1.back.infra.auro.re
-infra-2.back.infra.auro.re
-isp-1.back.infra.auro.re
-isp-2.back.infra.auro.re
-dhcp-1.isp.infra.auro.re
-dhcp-2.isp.infra.auro.re
-radius-1.isp.infra.auro.re
-radius-2.isp.infra.auro.re
-ldap-1.int.infra.auro.re
-ldap-2.int.infra.auro.re
-ntp-1.int.infra.auro.re
-ntp-2.int.infra.auro.re
-prometheus-1.monit.infra.auro.re
-prometheus-2.monit.infra.auro.re
-vpn-1.back.infra.auro.re
+#vpn-[1:2].back.infra.auro.re
+edge-[1:2].back.infra.auro.re
+dhcp-[1:2].isp.infra.auro.re
+dns-[1:2].int.infra.auro.re
+radius-[1:2].isp.infra.auro.re
+ntp-[1:2].int.infra.auro.re
+#ldap-[1:2].int.infra.auro.re
+#isp-[1:2].back.infra.auro.re
+infra-[1:2].back.infra.auro.re
+prometheus-[1:2].monit.infra.auro.re
+
+[pve:children]
+pve_network
+pve_services
+
+[pve_network]
+network-[1:2].pve.infra.auro.re
+
+[pve_services]
+services-[1:2].pve.infra.auro.re

 ###############################################################################
 # Aurore : main services
@ -116,26 +138,10 @@ dhcp-fleming.adm.auro.re
 dhcp-fleming-backup.adm.auro.re
 dns-fleming.adm.auro.re
 dns-fleming-backup.adm.auro.re
-ntp-1.int.infra.auro.re
 prometheus-fleming.adm.auro.re
 ns-master.int.infra.auro.re
-dns-1.int.infra.auro.re
 ns-1.auro.re
-ldap-1.int.infra.auro.re
-radius-1.isp.infra.auro.re
-#prometheus-fleming-fo.adm.auro.re
-dhcp-1.isp.auro.re
-dhcp-2.isp.auro.re
 radius-fleming.adm.auro.re
-dns-1.int.infra.auro.re
-isp-1.back.infra.auro.re
-isp-2.back.infra.auro.re
-edge-1.back.infra.auro.re
-edge-2.back.infra.auro.re
-infra-1.back.infra.auro.re
-infra-2.back.infra.auro.re
-dhcp-1.isp.auro.re
-dhcp-2.isp.auro.re
 radius-fleming-backup.adm.auro.re
 unifi-fleming.adm.auro.re
 routeur-fleming.adm.auro.re
--- a/playbooks/chronyd.yml
+++ b/playbooks/chronyd.yml
@ -1,30 +1,9 @@
 #!/usr/bin/env ansible-playbook
 ---
- hosts:
-    - ntp-1.int.infra.auro.re
-    - ntp-2.int.infra.auro.re
-  vars:
-    chronyd__allow_networks:
-      - 10.128.0.0/16
-      - 2a09:6840:128::/48
-    chronyd__pools:
-      - 0.pool.ntp.org
-      - 1.pool.ntp.org
-      - 2.pool.ntp.org
-      - 3.pool.ntp.org
-    chronyd__local_stratum: 10
-  roles:
-    - chronyd
-
 - hosts:
    - pve_network
    - vm_network
-    - "!ntp-1.int.infra.auro.re"
-    - "!ntp-2.int.infra.auro.re"
-  vars:
-    chronyd__pools:
-      - ntp-1.int.infra.auro.re
-      - ntp-2.int.infra.auro.re
+    - ntp
  roles:
    - chronyd
 ...
--- a/playbooks/dhcpd.yml
+++ b/playbooks/dhcpd.yml
@ -1,70 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts:
-    - dhcp-1.isp.infra.auro.re
-    - dhcp-2.isp.infra.auro.re
-  vars:
-    dhcpd__omapi_key:
-      algorithm: hmac-sha512
-      secret: 99XuJO0ofX3VAnWWlyixWbQ5YTagPfgxyh14IbLNBb3/JzEklkWopvQdj/PXVYbfb/sRyFJBhLexPag4dLh7PA==
-    dhcpd__interfaces:
-      - client0
-      - client1
-      - client2
-      - client3
-      - client4
-    dhcpd__dns_servers:
-      - 10.128.10.3
-      - 10.128.10.103
-    dhcpd__domain_search:
-      - isp.auro.re.
-      - auro.re.
-    dhcpd__subnets:
-      - network: 100.64.0.0/27
-        routers:
-          - 100.64.0.1
-        start: 100.64.0.4
-        end: 100.64.0.30
-        domain_name: client0.isp.auro.re
-        failover: true
-      - network: 100.64.0.32/27
-        routers:
-          - 100.64.0.31
-        start: 100.64.0.33
-        end: 100.64.0.63
-        domain_name: client1.isp.auro.re
-        failover: true
-      - network: 100.64.0.64/27
-        routers:
-          - 100.64.0.65
-        start: 100.64.0.67
-        end: 100.64.0.95
-        domain_name: client2.isp.auro.re
-        failover: true
-      - network: 100.64.0.96/27
-        routers:
-          - 100.64.0.97
-        start: 100.64.0.99
-        end: 100.64.0.127
-        domain_name: client3.isp.auro.re
-        failover: true
-      - network: 100.64.0.128/27
-        routers:
-          - 100.64.0.129
-        start: 100.64.0.131
-        end: 100.64.0.159
-        domain_name: client4.isp.auro.re
-        failover: true
-    dhcpd__failover:
-      dhcp-1.isp.infra.auro.re: 10.210.1.1
-      dhcp-2.isp.infra.auro.re: 10.210.1.2
-    dhcpd__failover_address: "{{ dhcpd__failover[inventory_hostname] }}"
-    dhcpd__failover_peer_address: "{{ dhcpd__failover
-                                      | dict2items
-                                      | selectattr('key', '!=',
-                                                   inventory_hostname)
-                                      | map(attribute='value')
-                                      | first }}"
+    - dhcp
  roles:
    - dhcpd
 ...
--- a/playbooks/firewall.yml
+++ b/playbooks/firewall.yml
@ -1,123 +1,8 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts:
-    - infra-1.back.infra.auro.re
-    - infra-2.back.infra.auro.re
-  vars:
-    firewall__zones:
-      adm-legacy:
-        addrs:
-          - 2a09:6840:128::/64
-          - 10.128.0.0/16
-      ups:
-        addrs: 
-          - 2a09:6840:201::/64
-          - 10.201.0.0/16
-      edge:
-        addrs:
-          - 2a09:6840:202::/64
-          - 10.202.0.0/16
-      core:
-        addrs:
-          - 2a09:6840:203::/64
-          - 10.203.0.0/16
-      monit:
-        addrs: 
-          - 2a09:6840:204::/64
-          - 10.204.0.0/16
-      wifi:
-        addrs: 
-          - 2a09:6840:205::/64
-          - 10.205.0.0/16
-      int:
-        addrs: 
-          - 2a09:6840:206::/64
-          - 10.206.0.0/16
-      sw:
-        addrs: 
-          - 2a09:6840:207::/64
-          - 10.207.0.0/16
-      bmc:
-        addrs: 
-          - 2a09:6840:208::/64
-          - 10.208.0.0/16
-      pve:
-        addrs: 
-          - 2a09:6840:209::/64
-          - 10.209.0.0/16
-      isp:
-        addrs: 
-          - 2a09:6840:210::/64
-          - 10.210.0.0/16
-      ext:
-        addrs: 
-          - 2a09:6840:211::/64
-          - 45.66.111.0/24
-          - 10.211.0.0/16
-      vpn-clients:
-        addrs:
-          - 2a09:6840:212::/64
-          - 10.212.0.0/16
-      vpn:
-        addrs:
-          - 2a09:6840:213::/64
-          - 10.213.0.0/16
-      infra:
-        zones:
-          - adm-legacy
-          - ups
-          - core
-          - edge
-          - monit
-          - wifi
-          - int
-          - sw
-          - bmc
-          - pve
-          - isp
-          - ext
-          - vpn
-      internet:
-        negate: true
-        addrs:
-          - 2a09:6840::/32
-          - 2a09:6841::/32
-          - 2a09:6842::/32
-          - 45.66.108.0/22
-          - 10.0.0.0/8
-          - 100.64.0.0/10
-    firewall__input:
-      - verdict: accept
-    firewall__output:
-      - verdict: accept
-    firewall__forward:
-      - src: vpn-clients
-        dst: infra
-        verdict: accept
-      - src: infra # FIXME: temporary
-        dst: internet
-        verdict: accept
-      - src: monit
-        dst: bmc
-        protocols:
-          icmp: true
-        verdict: accept
-      - src: adm-legacy
-        dst: bmc
-        verdict: accept
-      - dst:
-          - 2a09:6840:211::204
-          - 45.66.111.204
-        protocols:
-          udp:
-            dport: 5121
-        verdict: accept
-    firewall__nat:
-      - src: 10.0.0.0/8
-        dst: internet
-        protocols: null
-        snat:
-          addr: 45.66.111.200/32
+    - infra
+    - isp
  roles:
    - firewall
 ...
--- a/playbooks/freeradius.yml
+++ b/playbooks/freeradius.yml
@ -1,22 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts:
-    - radius-1.isp.infra.auro.re
-  vars:
-    radiusd__guest_vlan: 1000
-    radiusd__clients:
-      localhost:
-        addr: 127.0.0.1
-        secret: abcdef
-        type: aurore
-      wifi-ap-v4:
-        addr: 10.102.0.0/16
-        secret: abcdef
-        type: aurore
-      wifi-ap-v6:
-        addr: 2a09:6840:102::/56
-        secret: abcdef
-        type: aurore
+    - radius
  roles:
    - freeradius
 ...
--- a/playbooks/ifupdown2.yml
+++ b/playbooks/ifupdown2.yml
@ -2,458 +2,6 @@
 ---
 - hosts:
    - vm_network
-  vars:
-    ifupdown2__wireguard_proto: wireguard
-    ifupdown2__gateways:
-      adm:
-        - 2a09:6840:128::254
-        - 10.128.0.254
-      int:
-        - 2a09:6840:206::1
-        - 10.206.0.1
-      pub:
-        - 2a09:6840:111::254
-        - 45.66.111.254
-    ifupdown2__hosts_wireguard:
-      vpn-1.back.infra.auro.re:
-        wg0:
-          private_key: "{{ vault_wireguard_wg0_private }}"
-          listen_port: 5121
-          goto_table: bird
-          peer_allowed_addresses:
-            - 2a09:6840:212::1:1/128
-            - 10.212.1.1/32
-          peer_public_key: 0kP/XjaGOpu4p9KHTAoAhkLwXzC8wJUdPIdhdpgeKhY=
-    ifupdown2__hosts_base:
-      edge-1.back.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:2/64
-            - 10.128.10.2/16
-        crans0:
-          ipv6_addrgen: false
-        zayo0:
-          ipv6_addrgen: false
-        rezel0:
-          addresses:
-            - 2a09:6842:19:9116::1/64
-            - 45.66.111.1/29
-        back0:
-          addresses:
-            - 2a09:6840:203::1:1/64
-            - 10.203.1.1/16
-        viarezo0:
-          ipv6_addrgen: false
-        router0:
-          addresses:
-            - 2a09:6840:129::10:2/56
-            - 10.129.10.2/16
-        oti0:
-          addresses:
-            - 2a00:a4c0:100c:1::b/127
-            - 77.95.70.11/31
-      edge-2.back.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:102/64
-            - 10.128.10.102/16
-        crans0:
-          ipv6_addrgen: false
-        zayo0:
-          ipv6_addrgen: false
-        rezel0:
-          addresses:
-            - 2a09:6842:19:9116::3/64
-            - 45.66.111.3/29
-        back0:
-          addresses:
-            - 2a09:6840:203::1:2/64
-            - 10.203.1.2/16
-        viarezo0:
-          ipv6_addrgen: false
-        router0:
-          addresses:
-            - 2a09:6840:129::10:102/56
-            - 10.129.10.102/16
-      dns-1.int.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:3/64
-            - 10.128.10.3/16
-          gateways: "{{ ifupdown2__gateways.adm }}"
-        int0:
-          addresses:
-            - 2a09:6840:206::2/64
-            - 10.206.0.2/16
-      dns-2.int.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:103/64
-            - 10.128.10.103/16
-          gateways: "{{ ifupdown2__gateways.adm }}"
-        int0:
-          addresses:
-            - 2a09:6840:206::3/64
-            - 10.206.0.3/16
-      vpn-1.back.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:11/64
-            - 10.128.10.11/16
-        pub0:
-          addresses:
-            - 2a09:6840:207::118/64
-            - 45.66.111.118/24
-        vpn0:
-          addresses:
-            - 2a09:6840:213::1:3/64
-            - 10.213.1.3/16
-      vpn-2.mgmt.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:111/64
-            - 10.128.10.111/16
-          gateways: "{{ ifupdown2__gateways.adm }}"
-        back0:
-          addresses:
-            - 2a09:6840:203::1:8/64
-            - 10.203.1.8/16
-      ssh-1.mgmt.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:1/64
-            - 10.128.10.1/16
-          gateways: "{{ ifupdown2__gateways.adm }}"
-        pub0:
-          addresses:
-            - 2a09:6840:207::2/64
-            - 45.66.108.2/16
-        mgmt0:
-          addresses:
-            - 2a09:6840:211::1:1/64
-            - 10.211.1.1/16
-      ssh-2.mgmt.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:101/64
-            - 10.128.10.101/16
-          gateways: "{{ ifupdown2__gateways.adm }}"
-        pub0:
-          addresses:
-            - 2a09:6840:207::3/64
-            - 45.66.108.3/16
-        mgmt0:
-          addresses:
-            - 2a09:6840:211::1:2/64
-            - 10.211.1.2/16
-      infra-1.back.infra.auro.re:
-        back0:
-          addresses:
-            - 2a09:6840:203::1:3/64
-            - 45.66.111.210/32
-            - 10.203.1.3/16
-        ups0:
-          ipv6_addrgen: false
-        monit0:
-          ipv6_addrgen: false
-        wifi0:
-          ipv6_addrgen: false
-        int0:
-          ipv6_addrgen: false
-        sw0:
-          ipv6_addrgen: false
-        bmc0:
-          ipv6_addrgen: false
-        pve0:
-          ipv6_addrgen: false
-        isp0:
-          ipv6_addrgen: false
-        ext0:
-          ipv6_addrgen: false
-        vpn0:
-          ipv6_addrgen: false
-      infra-2.back.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:104/64
-            - 10.128.10.104/16
-          gateways: "{{ ifupdown2__gateways.adm }}"
-        back0:
-          addresses:
-            - 2a09:6840:203::1:4/64
-            - 45.66.111.211/32
-            - 10.203.1.4/16
-        ups0:
-          ipv6_addrgen: false
-        monit0:
-          ipv6_addrgen: false
-        wifi0:
-          ipv6_addrgen: false
-        int0:
-          ipv6_addrgen: false
-        sw0:
-          ipv6_addrgen: false
-        bmc0:
-          ipv6_addrgen: false
-        pve0:
-          ipv6_addrgen: false
-        isp0:
-          ipv6_addrgen: false
-        ext0:
-          ipv6_addrgen: false
-        vpn0:
-          ipv6_addrgen: false
-      isp-1.back.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:5/64
-            - 10.128.10.5/16
-          gateways: "{{ ifupdown2__gateways.adm }}"
-        back0:
-          addresses:
-            - 2a09:6840:203::1:5/64
-            - 10.203.1.5/16
-        trunk0:
-          ipv6_addrgen: false
-        clients0:
-          bridge_vlan_aware: true
-          bridge_ports:
-            - trunk0
-          bridge_vids:
-            - 1000-1004
-          bridge_disable_pvid: true
-          ipv6_addrgen: false
-        client0:
-          vlan_id: 1000
-          vlan_raw_device: clients0
-          ipv6_addrgen: false
-        client1:
-          vlan_id: 1001
-          vlan_raw_device: clients0
-          ipv6_addrgen: false
-        client2:
-          vlan_id: 1002
-          vlan_raw_device: clients0
-          ipv6_addrgen: false
-        client3:
-          vlan_id: 1003
-          vlan_raw_device: clients0
-          ipv6_addrgen: false
-        client4:
-          vlan_id: 1004
-          vlan_raw_device: clients0
-          ipv6_addrgen: false
-      isp-2.back.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:105/64
-            - 10.128.10.105/16
-          gateways: "{{ ifupdown2__gateways.adm }}"
-        back0:
-          addresses:
-            - 2a09:6840:203::1:6/64
-            - 10.203.1.6/16
-        trunk0:
-          ipv6_addrgen: false
-        clients0:
-          bridge_vlan_aware: true
-          bridge_ports:
-            - trunk0
-          bridge_vids:
-            - 1000-1004
-          bridge_disable_pvid: true
-          ipv6_addrgen: false
-        client0:
-          vlan_id: 1000
-          vlan_raw_device: clients0
-          ipv6_addrgen: false
-        client1:
-          vlan_id: 1001
-          vlan_raw_device: clients0
-          ipv6_addrgen: false
-        client2:
-          vlan_id: 1002
-          vlan_raw_device: clients0
-          ipv6_addrgen: false
-        client3:
-          vlan_id: 1003
-          vlan_raw_device: clients0
-          ipv6_addrgen: false
-        client4:
-          vlan_id: 1004
-          vlan_raw_device: clients0
-          ipv6_addrgen: false
-      dhcp-1.isp.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:6/64
-            - 10.128.10.6/16
-          gateways: "{{ ifupdown2__gateways.adm }}"
-        isp0:
-          addresses:
-            - 2a09:6840:210::1:1/64
-            - 10.210.1.1/16
-        trunk0: null
-        clients0:
-          bridge_vlan_aware: true
-          bridge_ports:
-            - trunk0
-          bridge_vids:
-            - 1000-1004
-          bridge_disable_pvid: true
-          ipv6_addrgen: false
-        client0:
-          addresses:
-            - 100.64.0.2/27
-          vlan_id: 1000
-          vlan_raw_device: clients0
-        client1:
-          addresses:
-            - 100.64.0.34/27
-          vlan_id: 1001
-          vlan_raw_device: clients0
-        client2:
-          addresses:
-            - 100.64.0.66/27
-          vlan_id: 1002
-          vlan_raw_device: clients0
-        client3:
-          addresses:
-            - 100.64.0.98/27
-          vlan_id: 1003
-          vlan_raw_device: clients0
-        client4:
-          addresses:
-            - 100.64.0.130/27
-          vlan_id: 1004
-          vlan_raw_device: clients0
-      dhcp-2.isp.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:106/64
-            - 10.128.10.106/16
-          gateways: "{{ ifupdown2__gateways.adm }}"
-        isp0:
-          addresses:
-            - 2a09:6840:210::1:2/64
-            - 10.210.1.2/16
-        trunk0: null
-        clients0:
-          bridge_vlan_aware: true
-          bridge_ports:
-            - trunk0
-          bridge_vids:
-            - 1000-1004
-          bridge_disable_pvid: true
-          ipv6_addrgen: false
-        client0:
-          addresses:
-            - 100.64.0.3/27
-          vlan_id: 1000
-          vlan_raw_device: clients0
-        client1:
-          addresses:
-            - 100.64.0.35/27
-          vlan_id: 1001
-          vlan_raw_device: clients0
-        client2:
-          addresses:
-            - 100.64.0.67/27
-          vlan_id: 1002
-          vlan_raw_device: clients0
-        client3:
-          addresses:
-            - 100.64.0.99/27
-          vlan_id: 1003
-          vlan_raw_device: clients0
-        client4:
-          addresses:
-            - 100.64.0.131/27
-          vlan_id: 1004
-          vlan_raw_device: clients0
-      radius-1.isp.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:7/64
-            - 10.128.10.7/16
-          gateways: "{{ ifupdown2__gateways.adm }}"
-        isp0:
-          addresses:
-            - 2a09:6840:210::1:3/64
-            - 10.210.1.3/16
-      radius-2.isp.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:107/64
-            - 10.128.10.107/16
-          gateways: "{{ ifupdown2__gateways.adm }}"
-        isp0:
-          addresses:
-            - 2a09:6840:210::1:4/64
-            - 10.210.1.4/16
-      ldap-1.int.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:8/64
-            - 10.128.10.8/16
-          gateways: "{{ ifupdown2__gateways.adm }}"
-        int0:
-          addresses:
-            - 2a09:6840:206::1:3/64
-            - 10.206.1.3/16
-      ldap-2.int.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:108/64
-            - 10.128.10.108/16
-          gateways: "{{ ifupdown2__gateways.adm }}"
-        int0:
-          addresses:
-            - 2a09:6840:206::1:4/64
-            - 10.206.1.4/16
-      ntp-1.int.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:9/64
-            - 10.128.10.9/16
-          gateways: "{{ ifupdown2__gateways.adm }}"
-        int0:
-          addresses:
-            - 2a09:6840:206::1:5/64
-            - 10.206.1.5/16
-      ntp-2.int.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:109/64
-            - 10.128.10.109/16
-          gateways: "{{ ifupdown2__gateways.adm }}"
-        int0:
-          addresses:
-            - 2a09:6840:206::1:6/64
-            - 10.206.1.6/16
-      prometheus-1.monit.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:10/64
-            - 10.128.10.10/16
-          gateways: "{{ ifupdown2__gateways.adm }}"
-        monit0:
-          addresses:
-            - 2a09:6840:204::1:1/64
-            - 10.204.1.1/16
-      prometheus-2.monit.infra.auro.re:
-        adm0:
-          addresses:
-            - 2a09:6840:128::10:110/64
-            - 10.128.10.110/16
-          gateways: "{{ ifupdown2__gateways.adm }}"
-        monit0:
-          addresses:
-            - 2a09:6840:204::1:2/64
-            - 10.204.1.2/16
-    ifupdown2__wireguard: "{{ ifupdown2__hosts_wireguard[inventory_hostname]
-                              | default({}) }}"
-    ifupdown2__interfaces: "{{ ifupdown2__hosts_base[inventory_hostname] }}"
  roles:
    - ifupdown2
 ...
--- a/playbooks/ip_forward.yml
+++ b/playbooks/ip_forward.yml
@ -1,11 +1,10 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts:
-    - edge-1.back.infra.auro.re
-    - edge-2.back.infra.auro.re
-    - infra-1.back.infra.auro.re
-    - infra-2.back.infra.auro.re
-    - vpn-1.back.infra.auro.re
+    - edge
+    - infra
+    - isp
+    - vpn
  roles:
    - ip_forward
 ...
--- a/playbooks/keepalived.yml
+++ b/playbooks/keepalived.yml
@ -1,108 +1,9 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts:
-    - isp-1.back.infra.auro.re
-    - isp-2.back.infra.auro.re
-  vars:
-    keepalived__virtual_router_id: 80
-    keepalived__interface: back0
-    keepalived__virtual_addresses:
-      client0:
-        - 100.64.0.1/27
-        - 2a09:6841::1/56
-        - fe80::1/10
-      client1:
-        - 100.64.0.33/27
-        - 2a09:6841:0:1::1/64
-        - fe80::1/10
-      client2:
-        - 100.64.0.65/27
-        - 2a09:6841:0:2::1/64
-        - fe80::1/10
-      client3:
-        - 100.64.0.97/27
-        - 2a09:6841:0:3::1/64
-        - fe80::1/10
-      client4:
-        - 100.64.0.129/27
-        - 2a09:6841:0:4::1/64
-        - fe80::1/10
-    keepalived__main: "{{ inventory_hostname_short == 'isp-1' }}"
-  roles:
-    - keepalived
-
- hosts:
-    - edge-1.back.infra.auro.re
-    - edge-2.back.infra.auro.re
-  vars:
-    keepalived__virtual_router_id: 81
-    keepalived__interface: back0
-    keepalived__virtual_addresses:
-      crans0:
-        - 185.230.79.254/29
-        - 2a0c:700:28::2/64
-        - fe80::1/10
-      zayo0:
-        - 2001:1b48:2:103::d7:2/126
-        - 83.167.52.69/31
-        - fe80::1/10
-    keepalived__main: "{{ inventory_hostname_short == 'edge-1' }}"
-  roles:
-    - keepalived
-
- hosts:
-    - infra-1.back.infra.auro.re
-    - infra-2.back.infra.auro.re
-  vars:
-    keepalived__virtual_router_id: 82
-    keepalived__interface: back0
-    keepalived__virtual_addresses:
-      ups0:
-        - 10.201.0.1/16
-        - 2a09:6840:201::1/64
-        - fe80::1/10
-      monit0:
-        - 10.204.0.1/16
-        - 2a09:6840:204::1/64
-        - fe80::1/10
-      wifi0:
-        - 10.205.0.1/16
-        - 2a09:6840:205::1/64
-        - fe80::1/10
-      int0:
-        - 10.206.0.1/16
-        - 2a09:6840:206::1/64
-        - fe80::1/10
-      sw0:
-        - 10.207.0.1/16
-        - 2a09:6840:207::1/64
-        - fe80::1/10
-      bmc0:
-        - 10.208.0.1/16
-        - 2a09:6840:208::1/64
-        - fe80::1/10
-      pve0:
-        - 10.209.0.1/16
-        - 2a09:6840:209::1/64
-        - fe80::1/10
-      isp0:
-        - 10.210.0.1/16
-        - 2a09:6840:210::1/64
-        - fe80::1/10
-      ext0:
-        - 10.211.0.1/16
-        - 2a09:6840:211::1/64
-        - fe80::1/10
-      vpn0:
-        - 10.213.0.1/16
-        - 2a09:6840:213::1/64
-        - fe80::1/10
-    keepalived__virtual_routes:
-      ext0:
-        - 45.66.111.204/30
-    keepalived__virtual_blackholes:
-      - 45.66.111.200/30
-    keepalived__main: "{{ inventory_hostname_short == 'infra-1' }}"
+    - isp
+    - edge
+    - infra
  roles:
    - keepalived
 ...
--- a/playbooks/knotd.yml
+++ b/playbooks/knotd.yml
@ -1,496 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts: ns-master.int.infra.auro.re
-  vars:
-    knotd__listen:
-      - address: 0.0.0.0
-      - address: "::"
-    knotd__keys:
-      xfr:
-        algorithm: hmac-sha512
-        secret: "{{ vault_knotd_xfr_key }}"
-      ksk-infra:
-        algorithm: hmac-sha512
-        secret: "{{ vault_knotd_ksk_infra_key }}"
-      update-acme-challenge:
-        algorithm: hmac-sha512
-        secret: "{{ vault_certbot_dns_secret }}"
-    knotd__remotes:
-      xfr-ns-1:
-        address: 10.128.0.199
-        key: xfr
-      xfr-ns-2:
-        address: 10.128.0.109
-        key: xfr
-      ksk-infra:
-        address: ::1
-        key: ksk-infra
-    knotd__policies:
-      public:
-        algorithm: ECDSAP256SHA256
-        reproducible_signing: true
-        # Je n'ai pas trouvé de façon de pousser les records automatiquement
-        # sur .re, donc pour éviter d'oublier de le faire manuellement, la
-        # KSK n'expire pas
-        ksk_lifetime: 0
-        zsk_lifetime: 30d
-        nsec3: true
-      infra:
-        algorithm: ECDSAP256SHA256
-        ksk_lifetime: 365d
-        zsk_lifetime: 30d
-        nsec3: on
-        ds-push: ksk-infra
-        cds-cdnskey-publish: rollover
-        ksk-submission: infra
-      ripe:
-        algorithm: ECDSAP256SHA256
-        ksk_lifetime: 365d
-        zsk_lifetime: 30d
-        nsec3: on
-        ds-push: ksk-ripe
-        cds-cdnskey-publish: rollover
-        ksk-submission: ripe
-    knotd__acl:
-      xfr:
-        addresses:
-          - 10.128.0.199
-          - 2a09:6840:128::199
-          - 10.128.0.109
-          - 2a09:6840:128::109
-        action: transfer
-        key: xfr
-      ksk-infra:
-        addresses:
-          - 127.0.0.1
-          - ::1
-        key: ksk-infra
-        action: update
-        update_types:
-          - DS
-        update_owner: name
-        update_owner_match: equal
-        update_owner_name:
-          - infra
-      update-acme-challenge:
-        addresses:
-          - 10.128.0.0/16
-          - 2a09:6840:128::/48
-        key: update-acme-challenge
-        action: update
-        update_types:
-          - TXT
-        update_owner: name
-        update_owner_match: equal
-        update_owner_name:
-          - _acme-challenge.auro.re.
-    knotd__queryacl:
-      local:
-        addresses:
-          - 10.0.0.0/8
-    knotd__soa_rname: root@auro.re.
-    # TODO: Netbox
-    knotd__hosts:
-      auro.re:
-        proxy-ovh:
-          - 92.222.211.195
-        horus:
-          - 92.23.218.136
-        ns-1:
-          - 45.66.111.30
-          - 2a09:6840:111::30
-        ns-2:
-          - 92.222.211.194
-        serge:
-          - 92.222.211.196
-        lama:
-          - 185.230.78.220
-          - 2a0c:700:12:0:67:e5ff:fee9:108
-        vpn-ovh:
-          - 92.222.211.197
-        passerelle:
-          - 45.66.111.254
-          - 2a09:6840:111::254
-        proxy:
-          - 45.66.111.61
-          - 2a09:6840:111::61
-        camelot:
-          - 45.66.111.59
-          - 2a09:6840:111::59
-        mail:
-          - 45.66.111.62
-          - 2a09:6840:111::62
-        galene:
-          - 45.66.111.65
-          - 2a09:6840:111::65
-        aclyas:
-          - 45.66.111.231
-          - 2a09:6840:111::231
-        jitsi:
-          - 45.66.111.55
-          - 2a09:6840:111::55
-        portail-fleming:
-          - 10.13.0.247
-          - 2a09:6840:13::247
-        portail-pacaterie:
-          - 10.23.0.247
-          - 2a09:6840:23::247
-        portail-rives:
-          - 10.33.0.247
-          - 2a09:6840:33::247
-        portail-edc:
-          - 10.43.0.247
-          - 2a09:6840:43::247
-        portail-gs:
-          - 10.53.0.247
-          - 2a09:6840:53::247
-      adh.auro.re:
-        hoffman:
-          - 45.66.110.1
-          - 2a09:6840:110:0:2d8:61ff:fe56:d7eb
-        hindley:
-          - 45.66.110.3
-          - 2a09:6840:110:0:a6ba:dbff:fe03:1f36
-        yberreby:
-          - 45.66.110.5
-          - 2a09:6840:110:0:d896:1dff:fe59:8381
-        paon:
-          - 45.66.110.10
-          - 2a09:6840:110:0:231:92ff:fe1b:ae22
-        lovelace:
-          - 45.66.110.45
-          - 2a09:6840:110:0:c634:6bff:feb5:7bcc
-        switch-leo:
-          - 45.66.110.103
-          - 2a09:6840:110:0:82cc:9cff:fe82:ca3e
-        haskell:
-          - 45.66.110.112
-          - 2a09:6840:110:0:f4ac:cbff:fe81:7f48
-        lyshyga0:
-          - 45.66.110.113
-          - 2a09:6840:110:0:6af7:28ff:fe91:e8d9
-        pz28910:
-          - 45.66.110.114
-        vinsing0:
-          - 45.66.110.123
-          - 2a09:6840:110:0:1e1b:dff:fe90:7d81
-        osc-routeur:
-          - 45.66.110.125
-          - 2a09:6840:110:0:ba27:ebff:fe2d:c1a1
-        odroid:
-          - 45.66.110.154
-          - 2a09:6840:110:0:21e:6ff:fe49:e00
-        amau0:
-          - 45.66.110.164
-          - 2a09:6840:110:0:3e7c:3fff:fec3:27d1
-        regulus:
-          - 45.66.110.180
-          - 2a09:6840:110:0:2ef0:5dff:fe2a:1530
-        toaster:
-          - 45.66.110.188
-          - 2a09:6840:110:0:5246:5dff:fe9a:f70
-        rpijutax:
-          - 45.66.110.190
-          - 2a09:6840:110:0:ba27:ebff:fe76:a9bc
-        lafeychine:
-          - 45.66.110.200
-          - 2a09:6840:110:0:46a5:6eff:fe71:1
-        polaris:
-          - 45.66.110.245
-          - 2a09:6840:110:0:dea6:32ff:feb4:d033
-    knotd__zones:
-      auro.re:
-        dnssec_policy: public
-        notify:
-          - xfr-ns-1
-          - xfr-ns-2
-        acl:
-          - update-acme-challenge
-          - ksk-infra
-          - xfr
-        soa:
-          mname: ns-master.int.infra
-        ns:
-          - target:
-              - ns-1
-              - ns-2
-          - name: infra
-            target:
-              - ns-1
-              - ns-2
-          - name: adm
-            target:
-              - serge
-              - lama
-          - name: ups
-            target:
-              - serge
-              - lama
-          - name: switch
-            target:
-              - serge
-              - lama
-          - name: borne
-            target:
-              - serge
-              - lama
-        mx:
-          - exchange: mail
-            preference: 5
-          - exchange: proxy-ovh
-            preference: 10
-        spf:
-          - data: v=spf1 mx -all
-        a:
-          - address: 92.222.211.195
-        cname:
-          - name:
-              - gisti
-              - gistiti
-            target: jitsi
-          - name:
-              - element
-              - riot
-              - auth
-              - rss
-              - codimd
-              - hedgedoc
-              - kanboard
-              - www
-              - pad
-              - privatebin
-              - zero
-              - paste
-            target: proxy-ovh
-          - name:
-              - grafana
-              - netbox
-              - wiki
-              - matrix
-              - drone
-              - gitea
-              - re2o
-              - nextcloud
-              - vote
-            target: proxy
-          - name: intranet
-            target: re2o
-          - name:
-              - smtp
-              - imap
-            target: mail
-          - name:
-              - prometheus-paul.adh
-              - pma-paul.adh
-              - nextcloud-paul.adh
-              - grafana-paul.adh
-              - jellyfin.adh
-              - monitoring.adh
-              - beta-mpp.adh
-              - pz28.adh
-            target: lucepaul.myvnc.com.
-          - name:
-              - services-1.pve
-            target: services-1.pve.infra
-          - name:
-              - services-2.pve
-            target: services-2.pve.infra
-          - name:
-              - services-3.pve
-            target: services-3.pve.infra
-        hosts: "{{ knotd__hosts['auro.re']
-                   | combine(knotd__hosts['adh.auro.re']
-                             | add_origin_keys('adh.auro.re.')) }}"
-      infra.auro.re:
-        dnssec_policy: infra
-        notify:
-          - xfr-ns-1
-          - xfr-ns-2
-        acl:
-          - xfr
-        #queryacl: local
-        soa:
-          mname: ns-master.int
-        ns:
-          - target:
-              - ns-1.auro.re.
-              - ns-2.auro.re.
-        hosts:
-          services-1.ceph:
-            - 10.132.1.1
-            - "2a09:6840:132:1:1::"
-          services-2.ceph:
-            - 10.132.1.2
-            - "2a09:6840:132:1:2::"
-          services-3.ceph:
-            - 10.132.1.3
-            - "2a09:6840:132:1:3::"
-          services-1.pve:
-            - 10.134.1.1
-            - 2a09:6840:132:1:1::1
-          services-2.pve:
-            - 10.134.1.2
-            - 2a09:6840:132:1:2::1
-          services-3.pve:
-            - 10.134.1.3
-            - 2a09:6840:132:1:3::1
-          ns-master.int:
-            - 10.128.0.110
-            - 2a09:6840:128:0::110
-          ec-1.ups:
-            - 10.131.4.1
-            - 2a09:6840:131::4:1
-          ec-2.ups:
-            - 10.131.4.2
-            - 2a09:6840:131::4:2
-          network-1.pve:
-            - 10.128.5.1
-            - 2a09:6840:128::5:1
-          network-2.pve:
-            - 10.128.2.1
-            - 2a09:6840:128::2:1
-          edge-1.back:
-            - 10.128.10.2
-            - 2a09:6840:128::10:2
-          edge-2.back:
-            - 10.128.10.102
-            - 2a09:6840:128::10:102
-          dns-1.int:
-            - 10.128.10.3
-            - 2a09:6840:128::10:3
-          dns-2.int:
-            - 10.128.10.103
-            - 2a09:6840:128::10:103
-          ssh-1.mgmt:
-            - 10.128.10.1
-            - 2a09:6840:128::10:1
-          ssh-2.mgmt:
-            - 10.128.10.101
-            - 2a09:6840:128::10:101
-          vpn-1.back:
-            - 10.128.10.11
-            - 2a09:6840:128::10:11
-            - 10.128.10.111
-            - 2a09:6840:128::10:111
-          infra-1.back:
-            - 2a09:6840:203::1:3
-            - 10.203.1.3
-          infra-2.back:
-            - 2a09:6840:203::1:4
-            - 10.203.1.4
-          isp-1.back:
-            - 10.128.10.5
-            - 2a09:6840:128::10:5
-          isp-2.back:
-            - 10.128.10.105
-            - 2a09:6840:128::10:105
-          dhcp-1.isp:
-            - 10.128.10.6
-            - 2a09:6840:128::10:6
-          dhcp-2.isp:
-            - 10.128.10.106
-            - 2a09:6840:128::10:106
-          radius-1.isp:
-            - 10.128.10.7
-            - 2a09:6840:128::10:7
-          radius-2.isp:
-            - 10.128.10.107
-            - 2a09:6840:128::10:107
-          ldap-1.int:
-            - 10.128.10.8
-            - 2a09:6840:128::10:8
-          ldap-2.int:
-            - 10.128.10.108
-            - 2a09:6840:128::10:108
-          ntp-1.int:
-            - 10.128.10.9
-            - 2a09:6840:128::10:9
-          ntp-2.int:
-            - 10.128.10.109
-            - 2a09:6840:128::10:109
-          prometheus-1.monit:
-            - 10.128.10.10
-            - 2a09:6840:128::10:10
-          prometheus-2.monit:
-            - 10.128.10.110
-            - 2a09:6840:128::10:110
-      108.66.45.in-addr.arpa:
-        dnssec_policy: ripe
-        notify:
-          - xfr-ns-1
-          - xfr-ns-2
-        acl:
-          - xfr
-        soa:
-          mname: ns-master.int.infra.auro.re.
-        ns:
-          - target:
-              - ns-1.auro.re.
-              - ns-2.auro.re.
-      109.66.45.in-addr.arpa:
-        dnssec_policy: ripe
-        notify:
-          - xfr-ns-1
-          - xfr-ns-2
-        acl:
-          - xfr
-        soa:
-          mname: ns-master.int.infra.auro.re.
-        ns:
-          - target:
-              - ns-1.auro.re.
-              - ns-2.auro.re.
-      110.66.45.in-addr.arpa:
-        dnssec_policy: ripe
-        notify:
-          - xfr-ns-1
-          - xfr-ns-2
-        acl:
-          - xfr
-        soa:
-          mname: ns-master.int.infra.auro.re.
-        ns:
-          - target:
-              - ns-1.auro.re.
-              - ns-2.auro.re.
-        reverse_hosts: "{{ knotd__hosts['adh.auro.re']
-                           | ip_filter(['45.66.110.0/24'])
-                           | add_origin_keys('adh.auro.re.') }}"
-      111.66.45.in-addr.arpa:
-        dnssec_policy: ripe
-        notify:
-          - xfr-ns-1
-          - xfr-ns-2
-        acl:
-          - xfr
-        soa:
-          mname: ns-master.int.infra.auro.re.
-        ns:
-          - target:
-              - ns-1.auro.re.
-              - ns-2.auro.re.
-        reverse_hosts: "{{ knotd__hosts['auro.re']
-                           | ip_filter(['45.66.111.0/24'])
-                           | add_origin_keys('auro.re.') }}"
-      0.4.8.6.9.0.a.2.ip6.arpa:
-        dnssec_policy: ripe
-        notify:
-          - xfr-ns-1
-          - xfr-ns-2
-        acl:
-          - xfr
-        soa:
-          mname: ns-master.int.infra.auro.re.
-        ns:
-          - target:
-              - ns-1.auro.re.
-              - ns-2.auro.re.
-        reverse_hosts: "{{ knotd__hosts['auro.re']
-                           | ip_filter(['2a09:6840::/32'])
-                           | add_origin_keys('auro.re.')
-                           | combine(knotd__hosts['adh.auro.re']
-                                     | ip_filter(['2a09:6840::/32'])
-                                     | add_origin_keys('adh.auro.re.')) }}"
  roles:
    - knotd

--- a/playbooks/kresd.yml
+++ b/playbooks/kresd.yml
@ -1,30 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
- hosts:
-    - dns-1.int.infra.auro.re
-    - dns-2.int.infra.auro.re
-  vars:
-    kresd__listen:
-      - address: 0.0.0.0
-        port: 53
-        kind: dns
-      - address: "::"
-        port: 53
-        kind: dns
-      - address: 0.0.0.0
-        port: 853
-        kind: tls
-      - address: "::"
-        port: 853
-        kind: tls
-      - address: 0.0.0.0
-        port: 8453
-        kind: webmgmt
-      - address: "::"
-        port: 8453
-        kind: webmgmt
-        tls: false
-    kresd__cache_size: 512
+- hosts: dns
  roles:
    - kresd
 ...
--- a/playbooks/openssh.yml
+++ b/playbooks/openssh.yml
@ -3,14 +3,6 @@
 - hosts:
    - pve_network
    - vm_network
-  vars:
-    openssh__users_ca_public_key:
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
-      hBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXW\
-      F1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg=="
-    openssh__authorized_principals:
-      - any
-      - "{{ inventory_hostname }}"
  roles:
    - openssh_server
 ...
--- a/playbooks/pve.yml
+++ b/playbooks/pve.yml
@ -1,35 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts:
-    - pve_network
-  vars:
-    pve_auth__groups:
-      admin:
-        - Administrator
-    pve_auth__pam_users:
-      root:
-        enabled: false
-    pve_auth__users:
-      jeltz:
-        password: "{{ vault_pve_passwords.jeltz }}"
-        groups:
-          - admin
-      otthorn:
-        password: "{{ vault_pve_passwords.otthorn }}"
-        groups:
-          - admin
-      v-lafeychine:
-        password: "{{ vault_pve_passwords['v-lafeychine'] }}"
-        groups:
-          - admin
-      pz2891:
-        password: "{{ vault_pve_passwords.pz2891 }}"
-        groups:
-          - admin
-      loutr:
-        password: "{{ vault_pve_passwords.loutr }}"
-        groups:
-          - admin
+    - pve
  roles:
    - pve_activate
    - pve_auth
--- a/playbooks/resolvconf.yml
+++ b/playbooks/resolvconf.yml
@ -3,16 +3,6 @@
 - hosts:
    - vm_network
    - pve_network
-  vars:
-    resolvconf__nameservers:
-      - 2a09:6840:128::10:103
-      - 2a09:6840:128::10:3
-      - 10.128.10.103
-      - 10.128.10.3
-    resolvconf__domain: auro.re.
-    resolvconf__search:
-      - "{{ inventory_hostname | remove_domain_suffix }}"
-      - auro.re.
  roles:
    - resolvconf
 ...
--- a/playbooks/root.yml
+++ b/playbooks/root.yml
@ -3,9 +3,6 @@
 - hosts:
    - vm_network
    - pve_network
-  vars:
-    root_shell: /bin/bash
-    root_password: "{{ vault_root_password }}"
  roles:
    - root_account
 ...
--- a/playbooks/systemd_link.yml
+++ b/playbooks/systemd_link.yml
@ -1,131 +1,22 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts:
-    - edge-1.back.infra.auro.re
-    - edge-2.back.infra.auro.re
-    - ssh-1.mgmt.infra.auro.re
-    - ssh-2.mgmt.infra.auro.re
-    - vpn-1.back.infra.auro.re
-    - dns-1.int.infra.auro.re
-    - dns-2.int.infra.auro.re
-    - infra-1.back.infra.auro.re
-    - infra-2.back.infra.auro.re
-    - isp-1.back.infra.auro.re
-    - isp-2.back.infra.auro.re
-    - dhcp-1.isp.infra.auro.re
-    - dhcp-2.isp.infra.auro.re
-    - radius-1.isp.infra.auro.re
-    - radius-2.isp.infra.auro.re
-    - ldap-1.int.infra.auro.re
-    - ldap-2.int.infra.auro.re
-    - ntp-1.int.infra.auro.re
-    - ntp-2.int.infra.auro.re
-    - prometheus-1.monit.infra.auro.re
-    - prometheus-2.monit.infra.auro.re
+    - infra
+    - dns
+    - ntp
+    - prometheus
+    - radius
+    - edge
+    - dhcp
+    - ldap
+    - isp
+    - vpn
  vars:
    systemd_link__hosts:
-      edge-1.back.infra.auro.re:
-        adm0: 02:00:00:9E:3E:21
-        crans0: 02:00:00:A2:7C:68
-        zayo0: 02:00:00:35:89:82
-        rezel0: 02:00:00:8F:4A:AD
-        back0: 02:00:00:1C:3A:2E
-        viarezo0: 02:00:00:ED:70:64
-        router0: 02:00:00:5A:17:7C
-        oti0: 02:00:00:05:0E:A6
-      edge-2.back.infra.auro.re:
-        adm0: 04:00:00:F5:69:B9
-        crans0: 04:00:00:CF:E1:D0
-        zayo0: 04:00:00:67:7B:12
-        rezel0: 04:00:00:C6:05:B7
-        back0: 04:00:00:DE:22:E6
-        viarezo0: 04:00:00:45:FA:E6
-        router0: 04:00:00:AD:D7:71
-      ssh-1.mgmt.infra.auro.re:
-        adm0: 02:00:00:a3:49:20
-        pub0: 02:00:00:27:ea:9d
-        mgmt0: 02:00:00:0f:ac:75
      vpn-1.back.infra.auro.re:
        adm0: 02:00:00:3b:74:20
        vpn0: 02:00:00:b5:ca:c7
        pub0: 02:00:00:e3:65:49
-      ssh-2.mgmt.infra.auro.re:
-        adm0: 04:00:00:98:c2:10
-        pub0: 04:00:00:65:cc:52
-        mgmt0: 04:00:00:3c:67:08
-      dns-1.int.infra.auro.re:
-        adm0: 02:00:00:6c:4b:89
-        int0: 02:00:00:9f:d9:f9
-      dns-2.int.infra.auro.re:
-        adm0: 04:00:00:2a:6e:be
-        int0: 04:00:00:3c:c0:5a
-      infra-1.back.infra.auro.re:
-        adm0: 02:00:00:f0:8a:dd
-        ups0: 02:00:00:fe:6f:0e
-        back0: 02:00:00:f8:93:22
-        monit0: 02:00:00:da:97:7f
-        wifi0: 02:00:00:8c:c5:bf
-        int0: 02:00:00:75:40:3e
-        sw0: 02:00:00:ca:e8:d1
-        bmc0: 02:00:00:47:d1:b9
-        pve0: 02:00:00:b3:35:e7
-        isp0: 02:00:00:6b:53:14
-        ext0: 02:00:00:32:86:60
-        vpn0: 02:00:00:52:5f:85
-      infra-2.back.infra.auro.re:
-        adm0: 04:00:00:d3:03:53
-        ups0: 04:00:00:6d:97:83
-        back0: 04:00:00:46:ba:f9
-        monit0: 04:00:00:72:0b:2d
-        wifi0: 04:00:00:ee:42:0f
-        int0: 04:00:00:21:fd:d0
-        sw0: 04:00:00:2e:5b:16
-        bmc0: 04:00:00:bb:5a:a6
-        pve0: 04:00:00:0b:2b:82
-        isp0: 04:00:00:f4:4c:5d
-        ext0: 04:00:00:1d:0e:83
-        vpn0: 04:00:00:02:ba:dd
-      isp-1.back.infra.auro.re:
-        adm0: 02:00:00:D8:37:45
-        back0: 02:00:00:BF:10:4C
-        trunk0: 02:00:00:E9:BA:15
-      isp-2.back.infra.auro.re:
-        adm0: 04:00:00:85:C3:5D
-        back0: 04:00:00:FE:2D:67
-        trunk0: 04:00:00:D8:F5:4D
-      dhcp-1.isp.infra.auro.re:
-        adm0: 02:00:00:17:61:5b
-        isp0: 02:00:00:c6:3f:6f
-        trunk0: 02:00:00:b1:8d:d6
-      dhcp-2.isp.infra.auro.re:
-        adm0: 04:00:00:0c:f1:42
-        isp0: 04:00:00:8c:d1:36
-        trunk0: 04:00:00:33:2c:3c
-      radius-1.isp.infra.auro.re:
-        adm0: 02:00:00:4f:35:12
-        isp0: 02:00:00:6a:3e:f4
-      radius-2.isp.infra.auro.re:
-        adm0: 04:00:00:96:54:a6
-        isp0: 04:00:00:29:6d:c9
-      ldap-1.int.infra.auro.re:
-        adm0: 02:00:00:38:c2:52
-        int0: 02:00:00:fe:a8:54
-      ldap-2.int.infra.auro.re:
-        adm0: 04:00:00:f7:1c:47
-        int0: 04:00:00:e4:83:d2
-      ntp-1.int.infra.auro.re:
-        adm0: 02:00:00:e0:26:2e
-        int0: 02:00:00:74:71:83
-      ntp-2.int.infra.auro.re:
-        adm0: 04:00:00:08:83:2b
-        int0: 04:00:00:31:be:50
-      prometheus-1.monit.infra.auro.re:
-        adm0: 02:00:00:66:33:9d
-        monit0: 02:00:00:a8:6b:51
-      prometheus-2.monit.infra.auro.re:
-        adm0: 04:00:00:3d:c6:a1
-        monit0: 04:00:00:a6:93:5a
-    systemd_link__links: "{{ systemd_link__hosts[inventory_hostname] }}"
  roles:
    - systemd_link
 ...
--- a/roles/ifupdown2/templates/interfaces.j2
+++ b/roles/ifupdown2/templates/interfaces.j2
@ -5,10 +5,10 @@ iface lo

 {% macro iface_common(iface, index=None) %}
 {% for address in iface.addresses | default([]) %}
-address {{ address | ipaddr }}
+address {{ address | ansible.utils.ipaddr }}
 {% endfor %}
 {% for gateway in iface.gateways | default([]) %}
-gateway {{ gateway | ipaddr }}
+gateway {{ gateway | ansible.utils.ipaddr }}
 {% endfor %}
 {% if iface.forward | default(false) %}
 ip-forward yes
@ -23,7 +23,7 @@ post-down ip rule del prio {{ prio + 1 }} iif $IFACE blackhole
 {% endif %}
 {% if iface.ipv6_addrgen is defined %}
 ipv6-addrgen {{ iface.ipv6_addrgen
-	        | ternary("yes", "no") }}
+                | ternary("yes", "no") }}
 {% endif %}
 {% endmacro %}

--- a/roles/root_account/tasks/main.yml
+++ b/roles/root_account/tasks/main.yml
@ -2,8 +2,8 @@
 - name: Set root password
  user:
    name: root
-    shell: "{{ root_shell }}"
-    password: "{{ root_password }}"
+    shell: "{{ root__shell }}"
+    password: "{{ root__password }}"

 - name: Setup bashrc for root
  template: