switchs: Add EDC access point

dns: log-{1,2} & pve
grafana-ng: configuration firewall, dns, caddy
2025-10-09 21:01:43 +02:00 · 2025-10-09 19:14:53 +02:00 · 2025-10-07 08:47:55 +02:00 · 2025-10-05 16:13:05 +02:00 · 2025-10-02 23:30:29 +02:00 · 2025-09-30 23:00:48 +02:00
439 changed files with 98536 additions and 4629 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -3,9 +3,7 @@ skip_list:
  - load-failure
  - document-start
  - meta-no-info
-
+  - ignore-errors
 warn_list:
  - experimental  # all rules tagged as experimental
 exclude_paths:
  - group_vars/all/vault.yml
--- a/.drone.yml
+++ b/.drone.yml
@ -5,8 +5,7 @@ name: check
 steps:
  - name: ansible and yaml linting
-    pull: never
+    image: quay.io/ansible/toolset:3.5.0
    image: aurore-ansible-lint-image
    commands:
      - ansible-lint
 ...
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,4 @@
 *.retry
 tmp
 ldap-password.txt
-debug.yml
+__pycache__/
--- a/README.md
+++ b/README.md
@ -1,9 +1,8 @@
 [![Linter Status](https://drone.auro.re/api/badges/Aurore/ansible/status.svg)](https://drone.auro.re/Aurore/ansible)
 # Recettes Ansible d'Aurore
-Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore.
+Dépendances requises :
-Pour les utiliser, vérifiez que vous avez au moins Ansible 2.7.
+
 * Ansible 2.9 ou plus récent.
 ## Ansible 101
@ -14,8 +13,9 @@ Il contient la définition de chaque machine et le regroupement.
 Quand on regroupe avec un `:children` en réalité on groupe des groupes.
-Chaque machine est annoncée avec son hostname. Il faut pouvoir SSH sur cette machine
+Chaque machine est annoncée avec son hostname. Il faut pouvoir SSH sur cette
-avec ce hostname, car c'est ce qu'Ansible fera.
+machine avec ce hostname, car c'est ce qu'Ansible fera (sauf pour les switchs,
 voir plus bas).
 **Playbook** : c'est une politique de déploiement.
 Il contient les associations des rôles avec les machines.
@ -36,31 +36,42 @@ déployer un serveur prometheus, déployer une node prometheus…
 **Tâche** : un rôle est composé de tâches. Une tâche effectue une et une seule
 action. Elle est associée à un module Ansible.
-*Exemples de tâche* : installer un paquet avec le module `apt`, ajouter une ligne dans
+*Exemples de tâche* : installer un paquet avec le module `apt`, ajouter une
-un fichier avec le module `lineinfile`, copier une template avec le module `template`…
+ligne dans un fichier avec le module `lineinfile`, copier une template avec le
 module `template`…
-Une tâche peut avoir des paramètres supplémentaires pour la réessayer quand elle plante,
+Une tâche peut avoir des paramètres supplémentaires pour la réessayer quand
-récupérer son résultat dans une varible, mettre une boucle dessus, mettre des conditions…
+elle plante, récupérer son résultat dans une variable, mettre une boucle
 dessus, mettre des conditions…
-N'oubliez pas d'aller lire l'excellent documentation de RedHat sur tous les modules
+N'oubliez pas d'aller lire l'excellente documentation de RedHat sur tous les modules
 d'Ansible !
 ### Gestion des groupes de machines
 Pour la liste complète, je vous invite à lire le fichier `hosts`.
-  * pour tester les versions de Debian,
+Exemple :
-    ```YAML
+```yaml
-    ansible_lsb.codename == 'stretch'
+[fleming_vm]
 dhcp-fleming.adm.auro.re
 dns-fleming.adm.auro.re
 prometheus-fleming.adm.auro.re
 routeur-fleming.adm.auro.re
 [fleming_pve]
 pve1.adm.auro.re
 [fleming:children]
 fleming_pve
 fleming_vm
 ```
-  * pour tester si c'est un CPU Intel x86_64,
+> NB :
-
+>
-    ```YAML
+> L'exemple a été adapté de la configuration d'Aurore pour des raisons
-    ansible_processor[0].find('Intel') != -1
+> pédagogiques.
    and ansible_architecture == 'x86_64'
    ```
 Pour les fonctions (`proxy-server`, `dhcp-dynamique`…) il a été choisi
 de ne pas faire de groupe particulier mais plutôt de sélectionner/enlever
@ -73,27 +84,46 @@ qui peuvent ensuite être utilisés dans des variables.
 Pour lister tous les faits qu'Ansible collecte nativement d'un serveur
 on peut exécuter le module `setup` manuellement.
-```
+```bash
 ansible proxy.adm.auro.re -m setup --ask-vault-pass
 ```
 Il est notamment possible de :
 * tester les versions de Debian,
  ```YAML
  ansible_lsb.codename == 'stretch'
  ```
 * tester si c'est un CPU Intel x86_64,
  ```YAML
  ansible_processor[0].find('Intel') != -1
  and ansible_architecture == 'x86_64'
  ```
 ## Exécution d'Ansible
 ### Configurer la connexion au vlan adm
 Envoyer son agent SSH peut être dangereux
-([source](https://heipei.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)).
+([source](https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)).
 On va utiliser plutôt `ProxyJump`.
 Dans la configuration SSH :
-```
+```text
-# Use a proxy jump server to log on all Aurore inventory
+Host *.adm.auro.re *.pve.auro.re
-Host 10.128.0.* *.adm.auro.re
+    # Accept new host keys
    StrictHostKeyChecking accept-new
    # Use passerelle to connect to administration VLANs
    ProxyJump passerelle.auro.re
 ```
-Il faut sa clé SSH configurée sur le serveur que l'on déploit.
+Il faut sa clé SSH configurée sur le serveur que l'on déploie.
 ```bash
 ssh-copy-id proxy.adm.auro.re
 ```
@ -103,6 +133,7 @@ ssh-copy-id proxy.adm.auro.re
 Il faut `python3-netaddr` sur sa machine.
 Pour tester le playbook `base.yml` :
 ```bash
 ansible-playbook --ask-vault-pass base.yml --check
 ```
@ -112,7 +143,7 @@ Vous pouvez ensuite enlever `--check` si vous voulez appliquer les changements !
 Si vous avez des soucis de fingerprint ECDSA, vous pouvez ignorer une
 première fois (dangereux !) : `ANSIBLE_HOST_KEY_CHECKING=0 ansible-playbook...`.
-### Ajouter tous les empruntes de serveur
+### Ajouter toutes les empreintes de serveur
 ```bash
 #!/bin/bash
@ -121,6 +152,10 @@ for ip in `cat hosts|grep .adm.auro.re`; do
 done
 ```
 > Remarque :
 >
 > L'utilisation d'un certificat permet d'éviter d'avoir à ajouter sa clé ssh
 > sur les serveurs.
 ### Passage à Ansible 2.10 (release: 30 juillet)
@ -132,11 +167,141 @@ ansible-galaxy collection install community.general
 ansible-galaxy collection install ansible.posix
 ```
-
+Si vous n'arrivez pas à entrer votre *become password* (bug dans ansible?), un
 Si vous n'arrivez pas à entrer votre _become password_ (bug dans ansible?), un
 workaround est le suivant :
 `$  export ANSIBLE_BECOME_PASS='<votre mot de passe LDAP>'`
 Notez l'espace au début pour ne pas log la commande dans votre historique
 shell.
 ## Configuration des switchs depuis Ansible
 Afin d'acquérir de l'indépendance vis-à-vis de re2o, un module permettant de
 configurer les switchs depuis Ansible a été créé. Il utilise l'api rest des
 switchs afin de récupérer et appliquer la configuration voulue.
 ### Prérequis
 Pour utiliser le module, il faut d'abord annoncer à Ansible qu'il ne faut pas
 effectuer de connexion ssh et de ne pas récupérer les faits. Cela se fait à
 l'aide des variables `connection: httpapi` et `gather_facts: false` à placer
 dans le playbook (pour une configuration locale) ou dans ansible.cfg (pour une
 configuration globale). Ensuite, l'infrastructure actuelle de Aurore nécessite
 l'utilisation d'un proxy. Pour cela, il suffit d'exécuter la commande :
 ```bash
 ssh -D 3000 switchs-manager.adm.auro.re
 ```
 et d'annoncer l'utilisation du proxy dans la configuration en exportant la
 variable d'environnement `HTTP_PROXY=socks5://localhost:3000` et en
 configurant la variable du module `use_proxy: true`.
 Exemple :
 ```yaml
 environment:
  HTTP_PROXY: "socks5://localhost:3000"
 tasks:
  - name: vlans
    switch_config:
      username: ****
      password: ****
      port: 80
      host: 192.168.1.42
      use_proxy: true
      config:
        path: vlans/42
        data:
          name: VLAN42
          vlan_id: 42
          status: VS_PORT_BASED
          type: VT_STATIC
 ```
 Le module est alors utilisable, il ne reste plus qu'à le configurer.
 ### Écrire la configuration
 Le module se veut assez libre. Ainsi, l'ensemble de la requête doit être écrite
 dans les `tasks`. Voici un exemple pour configurer un vlan :
 ```yaml
 tasks:
  - name: vlans
    switch_config:
      username: ****
      password: ****
      port: 80
      host: 192.168.1.42
      config:
        path: vlans/42
        data:
          name: VLAN42
          vlan_id: 42
          status: VS_PORT_BASED
          type: VT_STATIC
 ```
 Le `path` correspond à l'url de l'objet que l'on souhaite éditer et `data`
 correspond aux données qui seront envoyées dans une requête `PUT` (au format
 `json`). Cependant, la configuration d'un vlan peut nécessiter de le créer.
 Pour remédier à ce problème, il est possible d'utiliser la syntaxe suivante :
 ```yaml
 tasks:
  - name: vlans
    switch_config:
      username: ****
      password: ****
      port: 80
      host: 192.168.1.42
      config:
        path: vlans
        create_method: POST
        subpath:
          - path: 42
            data:
              name: VLAN42
              vlan_id: 42
              status: VS_PORT_BASED
              type: VT_STATIC
 ```
 Le variable `create_method` correspond au type de la requête pour effectuer une
 action de création de l'objet. Il s'agit généralement de `POST`. Dans le cas
 où la variable n'est pas définit, la création sera désactivée et ainsi, si
 l'url indiquée dans les `subpath` n'existe pas, alors la configuration échouera.
 Par conséquent, si le vlan 42 a besoin d'être créé, une requête `POST` sera
 effectué sur l'url `vlans` avec les données dans `data`.
 Il est également possible d'éxecuter une action de suppression d'un vlan à l'aide
 de la variable `delete` :
 ```yaml
  tasks:
    - name: vlans
      switch_config:
        username: ****
        password: ****
        port: 80
        host: 192.168.1.42
        config:
          path: vlans/42
          delete: true
 ```
 Si la variable `delete` est activée, alors une requête `DELETE` sera envoyée
 sur l'url indiquée. Pour vérifier si la suppression est déjà effective avant
 l'éxecution, le module vérifiera si un `GET` sur l'url retourne une 404.
 > Remarque :
 >
 > Si les variables `delete` et `data` sont définies (dont `delete` à `true`),
 > alors il en résultera une action de suppression malgré tout.
 Puisque `subpath` est une liste, il est possible de configurer plusieurs requête
 en même temps. Cela à l'avantage d'effectuer toutes les modifications à la suite
 (sans avoir à se connecter plusieurs sur l'api).
--- a/all.yml
+++ b/all.yml
@ -0,0 +1,18 @@
 #!/usr/bin/env ansible-playbook
 ---
 - import_playbook: playbooks/base.yml
 - import_playbook: playbooks/root.yml
 - import_playbook: playbooks/ssh.yml
 - import_playbook: playbooks/chronyd.yml
 - import_playbook: playbooks/kresd.yml
 - import_playbook: playbooks/knotd.yml
 - import_playbook: playbooks/resolvconf.yml
 - import_playbook: playbooks/ifupdown2.yml
 - import_playbook: playbooks/systemd_link.yml
 - import_playbook: playbooks/keepalived.yml
 - import_playbook: playbooks/ip_forward.yml
 - import_playbook: playbooks/dhcpd.yml
 - import_playbook: playbooks/bird.yml
 - import_playbook: playbooks/pve.yml
 - import_playbook: playbooks/prometheus.yml
 ...
--- a/ansible.cfg
+++ b/ansible.cfg
@ -1,38 +1,22 @@
 # Ansible configuration
 [defaults]
 jinja2_native = true
-# Do not create .retry files
+ask_vault_pass = True
 roles_path = ./roles
 retry_files_enabled = False
 # Use inventory
 inventory = ./hosts
-
+stdout_callback = debug
-# Custom header in templates
+library = ./library
-ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S by {uid}
+filter_plugins = ./filter_plugins
-
+ansible_managed = Ansible managed
 # Do not use cows (with cowsay)
 nocows = 1
 # Do more parallelism
 forks = 15
 # Some SSH connection will take time
 timeout = 60
-
+remote_user = root
 [privilege_escalation]
 # Use sudo to get priviledge access
 become = True
 # Ask for password
 become_ask_pass = True
 [diff]
 # TO know what changed
 always = yes
 [ssh_connection]
 pipelining = True
 retries = 3
--- a/backups.yml
+++ b/backups.yml
@ -1,9 +0,0 @@
 ---
 - hosts: perceval.adm.auro.re
  roles:
    - borgbackup_server
 - hosts: all,!unifi,!unifi-*,!wiki.adm.auro.re
  roles:
    - borgbackup_client
 ...
--- a/base.yml
+++ b/base.yml
@ -1,17 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Put a common configuration on all servers
 - hosts: all,!unifi
  roles:
    - baseconfig
    - basesecurity
 # Plug LDAP on all servers
 - hosts: all,!unifi
  roles:
    - ldap_client
 # Install logrotate
 - hosts: all,!unifi,!pve
  roles:
    - logrotate
--- a/bdd.yml
+++ b/bdd.yml
@ -1,7 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Install and configure bdd servers at Saclay and at OVH
 - hosts: bdd,!re2o-bdd.adm.auro.re,!services-bdd-local.adm.auro.re
  roles:
    - postgresql_server
 ...
--- a/copy-keys.sh
+++ b/copy-keys.sh
@ -1,20 +0,0 @@
 #!/bin/bash
 set -e
 # Grab valid unique hostnames from the Ansible inventory.
 HOSTS=$(grep -ve '^[#\[]' hosts \
 | grep -F adm.auro.re \
 | sort -u)
 # Ask password
 read -s -p "Hello adventurer, what is your LDAP password? " passwd
 echo
 for host in $HOSTS; do
  echo "[+] Handling host $host"
  # sshpass can be used for non-interactive password authentication.
  # place your password in ldap-password.txt.
  SSHPASS=${passwd} sshpass -v -e ssh-copy-id -i ~/.ssh/id_rsa "$host"
 done
--- a/deploy_postfix_non_mailhost.yml
+++ b/deploy_postfix_non_mailhost.yml
@ -1,8 +0,0 @@
 ---
 # Deploy a correclty configured postfix on non mailhost servers
 - hosts: all,!unifi
  vars:
    local_network: 10.128.0.0/16
    relay_host: proxy.adm.auro.re
  roles:
    - postfix_non_mailhost
--- a/docker-ansible-lint/Dockerfile
+++ b/docker-ansible-lint/Dockerfile
@ -1,7 +0,0 @@
 FROM python:3.9-alpine
 LABEL description="Aurore's docker image for ansible-lint"
 RUN apk add --no-cache gcc musl-dev python3-dev libffi-dev openssl-dev cargo
 RUN pip install --no-cache-dir "yamllint>=1.26.0,<2.0"
 RUN pip install --no-cache-dir "ansible-lint>=5.0.0"
 RUN pip install --no-cache-dir "ansible>=2.10,<2.11"
--- a/docker-ansible-lint/README.md
+++ b/docker-ansible-lint/README.md
@ -1,18 +0,0 @@
 # Ansible-lint image
 In order to build this image when a new version comes out, you need to
 1. ssh into the `drone.adm.auro.re` server
 2. git pull this repo to the lastest version
 3. optionally make the changes if it has not been done yet
 4. `sudo docker build -t aurore-ansible-lint-image docker-ansible-lint/`
 5. ???
 6. enjoy
 You can verify that the image was correclty built by running
 ```
 # list the images present
 sudo docker image ls
 # run your image with an interactive shell
 sudo docker run -it --rm aurore-ansible-lint-image /bin/sh
 ```
--- a/filter_plugins/enquote.py
+++ b/filter_plugins/enquote.py
@ -0,0 +1,16 @@
 class FilterModule:
    def filters(self):
        return {
            "enquote": enquote,
        }
 def enquote(string, delimiter='"', escape="\\"):
    translation = str.maketrans(
        {
            delimiter: f"{escape}{delimiter}",
            escape: f"{escape}{escape}",
        }
    )
    escaped = string.translate(translation)
    return f"{delimiter}{escaped}{delimiter}"
--- a/filter_plugins/format_rev.py
+++ b/filter_plugins/format_rev.py
@ -0,0 +1,9 @@
 class FilterModule:
    def filters(self):
        return {
            "format_rev": format_rev,
        }
 def format_rev(text, fmt, *args, **kwargs):
    return fmt.format(text, *args, **kwargs)
--- a/filter_plugins/net_utils.py
+++ b/filter_plugins/net_utils.py
@ -0,0 +1,68 @@
 import ipaddress
 from operator import attrgetter
 import dns.name
 class FilterModule:
    def filters(self):
        return {
            "add_origin": add_origin,
            "add_origin_keys": add_origin_keys,
            "ip_filter": ip_filter,
            "remove_domain_suffix": remove_domain_suffix,
            "ipaddr_sort": ipaddr_sort,
        }
 def first_addr(addresses, ipv4 = True):
    version = ipaddress.IPv4Address if ipv4 else ipaddress.IPv6Address
    for addr in addresses:
        parsed = ipaddress.ip_address(xx)
        if isinstance(parsed, version):
            return parsed
    raise ValueError("missing address")
 def ip_filter(addresses, networks):
    if isinstance(addresses, dict):
        return {k: ip_filter(v, networks) for k, v in addresses.items()}
    ip_networks = [ipaddress.ip_network(n) for n in networks]
    ip_addresses = [ipaddress.ip_address(a) for a in addresses]
    return [str(a) for a in ip_addresses if any(a in n for n in ip_networks)]
 def add_origin(name, origin="."):
    return dns.name.from_text(name, dns.name.from_text(origin)).to_text()
 def add_origin_keys(dct, origin="."):
    return {add_origin(k, origin): v for k, v in dct.items()}
 def remove_domain_suffix(name):
    parent = dns.name.from_text(name).parent()
    return parent.to_text()
 def ipaddr_sort(addrs, types, unknown_after=True):
    check_types = {
        "global": attrgetter("is_global"),
        "link-local": attrgetter("is_link_local"),
        "loopback": attrgetter("is_loopback"),
        "multicast": attrgetter("is_multicast"),
        "private": attrgetter("is_private"),
        "reserved": attrgetter("is_reserved"),
        "site_local": attrgetter("is_site_local"),
        "unspecified": attrgetter("is_unspecified"),
    }
    def addr_weight(addr):
        if isinstance(addr, str):
            addr = ipaddress.ip_address(addr.split("/")[0])
        for index, ty in enumerate(types):
            if check_types[ty](ipaddress.ip_address(addr)):
                return index
        return len(types) if unknown_after else -1
    return sorted(addrs, key=addr_weight)
--- a/filter_plugins/suffix.py
+++ b/filter_plugins/suffix.py
@ -0,0 +1,9 @@
 class FilterModule:
    def filters(self):
        return {
            "suffix": suffix,
        }
 def suffix(value, suffix):
    return value + suffix
--- a/filter_plugins/switch_range.py
+++ b/filter_plugins/switch_range.py
@ -0,0 +1,38 @@
 #!/usr/bin/python
 class FilterModule(object):
    def filters(self):
        return {
            'range2list': self.range2list,
        }
    def range2list(self, port_range):
        """
            Convert a range into list
            Exemple:
            ```
            >>> FilterModule.range2list("1-10,42")
            [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 42]
            ````
        """
        port_range = port_range.replace(" ", "").split(",")
        ports = []
        for r in port_range:
            if "-" in r:
                try:
                    a, b = r.split("-")
                except:
                    raise Exception("A range must contain 2 values")
                try:
                    a = int(a)
                    b = int(b)
                except:
                    raise TypeError("A range must contain integer")
                for n in range(a, b+1):
                    ports.append(n)
            else:
                try:
                    ports.append(int(r))
                except:
                    raise TypeError("Value must be integer")
        return list(set(ports))
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,61 @@
 {
  "nodes": {
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
        "lastModified": 1756770412,
        "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "4524271976b625a4a605beefd893f270620fd751",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1757020766,
        "narHash": "sha256-PLoSjHRa2bUbi1x9HoXgTx2AiuzNXs54c8omhadyvp0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "fe83bbdde2ccdc2cb9573aa846abe8363f79a97a",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-25.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-lib": {
      "locked": {
        "lastModified": 1754788789,
        "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "flake-parts": "flake-parts",
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,27 @@
 {
  description = "Ansible Aurore";
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
    flake-parts.url = "github:hercules-ci/flake-parts";
  };
  outputs =
    inputs@{
      self,
      nixpkgs,
      flake-parts,
      ...
    }:
    flake-parts.lib.mkFlake { inherit inputs; } {
      systems = [ "x86_64-linux" ];
      perSystem =
        { config, pkgs, ... }:
        {
          devShells = {
            default = pkgs.callPackage ./shell.nix {};
          };
        };
    };
 }
--- a/group_vars/all/bird.yml
+++ b/group_vars/all/bird.yml
@ -0,0 +1,4 @@
 ---
 bird__as:
  aurore: 43619
 ...
--- a/group_vars/all/chronyd.yml
+++ b/group_vars/all/chronyd.yml
@ -0,0 +1,5 @@
 ---
 chronyd__pools:
  - ntp-1.int.infra.auro.re
  - ntp-2.int.infra.auro.re
 ...
--- a/group_vars/all/ifupdown2.yml
+++ b/group_vars/all/ifupdown2.yml
@ -0,0 +1,24 @@
 ---
 ifupdown2__wireguard_proto: wireguard
 ifupdown2__gateways:
  adm:
    - 2a09:6840:128::254
    - 10.128.0.254
  int:
    - 2a09:6840:206::1
    - 10.206.0.1
  ext:
    - 2a09:6840:211::1
    - 10.211.0.1
  monit:
    - 2a09:6840:204::1
    - 10.204.0.1
  isp:
    - 2a09:6840:210::1
    - 10.210.0.1
  pub:
    - 2a09:6840:215::1
    - 45.66.111.204
  ovh:
    - 92.222.211.254
 ...
--- a/group_vars/all/openssh.yml
+++ b/group_vars/all/openssh.yml
@ -0,0 +1,10 @@
 ---
 openssh__users_ca_public_key:
  "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
  hBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXW\
  F1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg=="
 openssh__authorized_principals:
  - any
  - "{{ inventory_hostname }}"
 ...
--- a/group_vars/all/prometheus.yml
+++ b/group_vars/all/prometheus.yml
@ -0,0 +1,3 @@
 ---
 prometheus_node__text_dir: /var/run/prometheus-node-exporter
 ...
--- a/group_vars/all/resolvconf.yml
+++ b/group_vars/all/resolvconf.yml
@ -0,0 +1,13 @@
 ---
 resolvconf__nameservers:
  - 2a09:6840:206::1:1
  - 2a09:6840:206::1:2
  - 10.206.1.1
  - 10.206.1.2
 resolvconf__domain: auro.re.
 resolvconf__search:
  - "{{ inventory_hostname | remove_domain_suffix }}"
  - auro.re.
 ...
--- a/group_vars/all/root.yml
+++ b/group_vars/all/root.yml
@ -0,0 +1,5 @@
 ---
 root__shell: /bin/bash
 root__password: "{{ vault_root_password }}"
 ...
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -18,16 +18,6 @@ ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}"
 # Databases
 postgresql_services_url: 'bdd-ovh.adm.auro.re'
 postgresql_synapse_passwd: "{{ vault_postgresql_synapse_passwd }}"
 postgresql_codimd_passwd: "{{ vault_postgresql_codimd_passwd }}"
 postgresql_etherpad_passwd: "{{ vault_postgresql_etherpad_passwd }}"
 postgresql_kanboard_passwd: "{{ vault_postgresql_kanboard_passwd }}"
 postgresql_grafana_passwd: "{{ vault_postgresql_grafana_passwd }}"
 postgresql_cas_passwd: "{{ vault_postgresql_cas_passwd }}"
 postgresql_drone_passwd: "{{ vault_postgresql_drone_passwd }}"
 postgresql_wikijs_passwd: "{{ vault_postgresql_wikijs_passwd }}"
 postgresql_nextcloud_passwd: "{{ vault_postgresql_nextcloud_passwd }}"
 postgresql_gitea_passwd: "{{ vault_postgresql_gitea_passwd }}"
 # Scripts will tell users to go there to manage their account
 intranet_url: 'https://re2o.auro.re/'
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@ -1,214 +1,297 @@
 $ANSIBLE_VAULT;1.1;AES256
-65616665376265626636393064366339323264623332323337356438303634646361303530626536
+35353866373931343963333639323431636465303562306166333735383462353032323461613232
-3134646236376339666130646239626333613866383766340a366465373839396639623862636436
+3666653438393936356535633661363838613233323932370a656439316234356339613532663237
-34336636326332313432373162356565383034636366613135353037393138363466626235353261
+39373439366432363533303961396466623366323339383735316531653538633264393264353337
-3634306231333966350a323133396531626565633433313761343433303964316163643365626466
+3937323861616530640a666361323164353338306336616564663466616630393839613833373933
-33376632643937663566386232383161303231326638356338383536626531313462636335363166
+65613161323164613334656631333336343262363835323962343662333133366561306139636261
-35353138393964663063613331386138363030356661633530313533336138336362306437626431
+61656532666563333063356231636565626631633436623531313938663930396362343031356534
-34613435383966333538363734613730386634393532653334393766613262666434303666386537
+34303565623832366664303561643137626433333164623730623639656439346639616164623865
-33643832653236313136663761613762656334356466623431383533333563646135336332653331
+31613462316439613937313138313830323334373337366630323331393537633437303063353363
-39376164363533383930343237366638323534313232613561643936336330353538393136363534
+66383930353930616137303436383864363439326139643361356231373939306439633332666232
-37353536623939386131616638623531326531316233656166383133316564393731623366353833
+38363061636139346430373263613932336361356262656138663233386464373839366630303765
-31613665303532303435363765373434653933386530356433653061623232306239316534653432
+35343064336533373238396430393536366438653534366565373733313962616364313061626133
-39663938616637363238623866303439326666303438613066633866343830303762633233383333
+37666538313038643865346461626537353930366264643162376530353536623863656236303433
-65343332616430613839636337396238666466666430383031663939323239383964346638356538
+31336561336131383635393238366464653934613130363831306335643935373033303162353534
-65306463303330373534316438313932373864626637643935636165333835373662623737613734
+38353832653664633061646331653634393963333038306635313464636136616366313962333431
-36373161386163383831623065323763356637313364303539343763653065383139623934353638
+39363934643266646131653236303138636163326663373765373761663062656463643162373038
-34373861616336363861363761373665393465623566393063346331333861326337316363373163
+34656163633964626235366539663132396666623363303632363236303831613532393931373761
-31633532373966656565303866653335356364633063313665386335663863363163303431656165
+65613435353162346233323533383537316231363437653239343233636533333966613066343932
-61383231666665346162303635393838323462613261663231356531393734313063663231616632
+30626636306531333736613965396432373130356238313136336434356133353435643065626261
-30343562366433363261393037313062343036663139353431663330383263316662313330636534
+32633732613361376261363831363866333332393132643439626639383438663438366330386534
-33666463393664636538376365663236613536633663303738373034303136383939343039316463
+31303532323461303862346364386532663839323163653366356136666131363839663635343166
-38363731333435333262383064336138303062303836303735383836626430623738666635383637
+38353962326430383561333630623030623536353838633231393763393238316530363939343536
-36383031646561666632666339616632366138383534393030636331323037643564306363303864
+66323562336334376234613436373237303562363831323038366232393161356262653864663037
-33616664326330656136336538363539623039376565383166373032386230383639326564343961
+34363436356332633363363963613635346337613438326436333836386534353738646166643333
-39623465366233383663383433313862306366643432623130363037643033366531376163386165
+65356637366431326132363432663662346638383439383766646531363662356266313961356239
-64353930386233373561356530316361623665643531333632376266633963303262346532386633
+31323236393538363662643662643535623633663738343266636163363835383030646661363966
-34363938363765313366636134636364616634393061333264386262386261383236386532393966
+36366466386666613364313166353366333131343061353135306135656663323461303338346666
-62636332633165383730313365366631303032336339346138633231656165646465643039666362
+32626231613738316233636361633337343635656334336536663865633465326639373966303137
-39613534303532616433646433616261653739663366383566303862386666383363633736306265
+39383731303862353637386438306136303765333136653465663963663930383037343130316466
-65366434626634303033616463316433393730373034666463663333376633656630386665313934
+33343932383033643530323136316632386230366338373362366462666233336530393561353933
-36626337383236373533623830326134303931653434613837353961366130623665623336303139
+36356330386361303562666339306265663539616434336264373832636139313365633065343763
-63616265366638393064666166343331306530313438636436306264636235643762623564653762
+31323633346536366635646562356266373964616338366165376331306561663938396661396164
-65393435363564366266313161393631383836396464643635643361363034306134626535353962
+31363438326439343964666439356339326661666136303461343436303533363630353735633038
-63393530313438383731303666343637303666616239643334626338393864613635363330653062
+38383365363739333034373031326530353962646661343039616230396132323833626162643964
-31633030396362666237376232306238373065616238373934313930313234353433343934363432
+65363165333233643738373638353537343162366265316661353563353862623134663362633261
-35633636656632643964613431333435656532653038373532343036396136636231306436326639
+32343364333236363738333130316538666536306664363661616536336264363438396464666533
-36376163656634303236396133316664613164346661346565646165303664343735303233636164
+37616533363936356335663562366563303564623530303762363034343435326666356162316535
-38393361343561396336333133326539346561373038613265666364316630363339336565363265
+61363133326263653937373037643930343565336166643939663466316232313535333965303737
-64623063346232346334373836346231353336383931393663373365623838363036643232646330
+35313566353963616632313763366561633039626239353236323438383261663066323334333632
-37303139663166653634336363626637653666363965383632313261326530323236303961343130
+62393265396235636461653862383830613634393431396131323439613362366463633239383761
-39663165303836346339396536313137636462373765313135303039386339393536303263636236
+39343361663463633332666666346339363334366330393936373433353034653765323130383335
-31333534323735373638666364643365396435636533393932643432386630663135633839643965
+63336338653333356438323264356162316638336338343033326639303237656663633233383735
-34346330613132383533393361626333636132616130343266663835616534616562646366366336
+34646535633831636238316564373035353635383738356133326664626566623766366535333439
-38303337373331303638643639373535633331626461613862333562653165306663383237383232
+30326437613539373163323464323635316632633930353931303466376661396135623031623133
-63303331656338656137613162323138333661613834323863633265353737633666336263636665
+33653735336230666665616638353561623235343439666135386165313436306666643837616166
-34393064376330306562343930376337626165373562336630633938316566343434633734613561
+37613964663837373137383736393063333037366433643632333963623038623636653639343936
-39363531383233666437373562663136303834373838383632356436643638306633346434316362
+32383532613430623563623565633665663030616530643735653563303035616530313463643431
-63343866353465396630383562306230313737353863363935346630396134393534353531336535
+31663361383835613631336638343338373639613532313561313231353765316237653431663462
-65366634316230323264366662376133303565626638386635616536303839363737663538353338
+65366162326630656566663731316262336536303032386336666263326265316564336339316430
-32663834636363643034316165303164386430346663303635323634373465326537653132366230
+31643066633438663562343730393534663338613165633635356333323635653161346136336261
-38376361663233646266663330363236666533663861303365303833386465653864656331616162
+30313332383065633335396131656136613932346331343632386235643764363235376531376437
-66323532643737643539643562653335393338643465373838656464326133393466373733343666
+61303130316537633830366662366237303934306561333134366463646464386530623631346264
-39613331376538653934333061376664323230636663336232333361623136393836326262336430
+30356536613932613264643835356637356364653038383130366237656232333031313163643332
-35663930336364376230356537326131323666343330373030303765653763323863646631666136
+34393865323162613936613264313864613734373032386266653432616535636464363463633564
-39623936613762393332303763633966303966396536643236366534316539386136633230653433
+37343661623935353365333831623631386439343237383933313337393065653934303065313634
-65326634323062313730376338343965386338306135393033333161313839333963326134653966
+61396163323937643837643636343337343231616265643765313932346462373735323737326663
-66363365353537323034646537633331336134363239393465363164663263313731666335613032
+66316135646663376537613663373432393865623038363239356265303362326161366462356138
-61643935623064626464346430353033313961326164316637316664363830633137383335316538
+65336536626634366363623865656234363335343662333134613835393635623434393036316638
-31646133623461386434343663313365376230613237326638393464366166633635646462373939
+35366431653463626665663861303333363038666131643861646465663761623364333162343761
-31313165616363373730393733386430633065373433643935643931363965393465323264626164
+64396131643136323634643461656339616361323030626166303930623838343438393465653364
-65333431653566646134646132626136323035323362313163303463393962306631363631383762
+66633037616633316534386639306438363863363530376131363332353536656533393161313931
-63333063633934646332303966666461663566626564643365643232323732646530303834616639
+34386636643737353738323265363435636239353261373466383430346461383932323634346466
-63616262316563636636613764663563323063636331643063373364373337373664333763363464
+33666436343130643032626562613165396334323937353663376162643266646539353932313137
-31346663633866653162323934613532333934626430643138613631653164343063323661383163
+62336162646535346631623332376334336538326530356233646239306337633365373562653166
-36633431376463633334306663346462373166613531663064323238323434346439333936313539
+32383639353431666137396631663237313436393434626531316365666335306466363639626663
-33663036663234383934626661383530666566323336363734336265346235306135336136373864
+63643861656537306133343138633535323737346538643063363330383366313362653933383365
-38313937663965313334653139366430316632313737303639636135666235346633303861626430
+34313230663163303730326361303337373136346161353132626362623461343661663964333765
-34373938633331666535336438313363626636363063333265316166333562616330306563386335
+37353165333762346539333730333731366532623531343962333037336464666530396437353666
-65366366303937376438313032643037656465393263393434623462336430393031373433383532
+62313035323234643236343534663434356264643830636433323831313364663762646130306362
-66306566656437323530323434353835303838303438613662356134343136386630643338333264
+32316530643230313230376662383439343639343336633431623135626134353134383030396264
-30643039666535323736303930336239643730653233393538633235303938623161343437616136
+38623933356332336231343434663563653332633237653966663964646232623637313231366638
-34613337383363656536373737396261396261653264373362313161336435623466366436623736
+30363966373362363432376562656436356338356561303133643432303736376234643632663137
-61313036383063656537613664633437336361396665633764313062396265323766346363656666
+34336630356362303132343737376637303939623133363663306133383465613263356632383030
-33656130316566633563353631323438343532393563633830343131653063353331323961343636
+61346138316538353638343833366261366534353963326162303866393430333964653333346539
-38303239623566383337356262313538316437323731326166366139623665356132313563663734
+64386161663435646331613834363336373738396338653263323937623163663236366636343239
-34353065316164653638313439303466316338373565323435343937653632313566656438333730
+36383135343763636139393331663139323431376562353165353662396165653235633464363035
-62373366333335643366356438613838373963363436393035623132626233373830666238323464
+31393233636561366639373566623738636537363235666234633534376238323163363238393237
-33356562636261376665303262633665323830316137306239626432323330393863613938313539
+64316132666530336135353434623866363739643830646463656536336136646334393064303630
-33613438373733633661633266353866373834346436383466636138393736373638623136383639
+65343964613265333934306432313739633134663131666433386630303132663866343532363835
-38653439373230353265386166663562633738306232623132636333396135343461646136303162
+38353237343630653561636365656561313636623065363836333663363934643162656534623864
-36343636306333376564383764356433653362356434306566376565653736643035336433303331
+62373763353961646235613465646630306562386531396364386164633065643763396437316466
-38626430623633313336653261633834323430323137313533333166393966633662613561643863
+32376564616562656136346563383266303963666136663863626137653462373430363363336364
-65653237636436373739633862313132623831623461643063626361613231343537383032346132
+35333133303463363663356365626365613036633835323334653264626637353634373665643036
-61383666383134373061643061656164366364656231343434616366356237303766343166613964
+65663736323235353964326466376163313630323265333631323866663137313665626238396130
-36376461366663373132326263616263316663323039626239643361363362306334633636343064
+64653832626639626633376231326534303530373937396235366239626639356234363238633336
-66336533626562323832633133653366323137616431363566653561363233626239616262346165
+34343064393334613732356332633361613633643039366537623465303739663635626365656631
-30396466343639383665383762383765396638323761653065356339343965373032306136656563
+64343936613536636438313232376564376539623261623539346564303036303131366561643564
-31353033343532366339303331366235373838356461353564623430333561356635336163396466
+61623630393032666636366338336266656264353631393061383162323766616530323734326134
-38303438616436383763386538663039393862636333326630623862353732343961646162653933
+31623962373435323730323830373239363738663164653338623836386636626337623739366566
-35633235303530353065343434333164306530363839663366316235333563663965623934383634
+61663835623038626266653062666264663639363763623139393862633061356164323530666665
-32616565313232373964366163323739353261643432363037666639663664303861383033333462
+31623538333264633735643839376433653934383663333130336133653235313631336163343134
-62333633626263393637306365353565306636386238613365643537353861396638643065616236
+33653533613430323834653730326661323462316338636338393063653866316335626633323137
-63303130313363326333663936393765623930636331663837313835333862386263303238386262
+32653262353964653131343430383661643231383135643332616462343231323266333430373061
-35646634663163626438356536346239666461306462326465613339653337326436356638323666
+62623136393239356166393964323830623239613434636361633365353862646130373865643136
-38323134396238356532623430303233303636343839646436363066383136366436336536313766
+66346336363866393762353633353638663433363332356131626639326166393234313765346138
-33373036386465623737316435643430616434336165343832386539666432613365326664663237
+64613431333139376139343234666664313236633031393938663431376336643133323964303938
-61333166343438313131643635663234626638623139363034616263643463356632353932383938
+64616536613462306363613639613132383361393535333362363630393230636532316634373231
-61383065343231633438313536633039633266323563336531663365326137666535623230336134
+63313839323263663237373937323361373533616465643830396666376661616631646561663130
-34646661306330653631383364343566386531313137643233376265313461396538373132396366
+66376266363338666133313263653733646365653034653538333332623861323833633033393234
-66313534386133346161373130386465383139623831653566326434646461306139633433656630
+39633834343231663166376333633635366261616561643363393137383736303436383339633734
-64623164376361643062396139356464373131653036336361623738633263326234323066613661
+30623939343939373038656461333464353033313632643138393334373565383331326430653263
-31306163313038333861656561356661383436363534366665376362346661616464633065303234
+66343630396135633636366337353061363730333364376664623234333434356661323935626633
-61616237313434363761636261313630356639346434636465363763373235636462666338343265
+63336465343661393636333663306361386432373235313337353361333735373436633832633439
-34336533376366393339306539633238326663656266373965623962623665626238366333393734
+30653766373230383364396638366237643932633364663639643661393438653339393031616338
-35646636666535396638373134376362396134353035633566336461326630323833383734356161
+62396632353063376566333261356662356265373733323631363263396337383631383733393034
-62303738343662633735663965336435316630653061373736643035653337363635623863626533
+65616434356530306661636633363333353138303631626565636637313738353338343334633533
-31306138313839616131363333326439323863646236613133333163366162353063366561656631
+39313232356166623939383864346665626333363132663033326430366565336339306465343337
-61623237633361313631633463666335643935616237656134383830393335346632393066666632
+34613736356534653534363034366431653861613534663261633739366361373134323566376335
-66326331653430633165333037316637303138353133313264643739626566353137383265366264
+31313263313262353162353039623634653534346363323131633362323035633337366536366561
-38353533613863353431656665363339633265303463613565636565393836616230643932333762
+64323432353236383839643662383138373938373834323262386364376162663839366232313433
-30353437343761613236613431626536666538336234633166623961363031393235333763626337
+38643662613065663863636664636162333830353131636238383439323439316363383935623731
-65623836323538653730393533383532626133393834376339303630626533613339623666353839
+62393964636137653935313338343465396633333461643032383730313139396462393936383630
-38613833623830306566333035336334383733626166363239356661353965353462393161626136
+63353166633735623364653264643934666438383739663461373332623631323932333162303630
-37336365663863393963653031303337396666653262646635386337386230383562616564653966
+39353637353437636537613935306539633163613334303833393832616338323061633532303361
-34393831383639303562333464653736363330326462623266383038326561323264363563623065
+63656635333331376561363962386135303963303030396564356534333037623635613963313666
-30366435323961613463653636666238383632353661326439346430356134643866396531623039
+65303664316164613835343930623338326235363933623533343961666664323836316231613465
-66663830353732663863393762626161383263663535333032393632633066363836363939316262
+65373931666331326634316463663134613031363636363434643839386239333164333538393831
-30373766363637316535306538663235656137363038623936366465376636393535326437666334
+65653935623431373238326231343439666635623730393639636131386162373466316164356263
-30343437326362613761376262383265313264383464383838386638653065313864353235373331
+37316539656230316336303265646339303139306262396536633533366261346238393335393765
-62646366333137643931316339373761663731633766363864633461323266663236613231656633
+39376630306639353862323834343830646330643737653631633361326134613666613430323433
-31653132343031313535656538663761386266333062646439383633336531373764366166646165
+64363965653063316432353431386533386661386239636332323139393933653063643865646338
-64343439386336323064616634363532353166353531633332663862653666666436666564356236
+34626433393731343535313766303237313866613166663333616535323661666362613439376166
-62336332386437626137386566333934393636313933386466366361633232383135383066396263
+62626430363661303630346265383863613162356535306165633537383038613131346561306330
-38343432323865353563363631646535633438336333316134343862336666313063643036343030
+61623435626363623762313832313031363665623933656238623131303362326137313266316630
-62323732353837363639376564336665343265663861303938316564646533346337306338623834
+32366664633963626463613562643666383637383831343234666435373564306635343730373665
-62353835356465303561346337366136396664383961663237653538643462666263346638303363
+36643436633066373962303965373663376266323133343233323563393065633162383237323162
-32663564646333343532613861336132396530363435626361643631666464383364613336383235
+38656336306432623330616234373936306163646330313734653864386464646535666331616335
-64376465636238633765643234383665663637643565626663393066316538313563393730396430
+32623163356337326665333731656438393633326638363635353733663861323934333536393338
-36373037396264613731353337393261346534343263393862376464393565353739393431313031
+33656231373166313761643030363437373638366461653038363565623633623035393564643161
-61353538366439383234316530326338633635393035376335616565356630633964636639386639
+38663064356239393034323761386435396437386534633734353938653239323533333531363965
-63356666653532666435663564393332303234363465636335316365326365633837663930616233
+36316636353864626461303936313632663261353437396238363930626239336139323561373133
-61343933653232666138613866666430376439396336353535663361373564366262646663653064
+61366330386135363039303166326231656331653632343261306531653731313465396131643330
-31353765386537656235613131323763323930363162646236333632663034356237363231313762
+35616432613631636264333263363239616435303436653936386165343335356337343032386239
-39323531333264633863363163333735303636333866653763373362626265396265356564303533
+37373230623366653834663031343738643063616661363138316262643635343439333838363632
-31353838333337393732633961353561633430616637396235626261316433366339356239633737
+34353236393730363262303439313132663735336463323432303036366361666338363237313664
-64333636333566366237303231376337613539643464663839303438313532323538643738353866
+39366434303839356163616136336237643061373633343737333036653362643635643536386436
-38626438303033346531323836336534633732366631376665663139323037643161326561363635
+30336636333464626464326332343333656535666431353338336438346335346433313934346231
-34633237623537383466316433336636633962623161383338656339613139346138366132356365
+32326231636262346232636366393361623830316238303537666164626339383061633765333039
-38363635666234616532316333366236396639353130646234626533666133363661393038353666
+30633539666535366539383061396461313437383537656239393131326538636536356536643735
-38343530306239336234336463646332356462356565376463383930656561336239656465303231
+66653336343364346635383761613731666263366465643336636661323263386364653035333062
-61323862333032343137636434643335383163366236373161653366323139646235306564366637
+33616364393664613363383937653530356138316363633335386232336531373835303732383962
-31313335653732633434616436636532343037383861393931323734383964346437323933653737
+65643264656134393663653333346531316365323730383363373564323133333032373330643232
-39653633663064313933346231663931343163336166663662333239376634386135666230393563
+63373239366435643738353130353333646136303530643065383066313035366239326664363830
-34333163653935326532386662613537373161366331633737653539333161386461313638643034
+36626366646264643130326261363536313835356638636139636434333362366363313133316130
-62323433613164383731653534383662316364333538613433623731376234306538663766363965
+61383734636433313433303466323265386132363862643131613666306162396437643166393630
-64376432396361636637343539393330323835353562393031616137393363333662346332616464
+32613464313530316262353938383735336262663939323730626662663235303638303065663939
-32643939663266343038356539656464393665616637383030666630333834613830373837353738
+33636234383033393237303865633961333462663232363562386637333335373565663261363933
-63623130653465386135636635643637366231383765623761356563323061343337306538633031
+31356436613138653765663162646566326134313736316130356336663536643466623331653039
-66326334303539623763636362333534643431383962383539613964613531353135663463373266
+38616465306532666434333534356464666663613263383430336465376133393032623762323237
-37326632353861383964653430656362613930353138316566636531323733396231333361663431
+63343462373834383566393466366332303235323865343730373062343739363265343164623262
-66356561366634323832386437336130363535343132333436633761613731636561333039303965
+38346539343533636435626133306662623865653934666665363063356162326461316561383261
-33336532373764303334636461646464633866656237656466613361613131613764366339336233
+33666362656635323262353066356330616263326134613635336261343438393838326438613435
-38373030366130613230636365303233393631383538316230366434326137336532333261383236
+64343336393034303330323563346233653135633439386465653065633339643032636662313531
-64306566343964643139646438633066373261363836386361316138326362373361316536313839
+38356234326632336161666666353030366238626262353831393532306166363432633939383166
-39663633343330663732376230633638626533313963306266363030306431373862633833383532
+66316136333838653433383439623366333062313833616366656566393965393665613738303833
-36623537323532373934613962613761376463363337393666316434383463393962616366643436
+38326139366330393863623365383963306361613665643962376664636134353533623836643362
-34326566383666663266396165613534633464656130313535383963353238623238393837353133
+39626166353138646666633136363662393565336333393638626534636330313632326333353366
-66396661626432313038306362393136616166653962363736363133303835376264616561343736
+39353133666532306531343137353834353133633165613566323135313362333962303637663965
-38383531623733326366333661393262613335653238343235353165613339393535316236353563
+63383730663562646563333763356135613537666332393537663062653662623938353434323136
-35663037363935386634623064636333666135313361303837383630643665613863373931626333
+39663965616437653232623333363762616233316530303833376332396165616635336532653035
-36316138343462636538616466383461353639613264653831323133333262626633353766643730
+36306331643232336664363733376632323630616139353030343930343166623433616234616539
-63343030346536616539643832303238393539383362316137386437356630313438623436636465
+34393131303363626166383037336262323662393431356463616665343463363432356132313531
-35363436306634393764386362616330373732623763373064306562326337303732333733346563
+37653331336165626435343162663662386662613164336439636465363335386233383065393535
-63356231343165653132303338343439356666646162626639646232623064656664336133666233
+31396466636465336164383563326236356463393831363534656536616664613361346463613837
-36366366363264663033333731616632383438306435663631613439646466663434343931663764
+35366562623432353166303836353261313233663864626665663837336233653237373031393636
-36623437666232323336366363333333373430303639393761636463333135626263333066656538
+64343763386361626232633032316466373161666536313363633765653365656538343130326566
-35336431623265663239633963353162366534653864653530623935333137653761336234616133
+38396534323433343634333139333063633531343631316163346135643037323034633835363963
-61643231663033393535383063373236363538623964303435623337383031653734626461623731
+32343963653263663438666537653963376133633661393562623131636465386266616166366566
-62306565303739313166333663363935313362356362303066323635626638393961623138613864
+36343963623262656162303337366365616263376363366161373236323166353834616262393061
-33626639323030306461326232323533303131633630316437333936653839626362613162336339
+39393239303335623332346236356335393836636533386432653164656334613738393533623764
-39373339626238303238306363356166646532623963306438626264633961643765353434326430
+36363136353034633934323066323335626138353763333537353761303930623930353062373932
-65323535306566343537663632393866616239613732643032356536303764636564306630383633
+30656339663333373431633763366433366266316563393332613334633966633339633230303166
-66356435616237376538653539366636636533343866623764316462346634313032333636336166
+61346264386134623962316532343664386637303738333835343036633038323137323961323837
-33653231336563363336303936336430343137653966393530393532323563393532353434393231
+33376431316465373165663338623538636136343538666235333334373664323463326336336334
-38363662613161626132383266323635613165363433623630653663396562366262376634326561
+32303361393134653338646563643636356361366133633634393731343332313437643731366634
-66643938306331663931386535613833613761313639363038616139343966656662646432663666
+30386466333965356135303732663433316363376438623764653464343564353835626435333230
-63393931373738373536323631353361303366343330306565393230396332373932303866333034
+30646238393266643137373037326136306337306130343739633933626134643364326534386464
-35396166633165396537373638333730303730613939386663653032626439363466623231303833
+65303531623335663766623037663630376366333631363165633762616564396538643866313465
-63656338656435383531613734643165613536353632393535646132303034663731396631303237
+35343265663336303537663962643536653937373839313435383337353036313239653263323061
-64376438373538373362353766303963396639333732373266343766363534623063313138616139
+63653865656461363334646466396135663338383065646464656631636666643030376363633333
-39313861616164613031643934313466633431316230656566306666303932343039383737313565
+30333331636438656238326534656165396233633131306562336263653330396366343964313434
-66356432336663636631666138636538323238303462376330663134616365323536386234666136
+66653862386531306236336339353935653335616638643831393430613533643533626135313835
-63343032383465616437303437303063626335363333656166393435343834646634313435653334
+64313065373564323132663531626436623465663766663566643964353361303336386464386463
-31366465386238393133366364376565656639656230343161613463393931373537383564353866
+38373036613536386436373535323664333231663437643962373339653236393339653064363530
-31313464663531353165646665356231646634383936643539323866376631666635306334616261
+61393835343230356234376630613230326637636534336564383139366663663136306665363363
-39383439366664386563386133356239333133306162316466343334356631616434623363643535
+66373237373530303062333935633634313766316461666439666433616236346434623535343531
-38663530623063373965666530386632323034623139303839323761376638313362316430373536
+30383264303536653236363533383561613636303662663935303761353065336631353735376365
-62363265366537656237633663663266653631653561303965616635363438613061306362336430
+63343162646663623736336638306465666233343031656137393037623035613236373930633131
-35303461633864353735613330643966396230623434323132383135623331353361633134663931
+36366633656131633563336561323835343766356131343038643761663966656364376430366636
-33333435306635313161613930656239346461623931356430306364383937353433626435633832
+36316633633736353436666539303039383231333437653666313435616536626434653833376532
-64613437313464323861356338643733386432656233663333343437353935353236346561366330
+66376130653339643564646139633238643266316633363137313038363061386163613863313733
-32396465333833343732653136616636663736623434363765336161383433356333313135313161
+66633665613537303834393233376463343965343664343564343832376238383064373262336162
-33373764393265376661613465626638353636653931323162363031666262653062626166363930
+61313163303632373261383563363964353731363739306337333161333130656235363631343761
-39613931356338393862356537343332633635366134343037633765616634316362386335663036
+61353265633338336466623830396466646233333039323065333636303035363563373366396334
-32666465323538356634346662383238326663333339623430376362306534363630613337626266
+37366637306430396262376539653134396536643931643563386666623364346635363138373937
-39326361383435623939663163373835626439643433393839383730666166666266356361633731
+61613232386666343033383031363439373335396362643130656235653066376537373062333363
-33336265613531303735613239316362633538386632343836613230326164366165616265313066
+39373737316136303835616639363162363839376635666237353064323433373961326338393263
-35333361303734343231633930346230343432336665383337343431303031383962383366343433
+34343162336336623530653531663136366136353139343561623532633139366533386263316364
-63363364333063313632663765633831323863626636643862323865356461366361343563383363
+36306134356666343230643639303766343466353562643130363063343330393232663161306266
-33363138646366333136326435376537356338633862623531393938373935353466376266333664
+66336435356265396330366566373137323265623431386535396665313335666332616233383664
-31633039336362363237376266346561313064393537613832663130653761636633313562316639
+63656663363366613431366632306230633265306663336439306263646132626631363663643861
-36633432613931663263343861396632356136366636336163343333323661666663346365626564
+30373330653637623733653165336132643965623232383839623535326336643239333133313030
-32613734313663656164333537653666313033643262336239623961313638306634343666303938
+32326634643238333163383562393134623532363561393364616430366532633862396438306433
-62636236353161336134323430336263643038623663353965656236623465326661633766363765
+33653235303639383333633035656533633165653137326130643961393965346266383861616333
-35653261663335313065383266383833393431333631653363363030363939323862653262316637
+37306266393231336666343333643530353230383239343931303838623335303262313130616162
-62343263623037643435656165623466326365363532353434643665336632383765313937666535
+65383962613965646438323065303962663965333231323139303438343631396363666330653330
-37663463303034363531386465383663393534393435633764646138313962373735393334326137
+61323839333863343034356363366433313039383963303063346237366261363861643839396362
-61653933316435363130333335323066386532626234626534396435383061333961363739333033
+31346637303032356463303564303562313639643563396261326538353834363737323235646430
-61656364313963303132623837666463633066653165316633373166373161343539393132316665
+64343230336539663237306235623662333062396238383135616231383837366339376633663938
-37646631643265333665643262666265653339616530336361333333633939373839323264613761
+65313739333065383335323437396232323564363733333437363133613766653334396431333036
-62643363356431306330313761623933623333383066333364663439646536333232386232623238
+38333038656339363132346362333863643261376335666536306231316630303437306231646565
-62356533636632396330353430653935613965383938643638353632643865323832623737646635
+61666334623736373832613366376438323664653531393938353234303030633532653561313665
-32636464343734653765396236653538343463373662653733326362363330643038663766383861
+63613064663564646235373234326661303562646139323330343330343139633462646131353038
-34316338343064393862353364613037393231343366633364393535343965623431
+62663535393738626432633564663564653663393937656634666137646363643365353930373266
 66373162373165653533383862363835346133313234326162393331666566316439633133316633
 66393733373333653630363334353833363565336338613361396335326166643630623133303466
 31663037663766356531663039386232316138393266333035613364316539353837653763616666
 32376431383965633138666536386532663761343537646266643566373132343762383966326233
 38373766353962323362366330383564636236363961333535313064313039343933346439396237
 66616631633539623537633164363665393239643633663338393765336434653930356662656164
 65366533633336313832633166376265376634613635363563643866323730343139306537323863
 61373461363237653634666331366436356335306265643639373034666131626238336632346632
 34613062346532656530626364343938636162383862653538353563363035346339623839663261
 39663438396362383866663336643035653833336466663037313764326434373061626232646333
 63336336383366333538613331303863356430373764363930363061383036343836386561663362
 63663232373563343461306131333263376437623534346562626536376138393939373064333231
 31303464656332383036616661656565313063346231623634356638326239343536316162613335
 34663232326438333966313663336465373833646634353934323361343833373661633265313239
 62656533656338376562323861396665353166623732623139353431336439386263363235316132
 35373933613236616362396363323031633166633837383634313638656430373634383563616463
 38353738636631626639636135363561623935646365316161376166653461356430326362623738
 64386537373230303239356334313663616336393439623431616639643233353662306265373232
 39343066353564316433653361333766363535636533626338386434646531653432313034393134
 62653733313636653331356363396531313136346136303661656466333138363366616530306536
 66373532626230313739306432363433313736316261383837393737356333326236323261613965
 36373064636138373134373530363533613031376362386334393464383062663663313234643432
 64363232376137613231313862386561313131376133376466393630383737306666393738613265
 66646236646632313832633366333335313239363763326464326361326263346636326332376336
 31306230373963636135643235306537623930636164346366623862303838653238373030653035
 35653634393532653566323063323761643738616532376262623163393461346334393034643862
 62653835363236303732386365626464346131363231336431316233643132383566356531346237
 66333933386539396366333565653938396564643464663165323535386262623532666237393630
 65336262636630386633626335636231616332353965356335666362313562643738306263376230
 63323938633237363431386639613830633765353232313236336233363736363566346237616637
 61656234376562323162656432393665393930313736313439316261363264333865356139343233
 63636638646332626365383839373765383864346532383236386266656635653333343032313231
 65626233313634333533653436626134373632363565653230656161613963323334613262646530
 66636331396130613934363939653238343463396639363731393363643830663362373439646337
 63396435376637666563333165623338386337613638366339656561366538366635363037366531
 32306235666231303762356665613738323336306465613531313964626631313731373963353964
 32616632376534316532643531386635386330313866326265393736376538616431323238333562
 36373238656361323336383466363563623333306634373164366134376635373262353533653330
 38643233363737356564653834316435336439663562343366353866336662356138323566363061
 63313336323435343861393164313130346438343862366530363233643266393964316265663535
 65323739306536373331326338326132383265343939663336303534633537393637353639636561
 64656432313636366434313465626562626638613232653230373530363234306537363665646633
 33326163663830353166643662386637323438366334386533303664356631653561323032666265
 61333165363636363634353461613039313362373863663739323231663230643635663466323430
 37393431333733313134326231313234353930663365646637386639643535316362626232323430
 32363631353565323663393235343336663930373439663861613661636433356366633065343935
 61356636323039656230353264646166626633316430653162383638336265653865373536643036
 35653166333765366231636163666638383262613432646334663430323565333538626665343763
 32646663356565646362646261343436383039623635666439643762616463656361386631313637
 61616164383734353634306633636338623837356230626263653161616664613266356432653335
 30646434346436383565343138623264386630333832386134666463313936383364333364383232
 39393066333666653734616463343530643537613437623766313237353033623662336137356534
 35303635623232333230363362353137656235373539316163653863326666383237303235316164
 34623138346261366238303037653764366537333561623135656236663435316565303931353939
 34663932303239393836363663343735313632333639633733323564343039346436343935373430
 66313863643361306161373634373738383462313831643161333230646435313261383534396464
 39663466643864666433366531323866333935373833663661323833623734646265393035613966
 62393165653135643737343333346232356638646437326664396466333063666135653338623266
 34663133636164386164636434666231643163343930353863306538333337643762616661366366
 63646336613433623862356365633563633235396337356535376335636633636563333738383061
 33326136393530353964666639633638643433653736376637386638336561643061323635373565
 65393836613638313165313262376166643561623131363836363531616232663333333063393039
 35643938626132383439393761623165303730396365323665613663643961663466393937333731
 30643662663034616631343336343236613437376362366234343436376563303466633030323465
 64626536333465626430333336353038336539313531303933633466333633336364363961353861
 31636135303332343733313637326461643264636236313331643438613365393733383764653432
 65346533616130396233613863633331613638316462366364346465353234373531393137336165
 36666336333036396262663661343962663763316531393765346536646236613331626139383230
 32623665353463326633646466376232343333666465616633333033663031643262663732323230
 36363439613934643037393562333237636262306330356638666235333361376136623462313736
 33373163336134316563353031616339336234623738373230323335623130376265386130333235
 64616261633232316131633062623163333135323737376462383539663137366539656261396238
 31363232356361376264373863663362346535346136313834623761333037343435326339633735
 33656465376264326334356365346437343062343631663430346561656531653662646530316133
 64396563376263306533306565623163316238326264306330393465333737303062363030343662
 65333633643635643737323231343664613735336230393835346132613331366266336434623937
 65616366633734373434333837326465613862633930626435623165633964313732373936346434
 30643161633238343435623538316134616161313461616538653161383032313038666638376432
 64646564626231656664306235633031356564373432626561386135653136313062383861323130
 34393331316439613363636631666262343334393739303631633936623964343938373334623230
 39343031663565333431333731363966623730666335346164623662373265643732306662393663
 39336137326533643533623865313934336464633634613436616438373531636562313762383666
 37386365333361626362
--- a/group_vars/dhcp/dhcpd.yml
+++ b/group_vars/dhcp/dhcpd.yml
@ -0,0 +1,69 @@
 ---
 dhcpd__omapi_key:
  algorithm: hmac-sha512
  secret: 99XuJO0ofX3VAnWWlyixWbQ5YTagPfgxyh14IbLNBb3/JzEklkWopvQdj/PXVYbfb/sRyFJBhLexPag4dLh7PA==
 dhcpd__interfaces:
  - client0
  - client1
  - client2
  - client3
  - client4
 dhcpd__dns_servers:
  - 10.128.10.3
  - 10.128.10.103
 dhcpd__domain_search:
  - isp.auro.re.
  - auro.re.
 dhcpd__subnets:
  - network: 100.64.0.0/27
    routers:
      - 100.64.0.1
    start: 100.64.0.4
    end: 100.64.0.30
    domain_name: client0.isp.auro.re
    failover: true
  - network: 100.64.0.32/27
    routers:
      - 100.64.0.31
    start: 100.64.0.33
    end: 100.64.0.63
    domain_name: client1.isp.auro.re
    failover: true
  - network: 100.64.0.64/27
    routers:
      - 100.64.0.65
    start: 100.64.0.67
    end: 100.64.0.95
    domain_name: client2.isp.auro.re
    failover: true
  - network: 100.64.0.96/27
    routers:
      - 100.64.0.97
    start: 100.64.0.99
    end: 100.64.0.127
    domain_name: client3.isp.auro.re
    failover: true
  - network: 100.64.0.128/27
    routers:
      - 100.64.0.129
    start: 100.64.0.131
    end: 100.64.0.159
    domain_name: client4.isp.auro.re
 dhcpd__failover:
  dhcp-1.isp.infra.auro.re: 10.210.1.1
  dhcp-2.isp.infra.auro.re: 10.210.1.2
 dhcpd__failover_address: "{{ dhcpd__failover[inventory_hostname] }}"
 dhcpd__failover_peer_address: "{{ dhcpd__failover
                                  | dict2items
                                  | selectattr('key', '!=',
                                               inventory_hostname)
                                  | map(attribute='value')
                                  | first }}"
 ...
--- a/group_vars/dns/kresd.yml
+++ b/group_vars/dns/kresd.yml
@ -0,0 +1,24 @@
 ---
 kresd__listen:
  - address: 0.0.0.0
    port: 53
    kind: dns
  - address: "::"
    port: 53
    kind: dns
  - address: 0.0.0.0
    port: 853
    kind: tls
  - address: "::"
    port: 853
    kind: tls
  - address: 0.0.0.0
    port: 8453
    kind: webmgmt
  - address: "::"
    port: 8453
    kind: webmgmt
    tls: false
 kresd__cache_size: 512
 ...
--- a/group_vars/edge/keepalived.yml
+++ b/group_vars/edge/keepalived.yml
@ -0,0 +1,21 @@
 ---
 keepalived__virtual_router_id: 81
 keepalived__interface: back0
 keepalived__virtual_addresses:
  crans0:
    - 185.230.79.254/29
    - 2a0c:700:28::2/64
    - fe80::1/10
  zayo0:
    - 2001:1b48:2:103::d7:2/126
    - 83.167.52.69/31
    - fe80::1/10
  oti0:
    - 2a00:a4c0:100c:1::b/127
    - 77.95.70.11/31
    - fe80::1/10
 keepalived__main: "{{ inventory_hostname_short == 'edge-1' }}"
 ...
--- a/group_vars/infra/bird.yml
+++ b/group_vars/infra/bird.yml
@ -0,0 +1,86 @@
 ---
 bird__kernel:
  kernel:
    learn: true
    import: accept
    export: accept
 bird__ospf:
  limits:
    import: 4000
    export: 4000
  import: accept
  export:
    protos: kernel
  areas:
    0:
      broadcast:
        - back0
      stub:
        - monit0
        - wifi0
        - int0
        - sw0
        - bmc0
        - pve0
        - isp0
        - ext0
        - pub0
        - th30
        - ups0
    1:
      broadcast:
        - vpn0
 bird__bgp:
  edge1:
    local:
      address: "{{ bird__bgp_addr.back }}"
      as: "{{ bird__as.aurore }}"
    neighbor:
      address:
        - 2a09:6840:203::1:1
        - 10.203.1.1
      as: "{{ bird__as.aurore }}"
    import:
      - pref_src: "{{ bird__pref_src_addr }}"
      - accept
    export: reject
  edge2:
    local:
      address: "{{ bird__bgp_addr.back }}"
      as: "{{ bird__as.aurore }}"
    neighbor:
      address:
        - 2a09:6840:203::1:2
        - 10.203.1.2
      as: "{{ bird__as.aurore }}"
    import:
      - pref_src: "{{ bird__pref_src_addr }}"
      - accept
    export: reject
      #wg1:
      #local:
      #address: "{{ bird__bgp_addr.vpn }}"
      #as: "{{ bird__as.aurore }}"
      #neighbor:
      #address:
      #  - 2a09:6840:213::1:3
      #  - 10.213.1.3
      #as: "{{ bird__as.aurore }}"
      #rr_cluster_client: 10.203.1.1
      #import: reject
      #export: accept
      #wg2:
      #local:
      #address: "{{ bird__bgp_addr.vpn }}"
      #as: "{{ bird__as.aurore }}"
      #neighbor:
      #address:
      #  - 2a09:6840:213::1:4
      #  - 10.203.1.4
      #as: "{{ bird__as.aurore }}"
      #rr_cluster_client: 10.203.1.1
      #import: reject
      #export: accept
 ...
--- a/group_vars/infra/firewall.yml
+++ b/group_vars/infra/firewall.yml
@ -0,0 +1,457 @@
 ---
 firewall__zones:
  adm-legacy:
    addrs:
      - 2a09:6840:128::/64
      - 10.128.0.0/16
  ups:
    addrs:
      - 2a09:6840:201::/64
      - 10.201.0.0/16
  back:
    addrs:
      - 2a09:6840:203::/64
      - 10.203.0.0/16
  monit:
    addrs:
      - 2a09:6840:204::/64
      - 10.204.0.0/16
  wifi:
    addrs:
      - 2a09:6840:205::/64
      - 10.205.0.0/16
  int:
    addrs:
      - 2a09:6840:206::/64
      - 10.206.0.0/16
  sw:
    addrs:
      - 2a09:6840:207::/64
      - 10.207.0.0/16
  bmc:
    addrs:
      - 2a09:6840:208::/64
      - 10.208.0.0/16
  pve:
    addrs:
      - 2a09:6840:209::/64
      - 10.209.0.0/16
  isp:
    addrs:
      - 2a09:6840:210::/64
      - 10.210.0.0/16
  ext:
    addrs:
      - 2a09:6840:211::/64
      - 10.211.0.0/16
  pub:
    addrs:
      - 2a09:6840:215::/64
      - 45.66.111.192/27
  vpn-clients:
    addrs:
      - 2a09:6840:212::/64
      - 10.212.0.0/16
  vpn:
    addrs:
      - 2a09:6840:213::/64
      - 10.213.0.0/16
  infra:
    zones:
      - adm-legacy
      - ups
      - back
      - monit
      - wifi
      - int
      - sw
      - bmc
      - pve
      - isp
      - ext
      - pub
      - vpn
  internet:
    negate: true
    addrs:
      - 2a09:6840::/32
      - 2a09:6841::/32
      - 2a09:6842::/32
      - 45.66.108.0/22
      - 10.0.0.0/8
      - 100.64.0.0/10
  prometheus.int:
    addrs:
      - 2a09:6840:204::1:1
      - 10.204.1.1
      - 2a09:6840:204::1:2
      - 10.204.1.2
  grafana.adm:
    addrs:
      - 2a09:6840:128::98
      - 10.128.0.98
  re2o-ldap.adm:
    addrs:
      - 2a09:6840:128::21
      - 10.128.0.21
  ldap-replica-edc.adm:
    addrs:
      - 2a09:6840:128::4:249
      - 10.128.4.249
  nextcloud.adm:
    addrs:
      - 2a09:6840:128::58
      - 10.128.0.58
  dns.int:
    addrs:
      - 2a09:6840:206::1:1
      - 10.206.1.1
      - 2a09:6840:206::1:2
      - 10.206.1.2
  ntp.int:
    addrs:
      - 2a09:6840:206::1:5
      - 10.206.1.5
      - 2a09:6840:206::1:6
      - 10.206.1.6
  docker-ovh.adm:
    addrs:
      - 2a09:6840:128::150
      - 10.128.0.150
  mx.test:
    addrs:
      - 2a09:6840:211::1:5
      - 45.66.111.208
      - 10.128.1.5
  proxy.pub:
    addrs:
      - 2a09:6840:215::1:1
      - 45.66.111.206
  collabora.ext:
    addrs:
      - 2a09:6840:211::1:1
      - 10.211.1.1
  grafana.ext:
    addrs:
      - 2a09:6840:211::1:7
      - 10.211.1.7
  ns-1.pub:
    addrs:
      - 2a09:6840:215::1:2
      - 45.66.111.205
  ns-2.pub:
    addrs:
      - 2a09:6840:215::1:3
      - 45.66.111.207
  ns-master.int:
    addrs:
      - 2a09:6840:206::1:7
      - 10.206.1.7
  tor.pub:
    addrs:
      - 45.66.111.215
      - 2a09:6840:215::1:215
  jitsi.pub:
    addrs:
      - 45.66.111.216
      - 2a09:6840:215::1:216
  log-1.int:
    addrs:
      - 10.206.1.9
      - 2a09:6840:206::1:9
  log-2.int:
    addrs:
      - 10.206.1.10
      - 2a09:6840:206::1:10
 firewall__input:
  - iif:
      - back0 # FIXME link-local
      - vpn0
    verdict: accept
  - src:
      - back
      - vpn
    verdict: accept
  - src: monit
    protocols:
      tcp:
        dport:
          - 9100
          - 9700
    verdict: accept
  - src: monit
    protocols:
      tcp:
        dport: 9324
    verdict: accept
  - protocols:
      icmp: true
    verdict: accept
  - protocols:
      tcp:
        dport: 22
    verdict: accept
  - verdict: drop
 firewall__output:
  - verdict: accept
 firewall__forward:
  - src: back
    dst: infra
    verdict: accept
  - src: infra # FIXME: temporary
    dst: internet
    verdict: accept
  - src: monit
    dst: bmc
    protocols:
      icmp: true
    verdict: accept
  - dst: mx.test
    protocols:
      icmp: true
    verdict: accept
  - dst: mx.test
    protocols:
      tcp:
        dport:
          - 25
          - 465
          - 993
    verdict: accept
  # NS
  - dst:
      - ns-1.pub
      - ns-2.pub
    protocols:
      tcp:
        dport: 53
    verdict: accept
  - dst:
      - ns-1.pub
      - ns-2.pub
    protocols:
      udp:
        dport: 53
    verdict: accept
  - src:
      - ns-1.pub
      - ns-2.pub
    dst: ns-master.int
    protocols:
      udp:
        dport: 53
    verdict: accept
  - src:
      - ns-1.pub
      - ns-2.pub
    dst: ns-master.int
    protocols:
      tcp:
        dport: 53
    verdict: accept
  # SNMP
  - src: monit
    dst:
      - sw
      - ups
      - bmc
    protocols:
      udp:
        dport: 161
    verdict: accept
  - src: monit
    dst:
      - sw
      - ups
      - bmc
    protocols:
      tcp:
        dport: 161
    verdict: accept
  # Alertmanager
  - src: monit
    dst: docker-ovh.adm
    protocols:
      tcp:
        dport: 9093
    verdict: accept
  - src: adm-legacy
    dst: bmc
    verdict: accept
  # Prometheus for Grafana
  - src: grafana.adm
    dst: prometheus.int
    protocols:
      tcp:
        dport: 9090
    verdict: accept
  # Prometheus for Grafana nixos
  - src: grafana.ext
    dst: prometheus.int
    protocols:
      tcp:
        dport: 9090
    verdict: accept
  - src: grafana.ext
    dst: re2o-ldap.adm
    protocols:
      tcp:
        dport: 389
    verdict: accept
  - src: grafana.ext
    dst: ldap-replica-edc.adm
    protocols:
      tcp:
        dport: 389
    verdict: accept
  # Admin VPN clients
  - src: vpn-clients
    dst: infra
    verdict: accept
  # Prometheus node
  - src: monit
    dst: infra
    protocols:
      tcp:
        dport:
          - 9100
          - 9700
    verdict: accept
  # Prometheus bird
  - src: monit
    dst: back
    protocols:
      tcp:
        dport: 9324
    verdict: accept
  # Prometheus kresd
  - src: monit
    dst: dns.int
    protocols:
      tcp:
        dport: 8453
    verdict: accept
  # Allow DNS from infra to dns-{1,2}
  - src: infra
    dst: dns.int
    protocols:
      udp:
        dport: 53
    verdict: accept
  - src: infra
    dst: dns.int
    protocols:
      tcp:
        dport: 53
    verdict: accept
  # Allow NTP from infra to ntp-{1,2} 
  - src: 
      - infra
      - pub
    dst: ntp.int
    protocols:
      udp:
        dport: 123
    verdict: accept
  # Admin Wireguard
  - dst:
      - 2a09:6840:211::1:1
      - 45.66.111.204
      - 10.211.1.1
    protocols:
      udp:
        dport: 5121
    verdict: accept
  # Proxy web
  - dst: 
      - jitsi.pub
      - proxy.pub
    protocols:
      tcp:
        dport:
          - 80
          - 443
    verdict: accept
  - src: proxy.pub
    dst: grafana.adm
    protocols:
      tcp:
        dport: 3000
    verdict: accept
  - src: proxy.pub
    dst: grafana.ext
    protocols:
      tcp:
        dport: 80
    verdict: accept
  - src: proxy.pub
    dst: nextcloud.adm
    protocols:
      tcp:
        dport: 8080
  - src: proxy.pub
    dst: adm-legacy
    protocols:
      tcp:
        dport:
          - 80
          - 443
    verdict: accept
  # ICMP to public vlan
  - dst: pub
    protocols:
      icmp: true
    verdict: accept
  # Proxy -> Collabora
  - src: proxy.pub
    dst: collabora.ext
    protocols:
      tcp:
        dport: 9980
    verdict: accept
  # Collabora -> Proxy
  - src: collabora.ext
    dst: proxy.pub
    protocols:
      tcp:
        dport:
          - 80
          - 443
    verdict: accept
  # Tor: SSH
  - dst: tor.pub
    protocols:
      tcp:
        dport: 
          - 22
          - 4444
    verdict: accept
  # Jitsi UDP
  - dst: jitsi.pub
    protocols:
      udp:
        dport:
          - 3478
          - 10000
  # Jitsi TCP
  - dst: jitsi.pub
    protocols:
      tcp:
        dport:
          - 5349
 firewall__nat:
  - src: 10.0.0.0/8
    dst: internet
    protocols: null
    snat:
      addr: 45.66.111.200/30
  #- src: monit
  #  dst: adm-legacy
  #  protocols: null
  #  snat:
  #    addr: 10.203.1.3/32
 ...
--- a/group_vars/infra/keepalived.yml
+++ b/group_vars/infra/keepalived.yml
@ -0,0 +1,59 @@
 ---
 keepalived__virtual_router_id: 82
 keepalived__interface: back0
 keepalived__virtual_addresses:
  ups0:
    - 10.201.0.1/16
    - 2a09:6840:201::1/64
    - fe80::1/10
  monit0:
    - 10.204.0.1/16
    - 2a09:6840:204::1/64
    - fe80::1/10
  wifi0:
    - 10.205.0.1/16
    - 2a09:6840:205::1/64
    - fe80::1/10
  int0:
    - 10.206.0.1/16
    - 2a09:6840:206::1/64
    - fe80::1/10
  sw0:
    - 10.207.0.1/16
    - 2a09:6840:207::1/64
    - fe80::1/10
  bmc0:
    - 10.208.0.1/16
    - 2a09:6840:208::1/64
    - fe80::1/10
  pve0:
    - 10.209.0.1/16
    - 2a09:6840:209::1/64
    - fe80::1/10
  isp0:
    - 10.210.0.1/16
    - 2a09:6840:210::1/64
    - fe80::1/10
  ext0:
    - 10.211.0.1/16
    - 2a09:6840:211::1/64
    - fe80::1/10
  th30:
    - 10.126.0.6/24
    - fe80::1/10
  pub0:
    - 2a09:6840:215::1/64
    - 45.66.111.204/27
    - fe80::1/10
 #keepalived__virtual_routes:
 #  ext0:
 #    - 45.66.111.204/30
 keepalived__virtual_blackholes:
  - 45.66.111.200/30 # NAT
 keepalived__main: "{{ inventory_hostname_short == 'infra-1' }}"
 ...
--- a/group_vars/isp/bird.yml
+++ b/group_vars/isp/bird.yml
@ -0,0 +1,53 @@
 ---
 bird__kernel:
  kernel:
    learn: true
    import: accept
    export: accept
 bird__ospf:
  limits:
    import: 4000
    export: 4000
  import: accept
  export:
    protos: kernel
  areas:
    0:
      broadcast:
        - back0
      stub:
        - client0
        - client1
        - client2
        - client3
        - client4
 bird__bgp:
  edge1:
    local:
      address: "{{ bird__bgp_addr.back }}"
      as: "{{ bird__as.aurore }}"
    neighbor:
      address:
        - 2a09:6840:203::1:1
        - 10.203.1.1
      as: "{{ bird__as.aurore }}"
    import:
      - pref_src: "{{ bird__pref_src_addr }}"
      - accept
    export: reject
 bird__radv:
  rdnss:
    - 2a09:6840:206::1:1
    - 2a09:6840:206::1:2
  interfaces:
    client0:
      max_interval: 5
      prefixes:
        - 2a09:6841::/64
      dnssl: client0.isp.auro.re
      domain_search:
        - auro.re
 ...
--- a/group_vars/isp/firewall.yml
+++ b/group_vars/isp/firewall.yml
@ -0,0 +1,40 @@
 ---
 firewall__zones:
  internet:
    negate: true
    addrs:
      - 2a09:6840::/32
      - 2a09:6841::/32
      - 2a09:6842::/32
      - 45.66.108.0/22
      - 10.0.0.0/8
      - 100.64.0.0/10
  clients:
    addrs:
      - 100.64.0.0/10
  non_clients:
    negate: true
    zones: clients
  allowed_clients:
    file:
      path: /var/run/firewall/allowed_clients.yml
      default: []
 firewall__input:
  - verdict: accept
 firewall__output:
  - verdict: accept
 firewall__forward:
  - src: allowed_clients
    dst: non_clients
    verdict: accept
 firewall__nat:
  - src: clients
    dst: internet
    protocols: null
    snat:
      addr: 45.66.111.220
 ...
--- a/group_vars/isp/keepalived.yml
+++ b/group_vars/isp/keepalived.yml
@ -0,0 +1,32 @@
 ---
 keepalived__virtual_router_id: 80
 keepalived__interface: back0
 keepalived__virtual_addresses:
  client0:
    - 100.64.0.1/27
    - 2a09:6841::1/56
    - fe80::1/10
  client1:
    - 100.64.0.33/27
    - 2a09:6841:0:1::1/64
    - fe80::1/10
  client2:
    - 100.64.0.65/27
    - 2a09:6841:0:2::1/64
    - fe80::1/10
  client3:
    - 100.64.0.97/27
    - 2a09:6841:0:3::1/64
    - fe80::1/10
  client4:
    - 100.64.0.129/27
    - 2a09:6841:0:4::1/64
    - fe80::1/10
 keepalived__virtual_blackholes:
  - 45.66.111.220/32
 keepalived__main: "{{ inventory_hostname_short == 'isp-1' }}"
 ...
--- a/group_vars/ns/knotd.yml
+++ b/group_vars/ns/knotd.yml
@ -0,0 +1,71 @@
 ---
 knotd__listen:
  - address: 0.0.0.0
  - address: "::"
 knotd__keys:
  xfr:
    algorithm: hmac-sha512
    secret: "{{ vault_knotd_xfr_key }}"
 knotd__remotes:
  xfr-master:
    address: 2a09:6840:206::1:7
    key: xfr
 knotd__acl:
  notify-master:
    address:
      - 2a09:6840:206::1:7
      - 10.206.1.7
    key: xfr
    action: notify
 knotd__queryacl:
  local:
    addresses:
      - 10.0.0.0/8
 knotd__zones:
  auro.re:
    dnssec_validation: true
    acl:
      - notify-master
    master: xfr-master
  test.auro.re:
    dnssec_validation: true
    acl:
      - notify-master
    master: xfr-master
  infra.auro.re:
    dnssec_validation: true
    acl:
      - notify-master
    #queryacl: local
    master: xfr-master
  108.66.45.in-addr.arpa:
    dnssec_validation: false
    acl:
      - notify-master
    master: xfr-master
  109.66.45.in-addr.arpa:
    dnssec_validation: false
    acl:
      - notify-master
    master: xfr-master
  110.66.45.in-addr.arpa:
    dnssec_validation: false
    acl:
      - notify-master
    master: xfr-master
  111.66.45.in-addr.arpa:
    dnssec_validation: false
    acl:
      - notify-master
    master: xfr-master
  0.4.8.6.9.0.a.2.ip6.arpa:
    dnssec_validation: false
    acl:
      - notify-master
    master: xfr-master
 ...
--- a/group_vars/ntp/chronyd.yml
+++ b/group_vars/ntp/chronyd.yml
@ -0,0 +1,13 @@
 ---
 chronyd__allow_networks:
  - 2a09:6840::/32
  - 10.0.0.0/8
 chronyd__pools:
  - 0.pool.ntp.org
  - 1.pool.ntp.org
  - 2.pool.ntp.org
  - 3.pool.ntp.org
 chronyd__local_stratum: 10
 ...
--- a/group_vars/prom/prometheus/bird.yml
+++ b/group_vars/prom/prometheus/bird.yml
@ -0,0 +1,144 @@
 ---
 prometheus__scraping_bird:
  targets: "{{ groups.router }}"
  address:
    port: 9324
 prometheus__rules_bird:
  - record: bird:protocol_up:bgp_all
    expr:
      label_replace(
        bird_protocol_up{proto="BGP"},
        "group", "$1",
        "instance", "^([^0-9\\.]+)-[0-9]+.*"
      )
  # FIXME: sessions en cours d'installation, pas encore monitorées
  - record: bird:protocol_up:bgp
    expr:
      bird:protocol_up:bgp_all
      unless bird:protocol_up:bgp_all{
        group="edge",
        name=~"^(viarezo|isp[12]|rezel)[46]$"
      }
  # Sessions qui ne sont volontairement pas redondées
  # au sein d'un groupe
  - record: bird:protocol_up:bgp:non_redundant
    expr:
      bird:protocol_up:bgp{
        group="edge",
        name=~"^(oti|crans|legacy|edge)[46]$"
      }
  # Sessions qui le sont
  - record: bird:protocol_up:bgp:redundant
    expr:
      bird:protocol_up:bgp
      unless
      bird:protocol_up:bgp:non_redundant
  - alert: BirdBGPRedundancyDegraded
    expr:
      (
        count by (group, name) (
          bird:protocol_up:bgp:redundant{state="Established"}
        ) + (
          count by (group, name) (
            bird:protocol_up:bgp:redundant{state!="Established"} * 0
          )
        )
      ) < 2
    for: 0m
    labels:
      severity: warning
    annotations:
      Session: !unsafe "{{ $labels.name }}"
      Count: !unsafe "{{ $value }}"
      Group: !unsafe "{{ $labels.group }}"
  - alert: BirdBGPDown
    expr:
      (
        count by (group, name) (
          bird:protocol_up:bgp{state="Established"}
        ) + (
          count by (group, name) (
            bird:protocol_up:bgp{state!="Established"} * 0
          )
        )
      ) == 0
    for: 0m
    labels:
      severity: critical
    annotations:
      Session: !unsafe "{{ $labels.name }}"
      Group: !unsafe "{{ $labels.group }}"
  # TODO: warning pour redondant ?
  - alert: BirdBGPNoExportedPrefixRedundant
    expr:
      bird_protocol_prefix_export_count{
        export_filter!="REJECT",
      } * on (instance, name) group_left (group) (
        bird:protocol_up:bgp:redundant{state="Established"}
      ) == 0
    for: 0m
    labels:
      severity: critical
    annotations:
      Session: !unsafe "{{ $labels.name }}"
      Group: !unsafe "{{ $labels.group }}"
  - alert: BirdBGPNoImportedPrefixRedundant
    expr:
      bird_protocol_prefix_import_count{
        import_filter!="REJECT",
      } * on (instance, name) group_left (group) (
        bird:protocol_up:bgp:redundant{state="Established"}
      ) == 0
    for: 0m
    labels:
      severity: critical
    annotations:
      Session: !unsafe "{{ $labels.name }}"
      Group: !unsafe "{{ $labels.group }}"
  - alert: BirdBGPNoExportedPrefixNonRedundant
    expr:
      sum by (group) (
        bird_protocol_prefix_export_count{
          export_filter!="REJECT",
        } * on (instance, name) group_left (group) (
          bird:protocol_up:bgp:non_redundant{state="Established"}
        )
      ) == 0
    for: 0m
    labels:
      severity: critical
    annotations:
      Session: !unsafe "{{ $labels.name }}"
      Group: !unsafe "{{ $labels.group }}"
  - alert: BirdBGPNoImportedPrefixNonRedundant
    expr:
      sum by (group) (
        bird_protocol_prefix_import_count{
          import_filter!="REJECT",
        } * on (instance, name) group_left (group) (
          bird:protocol_up:bgp:non_redundant{state="Established"}
        )
      ) == 0
    for: 0m
    labels:
      severity: critical
    annotations:
      Session: !unsafe "{{ $labels.name }}"
      Group: !unsafe "{{ $labels.group }}"
  - alert: BirdOSPFNeighboursChange
    expr:
      changes(bird_ospf_neighbor_count[5m]) > 0
      or changes(bird_ospfv3_neighbor_count[5m]) > 0
    for: 0m
    labels:
      severity: warning
  - alert: BirdOSPFDown
    expr:
      bird_ospf_running == 0
    for: 0m
    labels:
      severity: critical
    annotations:
      Instance: !unsafe "{{ $labels.name }}"
 ...
--- a/group_vars/prom/prometheus/common.yml
+++ b/group_vars/prom/prometheus/common.yml
@ -0,0 +1,11 @@
 ---
 prometheus__rules_common:
  - alert: CollectorDown
    expr:
      up == 0
    for: 3m
    labels:
      severity: critical
    annotations:
      Job: !unsafe "{{ $labels.job }}"
 ...
--- a/group_vars/prom/prometheus/eaton.yml
+++ b/group_vars/prom/prometheus/eaton.yml
@ -0,0 +1,11 @@
 ---
 prometheus__scraping_eaton:
  targets: "{{ groups.eaton_ups }}"
  address: 127.0.0.1:9116
  path: /snmp
  params:
    module:
      - eaton
 prometheus__rules_eaton: {}
 ...
--- a/group_vars/prom/prometheus/ilo.yml
+++ b/group_vars/prom/prometheus/ilo.yml
@ -0,0 +1,13 @@
 ---
 prometheus__scraping_ilo:
  targets: "{{ groups.ilo }}"
  address: 127.0.0.1:9116
  path: /snmp
  timeout: 180s
  interval: 180s
  params:
    module:
      - ilo
 prometheus__rules_ilo: {}
 ...
--- a/group_vars/prom/prometheus/jitsi.yml
+++ b/group_vars/prom/prometheus/jitsi.yml
@ -0,0 +1,6 @@
 ---
 prometheus__scraping_jitsi:
  targets: ["jitsi.pub.infra.auro.re"]
  address:
    port: 9700
 ...
--- a/group_vars/prom/prometheus/keepalived.yml
+++ b/group_vars/prom/prometheus/keepalived.yml
@ -0,0 +1,23 @@
 ---
 prometheus__rules_keepalived:
  - alert: KeepalivedVrrpFault
    expr:
      keepalived_vrrp_state{state="fault"} > 0
    for: 0m
    labels:
      severity: critical
    annotations:
      Instance: !unsafe "{{ $labels.instance }}"
  - alert: KeepalivedMasterChange
    expr:
      changes(
        keepalived_vrrp_state{
          keepalived_vvrp_state="master"
        }[1m]
      ) > 0
    for: 0m
    labels:
      severity: warning
    annotations:
      Instance: !unsafe "{{ $labels.instance }}"
 ...
--- a/group_vars/prom/prometheus/kresd.yml
+++ b/group_vars/prom/prometheus/kresd.yml
@ -0,0 +1,6 @@
 ---
 prometheus__scraping_kresd:
  targets: "{{ groups.dns }}"
  address:
    port: 8453
 ...
--- a/group_vars/prom/prometheus/main.yml
+++ b/group_vars/prom/prometheus/main.yml
@ -0,0 +1,28 @@
 ---
 prometheus__alertmanager_targets:
  - docker-ovh.adm.auro.re:9093
 prometheus__tsdb_retention_time: 90d
 prometheus__scraping:
  node: "{{ prometheus__scraping_node }}"
  prometheus: "{{ prometheus__scraping_prometheus }}"
  kresd: "{{ prometheus__scraping_kresd }}"
  bird: "{{ prometheus__scraping_bird }}"
  quanta: "{{ prometheus__scraping_quanta }}"
  ilo: "{{ prometheus__scraping_ilo }}"
  snmp: "{{ prometheus__scraping_snmp }}"
  eaton: "{{ prometheus__scraping_eaton }}"
  jitsi: "{{ prometheus__scraping_jitsi }}"
 prometheus__rules:
  common: "{{ prometheus__rules_common }}"
  switch: "{{ prometheus__rules_switch }}"
  prometheus: "{{ prometheus__rules_prometheus }}"
  node: "{{ prometheus__rules_node }}"
  keepalived: "{{ prometheus__rules_keepalived }}"
  quanta: "{{ prometheus__rules_quanta }}"
  #ilo: "{{ prometheus__rules_ilo }}"
  bird: "{{ prometheus__rules_bird }}"
  #eaton: "{{ prometheus__rules_eaton }}"
 ...
--- a/group_vars/prom/prometheus/node.yml
+++ b/group_vars/prom/prometheus/node.yml
@ -0,0 +1,200 @@
 ---
 prometheus__scraping_node:
  targets: "{{ groups.vm + groups.pve }}"
  address:
    port: 9100
 prometheus__rules_node:
  - alert: OutOfMemory
    expr:
      (
        node_memory_MemFree_bytes
        + node_memory_Cached_bytes
        + node_memory_Buffers_bytes
      ) / node_memory_MemTotal_bytes < 0.1
    for: 5m
    labels:
      severity: warning
    annotations:
      FreeMemory: !unsafe "{{ $value | humanizePercentage }}"
  - alert: HostSwapIsFillingUp
    expr:
      (
        1 - (
          node_memory_SwapFree_bytes
          / node_memory_SwapTotal_bytes
        )
      ) >= 0.5
    for: 3m
    labels:
      severity: critical
    annotations:
      UsedSwap: !unsafe "{{ $value | humanizePercentage }}"
  - alert: HostPhysicalComponentTooHot
    expr:
      node_hwmon_temp_celsius > 79
    for: 3m
    labels:
      severity: critical
    annotations:
      Temperature: !unsafe "{{ $value | humanize }} °C"
      Chip: !unsafe "{{ $labels.chip }}"
      Sensor: !unsafe "{{ $labels.sensor }}"
  - alert: HostNodeOvertemperatureAlarm
    expr:
      node_hwmon_temp_crit_alarm_celsius == 1
    for: 0m
    labels:
      severity: critical
    annotations:
      Chip: !unsafe "{{ $labels.chip }}"
      Sensor: !unsafe "{{ $labels.sensor }}"
  - alert: HostRaidArrayGotInactive
    expr:
      node_md_state{state="inactive"} > 0
    for: 0m
    labels:
      severity: critical
    annotations:
      Device: !unsafe "{{ $labels.device }}"
  - alert: HostRaidDiskFailure
    expr:
      node_md_disks{state="failed"} > 0
    for: 0m
    labels:
      severity: critical
    annotations:
      severity: !unsafe "{{ $labels.md_device }}"
  - alert: HostOomKillDetected
    expr:
      increase(node_vmstat_oom_kill[1m]) > 0
    for: 0m
    labels:
      severity: warning
    annotations:
      PID: !unsafe "{{ $value }}"
  - alert: HostEdacCorrectableErrorsDetected
    expr:
      increase(node_edac_correctable_errors_total[1m]) > 0
    for: 0m
    labels:
      severity: warning
    annotations:
      CorrectedErrors: !unsafe "{{ $value }}"
  - alert: HostEdacUncorrectableErrorsDetected
    expr:
      increase(node_edac_uncorrectable_errors_total[1m]) > 0
    for: 0m
    labels:
      severity: warning
    annotations:
      DetectedErrors: !unsafe "{{ $value }}"
  - alert: OutOfDiskSpace
    expr:
      (
        node_filesystem_free_bytes
        / node_filesystem_size_bytes < 0.1
      )
      and on (instance, device, mountpoint) (
        node_filesystem_readonly
      ) == 0
    for: 5m
    labels:
      severity: critical
    annotations:
      Mountpoint: !unsafe "{{ $labels.mountpoint }}"
      FreeSpace: !unsafe "{{ $value | humanizePercentage }}"
  - alert: HostConntrackLimit
    expr:
      (
        node_nf_conntrack_entries
        / node_nf_conntrack_entries_limit
      ) > 0.8
    for: 5m
    labels:
      severity: warning
    annotations:
      Filled: !unsafe "{{ $value | humanizePercentage }}"
  - alert: HostClockSkew
    expr:
      (
        node_timex_offset_seconds > 0.05
        and deriv(node_timex_offset_seconds[5m]) >= 0
      ) or (
        node_timex_offset_seconds < -0.05
        and deriv(node_timex_offset_seconds[5m]) <= 0
      )
    for: 2m
    labels:
      severity: warning
  - alert: HostClockNotSynchronising
    expr:
      min_over_time(node_timex_sync_status[1m]) == 0
      and node_timex_maxerror_seconds >= 16
    for: 2m
    labels:
      severity: warning
  - alert: HostRequiresReboot
    expr:
      node_reboot_required > 0
    for: 5m
    labels:
      severity: warning
  - alert: OutOfInodes
    expr:
      node_filesystem_files_free
      / node_filesystem_files < 0.1
    for: 3m
    labels:
      severity: warning
    annotations:
      Mountpoint: !unsafe "{{ $labels.mountpoint }}"
      FreeInodes: !unsafe "{{ $value | humanizePercentage }}"
  - alert: CpuUsage
    expr:
      (
        1 - avg by (instance) (
          irate(node_cpu_seconds_total{mode="idle"}[5m])
        )
      ) > 0.75
    for: 10m
    labels:
      severity: warning
    annotations:
      Usage: !unsafe "{{ $value | humanizePercentage }}"
  - alert: SystemdServiceFailed
    expr:
      node_systemd_unit_state{state="failed"} == 1
    for: 10m
    labels:
      severity: warning
    annotations:
      Service: !unsafe "{{ $labels.name }}"
  - alert: LoadUsage
    expr:
      node_load1 > 5
    for: 2m
    labels:
      severity: warning
    annotations:
      Load1: !unsafe "{{ $value | humanize }}"
  - alert: UnhealthyDisk
    expr:
      smartmon_device_smart_healthy < 1
    for: 10m
    labels:
      severity: critical
    annotations:
      Disk: !unsafe "{{ $labels.disk }}"
  - alert: HostCpuStealNoisyNeighbor
    expr:
      avg by (instance) (
        rate(node_cpu_seconds_total{mode="steal"}[5m])
      ) > 0.1
    for: 5m
    labels:
      severity: warning
    annotations:
      Disk: !unsafe "{{ $labels.disk }}"
      Steal: !unsafe "{{ $value | humanizePercentage }}"
 ...
--- a/group_vars/prom/prometheus/prometheus.yml
+++ b/group_vars/prom/prometheus/prometheus.yml
@ -0,0 +1,14 @@
 ---
 prometheus__scraping_prometheus:
  targets: "{{ groups.prom }}"
  address:
    port: 9090
 prometheus__rules_prometheus:
  - alert: PrometheusTsdbCompactionFailed
    expr:
      increase(prometheus_tsdb_compactions_failed_total[1m]) > 0
    for: 0m
    labels:
      severity: critical
 ...
--- a/group_vars/prom/prometheus/quanta.yml
+++ b/group_vars/prom/prometheus/quanta.yml
@ -0,0 +1,98 @@
 ---
 prometheus__scraping_quanta:
  targets: "{{ groups.quanta }}"
  address: 127.0.0.1:9116
  path: /snmp
  timeout: 180s
  interval: 180s
  params:
    module:
      - quanta
 prometheus__rules_quanta:
  - alert: QuantaQueueOverflow
    expr:
      snAgGblQueueOverflow == 1
    for: 0m
    labels:
      severity: critical
  - alert: QuantaCpuUsage
    expr:
      snAgGblCpuUtil1MinAvg > 50
    for: 5m
    labels:
      severity: warning
    annotations:
      Usage: !unsafe "{{ $value }} %"
  - alert: QuantaCpuUsage
    expr:
      snAgGblCpuUtil1MinAvg > 80
    for: 5m
    labels:
      severity: critical
    annotations:
      Usage: !unsafe "{{ $value }} %"
  - alert: QuantaMemoryUsage
    expr:
      100 * (1 - (snAgGblDynMemFree / snAgGblDynMemTotal)) > 50
    for: 5m
    labels:
      severity: warning
    annotations:
      UsedMemory: !unsafe "{{ $value }} %"
  - alert: QuantaMemoryUsage
    expr:
      100 * (1 - (snAgGblDynMemFree / snAgGblDynMemTotal)) > 80
    for: 5m
    labels:
      severity: alert
    annotations:
      UsedMemory: !unsafe "{{ $value }} %"
  - alert: QuantaFanHealth
    expr:
      snChasFanOperStatus{snChasFanOperStatus="normal"} == 0
    for: 0m
    labels:
      severity: critical
    annotations:
      Description: !unsafe "{{ $labels.shChasFanDescription }}"
      Status: !unsafe "{{ $labels.snChasFanOperStatus }}"
  - alert: QuantaMissingIntakeTemp
    expr:
      count by (instance) (
        snAgentTempValue
      ) - count by (instance) (
        snAgentTempValue{snAgentTempSensorDescr=~".*Intake.*"}
      ) == 0
    for: 0m
    labels:
      severity: critical
  - alert: QuantaIntakeTemp
    expr:
      0.5 * snAgentTempValue{snAgentTempSensorDescr=~".*Intake.*"} > 60
    for: 10m
    keep_firing_for: 30m
    labels:
      severity: warning
    annotations:
      Temperature: !unsafe "{{ $value }} °C"
      Description: !unsafe "{{ $labels.snAgentTempSensorDescr }}"
  - alert: QuantaIntakeTemp
    expr:
      0.5 * snAgentTempValue{snAgentTempSensorDescr=~".*Intake.*"} > 70
    for: 10m
    keep_firing_for: 30m
    labels:
      severity: critical
    annotations:
      Temperature: !unsafe "{{ $value }} °C"
      Description: !unsafe "{{ $labels.snAgentTempSensorDescr }}"
  - alert: QuantaPowerRedundancyFailure
    expr:
      count by (instance) (
        snChasPwrSupplyOperStatus{snChasPwrSupplyOperStatus="normal"}
      ) < 2
    for: 0m
    labels:
      severity: warning
 ...
--- a/group_vars/prom/prometheus/snmp.yml
+++ b/group_vars/prom/prometheus/snmp.yml
@ -0,0 +1,6 @@
 ---
 prometheus__scraping_snmp:
  targets: "{{ groups.prom }}"
  address:
    port: 9116
 ...
--- a/group_vars/prom/prometheus/switch.yml
+++ b/group_vars/prom/prometheus/switch.yml
@ -0,0 +1,91 @@
 ---
 prometheus__rules_switch:
  - alert: SwitchPromiscuousChange
    expr:
      changes(ifPromiscuousMode[5m]) > 0
    for: 0m
    labels:
      severity: warning
    annotations:
      Interface: !unsafe "{{ $labels.ifName }}
        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
  - alert: SwitchInterfaceUpChange
    expr:
      changes(ifOperStatus{ifOperStatus="up"}[5m]) > 0
    for: 0m
    labels:
      severity: warning
    annotations:
      Interface: !unsafe "{{ $labels.ifName }}
        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
  - alert: SwitchInErrors
    expr:
      irate(ifInErrors[5m]) / (
        irate(ifInUcastPkts[5m])
        + irate(ifInNUcastPkts[5m])
      ) > 0.0001
    for: 0m
    labels:
      severity: warning
    annotations:
      ErrorRate: !unsafe "{{ $value | humanizePercentage }}"
      Interface: !unsafe "{{ $labels.ifName }}
        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
  - alert: SwitchOutErrors
    expr:
      irate(ifOutErrors[5m]) / (
        irate(ifOutUcastPkts[5m])
        + irate(ifOutNUcastPkts[5m])
      ) > 0.0001
    for: 0m
    labels:
      severity: warning
    annotations:
      ErrorRate: !unsafe "{{ $value | humanizePercentage }}"
      Interface: !unsafe "{{ $labels.ifName }}
        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
  - alert: SwitchInLinkUsage
    expr:
      rate(ifHCInOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.5
    for: 5m
    keep_firing_for: 10m
    labels:
      severity: warning
    annotations:
      Usage: !unsafe "{{ $value | humanizePercentage }}"
      Interface: !unsafe "{{ $labels.ifName }}
        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
  - alert: SwitchInLinkUsage
    expr:
      rate(ifHCInOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.8
    for: 5m
    keep_firing_for: 10m
    labels:
      severity: critical
    annotations:
      Usage: !unsafe "{{ $value | humanizePercentage }}"
      Interface: !unsafe "{{ $labels.ifName }}
        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
  - alert: SwitchOutLinkUsage
    expr:
      rate(ifHCOutOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.5
    for: 5m
    keep_firing_for: 10m
    labels:
      severity: warning
    annotations:
      Usage: !unsafe "{{ $value | humanizePercentage }}"
      Interface: !unsafe "{{ $labels.ifName }}
        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
  - alert: SwitchOutLinkUsage
    expr:
      rate(ifHCOutOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.8
    for: 5m
    keep_firing_for: 10m
    labels:
      severity: warning
    annotations:
      Usage: !unsafe "{{ $value | humanizePercentage }}"
      Interface: !unsafe "{{ $labels.ifName }}
        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
 ...
--- a/group_vars/prom/prometheus_snmp/eaton.yml
+++ b/group_vars/prom/prometheus_snmp/eaton.yml
@ -0,0 +1,40 @@
 ---
 prometheus_snmp__modules_eaton:
  version: 1
  auth:
    community: "{{ vault_snmp_eaton_community }}"
  walk:
    - sysUpTime
    #- upsBattery
    - xupsInput
    - xupsOutput
    - xupsBypass
    - xupsEnvironment
    - xupsBattery
    - xupsConfig
  lookups:
    - source_indexes:
        - xupsInputPhase
      lookup: xupsInputName
    - source_indexes:
        - xupsOutputPhase
      lookup: xupsOutputName
    - source_indexes:
        - xupsBypassPhase
      lookup: xupsBypassName
  overrides:
    upsBatteryStatus:
      type: EnumAsStateSet
    xupsInputId:
      type: EnumAsStateSet
    xupsOutputId:
      type: EnumAsStateSet
    xupsBypassId:
      type: EnumAsStateSet
    xupsOutputSource:
      type: EnumAsStateSet
    xupsBatteryAbmStatus:
      type: EnumAsStateSet
    xupsContactType:
      type: EnumAsStateSet
 ...
--- a/group_vars/prom/prometheus_snmp/ilo.yml
+++ b/group_vars/prom/prometheus_snmp/ilo.yml
@ -0,0 +1,19 @@
 ---
 prometheus_snmp__modules_ilo:
  version: 3
  timeout: 10s
  retries: 10
  auth:
    security_level: authPriv
    auth_protocol: SHA
    username: aurore
    password: "{{ vault_snmp_ilo_auth }}"
    priv_protocol: AES
    priv_password: "{{ vault_snmp_ilo_priv }}"
  walk:
    - sysUpTime
    - cpqHeTemperatureTable
  overrides:
    cpqHeTemperatureThresholdType:
      type: EnumAsStateSet
 ...
--- a/group_vars/prom/prometheus_snmp/main.yml
+++ b/group_vars/prom/prometheus_snmp/main.yml
@ -0,0 +1,6 @@
 ---
 prometheus_snmp__modules:
  quanta: "{{ prometheus_snmp__modules_quanta }}"
  ilo: "{{ prometheus_snmp__modules_ilo }}"
  eaton: "{{ prometheus_snmp__modules_eaton }}"
 ...
--- a/group_vars/prom/prometheus_snmp/quanta.yml
+++ b/group_vars/prom/prometheus_snmp/quanta.yml
@ -0,0 +1,125 @@
 ---
 prometheus_snmp__modules_quanta:
  auth:
    community: "{{ vault_snmp_quanta_community }}"
  timeout: 60s
  retries: 3
  walk:
    - interfaces
    - ifXTable
    - snAgGblQueueOverflow
    - snAgGblDynMemTotal
    - snAgGblDynMemFree
    - snAgGblCpuUtil1SecAvg
    - snAgGblCpuUtil5SecAvg
    - snAgGblCpuUtil1MinAvg
    - sysUpTime
    - snAgentCpuUtilPercent
    - snAgent
    - snChasFan
    - snChasPwr
    - snAgentTemp
    - snAgentCpu
    - snSwInfo
    - snSwIfInfoTable
    - dot3StatsTable
    - dot3HCStatsTable
    - dot3Errors
    - dot3Tests
    - dot3CollTable
    - lldpLocChassisId
    - lldpRemTable
    - lldpLocPortTable
    - dot1dBasePort
  lookups:
    - source_indexes:
        - ifIndex
      lookup: ifAlias
    - source_indexes:
        - ifIndex
      lookup: ifDescr
    - source_indexes:
        - ifIndex
      lookup: ifName
    - source_indexes:
        - snChasFanIndex
      lookup: snChasFanDescription
    - source_indexes:
        - snAgentTempSlotNum
        - snAgentTempSensorId
      lookup: snAgentTempSensorDescr
    - source_indexes:
        - snSwIfInfoPortNum
      lookup: snSwIfName
    - source_indexes:
        - snSwIfInfoPortNum
      lookup: snSwIfDescr
    - source_indexes:
        - dot3StatsIndex
      lookup: ifAlias
    - source_indexes:
        - dot3StatsIndex
      lookup: ifDescr
    - source_indexes:
        - dot3StatsIndex
      lookup: ifName
    - source_indexes:
        - lldpRemTimeMark
        - lldpRemLocalPortNum
        - lldpRemIndex
      lookup: lldpRemChassisId
    #- source_indexes:
    #    - lldpLocPortNum
    #  lookup: lldpLocPortIdSubtype
  overrides:
    ifIndex:
      ignore: true
    ifAlias:
      ignore: true
    ifDescr:
      ignore: true
    ifName:
      ignore: true
    ifOperStatus:
      type: EnumAsStateSet
    ifAdminStatus:
      type: EnumAsStateSet
    snChasFanIndex:
      ignore: true
    snChasFanDescription:
      ignore: true
    snChasPwrSupplyIndex:
      ignore: true
    snAgentTempSensorDescr:
      ignore: true
    snChasFanOperStatus:
      type: EnumAsStateSet
    snChasPwrSupplyOperStatus:
      type: EnumAsStateSet
    snSwIfName:
      ignore: true
    snSwIfDescr:
      ignore: true
    snSwIfVlanId:
      ignore: true
    snSwIfInfoPortNum:
      ignore: true
    snSwIfInfoMonitorMode:
      type: EnumAsStateSet
    snSwIfInfoMirrorPorts:
      ignore: true
    snSwIfInfoMediaType:
      type: EnumAsInfo
    ifType:
      type: EnumAsInfo
    dot3StatsIndex:
      ignore: true
    dot3StatsEtherChipSet:
      ignore: true
    dot3StatsDuplexStatus:
      type: EnumAsStateSet
    lldpLocPortIdSubtype:
      type: EnumAsInfo
    lldpRemPortIdSubtype:
      type: EnumAsInfo
 ...
--- a/group_vars/pve/pve_auth.yml
+++ b/group_vars/pve/pve_auth.yml
@ -0,0 +1,31 @@
 ---
 pve_auth__groups:
  admin:
    - Administrator
 pve_auth__pam_users:
  root:
    enabled: false
 pve_auth__users:
  elkmaennchen:
    password: "{{ vault_pve_passwords.elkmaennchen }}"
    groups:
      - admin
  jeltz:
    password: "{{ vault_pve_passwords.jeltz }}"
    groups:
      - admin
  korenstin:
    password: "{{ vault_pve_passwords.korenstin }}"
    groups:
      - admin
  otthorn:
    password: "{{ vault_pve_passwords.otthorn }}"
    groups:
      - admin
  v-lafeychine:
    password: "{{ vault_pve_passwords['v-lafeychine'] }}"
    groups:
      - admin
 ...
--- a/group_vars/radius/freeradius.yml
+++ b/group_vars/radius/freeradius.yml
@ -0,0 +1,17 @@
 ---
 radiusd__guest_vlan: 1000
 radiusd__clients:
  localhost:
    addr: 127.0.0.1
    secret: abcdef
    type: aurore
  wifi-ap-v4:
    addr: 10.102.0.0/16
    secret: abcdef
    type: aurore
  wifi-ap-v6:
    addr: 2a09:6840:102::/56
    secret: abcdef
    type: aurore
 ...
--- a/group_vars/reverseproxy.yml
+++ b/group_vars/reverseproxy.yml
@ -1,3 +1,4 @@
 ---
 loc_nginx:
  servers: []
--- a/group_vars/router/prometheus.yml
+++ b/group_vars/router/prometheus.yml
@ -0,0 +1,3 @@
 ---
 prometheus_keepalived__dest: /var/run/prometheus-node-exporter/keepalived.prom
 ... 
--- a/group_vars/switch.yml
+++ b/group_vars/switch.yml
@ -0,0 +1,12 @@
 ---
 glob_switch:
  loop_protect:
    port_disable_timer_in_seconds: 30
    transmit_interval_in_seconds: 3
  sntp:
    operation_mode: SNTP_UNICAST_MODE
    poll_interval: 720
    servers:
      - ip: 10.206.1.5
        priority: 1
 ...
--- a/group_vars/vpn/bird.yml
+++ b/group_vars/vpn/bird.yml
@ -0,0 +1,60 @@
 ---
 bird__tables:
  - wg
 bird__kernel:
  kernel:
    learn: true
    import: accept
    export: accept
  vrf:
    learn: true
    import:
      sources:
        - "{{ iproute2__custom_protos.wireguard }}"
    export: accept
    table: wg
    kernel: "{{ iproute2__custom_tables.wireguard }}"
 bird__ospf:
  limits:
    import: 4000
    export: 4000
  table: wg
  import: accept
  export:
    sources:
      - "{{ iproute2__custom_protos.wireguard }}"
  areas:
    1:
      broadcast:
        - vpn0
 bird__bgp:
  infra1:
    local:
      address: "{{ bird__bgp_addr.vpn }}"
      as: "{{ bird__as.aurore }}"
    neighbor:
      address:
        - 2a09:6840:213::1:1
        - 10.213.1.1
      as: "{{ bird__as.aurore }}"
    table: wg
    import: accept
    export: reject
    next_hop_self: true
  infra2:
    local:
      address: "{{ bird__bgp_addr.vpn }}"
      as: "{{ bird__as.aurore }}"
    neighbor:
      address:
        - 2a09:6840:213::1:2
        - 10.213.1.2
      as: "{{ bird__as.aurore }}"
    table: wg
    import: accept
    export: reject
    next_hop_self: true
 ...
--- a/group_vars/vpn/ifupdown2.yml
+++ b/group_vars/vpn/ifupdown2.yml
@ -0,0 +1,16 @@
 ---
 ifupdown2__vrf:
  wg-vrf:
    table: "{{ iproute2__custom_tables.wireguard }}"
 ifupdown2__wireguard:
  wg0:
    private_key: "{{ vault_wireguard_wg0_private }}"
    listen_port: 5121
    vrf: wg-vrf
    table: "{{ iproute2__custom_tables.wireguard }}"
    peer_allowed_addresses:
      - 2a09:6840:212::1:1/128
      - 10.212.1.1/32
    peer_public_key: 0kP/XjaGOpu4p9KHTAoAhkLwXzC8wJUdPIdhdpgeKhY=
 ...
--- a/group_vars/vpn/iproute2.yml
+++ b/group_vars/vpn/iproute2.yml
@ -0,0 +1,7 @@
 ---
 iproute2__custom_tables:
  wireguard: 2000
 iproute2__custom_protos:
  wireguard: 200
 ...
--- a/host_vars/bdd-ovh.adm.auro.re.yml
+++ b/host_vars/bdd-ovh.adm.auro.re.yml
@ -1,70 +0,0 @@
 ---
 postgresql:
  version: 13
 postgresql_hosts:
  - database: etherpad
    user: etherpad
    net: 10.128.0.150/32
    method: md5
  - database: codimd
    user: codimd
    net: 10.128.0.150/32
    method: md5
  - database: synapse
    user: synapse
    net: 10.128.0.56/32
    method: md5
  - database: kanboard
    user: kanboard
    net: 10.128.0.150/32
    method: md5
  - database: grafana
    user: grafana
    net: 10.128.0.150/32
    method: md5
  - database: cas
    user: cas
    net: 10.128.0.150/32
    method: md5
 postgresql_databases:
  - synapse
  - codimd
  - etherpad
  - kanboard
  - grafana
  - cas
 postgresql_users:
  - name: synapse
    database: synapse
    password: "{{ postgresql_synapse_passwd }}"
    privs:
      - ALL
  - name: codimd
    database: codimd
    password: "{{ postgresql_codimd_passwd }}"
    privs:
      - ALL
  - name: etherpad
    database: etherpad
    password: "{{ postgresql_etherpad_passwd }}"
    privs:
      - ALL
  - name: kanboard
    database: kanboard
    password: "{{ postgresql_kanboard_passwd }}"
    privs:
      - ALL
  - name: grafana
    database: grafana
    password: "{{ postgresql_grafana_passwd }}"
    privs:
      - ALL
  - name: cas
    database: cas
    password: "{{ postgresql_cas_passwd }}"
    privs:
      - ALL
 ...
--- a/host_vars/bdd.adm.auro.re.yml
+++ b/host_vars/bdd.adm.auro.re.yml
@ -1,50 +0,0 @@
 ---
 postgresql:
  version: 13
 postgresql_hosts:
  - database: nextcloud
    user: nextcloud
    net: 10.128.0.58/32
    method: md5
  - database: gitea
    user: gitea
    net: 10.128.0.60/32
    method: md5
  - database: wikijs
    user: wikijs
    net: 10.128.0.66/32
    method: md5
  - database: drone
    user: drone
    net: 10.128.0.64/32
    method: md5
 postgresql_databases:
  - nextcloud
  - gitea
  - wikijs
  - drone
 postgresql_users:
  - name: nextcloud
    database: nextcloud
    password: "{{ postgresql_nextcloud_passwd }}"
    privs:
      - ALL
  - name: gitea
    database: gitea
    password: "{{ postgresql_gitea_passwd }}"
    privs:
      - ALL
  - name: wikijs
    database: wikijs
    password: "{{ postgresql_wikijs_passwd }}"
    privs:
      - ALL
  - name: drone
    database: drone
    password: "{{ postgresql_drone_passwd }}"
    privs:
      - ALL
 ...
--- a/host_vars/collabora.ext.infra.auro.re.yml
+++ b/host_vars/collabora.ext.infra.auro.re.yml
@ -0,0 +1,22 @@
 ---
 systemd_link__links:
  pub0: ae:ae:ae:2C:60:35
 ifupdown2__interfaces:
  pub0:
    addresses:
      - 2a09:6840:128::220/64
      - 10.128.0.220/16
    gateways: "{{ ifupdown2__gateways.adm }}"
 collabora__server_name: office.auro.re
 collabora__post_allow_addrs:
  - 2a09:6840:215::1:1
  - 45.66.111.206
 collabora__wopi_groups:
  - host: https://cloud.auro.re:443
    aliases:
      - https://nextcloud.auro.re:443
 ...
--- a/host_vars/dhcp-1.isp.infra.auro.re.yml
+++ b/host_vars/dhcp-1.isp.infra.auro.re.yml
@ -0,0 +1,47 @@
 ---
 systemd_link__links:
  isp0: 02:00:00:c6:3f:6f
  trunk0: 02:00:00:b1:8d:d6
 ifupdown2__interfaces:
  isp0:
    addresses:
      - 2a09:6840:210::1:1/64
      - 10.210.1.1/16
    gateways: "{{ ifupdown2__gateways.isp }}"
  trunk0:
    ipv6_addrgen: false
  clients0:
    bridge_vlan_aware: true
    bridge_ports:
      - trunk0
    bridge_vids:
      - 1000-1004
    bridge_disable_pvid: true
    ipv6_addrgen: false
  client0:
    addresses:
      - 100.64.0.2/27
    vlan_id: 1000
    vlan_raw_device: clients0
  client1:
    addresses:
      - 100.64.0.34/27
    vlan_id: 1001
    vlan_raw_device: clients0
  client2:
    addresses:
      - 100.64.0.66/27
    vlan_id: 1002
    vlan_raw_device: clients0
  client3:
    addresses:
      - 100.64.0.98/27
    vlan_id: 1003
    vlan_raw_device: clients0
  client4:
    addresses:
      - 100.64.0.130/27
    vlan_id: 1004
    vlan_raw_device: clients0
 ...
--- a/host_vars/dhcp-2.isp.infra.auro.re.yml
+++ b/host_vars/dhcp-2.isp.infra.auro.re.yml
@ -0,0 +1,47 @@
 ---
 systemd_link__links:
  isp0: 04:00:00:8c:d1:36
  trunk0: 04:00:00:33:2c:3c
 ifupdown2__interfaces:
  isp0:
    addresses:
      - 2a09:6840:210::1:2/64
      - 10.210.1.2/16
    gateways: "{{ ifupdown2__gateways.isp }}"
  trunk0:
    ipv6_addrgen: false
  clients0:
    bridge_vlan_aware: true
    bridge_ports:
      - trunk0
    bridge_vids:
      - 1000-1004
    bridge_disable_pvid: true
    ipv6_addrgen: false
  client0:
    addresses:
      - 100.64.0.3/27
    vlan_id: 1000
    vlan_raw_device: clients0
  client1:
    addresses:
      - 100.64.0.35/27
    vlan_id: 1001
    vlan_raw_device: clients0
  client2:
    addresses:
      - 100.64.0.67/27
    vlan_id: 1002
    vlan_raw_device: clients0
  client3:
    addresses:
      - 100.64.0.99/27
    vlan_id: 1003
    vlan_raw_device: clients0
  client4:
    addresses:
      - 100.64.0.131/27
    vlan_id: 1004
    vlan_raw_device: clients0
 ...
--- a/host_vars/dns-1.int.infra.auro.re.yml
+++ b/host_vars/dns-1.int.infra.auro.re.yml
@ -0,0 +1,11 @@
 ---
 systemd_link__links:
  int0: 02:00:00:9f:d9:f9
 ifupdown2__interfaces:
  int0:
    addresses:
      - 2a09:6840:206::1:1/64
      - 10.206.1.1/16
    gateways: "{{ ifupdown2__gateways.int }}"
 ...
--- a/host_vars/dns-2.int.infra.auro.re.yml
+++ b/host_vars/dns-2.int.infra.auro.re.yml
@ -0,0 +1,11 @@
 ---
 systemd_link__links:
  int0: 04:00:00:3c:c0:5a
 ifupdown2__interfaces:
  int0:
    addresses:
      - 2a09:6840:206::1:2/64
      - 10.206.1.2/16
    gateways: "{{ ifupdown2__gateways.int }}"
 ...
--- a/host_vars/edge-1.back.infra.auro.re.yml
+++ b/host_vars/edge-1.back.infra.auro.re.yml
@ -0,0 +1,39 @@
 ---
 systemd_link__links:
  adm0: 02:00:00:9E:3E:21
  crans0: 02:00:00:A2:7C:68
  zayo0: 02:00:00:35:89:82
  rezel0: 02:00:00:8F:4A:AD
  back0: 02:00:00:1C:3A:2E
  viarezo0: 02:00:00:ED:70:64
  router0: 02:00:00:5A:17:7C
  oti0: 02:00:00:05:0E:A6
 ifupdown2__interfaces:
  adm0:
    addresses:
      - 2a09:6840:128::10:2/64
      - 10.128.10.2/16
  crans0:
    ipv6_addrgen: false
  zayo0:
    ipv6_addrgen: false
  rezel0:
    addresses:
      - 2a09:6842:19:9116::1/64
      - 45.66.111.1/29
  back0:
    addresses:
      - 2a09:6840:203::1:1/64
      - 10.203.1.1/16
  viarezo0:
    addresses:
      - 2a0c:b641:2ff::6/125
      - 192.159.121.133/29
  router0:
    addresses:
      - 2a09:6840:129::10:2/56
      - 10.129.10.2/16
  oti0:
    ipv6_addrgen: false
 ...
--- a/host_vars/edge-2.back.infra.auro.re.yml
+++ b/host_vars/edge-2.back.infra.auro.re.yml
@ -0,0 +1,39 @@
 ---
 systemd_link__links:
  adm0: 04:00:00:F5:69:B9
  crans0: 04:00:00:CF:E1:D0
  zayo0: 04:00:00:67:7B:12
  rezel0: 04:00:00:C6:05:B7
  back0: 04:00:00:DE:22:E6
  viarezo0: 04:00:00:45:FA:E6
  router0: 04:00:00:AD:D7:71
  oti0: 02:00:00:05:0E:A6
 ifupdown2__interfaces:
  adm0:
    addresses:
      - 2a09:6840:128::10:102/64
      - 10.128.10.102/16
  crans0:
    ipv6_addrgen: false
  zayo0:
    ipv6_addrgen: false
  rezel0:
    addresses:
      - 2a09:6842:19:9116::3/64
      - 45.66.111.3/29
  back0:
    addresses:
      - 2a09:6840:203::1:2/64
      - 10.203.1.2/16
  viarezo0:
    addresses:
      - 2a0c:b641:2ff::7/125
      - 192.159.121.134/29
  router0:
    addresses:
      - 2a09:6840:129::10:102/56
      - 10.129.10.102/16
  oti0:
    ipv6_addrgen: false
 ...
--- a/host_vars/infra-1.back.infra.auro.re.yml
+++ b/host_vars/infra-1.back.infra.auro.re.yml
@ -0,0 +1,63 @@
 ---
 systemd_link__links:
  ups0: 02:00:00:fe:6f:0e
  back0: 02:00:00:f8:93:22
  monit0: 02:00:00:da:97:7f
  wifi0: 02:00:00:8c:c5:bf
  int0: 02:00:00:75:40:3e
  sw0: 02:00:00:ca:e8:d1
  bmc0: 02:00:00:47:d1:b9
  pve0: 02:00:00:b3:35:e7
  isp0: 02:00:00:6b:53:14
  ext0: 02:00:00:32:86:60
  vpn0: 02:00:00:52:5f:85
  th30: 02:00:00:23:a7:d3
  pub0: 02:00:00:7d:34:06
 ifupdown2__interfaces:
  back0:
    addresses:
      - 2a09:6840:203::1:3/64
      - 10.203.1.3/16
      - 45.66.111.210/32 # secondary
  ups0:
    ipv6_addrgen: false
  monit0:
    ipv6_addrgen: false
  wifi0:
    ipv6_addrgen: false
  int0:
    ipv6_addrgen: false
  sw0:
    ipv6_addrgen: false
  bmc0:
    ipv6_addrgen: false
  pve0:
    ipv6_addrgen: false
  isp0:
    ipv6_addrgen: false
  ext0:
    ipv6_addrgen: false
  pub0:
    ipv6_addrgen: false
  vpn0:
    addresses:
      - 2a09:6840:213::1:1/64
      - 10.213.1.1/16
  th30:
    ipv6_addrgen: false
 bird__router_id: 10.203.1.3
 bird__bgp_addr:
  back:
    - 2a09:6840:203::1:3
    - 10.203.1.3
  vpn:
    - 2a09:6840:213::1:1
    - 10.213.1.1
 bird__pref_src_addr:
  - 2a09:6840:203::1:3
  - 45.66.111.210
 ...
--- a/host_vars/infra-2.back.infra.auro.re.yml
+++ b/host_vars/infra-2.back.infra.auro.re.yml
@ -0,0 +1,63 @@
 ---
 systemd_link__links:
  ups0: 04:00:00:6d:97:83
  back0: 04:00:00:46:ba:f9
  monit0: 04:00:00:72:0b:2d
  wifi0: 04:00:00:ee:42:0f
  int0: 04:00:00:21:fd:d0
  sw0: 04:00:00:2e:5b:16
  bmc0: 04:00:00:bb:5a:a6
  pve0: 04:00:00:0b:2b:82
  isp0: 04:00:00:f4:4c:5d
  ext0: 04:00:00:1d:0e:83
  vpn0: 04:00:00:02:ba:dd
  th30: 04:00:00:9e:8d:4f
  pub0: 04:00:00:f8:3b:9b
 ifupdown2__interfaces:
  back0:
    addresses:
      - 2a09:6840:203::1:4/64
      - 10.203.1.4/16
      - 45.66.111.211/32 # secondary
  ups0:
    ipv6_addrgen: false
  monit0:
    ipv6_addrgen: false
  wifi0:
    ipv6_addrgen: false
  int0:
    ipv6_addrgen: false
  sw0:
    ipv6_addrgen: false
  bmc0:
    ipv6_addrgen: false
  pve0:
    ipv6_addrgen: false
  isp0:
    ipv6_addrgen: false
  ext0:
    ipv6_addrgen: false
  vpn0:
    addresses:
      - 2a09:6840:213::1:2/64
      - 10.213.1.2/16
  th30:
    ipv6_addrgen: false
  pub0:
    ipv6_addrgen: false
 bird__router_id: 10.203.1.4
 bird__bgp_addr:
  back:
    - 2a09:6840:203::1:4
    - 10.203.1.4
  vpn:
    - 2a09:6840:213:1:2
    - 10.213.1.2
 bird__pref_src_addr:
  - 2a09:6840:203::1:4
  - 45.66.111.211
 ...
--- a/host_vars/isp-1.back.infra.auro.re.yml
+++ b/host_vars/isp-1.back.infra.auro.re.yml
@ -0,0 +1,59 @@
 ---
 systemd_link__links:
  adm0: 02:00:00:D8:37:45
  back0: 02:00:00:BF:10:4C
  trunk0: 02:00:00:E9:BA:15
 ifupdown2__interfaces:
  adm0:
    addresses:
      - 2a09:6840:128::10:5/64
      - 10.128.10.5/16
    gateways: "{{ ifupdown2__gateways.adm }}"
  back0:
    addresses:
      - 2a09:6840:203::1:5/64
      - 45.66.111.211/32
      - 10.203.1.5/16
  trunk0:
    ipv6_addrgen: false
  clients0:
    bridge_vlan_aware: true
    bridge_ports:
      - trunk0
    bridge_vids:
      - 1000-1004
    bridge_disable_pvid: true
    ipv6_addrgen: false
  client0:
    vlan_id: 1000
    vlan_raw_device: clients0
    ipv6_addrgen: false
  client1:
    vlan_id: 1001
    vlan_raw_device: clients0
    ipv6_addrgen: false
  client2:
    vlan_id: 1002
    vlan_raw_device: clients0
    ipv6_addrgen: false
  client3:
    vlan_id: 1003
    vlan_raw_device: clients0
    ipv6_addrgen: false
  client4:
    vlan_id: 1004
    vlan_raw_device: clients0
    ipv6_addrgen: false
 bird__router_id: 10.203.1.5
 bird__bgp_addr:
  back:
    - 2a09:6840:203::1:5
    - 10.203.1.5
 bird__pref_src_addr:
  - 2a09:6840:203::1:5
  - 45.66.111.211
 ...
--- a/host_vars/isp-2.back.infra.auro.re.yml
+++ b/host_vars/isp-2.back.infra.auro.re.yml
@ -0,0 +1,47 @@
 ---
 systemd_link__links:
  adm0: 04:00:00:85:C3:5D
  back0: 04:00:00:FE:2D:67
  trunk0: 04:00:00:D8:F5:4D
 ifupdown2__interfaces:
  adm0:
    addresses:
      - 2a09:6840:128::10:105/64
      - 10.128.10.105/16
    gateways: "{{ ifupdown2__gateways.adm }}"
  back0:
    addresses:
      - 2a09:6840:203::1:6/64
      - 10.203.1.6/16
  trunk0:
    ipv6_addrgen: false
  clients0:
    bridge_vlan_aware: true
    bridge_ports:
      - trunk0
    bridge_vids:
      - 1000-1004
    bridge_disable_pvid: true
    ipv6_addrgen: false
  client0:
    vlan_id: 1000
    vlan_raw_device: clients0
    ipv6_addrgen: false
  client1:
    vlan_id: 1001
    vlan_raw_device: clients0
    ipv6_addrgen: false
  client2:
    vlan_id: 1002
    vlan_raw_device: clients0
    ipv6_addrgen: false
  client3:
    vlan_id: 1003
    vlan_raw_device: clients0
    ipv6_addrgen: false
  client4:
    vlan_id: 1004
    vlan_raw_device: clients0
    ipv6_addrgen: false
 ...
--- a/host_vars/ldap-1.int.infra.auro.re.yml
+++ b/host_vars/ldap-1.int.infra.auro.re.yml
@ -0,0 +1,16 @@
 ---
 systemd_link__links:
  adm0: 02:00:00:38:c2:52
  int0: 02:00:00:fe:a8:54
 ifupdown2__interfaces:
  adm0:
    addresses:
      - 2a09:6840:128::10:8/64
      - 10.128.10.8/16
  int0:
    addresses:
      - 2a09:6840:206::1:3/64
      - 10.206.1.7/16
    gateways: "{{ ifupdown2__gateways.int }}"
 ...
--- a/host_vars/ldap-2.int.infra.auro.re.yml
+++ b/host_vars/ldap-2.int.infra.auro.re.yml
@ -0,0 +1,16 @@
 ---
 systemd_link__links:
  adm0: 04:00:00:f7:1c:47
  int0: 04:00:00:e4:83:d2
 ifupdown2__interfaces:
  adm0:
    addresses:
      - 2a09:6840:128::10:108/64
      - 10.128.10.108/16
  int0:
    addresses:
      - 2a09:6840:206::1:4/64
      - 10.206.1.8/16
    gateways: "{{ ifupdown2__gateways.int }}"
 ...
--- a/host_vars/log.adm.auro.re.yml
+++ b/host_vars/log.adm.auro.re.yml
@ -10,5 +10,7 @@ rsyslog_inputs:
    port: 20514
  - proto: udp
    port: 514
  - proto: tcp
    port: 6514
 rsyslog_outputs: []
 ...
--- a/host_vars/mx.test.infra.auro.re.yml
+++ b/host_vars/mx.test.infra.auro.re.yml
@ -0,0 +1,38 @@
 ---
 dovecot__auth_default_realm: test.auro.re
 dovecot__auth_users:
  jeltz@test.auro.re: "{plain}password"
  lafeych@test.auro.re: "{plain}password"
  toto@test.auro.re: "{plain}password"
  root@test.auro.re: "{plain}L9yXSrCbbafMlMls5q7WWMKC612XNbXL"
 dovecot__lmtp_postmaster_address: postmaster@test.auro.re
 ifupdown2__interfaces:
  ext0:
    addresses:
      - 2a09:6840:211::1:5/64
      - 10.211.1.5/16
      - 45.66.111.208/30
    gateways: "{{ ifupdown2__gateways.ext }}"
 postfix__hostname: mx.test.auro.re
 postfix__sasl_local_domain: test.auro.re
 postfix__virtual_aliases:
  postmaster@test.auro.re: root@test.auro.re
  dmarc@test.auro.re: root@test.auro.re
 postfix__virtual_mailbox_domains:
 - infra.test.auro.re
 - test.auro.re
 postfix__virtual_mailboxes:
  jeltz@test.auro.re: jeltz@test.auro.re
  root@test.auro.re: root@test.auro.re
  toto@test.auro.re: toto@test.auro.re
  vincent.lafeychine@test.auro.re: lafeych@test.auro.re
 systemd_link__links:
  ext0: ae:ae:ae:1d:c8:b2
 ...
--- a/host_vars/ns-1.pub.infra.auro.re.yml
+++ b/host_vars/ns-1.pub.infra.auro.re.yml
@ -0,0 +1,11 @@
 ---
 systemd_link__links:
  pub0: 02:00:00:ad:62:64
 ifupdown2__interfaces:
  pub0:
    addresses:
      - 2a09:6840:215::1:2/64
      - 45.66.111.205/27
    gateways: "{{ ifupdown2__gateways.pub }}"
 ...
--- a/host_vars/ns-2.pub.infra.auro.re.yml
+++ b/host_vars/ns-2.pub.infra.auro.re.yml
@ -0,0 +1,11 @@
 ---
 systemd_link__links:
  pub0: 04:00:00:1b:0a:3a
 ifupdown2__interfaces:
  pub0:
    addresses:
      - 2a09:6840:215::1:3/64
      - 45.66.111.207/27
    gateways: "{{ ifupdown2__gateways.pub }}"
 ...
--- a/host_vars/ns-3.ovh.infra.auro.re.yml
+++ b/host_vars/ns-3.ovh.infra.auro.re.yml
@ -0,0 +1,29 @@
 ---
 systemd_link__links:
  adm0: 96:77:96:91:e3:6c
  ovh0: 02:00:00:97:78:6d
 ifupdown2__interfaces:
  adm0:
    addresses:
      - 2a09:6840:128::109/64
      - 10.128.0.109/16
  ovh0:
    addresses:
      - 92.222.211.194/24
    gateways: "{{ ifupdown2__gateways.ovh }}"
 # TODO: remove as soon as the VPN works
 knotd__remotes:
  xfr-master:
    address: 2a09:6840:128::110
    key: xfr
 knotd__acl:
  notify-master:
    address:
      - 2a09:6840:128::110
      - 10.128.0.110
    key: xfr
    action: notify
 ...
--- a/host_vars/ns-master.int.infra.auro.re/knotd.yml
+++ b/host_vars/ns-master.int.infra.auro.re/knotd.yml
@ -0,0 +1,617 @@
 ---
 knotd__listen:
  - address: 0.0.0.0
  - address: "::"
 knotd__keys:
  xfr:
    algorithm: hmac-sha512
    secret: "{{ vault_knotd_xfr_key }}"
  ksk-infra:
    algorithm: hmac-sha512
    secret: "{{ vault_knotd_ksk_infra_key }}"
  update-acme-challenge:
    algorithm: hmac-sha512
    secret: "{{ vault_certbot_dns_secret }}"
 knotd__remotes:
  xfr-ns-1:
    address: 2a09:6840:215::1:2
    key: xfr
  xfr-ns-2:
    address: 2a09:6840:215::1:3
    key: xfr
  xfr-ns-3:
    address: 10.128.0.109
    key: xfr
  ksk-infra:
    address: ::1
    key: ksk-infra
 knotd__policies:
  public:
    algorithm: ECDSAP256SHA256
    reproducible_signing: true
    # Je n'ai pas trouvé de façon de pousser les records automatiquement
    # sur .re, donc pour éviter d'oublier de le faire manuellement, la
    # KSK n'expire pas
    ksk_lifetime: 0
    zsk_lifetime: 30d
    nsec3: true
  infra:
    algorithm: ECDSAP256SHA256
    ksk_lifetime: 365d
    zsk_lifetime: 30d
    nsec3: on
    ds-push: ksk-infra
    cds-cdnskey-publish: rollover
    ksk-submission: infra
  ripe:
    algorithm: ECDSAP256SHA256
    ksk_lifetime: 365d
    zsk_lifetime: 30d
    nsec3: on
    ds-push: ksk-ripe
    cds-cdnskey-publish: rollover
    ksk-submission: ripe
 knotd__acl:
  xfr:
    addresses:
      - 2a09:6840:128::109
      - 10.128.0.109
      - 2a09:6840:215::1:2
      - 45.66.111.205
      - 2a09:6840:215::1:3
      - 45.66.111.207
    action: transfer
    key: xfr
  ksk-infra:
    addresses:
      - 127.0.0.1
      - ::1
    key: ksk-infra
    action: update
    update_types:
      - DS
    update_owner: name
    update_owner_match: equal
    update_owner_name:
      - infra
  update-acme-challenge:
    addresses:
      - 10.128.0.0/16
      - 2a09:6840:128::/48
    key: update-acme-challenge
    action: update
    update_types:
      - TXT
    update_owner: name
    update_owner_match: equal
    update_owner_name:
      - _acme-challenge.auro.re.
 knotd__queryacl:
  local:
    addresses:
      - 10.0.0.0/8
 knotd__soa_rname: root@auro.re.
 knotd__hosts:
  auro.re:
    proxy-ovh:
      - 92.222.211.195
    horus:
      - 92.23.218.136
    ns-1:
      - 45.66.111.205
      - 2a09:6840:215::1:2
    ns-2:
      - 92.222.211.194
    serge:
      - 92.222.211.196
    lama:
      - 185.230.78.220
      - 2a0c:700:12:0:67:e5ff:fee9:108
    vpn-ovh:
      - 92.222.211.197
    passerelle:
      - 45.66.111.254
      - 2a09:6840:111::254
    proxy:
      - 45.66.111.61
      - 2a09:6840:111::61
    camelot:
      - 45.66.111.59
      - 2a09:6840:111::59
    mail:
      - 45.66.111.62
      - 2a09:6840:111::62
    galene:
      - 45.66.111.65
      - 2a09:6840:111::65
    aclyas:
      - 45.66.111.231
      - 2a09:6840:111::231
    jitsi:
      - 45.66.111.55
      - 2a09:6840:111::55
    jitsi-ng:
      - 45.66.111.216
      - 2a09:6840:215::1:216
    portail-fleming:
      - 10.13.0.247
      - 2a09:6840:13::247
    portail-pacaterie:
      - 10.23.0.247
      - 2a09:6840:23::247
    portail-rives:
      - 10.33.0.247
      - 2a09:6840:33::247
    portail-edc:
      - 10.43.0.247
      - 2a09:6840:43::247
    portail-gs:
      - 10.53.0.247
      - 2a09:6840:53::247
  adh.auro.re:
    paon:
      - 45.66.110.10
      - 2a09:6840:110:0:231:92ff:fe1b:ae22
    lyshyga0:
      - 45.66.110.113
      - 2a09:6840:110:0:6af7:28ff:fe91:e8d9
    pz28910:
      - 45.66.110.114
    vinsing0:
      - 45.66.110.123
      - 2a09:6840:110:0:1e1b:dff:fe90:7d81
    osc-routeur:
      - 45.66.110.125
      - 2a09:6840:110:0:ba27:ebff:fe2d:c1a1
    odroid:
      - 45.66.110.154
      - 2a09:6840:110:0:21e:6ff:fe49:e00
    amau0:
      - 45.66.110.164
      - 2a09:6840:110:0:3e7c:3fff:fec3:27d1
    regulus:
      - 45.66.110.180
      - 2a09:6840:110:0:2ef0:5dff:fe2a:1530
    toaster:
      - 45.66.110.188
      - 2a09:6840:110:0:5246:5dff:fe9a:f70
    rpijutax:
      - 45.66.110.190
      - 2a09:6840:110:0:ba27:ebff:fe76:a9bc
    polaris:
      - 45.66.110.245
      - 2a09:6840:110:0:dea6:32ff:feb4:d033
    lafeychine:
      - 92.91.154.45
  infra.auro.re:
    services-1.ceph:
      - 2a09:6840:214::1:1
      - 10.214.1.1
    services-2.ceph:
      - 2a09:6840:214::1:2
      - 10.214.1.2
    services-3.ceph:
      - 2a09:6840:209::1:3
      - 10.214.1.3
    services-1.pve:
      - 2a09:6840:209::2:1
      - 10.209.2.1
    services-2.pve:
      - 2a09:6840:209::2:2
      - 10.209.2.2
    network-1.pve:
      - 2a09:6840:209::1:1
      - 10.209.1.1
    network-2.pve:
      - 2a09:6840:209::1:2
      - 10.209.1.2
    services-3.pve:
      - 2a09:6840:209::2:3
      - 10.209.2.3
    caradoc.bmc:
      - 2a09:6840:208::1:1
      - 10.208.1.1
    services-1.bmc:
      - 2a09:6840:208::1:2
      - 10.208.1.2
    services-2.bmc:
      - 2a09:6840:208::1:3
      - 10.208.1.3
    services-3.bmc:
      - 2a09:6840:208::1:4
      - 10.208.1.4
    perceval.bmc:
      - 2a09:6840:208::1:5
      - 10.208.1.5
    chapalux.bmc:
      - 2a09:6840:208::1:6
      - 10.208.1.6
    loki.bmc:
      - 2a09:6840:208::1:7
      - 10.208.1.7
    network-1.bmc:
      - 2a09:6840:208::1:8
      - 10.208.1.8
    network-2.bmc:
      - 2a09:6840:208::1:9
      - 10.208.1.9
    escalope.bmc:
      - 2a09:6840:208::1:10
      - 10.208.1.10
    edge-1.back:
      - 2a09:6840:203::1:1
      - 10.203.1.1
    edge-2.back:
      - 2a09:6840:203::1:2
      - 10.203.1.2
    isp-1.back:
      - 2a09:6840:203::1:5
      - 10.203.1.5
    isp-2.back:
      - 2a09:6840:203::1:6
      - 10.203.1.6
    infra-1.back:
      - 2a09:6840:203::1:3
      - 10.203.1.3
    infra-2.back:
      - 2a09:6840:203::1:4
      - 10.203.1.4
    ns-master.int:
      - 2a09:6840:128:0::110
      - 10.128.0.110
    log-1.int:
      - 2a09:6840:206::1:9
      - 10.206.1.9
    log-2.int:
      - 2a09:6840:206::1:10
      - 10.206.1.10
    dns-1.int:
      - 2a09:6840:206::1:1
      - 10.206.1.1
    dns-2.int:
      - 2a09:6840:206::1:2
      - 10.206.1.2
    nis2.int:
      - 2a09:6840:206::2:1
      - 10.206.2.1
    ldap-1.int:
      - 10.128.10.8
      - 2a09:6840:128::10:8
    ldap-2.int:
      - 10.128.10.108
      - 2a09:6840:128::10:108
    ntp-1.int:
      - 2a09:6840:206::1:5
      - 10.206.1.5
    ntp-2.int:
      - 2a09:6840:206::1:6
      - 10.206.1.6
    wg-1.vpn:
      - 2a09:6840:213::1:3
      - 10.213.1.3
    wg-2.vpn:
      - 2a09:6840:213::1:4
      - 10.213.1.4
    dhcp-1.isp:
      - 2a09:6840:210::1:1
      - 10.210.1.1
    dhcp-2.isp:
      - 2a09:6840:210::1:2
      - 10.210.1.2
    radius-1.isp:
      - 2a09:6840:210::1:3
      - 10.210.1.3
    radius-2.isp:
      - 2a09:6840:210::1:4
      - 10.210.1.4
    prometheus-1.monit:
      - 2a09:6840:204::1:1
      - 10.204.1.1
    prometheus-2.monit:
      - 2a09:6840:204::1:2
      - 10.204.1.2
    ff-1.core.sw:
      - 10.207.1.1
    ff-2.core.sw:
      - 10.207.1.2
    fl-1.core.sw:
      - 10.207.1.3
    fl-2.core.sw:
      - 10.207.1.4
    fd-1.core.sw:
      - 10.207.1.5
    ff-3.core.sw:
      - 10.207.1.6
    gk-1.core.sw:
      - 10.207.2.1
    eb-1.core.sw:
      - 10.207.3.1
    r3-1.core.sw:
      - 10.207.4.1
    eb-1.ups:
      - 2a09:6840:201::3:1
      - 10.201.3.1
    ec-1.ups:
      - 2a09:6840:201::3:2
      - 10.201.3.2
    mx.test:
      - 2a09:6840:211::1:5
      - 10.211.1.5
    collabora.ext:
      - 2a09:6840:211::1:1
      - 10.211.1.1
    grafana.ext:
      - 2a09:6840:211::1:7
      - 10.211.1.7
    proxy.pub:
      - 2a09:6840:215::1:1
      - 45.66.111.206
    ns-1.pub:
      - 2a09:6840:215::1:2
      - 45.66.111.205
    ns-2.pub:
      - 2a09:6840:215::1:3
      - 45.66.111.207
    ns-3.ovh:
      - 92.222.211.194
    tor.pub:
      - 45.66.111.215
      - 2a09:6840:215::1:215
    jitsi.pub:
      - 45.66.111.216
      - 2a09:6840:215::1:216
 knotd__zones:
  auro.re:
    dnssec_policy: public
    notify:
      - xfr-ns-1
      - xfr-ns-2
      - xfr-ns-3
    acl:
      - update-acme-challenge
      - ksk-infra
      - xfr
    soa:
      mname: ns-master.int.infra
    ns:
      - target:
          - ns-1.pub.infra
          - ns-2.pub.infra
      - name: infra
        target:
          - ns-1.pub.infra
          - ns-2.pub.infra
      - name: test
        target:
          - ns-1.pub.infra
          - ns-2.pub.infra
      - name: adm
        target:
          - serge
          - lama
      - name: ups
        target:
          - serge
          - lama
      - name: switch
        target:
          - serge
          - lama
      - name: borne
        target:
          - serge
          - lama
    mx:
      - exchange: mail
        preference: 5
      - exchange: proxy-ovh
        preference: 10
    txt:
      - data: v=spf1 mx -all
    a:
      - address: 92.222.211.195
    cname:
      - name:
          - gisti
          - gistiti
        target: jitsi
      - name:
          - element
          - riot
          - auth
          - rss
          - codimd
          - hedgedoc
          - grist
          - kanboard
          - www
          - pad
          - privatebin
          - zero
          - paste
        target: proxy-ovh
      - name:
          - grafana
          - grafana-ng
          - nextcloud
          - cloud
          - office
        target: proxy.pub.infra
      - name:
          - netbox
          - wiki
          - matrix
          - drone
          - gitea
          - re2o
          - vote
        target: proxy
      - name: intranet
        target: re2o
      - name:
          - smtp
          - imap
        target: mail
      - name:
          - prometheus-paul.adh
          - pma-paul.adh
          - nextcloud-paul.adh
          - grafana-paul.adh
          - jellyfin.adh
          - monitoring.adh
          - beta-mpp.adh
          - pz28.adh
        target: lucepaul.myvnc.com.
      - name:
          - services-1.pve
        target: services-1.pve.infra
      - name:
          - services-2.pve
        target: services-2.pve.infra
      - name:
          - services-3.pve
        target: services-3.pve.infra
    hosts: "{{ knotd__hosts['auro.re']
               | combine(knotd__hosts['adh.auro.re']
                         | add_origin_keys('adh.auro.re.')) }}"
  test.auro.re:
    dnssec_policy: public
    notify:
      - xfr-ns-1
      - xfr-ns-2
      - xfr-ns-3
    acl:
      - xfr
    soa:
      mname: ns-master.int.infra.auro.re.
    txt:
      - data: v=spf1 mx -all
      - name: _dmarc
        data: v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@test.auro.re;ruf=mailto:postmaster@test.auro.re
    ns:
      - target:
          - ns-1.pub.infra.auro.re.
          - ns-2.pub.infra.auro.re.
    mx:
      - exchange: mx
        preference: 5
    cname:
      - name:
          - www1
          - www2
          - www3
        target: proxy.pub.infra.auro.re.
    hosts:
      mx:
        - 2a09:6840:211::1:5
        - 45.66.111.205
  infra.auro.re:
    dnssec_policy: infra
    notify:
      - xfr-ns-1
      - xfr-ns-2
      - xfr-ns-3
    acl:
      - xfr
    #queryacl: local
    soa:
      mname: ns-master.int
    ns:
      - target:
          - ns-1.pub.infra.auro.re.
          - ns-2.pub.infra.auro.re.
    hosts: "{{ knotd__hosts['infra.auro.re'] }}"
  108.66.45.in-addr.arpa:
    dnssec_policy: ripe
    notify:
      - xfr-ns-1
      - xfr-ns-2
      - xfr-ns-3
    acl:
      - xfr
    soa:
      mname: ns-master.int.infra.auro.re.
    ns:
      - target:
          - ns-1.pub.infra.auro.re.
          - ns-2.pub.infra.auro.re.
  109.66.45.in-addr.arpa:
    dnssec_policy: ripe
    notify:
      - xfr-ns-1
      - xfr-ns-2
      - xfr-ns-3
    acl:
      - xfr
    soa:
      mname: ns-master.int.infra.auro.re.
    ns:
      - target:
          - ns-1.pub.infra.auro.re.
          - ns-2.pub.infra.auro.re.
  110.66.45.in-addr.arpa:
    dnssec_policy: ripe
    notify:
      - xfr-ns-1
      - xfr-ns-2
      - xfr-ns-3
    acl:
      - xfr
    soa:
      mname: ns-master.int.infra.auro.re.
    ns:
      - target:
          - ns-1.pub.infra.auro.re.
          - ns-2.pub.infra.auro.re.
    reverse_hosts: "{{ knotd__hosts['adh.auro.re']
                       | ip_filter(['45.66.110.0/24'])
                       | add_origin_keys('adh.auro.re.') }}"
  111.66.45.in-addr.arpa:
    dnssec_policy: ripe
    notify:
      - xfr-ns-1
      - xfr-ns-2
      - xfr-ns-3
    acl:
      - xfr
    soa:
      mname: ns-master.int.infra.auro.re.
    ns:
      - target:
          - ns-1.pub.infra.auro.re.
          - ns-2.pub.infra.auro.re.
    reverse_hosts: "{{ knotd__hosts['auro.re']
                       | ip_filter(['45.66.111.0/24'])
                       | add_origin_keys('auro.re.') }}"
  0.4.8.6.9.0.a.2.ip6.arpa:
    dnssec_policy: ripe
    notify:
      - xfr-ns-1
      - xfr-ns-2
      - xfr-ns-3
    acl:
      - xfr
    soa:
      mname: ns-master.int.infra.auro.re.
    ns:
      - target:
          - ns-1.pub.infra.auro.re.
          - ns-2.pub.infra.auro.re.
    reverse_hosts: "{{ knotd__hosts['auro.re']
                       | ip_filter(['2a09:6840::/32'])
                       | add_origin_keys('auro.re.')
                       | combine(knotd__hosts['adh.auro.re']
                                 | ip_filter(['2a09:6840::/32'])
                                 | add_origin_keys('adh.auro.re.')) }}"
 ...
--- a/host_vars/ns-master.int.infra.auro.re/main.yml
+++ b/host_vars/ns-master.int.infra.auro.re/main.yml
@ -0,0 +1,16 @@
 ---
 systemd_link__links:
  int0: 02:00:00:e3:36:c8
  adm0: 42:17:a7:d1:bd:6a
 ifupdown2__interfaces:
  adm0:
    addresses:
      - 2a09:6840:128::110/64
      - 10.128.0.110/16
  int0:
    addresses:
      - 2a09:6840:206::1:7/64
      - 10.206.1.7/16
    gateways: "{{ ifupdown2__gateways.int }}"
 ...
--- a/host_vars/ntp-1.int.infra.auro.re.yml
+++ b/host_vars/ntp-1.int.infra.auro.re.yml
@ -0,0 +1,11 @@
 ---
 systemd_link__links:
  int0: 02:00:00:74:71:83
 ifupdown2__interfaces:
  int0:
    addresses:
      - 2a09:6840:206::1:5/64
      - 10.206.1.5/16
    gateways: "{{ ifupdown2__gateways.int }}"
 ...
--- a/host_vars/ntp-2.int.infra.auro.re.yml
+++ b/host_vars/ntp-2.int.infra.auro.re.yml
@ -0,0 +1,11 @@
 ---
 systemd_link__links:
  int0: 04:00:00:31:be:50
 ifupdown2__interfaces:
  int0:
    addresses:
      - 2a09:6840:206::1:6/64
      - 10.206.1.6/16
    gateways: "{{ ifupdown2__gateways.int }}"
 ...
--- a/host_vars/prometheus-1.monit.infra.auro.re.yml
+++ b/host_vars/prometheus-1.monit.infra.auro.re.yml
@ -0,0 +1,11 @@
 ---
 systemd_link__links:
  monit0: 02:00:00:a8:6b:51
 ifupdown2__interfaces:
  monit0:
    addresses:
      - 2a09:6840:204::1:1/64
      - 10.204.1.1/16
    gateways: "{{ ifupdown2__gateways.monit }}"
 ...
--- a/host_vars/prometheus-2.monit.infra.auro.re.yml
+++ b/host_vars/prometheus-2.monit.infra.auro.re.yml
@ -0,0 +1,11 @@
 ---
 systemd_link__links:
  monit0: 04:00:00:a6:93:5a
 ifupdown2__interfaces:
  monit0:
    addresses:
      - 2a09:6840:204::1:2/64
      - 10.204.1.2/16
    gateways: "{{ ifupdown2__gateways.monit }}"
 ...
--- a/host_vars/proxy-ovh.adm.auro.re.yml
+++ b/host_vars/proxy-ovh.adm.auro.re.yml
@ -13,6 +13,8 @@ loc_reverseproxy:
      to: auro.re
    - from: 92.222.211.195
      to: auro.re
    - from: codimd.auro.re
      to: hedgedoc.auro.re
  reverseproxy_sites:
    - from: phabricator.auro.re
@ -27,6 +29,9 @@ loc_reverseproxy:
    - from: passbolt.auro.re
      to: 10.128.0.53
    - from: auth.auro.re
      to: 10.128.0.150:8089
    - from: riot.auro.re
      to: "10.128.0.150:8080"
    - from: element.auro.re
@ -34,8 +39,6 @@ loc_reverseproxy:
    - from: chat.auro.re
      to: "10.128.0.150:8080"
    - from: codimd.auro.re
      to: "10.128.0.150:8081"
    - from: hedgedoc.auro.re
      to: "10.128.0.150:8081"
@ -56,6 +59,8 @@ loc_reverseproxy:
    - from: cas.auro.re
      to: "10.128.0.150:8085"
    - from: rss.auro.re
      to: 10.128.0.150:8090
    - from: status.auro.re
      to: "10.128.0.150:8086"
    - from: "kanboard.auro.re"
--- a/host_vars/proxy.adm.auro.re.yml
+++ b/host_vars/proxy.adm.auro.re.yml
@ -41,9 +41,6 @@ loc_reverseproxy:
    - from: intranet.auro.re
      to: 10.128.0.20
    - from: bbb.auro.re
      to: 10.128.0.54
    - from: nextcloud.auro.re
      to: "10.128.0.58:8080"
@ -64,3 +61,15 @@ loc_reverseproxy:
    - from: wikijs.auro.re
      to: "10.128.0.66:3000"
    - from: wiki.auro.re
      to: "10.128.0.66:3000"
    - from: netbox.auro.re
      to: 10.128.0.97
    - from: grafana.auro.re
      to: "10.128.0.98:3000"
    - from: office.auro.re
      to: "10.128.0.220"
--- a/host_vars/proxy.pub.infra.auro.re.yml
+++ b/host_vars/proxy.pub.infra.auro.re.yml
@ -0,0 +1,103 @@
 ---
 systemd_link__links:
  pub0: ae:ae:ae:3a:71:0b
 ifupdown2__interfaces:
  pub0:
    addresses:
      - 2a09:6840:215::1:1/64
      - 45.66.111.206/27
    gateways: "{{ ifupdown2__gateways.pub }}"
 caddy__matrix_headers:
  access-control-allow-headers: "Origin, X-Requested-With, Content-Type, Accept, Authorization"
  access-control-allow-methods: "GET, POST, PUT, DELETE, OPTIONS"
  access-control-allow-origin: "*"
 caddy__routes_https:
  www1.test.auro.re:
    - root: /var/www/auro.re
    - path: /.well-known/matrix/server
      headers: "{{ caddy__matrix_headers }}"
      body: '{"m.server": "matrix.auro.re:8448"}'
      status: 200
    - path: /.well-known/matrix/client
      headers: "{{ caddy__matrix_headers }}"
      body: '{"m.homeserver": {"base_url": "https://matrix.auro.re"}}'
      status: 200
  www2.test.auro.re:
    headers:
      location: "https://auro.re{http.request.uri}"
    status: 301
  www3.test.auro.re:
    reverse:
      - "[2a09:6840:128::198]:3000"
      - 10.128.0.198:3000
  grafana.auro.re:
    reverse:
      - "[2a09:6840:128::98]:3000"
      - 10.128.0.98:3000
  grafana-ng.auro.re:
    reverse:
      - "[2a09:6840:211::1:7]:80"
      - 10.211.1.7:80
  office.auro.re:
    reverse:
      - "[2a09:6840:211::1:1]:9980"
      - 10.211.1.1:9980
  nextcloud.auro.re:
    headers:
      location: "https://cloud.auro.re{http.request.uri}"
    status: 301
  cloud.auro.re:
    - path: /.well-known/carddav
      headers:
        location: /remote.php/dav/
      status: 301
    - path: /.well-known/caldav
      headers:
        location: /remote.php/dav/
      status: 301
    - path: /.well-known/webfinger
      headers:
        location: /index.php/.well-known/webfinger
      status: 301
    - path: /.well-known/nodeinfo
      headers:
        location: /index.php/.well-known/nodeinfo
      status: 301
    - path: /remote/*
      rewrite: /remote.php
    - path: /ocm-provider/*
      rewrite: /index.php
    - path: "*.mjs"
      headers:
        content-type: text/javascript
    - reverse:
        - "[2a09:6840:128::58]:8080"
        - 10.128.0.58:8080
      headers:
        x-robots-tag: noindex, nofollow
        referrer-policy: no-referrer
        x-content-type-options: nosniff
        x-frame-options: SAMEORIGIN
        x-permitted-cross-domain-policies: none
        x-xss-protection: "1; mode=block"
 caddy__contact_email: tech.aurore@lists.crans.org
 caddy__errors:
  - root: "{{ caddy__error_dir }}"
  - rewrite: /error.html
  - file_server: true
    templates: true
 caddy__servers:
  https:
    listen: ":443"
    routes: "{{ caddy__routes_https }}"
    errors: "{{ caddy__errors }}"
  http:
    listen: ":80"
 ...
--- a/host_vars/radius-1.isp.infra.auro.re.yml
+++ b/host_vars/radius-1.isp.infra.auro.re.yml
@ -0,0 +1,11 @@
 ---
 systemd_link__links:
  isp0: 02:00:00:6a:3e:f4
 ifupdown2__interfaces:
  isp0:
    addresses:
      - 2a09:6840:210::1:3/64
      - 10.210.1.3/16
    gateways: "{{ ifupdown2__gateways.isp }}"
 ...
--- a/host_vars/radius-2.isp.infra.auro.re.yml
+++ b/host_vars/radius-2.isp.infra.auro.re.yml
@ -0,0 +1,11 @@
 ---
 systemd_link__links:
  isp0: 04:00:00:29:6d:c9
 ifupdown2__interfaces:
  isp0:
    addresses:
      - 2a09:6840:210::1:4/64
      - 10.210.1.4/16
    gateways: "{{ ifupdown2__gateways.isp }}"
 ...
--- a/host_vars/re2o-bdd.adm.auro.re.yml
+++ b/host_vars/re2o-bdd.adm.auro.re.yml
@ -1 +0,0 @@
 postgresql_databases: true
--- a/host_vars/sw-ec-1.yml
+++ b/host_vars/sw-ec-1.yml
@ -0,0 +1,93 @@
 ---
 switch_vars:
  name: sw-ec-1
  location: "Local_de_Brassage_EdC"
  host: 10.130.4.11
  port: 80
  username: "{{ vault_switch.username }}"
  password: "{{ vault_switch.password }}"
  delete_vlans: []
  vlans:
    - id: 40
      name: "Filaire_EDC"
      tagged: "{{ '9-10,12,14,16,18,20,22-25' | range2list }}"
    - id: 41
      name: "Wifi_EDC"
      tagged: "{{ '5-10,12,14,16,18,20,22-25' | range2list }}"
    - id: 42
      name: "Banni_EDC"
      tagged: "{{ '5-10,12,14,16,18,20,22-25' | range2list }}"
    - id: 43
      name: "Accueil_EDC"
      tagged: "{{ '5-10,12,14,16,18,20,22-25' | range2list }}"
    - id: 110
      name: "Adherents_IP_Publiques"
      tagged: "{{ '9-10,12,14,16,18,20,22-25' | range2list }}"
    - id: 111
      name: "Serveurs_IP_Publiques"
      tagged: "{{ '25' | range2list }}"
    - id: 131
      name: "Onduleurs"
      tagged: [25]
    - id: 144
      name: "Bornes_Wifi_EDC"
      tagged: [25]
      untagged: "{{ '5-8,12,14,16,18,20,22-24' | range2list }}"
  ports:
    - id: 1
      name: "Room_Ouest_363"
    - id: 2
      name: "Room_Ouest_364"
    - id: 3
      name: "Room_Principale_Foyer_1"
    - id: 4
      name: "Room_Principale_Foyer_2"
    - id: 5
      name: "Borne_Principale_0_1"
    - id: 6
      name: "Borne_Principale_1_1"
    - id: 7
      name: "Borne_Principale_1_2"
    - id: 8
      name: "Borne_Principale_1_3"
    - id: 9
      name: "Room_Ouest_352"
    - id: 10
      name: "Borne_Adh_Ouest_252"
    - id: 11
      name: "Room_Ouest_273"
    - id: 12
      name: "Borne_Adh_Est_231"
    - id: 13
      name: "Room_Ouest_261"
    - id: 14
      name: "Borne_Adh_Ouest_272"
    - id: 15
      name: "Room_Ouest_262"
    - id: 16
      name: "Room_Est_225"
    - id: 17
      name: "Room_Ouest_263"
    - id: 18
      name: "Room_Ouest_76"
    - id: 19
      name: "Room_Ouest_264"
    - id: 20
      name: "Borne_Adh_Ouest_58"
    - id: 21
      name: "Room_Ouest_265"
    - id: 22
      name: "Not_used"
    - id: 23
      name: "Room_Ouest_158"
    - id: 24
      name: "Borne_Adh_Ouest_267"
    # id: 25
    # name: "Uplink_sw-ec-core"
    - id: 26
      name: "Not_used"
    - id: 27
      name: "Not_used"
    - id: 28
      name: "Not_used"
 ...
--- a/host_vars/sw-ec-2.yml
+++ b/host_vars/sw-ec-2.yml
@ -0,0 +1,228 @@
 ---
 switch_vars:
  name: sw-ec-2
  location: Local de Brassage EdC
  host: 10.130.4.12
  port: 80
  username: "{{ vault_switch.username }}"
  password: "{{ vault_switch.password }}"
  delete_vlans: []
  vlans:
    - id: 40
      name: "Filaire_edc"
      tagged: [49]
    - id: 41
      name: "Wifi_edc"
      tagged: [49]
    - id: 42
      name: "Banni_edc"
      tagged: [49]
    - id: 43
      name: "Accueil_edc"
      tagged: [49]
    - id: 110
      name: "Adherents_ip_publiques"
      tagged: [49]
    - id: 111
      name: "Serveurs_ip_publiques"
      tagged: [49]
    - id: 131
      name: "Onduleurs"
      tagged: [49]
    - id: 144
      name: "Bornes_wifi_edc"
      tagged: [49]
  ports:
    - id: 1
      name: "Room_edc_Aile_Principale_115"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 2
      name: "Room_edc_Aile_Principale_103"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 3
      name: "Room_edc_Aile_Principale_114"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 4
      name: "Room_edc_Aile_Principale_102"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 5
      name: "Room_edc_Aile_Principale_113"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 6
      name: "Room_edc_Aile_Principale_101"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 7
      name: "Room_edc_Aile_Principale_112"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 8
      name: "Room_edc_Aile_Principale_100"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 9
      name: "Room_edc_Aile_Principale_111"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 10
      name: "Room_edc_Aile_Principale_215"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 11
      name: "Room_edc_Aile_Principale_110"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 12
      name: "Room_edc_Aile_Principale_214"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 13
      name: "Room_edc_Aile_Principale_207"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 14
      name: "Room_edc_Aile_Est_24"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 15
      name: "Room_edc_Aile_Principale_206"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 16
      name: "Room_edc_Aile_Est_25"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 17
      name: "Room_edc_Aile_Principale_205"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 18
      name: "Room_edc_Aile_Est_26"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 19
      name: "Room_edc_Aile_Principale_204"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 20
      name: "Room_edc_Aile_Est_27"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 21
      name: "Room_edc_Aile_Principale_203"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 22
      name: "Room_edc_Aile_Est_28"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 23
      name: "Room_edc_Aile_Principale_202"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 24
      name: "Room_edc_Aile_Est_29"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 25
      name: "Room_edc_Aile_Principale_201"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 26
      name: "Room_edc_Aile_Est_30"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 27
      name: "Room_edc_Aile_Principale_200"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 28
      name: "Room_edc_Aile_Est_31"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 29
      name: "Room_edc_Aile_Est_20"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 30
      name: "Room_edc_Aile_Est_32"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 31
      name: "Room_edc_Aile_Est_21"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 32
      name: "Room_edc_Aile_Est_33"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 33
      name: "Room_edc_Aile_Est_22"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 34
      name: "Room_edc_Aile_Est_34"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 35
      name: "Room_edc_Aile_Est_23"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 36
      name: "Room_edc_Aile_Est_120"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 37
      name: "Room_edc_Aile_Principale_109"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 38
      name: "Room_edc_Aile_Principale_213"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 39
      name: "Room_edc_Aile_Principale_108"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 40
      name: "Room_edc_Aile_Principale_212"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 41
      name: "Room_edc_Aile_Principale_107"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 42
      name: "Room_edc_Aile_Principale_211"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 43
      name: "Room_edc_Aile_Principale_106"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 44
      name: "Room_edc_Aile_Principale_210"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 45
      name: "Room_edc_Aile_Principale_105"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 46
      name: "Room_edc_Aile_Principale_209"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 47
      name: "Room_edc_Aile_Principale_104"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 48
      name: "Room_edc_Aile_Principale_208"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
 ...
--- a/host_vars/sw-ec-3.yml
+++ b/host_vars/sw-ec-3.yml
@ -0,0 +1,220 @@
 ---
 switch_vars:
  name: sw-ec-3
  location: Local de Brassage EdC
  host: 10.130.4.13
  port: 80
  username: "{{ vault_switch.username }}"
  password: "{{ vault_switch.password }}"
  delete_vlans: []
  vlans:
    - id: 40
      name: "Filaire_edc"
      tagged: [49]
    - id: 41
      name: "Wifi_edc"
      tagged: [49]
    - id: 42
      name: "Banni_edc"
      tagged: [49]
    - id: 43
      name: "Accueil_edc"
      tagged: [49]
    - id: 110
      name: "Adherents_ip_publiques"
      tagged: [49]
    - id: 111
      name: "Serveurs_ip_publiques"
      tagged: [49]
    - id: 131
      name: "Onduleurs"
      tagged: [49]
    - id: 144
      name: "Bornes_wifi_edc"
      tagged: [49]
  ports:
    - id: 1
      name: "Room_edc_Aile_Est_121"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 2
      name: "Room_edc_Aile_Est_133"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 3
      name: "Room_edc_Aile_Est_122"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 4
      name: "Room_edc_Aile_Est_134"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 5
      name: "Room_edc_Aile_Est_123"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 6
      name: "Room_edc_Aile_Est_135"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 7
      name: "Room_edc_Aile_Est_124"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 8
      name: "Room_edc_Aile_Est_136"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 9
      name: "Room_edc_Aile_Est_125"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 10
      name: "Room_edc_Aile_Est_137"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 11
      name: "Room_edc_Aile_Est_126"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 12
      name: "Room_edc_Aile_Est_138"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 14
      name: "Room_edc_Aile_Est_237"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 15
      name: "Room_edc_Aile_Est_226"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 16
      name: "Room_edc_Aile_Est_238"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 17
      name: "Room_edc_Aile_Est_227"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 18
      name: "Room_edc_Aile_Est_239"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 19
      name: "Room_edc_Aile_Est_228"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 20
      name: "Room_edc_Aile_Est_333"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 21
      name: "Room_edc_Aile_Est_229"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 22
      name: "Room_edc_Aile_Est_332"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 24
      name: "Room_edc_Aile_Est_331"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 25
      name: "Room_edc_Aile_Est_231"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 26
      name: "Room_edc_Aile_Est_330"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 27
      name: "Room_edc_Aile_Est_232"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 28
      name: "Room_edc_Aile_Est_329"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 29
      name: "Room_edc_Aile_Est_233"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 30
      name: "Room_edc_Aile_Est_328"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 31
      name: "Room_edc_Aile_Est_234"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 32
      name: "Room_edc_Aile_Est_327"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 33
      name: "Room_edc_Aile_Est_235"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 34
      name: "Room_edc_Aile_Est_326"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 35
      name: "Room_edc_Aile_Est_236"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 36
      name: "Room_edc_Aile_Est_325"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 37
      name: "Room_edc_Aile_Est_127"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 38
      name: "Room_edc_Aile_Est_139"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 39
      name: "Room_edc_Aile_Est_128"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 40
      name: "Room_edc_Aile_Est_220"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 41
      name: "Room_edc_Aile_Est_129"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 42
      name: "Room_edc_Aile_Est_221"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 43
      name: "Room_edc_Aile_Est_130"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 44
      name: "Room_edc_Aile_Est_222"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 45
      name: "Room_edc_Aile_Est_131"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 46
      name: "Room_edc_Aile_Est_223"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 47
      name: "Room_edc_Aile_Est_132"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
    - id: 48
      name: "Room_edc_Aile_Est_224"
      lldp: "LPAS_TX_AND_RX"
      loop_protect: true
 ...
--- a/Show more
+++ b/Show more