switchs: Add EDC access point

dns: log-{1,2} & pve
grafana-ng: configuration firewall, dns, caddy
2025-10-09 21:01:43 +02:00 · 2025-10-09 19:14:53 +02:00 · 2025-10-07 08:47:55 +02:00 · 2025-10-05 16:13:05 +02:00 · 2025-10-02 23:30:29 +02:00 · 2025-09-30 23:00:48 +02:00
430 changed files with 97995 additions and 4595 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -3,9 +3,7 @@ skip_list:
  - load-failure
  - document-start
  - meta-no-info
-
-warn_list:
-  - experimental  # all rules tagged as experimental
+  - ignore-errors

 exclude_paths:
  - group_vars/all/vault.yml
--- a/.drone.yml
+++ b/.drone.yml
@ -5,8 +5,7 @@ name: check

 steps:
  - name: ansible and yaml linting
-    pull: never
-    image: aurore-ansible-lint-image
+    image: quay.io/ansible/toolset:3.5.0
    commands:
      - ansible-lint
 ...
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,4 @@
 *.retry
 tmp
 ldap-password.txt
+__pycache__/
--- a/README.md
+++ b/README.md
@ -1,9 +1,8 @@
-[![Linter Status](https://drone.auro.re/api/badges/Aurore/ansible/status.svg)](https://drone.auro.re/Aurore/ansible)
-
 # Recettes Ansible d'Aurore

-Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore.
-Pour les utiliser, vérifiez que vous avez au moins Ansible 2.7.
+Dépendances requises :
+
+* Ansible 2.9 ou plus récent.

 ## Ansible 101

@ -14,8 +13,9 @@ Il contient la définition de chaque machine et le regroupement.

 Quand on regroupe avec un `:children` en réalité on groupe des groupes.

-Chaque machine est annoncée avec son hostname. Il faut pouvoir SSH sur cette machine
-avec ce hostname, car c'est ce qu'Ansible fera.
+Chaque machine est annoncée avec son hostname. Il faut pouvoir SSH sur cette
+machine avec ce hostname, car c'est ce qu'Ansible fera (sauf pour les switchs,
+voir plus bas).

 **Playbook** : c'est une politique de déploiement.
 Il contient les associations des rôles avec les machines.
@ -36,31 +36,42 @@ déployer un serveur prometheus, déployer une node prometheus…
 **Tâche** : un rôle est composé de tâches. Une tâche effectue une et une seule
 action. Elle est associée à un module Ansible.

-*Exemples de tâche* : installer un paquet avec le module `apt`, ajouter une ligne dans
-un fichier avec le module `lineinfile`, copier une template avec le module `template`…
+*Exemples de tâche* : installer un paquet avec le module `apt`, ajouter une
+ligne dans un fichier avec le module `lineinfile`, copier une template avec le
+module `template`…

-Une tâche peut avoir des paramètres supplémentaires pour la réessayer quand elle plante,
-récupérer son résultat dans une varible, mettre une boucle dessus, mettre des conditions…
+Une tâche peut avoir des paramètres supplémentaires pour la réessayer quand
+elle plante, récupérer son résultat dans une variable, mettre une boucle
+dessus, mettre des conditions…

-N'oubliez pas d'aller lire l'excellent documentation de RedHat sur tous les modules
+N'oubliez pas d'aller lire l'excellente documentation de RedHat sur tous les modules
 d'Ansible !

 ### Gestion des groupes de machines

 Pour la liste complète, je vous invite à lire le fichier `hosts`.

-  * pour tester les versions de Debian,
+Exemple :

-    ```YAML
-    ansible_lsb.codename == 'stretch'
-    ```
+```yaml
+[fleming_vm]
+dhcp-fleming.adm.auro.re
+dns-fleming.adm.auro.re
+prometheus-fleming.adm.auro.re
+routeur-fleming.adm.auro.re

-  * pour tester si c'est un CPU Intel x86_64,
+[fleming_pve]
+pve1.adm.auro.re

-    ```YAML
-    ansible_processor[0].find('Intel') != -1
-    and ansible_architecture == 'x86_64'
-    ```
+[fleming:children]
+fleming_pve
+fleming_vm
+```
+
+> NB :
+>
+> L'exemple a été adapté de la configuration d'Aurore pour des raisons
+> pédagogiques.

 Pour les fonctions (`proxy-server`, `dhcp-dynamique`…) il a été choisi
 de ne pas faire de groupe particulier mais plutôt de sélectionner/enlever
@ -73,27 +84,46 @@ qui peuvent ensuite être utilisés dans des variables.
 Pour lister tous les faits qu'Ansible collecte nativement d'un serveur
 on peut exécuter le module `setup` manuellement.

-```
+```bash
 ansible proxy.adm.auro.re -m setup --ask-vault-pass
 ```

+Il est notamment possible de :
+
+* tester les versions de Debian,
+
+  ```YAML
+  ansible_lsb.codename == 'stretch'
+  ```
+
+* tester si c'est un CPU Intel x86_64,
+
+  ```YAML
+  ansible_processor[0].find('Intel') != -1
+  and ansible_architecture == 'x86_64'
+  ```
+
 ## Exécution d'Ansible

 ### Configurer la connexion au vlan adm

 Envoyer son agent SSH peut être dangereux
-([source](https://heipei.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)).
+([source](https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)).

 On va utiliser plutôt `ProxyJump`.
 Dans la configuration SSH :

-```
-# Use a proxy jump server to log on all Aurore inventory
-Host 10.128.0.* *.adm.auro.re
+```text
+Host *.adm.auro.re *.pve.auro.re
+    # Accept new host keys
+    StrictHostKeyChecking accept-new
+
+    # Use passerelle to connect to administration VLANs
    ProxyJump passerelle.auro.re
 ```

-Il faut sa clé SSH configurée sur le serveur que l'on déploit.
+Il faut sa clé SSH configurée sur le serveur que l'on déploie.
+
 ```bash
 ssh-copy-id proxy.adm.auro.re
 ```
@ -103,6 +133,7 @@ ssh-copy-id proxy.adm.auro.re
 Il faut `python3-netaddr` sur sa machine.

 Pour tester le playbook `base.yml` :
+
 ```bash
 ansible-playbook --ask-vault-pass base.yml --check
 ```
@ -112,7 +143,7 @@ Vous pouvez ensuite enlever `--check` si vous voulez appliquer les changements !
 Si vous avez des soucis de fingerprint ECDSA, vous pouvez ignorer une
 première fois (dangereux !) : `ANSIBLE_HOST_KEY_CHECKING=0 ansible-playbook...`.

-### Ajouter tous les empruntes de serveur
+### Ajouter toutes les empreintes de serveur

 ```bash
 #!/bin/bash
@ -121,6 +152,10 @@ for ip in `cat hosts|grep .adm.auro.re`; do
 done
 ```

+> Remarque :
+>
+> L'utilisation d'un certificat permet d'éviter d'avoir à ajouter sa clé ssh
+> sur les serveurs.

 ### Passage à Ansible 2.10 (release: 30 juillet)

@ -132,11 +167,141 @@ ansible-galaxy collection install community.general
 ansible-galaxy collection install ansible.posix
 ```

-
-Si vous n'arrivez pas à entrer votre _become password_ (bug dans ansible?), un
+Si vous n'arrivez pas à entrer votre *become password* (bug dans ansible?), un
 workaround est le suivant :

 `$  export ANSIBLE_BECOME_PASS='<votre mot de passe LDAP>'`

 Notez l'espace au début pour ne pas log la commande dans votre historique
 shell.
+
+## Configuration des switchs depuis Ansible
+
+Afin d'acquérir de l'indépendance vis-à-vis de re2o, un module permettant de
+configurer les switchs depuis Ansible a été créé. Il utilise l'api rest des
+switchs afin de récupérer et appliquer la configuration voulue.
+
+### Prérequis
+
+Pour utiliser le module, il faut d'abord annoncer à Ansible qu'il ne faut pas
+effectuer de connexion ssh et de ne pas récupérer les faits. Cela se fait à
+l'aide des variables `connection: httpapi` et `gather_facts: false` à placer
+dans le playbook (pour une configuration locale) ou dans ansible.cfg (pour une
+configuration globale). Ensuite, l'infrastructure actuelle de Aurore nécessite
+l'utilisation d'un proxy. Pour cela, il suffit d'exécuter la commande :
+
+```bash
+ssh -D 3000 switchs-manager.adm.auro.re
+```
+
+et d'annoncer l'utilisation du proxy dans la configuration en exportant la
+variable d'environnement `HTTP_PROXY=socks5://localhost:3000` et en
+configurant la variable du module `use_proxy: true`.
+
+Exemple :
+
+```yaml
+environment:
+  HTTP_PROXY: "socks5://localhost:3000"
+tasks:
+  - name: vlans
+    switch_config:
+      username: ****
+      password: ****
+      port: 80
+      host: 192.168.1.42
+      use_proxy: true
+      config:
+        path: vlans/42
+        data:
+          name: VLAN42
+          vlan_id: 42
+          status: VS_PORT_BASED
+          type: VT_STATIC
+```
+
+Le module est alors utilisable, il ne reste plus qu'à le configurer.
+
+### Écrire la configuration
+
+Le module se veut assez libre. Ainsi, l'ensemble de la requête doit être écrite
+dans les `tasks`. Voici un exemple pour configurer un vlan :
+
+```yaml
+tasks:
+  - name: vlans
+    switch_config:
+      username: ****
+      password: ****
+      port: 80
+      host: 192.168.1.42
+      config:
+        path: vlans/42
+        data:
+          name: VLAN42
+          vlan_id: 42
+          status: VS_PORT_BASED
+          type: VT_STATIC
+```
+
+Le `path` correspond à l'url de l'objet que l'on souhaite éditer et `data`
+correspond aux données qui seront envoyées dans une requête `PUT` (au format
+`json`). Cependant, la configuration d'un vlan peut nécessiter de le créer.
+Pour remédier à ce problème, il est possible d'utiliser la syntaxe suivante :
+
+```yaml
+
+tasks:
+  - name: vlans
+    switch_config:
+      username: ****
+      password: ****
+      port: 80
+      host: 192.168.1.42
+      config:
+        path: vlans
+        create_method: POST
+        subpath:
+          - path: 42
+            data:
+              name: VLAN42
+              vlan_id: 42
+              status: VS_PORT_BASED
+              type: VT_STATIC
+```
+
+Le variable `create_method` correspond au type de la requête pour effectuer une
+action de création de l'objet. Il s'agit généralement de `POST`. Dans le cas
+où la variable n'est pas définit, la création sera désactivée et ainsi, si
+l'url indiquée dans les `subpath` n'existe pas, alors la configuration échouera.
+Par conséquent, si le vlan 42 a besoin d'être créé, une requête `POST` sera
+effectué sur l'url `vlans` avec les données dans `data`.
+
+Il est également possible d'éxecuter une action de suppression d'un vlan à l'aide
+de la variable `delete` :
+
+```yaml
+  tasks:
+    - name: vlans
+      switch_config:
+        username: ****
+        password: ****
+        port: 80
+        host: 192.168.1.42
+        config:
+          path: vlans/42
+          delete: true
+```
+
+Si la variable `delete` est activée, alors une requête `DELETE` sera envoyée
+sur l'url indiquée. Pour vérifier si la suppression est déjà effective avant
+l'éxecution, le module vérifiera si un `GET` sur l'url retourne une 404.
+
+> Remarque :
+>
+> Si les variables `delete` et `data` sont définies (dont `delete` à `true`),
+> alors il en résultera une action de suppression malgré tout.
+
+Puisque `subpath` est une liste, il est possible de configurer plusieurs requête
+en même temps. Cela à l'avantage d'effectuer toutes les modifications à la suite
+(sans avoir à se connecter plusieurs sur l'api).
--- a/all.yml
+++ b/all.yml
@ -0,0 +1,18 @@
+#!/usr/bin/env ansible-playbook
+---
+- import_playbook: playbooks/base.yml
+- import_playbook: playbooks/root.yml
+- import_playbook: playbooks/ssh.yml
+- import_playbook: playbooks/chronyd.yml
+- import_playbook: playbooks/kresd.yml
+- import_playbook: playbooks/knotd.yml
+- import_playbook: playbooks/resolvconf.yml
+- import_playbook: playbooks/ifupdown2.yml
+- import_playbook: playbooks/systemd_link.yml
+- import_playbook: playbooks/keepalived.yml
+- import_playbook: playbooks/ip_forward.yml
+- import_playbook: playbooks/dhcpd.yml
+- import_playbook: playbooks/bird.yml
+- import_playbook: playbooks/pve.yml
+- import_playbook: playbooks/prometheus.yml
+...
--- a/ansible.cfg
+++ b/ansible.cfg
@ -1,38 +1,22 @@
-# Ansible configuration
-
 [defaults]
+jinja2_native = true

-# Do not create .retry files
+ask_vault_pass = True
+roles_path = ./roles
 retry_files_enabled = False
-
-# Use inventory
 inventory = ./hosts
-
-# Custom header in templates
-ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S by {uid}
-
-# Do not use cows (with cowsay)
+stdout_callback = debug
+library = ./library
+filter_plugins = ./filter_plugins
+ansible_managed = Ansible managed
 nocows = 1
-
-# Do more parallelism
 forks = 15
-
-# Some SSH connection will take time
 timeout = 60
-
-[privilege_escalation]
-
-# Use sudo to get priviledge access
-become = True
-
-# Ask for password
-become_ask_pass = True
+remote_user = root

 [diff]
-
-# TO know what changed
 always = yes

-
 [ssh_connection]
 pipelining = True
+retries = 3
--- a/backups.yml
+++ b/backups.yml
@ -1,9 +0,0 @@
---
- hosts: perceval.adm.auro.re
-  roles:
-    - borgbackup_server
-
- hosts: all,!unifi,!unifi-*,!wiki.adm.auro.re
-  roles:
-    - borgbackup_client
-...
--- a/base.yml
+++ b/base.yml
@ -1,17 +0,0 @@
-#!/usr/bin/env ansible-playbook
---
-# Put a common configuration on all servers
- hosts: all,!unifi
-  roles:
-    - baseconfig
-    - basesecurity
-
-# Plug LDAP on all servers
- hosts: all,!unifi
-  roles:
-    - ldap_client
-
-# Install logrotate
- hosts: all,!unifi,!pve
-  roles:
-    - logrotate
--- a/bdd.yml
+++ b/bdd.yml
@ -1,7 +0,0 @@
-#!/usr/bin/env ansible-playbook
---
-# Install and configure bdd servers at Saclay and at OVH
- hosts: bdd,!re2o-bdd.adm.auro.re,!services-bdd-local.adm.auro.re
-  roles:
-    - postgresql_server
-...
--- a/copy-keys.sh
+++ b/copy-keys.sh
@ -1,20 +0,0 @@
-#!/bin/bash
-set -e
-
-# Grab valid unique hostnames from the Ansible inventory.
-HOSTS=$(grep -ve '^[#\[]' hosts \
-| grep -F adm.auro.re \
-| sort -u)
-
-# Ask password
-read -s -p "Hello adventurer, what is your LDAP password? " passwd
-echo
-
-for host in $HOSTS; do
-  echo "[+] Handling host $host"
-
-  # sshpass can be used for non-interactive password authentication.
-  # place your password in ldap-password.txt.
-  SSHPASS=${passwd} sshpass -v -e ssh-copy-id -i ~/.ssh/id_rsa "$host"
-done
-
--- a/deploy_postfix_non_mailhost.yml
+++ b/deploy_postfix_non_mailhost.yml
@ -1,8 +0,0 @@
---
-# Deploy a correclty configured postfix on non mailhost servers
- hosts: all,!unifi
-  vars:
-    local_network: 10.128.0.0/16
-    relay_host: proxy.adm.auro.re
-  roles:
-    - postfix_non_mailhost
--- a/docker-ansible-lint/Dockerfile
+++ b/docker-ansible-lint/Dockerfile
@ -1,7 +0,0 @@
-FROM python:3.9-alpine
-LABEL description="Aurore's docker image for ansible-lint"
-
-RUN apk add --no-cache gcc musl-dev python3-dev libffi-dev openssl-dev cargo
-RUN pip install --no-cache-dir "yamllint>=1.26.0,<2.0"
-RUN pip install --no-cache-dir "ansible-lint>=5.0.0"
-RUN pip install --no-cache-dir "ansible>=2.10,<2.11"
--- a/docker-ansible-lint/README.md
+++ b/docker-ansible-lint/README.md
@ -1,18 +0,0 @@
-# Ansible-lint image
-
-In order to build this image when a new version comes out, you need to
-1. ssh into the `drone.adm.auro.re` server
-2. git pull this repo to the lastest version
-3. optionally make the changes if it has not been done yet
-4. `sudo docker build -t aurore-ansible-lint-image docker-ansible-lint/`
-5. ???
-6. enjoy
-
-You can verify that the image was correclty built by running
-```
-# list the images present
-sudo docker image ls
-
-# run your image with an interactive shell
-sudo docker run -it --rm aurore-ansible-lint-image /bin/sh
-```
--- a/filter_plugins/enquote.py
+++ b/filter_plugins/enquote.py
@ -0,0 +1,16 @@
+class FilterModule:
+    def filters(self):
+        return {
+            "enquote": enquote,
+        }
+
+
+def enquote(string, delimiter='"', escape="\\"):
+    translation = str.maketrans(
+        {
+            delimiter: f"{escape}{delimiter}",
+            escape: f"{escape}{escape}",
+        }
+    )
+    escaped = string.translate(translation)
+    return f"{delimiter}{escaped}{delimiter}"
--- a/filter_plugins/format_rev.py
+++ b/filter_plugins/format_rev.py
@ -0,0 +1,9 @@
+class FilterModule:
+    def filters(self):
+        return {
+            "format_rev": format_rev,
+        }
+
+
+def format_rev(text, fmt, *args, **kwargs):
+    return fmt.format(text, *args, **kwargs)
--- a/filter_plugins/net_utils.py
+++ b/filter_plugins/net_utils.py
@ -0,0 +1,68 @@
+import ipaddress
+from operator import attrgetter
+
+import dns.name
+
+
+class FilterModule:
+    def filters(self):
+        return {
+            "add_origin": add_origin,
+            "add_origin_keys": add_origin_keys,
+            "ip_filter": ip_filter,
+            "remove_domain_suffix": remove_domain_suffix,
+            "ipaddr_sort": ipaddr_sort,
+        }
+
+
+def first_addr(addresses, ipv4 = True):
+    version = ipaddress.IPv4Address if ipv4 else ipaddress.IPv6Address
+    for addr in addresses:
+        parsed = ipaddress.ip_address(xx)
+        if isinstance(parsed, version):
+            return parsed
+    raise ValueError("missing address")
+
+
+def ip_filter(addresses, networks):
+    if isinstance(addresses, dict):
+        return {k: ip_filter(v, networks) for k, v in addresses.items()}
+    ip_networks = [ipaddress.ip_network(n) for n in networks]
+    ip_addresses = [ipaddress.ip_address(a) for a in addresses]
+    return [str(a) for a in ip_addresses if any(a in n for n in ip_networks)]
+
+
+def add_origin(name, origin="."):
+    return dns.name.from_text(name, dns.name.from_text(origin)).to_text()
+
+
+def add_origin_keys(dct, origin="."):
+    return {add_origin(k, origin): v for k, v in dct.items()}
+
+
+def remove_domain_suffix(name):
+    parent = dns.name.from_text(name).parent()
+    return parent.to_text()
+
+
+def ipaddr_sort(addrs, types, unknown_after=True):
+    check_types = {
+        "global": attrgetter("is_global"),
+        "link-local": attrgetter("is_link_local"),
+        "loopback": attrgetter("is_loopback"),
+        "multicast": attrgetter("is_multicast"),
+        "private": attrgetter("is_private"),
+        "reserved": attrgetter("is_reserved"),
+        "site_local": attrgetter("is_site_local"),
+        "unspecified": attrgetter("is_unspecified"),
+    }
+
+    def addr_weight(addr):
+        if isinstance(addr, str):
+            addr = ipaddress.ip_address(addr.split("/")[0])
+        for index, ty in enumerate(types):
+            if check_types[ty](ipaddress.ip_address(addr)):
+                return index
+        return len(types) if unknown_after else -1
+
+    return sorted(addrs, key=addr_weight)
--- a/filter_plugins/suffix.py
+++ b/filter_plugins/suffix.py
@ -0,0 +1,9 @@
+class FilterModule:
+    def filters(self):
+        return {
+            "suffix": suffix,
+        }
+
+
+def suffix(value, suffix):
+    return value + suffix
--- a/filter_plugins/switch_range.py
+++ b/filter_plugins/switch_range.py
@ -0,0 +1,38 @@
+#!/usr/bin/python
+class FilterModule(object):
+    def filters(self):
+        return {
+            'range2list': self.range2list,
+        }
+
+    def range2list(self, port_range):
+        """
+            Convert a range into list
+
+            Exemple:
+            ```
+            >>> FilterModule.range2list("1-10,42")
+            [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 42]
+            ````
+        """
+        port_range = port_range.replace(" ", "").split(",")
+        ports = []
+        for r in port_range:
+            if "-" in r:
+                try:
+                    a, b = r.split("-")
+                except:
+                    raise Exception("A range must contain 2 values")
+                try:
+                    a = int(a)
+                    b = int(b)
+                except:
+                    raise TypeError("A range must contain integer")
+                for n in range(a, b+1):
+                    ports.append(n)
+            else:
+                try:
+                    ports.append(int(r))
+                except:
+                    raise TypeError("Value must be integer")
+        return list(set(ports))
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1756770412,
+        "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "4524271976b625a4a605beefd893f270620fd751",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1757020766,
+        "narHash": "sha256-PLoSjHRa2bUbi1x9HoXgTx2AiuzNXs54c8omhadyvp0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe83bbdde2ccdc2cb9573aa846abe8363f79a97a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1754788789,
+        "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,27 @@
+{
+  description = "Ansible Aurore";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    flake-parts.url = "github:hercules-ci/flake-parts";
+  };
+
+  outputs =
+    inputs@{
+      self,
+      nixpkgs,
+      flake-parts,
+      ...
+    }:
+    flake-parts.lib.mkFlake { inherit inputs; } {
+      systems = [ "x86_64-linux" ];
+
+      perSystem =
+        { config, pkgs, ... }:
+        {
+          devShells = {
+            default = pkgs.callPackage ./shell.nix {};
+          };
+        };
+    };
+}
--- a/group_vars/all/bird.yml
+++ b/group_vars/all/bird.yml
@ -0,0 +1,4 @@
+---
+bird__as:
+  aurore: 43619
+...
--- a/group_vars/all/chronyd.yml
+++ b/group_vars/all/chronyd.yml
@ -0,0 +1,5 @@
+---
+chronyd__pools:
+  - ntp-1.int.infra.auro.re
+  - ntp-2.int.infra.auro.re
+...
--- a/group_vars/all/ifupdown2.yml
+++ b/group_vars/all/ifupdown2.yml
@ -0,0 +1,24 @@
+---
+ifupdown2__wireguard_proto: wireguard
+ifupdown2__gateways:
+  adm:
+    - 2a09:6840:128::254
+    - 10.128.0.254
+  int:
+    - 2a09:6840:206::1
+    - 10.206.0.1
+  ext:
+    - 2a09:6840:211::1
+    - 10.211.0.1
+  monit:
+    - 2a09:6840:204::1
+    - 10.204.0.1
+  isp:
+    - 2a09:6840:210::1
+    - 10.210.0.1
+  pub:
+    - 2a09:6840:215::1
+    - 45.66.111.204
+  ovh:
+    - 92.222.211.254
+...
--- a/group_vars/all/openssh.yml
+++ b/group_vars/all/openssh.yml
@ -0,0 +1,10 @@
+---
+openssh__users_ca_public_key:
+  "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
+  hBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXW\
+  F1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg=="
+
+openssh__authorized_principals:
+  - any
+  - "{{ inventory_hostname }}"
+...
--- a/group_vars/all/prometheus.yml
+++ b/group_vars/all/prometheus.yml
@ -0,0 +1,3 @@
+---
+prometheus_node__text_dir: /var/run/prometheus-node-exporter
+...
--- a/group_vars/all/resolvconf.yml
+++ b/group_vars/all/resolvconf.yml
@ -0,0 +1,13 @@
+---
+resolvconf__nameservers:
+  - 2a09:6840:206::1:1
+  - 2a09:6840:206::1:2
+  - 10.206.1.1
+  - 10.206.1.2
+
+resolvconf__domain: auro.re.
+
+resolvconf__search:
+  - "{{ inventory_hostname | remove_domain_suffix }}"
+  - auro.re.
+...
--- a/group_vars/all/root.yml
+++ b/group_vars/all/root.yml
@ -0,0 +1,5 @@
+---
+root__shell: /bin/bash
+
+root__password: "{{ vault_root_password }}"
+...
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -18,16 +18,6 @@ ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}"

 # Databases
 postgresql_services_url: 'bdd-ovh.adm.auro.re'
-postgresql_synapse_passwd: "{{ vault_postgresql_synapse_passwd }}"
-postgresql_codimd_passwd: "{{ vault_postgresql_codimd_passwd }}"
-postgresql_etherpad_passwd: "{{ vault_postgresql_etherpad_passwd }}"
-postgresql_kanboard_passwd: "{{ vault_postgresql_kanboard_passwd }}"
-postgresql_grafana_passwd: "{{ vault_postgresql_grafana_passwd }}"
-postgresql_cas_passwd: "{{ vault_postgresql_cas_passwd }}"
-postgresql_drone_passwd: "{{ vault_postgresql_drone_passwd }}"
-postgresql_wikijs_passwd: "{{ vault_postgresql_wikijs_passwd }}"
-postgresql_nextcloud_passwd: "{{ vault_postgresql_nextcloud_passwd }}"
-postgresql_gitea_passwd: "{{ vault_postgresql_gitea_passwd }}"

 # Scripts will tell users to go there to manage their account
 intranet_url: 'https://re2o.auro.re/'
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@ -1,218 +1,297 @@
 $ANSIBLE_VAULT;1.1;AES256
-34353636353331626234623838643238343237306237313336663433326164313030646263393165
-3964666632653139323634663061363763656533373538660a393464333663313633393866383432
-31303736366665306465333037373835383266383035626666353461623435393438303861376435
-3161393136653361610a336438393566393936633637613436366634353237313363653232333263
-38643566626564656635316564363362386236356164646238336265663839363430623739366266
-66333233666439656561626161653336633136396565336633356630303436303234613063396238
-62363437306639343236636537303363313236633765363430623865323734316531383662353763
-37636439356164303730323235346362393436656333393062333566336536316131343338663630
-31613063313034396162323034313562356662653266636638633665376531663932653461636363
-32653061386562376237653837333239326438656630646138393362383539616339393365343435
-63616462363733623930623435333435333937336538353735626161666162333337633931333338
-62316638373736326432373464326266373361613864633262656432313364343366373832643865
-64343866393966346534623238386437373632326632376166396630613630613365393932333066
-37663162656134346564353762383961386161343064373637373634353231653137383461626666
-34666365656632333764613931643266613737393032366431323764623830666131386566613535
-30346631396237336332636438653339613633636662663266663235613634346162316134336533
-61353361353437626231393137653464363934383233363830373961373033653336323666313836
-63643638353438363661653239346530366630336661343336303836383439613462333532653263
-63643437323166386230663635333130333632376661393830646365333666323239323134386636
-30656266323839633237663433376136313437366264633039376165633961656137363038616534
-32393330656464373739353833646232633634333937613932393834356535396464613633653334
-33386231313830656562366335333162386461616331333733343163313562636232646261383135
-36376131333931303566343337343539323265313931346538343539363230643030646531373134
-36636364326539356533363832333661396435363365633831346664393165626330356536343961
-64613935636333333331633931313266633732663430373166393362373431353363316630663235
-31353936343932386665366134643962313937366634396262386434396334383332343537383163
-37323235326161636339323237643366323430623136323937353665383364306436616664356662
-38616466636465313330303464343665333163626231613164663030623963626634383965613135
-31336632366231613062366430393636646535616134383232386334343137333138643866393633
-38636161623734613862313638666562393164356536613665303839633035636330353965356163
-65646530383162323630633865363334306234383466383033663762633933653162356166376138
-33343832323466333132386564336636323765383839366134636433613866623830626133303434
-64643066366638316633663338333335313466366433313134306239393233663233333730333138
-32666133633931393961323663353565653532323837316165653536396339316364623633613137
-30626636623037396438636261633939643363326136613631376139396538623932356237313637
-62656337663438623666633435373564313566636538373339663731393564653264623863353032
-33613639616135623735393364623439393432316632626239313837653464623563393663346163
-36303764343562376337366465643434646263383133336162376166383434633436633263303263
-61656536363037666230393063336263363865356465616231333966396332383434366265343434
-66363732313435656164613135333762306464373133343739636266346336346261366535316230
-36663433616332386166323965643436393433666264343062393463653339646264353264366663
-31653331613138316138383930336163616333666161386466616566323664346263396637393735
-38386462313763346164613430653133316631633261356663613738663435313963303734373364
-34353332643366353930633339373962376162383239316134346561336539643737656239336230
-33613662646466383434303638343362323933643831653932393030383762323539346332333961
-34616338386361353362366434663365663262383835383031393430633235393631666332623261
-36393231366164303165336633663565376334643864323366666434383634353031326633313266
-66346234323036396562313366346661333130363434643565333763316234353733383733623839
-37663761656131363932333330663638323733666333336636613264363164643230343964643061
-37633264313865373732653466356639653335313236646331623932303963326364343132656464
-65636665616364373538613732643938323364626166316437623166383734316662386134316233
-66313430626133303461336465333532373361616334393139663233363132393265643865656561
-63303734313934343636333135373164636536663935323030366563623635616535616230363061
-38653362343264626432373866313363373439333331333963333765356462323762333739313061
-33626365663433396562633534643630326364346135383531343063373266633635353130363166
-30363735386665346661343166373034663466636335323838666465613163353039366233386562
-39626462383635356230343031633666346561376462376634636236323164626537396337323337
-64653163623030326435623833383136386366613764623633303732613337373732386432303737
-61303530356461343339333165663161343262613434306162653563643765323837303537653963
-30383964336230326336313765333832323639626131303063363030313537346463393765303132
-33376633313135613832616239343939363562363132666433373966616166383836376636363630
-65376266323266636430383236616338373632323134626165393961383733363365383761653538
-61386365363262623665313637333761626561643530376433326531313161303733626432333866
-63663762313130336535666134343961353337653034643436363263306664666562356431313433
-63333034623762663630323031653363356666366538323064363866366662656466666361373938
-35653562383865363437346466663963326439316531396165376439383931366132386161346364
-66633334666239393336383336376130663633613161306564336131356435396639336566636131
-37653763373537353635393536363531626332313461626166373763613861346433653237306636
-39393435633163386164356131636530623732316538646133316365383561653061376431333431
-66356561333637353537316231616133646231306462626439326462393131633562393462396132
-62396337626436336230636338373439343839646266613033633930383530363932616463633538
-35646230393536396330383566346138633434333063333362313139643537346236313336376463
-31363335633333333262316239383735633139383332303235623430626539626466336365306465
-66396336323637613036616532363963363430383737343566366162663836396132353933346534
-35366565336462646364643137323864656334336635376435623561666530386334623964323136
-39653365646161366330376336353931633366653832383966656639393364386438363832333934
-34616536653064363739333363663233376631636134323162626333343035396265666662636230
-31343931323435373964383562616333333835326238623131646433366134343830616432643866
-36353363356532383963623364636363393834343132303434393331653335313938393662376534
-33376565613433373864666536313439656339306532643233336137363264303638346563643932
-35343838616538343262613066343665386433386339373362313533643639326136663430363135
-37393734306565613566663632643639343939353361656566663431386539333136393663656262
-34363537333431356363633932373736383262343336396666383237616661353763643861376537
-63306133353331653833346339663062353438356162356431333336373536623439366132343930
-31623736353532323230373264363163386339346563313236633061313239663962623136323962
-62333166636230363333633661336539373962623337666538636565643664396132613263633461
-64663430666630303562323065613838666265653438383838363561303637663931613239326639
-30663533376662333162613731636665646565336465396132663165613431343332313038613335
-62643030376564306335633138373937613934653738396361303064306263353566336232346639
-38323266373537646334633761643933653931646439353939326536383463373666646262353362
-61356230333461646435353332656564616464363539373966333535653365326330333230373539
-62613335363632393335306535643862653262363031356439386639656262353662656432656331
-34323431356337646238353135326332346431383535643735646562386161353164393961646264
-63396161316563323537396431646561633730373930306637623438323761613935396238363965
-61613339353234626565653939643139626665343439626365656165616437653234326530316464
-39303433333533643439313464623531646133316563306337386261356332393435613237653632
-63386439353136383265323965646538316334343661376532323461636666363630613836366233
-63326465633438633564396135386137383061663264373530313330666639333236343539653734
-62323637313131613839363665633163316235306536343039626166396263383332363365373936
-66356135646330373162346261326531616538303566663761626639363635633064623361663463
-34373937653165376262643064653738396365353532343864653836306231306566386665343963
-36353066346161323733346131386466653964653961343136643039653035383864653238663265
-35623565303731636164353664666636303430333933616230336330393530633032353037626339
-34326664373239663330356430346531663635646161356130623733303862613964613433393334
-33303735333934343964363230326634653465623465366465386639616361316139323536363261
-30313531363533356636303565303265363430363530356662313838646435316439363263346165
-37666463393332323066376464313339383138343235613438663464613436376237333565616563
-31363936393731623562363331666433626636396136636533353435386634336363613963636162
-33306233616636363432316236363665333162393133616130313530313764643738336666316639
-36613263303138633039376135396266613766666261373436626333373035393863376133386162
-38633333353963313433636236636339666135376530323731663761303938313764356636363963
-34393035333561626564313638656266313666643166633163636630633938346661653033643832
-36393632633765656661353236376432383034343766643336353236623437356638336264326364
-30616161633130653131373932303337616237656633346438323832623964323332613836326365
-66666666663766653865636435623562643637363134333336636231356332356439396262386338
-62643738326437343139616134386130616533653066666631633139653038646336306363373233
-30626134623732393361653637313235363463336331666231336434363432646363373534336661
-39623864643130613337336232313263323161313030353535313336393233643237343566373063
-64633935366430316566306461313261633031656562356461376632373031333462323237646263
-37343535393539393032653135653666393933326632653166666633613638333130623937383530
-35323737363662346337326134366239666137343031326663356533353033633332633931333738
-34383937316461313231313936626436633030373833306636643633343266343461363732373132
-66396233396432336336623166653361646561313432383861313061376234656636663864616132
-32336664636162346633376633353938613865323162356437373330306236383164376261613461
-37313839363331653139623264336631663534643530663434393535333865353965343161636638
-34653334373865356439333736366432323832323834633239333130386639366163643337303832
-37383637366231613930633661316466346136333666343266393137663965653331303034356661
-61643439383630353139613635636665616534396639643161653334626434616132333731323532
-39363462313039336661636332623530363832316564343135343330323362366633333632646239
-34633736383534653130343437376134616363363736613462326332643031376331636164623837
-32316331663030383762333562373937663663633931623535303139306163613962643762353633
-66643038633630633736316634316238643136363532396363323361323163363638653331616631
-30303832363163346663613433646432326566613738356133386238386266376261336532356338
-61383539336138666261636234316461646365373236383038363965626635393530346236666263
-38636164336463393565613362626334346565653464663136316564646631323835626364333536
-36633566613432346334656665636134386334663362633562623938343264396538656432366166
-65626635336139306335366265616430366337656265346235653333646362383232386434663832
-65636634646363323736323165666637373661333136636164613933396130633932373837393030
-38303466303363623038336363633037666631356262396631396464383065343730346537303534
-62383764653763313639313332386331653163313134303336396336323862323063643265383761
-35633939626636613030653564366266346338346239356163383864383762393261396561613032
-31313866356666666538613935653965373932366666303634636436633662333638396563336161
-32303934373238323838366563623035663863393835353839343230626235353830336532306532
-36303035613238656133643936353735646336396238363334326561336365666238363735633561
-62616338336664366631336364636564393539363163626465613530343939303961353364666364
-38666665326563333039386462656261666531646637306261316233336130343730663661336431
-62666138343766393262313431386136613139386265623939613830646233666134386235326564
-36353032383336353763363231313564396630363565666163316237323363633866323734326664
-30316533383363363461613564646137646337303738373833373238396661656265626139333637
-30353835363062393333646433356362613132653463656532366137356136306431633836653333
-65326266303038393233373263313933323637303539353065663233356333326235633064353536
-30626433356630316364386332393331626135656266376233363837303438636539386434613038
-31313938653662306533663635333564653232306436396331386433343561313365633664383865
-33356163343232626165353739386534346231336634656231613235383536616338383133383664
-31303734363836326662633062396130343637343731613532353533323164353934383230626436
-33356139303663326361333535306261386431343736396238616435633565613266306339363166
-61646233353636303739353336336662633662303861623864323033376133623734373436646365
-33626332366464393166613339623663346234653830386664396630376539656163633263663664
-63646539353035323263306136396537373561646264363939613737313462643063663136623136
-61643138623962383039313836633032323861313937643164343832303634643833393230656637
-35393566396562343863323235333835353135323139613166303539306266636265363931336162
-32363361356231326164376533346464613836373162323333336438333532333161633432343637
-65356364636264313036643836643863396435663837393564393833303037643331363633643065
-36396662626462303232386531653234373231306131353732656663353538356636646331646163
-32306362366264343966393237633831633263383236336133343166633639366266316235386538
-32623039366561643663653564633066306339613938386234666430666462316363373863626337
-37366232633365653462613732353064396539356432393661626462313663363634613434376462
-61316266366131343239616133613038303338323566633363666330336364393261636130313164
-32336237383536363562663537343661306434313964373034376263373262643635316664646130
-35333631626236653638633661363831323262336465323339356637356331313738666634656538
-34363438633566393866313662386365313030646230393862343735356535633366666138623863
-65306336356633326530303932373634613733643364336561653737363132343534333336376264
-34663965373532393330393763646232623533376332323239376232303935393339656230356537
-30306264636362353733656366363139613637303264323361333138666462666531323131663564
-62616362303035613733386231316431326333643739373738666135363232616564346238636462
-64623234363632613436636336323965383762626261626137386631393334666266343636323862
-34326431303365393234616263653862376466363861353835316336633336613534373235353436
-65663531303939386233353934376335643732373063666362343234353037363430356233356138
-34663530643266343535333336643938326131366239333630336163363263613561393639333631
-63333031643033623964303361383462343339353264656435626365393938613162623835646539
-62626331393339373839316166613965373862316438636561306162376535633861396531396637
-66623936323361616333326330616361323232343034343366643130623037653463333730316337
-61383965663130646334343833333737383931363339326266666437353030626262633263626135
-32626239383137303538623735343033633465653861316231636564653535646662646561333832
-30613639353563363534663764376232643630626434626466306663303331643565313239353131
-36303363306538393164663563313133636663653664616438346235646637636132373532393332
-35633533346432616532653937636565363431323161336430323566363239373035616264373636
-62306337323935336332663262396466323064633738306334386233663531313633656232373330
-38656635636264353635356165343233643061363836396266386631393433366265646662633239
-63303939363637663030663965626637336366666638386532666466613965396533373935346135
-62623837643462356334323234633263636130653762636461353037396461623961383330613731
-61626634383232313337313363363637623036653630396266623265363961303662366165373462
-66656364633735626231323335373135663462373966396136653634653865316238393263316464
-66663537383763386335383131303438353930366534616637636564313431346163353534366431
-34356262653134656633636631373963393032393061353636363333313464386463616638663939
-39306136373433346362613934626332316633353232373963633939336338656331366661666232
-37646566393062643738383832363230393337363361653566303433666561643936313037653662
-65666266353032313862666365313237323431666365613666373931383838383435663034343239
-39323139336266373463323465656237366166653230373236613335616433363465613131326234
-39393363386334303963613036333661373364633437386262363937333565316639313261643133
-62626235303163666435333030353039316432316661383933353834313733326435613366313030
-33303631323132323861613366313532333931623739623731353566373039656133653061633637
-36366365653836346662616135303536613331656364306163633731376634313739633634646132
-31396138663337656332653331616462333936313531646135663930616130623338323733663634
-62373866353663336138346335383637333738363035393366613434306536643239356436396333
-39333133366235666562383239363530343464353735666436356333313932613965613065663639
-39383962376264643337633365386164353166343165306634376634646233626466363661666465
-34306533616238616131306130323637656536663561306437346238303464616636306134366130
-30386566326465323962396130336661613433613938633565363635356166643263383364636164
-34643465353664386437316366396130383533626132363566656265353366663865616531386238
-32633831623334643166356237353164356563646132656130363634343664663765373839616430
-37346432616161636139643733346631643165313636323231643461313164646663623439663966
-33323230376337663566636233333038633465323238636533336136363037633065336538383033
-31356634363261643064326335656535356434373862663935316434613938663833626139646636
-63333936363637356234373237326430376232623561663461633138363032616138343730663939
-37353462326266636562373331326161646338623261303762316265323432313139356439306361
-32336132376439616662386132363566363438313739313830393336393439343839
+35353866373931343963333639323431636465303562306166333735383462353032323461613232
+3666653438393936356535633661363838613233323932370a656439316234356339613532663237
+39373439366432363533303961396466623366323339383735316531653538633264393264353337
+3937323861616530640a666361323164353338306336616564663466616630393839613833373933
+65613161323164613334656631333336343262363835323962343662333133366561306139636261
+61656532666563333063356231636565626631633436623531313938663930396362343031356534
+34303565623832366664303561643137626433333164623730623639656439346639616164623865
+31613462316439613937313138313830323334373337366630323331393537633437303063353363
+66383930353930616137303436383864363439326139643361356231373939306439633332666232
+38363061636139346430373263613932336361356262656138663233386464373839366630303765
+35343064336533373238396430393536366438653534366565373733313962616364313061626133
+37666538313038643865346461626537353930366264643162376530353536623863656236303433
+31336561336131383635393238366464653934613130363831306335643935373033303162353534
+38353832653664633061646331653634393963333038306635313464636136616366313962333431
+39363934643266646131653236303138636163326663373765373761663062656463643162373038
+34656163633964626235366539663132396666623363303632363236303831613532393931373761
+65613435353162346233323533383537316231363437653239343233636533333966613066343932
+30626636306531333736613965396432373130356238313136336434356133353435643065626261
+32633732613361376261363831363866333332393132643439626639383438663438366330386534
+31303532323461303862346364386532663839323163653366356136666131363839663635343166
+38353962326430383561333630623030623536353838633231393763393238316530363939343536
+66323562336334376234613436373237303562363831323038366232393161356262653864663037
+34363436356332633363363963613635346337613438326436333836386534353738646166643333
+65356637366431326132363432663662346638383439383766646531363662356266313961356239
+31323236393538363662643662643535623633663738343266636163363835383030646661363966
+36366466386666613364313166353366333131343061353135306135656663323461303338346666
+32626231613738316233636361633337343635656334336536663865633465326639373966303137
+39383731303862353637386438306136303765333136653465663963663930383037343130316466
+33343932383033643530323136316632386230366338373362366462666233336530393561353933
+36356330386361303562666339306265663539616434336264373832636139313365633065343763
+31323633346536366635646562356266373964616338366165376331306561663938396661396164
+31363438326439343964666439356339326661666136303461343436303533363630353735633038
+38383365363739333034373031326530353962646661343039616230396132323833626162643964
+65363165333233643738373638353537343162366265316661353563353862623134663362633261
+32343364333236363738333130316538666536306664363661616536336264363438396464666533
+37616533363936356335663562366563303564623530303762363034343435326666356162316535
+61363133326263653937373037643930343565336166643939663466316232313535333965303737
+35313566353963616632313763366561633039626239353236323438383261663066323334333632
+62393265396235636461653862383830613634393431396131323439613362366463633239383761
+39343361663463633332666666346339363334366330393936373433353034653765323130383335
+63336338653333356438323264356162316638336338343033326639303237656663633233383735
+34646535633831636238316564373035353635383738356133326664626566623766366535333439
+30326437613539373163323464323635316632633930353931303466376661396135623031623133
+33653735336230666665616638353561623235343439666135386165313436306666643837616166
+37613964663837373137383736393063333037366433643632333963623038623636653639343936
+32383532613430623563623565633665663030616530643735653563303035616530313463643431
+31663361383835613631336638343338373639613532313561313231353765316237653431663462
+65366162326630656566663731316262336536303032386336666263326265316564336339316430
+31643066633438663562343730393534663338613165633635356333323635653161346136336261
+30313332383065633335396131656136613932346331343632386235643764363235376531376437
+61303130316537633830366662366237303934306561333134366463646464386530623631346264
+30356536613932613264643835356637356364653038383130366237656232333031313163643332
+34393865323162613936613264313864613734373032386266653432616535636464363463633564
+37343661623935353365333831623631386439343237383933313337393065653934303065313634
+61396163323937643837643636343337343231616265643765313932346462373735323737326663
+66316135646663376537613663373432393865623038363239356265303362326161366462356138
+65336536626634366363623865656234363335343662333134613835393635623434393036316638
+35366431653463626665663861303333363038666131643861646465663761623364333162343761
+64396131643136323634643461656339616361323030626166303930623838343438393465653364
+66633037616633316534386639306438363863363530376131363332353536656533393161313931
+34386636643737353738323265363435636239353261373466383430346461383932323634346466
+33666436343130643032626562613165396334323937353663376162643266646539353932313137
+62336162646535346631623332376334336538326530356233646239306337633365373562653166
+32383639353431666137396631663237313436393434626531316365666335306466363639626663
+63643861656537306133343138633535323737346538643063363330383366313362653933383365
+34313230663163303730326361303337373136346161353132626362623461343661663964333765
+37353165333762346539333730333731366532623531343962333037336464666530396437353666
+62313035323234643236343534663434356264643830636433323831313364663762646130306362
+32316530643230313230376662383439343639343336633431623135626134353134383030396264
+38623933356332336231343434663563653332633237653966663964646232623637313231366638
+30363966373362363432376562656436356338356561303133643432303736376234643632663137
+34336630356362303132343737376637303939623133363663306133383465613263356632383030
+61346138316538353638343833366261366534353963326162303866393430333964653333346539
+64386161663435646331613834363336373738396338653263323937623163663236366636343239
+36383135343763636139393331663139323431376562353165353662396165653235633464363035
+31393233636561366639373566623738636537363235666234633534376238323163363238393237
+64316132666530336135353434623866363739643830646463656536336136646334393064303630
+65343964613265333934306432313739633134663131666433386630303132663866343532363835
+38353237343630653561636365656561313636623065363836333663363934643162656534623864
+62373763353961646235613465646630306562386531396364386164633065643763396437316466
+32376564616562656136346563383266303963666136663863626137653462373430363363336364
+35333133303463363663356365626365613036633835323334653264626637353634373665643036
+65663736323235353964326466376163313630323265333631323866663137313665626238396130
+64653832626639626633376231326534303530373937396235366239626639356234363238633336
+34343064393334613732356332633361613633643039366537623465303739663635626365656631
+64343936613536636438313232376564376539623261623539346564303036303131366561643564
+61623630393032666636366338336266656264353631393061383162323766616530323734326134
+31623962373435323730323830373239363738663164653338623836386636626337623739366566
+61663835623038626266653062666264663639363763623139393862633061356164323530666665
+31623538333264633735643839376433653934383663333130336133653235313631336163343134
+33653533613430323834653730326661323462316338636338393063653866316335626633323137
+32653262353964653131343430383661643231383135643332616462343231323266333430373061
+62623136393239356166393964323830623239613434636361633365353862646130373865643136
+66346336363866393762353633353638663433363332356131626639326166393234313765346138
+64613431333139376139343234666664313236633031393938663431376336643133323964303938
+64616536613462306363613639613132383361393535333362363630393230636532316634373231
+63313839323263663237373937323361373533616465643830396666376661616631646561663130
+66376266363338666133313263653733646365653034653538333332623861323833633033393234
+39633834343231663166376333633635366261616561643363393137383736303436383339633734
+30623939343939373038656461333464353033313632643138393334373565383331326430653263
+66343630396135633636366337353061363730333364376664623234333434356661323935626633
+63336465343661393636333663306361386432373235313337353361333735373436633832633439
+30653766373230383364396638366237643932633364663639643661393438653339393031616338
+62396632353063376566333261356662356265373733323631363263396337383631383733393034
+65616434356530306661636633363333353138303631626565636637313738353338343334633533
+39313232356166623939383864346665626333363132663033326430366565336339306465343337
+34613736356534653534363034366431653861613534663261633739366361373134323566376335
+31313263313262353162353039623634653534346363323131633362323035633337366536366561
+64323432353236383839643662383138373938373834323262386364376162663839366232313433
+38643662613065663863636664636162333830353131636238383439323439316363383935623731
+62393964636137653935313338343465396633333461643032383730313139396462393936383630
+63353166633735623364653264643934666438383739663461373332623631323932333162303630
+39353637353437636537613935306539633163613334303833393832616338323061633532303361
+63656635333331376561363962386135303963303030396564356534333037623635613963313666
+65303664316164613835343930623338326235363933623533343961666664323836316231613465
+65373931666331326634316463663134613031363636363434643839386239333164333538393831
+65653935623431373238326231343439666635623730393639636131386162373466316164356263
+37316539656230316336303265646339303139306262396536633533366261346238393335393765
+39376630306639353862323834343830646330643737653631633361326134613666613430323433
+64363965653063316432353431386533386661386239636332323139393933653063643865646338
+34626433393731343535313766303237313866613166663333616535323661666362613439376166
+62626430363661303630346265383863613162356535306165633537383038613131346561306330
+61623435626363623762313832313031363665623933656238623131303362326137313266316630
+32366664633963626463613562643666383637383831343234666435373564306635343730373665
+36643436633066373962303965373663376266323133343233323563393065633162383237323162
+38656336306432623330616234373936306163646330313734653864386464646535666331616335
+32623163356337326665333731656438393633326638363635353733663861323934333536393338
+33656231373166313761643030363437373638366461653038363565623633623035393564643161
+38663064356239393034323761386435396437386534633734353938653239323533333531363965
+36316636353864626461303936313632663261353437396238363930626239336139323561373133
+61366330386135363039303166326231656331653632343261306531653731313465396131643330
+35616432613631636264333263363239616435303436653936386165343335356337343032386239
+37373230623366653834663031343738643063616661363138316262643635343439333838363632
+34353236393730363262303439313132663735336463323432303036366361666338363237313664
+39366434303839356163616136336237643061373633343737333036653362643635643536386436
+30336636333464626464326332343333656535666431353338336438346335346433313934346231
+32326231636262346232636366393361623830316238303537666164626339383061633765333039
+30633539666535366539383061396461313437383537656239393131326538636536356536643735
+66653336343364346635383761613731666263366465643336636661323263386364653035333062
+33616364393664613363383937653530356138316363633335386232336531373835303732383962
+65643264656134393663653333346531316365323730383363373564323133333032373330643232
+63373239366435643738353130353333646136303530643065383066313035366239326664363830
+36626366646264643130326261363536313835356638636139636434333362366363313133316130
+61383734636433313433303466323265386132363862643131613666306162396437643166393630
+32613464313530316262353938383735336262663939323730626662663235303638303065663939
+33636234383033393237303865633961333462663232363562386637333335373565663261363933
+31356436613138653765663162646566326134313736316130356336663536643466623331653039
+38616465306532666434333534356464666663613263383430336465376133393032623762323237
+63343462373834383566393466366332303235323865343730373062343739363265343164623262
+38346539343533636435626133306662623865653934666665363063356162326461316561383261
+33666362656635323262353066356330616263326134613635336261343438393838326438613435
+64343336393034303330323563346233653135633439386465653065633339643032636662313531
+38356234326632336161666666353030366238626262353831393532306166363432633939383166
+66316136333838653433383439623366333062313833616366656566393965393665613738303833
+38326139366330393863623365383963306361613665643962376664636134353533623836643362
+39626166353138646666633136363662393565336333393638626534636330313632326333353366
+39353133666532306531343137353834353133633165613566323135313362333962303637663965
+63383730663562646563333763356135613537666332393537663062653662623938353434323136
+39663965616437653232623333363762616233316530303833376332396165616635336532653035
+36306331643232336664363733376632323630616139353030343930343166623433616234616539
+34393131303363626166383037336262323662393431356463616665343463363432356132313531
+37653331336165626435343162663662386662613164336439636465363335386233383065393535
+31396466636465336164383563326236356463393831363534656536616664613361346463613837
+35366562623432353166303836353261313233663864626665663837336233653237373031393636
+64343763386361626232633032316466373161666536313363633765653365656538343130326566
+38396534323433343634333139333063633531343631316163346135643037323034633835363963
+32343963653263663438666537653963376133633661393562623131636465386266616166366566
+36343963623262656162303337366365616263376363366161373236323166353834616262393061
+39393239303335623332346236356335393836636533386432653164656334613738393533623764
+36363136353034633934323066323335626138353763333537353761303930623930353062373932
+30656339663333373431633763366433366266316563393332613334633966633339633230303166
+61346264386134623962316532343664386637303738333835343036633038323137323961323837
+33376431316465373165663338623538636136343538666235333334373664323463326336336334
+32303361393134653338646563643636356361366133633634393731343332313437643731366634
+30386466333965356135303732663433316363376438623764653464343564353835626435333230
+30646238393266643137373037326136306337306130343739633933626134643364326534386464
+65303531623335663766623037663630376366333631363165633762616564396538643866313465
+35343265663336303537663962643536653937373839313435383337353036313239653263323061
+63653865656461363334646466396135663338383065646464656631636666643030376363633333
+30333331636438656238326534656165396233633131306562336263653330396366343964313434
+66653862386531306236336339353935653335616638643831393430613533643533626135313835
+64313065373564323132663531626436623465663766663566643964353361303336386464386463
+38373036613536386436373535323664333231663437643962373339653236393339653064363530
+61393835343230356234376630613230326637636534336564383139366663663136306665363363
+66373237373530303062333935633634313766316461666439666433616236346434623535343531
+30383264303536653236363533383561613636303662663935303761353065336631353735376365
+63343162646663623736336638306465666233343031656137393037623035613236373930633131
+36366633656131633563336561323835343766356131343038643761663966656364376430366636
+36316633633736353436666539303039383231333437653666313435616536626434653833376532
+66376130653339643564646139633238643266316633363137313038363061386163613863313733
+66633665613537303834393233376463343965343664343564343832376238383064373262336162
+61313163303632373261383563363964353731363739306337333161333130656235363631343761
+61353265633338336466623830396466646233333039323065333636303035363563373366396334
+37366637306430396262376539653134396536643931643563386666623364346635363138373937
+61613232386666343033383031363439373335396362643130656235653066376537373062333363
+39373737316136303835616639363162363839376635666237353064323433373961326338393263
+34343162336336623530653531663136366136353139343561623532633139366533386263316364
+36306134356666343230643639303766343466353562643130363063343330393232663161306266
+66336435356265396330366566373137323265623431386535396665313335666332616233383664
+63656663363366613431366632306230633265306663336439306263646132626631363663643861
+30373330653637623733653165336132643965623232383839623535326336643239333133313030
+32326634643238333163383562393134623532363561393364616430366532633862396438306433
+33653235303639383333633035656533633165653137326130643961393965346266383861616333
+37306266393231336666343333643530353230383239343931303838623335303262313130616162
+65383962613965646438323065303962663965333231323139303438343631396363666330653330
+61323839333863343034356363366433313039383963303063346237366261363861643839396362
+31346637303032356463303564303562313639643563396261326538353834363737323235646430
+64343230336539663237306235623662333062396238383135616231383837366339376633663938
+65313739333065383335323437396232323564363733333437363133613766653334396431333036
+38333038656339363132346362333863643261376335666536306231316630303437306231646565
+61666334623736373832613366376438323664653531393938353234303030633532653561313665
+63613064663564646235373234326661303562646139323330343330343139633462646131353038
+62663535393738626432633564663564653663393937656634666137646363643365353930373266
+66373162373165653533383862363835346133313234326162393331666566316439633133316633
+66393733373333653630363334353833363565336338613361396335326166643630623133303466
+31663037663766356531663039386232316138393266333035613364316539353837653763616666
+32376431383965633138666536386532663761343537646266643566373132343762383966326233
+38373766353962323362366330383564636236363961333535313064313039343933346439396237
+66616631633539623537633164363665393239643633663338393765336434653930356662656164
+65366533633336313832633166376265376634613635363563643866323730343139306537323863
+61373461363237653634666331366436356335306265643639373034666131626238336632346632
+34613062346532656530626364343938636162383862653538353563363035346339623839663261
+39663438396362383866663336643035653833336466663037313764326434373061626232646333
+63336336383366333538613331303863356430373764363930363061383036343836386561663362
+63663232373563343461306131333263376437623534346562626536376138393939373064333231
+31303464656332383036616661656565313063346231623634356638326239343536316162613335
+34663232326438333966313663336465373833646634353934323361343833373661633265313239
+62656533656338376562323861396665353166623732623139353431336439386263363235316132
+35373933613236616362396363323031633166633837383634313638656430373634383563616463
+38353738636631626639636135363561623935646365316161376166653461356430326362623738
+64386537373230303239356334313663616336393439623431616639643233353662306265373232
+39343066353564316433653361333766363535636533626338386434646531653432313034393134
+62653733313636653331356363396531313136346136303661656466333138363366616530306536
+66373532626230313739306432363433313736316261383837393737356333326236323261613965
+36373064636138373134373530363533613031376362386334393464383062663663313234643432
+64363232376137613231313862386561313131376133376466393630383737306666393738613265
+66646236646632313832633366333335313239363763326464326361326263346636326332376336
+31306230373963636135643235306537623930636164346366623862303838653238373030653035
+35653634393532653566323063323761643738616532376262623163393461346334393034643862
+62653835363236303732386365626464346131363231336431316233643132383566356531346237
+66333933386539396366333565653938396564643464663165323535386262623532666237393630
+65336262636630386633626335636231616332353965356335666362313562643738306263376230
+63323938633237363431386639613830633765353232313236336233363736363566346237616637
+61656234376562323162656432393665393930313736313439316261363264333865356139343233
+63636638646332626365383839373765383864346532383236386266656635653333343032313231
+65626233313634333533653436626134373632363565653230656161613963323334613262646530
+66636331396130613934363939653238343463396639363731393363643830663362373439646337
+63396435376637666563333165623338386337613638366339656561366538366635363037366531
+32306235666231303762356665613738323336306465613531313964626631313731373963353964
+32616632376534316532643531386635386330313866326265393736376538616431323238333562
+36373238656361323336383466363563623333306634373164366134376635373262353533653330
+38643233363737356564653834316435336439663562343366353866336662356138323566363061
+63313336323435343861393164313130346438343862366530363233643266393964316265663535
+65323739306536373331326338326132383265343939663336303534633537393637353639636561
+64656432313636366434313465626562626638613232653230373530363234306537363665646633
+33326163663830353166643662386637323438366334386533303664356631653561323032666265
+61333165363636363634353461613039313362373863663739323231663230643635663466323430
+37393431333733313134326231313234353930663365646637386639643535316362626232323430
+32363631353565323663393235343336663930373439663861613661636433356366633065343935
+61356636323039656230353264646166626633316430653162383638336265653865373536643036
+35653166333765366231636163666638383262613432646334663430323565333538626665343763
+32646663356565646362646261343436383039623635666439643762616463656361386631313637
+61616164383734353634306633636338623837356230626263653161616664613266356432653335
+30646434346436383565343138623264386630333832386134666463313936383364333364383232
+39393066333666653734616463343530643537613437623766313237353033623662336137356534
+35303635623232333230363362353137656235373539316163653863326666383237303235316164
+34623138346261366238303037653764366537333561623135656236663435316565303931353939
+34663932303239393836363663343735313632333639633733323564343039346436343935373430
+66313863643361306161373634373738383462313831643161333230646435313261383534396464
+39663466643864666433366531323866333935373833663661323833623734646265393035613966
+62393165653135643737343333346232356638646437326664396466333063666135653338623266
+34663133636164386164636434666231643163343930353863306538333337643762616661366366
+63646336613433623862356365633563633235396337356535376335636633636563333738383061
+33326136393530353964666639633638643433653736376637386638336561643061323635373565
+65393836613638313165313262376166643561623131363836363531616232663333333063393039
+35643938626132383439393761623165303730396365323665613663643961663466393937333731
+30643662663034616631343336343236613437376362366234343436376563303466633030323465
+64626536333465626430333336353038336539313531303933633466333633336364363961353861
+31636135303332343733313637326461643264636236313331643438613365393733383764653432
+65346533616130396233613863633331613638316462366364346465353234373531393137336165
+36666336333036396262663661343962663763316531393765346536646236613331626139383230
+32623665353463326633646466376232343333666465616633333033663031643262663732323230
+36363439613934643037393562333237636262306330356638666235333361376136623462313736
+33373163336134316563353031616339336234623738373230323335623130376265386130333235
+64616261633232316131633062623163333135323737376462383539663137366539656261396238
+31363232356361376264373863663362346535346136313834623761333037343435326339633735
+33656465376264326334356365346437343062343631663430346561656531653662646530316133
+64396563376263306533306565623163316238326264306330393465333737303062363030343662
+65333633643635643737323231343664613735336230393835346132613331366266336434623937
+65616366633734373434333837326465613862633930626435623165633964313732373936346434
+30643161633238343435623538316134616161313461616538653161383032313038666638376432
+64646564626231656664306235633031356564373432626561386135653136313062383861323130
+34393331316439613363636631666262343334393739303631633936623964343938373334623230
+39343031663565333431333731363966623730666335346164623662373265643732306662393663
+39336137326533643533623865313934336464633634613436616438373531636562313762383666
+37386365333361626362
--- a/group_vars/dhcp/dhcpd.yml
+++ b/group_vars/dhcp/dhcpd.yml
@ -0,0 +1,69 @@
+---
+dhcpd__omapi_key:
+  algorithm: hmac-sha512
+  secret: 99XuJO0ofX3VAnWWlyixWbQ5YTagPfgxyh14IbLNBb3/JzEklkWopvQdj/PXVYbfb/sRyFJBhLexPag4dLh7PA==
+
+dhcpd__interfaces:
+  - client0
+  - client1
+  - client2
+  - client3
+  - client4
+
+dhcpd__dns_servers:
+  - 10.128.10.3
+  - 10.128.10.103
+
+dhcpd__domain_search:
+  - isp.auro.re.
+  - auro.re.
+
+dhcpd__subnets:
+  - network: 100.64.0.0/27
+    routers:
+      - 100.64.0.1
+    start: 100.64.0.4
+    end: 100.64.0.30
+    domain_name: client0.isp.auro.re
+    failover: true
+  - network: 100.64.0.32/27
+    routers:
+      - 100.64.0.31
+    start: 100.64.0.33
+    end: 100.64.0.63
+    domain_name: client1.isp.auro.re
+    failover: true
+  - network: 100.64.0.64/27
+    routers:
+      - 100.64.0.65
+    start: 100.64.0.67
+    end: 100.64.0.95
+    domain_name: client2.isp.auro.re
+    failover: true
+  - network: 100.64.0.96/27
+    routers:
+      - 100.64.0.97
+    start: 100.64.0.99
+    end: 100.64.0.127
+    domain_name: client3.isp.auro.re
+    failover: true
+  - network: 100.64.0.128/27
+    routers:
+      - 100.64.0.129
+    start: 100.64.0.131
+    end: 100.64.0.159
+    domain_name: client4.isp.auro.re
+
+dhcpd__failover:
+  dhcp-1.isp.infra.auro.re: 10.210.1.1
+  dhcp-2.isp.infra.auro.re: 10.210.1.2
+
+dhcpd__failover_address: "{{ dhcpd__failover[inventory_hostname] }}"
+
+dhcpd__failover_peer_address: "{{ dhcpd__failover
+                                  | dict2items
+                                  | selectattr('key', '!=',
+                                               inventory_hostname)
+                                  | map(attribute='value')
+                                  | first }}"
+...
--- a/group_vars/dns/kresd.yml
+++ b/group_vars/dns/kresd.yml
@ -0,0 +1,24 @@
+---
+kresd__listen:
+  - address: 0.0.0.0
+    port: 53
+    kind: dns
+  - address: "::"
+    port: 53
+    kind: dns
+  - address: 0.0.0.0
+    port: 853
+    kind: tls
+  - address: "::"
+    port: 853
+    kind: tls
+  - address: 0.0.0.0
+    port: 8453
+    kind: webmgmt
+  - address: "::"
+    port: 8453
+    kind: webmgmt
+    tls: false
+
+kresd__cache_size: 512
+...
--- a/group_vars/edge/keepalived.yml
+++ b/group_vars/edge/keepalived.yml
@ -0,0 +1,21 @@
+---
+keepalived__virtual_router_id: 81
+
+keepalived__interface: back0
+
+keepalived__virtual_addresses:
+  crans0:
+    - 185.230.79.254/29
+    - 2a0c:700:28::2/64
+    - fe80::1/10
+  zayo0:
+    - 2001:1b48:2:103::d7:2/126
+    - 83.167.52.69/31
+    - fe80::1/10
+  oti0:
+    - 2a00:a4c0:100c:1::b/127
+    - 77.95.70.11/31
+    - fe80::1/10
+
+keepalived__main: "{{ inventory_hostname_short == 'edge-1' }}"
+...
--- a/group_vars/infra/bird.yml
+++ b/group_vars/infra/bird.yml
@ -0,0 +1,86 @@
+---
+bird__kernel:
+  kernel:
+    learn: true
+    import: accept
+    export: accept
+
+bird__ospf:
+  limits:
+    import: 4000
+    export: 4000
+  import: accept
+  export:
+    protos: kernel
+  areas:
+    0:
+      broadcast:
+        - back0
+      stub:
+        - monit0
+        - wifi0
+        - int0
+        - sw0
+        - bmc0
+        - pve0
+        - isp0
+        - ext0
+        - pub0
+        - th30
+        - ups0
+    1:
+      broadcast:
+        - vpn0
+
+bird__bgp:
+  edge1:
+    local:
+      address: "{{ bird__bgp_addr.back }}"
+      as: "{{ bird__as.aurore }}"
+    neighbor:
+      address:
+        - 2a09:6840:203::1:1
+        - 10.203.1.1
+      as: "{{ bird__as.aurore }}"
+    import:
+      - pref_src: "{{ bird__pref_src_addr }}"
+      - accept
+    export: reject
+  edge2:
+    local:
+      address: "{{ bird__bgp_addr.back }}"
+      as: "{{ bird__as.aurore }}"
+    neighbor:
+      address:
+        - 2a09:6840:203::1:2
+        - 10.203.1.2
+      as: "{{ bird__as.aurore }}"
+    import:
+      - pref_src: "{{ bird__pref_src_addr }}"
+      - accept
+    export: reject
+      #wg1:
+      #local:
+      #address: "{{ bird__bgp_addr.vpn }}"
+      #as: "{{ bird__as.aurore }}"
+      #neighbor:
+      #address:
+      #  - 2a09:6840:213::1:3
+      #  - 10.213.1.3
+      #as: "{{ bird__as.aurore }}"
+      #rr_cluster_client: 10.203.1.1
+      #import: reject
+      #export: accept
+      #wg2:
+      #local:
+      #address: "{{ bird__bgp_addr.vpn }}"
+      #as: "{{ bird__as.aurore }}"
+      #neighbor:
+      #address:
+      #  - 2a09:6840:213::1:4
+      #  - 10.203.1.4
+      #as: "{{ bird__as.aurore }}"
+      #rr_cluster_client: 10.203.1.1
+      #import: reject
+      #export: accept
+...
--- a/group_vars/infra/firewall.yml
+++ b/group_vars/infra/firewall.yml
@ -0,0 +1,457 @@
+---
+firewall__zones:
+  adm-legacy:
+    addrs:
+      - 2a09:6840:128::/64
+      - 10.128.0.0/16
+  ups:
+    addrs:
+      - 2a09:6840:201::/64
+      - 10.201.0.0/16
+  back:
+    addrs:
+      - 2a09:6840:203::/64
+      - 10.203.0.0/16
+  monit:
+    addrs:
+      - 2a09:6840:204::/64
+      - 10.204.0.0/16
+  wifi:
+    addrs:
+      - 2a09:6840:205::/64
+      - 10.205.0.0/16
+  int:
+    addrs:
+      - 2a09:6840:206::/64
+      - 10.206.0.0/16
+  sw:
+    addrs:
+      - 2a09:6840:207::/64
+      - 10.207.0.0/16
+  bmc:
+    addrs:
+      - 2a09:6840:208::/64
+      - 10.208.0.0/16
+  pve:
+    addrs:
+      - 2a09:6840:209::/64
+      - 10.209.0.0/16
+  isp:
+    addrs:
+      - 2a09:6840:210::/64
+      - 10.210.0.0/16
+  ext:
+    addrs:
+      - 2a09:6840:211::/64
+      - 10.211.0.0/16
+  pub:
+    addrs:
+      - 2a09:6840:215::/64
+      - 45.66.111.192/27
+  vpn-clients:
+    addrs:
+      - 2a09:6840:212::/64
+      - 10.212.0.0/16
+  vpn:
+    addrs:
+      - 2a09:6840:213::/64
+      - 10.213.0.0/16
+  infra:
+    zones:
+      - adm-legacy
+      - ups
+      - back
+      - monit
+      - wifi
+      - int
+      - sw
+      - bmc
+      - pve
+      - isp
+      - ext
+      - pub
+      - vpn
+  internet:
+    negate: true
+    addrs:
+      - 2a09:6840::/32
+      - 2a09:6841::/32
+      - 2a09:6842::/32
+      - 45.66.108.0/22
+      - 10.0.0.0/8
+      - 100.64.0.0/10
+  prometheus.int:
+    addrs:
+      - 2a09:6840:204::1:1
+      - 10.204.1.1
+      - 2a09:6840:204::1:2
+      - 10.204.1.2
+  grafana.adm:
+    addrs:
+      - 2a09:6840:128::98
+      - 10.128.0.98
+  re2o-ldap.adm:
+    addrs:
+      - 2a09:6840:128::21
+      - 10.128.0.21
+  ldap-replica-edc.adm:
+    addrs:
+      - 2a09:6840:128::4:249
+      - 10.128.4.249
+  nextcloud.adm:
+    addrs:
+      - 2a09:6840:128::58
+      - 10.128.0.58
+  dns.int:
+    addrs:
+      - 2a09:6840:206::1:1
+      - 10.206.1.1
+      - 2a09:6840:206::1:2
+      - 10.206.1.2
+  ntp.int:
+    addrs:
+      - 2a09:6840:206::1:5
+      - 10.206.1.5
+      - 2a09:6840:206::1:6
+      - 10.206.1.6
+  docker-ovh.adm:
+    addrs:
+      - 2a09:6840:128::150
+      - 10.128.0.150
+  mx.test:
+    addrs:
+      - 2a09:6840:211::1:5
+      - 45.66.111.208
+      - 10.128.1.5
+  proxy.pub:
+    addrs:
+      - 2a09:6840:215::1:1
+      - 45.66.111.206
+  collabora.ext:
+    addrs:
+      - 2a09:6840:211::1:1
+      - 10.211.1.1
+  grafana.ext:
+    addrs:
+      - 2a09:6840:211::1:7
+      - 10.211.1.7
+  ns-1.pub:
+    addrs:
+      - 2a09:6840:215::1:2
+      - 45.66.111.205
+  ns-2.pub:
+    addrs:
+      - 2a09:6840:215::1:3
+      - 45.66.111.207
+  ns-master.int:
+    addrs:
+      - 2a09:6840:206::1:7
+      - 10.206.1.7
+  tor.pub:
+    addrs:
+      - 45.66.111.215
+      - 2a09:6840:215::1:215
+  jitsi.pub:
+    addrs:
+      - 45.66.111.216
+      - 2a09:6840:215::1:216
+  log-1.int:
+    addrs:
+      - 10.206.1.9
+      - 2a09:6840:206::1:9
+  log-2.int:
+    addrs:
+      - 10.206.1.10
+      - 2a09:6840:206::1:10
+
+firewall__input:
+  - iif:
+      - back0 # FIXME link-local
+      - vpn0
+    verdict: accept
+  - src:
+      - back
+      - vpn
+    verdict: accept
+  - src: monit
+    protocols:
+      tcp:
+        dport:
+          - 9100
+          - 9700
+    verdict: accept
+  - src: monit
+    protocols:
+      tcp:
+        dport: 9324
+    verdict: accept
+  - protocols:
+      icmp: true
+    verdict: accept
+  - protocols:
+      tcp:
+        dport: 22
+    verdict: accept
+  - verdict: drop
+
+firewall__output:
+  - verdict: accept
+
+firewall__forward:
+  - src: back
+    dst: infra
+    verdict: accept
+  - src: infra # FIXME: temporary
+    dst: internet
+    verdict: accept
+  - src: monit
+    dst: bmc
+    protocols:
+      icmp: true
+    verdict: accept
+  - dst: mx.test
+    protocols:
+      icmp: true
+    verdict: accept
+  - dst: mx.test
+    protocols:
+      tcp:
+        dport:
+          - 25
+          - 465
+          - 993
+    verdict: accept
+  # NS
+  - dst:
+      - ns-1.pub
+      - ns-2.pub
+    protocols:
+      tcp:
+        dport: 53
+    verdict: accept
+  - dst:
+      - ns-1.pub
+      - ns-2.pub
+    protocols:
+      udp:
+        dport: 53
+    verdict: accept
+  - src:
+      - ns-1.pub
+      - ns-2.pub
+    dst: ns-master.int
+    protocols:
+      udp:
+        dport: 53
+    verdict: accept
+  - src:
+      - ns-1.pub
+      - ns-2.pub
+    dst: ns-master.int
+    protocols:
+      tcp:
+        dport: 53
+    verdict: accept
+  # SNMP
+  - src: monit
+    dst:
+      - sw
+      - ups
+      - bmc
+    protocols:
+      udp:
+        dport: 161
+    verdict: accept
+  - src: monit
+    dst:
+      - sw
+      - ups
+      - bmc
+    protocols:
+      tcp:
+        dport: 161
+    verdict: accept
+  # Alertmanager
+  - src: monit
+    dst: docker-ovh.adm
+    protocols:
+      tcp:
+        dport: 9093
+    verdict: accept
+  - src: adm-legacy
+    dst: bmc
+    verdict: accept
+  # Prometheus for Grafana
+  - src: grafana.adm
+    dst: prometheus.int
+    protocols:
+      tcp:
+        dport: 9090
+    verdict: accept
+  # Prometheus for Grafana nixos
+  - src: grafana.ext
+    dst: prometheus.int
+    protocols:
+      tcp:
+        dport: 9090
+    verdict: accept
+  - src: grafana.ext
+    dst: re2o-ldap.adm
+    protocols:
+      tcp:
+        dport: 389
+    verdict: accept
+  - src: grafana.ext
+    dst: ldap-replica-edc.adm
+    protocols:
+      tcp:
+        dport: 389
+    verdict: accept
+  # Admin VPN clients
+  - src: vpn-clients
+    dst: infra
+    verdict: accept
+  # Prometheus node
+  - src: monit
+    dst: infra
+    protocols:
+      tcp:
+        dport:
+          - 9100
+          - 9700
+    verdict: accept
+  # Prometheus bird
+  - src: monit
+    dst: back
+    protocols:
+      tcp:
+        dport: 9324
+    verdict: accept
+  # Prometheus kresd
+  - src: monit
+    dst: dns.int
+    protocols:
+      tcp:
+        dport: 8453
+    verdict: accept
+  # Allow DNS from infra to dns-{1,2}
+  - src: infra
+    dst: dns.int
+    protocols:
+      udp:
+        dport: 53
+    verdict: accept
+  - src: infra
+    dst: dns.int
+    protocols:
+      tcp:
+        dport: 53
+    verdict: accept
+  # Allow NTP from infra to ntp-{1,2} 
+  - src: 
+      - infra
+      - pub
+    dst: ntp.int
+    protocols:
+      udp:
+        dport: 123
+    verdict: accept
+  # Admin Wireguard
+  - dst:
+      - 2a09:6840:211::1:1
+      - 45.66.111.204
+      - 10.211.1.1
+    protocols:
+      udp:
+        dport: 5121
+    verdict: accept
+  # Proxy web
+  - dst: 
+      - jitsi.pub
+      - proxy.pub
+    protocols:
+      tcp:
+        dport:
+          - 80
+          - 443
+    verdict: accept
+  - src: proxy.pub
+    dst: grafana.adm
+    protocols:
+      tcp:
+        dport: 3000
+    verdict: accept
+  - src: proxy.pub
+    dst: grafana.ext
+    protocols:
+      tcp:
+        dport: 80
+    verdict: accept
+  - src: proxy.pub
+    dst: nextcloud.adm
+    protocols:
+      tcp:
+        dport: 8080
+  - src: proxy.pub
+    dst: adm-legacy
+    protocols:
+      tcp:
+        dport:
+          - 80
+          - 443
+    verdict: accept
+  # ICMP to public vlan
+  - dst: pub
+    protocols:
+      icmp: true
+    verdict: accept
+  # Proxy -> Collabora
+  - src: proxy.pub
+    dst: collabora.ext
+    protocols:
+      tcp:
+        dport: 9980
+    verdict: accept
+  # Collabora -> Proxy
+  - src: collabora.ext
+    dst: proxy.pub
+    protocols:
+      tcp:
+        dport:
+          - 80
+          - 443
+    verdict: accept
+  # Tor: SSH
+  - dst: tor.pub
+    protocols:
+      tcp:
+        dport: 
+          - 22
+          - 4444
+    verdict: accept
+  # Jitsi UDP
+  - dst: jitsi.pub
+    protocols:
+      udp:
+        dport:
+          - 3478
+          - 10000
+  # Jitsi TCP
+  - dst: jitsi.pub
+    protocols:
+      tcp:
+        dport:
+          - 5349
+
+firewall__nat:
+  - src: 10.0.0.0/8
+    dst: internet
+    protocols: null
+    snat:
+      addr: 45.66.111.200/30
+  #- src: monit
+  #  dst: adm-legacy
+  #  protocols: null
+  #  snat:
+  #    addr: 10.203.1.3/32
+...
--- a/group_vars/infra/keepalived.yml
+++ b/group_vars/infra/keepalived.yml
@ -0,0 +1,59 @@
+---
+keepalived__virtual_router_id: 82
+
+keepalived__interface: back0
+
+keepalived__virtual_addresses:
+  ups0:
+    - 10.201.0.1/16
+    - 2a09:6840:201::1/64
+    - fe80::1/10
+  monit0:
+    - 10.204.0.1/16
+    - 2a09:6840:204::1/64
+    - fe80::1/10
+  wifi0:
+    - 10.205.0.1/16
+    - 2a09:6840:205::1/64
+    - fe80::1/10
+  int0:
+    - 10.206.0.1/16
+    - 2a09:6840:206::1/64
+    - fe80::1/10
+  sw0:
+    - 10.207.0.1/16
+    - 2a09:6840:207::1/64
+    - fe80::1/10
+  bmc0:
+    - 10.208.0.1/16
+    - 2a09:6840:208::1/64
+    - fe80::1/10
+  pve0:
+    - 10.209.0.1/16
+    - 2a09:6840:209::1/64
+    - fe80::1/10
+  isp0:
+    - 10.210.0.1/16
+    - 2a09:6840:210::1/64
+    - fe80::1/10
+  ext0:
+    - 10.211.0.1/16
+    - 2a09:6840:211::1/64
+    - fe80::1/10
+  th30:
+    - 10.126.0.6/24
+    - fe80::1/10
+  pub0:
+    - 2a09:6840:215::1/64
+    - 45.66.111.204/27
+    - fe80::1/10
+
+#keepalived__virtual_routes:
+#  ext0:
+#    - 45.66.111.204/30
+
+keepalived__virtual_blackholes:
+  - 45.66.111.200/30 # NAT
+
+keepalived__main: "{{ inventory_hostname_short == 'infra-1' }}"
+...
--- a/group_vars/isp/bird.yml
+++ b/group_vars/isp/bird.yml
@ -0,0 +1,53 @@
+---
+bird__kernel:
+  kernel:
+    learn: true
+    import: accept
+    export: accept
+
+bird__ospf:
+  limits:
+    import: 4000
+    export: 4000
+  import: accept
+  export:
+    protos: kernel
+  areas:
+    0:
+      broadcast:
+        - back0
+      stub:
+        - client0
+        - client1
+        - client2
+        - client3
+        - client4
+
+bird__bgp:
+  edge1:
+    local:
+      address: "{{ bird__bgp_addr.back }}"
+      as: "{{ bird__as.aurore }}"
+    neighbor:
+      address:
+        - 2a09:6840:203::1:1
+        - 10.203.1.1
+      as: "{{ bird__as.aurore }}"
+    import:
+      - pref_src: "{{ bird__pref_src_addr }}"
+      - accept
+    export: reject
+
+bird__radv:
+  rdnss:
+    - 2a09:6840:206::1:1
+    - 2a09:6840:206::1:2
+  interfaces:
+    client0:
+      max_interval: 5
+      prefixes:
+        - 2a09:6841::/64
+      dnssl: client0.isp.auro.re
+      domain_search:
+        - auro.re
+...
--- a/group_vars/isp/firewall.yml
+++ b/group_vars/isp/firewall.yml
@ -0,0 +1,40 @@
+---
+firewall__zones:
+  internet:
+    negate: true
+    addrs:
+      - 2a09:6840::/32
+      - 2a09:6841::/32
+      - 2a09:6842::/32
+      - 45.66.108.0/22
+      - 10.0.0.0/8
+      - 100.64.0.0/10
+  clients:
+    addrs:
+      - 100.64.0.0/10
+  non_clients:
+    negate: true
+    zones: clients
+  allowed_clients:
+    file:
+      path: /var/run/firewall/allowed_clients.yml
+      default: []
+
+firewall__input:
+  - verdict: accept
+
+firewall__output:
+  - verdict: accept
+
+firewall__forward:
+  - src: allowed_clients
+    dst: non_clients
+    verdict: accept
+
+firewall__nat:
+  - src: clients
+    dst: internet
+    protocols: null
+    snat:
+      addr: 45.66.111.220
+...
--- a/group_vars/isp/keepalived.yml
+++ b/group_vars/isp/keepalived.yml
@ -0,0 +1,32 @@
+---
+keepalived__virtual_router_id: 80
+
+keepalived__interface: back0
+
+keepalived__virtual_addresses:
+  client0:
+    - 100.64.0.1/27
+    - 2a09:6841::1/56
+    - fe80::1/10
+  client1:
+    - 100.64.0.33/27
+    - 2a09:6841:0:1::1/64
+    - fe80::1/10
+  client2:
+    - 100.64.0.65/27
+    - 2a09:6841:0:2::1/64
+    - fe80::1/10
+  client3:
+    - 100.64.0.97/27
+    - 2a09:6841:0:3::1/64
+    - fe80::1/10
+  client4:
+    - 100.64.0.129/27
+    - 2a09:6841:0:4::1/64
+    - fe80::1/10
+
+keepalived__virtual_blackholes:
+  - 45.66.111.220/32
+
+keepalived__main: "{{ inventory_hostname_short == 'isp-1' }}"
+...
--- a/group_vars/ns/knotd.yml
+++ b/group_vars/ns/knotd.yml
@ -0,0 +1,71 @@
+---
+knotd__listen:
+  - address: 0.0.0.0
+  - address: "::"
+
+knotd__keys:
+  xfr:
+    algorithm: hmac-sha512
+    secret: "{{ vault_knotd_xfr_key }}"
+
+knotd__remotes:
+  xfr-master:
+    address: 2a09:6840:206::1:7
+    key: xfr
+
+knotd__acl:
+  notify-master:
+    address:
+      - 2a09:6840:206::1:7
+      - 10.206.1.7
+    key: xfr
+    action: notify
+
+knotd__queryacl:
+  local:
+    addresses:
+      - 10.0.0.0/8
+
+knotd__zones:
+  auro.re:
+    dnssec_validation: true
+    acl:
+      - notify-master
+    master: xfr-master
+  test.auro.re:
+    dnssec_validation: true
+    acl:
+      - notify-master
+    master: xfr-master
+  infra.auro.re:
+    dnssec_validation: true
+    acl:
+      - notify-master
+    #queryacl: local
+    master: xfr-master
+  108.66.45.in-addr.arpa:
+    dnssec_validation: false
+    acl:
+      - notify-master
+    master: xfr-master
+  109.66.45.in-addr.arpa:
+    dnssec_validation: false
+    acl:
+      - notify-master
+    master: xfr-master
+  110.66.45.in-addr.arpa:
+    dnssec_validation: false
+    acl:
+      - notify-master
+    master: xfr-master
+  111.66.45.in-addr.arpa:
+    dnssec_validation: false
+    acl:
+      - notify-master
+    master: xfr-master
+  0.4.8.6.9.0.a.2.ip6.arpa:
+    dnssec_validation: false
+    acl:
+      - notify-master
+    master: xfr-master
+...
--- a/group_vars/ntp/chronyd.yml
+++ b/group_vars/ntp/chronyd.yml
@ -0,0 +1,13 @@
+---
+chronyd__allow_networks:
+  - 2a09:6840::/32
+  - 10.0.0.0/8
+
+chronyd__pools:
+  - 0.pool.ntp.org
+  - 1.pool.ntp.org
+  - 2.pool.ntp.org
+  - 3.pool.ntp.org
+
+chronyd__local_stratum: 10
+...
--- a/group_vars/prom/prometheus/bird.yml
+++ b/group_vars/prom/prometheus/bird.yml
@ -0,0 +1,144 @@
+---
+prometheus__scraping_bird:
+  targets: "{{ groups.router }}"
+  address:
+    port: 9324
+
+prometheus__rules_bird:
+  - record: bird:protocol_up:bgp_all
+    expr:
+      label_replace(
+        bird_protocol_up{proto="BGP"},
+        "group", "$1",
+        "instance", "^([^0-9\\.]+)-[0-9]+.*"
+      )
+  # FIXME: sessions en cours d'installation, pas encore monitorées
+  - record: bird:protocol_up:bgp
+    expr:
+      bird:protocol_up:bgp_all
+      unless bird:protocol_up:bgp_all{
+        group="edge",
+        name=~"^(viarezo|isp[12]|rezel)[46]$"
+      }
+  # Sessions qui ne sont volontairement pas redondées
+  # au sein d'un groupe
+  - record: bird:protocol_up:bgp:non_redundant
+    expr:
+      bird:protocol_up:bgp{
+        group="edge",
+        name=~"^(oti|crans|legacy|edge)[46]$"
+      }
+  # Sessions qui le sont
+  - record: bird:protocol_up:bgp:redundant
+    expr:
+      bird:protocol_up:bgp
+      unless
+      bird:protocol_up:bgp:non_redundant
+  - alert: BirdBGPRedundancyDegraded
+    expr:
+      (
+        count by (group, name) (
+          bird:protocol_up:bgp:redundant{state="Established"}
+        ) + (
+          count by (group, name) (
+            bird:protocol_up:bgp:redundant{state!="Established"} * 0
+          )
+        )
+      ) < 2
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      Session: !unsafe "{{ $labels.name }}"
+      Count: !unsafe "{{ $value }}"
+      Group: !unsafe "{{ $labels.group }}"
+  - alert: BirdBGPDown
+    expr:
+      (
+        count by (group, name) (
+          bird:protocol_up:bgp{state="Established"}
+        ) + (
+          count by (group, name) (
+            bird:protocol_up:bgp{state!="Established"} * 0
+          )
+        )
+      ) == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Session: !unsafe "{{ $labels.name }}"
+      Group: !unsafe "{{ $labels.group }}"
+  # TODO: warning pour redondant ?
+  - alert: BirdBGPNoExportedPrefixRedundant
+    expr:
+      bird_protocol_prefix_export_count{
+        export_filter!="REJECT",
+      } * on (instance, name) group_left (group) (
+        bird:protocol_up:bgp:redundant{state="Established"}
+      ) == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Session: !unsafe "{{ $labels.name }}"
+      Group: !unsafe "{{ $labels.group }}"
+  - alert: BirdBGPNoImportedPrefixRedundant
+    expr:
+      bird_protocol_prefix_import_count{
+        import_filter!="REJECT",
+      } * on (instance, name) group_left (group) (
+        bird:protocol_up:bgp:redundant{state="Established"}
+      ) == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Session: !unsafe "{{ $labels.name }}"
+      Group: !unsafe "{{ $labels.group }}"
+  - alert: BirdBGPNoExportedPrefixNonRedundant
+    expr:
+      sum by (group) (
+        bird_protocol_prefix_export_count{
+          export_filter!="REJECT",
+        } * on (instance, name) group_left (group) (
+          bird:protocol_up:bgp:non_redundant{state="Established"}
+        )
+      ) == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Session: !unsafe "{{ $labels.name }}"
+      Group: !unsafe "{{ $labels.group }}"
+  - alert: BirdBGPNoImportedPrefixNonRedundant
+    expr:
+      sum by (group) (
+        bird_protocol_prefix_import_count{
+          import_filter!="REJECT",
+        } * on (instance, name) group_left (group) (
+          bird:protocol_up:bgp:non_redundant{state="Established"}
+        )
+      ) == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Session: !unsafe "{{ $labels.name }}"
+      Group: !unsafe "{{ $labels.group }}"
+  - alert: BirdOSPFNeighboursChange
+    expr:
+      changes(bird_ospf_neighbor_count[5m]) > 0
+      or changes(bird_ospfv3_neighbor_count[5m]) > 0
+    for: 0m
+    labels:
+      severity: warning
+  - alert: BirdOSPFDown
+    expr:
+      bird_ospf_running == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Instance: !unsafe "{{ $labels.name }}"
+...
--- a/group_vars/prom/prometheus/common.yml
+++ b/group_vars/prom/prometheus/common.yml
@ -0,0 +1,11 @@
+---
+prometheus__rules_common:
+  - alert: CollectorDown
+    expr:
+      up == 0
+    for: 3m
+    labels:
+      severity: critical
+    annotations:
+      Job: !unsafe "{{ $labels.job }}"
+...
--- a/group_vars/prom/prometheus/eaton.yml
+++ b/group_vars/prom/prometheus/eaton.yml
@ -0,0 +1,11 @@
+---
+prometheus__scraping_eaton:
+  targets: "{{ groups.eaton_ups }}"
+  address: 127.0.0.1:9116
+  path: /snmp
+  params:
+    module:
+      - eaton
+
+prometheus__rules_eaton: {}
+...
--- a/group_vars/prom/prometheus/ilo.yml
+++ b/group_vars/prom/prometheus/ilo.yml
@ -0,0 +1,13 @@
+---
+prometheus__scraping_ilo:
+  targets: "{{ groups.ilo }}"
+  address: 127.0.0.1:9116
+  path: /snmp
+  timeout: 180s
+  interval: 180s
+  params:
+    module:
+      - ilo
+
+prometheus__rules_ilo: {}
+...
--- a/group_vars/prom/prometheus/jitsi.yml
+++ b/group_vars/prom/prometheus/jitsi.yml
@ -0,0 +1,6 @@
+---
+prometheus__scraping_jitsi:
+  targets: ["jitsi.pub.infra.auro.re"]
+  address:
+    port: 9700
+...
--- a/group_vars/prom/prometheus/keepalived.yml
+++ b/group_vars/prom/prometheus/keepalived.yml
@ -0,0 +1,23 @@
+---
+prometheus__rules_keepalived:
+  - alert: KeepalivedVrrpFault
+    expr:
+      keepalived_vrrp_state{state="fault"} > 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Instance: !unsafe "{{ $labels.instance }}"
+  - alert: KeepalivedMasterChange
+    expr:
+      changes(
+        keepalived_vrrp_state{
+          keepalived_vvrp_state="master"
+        }[1m]
+      ) > 0
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      Instance: !unsafe "{{ $labels.instance }}"
+...
--- a/group_vars/prom/prometheus/kresd.yml
+++ b/group_vars/prom/prometheus/kresd.yml
@ -0,0 +1,6 @@
+---
+prometheus__scraping_kresd:
+  targets: "{{ groups.dns }}"
+  address:
+    port: 8453
+...
--- a/group_vars/prom/prometheus/main.yml
+++ b/group_vars/prom/prometheus/main.yml
@ -0,0 +1,28 @@
+---
+prometheus__alertmanager_targets:
+  - docker-ovh.adm.auro.re:9093
+
+prometheus__tsdb_retention_time: 90d
+
+prometheus__scraping:
+  node: "{{ prometheus__scraping_node }}"
+  prometheus: "{{ prometheus__scraping_prometheus }}"
+  kresd: "{{ prometheus__scraping_kresd }}"
+  bird: "{{ prometheus__scraping_bird }}"
+  quanta: "{{ prometheus__scraping_quanta }}"
+  ilo: "{{ prometheus__scraping_ilo }}"
+  snmp: "{{ prometheus__scraping_snmp }}"
+  eaton: "{{ prometheus__scraping_eaton }}"
+  jitsi: "{{ prometheus__scraping_jitsi }}"
+
+prometheus__rules:
+  common: "{{ prometheus__rules_common }}"
+  switch: "{{ prometheus__rules_switch }}"
+  prometheus: "{{ prometheus__rules_prometheus }}"
+  node: "{{ prometheus__rules_node }}"
+  keepalived: "{{ prometheus__rules_keepalived }}"
+  quanta: "{{ prometheus__rules_quanta }}"
+  #ilo: "{{ prometheus__rules_ilo }}"
+  bird: "{{ prometheus__rules_bird }}"
+  #eaton: "{{ prometheus__rules_eaton }}"
+...
--- a/group_vars/prom/prometheus/node.yml
+++ b/group_vars/prom/prometheus/node.yml
@ -0,0 +1,200 @@
+---
+prometheus__scraping_node:
+  targets: "{{ groups.vm + groups.pve }}"
+  address:
+    port: 9100
+
+prometheus__rules_node:
+  - alert: OutOfMemory
+    expr:
+      (
+        node_memory_MemFree_bytes
+        + node_memory_Cached_bytes
+        + node_memory_Buffers_bytes
+      ) / node_memory_MemTotal_bytes < 0.1
+    for: 5m
+    labels:
+      severity: warning
+    annotations:
+      FreeMemory: !unsafe "{{ $value | humanizePercentage }}"
+  - alert: HostSwapIsFillingUp
+    expr:
+      (
+        1 - (
+          node_memory_SwapFree_bytes
+          / node_memory_SwapTotal_bytes
+        )
+      ) >= 0.5
+    for: 3m
+    labels:
+      severity: critical
+    annotations:
+      UsedSwap: !unsafe "{{ $value | humanizePercentage }}"
+  - alert: HostPhysicalComponentTooHot
+    expr:
+      node_hwmon_temp_celsius > 79
+    for: 3m
+    labels:
+      severity: critical
+    annotations:
+      Temperature: !unsafe "{{ $value | humanize }} °C"
+      Chip: !unsafe "{{ $labels.chip }}"
+      Sensor: !unsafe "{{ $labels.sensor }}"
+  - alert: HostNodeOvertemperatureAlarm
+    expr:
+      node_hwmon_temp_crit_alarm_celsius == 1
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Chip: !unsafe "{{ $labels.chip }}"
+      Sensor: !unsafe "{{ $labels.sensor }}"
+  - alert: HostRaidArrayGotInactive
+    expr:
+      node_md_state{state="inactive"} > 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Device: !unsafe "{{ $labels.device }}"
+  - alert: HostRaidDiskFailure
+    expr:
+      node_md_disks{state="failed"} > 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      severity: !unsafe "{{ $labels.md_device }}"
+  - alert: HostOomKillDetected
+    expr:
+      increase(node_vmstat_oom_kill[1m]) > 0
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      PID: !unsafe "{{ $value }}"
+  - alert: HostEdacCorrectableErrorsDetected
+    expr:
+      increase(node_edac_correctable_errors_total[1m]) > 0
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      CorrectedErrors: !unsafe "{{ $value }}"
+  - alert: HostEdacUncorrectableErrorsDetected
+    expr:
+      increase(node_edac_uncorrectable_errors_total[1m]) > 0
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      DetectedErrors: !unsafe "{{ $value }}"
+  - alert: OutOfDiskSpace
+    expr:
+      (
+        node_filesystem_free_bytes
+        / node_filesystem_size_bytes < 0.1
+      )
+      and on (instance, device, mountpoint) (
+        node_filesystem_readonly
+      ) == 0
+    for: 5m
+    labels:
+      severity: critical
+    annotations:
+      Mountpoint: !unsafe "{{ $labels.mountpoint }}"
+      FreeSpace: !unsafe "{{ $value | humanizePercentage }}"
+  - alert: HostConntrackLimit
+    expr:
+      (
+        node_nf_conntrack_entries
+        / node_nf_conntrack_entries_limit
+      ) > 0.8
+    for: 5m
+    labels:
+      severity: warning
+    annotations:
+      Filled: !unsafe "{{ $value | humanizePercentage }}"
+  - alert: HostClockSkew
+    expr:
+      (
+        node_timex_offset_seconds > 0.05
+        and deriv(node_timex_offset_seconds[5m]) >= 0
+      ) or (
+        node_timex_offset_seconds < -0.05
+        and deriv(node_timex_offset_seconds[5m]) <= 0
+      )
+    for: 2m
+    labels:
+      severity: warning
+  - alert: HostClockNotSynchronising
+    expr:
+      min_over_time(node_timex_sync_status[1m]) == 0
+      and node_timex_maxerror_seconds >= 16
+    for: 2m
+    labels:
+      severity: warning
+  - alert: HostRequiresReboot
+    expr:
+      node_reboot_required > 0
+    for: 5m
+    labels:
+      severity: warning
+  - alert: OutOfInodes
+    expr:
+      node_filesystem_files_free
+      / node_filesystem_files < 0.1
+    for: 3m
+    labels:
+      severity: warning
+    annotations:
+      Mountpoint: !unsafe "{{ $labels.mountpoint }}"
+      FreeInodes: !unsafe "{{ $value | humanizePercentage }}"
+  - alert: CpuUsage
+    expr:
+      (
+        1 - avg by (instance) (
+          irate(node_cpu_seconds_total{mode="idle"}[5m])
+        )
+      ) > 0.75
+    for: 10m
+    labels:
+      severity: warning
+    annotations:
+      Usage: !unsafe "{{ $value | humanizePercentage }}"
+  - alert: SystemdServiceFailed
+    expr:
+      node_systemd_unit_state{state="failed"} == 1
+    for: 10m
+    labels:
+      severity: warning
+    annotations:
+      Service: !unsafe "{{ $labels.name }}"
+  - alert: LoadUsage
+    expr:
+      node_load1 > 5
+    for: 2m
+    labels:
+      severity: warning
+    annotations:
+      Load1: !unsafe "{{ $value | humanize }}"
+  - alert: UnhealthyDisk
+    expr:
+      smartmon_device_smart_healthy < 1
+    for: 10m
+    labels:
+      severity: critical
+    annotations:
+      Disk: !unsafe "{{ $labels.disk }}"
+  - alert: HostCpuStealNoisyNeighbor
+    expr:
+      avg by (instance) (
+        rate(node_cpu_seconds_total{mode="steal"}[5m])
+      ) > 0.1
+    for: 5m
+    labels:
+      severity: warning
+    annotations:
+      Disk: !unsafe "{{ $labels.disk }}"
+      Steal: !unsafe "{{ $value | humanizePercentage }}"
+...
--- a/group_vars/prom/prometheus/prometheus.yml
+++ b/group_vars/prom/prometheus/prometheus.yml
@ -0,0 +1,14 @@
+---
+prometheus__scraping_prometheus:
+  targets: "{{ groups.prom }}"
+  address:
+    port: 9090
+
+prometheus__rules_prometheus:
+  - alert: PrometheusTsdbCompactionFailed
+    expr:
+      increase(prometheus_tsdb_compactions_failed_total[1m]) > 0
+    for: 0m
+    labels:
+      severity: critical
+...
--- a/group_vars/prom/prometheus/quanta.yml
+++ b/group_vars/prom/prometheus/quanta.yml
@ -0,0 +1,98 @@
+---
+prometheus__scraping_quanta:
+  targets: "{{ groups.quanta }}"
+  address: 127.0.0.1:9116
+  path: /snmp
+  timeout: 180s
+  interval: 180s
+  params:
+    module:
+      - quanta
+
+prometheus__rules_quanta:
+  - alert: QuantaQueueOverflow
+    expr:
+      snAgGblQueueOverflow == 1
+    for: 0m
+    labels:
+      severity: critical
+  - alert: QuantaCpuUsage
+    expr:
+      snAgGblCpuUtil1MinAvg > 50
+    for: 5m
+    labels:
+      severity: warning
+    annotations:
+      Usage: !unsafe "{{ $value }} %"
+  - alert: QuantaCpuUsage
+    expr:
+      snAgGblCpuUtil1MinAvg > 80
+    for: 5m
+    labels:
+      severity: critical
+    annotations:
+      Usage: !unsafe "{{ $value }} %"
+  - alert: QuantaMemoryUsage
+    expr:
+      100 * (1 - (snAgGblDynMemFree / snAgGblDynMemTotal)) > 50
+    for: 5m
+    labels:
+      severity: warning
+    annotations:
+      UsedMemory: !unsafe "{{ $value }} %"
+  - alert: QuantaMemoryUsage
+    expr:
+      100 * (1 - (snAgGblDynMemFree / snAgGblDynMemTotal)) > 80
+    for: 5m
+    labels:
+      severity: alert
+    annotations:
+      UsedMemory: !unsafe "{{ $value }} %"
+  - alert: QuantaFanHealth
+    expr:
+      snChasFanOperStatus{snChasFanOperStatus="normal"} == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Description: !unsafe "{{ $labels.shChasFanDescription }}"
+      Status: !unsafe "{{ $labels.snChasFanOperStatus }}"
+  - alert: QuantaMissingIntakeTemp
+    expr:
+      count by (instance) (
+        snAgentTempValue
+      ) - count by (instance) (
+        snAgentTempValue{snAgentTempSensorDescr=~".*Intake.*"}
+      ) == 0
+    for: 0m
+    labels:
+      severity: critical
+  - alert: QuantaIntakeTemp
+    expr:
+      0.5 * snAgentTempValue{snAgentTempSensorDescr=~".*Intake.*"} > 60
+    for: 10m
+    keep_firing_for: 30m
+    labels:
+      severity: warning
+    annotations:
+      Temperature: !unsafe "{{ $value }} °C"
+      Description: !unsafe "{{ $labels.snAgentTempSensorDescr }}"
+  - alert: QuantaIntakeTemp
+    expr:
+      0.5 * snAgentTempValue{snAgentTempSensorDescr=~".*Intake.*"} > 70
+    for: 10m
+    keep_firing_for: 30m
+    labels:
+      severity: critical
+    annotations:
+      Temperature: !unsafe "{{ $value }} °C"
+      Description: !unsafe "{{ $labels.snAgentTempSensorDescr }}"
+  - alert: QuantaPowerRedundancyFailure
+    expr:
+      count by (instance) (
+        snChasPwrSupplyOperStatus{snChasPwrSupplyOperStatus="normal"}
+      ) < 2
+    for: 0m
+    labels:
+      severity: warning
+...
--- a/group_vars/prom/prometheus/snmp.yml
+++ b/group_vars/prom/prometheus/snmp.yml
@ -0,0 +1,6 @@
+---
+prometheus__scraping_snmp:
+  targets: "{{ groups.prom }}"
+  address:
+    port: 9116
+...
--- a/group_vars/prom/prometheus/switch.yml
+++ b/group_vars/prom/prometheus/switch.yml
@ -0,0 +1,91 @@
+---
+prometheus__rules_switch:
+  - alert: SwitchPromiscuousChange
+    expr:
+      changes(ifPromiscuousMode[5m]) > 0
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchInterfaceUpChange
+    expr:
+      changes(ifOperStatus{ifOperStatus="up"}[5m]) > 0
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchInErrors
+    expr:
+      irate(ifInErrors[5m]) / (
+        irate(ifInUcastPkts[5m])
+        + irate(ifInNUcastPkts[5m])
+      ) > 0.0001
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      ErrorRate: !unsafe "{{ $value | humanizePercentage }}"
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchOutErrors
+    expr:
+      irate(ifOutErrors[5m]) / (
+        irate(ifOutUcastPkts[5m])
+        + irate(ifOutNUcastPkts[5m])
+      ) > 0.0001
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      ErrorRate: !unsafe "{{ $value | humanizePercentage }}"
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchInLinkUsage
+    expr:
+      rate(ifHCInOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.5
+    for: 5m
+    keep_firing_for: 10m
+    labels:
+      severity: warning
+    annotations:
+      Usage: !unsafe "{{ $value | humanizePercentage }}"
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchInLinkUsage
+    expr:
+      rate(ifHCInOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.8
+    for: 5m
+    keep_firing_for: 10m
+    labels:
+      severity: critical
+    annotations:
+      Usage: !unsafe "{{ $value | humanizePercentage }}"
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchOutLinkUsage
+    expr:
+      rate(ifHCOutOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.5
+    for: 5m
+    keep_firing_for: 10m
+    labels:
+      severity: warning
+    annotations:
+      Usage: !unsafe "{{ $value | humanizePercentage }}"
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchOutLinkUsage
+    expr:
+      rate(ifHCOutOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.8
+    for: 5m
+    keep_firing_for: 10m
+    labels:
+      severity: warning
+    annotations:
+      Usage: !unsafe "{{ $value | humanizePercentage }}"
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+...
--- a/group_vars/prom/prometheus_snmp/eaton.yml
+++ b/group_vars/prom/prometheus_snmp/eaton.yml
@ -0,0 +1,40 @@
+---
+prometheus_snmp__modules_eaton:
+  version: 1
+  auth:
+    community: "{{ vault_snmp_eaton_community }}"
+  walk:
+    - sysUpTime
+    #- upsBattery
+    - xupsInput
+    - xupsOutput
+    - xupsBypass
+    - xupsEnvironment
+    - xupsBattery
+    - xupsConfig
+  lookups:
+    - source_indexes:
+        - xupsInputPhase
+      lookup: xupsInputName
+    - source_indexes:
+        - xupsOutputPhase
+      lookup: xupsOutputName
+    - source_indexes:
+        - xupsBypassPhase
+      lookup: xupsBypassName
+  overrides:
+    upsBatteryStatus:
+      type: EnumAsStateSet
+    xupsInputId:
+      type: EnumAsStateSet
+    xupsOutputId:
+      type: EnumAsStateSet
+    xupsBypassId:
+      type: EnumAsStateSet
+    xupsOutputSource:
+      type: EnumAsStateSet
+    xupsBatteryAbmStatus:
+      type: EnumAsStateSet
+    xupsContactType:
+      type: EnumAsStateSet
+...
--- a/group_vars/prom/prometheus_snmp/ilo.yml
+++ b/group_vars/prom/prometheus_snmp/ilo.yml
@ -0,0 +1,19 @@
+---
+prometheus_snmp__modules_ilo:
+  version: 3
+  timeout: 10s
+  retries: 10
+  auth:
+    security_level: authPriv
+    auth_protocol: SHA
+    username: aurore
+    password: "{{ vault_snmp_ilo_auth }}"
+    priv_protocol: AES
+    priv_password: "{{ vault_snmp_ilo_priv }}"
+  walk:
+    - sysUpTime
+    - cpqHeTemperatureTable
+  overrides:
+    cpqHeTemperatureThresholdType:
+      type: EnumAsStateSet
+...
--- a/group_vars/prom/prometheus_snmp/main.yml
+++ b/group_vars/prom/prometheus_snmp/main.yml
@ -0,0 +1,6 @@
+---
+prometheus_snmp__modules:
+  quanta: "{{ prometheus_snmp__modules_quanta }}"
+  ilo: "{{ prometheus_snmp__modules_ilo }}"
+  eaton: "{{ prometheus_snmp__modules_eaton }}"
+...
--- a/group_vars/prom/prometheus_snmp/quanta.yml
+++ b/group_vars/prom/prometheus_snmp/quanta.yml
@ -0,0 +1,125 @@
+---
+prometheus_snmp__modules_quanta:
+  auth:
+    community: "{{ vault_snmp_quanta_community }}"
+  timeout: 60s
+  retries: 3
+  walk:
+    - interfaces
+    - ifXTable
+    - snAgGblQueueOverflow
+    - snAgGblDynMemTotal
+    - snAgGblDynMemFree
+    - snAgGblCpuUtil1SecAvg
+    - snAgGblCpuUtil5SecAvg
+    - snAgGblCpuUtil1MinAvg
+    - sysUpTime
+    - snAgentCpuUtilPercent
+    - snAgent
+    - snChasFan
+    - snChasPwr
+    - snAgentTemp
+    - snAgentCpu
+    - snSwInfo
+    - snSwIfInfoTable
+    - dot3StatsTable
+    - dot3HCStatsTable
+    - dot3Errors
+    - dot3Tests
+    - dot3CollTable
+    - lldpLocChassisId
+    - lldpRemTable
+    - lldpLocPortTable
+    - dot1dBasePort
+  lookups:
+    - source_indexes:
+        - ifIndex
+      lookup: ifAlias
+    - source_indexes:
+        - ifIndex
+      lookup: ifDescr
+    - source_indexes:
+        - ifIndex
+      lookup: ifName
+    - source_indexes:
+        - snChasFanIndex
+      lookup: snChasFanDescription
+    - source_indexes:
+        - snAgentTempSlotNum
+        - snAgentTempSensorId
+      lookup: snAgentTempSensorDescr
+    - source_indexes:
+        - snSwIfInfoPortNum
+      lookup: snSwIfName
+    - source_indexes:
+        - snSwIfInfoPortNum
+      lookup: snSwIfDescr
+    - source_indexes:
+        - dot3StatsIndex
+      lookup: ifAlias
+    - source_indexes:
+        - dot3StatsIndex
+      lookup: ifDescr
+    - source_indexes:
+        - dot3StatsIndex
+      lookup: ifName
+    - source_indexes:
+        - lldpRemTimeMark
+        - lldpRemLocalPortNum
+        - lldpRemIndex
+      lookup: lldpRemChassisId
+    #- source_indexes:
+    #    - lldpLocPortNum
+    #  lookup: lldpLocPortIdSubtype
+  overrides:
+    ifIndex:
+      ignore: true
+    ifAlias:
+      ignore: true
+    ifDescr:
+      ignore: true
+    ifName:
+      ignore: true
+    ifOperStatus:
+      type: EnumAsStateSet
+    ifAdminStatus:
+      type: EnumAsStateSet
+    snChasFanIndex:
+      ignore: true
+    snChasFanDescription:
+      ignore: true
+    snChasPwrSupplyIndex:
+      ignore: true
+    snAgentTempSensorDescr:
+      ignore: true
+    snChasFanOperStatus:
+      type: EnumAsStateSet
+    snChasPwrSupplyOperStatus:
+      type: EnumAsStateSet
+    snSwIfName:
+      ignore: true
+    snSwIfDescr:
+      ignore: true
+    snSwIfVlanId:
+      ignore: true
+    snSwIfInfoPortNum:
+      ignore: true
+    snSwIfInfoMonitorMode:
+      type: EnumAsStateSet
+    snSwIfInfoMirrorPorts:
+      ignore: true
+    snSwIfInfoMediaType:
+      type: EnumAsInfo
+    ifType:
+      type: EnumAsInfo
+    dot3StatsIndex:
+      ignore: true
+    dot3StatsEtherChipSet:
+      ignore: true
+    dot3StatsDuplexStatus:
+      type: EnumAsStateSet
+    lldpLocPortIdSubtype:
+      type: EnumAsInfo
+    lldpRemPortIdSubtype:
+      type: EnumAsInfo
+...
--- a/group_vars/pve/pve_auth.yml
+++ b/group_vars/pve/pve_auth.yml
@ -0,0 +1,31 @@
+---
+pve_auth__groups:
+  admin:
+    - Administrator
+
+pve_auth__pam_users:
+  root:
+    enabled: false
+
+pve_auth__users:
+  elkmaennchen:
+    password: "{{ vault_pve_passwords.elkmaennchen }}"
+    groups:
+      - admin
+  jeltz:
+    password: "{{ vault_pve_passwords.jeltz }}"
+    groups:
+      - admin
+  korenstin:
+    password: "{{ vault_pve_passwords.korenstin }}"
+    groups:
+      - admin
+  otthorn:
+    password: "{{ vault_pve_passwords.otthorn }}"
+    groups:
+      - admin
+  v-lafeychine:
+    password: "{{ vault_pve_passwords['v-lafeychine'] }}"
+    groups:
+      - admin
+...
--- a/group_vars/radius/freeradius.yml
+++ b/group_vars/radius/freeradius.yml
@ -0,0 +1,17 @@
+---
+radiusd__guest_vlan: 1000
+
+radiusd__clients:
+  localhost:
+    addr: 127.0.0.1
+    secret: abcdef
+    type: aurore
+  wifi-ap-v4:
+    addr: 10.102.0.0/16
+    secret: abcdef
+    type: aurore
+  wifi-ap-v6:
+    addr: 2a09:6840:102::/56
+    secret: abcdef
+    type: aurore
+...
--- a/group_vars/reverseproxy.yml
+++ b/group_vars/reverseproxy.yml
@ -1,3 +1,4 @@
+---
 loc_nginx:
  servers: []

--- a/group_vars/router/prometheus.yml
+++ b/group_vars/router/prometheus.yml
@ -0,0 +1,3 @@
+---
+prometheus_keepalived__dest: /var/run/prometheus-node-exporter/keepalived.prom
+... 
--- a/group_vars/switch.yml
+++ b/group_vars/switch.yml
@ -0,0 +1,12 @@
+---
+glob_switch:
+  loop_protect:
+    port_disable_timer_in_seconds: 30
+    transmit_interval_in_seconds: 3
+  sntp:
+    operation_mode: SNTP_UNICAST_MODE
+    poll_interval: 720
+    servers:
+      - ip: 10.206.1.5
+        priority: 1
+...
--- a/group_vars/vpn/bird.yml
+++ b/group_vars/vpn/bird.yml
@ -0,0 +1,60 @@
+---
+bird__tables:
+  - wg
+
+bird__kernel:
+  kernel:
+    learn: true
+    import: accept
+    export: accept
+  vrf:
+    learn: true
+    import:
+      sources:
+        - "{{ iproute2__custom_protos.wireguard }}"
+    export: accept
+    table: wg
+    kernel: "{{ iproute2__custom_tables.wireguard }}"
+
+bird__ospf:
+  limits:
+    import: 4000
+    export: 4000
+  table: wg
+  import: accept
+  export:
+    sources:
+      - "{{ iproute2__custom_protos.wireguard }}"
+  areas:
+    1:
+      broadcast:
+        - vpn0
+
+bird__bgp:
+  infra1:
+    local:
+      address: "{{ bird__bgp_addr.vpn }}"
+      as: "{{ bird__as.aurore }}"
+    neighbor:
+      address:
+        - 2a09:6840:213::1:1
+        - 10.213.1.1
+      as: "{{ bird__as.aurore }}"
+    table: wg
+    import: accept
+    export: reject
+    next_hop_self: true
+  infra2:
+    local:
+      address: "{{ bird__bgp_addr.vpn }}"
+      as: "{{ bird__as.aurore }}"
+    neighbor:
+      address:
+        - 2a09:6840:213::1:2
+        - 10.213.1.2
+      as: "{{ bird__as.aurore }}"
+    table: wg
+    import: accept
+    export: reject
+    next_hop_self: true
+...
--- a/group_vars/vpn/ifupdown2.yml
+++ b/group_vars/vpn/ifupdown2.yml
@ -0,0 +1,16 @@
+---
+ifupdown2__vrf:
+  wg-vrf:
+    table: "{{ iproute2__custom_tables.wireguard }}"
+
+ifupdown2__wireguard:
+  wg0:
+    private_key: "{{ vault_wireguard_wg0_private }}"
+    listen_port: 5121
+    vrf: wg-vrf
+    table: "{{ iproute2__custom_tables.wireguard }}"
+    peer_allowed_addresses:
+      - 2a09:6840:212::1:1/128
+      - 10.212.1.1/32
+    peer_public_key: 0kP/XjaGOpu4p9KHTAoAhkLwXzC8wJUdPIdhdpgeKhY=
+...
--- a/group_vars/vpn/iproute2.yml
+++ b/group_vars/vpn/iproute2.yml
@ -0,0 +1,7 @@
+---
+iproute2__custom_tables:
+  wireguard: 2000
+
+iproute2__custom_protos:
+  wireguard: 200
+...
--- a/host_vars/bdd-ovh.adm.auro.re.yml
+++ b/host_vars/bdd-ovh.adm.auro.re.yml
@ -1,70 +0,0 @@
---
-postgresql:
-  version: 13
-
-postgresql_hosts:
-  - database: etherpad
-    user: etherpad
-    net: 10.128.0.150/32
-    method: md5
-  - database: codimd
-    user: codimd
-    net: 10.128.0.150/32
-    method: md5
-  - database: synapse
-    user: synapse
-    net: 10.128.0.56/32
-    method: md5
-  - database: kanboard
-    user: kanboard
-    net: 10.128.0.150/32
-    method: md5
-  - database: grafana
-    user: grafana
-    net: 10.128.0.150/32
-    method: md5
-  - database: cas
-    user: cas
-    net: 10.128.0.150/32
-    method: md5
-
-postgresql_databases:
-  - synapse
-  - codimd
-  - etherpad
-  - kanboard
-  - grafana
-  - cas
-
-postgresql_users:
-  - name: synapse
-    database: synapse
-    password: "{{ postgresql_synapse_passwd }}"
-    privs:
-      - ALL
-  - name: codimd
-    database: codimd
-    password: "{{ postgresql_codimd_passwd }}"
-    privs:
-      - ALL
-  - name: etherpad
-    database: etherpad
-    password: "{{ postgresql_etherpad_passwd }}"
-    privs:
-      - ALL
-  - name: kanboard
-    database: kanboard
-    password: "{{ postgresql_kanboard_passwd }}"
-    privs:
-      - ALL
-  - name: grafana
-    database: grafana
-    password: "{{ postgresql_grafana_passwd }}"
-    privs:
-      - ALL
-  - name: cas
-    database: cas
-    password: "{{ postgresql_cas_passwd }}"
-    privs:
-      - ALL
-...
--- a/host_vars/bdd.adm.auro.re.yml
+++ b/host_vars/bdd.adm.auro.re.yml
@ -1,50 +0,0 @@
---
-postgresql:
-  version: 13
-
-postgresql_hosts:
-  - database: nextcloud
-    user: nextcloud
-    net: 10.128.0.58/32
-    method: md5
-  - database: gitea
-    user: gitea
-    net: 10.128.0.60/32
-    method: md5
-  - database: wikijs
-    user: wikijs
-    net: 10.128.0.66/32
-    method: md5
-  - database: drone
-    user: drone
-    net: 10.128.0.64/32
-    method: md5
-
-postgresql_databases:
-  - nextcloud
-  - gitea
-  - wikijs
-  - drone
-
-postgresql_users:
-  - name: nextcloud
-    database: nextcloud
-    password: "{{ postgresql_nextcloud_passwd }}"
-    privs:
-      - ALL
-  - name: gitea
-    database: gitea
-    password: "{{ postgresql_gitea_passwd }}"
-    privs:
-      - ALL
-  - name: wikijs
-    database: wikijs
-    password: "{{ postgresql_wikijs_passwd }}"
-    privs:
-      - ALL
-  - name: drone
-    database: drone
-    password: "{{ postgresql_drone_passwd }}"
-    privs:
-      - ALL
-...
--- a/host_vars/collabora.ext.infra.auro.re.yml
+++ b/host_vars/collabora.ext.infra.auro.re.yml
@ -0,0 +1,22 @@
+---
+systemd_link__links:
+  pub0: ae:ae:ae:2C:60:35
+
+ifupdown2__interfaces:
+  pub0:
+    addresses:
+      - 2a09:6840:128::220/64
+      - 10.128.0.220/16
+    gateways: "{{ ifupdown2__gateways.adm }}"
+
+collabora__server_name: office.auro.re
+
+collabora__post_allow_addrs:
+  - 2a09:6840:215::1:1
+  - 45.66.111.206
+
+collabora__wopi_groups:
+  - host: https://cloud.auro.re:443
+    aliases:
+      - https://nextcloud.auro.re:443
+...
--- a/host_vars/dhcp-1.isp.infra.auro.re.yml
+++ b/host_vars/dhcp-1.isp.infra.auro.re.yml
@ -0,0 +1,47 @@
+---
+systemd_link__links:
+  isp0: 02:00:00:c6:3f:6f
+  trunk0: 02:00:00:b1:8d:d6
+
+ifupdown2__interfaces:
+  isp0:
+    addresses:
+      - 2a09:6840:210::1:1/64
+      - 10.210.1.1/16
+    gateways: "{{ ifupdown2__gateways.isp }}"
+  trunk0:
+    ipv6_addrgen: false
+  clients0:
+    bridge_vlan_aware: true
+    bridge_ports:
+      - trunk0
+    bridge_vids:
+      - 1000-1004
+    bridge_disable_pvid: true
+    ipv6_addrgen: false
+  client0:
+    addresses:
+      - 100.64.0.2/27
+    vlan_id: 1000
+    vlan_raw_device: clients0
+  client1:
+    addresses:
+      - 100.64.0.34/27
+    vlan_id: 1001
+    vlan_raw_device: clients0
+  client2:
+    addresses:
+      - 100.64.0.66/27
+    vlan_id: 1002
+    vlan_raw_device: clients0
+  client3:
+    addresses:
+      - 100.64.0.98/27
+    vlan_id: 1003
+    vlan_raw_device: clients0
+  client4:
+    addresses:
+      - 100.64.0.130/27
+    vlan_id: 1004
+    vlan_raw_device: clients0
+...
--- a/host_vars/dhcp-2.isp.infra.auro.re.yml
+++ b/host_vars/dhcp-2.isp.infra.auro.re.yml
@ -0,0 +1,47 @@
+---
+systemd_link__links:
+  isp0: 04:00:00:8c:d1:36
+  trunk0: 04:00:00:33:2c:3c
+
+ifupdown2__interfaces:
+  isp0:
+    addresses:
+      - 2a09:6840:210::1:2/64
+      - 10.210.1.2/16
+    gateways: "{{ ifupdown2__gateways.isp }}"
+  trunk0:
+    ipv6_addrgen: false
+  clients0:
+    bridge_vlan_aware: true
+    bridge_ports:
+      - trunk0
+    bridge_vids:
+      - 1000-1004
+    bridge_disable_pvid: true
+    ipv6_addrgen: false
+  client0:
+    addresses:
+      - 100.64.0.3/27
+    vlan_id: 1000
+    vlan_raw_device: clients0
+  client1:
+    addresses:
+      - 100.64.0.35/27
+    vlan_id: 1001
+    vlan_raw_device: clients0
+  client2:
+    addresses:
+      - 100.64.0.67/27
+    vlan_id: 1002
+    vlan_raw_device: clients0
+  client3:
+    addresses:
+      - 100.64.0.99/27
+    vlan_id: 1003
+    vlan_raw_device: clients0
+  client4:
+    addresses:
+      - 100.64.0.131/27
+    vlan_id: 1004
+    vlan_raw_device: clients0
+...
--- a/host_vars/dns-1.int.infra.auro.re.yml
+++ b/host_vars/dns-1.int.infra.auro.re.yml
@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  int0: 02:00:00:9f:d9:f9
+
+ifupdown2__interfaces:
+  int0:
+    addresses:
+      - 2a09:6840:206::1:1/64
+      - 10.206.1.1/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...
--- a/host_vars/dns-2.int.infra.auro.re.yml
+++ b/host_vars/dns-2.int.infra.auro.re.yml
@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  int0: 04:00:00:3c:c0:5a
+
+ifupdown2__interfaces:
+  int0:
+    addresses:
+      - 2a09:6840:206::1:2/64
+      - 10.206.1.2/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...
--- a/host_vars/edge-1.back.infra.auro.re.yml
+++ b/host_vars/edge-1.back.infra.auro.re.yml
@ -0,0 +1,39 @@
+---
+systemd_link__links:
+  adm0: 02:00:00:9E:3E:21
+  crans0: 02:00:00:A2:7C:68
+  zayo0: 02:00:00:35:89:82
+  rezel0: 02:00:00:8F:4A:AD
+  back0: 02:00:00:1C:3A:2E
+  viarezo0: 02:00:00:ED:70:64
+  router0: 02:00:00:5A:17:7C
+  oti0: 02:00:00:05:0E:A6
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:2/64
+      - 10.128.10.2/16
+  crans0:
+    ipv6_addrgen: false
+  zayo0:
+    ipv6_addrgen: false
+  rezel0:
+    addresses:
+      - 2a09:6842:19:9116::1/64
+      - 45.66.111.1/29
+  back0:
+    addresses:
+      - 2a09:6840:203::1:1/64
+      - 10.203.1.1/16
+  viarezo0:
+    addresses:
+      - 2a0c:b641:2ff::6/125
+      - 192.159.121.133/29
+  router0:
+    addresses:
+      - 2a09:6840:129::10:2/56
+      - 10.129.10.2/16
+  oti0:
+    ipv6_addrgen: false
+...
--- a/host_vars/edge-2.back.infra.auro.re.yml
+++ b/host_vars/edge-2.back.infra.auro.re.yml
@ -0,0 +1,39 @@
+---
+systemd_link__links:
+  adm0: 04:00:00:F5:69:B9
+  crans0: 04:00:00:CF:E1:D0
+  zayo0: 04:00:00:67:7B:12
+  rezel0: 04:00:00:C6:05:B7
+  back0: 04:00:00:DE:22:E6
+  viarezo0: 04:00:00:45:FA:E6
+  router0: 04:00:00:AD:D7:71
+  oti0: 02:00:00:05:0E:A6
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:102/64
+      - 10.128.10.102/16
+  crans0:
+    ipv6_addrgen: false
+  zayo0:
+    ipv6_addrgen: false
+  rezel0:
+    addresses:
+      - 2a09:6842:19:9116::3/64
+      - 45.66.111.3/29
+  back0:
+    addresses:
+      - 2a09:6840:203::1:2/64
+      - 10.203.1.2/16
+  viarezo0:
+    addresses:
+      - 2a0c:b641:2ff::7/125
+      - 192.159.121.134/29
+  router0:
+    addresses:
+      - 2a09:6840:129::10:102/56
+      - 10.129.10.102/16
+  oti0:
+    ipv6_addrgen: false
+...
--- a/host_vars/infra-1.back.infra.auro.re.yml
+++ b/host_vars/infra-1.back.infra.auro.re.yml
@ -0,0 +1,63 @@
+---
+systemd_link__links:
+  ups0: 02:00:00:fe:6f:0e
+  back0: 02:00:00:f8:93:22
+  monit0: 02:00:00:da:97:7f
+  wifi0: 02:00:00:8c:c5:bf
+  int0: 02:00:00:75:40:3e
+  sw0: 02:00:00:ca:e8:d1
+  bmc0: 02:00:00:47:d1:b9
+  pve0: 02:00:00:b3:35:e7
+  isp0: 02:00:00:6b:53:14
+  ext0: 02:00:00:32:86:60
+  vpn0: 02:00:00:52:5f:85
+  th30: 02:00:00:23:a7:d3
+  pub0: 02:00:00:7d:34:06
+
+ifupdown2__interfaces:
+  back0:
+    addresses:
+      - 2a09:6840:203::1:3/64
+      - 10.203.1.3/16
+      - 45.66.111.210/32 # secondary
+  ups0:
+    ipv6_addrgen: false
+  monit0:
+    ipv6_addrgen: false
+  wifi0:
+    ipv6_addrgen: false
+  int0:
+    ipv6_addrgen: false
+  sw0:
+    ipv6_addrgen: false
+  bmc0:
+    ipv6_addrgen: false
+  pve0:
+    ipv6_addrgen: false
+  isp0:
+    ipv6_addrgen: false
+  ext0:
+    ipv6_addrgen: false
+  pub0:
+    ipv6_addrgen: false
+  vpn0:
+    addresses:
+      - 2a09:6840:213::1:1/64
+      - 10.213.1.1/16
+  th30:
+    ipv6_addrgen: false
+
+bird__router_id: 10.203.1.3
+
+bird__bgp_addr:
+  back:
+    - 2a09:6840:203::1:3
+    - 10.203.1.3
+  vpn:
+    - 2a09:6840:213::1:1
+    - 10.213.1.1
+
+bird__pref_src_addr:
+  - 2a09:6840:203::1:3
+  - 45.66.111.210
+...
--- a/host_vars/infra-2.back.infra.auro.re.yml
+++ b/host_vars/infra-2.back.infra.auro.re.yml
@ -0,0 +1,63 @@
+---
+systemd_link__links:
+  ups0: 04:00:00:6d:97:83
+  back0: 04:00:00:46:ba:f9
+  monit0: 04:00:00:72:0b:2d
+  wifi0: 04:00:00:ee:42:0f
+  int0: 04:00:00:21:fd:d0
+  sw0: 04:00:00:2e:5b:16
+  bmc0: 04:00:00:bb:5a:a6
+  pve0: 04:00:00:0b:2b:82
+  isp0: 04:00:00:f4:4c:5d
+  ext0: 04:00:00:1d:0e:83
+  vpn0: 04:00:00:02:ba:dd
+  th30: 04:00:00:9e:8d:4f
+  pub0: 04:00:00:f8:3b:9b
+
+ifupdown2__interfaces:
+  back0:
+    addresses:
+      - 2a09:6840:203::1:4/64
+      - 10.203.1.4/16
+      - 45.66.111.211/32 # secondary
+  ups0:
+    ipv6_addrgen: false
+  monit0:
+    ipv6_addrgen: false
+  wifi0:
+    ipv6_addrgen: false
+  int0:
+    ipv6_addrgen: false
+  sw0:
+    ipv6_addrgen: false
+  bmc0:
+    ipv6_addrgen: false
+  pve0:
+    ipv6_addrgen: false
+  isp0:
+    ipv6_addrgen: false
+  ext0:
+    ipv6_addrgen: false
+  vpn0:
+    addresses:
+      - 2a09:6840:213::1:2/64
+      - 10.213.1.2/16
+  th30:
+    ipv6_addrgen: false
+  pub0:
+    ipv6_addrgen: false
+
+bird__router_id: 10.203.1.4
+
+bird__bgp_addr:
+  back:
+    - 2a09:6840:203::1:4
+    - 10.203.1.4
+  vpn:
+    - 2a09:6840:213:1:2
+    - 10.213.1.2
+
+bird__pref_src_addr:
+  - 2a09:6840:203::1:4
+  - 45.66.111.211
+...
--- a/host_vars/isp-1.back.infra.auro.re.yml
+++ b/host_vars/isp-1.back.infra.auro.re.yml
@ -0,0 +1,59 @@
+---
+systemd_link__links:
+  adm0: 02:00:00:D8:37:45
+  back0: 02:00:00:BF:10:4C
+  trunk0: 02:00:00:E9:BA:15
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:5/64
+      - 10.128.10.5/16
+    gateways: "{{ ifupdown2__gateways.adm }}"
+  back0:
+    addresses:
+      - 2a09:6840:203::1:5/64
+      - 45.66.111.211/32
+      - 10.203.1.5/16
+  trunk0:
+    ipv6_addrgen: false
+  clients0:
+    bridge_vlan_aware: true
+    bridge_ports:
+      - trunk0
+    bridge_vids:
+      - 1000-1004
+    bridge_disable_pvid: true
+    ipv6_addrgen: false
+  client0:
+    vlan_id: 1000
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client1:
+    vlan_id: 1001
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client2:
+    vlan_id: 1002
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client3:
+    vlan_id: 1003
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client4:
+    vlan_id: 1004
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+
+bird__router_id: 10.203.1.5
+
+bird__bgp_addr:
+  back:
+    - 2a09:6840:203::1:5
+    - 10.203.1.5
+
+bird__pref_src_addr:
+  - 2a09:6840:203::1:5
+  - 45.66.111.211
+...
--- a/host_vars/isp-2.back.infra.auro.re.yml
+++ b/host_vars/isp-2.back.infra.auro.re.yml
@ -0,0 +1,47 @@
+---
+systemd_link__links:
+  adm0: 04:00:00:85:C3:5D
+  back0: 04:00:00:FE:2D:67
+  trunk0: 04:00:00:D8:F5:4D
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:105/64
+      - 10.128.10.105/16
+    gateways: "{{ ifupdown2__gateways.adm }}"
+  back0:
+    addresses:
+      - 2a09:6840:203::1:6/64
+      - 10.203.1.6/16
+  trunk0:
+    ipv6_addrgen: false
+  clients0:
+    bridge_vlan_aware: true
+    bridge_ports:
+      - trunk0
+    bridge_vids:
+      - 1000-1004
+    bridge_disable_pvid: true
+    ipv6_addrgen: false
+  client0:
+    vlan_id: 1000
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client1:
+    vlan_id: 1001
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client2:
+    vlan_id: 1002
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client3:
+    vlan_id: 1003
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client4:
+    vlan_id: 1004
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+...
--- a/host_vars/ldap-1.int.infra.auro.re.yml
+++ b/host_vars/ldap-1.int.infra.auro.re.yml
@ -0,0 +1,16 @@
+---
+systemd_link__links:
+  adm0: 02:00:00:38:c2:52
+  int0: 02:00:00:fe:a8:54
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:8/64
+      - 10.128.10.8/16
+  int0:
+    addresses:
+      - 2a09:6840:206::1:3/64
+      - 10.206.1.7/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...
--- a/host_vars/ldap-2.int.infra.auro.re.yml
+++ b/host_vars/ldap-2.int.infra.auro.re.yml
@ -0,0 +1,16 @@
+---
+systemd_link__links:
+  adm0: 04:00:00:f7:1c:47
+  int0: 04:00:00:e4:83:d2
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:108/64
+      - 10.128.10.108/16
+  int0:
+    addresses:
+      - 2a09:6840:206::1:4/64
+      - 10.206.1.8/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...
--- a/host_vars/log.adm.auro.re.yml
+++ b/host_vars/log.adm.auro.re.yml
@ -10,5 +10,7 @@ rsyslog_inputs:
    port: 20514
  - proto: udp
    port: 514
+  - proto: tcp
+    port: 6514
 rsyslog_outputs: []
 ...
--- a/host_vars/mx.test.infra.auro.re.yml
+++ b/host_vars/mx.test.infra.auro.re.yml
@ -0,0 +1,38 @@
+---
+dovecot__auth_default_realm: test.auro.re
+dovecot__auth_users:
+  jeltz@test.auro.re: "{plain}password"
+  lafeych@test.auro.re: "{plain}password"
+  toto@test.auro.re: "{plain}password"
+  root@test.auro.re: "{plain}L9yXSrCbbafMlMls5q7WWMKC612XNbXL"
+dovecot__lmtp_postmaster_address: postmaster@test.auro.re
+
+ifupdown2__interfaces:
+  ext0:
+    addresses:
+      - 2a09:6840:211::1:5/64
+      - 10.211.1.5/16
+      - 45.66.111.208/30
+    gateways: "{{ ifupdown2__gateways.ext }}"
+
+postfix__hostname: mx.test.auro.re
+
+postfix__sasl_local_domain: test.auro.re
+
+postfix__virtual_aliases:
+  postmaster@test.auro.re: root@test.auro.re
+  dmarc@test.auro.re: root@test.auro.re
+
+postfix__virtual_mailbox_domains:
+ - infra.test.auro.re
+ - test.auro.re
+
+postfix__virtual_mailboxes:
+  jeltz@test.auro.re: jeltz@test.auro.re
+  root@test.auro.re: root@test.auro.re
+  toto@test.auro.re: toto@test.auro.re
+  vincent.lafeychine@test.auro.re: lafeych@test.auro.re
+
+systemd_link__links:
+  ext0: ae:ae:ae:1d:c8:b2
+...
--- a/host_vars/ns-1.pub.infra.auro.re.yml
+++ b/host_vars/ns-1.pub.infra.auro.re.yml
@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  pub0: 02:00:00:ad:62:64
+
+ifupdown2__interfaces:
+  pub0:
+    addresses:
+      - 2a09:6840:215::1:2/64
+      - 45.66.111.205/27
+    gateways: "{{ ifupdown2__gateways.pub }}"
+...
--- a/host_vars/ns-2.pub.infra.auro.re.yml
+++ b/host_vars/ns-2.pub.infra.auro.re.yml
@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  pub0: 04:00:00:1b:0a:3a
+
+ifupdown2__interfaces:
+  pub0:
+    addresses:
+      - 2a09:6840:215::1:3/64
+      - 45.66.111.207/27
+    gateways: "{{ ifupdown2__gateways.pub }}"
+...
--- a/host_vars/ns-3.ovh.infra.auro.re.yml
+++ b/host_vars/ns-3.ovh.infra.auro.re.yml
@ -0,0 +1,29 @@
+---
+systemd_link__links:
+  adm0: 96:77:96:91:e3:6c
+  ovh0: 02:00:00:97:78:6d
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::109/64
+      - 10.128.0.109/16
+  ovh0:
+    addresses:
+      - 92.222.211.194/24
+    gateways: "{{ ifupdown2__gateways.ovh }}"
+
+# TODO: remove as soon as the VPN works
+knotd__remotes:
+  xfr-master:
+    address: 2a09:6840:128::110
+    key: xfr
+
+knotd__acl:
+  notify-master:
+    address:
+      - 2a09:6840:128::110
+      - 10.128.0.110
+    key: xfr
+    action: notify
+...
--- a/host_vars/ns-master.int.infra.auro.re/knotd.yml
+++ b/host_vars/ns-master.int.infra.auro.re/knotd.yml
@ -0,0 +1,617 @@
+---
+knotd__listen:
+  - address: 0.0.0.0
+  - address: "::"
+
+knotd__keys:
+  xfr:
+    algorithm: hmac-sha512
+    secret: "{{ vault_knotd_xfr_key }}"
+  ksk-infra:
+    algorithm: hmac-sha512
+    secret: "{{ vault_knotd_ksk_infra_key }}"
+  update-acme-challenge:
+    algorithm: hmac-sha512
+    secret: "{{ vault_certbot_dns_secret }}"
+
+knotd__remotes:
+  xfr-ns-1:
+    address: 2a09:6840:215::1:2
+    key: xfr
+  xfr-ns-2:
+    address: 2a09:6840:215::1:3
+    key: xfr
+  xfr-ns-3:
+    address: 10.128.0.109
+    key: xfr
+  ksk-infra:
+    address: ::1
+    key: ksk-infra
+
+knotd__policies:
+  public:
+    algorithm: ECDSAP256SHA256
+    reproducible_signing: true
+    # Je n'ai pas trouvé de façon de pousser les records automatiquement
+    # sur .re, donc pour éviter d'oublier de le faire manuellement, la
+    # KSK n'expire pas
+    ksk_lifetime: 0
+    zsk_lifetime: 30d
+    nsec3: true
+  infra:
+    algorithm: ECDSAP256SHA256
+    ksk_lifetime: 365d
+    zsk_lifetime: 30d
+    nsec3: on
+    ds-push: ksk-infra
+    cds-cdnskey-publish: rollover
+    ksk-submission: infra
+  ripe:
+    algorithm: ECDSAP256SHA256
+    ksk_lifetime: 365d
+    zsk_lifetime: 30d
+    nsec3: on
+    ds-push: ksk-ripe
+    cds-cdnskey-publish: rollover
+    ksk-submission: ripe
+
+knotd__acl:
+  xfr:
+    addresses:
+      - 2a09:6840:128::109
+      - 10.128.0.109
+      - 2a09:6840:215::1:2
+      - 45.66.111.205
+      - 2a09:6840:215::1:3
+      - 45.66.111.207
+    action: transfer
+    key: xfr
+  ksk-infra:
+    addresses:
+      - 127.0.0.1
+      - ::1
+    key: ksk-infra
+    action: update
+    update_types:
+      - DS
+    update_owner: name
+    update_owner_match: equal
+    update_owner_name:
+      - infra
+  update-acme-challenge:
+    addresses:
+      - 10.128.0.0/16
+      - 2a09:6840:128::/48
+    key: update-acme-challenge
+    action: update
+    update_types:
+      - TXT
+    update_owner: name
+    update_owner_match: equal
+    update_owner_name:
+      - _acme-challenge.auro.re.
+
+knotd__queryacl:
+  local:
+    addresses:
+      - 10.0.0.0/8
+
+knotd__soa_rname: root@auro.re.
+
+knotd__hosts:
+  auro.re:
+    proxy-ovh:
+      - 92.222.211.195
+    horus:
+      - 92.23.218.136
+    ns-1:
+      - 45.66.111.205
+      - 2a09:6840:215::1:2
+    ns-2:
+      - 92.222.211.194
+    serge:
+      - 92.222.211.196
+    lama:
+      - 185.230.78.220
+      - 2a0c:700:12:0:67:e5ff:fee9:108
+    vpn-ovh:
+      - 92.222.211.197
+    passerelle:
+      - 45.66.111.254
+      - 2a09:6840:111::254
+    proxy:
+      - 45.66.111.61
+      - 2a09:6840:111::61
+    camelot:
+      - 45.66.111.59
+      - 2a09:6840:111::59
+    mail:
+      - 45.66.111.62
+      - 2a09:6840:111::62
+    galene:
+      - 45.66.111.65
+      - 2a09:6840:111::65
+    aclyas:
+      - 45.66.111.231
+      - 2a09:6840:111::231
+    jitsi:
+      - 45.66.111.55
+      - 2a09:6840:111::55
+    jitsi-ng:
+      - 45.66.111.216
+      - 2a09:6840:215::1:216
+    portail-fleming:
+      - 10.13.0.247
+      - 2a09:6840:13::247
+    portail-pacaterie:
+      - 10.23.0.247
+      - 2a09:6840:23::247
+    portail-rives:
+      - 10.33.0.247
+      - 2a09:6840:33::247
+    portail-edc:
+      - 10.43.0.247
+      - 2a09:6840:43::247
+    portail-gs:
+      - 10.53.0.247
+      - 2a09:6840:53::247
+
+  adh.auro.re:
+    paon:
+      - 45.66.110.10
+      - 2a09:6840:110:0:231:92ff:fe1b:ae22
+    lyshyga0:
+      - 45.66.110.113
+      - 2a09:6840:110:0:6af7:28ff:fe91:e8d9
+    pz28910:
+      - 45.66.110.114
+    vinsing0:
+      - 45.66.110.123
+      - 2a09:6840:110:0:1e1b:dff:fe90:7d81
+    osc-routeur:
+      - 45.66.110.125
+      - 2a09:6840:110:0:ba27:ebff:fe2d:c1a1
+    odroid:
+      - 45.66.110.154
+      - 2a09:6840:110:0:21e:6ff:fe49:e00
+    amau0:
+      - 45.66.110.164
+      - 2a09:6840:110:0:3e7c:3fff:fec3:27d1
+    regulus:
+      - 45.66.110.180
+      - 2a09:6840:110:0:2ef0:5dff:fe2a:1530
+    toaster:
+      - 45.66.110.188
+      - 2a09:6840:110:0:5246:5dff:fe9a:f70
+    rpijutax:
+      - 45.66.110.190
+      - 2a09:6840:110:0:ba27:ebff:fe76:a9bc
+    polaris:
+      - 45.66.110.245
+      - 2a09:6840:110:0:dea6:32ff:feb4:d033
+    lafeychine:
+      - 92.91.154.45
+
+  infra.auro.re:
+    services-1.ceph:
+      - 2a09:6840:214::1:1
+      - 10.214.1.1
+    services-2.ceph:
+      - 2a09:6840:214::1:2
+      - 10.214.1.2
+    services-3.ceph:
+      - 2a09:6840:209::1:3
+      - 10.214.1.3
+    services-1.pve:
+      - 2a09:6840:209::2:1
+      - 10.209.2.1
+    services-2.pve:
+      - 2a09:6840:209::2:2
+      - 10.209.2.2
+    network-1.pve:
+      - 2a09:6840:209::1:1
+      - 10.209.1.1
+    network-2.pve:
+      - 2a09:6840:209::1:2
+      - 10.209.1.2
+    services-3.pve:
+      - 2a09:6840:209::2:3
+      - 10.209.2.3
+    caradoc.bmc:
+      - 2a09:6840:208::1:1
+      - 10.208.1.1
+    services-1.bmc:
+      - 2a09:6840:208::1:2
+      - 10.208.1.2
+    services-2.bmc:
+      - 2a09:6840:208::1:3
+      - 10.208.1.3
+    services-3.bmc:
+      - 2a09:6840:208::1:4
+      - 10.208.1.4
+    perceval.bmc:
+      - 2a09:6840:208::1:5
+      - 10.208.1.5
+    chapalux.bmc:
+      - 2a09:6840:208::1:6
+      - 10.208.1.6
+    loki.bmc:
+      - 2a09:6840:208::1:7
+      - 10.208.1.7
+    network-1.bmc:
+      - 2a09:6840:208::1:8
+      - 10.208.1.8
+    network-2.bmc:
+      - 2a09:6840:208::1:9
+      - 10.208.1.9
+    escalope.bmc:
+      - 2a09:6840:208::1:10
+      - 10.208.1.10
+    edge-1.back:
+      - 2a09:6840:203::1:1
+      - 10.203.1.1
+    edge-2.back:
+      - 2a09:6840:203::1:2
+      - 10.203.1.2
+    isp-1.back:
+      - 2a09:6840:203::1:5
+      - 10.203.1.5
+    isp-2.back:
+      - 2a09:6840:203::1:6
+      - 10.203.1.6
+    infra-1.back:
+      - 2a09:6840:203::1:3
+      - 10.203.1.3
+    infra-2.back:
+      - 2a09:6840:203::1:4
+      - 10.203.1.4
+    ns-master.int:
+      - 2a09:6840:128:0::110
+      - 10.128.0.110
+    log-1.int:
+      - 2a09:6840:206::1:9
+      - 10.206.1.9
+    log-2.int:
+      - 2a09:6840:206::1:10
+      - 10.206.1.10
+    dns-1.int:
+      - 2a09:6840:206::1:1
+      - 10.206.1.1
+    dns-2.int:
+      - 2a09:6840:206::1:2
+      - 10.206.1.2
+    nis2.int:
+      - 2a09:6840:206::2:1
+      - 10.206.2.1
+    ldap-1.int:
+      - 10.128.10.8
+      - 2a09:6840:128::10:8
+    ldap-2.int:
+      - 10.128.10.108
+      - 2a09:6840:128::10:108
+    ntp-1.int:
+      - 2a09:6840:206::1:5
+      - 10.206.1.5
+    ntp-2.int:
+      - 2a09:6840:206::1:6
+      - 10.206.1.6
+    wg-1.vpn:
+      - 2a09:6840:213::1:3
+      - 10.213.1.3
+    wg-2.vpn:
+      - 2a09:6840:213::1:4
+      - 10.213.1.4
+    dhcp-1.isp:
+      - 2a09:6840:210::1:1
+      - 10.210.1.1
+    dhcp-2.isp:
+      - 2a09:6840:210::1:2
+      - 10.210.1.2
+    radius-1.isp:
+      - 2a09:6840:210::1:3
+      - 10.210.1.3
+    radius-2.isp:
+      - 2a09:6840:210::1:4
+      - 10.210.1.4
+    prometheus-1.monit:
+      - 2a09:6840:204::1:1
+      - 10.204.1.1
+    prometheus-2.monit:
+      - 2a09:6840:204::1:2
+      - 10.204.1.2
+    ff-1.core.sw:
+      - 10.207.1.1
+    ff-2.core.sw:
+      - 10.207.1.2
+    fl-1.core.sw:
+      - 10.207.1.3
+    fl-2.core.sw:
+      - 10.207.1.4
+    fd-1.core.sw:
+      - 10.207.1.5
+    ff-3.core.sw:
+      - 10.207.1.6
+    gk-1.core.sw:
+      - 10.207.2.1
+    eb-1.core.sw:
+      - 10.207.3.1
+    r3-1.core.sw:
+      - 10.207.4.1
+    eb-1.ups:
+      - 2a09:6840:201::3:1
+      - 10.201.3.1
+    ec-1.ups:
+      - 2a09:6840:201::3:2
+      - 10.201.3.2
+    mx.test:
+      - 2a09:6840:211::1:5
+      - 10.211.1.5
+    collabora.ext:
+      - 2a09:6840:211::1:1
+      - 10.211.1.1
+    grafana.ext:
+      - 2a09:6840:211::1:7
+      - 10.211.1.7
+    proxy.pub:
+      - 2a09:6840:215::1:1
+      - 45.66.111.206
+    ns-1.pub:
+      - 2a09:6840:215::1:2
+      - 45.66.111.205
+    ns-2.pub:
+      - 2a09:6840:215::1:3
+      - 45.66.111.207
+    ns-3.ovh:
+      - 92.222.211.194
+    tor.pub:
+      - 45.66.111.215
+      - 2a09:6840:215::1:215
+    jitsi.pub:
+      - 45.66.111.216
+      - 2a09:6840:215::1:216
+
+knotd__zones:
+  auro.re:
+    dnssec_policy: public
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - update-acme-challenge
+      - ksk-infra
+      - xfr
+    soa:
+      mname: ns-master.int.infra
+    ns:
+      - target:
+          - ns-1.pub.infra
+          - ns-2.pub.infra
+      - name: infra
+        target:
+          - ns-1.pub.infra
+          - ns-2.pub.infra
+      - name: test
+        target:
+          - ns-1.pub.infra
+          - ns-2.pub.infra
+      - name: adm
+        target:
+          - serge
+          - lama
+      - name: ups
+        target:
+          - serge
+          - lama
+      - name: switch
+        target:
+          - serge
+          - lama
+      - name: borne
+        target:
+          - serge
+          - lama
+    mx:
+      - exchange: mail
+        preference: 5
+      - exchange: proxy-ovh
+        preference: 10
+    txt:
+      - data: v=spf1 mx -all
+    a:
+      - address: 92.222.211.195
+    cname:
+      - name:
+          - gisti
+          - gistiti
+        target: jitsi
+      - name:
+          - element
+          - riot
+          - auth
+          - rss
+          - codimd
+          - hedgedoc
+          - grist
+          - kanboard
+          - www
+          - pad
+          - privatebin
+          - zero
+          - paste
+        target: proxy-ovh
+      - name:
+          - grafana
+          - grafana-ng
+          - nextcloud
+          - cloud
+          - office
+        target: proxy.pub.infra
+      - name:
+          - netbox
+          - wiki
+          - matrix
+          - drone
+          - gitea
+          - re2o
+          - vote
+        target: proxy
+      - name: intranet
+        target: re2o
+      - name:
+          - smtp
+          - imap
+        target: mail
+      - name:
+          - prometheus-paul.adh
+          - pma-paul.adh
+          - nextcloud-paul.adh
+          - grafana-paul.adh
+          - jellyfin.adh
+          - monitoring.adh
+          - beta-mpp.adh
+          - pz28.adh
+        target: lucepaul.myvnc.com.
+      - name:
+          - services-1.pve
+        target: services-1.pve.infra
+      - name:
+          - services-2.pve
+        target: services-2.pve.infra
+      - name:
+          - services-3.pve
+        target: services-3.pve.infra
+    hosts: "{{ knotd__hosts['auro.re']
+               | combine(knotd__hosts['adh.auro.re']
+                         | add_origin_keys('adh.auro.re.')) }}"
+  test.auro.re:
+    dnssec_policy: public
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    txt:
+      - data: v=spf1 mx -all
+      - name: _dmarc
+        data: v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@test.auro.re;ruf=mailto:postmaster@test.auro.re
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+    mx:
+      - exchange: mx
+        preference: 5
+    cname:
+      - name:
+          - www1
+          - www2
+          - www3
+        target: proxy.pub.infra.auro.re.
+    hosts:
+      mx:
+        - 2a09:6840:211::1:5
+        - 45.66.111.205
+  infra.auro.re:
+    dnssec_policy: infra
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    #queryacl: local
+    soa:
+      mname: ns-master.int
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+    hosts: "{{ knotd__hosts['infra.auro.re'] }}"
+
+  108.66.45.in-addr.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+  109.66.45.in-addr.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+  110.66.45.in-addr.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+    reverse_hosts: "{{ knotd__hosts['adh.auro.re']
+                       | ip_filter(['45.66.110.0/24'])
+                       | add_origin_keys('adh.auro.re.') }}"
+  111.66.45.in-addr.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+    reverse_hosts: "{{ knotd__hosts['auro.re']
+                       | ip_filter(['45.66.111.0/24'])
+                       | add_origin_keys('auro.re.') }}"
+  0.4.8.6.9.0.a.2.ip6.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+    reverse_hosts: "{{ knotd__hosts['auro.re']
+                       | ip_filter(['2a09:6840::/32'])
+                       | add_origin_keys('auro.re.')
+                       | combine(knotd__hosts['adh.auro.re']
+                                 | ip_filter(['2a09:6840::/32'])
+                                 | add_origin_keys('adh.auro.re.')) }}"
+...
--- a/host_vars/ns-master.int.infra.auro.re/main.yml
+++ b/host_vars/ns-master.int.infra.auro.re/main.yml
@ -0,0 +1,16 @@
+---
+systemd_link__links:
+  int0: 02:00:00:e3:36:c8
+  adm0: 42:17:a7:d1:bd:6a
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::110/64
+      - 10.128.0.110/16
+  int0:
+    addresses:
+      - 2a09:6840:206::1:7/64
+      - 10.206.1.7/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...
--- a/host_vars/ntp-1.int.infra.auro.re.yml
+++ b/host_vars/ntp-1.int.infra.auro.re.yml
@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  int0: 02:00:00:74:71:83
+
+ifupdown2__interfaces:
+  int0:
+    addresses:
+      - 2a09:6840:206::1:5/64
+      - 10.206.1.5/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...
--- a/host_vars/ntp-2.int.infra.auro.re.yml
+++ b/host_vars/ntp-2.int.infra.auro.re.yml
@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  int0: 04:00:00:31:be:50
+
+ifupdown2__interfaces:
+  int0:
+    addresses:
+      - 2a09:6840:206::1:6/64
+      - 10.206.1.6/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...
--- a/host_vars/portail.adm.auro.re.yml
+++ b/host_vars/portail.adm.auro.re.yml
@ -6,7 +6,7 @@ loc_nginx:

  servers:
    - server_name:
-        - 10.13.0.247
+        - "10.13.0.247"
      locations:
        - filter: "/"
          params:
@ -24,7 +24,8 @@ loc_nginx:
          params:
            - "return 302 https://portail-fleming.auro.re/portail/"

-    - server_name:
+    - ssl: auro.re
+      server_name:
        - 10.23.0.247
      locations:
        - filter: "/"
@ -43,8 +44,9 @@ loc_nginx:
          params:
            - "return 302 https://portail-pacaterie.auro.re/portail/"

-    - server_name:
-        - 10.33.0.247
+    - ssl: auro.re
+      server_name:
+        - "10.33.0.247"
      locations:
        - filter: "/"
          params:
@ -62,8 +64,9 @@ loc_nginx:
          params:
            - "return 302 https://portail-rives.auro.re/portail/"

-    - server_name:
-        - 10.43.0.247
+    - ssl: auro.re
+      server_name:
+        - "10.43.0.247"
      locations:
        - filter: "/"
          params:
@ -81,8 +84,9 @@ loc_nginx:
          params:
            - "return 302 https://portail-edc.auro.re/portail/"

-    - server_name:
-        - 10.53.0.247
+    - ssl: auro.re
+      server_name:
+        - "10.53.0.247"
      locations:
        - filter: "/"
          params:
--- a/host_vars/prometheus-1.monit.infra.auro.re.yml
+++ b/host_vars/prometheus-1.monit.infra.auro.re.yml
@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  monit0: 02:00:00:a8:6b:51
+
+ifupdown2__interfaces:
+  monit0:
+    addresses:
+      - 2a09:6840:204::1:1/64
+      - 10.204.1.1/16
+    gateways: "{{ ifupdown2__gateways.monit }}"
+...
--- a/host_vars/prometheus-2.monit.infra.auro.re.yml
+++ b/host_vars/prometheus-2.monit.infra.auro.re.yml
@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  monit0: 04:00:00:a6:93:5a
+
+ifupdown2__interfaces:
+  monit0:
+    addresses:
+      - 2a09:6840:204::1:2/64
+      - 10.204.1.2/16
+    gateways: "{{ ifupdown2__gateways.monit }}"
+...
--- a/host_vars/proxy-ovh.adm.auro.re.yml
+++ b/host_vars/proxy-ovh.adm.auro.re.yml
@ -13,6 +13,8 @@ loc_reverseproxy:
      to: auro.re
    - from: 92.222.211.195
      to: auro.re
+    - from: codimd.auro.re
+      to: hedgedoc.auro.re

  reverseproxy_sites:
    - from: phabricator.auro.re
@ -27,6 +29,9 @@ loc_reverseproxy:
    - from: passbolt.auro.re
      to: 10.128.0.53

+    - from: auth.auro.re
+      to: 10.128.0.150:8089
+
    - from: riot.auro.re
      to: "10.128.0.150:8080"
    - from: element.auro.re
@ -34,8 +39,6 @@ loc_reverseproxy:
    - from: chat.auro.re
      to: "10.128.0.150:8080"

-    - from: codimd.auro.re
-      to: "10.128.0.150:8081"
    - from: hedgedoc.auro.re
      to: "10.128.0.150:8081"

@ -56,6 +59,8 @@ loc_reverseproxy:

    - from: cas.auro.re
      to: "10.128.0.150:8085"
+    - from: rss.auro.re
+      to: 10.128.0.150:8090
    - from: status.auro.re
      to: "10.128.0.150:8086"
    - from: "kanboard.auro.re"
--- a/host_vars/proxy.adm.auro.re.yml
+++ b/host_vars/proxy.adm.auro.re.yml
@ -41,9 +41,6 @@ loc_reverseproxy:
    - from: intranet.auro.re
      to: 10.128.0.20

-    - from: bbb.auro.re
-      to: 10.128.0.54
-
    - from: nextcloud.auro.re
      to: "10.128.0.58:8080"

@ -64,3 +61,15 @@ loc_reverseproxy:

    - from: wikijs.auro.re
      to: "10.128.0.66:3000"
+
+    - from: wiki.auro.re
+      to: "10.128.0.66:3000"
+
+    - from: netbox.auro.re
+      to: 10.128.0.97
+
+    - from: grafana.auro.re
+      to: "10.128.0.98:3000"
+
+    - from: office.auro.re
+      to: "10.128.0.220"
--- a/host_vars/proxy.pub.infra.auro.re.yml
+++ b/host_vars/proxy.pub.infra.auro.re.yml
@ -0,0 +1,103 @@
+---
+systemd_link__links:
+  pub0: ae:ae:ae:3a:71:0b
+
+ifupdown2__interfaces:
+  pub0:
+    addresses:
+      - 2a09:6840:215::1:1/64
+      - 45.66.111.206/27
+    gateways: "{{ ifupdown2__gateways.pub }}"
+
+caddy__matrix_headers:
+  access-control-allow-headers: "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+  access-control-allow-methods: "GET, POST, PUT, DELETE, OPTIONS"
+  access-control-allow-origin: "*"
+
+caddy__routes_https:
+  www1.test.auro.re:
+    - root: /var/www/auro.re
+    - path: /.well-known/matrix/server
+      headers: "{{ caddy__matrix_headers }}"
+      body: '{"m.server": "matrix.auro.re:8448"}'
+      status: 200
+    - path: /.well-known/matrix/client
+      headers: "{{ caddy__matrix_headers }}"
+      body: '{"m.homeserver": {"base_url": "https://matrix.auro.re"}}'
+      status: 200
+  www2.test.auro.re:
+    headers:
+      location: "https://auro.re{http.request.uri}"
+    status: 301
+  www3.test.auro.re:
+    reverse:
+      - "[2a09:6840:128::198]:3000"
+      - 10.128.0.198:3000
+  grafana.auro.re:
+    reverse:
+      - "[2a09:6840:128::98]:3000"
+      - 10.128.0.98:3000
+  grafana-ng.auro.re:
+    reverse:
+      - "[2a09:6840:211::1:7]:80"
+      - 10.211.1.7:80
+  office.auro.re:
+    reverse:
+      - "[2a09:6840:211::1:1]:9980"
+      - 10.211.1.1:9980
+  nextcloud.auro.re:
+    headers:
+      location: "https://cloud.auro.re{http.request.uri}"
+    status: 301
+  cloud.auro.re:
+    - path: /.well-known/carddav
+      headers:
+        location: /remote.php/dav/
+      status: 301
+    - path: /.well-known/caldav
+      headers:
+        location: /remote.php/dav/
+      status: 301
+    - path: /.well-known/webfinger
+      headers:
+        location: /index.php/.well-known/webfinger
+      status: 301
+    - path: /.well-known/nodeinfo
+      headers:
+        location: /index.php/.well-known/nodeinfo
+      status: 301
+    - path: /remote/*
+      rewrite: /remote.php
+    - path: /ocm-provider/*
+      rewrite: /index.php
+    - path: "*.mjs"
+      headers:
+        content-type: text/javascript
+    - reverse:
+        - "[2a09:6840:128::58]:8080"
+        - 10.128.0.58:8080
+      headers:
+        x-robots-tag: noindex, nofollow
+        referrer-policy: no-referrer
+        x-content-type-options: nosniff
+        x-frame-options: SAMEORIGIN
+        x-permitted-cross-domain-policies: none
+        x-xss-protection: "1; mode=block"
+
+caddy__contact_email: tech.aurore@lists.crans.org
+
+caddy__errors:
+  - root: "{{ caddy__error_dir }}"
+  - rewrite: /error.html
+  - file_server: true
+    templates: true
+
+caddy__servers:
+  https:
+    listen: ":443"
+    routes: "{{ caddy__routes_https }}"
+    errors: "{{ caddy__errors }}"
+  http:
+    listen: ":80"
+
+...
--- a/host_vars/radius-1.isp.infra.auro.re.yml
+++ b/host_vars/radius-1.isp.infra.auro.re.yml
@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  isp0: 02:00:00:6a:3e:f4
+
+ifupdown2__interfaces:
+  isp0:
+    addresses:
+      - 2a09:6840:210::1:3/64
+      - 10.210.1.3/16
+    gateways: "{{ ifupdown2__gateways.isp }}"
+...
--- a/host_vars/radius-2.isp.infra.auro.re.yml
+++ b/host_vars/radius-2.isp.infra.auro.re.yml
@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  isp0: 04:00:00:29:6d:c9
+
+ifupdown2__interfaces:
+  isp0:
+    addresses:
+      - 2a09:6840:210::1:4/64
+      - 10.210.1.4/16
+    gateways: "{{ ifupdown2__gateways.isp }}"
+...
--- a/host_vars/re2o-bdd.adm.auro.re.yml
+++ b/host_vars/re2o-bdd.adm.auro.re.yml
@ -1 +0,0 @@
-postgresql_databases: true
--- a/host_vars/sw-ec-1.yml
+++ b/host_vars/sw-ec-1.yml
@ -0,0 +1,93 @@
+---
+switch_vars:
+  name: sw-ec-1
+  location: "Local_de_Brassage_EdC"
+  host: 10.130.4.11
+  port: 80
+  username: "{{ vault_switch.username }}"
+  password: "{{ vault_switch.password }}"
+  delete_vlans: []
+  vlans:
+    - id: 40
+      name: "Filaire_EDC"
+      tagged: "{{ '9-10,12,14,16,18,20,22-25' | range2list }}"
+    - id: 41
+      name: "Wifi_EDC"
+      tagged: "{{ '5-10,12,14,16,18,20,22-25' | range2list }}"
+    - id: 42
+      name: "Banni_EDC"
+      tagged: "{{ '5-10,12,14,16,18,20,22-25' | range2list }}"
+    - id: 43
+      name: "Accueil_EDC"
+      tagged: "{{ '5-10,12,14,16,18,20,22-25' | range2list }}"
+    - id: 110
+      name: "Adherents_IP_Publiques"
+      tagged: "{{ '9-10,12,14,16,18,20,22-25' | range2list }}"
+    - id: 111
+      name: "Serveurs_IP_Publiques"
+      tagged: "{{ '25' | range2list }}"
+    - id: 131
+      name: "Onduleurs"
+      tagged: [25]
+    - id: 144
+      name: "Bornes_Wifi_EDC"
+      tagged: [25]
+      untagged: "{{ '5-8,12,14,16,18,20,22-24' | range2list }}"
+  ports:
+    - id: 1
+      name: "Room_Ouest_363"
+    - id: 2
+      name: "Room_Ouest_364"
+    - id: 3
+      name: "Room_Principale_Foyer_1"
+    - id: 4
+      name: "Room_Principale_Foyer_2"
+    - id: 5
+      name: "Borne_Principale_0_1"
+    - id: 6
+      name: "Borne_Principale_1_1"
+    - id: 7
+      name: "Borne_Principale_1_2"
+    - id: 8
+      name: "Borne_Principale_1_3"
+    - id: 9
+      name: "Room_Ouest_352"
+    - id: 10
+      name: "Borne_Adh_Ouest_252"
+    - id: 11
+      name: "Room_Ouest_273"
+    - id: 12
+      name: "Borne_Adh_Est_231"
+    - id: 13
+      name: "Room_Ouest_261"
+    - id: 14
+      name: "Borne_Adh_Ouest_272"
+    - id: 15
+      name: "Room_Ouest_262"
+    - id: 16
+      name: "Room_Est_225"
+    - id: 17
+      name: "Room_Ouest_263"
+    - id: 18
+      name: "Room_Ouest_76"
+    - id: 19
+      name: "Room_Ouest_264"
+    - id: 20
+      name: "Borne_Adh_Ouest_58"
+    - id: 21
+      name: "Room_Ouest_265"
+    - id: 22
+      name: "Not_used"
+    - id: 23
+      name: "Room_Ouest_158"
+    - id: 24
+      name: "Borne_Adh_Ouest_267"
+    # id: 25
+    # name: "Uplink_sw-ec-core"
+    - id: 26
+      name: "Not_used"
+    - id: 27
+      name: "Not_used"
+    - id: 28
+      name: "Not_used"
+...
--- a/host_vars/sw-ec-2.yml
+++ b/host_vars/sw-ec-2.yml
@ -0,0 +1,228 @@
+---
+switch_vars:
+  name: sw-ec-2
+  location: Local de Brassage EdC
+  host: 10.130.4.12
+  port: 80
+  username: "{{ vault_switch.username }}"
+  password: "{{ vault_switch.password }}"
+  delete_vlans: []
+  vlans:
+    - id: 40
+      name: "Filaire_edc"
+      tagged: [49]
+    - id: 41
+      name: "Wifi_edc"
+      tagged: [49]
+    - id: 42
+      name: "Banni_edc"
+      tagged: [49]
+    - id: 43
+      name: "Accueil_edc"
+      tagged: [49]
+    - id: 110
+      name: "Adherents_ip_publiques"
+      tagged: [49]
+    - id: 111
+      name: "Serveurs_ip_publiques"
+      tagged: [49]
+    - id: 131
+      name: "Onduleurs"
+      tagged: [49]
+    - id: 144
+      name: "Bornes_wifi_edc"
+      tagged: [49]
+  ports:
+    - id: 1
+      name: "Room_edc_Aile_Principale_115"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 2
+      name: "Room_edc_Aile_Principale_103"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 3
+      name: "Room_edc_Aile_Principale_114"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 4
+      name: "Room_edc_Aile_Principale_102"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 5
+      name: "Room_edc_Aile_Principale_113"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 6
+      name: "Room_edc_Aile_Principale_101"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 7
+      name: "Room_edc_Aile_Principale_112"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 8
+      name: "Room_edc_Aile_Principale_100"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 9
+      name: "Room_edc_Aile_Principale_111"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 10
+      name: "Room_edc_Aile_Principale_215"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 11
+      name: "Room_edc_Aile_Principale_110"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 12
+      name: "Room_edc_Aile_Principale_214"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 13
+      name: "Room_edc_Aile_Principale_207"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 14
+      name: "Room_edc_Aile_Est_24"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 15
+      name: "Room_edc_Aile_Principale_206"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 16
+      name: "Room_edc_Aile_Est_25"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 17
+      name: "Room_edc_Aile_Principale_205"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 18
+      name: "Room_edc_Aile_Est_26"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 19
+      name: "Room_edc_Aile_Principale_204"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 20
+      name: "Room_edc_Aile_Est_27"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 21
+      name: "Room_edc_Aile_Principale_203"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 22
+      name: "Room_edc_Aile_Est_28"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 23
+      name: "Room_edc_Aile_Principale_202"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 24
+      name: "Room_edc_Aile_Est_29"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 25
+      name: "Room_edc_Aile_Principale_201"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 26
+      name: "Room_edc_Aile_Est_30"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 27
+      name: "Room_edc_Aile_Principale_200"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 28
+      name: "Room_edc_Aile_Est_31"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 29
+      name: "Room_edc_Aile_Est_20"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 30
+      name: "Room_edc_Aile_Est_32"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 31
+      name: "Room_edc_Aile_Est_21"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 32
+      name: "Room_edc_Aile_Est_33"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 33
+      name: "Room_edc_Aile_Est_22"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 34
+      name: "Room_edc_Aile_Est_34"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 35
+      name: "Room_edc_Aile_Est_23"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 36
+      name: "Room_edc_Aile_Est_120"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 37
+      name: "Room_edc_Aile_Principale_109"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 38
+      name: "Room_edc_Aile_Principale_213"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 39
+      name: "Room_edc_Aile_Principale_108"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 40
+      name: "Room_edc_Aile_Principale_212"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 41
+      name: "Room_edc_Aile_Principale_107"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 42
+      name: "Room_edc_Aile_Principale_211"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 43
+      name: "Room_edc_Aile_Principale_106"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 44
+      name: "Room_edc_Aile_Principale_210"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 45
+      name: "Room_edc_Aile_Principale_105"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 46
+      name: "Room_edc_Aile_Principale_209"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 47
+      name: "Room_edc_Aile_Principale_104"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+    - id: 48
+      name: "Room_edc_Aile_Principale_208"
+      lldp: "LPAS_TX_AND_RX"
+      loop_protect: true
+...
--- a/Show more
+++ b/Show more