switchs: Add EDC access point

Reviewed-on: #107

.ansible-lint

@@ -0,0 +1,10 @@
+skip_list:
+  - no-changed-when
+  - load-failure
+  - document-start
+  - meta-no-info
+  - ignore-errors
+
+exclude_paths:
+  - group_vars/all/vault.yml
+  - utils/

.drone.yml

@@ -0,0 +1,11 @@
+---
+kind: pipeline
+type: docker
+name: check
+
+steps:
+  - name: ansible and yaml linting
+    image: quay.io/ansible/toolset:3.5.0
+    commands:
+      - ansible-lint
+...

.gitignore

@@ -1 +1,4 @@
 *.retry
+tmp
+ldap-password.txt
+__pycache__/

.gitlab-ci.yml

@@ -1,6 +0,0 @@
----
-image: quay.io/ansible/molecule:2.19
-
-yamllint:
-  script: yamllint -c .yamllint.yml .
-...

.yamllint.yml

@@ -3,5 +3,8 @@ extends: default
 
 rules:
   line-length:
+    max: 120
     level: warning
+  document-start:
+    ignore: group_vars/all/vault.yml
 ...

README.md

@@ -1,49 +1,307 @@
-# Playbook et rôles Ansible d'Aurore
+# Recettes Ansible d'Aurore
 
-## Exécution d'un playbook
+Dépendances requises :
 
-Pour appliquer le playbook `base.yml` :
-```bash
-ansible-playbook --ask-vault-pass base.yml
+* Ansible 2.9 ou plus récent.
+
+## Ansible 101
+
+Si vous n'avez jamais touché à Ansible avant, voilà une rapide introduction.
+
+**Inventory** : c'est le fichier `hosts` d'inventaire.
+Il contient la définition de chaque machine et le regroupement.
+
+Quand on regroupe avec un `:children` en réalité on groupe des groupes.
+
+Chaque machine est annoncée avec son hostname. Il faut pouvoir SSH sur cette
+machine avec ce hostname, car c'est ce qu'Ansible fera (sauf pour les switchs,
+voir plus bas).
+
+**Playbook** : c'est une politique de déploiement.
+Il contient les associations des rôles avec les machines.
+
+L'idée au Crans est de regrouper par thème. Exemple, le playbook `monitoring.yml`
+va contenir toutes les définitions machines-rôles qui touchent au monitoring.
+Cela permet de déployer manuellement tout le monitoring sans toucher au reste.
+
+**Rôle** : un playbook donne des rôles à des machines. Ces rôles sont tous dans
+le dossier `roles/`. Un rôle installe un service précis sur un serveur.
+
+Il est préférable d'être atomique sur les rôles plutôt d'en coder un énorme
+qui sera difficilement maintenable.
+
+*Exemples de rôle* : activer les backports pour ma version de Debian, installer NodeJS,
+déployer un serveur prometheus, déployer une node prometheus…
+
+**Tâche** : un rôle est composé de tâches. Une tâche effectue une et une seule
+action. Elle est associée à un module Ansible.
+
+*Exemples de tâche* : installer un paquet avec le module `apt`, ajouter une
+ligne dans un fichier avec le module `lineinfile`, copier une template avec le
+module `template`…
+
+Une tâche peut avoir des paramètres supplémentaires pour la réessayer quand
+elle plante, récupérer son résultat dans une variable, mettre une boucle
+dessus, mettre des conditions…
+
+N'oubliez pas d'aller lire l'excellente documentation de RedHat sur tous les modules
+d'Ansible !
+
+### Gestion des groupes de machines
+
+Pour la liste complète, je vous invite à lire le fichier `hosts`.
+
+Exemple :
+
+```yaml
+[fleming_vm]
+dhcp-fleming.adm.auro.re
+dns-fleming.adm.auro.re
+prometheus-fleming.adm.auro.re
+routeur-fleming.adm.auro.re
+
+[fleming_pve]
+pve1.adm.auro.re
+
+[fleming:children]
+fleming_pve
+fleming_vm
 ```
 
-Il est souhaitable de faire un test avant avec `--check` si on a des doutes !
+> NB :
+>
+> L'exemple a été adapté de la configuration d'Aurore pour des raisons
+> pédagogiques.
 
-## FAQ
-
-### Mettre sa clé SSH sur une machine
-
-```
-ssh-copy-id -i ~/.ssh/id_rsa_aurore.pub virtu.fede-aurore.net
-```
-
-### Automatiquement ajouter fingerprint ECDSA (dangereux !)
-
-Il faut changer la variable d'environnement suivante :
-`ANSIBLE_HOST_KEY_CHECKING=0`.
-
-### Configurer la connexion au bastion
-
-Envoyer son agent SSH peut être dangereux ([source](https://heipei.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)).
-
-On va utiliser plutôt ProxyJump.
-Dans la configuration SSH :
-
-```
-# Use a key to log on all Aurore servers
-# and use a bastion
-Host 10.128.0.* *.adm.auro.re
-    IdentityFile ~/.ssh/id_rsa_aurore
-    ProxyJump proxy.auro.re
-```
-
-Il faut savoir que depuis Ansible 2.5, des connexions persistantes sont créées
-vers les serveurs puis détruites à la fin de l'exécution.
-Il faut donc éviter de lancer une connexion SSH persistante pendant l'exécution
-d'Ansible.
+Pour les fonctions (`proxy-server`, `dhcp-dynamique`…) il a été choisi
+de ne pas faire de groupe particulier mais plutôt de sélectionner/enlever
+les machines pertinentes directement dans les playbooks.
 
 ### Lister tout ce que sait Ansible sur un hôte
 
+Lors du lancement d'Ansible, il collecte un ensemble de faits sur les serveurs
+qui peuvent ensuite être utilisés dans des variables.
+Pour lister tous les faits qu'Ansible collecte nativement d'un serveur
+on peut exécuter le module `setup` manuellement.
+
+```bash
+ansible proxy.adm.auro.re -m setup --ask-vault-pass
 ```
-ansible -i hosts ldap-replica-fleming1.adm.auro.re -m setup --ask-vault-pass
+
+Il est notamment possible de :
+
+* tester les versions de Debian,
+
+  ```YAML
+  ansible_lsb.codename == 'stretch'
+  ```
+
+* tester si c'est un CPU Intel x86_64,
+
+  ```YAML
+  ansible_processor[0].find('Intel') != -1
+  and ansible_architecture == 'x86_64'
+  ```
+
+## Exécution d'Ansible
+
+### Configurer la connexion au vlan adm
+
+Envoyer son agent SSH peut être dangereux
+([source](https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)).
+
+On va utiliser plutôt `ProxyJump`.
+Dans la configuration SSH :
+
+```text
+Host *.adm.auro.re *.pve.auro.re
+    # Accept new host keys
+    StrictHostKeyChecking accept-new
+
+    # Use passerelle to connect to administration VLANs
+    ProxyJump passerelle.auro.re
 ```
+
+Il faut sa clé SSH configurée sur le serveur que l'on déploie.
+
+```bash
+ssh-copy-id proxy.adm.auro.re
+```
+
+### Lancer Ansible
+
+Il faut `python3-netaddr` sur sa machine.
+
+Pour tester le playbook `base.yml` :
+
+```bash
+ansible-playbook --ask-vault-pass base.yml --check
+```
+
+Vous pouvez ensuite enlever `--check` si vous voulez appliquer les changements !
+
+Si vous avez des soucis de fingerprint ECDSA, vous pouvez ignorer une
+première fois (dangereux !) : `ANSIBLE_HOST_KEY_CHECKING=0 ansible-playbook...`.
+
+### Ajouter toutes les empreintes de serveur
+
+```bash
+#!/bin/bash
+for ip in `cat hosts|grep .adm.auro.re`; do
+    ssh-copy-id -i ~/.ssh/id_rsa.pub $ip
+done
+```
+
+> Remarque :
+>
+> L'utilisation d'un certificat permet d'éviter d'avoir à ajouter sa clé ssh
+> sur les serveurs.
+
+### Passage à Ansible 2.10 (release: 30 juillet)
+
+Installez la version de développement d'ansible pour faire fonctionner les
+playbooks de ce repo, ainsi que les collections suivantes :
+
+```bash
+ansible-galaxy collection install community.general
+ansible-galaxy collection install ansible.posix
+```
+
+Si vous n'arrivez pas à entrer votre *become password* (bug dans ansible?), un
+workaround est le suivant :
+
+`$  export ANSIBLE_BECOME_PASS='<votre mot de passe LDAP>'`
+
+Notez l'espace au début pour ne pas log la commande dans votre historique
+shell.
+
+## Configuration des switchs depuis Ansible
+
+Afin d'acquérir de l'indépendance vis-à-vis de re2o, un module permettant de
+configurer les switchs depuis Ansible a été créé. Il utilise l'api rest des
+switchs afin de récupérer et appliquer la configuration voulue.
+
+### Prérequis
+
+Pour utiliser le module, il faut d'abord annoncer à Ansible qu'il ne faut pas
+effectuer de connexion ssh et de ne pas récupérer les faits. Cela se fait à
+l'aide des variables `connection: httpapi` et `gather_facts: false` à placer
+dans le playbook (pour une configuration locale) ou dans ansible.cfg (pour une
+configuration globale). Ensuite, l'infrastructure actuelle de Aurore nécessite
+l'utilisation d'un proxy. Pour cela, il suffit d'exécuter la commande :
+
+```bash
+ssh -D 3000 switchs-manager.adm.auro.re
+```
+
+et d'annoncer l'utilisation du proxy dans la configuration en exportant la
+variable d'environnement `HTTP_PROXY=socks5://localhost:3000` et en
+configurant la variable du module `use_proxy: true`.
+
+Exemple :
+
+```yaml
+environment:
+  HTTP_PROXY: "socks5://localhost:3000"
+tasks:
+  - name: vlans
+    switch_config:
+      username: ****
+      password: ****
+      port: 80
+      host: 192.168.1.42
+      use_proxy: true
+      config:
+        path: vlans/42
+        data:
+          name: VLAN42
+          vlan_id: 42
+          status: VS_PORT_BASED
+          type: VT_STATIC
+```
+
+Le module est alors utilisable, il ne reste plus qu'à le configurer.
+
+### Écrire la configuration
+
+Le module se veut assez libre. Ainsi, l'ensemble de la requête doit être écrite
+dans les `tasks`. Voici un exemple pour configurer un vlan :
+
+```yaml
+tasks:
+  - name: vlans
+    switch_config:
+      username: ****
+      password: ****
+      port: 80
+      host: 192.168.1.42
+      config:
+        path: vlans/42
+        data:
+          name: VLAN42
+          vlan_id: 42
+          status: VS_PORT_BASED
+          type: VT_STATIC
+```
+
+Le `path` correspond à l'url de l'objet que l'on souhaite éditer et `data`
+correspond aux données qui seront envoyées dans une requête `PUT` (au format
+`json`). Cependant, la configuration d'un vlan peut nécessiter de le créer.
+Pour remédier à ce problème, il est possible d'utiliser la syntaxe suivante :
+
+```yaml
+
+tasks:
+  - name: vlans
+    switch_config:
+      username: ****
+      password: ****
+      port: 80
+      host: 192.168.1.42
+      config:
+        path: vlans
+        create_method: POST
+        subpath:
+          - path: 42
+            data:
+              name: VLAN42
+              vlan_id: 42
+              status: VS_PORT_BASED
+              type: VT_STATIC
+```
+
+Le variable `create_method` correspond au type de la requête pour effectuer une
+action de création de l'objet. Il s'agit généralement de `POST`. Dans le cas
+où la variable n'est pas définit, la création sera désactivée et ainsi, si
+l'url indiquée dans les `subpath` n'existe pas, alors la configuration échouera.
+Par conséquent, si le vlan 42 a besoin d'être créé, une requête `POST` sera
+effectué sur l'url `vlans` avec les données dans `data`.
+
+Il est également possible d'éxecuter une action de suppression d'un vlan à l'aide
+de la variable `delete` :
+
+```yaml
+  tasks:
+    - name: vlans
+      switch_config:
+        username: ****
+        password: ****
+        port: 80
+        host: 192.168.1.42
+        config:
+          path: vlans/42
+          delete: true
+```
+
+Si la variable `delete` est activée, alors une requête `DELETE` sera envoyée
+sur l'url indiquée. Pour vérifier si la suppression est déjà effective avant
+l'éxecution, le module vérifiera si un `GET` sur l'url retourne une 404.
+
+> Remarque :
+>
+> Si les variables `delete` et `data` sont définies (dont `delete` à `true`),
+> alors il en résultera une action de suppression malgré tout.
+
+Puisque `subpath` est une liste, il est possible de configurer plusieurs requête
+en même temps. Cela à l'avantage d'effectuer toutes les modifications à la suite
+(sans avoir à se connecter plusieurs sur l'api).

all.yml

@@ -0,0 +1,18 @@
+#!/usr/bin/env ansible-playbook
+---
+- import_playbook: playbooks/base.yml
+- import_playbook: playbooks/root.yml
+- import_playbook: playbooks/ssh.yml
+- import_playbook: playbooks/chronyd.yml
+- import_playbook: playbooks/kresd.yml
+- import_playbook: playbooks/knotd.yml
+- import_playbook: playbooks/resolvconf.yml
+- import_playbook: playbooks/ifupdown2.yml
+- import_playbook: playbooks/systemd_link.yml
+- import_playbook: playbooks/keepalived.yml
+- import_playbook: playbooks/ip_forward.yml
+- import_playbook: playbooks/dhcpd.yml
+- import_playbook: playbooks/bird.yml
+- import_playbook: playbooks/pve.yml
+- import_playbook: playbooks/prometheus.yml
+...

ansible.cfg

@@ -1,29 +1,22 @@
-# Aurore Ansible configuration
-
 [defaults]
+jinja2_native = true
 
-# Use Aurore inventory
-inventory = ./hosts
-
-# Custom header in templates
-ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
-
-# Do not create retry files
+ask_vault_pass = True
+roles_path = ./roles
 retry_files_enabled = False
-
-# Do not use cows (with cowsay)
+inventory = ./hosts
+stdout_callback = debug
+library = ./library
+filter_plugins = ./filter_plugins
+ansible_managed = Ansible managed
 nocows = 1
-
-[privilege_escalation]
-
-# Use sudo to get priviledge access
-become = True
-
-# Ask for password
-become_ask_pass = True
+forks = 15
+timeout = 60
+remote_user = root
 
 [diff]
-
-# TO know what changed
 always = yes
 
+[ssh_connection]
+pipelining = True
+retries = 3

base.yml

@@ -1,5 +0,0 @@
----
-# Put a common configuration on all servers
-- hosts: all
-  roles:
-   - baseconfig

codimd.yml

@@ -1,6 +0,0 @@
----
-# Install CodiMD on CodiMD containers
-- hosts: codimd.adm.auro.re
-  roles:
-    - debian-backports
-    - codimd

dokuwiki.yml

@@ -1,6 +0,0 @@
----
-# Install DokuWiki on the wiki TEST container
-# When it will be operational, horus-wikitest will replace horus-wiki
-- hosts: horus-wikitest
-  roles:
-   - dokuwiki

etherpad.yml

@@ -1,6 +0,0 @@
----
-# Install EtherPad on EtherPad containers
-- hosts: pad.adm.auro.re
-  roles:
-   - debian-backports
-   - etherpad

filter_plugins/enquote.py

@@ -0,0 +1,16 @@
+class FilterModule:
+    def filters(self):
+        return {
+            "enquote": enquote,
+        }
+
+
+def enquote(string, delimiter='"', escape="\\"):
+    translation = str.maketrans(
+        {
+            delimiter: f"{escape}{delimiter}",
+            escape: f"{escape}{escape}",
+        }
+    )
+    escaped = string.translate(translation)
+    return f"{delimiter}{escaped}{delimiter}"

filter_plugins/format_rev.py

@@ -0,0 +1,9 @@
+class FilterModule:
+    def filters(self):
+        return {
+            "format_rev": format_rev,
+        }
+
+
+def format_rev(text, fmt, *args, **kwargs):
+    return fmt.format(text, *args, **kwargs)

filter_plugins/net_utils.py

@@ -0,0 +1,68 @@
+import ipaddress
+from operator import attrgetter
+
+import dns.name
+
+
+class FilterModule:
+    def filters(self):
+        return {
+            "add_origin": add_origin,
+            "add_origin_keys": add_origin_keys,
+            "ip_filter": ip_filter,
+            "remove_domain_suffix": remove_domain_suffix,
+            "ipaddr_sort": ipaddr_sort,
+        }
+
+
+def first_addr(addresses, ipv4 = True):
+    version = ipaddress.IPv4Address if ipv4 else ipaddress.IPv6Address
+    for addr in addresses:
+        parsed = ipaddress.ip_address(xx)
+        if isinstance(parsed, version):
+            return parsed
+    raise ValueError("missing address")
+
+
+def ip_filter(addresses, networks):
+    if isinstance(addresses, dict):
+        return {k: ip_filter(v, networks) for k, v in addresses.items()}
+    ip_networks = [ipaddress.ip_network(n) for n in networks]
+    ip_addresses = [ipaddress.ip_address(a) for a in addresses]
+    return [str(a) for a in ip_addresses if any(a in n for n in ip_networks)]
+
+
+def add_origin(name, origin="."):
+    return dns.name.from_text(name, dns.name.from_text(origin)).to_text()
+
+
+def add_origin_keys(dct, origin="."):
+    return {add_origin(k, origin): v for k, v in dct.items()}
+
+
+def remove_domain_suffix(name):
+    parent = dns.name.from_text(name).parent()
+    return parent.to_text()
+
+
+def ipaddr_sort(addrs, types, unknown_after=True):
+    check_types = {
+        "global": attrgetter("is_global"),
+        "link-local": attrgetter("is_link_local"),
+        "loopback": attrgetter("is_loopback"),
+        "multicast": attrgetter("is_multicast"),
+        "private": attrgetter("is_private"),
+        "reserved": attrgetter("is_reserved"),
+        "site_local": attrgetter("is_site_local"),
+        "unspecified": attrgetter("is_unspecified"),
+    }
+
+    def addr_weight(addr):
+        if isinstance(addr, str):
+            addr = ipaddress.ip_address(addr.split("/")[0])
+        for index, ty in enumerate(types):
+            if check_types[ty](ipaddress.ip_address(addr)):
+                return index
+        return len(types) if unknown_after else -1
+
+    return sorted(addrs, key=addr_weight)

filter_plugins/suffix.py

@@ -0,0 +1,9 @@
+class FilterModule:
+    def filters(self):
+        return {
+            "suffix": suffix,
+        }
+
+
+def suffix(value, suffix):
+    return value + suffix

filter_plugins/switch_range.py

@@ -0,0 +1,38 @@
+#!/usr/bin/python
+class FilterModule(object):
+    def filters(self):
+        return {
+            'range2list': self.range2list,
+        }
+
+    def range2list(self, port_range):
+        """
+            Convert a range into list
+
+            Exemple:
+            ```
+            >>> FilterModule.range2list("1-10,42")
+            [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 42]
+            ````
+        """
+        port_range = port_range.replace(" ", "").split(",")
+        ports = []
+        for r in port_range:
+            if "-" in r:
+                try:
+                    a, b = r.split("-")
+                except:
+                    raise Exception("A range must contain 2 values")
+                try:
+                    a = int(a)
+                    b = int(b)
+                except:
+                    raise TypeError("A range must contain integer")
+                for n in range(a, b+1):
+                    ports.append(n)
+            else:
+                try:
+                    ports.append(int(r))
+                except:
+                    raise TypeError("Value must be integer")
+        return list(set(ports))

flake.lock

@@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1756770412,
+        "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "4524271976b625a4a605beefd893f270620fd751",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1757020766,
+        "narHash": "sha256-PLoSjHRa2bUbi1x9HoXgTx2AiuzNXs54c8omhadyvp0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe83bbdde2ccdc2cb9573aa846abe8363f79a97a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1754788789,
+        "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,27 @@
+{
+  description = "Ansible Aurore";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    flake-parts.url = "github:hercules-ci/flake-parts";
+  };
+
+  outputs =
+    inputs@{
+      self,
+      nixpkgs,
+      flake-parts,
+      ...
+    }:
+    flake-parts.lib.mkFlake { inherit inputs; } {
+      systems = [ "x86_64-linux" ];
+
+      perSystem =
+        { config, pkgs, ... }:
+        {
+          devShells = {
+            default = pkgs.callPackage ./shell.nix {};
+          };
+        };
+    };
+}

group_vars/all/bird.yml

@@ -0,0 +1,4 @@
+---
+bird__as:
+  aurore: 43619
+...

group_vars/all/chronyd.yml

@@ -0,0 +1,5 @@
+---
+chronyd__pools:
+  - ntp-1.int.infra.auro.re
+  - ntp-2.int.infra.auro.re
+...

group_vars/all/ifupdown2.yml

@@ -0,0 +1,24 @@
+---
+ifupdown2__wireguard_proto: wireguard
+ifupdown2__gateways:
+  adm:
+    - 2a09:6840:128::254
+    - 10.128.0.254
+  int:
+    - 2a09:6840:206::1
+    - 10.206.0.1
+  ext:
+    - 2a09:6840:211::1
+    - 10.211.0.1
+  monit:
+    - 2a09:6840:204::1
+    - 10.204.0.1
+  isp:
+    - 2a09:6840:210::1
+    - 10.210.0.1
+  pub:
+    - 2a09:6840:215::1
+    - 45.66.111.204
+  ovh:
+    - 92.222.211.254
+...

group_vars/all/openssh.yml

@@ -0,0 +1,10 @@
+---
+openssh__users_ca_public_key:
+  "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
+  hBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXW\
+  F1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg=="
+
+openssh__authorized_principals:
+  - any
+  - "{{ inventory_hostname }}"
+...

group_vars/all/prometheus.yml

@@ -0,0 +1,3 @@
+---
+prometheus_node__text_dir: /var/run/prometheus-node-exporter
+...

group_vars/all/resolvconf.yml

@@ -0,0 +1,13 @@
+---
+resolvconf__nameservers:
+  - 2a09:6840:206::1:1
+  - 2a09:6840:206::1:2
+  - 10.206.1.1
+  - 10.206.1.2
+
+resolvconf__domain: auro.re.
+
+resolvconf__search:
+  - "{{ inventory_hostname | remove_domain_suffix }}"
+  - auro.re.
+...

group_vars/all/root.yml

@@ -0,0 +1,5 @@
+---
+root__shell: /bin/bash
+
+root__password: "{{ vault_root_password }}"
+...

group_vars/all/vars.yml

@@ -1,23 +1,23 @@
 ---
+# Use Python 3
+ansible_python_interpreter: /usr/bin/python3
+
 # LDAP binding
 # You can hash LDAP passwords with `slappasswd` tool
 ldap_base: 'dc=auro,dc=re'
-ldap_master_ipv4: '10.128.0.11'
-ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
+ldap_master_ipv4: '10.128.0.21'
+ldap_master_uri: "ldap://re2o-ldap.adm.auro.re"
 ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
 ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
 ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
-ldap_codimd_bind_dn: "cn=codimd,ou=service-users,{{ ldap_base }}"
-ldap_codimd_password: "{{ vault_ldap_codimd_password }}"
 ldap_matrix_bind_dn: "cn=matrix,ou=service-users,{{ ldap_base }}"
 ldap_matrix_password: "{{ vault_ldap_matrix_password }}"
 ldap_replica_password: "{{ vault_ldap_replica_password }}"
+ldap_admin_password: "{{ vault_ldap_admin_password }}"
 ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}"
 
 # Databases
-postgresql_services_url: 'services-bdd.adm.auro.re'
-postgresql_synapse_passwd: "{{ vault_postgresql_synapse_passwd }}"
-postgresql_codimd_passwd: "{{ vault_postgresql_codimd_passwd }}"
+postgresql_services_url: 'bdd-ovh.adm.auro.re'
 
 # Scripts will tell users to go there to manage their account
 intranet_url: 'https://re2o.auro.re/'
@@ -30,3 +30,81 @@ ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
 
 # Monitoring
 monitoring_mail: 'monitoring.aurore@lists.crans.org'
+
+# Matrix
+matrix_webhooks_secret: "{{ vault_matrix_webhooks_secret }}"
+matrix_discord_client_id: "559305991494303747"
+matrix_discord_bot_token: "{{ vault_matrix_discord_bot_token }}"
+
+###
+# DNS
+###
+
+# Dernier octet (en décimal) de l'addresse des serveurs DNS récursifs de chaque
+# résidence.
+dns_host_suffix_main: 253
+dns_host_suffix_backup: 153
+
+backup_dns_servers:
+  - "80.67.169.12"  # French Data Network (FDN) (ns0.fdn.fr)
+
+# Finally raised!
+mtu: 1500
+
+subnet_ids:
+  ap: "14{{ apartment_block_id }}"
+  users_wired: "{{ apartment_block_id }}0"
+  users_wifi: "{{ apartment_block_id }}1"
+  users_banni: "{{ apartment_block_id }}2"
+  users_accueil: "{{ apartment_block_id }}3"
+
+# Keepalived
+keepalived_password: "{{ vault_keepalived_password[apartment_block] }}"
+
+
+# Re2o config
+re2o_secret_key: "{{ vault_re2o_secret_key }}"
+re2o_db_password: "{{ vault_re2o_db_password }}"
+re2o_aes_key: "{{ vault_re2o_aes_key }}"
+
+# Radius
+radius_secret_aurore: "{{ vault_radius_secrets.aurore }}"
+radius_secret_wifi: "{{ vault_radius_secrets.wifi }}"
+radius_secret_wired: "{{ vault_radius_secrets.wired[apartment_block] }}"
+radius_secret_federez: "{{ vault_radius_secrets.federez }}"
+
+radius_pg_replication_password: "{{ vault_re2o_db_user_passwords.replication }}"
+radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}"
+
+
+# DHCP
+dhcp_failover_enabled: true
+apartment_block_dhcp: "{{ apartment_block }}"
+
+
+# Careful, this is not byte-aligned, just nibble-aligned (RIPE gave us a /28).
+# However, we ALWAYS keep the trailing 0 to have byte alignment.
+ipv6_base_prefix: "2a09:6840"
+
+is_aurore_host: "{{ 'aurore_vm' in group_names }}"
+
+# Borgbackup
+borg_keep_daily: 7
+borg_keep_weekly: 4
+borg_keep_monthly: 12
+borg_backup_directories:
+  - /etc
+  - /var
+borg_backup_exclude:
+  - /var/log
+  - /var/lib/docker
+  - /var/lib/lxcfs
+borg_encryption_passphrase: "{{ vault_borg_encryption_passphrase }}"
+
+borg_server_host: 10.128.0.4
+
+rsyslog_outputs:
+  - proto: relp
+    address: 10.128.0.241
+    port: 20514
+...

group_vars/all/vault.yml

@@ -1,106 +1,297 @@
 $ANSIBLE_VAULT;1.1;AES256
-38616339383037366465353638383665643938633061323863386539323861633135363964303364
-6335326537383039316566623031306136633364336337320a343434623066313535363430303866
-61613635663336376530333463363037316230323339393463393465313366643438316565306564
-3263613463653764330a363330623331323762306330336465633538353637373838396231643762
-35353137306132653861343736323934326161663436653737333462333938393330393861363764
-38333837353564396563623039636438663662626330323632383234333662613835633138326161
-33626537633863393864373937306332386131626562323762616439643830626339633833313638
-65363930353162323635356430313030303734386339393730383135323937623939393233663335
-39316564396463643134636363326262343538666234333837373164646434643232623666636162
-61616637396561323166313131393163353166353764396564373330326262346666373034663465
-35326563306538653562333864383662336338656566313432633831313363663131393930336234
-61336230643539303532656437616638323266623434393863623661366237386537386232383332
-38643433626466343633626665386633663964306566643436363839363462326632393863616230
-62386662386363613737613839386436383734623461386363313832636661636334633132363433
-30383135646465353232623936366337663130376232343231376565313563303534313462336462
-39353861663230623536613735663865373238303832306636323532393734303538383837336237
-36613732623539616237663962666263393138303064646335623336343432323266663335363061
-36306361653035653334343031303663373334613365393635616362343461616535343964306666
-36663030373133346663663839373363663163653961323533356361373533643636626339356332
-34663063326363646638646330626666633564373763326636363764653831336134393131653864
-62353163613534386364323430346435316339363338666563366262336536373162346265353165
-66363834306536383465376339323462303265373263333065623837656133623035366366396335
-34313566326565333930386336353333396237633333613336666566393465616563393563633335
-33313232646466313333633564653535343564626566353863613964303732616436626535656135
-39313632346530636639333435643034666138633831313864316266376330336334333263356132
-30613865336164353433383232316637663131653231393235343262666636623461653332323664
-63323637396132666333633863393131363935626435313366646563366366356265346130373162
-66306261303539323763336130616165323863646466643336316437663266303730313433343932
-39643639376531303839636632333063323837306638373863663132386533353735343234666139
-33633462346438356338613830313533306263383263383036363566323437356235386636333432
-31383462626338346339353536653437623731643036363366666437316362356266396634383865
-65663332383837373334393863386531663831643366613131663666303436306336313935643065
-61336661313562326465393936643130393465346636363234386436616165613436393436623664
-33396165376363316334613737613261396633306233643337393936393465313763343439646136
-38643135346234653234316536363964303331303932656134323165333239623362333931323334
-62323634373764663464343031626432653131306664336130396265363964663866663538376239
-33653430366265623733376536613632646662646632653132336537383336303335623966396131
-62303136613934656664386162373433323962336134663435373730366632666135663030653133
-38613632623765616465383266356238313333336434376238396339343031323465343833323665
-61666366326363303832663164363838353739653534313235336530396330346466656432386636
-36613239613239613835633265363064316134346464616338333532376132373637356665346230
-38343461613335663061393037643466383664323263336364356364363262346236326161653362
-63653963303139616430333738373038333661333562376130363061366338346430303231363138
-66373866303331333035316533373336376466346630326166373734353834306237383462356430
-33633332366636613534313933323065633736656432656236653930623663616133336435313337
-36623031663333386362306138343231363130626131323735316562363730656230376132303439
-36323932666362613237666164653037353631353730346466303764326162366266376130316166
-32363739373437333731643936366334376463383664373139363465666538666331636535626462
-32323834616338376264393461626665393635336638383333653466336332316364363330333738
-61303161303564383563653039653263343161336362373563616237373865653965343639343465
-35363536613233313534633665373264303139393731626339646466663431363361373938623334
-38613766643861326538663563656662383665376137393333616566646136336339306333653066
-34373864353230343032386236386165616462316562363062613330636264303632396339646632
-37316630303536316436356138626533653865366137666131363064643964333838633266366365
-64663661333764616635383263376662616239323930643261613161313265633236623834376263
-31623565633964376632346533373037333166346332313266316138613665353530336562643739
-32393161396338353630363838643130323431343339376431373165313238383064616335323064
-36313366633161303635383062656538343538363039343931623736623766343762343563646134
-33626264643639333364343131636163646361626130646237326435373731613237663736393439
-37376639333930396337333938373866383133613730613162356364323265373431633836653838
-34323532613437313064383035313030306636346435396666653933626232313638656531366234
-34313837623136656361393230653637633535333063333662363137323962353232386366656264
-30303164363531343261626262653962383664313131333535313038343461303464326464373337
-34646537353031386265313066313136613533663335306636346237613264313061666233376131
-62346537666362373539626334376630633539343932623133653431393731356266623730353036
-64626133623638303132356639663538363537623739386166333337333431363939666362663137
-62303664306663376136353235613031623435393065376635353032666136396332613861376630
-65633061623466313838383664613839663033333736396536333863636435306263666466313265
-62633539623037616535333164316538616439333838633730313066366232616566646435376530
-66316164323737396230373339333936313532343266303765356530633534643439626236313136
-65373833633461393734353737363566353634353764333961643033393932353236633336393436
-61333537666263666238303736316462356138396232373839343434643730643766333535643565
-38333163353634633637393766346261613931663134363230353633336533643339353832653632
-64343438353266343937373138643635616331336164316166343536643434616665326331353161
-39303732663037653634303263386134366536333830363366663639383033323832653364393766
-30333438313361613764633239373036336230353333343262613761323930656265313031323065
-39666562393565326139373061313061396265386239343462346535623766313364343136343038
-39373462663434633731636662653966383233396163643137373530303134633465643130383265
-61376538626365396236643139336366643966306131393635623438393932313164623766353233
-61643732303837366139356236353937303036343232363537623231303661653035383831343830
-64663763383563303461633335313663643161336435343735333536393661663235636665383662
-37393139333361323136366564383132633830386335376137396563343937306431653665316161
-38323137643437383636373033326236613936396564626466386432393733633361623032326135
-61346166393964313637356330653339646365326365326130386537343535353038643538393336
-66366335316538393333613631346365393038623261303536363732383637643430346632343139
-61643265333466323666633834333462613161653165663432613934353036343937343939303033
-35636134343761666534656636383632363562633634383364323039613431666239346136616231
-37383838316338666462376133613632663633663935643563346333356464663434393734366433
-37376539366139396536323535316539643261636533303065326164643132313439313632306664
-33386136393734613739396336396635353439393531393363326137363562646363333762386135
-32376162373766393763343634326434323034336533336166666635636135393066353238626161
-37376132306339626263313663376638633337656162333431313439643930303332666138643962
-37313331616563643638343464653535653038613136313637336534636537343763376634626538
-64633133656237346461346330333061636663336262646264326237373736366337663331323764
-65353931373266336232366434356631383338386537616535656664323334363963666631363331
-37653666316236613931386161346439663935656466396137643765626632643263323163623138
-34326363373633303365353530383633623936313436616635353733643837656233613635383966
-37356665626530626532356632323338623062386332616332643061623031366366613433383734
-33623732636637363237336439373432616332643638303131363332393230663565323139303163
-36643134363861383834656539626166386164326236336266633435626163383437366338353930
-33373932333832373237343532623537363931366636346132616162343839303965386337316164
-61656233616633323933306165643666306661366632613933383932616664613663663234653431
-30306163346630653239323966396638643162303766363131646430303366303435343866353639
-66373465393764396335346131346331353561643434633364656530626238326333333731383361
-35653232373235383633616634643966636336333461663237653764626534346336
+35353866373931343963333639323431636465303562306166333735383462353032323461613232
+3666653438393936356535633661363838613233323932370a656439316234356339613532663237
+39373439366432363533303961396466623366323339383735316531653538633264393264353337
+3937323861616530640a666361323164353338306336616564663466616630393839613833373933
+65613161323164613334656631333336343262363835323962343662333133366561306139636261
+61656532666563333063356231636565626631633436623531313938663930396362343031356534
+34303565623832366664303561643137626433333164623730623639656439346639616164623865
+31613462316439613937313138313830323334373337366630323331393537633437303063353363
+66383930353930616137303436383864363439326139643361356231373939306439633332666232
+38363061636139346430373263613932336361356262656138663233386464373839366630303765
+35343064336533373238396430393536366438653534366565373733313962616364313061626133
+37666538313038643865346461626537353930366264643162376530353536623863656236303433
+31336561336131383635393238366464653934613130363831306335643935373033303162353534
+38353832653664633061646331653634393963333038306635313464636136616366313962333431
+39363934643266646131653236303138636163326663373765373761663062656463643162373038
+34656163633964626235366539663132396666623363303632363236303831613532393931373761
+65613435353162346233323533383537316231363437653239343233636533333966613066343932
+30626636306531333736613965396432373130356238313136336434356133353435643065626261
+32633732613361376261363831363866333332393132643439626639383438663438366330386534
+31303532323461303862346364386532663839323163653366356136666131363839663635343166
+38353962326430383561333630623030623536353838633231393763393238316530363939343536
+66323562336334376234613436373237303562363831323038366232393161356262653864663037
+34363436356332633363363963613635346337613438326436333836386534353738646166643333
+65356637366431326132363432663662346638383439383766646531363662356266313961356239
+31323236393538363662643662643535623633663738343266636163363835383030646661363966
+36366466386666613364313166353366333131343061353135306135656663323461303338346666
+32626231613738316233636361633337343635656334336536663865633465326639373966303137
+39383731303862353637386438306136303765333136653465663963663930383037343130316466
+33343932383033643530323136316632386230366338373362366462666233336530393561353933
+36356330386361303562666339306265663539616434336264373832636139313365633065343763
+31323633346536366635646562356266373964616338366165376331306561663938396661396164
+31363438326439343964666439356339326661666136303461343436303533363630353735633038
+38383365363739333034373031326530353962646661343039616230396132323833626162643964
+65363165333233643738373638353537343162366265316661353563353862623134663362633261
+32343364333236363738333130316538666536306664363661616536336264363438396464666533
+37616533363936356335663562366563303564623530303762363034343435326666356162316535
+61363133326263653937373037643930343565336166643939663466316232313535333965303737
+35313566353963616632313763366561633039626239353236323438383261663066323334333632
+62393265396235636461653862383830613634393431396131323439613362366463633239383761
+39343361663463633332666666346339363334366330393936373433353034653765323130383335
+63336338653333356438323264356162316638336338343033326639303237656663633233383735
+34646535633831636238316564373035353635383738356133326664626566623766366535333439
+30326437613539373163323464323635316632633930353931303466376661396135623031623133
+33653735336230666665616638353561623235343439666135386165313436306666643837616166
+37613964663837373137383736393063333037366433643632333963623038623636653639343936
+32383532613430623563623565633665663030616530643735653563303035616530313463643431
+31663361383835613631336638343338373639613532313561313231353765316237653431663462
+65366162326630656566663731316262336536303032386336666263326265316564336339316430
+31643066633438663562343730393534663338613165633635356333323635653161346136336261
+30313332383065633335396131656136613932346331343632386235643764363235376531376437
+61303130316537633830366662366237303934306561333134366463646464386530623631346264
+30356536613932613264643835356637356364653038383130366237656232333031313163643332
+34393865323162613936613264313864613734373032386266653432616535636464363463633564
+37343661623935353365333831623631386439343237383933313337393065653934303065313634
+61396163323937643837643636343337343231616265643765313932346462373735323737326663
+66316135646663376537613663373432393865623038363239356265303362326161366462356138
+65336536626634366363623865656234363335343662333134613835393635623434393036316638
+35366431653463626665663861303333363038666131643861646465663761623364333162343761
+64396131643136323634643461656339616361323030626166303930623838343438393465653364
+66633037616633316534386639306438363863363530376131363332353536656533393161313931
+34386636643737353738323265363435636239353261373466383430346461383932323634346466
+33666436343130643032626562613165396334323937353663376162643266646539353932313137
+62336162646535346631623332376334336538326530356233646239306337633365373562653166
+32383639353431666137396631663237313436393434626531316365666335306466363639626663
+63643861656537306133343138633535323737346538643063363330383366313362653933383365
+34313230663163303730326361303337373136346161353132626362623461343661663964333765
+37353165333762346539333730333731366532623531343962333037336464666530396437353666
+62313035323234643236343534663434356264643830636433323831313364663762646130306362
+32316530643230313230376662383439343639343336633431623135626134353134383030396264
+38623933356332336231343434663563653332633237653966663964646232623637313231366638
+30363966373362363432376562656436356338356561303133643432303736376234643632663137
+34336630356362303132343737376637303939623133363663306133383465613263356632383030
+61346138316538353638343833366261366534353963326162303866393430333964653333346539
+64386161663435646331613834363336373738396338653263323937623163663236366636343239
+36383135343763636139393331663139323431376562353165353662396165653235633464363035
+31393233636561366639373566623738636537363235666234633534376238323163363238393237
+64316132666530336135353434623866363739643830646463656536336136646334393064303630
+65343964613265333934306432313739633134663131666433386630303132663866343532363835
+38353237343630653561636365656561313636623065363836333663363934643162656534623864
+62373763353961646235613465646630306562386531396364386164633065643763396437316466
+32376564616562656136346563383266303963666136663863626137653462373430363363336364
+35333133303463363663356365626365613036633835323334653264626637353634373665643036
+65663736323235353964326466376163313630323265333631323866663137313665626238396130
+64653832626639626633376231326534303530373937396235366239626639356234363238633336
+34343064393334613732356332633361613633643039366537623465303739663635626365656631
+64343936613536636438313232376564376539623261623539346564303036303131366561643564
+61623630393032666636366338336266656264353631393061383162323766616530323734326134
+31623962373435323730323830373239363738663164653338623836386636626337623739366566
+61663835623038626266653062666264663639363763623139393862633061356164323530666665
+31623538333264633735643839376433653934383663333130336133653235313631336163343134
+33653533613430323834653730326661323462316338636338393063653866316335626633323137
+32653262353964653131343430383661643231383135643332616462343231323266333430373061
+62623136393239356166393964323830623239613434636361633365353862646130373865643136
+66346336363866393762353633353638663433363332356131626639326166393234313765346138
+64613431333139376139343234666664313236633031393938663431376336643133323964303938
+64616536613462306363613639613132383361393535333362363630393230636532316634373231
+63313839323263663237373937323361373533616465643830396666376661616631646561663130
+66376266363338666133313263653733646365653034653538333332623861323833633033393234
+39633834343231663166376333633635366261616561643363393137383736303436383339633734
+30623939343939373038656461333464353033313632643138393334373565383331326430653263
+66343630396135633636366337353061363730333364376664623234333434356661323935626633
+63336465343661393636333663306361386432373235313337353361333735373436633832633439
+30653766373230383364396638366237643932633364663639643661393438653339393031616338
+62396632353063376566333261356662356265373733323631363263396337383631383733393034
+65616434356530306661636633363333353138303631626565636637313738353338343334633533
+39313232356166623939383864346665626333363132663033326430366565336339306465343337
+34613736356534653534363034366431653861613534663261633739366361373134323566376335
+31313263313262353162353039623634653534346363323131633362323035633337366536366561
+64323432353236383839643662383138373938373834323262386364376162663839366232313433
+38643662613065663863636664636162333830353131636238383439323439316363383935623731
+62393964636137653935313338343465396633333461643032383730313139396462393936383630
+63353166633735623364653264643934666438383739663461373332623631323932333162303630
+39353637353437636537613935306539633163613334303833393832616338323061633532303361
+63656635333331376561363962386135303963303030396564356534333037623635613963313666
+65303664316164613835343930623338326235363933623533343961666664323836316231613465
+65373931666331326634316463663134613031363636363434643839386239333164333538393831
+65653935623431373238326231343439666635623730393639636131386162373466316164356263
+37316539656230316336303265646339303139306262396536633533366261346238393335393765
+39376630306639353862323834343830646330643737653631633361326134613666613430323433
+64363965653063316432353431386533386661386239636332323139393933653063643865646338
+34626433393731343535313766303237313866613166663333616535323661666362613439376166
+62626430363661303630346265383863613162356535306165633537383038613131346561306330
+61623435626363623762313832313031363665623933656238623131303362326137313266316630
+32366664633963626463613562643666383637383831343234666435373564306635343730373665
+36643436633066373962303965373663376266323133343233323563393065633162383237323162
+38656336306432623330616234373936306163646330313734653864386464646535666331616335
+32623163356337326665333731656438393633326638363635353733663861323934333536393338
+33656231373166313761643030363437373638366461653038363565623633623035393564643161
+38663064356239393034323761386435396437386534633734353938653239323533333531363965
+36316636353864626461303936313632663261353437396238363930626239336139323561373133
+61366330386135363039303166326231656331653632343261306531653731313465396131643330
+35616432613631636264333263363239616435303436653936386165343335356337343032386239
+37373230623366653834663031343738643063616661363138316262643635343439333838363632
+34353236393730363262303439313132663735336463323432303036366361666338363237313664
+39366434303839356163616136336237643061373633343737333036653362643635643536386436
+30336636333464626464326332343333656535666431353338336438346335346433313934346231
+32326231636262346232636366393361623830316238303537666164626339383061633765333039
+30633539666535366539383061396461313437383537656239393131326538636536356536643735
+66653336343364346635383761613731666263366465643336636661323263386364653035333062
+33616364393664613363383937653530356138316363633335386232336531373835303732383962
+65643264656134393663653333346531316365323730383363373564323133333032373330643232
+63373239366435643738353130353333646136303530643065383066313035366239326664363830
+36626366646264643130326261363536313835356638636139636434333362366363313133316130
+61383734636433313433303466323265386132363862643131613666306162396437643166393630
+32613464313530316262353938383735336262663939323730626662663235303638303065663939
+33636234383033393237303865633961333462663232363562386637333335373565663261363933
+31356436613138653765663162646566326134313736316130356336663536643466623331653039
+38616465306532666434333534356464666663613263383430336465376133393032623762323237
+63343462373834383566393466366332303235323865343730373062343739363265343164623262
+38346539343533636435626133306662623865653934666665363063356162326461316561383261
+33666362656635323262353066356330616263326134613635336261343438393838326438613435
+64343336393034303330323563346233653135633439386465653065633339643032636662313531
+38356234326632336161666666353030366238626262353831393532306166363432633939383166
+66316136333838653433383439623366333062313833616366656566393965393665613738303833
+38326139366330393863623365383963306361613665643962376664636134353533623836643362
+39626166353138646666633136363662393565336333393638626534636330313632326333353366
+39353133666532306531343137353834353133633165613566323135313362333962303637663965
+63383730663562646563333763356135613537666332393537663062653662623938353434323136
+39663965616437653232623333363762616233316530303833376332396165616635336532653035
+36306331643232336664363733376632323630616139353030343930343166623433616234616539
+34393131303363626166383037336262323662393431356463616665343463363432356132313531
+37653331336165626435343162663662386662613164336439636465363335386233383065393535
+31396466636465336164383563326236356463393831363534656536616664613361346463613837
+35366562623432353166303836353261313233663864626665663837336233653237373031393636
+64343763386361626232633032316466373161666536313363633765653365656538343130326566
+38396534323433343634333139333063633531343631316163346135643037323034633835363963
+32343963653263663438666537653963376133633661393562623131636465386266616166366566
+36343963623262656162303337366365616263376363366161373236323166353834616262393061
+39393239303335623332346236356335393836636533386432653164656334613738393533623764
+36363136353034633934323066323335626138353763333537353761303930623930353062373932
+30656339663333373431633763366433366266316563393332613334633966633339633230303166
+61346264386134623962316532343664386637303738333835343036633038323137323961323837
+33376431316465373165663338623538636136343538666235333334373664323463326336336334
+32303361393134653338646563643636356361366133633634393731343332313437643731366634
+30386466333965356135303732663433316363376438623764653464343564353835626435333230
+30646238393266643137373037326136306337306130343739633933626134643364326534386464
+65303531623335663766623037663630376366333631363165633762616564396538643866313465
+35343265663336303537663962643536653937373839313435383337353036313239653263323061
+63653865656461363334646466396135663338383065646464656631636666643030376363633333
+30333331636438656238326534656165396233633131306562336263653330396366343964313434
+66653862386531306236336339353935653335616638643831393430613533643533626135313835
+64313065373564323132663531626436623465663766663566643964353361303336386464386463
+38373036613536386436373535323664333231663437643962373339653236393339653064363530
+61393835343230356234376630613230326637636534336564383139366663663136306665363363
+66373237373530303062333935633634313766316461666439666433616236346434623535343531
+30383264303536653236363533383561613636303662663935303761353065336631353735376365
+63343162646663623736336638306465666233343031656137393037623035613236373930633131
+36366633656131633563336561323835343766356131343038643761663966656364376430366636
+36316633633736353436666539303039383231333437653666313435616536626434653833376532
+66376130653339643564646139633238643266316633363137313038363061386163613863313733
+66633665613537303834393233376463343965343664343564343832376238383064373262336162
+61313163303632373261383563363964353731363739306337333161333130656235363631343761
+61353265633338336466623830396466646233333039323065333636303035363563373366396334
+37366637306430396262376539653134396536643931643563386666623364346635363138373937
+61613232386666343033383031363439373335396362643130656235653066376537373062333363
+39373737316136303835616639363162363839376635666237353064323433373961326338393263
+34343162336336623530653531663136366136353139343561623532633139366533386263316364
+36306134356666343230643639303766343466353562643130363063343330393232663161306266
+66336435356265396330366566373137323265623431386535396665313335666332616233383664
+63656663363366613431366632306230633265306663336439306263646132626631363663643861
+30373330653637623733653165336132643965623232383839623535326336643239333133313030
+32326634643238333163383562393134623532363561393364616430366532633862396438306433
+33653235303639383333633035656533633165653137326130643961393965346266383861616333
+37306266393231336666343333643530353230383239343931303838623335303262313130616162
+65383962613965646438323065303962663965333231323139303438343631396363666330653330
+61323839333863343034356363366433313039383963303063346237366261363861643839396362
+31346637303032356463303564303562313639643563396261326538353834363737323235646430
+64343230336539663237306235623662333062396238383135616231383837366339376633663938
+65313739333065383335323437396232323564363733333437363133613766653334396431333036
+38333038656339363132346362333863643261376335666536306231316630303437306231646565
+61666334623736373832613366376438323664653531393938353234303030633532653561313665
+63613064663564646235373234326661303562646139323330343330343139633462646131353038
+62663535393738626432633564663564653663393937656634666137646363643365353930373266
+66373162373165653533383862363835346133313234326162393331666566316439633133316633
+66393733373333653630363334353833363565336338613361396335326166643630623133303466
+31663037663766356531663039386232316138393266333035613364316539353837653763616666
+32376431383965633138666536386532663761343537646266643566373132343762383966326233
+38373766353962323362366330383564636236363961333535313064313039343933346439396237
+66616631633539623537633164363665393239643633663338393765336434653930356662656164
+65366533633336313832633166376265376634613635363563643866323730343139306537323863
+61373461363237653634666331366436356335306265643639373034666131626238336632346632
+34613062346532656530626364343938636162383862653538353563363035346339623839663261
+39663438396362383866663336643035653833336466663037313764326434373061626232646333
+63336336383366333538613331303863356430373764363930363061383036343836386561663362
+63663232373563343461306131333263376437623534346562626536376138393939373064333231
+31303464656332383036616661656565313063346231623634356638326239343536316162613335
+34663232326438333966313663336465373833646634353934323361343833373661633265313239
+62656533656338376562323861396665353166623732623139353431336439386263363235316132
+35373933613236616362396363323031633166633837383634313638656430373634383563616463
+38353738636631626639636135363561623935646365316161376166653461356430326362623738
+64386537373230303239356334313663616336393439623431616639643233353662306265373232
+39343066353564316433653361333766363535636533626338386434646531653432313034393134
+62653733313636653331356363396531313136346136303661656466333138363366616530306536
+66373532626230313739306432363433313736316261383837393737356333326236323261613965
+36373064636138373134373530363533613031376362386334393464383062663663313234643432
+64363232376137613231313862386561313131376133376466393630383737306666393738613265
+66646236646632313832633366333335313239363763326464326361326263346636326332376336
+31306230373963636135643235306537623930636164346366623862303838653238373030653035
+35653634393532653566323063323761643738616532376262623163393461346334393034643862
+62653835363236303732386365626464346131363231336431316233643132383566356531346237
+66333933386539396366333565653938396564643464663165323535386262623532666237393630
+65336262636630386633626335636231616332353965356335666362313562643738306263376230
+63323938633237363431386639613830633765353232313236336233363736363566346237616637
+61656234376562323162656432393665393930313736313439316261363264333865356139343233
+63636638646332626365383839373765383864346532383236386266656635653333343032313231
+65626233313634333533653436626134373632363565653230656161613963323334613262646530
+66636331396130613934363939653238343463396639363731393363643830663362373439646337
+63396435376637666563333165623338386337613638366339656561366538366635363037366531
+32306235666231303762356665613738323336306465613531313964626631313731373963353964
+32616632376534316532643531386635386330313866326265393736376538616431323238333562
+36373238656361323336383466363563623333306634373164366134376635373262353533653330
+38643233363737356564653834316435336439663562343366353866336662356138323566363061
+63313336323435343861393164313130346438343862366530363233643266393964316265663535
+65323739306536373331326338326132383265343939663336303534633537393637353639636561
+64656432313636366434313465626562626638613232653230373530363234306537363665646633
+33326163663830353166643662386637323438366334386533303664356631653561323032666265
+61333165363636363634353461613039313362373863663739323231663230643635663466323430
+37393431333733313134326231313234353930663365646637386639643535316362626232323430
+32363631353565323663393235343336663930373439663861613661636433356366633065343935
+61356636323039656230353264646166626633316430653162383638336265653865373536643036
+35653166333765366231636163666638383262613432646334663430323565333538626665343763
+32646663356565646362646261343436383039623635666439643762616463656361386631313637
+61616164383734353634306633636338623837356230626263653161616664613266356432653335
+30646434346436383565343138623264386630333832386134666463313936383364333364383232
+39393066333666653734616463343530643537613437623766313237353033623662336137356534
+35303635623232333230363362353137656235373539316163653863326666383237303235316164
+34623138346261366238303037653764366537333561623135656236663435316565303931353939
+34663932303239393836363663343735313632333639633733323564343039346436343935373430
+66313863643361306161373634373738383462313831643161333230646435313261383534396464
+39663466643864666433366531323866333935373833663661323833623734646265393035613966
+62393165653135643737343333346232356638646437326664396466333063666135653338623266
+34663133636164386164636434666231643163343930353863306538333337643762616661366366
+63646336613433623862356365633563633235396337356535376335636633636563333738383061
+33326136393530353964666639633638643433653736376637386638336561643061323635373565
+65393836613638313165313262376166643561623131363836363531616232663333333063393039
+35643938626132383439393761623165303730396365323665613663643961663466393937333731
+30643662663034616631343336343236613437376362366234343436376563303466633030323465
+64626536333465626430333336353038336539313531303933633466333633336364363961353861
+31636135303332343733313637326461643264636236313331643438613365393733383764653432
+65346533616130396233613863633331613638316462366364346465353234373531393137336165
+36666336333036396262663661343962663763316531393765346536646236613331626139383230
+32623665353463326633646466376232343333666465616633333033663031643262663732323230
+36363439613934643037393562333237636262306330356638666235333361376136623462313736
+33373163336134316563353031616339336234623738373230323335623130376265386130333235
+64616261633232316131633062623163333135323737376462383539663137366539656261396238
+31363232356361376264373863663362346535346136313834623761333037343435326339633735
+33656465376264326334356365346437343062343631663430346561656531653662646530316133
+64396563376263306533306565623163316238326264306330393465333737303062363030343662
+65333633643635643737323231343664613735336230393835346132613331366266336434623937
+65616366633734373434333837326465613862633930626435623165633964313732373936346434
+30643161633238343435623538316134616161313461616538653161383032313038666638376432
+64646564626231656664306235633031356564373432626561386135653136313062383861323130
+34393331316439613363636631666262343334393739303631633936623964343938373334623230
+39343031663565333431333731363966623730666335346164623662373265643732306662393663
+39336137326533643533623865313934336464633634613436616438373531636562313762383666
+37386365333361626362

group_vars/aurore/main.yml

@@ -0,0 +1,8 @@
+---
+apartment_block: aurore
+apartment_block_id: 0
+router_ip_suffix: 254
+
+# We have two -aurore DHCP servers, but no failover peer functionality is needed
+# because they only give out IPs assigned by re2o.
+dhcp_failover_enabled: false

group_vars/bdd.yml

@@ -0,0 +1,5 @@
+---
+borg_keep_hourly: 6
+borg_backup_exclude:
+  - "/var/lib/postgresql/"
+...

group_vars/certbot.yml

@@ -0,0 +1,8 @@
+---
+glob_certbot:
+  - dns_rfc2136_server: '10.128.0.30'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+    mail: tech.aurore@lists.crans.org
+    certname: auro.re
+    domains: "*.auro.re"

group_vars/dhcp/dhcpd.yml

@@ -0,0 +1,69 @@
+---
+dhcpd__omapi_key:
+  algorithm: hmac-sha512
+  secret: 99XuJO0ofX3VAnWWlyixWbQ5YTagPfgxyh14IbLNBb3/JzEklkWopvQdj/PXVYbfb/sRyFJBhLexPag4dLh7PA==
+
+dhcpd__interfaces:
+  - client0
+  - client1
+  - client2
+  - client3
+  - client4
+
+dhcpd__dns_servers:
+  - 10.128.10.3
+  - 10.128.10.103
+
+dhcpd__domain_search:
+  - isp.auro.re.
+  - auro.re.
+
+dhcpd__subnets:
+  - network: 100.64.0.0/27
+    routers:
+      - 100.64.0.1
+    start: 100.64.0.4
+    end: 100.64.0.30
+    domain_name: client0.isp.auro.re
+    failover: true
+  - network: 100.64.0.32/27
+    routers:
+      - 100.64.0.31
+    start: 100.64.0.33
+    end: 100.64.0.63
+    domain_name: client1.isp.auro.re
+    failover: true
+  - network: 100.64.0.64/27
+    routers:
+      - 100.64.0.65
+    start: 100.64.0.67
+    end: 100.64.0.95
+    domain_name: client2.isp.auro.re
+    failover: true
+  - network: 100.64.0.96/27
+    routers:
+      - 100.64.0.97
+    start: 100.64.0.99
+    end: 100.64.0.127
+    domain_name: client3.isp.auro.re
+    failover: true
+  - network: 100.64.0.128/27
+    routers:
+      - 100.64.0.129
+    start: 100.64.0.131
+    end: 100.64.0.159
+    domain_name: client4.isp.auro.re
+
+dhcpd__failover:
+  dhcp-1.isp.infra.auro.re: 10.210.1.1
+  dhcp-2.isp.infra.auro.re: 10.210.1.2
+
+dhcpd__failover_address: "{{ dhcpd__failover[inventory_hostname] }}"
+
+dhcpd__failover_peer_address: "{{ dhcpd__failover
+                                  | dict2items
+                                  | selectattr('key', '!=',
+                                               inventory_hostname)
+                                  | map(attribute='value')
+                                  | first }}"
+...

group_vars/dns/kresd.yml

@@ -0,0 +1,24 @@
+---
+kresd__listen:
+  - address: 0.0.0.0
+    port: 53
+    kind: dns
+  - address: "::"
+    port: 53
+    kind: dns
+  - address: 0.0.0.0
+    port: 853
+    kind: tls
+  - address: "::"
+    port: 853
+    kind: tls
+  - address: 0.0.0.0
+    port: 8453
+    kind: webmgmt
+  - address: "::"
+    port: 8453
+    kind: webmgmt
+    tls: false
+
+kresd__cache_size: 512
+...

group_vars/edc/ldap_local_replica.yml

@@ -0,0 +1,3 @@
+---
+ldap_local_replica_uri:
+  - 'ldap://ldap-replica-edc.adm.auro.re'

group_vars/edc/main.yml

@@ -0,0 +1,7 @@
+---
+apartment_block: edc
+apartment_block_id: 4
+
+router_ip_suffix: 254
+
+mtu: 1500

group_vars/edc/sudo_location_group.yml

@@ -0,0 +1,3 @@
+---
+# Users in that group will be able to `sudo`
+sudo_group_location: 'sudoedc'

group_vars/edge/keepalived.yml

@@ -0,0 +1,21 @@
+---
+keepalived__virtual_router_id: 81
+
+keepalived__interface: back0
+
+keepalived__virtual_addresses:
+  crans0:
+    - 185.230.79.254/29
+    - 2a0c:700:28::2/64
+    - fe80::1/10
+  zayo0:
+    - 2001:1b48:2:103::d7:2/126
+    - 83.167.52.69/31
+    - fe80::1/10
+  oti0:
+    - 2a00:a4c0:100c:1::b/127
+    - 77.95.70.11/31
+    - fe80::1/10
+
+keepalived__main: "{{ inventory_hostname_short == 'edge-1' }}"
+...

group_vars/fleming/main.yml

@@ -0,0 +1,7 @@
+---
+apartment_block: fleming
+apartment_block_id: 1
+
+router_ip_suffix: 254
+
+mtu: 1500

group_vars/fleming/sudo_location_group.yml

@@ -0,0 +1,3 @@
+---
+# Users in that group will be able to `sudo`
+sudo_group_location: 'sudofleming'

group_vars/gs/main.yml

@@ -0,0 +1,7 @@
+---
+apartment_block: gs
+apartment_block_dhcp: sand
+
+apartment_block_id: 5
+
+router_ip_suffix: 254

group_vars/gs/sudo_location_group.yml

@@ -0,0 +1,3 @@
+---
+# Users in that group will be able to `sudo`
+sudo_group_location: 'sudogeorgesand'

group_vars/infra/bird.yml

@@ -0,0 +1,86 @@
+---
+bird__kernel:
+  kernel:
+    learn: true
+    import: accept
+    export: accept
+
+bird__ospf:
+  limits:
+    import: 4000
+    export: 4000
+  import: accept
+  export:
+    protos: kernel
+  areas:
+    0:
+      broadcast:
+        - back0
+      stub:
+        - monit0
+        - wifi0
+        - int0
+        - sw0
+        - bmc0
+        - pve0
+        - isp0
+        - ext0
+        - pub0
+        - th30
+        - ups0
+    1:
+      broadcast:
+        - vpn0
+
+bird__bgp:
+  edge1:
+    local:
+      address: "{{ bird__bgp_addr.back }}"
+      as: "{{ bird__as.aurore }}"
+    neighbor:
+      address:
+        - 2a09:6840:203::1:1
+        - 10.203.1.1
+      as: "{{ bird__as.aurore }}"
+    import:
+      - pref_src: "{{ bird__pref_src_addr }}"
+      - accept
+    export: reject
+  edge2:
+    local:
+      address: "{{ bird__bgp_addr.back }}"
+      as: "{{ bird__as.aurore }}"
+    neighbor:
+      address:
+        - 2a09:6840:203::1:2
+        - 10.203.1.2
+      as: "{{ bird__as.aurore }}"
+    import:
+      - pref_src: "{{ bird__pref_src_addr }}"
+      - accept
+    export: reject
+      #wg1:
+      #local:
+      #address: "{{ bird__bgp_addr.vpn }}"
+      #as: "{{ bird__as.aurore }}"
+      #neighbor:
+      #address:
+      #  - 2a09:6840:213::1:3
+      #  - 10.213.1.3
+      #as: "{{ bird__as.aurore }}"
+      #rr_cluster_client: 10.203.1.1
+      #import: reject
+      #export: accept
+      #wg2:
+      #local:
+      #address: "{{ bird__bgp_addr.vpn }}"
+      #as: "{{ bird__as.aurore }}"
+      #neighbor:
+      #address:
+      #  - 2a09:6840:213::1:4
+      #  - 10.203.1.4
+      #as: "{{ bird__as.aurore }}"
+      #rr_cluster_client: 10.203.1.1
+      #import: reject
+      #export: accept
+...

group_vars/infra/firewall.yml

@@ -0,0 +1,457 @@
+---
+firewall__zones:
+  adm-legacy:
+    addrs:
+      - 2a09:6840:128::/64
+      - 10.128.0.0/16
+  ups:
+    addrs:
+      - 2a09:6840:201::/64
+      - 10.201.0.0/16
+  back:
+    addrs:
+      - 2a09:6840:203::/64
+      - 10.203.0.0/16
+  monit:
+    addrs:
+      - 2a09:6840:204::/64
+      - 10.204.0.0/16
+  wifi:
+    addrs:
+      - 2a09:6840:205::/64
+      - 10.205.0.0/16
+  int:
+    addrs:
+      - 2a09:6840:206::/64
+      - 10.206.0.0/16
+  sw:
+    addrs:
+      - 2a09:6840:207::/64
+      - 10.207.0.0/16
+  bmc:
+    addrs:
+      - 2a09:6840:208::/64
+      - 10.208.0.0/16
+  pve:
+    addrs:
+      - 2a09:6840:209::/64
+      - 10.209.0.0/16
+  isp:
+    addrs:
+      - 2a09:6840:210::/64
+      - 10.210.0.0/16
+  ext:
+    addrs:
+      - 2a09:6840:211::/64
+      - 10.211.0.0/16
+  pub:
+    addrs:
+      - 2a09:6840:215::/64
+      - 45.66.111.192/27
+  vpn-clients:
+    addrs:
+      - 2a09:6840:212::/64
+      - 10.212.0.0/16
+  vpn:
+    addrs:
+      - 2a09:6840:213::/64
+      - 10.213.0.0/16
+  infra:
+    zones:
+      - adm-legacy
+      - ups
+      - back
+      - monit
+      - wifi
+      - int
+      - sw
+      - bmc
+      - pve
+      - isp
+      - ext
+      - pub
+      - vpn
+  internet:
+    negate: true
+    addrs:
+      - 2a09:6840::/32
+      - 2a09:6841::/32
+      - 2a09:6842::/32
+      - 45.66.108.0/22
+      - 10.0.0.0/8
+      - 100.64.0.0/10
+  prometheus.int:
+    addrs:
+      - 2a09:6840:204::1:1
+      - 10.204.1.1
+      - 2a09:6840:204::1:2
+      - 10.204.1.2
+  grafana.adm:
+    addrs:
+      - 2a09:6840:128::98
+      - 10.128.0.98
+  re2o-ldap.adm:
+    addrs:
+      - 2a09:6840:128::21
+      - 10.128.0.21
+  ldap-replica-edc.adm:
+    addrs:
+      - 2a09:6840:128::4:249
+      - 10.128.4.249
+  nextcloud.adm:
+    addrs:
+      - 2a09:6840:128::58
+      - 10.128.0.58
+  dns.int:
+    addrs:
+      - 2a09:6840:206::1:1
+      - 10.206.1.1
+      - 2a09:6840:206::1:2
+      - 10.206.1.2
+  ntp.int:
+    addrs:
+      - 2a09:6840:206::1:5
+      - 10.206.1.5
+      - 2a09:6840:206::1:6
+      - 10.206.1.6
+  docker-ovh.adm:
+    addrs:
+      - 2a09:6840:128::150
+      - 10.128.0.150
+  mx.test:
+    addrs:
+      - 2a09:6840:211::1:5
+      - 45.66.111.208
+      - 10.128.1.5
+  proxy.pub:
+    addrs:
+      - 2a09:6840:215::1:1
+      - 45.66.111.206
+  collabora.ext:
+    addrs:
+      - 2a09:6840:211::1:1
+      - 10.211.1.1
+  grafana.ext:
+    addrs:
+      - 2a09:6840:211::1:7
+      - 10.211.1.7
+  ns-1.pub:
+    addrs:
+      - 2a09:6840:215::1:2
+      - 45.66.111.205
+  ns-2.pub:
+    addrs:
+      - 2a09:6840:215::1:3
+      - 45.66.111.207
+  ns-master.int:
+    addrs:
+      - 2a09:6840:206::1:7
+      - 10.206.1.7
+  tor.pub:
+    addrs:
+      - 45.66.111.215
+      - 2a09:6840:215::1:215
+  jitsi.pub:
+    addrs:
+      - 45.66.111.216
+      - 2a09:6840:215::1:216
+  log-1.int:
+    addrs:
+      - 10.206.1.9
+      - 2a09:6840:206::1:9
+  log-2.int:
+    addrs:
+      - 10.206.1.10
+      - 2a09:6840:206::1:10
+
+firewall__input:
+  - iif:
+      - back0 # FIXME link-local
+      - vpn0
+    verdict: accept
+  - src:
+      - back
+      - vpn
+    verdict: accept
+  - src: monit
+    protocols:
+      tcp:
+        dport:
+          - 9100
+          - 9700
+    verdict: accept
+  - src: monit
+    protocols:
+      tcp:
+        dport: 9324
+    verdict: accept
+  - protocols:
+      icmp: true
+    verdict: accept
+  - protocols:
+      tcp:
+        dport: 22
+    verdict: accept
+  - verdict: drop
+
+firewall__output:
+  - verdict: accept
+
+firewall__forward:
+  - src: back
+    dst: infra
+    verdict: accept
+  - src: infra # FIXME: temporary
+    dst: internet
+    verdict: accept
+  - src: monit
+    dst: bmc
+    protocols:
+      icmp: true
+    verdict: accept
+  - dst: mx.test
+    protocols:
+      icmp: true
+    verdict: accept
+  - dst: mx.test
+    protocols:
+      tcp:
+        dport:
+          - 25
+          - 465
+          - 993
+    verdict: accept
+  # NS
+  - dst:
+      - ns-1.pub
+      - ns-2.pub
+    protocols:
+      tcp:
+        dport: 53
+    verdict: accept
+  - dst:
+      - ns-1.pub
+      - ns-2.pub
+    protocols:
+      udp:
+        dport: 53
+    verdict: accept
+  - src:
+      - ns-1.pub
+      - ns-2.pub
+    dst: ns-master.int
+    protocols:
+      udp:
+        dport: 53
+    verdict: accept
+  - src:
+      - ns-1.pub
+      - ns-2.pub
+    dst: ns-master.int
+    protocols:
+      tcp:
+        dport: 53
+    verdict: accept
+  # SNMP
+  - src: monit
+    dst:
+      - sw
+      - ups
+      - bmc
+    protocols:
+      udp:
+        dport: 161
+    verdict: accept
+  - src: monit
+    dst:
+      - sw
+      - ups
+      - bmc
+    protocols:
+      tcp:
+        dport: 161
+    verdict: accept
+  # Alertmanager
+  - src: monit
+    dst: docker-ovh.adm
+    protocols:
+      tcp:
+        dport: 9093
+    verdict: accept
+  - src: adm-legacy
+    dst: bmc
+    verdict: accept
+  # Prometheus for Grafana
+  - src: grafana.adm
+    dst: prometheus.int
+    protocols:
+      tcp:
+        dport: 9090
+    verdict: accept
+  # Prometheus for Grafana nixos
+  - src: grafana.ext
+    dst: prometheus.int
+    protocols:
+      tcp:
+        dport: 9090
+    verdict: accept
+  - src: grafana.ext
+    dst: re2o-ldap.adm
+    protocols:
+      tcp:
+        dport: 389
+    verdict: accept
+  - src: grafana.ext
+    dst: ldap-replica-edc.adm
+    protocols:
+      tcp:
+        dport: 389
+    verdict: accept
+  # Admin VPN clients
+  - src: vpn-clients
+    dst: infra
+    verdict: accept
+  # Prometheus node
+  - src: monit
+    dst: infra
+    protocols:
+      tcp:
+        dport:
+          - 9100
+          - 9700
+    verdict: accept
+  # Prometheus bird
+  - src: monit
+    dst: back
+    protocols:
+      tcp:
+        dport: 9324
+    verdict: accept
+  # Prometheus kresd
+  - src: monit
+    dst: dns.int
+    protocols:
+      tcp:
+        dport: 8453
+    verdict: accept
+  # Allow DNS from infra to dns-{1,2}
+  - src: infra
+    dst: dns.int
+    protocols:
+      udp:
+        dport: 53
+    verdict: accept
+  - src: infra
+    dst: dns.int
+    protocols:
+      tcp:
+        dport: 53
+    verdict: accept
+  # Allow NTP from infra to ntp-{1,2} 
+  - src: 
+      - infra
+      - pub
+    dst: ntp.int
+    protocols:
+      udp:
+        dport: 123
+    verdict: accept
+  # Admin Wireguard
+  - dst:
+      - 2a09:6840:211::1:1
+      - 45.66.111.204
+      - 10.211.1.1
+    protocols:
+      udp:
+        dport: 5121
+    verdict: accept
+  # Proxy web
+  - dst: 
+      - jitsi.pub
+      - proxy.pub
+    protocols:
+      tcp:
+        dport:
+          - 80
+          - 443
+    verdict: accept
+  - src: proxy.pub
+    dst: grafana.adm
+    protocols:
+      tcp:
+        dport: 3000
+    verdict: accept
+  - src: proxy.pub
+    dst: grafana.ext
+    protocols:
+      tcp:
+        dport: 80
+    verdict: accept
+  - src: proxy.pub
+    dst: nextcloud.adm
+    protocols:
+      tcp:
+        dport: 8080
+  - src: proxy.pub
+    dst: adm-legacy
+    protocols:
+      tcp:
+        dport:
+          - 80
+          - 443
+    verdict: accept
+  # ICMP to public vlan
+  - dst: pub
+    protocols:
+      icmp: true
+    verdict: accept
+  # Proxy -> Collabora
+  - src: proxy.pub
+    dst: collabora.ext
+    protocols:
+      tcp:
+        dport: 9980
+    verdict: accept
+  # Collabora -> Proxy
+  - src: collabora.ext
+    dst: proxy.pub
+    protocols:
+      tcp:
+        dport:
+          - 80
+          - 443
+    verdict: accept
+  # Tor: SSH
+  - dst: tor.pub
+    protocols:
+      tcp:
+        dport: 
+          - 22
+          - 4444
+    verdict: accept
+  # Jitsi UDP
+  - dst: jitsi.pub
+    protocols:
+      udp:
+        dport:
+          - 3478
+          - 10000
+  # Jitsi TCP
+  - dst: jitsi.pub
+    protocols:
+      tcp:
+        dport:
+          - 5349
+
+firewall__nat:
+  - src: 10.0.0.0/8
+    dst: internet
+    protocols: null
+    snat:
+      addr: 45.66.111.200/30
+  #- src: monit
+  #  dst: adm-legacy
+  #  protocols: null
+  #  snat:
+  #    addr: 10.203.1.3/32
+...

group_vars/infra/keepalived.yml

@@ -0,0 +1,59 @@
+---
+keepalived__virtual_router_id: 82
+
+keepalived__interface: back0
+
+keepalived__virtual_addresses:
+  ups0:
+    - 10.201.0.1/16
+    - 2a09:6840:201::1/64
+    - fe80::1/10
+  monit0:
+    - 10.204.0.1/16
+    - 2a09:6840:204::1/64
+    - fe80::1/10
+  wifi0:
+    - 10.205.0.1/16
+    - 2a09:6840:205::1/64
+    - fe80::1/10
+  int0:
+    - 10.206.0.1/16
+    - 2a09:6840:206::1/64
+    - fe80::1/10
+  sw0:
+    - 10.207.0.1/16
+    - 2a09:6840:207::1/64
+    - fe80::1/10
+  bmc0:
+    - 10.208.0.1/16
+    - 2a09:6840:208::1/64
+    - fe80::1/10
+  pve0:
+    - 10.209.0.1/16
+    - 2a09:6840:209::1/64
+    - fe80::1/10
+  isp0:
+    - 10.210.0.1/16
+    - 2a09:6840:210::1/64
+    - fe80::1/10
+  ext0:
+    - 10.211.0.1/16
+    - 2a09:6840:211::1/64
+    - fe80::1/10
+  th30:
+    - 10.126.0.6/24
+    - fe80::1/10
+  pub0:
+    - 2a09:6840:215::1/64
+    - 45.66.111.204/27
+    - fe80::1/10
+
+#keepalived__virtual_routes:
+#  ext0:
+#    - 45.66.111.204/30
+
+keepalived__virtual_blackholes:
+  - 45.66.111.200/30 # NAT
+
+keepalived__main: "{{ inventory_hostname_short == 'infra-1' }}"
+...

group_vars/isp/bird.yml

@@ -0,0 +1,53 @@
+---
+bird__kernel:
+  kernel:
+    learn: true
+    import: accept
+    export: accept
+
+bird__ospf:
+  limits:
+    import: 4000
+    export: 4000
+  import: accept
+  export:
+    protos: kernel
+  areas:
+    0:
+      broadcast:
+        - back0
+      stub:
+        - client0
+        - client1
+        - client2
+        - client3
+        - client4
+
+bird__bgp:
+  edge1:
+    local:
+      address: "{{ bird__bgp_addr.back }}"
+      as: "{{ bird__as.aurore }}"
+    neighbor:
+      address:
+        - 2a09:6840:203::1:1
+        - 10.203.1.1
+      as: "{{ bird__as.aurore }}"
+    import:
+      - pref_src: "{{ bird__pref_src_addr }}"
+      - accept
+    export: reject
+
+bird__radv:
+  rdnss:
+    - 2a09:6840:206::1:1
+    - 2a09:6840:206::1:2
+  interfaces:
+    client0:
+      max_interval: 5
+      prefixes:
+        - 2a09:6841::/64
+      dnssl: client0.isp.auro.re
+      domain_search:
+        - auro.re
+...

group_vars/isp/firewall.yml

@@ -0,0 +1,40 @@
+---
+firewall__zones:
+  internet:
+    negate: true
+    addrs:
+      - 2a09:6840::/32
+      - 2a09:6841::/32
+      - 2a09:6842::/32
+      - 45.66.108.0/22
+      - 10.0.0.0/8
+      - 100.64.0.0/10
+  clients:
+    addrs:
+      - 100.64.0.0/10
+  non_clients:
+    negate: true
+    zones: clients
+  allowed_clients:
+    file:
+      path: /var/run/firewall/allowed_clients.yml
+      default: []
+
+firewall__input:
+  - verdict: accept
+
+firewall__output:
+  - verdict: accept
+
+firewall__forward:
+  - src: allowed_clients
+    dst: non_clients
+    verdict: accept
+
+firewall__nat:
+  - src: clients
+    dst: internet
+    protocols: null
+    snat:
+      addr: 45.66.111.220
+...

group_vars/isp/keepalived.yml

@@ -0,0 +1,32 @@
+---
+keepalived__virtual_router_id: 80
+
+keepalived__interface: back0
+
+keepalived__virtual_addresses:
+  client0:
+    - 100.64.0.1/27
+    - 2a09:6841::1/56
+    - fe80::1/10
+  client1:
+    - 100.64.0.33/27
+    - 2a09:6841:0:1::1/64
+    - fe80::1/10
+  client2:
+    - 100.64.0.65/27
+    - 2a09:6841:0:2::1/64
+    - fe80::1/10
+  client3:
+    - 100.64.0.97/27
+    - 2a09:6841:0:3::1/64
+    - fe80::1/10
+  client4:
+    - 100.64.0.129/27
+    - 2a09:6841:0:4::1/64
+    - fe80::1/10
+
+keepalived__virtual_blackholes:
+  - 45.66.111.220/32
+
+keepalived__main: "{{ inventory_hostname_short == 'isp-1' }}"
+...

group_vars/nginx.yml

@@ -0,0 +1,32 @@
+---
+glob_nginx:
+  contact: tech.aurore@lists.crans.org
+  who: "L'équipe technique d'Aurore"
+  service_name: service
+  ssl:
+    # Add adm.auro.re if necessary
+    - name: auro.re
+      cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+      cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+      trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+  servers:
+    - ssl: false  # Replace by auro.re or adm.auro.re
+      default: true
+      server_name:
+        - "default"
+        - "_"
+      root: "/var/www/html"
+      locations:
+        - filter: "/"
+          params: []
+      additional_params: []
+  upstreams: []
+
+  auth_passwd: []
+  default_server:
+  default_ssl_server:
+  default_ssl_domain: auro.re
+  real_ip_from:
+    - "10.128.0.0/16"
+    - "2a09:6840:128::/64"
+  deploy_robots_file: false

group_vars/ns/knotd.yml

@@ -0,0 +1,71 @@
+---
+knotd__listen:
+  - address: 0.0.0.0
+  - address: "::"
+
+knotd__keys:
+  xfr:
+    algorithm: hmac-sha512
+    secret: "{{ vault_knotd_xfr_key }}"
+
+knotd__remotes:
+  xfr-master:
+    address: 2a09:6840:206::1:7
+    key: xfr
+
+knotd__acl:
+  notify-master:
+    address:
+      - 2a09:6840:206::1:7
+      - 10.206.1.7
+    key: xfr
+    action: notify
+
+knotd__queryacl:
+  local:
+    addresses:
+      - 10.0.0.0/8
+
+knotd__zones:
+  auro.re:
+    dnssec_validation: true
+    acl:
+      - notify-master
+    master: xfr-master
+  test.auro.re:
+    dnssec_validation: true
+    acl:
+      - notify-master
+    master: xfr-master
+  infra.auro.re:
+    dnssec_validation: true
+    acl:
+      - notify-master
+    #queryacl: local
+    master: xfr-master
+  108.66.45.in-addr.arpa:
+    dnssec_validation: false
+    acl:
+      - notify-master
+    master: xfr-master
+  109.66.45.in-addr.arpa:
+    dnssec_validation: false
+    acl:
+      - notify-master
+    master: xfr-master
+  110.66.45.in-addr.arpa:
+    dnssec_validation: false
+    acl:
+      - notify-master
+    master: xfr-master
+  111.66.45.in-addr.arpa:
+    dnssec_validation: false
+    acl:
+      - notify-master
+    master: xfr-master
+  0.4.8.6.9.0.a.2.ip6.arpa:
+    dnssec_validation: false
+    acl:
+      - notify-master
+    master: xfr-master
+...

group_vars/ntp/chronyd.yml

@@ -0,0 +1,13 @@
+---
+chronyd__allow_networks:
+  - 2a09:6840::/32
+  - 10.0.0.0/8
+
+chronyd__pools:
+  - 0.pool.ntp.org
+  - 1.pool.ntp.org
+  - 2.pool.ntp.org
+  - 3.pool.ntp.org
+
+chronyd__local_stratum: 10
+...

group_vars/pacaterie/main.yml

@@ -0,0 +1,7 @@
+---
+apartment_block: pacaterie
+apartment_block_id: 2
+
+router_ip_suffix: 254
+
+mtu: 1500

group_vars/pacaterie/sudo_location_group.yml

@@ -0,0 +1,3 @@
+---
+# Users in that group will be able to `sudo`
+sudo_group_location: 'sudopacaterie'

group_vars/prom/prometheus/bird.yml

@@ -0,0 +1,144 @@
+---
+prometheus__scraping_bird:
+  targets: "{{ groups.router }}"
+  address:
+    port: 9324
+
+prometheus__rules_bird:
+  - record: bird:protocol_up:bgp_all
+    expr:
+      label_replace(
+        bird_protocol_up{proto="BGP"},
+        "group", "$1",
+        "instance", "^([^0-9\\.]+)-[0-9]+.*"
+      )
+  # FIXME: sessions en cours d'installation, pas encore monitorées
+  - record: bird:protocol_up:bgp
+    expr:
+      bird:protocol_up:bgp_all
+      unless bird:protocol_up:bgp_all{
+        group="edge",
+        name=~"^(viarezo|isp[12]|rezel)[46]$"
+      }
+  # Sessions qui ne sont volontairement pas redondées
+  # au sein d'un groupe
+  - record: bird:protocol_up:bgp:non_redundant
+    expr:
+      bird:protocol_up:bgp{
+        group="edge",
+        name=~"^(oti|crans|legacy|edge)[46]$"
+      }
+  # Sessions qui le sont
+  - record: bird:protocol_up:bgp:redundant
+    expr:
+      bird:protocol_up:bgp
+      unless
+      bird:protocol_up:bgp:non_redundant
+  - alert: BirdBGPRedundancyDegraded
+    expr:
+      (
+        count by (group, name) (
+          bird:protocol_up:bgp:redundant{state="Established"}
+        ) + (
+          count by (group, name) (
+            bird:protocol_up:bgp:redundant{state!="Established"} * 0
+          )
+        )
+      ) < 2
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      Session: !unsafe "{{ $labels.name }}"
+      Count: !unsafe "{{ $value }}"
+      Group: !unsafe "{{ $labels.group }}"
+  - alert: BirdBGPDown
+    expr:
+      (
+        count by (group, name) (
+          bird:protocol_up:bgp{state="Established"}
+        ) + (
+          count by (group, name) (
+            bird:protocol_up:bgp{state!="Established"} * 0
+          )
+        )
+      ) == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Session: !unsafe "{{ $labels.name }}"
+      Group: !unsafe "{{ $labels.group }}"
+  # TODO: warning pour redondant ?
+  - alert: BirdBGPNoExportedPrefixRedundant
+    expr:
+      bird_protocol_prefix_export_count{
+        export_filter!="REJECT",
+      } * on (instance, name) group_left (group) (
+        bird:protocol_up:bgp:redundant{state="Established"}
+      ) == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Session: !unsafe "{{ $labels.name }}"
+      Group: !unsafe "{{ $labels.group }}"
+  - alert: BirdBGPNoImportedPrefixRedundant
+    expr:
+      bird_protocol_prefix_import_count{
+        import_filter!="REJECT",
+      } * on (instance, name) group_left (group) (
+        bird:protocol_up:bgp:redundant{state="Established"}
+      ) == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Session: !unsafe "{{ $labels.name }}"
+      Group: !unsafe "{{ $labels.group }}"
+  - alert: BirdBGPNoExportedPrefixNonRedundant
+    expr:
+      sum by (group) (
+        bird_protocol_prefix_export_count{
+          export_filter!="REJECT",
+        } * on (instance, name) group_left (group) (
+          bird:protocol_up:bgp:non_redundant{state="Established"}
+        )
+      ) == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Session: !unsafe "{{ $labels.name }}"
+      Group: !unsafe "{{ $labels.group }}"
+  - alert: BirdBGPNoImportedPrefixNonRedundant
+    expr:
+      sum by (group) (
+        bird_protocol_prefix_import_count{
+          import_filter!="REJECT",
+        } * on (instance, name) group_left (group) (
+          bird:protocol_up:bgp:non_redundant{state="Established"}
+        )
+      ) == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Session: !unsafe "{{ $labels.name }}"
+      Group: !unsafe "{{ $labels.group }}"
+  - alert: BirdOSPFNeighboursChange
+    expr:
+      changes(bird_ospf_neighbor_count[5m]) > 0
+      or changes(bird_ospfv3_neighbor_count[5m]) > 0
+    for: 0m
+    labels:
+      severity: warning
+  - alert: BirdOSPFDown
+    expr:
+      bird_ospf_running == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Instance: !unsafe "{{ $labels.name }}"
+...

group_vars/prom/prometheus/common.yml

@@ -0,0 +1,11 @@
+---
+prometheus__rules_common:
+  - alert: CollectorDown
+    expr:
+      up == 0
+    for: 3m
+    labels:
+      severity: critical
+    annotations:
+      Job: !unsafe "{{ $labels.job }}"
+...

group_vars/prom/prometheus/eaton.yml

@@ -0,0 +1,11 @@
+---
+prometheus__scraping_eaton:
+  targets: "{{ groups.eaton_ups }}"
+  address: 127.0.0.1:9116
+  path: /snmp
+  params:
+    module:
+      - eaton
+
+prometheus__rules_eaton: {}
+...

group_vars/prom/prometheus/ilo.yml

@@ -0,0 +1,13 @@
+---
+prometheus__scraping_ilo:
+  targets: "{{ groups.ilo }}"
+  address: 127.0.0.1:9116
+  path: /snmp
+  timeout: 180s
+  interval: 180s
+  params:
+    module:
+      - ilo
+
+prometheus__rules_ilo: {}
+...

group_vars/prom/prometheus/jitsi.yml

@@ -0,0 +1,6 @@
+---
+prometheus__scraping_jitsi:
+  targets: ["jitsi.pub.infra.auro.re"]
+  address:
+    port: 9700
+...

group_vars/prom/prometheus/keepalived.yml

@@ -0,0 +1,23 @@
+---
+prometheus__rules_keepalived:
+  - alert: KeepalivedVrrpFault
+    expr:
+      keepalived_vrrp_state{state="fault"} > 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Instance: !unsafe "{{ $labels.instance }}"
+  - alert: KeepalivedMasterChange
+    expr:
+      changes(
+        keepalived_vrrp_state{
+          keepalived_vvrp_state="master"
+        }[1m]
+      ) > 0
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      Instance: !unsafe "{{ $labels.instance }}"
+...

group_vars/prom/prometheus/kresd.yml

@@ -0,0 +1,6 @@
+---
+prometheus__scraping_kresd:
+  targets: "{{ groups.dns }}"
+  address:
+    port: 8453
+...

group_vars/prom/prometheus/main.yml

@@ -0,0 +1,28 @@
+---
+prometheus__alertmanager_targets:
+  - docker-ovh.adm.auro.re:9093
+
+prometheus__tsdb_retention_time: 90d
+
+prometheus__scraping:
+  node: "{{ prometheus__scraping_node }}"
+  prometheus: "{{ prometheus__scraping_prometheus }}"
+  kresd: "{{ prometheus__scraping_kresd }}"
+  bird: "{{ prometheus__scraping_bird }}"
+  quanta: "{{ prometheus__scraping_quanta }}"
+  ilo: "{{ prometheus__scraping_ilo }}"
+  snmp: "{{ prometheus__scraping_snmp }}"
+  eaton: "{{ prometheus__scraping_eaton }}"
+  jitsi: "{{ prometheus__scraping_jitsi }}"
+
+prometheus__rules:
+  common: "{{ prometheus__rules_common }}"
+  switch: "{{ prometheus__rules_switch }}"
+  prometheus: "{{ prometheus__rules_prometheus }}"
+  node: "{{ prometheus__rules_node }}"
+  keepalived: "{{ prometheus__rules_keepalived }}"
+  quanta: "{{ prometheus__rules_quanta }}"
+  #ilo: "{{ prometheus__rules_ilo }}"
+  bird: "{{ prometheus__rules_bird }}"
+  #eaton: "{{ prometheus__rules_eaton }}"
+...

group_vars/prom/prometheus/node.yml

@@ -0,0 +1,200 @@
+---
+prometheus__scraping_node:
+  targets: "{{ groups.vm + groups.pve }}"
+  address:
+    port: 9100
+
+prometheus__rules_node:
+  - alert: OutOfMemory
+    expr:
+      (
+        node_memory_MemFree_bytes
+        + node_memory_Cached_bytes
+        + node_memory_Buffers_bytes
+      ) / node_memory_MemTotal_bytes < 0.1
+    for: 5m
+    labels:
+      severity: warning
+    annotations:
+      FreeMemory: !unsafe "{{ $value | humanizePercentage }}"
+  - alert: HostSwapIsFillingUp
+    expr:
+      (
+        1 - (
+          node_memory_SwapFree_bytes
+          / node_memory_SwapTotal_bytes
+        )
+      ) >= 0.5
+    for: 3m
+    labels:
+      severity: critical
+    annotations:
+      UsedSwap: !unsafe "{{ $value | humanizePercentage }}"
+  - alert: HostPhysicalComponentTooHot
+    expr:
+      node_hwmon_temp_celsius > 79
+    for: 3m
+    labels:
+      severity: critical
+    annotations:
+      Temperature: !unsafe "{{ $value | humanize }} °C"
+      Chip: !unsafe "{{ $labels.chip }}"
+      Sensor: !unsafe "{{ $labels.sensor }}"
+  - alert: HostNodeOvertemperatureAlarm
+    expr:
+      node_hwmon_temp_crit_alarm_celsius == 1
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Chip: !unsafe "{{ $labels.chip }}"
+      Sensor: !unsafe "{{ $labels.sensor }}"
+  - alert: HostRaidArrayGotInactive
+    expr:
+      node_md_state{state="inactive"} > 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Device: !unsafe "{{ $labels.device }}"
+  - alert: HostRaidDiskFailure
+    expr:
+      node_md_disks{state="failed"} > 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      severity: !unsafe "{{ $labels.md_device }}"
+  - alert: HostOomKillDetected
+    expr:
+      increase(node_vmstat_oom_kill[1m]) > 0
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      PID: !unsafe "{{ $value }}"
+  - alert: HostEdacCorrectableErrorsDetected
+    expr:
+      increase(node_edac_correctable_errors_total[1m]) > 0
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      CorrectedErrors: !unsafe "{{ $value }}"
+  - alert: HostEdacUncorrectableErrorsDetected
+    expr:
+      increase(node_edac_uncorrectable_errors_total[1m]) > 0
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      DetectedErrors: !unsafe "{{ $value }}"
+  - alert: OutOfDiskSpace
+    expr:
+      (
+        node_filesystem_free_bytes
+        / node_filesystem_size_bytes < 0.1
+      )
+      and on (instance, device, mountpoint) (
+        node_filesystem_readonly
+      ) == 0
+    for: 5m
+    labels:
+      severity: critical
+    annotations:
+      Mountpoint: !unsafe "{{ $labels.mountpoint }}"
+      FreeSpace: !unsafe "{{ $value | humanizePercentage }}"
+  - alert: HostConntrackLimit
+    expr:
+      (
+        node_nf_conntrack_entries
+        / node_nf_conntrack_entries_limit
+      ) > 0.8
+    for: 5m
+    labels:
+      severity: warning
+    annotations:
+      Filled: !unsafe "{{ $value | humanizePercentage }}"
+  - alert: HostClockSkew
+    expr:
+      (
+        node_timex_offset_seconds > 0.05
+        and deriv(node_timex_offset_seconds[5m]) >= 0
+      ) or (
+        node_timex_offset_seconds < -0.05
+        and deriv(node_timex_offset_seconds[5m]) <= 0
+      )
+    for: 2m
+    labels:
+      severity: warning
+  - alert: HostClockNotSynchronising
+    expr:
+      min_over_time(node_timex_sync_status[1m]) == 0
+      and node_timex_maxerror_seconds >= 16
+    for: 2m
+    labels:
+      severity: warning
+  - alert: HostRequiresReboot
+    expr:
+      node_reboot_required > 0
+    for: 5m
+    labels:
+      severity: warning
+  - alert: OutOfInodes
+    expr:
+      node_filesystem_files_free
+      / node_filesystem_files < 0.1
+    for: 3m
+    labels:
+      severity: warning
+    annotations:
+      Mountpoint: !unsafe "{{ $labels.mountpoint }}"
+      FreeInodes: !unsafe "{{ $value | humanizePercentage }}"
+  - alert: CpuUsage
+    expr:
+      (
+        1 - avg by (instance) (
+          irate(node_cpu_seconds_total{mode="idle"}[5m])
+        )
+      ) > 0.75
+    for: 10m
+    labels:
+      severity: warning
+    annotations:
+      Usage: !unsafe "{{ $value | humanizePercentage }}"
+  - alert: SystemdServiceFailed
+    expr:
+      node_systemd_unit_state{state="failed"} == 1
+    for: 10m
+    labels:
+      severity: warning
+    annotations:
+      Service: !unsafe "{{ $labels.name }}"
+  - alert: LoadUsage
+    expr:
+      node_load1 > 5
+    for: 2m
+    labels:
+      severity: warning
+    annotations:
+      Load1: !unsafe "{{ $value | humanize }}"
+  - alert: UnhealthyDisk
+    expr:
+      smartmon_device_smart_healthy < 1
+    for: 10m
+    labels:
+      severity: critical
+    annotations:
+      Disk: !unsafe "{{ $labels.disk }}"
+  - alert: HostCpuStealNoisyNeighbor
+    expr:
+      avg by (instance) (
+        rate(node_cpu_seconds_total{mode="steal"}[5m])
+      ) > 0.1
+    for: 5m
+    labels:
+      severity: warning
+    annotations:
+      Disk: !unsafe "{{ $labels.disk }}"
+      Steal: !unsafe "{{ $value | humanizePercentage }}"
+...

group_vars/prom/prometheus/prometheus.yml

@@ -0,0 +1,14 @@
+---
+prometheus__scraping_prometheus:
+  targets: "{{ groups.prom }}"
+  address:
+    port: 9090
+
+prometheus__rules_prometheus:
+  - alert: PrometheusTsdbCompactionFailed
+    expr:
+      increase(prometheus_tsdb_compactions_failed_total[1m]) > 0
+    for: 0m
+    labels:
+      severity: critical
+...

group_vars/prom/prometheus/quanta.yml

@@ -0,0 +1,98 @@
+---
+prometheus__scraping_quanta:
+  targets: "{{ groups.quanta }}"
+  address: 127.0.0.1:9116
+  path: /snmp
+  timeout: 180s
+  interval: 180s
+  params:
+    module:
+      - quanta
+
+prometheus__rules_quanta:
+  - alert: QuantaQueueOverflow
+    expr:
+      snAgGblQueueOverflow == 1
+    for: 0m
+    labels:
+      severity: critical
+  - alert: QuantaCpuUsage
+    expr:
+      snAgGblCpuUtil1MinAvg > 50
+    for: 5m
+    labels:
+      severity: warning
+    annotations:
+      Usage: !unsafe "{{ $value }} %"
+  - alert: QuantaCpuUsage
+    expr:
+      snAgGblCpuUtil1MinAvg > 80
+    for: 5m
+    labels:
+      severity: critical
+    annotations:
+      Usage: !unsafe "{{ $value }} %"
+  - alert: QuantaMemoryUsage
+    expr:
+      100 * (1 - (snAgGblDynMemFree / snAgGblDynMemTotal)) > 50
+    for: 5m
+    labels:
+      severity: warning
+    annotations:
+      UsedMemory: !unsafe "{{ $value }} %"
+  - alert: QuantaMemoryUsage
+    expr:
+      100 * (1 - (snAgGblDynMemFree / snAgGblDynMemTotal)) > 80
+    for: 5m
+    labels:
+      severity: alert
+    annotations:
+      UsedMemory: !unsafe "{{ $value }} %"
+  - alert: QuantaFanHealth
+    expr:
+      snChasFanOperStatus{snChasFanOperStatus="normal"} == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Description: !unsafe "{{ $labels.shChasFanDescription }}"
+      Status: !unsafe "{{ $labels.snChasFanOperStatus }}"
+  - alert: QuantaMissingIntakeTemp
+    expr:
+      count by (instance) (
+        snAgentTempValue
+      ) - count by (instance) (
+        snAgentTempValue{snAgentTempSensorDescr=~".*Intake.*"}
+      ) == 0
+    for: 0m
+    labels:
+      severity: critical
+  - alert: QuantaIntakeTemp
+    expr:
+      0.5 * snAgentTempValue{snAgentTempSensorDescr=~".*Intake.*"} > 60
+    for: 10m
+    keep_firing_for: 30m
+    labels:
+      severity: warning
+    annotations:
+      Temperature: !unsafe "{{ $value }} °C"
+      Description: !unsafe "{{ $labels.snAgentTempSensorDescr }}"
+  - alert: QuantaIntakeTemp
+    expr:
+      0.5 * snAgentTempValue{snAgentTempSensorDescr=~".*Intake.*"} > 70
+    for: 10m
+    keep_firing_for: 30m
+    labels:
+      severity: critical
+    annotations:
+      Temperature: !unsafe "{{ $value }} °C"
+      Description: !unsafe "{{ $labels.snAgentTempSensorDescr }}"
+  - alert: QuantaPowerRedundancyFailure
+    expr:
+      count by (instance) (
+        snChasPwrSupplyOperStatus{snChasPwrSupplyOperStatus="normal"}
+      ) < 2
+    for: 0m
+    labels:
+      severity: warning
+...

group_vars/prom/prometheus/snmp.yml

@@ -0,0 +1,6 @@
+---
+prometheus__scraping_snmp:
+  targets: "{{ groups.prom }}"
+  address:
+    port: 9116
+...

group_vars/prom/prometheus/switch.yml

@@ -0,0 +1,91 @@
+---
+prometheus__rules_switch:
+  - alert: SwitchPromiscuousChange
+    expr:
+      changes(ifPromiscuousMode[5m]) > 0
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchInterfaceUpChange
+    expr:
+      changes(ifOperStatus{ifOperStatus="up"}[5m]) > 0
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchInErrors
+    expr:
+      irate(ifInErrors[5m]) / (
+        irate(ifInUcastPkts[5m])
+        + irate(ifInNUcastPkts[5m])
+      ) > 0.0001
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      ErrorRate: !unsafe "{{ $value | humanizePercentage }}"
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchOutErrors
+    expr:
+      irate(ifOutErrors[5m]) / (
+        irate(ifOutUcastPkts[5m])
+        + irate(ifOutNUcastPkts[5m])
+      ) > 0.0001
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      ErrorRate: !unsafe "{{ $value | humanizePercentage }}"
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchInLinkUsage
+    expr:
+      rate(ifHCInOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.5
+    for: 5m
+    keep_firing_for: 10m
+    labels:
+      severity: warning
+    annotations:
+      Usage: !unsafe "{{ $value | humanizePercentage }}"
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchInLinkUsage
+    expr:
+      rate(ifHCInOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.8
+    for: 5m
+    keep_firing_for: 10m
+    labels:
+      severity: critical
+    annotations:
+      Usage: !unsafe "{{ $value | humanizePercentage }}"
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchOutLinkUsage
+    expr:
+      rate(ifHCOutOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.5
+    for: 5m
+    keep_firing_for: 10m
+    labels:
+      severity: warning
+    annotations:
+      Usage: !unsafe "{{ $value | humanizePercentage }}"
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchOutLinkUsage
+    expr:
+      rate(ifHCOutOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.8
+    for: 5m
+    keep_firing_for: 10m
+    labels:
+      severity: warning
+    annotations:
+      Usage: !unsafe "{{ $value | humanizePercentage }}"
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+...

group_vars/prom/prometheus_snmp/eaton.yml

@@ -0,0 +1,40 @@
+---
+prometheus_snmp__modules_eaton:
+  version: 1
+  auth:
+    community: "{{ vault_snmp_eaton_community }}"
+  walk:
+    - sysUpTime
+    #- upsBattery
+    - xupsInput
+    - xupsOutput
+    - xupsBypass
+    - xupsEnvironment
+    - xupsBattery
+    - xupsConfig
+  lookups:
+    - source_indexes:
+        - xupsInputPhase
+      lookup: xupsInputName
+    - source_indexes:
+        - xupsOutputPhase
+      lookup: xupsOutputName
+    - source_indexes:
+        - xupsBypassPhase
+      lookup: xupsBypassName
+  overrides:
+    upsBatteryStatus:
+      type: EnumAsStateSet
+    xupsInputId:
+      type: EnumAsStateSet
+    xupsOutputId:
+      type: EnumAsStateSet
+    xupsBypassId:
+      type: EnumAsStateSet
+    xupsOutputSource:
+      type: EnumAsStateSet
+    xupsBatteryAbmStatus:
+      type: EnumAsStateSet
+    xupsContactType:
+      type: EnumAsStateSet
+...

group_vars/prom/prometheus_snmp/ilo.yml

@@ -0,0 +1,19 @@
+---
+prometheus_snmp__modules_ilo:
+  version: 3
+  timeout: 10s
+  retries: 10
+  auth:
+    security_level: authPriv
+    auth_protocol: SHA
+    username: aurore
+    password: "{{ vault_snmp_ilo_auth }}"
+    priv_protocol: AES
+    priv_password: "{{ vault_snmp_ilo_priv }}"
+  walk:
+    - sysUpTime
+    - cpqHeTemperatureTable
+  overrides:
+    cpqHeTemperatureThresholdType:
+      type: EnumAsStateSet
+...

group_vars/prom/prometheus_snmp/main.yml

@@ -0,0 +1,6 @@
+---
+prometheus_snmp__modules:
+  quanta: "{{ prometheus_snmp__modules_quanta }}"
+  ilo: "{{ prometheus_snmp__modules_ilo }}"
+  eaton: "{{ prometheus_snmp__modules_eaton }}"
+...

group_vars/prom/prometheus_snmp/quanta.yml

@@ -0,0 +1,125 @@
+---
+prometheus_snmp__modules_quanta:
+  auth:
+    community: "{{ vault_snmp_quanta_community }}"
+  timeout: 60s
+  retries: 3
+  walk:
+    - interfaces
+    - ifXTable
+    - snAgGblQueueOverflow
+    - snAgGblDynMemTotal
+    - snAgGblDynMemFree
+    - snAgGblCpuUtil1SecAvg
+    - snAgGblCpuUtil5SecAvg
+    - snAgGblCpuUtil1MinAvg
+    - sysUpTime
+    - snAgentCpuUtilPercent
+    - snAgent
+    - snChasFan
+    - snChasPwr
+    - snAgentTemp
+    - snAgentCpu
+    - snSwInfo
+    - snSwIfInfoTable
+    - dot3StatsTable
+    - dot3HCStatsTable
+    - dot3Errors
+    - dot3Tests
+    - dot3CollTable
+    - lldpLocChassisId
+    - lldpRemTable
+    - lldpLocPortTable
+    - dot1dBasePort
+  lookups:
+    - source_indexes:
+        - ifIndex
+      lookup: ifAlias
+    - source_indexes:
+        - ifIndex
+      lookup: ifDescr
+    - source_indexes:
+        - ifIndex
+      lookup: ifName
+    - source_indexes:
+        - snChasFanIndex
+      lookup: snChasFanDescription
+    - source_indexes:
+        - snAgentTempSlotNum
+        - snAgentTempSensorId
+      lookup: snAgentTempSensorDescr
+    - source_indexes:
+        - snSwIfInfoPortNum
+      lookup: snSwIfName
+    - source_indexes:
+        - snSwIfInfoPortNum
+      lookup: snSwIfDescr
+    - source_indexes:
+        - dot3StatsIndex
+      lookup: ifAlias
+    - source_indexes:
+        - dot3StatsIndex
+      lookup: ifDescr
+    - source_indexes:
+        - dot3StatsIndex
+      lookup: ifName
+    - source_indexes:
+        - lldpRemTimeMark
+        - lldpRemLocalPortNum
+        - lldpRemIndex
+      lookup: lldpRemChassisId
+    #- source_indexes:
+    #    - lldpLocPortNum
+    #  lookup: lldpLocPortIdSubtype
+  overrides:
+    ifIndex:
+      ignore: true
+    ifAlias:
+      ignore: true
+    ifDescr:
+      ignore: true
+    ifName:
+      ignore: true
+    ifOperStatus:
+      type: EnumAsStateSet
+    ifAdminStatus:
+      type: EnumAsStateSet
+    snChasFanIndex:
+      ignore: true
+    snChasFanDescription:
+      ignore: true
+    snChasPwrSupplyIndex:
+      ignore: true
+    snAgentTempSensorDescr:
+      ignore: true
+    snChasFanOperStatus:
+      type: EnumAsStateSet
+    snChasPwrSupplyOperStatus:
+      type: EnumAsStateSet
+    snSwIfName:
+      ignore: true
+    snSwIfDescr:
+      ignore: true
+    snSwIfVlanId:
+      ignore: true
+    snSwIfInfoPortNum:
+      ignore: true
+    snSwIfInfoMonitorMode:
+      type: EnumAsStateSet
+    snSwIfInfoMirrorPorts:
+      ignore: true
+    snSwIfInfoMediaType:
+      type: EnumAsInfo
+    ifType:
+      type: EnumAsInfo
+    dot3StatsIndex:
+      ignore: true
+    dot3StatsEtherChipSet:
+      ignore: true
+    dot3StatsDuplexStatus:
+      type: EnumAsStateSet
+    lldpLocPortIdSubtype:
+      type: EnumAsInfo
+    lldpRemPortIdSubtype:
+      type: EnumAsInfo
+...

group_vars/pve/pve_auth.yml

@@ -0,0 +1,31 @@
+---
+pve_auth__groups:
+  admin:
+    - Administrator
+
+pve_auth__pam_users:
+  root:
+    enabled: false
+
+pve_auth__users:
+  elkmaennchen:
+    password: "{{ vault_pve_passwords.elkmaennchen }}"
+    groups:
+      - admin
+  jeltz:
+    password: "{{ vault_pve_passwords.jeltz }}"
+    groups:
+      - admin
+  korenstin:
+    password: "{{ vault_pve_passwords.korenstin }}"
+    groups:
+      - admin
+  otthorn:
+    password: "{{ vault_pve_passwords.otthorn }}"
+    groups:
+      - admin
+  v-lafeychine:
+    password: "{{ vault_pve_passwords['v-lafeychine'] }}"
+    groups:
+      - admin
+...

group_vars/radius/freeradius.yml

@@ -0,0 +1,17 @@
+---
+radiusd__guest_vlan: 1000
+
+radiusd__clients:
+  localhost:
+    addr: 127.0.0.1
+    secret: abcdef
+    type: aurore
+  wifi-ap-v4:
+    addr: 10.102.0.0/16
+    secret: abcdef
+    type: aurore
+  wifi-ap-v6:
+    addr: 2a09:6840:102::/56
+    secret: abcdef
+    type: aurore
+...

group_vars/reverseproxy.yml

@@ -0,0 +1,12 @@
+---
+loc_nginx:
+  servers: []
+
+glob_reverseproxy:
+  redirect_dnames:
+    - aurores.net
+    - fede-aurore.net
+
+  reverseproxy_sites: []
+
+  redirect_sites: []

group_vars/rives/main.yml

@@ -0,0 +1,7 @@
+---
+apartment_block: rives
+apartment_block_id: 3
+
+router_ip_suffix: 254
+
+mtu: 1500

group_vars/rives/sudo_location_group.yml

@@ -0,0 +1,3 @@
+---
+# Users in that group will be able to `sudo`
+sudo_group_location: 'sudorives'

group_vars/router/prometheus.yml

@@ -0,0 +1,3 @@
+---
+prometheus_keepalived__dest: /var/run/prometheus-node-exporter/keepalived.prom
+... 

group_vars/routeur.yml

@@ -0,0 +1,3 @@
+---
+rsyslog_high_density: true
+...

group_vars/switch.yml

@@ -0,0 +1,12 @@
+---
+glob_switch:
+  loop_protect:
+    port_disable_timer_in_seconds: 30
+    transmit_interval_in_seconds: 3
+  sntp:
+    operation_mode: SNTP_UNICAST_MODE
+    poll_interval: 720
+    servers:
+      - ip: 10.206.1.5
+        priority: 1
+...

group_vars/vpn/bird.yml

@@ -0,0 +1,60 @@
+---
+bird__tables:
+  - wg
+
+bird__kernel:
+  kernel:
+    learn: true
+    import: accept
+    export: accept
+  vrf:
+    learn: true
+    import:
+      sources:
+        - "{{ iproute2__custom_protos.wireguard }}"
+    export: accept
+    table: wg
+    kernel: "{{ iproute2__custom_tables.wireguard }}"
+
+bird__ospf:
+  limits:
+    import: 4000
+    export: 4000
+  table: wg
+  import: accept
+  export:
+    sources:
+      - "{{ iproute2__custom_protos.wireguard }}"
+  areas:
+    1:
+      broadcast:
+        - vpn0
+
+bird__bgp:
+  infra1:
+    local:
+      address: "{{ bird__bgp_addr.vpn }}"
+      as: "{{ bird__as.aurore }}"
+    neighbor:
+      address:
+        - 2a09:6840:213::1:1
+        - 10.213.1.1
+      as: "{{ bird__as.aurore }}"
+    table: wg
+    import: accept
+    export: reject
+    next_hop_self: true
+  infra2:
+    local:
+      address: "{{ bird__bgp_addr.vpn }}"
+      as: "{{ bird__as.aurore }}"
+    neighbor:
+      address:
+        - 2a09:6840:213::1:2
+        - 10.213.1.2
+      as: "{{ bird__as.aurore }}"
+    table: wg
+    import: accept
+    export: reject
+    next_hop_self: true
+...

group_vars/vpn/ifupdown2.yml

@@ -0,0 +1,16 @@
+---
+ifupdown2__vrf:
+  wg-vrf:
+    table: "{{ iproute2__custom_tables.wireguard }}"
+
+ifupdown2__wireguard:
+  wg0:
+    private_key: "{{ vault_wireguard_wg0_private }}"
+    listen_port: 5121
+    vrf: wg-vrf
+    table: "{{ iproute2__custom_tables.wireguard }}"
+    peer_allowed_addresses:
+      - 2a09:6840:212::1:1/128
+      - 10.212.1.1/32
+    peer_public_key: 0kP/XjaGOpu4p9KHTAoAhkLwXzC8wJUdPIdhdpgeKhY=
+...

group_vars/vpn/iproute2.yml

@@ -0,0 +1,7 @@
+---
+iproute2__custom_tables:
+  wireguard: 2000
+
+iproute2__custom_protos:
+  wireguard: 200
+...

host_vars/caradoc.adm.auro.re.yml

@@ -0,0 +1,12 @@
+---
+borg_keep_hourly: 6
+borg_keep_daily: 7
+borg_keep_weekly: 4
+borg_keep_monthly: 12
+borg_backup_directories:
+  - "/etc"
+  - "/var"
+  - "/data_nextcloud"
+  - "/data_gitea"
+  - "/data_mail"
+...

host_vars/collabora.ext.infra.auro.re.yml

@@ -0,0 +1,22 @@
+---
+systemd_link__links:
+  pub0: ae:ae:ae:2C:60:35
+
+ifupdown2__interfaces:
+  pub0:
+    addresses:
+      - 2a09:6840:128::220/64
+      - 10.128.0.220/16
+    gateways: "{{ ifupdown2__gateways.adm }}"
+
+collabora__server_name: office.auro.re
+
+collabora__post_allow_addrs:
+  - 2a09:6840:215::1:1
+  - 45.66.111.206
+
+collabora__wopi_groups:
+  - host: https://cloud.auro.re:443
+    aliases:
+      - https://nextcloud.auro.re:443
+...

host_vars/dhcp-1.isp.infra.auro.re.yml

@@ -0,0 +1,47 @@
+---
+systemd_link__links:
+  isp0: 02:00:00:c6:3f:6f
+  trunk0: 02:00:00:b1:8d:d6
+
+ifupdown2__interfaces:
+  isp0:
+    addresses:
+      - 2a09:6840:210::1:1/64
+      - 10.210.1.1/16
+    gateways: "{{ ifupdown2__gateways.isp }}"
+  trunk0:
+    ipv6_addrgen: false
+  clients0:
+    bridge_vlan_aware: true
+    bridge_ports:
+      - trunk0
+    bridge_vids:
+      - 1000-1004
+    bridge_disable_pvid: true
+    ipv6_addrgen: false
+  client0:
+    addresses:
+      - 100.64.0.2/27
+    vlan_id: 1000
+    vlan_raw_device: clients0
+  client1:
+    addresses:
+      - 100.64.0.34/27
+    vlan_id: 1001
+    vlan_raw_device: clients0
+  client2:
+    addresses:
+      - 100.64.0.66/27
+    vlan_id: 1002
+    vlan_raw_device: clients0
+  client3:
+    addresses:
+      - 100.64.0.98/27
+    vlan_id: 1003
+    vlan_raw_device: clients0
+  client4:
+    addresses:
+      - 100.64.0.130/27
+    vlan_id: 1004
+    vlan_raw_device: clients0
+...

host_vars/dhcp-2.isp.infra.auro.re.yml

@@ -0,0 +1,47 @@
+---
+systemd_link__links:
+  isp0: 04:00:00:8c:d1:36
+  trunk0: 04:00:00:33:2c:3c
+
+ifupdown2__interfaces:
+  isp0:
+    addresses:
+      - 2a09:6840:210::1:2/64
+      - 10.210.1.2/16
+    gateways: "{{ ifupdown2__gateways.isp }}"
+  trunk0:
+    ipv6_addrgen: false
+  clients0:
+    bridge_vlan_aware: true
+    bridge_ports:
+      - trunk0
+    bridge_vids:
+      - 1000-1004
+    bridge_disable_pvid: true
+    ipv6_addrgen: false
+  client0:
+    addresses:
+      - 100.64.0.3/27
+    vlan_id: 1000
+    vlan_raw_device: clients0
+  client1:
+    addresses:
+      - 100.64.0.35/27
+    vlan_id: 1001
+    vlan_raw_device: clients0
+  client2:
+    addresses:
+      - 100.64.0.67/27
+    vlan_id: 1002
+    vlan_raw_device: clients0
+  client3:
+    addresses:
+      - 100.64.0.99/27
+    vlan_id: 1003
+    vlan_raw_device: clients0
+  client4:
+    addresses:
+      - 100.64.0.131/27
+    vlan_id: 1004
+    vlan_raw_device: clients0
+...

host_vars/dns-1.int.infra.auro.re.yml

@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  int0: 02:00:00:9f:d9:f9
+
+ifupdown2__interfaces:
+  int0:
+    addresses:
+      - 2a09:6840:206::1:1/64
+      - 10.206.1.1/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...

host_vars/dns-2.int.infra.auro.re.yml

@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  int0: 04:00:00:3c:c0:5a
+
+ifupdown2__interfaces:
+  int0:
+    addresses:
+      - 2a09:6840:206::1:2/64
+      - 10.206.1.2/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...

host_vars/edge-1.back.infra.auro.re.yml

@@ -0,0 +1,39 @@
+---
+systemd_link__links:
+  adm0: 02:00:00:9E:3E:21
+  crans0: 02:00:00:A2:7C:68
+  zayo0: 02:00:00:35:89:82
+  rezel0: 02:00:00:8F:4A:AD
+  back0: 02:00:00:1C:3A:2E
+  viarezo0: 02:00:00:ED:70:64
+  router0: 02:00:00:5A:17:7C
+  oti0: 02:00:00:05:0E:A6
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:2/64
+      - 10.128.10.2/16
+  crans0:
+    ipv6_addrgen: false
+  zayo0:
+    ipv6_addrgen: false
+  rezel0:
+    addresses:
+      - 2a09:6842:19:9116::1/64
+      - 45.66.111.1/29
+  back0:
+    addresses:
+      - 2a09:6840:203::1:1/64
+      - 10.203.1.1/16
+  viarezo0:
+    addresses:
+      - 2a0c:b641:2ff::6/125
+      - 192.159.121.133/29
+  router0:
+    addresses:
+      - 2a09:6840:129::10:2/56
+      - 10.129.10.2/16
+  oti0:
+    ipv6_addrgen: false
+...

host_vars/edge-2.back.infra.auro.re.yml

@@ -0,0 +1,39 @@
+---
+systemd_link__links:
+  adm0: 04:00:00:F5:69:B9
+  crans0: 04:00:00:CF:E1:D0
+  zayo0: 04:00:00:67:7B:12
+  rezel0: 04:00:00:C6:05:B7
+  back0: 04:00:00:DE:22:E6
+  viarezo0: 04:00:00:45:FA:E6
+  router0: 04:00:00:AD:D7:71
+  oti0: 02:00:00:05:0E:A6
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:102/64
+      - 10.128.10.102/16
+  crans0:
+    ipv6_addrgen: false
+  zayo0:
+    ipv6_addrgen: false
+  rezel0:
+    addresses:
+      - 2a09:6842:19:9116::3/64
+      - 45.66.111.3/29
+  back0:
+    addresses:
+      - 2a09:6840:203::1:2/64
+      - 10.203.1.2/16
+  viarezo0:
+    addresses:
+      - 2a0c:b641:2ff::7/125
+      - 192.159.121.134/29
+  router0:
+    addresses:
+      - 2a09:6840:129::10:102/56
+      - 10.129.10.102/16
+  oti0:
+    ipv6_addrgen: false
+...

host_vars/infra-1.back.infra.auro.re.yml

@@ -0,0 +1,63 @@
+---
+systemd_link__links:
+  ups0: 02:00:00:fe:6f:0e
+  back0: 02:00:00:f8:93:22
+  monit0: 02:00:00:da:97:7f
+  wifi0: 02:00:00:8c:c5:bf
+  int0: 02:00:00:75:40:3e
+  sw0: 02:00:00:ca:e8:d1
+  bmc0: 02:00:00:47:d1:b9
+  pve0: 02:00:00:b3:35:e7
+  isp0: 02:00:00:6b:53:14
+  ext0: 02:00:00:32:86:60
+  vpn0: 02:00:00:52:5f:85
+  th30: 02:00:00:23:a7:d3
+  pub0: 02:00:00:7d:34:06
+
+ifupdown2__interfaces:
+  back0:
+    addresses:
+      - 2a09:6840:203::1:3/64
+      - 10.203.1.3/16
+      - 45.66.111.210/32 # secondary
+  ups0:
+    ipv6_addrgen: false
+  monit0:
+    ipv6_addrgen: false
+  wifi0:
+    ipv6_addrgen: false
+  int0:
+    ipv6_addrgen: false
+  sw0:
+    ipv6_addrgen: false
+  bmc0:
+    ipv6_addrgen: false
+  pve0:
+    ipv6_addrgen: false
+  isp0:
+    ipv6_addrgen: false
+  ext0:
+    ipv6_addrgen: false
+  pub0:
+    ipv6_addrgen: false
+  vpn0:
+    addresses:
+      - 2a09:6840:213::1:1/64
+      - 10.213.1.1/16
+  th30:
+    ipv6_addrgen: false
+
+bird__router_id: 10.203.1.3
+
+bird__bgp_addr:
+  back:
+    - 2a09:6840:203::1:3
+    - 10.203.1.3
+  vpn:
+    - 2a09:6840:213::1:1
+    - 10.213.1.1
+
+bird__pref_src_addr:
+  - 2a09:6840:203::1:3
+  - 45.66.111.210
+...

host_vars/infra-2.back.infra.auro.re.yml

@@ -0,0 +1,63 @@
+---
+systemd_link__links:
+  ups0: 04:00:00:6d:97:83
+  back0: 04:00:00:46:ba:f9
+  monit0: 04:00:00:72:0b:2d
+  wifi0: 04:00:00:ee:42:0f
+  int0: 04:00:00:21:fd:d0
+  sw0: 04:00:00:2e:5b:16
+  bmc0: 04:00:00:bb:5a:a6
+  pve0: 04:00:00:0b:2b:82
+  isp0: 04:00:00:f4:4c:5d
+  ext0: 04:00:00:1d:0e:83
+  vpn0: 04:00:00:02:ba:dd
+  th30: 04:00:00:9e:8d:4f
+  pub0: 04:00:00:f8:3b:9b
+
+ifupdown2__interfaces:
+  back0:
+    addresses:
+      - 2a09:6840:203::1:4/64
+      - 10.203.1.4/16
+      - 45.66.111.211/32 # secondary
+  ups0:
+    ipv6_addrgen: false
+  monit0:
+    ipv6_addrgen: false
+  wifi0:
+    ipv6_addrgen: false
+  int0:
+    ipv6_addrgen: false
+  sw0:
+    ipv6_addrgen: false
+  bmc0:
+    ipv6_addrgen: false
+  pve0:
+    ipv6_addrgen: false
+  isp0:
+    ipv6_addrgen: false
+  ext0:
+    ipv6_addrgen: false
+  vpn0:
+    addresses:
+      - 2a09:6840:213::1:2/64
+      - 10.213.1.2/16
+  th30:
+    ipv6_addrgen: false
+  pub0:
+    ipv6_addrgen: false
+
+bird__router_id: 10.203.1.4
+
+bird__bgp_addr:
+  back:
+    - 2a09:6840:203::1:4
+    - 10.203.1.4
+  vpn:
+    - 2a09:6840:213:1:2
+    - 10.213.1.2
+
+bird__pref_src_addr:
+  - 2a09:6840:203::1:4
+  - 45.66.111.211
+...

host_vars/isp-1.back.infra.auro.re.yml

@@ -0,0 +1,59 @@
+---
+systemd_link__links:
+  adm0: 02:00:00:D8:37:45
+  back0: 02:00:00:BF:10:4C
+  trunk0: 02:00:00:E9:BA:15
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:5/64
+      - 10.128.10.5/16
+    gateways: "{{ ifupdown2__gateways.adm }}"
+  back0:
+    addresses:
+      - 2a09:6840:203::1:5/64
+      - 45.66.111.211/32
+      - 10.203.1.5/16
+  trunk0:
+    ipv6_addrgen: false
+  clients0:
+    bridge_vlan_aware: true
+    bridge_ports:
+      - trunk0
+    bridge_vids:
+      - 1000-1004
+    bridge_disable_pvid: true
+    ipv6_addrgen: false
+  client0:
+    vlan_id: 1000
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client1:
+    vlan_id: 1001
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client2:
+    vlan_id: 1002
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client3:
+    vlan_id: 1003
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client4:
+    vlan_id: 1004
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+
+bird__router_id: 10.203.1.5
+
+bird__bgp_addr:
+  back:
+    - 2a09:6840:203::1:5
+    - 10.203.1.5
+
+bird__pref_src_addr:
+  - 2a09:6840:203::1:5
+  - 45.66.111.211
+...

host_vars/isp-2.back.infra.auro.re.yml

@@ -0,0 +1,47 @@
+---
+systemd_link__links:
+  adm0: 04:00:00:85:C3:5D
+  back0: 04:00:00:FE:2D:67
+  trunk0: 04:00:00:D8:F5:4D
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:105/64
+      - 10.128.10.105/16
+    gateways: "{{ ifupdown2__gateways.adm }}"
+  back0:
+    addresses:
+      - 2a09:6840:203::1:6/64
+      - 10.203.1.6/16
+  trunk0:
+    ipv6_addrgen: false
+  clients0:
+    bridge_vlan_aware: true
+    bridge_ports:
+      - trunk0
+    bridge_vids:
+      - 1000-1004
+    bridge_disable_pvid: true
+    ipv6_addrgen: false
+  client0:
+    vlan_id: 1000
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client1:
+    vlan_id: 1001
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client2:
+    vlan_id: 1002
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client3:
+    vlan_id: 1003
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client4:
+    vlan_id: 1004
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+...

host_vars/ldap-1.int.infra.auro.re.yml

@@ -0,0 +1,16 @@
+---
+systemd_link__links:
+  adm0: 02:00:00:38:c2:52
+  int0: 02:00:00:fe:a8:54
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:8/64
+      - 10.128.10.8/16
+  int0:
+    addresses:
+      - 2a09:6840:206::1:3/64
+      - 10.206.1.7/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...

host_vars/ldap-2.int.infra.auro.re.yml

@@ -0,0 +1,16 @@
+---
+systemd_link__links:
+  adm0: 04:00:00:f7:1c:47
+  int0: 04:00:00:e4:83:d2
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:108/64
+      - 10.128.10.108/16
+  int0:
+    addresses:
+      - 2a09:6840:206::1:4/64
+      - 10.206.1.8/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...

host_vars/log.adm.auro.re.yml

@@ -0,0 +1,16 @@
+---
+borg_backup_directories:
+  - "/etc/"
+  - "/var/"
+borg_backup_exclude: []
+
+rsyslog_collector_base_dir: /var/log/remote
+rsyslog_inputs:
+  - proto: relp
+    port: 20514
+  - proto: udp
+    port: 514
+  - proto: tcp
+    port: 6514
+rsyslog_outputs: []
+...

host_vars/mx.test.infra.auro.re.yml

@@ -0,0 +1,38 @@
+---
+dovecot__auth_default_realm: test.auro.re
+dovecot__auth_users:
+  jeltz@test.auro.re: "{plain}password"
+  lafeych@test.auro.re: "{plain}password"
+  toto@test.auro.re: "{plain}password"
+  root@test.auro.re: "{plain}L9yXSrCbbafMlMls5q7WWMKC612XNbXL"
+dovecot__lmtp_postmaster_address: postmaster@test.auro.re
+
+ifupdown2__interfaces:
+  ext0:
+    addresses:
+      - 2a09:6840:211::1:5/64
+      - 10.211.1.5/16
+      - 45.66.111.208/30
+    gateways: "{{ ifupdown2__gateways.ext }}"
+
+postfix__hostname: mx.test.auro.re
+
+postfix__sasl_local_domain: test.auro.re
+
+postfix__virtual_aliases:
+  postmaster@test.auro.re: root@test.auro.re
+  dmarc@test.auro.re: root@test.auro.re
+
+postfix__virtual_mailbox_domains:
+ - infra.test.auro.re
+ - test.auro.re
+
+postfix__virtual_mailboxes:
+  jeltz@test.auro.re: jeltz@test.auro.re
+  root@test.auro.re: root@test.auro.re
+  toto@test.auro.re: toto@test.auro.re
+  vincent.lafeychine@test.auro.re: lafeych@test.auro.re
+
+systemd_link__links:
+  ext0: ae:ae:ae:1d:c8:b2
+...

host_vars/ns-1.pub.infra.auro.re.yml

@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  pub0: 02:00:00:ad:62:64
+
+ifupdown2__interfaces:
+  pub0:
+    addresses:
+      - 2a09:6840:215::1:2/64
+      - 45.66.111.205/27
+    gateways: "{{ ifupdown2__gateways.pub }}"
+...

host_vars/ns-2.pub.infra.auro.re.yml

@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  pub0: 04:00:00:1b:0a:3a
+
+ifupdown2__interfaces:
+  pub0:
+    addresses:
+      - 2a09:6840:215::1:3/64
+      - 45.66.111.207/27
+    gateways: "{{ ifupdown2__gateways.pub }}"
+...

host_vars/ns-3.ovh.infra.auro.re.yml

@@ -0,0 +1,29 @@
+---
+systemd_link__links:
+  adm0: 96:77:96:91:e3:6c
+  ovh0: 02:00:00:97:78:6d
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::109/64
+      - 10.128.0.109/16
+  ovh0:
+    addresses:
+      - 92.222.211.194/24
+    gateways: "{{ ifupdown2__gateways.ovh }}"
+
+# TODO: remove as soon as the VPN works
+knotd__remotes:
+  xfr-master:
+    address: 2a09:6840:128::110
+    key: xfr
+
+knotd__acl:
+  notify-master:
+    address:
+      - 2a09:6840:128::110
+      - 10.128.0.110
+    key: xfr
+    action: notify
+...

host_vars/ns-master.int.infra.auro.re/knotd.yml

@@ -0,0 +1,617 @@
+---
+knotd__listen:
+  - address: 0.0.0.0
+  - address: "::"
+
+knotd__keys:
+  xfr:
+    algorithm: hmac-sha512
+    secret: "{{ vault_knotd_xfr_key }}"
+  ksk-infra:
+    algorithm: hmac-sha512
+    secret: "{{ vault_knotd_ksk_infra_key }}"
+  update-acme-challenge:
+    algorithm: hmac-sha512
+    secret: "{{ vault_certbot_dns_secret }}"
+
+knotd__remotes:
+  xfr-ns-1:
+    address: 2a09:6840:215::1:2
+    key: xfr
+  xfr-ns-2:
+    address: 2a09:6840:215::1:3
+    key: xfr
+  xfr-ns-3:
+    address: 10.128.0.109
+    key: xfr
+  ksk-infra:
+    address: ::1
+    key: ksk-infra
+
+knotd__policies:
+  public:
+    algorithm: ECDSAP256SHA256
+    reproducible_signing: true
+    # Je n'ai pas trouvé de façon de pousser les records automatiquement
+    # sur .re, donc pour éviter d'oublier de le faire manuellement, la
+    # KSK n'expire pas
+    ksk_lifetime: 0
+    zsk_lifetime: 30d
+    nsec3: true
+  infra:
+    algorithm: ECDSAP256SHA256
+    ksk_lifetime: 365d
+    zsk_lifetime: 30d
+    nsec3: on
+    ds-push: ksk-infra
+    cds-cdnskey-publish: rollover
+    ksk-submission: infra
+  ripe:
+    algorithm: ECDSAP256SHA256
+    ksk_lifetime: 365d
+    zsk_lifetime: 30d
+    nsec3: on
+    ds-push: ksk-ripe
+    cds-cdnskey-publish: rollover
+    ksk-submission: ripe
+
+knotd__acl:
+  xfr:
+    addresses:
+      - 2a09:6840:128::109
+      - 10.128.0.109
+      - 2a09:6840:215::1:2
+      - 45.66.111.205
+      - 2a09:6840:215::1:3
+      - 45.66.111.207
+    action: transfer
+    key: xfr
+  ksk-infra:
+    addresses:
+      - 127.0.0.1
+      - ::1
+    key: ksk-infra
+    action: update
+    update_types:
+      - DS
+    update_owner: name
+    update_owner_match: equal
+    update_owner_name:
+      - infra
+  update-acme-challenge:
+    addresses:
+      - 10.128.0.0/16
+      - 2a09:6840:128::/48
+    key: update-acme-challenge
+    action: update
+    update_types:
+      - TXT
+    update_owner: name
+    update_owner_match: equal
+    update_owner_name:
+      - _acme-challenge.auro.re.
+
+knotd__queryacl:
+  local:
+    addresses:
+      - 10.0.0.0/8
+
+knotd__soa_rname: root@auro.re.
+
+knotd__hosts:
+  auro.re:
+    proxy-ovh:
+      - 92.222.211.195
+    horus:
+      - 92.23.218.136
+    ns-1:
+      - 45.66.111.205
+      - 2a09:6840:215::1:2
+    ns-2:
+      - 92.222.211.194
+    serge:
+      - 92.222.211.196
+    lama:
+      - 185.230.78.220
+      - 2a0c:700:12:0:67:e5ff:fee9:108
+    vpn-ovh:
+      - 92.222.211.197
+    passerelle:
+      - 45.66.111.254
+      - 2a09:6840:111::254
+    proxy:
+      - 45.66.111.61
+      - 2a09:6840:111::61
+    camelot:
+      - 45.66.111.59
+      - 2a09:6840:111::59
+    mail:
+      - 45.66.111.62
+      - 2a09:6840:111::62
+    galene:
+      - 45.66.111.65
+      - 2a09:6840:111::65
+    aclyas:
+      - 45.66.111.231
+      - 2a09:6840:111::231
+    jitsi:
+      - 45.66.111.55
+      - 2a09:6840:111::55
+    jitsi-ng:
+      - 45.66.111.216
+      - 2a09:6840:215::1:216
+    portail-fleming:
+      - 10.13.0.247
+      - 2a09:6840:13::247
+    portail-pacaterie:
+      - 10.23.0.247
+      - 2a09:6840:23::247
+    portail-rives:
+      - 10.33.0.247
+      - 2a09:6840:33::247
+    portail-edc:
+      - 10.43.0.247
+      - 2a09:6840:43::247
+    portail-gs:
+      - 10.53.0.247
+      - 2a09:6840:53::247
+
+  adh.auro.re:
+    paon:
+      - 45.66.110.10
+      - 2a09:6840:110:0:231:92ff:fe1b:ae22
+    lyshyga0:
+      - 45.66.110.113
+      - 2a09:6840:110:0:6af7:28ff:fe91:e8d9
+    pz28910:
+      - 45.66.110.114
+    vinsing0:
+      - 45.66.110.123
+      - 2a09:6840:110:0:1e1b:dff:fe90:7d81
+    osc-routeur:
+      - 45.66.110.125
+      - 2a09:6840:110:0:ba27:ebff:fe2d:c1a1
+    odroid:
+      - 45.66.110.154
+      - 2a09:6840:110:0:21e:6ff:fe49:e00
+    amau0:
+      - 45.66.110.164
+      - 2a09:6840:110:0:3e7c:3fff:fec3:27d1
+    regulus:
+      - 45.66.110.180
+      - 2a09:6840:110:0:2ef0:5dff:fe2a:1530
+    toaster:
+      - 45.66.110.188
+      - 2a09:6840:110:0:5246:5dff:fe9a:f70
+    rpijutax:
+      - 45.66.110.190
+      - 2a09:6840:110:0:ba27:ebff:fe76:a9bc
+    polaris:
+      - 45.66.110.245
+      - 2a09:6840:110:0:dea6:32ff:feb4:d033
+    lafeychine:
+      - 92.91.154.45
+
+  infra.auro.re:
+    services-1.ceph:
+      - 2a09:6840:214::1:1
+      - 10.214.1.1
+    services-2.ceph:
+      - 2a09:6840:214::1:2
+      - 10.214.1.2
+    services-3.ceph:
+      - 2a09:6840:209::1:3
+      - 10.214.1.3
+    services-1.pve:
+      - 2a09:6840:209::2:1
+      - 10.209.2.1
+    services-2.pve:
+      - 2a09:6840:209::2:2
+      - 10.209.2.2
+    network-1.pve:
+      - 2a09:6840:209::1:1
+      - 10.209.1.1
+    network-2.pve:
+      - 2a09:6840:209::1:2
+      - 10.209.1.2
+    services-3.pve:
+      - 2a09:6840:209::2:3
+      - 10.209.2.3
+    caradoc.bmc:
+      - 2a09:6840:208::1:1
+      - 10.208.1.1
+    services-1.bmc:
+      - 2a09:6840:208::1:2
+      - 10.208.1.2
+    services-2.bmc:
+      - 2a09:6840:208::1:3
+      - 10.208.1.3
+    services-3.bmc:
+      - 2a09:6840:208::1:4
+      - 10.208.1.4
+    perceval.bmc:
+      - 2a09:6840:208::1:5
+      - 10.208.1.5
+    chapalux.bmc:
+      - 2a09:6840:208::1:6
+      - 10.208.1.6
+    loki.bmc:
+      - 2a09:6840:208::1:7
+      - 10.208.1.7
+    network-1.bmc:
+      - 2a09:6840:208::1:8
+      - 10.208.1.8
+    network-2.bmc:
+      - 2a09:6840:208::1:9
+      - 10.208.1.9
+    escalope.bmc:
+      - 2a09:6840:208::1:10
+      - 10.208.1.10
+    edge-1.back:
+      - 2a09:6840:203::1:1
+      - 10.203.1.1
+    edge-2.back:
+      - 2a09:6840:203::1:2
+      - 10.203.1.2
+    isp-1.back:
+      - 2a09:6840:203::1:5
+      - 10.203.1.5
+    isp-2.back:
+      - 2a09:6840:203::1:6
+      - 10.203.1.6
+    infra-1.back:
+      - 2a09:6840:203::1:3
+      - 10.203.1.3
+    infra-2.back:
+      - 2a09:6840:203::1:4
+      - 10.203.1.4
+    ns-master.int:
+      - 2a09:6840:128:0::110
+      - 10.128.0.110
+    log-1.int:
+      - 2a09:6840:206::1:9
+      - 10.206.1.9
+    log-2.int:
+      - 2a09:6840:206::1:10
+      - 10.206.1.10
+    dns-1.int:
+      - 2a09:6840:206::1:1
+      - 10.206.1.1
+    dns-2.int:
+      - 2a09:6840:206::1:2
+      - 10.206.1.2
+    nis2.int:
+      - 2a09:6840:206::2:1
+      - 10.206.2.1
+    ldap-1.int:
+      - 10.128.10.8
+      - 2a09:6840:128::10:8
+    ldap-2.int:
+      - 10.128.10.108
+      - 2a09:6840:128::10:108
+    ntp-1.int:
+      - 2a09:6840:206::1:5
+      - 10.206.1.5
+    ntp-2.int:
+      - 2a09:6840:206::1:6
+      - 10.206.1.6
+    wg-1.vpn:
+      - 2a09:6840:213::1:3
+      - 10.213.1.3
+    wg-2.vpn:
+      - 2a09:6840:213::1:4
+      - 10.213.1.4
+    dhcp-1.isp:
+      - 2a09:6840:210::1:1
+      - 10.210.1.1
+    dhcp-2.isp:
+      - 2a09:6840:210::1:2
+      - 10.210.1.2
+    radius-1.isp:
+      - 2a09:6840:210::1:3
+      - 10.210.1.3
+    radius-2.isp:
+      - 2a09:6840:210::1:4
+      - 10.210.1.4
+    prometheus-1.monit:
+      - 2a09:6840:204::1:1
+      - 10.204.1.1
+    prometheus-2.monit:
+      - 2a09:6840:204::1:2
+      - 10.204.1.2
+    ff-1.core.sw:
+      - 10.207.1.1
+    ff-2.core.sw:
+      - 10.207.1.2
+    fl-1.core.sw:
+      - 10.207.1.3
+    fl-2.core.sw:
+      - 10.207.1.4
+    fd-1.core.sw:
+      - 10.207.1.5
+    ff-3.core.sw:
+      - 10.207.1.6
+    gk-1.core.sw:
+      - 10.207.2.1
+    eb-1.core.sw:
+      - 10.207.3.1
+    r3-1.core.sw:
+      - 10.207.4.1
+    eb-1.ups:
+      - 2a09:6840:201::3:1
+      - 10.201.3.1
+    ec-1.ups:
+      - 2a09:6840:201::3:2
+      - 10.201.3.2
+    mx.test:
+      - 2a09:6840:211::1:5
+      - 10.211.1.5
+    collabora.ext:
+      - 2a09:6840:211::1:1
+      - 10.211.1.1
+    grafana.ext:
+      - 2a09:6840:211::1:7
+      - 10.211.1.7
+    proxy.pub:
+      - 2a09:6840:215::1:1
+      - 45.66.111.206
+    ns-1.pub:
+      - 2a09:6840:215::1:2
+      - 45.66.111.205
+    ns-2.pub:
+      - 2a09:6840:215::1:3
+      - 45.66.111.207
+    ns-3.ovh:
+      - 92.222.211.194
+    tor.pub:
+      - 45.66.111.215
+      - 2a09:6840:215::1:215
+    jitsi.pub:
+      - 45.66.111.216
+      - 2a09:6840:215::1:216
+
+knotd__zones:
+  auro.re:
+    dnssec_policy: public
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - update-acme-challenge
+      - ksk-infra
+      - xfr
+    soa:
+      mname: ns-master.int.infra
+    ns:
+      - target:
+          - ns-1.pub.infra
+          - ns-2.pub.infra
+      - name: infra
+        target:
+          - ns-1.pub.infra
+          - ns-2.pub.infra
+      - name: test
+        target:
+          - ns-1.pub.infra
+          - ns-2.pub.infra
+      - name: adm
+        target:
+          - serge
+          - lama
+      - name: ups
+        target:
+          - serge
+          - lama
+      - name: switch
+        target:
+          - serge
+          - lama
+      - name: borne
+        target:
+          - serge
+          - lama
+    mx:
+      - exchange: mail
+        preference: 5
+      - exchange: proxy-ovh
+        preference: 10
+    txt:
+      - data: v=spf1 mx -all
+    a:
+      - address: 92.222.211.195
+    cname:
+      - name:
+          - gisti
+          - gistiti
+        target: jitsi
+      - name:
+          - element
+          - riot
+          - auth
+          - rss
+          - codimd
+          - hedgedoc
+          - grist
+          - kanboard
+          - www
+          - pad
+          - privatebin
+          - zero
+          - paste
+        target: proxy-ovh
+      - name:
+          - grafana
+          - grafana-ng
+          - nextcloud
+          - cloud
+          - office
+        target: proxy.pub.infra
+      - name:
+          - netbox
+          - wiki
+          - matrix
+          - drone
+          - gitea
+          - re2o
+          - vote
+        target: proxy
+      - name: intranet
+        target: re2o
+      - name:
+          - smtp
+          - imap
+        target: mail
+      - name:
+          - prometheus-paul.adh
+          - pma-paul.adh
+          - nextcloud-paul.adh
+          - grafana-paul.adh
+          - jellyfin.adh
+          - monitoring.adh
+          - beta-mpp.adh
+          - pz28.adh
+        target: lucepaul.myvnc.com.
+      - name:
+          - services-1.pve
+        target: services-1.pve.infra
+      - name:
+          - services-2.pve
+        target: services-2.pve.infra
+      - name:
+          - services-3.pve
+        target: services-3.pve.infra
+    hosts: "{{ knotd__hosts['auro.re']
+               | combine(knotd__hosts['adh.auro.re']
+                         | add_origin_keys('adh.auro.re.')) }}"
+  test.auro.re:
+    dnssec_policy: public
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    txt:
+      - data: v=spf1 mx -all
+      - name: _dmarc
+        data: v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@test.auro.re;ruf=mailto:postmaster@test.auro.re
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+    mx:
+      - exchange: mx
+        preference: 5
+    cname:
+      - name:
+          - www1
+          - www2
+          - www3
+        target: proxy.pub.infra.auro.re.
+    hosts:
+      mx:
+        - 2a09:6840:211::1:5
+        - 45.66.111.205
+  infra.auro.re:
+    dnssec_policy: infra
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    #queryacl: local
+    soa:
+      mname: ns-master.int
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+    hosts: "{{ knotd__hosts['infra.auro.re'] }}"
+
+  108.66.45.in-addr.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+  109.66.45.in-addr.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+  110.66.45.in-addr.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+    reverse_hosts: "{{ knotd__hosts['adh.auro.re']
+                       | ip_filter(['45.66.110.0/24'])
+                       | add_origin_keys('adh.auro.re.') }}"
+  111.66.45.in-addr.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+    reverse_hosts: "{{ knotd__hosts['auro.re']
+                       | ip_filter(['45.66.111.0/24'])
+                       | add_origin_keys('auro.re.') }}"
+  0.4.8.6.9.0.a.2.ip6.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+    reverse_hosts: "{{ knotd__hosts['auro.re']
+                       | ip_filter(['2a09:6840::/32'])
+                       | add_origin_keys('auro.re.')
+                       | combine(knotd__hosts['adh.auro.re']
+                                 | ip_filter(['2a09:6840::/32'])
+                                 | add_origin_keys('adh.auro.re.')) }}"
+...