misc: dns + locales + pve + …

Reviewed-on: #106

.gitignore

@@ -1,3 +1,4 @@
 *.retry
 tmp
 ldap-password.txt
+__pycache__/

all.yml

@@ -0,0 +1,18 @@
+#!/usr/bin/env ansible-playbook
+---
+- import_playbook: playbooks/base.yml
+- import_playbook: playbooks/root.yml
+- import_playbook: playbooks/ssh.yml
+- import_playbook: playbooks/chronyd.yml
+- import_playbook: playbooks/kresd.yml
+- import_playbook: playbooks/knotd.yml
+- import_playbook: playbooks/resolvconf.yml
+- import_playbook: playbooks/ifupdown2.yml
+- import_playbook: playbooks/systemd_link.yml
+- import_playbook: playbooks/keepalived.yml
+- import_playbook: playbooks/ip_forward.yml
+- import_playbook: playbooks/dhcpd.yml
+- import_playbook: playbooks/bird.yml
+- import_playbook: playbooks/pve.yml
+- import_playbook: playbooks/prometheus.yml
+...

ansible.cfg

@@ -3,8 +3,10 @@ ask_vault_pass = True
 roles_path = ./roles
 retry_files_enabled = False
 inventory = ./hosts
+stdout_callback = debug
+library = ./library
 filter_plugins = ./filter_plugins
-ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S
+ansible_managed = Ansible managed
 nocows = 1
 forks = 15
 timeout = 60
@@ -15,3 +17,4 @@ always = yes
 
 [ssh_connection]
 pipelining = True
+retries = 3

deploy_all.sh

@@ -1,3 +0,0 @@
-#!/usr/bin/env bash
-# Deploy all playbooks
-ansible-playbook playbooks/*.yml $@

filter_plugins/enquote.py

@@ -0,0 +1,16 @@
+class FilterModule:
+    def filters(self):
+        return {
+            "enquote": enquote,
+        }
+
+
+def enquote(string, delimiter='"', escape="\\"):
+    translation = str.maketrans(
+        {
+            delimiter: f"{escape}{delimiter}",
+            escape: f"{escape}{escape}",
+        }
+    )
+    escaped = string.translate(translation)
+    return f"{delimiter}{escaped}{delimiter}"

filter_plugins/format_rev.py

@@ -0,0 +1,9 @@
+class FilterModule:
+    def filters(self):
+        return {
+            "format_rev": format_rev,
+        }
+
+
+def format_rev(text, fmt, *args, **kwargs):
+    return fmt.format(text, *args, **kwargs)

filter_plugins/net_utils.py

@@ -7,11 +7,39 @@ import dns.name
 class FilterModule:
     def filters(self):
         return {
+            "add_origin": add_origin,
+            "add_origin_keys": add_origin_keys,
+            "ip_filter": ip_filter,
             "remove_domain_suffix": remove_domain_suffix,
             "ipaddr_sort": ipaddr_sort,
         }
 
 
+def first_addr(addresses, ipv4 = True):
+    version = ipaddress.IPv4Address if ipv4 else ipaddress.IPv6Address
+    for addr in addresses:
+        parsed = ipaddress.ip_address(xx)
+        if isinstance(parsed, version):
+            return parsed
+    raise ValueError("missing address")
+
+
+def ip_filter(addresses, networks):
+    if isinstance(addresses, dict):
+        return {k: ip_filter(v, networks) for k, v in addresses.items()}
+    ip_networks = [ipaddress.ip_network(n) for n in networks]
+    ip_addresses = [ipaddress.ip_address(a) for a in addresses]
+    return [str(a) for a in ip_addresses if any(a in n for n in ip_networks)]
+
+
+def add_origin(name, origin="."):
+    return dns.name.from_text(name, dns.name.from_text(origin)).to_text()
+
+
+def add_origin_keys(dct, origin="."):
+    return {add_origin(k, origin): v for k, v in dct.items()}
+
+
 def remove_domain_suffix(name):
     parent = dns.name.from_text(name).parent()
     return parent.to_text()

filter_plugins/suffix.py

@@ -0,0 +1,9 @@
+class FilterModule:
+    def filters(self):
+        return {
+            "suffix": suffix,
+        }
+
+
+def suffix(value, suffix):
+    return value + suffix

group_vars/all/bird.yml

@@ -0,0 +1,4 @@
+---
+bird__as:
+  aurore: 43619
+...

group_vars/all/chronyd.yml

@@ -0,0 +1,5 @@
+---
+chronyd__pools:
+  - ntp-1.int.infra.auro.re
+  - ntp-2.int.infra.auro.re
+...

group_vars/all/ifupdown2.yml

@@ -0,0 +1,24 @@
+---
+ifupdown2__wireguard_proto: wireguard
+ifupdown2__gateways:
+  adm:
+    - 2a09:6840:128::254
+    - 10.128.0.254
+  int:
+    - 2a09:6840:206::1
+    - 10.206.0.1
+  ext:
+    - 2a09:6840:211::1
+    - 10.211.0.1
+  monit:
+    - 2a09:6840:204::1
+    - 10.204.0.1
+  isp:
+    - 2a09:6840:210::1
+    - 10.210.0.1
+  pub:
+    - 2a09:6840:215::1
+    - 45.66.111.204
+  ovh:
+    - 92.222.211.254
+...

group_vars/all/openssh.yml

@@ -0,0 +1,10 @@
+---
+openssh__users_ca_public_key:
+  "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
+  hBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXW\
+  F1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg=="
+
+openssh__authorized_principals:
+  - any
+  - "{{ inventory_hostname }}"
+...

group_vars/all/prometheus.yml

@@ -0,0 +1,3 @@
+---
+prometheus_node__text_dir: /var/run/prometheus-node-exporter
+...

group_vars/all/resolvconf.yml

@@ -0,0 +1,13 @@
+---
+resolvconf__nameservers:
+  - 2a09:6840:206::1:1
+  - 2a09:6840:206::1:2
+  - 10.206.1.1
+  - 10.206.1.2
+
+resolvconf__domain: auro.re.
+
+resolvconf__search:
+  - "{{ inventory_hostname | remove_domain_suffix }}"
+  - auro.re.
+...

group_vars/all/root.yml

@@ -0,0 +1,5 @@
+---
+root__shell: /bin/bash
+
+root__password: "{{ vault_root_password }}"
+...

group_vars/all/vault.yml

@@ -1,246 +1,298 @@
 $ANSIBLE_VAULT;1.1;AES256
-64313161633263303464663933363265373935633862653634643862343232643432343966376438
-6134633764383937373966346538306530316539303966320a363035303038616435383366656532
-39346463396563626166333362306464343836386365303836356461323663633831636562393039
-3832636432626238350a666566323435623834396166656233306639333830343130326265616234
-61666365663963643437386530363261306438376665386463376366363662656161316263303831
-61393136363934316462616131326463333736656136643038623061313363386538393833663637
-36373565333566306632313865646538633532393731313430633462666334323762653337383338
-63313433333835653366363061343839326131666139346563306366656365316663333438363837
-33323165353936343165646464306434303161313139653561346461653537616164623434376534
-33666662343734633766356230383761353239333632613031396365346536373432363433633564
-61633762393033343336373864653438336436613630366539333731383336346665313732396265
-32356138666135383562656366353131366436363464643630656130303437623131333239386363
-66373866393064306565306565386230373638633733326661333065633136633130323963323765
-30353262323835313365383562326363343965636634376133613331363133313030346561653931
-39363636636235646131353034663861336362383263613165323230366439383561653165363764
-65366130623362623539393461363832353435616266393036386439303834316635366438393936
-33383933366262636232383066663130383965306137356363363539633661373664613738336539
-31363131616135623039346465623530376533386263343836376662316562386530336266303062
-64386531303938623939653635313163633261336339366139666135323130653862346132646636
-30363065303235346331333434653331646333616337623562643564366435613938643235333664
-30626164373030303237656366623631396138333265383566333664663061613536666363623630
-61623362383439636239336234333161366635306432363230366630383836326330343932303863
-39393232373831363863333332636362396639663831656266336430313837666463336439353332
-63303036633433323439613535326663633332346565646338353761363733643766363132666365
-34303865656262303563323665363730663062626537363461646363636461633762663237366366
-64393133656464643065633634313261336662646435313735306266316132636530393631353830
-61303939373363323131316463333136326365333430626266376636356130396239323464353937
-64616232373532396334343433636332353530386662633164353235626361623164313039336666
-31636434666437393839393133633961373139313663616366373239386163623064373836376164
-62316638366366376134386231306435616138656461373633393339653532363434393834393430
-37363335623934306661333135343266663464623438353665613330356236323036363139643064
-62383934363465316338393065383935646134353230376131613935613431656333383565353134
-34643866353131653061623236306536363163373639396564336434653839346263303930633663
-39393935636235313431303032336361313730373238333732626465346662363038636361383631
-65393433346363366337383233646166306339653533646632623262376630383265393438326135
-31643039333835666338383762336163336337343532393063323165636531353361613731363065
-65303637396332613432663636326334646635346237396461636366356133303333306239393739
-34353966653662346230383865643231313239626533643761366162613164333132373636623237
-32356335643766646266646266633366363165373861306433316561363166363865303133633939
-34633132343438363034323638376666313061383965323566646463653163313235373364386666
-62393865373137343237306637363536383939303833663532396333313931336162333837613935
-66383266343735396337663936333162323738383264376533316536376563396333343263643931
-65646535363337373865353265306434356432353066656665366638353331366334366339613538
-32373637633564613861626538373365336362313434633137613966353861393462623862663330
-64386431373066306334383863366133333564373163386433313231363366393830343230323734
-61633962356637326538336663386330653563353763663236623539363630626363323237333237
-30656139626561313064323330373032323031343137366638303966313832646365666238326337
-63306363613361653933306234386163383837666430616663383664386563323839326232383761
-35373539626438356539393266653864353066633365383437623437356464383335383039343137
-61373539343631373932373033656233323964353666626162386537616333366562346265656238
-35396130356166303564303036383664656435626534303064653363316464616335303965376330
-61646638383138323265313631613037396561626162306661653231646230343139656135333236
-63303838316266333665636335663361656262353066666430656162323236633564313337353665
-35363565303736633564356632346632343832363934343962313030646132663566346664313632
-38393061613163356265643434626166393366366634343032626637333332316361663639623534
-62323239373639393337373537646232663531653835356165313264663561623633633830373734
-31336234613633666538373961626430316530346462343061323661353564323938353338373961
-64616637303734303333626166306330613238646265636136653939363936356165356232396436
-65353731633836363433616534636330663565643561363233396538386430393964353433616437
-36343936313936303165396236393463646363383338366238363961666530623335653234656139
-65346337663437623134376137326166323933613861663032623965643538343638376234316232
-36333065323234663263343630353739313661373536316162366532336438373263303730626464
-38613136393166626663636631363064303736666235333036616435373063363762666565363136
-38333966303831313333613831313132633062616235353365313533386236613338373130303836
-61326262313833306437366364316433393931353265326131653563656131333436376338613266
-39326632613366666136643137303635336631353230396435313537656366326239626362313833
-62653039343261613265306362323234623264366664306561663839306631663465303962386462
-39353934643562383762623937643034383534393962333466613636346637323235346438666636
-31613838313535666166663063373333653439313035346266666463623666613837313933623837
-63343565663739393764353761316432626237346234663032316131306262356233333439323961
-38646664383030303832646563393836643135303731306435383338623633626638306165386637
-65393238653464623032336437643838333932366131656332333165376261383539386466343139
-65613733383837323832303738363664653138613830376333363038383839623463623631666237
-63363263396533353763373934373034643763376665316638353435663635346135333265363235
-62663432343935343964626432353563313036303761393039386231343530663737633466643035
-65343835353037643539316439666666633866356530363237373230373439373133313337653237
-66613631373637313534353862653437393234363365323032393035376438616264336661616262
-37336435326135373065353564383637626637343532396331623334643139386364316431376435
-36356566363033636539363430356565373039363863396565643730656531346364626334393436
-33343839303538383530363231366166623233333730323163323432373831313639626337346230
-30333930333064393337616564386163623436613933623466353933393733346339383534633239
-30633365313364666566643533326163336330323232353533316633313739343035383465376330
-65356139386463633565366132383832643032333234633964373437633836343435393631396166
-34633439643764623936366536353931646132373539326238303761383339643661616266646130
-30393166393465326365393130636136336433623262346435353936306133616135653734383635
-65393530633836613937346430366337626365363361663533313837363063396538663766646566
-63373639653732353135343562353266316164303863336365303635653464393232613939396131
-30636361343932663233663566656131363938656161623966316366656561343166336532613666
-65613534663762353662353262623634616264373964316336626166353330303539356130646166
-63643435353765633766626165643465386331333637366562393861613834323464363932306430
-32643836646266643031396262626136313363623663366430376432373036643835653863323631
-30613164326430633664306630333632363931656135643465363439376263386561383534633666
-64323763656466343064396639313264386239356664663461333166626332326536623132333434
-62303261643164643330333662623935383037353338306135613737306563326336336162633138
-33623066373265663362303133363032343933306336396466383034636131333837313333326531
-39336163313633623639303462313763656632633030336236643030343262653366633939643536
-31636535393864663363353930363761623264343630396336396431663330323436613462633136
-37336464353730643566393432343762333336653932333366636265343663323462626232623635
-34346136333630363539633666316561376266373032373961313437653564636537656630303261
-37313639333233333365383763333061373730623939303530303832646365323739356564626137
-35633366393636376463393961333830343232363266633931613332643134643234303733373466
-35323831623931633436626636346431303965663639666566623433383736633834626330303265
-37353337656233663938663839373931623137666662623266336537383631626631306235363064
-33313564316438633139336261623736336336326239376630316335313631376132646563333430
-33656432643130643832343065353834633366363339353964623762666564633835633636313731
-63353637636165663136623736343234393038313235333363643237643566623766393838386635
-33646233623032653233336266636335666233353032303837663162303939383262373761623261
-35366661363966346233633739663635353361303264356534366235616164316138623730623632
-62316362623736396264366632373661373835393434343364353431316362666235616635633566
-64353530633334393737346663653562346335323065356665643132353738363132623031353664
-66666639326238386634363664356664343161386435323736316636343536326435303066353035
-37363731613138393333636562386363333932386362303139643262386237353863363764643139
-64616561373239346464623165616332623434303433626638376232333733646136376431626438
-66613134343639656331626630303030366133356636663735353466353834613430356265386162
-66613332663232623438636661306332613162666561353537313336643134663664306630636639
-61613363353264373831393962333631383236666130646333336431303735333165656438363432
-38396530333631636135653534393531326434306362396237366430383166323832336434376364
-38393431646338316232373431613930326532646333386435303034356564336665346133393866
-61643533643361646265313334633463616437393437653935613261366635616430313064346532
-32363831613565313836376338646466323130373032613863323037323566643164653132633735
-65636562653535626461396666643330386333663137613333643165656336633038323036373162
-31376338613862333334643561313332326237646565633934323032626662633631633033623063
-63306664656437663732323339383735306132616531373865323835633264333639336163366466
-33373433653839393638323034623835643531393266306331313563613265616633353763653438
-65363532653163303861383531356639316331343531666666636336373634636134633331366364
-62366230366435323435613964636533353236373935626632623536396664313264653031623062
-33366166343630313839366262313234346262343336386538336335393835646138666330656361
-61313936323838653832633130346539636363613838343363663431623063333933383466353938
-65383361333561383631643938613862343236346233363466333237316339616362366565306639
-39356563656132303463346138356435303038303165363935343266396462326365363262393336
-37396235366639623761366239386165613065626431633733306234343866663266633631656237
-63643430383433393835663635356265636635363137613064353066313338346436356632346265
-38393730336465396263373137383238653337396364643061303234666266663064663265383434
-36636138643432373633313038393737663735363838396164366234643533633762383062353831
-66326231363337323666386263373438656630346336663239643030386434636264666634393631
-39313364333761343532346165396365306463393037643935666363323630326664616638313338
-39396336653738353333343835363861643166376565346463303135376439336134666235623230
-32363031303732666133386164313437366164326539373564623236356432303132633436323563
-36323634373538376133613736633133356638323861636434646465643432636366376138636232
-63633830613462613831313938326339343632393038376639623131366364623536353338363439
-32613331623863336165636364616634303264356630303665383638663737343836663831363263
-63366562393734323030306436346534626530656465396535323835316139633562363830373437
-63626530326530383538623165356532303862353763326432373966626436303465373431373762
-38613539623164353732623636376630643465343839666531306438326633343362306665366132
-39396537366266353864656232616334336130333337306463313932393832653661343036396261
-64613461633433356334623631643861303133383963336635623138326139613564343838366565
-36343130353462333162313736636139306233366466626231306561626335396262663531333839
-61336437343137356335633764373730306466326133356331333530353537616661373062656438
-35356235666464656466323937353837623535643937383866666133383633396563333338633034
-38366531613164363966323137646237393135383164643230663331306335636432656565633636
-34343031633632346533353666353034666266666561346464306665386634313263323333653330
-66323033393531343633356466613837346164393332613037636465343230623731616361336338
-61373332373636646435353734386366613334323161626437396232613534613330613532323534
-65653065386432313733663165616333663666363733623162306536303833663136353334656466
-64353931363838613761663561666639373865393438396565626661343934353662363834636535
-65363664393433313036383438643864663339626331343230343337316437336634636363303563
-35373539383535353235633730386232363539616632336566376264393832383637663330613133
-37643261363966633138373935333438393536373938383265373261363232343030373539366335
-61633162663137643061363366653135323639363838626266386262666133306461333432313738
-30313332626166303630363839396663396564633961383863326663356230343938643833303933
-34333032353935323565346633363537656639613663356130383264373739636231363364613066
-36653664346434393933383337313630623131396461343930383537633536643365306564396665
-31353861643335353538623838393335326364393738376239623431306231363739656438626265
-37666532336661306262303761616238666239623265663231386165353437366631376234343035
-33393037316563373534373765616238616639303031346430623561663430393536303163613338
-65353062336164626335376235656235343637366438353334356436653266333062663838316263
-32623732306462356162623437393035626433336631643833626463656634366332613936346465
-34653331363133373635633330363564333264623566613432383439396537343963653239336265
-33326132663434363065646265646130333935303662623037363938313464366564323734333437
-36336335303738643634653164306332636130316161393335656536386131396662616366383139
-36663863343736666665363337663537326330323437346565346465326231366563643136366365
-37636361343961326261336437616266373962643765346438333766306537303137353764396330
-39626635373631353635313935363834363730386132376363663462653330623130663266373432
-65343237326535613535386363396236336536366165306463643162346638623638373433646163
-62613935363636353639623839396231393838303135346536383037353636613563323234626131
-64373666303436393861373164376564646235366131343433623733663832653039393738343537
-65323534343464613230346532623966616462353532373064623566626563336464326336393364
-39626237646431313135323036303065343138616632343237396136366332636132303037376132
-33623031623635653162616265316366663262373666636638386130643336383130643232643662
-34326663343562613962343033396332303261636230353331313730336630633461333736626333
-66636430643330383032646634396133626339623036333963396662313234623466366634636334
-33373762386662613966353664346239666133656435353365653536356331613632666132376264
-62613433366633663065306166396166633836306139376533396165393966323465303638373563
-63326330323161303065643365343363313338326238363137663139613463613434643834613662
-64663365633965653363633165653038333335333232633434323037643936646561376431626230
-66356138373136366134373533386634373061666330663364376336383433306331386162393633
-33636330643531396464313736363061303466393861613730323563626363643731333633366532
-64646130636234653566346533323962353332653335336239353630633535623935396638663366
-37383661343636613261623833653032373764653164346634663431653664636233323734666166
-36373664306566663930353338366431623563396166356638626166333165623263636336613138
-34343936393964666564306637346561393538383137663162663630336462656663316338376236
-63633666333263663734353861633164653132663334306664643133663736663766626639393236
-32653430333163313363343731666135656662363838366132383732346130313130363365656263
-32643533393163376264653632663262353966306630333064313932616262323134326361633764
-63383837303936616434616630653833653833623263623532306363373836323431393335623530
-34316562343035326265333164643163356230643639373431326431303538346363376332373434
-31313666313663343363353130306561646136393732663164393232636330663635346434343134
-33663138663336636430373763396435323138373633666438623234363631336232366635366532
-62616239663934653462656163326134303261376635323864633435383666363065656665303538
-62626538343638366236646136363232373437336630383739656438636465326531646664366462
-36353663626634386538336239623734323234393463313034303837363164363263623065613061
-38333162646232366339333662313965663336613238386530393162346266636532353433656136
-66326436323836376432313238613165373565643233333435393361636637653361616435393438
-32383763393561343734643438346635613663393736613839623263663866336165343235663933
-66623137616561313462653631613830363666653635336534643935373739353138363934656134
-35663063396162623432373534333463376231666466393963336231653939326663396336383735
-34633763336163313432616163313638623963306666643432306661393632346339373963633265
-32303862643661376433356661383335313365306534663534396638313531373538326236636363
-37626138333437393363323261336663653163643565303063313231346131376261653763356631
-62306262336337366134626632333663363139393131306666303235303761623665356431646234
-33666461663035303066353137623762653565353533613435663839396238336337333463636465
-38353135356634626137376232613330393235383432356436393030313564306537616363383136
-66356463373138313661373565326565343066643133633630313031303132313031663739316631
-66666631386163313034306532393862393930653931363235396662366262636466363464396466
-61303962303066633764393831396632626233343633313061323838623134373036393164633139
-30303861636335636131376334376239636235653233323435623262366132663934613661333135
-61386136326435363337316363666330363431613135663661303438383664663930656564373730
-32373731393666333364633835646431646662313232383136616238303264383438663766356462
-32346664376430663934626661663039656461383738626265346162393861346163656161323333
-39323666643031376530303230626166613233383731363766373634623430633635303963313466
-34646331363539636133373134353535356265393265393635323532323134643034343663636362
-38633261613433393634396234396265623063346138363133646532366638306632396464646432
-61373961383438386535336131393633303430346162613738343839653038303035303033626535
-37343030623530333332306265373539633735616634663666356437303862636338363866613861
-38346130336338373865343866306665616530313938616366346131376262346135323537663137
-39383366313766666234323234363937623264353532323033363966313135653163343036666262
-34393832613034383239393930383063336131356364303231323966303633333331633666373764
-65383137333965663234663933303231356165376233326233303035316536666563656363343933
-36633039666432643135636331353932633164633964623661373739633665313433306561303637
-62373534346562363132643063643732343462653838393635343266626535353864656437313434
-34376538303965616539626534613431623834376337643936613137323031323139393762636463
-66346664666361623636666533663037613434353135393862376633636233656330366136646434
-30653735323961383130393763333630306131376430363436623238646632363462383739653636
-37346566663039383866323639633565366338353438386461616239313639343766333661346435
-33316538366463383733346663316564656566656165396465393461363061613239666165346661
-62346639623163363762366431313831663135643062336363323336303737393437653863303665
-36643466336566336236353166333063633830646461626262333937316162353365353130353535
-30383164363532363532306364393236303537383139643431393962333063633162313033613561
-32323434336364343061386666616639336566373461633462393130336461303531353436623065
-65663430623066336533373662306566396263376562343936666166626666323964373334613835
-64633535303365643564626562643562636363363834353865353765356665643965663861366436
-63333736613232353130616466316637613966646139323565356537666331666564623832333439
-36376131663431616430616265323039646432393166613631313762613264313765323231663961
-65616636306362386534626130636261636566626365643630616135323634343935653033653433
-3061
+61343966306561383238303434393933613538616662326430626564353466356235666537646263
+3464666132613834306435376533353564633634643931310a376435336364333437633633643537
+30636165313433333039616337633765346232326362663834396462653637636438356638616263
+6333336530663764660a316331363464616132383835646362306635623261643333313639303132
+66303137623563343066363933633939306432383331643662626130393865346237353432343035
+39643562343231623539393833386461363362363566366339323066316463363334353430666564
+62313039306234346663343934333435303636643632353336643638343532306330316238636663
+39646366396136303663343662313264363831636232303466353536643362396139346138333934
+65323463366438333838343265396261366136643662633733343737376466643636643265323964
+63323735643965653637393031323166356335623838616562366238366337636131363333613666
+64313963643138613831633436313262336431336563323337663035373138323439396231613361
+33653538336633353432623632373730666437306265616631363235646633313565316663303435
+38373933323439366664383334326364393838366436616563663062356635333635613966656262
+32343063666132646638343965336336386265623566613662313634366235363235636139396362
+33383334613032643030366433653164313538313239623062356161386535303163656637323639
+34653162386338626430643662376263316264306133323038353362386239623939333365633964
+61646264383834663038303464633334373639383961616665653362626464336136353662333630
+38343033386361626339653239363266383866656466656335633763353539333732393438616365
+31623030653365643166323230646533333563633935626436356165643036663530323331616461
+32376265393139666161643330343530643036366666336639666265613138646561393931613661
+35383839336539613738343638333636313063613935633833656564303535653831653033623131
+61343466353461656338396364313531323865333338346364363463393666656265386166303834
+36633164383839613830316434356632356436353630363666376330373762306632386533643636
+33343934313936323439393530633563666463323761363737396537336666626639376562633833
+38376434363662623136386238373339613235386361386566636563323433343431353234303732
+65663530336261656466636536393763393537613665383261636234366263393039616337343235
+31313636393166386634643635316135326264636134323032646462343861346231656237653131
+61646662343330623266613064313632636238323166616463613132353761303662633163313562
+63373361623935383466623236633232323130343064393765633038643638323437353735643832
+30333763396565376266343434646263316333336130626463336365306132663036353133316266
+39333962353862626638623464363634316239653233316435306332383934303239363930363363
+36313931643730373865393665613633333064333530663937636438306164386533623138333665
+30646239316633313164386339326132306666346633363865303861666536333662666263393034
+38363638393435633238616232363763366237653530613763333762333330353531613036336164
+36653536316532356337316262663863346333636336613830383363356537353038653065633163
+63323937306431303435343135636562323939383434666363303631313461643038313235366437
+34316563356365623130623664346435373066633832363639306237396233343531313965356232
+65323537376535313261656663316265326661316237363336656536646535666334326663623237
+64373234646261303463306362633762623735376465323536316638373165623264656135333761
+62323761626231663263363764643465303133646531386165366266636266306338353665343732
+36623765393538353139646362616638363365306565353662396638376133663761396663383533
+35353165396261346665626431613838653763613331323262613864663437323235386337323961
+34356564366230313062316139616366343132393261363564333632383934646435386261326131
+33313438663631393466343633386637396463373838363938333131666137316235343136373936
+65323235643130643638383661383837343636363266633165373436363165386264613631323261
+66353133313637376638396465323533373934383135323831363266613931336361616139313766
+61346436383330353265336330633234313334643566363066303835306263663630336439366164
+62616139663666353861313265316463323932306364386637326438633861666231626539303638
+33663361376131306365316537316637653661376637633438613366313230323138663030643061
+61393965306133353434346531656632383735363232346531636338393561396461633431373133
+35646166353538396534636663313564646339363866656336326131366465303239663363393464
+31346130353139633363393161653637353838623131393536383235393161393562356239633038
+65653933373130326466633163383066346332666662393862633334356333353032363135663834
+36323638346134343131396538646334613463383362656261623834623162623664393261663562
+37643238343461366531653761653466343165373838656566636664376435343665333534613766
+36633763656563653363376462336336343530646166313333313064666264633337643733356364
+33363865353232656464396562626530653833316233313562353137373038643165643465653430
+62633865616265363036373737366336626436396133363062313032323634323864363465353361
+32646431353733323134616162306337646332363631613563666334396131623764653463363634
+35383732623164623532303036656337373166326366313037326133353465393937353266343765
+37323965343632326361346632616161653261616333336561333730613664663133633933623835
+61303037333739316333313763653466646436363239653361653864643335646435313362343632
+35633931376562326165613236393134623235313961336332643936373835326238326633396563
+64313937623034313738303764326337666239666266613131306133386265643039393864393465
+66393964393437353965663764666338383033326633376232326565346236636136666464383861
+39363265653166643239363861353839373038336636376366346430353263323136386565313865
+62343730353265396338326463353535653939383336626630393838626132636230363139663536
+38383962323763653464656233373163343463346638363334616534373235353334623732396565
+31373162623035343938336564363964613135393435396430626232653230646239336635373735
+62363931623235303839663433323236346633366465643961303730633865316536373938303339
+63356165353538626337306130663035363432323836626136356466376362333834393937643463
+30323036623239373031396237623964373037396462363833323565393230396636633963366564
+30636330393735666563623730376336646462613365303330643634386236623436656666313862
+61333334323230383061303730353963396466356335343532656533623264373462656265633635
+32636437393866626434633066643566376334633963326465363763386665396530306462366664
+39313533656536376435386438396666323963393663356331373435616532353139656561393161
+64333838336365366164663864363263633630336162303866343434306433656263616432363735
+33373136626230363234316534316230353836623033336639643235653731623934376639643435
+36333037343636326438366531336165633064396334623334663835303736336564666132613839
+30626239343930393864663635663765343233396134326364393236666636353630303561316263
+62616639626666326631333734643665366262636531373138613930393366393762383637343435
+63363365363062376339393966613134643731376531336230633536626330306633383834646266
+34636363383734633065303336383362643130313732653436393133393963653361376561666334
+33346664353861353136643733363335646336613637666236653765383235636233356533643930
+35303361626634343565616361326233643135393963356632316663626137653733376433663565
+63303865343032383364636431363736633463373739316662386663613139306638656664636234
+35313562323234663730343162313364656231656164313766653635653961396330363536343062
+31333065633665326132326532356632353931363735313134346362616562313839306539383139
+38383463393035323462623035306464363631626361373439393632336436383931643861663263
+63366238353732643365346462636364373739613364623939326337363437643965626365383934
+62656661343538396461313634663030383336643362623637363631643766643762646364656331
+39613763616464663866373732343431656331316231393234333163366561663665303634653938
+61396161616131623166313266646632373338623966656635306635393730613238636339633734
+37363838666137386637343261643733336134396233323761396333363761613634393833636433
+33346230323066643136393165376638306235636635383632643137646335656565663039363337
+37346264333232616462643332363736653439653764386663343933633966366631363739313731
+63653532666165663161353065323866613461383162653639376666623739316361313139313935
+65626633633732313562656332643735643663313334333566643632376261396364643334303865
+30363462373036633839323833313930633862326263363634653736626330366235353635636631
+65643532633239303061393332363264643336653365626634363339303538623230373035343837
+61326662326631386234653833313663646232653939383833316266343530373166633339326135
+63366235356334343130663832346238386133663364386266373932663036346565373964376433
+65343931363538323734383339323131343337323332353163373338633634613036663331326533
+62343663646537636534386631333230396235383961303538643433343037363065356137336133
+61636462343335336431386538623037383639333735663465663864653337616534626634656138
+31616634653863663935356432313839346666326361383631613936303231323930653666306331
+36646265373538353038313563653739353030636637613930353866623433626633656532643039
+65386563373064613263663935386337623938383936396336313538326131313530643565333065
+36383334613961323237336362633833383438326331623565383966636330656163656431336537
+32326238663236326536363862396134343565336432656233663631343264653639643732313734
+30356537386439383639376165313639666237356433333964646662663032643834383930366565
+36323063653366373132623664663664313434336463653361373636313964343939633036383730
+33343261363334396639623035663436373431653366313866353263373036373733393035613531
+35636433303132356333343539393236353331653932356530616662353939663961656137616634
+61383538656363333437346535643132333163333936643361613835333861363561313930323862
+64623439383335386565396130323366383962333833383238393361636562366361316563333731
+62613037396236623461373432653261663261316530353434376665663339623464616265393931
+35646463373262366564663034333038633733353032363331643265643836643136613233653065
+32646537643562353565326332633230396235653234666637313535346530383766386130396539
+65663661323934646630373361656262643231333465653138626266663161653831303230656561
+37613431323333343936616430343434323366643535663562336535666536623365613361303861
+33613035616139363537646239376563393165373363643037383639326362383963653736616631
+63633239333265646430383630613462313933353566663765333533363863323861366566386331
+34356133333635343866613063313738393733633965663739336663316231623038623736633264
+35336631613165313532666161303265616365653038306333346136386162653861633036356664
+64616136663430623562646132306262366362353861613239663563633234386366626564333537
+65623439666139396634376534316630613461336666343162333139376461636235613639626663
+34346232643764643065313130333765363766616631373265336234386664616334633261663631
+62343439363163623731356538623061343935313366353839323665346266376631383234656135
+37343536313136656633343938336465373131313033643136666164623338313063653262383961
+61386336363932336131323735626162386264396236376330306336326331643834626537333164
+62303237333538326432363137653261333937326234373665313135643465613734333065306463
+66363662373165363337386534373965666466366566663832363433616334376139623937333435
+62363433343330643763613435303839313665393162313737313439356331376137613635383630
+38333032636564623236656236633031313838396131356431303133386364333763613534316264
+66376665656535636331663333626163633035663332653139636262613031336532353336393131
+66373861343332656131366265326230376662326162336638396365643532303666616630353537
+35656433353765333531303464323166323538656437646564393039626337303361306564333234
+62353666613439613565623932373937306130303730626332653333396631393031313031636535
+31636263303632666466346263343232306262623231323161393866376165353938616536633662
+39623962313465363561393434313331313065323665656266306338626665323863663362313264
+32346136613339306539326561383333376632643365663834646465376364643965323934303835
+39323935613463363431663333383638346665633434376232363163396664336335303866336563
+37303435393962313061303365313261633037636165663339333534383461363335353533303133
+65393834666431343630366461313563646162346232323838373834626334666532303062373236
+64653662623362363535363962333561396131613638613237643164636335346231373539376232
+61633731373632366461343630306662343130373665626138376434633963653932336233613336
+32326237363063663233616533306337373331613234376264353531633034616638323462373264
+66643238363838366430316135663161616663316165343334343533376637373632373634636339
+64386230616139316435666661306237633434623638373235646161623538363132363833646532
+65346431373439343434656630636164653766356439303530306432333931303539666131333332
+31663039303133306436373531333831633461623635663332376438326133303538636137386263
+37396263663737373264653863396233623333313930353661333264326230613466376535653933
+32363232336531323034316637663061616136613038383966346337313534623738306662326533
+34616464336239363431626537396164623562303662316564623964613630613065333630376633
+36663864646463393333616539613731653339343332363061393664613563633836383331343836
+66636538613265666430346634386561343538653730336130326333393733343866646430373930
+36313730313338303538633739316365366364333563393432336565623330313734343030393364
+32383434356330336234303666326464656537643664356565666661396161623234383262396465
+31346130386635336136666335346431303061326538633361613763656166646266666330616266
+36663662663739323032653935313766343330313133306661623237373836363863646135666434
+64373036343639306337353465656631643566373561333464323630633466373462626131356234
+38613231663833393732333663653162336466346130313833633630663965626130363065313031
+32343465623932643036373830623965356437383864383037346430393065376530353133333030
+61653032643238303338636638613464316539373761636662343935353363646434656131663435
+65326135656366666436313661303065376137333462366537643666326664323735303939643961
+37373764623733356633353236623534323734383664306166303762353135346237366462646131
+63306533663930393665333864666530666232353562373436333034626236653462336638663438
+64613564636537306530353839373366646136353039626264646463306539336261613735623461
+38323735393166383861613065386466626534373034353130653731666138643837663662383130
+66303363663635333530363630653937633332316535643261346238663932363963323932373266
+66663436343361656464333533663633633564326234363062613433346536323731333438636633
+37316464326432616432616661323635623236636361313166353230306362383437323231626237
+62663338383461613239306339323336626361656165353532633834326337656533303334613661
+65626565613337636238653031356635393062643739666661623463643633386233633634353265
+37396363636339653765643435303535393738303637313835653564306463306637353132303735
+65333236663733333262663336393266346134613435636535376462363033383062356263333263
+39356561333435643639666562363338616133386338353837336230666232646135386436343265
+35666537313862643466313635643834363138653735633364636138376162623463343330336163
+30333832663438396531333136396362636263343430393732396433316132616238333034353634
+62326133303466373662616237353865396363363932363161643939333564663335363661653939
+35356362653163613966313063326630616339373133333236636138383662616236643262393332
+39633962336366666331343537643032303337326637303466346435643730626361376132393962
+33303932373136613261396639636264353832643531653635306231616531636462616238363038
+38316439373637316465663833356539383839393236313639326364303861656333613663353231
+62323533363534363165313462656230623930373361373039313362613861363832396638386630
+65636266303661336331383562626561633035376135383164343265383432326438303163623338
+63303432663664363232333838343937353535346131613762386338346131643865333139616161
+66306237303331623339396162663966666336366632313034366130353762373031366664376639
+34346432616334356565633438346134336363386434656238343830346661326465623235656165
+30366565316666633433393663646139623234303735386430346132616239303365666432313533
+34653336303334663433303438303137313939343535303332306163346562643033653632633639
+33633632376433346333663665666339653334623934636231616637613837633731383963356434
+65316566666666666233363965303961366338653632313265353137383332633138383133363166
+37343262393330663130346361336233656361376334353332636566373339623133346264376430
+36323334326633623430353837346638653931333033373230303238303132333838373835626130
+30636639363936383236366130646331356333623132303630336263373062653230633034363431
+65333037656332353930396461633938303534396464613433393566363136366232653363313636
+31623637326163356236393732646361633134373330303166316138313630343535643863323163
+63626237313131653838303035643863663863646561343463653331393762663336346362346135
+38303134643233623134326434643534663637626466396533386464353038663561336236636237
+62313562646365346531346331646537326534366137313230386663623537623465373834646438
+35356539376565633065306134356366306563306235643132393763343164373633313463663136
+39376663623963323063636631626264356230636434386666666366333561393430613264396164
+36306436366366666461306239663438323764363130346534336334346265313631363033363134
+32346434346263343933343236306432666434653035313638626637626664383836613964353761
+66303539663239313766343661396233333236633763313037396235626136323432313236623339
+65343931343035663636363062626432613836303861653236363736356163396264633032306132
+32366238623464633031343261616665393530633264633664333063313736363331653032313164
+35313939333035373663353063633066323137336233616131623565313365373563363563623861
+38336532396531343834623330336264303964383564336664396139663765376635313333663034
+35353961663562333137613864346234326261626630623861326533323435663561663165383132
+30623631393235616136636536363032346363363032613730336238666366356131383862613862
+31626134636637336361323435656365383261383235316136393032663338653032343065363637
+61383764306630333765393533303238316466626361353937636339306666623134303565386632
+64656636643334646665336532643436343132653461356339366431653037393737383533383564
+62396663366332353735363030626165663664666465643238316237633538623664313533343062
+33393363323762393130653665336161383935303336386531656133373665613332663736646137
+32373139376263333731366164383834343365333837633736366632386139383563366131323666
+65313862626335653630623262316563386331393236383633336133343062353031346435616339
+30383534313865363162356130616130656434383133643365306462313361666361613836633763
+37383933666264646163643033323836306333633264326335316163333464623737343465373961
+35393661393664323335626639333361393034306339393164373132373665383036323566626363
+30623733306363626237626466613462623362646664346533316362333037393736363161363133
+63373539626232633565636362646637336465623734366164396663303037623333656161313331
+62303139646130316263633165653063666366383964376535343232343363393062393336663538
+36356362366665643365656566653638343361306663396661303735353536323737653338306534
+35323139616563383339656235353230316436666534366362323631316263333435316531303766
+62376263363439366236636133613634333238336237333665636662353132373134326230356133
+32383537633764663538326466663936373266376232643131393732356361353864353235303162
+32623038616231653965373538653036393864373064646366333162363639306364396363636337
+36303533663862313133336533653439623663373463633162353638313434353766633765623938
+35306432626562386331396534643261663362363861366532343831646463653330343037643832
+36333433633761633765363531356439663861313936353863366164343163646239313830346364
+65303632373335346231643662336564303764633239396232326366383662346637666336666366
+38643937306561663839383933663035393664663531353961393138333330616663396338623763
+63643165346532326565613466643066643366363237356337663239386437356234363861633066
+63313763323064633030333338613565316362346338643439396532303635633337643931656363
+34383365616364373530613864363934303837653639373831383139633765656337353764323261
+36663738393863613263356230666636616534333036663964343862333763646636653063373235
+39373639343138366530396136313435633163346264643566323537616330643639643230656430
+33613637653033313135383332373433633639393564316337633764356565306130663237393533
+65666632316562306366616536633535636635613566636336363462346533303537393132303932
+38613934653363393437316261323931346633623632363863396365346562373964313237363130
+64333137396235303765643464353931636466376437626130336366653339306335656235336235
+38636532393165346132313161316339616362623834636465396362373734646533646334313335
+34613534643764663832666139666631316334653232613036306634643337666236353931326431
+62363965663736653865373838326563363937313334373937353564363562323834383335663633
+36393731366263353565646463646464613236663232333035376531333863343261383933363764
+36303466353536633961633536333663393862396136353930333033373664616266646463333465
+31333636333337656537353631656631376432376562386235346464323933303666616661313639
+62646439633264623735343164613066623464613538666134316338356235363861643965343034
+33656664373766616137383937363738313935616162326435616630373234613161333132323230
+36366330343034646431343163626235313863376237353465373562363966366161636165353365
+61336661376162396633383939323566643730613837313233623339656433303862336665393762
+35616365343239376432363061626566653931643633373634396565623965323239396466313462
+62393466636436353763336635306365373730626161363836663137646437343330326135393231
+64343539613233353637323534306337643865623738633030373637636335626437373162336662
+30313033373336363735393435383063303133636334303531343061333133343537373239313433
+61303131353535303937636432633337323763363463366636396632663438396234343133643636
+34343938323537356465613764656239663764363161663931666631643132393538613265353235
+30326364346362353661346431316666363037633031343236363365336234353963303863636662
+36323231393433623239613065326239323866323430646530376366353035336665383536313962
+61303838376235333532643338323361356339323966343334353731373932656563306263646632
+62343164353162313164373036393139353566396638356532633234396661656633313437313732
+62396134663436663133376465636164306634343531393431383630376563343062313866363839
+66393939383138396632313962613736343431643834646564353562343938313033636166623031
+62383863613465656638646236356334346130623163333630323935326439636632663333393136
+32373265373665386164333330366535383663623235336362653634656164643635396163363930
+66346137313031636533386337653137336263323138313462343936643630383233323236613466
+65313435386565366161336631333064383734616464356134383661613665623566346131303730
+38653339643962616538373263373433396535623066373466326331323131623866613132363765
+65373433336133303839383463663861383835336337303537306136666134393631393133306666
+32353836623636343037383032663333333265393835623531323532376330326130613134396261
+64303063393332393439323930376464333338626331643261326131636434343538343761643231
+64616233376236373436396234383235343662343538383830633337373037326231313332653263
+34333830353633626136633737303138363932303534343238333234626535313433666337376162
+34366365353335396163313032663561643466393535366139626266363732633363343963383561
+61626334303635383463636163306238653830366236396632653866636533613334653737646633
+65626166323531353139313538386435363961386664653036336136636337653463376136336565
+37623531636639363434393738373038376264626163363131383835653965323566356639323239
+35396238323831356133393365666238663563333335373664313165373039373465323532333361
+38623635313838626135303262653935653539646130306138363662626664623263303661366632
+37623035336336396636383139373139353034373864653235336132626531666366653564373735
+30666364623463386465366635643935393332306630313233653234326663376137663065653937
+32306461396132313630646462363962316238363935386339333236653364643330356535646630
+36353237343961303164616236613063333163303233316666313864666363396361316337326263
+39613665366662313430306230663235393331626335623334303161643232656337313066363235
+64376635653231343031323838363931396235383936373735303965636633323530306233336264
+31343063653636616532343764623434393936363433356265633433633434343266303462626131
+65663638373565613233643566373032376434646566613835376639366539386336396134353166
+64663832343239383234393264383961663461376238373132613933643363393665663833356664
+66323064623738326636343236306639656634373263356433303264386333363933343438623531
+34306632323665613266626666623134303338306639633466356232333336363438623630303734
+30336237316235363535396633313561373931623133373564383165643339613337616437353033
+33303439616232366331393763326564613439383630316530646432353866303563643637373738
+3764

group_vars/dhcp/dhcpd.yml

@@ -0,0 +1,69 @@
+---
+dhcpd__omapi_key:
+  algorithm: hmac-sha512
+  secret: 99XuJO0ofX3VAnWWlyixWbQ5YTagPfgxyh14IbLNBb3/JzEklkWopvQdj/PXVYbfb/sRyFJBhLexPag4dLh7PA==
+
+dhcpd__interfaces:
+  - client0
+  - client1
+  - client2
+  - client3
+  - client4
+
+dhcpd__dns_servers:
+  - 10.128.10.3
+  - 10.128.10.103
+
+dhcpd__domain_search:
+  - isp.auro.re.
+  - auro.re.
+
+dhcpd__subnets:
+  - network: 100.64.0.0/27
+    routers:
+      - 100.64.0.1
+    start: 100.64.0.4
+    end: 100.64.0.30
+    domain_name: client0.isp.auro.re
+    failover: true
+  - network: 100.64.0.32/27
+    routers:
+      - 100.64.0.31
+    start: 100.64.0.33
+    end: 100.64.0.63
+    domain_name: client1.isp.auro.re
+    failover: true
+  - network: 100.64.0.64/27
+    routers:
+      - 100.64.0.65
+    start: 100.64.0.67
+    end: 100.64.0.95
+    domain_name: client2.isp.auro.re
+    failover: true
+  - network: 100.64.0.96/27
+    routers:
+      - 100.64.0.97
+    start: 100.64.0.99
+    end: 100.64.0.127
+    domain_name: client3.isp.auro.re
+    failover: true
+  - network: 100.64.0.128/27
+    routers:
+      - 100.64.0.129
+    start: 100.64.0.131
+    end: 100.64.0.159
+    domain_name: client4.isp.auro.re
+
+dhcpd__failover:
+  dhcp-1.isp.infra.auro.re: 10.210.1.1
+  dhcp-2.isp.infra.auro.re: 10.210.1.2
+
+dhcpd__failover_address: "{{ dhcpd__failover[inventory_hostname] }}"
+
+dhcpd__failover_peer_address: "{{ dhcpd__failover
+                                  | dict2items
+                                  | selectattr('key', '!=',
+                                               inventory_hostname)
+                                  | map(attribute='value')
+                                  | first }}"
+...

group_vars/dns/kresd.yml

@@ -0,0 +1,24 @@
+---
+kresd__listen:
+  - address: 0.0.0.0
+    port: 53
+    kind: dns
+  - address: "::"
+    port: 53
+    kind: dns
+  - address: 0.0.0.0
+    port: 853
+    kind: tls
+  - address: "::"
+    port: 853
+    kind: tls
+  - address: 0.0.0.0
+    port: 8453
+    kind: webmgmt
+  - address: "::"
+    port: 8453
+    kind: webmgmt
+    tls: false
+
+kresd__cache_size: 512
+...

group_vars/edge/keepalived.yml

@@ -0,0 +1,21 @@
+---
+keepalived__virtual_router_id: 81
+
+keepalived__interface: back0
+
+keepalived__virtual_addresses:
+  crans0:
+    - 185.230.79.254/29
+    - 2a0c:700:28::2/64
+    - fe80::1/10
+  zayo0:
+    - 2001:1b48:2:103::d7:2/126
+    - 83.167.52.69/31
+    - fe80::1/10
+  oti0:
+    - 2a00:a4c0:100c:1::b/127
+    - 77.95.70.11/31
+    - fe80::1/10
+
+keepalived__main: "{{ inventory_hostname_short == 'edge-1' }}"
+...

group_vars/infra/bird.yml

@@ -0,0 +1,86 @@
+---
+bird__kernel:
+  kernel:
+    learn: true
+    import: accept
+    export: accept
+
+bird__ospf:
+  limits:
+    import: 4000
+    export: 4000
+  import: accept
+  export:
+    protos: kernel
+  areas:
+    0:
+      broadcast:
+        - back0
+      stub:
+        - monit0
+        - wifi0
+        - int0
+        - sw0
+        - bmc0
+        - pve0
+        - isp0
+        - ext0
+        - pub0
+        - th30
+        - ups0
+    1:
+      broadcast:
+        - vpn0
+
+bird__bgp:
+  edge1:
+    local:
+      address: "{{ bird__bgp_addr.back }}"
+      as: "{{ bird__as.aurore }}"
+    neighbor:
+      address:
+        - 2a09:6840:203::1:1
+        - 10.203.1.1
+      as: "{{ bird__as.aurore }}"
+    import:
+      - pref_src: "{{ bird__pref_src_addr }}"
+      - accept
+    export: reject
+  edge2:
+    local:
+      address: "{{ bird__bgp_addr.back }}"
+      as: "{{ bird__as.aurore }}"
+    neighbor:
+      address:
+        - 2a09:6840:203::1:2
+        - 10.203.1.2
+      as: "{{ bird__as.aurore }}"
+    import:
+      - pref_src: "{{ bird__pref_src_addr }}"
+      - accept
+    export: reject
+      #wg1:
+      #local:
+      #address: "{{ bird__bgp_addr.vpn }}"
+      #as: "{{ bird__as.aurore }}"
+      #neighbor:
+      #address:
+      #  - 2a09:6840:213::1:3
+      #  - 10.213.1.3
+      #as: "{{ bird__as.aurore }}"
+      #rr_cluster_client: 10.203.1.1
+      #import: reject
+      #export: accept
+      #wg2:
+      #local:
+      #address: "{{ bird__bgp_addr.vpn }}"
+      #as: "{{ bird__as.aurore }}"
+      #neighbor:
+      #address:
+      #  - 2a09:6840:213::1:4
+      #  - 10.203.1.4
+      #as: "{{ bird__as.aurore }}"
+      #rr_cluster_client: 10.203.1.1
+      #import: reject
+      #export: accept
+...

group_vars/infra/firewall.yml

@@ -0,0 +1,365 @@
+---
+firewall__zones:
+  adm-legacy:
+    addrs:
+      - 2a09:6840:128::/64
+      - 10.128.0.0/16
+  ups:
+    addrs:
+      - 2a09:6840:201::/64
+      - 10.201.0.0/16
+  back:
+    addrs:
+      - 2a09:6840:203::/64
+      - 10.203.0.0/16
+  monit:
+    addrs:
+      - 2a09:6840:204::/64
+      - 10.204.0.0/16
+  wifi:
+    addrs:
+      - 2a09:6840:205::/64
+      - 10.205.0.0/16
+  int:
+    addrs:
+      - 2a09:6840:206::/64
+      - 10.206.0.0/16
+  sw:
+    addrs:
+      - 2a09:6840:207::/64
+      - 10.207.0.0/16
+  bmc:
+    addrs:
+      - 2a09:6840:208::/64
+      - 10.208.0.0/16
+  pve:
+    addrs:
+      - 2a09:6840:209::/64
+      - 10.209.0.0/16
+  isp:
+    addrs:
+      - 2a09:6840:210::/64
+      - 10.210.0.0/16
+  ext:
+    addrs:
+      - 2a09:6840:211::/64
+      - 10.211.0.0/16
+  pub:
+    addrs:
+      - 2a09:6840:215::/64
+      - 45.66.111.192/27
+  vpn-clients:
+    addrs:
+      - 2a09:6840:212::/64
+      - 10.212.0.0/16
+  vpn:
+    addrs:
+      - 2a09:6840:213::/64
+      - 10.213.0.0/16
+  infra:
+    zones:
+      - adm-legacy
+      - ups
+      - back
+      - monit
+      - wifi
+      - int
+      - sw
+      - bmc
+      - pve
+      - isp
+      - ext
+      - pub
+      - vpn
+  internet:
+    negate: true
+    addrs:
+      - 2a09:6840::/32
+      - 2a09:6841::/32
+      - 2a09:6842::/32
+      - 45.66.108.0/22
+      - 10.0.0.0/8
+      - 100.64.0.0/10
+  prometheus.int:
+    addrs:
+      - 2a09:6840:204::1:1
+      - 10.204.1.1
+      - 2a09:6840:204::1:2
+      - 10.204.1.2
+  grafana.adm:
+    addrs:
+      - 2a09:6840:128::98
+      - 10.128.0.98
+  nextcloud.adm:
+    addrs:
+      - 2a09:6840:128::58
+      - 10.128.0.58
+  dns.int:
+    addrs:
+      - 2a09:6840:206::1:1
+      - 10.206.1.1
+      - 2a09:6840:206::1:2
+      - 10.206.1.2
+  ntp.int:
+    addrs:
+      - 2a09:6840:206::1:5
+      - 10.206.1.5
+      - 2a09:6840:206::1:6
+      - 10.206.1.6
+  docker-ovh.adm:
+    addrs:
+      - 2a09:6840:128::150
+      - 10.128.0.150
+  mx.test:
+    addrs:
+      - 2a09:6840:211::1:5
+      - 45.66.111.208
+      - 10.128.1.5
+  proxy.pub:
+    addrs:
+      - 2a09:6840:215::1:1
+      - 45.66.111.206
+  collabora.ext:
+    addrs:
+      - 2a09:6840:211::1:1
+      - 10.211.1.1
+  ns-1.pub:
+    addrs:
+      - 2a09:6840:215::1:2
+      - 45.66.111.205
+  ns-2.pub:
+    addrs:
+      - 2a09:6840:215::1:3
+      - 45.66.111.207
+  ns-master.int:
+    addrs:
+      - 2a09:6840:206::1:7
+      - 10.206.1.7
+
+firewall__input:
+  - iif:
+      - back0 # FIXME link-local
+      - vpn0
+    verdict: accept
+  - src:
+      - back
+      - vpn
+    verdict: accept
+  - src: monit
+    protocols:
+      tcp:
+        dport: 9100
+    verdict: accept
+  - src: monit
+    protocols:
+      tcp:
+        dport: 9324
+    verdict: accept
+  - protocols:
+      icmp: true
+    verdict: accept
+  - protocols:
+      tcp:
+        dport: 22
+    verdict: accept
+  - verdict: drop
+
+firewall__output:
+  - verdict: accept
+
+firewall__forward:
+  - src: back
+    dst: infra
+    verdict: accept
+  - src: infra # FIXME: temporary
+    dst: internet
+    verdict: accept
+  - src: monit
+    dst: bmc
+    protocols:
+      icmp: true
+    verdict: accept
+  - dst: mx.test
+    protocols:
+      icmp: true
+    verdict: accept
+  - dst: mx.test
+    protocols:
+      tcp:
+        dport:
+          - 25
+          - 465
+          - 993
+    verdict: accept
+  # NS
+  - dst:
+      - ns-1.pub
+      - ns-2.pub
+    protocols:
+      tcp:
+        dport: 53
+    verdict: accept
+  - dst:
+      - ns-1.pub
+      - ns-2.pub
+    protocols:
+      udp:
+        dport: 53
+    verdict: accept
+  - src:
+      - ns-1.pub
+      - ns-2.pub
+    dst: ns-master.int
+    protocols:
+      udp:
+        dport: 53
+    verdict: accept
+  - src:
+      - ns-1.pub
+      - ns-2.pub
+    dst: ns-master.int
+    protocols:
+      tcp:
+        dport: 53
+    verdict: accept
+  # SNMP
+  - src: monit
+    dst:
+      - sw
+      - ups
+    protocols:
+      udp:
+        dport: 161
+    verdict: accept
+  # Alertmanager
+  - src: monit
+    dst: docker-ovh.adm
+    protocols:
+      tcp:
+        dport: 9093
+    verdict: accept
+  - src: adm-legacy
+    dst: bmc
+    verdict: accept
+  # Prometheus for Grafana
+  - src: grafana.adm
+    dst: prometheus.int
+    protocols:
+      tcp:
+        dport: 9090
+    verdict: accept
+  # Admin VPN clients
+  - src: vpn-clients
+    dst: infra
+    verdict: accept
+  # Prometheus node
+  - src: monit
+    dst: infra
+    protocols:
+      tcp:
+        dport: 9100
+    verdict: accept
+  # Prometheus bird
+  - src: monit
+    dst: back
+    protocols:
+      tcp:
+        dport: 9324
+    verdict: accept
+  # Prometheus kresd
+  - src: monit
+    dst: dns.int
+    protocols:
+      tcp:
+        dport: 8453
+    verdict: accept
+  # Allow DNS from infra to dns-{1,2}
+  - src: infra
+    dst: dns.int
+    protocols:
+      udp:
+        dport: 53
+    verdict: accept
+  - src: infra
+    dst: dns.int
+    protocols:
+      tcp:
+        dport: 53
+    verdict: accept
+  # Allow NTP from infra to ntp-{1,2} 
+  - src: infra
+    dst: ntp.int
+    protocols:
+      udp:
+        dport: 123
+    verdict: accept
+  # Admin Wireguard
+  - dst:
+      - 2a09:6840:211::1:1
+      - 45.66.111.204
+      - 10.211.1.1
+    protocols:
+      udp:
+        dport: 5121
+    verdict: accept
+  # Proxy web
+  - dst: proxy.pub
+    protocols:
+      tcp:
+        dport:
+          - 80
+          - 443
+    verdict: accept
+  - src: proxy.pub
+    dst: grafana.adm
+    protocols:
+      tcp:
+        dport: 3000
+    verdict: accept
+  - src: proxy.pub
+    dst: nextcloud.adm
+    protocols:
+      tcp:
+        dport: 8080
+  - src: proxy.pub
+    dst: adm-legacy
+    protocols:
+      tcp:
+        dport:
+          - 80
+          - 443
+    verdict: accept
+  # ICMP to public vlan
+  - dst: pub
+    protocols:
+      icmp: true
+    verdict: accept
+  # Proxy -> Collabora
+  - src: proxy.pub
+    dst: collabora.ext
+    protocols:
+      tcp:
+        dport: 9980
+    verdict: accept
+  # Collabora -> Proxy
+  - src: collabora.ext
+    dst: proxy.pub
+    protocols:
+      tcp:
+        dport:
+          - 80
+          - 443
+    verdict: accept
+
+firewall__nat:
+  - src: 10.0.0.0/8
+    dst: internet
+    protocols: null
+    snat:
+      addr: 45.66.111.200/30
+  #- src: monit
+  #  dst: adm-legacy
+  #  protocols: null
+  #  snat:
+  #    addr: 10.203.1.3/32
+...

group_vars/infra/keepalived.yml

@@ -0,0 +1,59 @@
+---
+keepalived__virtual_router_id: 82
+
+keepalived__interface: back0
+
+keepalived__virtual_addresses:
+  ups0:
+    - 10.201.0.1/16
+    - 2a09:6840:201::1/64
+    - fe80::1/10
+  monit0:
+    - 10.204.0.1/16
+    - 2a09:6840:204::1/64
+    - fe80::1/10
+  wifi0:
+    - 10.205.0.1/16
+    - 2a09:6840:205::1/64
+    - fe80::1/10
+  int0:
+    - 10.206.0.1/16
+    - 2a09:6840:206::1/64
+    - fe80::1/10
+  sw0:
+    - 10.207.0.1/16
+    - 2a09:6840:207::1/64
+    - fe80::1/10
+  bmc0:
+    - 10.208.0.1/16
+    - 2a09:6840:208::1/64
+    - fe80::1/10
+  pve0:
+    - 10.209.0.1/16
+    - 2a09:6840:209::1/64
+    - fe80::1/10
+  isp0:
+    - 10.210.0.1/16
+    - 2a09:6840:210::1/64
+    - fe80::1/10
+  ext0:
+    - 10.211.0.1/16
+    - 2a09:6840:211::1/64
+    - fe80::1/10
+  th30:
+    - 10.126.0.6/24
+    - fe80::1/10
+  pub0:
+    - 2a09:6840:215::1/64
+    - 45.66.111.204/27
+    - fe80::1/10
+
+#keepalived__virtual_routes:
+#  ext0:
+#    - 45.66.111.204/30
+
+keepalived__virtual_blackholes:
+  - 45.66.111.200/30 # NAT
+
+keepalived__main: "{{ inventory_hostname_short == 'infra-1' }}"
+...

group_vars/isp/bird.yml

@@ -0,0 +1,53 @@
+---
+bird__kernel:
+  kernel:
+    learn: true
+    import: accept
+    export: accept
+
+bird__ospf:
+  limits:
+    import: 4000
+    export: 4000
+  import: accept
+  export:
+    protos: kernel
+  areas:
+    0:
+      broadcast:
+        - back0
+      stub:
+        - client0
+        - client1
+        - client2
+        - client3
+        - client4
+
+bird__bgp:
+  edge1:
+    local:
+      address: "{{ bird__bgp_addr.back }}"
+      as: "{{ bird__as.aurore }}"
+    neighbor:
+      address:
+        - 2a09:6840:203::1:1
+        - 10.203.1.1
+      as: "{{ bird__as.aurore }}"
+    import:
+      - pref_src: "{{ bird__pref_src_addr }}"
+      - accept
+    export: reject
+
+bird__radv:
+  rdnss:
+    - 2a09:6840:206::1:1
+    - 2a09:6840:206::1:2
+  interfaces:
+    client0:
+      max_interval: 5
+      prefixes:
+        - 2a09:6841::/64
+      dnssl: client0.isp.auro.re
+      domain_search:
+        - auro.re
+...

group_vars/isp/firewall.yml

@@ -0,0 +1,40 @@
+---
+firewall__zones:
+  internet:
+    negate: true
+    addrs:
+      - 2a09:6840::/32
+      - 2a09:6841::/32
+      - 2a09:6842::/32
+      - 45.66.108.0/22
+      - 10.0.0.0/8
+      - 100.64.0.0/10
+  clients:
+    addrs:
+      - 100.64.0.0/10
+  non_clients:
+    negate: true
+    zones: clients
+  allowed_clients:
+    file:
+      path: /var/run/firewall/allowed_clients.yml
+      default: []
+
+firewall__input:
+  - verdict: accept
+
+firewall__output:
+  - verdict: accept
+
+firewall__forward:
+  - src: allowed_clients
+    dst: non_clients
+    verdict: accept
+
+firewall__nat:
+  - src: clients
+    dst: internet
+    protocols: null
+    snat:
+      addr: 45.66.111.220
+...

group_vars/isp/keepalived.yml

@@ -0,0 +1,32 @@
+---
+keepalived__virtual_router_id: 80
+
+keepalived__interface: back0
+
+keepalived__virtual_addresses:
+  client0:
+    - 100.64.0.1/27
+    - 2a09:6841::1/56
+    - fe80::1/10
+  client1:
+    - 100.64.0.33/27
+    - 2a09:6841:0:1::1/64
+    - fe80::1/10
+  client2:
+    - 100.64.0.65/27
+    - 2a09:6841:0:2::1/64
+    - fe80::1/10
+  client3:
+    - 100.64.0.97/27
+    - 2a09:6841:0:3::1/64
+    - fe80::1/10
+  client4:
+    - 100.64.0.129/27
+    - 2a09:6841:0:4::1/64
+    - fe80::1/10
+
+keepalived__virtual_blackholes:
+  - 45.66.111.220/32
+
+keepalived__main: "{{ inventory_hostname_short == 'isp-1' }}"
+...

group_vars/ns/knotd.yml

@@ -0,0 +1,71 @@
+---
+knotd__listen:
+  - address: 0.0.0.0
+  - address: "::"
+
+knotd__keys:
+  xfr:
+    algorithm: hmac-sha512
+    secret: "{{ vault_knotd_xfr_key }}"
+
+knotd__remotes:
+  xfr-master:
+    address: 2a09:6840:206::1:7
+    key: xfr
+
+knotd__acl:
+  notify-master:
+    address:
+      - 2a09:6840:206::1:7
+      - 10.206.1.7
+    key: xfr
+    action: notify
+
+knotd__queryacl:
+  local:
+    addresses:
+      - 10.0.0.0/8
+
+knotd__zones:
+  auro.re:
+    dnssec_validation: true
+    acl:
+      - notify-master
+    master: xfr-master
+  test.auro.re:
+    dnssec_validation: true
+    acl:
+      - notify-master
+    master: xfr-master
+  infra.auro.re:
+    dnssec_validation: true
+    acl:
+      - notify-master
+    #queryacl: local
+    master: xfr-master
+  108.66.45.in-addr.arpa:
+    dnssec_validation: false
+    acl:
+      - notify-master
+    master: xfr-master
+  109.66.45.in-addr.arpa:
+    dnssec_validation: false
+    acl:
+      - notify-master
+    master: xfr-master
+  110.66.45.in-addr.arpa:
+    dnssec_validation: false
+    acl:
+      - notify-master
+    master: xfr-master
+  111.66.45.in-addr.arpa:
+    dnssec_validation: false
+    acl:
+      - notify-master
+    master: xfr-master
+  0.4.8.6.9.0.a.2.ip6.arpa:
+    dnssec_validation: false
+    acl:
+      - notify-master
+    master: xfr-master
+...

group_vars/ntp/chronyd.yml

@@ -0,0 +1,13 @@
+---
+chronyd__allow_networks:
+  - 2a09:6840::/32
+  - 10.0.0.0/8
+
+chronyd__pools:
+  - 0.pool.ntp.org
+  - 1.pool.ntp.org
+  - 2.pool.ntp.org
+  - 3.pool.ntp.org
+
+chronyd__local_stratum: 10
+...

group_vars/prom/prometheus/bird.yml

@@ -0,0 +1,144 @@
+---
+prometheus__scraping_bird:
+  targets: "{{ groups.router }}"
+  address:
+    port: 9324
+
+prometheus__rules_bird:
+  - record: bird:protocol_up:bgp_all
+    expr:
+      label_replace(
+        bird_protocol_up{proto="BGP"},
+        "group", "$1",
+        "instance", "^([^0-9\\.]+)-[0-9]+.*"
+      )
+  # FIXME: sessions en cours d'installation, pas encore monitorées
+  - record: bird:protocol_up:bgp
+    expr:
+      bird:protocol_up:bgp_all
+      unless bird:protocol_up:bgp_all{
+        group="edge",
+        name=~"^(viarezo|isp[12]|rezel)[46]$"
+      }
+  # Sessions qui ne sont volontairement pas redondées
+  # au sein d'un groupe
+  - record: bird:protocol_up:bgp:non_redundant
+    expr:
+      bird:protocol_up:bgp{
+        group="edge",
+        name=~"^(oti|crans|legacy|edge)[46]$"
+      }
+  # Sessions qui le sont
+  - record: bird:protocol_up:bgp:redundant
+    expr:
+      bird:protocol_up:bgp
+      unless
+      bird:protocol_up:bgp:non_redundant
+  - alert: BirdBGPRedundancyDegraded
+    expr:
+      (
+        count by (group, name) (
+          bird:protocol_up:bgp:redundant{state="Established"}
+        ) + (
+          count by (group, name) (
+            bird:protocol_up:bgp:redundant{state!="Established"} * 0
+          )
+        )
+      ) < 2
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      Session: !unsafe "{{ $labels.name }}"
+      Count: !unsafe "{{ $value }}"
+      Group: !unsafe "{{ $labels.group }}"
+  - alert: BirdBGPDown
+    expr:
+      (
+        count by (group, name) (
+          bird:protocol_up:bgp{state="Established"}
+        ) + (
+          count by (group, name) (
+            bird:protocol_up:bgp{state!="Established"} * 0
+          )
+        )
+      ) == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Session: !unsafe "{{ $labels.name }}"
+      Group: !unsafe "{{ $labels.group }}"
+  # TODO: warning pour redondant ?
+  - alert: BirdBGPNoExportedPrefixRedundant
+    expr:
+      bird_protocol_prefix_export_count{
+        export_filter!="REJECT",
+      } * on (instance, name) group_left (group) (
+        bird:protocol_up:bgp:redundant{state="Established"}
+      ) == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Session: !unsafe "{{ $labels.name }}"
+      Group: !unsafe "{{ $labels.group }}"
+  - alert: BirdBGPNoImportedPrefixRedundant
+    expr:
+      bird_protocol_prefix_import_count{
+        import_filter!="REJECT",
+      } * on (instance, name) group_left (group) (
+        bird:protocol_up:bgp:redundant{state="Established"}
+      ) == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Session: !unsafe "{{ $labels.name }}"
+      Group: !unsafe "{{ $labels.group }}"
+  - alert: BirdBGPNoExportedPrefixNonRedundant
+    expr:
+      sum by (group) (
+        bird_protocol_prefix_export_count{
+          export_filter!="REJECT",
+        } * on (instance, name) group_left (group) (
+          bird:protocol_up:bgp:non_redundant{state="Established"}
+        )
+      ) == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Session: !unsafe "{{ $labels.name }}"
+      Group: !unsafe "{{ $labels.group }}"
+  - alert: BirdBGPNoImportedPrefixNonRedundant
+    expr:
+      sum by (group) (
+        bird_protocol_prefix_import_count{
+          import_filter!="REJECT",
+        } * on (instance, name) group_left (group) (
+          bird:protocol_up:bgp:non_redundant{state="Established"}
+        )
+      ) == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Session: !unsafe "{{ $labels.name }}"
+      Group: !unsafe "{{ $labels.group }}"
+  - alert: BirdOSPFNeighboursChange
+    expr:
+      changes(bird_ospf_neighbor_count[5m]) > 0
+      or changes(bird_ospfv3_neighbor_count[5m]) > 0
+    for: 0m
+    labels:
+      severity: warning
+  - alert: BirdOSPFDown
+    expr:
+      bird_ospf_running == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Instance: !unsafe "{{ $labels.name }}"
+...

group_vars/prom/prometheus/common.yml

@@ -0,0 +1,11 @@
+---
+prometheus__rules_common:
+  - alert: CollectorDown
+    expr:
+      up == 0
+    for: 3m
+    labels:
+      severity: critical
+    annotations:
+      Job: !unsafe "{{ $labels.job }}"
+...

group_vars/prom/prometheus/eaton.yml

@@ -0,0 +1,11 @@
+---
+prometheus__scraping_eaton:
+  targets: "{{ groups.eaton_ups }}"
+  address: 127.0.0.1:9116
+  path: /snmp
+  params:
+    module:
+      - eaton
+
+prometheus__rules_eaton: {}
+...

group_vars/prom/prometheus/keepalived.yml

@@ -0,0 +1,23 @@
+---
+prometheus__rules_keepalived:
+  - alert: KeepalivedVrrpFault
+    expr:
+      keepalived_vrrp_state{state="fault"} > 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Instance: !unsafe "{{ $labels.instance }}"
+  - alert: KeepalivedMasterChange
+    expr:
+      changes(
+        keepalived_vrrp_state{
+          keepalived_vvrp_state="master"
+        }[1m]
+      ) > 0
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      Instance: !unsafe "{{ $labels.instance }}"
+...

group_vars/prom/prometheus/kresd.yml

@@ -0,0 +1,6 @@
+---
+prometheus__scraping_kresd:
+  targets: "{{ groups.dns }}"
+  address:
+    port: 8453
+...

group_vars/prom/prometheus/main.yml

@@ -0,0 +1,25 @@
+---
+prometheus__alertmanager_targets:
+  - docker-ovh.adm.auro.re:9093
+
+prometheus__tsdb_retention_time: 90d
+
+prometheus__scraping:
+  node: "{{ prometheus__scraping_node }}"
+  prometheus: "{{ prometheus__scraping_prometheus }}"
+  kresd: "{{ prometheus__scraping_kresd }}"
+  bird: "{{ prometheus__scraping_bird }}"
+  quanta: "{{ prometheus__scraping_quanta }}"
+  snmp: "{{ prometheus__scraping_snmp }}"
+  eaton: "{{ prometheus__scraping_eaton }}"
+
+prometheus__rules:
+  common: "{{ prometheus__rules_common }}"
+  switch: "{{ prometheus__rules_switch }}"
+  prometheus: "{{ prometheus__rules_prometheus }}"
+  node: "{{ prometheus__rules_node }}"
+  keepalived: "{{ prometheus__rules_keepalived }}"
+  quanta: "{{ prometheus__rules_quanta }}"
+  bird: "{{ prometheus__rules_bird }}"
+  #eaton: "{{ prometheus__rules_eaton }}"
+...

group_vars/prom/prometheus/node.yml

@@ -0,0 +1,200 @@
+---
+prometheus__scraping_node:
+  targets: "{{ groups.vm + groups.pve }}"
+  address:
+    port: 9100
+
+prometheus__rules_node:
+  - alert: OutOfMemory
+    expr:
+      (
+        node_memory_MemFree_bytes
+        + node_memory_Cached_bytes
+        + node_memory_Buffers_bytes
+      ) / node_memory_MemTotal_bytes < 0.1
+    for: 5m
+    labels:
+      severity: warning
+    annotations:
+      FreeMemory: !unsafe "{{ $value | humanizePercentage }}"
+  - alert: HostSwapIsFillingUp
+    expr:
+      (
+        1 - (
+          node_memory_SwapFree_bytes
+          / node_memory_SwapTotal_bytes
+        )
+      ) >= 0.5
+    for: 3m
+    labels:
+      severity: critical
+    annotations:
+      UsedSwap: !unsafe "{{ $value | humanizePercentage }}"
+  - alert: HostPhysicalComponentTooHot
+    expr:
+      node_hwmon_temp_celsius > 79
+    for: 3m
+    labels:
+      severity: critical
+    annotations:
+      Temperature: !unsafe "{{ $value | humanize }} °C"
+      Chip: !unsafe "{{ $labels.chip }}"
+      Sensor: !unsafe "{{ $labels.sensor }}"
+  - alert: HostNodeOvertemperatureAlarm
+    expr:
+      node_hwmon_temp_crit_alarm_celsius == 1
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Chip: !unsafe "{{ $labels.chip }}"
+      Sensor: !unsafe "{{ $labels.sensor }}"
+  - alert: HostRaidArrayGotInactive
+    expr:
+      node_md_state{state="inactive"} > 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Device: !unsafe "{{ $labels.device }}"
+  - alert: HostRaidDiskFailure
+    expr:
+      node_md_disks{state="failed"} > 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      severity: !unsafe "{{ $labels.md_device }}"
+  - alert: HostOomKillDetected
+    expr:
+      increase(node_vmstat_oom_kill[1m]) > 0
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      PID: !unsafe "{{ $value }}"
+  - alert: HostEdacCorrectableErrorsDetected
+    expr:
+      increase(node_edac_correctable_errors_total[1m]) > 0
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      CorrectedErrors: !unsafe "{{ $value }}"
+  - alert: HostEdacUncorrectableErrorsDetected
+    expr:
+      increase(node_edac_uncorrectable_errors_total[1m]) > 0
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      DetectedErrors: !unsafe "{{ $value }}"
+  - alert: OutOfDiskSpace
+    expr:
+      (
+        node_filesystem_free_bytes
+        / node_filesystem_size_bytes < 0.1
+      )
+      and on (instance, device, mountpoint) (
+        node_filesystem_readonly
+      ) == 0
+    for: 5m
+    labels:
+      severity: critical
+    annotations:
+      Mountpoint: !unsafe "{{ $labels.mountpoint }}"
+      FreeSpace: !unsafe "{{ $value | humanizePercentage }}"
+  - alert: HostConntrackLimit
+    expr:
+      (
+        node_nf_conntrack_entries
+        / node_nf_conntrack_entries_limit
+      ) > 0.8
+    for: 5m
+    labels:
+      severity: warning
+    annotations:
+      Filled: !unsafe "{{ $value | humanizePercentage }}"
+  - alert: HostClockSkew
+    expr:
+      (
+        node_timex_offset_seconds > 0.05
+        and deriv(node_timex_offset_seconds[5m]) >= 0
+      ) or (
+        node_timex_offset_seconds < -0.05
+        and deriv(node_timex_offset_seconds[5m]) <= 0
+      )
+    for: 2m
+    labels:
+      severity: warning
+  - alert: HostClockNotSynchronising
+    expr:
+      min_over_time(node_timex_sync_status[1m]) == 0
+      and node_timex_maxerror_seconds >= 16
+    for: 2m
+    labels:
+      severity: warning
+  - alert: HostRequiresReboot
+    expr:
+      node_reboot_required > 0
+    for: 5m
+    labels:
+      severity: warning
+  - alert: OutOfInodes
+    expr:
+      node_filesystem_files_free
+      / node_filesystem_files < 0.1
+    for: 3m
+    labels:
+      severity: warning
+    annotations:
+      Mountpoint: !unsafe "{{ $labels.mountpoint }}"
+      FreeInodes: !unsafe "{{ $value | humanizePercentage }}"
+  - alert: CpuUsage
+    expr:
+      (
+        1 - avg by (instance) (
+          irate(node_cpu_seconds_total{mode="idle"}[5m])
+        )
+      ) > 0.75
+    for: 10m
+    labels:
+      severity: warning
+    annotations:
+      Usage: !unsafe "{{ $value | humanizePercentage }}"
+  - alert: SystemdServiceFailed
+    expr:
+      node_systemd_unit_state{state="failed"} == 1
+    for: 10m
+    labels:
+      severity: warning
+    annotations:
+      Service: !unsafe "{{ $labels.name }}"
+  - alert: LoadUsage
+    expr:
+      node_load1 > 5
+    for: 2m
+    labels:
+      severity: warning
+    annotations:
+      Load1: !unsafe "{{ $value | humanize }}"
+  - alert: UnhealthyDisk
+    expr:
+      smartmon_device_smart_healthy < 1
+    for: 10m
+    labels:
+      severity: critical
+    annotations:
+      Disk: !unsafe "{{ $labels.disk }}"
+  - alert: HostCpuStealNoisyNeighbor
+    expr:
+      avg by (instance) (
+        rate(node_cpu_seconds_total{mode="steal"}[5m])
+      ) > 0.1
+    for: 5m
+    labels:
+      severity: warning
+    annotations:
+      Disk: !unsafe "{{ $labels.disk }}"
+      Steal: !unsafe "{{ $value | humanizePercentage }}"
+...

group_vars/prom/prometheus/prometheus.yml

@@ -0,0 +1,14 @@
+---
+prometheus__scraping_prometheus:
+  targets: "{{ groups.prom }}"
+  address:
+    port: 9090
+
+prometheus__rules_prometheus:
+  - alert: PrometheusTsdbCompactionFailed
+    expr:
+      increase(prometheus_tsdb_compactions_failed_total[1m]) > 0
+    for: 0m
+    labels:
+      severity: critical
+...

group_vars/prom/prometheus/quanta.yml

@@ -0,0 +1,97 @@
+---
+prometheus__scraping_quanta:
+  targets: "{{ groups.quanta }}"
+  address: 127.0.0.1:9116
+  path: /snmp
+  timeout: 60s
+  params:
+    module:
+      - quanta
+
+prometheus__rules_quanta:
+  - alert: QuantaQueueOverflow
+    expr:
+      snAgGblQueueOverflow == 1
+    for: 0m
+    labels:
+      severity: critical
+  - alert: QuantaCpuUsage
+    expr:
+      snAgGblCpuUtil1MinAvg > 50
+    for: 5m
+    labels:
+      severity: warning
+    annotations:
+      Usage: !unsafe "{{ $value }} %"
+  - alert: QuantaCpuUsage
+    expr:
+      snAgGblCpuUtil1MinAvg > 80
+    for: 5m
+    labels:
+      severity: critical
+    annotations:
+      Usage: !unsafe "{{ $value }} %"
+  - alert: QuantaMemoryUsage
+    expr:
+      100 * (1 - (snAgGblDynMemFree / snAgGblDynMemTotal)) > 50
+    for: 5m
+    labels:
+      severity: warning
+    annotations:
+      UsedMemory: !unsafe "{{ $value }} %"
+  - alert: QuantaMemoryUsage
+    expr:
+      100 * (1 - (snAgGblDynMemFree / snAgGblDynMemTotal)) > 80
+    for: 5m
+    labels:
+      severity: alert
+    annotations:
+      UsedMemory: !unsafe "{{ $value }} %"
+  - alert: QuantaFanHealth
+    expr:
+      snChasFanOperStatus{snChasFanOperStatus="normal"} == 0
+    for: 0m
+    labels:
+      severity: critical
+    annotations:
+      Description: !unsafe "{{ $labels.shChasFanDescription }}"
+      Status: !unsafe "{{ $labels.snChasFanOperStatus }}"
+  - alert: QuantaMissingIntakeTemp
+    expr:
+      count by (instance) (
+        snAgentTempValue
+      ) - count by (instance) (
+        snAgentTempValue{snAgentTempSensorDescr=~".*Intake.*"}
+      ) == 0
+    for: 0m
+    labels:
+      severity: critical
+  - alert: QuantaIntakeTemp
+    expr:
+      0.5 * snAgentTempValue{snAgentTempSensorDescr=~".*Intake.*"} > 60
+    for: 10m
+    keep_firing_for: 30m
+    labels:
+      severity: warning
+    annotations:
+      Temperature: !unsafe "{{ $value }} °C"
+      Description: !unsafe "{{ $labels.snAgentTempSensorDescr }}"
+  - alert: QuantaIntakeTemp
+    expr:
+      0.5 * snAgentTempValue{snAgentTempSensorDescr=~".*Intake.*"} > 70
+    for: 10m
+    keep_firing_for: 30m
+    labels:
+      severity: critical
+    annotations:
+      Temperature: !unsafe "{{ $value }} °C"
+      Description: !unsafe "{{ $labels.snAgentTempSensorDescr }}"
+  - alert: QuantaPowerRedundancyFailure
+    expr:
+      count by (instance) (
+        snChasPwrSupplyOperStatus{snChasPwrSupplyOperStatus="normal"}
+      ) < 2
+    for: 0m
+    labels:
+      severity: warning
+...

group_vars/prom/prometheus/snmp.yml

@@ -0,0 +1,6 @@
+---
+prometheus__scraping_snmp:
+  targets: "{{ groups.prom }}"
+  address:
+    port: 9116
+...

group_vars/prom/prometheus/switch.yml

@@ -0,0 +1,91 @@
+---
+prometheus__rules_switch:
+  - alert: SwitchPromiscuousChange
+    expr:
+      changes(ifPromiscuousMode[5m]) > 0
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchInterfaceUpChange
+    expr:
+      changes(ifOperStatus{ifOperStatus="up"}[5m]) > 0
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchInErrors
+    expr:
+      irate(ifInErrors[5m]) / (
+        irate(ifInUcastPkts[5m])
+        + irate(ifInNUcastPkts[5m])
+      ) > 0.0001
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      ErrorRate: !unsafe "{{ $value | humanizePercentage }}"
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchOutErrors
+    expr:
+      irate(ifOutErrors[5m]) / (
+        irate(ifOutUcastPkts[5m])
+        + irate(ifOutNUcastPkts[5m])
+      ) > 0.0001
+    for: 0m
+    labels:
+      severity: warning
+    annotations:
+      ErrorRate: !unsafe "{{ $value | humanizePercentage }}"
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchInLinkUsage
+    expr:
+      rate(ifHCInOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.5
+    for: 5m
+    keep_firing_for: 10m
+    labels:
+      severity: warning
+    annotations:
+      Usage: !unsafe "{{ $value | humanizePercentage }}"
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchInLinkUsage
+    expr:
+      rate(ifHCInOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.8
+    for: 5m
+    keep_firing_for: 10m
+    labels:
+      severity: critical
+    annotations:
+      Usage: !unsafe "{{ $value | humanizePercentage }}"
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchOutLinkUsage
+    expr:
+      rate(ifHCOutOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.5
+    for: 5m
+    keep_firing_for: 10m
+    labels:
+      severity: warning
+    annotations:
+      Usage: !unsafe "{{ $value | humanizePercentage }}"
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+  - alert: SwitchOutLinkUsage
+    expr:
+      rate(ifHCOutOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.8
+    for: 5m
+    keep_firing_for: 10m
+    labels:
+      severity: warning
+    annotations:
+      Usage: !unsafe "{{ $value | humanizePercentage }}"
+      Interface: !unsafe "{{ $labels.ifName }}
+        {{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
+...

group_vars/prom/prometheus_snmp/eaton.yml

@@ -0,0 +1,42 @@
+---
+prometheus_snmp__modules_eaton:
+  version: 1
+  auth:
+    community: "{{ vault_snmp_eaton_community }}"
+  walk:
+    - sysUpTime
+    #- upsBattery
+    #- xupsBattery
+    #- xupsInput
+    - xupsInput
+    - xupsOutput
+    - xupsBypass
+    - xupsEnvironment
+    - xupsBattery
+    - xupsConfig
+  lookups:
+    - source_indexes:
+        - xupsInputPhase
+      lookup: xupsInputName
+    - source_indexes:
+        - xupsOutputPhase
+      lookup: xupsOutputName
+    - source_indexes:
+        - xupsBypassPhase
+      lookup: xupsBypassName
+  overrides:
+    #upsBatteryStatus:
+    #  type: EnumAsStateSet
+    xupsInputId:
+      type: EnumAsStateSet
+    xupsOutputId:
+      type: EnumAsStateSet
+    xupsBypassId:
+      type: EnumAsStateSet
+    xupsOutputSource:
+      type: EnumAsStateSet
+    xupsBatteryAbmStatus:
+      type: EnumAsStateSet
+    xupsContactType:
+      type: EnumAsStateSet
+...

group_vars/prom/prometheus_snmp/main.yml

@@ -0,0 +1,5 @@
+---
+prometheus_snmp__modules:
+  quanta: "{{ prometheus_snmp__modules_quanta }}"
+  eaton: "{{ prometheus_snmp__modules_eaton }}"
+...

group_vars/prom/prometheus_snmp/quanta.yml

@@ -0,0 +1,125 @@
+---
+prometheus_snmp__modules_quanta:
+  auth:
+    community: "{{ vault_snmp_quanta_community }}"
+  timeout: 60s
+  retries: 3
+  walk:
+    - interfaces
+    - ifXTable
+    - snAgGblQueueOverflow
+    - snAgGblDynMemTotal
+    - snAgGblDynMemFree
+    - snAgGblCpuUtil1SecAvg
+    - snAgGblCpuUtil5SecAvg
+    - snAgGblCpuUtil1MinAvg
+    - sysUpTime
+    - snAgentCpuUtilPercent
+    - snAgent
+    - snChasFan
+    - snChasPwr
+    - snAgentTemp
+    - snAgentCpu
+    - snSwInfo
+    - snSwIfInfoTable
+    - dot3StatsTable
+    - dot3HCStatsTable
+    - dot3Errors
+    - dot3Tests
+    - dot3CollTable
+    - lldpLocChassisId
+    - lldpRemTable
+    - lldpLocPortTable
+    - dot1dBasePort
+  lookups:
+    - source_indexes:
+        - ifIndex
+      lookup: ifAlias
+    - source_indexes:
+        - ifIndex
+      lookup: ifDescr
+    - source_indexes:
+        - ifIndex
+      lookup: ifName
+    - source_indexes:
+        - snChasFanIndex
+      lookup: snChasFanDescription
+    - source_indexes:
+        - snAgentTempSlotNum
+        - snAgentTempSensorId
+      lookup: snAgentTempSensorDescr
+    - source_indexes:
+        - snSwIfInfoPortNum
+      lookup: snSwIfName
+    - source_indexes:
+        - snSwIfInfoPortNum
+      lookup: snSwIfDescr
+    - source_indexes:
+        - dot3StatsIndex
+      lookup: ifAlias
+    - source_indexes:
+        - dot3StatsIndex
+      lookup: ifDescr
+    - source_indexes:
+        - dot3StatsIndex
+      lookup: ifName
+    - source_indexes:
+        - lldpRemTimeMark
+        - lldpRemLocalPortNum
+        - lldpRemIndex
+      lookup: lldpRemChassisId
+    #- source_indexes:
+    #    - lldpLocPortNum
+    #  lookup: lldpLocPortIdSubtype
+  overrides:
+    ifIndex:
+      ignore: true
+    ifAlias:
+      ignore: true
+    ifDescr:
+      ignore: true
+    ifName:
+      ignore: true
+    ifOperStatus:
+      type: EnumAsStateSet
+    ifAdminStatus:
+      type: EnumAsStateSet
+    snChasFanIndex:
+      ignore: true
+    snChasFanDescription:
+      ignore: true
+    snChasPwrSupplyIndex:
+      ignore: true
+    snAgentTempSensorDescr:
+      ignore: true
+    snChasFanOperStatus:
+      type: EnumAsStateSet
+    snChasPwrSupplyOperStatus:
+      type: EnumAsStateSet
+    snSwIfName:
+      ignore: true
+    snSwIfDescr:
+      ignore: true
+    snSwIfVlanId:
+      ignore: true
+    snSwIfInfoPortNum:
+      ignore: true
+    snSwIfInfoMonitorMode:
+      type: EnumAsStateSet
+    snSwIfInfoMirrorPorts:
+      ignore: true
+    snSwIfInfoMediaType:
+      type: EnumAsInfo
+    ifType:
+      type: EnumAsInfo
+    dot3StatsIndex:
+      ignore: true
+    dot3StatsEtherChipSet:
+      ignore: true
+    dot3StatsDuplexStatus:
+      type: EnumAsStateSet
+    lldpLocPortIdSubtype:
+      type: EnumAsInfo
+    lldpRemPortIdSubtype:
+      type: EnumAsInfo
+...

group_vars/pve/pve_auth.yml

@@ -0,0 +1,35 @@
+---
+pve_auth__groups:
+  admin:
+    - Administrator
+
+pve_auth__pam_users:
+  root:
+    enabled: false
+
+pve_auth__users:
+  elkmaennchen:
+    password: "{{ vault_pve_passwords.elkmaennchen }}"
+    groups:
+      - admin
+  jeltz:
+    password: "{{ vault_pve_passwords.jeltz }}"
+    groups:
+      - admin
+  otthorn:
+    password: "{{ vault_pve_passwords.otthorn }}"
+    groups:
+      - admin
+  v-lafeychine:
+    password: "{{ vault_pve_passwords['v-lafeychine'] }}"
+    groups:
+      - admin
+  pz2891:
+    password: "{{ vault_pve_passwords.pz2891 }}"
+    groups:
+      - admin
+  loutr:
+    password: "{{ vault_pve_passwords.loutr }}"
+    groups:
+      - admin
+...

group_vars/radius/freeradius.yml

@@ -0,0 +1,17 @@
+---
+radiusd__guest_vlan: 1000
+
+radiusd__clients:
+  localhost:
+    addr: 127.0.0.1
+    secret: abcdef
+    type: aurore
+  wifi-ap-v4:
+    addr: 10.102.0.0/16
+    secret: abcdef
+    type: aurore
+  wifi-ap-v6:
+    addr: 2a09:6840:102::/56
+    secret: abcdef
+    type: aurore
+...

group_vars/router/prometheus.yml

@@ -0,0 +1,3 @@
+---
+prometheus_keepalived__dest: /var/run/prometheus-node-exporter/keepalived.prom
+... 

group_vars/vpn/bird.yml

@@ -0,0 +1,60 @@
+---
+bird__tables:
+  - wg
+
+bird__kernel:
+  kernel:
+    learn: true
+    import: accept
+    export: accept
+  vrf:
+    learn: true
+    import:
+      sources:
+        - "{{ iproute2__custom_protos.wireguard }}"
+    export: accept
+    table: wg
+    kernel: "{{ iproute2__custom_tables.wireguard }}"
+
+bird__ospf:
+  limits:
+    import: 4000
+    export: 4000
+  table: wg
+  import: accept
+  export:
+    sources:
+      - "{{ iproute2__custom_protos.wireguard }}"
+  areas:
+    1:
+      broadcast:
+        - vpn0
+
+bird__bgp:
+  infra1:
+    local:
+      address: "{{ bird__bgp_addr.vpn }}"
+      as: "{{ bird__as.aurore }}"
+    neighbor:
+      address:
+        - 2a09:6840:213::1:1
+        - 10.213.1.1
+      as: "{{ bird__as.aurore }}"
+    table: wg
+    import: accept
+    export: reject
+    next_hop_self: true
+  infra2:
+    local:
+      address: "{{ bird__bgp_addr.vpn }}"
+      as: "{{ bird__as.aurore }}"
+    neighbor:
+      address:
+        - 2a09:6840:213::1:2
+        - 10.213.1.2
+      as: "{{ bird__as.aurore }}"
+    table: wg
+    import: accept
+    export: reject
+    next_hop_self: true
+...

group_vars/vpn/ifupdown2.yml

@@ -0,0 +1,16 @@
+---
+ifupdown2__vrf:
+  wg-vrf:
+    table: "{{ iproute2__custom_tables.wireguard }}"
+
+ifupdown2__wireguard:
+  wg0:
+    private_key: "{{ vault_wireguard_wg0_private }}"
+    listen_port: 5121
+    vrf: wg-vrf
+    table: "{{ iproute2__custom_tables.wireguard }}"
+    peer_allowed_addresses:
+      - 2a09:6840:212::1:1/128
+      - 10.212.1.1/32
+    peer_public_key: 0kP/XjaGOpu4p9KHTAoAhkLwXzC8wJUdPIdhdpgeKhY=
+...

group_vars/vpn/iproute2.yml

@@ -0,0 +1,7 @@
+---
+iproute2__custom_tables:
+  wireguard: 2000
+
+iproute2__custom_protos:
+  wireguard: 200
+...

host_vars/collabora.ext.infra.auro.re.yml

@@ -0,0 +1,22 @@
+---
+systemd_link__links:
+  pub0: ae:ae:ae:2C:60:35
+
+ifupdown2__interfaces:
+  pub0:
+    addresses:
+      - 2a09:6840:128::220/64
+      - 10.128.0.220/16
+    gateways: "{{ ifupdown2__gateways.adm }}"
+
+collabora__server_name: office.auro.re
+
+collabora__post_allow_addrs:
+  - 2a09:6840:215::1:1
+  - 45.66.111.206
+
+collabora__wopi_groups:
+  - host: https://cloud.auro.re:443
+    aliases:
+      - https://nextcloud.auro.re:443
+...

host_vars/dhcp-1.isp.infra.auro.re.yml

@@ -0,0 +1,47 @@
+---
+systemd_link__links:
+  isp0: 02:00:00:c6:3f:6f
+  trunk0: 02:00:00:b1:8d:d6
+
+ifupdown2__interfaces:
+  isp0:
+    addresses:
+      - 2a09:6840:210::1:1/64
+      - 10.210.1.1/16
+    gateways: "{{ ifupdown2__gateways.isp }}"
+  trunk0:
+    ipv6_addrgen: false
+  clients0:
+    bridge_vlan_aware: true
+    bridge_ports:
+      - trunk0
+    bridge_vids:
+      - 1000-1004
+    bridge_disable_pvid: true
+    ipv6_addrgen: false
+  client0:
+    addresses:
+      - 100.64.0.2/27
+    vlan_id: 1000
+    vlan_raw_device: clients0
+  client1:
+    addresses:
+      - 100.64.0.34/27
+    vlan_id: 1001
+    vlan_raw_device: clients0
+  client2:
+    addresses:
+      - 100.64.0.66/27
+    vlan_id: 1002
+    vlan_raw_device: clients0
+  client3:
+    addresses:
+      - 100.64.0.98/27
+    vlan_id: 1003
+    vlan_raw_device: clients0
+  client4:
+    addresses:
+      - 100.64.0.130/27
+    vlan_id: 1004
+    vlan_raw_device: clients0
+...

host_vars/dhcp-2.isp.infra.auro.re.yml

@@ -0,0 +1,47 @@
+---
+systemd_link__links:
+  isp0: 04:00:00:8c:d1:36
+  trunk0: 04:00:00:33:2c:3c
+
+ifupdown2__interfaces:
+  isp0:
+    addresses:
+      - 2a09:6840:210::1:2/64
+      - 10.210.1.2/16
+    gateways: "{{ ifupdown2__gateways.isp }}"
+  trunk0:
+    ipv6_addrgen: false
+  clients0:
+    bridge_vlan_aware: true
+    bridge_ports:
+      - trunk0
+    bridge_vids:
+      - 1000-1004
+    bridge_disable_pvid: true
+    ipv6_addrgen: false
+  client0:
+    addresses:
+      - 100.64.0.3/27
+    vlan_id: 1000
+    vlan_raw_device: clients0
+  client1:
+    addresses:
+      - 100.64.0.35/27
+    vlan_id: 1001
+    vlan_raw_device: clients0
+  client2:
+    addresses:
+      - 100.64.0.67/27
+    vlan_id: 1002
+    vlan_raw_device: clients0
+  client3:
+    addresses:
+      - 100.64.0.99/27
+    vlan_id: 1003
+    vlan_raw_device: clients0
+  client4:
+    addresses:
+      - 100.64.0.131/27
+    vlan_id: 1004
+    vlan_raw_device: clients0
+...

host_vars/dns-1.int.infra.auro.re.yml

@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  int0: 02:00:00:9f:d9:f9
+
+ifupdown2__interfaces:
+  int0:
+    addresses:
+      - 2a09:6840:206::1:1/64
+      - 10.206.1.1/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...

host_vars/dns-2.int.infra.auro.re.yml

@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  int0: 04:00:00:3c:c0:5a
+
+ifupdown2__interfaces:
+  int0:
+    addresses:
+      - 2a09:6840:206::1:2/64
+      - 10.206.1.2/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...

host_vars/edge-1.back.infra.auro.re.yml

@@ -0,0 +1,39 @@
+---
+systemd_link__links:
+  adm0: 02:00:00:9E:3E:21
+  crans0: 02:00:00:A2:7C:68
+  zayo0: 02:00:00:35:89:82
+  rezel0: 02:00:00:8F:4A:AD
+  back0: 02:00:00:1C:3A:2E
+  viarezo0: 02:00:00:ED:70:64
+  router0: 02:00:00:5A:17:7C
+  oti0: 02:00:00:05:0E:A6
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:2/64
+      - 10.128.10.2/16
+  crans0:
+    ipv6_addrgen: false
+  zayo0:
+    ipv6_addrgen: false
+  rezel0:
+    addresses:
+      - 2a09:6842:19:9116::1/64
+      - 45.66.111.1/29
+  back0:
+    addresses:
+      - 2a09:6840:203::1:1/64
+      - 10.203.1.1/16
+  viarezo0:
+    addresses:
+      - 2a0c:b641:2ff::6/125
+      - 192.159.121.133/29
+  router0:
+    addresses:
+      - 2a09:6840:129::10:2/56
+      - 10.129.10.2/16
+  oti0:
+    ipv6_addrgen: false
+...

host_vars/edge-2.back.infra.auro.re.yml

@@ -0,0 +1,39 @@
+---
+systemd_link__links:
+  adm0: 04:00:00:F5:69:B9
+  crans0: 04:00:00:CF:E1:D0
+  zayo0: 04:00:00:67:7B:12
+  rezel0: 04:00:00:C6:05:B7
+  back0: 04:00:00:DE:22:E6
+  viarezo0: 04:00:00:45:FA:E6
+  router0: 04:00:00:AD:D7:71
+  oti0: 02:00:00:05:0E:A6
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:102/64
+      - 10.128.10.102/16
+  crans0:
+    ipv6_addrgen: false
+  zayo0:
+    ipv6_addrgen: false
+  rezel0:
+    addresses:
+      - 2a09:6842:19:9116::3/64
+      - 45.66.111.3/29
+  back0:
+    addresses:
+      - 2a09:6840:203::1:2/64
+      - 10.203.1.2/16
+  viarezo0:
+    addresses:
+      - 2a0c:b641:2ff::7/125
+      - 192.159.121.134/29
+  router0:
+    addresses:
+      - 2a09:6840:129::10:102/56
+      - 10.129.10.102/16
+  oti0:
+    ipv6_addrgen: false
+...

host_vars/infra-1.back.infra.auro.re.yml

@@ -0,0 +1,63 @@
+---
+systemd_link__links:
+  ups0: 02:00:00:fe:6f:0e
+  back0: 02:00:00:f8:93:22
+  monit0: 02:00:00:da:97:7f
+  wifi0: 02:00:00:8c:c5:bf
+  int0: 02:00:00:75:40:3e
+  sw0: 02:00:00:ca:e8:d1
+  bmc0: 02:00:00:47:d1:b9
+  pve0: 02:00:00:b3:35:e7
+  isp0: 02:00:00:6b:53:14
+  ext0: 02:00:00:32:86:60
+  vpn0: 02:00:00:52:5f:85
+  th30: 02:00:00:23:a7:d3
+  pub0: 02:00:00:7d:34:06
+
+ifupdown2__interfaces:
+  back0:
+    addresses:
+      - 2a09:6840:203::1:3/64
+      - 10.203.1.3/16
+      - 45.66.111.210/32 # secondary
+  ups0:
+    ipv6_addrgen: false
+  monit0:
+    ipv6_addrgen: false
+  wifi0:
+    ipv6_addrgen: false
+  int0:
+    ipv6_addrgen: false
+  sw0:
+    ipv6_addrgen: false
+  bmc0:
+    ipv6_addrgen: false
+  pve0:
+    ipv6_addrgen: false
+  isp0:
+    ipv6_addrgen: false
+  ext0:
+    ipv6_addrgen: false
+  pub0:
+    ipv6_addrgen: false
+  vpn0:
+    addresses:
+      - 2a09:6840:213::1:1/64
+      - 10.213.1.1/16
+  th30:
+    ipv6_addrgen: false
+
+bird__router_id: 10.203.1.3
+
+bird__bgp_addr:
+  back:
+    - 2a09:6840:203::1:3
+    - 10.203.1.3
+  vpn:
+    - 2a09:6840:213::1:1
+    - 10.213.1.1
+
+bird__pref_src_addr:
+  - 2a09:6840:203::1:3
+  - 45.66.111.210
+...

host_vars/infra-2.back.infra.auro.re.yml

@@ -0,0 +1,63 @@
+---
+systemd_link__links:
+  ups0: 04:00:00:6d:97:83
+  back0: 04:00:00:46:ba:f9
+  monit0: 04:00:00:72:0b:2d
+  wifi0: 04:00:00:ee:42:0f
+  int0: 04:00:00:21:fd:d0
+  sw0: 04:00:00:2e:5b:16
+  bmc0: 04:00:00:bb:5a:a6
+  pve0: 04:00:00:0b:2b:82
+  isp0: 04:00:00:f4:4c:5d
+  ext0: 04:00:00:1d:0e:83
+  vpn0: 04:00:00:02:ba:dd
+  th30: 04:00:00:9e:8d:4f
+  pub0: 04:00:00:f8:3b:9b
+
+ifupdown2__interfaces:
+  back0:
+    addresses:
+      - 2a09:6840:203::1:4/64
+      - 10.203.1.4/16
+      - 45.66.111.211/32 # secondary
+  ups0:
+    ipv6_addrgen: false
+  monit0:
+    ipv6_addrgen: false
+  wifi0:
+    ipv6_addrgen: false
+  int0:
+    ipv6_addrgen: false
+  sw0:
+    ipv6_addrgen: false
+  bmc0:
+    ipv6_addrgen: false
+  pve0:
+    ipv6_addrgen: false
+  isp0:
+    ipv6_addrgen: false
+  ext0:
+    ipv6_addrgen: false
+  vpn0:
+    addresses:
+      - 2a09:6840:213::1:2/64
+      - 10.213.1.2/16
+  th30:
+    ipv6_addrgen: false
+  pub0:
+    ipv6_addrgen: false
+
+bird__router_id: 10.203.1.4
+
+bird__bgp_addr:
+  back:
+    - 2a09:6840:203::1:4
+    - 10.203.1.4
+  vpn:
+    - 2a09:6840:213:1:2
+    - 10.213.1.2
+
+bird__pref_src_addr:
+  - 2a09:6840:203::1:4
+  - 45.66.111.211
+...

host_vars/isp-1.back.infra.auro.re.yml

@@ -0,0 +1,59 @@
+---
+systemd_link__links:
+  adm0: 02:00:00:D8:37:45
+  back0: 02:00:00:BF:10:4C
+  trunk0: 02:00:00:E9:BA:15
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:5/64
+      - 10.128.10.5/16
+    gateways: "{{ ifupdown2__gateways.adm }}"
+  back0:
+    addresses:
+      - 2a09:6840:203::1:5/64
+      - 45.66.111.211/32
+      - 10.203.1.5/16
+  trunk0:
+    ipv6_addrgen: false
+  clients0:
+    bridge_vlan_aware: true
+    bridge_ports:
+      - trunk0
+    bridge_vids:
+      - 1000-1004
+    bridge_disable_pvid: true
+    ipv6_addrgen: false
+  client0:
+    vlan_id: 1000
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client1:
+    vlan_id: 1001
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client2:
+    vlan_id: 1002
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client3:
+    vlan_id: 1003
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client4:
+    vlan_id: 1004
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+
+bird__router_id: 10.203.1.5
+
+bird__bgp_addr:
+  back:
+    - 2a09:6840:203::1:5
+    - 10.203.1.5
+
+bird__pref_src_addr:
+  - 2a09:6840:203::1:5
+  - 45.66.111.211
+...

host_vars/isp-2.back.infra.auro.re.yml

@@ -0,0 +1,47 @@
+---
+systemd_link__links:
+  adm0: 04:00:00:85:C3:5D
+  back0: 04:00:00:FE:2D:67
+  trunk0: 04:00:00:D8:F5:4D
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:105/64
+      - 10.128.10.105/16
+    gateways: "{{ ifupdown2__gateways.adm }}"
+  back0:
+    addresses:
+      - 2a09:6840:203::1:6/64
+      - 10.203.1.6/16
+  trunk0:
+    ipv6_addrgen: false
+  clients0:
+    bridge_vlan_aware: true
+    bridge_ports:
+      - trunk0
+    bridge_vids:
+      - 1000-1004
+    bridge_disable_pvid: true
+    ipv6_addrgen: false
+  client0:
+    vlan_id: 1000
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client1:
+    vlan_id: 1001
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client2:
+    vlan_id: 1002
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client3:
+    vlan_id: 1003
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+  client4:
+    vlan_id: 1004
+    vlan_raw_device: clients0
+    ipv6_addrgen: false
+...

host_vars/ldap-1.int.infra.auro.re.yml

@@ -0,0 +1,16 @@
+---
+systemd_link__links:
+  adm0: 02:00:00:38:c2:52
+  int0: 02:00:00:fe:a8:54
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:8/64
+      - 10.128.10.8/16
+  int0:
+    addresses:
+      - 2a09:6840:206::1:3/64
+      - 10.206.1.7/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...

host_vars/ldap-2.int.infra.auro.re.yml

@@ -0,0 +1,16 @@
+---
+systemd_link__links:
+  adm0: 04:00:00:f7:1c:47
+  int0: 04:00:00:e4:83:d2
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::10:108/64
+      - 10.128.10.108/16
+  int0:
+    addresses:
+      - 2a09:6840:206::1:4/64
+      - 10.206.1.8/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...

host_vars/mx.test.infra.auro.re.yml

@@ -0,0 +1,38 @@
+---
+dovecot__auth_default_realm: test.auro.re
+dovecot__auth_users:
+  jeltz@test.auro.re: "{plain}password"
+  lafeych@test.auro.re: "{plain}password"
+  toto@test.auro.re: "{plain}password"
+  root@test.auro.re: "{plain}L9yXSrCbbafMlMls5q7WWMKC612XNbXL"
+dovecot__lmtp_postmaster_address: postmaster@test.auro.re
+
+ifupdown2__interfaces:
+  ext0:
+    addresses:
+      - 2a09:6840:211::1:5/64
+      - 10.211.1.5/16
+      - 45.66.111.208/30
+    gateways: "{{ ifupdown2__gateways.ext }}"
+
+postfix__hostname: mx.test.auro.re
+
+postfix__sasl_local_domain: test.auro.re
+
+postfix__virtual_aliases:
+  postmaster@test.auro.re: root@test.auro.re
+  dmarc@test.auro.re: root@test.auro.re
+
+postfix__virtual_mailbox_domains:
+ - infra.test.auro.re
+ - test.auro.re
+
+postfix__virtual_mailboxes:
+  jeltz@test.auro.re: jeltz@test.auro.re
+  root@test.auro.re: root@test.auro.re
+  toto@test.auro.re: toto@test.auro.re
+  vincent.lafeychine@test.auro.re: lafeych@test.auro.re
+
+systemd_link__links:
+  ext0: ae:ae:ae:1d:c8:b2
+...

host_vars/ns-1.pub.infra.auro.re.yml

@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  pub0: 02:00:00:ad:62:64
+
+ifupdown2__interfaces:
+  pub0:
+    addresses:
+      - 2a09:6840:215::1:2/64
+      - 45.66.111.205/27
+    gateways: "{{ ifupdown2__gateways.pub }}"
+...

host_vars/ns-2.pub.infra.auro.re.yml

@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  pub0: 04:00:00:1b:0a:3a
+
+ifupdown2__interfaces:
+  pub0:
+    addresses:
+      - 2a09:6840:215::1:3/64
+      - 45.66.111.207/27
+    gateways: "{{ ifupdown2__gateways.pub }}"
+...

host_vars/ns-3.ovh.infra.auro.re.yml

@@ -0,0 +1,29 @@
+---
+systemd_link__links:
+  adm0: 96:77:96:91:e3:6c
+  ovh0: 00:50:56:00:fd:c0
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::109/64
+      - 10.128.0.109/16
+  ovh0:
+    addresses:
+      - 92.222.211.194/24
+    gateways: "{{ ifupdown2__gateways.ovh }}"
+
+# TODO: remove as soon as the VPN works
+knotd__remotes:
+  xfr-master:
+    address: 2a09:6840:128::110
+    key: xfr
+
+knotd__acl:
+  notify-master:
+    address:
+      - 2a09:6840:128::110
+      - 10.128.0.110
+    key: xfr
+    action: notify
+...

host_vars/ns-master.int.infra.auro.re/knotd.yml

@@ -0,0 +1,615 @@
+---
+knotd__listen:
+  - address: 0.0.0.0
+  - address: "::"
+
+knotd__keys:
+  xfr:
+    algorithm: hmac-sha512
+    secret: "{{ vault_knotd_xfr_key }}"
+  ksk-infra:
+    algorithm: hmac-sha512
+    secret: "{{ vault_knotd_ksk_infra_key }}"
+  update-acme-challenge:
+    algorithm: hmac-sha512
+    secret: "{{ vault_certbot_dns_secret }}"
+
+knotd__remotes:
+  xfr-ns-1:
+    address: 2a09:6840:215::1:2
+    key: xfr
+  xfr-ns-2:
+    address: 2a09:6840:215::1:3
+    key: xfr
+  xfr-ns-3:
+    address: 10.128.0.109
+    key: xfr
+  ksk-infra:
+    address: ::1
+    key: ksk-infra
+
+knotd__policies:
+  public:
+    algorithm: ECDSAP256SHA256
+    reproducible_signing: true
+    # Je n'ai pas trouvé de façon de pousser les records automatiquement
+    # sur .re, donc pour éviter d'oublier de le faire manuellement, la
+    # KSK n'expire pas
+    ksk_lifetime: 0
+    zsk_lifetime: 30d
+    nsec3: true
+  infra:
+    algorithm: ECDSAP256SHA256
+    ksk_lifetime: 365d
+    zsk_lifetime: 30d
+    nsec3: on
+    ds-push: ksk-infra
+    cds-cdnskey-publish: rollover
+    ksk-submission: infra
+  ripe:
+    algorithm: ECDSAP256SHA256
+    ksk_lifetime: 365d
+    zsk_lifetime: 30d
+    nsec3: on
+    ds-push: ksk-ripe
+    cds-cdnskey-publish: rollover
+    ksk-submission: ripe
+
+knotd__acl:
+  xfr:
+    addresses:
+      - 2a09:6840:128::109
+      - 10.128.0.109
+      - 2a09:6840:215::1:2
+      - 45.66.111.205
+      - 2a09:6840:215::1:3
+      - 45.66.111.207
+    action: transfer
+    key: xfr
+  ksk-infra:
+    addresses:
+      - 127.0.0.1
+      - ::1
+    key: ksk-infra
+    action: update
+    update_types:
+      - DS
+    update_owner: name
+    update_owner_match: equal
+    update_owner_name:
+      - infra
+  update-acme-challenge:
+    addresses:
+      - 10.128.0.0/16
+      - 2a09:6840:128::/48
+    key: update-acme-challenge
+    action: update
+    update_types:
+      - TXT
+    update_owner: name
+    update_owner_match: equal
+    update_owner_name:
+      - _acme-challenge.auro.re.
+
+knotd__queryacl:
+  local:
+    addresses:
+      - 10.0.0.0/8
+
+knotd__soa_rname: root@auro.re.
+
+knotd__hosts:
+
+  auro.re:
+    proxy-ovh:
+      - 92.222.211.195
+    horus:
+      - 92.23.218.136
+    ns-1:
+      - 45.66.111.205
+      - 2a09:6840:215::1:2
+    ns-2:
+      - 92.222.211.194
+    serge:
+      - 92.222.211.196
+    lama:
+      - 185.230.78.220
+      - 2a0c:700:12:0:67:e5ff:fee9:108
+    vpn-ovh:
+      - 92.222.211.197
+    passerelle:
+      - 45.66.111.254
+      - 2a09:6840:111::254
+    proxy:
+      - 45.66.111.61
+      - 2a09:6840:111::61
+    camelot:
+      - 45.66.111.59
+      - 2a09:6840:111::59
+    mail:
+      - 45.66.111.62
+      - 2a09:6840:111::62
+    galene:
+      - 45.66.111.65
+      - 2a09:6840:111::65
+    aclyas:
+      - 45.66.111.231
+      - 2a09:6840:111::231
+    jitsi:
+      - 45.66.111.55
+      - 2a09:6840:111::55
+    portail-fleming:
+      - 10.13.0.247
+      - 2a09:6840:13::247
+    portail-pacaterie:
+      - 10.23.0.247
+      - 2a09:6840:23::247
+    portail-rives:
+      - 10.33.0.247
+      - 2a09:6840:33::247
+    portail-edc:
+      - 10.43.0.247
+      - 2a09:6840:43::247
+    portail-gs:
+      - 10.53.0.247
+      - 2a09:6840:53::247
+    grocy.bric:
+      - 45.66.111.133
+      - 2a09:6840:111::133
+
+  adh.auro.re:
+    hoffman:
+      - 45.66.110.1
+      - 2a09:6840:110:0:2d8:61ff:fe56:d7eb
+    hindley:
+      - 45.66.110.3
+      - 2a09:6840:110:0:a6ba:dbff:fe03:1f36
+    yberreby:
+      - 45.66.110.5
+      - 2a09:6840:110:0:d896:1dff:fe59:8381
+    paon:
+      - 45.66.110.10
+      - 2a09:6840:110:0:231:92ff:fe1b:ae22
+    lovelace:
+      - 45.66.110.45
+      - 2a09:6840:110:0:c634:6bff:feb5:7bcc
+    switch-leo:
+      - 45.66.110.103
+      - 2a09:6840:110:0:82cc:9cff:fe82:ca3e
+    haskell:
+      - 45.66.110.112
+      - 2a09:6840:110:0:f4ac:cbff:fe81:7f48
+    lyshyga0:
+      - 45.66.110.113
+      - 2a09:6840:110:0:6af7:28ff:fe91:e8d9
+    pz28910:
+      - 45.66.110.114
+    vinsing0:
+      - 45.66.110.123
+      - 2a09:6840:110:0:1e1b:dff:fe90:7d81
+    osc-routeur:
+      - 45.66.110.125
+      - 2a09:6840:110:0:ba27:ebff:fe2d:c1a1
+    odroid:
+      - 45.66.110.154
+      - 2a09:6840:110:0:21e:6ff:fe49:e00
+    amau0:
+      - 45.66.110.164
+      - 2a09:6840:110:0:3e7c:3fff:fec3:27d1
+    regulus:
+      - 45.66.110.180
+      - 2a09:6840:110:0:2ef0:5dff:fe2a:1530
+    toaster:
+      - 45.66.110.188
+      - 2a09:6840:110:0:5246:5dff:fe9a:f70
+    rpijutax:
+      - 45.66.110.190
+      - 2a09:6840:110:0:ba27:ebff:fe76:a9bc
+    lafeychine:
+      - 45.66.110.200
+      - 2a09:6840:110:0:46a5:6eff:fe71:1
+    polaris:
+      - 45.66.110.245
+      - 2a09:6840:110:0:dea6:32ff:feb4:d033
+
+knotd__zones:
+
+  auro.re:
+    dnssec_policy: public
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - update-acme-challenge
+      - ksk-infra
+      - xfr
+    soa:
+      mname: ns-master.int.infra
+    ns:
+      - target:
+          - ns-1.pub.infra
+          - ns-2.pub.infra
+          - ns-3.ovh.infra
+      - name: infra
+        target:
+          - ns-1.pub.infra
+          - ns-2.pub.infra
+          - ns-3.ovh.infra
+      - name: test
+        target:
+          - ns-1.pub.infra
+          - ns-2.pub.infra
+          - ns-3.ovh.infra
+      - name: adm
+        target:
+          - serge
+          - lama
+      - name: ups
+        target:
+          - serge
+          - lama
+      - name: switch
+        target:
+          - serge
+          - lama
+      - name: borne
+        target:
+          - serge
+          - lama
+    mx:
+      - exchange: mail
+        preference: 5
+      - exchange: proxy-ovh
+        preference: 10
+    txt:
+      - data: v=spf1 mx -all
+    a:
+      - address: 92.222.211.195
+    cname:
+      - name:
+          - gisti
+          - gistiti
+        target: jitsi
+      - name:
+          - element
+          - riot
+          - auth
+          - rss
+          - codimd
+          - hedgedoc
+          - grist
+          - kanboard
+          - www
+          - pad
+          - privatebin
+          - zero
+          - paste
+        target: proxy-ovh
+      - name:
+          - grafana
+          - nextcloud
+          - cloud
+          - office
+        target: proxy.pub.infra
+      - name:
+          - netbox
+          - wiki
+          - matrix
+          - drone
+          - gitea
+          - re2o
+          - vote
+        target: proxy
+      - name: intranet
+        target: re2o
+      - name:
+          - smtp
+          - imap
+        target: mail
+      - name:
+          - prometheus-paul.adh
+          - pma-paul.adh
+          - nextcloud-paul.adh
+          - grafana-paul.adh
+          - jellyfin.adh
+          - monitoring.adh
+          - beta-mpp.adh
+          - pz28.adh
+        target: lucepaul.myvnc.com.
+      - name:
+          - services-1.pve
+        target: services-1.pve.infra
+      - name:
+          - services-2.pve
+        target: services-2.pve.infra
+      - name:
+          - services-3.pve
+        target: services-3.pve.infra
+    hosts: "{{ knotd__hosts['auro.re']
+               | combine(knotd__hosts['adh.auro.re']
+                         | add_origin_keys('adh.auro.re.')) }}"
+
+  test.auro.re:
+    dnssec_policy: public
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    txt:
+      - data: v=spf1 mx -all
+      - name: _dmarc
+        data: v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@test.auro.re;ruf=mailto:postmaster@test.auro.re
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+          - ns-3.ovh.infra.auro.re.
+    mx:
+      - exchange: mx
+        preference: 5
+    cname:
+      - name:
+          - www1
+          - www2
+          - www3
+        target: proxy.pub.infra.auro.re.
+    hosts:
+      mx:
+        - 2a09:6840:211::1:5
+        - 45.66.111.205
+
+  infra.auro.re:
+    dnssec_policy: infra
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    #queryacl: local
+    soa:
+      mname: ns-master.int
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+          - ns-3.ovh.infra.auro.re.
+    hosts:
+      services-1.ceph:
+        - 10.214.1.1
+        - "2a09:6840:214::1:1"
+      services-2.ceph:
+        - 10.214.1.2
+        - "2a09:6840:214::1:2"
+      services-3.ceph:
+        - 10.214.1.3
+        - "2a09:6840:209::1:3"
+      services-1.pve:
+        - 10.209.2.1
+        - 2a09:6840:209::2:1
+      services-2.pve:
+        - 10.209.2.2
+        - 2a09:6840:209::2:2
+      services-3.pve:
+        - 10.209.2.3
+        - 2a09:6840:209::2:3
+      ns-master.int:
+        - 10.128.0.110
+        - 2a09:6840:128:0::110
+      network-1.pve:
+        - 2a09:6840:209::1:1
+        - 10.209.1.1
+      network-2.pve:
+        - 2a09:6840:209::1:2
+        - 10.209.1.2
+      edge-1.back:
+        - 2a09:6840:203::1:1
+        - 10.203.1.1
+      edge-2.back:
+        - 2a09:6840:203::1:2
+        - 10.203.1.2
+      dns-1.int:
+        - 2a09:6840:206::1:1
+        - 10.206.1.1
+      dns-2.int:
+        - 2a09:6840:206::1:2
+        - 10.206.1.2
+      nis2.int:
+        - 2a09:6840:206::2:1
+        - 10.206.2.1
+      wg-1.vpn:
+        - 2a09:6840:213::1:3
+        - 10.213.1.3
+      wg-2.vpn:
+        - 2a09:6840:213::1:4
+        - 10.213.1.4
+      infra-1.back:
+        - 2a09:6840:203::1:3
+        - 10.203.1.3
+      infra-2.back:
+        - 2a09:6840:203::1:4
+        - 10.203.1.4
+      isp-1.back:
+        - 2a09:6840:203::1:5
+        - 10.203.1.5
+      isp-2.back:
+        - 2a09:6840:203::1:6
+        - 10.203.1.6
+      dhcp-1.isp:
+        - 2a09:6840:210::1:1
+        - 10.210.1.1
+      dhcp-2.isp:
+        - 2a09:6840:210::1:2
+        - 10.210.1.2
+      radius-1.isp:
+        - 2a09:6840:210::1:3
+        - 10.210.1.3
+      radius-2.isp:
+        - 2a09:6840:210::1:4
+        - 10.210.1.4
+      ldap-1.int:
+        - 10.128.10.8
+        - 2a09:6840:128::10:8
+      ldap-2.int:
+        - 10.128.10.108
+        - 2a09:6840:128::10:108
+      ntp-1.int:
+        - 2a09:6840:206::1:5
+        - 10.206.1.5
+      ntp-2.int:
+        - 2a09:6840:206::1:6
+        - 10.206.1.6
+      prometheus-1.monit:
+        - 2a09:6840:204::1:1
+        - 10.204.1.1
+      prometheus-2.monit:
+        - 2a09:6840:204::1:2
+        - 10.204.1.2
+      ff-1.core.sw:
+        #- 2a09:6840:207::1:1
+        - 10.207.1.1
+      ff-2.core.sw:
+        #- 2a09:6840:207::1:2
+        - 10.207.1.2
+      fl-1.core.sw:
+        #- 2a09:6840:207::1:3
+        - 10.207.1.3
+      fl-2.core.sw:
+        #- 2a09:6840:207::1:4
+        - 10.207.1.4
+      fd-1.core.sw:
+        #- 2a09:6840:207::1:5
+        - 10.207.1.5
+      ff-3.core.sw:
+        #- 2a09:6840:207::1:6
+        - 10.207.1.6
+      gk-1.core.sw:
+        #- 2a09:6840:207::2:1
+        - 10.207.2.1
+      eb-1.core.sw:
+        #- 2a09:6840:207::3:1
+        - 10.207.3.1
+      r3-1.core.sw:
+        #- 2a09:6840:207::4:1
+        - 10.207.4.1
+      eb-1.ups:
+        - 2a09:6840:201::3:1
+        - 10.201.3.1
+      ec-1.ups:
+        - 2a09:6840:201::3:2
+        - 10.201.3.2
+      mx.test:
+        - 2a09:6840:211::1:5
+        - 10.211.1.5
+      collabora.ext:
+        - 2a09:6840:211::1:1
+        - 10.211.1.1
+      proxy.pub:
+        - 2a09:6840:215::1:1
+        - 45.66.111.206
+      ns-1.pub:
+        - 2a09:6840:215::1:2
+        - 45.66.111.205
+      ns-2.pub:
+        - 2a09:6840:215::1:3
+        - 45.66.111.207
+      ns-3.ovh:
+        - 92.222.211.194
+
+  108.66.45.in-addr.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+          - ns-3.ovh.infra.auro.re.
+
+  109.66.45.in-addr.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+          - ns-3.ovh.infra.auro.re.
+
+  110.66.45.in-addr.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+          - ns-3.ovh.infra.auro.re.
+    reverse_hosts: "{{ knotd__hosts['adh.auro.re']
+                       | ip_filter(['45.66.110.0/24'])
+                       | add_origin_keys('adh.auro.re.') }}"
+
+  111.66.45.in-addr.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+          - ns-3.ovh.infra.auro.re.
+    reverse_hosts: "{{ knotd__hosts['auro.re']
+                       | ip_filter(['45.66.111.0/24'])
+                       | add_origin_keys('auro.re.') }}"
+
+  0.4.8.6.9.0.a.2.ip6.arpa:
+    dnssec_policy: ripe
+    notify:
+      - xfr-ns-1
+      - xfr-ns-2
+      - xfr-ns-3
+    acl:
+      - xfr
+    soa:
+      mname: ns-master.int.infra.auro.re.
+    ns:
+      - target:
+          - ns-1.pub.infra.auro.re.
+          - ns-2.pub.infra.auro.re.
+          - ns-3.ovh.infra.auro.re.
+    reverse_hosts: "{{ knotd__hosts['auro.re']
+                       | ip_filter(['2a09:6840::/32'])
+                       | add_origin_keys('auro.re.')
+                       | combine(knotd__hosts['adh.auro.re']
+                                 | ip_filter(['2a09:6840::/32'])
+                                 | add_origin_keys('adh.auro.re.')) }}"
+...

host_vars/ns-master.int.infra.auro.re/main.yml

@@ -0,0 +1,16 @@
+---
+systemd_link__links:
+  int0: 02:00:00:e3:36:c8
+  adm0: 42:17:a7:d1:bd:6a
+
+ifupdown2__interfaces:
+  adm0:
+    addresses:
+      - 2a09:6840:128::110/64
+      - 10.128.0.110/16
+  int0:
+    addresses:
+      - 2a09:6840:206::1:7/64
+      - 10.206.1.7/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...

host_vars/ntp-1.int.infra.auro.re.yml

@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  int0: 02:00:00:74:71:83
+
+ifupdown2__interfaces:
+  int0:
+    addresses:
+      - 2a09:6840:206::1:5/64
+      - 10.206.1.5/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...

host_vars/ntp-2.int.infra.auro.re.yml

@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  int0: 04:00:00:31:be:50
+
+ifupdown2__interfaces:
+  int0:
+    addresses:
+      - 2a09:6840:206::1:6/64
+      - 10.206.1.6/16
+    gateways: "{{ ifupdown2__gateways.int }}"
+...

host_vars/prometheus-1.monit.infra.auro.re.yml

@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  monit0: 02:00:00:a8:6b:51
+
+ifupdown2__interfaces:
+  monit0:
+    addresses:
+      - 2a09:6840:204::1:1/64
+      - 10.204.1.1/16
+    gateways: "{{ ifupdown2__gateways.monit }}"
+...

host_vars/prometheus-2.monit.infra.auro.re.yml

@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  monit0: 04:00:00:a6:93:5a
+
+ifupdown2__interfaces:
+  monit0:
+    addresses:
+      - 2a09:6840:204::1:2/64
+      - 10.204.1.2/16
+    gateways: "{{ ifupdown2__gateways.monit }}"
+...

host_vars/proxy.adm.auro.re.yml

@@ -70,3 +70,6 @@ loc_reverseproxy:
 
     - from: grafana.auro.re
       to: "10.128.0.98:3000"
+
+    - from: office.auro.re
+      to: "10.128.0.220"

host_vars/proxy.pub.infra.auro.re.yml

@@ -0,0 +1,99 @@
+---
+systemd_link__links:
+  pub0: ae:ae:ae:3a:71:0b
+
+ifupdown2__interfaces:
+  pub0:
+    addresses:
+      - 2a09:6840:215::1:1/64
+      - 45.66.111.206/27
+    gateways: "{{ ifupdown2__gateways.pub }}"
+
+caddy__matrix_headers:
+  access-control-allow-headers: "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+  access-control-allow-methods: "GET, POST, PUT, DELETE, OPTIONS"
+  access-control-allow-origin: "*"
+
+caddy__routes_https:
+  www1.test.auro.re:
+    - root: /var/www/auro.re
+    - path: /.well-known/matrix/server
+      headers: "{{ caddy__matrix_headers }}"
+      body: '{"m.server": "matrix.auro.re:8448"}'
+      status: 200
+    - path: /.well-known/matrix/client
+      headers: "{{ caddy__matrix_headers }}"
+      body: '{"m.homeserver": {"base_url": "https://matrix.auro.re"}}'
+      status: 200
+  www2.test.auro.re:
+    headers:
+      location: "https://auro.re{http.request.uri}"
+    status: 301
+  www3.test.auro.re:
+    reverse:
+      - "[2a09:6840:128::198]:3000"
+      - 10.128.0.198:3000
+  grafana.auro.re:
+    reverse:
+      - "[2a09:6840:128::98]:3000"
+      - 10.128.0.98:3000
+  office.auro.re:
+    reverse:
+      - "[2a09:6840:211::1:1]:9980"
+      - 10.211.1.1:9980
+  nextcloud.auro.re:
+    headers:
+      location: "https://cloud.auro.re{http.request.uri}"
+    status: 301
+  cloud.auro.re:
+    - path: /.well-known/carddav
+      headers:
+        location: /remote.php/dav/
+      status: 301
+    - path: /.well-known/caldav
+      headers:
+        location: /remote.php/dav/
+      status: 301
+    - path: /.well-known/webfinger
+      headers:
+        location: /index.php/.well-known/webfinger
+      status: 301
+    - path: /.well-known/nodeinfo
+      headers:
+        location: /index.php/.well-known/nodeinfo
+      status: 301
+    - path: /remote/*
+      rewrite: /remote.php
+    - path: /ocm-provider/*
+      rewrite: /index.php
+    - path: "*.mjs"
+      headers:
+        content-type: text/javascript
+    - reverse:
+        - "[2a09:6840:128::58]:8080"
+        - 10.128.0.58:8080
+      headers:
+        x-robots-tag: noindex, nofollow
+        referrer-policy: no-referrer
+        x-content-type-options: nosniff
+        x-frame-options: SAMEORIGIN
+        x-permitted-cross-domain-policies: none
+        x-xss-protection: "1; mode=block"
+
+caddy__contact_email: tech.aurore@lists.crans.org
+
+caddy__errors:
+  - root: "{{ caddy__error_dir }}"
+  - rewrite: /error.html
+  - file_server: true
+    templates: true
+
+caddy__servers:
+  https:
+    listen: ":443"
+    routes: "{{ caddy__routes_https }}"
+    errors: "{{ caddy__errors }}"
+  http:
+    listen: ":80"
+
+...

host_vars/radius-1.isp.infra.auro.re.yml

@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  isp0: 02:00:00:6a:3e:f4
+
+ifupdown2__interfaces:
+  isp0:
+    addresses:
+      - 2a09:6840:210::1:3/64
+      - 10.210.1.3/16
+    gateways: "{{ ifupdown2__gateways.isp }}"
+...

host_vars/radius-2.isp.infra.auro.re.yml

@@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  isp0: 04:00:00:29:6d:c9
+
+ifupdown2__interfaces:
+  isp0:
+    addresses:
+      - 2a09:6840:210::1:4/64
+      - 10.210.1.4/16
+    gateways: "{{ ifupdown2__gateways.isp }}"
+...

host_vars/wg-1.vpn.infra.auro.re.yml

@@ -0,0 +1,44 @@
+---
+systemd_link__links:
+  vpn0:
+    enabled: false
+  vpn: 02:00:00:b5:ca:c7
+  ext0:
+    enabled: false
+  ext: 02:00:00:e3:65:49
+
+ifupdown2__interfaces:
+  ext0:
+    gateways: "{{ ifupdown2__gateways.ext }}"
+    addresses:
+      - 2a09:6840:211::1:1/64
+      - 10.211.1.1/16
+      - 45.66.111.204/30
+  vpn0:
+    addresses:
+      - 2a09:6840:213::1:3/64
+      - 10.213.1.3/16
+    # FIXME: move to group_vars
+    goto_table: "{{ iproute2__custom_tables.wireguard }}"
+    #vrf: wg-vrf
+  ext:
+    gateways: "{{ ifupdown2__gateways.ext }}"
+    addresses:
+      - 2a09:6840:211::1:1/64
+      - 10.211.1.1/16
+      - 45.66.111.204/30
+  vpn:
+    addresses:
+      - 2a09:6840:213::1:3/64
+      - 10.213.1.3/16
+    # FIXME: move to group_vars
+    goto_table: "{{ iproute2__custom_tables.wireguard }}"
+    #vrf: wg-vrf
+
+bird__router_id: 10.213.1.3
+
+bird__bgp_addr:
+  vpn:
+    - 2a09:6840:213::1:3
+    - 10.213.1.3
+...

hosts

@@ -1,9 +1,104 @@
 # Aurore servers inventory
 
-# How to name your server ?
-# > We name servers according to location, then type, then function.
-# > Then we regroup everything in global geographic, type and function groups.
+[vm_test]
+mx.test.infra.auro.re
 
+[vm_services]
+collabora.ext.infra.auro.re
+proxy.pub.infra.auro.re
+
+[aruba]
+eb-1.acs.sw.infra.auro.re
+
+[quanta]
+ff-1.core.sw.infra.auro.re
+ff-2.core.sw.infra.auro.re
+fl-1.core.sw.infra.auro.re
+fl-2.core.sw.infra.auro.re
+fd-1.core.sw.infra.auro.re
+gk-1.core.sw.infra.auro.re
+eb-1.core.sw.infra.auro.re
+r3-1.core.sw.infra.auro.re
+
+[eaton_ups]
+eb-1.ups.infra.auro.re
+ec-1.ups.infra.auro.re
+
+[vpn]
+wg-[1:2].vpn.infra.auro.re
+
+[dns]
+dns-[1:2].int.infra.auro.re
+
+[dhcp]
+dhcp-[1:2].isp.infra.auro.re
+
+[edge]
+edge-[1:2].back.infra.auro.re
+
+[isp]
+isp-1.back.infra.auro.re
+#isp-[1:2].back.infra.auro.re
+
+[infra]
+infra-[1:2].back.infra.auro.re
+
+[prom]
+prometheus-[1:2].monit.infra.auro.re
+
+[router:children]
+isp
+infra
+edge
+
+[ns]
+ns-[1:2].pub.infra.auro.re
+ns-3.ovh.infra.auro.re
+
+[ldap]
+#ldap-[1:2].int.infra.auro.re
+
+[ntp]
+ntp-[1:2].int.infra.auro.re
+
+[radiusng]
+radius-[1:2].isp.infra.auro.re
+
+[vm:children]
+vm_network
+vm_services
+vm_ovh
+
+[vm_ovh]
+ns-3.ovh.infra.auro.re
+
+[vm_network:children]
+vpn
+edge
+dhcp
+dns
+radiusng
+ntp
+#ldap
+isp
+infra
+prom
+ns
+nsmaster
+
+[nsmaster]
+ns-master.int.infra.auro.re
+
+[pve:children]
+pve_network
+pve_services
+
+[pve_network]
+network-1.pve.infra.auro.re ansible_ssh_host=10.209.1.1
+network-2.pve.infra.auro.re
+
+[pve_services]
+services-[1:3].pve.infra.auro.re
 
 ###############################################################################
 # Aurore : main services
@@ -69,6 +164,7 @@ switchs-manager.adm.auro.re
 ldap-replica-ovh.adm.auro.re
 prometheus-ovh.adm.auro.re
 prometheus-federate.adm.auro.re
+ns-2.auro.re
 
 [ovh_testing_vm]
 #re2o-test.adm.auro.re
@@ -89,15 +185,9 @@ dhcp-fleming.adm.auro.re
 dhcp-fleming-backup.adm.auro.re
 dns-fleming.adm.auro.re
 dns-fleming-backup.adm.auro.re
-ntp-1.int.infra.auro.re
 prometheus-fleming.adm.auro.re
-#prometheus-fleming-fo.adm.auro.re
+ns-1.auro.re
 radius-fleming.adm.auro.re
-dns-1.int.infra.auro.re
-isp-1.rtr.infra.auro.re
-isp-2.rtr.infra.auro.re
-dhcp-1.isp.auro.re
-dhcp-2.isp.auro.re
 radius-fleming-backup.adm.auro.re
 unifi-fleming.adm.auro.re
 routeur-fleming.adm.auro.re
@@ -505,13 +595,13 @@ rives_unifi
 ovh_container
 
 # every virtual machine
-[vm:children]
-ovh_vm
-fleming_vm
-pacaterie_vm
-edc_vm
-gs_vm
-rives_vm
+#[vm:children]
+#ovh_vm
+#fleming_vm
+#pacaterie_vm
+#edc_vm
+#gs_vm
+#rives_vm
 
 # every server
 [server:children]
@@ -519,13 +609,13 @@ fleming_server
 edc_server
 
 # every PVE
-[pve:children]
-ovh_pve
-fleming_pve
-pacaterie_pve
-edc_pve
-gs_pve
-rives_pve
+#[pve:children]
+#ovh_pve
+#fleming_pve
+#pacaterie_pve
+#edc_pve
+#gs_pve
+#rives_pve
 
 # every unifi
 [unifi:children]

playbooks/base.yml

@@ -1,10 +1,9 @@
 #!/usr/bin/env ansible-playbook
 ---
-# Put a common configuration on all servers
-- hosts: all,!unifi
+- hosts:
+    - pve
+    - vm
   roles:
-    - baseconfig
-    - basesecurity
-    - ldap_client
-    - logrotate
-    - update_motd
+    - base_utils
+    - unattended_upgrades
+...

playbooks/bird.yml

@@ -0,0 +1,484 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+    - infra
+    - isp
+    - vpn
+  roles:
+    - bird
+
+#- hosts:
+#    - isp-1.back.infra.auro.re
+#    - isp-2.back.infra.auro.re
+#  vars:
+#    bird__router_ids:
+#      isp-1.back.infra.auro.re: 10.203.1.5
+#      isp-2.back.infra.auro.re: 10.203.1.6
+#    bird__router_id: "{{ bird__router_ids[inventory_hostname] }}"
+#    bird__radv_interfaces:
+#      client0:
+#        prefix:
+#          - 2a09:6841::/64
+#        domain_search:
+#          - client0.isp.auro.re
+#      client1:
+#        prefix:
+#          - 2a09:6841:0:1::/64
+#        domain_search:
+#          - client1.isp.auro.re
+#      client2:
+#        prefix:
+#          - 2a09:6841:0:2::/64
+#        domain_search:
+#          - client2.isp.auro.re
+#      client3:
+#        prefix:
+#          - 2a09:6841:0:3::/64
+#        domain_search:
+#          - client3.isp.auro.re
+#      client4:
+#        prefix:
+#          - 2a09:6841:0:400::/64
+#        domain_search:
+#          - client4.isp.auro.re
+#    bird__radv_dns_servers:
+#      - 2a09:6840:128::10:103
+#      - 2a09:6840:128::10:3
+#    bird__asn:
+#      aurore: 43619
+#    bird__bgp_addresses:
+#      isp-1.back.infra.auro.re:
+#        - 2a09:6840:203::1:5
+#        - 10.203.1.5
+#      isp-2.back.infra.auro.re:
+#        - 2a09:6840:203::1:6
+#        - 10.203.1.6
+#    bird__bgp_sessions:
+#      edge1:
+#        local:
+#          address: "{{ bird__bgp_addresses[inventory_hostname] }}"
+#          as: "{{ bird__asn.aurore }}"
+#        remote:
+#          address:
+#            - 2a09:6840:203::1:1
+#            - 10.203.1.1
+#          as: "{{ bird__asn.aurore }}"
+#        import:
+#          - accept: true
+#        export:
+#          - accept: false
+#      edge2:
+#        local:
+#          address: "{{ bird__bgp_addresses[inventory_hostname] }}"
+#          as: "{{ bird__asn.aurore }}"
+#        remote:
+#          address:
+#            - 2a09:6840:203::1:2
+#            - 10.203.1.2
+#          as: "{{ bird__asn.aurore }}"
+#        import:
+#          - accept: true
+#        export:
+#          - accept: false
+#    bird__ospf_broadcast_interfaces:
+#      back0: null
+#    bird__ospf_stub_interfaces:
+#      - client0
+#      - client1
+#      - client2
+#      - client3
+#      - client4
+#  roles:
+#    - bird
+
+
+#- hosts:
+#    - infra-1.back.infra.auro.re
+#    - infra-2.back.infra.auro.re
+#  vars:
+#    bird__router_ids:
+#      infra-1.back.infra.auro.re: 10.203.1.3
+#      infra-2.back.infra.auro.re: 10.203.1.4
+#    bird__router_id: "{{ bird__router_ids[inventory_hostname] }}"
+#    bird__ospf_broadcast_interfaces:
+#      back0: null
+#    bird__ospf_stub_interfaces:
+#      - monit0
+#      - wifi0
+#      - int0
+#      - pub0
+#      - bmc0
+#      - pve0
+#      - isp0
+#      - mgmt0
+#    bird__asn:
+#      aurore: 43619
+#    bird__bgp_addresses:
+#      infra-1.back.infra.auro.re:
+#        - 2a09:6840:203::1:3
+#        - 10.203.1.3
+#      infra-2.back.infra.auro.re:
+#        - 2a09:6840:203::1:4
+#        - 10.203.1.4
+#    bird__bgp_sessions:
+#      edge1:
+#        local:
+#          address: "{{ bird__bgp_addresses[inventory_hostname] }}"
+#          as: "{{ bird__asn.aurore }}"
+#        remote:
+#          address:
+#            - 2a09:6840:203::1:1
+#            - 10.203.1.1
+#          as: "{{ bird__asn.aurore }}"
+#        import:
+#          - accept: true
+#        export:
+#          - accept: false
+#      edge2:
+#        local:
+#          address: "{{ bird__bgp_addresses[inventory_hostname] }}"
+#          as: "{{ bird__asn.aurore }}"
+#        remote:
+##          address:
+#            - 2a09:6840:203::1:2
+#            - 10.203.1.2
+#          as: "{{ bird__asn.aurore }}"
+#        import:
+#          - accept: true
+#        export:
+#          - accept: false
+#  roles:
+#    - bird
+
+#- hosts:
+#    - edge-1.back.infra.auro.re
+#    - edge-2.back.infra.auro.re
+#  vars:
+#    bird__router_ids:
+#      edge-1.back.infra.auro.re: 10.203.1.1
+#      edge-2.back.infra.auro.re: 10.203.1.2
+#    bird__asn:
+#      aurore: 43619
+#      crans: 204515
+#      zayo: 8218
+#      viarezo: 212424
+#      rezel: 199116
+#    bird__orig_prefixes:
+#      aurore:
+#        - 45.66.108.0/22
+#        - 2a09:6840::/32
+#        - 2a09:6841::/32
+#        - 2a09:6842::/32
+#      crans:
+#        - 185.230.76.0/22
+#        - 2a0c:700::/32
+#      viarezo:
+#        - 138.195.144.0/20
+#        - 192.159.121.0/24
+#        - 2a0c:b641:2f0::/44
+#      rezel:
+#        - 137.194.8.0/22
+#        - 2a09:6847::/32
+#      martians:
+#        - 10.0.0.0/8
+#        - 172.16.0.0/12
+#        - 192.168.0.0/16
+#        - 100.64.0.0/10
+#        - 127.0.0.0/8
+#        - 169.254.0.0/16
+#        - 192.0.0.0/24
+#        - 192.0.2.0/24
+#        - 198.18.0.0/15
+#        - 198.51.100.0/24
+#        - 203.0.113.0/24
+#        - 224.0.0.0/4
+#        - 240.0.0.0/4
+#        - ::/128
+#        - ::1/128
+#        - ::ffff:0:0/96
+#        - ::/96
+#        - 100::/64
+#        - 2001:10::/28
+#        - 2001:db8::/32
+#        - fc00::/7
+#        - fe80::/10
+#        - fec0::/10
+#        - ff00::/8
+#    bird__router_id: "{{ bird__router_ids[inventory_hostname] }}"
+#    bird__bgp_addresses:
+#      edge:
+#        edge-1.back.infra.auro.re:
+#          - 2a09:6840:203::1:1
+#          - 10.203.1.1
+#        edge-2.back.infra.auro.re:
+#            - 2a09:6840:203::1:2
+#            - 10.203.1.2
+#      legacy:
+#        edge-1.back.infra.auro.re:
+#          - 2a09:6840:129::10:2
+#          - 10.129.10.2
+#        edge-2.back.infra.auro.re:
+#          - 2a09:6840:129::10:102
+#          - 10.129.10.102
+#      rezel:
+#        edge-1.back.infra.auro.re:
+#          - 2a09:6842:19:9116::1
+#          - 45.66.111.1
+#        edge-2.back.infra.auro.re:
+#          - 2a09:6842:19:9116::3
+#          - 45.66.111.3
+#    bird__bgp_sessions:
+#      edge:
+#        local:
+#          address: "{{ bird__bgp_addresses.edge[inventory_hostname] }}"
+#          as: "{{ bird__asn.aurore }}"
+#        remote:
+#          address: "{{ bird__bgp_addresses.edge
+#                       | dict2items
+#                       | selectattr('key', '!=', inventory_hostname)
+#                       | map(attribute='value')
+#                       | first }}"
+#          as: "{{ bird__asn.aurore }}"
+#        import:
+#          - accept: true
+#        export:
+#          - local_pref: 75
+#            accept: true
+#      vpn1:
+#        local:
+#          address: "{{ bird__bgp_addresses.edge[inventory_hostname] }}"
+#          as: "{{ bird__asn.aurore }}"
+#        remote:
+#          address:
+#            - 2a09:6840:203::1:7
+#            - 10.203.1.7
+#          as: "{{ bird__asn.aurore }}"
+#        import:
+#          - accept: false
+#        export:
+#          - accept: true
+#      vpn2:
+#        local:
+#          address: "{{ bird__bgp_addresses.edge[inventory_hostname] }}"
+#          as: "{{ bird__asn.aurore }}"
+#        remote:
+#          address:
+#            - 2a09:6840:203::1:8
+#            - 10.203.1.8
+#          as: "{{ bird__asn.aurore }}"
+#        import:
+#          - accept: false
+#        export:
+#          - accept: false
+#      legacy:
+#        next_hop_self: true
+#        local:
+#          address: "{{ bird__bgp_addresses.legacy[inventory_hostname] }}"
+#          as: "{{ bird__asn.aurore }}"
+#        remote:
+#          address:
+#            - 2a09:6840:129::240
+#            - 10.129.0.240
+#          as: "{{ bird__asn.aurore }}"
+#        import:
+#          - accept: false
+#        export:
+#          - bgp_proto:
+#              - crans
+#              - zayo
+#              - rezel1
+#              - rezel2
+#            accept: true
+#          - accept: false
+#      zayo:
+#        local:
+#          address:
+#            - 83.167.52.69
+#            - 2001:1b48:2:103::d7:2
+#          as: "{{ bird__asn.aurore }}"
+#        remote:
+#          address:
+#            - 83.167.52.68
+#            - 2001:1b48:2:103::d7:1
+#          as: "{{ bird__asn.zayo }}"
+#        import:
+#          - prefix: "{{ bird__orig_prefixes.martians }}"
+#            sub: true
+#            accept: false
+#          - accept: true
+#        export:
+#          - prefix: "{{ ['aurore', 'crans', 'viarezo', 'rezel']
+#                        | map('extract', bird__orig_prefixes)
+#                        | flatten }}"
+#            sub: true
+#            accept: true
+##          - accept: false
+#      crans:
+#        local:
+#          address:
+#            - 185.230.79.254
+#            - 2a0c:700:28::2
+#          as: "{{ bird__asn.aurore }}"
+#        remote:
+#          address:
+#            - 185.230.79.253
+#            - 2a0c:700:28::1
+#          as: "{{ bird__asn.crans }}"
+#        import:
+#          - prefix: "{{ bird__orig_prefixes.crans }}"
+#            sub: true
+#            accept: true
+#          - accept: false
+#        export:
+#          - bgp_proto:
+#              - viarezo
+#              - rezel1
+#              - rezel2
+#              - zayo
+#            accept: true
+#          - prefix: "{{ bird__orig_prefixes.aurore }}"
+#            sub: true
+#            accept: true
+#          - accept: false
+#      rezel1:
+#        local:
+#          address: "{{ bird__bgp_addresses.rezel[inventory_hostname] }}"
+#          as: "{{ bird__asn.aurore }}"
+#        remote:
+#          address:
+#            - 2a09:6842:19:9116::2
+#            - 45.66.111.2
+#          as: "{{ bird__asn.rezel }}"
+#        import:
+#          - prefix: "{{ bird__orig_prefixes.rezel }}"
+#            sub: true
+#            accept: true
+#          - accept: false
+#        export:
+#          - bgp_proto:
+#              - edge
+#              - viarezo
+#              - crans
+#              - zayo
+#            accept: true
+#          - prefix: "{{ bird__orig_prefixes.aurore }}"
+#            sub: true
+#            accept: true
+#          - accept: false
+#      rezel2:
+#        local:
+#          address: "{{ bird__bgp_addresses.rezel[inventory_hostname] }}"
+#          as: "{{ bird__asn.aurore }}"
+#        remote:
+#          address:
+#            - 2a09:6842:19:9116::4
+#            - 45.66.111.4
+#          as: "{{ bird__asn.rezel }}"
+#        import:
+#          - local_pref: 75
+#          - prefix: "{{ bird__orig_prefixes.rezel }}"
+#            sub: true
+#            accept: true
+#          - accept: false
+#        export:
+#          - bgp_proto:
+#              - edge
+#              - viarezo
+#              - crans
+#              - zayo
+#            accept: true
+#          - prefix: "{{ bird__orig_prefixes.aurore }}"
+#            sub: true
+#            accept: true
+#          - accept: false
+#      viarezo:
+#        local:
+#          address:
+#            - 192.159.121.134
+#            - 2a0c:b641:2ff::6
+#          as: "{{ bird__asn.aurore }}"
+#        remote:
+#          address:
+#            - 192.159.121.133
+#            - 2a0c:b641:2ff::5
+#          as: "{{ bird__asn.viarezo }}"
+#        import:
+#          - prefix: "{{ bird__orig_prefixes.martians }}"
+#            accept: false
+#          - prefix: "{{ bird__orig_prefixes.viarezo }}"
+#            sub: true
+#            negate: true
+#            local_pref: 50
+#          - accept: true
+#        export:
+#          - prefix: "{{ bird__orig_prefixes.aurore }}"
+#            as_prepend:
+#              asn: "{{ bird__asn.aurore }}"
+#              size: 5
+#          - bgp_proto:
+#              - crans
+#              - zayo
+#            accept: true
+#          - accept: false
+#    bird__ospf_broadcast_interfaces:
+#      back0: null
+#    bird__ospf_stub_interfaces:
+#      - crans0
+#      - zayo0
+#      - rezel0
+#      - viarezo0
+#    bird__static_unreachable: "{{ bird__orig_prefixes.aurore }}"
+#  roles:
+#    - bird
+
+#- hosts:
+#    - vpn-1.back.infra.auro.re
+#    - vpn-2.back.infra.auro.re
+#  vars:
+#    bird__asn:
+#      aurore: 43619
+#    bird__router_ids:
+#      vpn-1.back.infra.auro.re: 10.203.1.7
+#      vpn-2.back.infra.auro.re: 10.203.1.8
+#    bird__router_id: "{{ bird__router_ids[inventory_hostname] }}"
+#    bird__bgp_addresses:
+#      vpn-1.back.infra.auro.re:
+#        - 2a09:6840:203::1:7
+#        - 10.203.1.7
+#      vpn-2.back.infra.auro.re:
+#        - 2a09:6840:203::1:8
+#        - 10.203.1.8
+#    bird__bgp_sessions:
+#      edge1:
+#        local:
+#          address: "{{ bird__bgp_addresses[inventory_hostname] }}"
+#          as: "{{ bird__asn.aurore }}"
+#        remote:
+#          address:
+#            - 2a09:6840:203::1:1
+#            - 10.203.1.1
+#          as: "{{ bird__asn.aurore }}"
+#        import:
+#          - accept: true
+#        export:
+#          - accept: false
+#      edge2:
+#        local:
+#          address: "{{ bird__bgp_addresses[inventory_hostname] }}"
+#          as: "{{ bird__asn.aurore }}"
+#        remote:
+#          address:
+#            - 2a09:6840:203::1:2
+#            - 10.203.1.2
+#          as: "{{ bird__asn.aurore }}"
+#        import:
+#          - accept: true
+#        export:
+#          - accept: false
+#    bird__ospf_broadcast_interfaces:
+#      back0: null
+#    bird__ospf_stub_interfaces:
+##      - wg0
+#  roles:
+#    - bird
+...

playbooks/caddy.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+    - proxy.pub.infra.auro.re
+  roles:
+    - caddy
+...

playbooks/chronyd.yml

@@ -1,27 +1,10 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts:
-    - ntp-1.int.infra.auro.re
-  vars:
-    chronyd__allow_networks:
-      - 10.128.0.0/16
-      - 2a09:6840:128::/48
-    chronyd__pools:
-      - 0.pool.ntp.org
-      - 1.pool.ntp.org
-      - 2.pool.ntp.org
-      - 3.pool.ntp.org
-    chronyd__local_stratum: 10
-  roles:
-    - chronyd
-
-- hosts:
-    - all
-    - "!ntp-1.int.infra.auro.re"
-    - "!unifi"
-  vars:
-    chronyd__pools:
-      - ntp-1.int.infra.auro.re
+    - pve_network
+    - vm_network
+    - vm_services
+    - ntp
   roles:
     - chronyd
 ...

playbooks/collabora.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+    - collabora.ext.infra.auro.re
+  roles:
+    - collabora
+...

playbooks/dhcpd.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+    - dhcp
+  roles:
+    - dhcpd
+...

playbooks/firewall.yml

@@ -0,0 +1,8 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+    - infra
+    - isp
+  roles:
+    - firewall
+...

playbooks/freeradius.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+    - radius
+  roles:
+    - freeradius
+...

playbooks/grafana.yml

@@ -17,8 +17,9 @@
         bind_password: "{{ vault_ldap_grafana_password }}"
         search_base_dns: "cn=Utilisateurs,dc=auro,dc=re"
         group_search_base_dns: "ou=posix,ou=groups,dc=auro,dc=re"
-        editors_group_dn:
+        admins_group_dn:
           - cn=sudoldap,ou=posix,ou=groups,dc=auro,dc=re
+        editors_group_dn:
           - cn=technicien,ou=posix,ou=groups,dc=auro,dc=re
     update_motd:
       grafana: Grafana est déployé (/etc/grafana).

playbooks/hostname.yml

@@ -0,0 +1,8 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+    - vm
+    - pve
+  roles:
+    - hostname
+...

playbooks/ifupdown2.yml

@@ -1,213 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts:
-    - ntp-1.int.infra.auro.re
-    - dns-1.int.infra.auro.re
-    - dhcp-1.isp.auro.re
-    - dhcp-2.isp.auro.re
-    - isp-1.rtr.infra.auro.re
-    - isp-2.rtr.infra.auro.re
-  vars:
-    # TODO: netbox
-    ifupdown2__hosts:
-      ntp-1.int.infra.auro.re:
-        ens18:
-          gateways:
-            - 2a09:6840:128::254
-            - 10.128.0.254
-          addresses:
-            - 2a09:6840:128::203/56
-            - 10.128.0.203/16
-      dns-1.int.infra.auro.re:
-        ens18:
-          gateways:
-            - 2a09:6840:128::254
-            - 10.128.0.254
-          addresses:
-            - 2a09:6840:128::127/56
-            - 10.128.0.127/16
-      dhcp-1.isp.auro.re:
-        ens18:
-          gateways:
-            - 2a09:6840:128::254
-            - 10.128.0.254
-          addresses:
-            - 2a09:6840:128::204/56
-            - 10.128.0.204/16
-        ens19: null
-        clients:
-          bridge_vlan_aware: true
-          bridge_ports:
-            - ens19
-          bridge_vids:
-            - 1000-1004
-        client-0:
-          addresses:
-            - 100.64.0.2/27
-          vlan_id: 1000
-          vlan_raw_device: clients
-        client-1:
-          addresses:
-            - 100.64.0.34/27
-          vlan_id: 1001
-          vlan_raw_device: clients
-        client-2:
-          addresses:
-            - 100.64.0.66/27
-          vlan_id: 1002
-          vlan_raw_device: clients
-        client-3:
-          addresses:
-            - 100.64.0.98/27
-          vlan_id: 1003
-          vlan_raw_device: clients
-        client-4:
-          addresses:
-            - 100.64.0.130/27
-          vlan_id: 1004
-          vlan_raw_device: clients
-      dhcp-2.isp.auro.re:
-        ens18:
-          gateways:
-            - 2a09:6840:128::254
-            - 10.128.0.254
-          addresses:
-            - 2a09:6840:128::91/56
-            - 10.128.0.91/16
-        ens19: null
-        clients:
-          bridge_vlan_aware: true
-          bridge_ports:
-            - ens19
-          bridge_vids:
-            - 1000-1004
-        client-0:
-          addresses:
-            - 100.64.0.3/27
-          vlan_id: 1000
-          vlan_raw_device: clients
-        client-1:
-          addresses:
-            - 100.64.0.35/27
-          vlan_id: 1001
-          vlan_raw_device: clients
-        client-2:
-          addresses:
-            - 100.64.0.67/27
-          vlan_id: 1002
-          vlan_raw_device: clients
-        client-3:
-          addresses:
-            - 100.64.0.99/27
-          vlan_id: 1003
-          vlan_raw_device: clients
-        client-4:
-          addresses:
-            - 100.64.0.131/27
-          vlan_id: 1004
-          vlan_raw_device: clients
-      isp-1.rtr.infra.auro.re:
-        ens18:
-          gateways:
-            - 2a09:6840:128::254
-            - 10.128.0.254
-          addresses:
-            - 2a09:6840:128::255/56
-            - 10.128.0.255/16
-        ens19: null
-        clients:
-          bridge_vlan_aware: true
-          bridge_ports:
-            - ens19
-          bridge_vids:
-            - 1000-1004
-          bridge_disable_pvid: true
-          forward: true
-          ipv6_addrgen: false
-        client-0:
-          forward: true
-          vlan_id: 1000
-          vlan_raw_device: clients
-          ipv6_addrgen: false
-        client-1:
-          forward: true
-          vlan_id: 1001
-          vlan_raw_device: clients
-          ipv6_addrgen: false
-        client-2:
-          forward: true
-          vlan_id: 1002
-          vlan_raw_device: clients
-          ipv6_addrgen: false
-        client-3:
-          forward: true
-          vlan_id: 1003
-          vlan_raw_device: clients
-          ipv6_addrgen: false
-        client-4:
-          forward: true
-          vlan_id: 1004
-          vlan_raw_device: clients
-          ipv6_addrgen: false
-      isp-2.rtr.infra.auro.re:
-        ens18:
-          gateways:
-            - 2a09:6840:128::254
-            - 10.128.0.254
-          addresses:
-            - 2a09:6840:128::158/56
-            - 10.128.0.158/16
-        ens19: null
-        clients:
-          bridge_vlan_aware: true
-          bridge_ports:
-            - ens19
-          bridge_vids:
-            - 1000-1004
-        client-0:
-          forward: true
-          vlan_id: 1000
-          vlan_raw_device: clients
-          ipv6_addrgen: false
-        client-1:
-          forward: true
-          vlan_id: 1001
-          vlan_raw_device: clients
-          ipv6_addrgen: false
-        client-2:
-          forward: true
-          vlan_id: 1002
-          vlan_raw_device: clients
-          ipv6_addrgen: false
-        client-3:
-          forward: true
-          vlan_id: 1003
-          vlan_raw_device: clients
-          ipv6_addrgen: false
-        client-4:
-          forward: true
-          vlan_id: 1004
-          vlan_raw_device: clients
-          ipv6_addrgen: false
-    ifupdown2__interfaces: "{{ ifupdown2__hosts[inventory_hostname] }}"
+    - vm
   roles:
     - ifupdown2
-
-- hosts:
-    - ntp-1.int.infra.auro.re
-    - dns-1.int.infra.auro.re
-    - dhcp-1.isp.auro.re
-    - dhcp-2.isp.auro.re
-    - isp-1.rtr.infra.auro.re
-    - isp-2.rtr.infra.auro.re
-  vars:
-    resolvconf__nameservers:
-      - 2a09:6840:128::127
-      - 10.128.0.127
-    resolvconf__domain: auro.re
-    resolvconf__search:
-      - "{{ inventory_hostname | remove_domain_suffix }}"
-      - auro.re
-  roles:
-    - resolvconf
 ...

playbooks/ip_forward.yml

@@ -0,0 +1,10 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+    - edge
+    - infra
+    - isp
+    - vpn
+  roles:
+    - ip_forward
+...

playbooks/iproute2.yml

@@ -0,0 +1,10 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+    - edge
+    - isp
+    - infra
+    - vpn
+  roles:
+    - iproute2
+...

playbooks/isc-dhcp-server.yml

@@ -1,9 +0,0 @@
-#!/usr/bin/env ansible-playbook
----
-- hosts: dhcp-*.adm.auro.re
-  vars:
-    update_motd:
-      unbound: isc-dhcp-server est déployé.
-  roles:
-    - isc_dhcp_server
-    - update_motd

playbooks/keepalived.yml

@@ -1,32 +1,9 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts:
-    - isp-1.rtr.infra.auro.re
-    - isp-2.rtr.infra.auro.re
-  vars:
-    keepalived__virtual_router_id: 80
-    keepalived__interface: ens18
-    keepalived__virtual_addresses:
-      client-0:
-        - 100.64.0.1/27
-        - 2a09:6841::/56
-        - fe80::1/10
-      client-1:
-        - 100.64.0.33/27
-        - 2a09:6841:0:100::/56
-        - fe80::1/10
-      client-2:
-        - 100.64.0.65/27
-        - 2a09:6841:0:100::/56
-        - fe80::1/10
-      client-3:
-        - 100.64.0.97/27
-        - 2a09:6841:0:200::/56
-        - fe80::1/10
-      client-4:
-        - 100.64.0.129/27
-        - 2a09:6841:0:300::/56
-        - fe80::1/10
+    - isp
+    - edge
+    - infra
   roles:
     - keepalived
 ...

playbooks/knot.yml

@@ -1,17 +0,0 @@
-#!/usr/bin/env ansible-playbook
----
-- hosts: all
-  roles: []
-
-# WIP: Deploy authoritative DNS servers
-# - hosts: authoritative_dns
-#   vars:
-#     service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
-#     service_name: dns
-#     service_version: crans
-#     service_config:
-#       hostname: re2o-server.adm.auro.re
-#       username: service-user
-#       password: "{{ vault_serviceuser_passwd }}"
-#   roles:
-#     - re2o_service

playbooks/knotd.yml

@@ -0,0 +1,8 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+    - ns-master.int.infra.auro.re
+    - ns
+  roles:
+    - knotd
+...

playbooks/kresd.yml

@@ -0,0 +1,6 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: dns
+  roles:
+    - kresd
+...

playbooks/locales.yml

@@ -0,0 +1,8 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+    - pve
+    - vm
+  roles:
+    - locales
+...

playbooks/mail.yml

@@ -0,0 +1,8 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+    - vm_test
+  roles:
+    - postfix
+    - dovecot
+...

playbooks/openssh.yml

@@ -0,0 +1,10 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+    - pve_network
+    - vm_test
+    - vm_services
+    - vm_network
+  roles:
+    - openssh_server
+...

playbooks/prometheus.yml

@@ -1,241 +1,228 @@
 #!/usr/bin/env ansible-playbook
 ---
-- hosts: prometheus-fleming.adm.auro.re
-  vars:
-    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
-    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
-    snmp_switch_community: "{{ vault_snmp_switch_community }}"
-    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
-    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
-    snmp_ilo_user: aurore
-    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
-    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
-
-    prometheus_servers_targets: |
-      {{ groups['fleming_pve'] + groups['fleming_vm'] | list | sort }}
-    prometheus_unifi_snmp_targets: |
-      {{ groups['fleming_unifi'] | list | sort }}
-    prometheus_ilo_snmp_targets: |
-      {{ groups['fleming_ilo'] | list | sort }}
-
-    update_motd:
-      prometheus: >-
-        Prometheus (en configuration fleming) est déployé (/etc/prometheus).
-  roles:
-    - prometheus
-    - update_motd
-
-- hosts: prometheus-pacaterie.adm.auro.re
-  vars:
-    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
-    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
-    snmp_switch_community: "{{ vault_snmp_switch_community }}"
-    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
-    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
-    snmp_ilo_user: aurore
-    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
-    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
-
-    prometheus_servers_targets: |
-      {{ groups['pacaterie_pve'] + groups['pacaterie_vm'] | list | sort }}
-    prometheus_unifi_snmp_targets: |
-      {{ groups['pacaterie_unifi'] | list | sort }}
-    prometheus_ups_snmp_targets:
-      - ups-pn-1.ups.auro.re
-      - ups-ps-1.ups.auro.re
-    prometheus_ilo_snmp_targets: |
-      {{ groups['pacaterie_ilo'] | list | sort }}
-
-    update_motd:
-      prometheus: >-
-        Prometheus (en configuration pacaterie) est déployé (/etc/prometheus).
-  roles:
-    - prometheus
-    - update_motd
-
-- hosts: prometheus-edc.adm.auro.re
-  vars:
-    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
-    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
-    snmp_switch_community: "{{ vault_snmp_switch_community }}"
-    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
-    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
-    snmp_ilo_user: aurore
-    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
-    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
-
-    prometheus_ups_snmp_targets:
-      - ups-ec-1.ups.auro.re
-      # - ups-ec-2.ups.auro.re
-      - ups-ec-3.ups.auro.re
-    prometheus_servers_targets: |
-      {{ groups['edc_pve'] + groups['edc_vm'] + groups['edc_server'] | list | sort }}
-    prometheus_unifi_snmp_targets: |
-      {{ groups['edc_unifi'] | list | sort }}
-    prometheus_ilo_snmp_targets: |
-      {{ groups['edc_ilo'] | list | sort }}
-
-    update_motd:
-      prometheus: >-
-        Prometheus (en configuration edc) est déployé (/etc/prometheus).
-  roles:
-    - prometheus
-    - update_motd
-
-- hosts: prometheus-gs.adm.auro.re
-  vars:
-    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
-    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
-    snmp_switch_community: "{{ vault_snmp_switch_community }}"
-    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
-    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
-    snmp_ilo_user: aurore
-    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
-    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
-
-    prometheus_servers_targets: |
-      {{ groups['gs_pve'] + groups['gs_vm'] | list | sort }}
-    prometheus_unifi_snmp_targets: |
-      {{ groups['gs_unifi'] | list | sort }}
-    prometheus_ups_snmp_targets:
-      - ups-gk-1.ups.auro.re
-    prometheus_apc_pdu_snmp_targets:
-      - pdu-ga-1.ups.auro.re
-    prometheus_ilo_snmp_targets: |
-      {{ groups['gs_ilo'] | list | sort }}
-
-    update_motd:
-      prometheus: >-
-        Prometheus (en configuration gs) est déployé (/etc/prometheus).
-  roles:
-    - prometheus
-    - update_motd
-
-- hosts: prometheus-rives.adm.auro.re
-  vars:
-    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
-    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
-    snmp_switch_community: "{{ vault_snmp_switch_community }}"
-    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
-    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
-    snmp_ilo_user: aurore
-    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
-    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
-
-    prometheus_ups_snmp_targets:
-      - ups-r3-1.ups.auro.re
-      - ups-r1-1.ups.auro.re
-    prometheus_servers_targets: |
-      {{ groups['rives_pve'] + groups['rives_vm'] | list | sort }}
-    prometheus_unifi_snmp_targets: |
-      {{ groups['rives_unifi'] | list | sort }}
-    prometheus_ilo_snmp_targets: |
-      {{ groups['rives_ilo'] | list | sort }}
-
-    update_motd:
-      prometheus: >-
-        Prometheus (en configuration rives) est déployé (/etc/prometheus).
-  roles:
-    - prometheus
-    - update_motd
-
-- hosts: prometheus-aurore.adm.auro.re
-  vars:
-    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
-    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
-    snmp_switch_community: "{{ vault_snmp_switch_community }}"
-    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
-    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
-    snmp_ilo_user: aurore
-    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
-    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
-
-    prometheus_servers_targets: |
-      {{ groups['aurore_pve'] + groups['aurore_vm'] | list | sort }}
-    prometheus_postgresql_targets: |
-      {{ groups['bdd'] + groups['radius'] | list | sort }}
-    prometheus_switch_snmp_targets:
-      - yggdrasil.switch.auro.re
-      - sw-pn-serveurs.switch.auro.re
-      - sw-ec-serveurs.switch.auro.re
-      - sw-gk-serveurs.switch.auro.re
-      - sw-fl-serveurs.switch.auro.re
-      - sw-ff-uplink.switch.auro.re
-      - sw-fl-core.switch.auro.re
-      - sw-fd-vcore.switch.auro.re
-      - sw-fl-vcore.switch.auro.re
-      - sw-ff-vcore.switch.auro.re
-      - sw-pn-core.switch.auro.re
-      - sw-ec-core.switch.auro.re
-      - sw-gk-core.switch.auro.re
-      - sw-r3-core.switch.auro.re
-    prometheus_ilo_snmp_targets: |
-      {{ groups['aurore_ilo'] | list | sort }}
-
-    update_motd:
-      prometheus: >-
-        Prometheus (en configuration aurore) est déployé (/etc/prometheus).
-  roles:
-    - prometheus
-    - update_motd
-
-- hosts: prometheus-ovh.adm.auro.re
-  vars:
-    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
-    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
-    snmp_switch_community: "{{ vault_snmp_switch_community }}"
-    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
-    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
-    snmp_ilo_user: aurore
-    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
-    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
-
-    prometheus_servers_targets: |
-      {{ groups['ovh_pve'] + groups['ovh_vm'] | list | sort }}
-    prometheus_postgresql_targets:
-      - bdd-ovh.adm.auro.re
-    prometheus_docker_targets:
-      - docker-ovh.adm.auro.re
-
-    update_motd:
-      prometheus: >-
-        Prometheus (en configuration ovh) est déployé (/etc/prometheus).
-  roles:
-    - prometheus
-    - update_motd
-
-- hosts: prometheus-federate.adm.auro.re
-  vars:
-    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
-    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
-    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
-    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
-    snmp_ilo_user: aurore
-    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
-    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
-
-    prometheus_servers_targets:
-      - prometheus-edc.adm.auro.re
-      - prometheus-gs.adm.auro.re
-      - prometheus-fleming.adm.auro.re
-      - prometheus-pacaterie.adm.auro.re
-      - prometheus-rives.adm.auro.re
-      - prometheus-aurore.adm.auro.re
-      - prometheus-ovh.adm.auro.re
-
-    update_motd:
-      prometheus_federate: >-
-        Prometheus (en configuration fédération) est déployé (/etc/prometheus).
-  roles:
-    - prometheus_federate
-    - update_motd
-
-# Postgres Exporters
-- hosts: bdd,radius
-  roles:
-    - prometheus_postgres
-
-# Monitor all hosts
-- hosts: all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,!aurore_testing_vm,!ovh_container
+- hosts:
+    - pve
+    - vm
   roles:
     - prometheus_node
+
+- hosts:
+    - router
+  roles:
+    - prometheus_keepalived
+    - prometheus_bird
+
+- hosts:
+    - prom
+  roles:
+    - prometheus_snmp
+    - prometheus
+
+#- hosts: prometheus-fleming.adm.auro.re
+#  vars:
+#    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+#    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+#    snmp_switch_community: "{{ vault_snmp_switch_community }}"
+#    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
+#    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
+#    snmp_ilo_user: aurore
+#    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
+#    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
+#
+#    prometheus_servers_targets: |
+#      {{ groups['fleming_pve'] + groups['fleming_vm'] | list | sort }}
+#    prometheus_unifi_snmp_targets: |
+#      {{ groups['fleming_unifi'] | list | sort }}
+#    prometheus_ilo_snmp_targets: |
+#      {{ groups['fleming_ilo'] | list | sort }}
+#
+#    update_motd:
+#      prometheus: >-
+#        Prometheus (en configuration fleming) est déployé (/etc/prometheus).
+#  roles:
+#    - prometheus
+#    - update_motd
+#
+#- hosts: prometheus-pacaterie.adm.auro.re
+#  vars:
+#    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+#    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+#    snmp_switch_community: "{{ vault_snmp_switch_community }}"
+#    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
+#    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
+#    snmp_ilo_user: aurore
+#    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
+#    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
+#
+#    prometheus_servers_targets: |
+#      {{ groups['pacaterie_pve'] + groups['pacaterie_vm'] | list | sort }}
+#    prometheus_unifi_snmp_targets: |
+#      {{ groups['pacaterie_unifi'] | list | sort }}
+#    prometheus_ups_snmp_targets:
+#      - ups-pn-1.ups.auro.re
+#      - ups-ps-1.ups.auro.re
+#    prometheus_ilo_snmp_targets: |
+#      {{ groups['pacaterie_ilo'] | list | sort }}
+#
+#    update_motd:
+#      prometheus: >-
+#        Prometheus (en configuration pacaterie) est déployé (/etc/prometheus).
+#  roles:
+#    - prometheus
+#    - update_motd
+#
+#- hosts: prometheus-edc.adm.auro.re
+#  vars:
+#    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+#    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+#    snmp_switch_community: "{{ vault_snmp_switch_community }}"
+#    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
+#    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
+#    snmp_ilo_user: aurore
+#    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
+#    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
+#
+#    prometheus_ups_snmp_targets:
+#      - ups-ec-1.ups.auro.re
+#      # - ups-ec-2.ups.auro.re
+#      - ups-ec-3.ups.auro.re
+#    prometheus_servers_targets: |
+#      {{ groups['edc_pve'] + groups['edc_vm'] + groups['edc_server'] | list | sort }}
+#    prometheus_unifi_snmp_targets: |
+#      {{ groups['edc_unifi'] | list | sort }}
+#    prometheus_ilo_snmp_targets: |
+#      {{ groups['edc_ilo'] | list | sort }}
+#
+#    update_motd:
+#      prometheus: >-
+#        Prometheus (en configuration edc) est déployé (/etc/prometheus).
+#  roles:
+#    - prometheus
+#    - update_motd
+#
+#- hosts: prometheus-gs.adm.auro.re
+#  vars:
+#    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+#    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+#    snmp_switch_community: "{{ vault_snmp_switch_community }}"
+#    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
+#    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
+#    snmp_ilo_user: aurore
+#    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
+#    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
+#
+#    prometheus_servers_targets: |
+#      {{ groups['gs_pve'] + groups['gs_vm'] | list | sort }}
+#    prometheus_unifi_snmp_targets: |
+#      {{ groups['gs_unifi'] | list | sort }}
+#    prometheus_ups_snmp_targets:
+#      - ups-gk-1.ups.auro.re
+#    prometheus_apc_pdu_snmp_targets:
+#      - pdu-ga-1.ups.auro.re
+#    prometheus_ilo_snmp_targets: |
+#      {{ groups['gs_ilo'] | list | sort }}
+#
+#    update_motd:
+#      prometheus: >-
+#        Prometheus (en configuration gs) est déployé (/etc/prometheus).
+#  roles:
+#    - prometheus
+#    - update_motd
+#
+#- hosts: prometheus-rives.adm.auro.re
+#  vars:
+#    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+#    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+#    snmp_switch_community: "{{ vault_snmp_switch_community }}"
+#    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
+#    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
+#    snmp_ilo_user: aurore
+#    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
+#    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
+#
+#    prometheus_ups_snmp_targets:
+#      - ups-r3-1.ups.auro.re
+#      - ups-r1-1.ups.auro.re
+#    prometheus_servers_targets: |
+#      {{ groups['rives_pve'] + groups['rives_vm'] | list | sort }}
+#    prometheus_unifi_snmp_targets: |
+#      {{ groups['rives_unifi'] | list | sort }}
+#    prometheus_ilo_snmp_targets: |
+#      {{ groups['rives_ilo'] | list | sort }}
+#
+#    update_motd:
+#      prometheus: >-
+#        Prometheus (en configuration rives) est déployé (/etc/prometheus).
+#  roles:
+#    - prometheus
+#    - update_motd
+#
+#- hosts: prometheus-aurore.adm.auro.re
+#  vars:
+#    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+#    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+#    snmp_switch_community: "{{ vault_snmp_switch_community }}"
+#    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
+#    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
+#    snmp_ilo_user: aurore
+#    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
+#    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
+#
+#    prometheus_servers_targets: |
+#      {{ groups['aurore_pve'] + groups['aurore_vm'] | list | sort }}
+#    prometheus_postgresql_targets: |
+#      {{ groups['bdd'] + groups['radius'] | list | sort }}
+#    prometheus_switch_snmp_targets:
+#      - yggdrasil.switch.auro.re
+#      - sw-pn-serveurs.switch.auro.re
+#      - sw-ec-serveurs.switch.auro.re
+#      - sw-gk-serveurs.switch.auro.re
+#      - sw-fl-serveurs.switch.auro.re
+#      - sw-ff-uplink.switch.auro.re
+#      - sw-fl-core.switch.auro.re
+#      - sw-fd-vcore.switch.auro.re
+#      - sw-fl-vcore.switch.auro.re
+#      - sw-ff-vcore.switch.auro.re
+#      - sw-pn-core.switch.auro.re
+#      - sw-ec-core.switch.auro.re
+#      - sw-gk-core.switch.auro.re
+#      - sw-r3-core.switch.auro.re
+#    prometheus_ilo_snmp_targets: |
+#      {{ groups['aurore_ilo'] | list | sort }}
+#
+#    update_motd:
+#      prometheus: >-
+#        Prometheus (en configuration aurore) est déployé (/etc/prometheus).
+#  roles:
+#    - prometheus
+#    - update_motd
+#
+#- hosts: prometheus-ovh.adm.auro.re
+#  vars:
+#    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+#    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+#    snmp_switch_community: "{{ vault_snmp_switch_community }}"
+#    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
+#    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
+#    snmp_ilo_user: aurore
+#    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
+#    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
+#
+#    prometheus_servers_targets: |
+#      {{ groups['ovh_pve'] + groups['ovh_vm'] | list | sort }}
+#    prometheus_postgresql_targets:
+#      - bdd-ovh.adm.auro.re
+#    prometheus_docker_targets:
+#      - docker-ovh.adm.auro.re
+#
+#    update_motd:
+#      prometheus: >-
+#        Prometheus (en configuration ovh) est déployé (/etc/prometheus).
+#  roles:
+#    - prometheus
+#    - update_motd
+#
+## Postgres Exporters
+#- hosts: bdd,radius
+#  roles:
+#    - prometheus_postgres

playbooks/pve.yml

@@ -0,0 +1,8 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+    - pve
+    - vm
+  roles:
+    - locales
+...

playbooks/qemu_guest.yml

@@ -0,0 +1,9 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+    - vm_network
+    - vm_services
+    - vm_test
+  roles:
+    - qemu_guest
+...