aurore/ansible
aurore/ansible
11
2
Fork 0
Code Issues 1 Pull requests 13 Releases Wiki Activity

Compare commits

base: aurore:master
Branches Tags
aurore:master
aurore:new-infra
aurore:bird
aurore:dns
aurore:aruba
aurore:radius
aurore:on-en-a-litteralement-rien-a-foutre
aurore:radvd
aurore:keepalived
aurore:ifupdown2
aurore:dhcp
aurore:cleanup_no_ldap_for_servers
aurore:infra_router
aurore:ask_vault_pass
aurore:borgfix
aurore:auditd
aurore:prometheus_apt_pending_and_reboot
aurore:move_host_vars
aurore:prometheus-ipmi-exporter
aurore:fix-portail
aurore:crans
aurore:apt
aurore:remove_old_db_servers
aurore:rspamd
aurore:wireguard-ovh
aurore:pass
aurore:nullmailer
aurore:logs
aurore:mailserver
aurore:re2o-master
aurore:mail_server
..
compare: aurore:mail_server
Branches Tags
aurore:new-infra
aurore:bird
aurore:dns
aurore:aruba
aurore:radius
aurore:on-en-a-litteralement-rien-a-foutre
aurore:radvd
aurore:keepalived
aurore:ifupdown2
aurore:master
aurore:dhcp
aurore:cleanup_no_ldap_for_servers
aurore:infra_router
aurore:ask_vault_pass
aurore:borgfix
aurore:auditd
aurore:prometheus_apt_pending_and_reboot
aurore:move_host_vars
aurore:prometheus-ipmi-exporter
aurore:fix-portail
aurore:crans
aurore:apt
aurore:remove_old_db_servers
aurore:rspamd
aurore:wireguard-ovh
aurore:pass
aurore:nullmailer
aurore:logs
aurore:mailserver
aurore:re2o-master
aurore:mail_server

1 commit
master ... mail_serve

Author SHA1 Message Date
Alexandre Iooss 26456e2373 First postfix tests 2019-03-04 12:51:13 +01:00
306 changed files with 1265 additions and 11896 deletions
Show stats Expand all files Collapse all files

10
.ansible-lint
View file

@ -1,10 +0,0 @@
skip_list:
- no-changed-when
- load-failure
- document-start
- meta-no-info
- ignore-errors
exclude_paths:
- group_vars/all/vault.yml
- utils/

11
.drone.yml
View file

@ -1,11 +0,0 @@
---
kind: pipeline
type: docker
name: check
steps:
- name: ansible and yaml linting
image: quay.io/ansible/toolset:3.5.0
commands:
- ansible-lint
...

2
.gitignore vendored
View file

@ -1,3 +1 @@
*.retry
tmp
ldap-password.txt

6
.gitlab-ci.yml Normal file
View file

@ -0,0 +1,6 @@
---
image: quay.io/ansible/molecule:2.19
yamllint:
script: yamllint -c .yamllint.yml .
...

3
.yamllint.yml
View file

@ -3,8 +3,5 @@ extends: default
rules:
line-length:
max: 120
level: warning
document-start:
ignore: group_vars/all/vault.yml
...

167
README.md
View file

@ -1,146 +1,49 @@
[![Linter Status](https://drone.auro.re/api/badges/Aurore/ansible/status.svg)](https://drone.auro.re/Aurore/ansible)
# Playbook et rôles Ansible d'Aurore
# Recettes Ansible d'Aurore
## Exécution d'un playbook
Dépendances requises :
* Ansible 2.9 ou plus récent.
## Ansible 101
Si vous n'avez jamais touché à Ansible avant, voilà une rapide introduction.
**Inventory** : c'est le fichier `hosts` d'inventaire.
Il contient la définition de chaque machine et le regroupement.
Quand on regroupe avec un `:children` en réalité on groupe des groupes.
Chaque machine est annoncée avec son hostname. Il faut pouvoir SSH sur cette machine
avec ce hostname, car c'est ce qu'Ansible fera.
**Playbook** : c'est une politique de déploiement.
Il contient les associations des rôles avec les machines.
L'idée au Crans est de regrouper par thème. Exemple, le playbook `monitoring.yml`
va contenir toutes les définitions machines-rôles qui touchent au monitoring.
Cela permet de déployer manuellement tout le monitoring sans toucher au reste.
**Rôle** : un playbook donne des rôles à des machines. Ces rôles sont tous dans
le dossier `roles/`. Un rôle installe un service précis sur un serveur.
Il est préférable d'être atomique sur les rôles plutôt d'en coder un énorme
qui sera difficilement maintenable.
*Exemples de rôle* : activer les backports pour ma version de Debian, installer NodeJS,
déployer un serveur prometheus, déployer une node prometheus…
**Tâche** : un rôle est composé de tâches. Une tâche effectue une et une seule
action. Elle est associée à un module Ansible.
*Exemples de tâche* : installer un paquet avec le module `apt`, ajouter une ligne dans
un fichier avec le module `lineinfile`, copier une template avec le module `template`
Une tâche peut avoir des paramètres supplémentaires pour la réessayer quand elle plante,
récupérer son résultat dans une varible, mettre une boucle dessus, mettre des conditions…
N'oubliez pas d'aller lire l'excellent documentation de RedHat sur tous les modules
d'Ansible !
### Gestion des groupes de machines
Pour la liste complète, je vous invite à lire le fichier `hosts`.
* pour tester les versions de Debian,
```YAML
ansible_lsb.codename == 'stretch'
```
* pour tester si c'est un CPU Intel x86_64,
```YAML
ansible_processor[0].find('Intel') != -1
and ansible_architecture == 'x86_64'
```
Pour les fonctions (`proxy-server`, `dhcp-dynamique`…) il a été choisi
de ne pas faire de groupe particulier mais plutôt de sélectionner/enlever
les machines pertinentes directement dans les playbooks.
### Lister tout ce que sait Ansible sur un hôte
Lors du lancement d'Ansible, il collecte un ensemble de faits sur les serveurs
qui peuvent ensuite être utilisés dans des variables.
Pour lister tous les faits qu'Ansible collecte nativement d'un serveur
on peut exécuter le module `setup` manuellement.
```
ansible proxy.adm.auro.re -m setup --ask-vault-pass
Pour appliquer le playbook `base.yml` :
```bash
ansible-playbook --ask-vault-pass base.yml
```
## Exécution d'Ansible
Il est souhaitable de faire un test avant avec `--check` si on a des doutes !
### Configurer la connexion au vlan adm
## FAQ
Envoyer son agent SSH peut être dangereux
([source](https://heipei.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)).
### Mettre sa clé SSH sur une machine
On va utiliser plutôt `ProxyJump`.
```
ssh-copy-id -i ~/.ssh/id_rsa_aurore.pub virtu.fede-aurore.net
```
### Automatiquement ajouter fingerprint ECDSA (dangereux !)
Il faut changer la variable d'environnement suivante :
`ANSIBLE_HOST_KEY_CHECKING=0`.
### Configurer la connexion au bastion
Envoyer son agent SSH peut être dangereux ([source](https://heipei.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)).
On va utiliser plutôt ProxyJump.
Dans la configuration SSH :
```
Host *.adm.auro.re *.pve.auro.re
# Accept new host keys
StrictHostKeyChecking accept-new
# Use passerelle to connect to administration VLANs
ProxyJump passerelle.auro.re
# Use a key to log on all Aurore servers
# and use a bastion
Host 10.128.0.* *.adm.auro.re
IdentityFile ~/.ssh/id_rsa_aurore
ProxyJump proxy.auro.re
```
Il faut sa clé SSH configurée sur le serveur que l'on déploit.
```bash
ssh-copy-id proxy.adm.auro.re
Il faut savoir que depuis Ansible 2.5, des connexions persistantes sont créées
vers les serveurs puis détruites à la fin de l'exécution.
Il faut donc éviter de lancer une connexion SSH persistante pendant l'exécution
d'Ansible.
### Lister tout ce que sait Ansible sur un hôte
```
### Lancer Ansible
Il faut `python3-netaddr` sur sa machine.
Pour tester le playbook `base.yml` :
```bash
ansible-playbook --ask-vault-pass base.yml --check
ansible -i hosts ldap-replica-fleming1.adm.auro.re -m setup --ask-vault-pass
```
Vous pouvez ensuite enlever `--check` si vous voulez appliquer les changements !
Si vous avez des soucis de fingerprint ECDSA, vous pouvez ignorer une
première fois (dangereux !) : `ANSIBLE_HOST_KEY_CHECKING=0 ansible-playbook...`.
### Ajouter tous les empruntes de serveur
```bash
#!/bin/bash
for ip in `cat hosts|grep .adm.auro.re`; do
ssh-copy-id -i ~/.ssh/id_rsa.pub $ip
done
```
### Passage à Ansible 2.10 (release: 30 juillet)
Installez la version de développement d'ansible pour faire fonctionner les
playbooks de ce repo, ainsi que les collections suivantes :
```bash
ansible-galaxy collection install community.general
ansible-galaxy collection install ansible.posix
```
Si vous n'arrivez pas à entrer votre _become password_ (bug dans ansible?), un
workaround est le suivant :
`$ export ANSIBLE_BECOME_PASS='<votre mot de passe LDAP>'`
Notez l'espace au début pour ne pas log la commande dans votre historique
shell.

32
ansible.cfg
View file

@ -1,17 +1,29 @@
# Aurore Ansible configuration
[defaults]
ask_vault_pass = True
roles_path = ./roles
retry_files_enabled = False
# Use Aurore inventory
inventory = ./hosts
filter_plugins = ./filter_plugins
ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S
# Custom header in templates
ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
# Do not create retry files
retry_files_enabled = False
# Do not use cows (with cowsay)
nocows = 1
forks = 15
timeout = 60
remote_user = root
[privilege_escalation]
# Use sudo to get priviledge access
become = True
# Ask for password
become_ask_pass = True
[diff]
# TO know what changed
always = yes
[ssh_connection]
pipelining = True

5
base.yml Normal file
View file

@ -0,0 +1,5 @@
---
# Put a common configuration on all servers
- hosts: all
roles:
- baseconfig

6
codimd.yml Normal file
View file

@ -0,0 +1,6 @@
---
# Install CodiMD on CodiMD containers
- hosts: codimd.adm.auro.re
roles:
- debian-backports
- codimd

3
deploy_all.sh
View file

@ -1,3 +0,0 @@
#!/usr/bin/env bash
# Deploy all playbooks
ansible-playbook playbooks/*.yml $@

6
dokuwiki.yml Normal file
View file

@ -0,0 +1,6 @@
---
# Install DokuWiki on the wiki TEST container
# When it will be operational, horus-wikitest will replace horus-wiki
- hosts: horus-wikitest
roles:
- dokuwiki

6
etherpad.yml Normal file
View file

@ -0,0 +1,6 @@
---
# Install EtherPad on EtherPad containers
- hosts: pad.adm.auro.re
roles:
- debian-backports
- etherpad

40
filter_plugins/net_utils.py
View file

@ -1,40 +0,0 @@
import ipaddress
from operator import attrgetter
import dns.name
class FilterModule:
def filters(self):
return {
"remove_domain_suffix": remove_domain_suffix,
"ipaddr_sort": ipaddr_sort,
}
def remove_domain_suffix(name):
parent = dns.name.from_text(name).parent()
return parent.to_text()
def ipaddr_sort(addrs, types, unknown_after=True):
check_types = {
"global": attrgetter("is_global"),
"link-local": attrgetter("is_link_local"),
"loopback": attrgetter("is_loopback"),
"multicast": attrgetter("is_multicast"),
"private": attrgetter("is_private"),
"reserved": attrgetter("is_reserved"),
"site_local": attrgetter("is_site_local"),
"unspecified": attrgetter("is_unspecified"),
}
def addr_weight(addr):
if isinstance(addr, str):
addr = ipaddress.ip_address(addr.split("/")[0])
for index, ty in enumerate(types):
if check_types[ty](ipaddress.ip_address(addr)):
return index
return len(types) if unknown_after else -1
return sorted(addrs, key=addr_weight)

92
group_vars/all/vars.yml
View file

@ -1,23 +1,23 @@
---
# Use Python 3
ansible_python_interpreter: /usr/bin/python3
# LDAP binding
# You can hash LDAP passwords with `slappasswd` tool
ldap_base: 'dc=auro,dc=re'
ldap_master_ipv4: '10.128.0.21'
ldap_master_uri: "ldap://re2o-ldap.adm.auro.re"
ldap_master_ipv4: '10.128.0.11'
ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
ldap_codimd_bind_dn: "cn=codimd,ou=service-users,{{ ldap_base }}"
ldap_codimd_password: "{{ vault_ldap_codimd_password }}"
ldap_matrix_bind_dn: "cn=matrix,ou=service-users,{{ ldap_base }}"
ldap_matrix_password: "{{ vault_ldap_matrix_password }}"
ldap_replica_password: "{{ vault_ldap_replica_password }}"
ldap_admin_password: "{{ vault_ldap_admin_password }}"
ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}"
# Databases
postgresql_services_url: 'bdd-ovh.adm.auro.re'
postgresql_services_url: 'services-bdd.adm.auro.re'
postgresql_synapse_passwd: "{{ vault_postgresql_synapse_passwd }}"
postgresql_codimd_passwd: "{{ vault_postgresql_codimd_passwd }}"
# Scripts will tell users to go there to manage their account
intranet_url: 'https://re2o.auro.re/'
@ -30,81 +30,3 @@ ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
# Monitoring
monitoring_mail: 'monitoring.aurore@lists.crans.org'
# Matrix
matrix_webhooks_secret: "{{ vault_matrix_webhooks_secret }}"
matrix_discord_client_id: "559305991494303747"
matrix_discord_bot_token: "{{ vault_matrix_discord_bot_token }}"
###
# DNS
###
# Dernier octet (en décimal) de l'addresse des serveurs DNS récursifs de chaque
# résidence.
dns_host_suffix_main: 253
dns_host_suffix_backup: 153
backup_dns_servers:
- "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
# Finally raised!
mtu: 1500
subnet_ids:
ap: "14{{ apartment_block_id }}"
users_wired: "{{ apartment_block_id }}0"
users_wifi: "{{ apartment_block_id }}1"
users_banni: "{{ apartment_block_id }}2"
users_accueil: "{{ apartment_block_id }}3"
# Keepalived
keepalived_password: "{{ vault_keepalived_password[apartment_block] }}"
# Re2o config
re2o_secret_key: "{{ vault_re2o_secret_key }}"
re2o_db_password: "{{ vault_re2o_db_password }}"
re2o_aes_key: "{{ vault_re2o_aes_key }}"
# Radius
radius_secret_aurore: "{{ vault_radius_secrets.aurore }}"
radius_secret_wifi: "{{ vault_radius_secrets.wifi }}"
radius_secret_wired: "{{ vault_radius_secrets.wired[apartment_block] }}"
radius_secret_federez: "{{ vault_radius_secrets.federez }}"
radius_pg_replication_password: "{{ vault_re2o_db_user_passwords.replication }}"
radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}"
# DHCP
dhcp_failover_enabled: true
apartment_block_dhcp: "{{ apartment_block }}"
# Careful, this is not byte-aligned, just nibble-aligned (RIPE gave us a /28).
# However, we ALWAYS keep the trailing 0 to have byte alignment.
ipv6_base_prefix: "2a09:6840"
is_aurore_host: "{{ 'aurore_vm' in group_names }}"
# Borgbackup
borg_keep_daily: 7
borg_keep_weekly: 4
borg_keep_monthly: 12
borg_backup_directories:
- /etc
- /var
borg_backup_exclude:
- /var/log
- /var/lib/docker
- /var/lib/lxcfs
borg_encryption_passphrase: "{{ vault_borg_encryption_passphrase }}"
borg_server_host: 10.128.0.4
rsyslog_outputs:
- proto: relp
address: 10.128.0.241
port: 20514
...

350
group_vars/all/vault.yml
View file

@ -1,246 +1,106 @@
$ANSIBLE_VAULT;1.1;AES256
64313161633263303464663933363265373935633862653634643862343232643432343966376438
6134633764383937373966346538306530316539303966320a363035303038616435383366656532
39346463396563626166333362306464343836386365303836356461323663633831636562393039
3832636432626238350a666566323435623834396166656233306639333830343130326265616234
61666365663963643437386530363261306438376665386463376366363662656161316263303831
61393136363934316462616131326463333736656136643038623061313363386538393833663637
36373565333566306632313865646538633532393731313430633462666334323762653337383338
63313433333835653366363061343839326131666139346563306366656365316663333438363837
33323165353936343165646464306434303161313139653561346461653537616164623434376534
33666662343734633766356230383761353239333632613031396365346536373432363433633564
61633762393033343336373864653438336436613630366539333731383336346665313732396265
32356138666135383562656366353131366436363464643630656130303437623131333239386363
66373866393064306565306565386230373638633733326661333065633136633130323963323765
30353262323835313365383562326363343965636634376133613331363133313030346561653931
39363636636235646131353034663861336362383263613165323230366439383561653165363764
65366130623362623539393461363832353435616266393036386439303834316635366438393936
33383933366262636232383066663130383965306137356363363539633661373664613738336539
31363131616135623039346465623530376533386263343836376662316562386530336266303062
64386531303938623939653635313163633261336339366139666135323130653862346132646636
30363065303235346331333434653331646333616337623562643564366435613938643235333664
30626164373030303237656366623631396138333265383566333664663061613536666363623630
61623362383439636239336234333161366635306432363230366630383836326330343932303863
39393232373831363863333332636362396639663831656266336430313837666463336439353332
63303036633433323439613535326663633332346565646338353761363733643766363132666365
34303865656262303563323665363730663062626537363461646363636461633762663237366366
64393133656464643065633634313261336662646435313735306266316132636530393631353830
61303939373363323131316463333136326365333430626266376636356130396239323464353937
64616232373532396334343433636332353530386662633164353235626361623164313039336666
31636434666437393839393133633961373139313663616366373239386163623064373836376164
62316638366366376134386231306435616138656461373633393339653532363434393834393430
37363335623934306661333135343266663464623438353665613330356236323036363139643064
62383934363465316338393065383935646134353230376131613935613431656333383565353134
34643866353131653061623236306536363163373639396564336434653839346263303930633663
39393935636235313431303032336361313730373238333732626465346662363038636361383631
65393433346363366337383233646166306339653533646632623262376630383265393438326135
31643039333835666338383762336163336337343532393063323165636531353361613731363065
65303637396332613432663636326334646635346237396461636366356133303333306239393739
34353966653662346230383865643231313239626533643761366162613164333132373636623237
32356335643766646266646266633366363165373861306433316561363166363865303133633939
34633132343438363034323638376666313061383965323566646463653163313235373364386666
62393865373137343237306637363536383939303833663532396333313931336162333837613935
66383266343735396337663936333162323738383264376533316536376563396333343263643931
65646535363337373865353265306434356432353066656665366638353331366334366339613538
32373637633564613861626538373365336362313434633137613966353861393462623862663330
64386431373066306334383863366133333564373163386433313231363366393830343230323734
61633962356637326538336663386330653563353763663236623539363630626363323237333237
30656139626561313064323330373032323031343137366638303966313832646365666238326337
63306363613361653933306234386163383837666430616663383664386563323839326232383761
35373539626438356539393266653864353066633365383437623437356464383335383039343137
61373539343631373932373033656233323964353666626162386537616333366562346265656238
35396130356166303564303036383664656435626534303064653363316464616335303965376330
61646638383138323265313631613037396561626162306661653231646230343139656135333236
63303838316266333665636335663361656262353066666430656162323236633564313337353665
35363565303736633564356632346632343832363934343962313030646132663566346664313632
38393061613163356265643434626166393366366634343032626637333332316361663639623534
62323239373639393337373537646232663531653835356165313264663561623633633830373734
31336234613633666538373961626430316530346462343061323661353564323938353338373961
64616637303734303333626166306330613238646265636136653939363936356165356232396436
65353731633836363433616534636330663565643561363233396538386430393964353433616437
36343936313936303165396236393463646363383338366238363961666530623335653234656139
65346337663437623134376137326166323933613861663032623965643538343638376234316232
36333065323234663263343630353739313661373536316162366532336438373263303730626464
38613136393166626663636631363064303736666235333036616435373063363762666565363136
38333966303831313333613831313132633062616235353365313533386236613338373130303836
61326262313833306437366364316433393931353265326131653563656131333436376338613266
39326632613366666136643137303635336631353230396435313537656366326239626362313833
62653039343261613265306362323234623264366664306561663839306631663465303962386462
39353934643562383762623937643034383534393962333466613636346637323235346438666636
31613838313535666166663063373333653439313035346266666463623666613837313933623837
63343565663739393764353761316432626237346234663032316131306262356233333439323961
38646664383030303832646563393836643135303731306435383338623633626638306165386637
65393238653464623032336437643838333932366131656332333165376261383539386466343139
65613733383837323832303738363664653138613830376333363038383839623463623631666237
63363263396533353763373934373034643763376665316638353435663635346135333265363235
62663432343935343964626432353563313036303761393039386231343530663737633466643035
65343835353037643539316439666666633866356530363237373230373439373133313337653237
66613631373637313534353862653437393234363365323032393035376438616264336661616262
37336435326135373065353564383637626637343532396331623334643139386364316431376435
36356566363033636539363430356565373039363863396565643730656531346364626334393436
33343839303538383530363231366166623233333730323163323432373831313639626337346230
30333930333064393337616564386163623436613933623466353933393733346339383534633239
30633365313364666566643533326163336330323232353533316633313739343035383465376330
65356139386463633565366132383832643032333234633964373437633836343435393631396166
34633439643764623936366536353931646132373539326238303761383339643661616266646130
30393166393465326365393130636136336433623262346435353936306133616135653734383635
65393530633836613937346430366337626365363361663533313837363063396538663766646566
63373639653732353135343562353266316164303863336365303635653464393232613939396131
30636361343932663233663566656131363938656161623966316366656561343166336532613666
65613534663762353662353262623634616264373964316336626166353330303539356130646166
63643435353765633766626165643465386331333637366562393861613834323464363932306430
32643836646266643031396262626136313363623663366430376432373036643835653863323631
30613164326430633664306630333632363931656135643465363439376263386561383534633666
64323763656466343064396639313264386239356664663461333166626332326536623132333434
62303261643164643330333662623935383037353338306135613737306563326336336162633138
33623066373265663362303133363032343933306336396466383034636131333837313333326531
39336163313633623639303462313763656632633030336236643030343262653366633939643536
31636535393864663363353930363761623264343630396336396431663330323436613462633136
37336464353730643566393432343762333336653932333366636265343663323462626232623635
34346136333630363539633666316561376266373032373961313437653564636537656630303261
37313639333233333365383763333061373730623939303530303832646365323739356564626137
35633366393636376463393961333830343232363266633931613332643134643234303733373466
35323831623931633436626636346431303965663639666566623433383736633834626330303265
37353337656233663938663839373931623137666662623266336537383631626631306235363064
33313564316438633139336261623736336336326239376630316335313631376132646563333430
33656432643130643832343065353834633366363339353964623762666564633835633636313731
63353637636165663136623736343234393038313235333363643237643566623766393838386635
33646233623032653233336266636335666233353032303837663162303939383262373761623261
35366661363966346233633739663635353361303264356534366235616164316138623730623632
62316362623736396264366632373661373835393434343364353431316362666235616635633566
64353530633334393737346663653562346335323065356665643132353738363132623031353664
66666639326238386634363664356664343161386435323736316636343536326435303066353035
37363731613138393333636562386363333932386362303139643262386237353863363764643139
64616561373239346464623165616332623434303433626638376232333733646136376431626438
66613134343639656331626630303030366133356636663735353466353834613430356265386162
66613332663232623438636661306332613162666561353537313336643134663664306630636639
61613363353264373831393962333631383236666130646333336431303735333165656438363432
38396530333631636135653534393531326434306362396237366430383166323832336434376364
38393431646338316232373431613930326532646333386435303034356564336665346133393866
61643533643361646265313334633463616437393437653935613261366635616430313064346532
32363831613565313836376338646466323130373032613863323037323566643164653132633735
65636562653535626461396666643330386333663137613333643165656336633038323036373162
31376338613862333334643561313332326237646565633934323032626662633631633033623063
63306664656437663732323339383735306132616531373865323835633264333639336163366466
33373433653839393638323034623835643531393266306331313563613265616633353763653438
65363532653163303861383531356639316331343531666666636336373634636134633331366364
62366230366435323435613964636533353236373935626632623536396664313264653031623062
33366166343630313839366262313234346262343336386538336335393835646138666330656361
61313936323838653832633130346539636363613838343363663431623063333933383466353938
65383361333561383631643938613862343236346233363466333237316339616362366565306639
39356563656132303463346138356435303038303165363935343266396462326365363262393336
37396235366639623761366239386165613065626431633733306234343866663266633631656237
63643430383433393835663635356265636635363137613064353066313338346436356632346265
38393730336465396263373137383238653337396364643061303234666266663064663265383434
36636138643432373633313038393737663735363838396164366234643533633762383062353831
66326231363337323666386263373438656630346336663239643030386434636264666634393631
39313364333761343532346165396365306463393037643935666363323630326664616638313338
39396336653738353333343835363861643166376565346463303135376439336134666235623230
32363031303732666133386164313437366164326539373564623236356432303132633436323563
36323634373538376133613736633133356638323861636434646465643432636366376138636232
63633830613462613831313938326339343632393038376639623131366364623536353338363439
32613331623863336165636364616634303264356630303665383638663737343836663831363263
63366562393734323030306436346534626530656465396535323835316139633562363830373437
63626530326530383538623165356532303862353763326432373966626436303465373431373762
38613539623164353732623636376630643465343839666531306438326633343362306665366132
39396537366266353864656232616334336130333337306463313932393832653661343036396261
64613461633433356334623631643861303133383963336635623138326139613564343838366565
36343130353462333162313736636139306233366466626231306561626335396262663531333839
61336437343137356335633764373730306466326133356331333530353537616661373062656438
35356235666464656466323937353837623535643937383866666133383633396563333338633034
38366531613164363966323137646237393135383164643230663331306335636432656565633636
34343031633632346533353666353034666266666561346464306665386634313263323333653330
66323033393531343633356466613837346164393332613037636465343230623731616361336338
61373332373636646435353734386366613334323161626437396232613534613330613532323534
65653065386432313733663165616333663666363733623162306536303833663136353334656466
64353931363838613761663561666639373865393438396565626661343934353662363834636535
65363664393433313036383438643864663339626331343230343337316437336634636363303563
35373539383535353235633730386232363539616632336566376264393832383637663330613133
37643261363966633138373935333438393536373938383265373261363232343030373539366335
61633162663137643061363366653135323639363838626266386262666133306461333432313738
30313332626166303630363839396663396564633961383863326663356230343938643833303933
34333032353935323565346633363537656639613663356130383264373739636231363364613066
36653664346434393933383337313630623131396461343930383537633536643365306564396665
31353861643335353538623838393335326364393738376239623431306231363739656438626265
37666532336661306262303761616238666239623265663231386165353437366631376234343035
33393037316563373534373765616238616639303031346430623561663430393536303163613338
65353062336164626335376235656235343637366438353334356436653266333062663838316263
32623732306462356162623437393035626433336631643833626463656634366332613936346465
34653331363133373635633330363564333264623566613432383439396537343963653239336265
33326132663434363065646265646130333935303662623037363938313464366564323734333437
36336335303738643634653164306332636130316161393335656536386131396662616366383139
36663863343736666665363337663537326330323437346565346465326231366563643136366365
37636361343961326261336437616266373962643765346438333766306537303137353764396330
39626635373631353635313935363834363730386132376363663462653330623130663266373432
65343237326535613535386363396236336536366165306463643162346638623638373433646163
62613935363636353639623839396231393838303135346536383037353636613563323234626131
64373666303436393861373164376564646235366131343433623733663832653039393738343537
65323534343464613230346532623966616462353532373064623566626563336464326336393364
39626237646431313135323036303065343138616632343237396136366332636132303037376132
33623031623635653162616265316366663262373666636638386130643336383130643232643662
34326663343562613962343033396332303261636230353331313730336630633461333736626333
66636430643330383032646634396133626339623036333963396662313234623466366634636334
33373762386662613966353664346239666133656435353365653536356331613632666132376264
62613433366633663065306166396166633836306139376533396165393966323465303638373563
63326330323161303065643365343363313338326238363137663139613463613434643834613662
64663365633965653363633165653038333335333232633434323037643936646561376431626230
66356138373136366134373533386634373061666330663364376336383433306331386162393633
33636330643531396464313736363061303466393861613730323563626363643731333633366532
64646130636234653566346533323962353332653335336239353630633535623935396638663366
37383661343636613261623833653032373764653164346634663431653664636233323734666166
36373664306566663930353338366431623563396166356638626166333165623263636336613138
34343936393964666564306637346561393538383137663162663630336462656663316338376236
63633666333263663734353861633164653132663334306664643133663736663766626639393236
32653430333163313363343731666135656662363838366132383732346130313130363365656263
32643533393163376264653632663262353966306630333064313932616262323134326361633764
63383837303936616434616630653833653833623263623532306363373836323431393335623530
34316562343035326265333164643163356230643639373431326431303538346363376332373434
31313666313663343363353130306561646136393732663164393232636330663635346434343134
33663138663336636430373763396435323138373633666438623234363631336232366635366532
62616239663934653462656163326134303261376635323864633435383666363065656665303538
62626538343638366236646136363232373437336630383739656438636465326531646664366462
36353663626634386538336239623734323234393463313034303837363164363263623065613061
38333162646232366339333662313965663336613238386530393162346266636532353433656136
66326436323836376432313238613165373565643233333435393361636637653361616435393438
32383763393561343734643438346635613663393736613839623263663866336165343235663933
66623137616561313462653631613830363666653635336534643935373739353138363934656134
35663063396162623432373534333463376231666466393963336231653939326663396336383735
34633763336163313432616163313638623963306666643432306661393632346339373963633265
32303862643661376433356661383335313365306534663534396638313531373538326236636363
37626138333437393363323261336663653163643565303063313231346131376261653763356631
62306262336337366134626632333663363139393131306666303235303761623665356431646234
33666461663035303066353137623762653565353533613435663839396238336337333463636465
38353135356634626137376232613330393235383432356436393030313564306537616363383136
66356463373138313661373565326565343066643133633630313031303132313031663739316631
66666631386163313034306532393862393930653931363235396662366262636466363464396466
61303962303066633764393831396632626233343633313061323838623134373036393164633139
30303861636335636131376334376239636235653233323435623262366132663934613661333135
61386136326435363337316363666330363431613135663661303438383664663930656564373730
32373731393666333364633835646431646662313232383136616238303264383438663766356462
32346664376430663934626661663039656461383738626265346162393861346163656161323333
39323666643031376530303230626166613233383731363766373634623430633635303963313466
34646331363539636133373134353535356265393265393635323532323134643034343663636362
38633261613433393634396234396265623063346138363133646532366638306632396464646432
61373961383438386535336131393633303430346162613738343839653038303035303033626535
37343030623530333332306265373539633735616634663666356437303862636338363866613861
38346130336338373865343866306665616530313938616366346131376262346135323537663137
39383366313766666234323234363937623264353532323033363966313135653163343036666262
34393832613034383239393930383063336131356364303231323966303633333331633666373764
65383137333965663234663933303231356165376233326233303035316536666563656363343933
36633039666432643135636331353932633164633964623661373739633665313433306561303637
62373534346562363132643063643732343462653838393635343266626535353864656437313434
34376538303965616539626534613431623834376337643936613137323031323139393762636463
66346664666361623636666533663037613434353135393862376633636233656330366136646434
30653735323961383130393763333630306131376430363436623238646632363462383739653636
37346566663039383866323639633565366338353438386461616239313639343766333661346435
33316538366463383733346663316564656566656165396465393461363061613239666165346661
62346639623163363762366431313831663135643062336363323336303737393437653863303665
36643466336566336236353166333063633830646461626262333937316162353365353130353535
30383164363532363532306364393236303537383139643431393962333063633162313033613561
32323434336364343061386666616639336566373461633462393130336461303531353436623065
65663430623066336533373662306566396263376562343936666166626666323964373334613835
64633535303365643564626562643562636363363834353865353765356665643965663861366436
63333736613232353130616466316637613966646139323565356537666331666564623832333439
36376131663431616430616265323039646432393166613631313762613264313765323231663961
65616636306362386534626130636261636566626365643630616135323634343935653033653433
3061
38616339383037366465353638383665643938633061323863386539323861633135363964303364
6335326537383039316566623031306136633364336337320a343434623066313535363430303866
61613635663336376530333463363037316230323339393463393465313366643438316565306564
3263613463653764330a363330623331323762306330336465633538353637373838396231643762
35353137306132653861343736323934326161663436653737333462333938393330393861363764
38333837353564396563623039636438663662626330323632383234333662613835633138326161
33626537633863393864373937306332386131626562323762616439643830626339633833313638
65363930353162323635356430313030303734386339393730383135323937623939393233663335
39316564396463643134636363326262343538666234333837373164646434643232623666636162
61616637396561323166313131393163353166353764396564373330326262346666373034663465
35326563306538653562333864383662336338656566313432633831313363663131393930336234
61336230643539303532656437616638323266623434393863623661366237386537386232383332
38643433626466343633626665386633663964306566643436363839363462326632393863616230
62386662386363613737613839386436383734623461386363313832636661636334633132363433
30383135646465353232623936366337663130376232343231376565313563303534313462336462
39353861663230623536613735663865373238303832306636323532393734303538383837336237
36613732623539616237663962666263393138303064646335623336343432323266663335363061
36306361653035653334343031303663373334613365393635616362343461616535343964306666
36663030373133346663663839373363663163653961323533356361373533643636626339356332
34663063326363646638646330626666633564373763326636363764653831336134393131653864
62353163613534386364323430346435316339363338666563366262336536373162346265353165
66363834306536383465376339323462303265373263333065623837656133623035366366396335
34313566326565333930386336353333396237633333613336666566393465616563393563633335
33313232646466313333633564653535343564626566353863613964303732616436626535656135
39313632346530636639333435643034666138633831313864316266376330336334333263356132
30613865336164353433383232316637663131653231393235343262666636623461653332323664
63323637396132666333633863393131363935626435313366646563366366356265346130373162
66306261303539323763336130616165323863646466643336316437663266303730313433343932
39643639376531303839636632333063323837306638373863663132386533353735343234666139
33633462346438356338613830313533306263383263383036363566323437356235386636333432
31383462626338346339353536653437623731643036363366666437316362356266396634383865
65663332383837373334393863386531663831643366613131663666303436306336313935643065
61336661313562326465393936643130393465346636363234386436616165613436393436623664
33396165376363316334613737613261396633306233643337393936393465313763343439646136
38643135346234653234316536363964303331303932656134323165333239623362333931323334
62323634373764663464343031626432653131306664336130396265363964663866663538376239
33653430366265623733376536613632646662646632653132336537383336303335623966396131
62303136613934656664386162373433323962336134663435373730366632666135663030653133
38613632623765616465383266356238313333336434376238396339343031323465343833323665
61666366326363303832663164363838353739653534313235336530396330346466656432386636
36613239613239613835633265363064316134346464616338333532376132373637356665346230
38343461613335663061393037643466383664323263336364356364363262346236326161653362
63653963303139616430333738373038333661333562376130363061366338346430303231363138
66373866303331333035316533373336376466346630326166373734353834306237383462356430
33633332366636613534313933323065633736656432656236653930623663616133336435313337
36623031663333386362306138343231363130626131323735316562363730656230376132303439
36323932666362613237666164653037353631353730346466303764326162366266376130316166
32363739373437333731643936366334376463383664373139363465666538666331636535626462
32323834616338376264393461626665393635336638383333653466336332316364363330333738
61303161303564383563653039653263343161336362373563616237373865653965343639343465
35363536613233313534633665373264303139393731626339646466663431363361373938623334
38613766643861326538663563656662383665376137393333616566646136336339306333653066
34373864353230343032386236386165616462316562363062613330636264303632396339646632
37316630303536316436356138626533653865366137666131363064643964333838633266366365
64663661333764616635383263376662616239323930643261613161313265633236623834376263
31623565633964376632346533373037333166346332313266316138613665353530336562643739
32393161396338353630363838643130323431343339376431373165313238383064616335323064
36313366633161303635383062656538343538363039343931623736623766343762343563646134
33626264643639333364343131636163646361626130646237326435373731613237663736393439
37376639333930396337333938373866383133613730613162356364323265373431633836653838
34323532613437313064383035313030306636346435396666653933626232313638656531366234
34313837623136656361393230653637633535333063333662363137323962353232386366656264
30303164363531343261626262653962383664313131333535313038343461303464326464373337
34646537353031386265313066313136613533663335306636346237613264313061666233376131
62346537666362373539626334376630633539343932623133653431393731356266623730353036
64626133623638303132356639663538363537623739386166333337333431363939666362663137
62303664306663376136353235613031623435393065376635353032666136396332613861376630
65633061623466313838383664613839663033333736396536333863636435306263666466313265
62633539623037616535333164316538616439333838633730313066366232616566646435376530
66316164323737396230373339333936313532343266303765356530633534643439626236313136
65373833633461393734353737363566353634353764333961643033393932353236633336393436
61333537666263666238303736316462356138396232373839343434643730643766333535643565
38333163353634633637393766346261613931663134363230353633336533643339353832653632
64343438353266343937373138643635616331336164316166343536643434616665326331353161
39303732663037653634303263386134366536333830363366663639383033323832653364393766
30333438313361613764633239373036336230353333343262613761323930656265313031323065
39666562393565326139373061313061396265386239343462346535623766313364343136343038
39373462663434633731636662653966383233396163643137373530303134633465643130383265
61376538626365396236643139336366643966306131393635623438393932313164623766353233
61643732303837366139356236353937303036343232363537623231303661653035383831343830
64663763383563303461633335313663643161336435343735333536393661663235636665383662
37393139333361323136366564383132633830386335376137396563343937306431653665316161
38323137643437383636373033326236613936396564626466386432393733633361623032326135
61346166393964313637356330653339646365326365326130386537343535353038643538393336
66366335316538393333613631346365393038623261303536363732383637643430346632343139
61643265333466323666633834333462613161653165663432613934353036343937343939303033
35636134343761666534656636383632363562633634383364323039613431666239346136616231
37383838316338666462376133613632663633663935643563346333356464663434393734366433
37376539366139396536323535316539643261636533303065326164643132313439313632306664
33386136393734613739396336396635353439393531393363326137363562646363333762386135
32376162373766393763343634326434323034336533336166666635636135393066353238626161
37376132306339626263313663376638633337656162333431313439643930303332666138643962
37313331616563643638343464653535653038613136313637336534636537343763376634626538
64633133656237346461346330333061636663336262646264326237373736366337663331323764
65353931373266336232366434356631383338386537616535656664323334363963666631363331
37653666316236613931386161346439663935656466396137643765626632643263323163623138
34326363373633303365353530383633623936313436616635353733643837656233613635383966
37356665626530626532356632323338623062386332616332643061623031366366613433383734
33623732636637363237336439373432616332643638303131363332393230663565323139303163
36643134363861383834656539626166386164326236336266633435626163383437366338353930
33373932333832373237343532623537363931366636346132616162343839303965386337316164
61656233616633323933306165643666306661366632613933383932616664613663663234653431
30306163346630653239323966396638643162303766363131646430303366303435343866353639
66373465393764396335346131346331353561643434633364656530626238326333333731383361
35653232373235383633616634643966636336333461663237653764626534346336

8
group_vars/aurore/main.yml
View file

@ -1,8 +0,0 @@
---
apartment_block: aurore
apartment_block_id: 0
router_ip_suffix: 254
# We have two -aurore DHCP servers, but no failover peer functionality is needed
# because they only give out IPs assigned by re2o.
dhcp_failover_enabled: false

5
group_vars/bdd.yml
View file

@ -1,5 +0,0 @@
---
borg_keep_hourly: 6
borg_backup_exclude:
- "/var/lib/postgresql/"
...

8
group_vars/certbot.yml
View file

@ -1,8 +0,0 @@
---
glob_certbot:
- dns_rfc2136_server: '10.128.0.30'
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
mail: tech.aurore@lists.crans.org
certname: auro.re
domains: "*.auro.re"

3
group_vars/edc/ldap_local_replica.yml
View file

@ -1,3 +0,0 @@
---
ldap_local_replica_uri:
- 'ldap://ldap-replica-edc.adm.auro.re'

7
group_vars/edc/main.yml
View file

@ -1,7 +0,0 @@
---
apartment_block: edc
apartment_block_id: 4
router_ip_suffix: 254
mtu: 1500

3
group_vars/edc/sudo_location_group.yml
View file

@ -1,3 +0,0 @@
---
# Users in that group will be able to `sudo`
sudo_group_location: 'sudoedc'

7
group_vars/fleming/main.yml
View file

@ -1,7 +0,0 @@
---
apartment_block: fleming
apartment_block_id: 1
router_ip_suffix: 254
mtu: 1500

3
group_vars/fleming/sudo_location_group.yml
View file

@ -1,3 +0,0 @@
---
# Users in that group will be able to `sudo`
sudo_group_location: 'sudofleming'

7
group_vars/gs/main.yml
View file

@ -1,7 +0,0 @@
---
apartment_block: gs
apartment_block_dhcp: sand
apartment_block_id: 5
router_ip_suffix: 254

3
group_vars/gs/sudo_location_group.yml
View file

@ -1,3 +0,0 @@
---
# Users in that group will be able to `sudo`
sudo_group_location: 'sudogeorgesand'

32
group_vars/nginx.yml
View file

@ -1,32 +0,0 @@
---
glob_nginx:
contact: tech.aurore@lists.crans.org
who: "L'équipe technique d'Aurore"
service_name: service
ssl:
# Add adm.auro.re if necessary
- name: auro.re
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
servers:
- ssl: false # Replace by auro.re or adm.auro.re
default: true
server_name:
- "default"
- "_"
root: "/var/www/html"
locations:
- filter: "/"
params: []
additional_params: []
upstreams: []
auth_passwd: []
default_server:
default_ssl_server:
default_ssl_domain: auro.re
real_ip_from:
- "10.128.0.0/16"
- "2a09:6840:128::/64"
deploy_robots_file: false

7
group_vars/pacaterie/main.yml
View file

@ -1,7 +0,0 @@
---
apartment_block: pacaterie
apartment_block_id: 2
router_ip_suffix: 254
mtu: 1500

3
group_vars/pacaterie/sudo_location_group.yml
View file

@ -1,3 +0,0 @@
---
# Users in that group will be able to `sudo`
sudo_group_location: 'sudopacaterie'

12
group_vars/reverseproxy.yml
View file

@ -1,12 +0,0 @@
---
loc_nginx:
servers: []
glob_reverseproxy:
redirect_dnames:
- aurores.net
- fede-aurore.net
reverseproxy_sites: []
redirect_sites: []

7
group_vars/rives/main.yml
View file

@ -1,7 +0,0 @@
---
apartment_block: rives
apartment_block_id: 3
router_ip_suffix: 254
mtu: 1500

3
group_vars/rives/sudo_location_group.yml
View file

@ -1,3 +0,0 @@
---
# Users in that group will be able to `sudo`
sudo_group_location: 'sudorives'

3
group_vars/routeur.yml
View file

@ -1,3 +0,0 @@
---
rsyslog_high_density: true
...

12
host_vars/caradoc.adm.auro.re.yml
View file

@ -1,12 +0,0 @@
---
borg_keep_hourly: 6
borg_keep_daily: 7
borg_keep_weekly: 4
borg_keep_monthly: 12
borg_backup_directories:
- "/etc"
- "/var"
- "/data_nextcloud"
- "/data_gitea"
- "/data_mail"
...

16
host_vars/log.adm.auro.re.yml
View file

@ -1,16 +0,0 @@
---
borg_backup_directories:
- "/etc/"
- "/var/"
borg_backup_exclude: []
rsyslog_collector_base_dir: /var/log/remote
rsyslog_inputs:
- proto: relp
port: 20514
- proto: udp
port: 514
- proto: tcp
port: 6514
rsyslog_outputs: []
...

3
host_vars/perceval.adm.auro.re.yml
View file

@ -1,3 +0,0 @@
---
borg_server_backups_dir: /borg
...

105
host_vars/portail.adm.auro.re.yml
View file

@ -1,105 +0,0 @@
---
loc_nginx:
service_name: captive_portal
default_server: '$server_addr'
default_ssl_server: '$server_addr'
servers:
- server_name:
- "10.13.0.247"
locations:
- filter: "/"
params:
- "return 302 https://portail-fleming.auro.re/portail/"
- ssl: auro.re
server_name:
- portail-fleming.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-fleming.auro.re/portail/"
- ssl: auro.re
server_name:
- 10.23.0.247
locations:
- filter: "/"
params:
- "return 302 https://portail-pacaterie.auro.re/portail/"
- ssl: auro.re
server_name:
- portail-pacaterie.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-pacaterie.auro.re/portail/"
- ssl: auro.re
server_name:
- "10.33.0.247"
locations:
- filter: "/"
params:
- "return 302 https://portail-rives.auro.re/portail/"
- ssl: auro.re
server_name:
- portail-rives.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-rives.auro.re/portail/"
- ssl: auro.re
server_name:
- "10.43.0.247"
locations:
- filter: "/"
params:
- "return 302 https://portail-edc.auro.re/portail/"
- ssl: auro.re
server_name:
- portail-edc.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-edc.auro.re/portail/"
- ssl: auro.re
server_name:
- "10.53.0.247"
locations:
- filter: "/"
params:
- "return 302 https://portail-gs.auro.re/portail/"
- ssl: auro.re
server_name:
- portail-gs.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-gs.auro.re/portail/"

68
host_vars/proxy-ovh.adm.auro.re.yml
View file

@ -1,68 +0,0 @@
---
loc_certbot:
- dns_rfc2136_server: '10.128.0.30'
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
mail: tech.aurore@lists.crans.org
certname: auro.re
domains: "auro.re, *.auro.re"
loc_reverseproxy:
redirect_sites:
- from: www.auro.re
to: auro.re
- from: 92.222.211.195
to: auro.re
- from: codimd.auro.re
to: hedgedoc.auro.re
reverseproxy_sites:
- from: phabricator.auro.re
to: 10.128.0.50
- from: wiki.auro.re
to: 10.128.0.51
- from: www.auro.re
to: 10.128.0.52
- from: passbolt.auro.re
to: 10.128.0.53
- from: auth.auro.re
to: 10.128.0.150:8089
- from: riot.auro.re
to: "10.128.0.150:8080"
- from: element.auro.re
to: "10.128.0.150:8080"
- from: chat.auro.re
to: "10.128.0.150:8080"
- from: hedgedoc.auro.re
to: "10.128.0.150:8081"
- from: grafana.auro.re
to: "10.128.0.150:8082"
- from: privatebin.auro.re
to: "10.128.0.150:8083"
- from: zero.auro.re
to: "10.128.0.150:8083"
- from: paste.auro.re
to: "10.128.0.150:8083"
- from: pad.auro.re
to: "10.128.0.150:8084"
- from: etherpad.auro.re
to: "10.128.0.150:8084"
- from: cas.auro.re
to: "10.128.0.150:8085"
- from: rss.auro.re
to: 10.128.0.150:8090
- from: status.auro.re
to: "10.128.0.150:8086"
- from: "kanboard.auro.re"
to: "10.128.0.150:8088"
...

72
host_vars/proxy.adm.auro.re.yml
View file

@ -1,72 +0,0 @@
---
loc_certbot:
- dns_rfc2136_server: '10.128.0.30'
dns_rfc2136_name: certbot_adm_challenge.
dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
mail: tech.aurore@lists.crans.org
certname: adm.auro.re
domains: "*.adm.auro.re"
- dns_rfc2136_server: '10.128.0.30'
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
mail: tech.aurore@lists.crans.org
certname: auro.re
domains: "*.auro.re"
loc_nginx:
servers: []
ssl:
- name: adm.auro.re
cert: /etc/letsencrypt/live/adm.auro.re/fullchain.pem
cert_key: /etc/letsencrypt/live/adm.auro.re/privkey.pem
trusted_cert: /etc/letsencrypt/live/adm.auro.re/chain.pem
- name: auro.re
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
loc_reverseproxy:
redirect_tcp:
- name: Gitea
port: 2222
destination: "10.128.0.60:2222"
redirect_sites:
- from: 45.66.111.61
to: intranet.auro.re
reverseproxy_sites:
- from: re2o.auro.re
to: 10.128.0.20
- from: intranet.auro.re
to: 10.128.0.20
- from: nextcloud.auro.re
to: "10.128.0.58:8080"
- from: gitea.auro.re
to: "10.128.0.60:3000"
- from: git.adm.auro.re
to: "10.128.0.60:3000"
ssl: adm.auro.re
- from: drone.auro.re
to: "10.128.0.64:8000"
- from: litl.auro.re
to: 10.128.0.35
- from: re2o-test.auro.re
to: 10.128.0.80
- from: wikijs.auro.re
to: "10.128.0.66:3000"
- from: wiki.auro.re
to: "10.128.0.66:3000"
- from: netbox.auro.re
to: 10.128.0.97
- from: grafana.auro.re
to: "10.128.0.98:3000"

635
hosts
View file

@ -1,623 +1,70 @@
# Aurore servers inventory
# How to name your server ?
# > We name servers according to location, then type, then function.
# > Then we regroup everything in global geographic, type and function groups.
# > We name servers according to location, then type.
# > So all containers at OVH are in ovh-container.
# > Then we regroup everything in global geographic and type groups.
[ovh-pve]
horus ansible_host=10.128.0.1
###############################################################################
# Aurore : main services
[aurore_pve]
escalope.adm.auro.re
services-1.pve.auro.re
services-2.pve.auro.re
services-3.pve.auro.re
[aurore_vm]
routeur-aurore.adm.auro.re
routeur-aurore-backup.adm.auro.re
radius-aurore.adm.auro.re
dhcp-aurore.adm.auro.re
dhcp-aurore-backup.adm.auro.re
dns-aurore.adm.auro.re
[ovh-container]
riot.adm.auro.re
synapse.adm.auro.re
codimd.adm.auro.re
services-bdd.adm.auro.re
phabricator.adm.auro.re
wiki.adm.auro.re
www.adm.auro.re
pad.adm.auro.re
proxy.adm.auro.re
camelot.adm.auro.re
gitea.adm.auro.re
drone.adm.auro.re
nextcloud.adm.auro.re
galene.adm.auro.re
[ovh-vm]
re2o-server.adm.auro.re
re2o-ldap.adm.auro.re
re2o-db.adm.auro.re
mail.adm.auro.re
wikijs.adm.auro.re
prometheus-aurore.adm.auro.re
portail.adm.auro.re
jitsi-aurore.adm.auro.re
log.adm.auro.re
bdd.adm.auro.re
bdd-ovh.adm.auro.re
litl.adm.auro.re
log.adm.auro.re
netbox.adm.auro.re
grafana.adm.auro.re
dolibarr.adm.auro.re
infra-1.router.auro.re ansible_host=10.129.0.245
infra-2.router.auro.re ansible_host=10.129.0.246
[aurore_testing_vm]
[aurore_ilo]
escalope-ilo.adm.auro.re
###############################################################################
# OVH
[ovh_pve]
horus.adm.auro.re
[ovh_container]
synapse.adm.auro.re
www.adm.auro.re
proxy-ovh.adm.auro.re
[ovh_vm]
serge.adm.auro.re
docker-ovh.adm.auro.re
switchs-manager.adm.auro.re
ldap-replica-ovh.adm.auro.re
prometheus-ovh.adm.auro.re
prometheus-federate.adm.auro.re
[ovh_testing_vm]
#re2o-test.adm.auro.re
[ovh-testing-vm]
re2o-test.adm.auro.re
[fleming-pve]
#freya.adm.auro.re
#odin.adm.auro.re
###############################################################################
# Les Jardins de Fleming
[fleming_server]
perceval.adm.auro.re
[fleming_pve]
marki.adm.auro.re
[fleming_vm]
ldap-replica-fleming.adm.auro.re
dhcp-fleming.adm.auro.re
dhcp-fleming-backup.adm.auro.re
dns-fleming.adm.auro.re
dns-fleming-backup.adm.auro.re
ntp-1.int.infra.auro.re
prometheus-fleming.adm.auro.re
#prometheus-fleming-fo.adm.auro.re
radius-fleming.adm.auro.re
dns-1.int.infra.auro.re
isp-1.rtr.infra.auro.re
isp-2.rtr.infra.auro.re
dhcp-1.isp.auro.re
dhcp-2.isp.auro.re
radius-fleming-backup.adm.auro.re
unifi-fleming.adm.auro.re
routeur-fleming.adm.auro.re
routeur-fleming-backup.adm.auro.re
[fleming_ilo]
marki-ilo.adm.auro.re
[fleming_unifi]
fa-0-1.borne.auro.re
fa-1-1.borne.auro.re
fa-2-1.borne.auro.re
fa-3-1.borne.auro.re
fa-4-1.borne.auro.re
fa-j-1.borne.auro.re
fb-0-1.borne.auro.re
fb-1-1.borne.auro.re
fb-2-1.borne.auro.re
fb-3-1.borne.auro.re
fb-4-1.borne.auro.re
fc-0-1.borne.auro.re
fc-1-1.borne.auro.re
fc-2-1.borne.auro.re
fc-3-1.borne.auro.re
fc-4-1.borne.auro.re
fd-0-1.borne.auro.re
fd-1-1.borne.auro.re
fd-2-1.borne.auro.re
fd-3-1.borne.auro.re
fe-0-1.borne.auro.re
fe-1-1.borne.auro.re
fe-1-2.borne.auro.re
fe-2-1.borne.auro.re
fe-2-2.borne.auro.re
fe-3-1.borne.auro.re
fe-3-2.borne.auro.re
fe-4-1.borne.auro.re
fe-4-2.borne.auro.re
ff-0-1.borne.auro.re
ff-0-f.borne.auro.re
ff-1-1.borne.auro.re
ff-1-2.borne.auro.re
ff-2-1.borne.auro.re
ff-2-2.borne.auro.re
ff-3-1.borne.auro.re
ff-3-2.borne.auro.re
ff-4-1.borne.auro.re
ff-4-2.borne.auro.re
fg-0-1.borne.auro.re
fg-1-1.borne.auro.re
fg-1-2.borne.auro.re
fg-2-1.borne.auro.re
fg-2-2.borne.auro.re
fg-3-1.borne.auro.re
fg-3-2.borne.auro.re
fg-4-1.borne.auro.re
fh-0-1.borne.auro.re
fh-1-1.borne.auro.re
fh-1-2.borne.auro.re
fh-2-1.borne.auro.re
fh-2-2.borne.auro.re
fh-3-1.borne.auro.re
fh-3-2.borne.auro.re
fh-4-1.borne.auro.re
fh-4-2.borne.auro.re
fi-0-1.borne.auro.re
fi-0-2.borne.auro.re
fi-1-1.borne.auro.re
fi-1-2.borne.auro.re
fi-2-1.borne.auro.re
fi-2-2.borne.auro.re
fi-3-1.borne.auro.re
fi-3-2.borne.auro.re
fi-4-1.borne.auro.re
fi-4-2.borne.auro.re
fj-0-1.borne.auro.re
fj-1-1.borne.auro.re
fj-1-2.borne.auro.re
fj-2-1.borne.auro.re
fj-2-2.borne.auro.re
fj-3-1.borne.auro.re
fj-3-2.borne.auro.re
fj-4-1.borne.auro.re
fj-4-2.borne.auro.re
fk-0-1.borne.auro.re
fk-1-1.borne.auro.re
fk-1-2.borne.auro.re
fk-2-1.borne.auro.re
fk-2-2.borne.auro.re
fk-3-1.borne.auro.re
fk-3-2.borne.auro.re
fk-4-1.borne.auro.re
fk-4-2.borne.auro.re
fl-0-1.borne.auro.re
fl-1-1.borne.auro.re
fl-1-2.borne.auro.re
fl-2-1.borne.auro.re
fl-2-2.borne.auro.re
fl-3-1.borne.auro.re
fl-3-2.borne.auro.re
fl-4-1.borne.auro.re
fl-4-2.borne.auro.re
###############################################################################
# Pacaterie
[pacaterie_pve]
mordred.adm.auro.re
titan.adm.auro.re
[pacaterie_vm]
ldap-replica-pacaterie.adm.auro.re
dhcp-pacaterie.adm.auro.re
dhcp-pacaterie-backup.adm.auro.re
dns-pacaterie.adm.auro.re
dns-pacaterie-backup.adm.auro.re
prometheus-pacaterie.adm.auro.re
#prometheus-pacaterie-fo.adm.auro.re
radius-pacaterie.adm.auro.re
radius-pacaterie-backup.adm.auro.re
unifi-pacaterie.adm.auro.re
routeur-pacaterie.adm.auro.re
routeur-pacaterie-backup.adm.auro.re
[pacaterie_ilo]
mordred-ilo.adm.auro.re
titan-ilo.adm.auro.re
[pacaterie_unifi]
pc-1-1.borne.auro.re
pn-0-1.borne.auro.re
pn-0-2.borne.auro.re
pn-0-3.borne.auro.re
pn-1-1.borne.auro.re
pn-1-2.borne.auro.re
pn-1-3.borne.auro.re
pn-2-1.borne.auro.re
pn-2-2.borne.auro.re
pn-2-3.borne.auro.re
pn-3-1.borne.auro.re
pn-3-2.borne.auro.re
pn-3-3.borne.auro.re
pn-4-1.borne.auro.re
pn-4-2.borne.auro.re
pn-4-3.borne.auro.re
ps-0-1.borne.auro.re
ps-0-2.borne.auro.re
ps-0-3.borne.auro.re
ps-1-1.borne.auro.re
ps-1-2.borne.auro.re
ps-1-3.borne.auro.re
ps-2-1.borne.auro.re
ps-2-2.borne.auro.re
ps-2-3.borne.auro.re
ps-3-1.borne.auro.re
ps-3-2.borne.auro.re
ps-3-3.borne.auro.re
ps-4-1.borne.auro.re
ps-4-2.borne.auro.re
ps-4-3.borne.auro.re
###############################################################################
# Emilie du Chatelet
[edc_server]
caradoc.adm.auro.re
[edc_pve]
chapalux.adm.auro.re
[edc_vm]
routeur-edc.adm.auro.re
routeur-edc-backup.adm.auro.re
dns-edc.adm.auro.re
dns-edc-backup.adm.auro.re
dhcp-edc.adm.auro.re
dhcp-edc-backup.adm.auro.re
unifi-edc.adm.auro.re
radius-edc.adm.auro.re
radius-edc-backup.adm.auro.re
ldap-replica-edc.adm.auro.re
prometheus-edc.adm.auro.re
[edc_ilo]
caradoc-ilo.adm.auro.re
chapalux-ilo.adm.auro.re
[edc_unifi]
ee-2-1.borne.auro.re
ee-2-2.borne.auro.re
eo-0-1.borne.auro.re
eo-2-1.borne.auro.re
ep-0-1.borne.auro.re
ep-1-1.borne.auro.re
ep-1-2.borne.auro.re
ep-1-3.borne.auro.re
###############################################################################
# George Sand
[gs_pve]
lancelot.adm.auro.re
odin.adm.auro.re
[gs_vm]
dhcp-gs.adm.auro.re
dhcp-gs-backup.adm.auro.re
dns-gs.adm.auro.re
dns-gs-backup.adm.auro.re
routeur-gs.adm.auro.re
routeur-gs-backup.adm.auro.re
unifi-gs.adm.auro.re
radius-gs.adm.auro.re
radius-gs-backup.adm.auro.re
prometheus-gs.adm.auro.re
ldap-replica-gs.adm.auro.re
[gs_ilo]
lancelot-ilo.adm.auro.re
odin-ilo.adm.auro.re
[gs_unifi]
ga-0-1.borne.auro.re
ga-1-1.borne.auro.re
ga-1-2.borne.auro.re
ga-2-1.borne.auro.re
ga-2-2.borne.auro.re
ga-3-1.borne.auro.re
ga-4-1.borne.auro.re
ga-5-1.borne.auro.re
ga-5-2.borne.auro.re
gb-1-1.borne.auro.re
gb-2-1.borne.auro.re
gb-3-1.borne.auro.re
gb-4-1.borne.auro.re
gb-4-2.borne.auro.re
gb-5-1.borne.auro.re
gc-1-1.borne.auro.re
gc-2-1.borne.auro.re
gc-3-1.borne.auro.re
gc-4-1.borne.auro.re
gc-5-1.borne.auro.re
gc-5-2.borne.auro.re
gd-1-1.borne.auro.re
gd-1-2.borne.auro.re
gd-2-1.borne.auro.re
gd-3-1.borne.auro.re
gd-4-1.borne.auro.re
gd-4-2.borne.auro.re
gd-5-1.borne.auro.re
gd-5-2.borne.auro.re
gd-garage-1.borne.auro.re
ge-0-1.borne.auro.re
ge-1-1.borne.auro.re
ge-1-2.borne.auro.re
ge-2-1.borne.auro.re
ge-2-2.borne.auro.re
ge-3-1.borne.auro.re
ge-3-2.borne.auro.re
ge-4-1.borne.auro.re
ge-5-1.borne.auro.re
gf-0-1.borne.auro.re
gf-1-1.borne.auro.re
gf-2-1.borne.auro.re
gf-3-1.borne.auro.re
gf-3-2.borne.auro.re
gf-4-1.borne.auro.re
gf-5-1.borne.auro.re
gg-5-1.borne.auro.re
gg-5-2.borne.auro.re
gh-1-2.borne.auro.re
###############################################################################
# Les Rives
[rives_pve]
loki.adm.auro.re
[rives_vm]
dhcp-rives-backup.adm.auro.re
unifi-rives.adm.auro.re
dns-rives-backup.adm.auro.re
radius-rives-backup.adm.auro.re
routeur-rives-backup.adm.auro.re
ldap-replica-rives.adm.auro.re
prometheus-rives.adm.auro.re
dhcp-rives.adm.auro.re
dns-rives.adm.auro.re
radius-rives.adm.auro.re
routeur-rives.adm.auro.re
[rives_ilo]
loki-ilo.adm.auro.re
[rives_unifi]
r1-1-1.borne.auro.re
r1-1-2.borne.auro.re
r1-1-3.borne.auro.re
r1-1-4.borne.auro.re
r1-1-5.borne.auro.re
r1-1-6.borne.auro.re
r1-2-1.borne.auro.re
r1-2-2.borne.auro.re
r1-2-3.borne.auro.re
r1-2-4.borne.auro.re
r1-3-1.borne.auro.re
r1-3-2.borne.auro.re
r1-3-3.borne.auro.re
r1-3-4.borne.auro.re
r1-3-5.borne.auro.re
r1-3-6.borne.auro.re
r2-1-1.borne.auro.re
r2-1-2.borne.auro.re
r2-1-3.borne.auro.re
r2-1-4.borne.auro.re
r2-2-1.borne.auro.re
r2-2-2.borne.auro.re
r2-2-3.borne.auro.re
r2-3-1.borne.auro.re
r2-3-2.borne.auro.re
r2-3-3.borne.auro.re
r2-3-4.borne.auro.re
r3-0-1.borne.auro.re
r3-0-2.borne.auro.re
r3-0-3.borne.auro.re
r3-0-4.borne.auro.re
r3-1-1.borne.auro.re
r3-1-2.borne.auro.re
r3-1-3.borne.auro.re
r3-1-4.borne.auro.re
r3-1-5.borne.auro.re
r3-1-6.borne.auro.re
r3-1-7.borne.auro.re
r3-2-1.borne.auro.re
r3-2-2.borne.auro.re
r3-2-3.borne.auro.re
r3-2-4.borne.auro.re
r3-2-5.borne.auro.re
r3-2-6.borne.auro.re
r3-2-7.borne.auro.re
r3-2-8.borne.auro.re
r3-3-1.borne.auro.re
r3-3-2.borne.auro.re
r3-3-3.borne.auro.re
r3-3-4.borne.auro.re
r3-3-5.borne.auro.re
r3-3-6.borne.auro.re
r3-4-1.borne.auro.re
r3-4-2.borne.auro.re
r3-4-3.borne.auro.re
r3-4-4.borne.auro.re
r3-4-5.borne.auro.re
r3-4-6.borne.auro.re
r3-4-7.borne.auro.re
r3-4-8.borne.auro.re
# -aurore services
[aurore:children]
aurore_vm
[fleming-vm-ldap-replica]
#ldap-replica-fleming1.adm.auro.re
#ldap-replica-fleming2.adm.auro.re
# everything at ovh
[ovh:children]
ovh_pve
ovh_container
ovh_vm
ovh-pve
ovh-container
ovh-vm
# everything at ovh-testing
[ovh-testing:children]
ovh-testing-vm
# everything at fleming
[fleming:children]
fleming_server
fleming_pve
fleming_vm
fleming_unifi
# everything at pacaterie
[pacaterie:children]
pacaterie_pve
pacaterie_vm
pacaterie_unifi
# everything at edc
[edc:children]
edc_server
edc_pve
edc_vm
edc_unifi
# everything at georgesand
[gs:children]
gs_pve
gs_vm
gs_unifi
# everything at Les Rives
[rives:children]
rives_pve
rives_vm
rives_unifi
###############################################################################
# Groups by type
fleming-pve
fleming-vm-ldap-replica
# every LXC container
[container:children]
ovh_container
ovh-container
# every virtual machine
[vm:children]
ovh_vm
fleming_vm
pacaterie_vm
edc_vm
gs_vm
rives_vm
# every server
[server:children]
fleming_server
edc_server
ovh-vm
fleming-vm-ldap-replica
# every PVE
[pve:children]
ovh_pve
fleming_pve
pacaterie_pve
edc_pve
gs_pve
rives_pve
ovh-pve
fleming-pve
# every unifi
[unifi:children]
gs_unifi
edc_unifi
fleming_unifi
rives_unifi
pacaterie_unifi
###############################################################################
# Groups by service
[routeur]
routeur-fleming.adm.auro.re
routeur-fleming-backup.adm.auro.re
routeur-pacaterie.adm.auro.re
routeur-pacaterie-backup.adm.auro.re
routeur-edc.adm.auro.re
routeur-edc-backup.adm.auro.re
routeur-gs.adm.auro.re
routeur-gs-backup.adm.auro.re
routeur-rives.adm.auro.re
routeur-rives-backup.adm.auro.re
routeur-aurore.adm.auro.re
routeur-aurore-backup.adm.auro.re
[ldap_replica:children]
ldap_replica_fleming
ldap_replica_pacaterie
ldap_replica_edc
ldap_replica_gs
ldap_replica_ovh
ldap_replica_rives
[ldap_replica_fleming]
ldap-replica-fleming.adm.auro.re
[ldap_replica_pacaterie]
ldap-replica-pacaterie.adm.auro.re
[ldap_replica_edc]
ldap-replica-edc.adm.auro.re
[ldap_replica_gs]
ldap-replica-gs.adm.auro.re
[ldap_replica_ovh]
ldap-replica-ovh.adm.auro.re
[ldap_replica_rives]
ldap-replica-rives.adm.auro.re
[certbot]
portail.adm.auro.re
[certbot:children]
reverseproxy
[nginx]
portail.adm.auro.re
[nginx:children]
reverseproxy
[reverseproxy]
proxy-ovh.adm.auro.re
proxy.adm.auro.re
[bdd]
bdd.adm.auro.re
bdd-ovh.adm.auro.re
re2o-db.adm.auro.re
[radius]
radius-aurore.adm.auro.re
radius-fleming.adm.auro.re
radius-fleming-backup.adm.auro.re
radius-edc.adm.auro.re
radius-edc-backup.adm.auro.re
radius-gs.adm.auro.re
radius-gs-backup.adm.auro.re
radius-pacaterie.adm.auro.re
radius-pacaterie-backup.adm.auro.re
radius-rives.adm.auro.re
radius-rives-backup.adm.auro.re
[prometheus]
prometheus-ovh.adm.auro.re
prometheus-aurore.adm.auro.re
prometheus-rives.adm.auro.re
prometheus-gs.adm.auro.re
prometheus-edc.adm.auro.re
prometheus-pacaterie.adm.auro.re
prometheus-fleming.adm.auro.re
prometheus-federate.adm.auro.re
# every LDAP replica
[ldap-replica:children]
fleming-vm-ldap-replica

9
playbooks/ldap_replica.yml → ldap.yml Executable file → Normal file
View file

@ -1,10 +1,11 @@
#!/usr/bin/env ansible-playbook
---
# Plug LDAP on all servers
- hosts: all
roles: []
roles:
- ldap-client
# Clone LDAP on local geographic location
# DON'T DO THIS AS IT RECREATES THE REPLICA
# - hosts: ldap_replica
# - hosts: ldap-replica
# roles:
# - ldap_replica
# - ldap-replica

15
matrix.yml Normal file
View file

@ -0,0 +1,15 @@
---
# Install Matrix Synapse on corresponding containers
- hosts: synapse.adm.auro.re
vars:
mxisd_version: 1.3.1
synapse_rest_auth_url: https://raw.githubusercontent.com/kamax-matrix/matrix-synapse-rest-auth/master/rest_auth_provider.py
roles:
- debian-backports
- matrix-synapse
- matrix-mxisd
# Install Matrix Riot on corresponding containers
- hosts: riot.adm.auro.re
roles:
- matrix-riot

34
nginx-reverse-proxy.yml Normal file
View file

@ -0,0 +1,34 @@
---
# Install NGINX with reverse proxy conf
- hosts: proxy.adm.auro.re
vars:
reversed_proxy_subdomains:
- name: re2o
from: re2o.auro.re
to: re2o-server.adm.auro.re
- name: intranet
from: intranet.auro.re
to: re2o-server.adm.auro.re
- name: pad
from: pad.auro.re
to: pad.adm.auro.re:9001
- name: phabricator
from: phabricator.auro.re
to: phabricator.adm.auro.re
- name: wiki
from: wiki.auro.re
to: wiki.adm.auro.re
- name: www
from: www.auro.re
to: www.adm.auro.re
- name: re2o-test
from: re2o-test.auro.re
to: re2o-test.adm.auro.re
- name: riot
from: riot.auro.re
to: riot.adm.auro.re
- name: codimd
from: codimd.auro.re
to: codimd.adm.auro.re:8080
roles:
- nginx-reverse-proxy

10
playbooks/base.yml
View file

@ -1,10 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Put a common configuration on all servers
- hosts: all,!unifi
roles:
- baseconfig
- basesecurity
- ldap_client
- logrotate
- update_motd

32
playbooks/borgbackup.yml
View file

@ -1,32 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts: perceval.adm.auro.re
vars:
update_motd:
borgbackup_server: >-
Les sauvegardes (borg) sont stockées dans
{{ borg_server_backups_dir }}.
roles:
- borgbackup_server
- update_motd
- hosts: all,!unifi,!unifi-*,!bdd
vars:
update_motd:
borgbackup_client: >-
BorgBackup est déployé (/etc/borgmatic/config.yaml)
roles:
- borgbackup_client
- update_motd
# On databases server, also backup databases
- hosts: bdd
vars:
borg_postgresql_databases: true
update_motd:
borgbackup_client: >-
BorgBackup est déployé (/etc/borgmatic/config.yaml)
roles:
- borgbackup_client
- update_motd
...

27
playbooks/chronyd.yml
View file

@ -1,27 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts:
- ntp-1.int.infra.auro.re
vars:
chronyd__allow_networks:
- 10.128.0.0/16
- 2a09:6840:128::/48
chronyd__pools:
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
- 3.pool.ntp.org
chronyd__local_stratum: 10
roles:
- chronyd
- hosts:
- all
- "!ntp-1.int.infra.auro.re"
- "!unifi"
vars:
chronyd__pools:
- ntp-1.int.infra.auro.re
roles:
- chronyd
...

10
playbooks/docker.yml
View file

@ -1,10 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Deploy Docker hosts
- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,wikijs.adm.auro.re
vars:
update_motd:
docker: Docker est déployé.
roles:
- docker
- update_motd

27
playbooks/grafana.yml
View file

@ -1,27 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Deploy Grafana
- hosts: grafana.adm.auro.re
vars:
grafana:
root_url: https://grafana.auro.re
database:
type: postgres
host: 10.128.0.95
name: grafana
user: grafana
password: "{{ vault_postgresql_grafana_passwd }}"
ldap:
host: "re2o-ldap.adm.auro.re ldap-replica-ovh.adm.auro.re 10.128.0.21 10.128.0.149"
bind_dn: cn=grafana,ou=service-users,dc=auro,dc=re
bind_password: "{{ vault_ldap_grafana_password }}"
search_base_dns: "cn=Utilisateurs,dc=auro,dc=re"
group_search_base_dns: "ou=posix,ou=groups,dc=auro,dc=re"
editors_group_dn:
- cn=sudoldap,ou=posix,ou=groups,dc=auro,dc=re
- cn=technicien,ou=posix,ou=groups,dc=auro,dc=re
update_motd:
grafana: Grafana est déployé (/etc/grafana).
roles:
- grafana
- update_motd

213
playbooks/ifupdown2.yml
View file

@ -1,213 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts:
- ntp-1.int.infra.auro.re
- dns-1.int.infra.auro.re
- dhcp-1.isp.auro.re
- dhcp-2.isp.auro.re
- isp-1.rtr.infra.auro.re
- isp-2.rtr.infra.auro.re
vars:
# TODO: netbox
ifupdown2__hosts:
ntp-1.int.infra.auro.re:
ens18:
gateways:
- 2a09:6840:128::254
- 10.128.0.254
addresses:
- 2a09:6840:128::203/56
- 10.128.0.203/16
dns-1.int.infra.auro.re:
ens18:
gateways:
- 2a09:6840:128::254
- 10.128.0.254
addresses:
- 2a09:6840:128::127/56
- 10.128.0.127/16
dhcp-1.isp.auro.re:
ens18:
gateways:
- 2a09:6840:128::254
- 10.128.0.254
addresses:
- 2a09:6840:128::204/56
- 10.128.0.204/16
ens19: null
clients:
bridge_vlan_aware: true
bridge_ports:
- ens19
bridge_vids:
- 1000-1004
client-0:
addresses:
- 100.64.0.2/27
vlan_id: 1000
vlan_raw_device: clients
client-1:
addresses:
- 100.64.0.34/27
vlan_id: 1001
vlan_raw_device: clients
client-2:
addresses:
- 100.64.0.66/27
vlan_id: 1002
vlan_raw_device: clients
client-3:
addresses:
- 100.64.0.98/27
vlan_id: 1003
vlan_raw_device: clients
client-4:
addresses:
- 100.64.0.130/27
vlan_id: 1004
vlan_raw_device: clients
dhcp-2.isp.auro.re:
ens18:
gateways:
- 2a09:6840:128::254
- 10.128.0.254
addresses:
- 2a09:6840:128::91/56
- 10.128.0.91/16
ens19: null
clients:
bridge_vlan_aware: true
bridge_ports:
- ens19
bridge_vids:
- 1000-1004
client-0:
addresses:
- 100.64.0.3/27
vlan_id: 1000
vlan_raw_device: clients
client-1:
addresses:
- 100.64.0.35/27
vlan_id: 1001
vlan_raw_device: clients
client-2:
addresses:
- 100.64.0.67/27
vlan_id: 1002
vlan_raw_device: clients
client-3:
addresses:
- 100.64.0.99/27
vlan_id: 1003
vlan_raw_device: clients
client-4:
addresses:
- 100.64.0.131/27
vlan_id: 1004
vlan_raw_device: clients
isp-1.rtr.infra.auro.re:
ens18:
gateways:
- 2a09:6840:128::254
- 10.128.0.254
addresses:
- 2a09:6840:128::255/56
- 10.128.0.255/16
ens19: null
clients:
bridge_vlan_aware: true
bridge_ports:
- ens19
bridge_vids:
- 1000-1004
bridge_disable_pvid: true
forward: true
ipv6_addrgen: false
client-0:
forward: true
vlan_id: 1000
vlan_raw_device: clients
ipv6_addrgen: false
client-1:
forward: true
vlan_id: 1001
vlan_raw_device: clients
ipv6_addrgen: false
client-2:
forward: true
vlan_id: 1002
vlan_raw_device: clients
ipv6_addrgen: false
client-3:
forward: true
vlan_id: 1003
vlan_raw_device: clients
ipv6_addrgen: false
client-4:
forward: true
vlan_id: 1004
vlan_raw_device: clients
ipv6_addrgen: false
isp-2.rtr.infra.auro.re:
ens18:
gateways:
- 2a09:6840:128::254
- 10.128.0.254
addresses:
- 2a09:6840:128::158/56
- 10.128.0.158/16
ens19: null
clients:
bridge_vlan_aware: true
bridge_ports:
- ens19
bridge_vids:
- 1000-1004
client-0:
forward: true
vlan_id: 1000
vlan_raw_device: clients
ipv6_addrgen: false
client-1:
forward: true
vlan_id: 1001
vlan_raw_device: clients
ipv6_addrgen: false
client-2:
forward: true
vlan_id: 1002
vlan_raw_device: clients
ipv6_addrgen: false
client-3:
forward: true
vlan_id: 1003
vlan_raw_device: clients
ipv6_addrgen: false
client-4:
forward: true
vlan_id: 1004
vlan_raw_device: clients
ipv6_addrgen: false
ifupdown2__interfaces: "{{ ifupdown2__hosts[inventory_hostname] }}"
roles:
- ifupdown2
- hosts:
- ntp-1.int.infra.auro.re
- dns-1.int.infra.auro.re
- dhcp-1.isp.auro.re
- dhcp-2.isp.auro.re
- isp-1.rtr.infra.auro.re
- isp-2.rtr.infra.auro.re
vars:
resolvconf__nameservers:
- 2a09:6840:128::127
- 10.128.0.127
resolvconf__domain: auro.re
resolvconf__search:
- "{{ inventory_hostname | remove_domain_suffix }}"
- auro.re
roles:
- resolvconf
...

9
playbooks/isc-dhcp-server.yml
View file

@ -1,9 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts: dhcp-*.adm.auro.re
vars:
update_motd:
unbound: isc-dhcp-server est déployé.
roles:
- isc_dhcp_server
- update_motd

32
playbooks/keepalived.yml
View file

@ -1,32 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts:
- isp-1.rtr.infra.auro.re
- isp-2.rtr.infra.auro.re
vars:
keepalived__virtual_router_id: 80
keepalived__interface: ens18
keepalived__virtual_addresses:
client-0:
- 100.64.0.1/27
- 2a09:6841::/56
- fe80::1/10
client-1:
- 100.64.0.33/27
- 2a09:6841:0:100::/56
- fe80::1/10
client-2:
- 100.64.0.65/27
- 2a09:6841:0:100::/56
- fe80::1/10
client-3:
- 100.64.0.97/27
- 2a09:6841:0:200::/56
- fe80::1/10
client-4:
- 100.64.0.129/27
- 2a09:6841:0:300::/56
- fe80::1/10
roles:
- keepalived
...

17
playbooks/knot.yml
View file

@ -1,17 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts: all
roles: []
# WIP: Deploy authoritative DNS servers
# - hosts: authoritative_dns
# vars:
# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
# service_name: dns
# service_version: crans
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o_service

18
playbooks/matrix-synapse.yml
View file

@ -1,18 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Install Matrix Synapse
- hosts: synapse.adm.auro.re
vars:
mxisd_releases: https://github.com/kamax-matrix/mxisd/releases
mxisd_deb: "{{ mxisd_releases }}/download/v1.3.1/mxisd_1.3.1_all.deb"
update_motd:
matrix-synapse: matrix-synapse est déployé.
matrix-appservice-irc: matrix-appservice-irc est déployé.
matrix-appservice-webhooks: matrix-appservice-webhooks est déployé.
roles:
- debian_backports
- nodejs
- matrix_synapse
- matrix_appservice_irc
- matrix_appservice_webhooks
- update_motd

26
playbooks/nginx.yml
View file

@ -1,26 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts: reverseproxy
vars:
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
reverseproxy: '{{ glob_reverseproxy | default({}) | combine(loc_reverseproxy | default({})) }}'
update_motd:
nginx: >-
Le reverse-proxy NGINX est déployé (/etc/nginx).
roles:
- certbot
- nginx
- update_motd
- hosts: nginx,!reverseproxy
vars:
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
update_motd:
nginx: >-
NGINX avec certbot est déployé (/etc/nginx).
roles:
- certbot
- nginx
- update_motd

22
playbooks/postfix.yml
View file

@ -1,22 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Deploy Postfix on non mailhost servers
- hosts: all,!unifi
vars:
local_network: 10.128.0.0/16
relay_host: proxy.adm.auro.re
roles:
- postfix_non_mailhost
# Deploy Re2o mail service
- hosts: mail.auro.re
vars:
service_repo: https://gitea.auro.re/aurore/re2o-mail-server.git
service_name: mail-server
service_version: aurore
service_config:
hostname: re2o-test.adm.auro.re # use test instance for now, should be changed for prod!
username: service-user
password: "{{ vault_serviceuser_passwd }}"
roles:
- re2o_service

170
playbooks/postgresql.yml
View file

@ -1,170 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Install and configure database servers at Saclay
- hosts: bdd.adm.auro.re
vars:
postgresql:
version: 13
hosts:
- database: nextcloud
user: nextcloud
net: 10.128.0.58/32
method: md5
- database: gitea
user: gitea
net: 10.128.0.60/32
method: md5
- database: wikijs
user: wikijs
net: 10.128.0.66/32
method: md5
- database: drone
user: drone
net: 10.128.0.64/32
method: md5
- database: netbox
user: netbox
net: 10.128.0.97/32
method: md5
- database: grafana
user: grafana
net: 10.128.0.98/32
method: md5
- database: dolibarr
user: dolibarr
net: 10.128.0.236/32
method: md5
- database: rt5
user: rt5
net: 10.128.0.123/32
method: md5
databases:
- nextcloud
- gitea
- wikijs
- drone
- netbox
- grafana
- dolibarr
- rt5
users:
- name: nextcloud
database: nextcloud
password: "{{ vault_postgresql_nextcloud_passwd }}"
privs:
- ALL
- name: gitea
database: gitea
password: "{{ vault_postgresql_gitea_passwd }}"
privs:
- ALL
- name: wikijs
database: wikijs
password: "{{ vault_postgresql_wikijs_passwd }}"
privs:
- ALL
- name: drone
database: drone
password: "{{ vault_postgresql_drone_passwd }}"
privs:
- ALL
- name: netbox
database: netbox
password: "{{ vault_postgresql_netbox_passwd }}"
privs:
- ALL
- name: grafana
database: grafana
password: "{{ vault_postgresql_grafana_passwd }}"
privs:
- ALL
- name: dolibarr
database: dolibarr
password: "{{ vault_postgresql_dolibarr_passwd }}"
privs:
- ALL
- name: rt5
database: rt5
password: "{{ vault_postgresql_rt5_passwd }}"
privs:
- ALL
update_motd:
postgresql: PostgreSQL est déployé.
roles:
- postgresql
- update_motd
# Install and configure database servers at OVH
- hosts: bdd-ovh.adm.auro.re
vars:
postgresql:
version: 13
hosts:
- database: etherpad
user: etherpad
net: 10.128.0.150/32
method: md5
- database: codimd
user: codimd
net: 10.128.0.150/32
method: md5
- database: synapse
user: synapse
net: 10.128.0.56/32
method: md5
- database: kanboard
user: kanboard
net: 10.128.0.150/32
method: md5
- database: cas
user: cas
net: 10.128.0.150/32
method: md5
- database: appservice-discord
user: appservice-discord
net: 10.128.0.150/32
method: md5
databases:
- synapse
- codimd
- etherpad
- kanboard
- cas
- appservice-discord
users:
- name: synapse
database: synapse
password: "{{ vault_postgresql_synapse_passwd }}"
privs:
- ALL
- name: codimd
database: codimd
password: "{{ vault_postgresql_codimd_passwd }}"
privs:
- ALL
- name: etherpad
database: etherpad
password: "{{ vault_postgresql_etherpad_passwd }}"
privs:
- ALL
- name: kanboard
database: kanboard
password: "{{ vault_postgresql_kanboard_passwd }}"
privs:
- ALL
- name: cas
database: cas
password: "{{ vault_postgresql_cas_passwd }}"
privs:
- ALL
- name: appservice-discord
database: appservice-discord
password: "{{ vault_postgresql_appservice_discord_passwd }}"
privs:
- ALL
update_motd:
postgresql: PostgreSQL est déployé.
roles:
- postgresql
- update_motd
...

241
playbooks/prometheus.yml
View file

@ -1,241 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts: prometheus-fleming.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
snmp_switch_community: "{{ vault_snmp_switch_community }}"
snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
snmp_ilo_user: aurore
snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
prometheus_servers_targets: |
{{ groups['fleming_pve'] + groups['fleming_vm'] | list | sort }}
prometheus_unifi_snmp_targets: |
{{ groups['fleming_unifi'] | list | sort }}
prometheus_ilo_snmp_targets: |
{{ groups['fleming_ilo'] | list | sort }}
update_motd:
prometheus: >-
Prometheus (en configuration fleming) est déployé (/etc/prometheus).
roles:
- prometheus
- update_motd
- hosts: prometheus-pacaterie.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
snmp_switch_community: "{{ vault_snmp_switch_community }}"
snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
snmp_ilo_user: aurore
snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
prometheus_servers_targets: |
{{ groups['pacaterie_pve'] + groups['pacaterie_vm'] | list | sort }}
prometheus_unifi_snmp_targets: |
{{ groups['pacaterie_unifi'] | list | sort }}
prometheus_ups_snmp_targets:
- ups-pn-1.ups.auro.re
- ups-ps-1.ups.auro.re
prometheus_ilo_snmp_targets: |
{{ groups['pacaterie_ilo'] | list | sort }}
update_motd:
prometheus: >-
Prometheus (en configuration pacaterie) est déployé (/etc/prometheus).
roles:
- prometheus
- update_motd
- hosts: prometheus-edc.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
snmp_switch_community: "{{ vault_snmp_switch_community }}"
snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
snmp_ilo_user: aurore
snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
prometheus_ups_snmp_targets:
- ups-ec-1.ups.auro.re
# - ups-ec-2.ups.auro.re
- ups-ec-3.ups.auro.re
prometheus_servers_targets: |
{{ groups['edc_pve'] + groups['edc_vm'] + groups['edc_server'] | list | sort }}
prometheus_unifi_snmp_targets: |
{{ groups['edc_unifi'] | list | sort }}
prometheus_ilo_snmp_targets: |
{{ groups['edc_ilo'] | list | sort }}
update_motd:
prometheus: >-
Prometheus (en configuration edc) est déployé (/etc/prometheus).
roles:
- prometheus
- update_motd
- hosts: prometheus-gs.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
snmp_switch_community: "{{ vault_snmp_switch_community }}"
snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
snmp_ilo_user: aurore
snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
prometheus_servers_targets: |
{{ groups['gs_pve'] + groups['gs_vm'] | list | sort }}
prometheus_unifi_snmp_targets: |
{{ groups['gs_unifi'] | list | sort }}
prometheus_ups_snmp_targets:
- ups-gk-1.ups.auro.re
prometheus_apc_pdu_snmp_targets:
- pdu-ga-1.ups.auro.re
prometheus_ilo_snmp_targets: |
{{ groups['gs_ilo'] | list | sort }}
update_motd:
prometheus: >-
Prometheus (en configuration gs) est déployé (/etc/prometheus).
roles:
- prometheus
- update_motd
- hosts: prometheus-rives.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
snmp_switch_community: "{{ vault_snmp_switch_community }}"
snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
snmp_ilo_user: aurore
snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
prometheus_ups_snmp_targets:
- ups-r3-1.ups.auro.re
- ups-r1-1.ups.auro.re
prometheus_servers_targets: |
{{ groups['rives_pve'] + groups['rives_vm'] | list | sort }}
prometheus_unifi_snmp_targets: |
{{ groups['rives_unifi'] | list | sort }}
prometheus_ilo_snmp_targets: |
{{ groups['rives_ilo'] | list | sort }}
update_motd:
prometheus: >-
Prometheus (en configuration rives) est déployé (/etc/prometheus).
roles:
- prometheus
- update_motd
- hosts: prometheus-aurore.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
snmp_switch_community: "{{ vault_snmp_switch_community }}"
snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
snmp_ilo_user: aurore
snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
prometheus_servers_targets: |
{{ groups['aurore_pve'] + groups['aurore_vm'] | list | sort }}
prometheus_postgresql_targets: |
{{ groups['bdd'] + groups['radius'] | list | sort }}
prometheus_switch_snmp_targets:
- yggdrasil.switch.auro.re
- sw-pn-serveurs.switch.auro.re
- sw-ec-serveurs.switch.auro.re
- sw-gk-serveurs.switch.auro.re
- sw-fl-serveurs.switch.auro.re
- sw-ff-uplink.switch.auro.re
- sw-fl-core.switch.auro.re
- sw-fd-vcore.switch.auro.re
- sw-fl-vcore.switch.auro.re
- sw-ff-vcore.switch.auro.re
- sw-pn-core.switch.auro.re
- sw-ec-core.switch.auro.re
- sw-gk-core.switch.auro.re
- sw-r3-core.switch.auro.re
prometheus_ilo_snmp_targets: |
{{ groups['aurore_ilo'] | list | sort }}
update_motd:
prometheus: >-
Prometheus (en configuration aurore) est déployé (/etc/prometheus).
roles:
- prometheus
- update_motd
- hosts: prometheus-ovh.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
snmp_switch_community: "{{ vault_snmp_switch_community }}"
snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
snmp_ilo_user: aurore
snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
prometheus_servers_targets: |
{{ groups['ovh_pve'] + groups['ovh_vm'] | list | sort }}
prometheus_postgresql_targets:
- bdd-ovh.adm.auro.re
prometheus_docker_targets:
- docker-ovh.adm.auro.re
update_motd:
prometheus: >-
Prometheus (en configuration ovh) est déployé (/etc/prometheus).
roles:
- prometheus
- update_motd
- hosts: prometheus-federate.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
snmp_ilo_user: aurore
snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
prometheus_servers_targets:
- prometheus-edc.adm.auro.re
- prometheus-gs.adm.auro.re
- prometheus-fleming.adm.auro.re
- prometheus-pacaterie.adm.auro.re
- prometheus-rives.adm.auro.re
- prometheus-aurore.adm.auro.re
- prometheus-ovh.adm.auro.re
update_motd:
prometheus_federate: >-
Prometheus (en configuration fédération) est déployé (/etc/prometheus).
roles:
- prometheus_federate
- update_motd
# Postgres Exporters
- hosts: bdd,radius
roles:
- prometheus_postgres
# Monitor all hosts
- hosts: all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,!aurore_testing_vm,!ovh_container
roles:
- prometheus_node

10
playbooks/radius.yml
View file

@ -1,10 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Deploy Radius
- hosts: radius-*.adm.auro.re
vars:
update_motd:
unbound: FreeRADIUS est déployé.
roles:
- radius
- update_motd

9
playbooks/root.yml
View file

@ -1,9 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts: all,!unifi
vars:
root_shell: /bin/bash
root_password: "{{ vault_root_password }}"
roles:
- root_account
...

23
playbooks/router.yml
View file

@ -1,23 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Deploy firewall and keepalived
# radvd: IPv6 SLAAC (/64 subnets, private IPs).
# Must NOT be on routeur-aurore-*, or will with DHCPv6!
- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
vars:
update_motd:
unbound: Le routage (avec radvd) est déployé.
roles:
- router
- radvd
- update_motd
# No radvd here
- hosts: ~routeur-aurore.*\.adm\.auro\.re
vars:
update_motd:
unbound: Le routage (avec DHCPv6) est déployé.
roles:
- router
- ipv6_edge_router
- update_motd

10
playbooks/rsyslog.yml
View file

@ -1,10 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts: log.adm.auro.re
roles:
- rsyslog_collector
- hosts: all,!unifi
roles:
- rsyslog_common
...

14
playbooks/ssh.yml
View file

@ -1,14 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts: all,!unifi
vars:
openssh_users_ca_public_key:
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
hBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXW\
F1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg=="
openssh_authorized_principals:
- any
- "{{ inventory_hostname }}"
roles:
- openssh_server
...

17
playbooks/switchs-manager.yml
View file

@ -1,17 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts: all
roles: []
# Deploy Re2o switch service
# - hosts: switchs-manager.adm.auro.re
# vars:
# service_repo: https://gitlab.federez.net/re2o/switchs.git
# service_name: switchs
# service_version: master
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o_service

10
playbooks/unbound.yml
View file

@ -1,10 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Deploy unbound DNS server (recursive).
- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
vars:
update_motd:
unbound: Unbound est déployé.
roles:
- unbound
- update_motd

9
playbooks/unifi.yml
View file

@ -1,9 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts: all
roles: []
# Deploy Unifi Controller
# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
# roles:
# - unifi-controller

17
postfix.yml Normal file
View file

@ -0,0 +1,17 @@
---
# All ovh servers should send mail throught proxy
- hosts: ovh:!proxy.adm.auro.re
vars:
local_network: 10.128.0.0/16
relayhost: proxy.adm.auro.re
myorigin: auro.re
roles:
- postfix-non-mailhost
# Proxy should send emails
- hosts: proxy.adm.auro.re
vars:
local_network: 10.128.0.0/16
myorigin: auro.re
roles:
- postfix-mailhost

21
roles/update_motd/templates/00-logo → roles/baseconfig/files/update-motd.d/00-logo Normal file → Executable file
View file

@ -1,23 +1,24 @@
#!/bin/sh
{{ ansible_managed | comment }}
# /etc/update-motd.d/00-logo
# Deployed with Aurore Ansible !
# Pretty uptime
upSeconds="$(/usr/bin/cut -d. -f1 /proc/uptime)"
mins="$((upSeconds / 60 % 60))"
hours="$((upSeconds / 3600 % 24))"
days="$((upSeconds / 86400))"
UPTIME="$(printf "%d jours, %02dh%02dm" "$days" "$hours" "$mins")"
mins=$((${upSeconds}/60%60))
hours=$((${upSeconds}/3600%24))
days=$((${upSeconds}/86400))
UPTIME=`printf "%d jours, %02dh%02dm" "$days" "$hours" "$mins"`
# RAM
RAM="$(free -m | awk 'NR==2{printf "%s/%sMB (%.2f%%)\n", $3,$2,$3*100/$2}')"
DISK="$(df -h | awk '$NF=="/"{printf "%d/%dGB (%s)\n", $3,$2,$5}')"
RAM=`free -m | awk 'NR==2{printf "%s/%sMB (%.2f%%)\n", $3,$2,$3*100/$2 }'`
DISK=`df -h | awk '$NF=="/"{printf "%d/%dGB (%s)\n", $3,$2,$5}'`
# Text font
bold="$(tput bold)"
normal="$(tput sgr0)"
bold=$(tput bold)
normal=$(tput sgr0)
# Logo
cat <<EOF
cat << EOF

      ${bold}Uptime${normal} : ${UPTIME}
    ${bold}Mémoire${normal} : ${RAM}

29
roles/baseconfig/tasks/apt-listchanges.yml
View file

@ -6,27 +6,14 @@
name: apt-listchanges
state: present
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
# Send email when there is something new
- name: Configure apt-listchanges
ini_file:
path: /etc/apt/listchanges.conf
no_extra_spaces: true
section: apt
option: "{{ item.option }}"
value: "{{ item.value }}"
state: present
mode: 0644
loop:
- option: confirm
value: "true"
- option: email_address
value: "{{ monitoring_mail }}"
- option: which
value: both
...
lineinfile:
dest: /etc/apt/listchanges.conf
regexp: "^{{ item.key }}="
line: "{{ item.value }}"
with_dict:
confirm: 'confirm=true'
email_address: "email_address={{ monitoring_mail }}"
which: 'which=both'

21
roles/baseconfig/tasks/apt-unattended.yml
View file

@ -1,21 +0,0 @@
---
- name: Install unattended-upgrades
when: ansible_os_family == "Debian"
apt:
name: unattended-upgrades
state: present
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure unattended-upgrades
template:
src: "apt/{{ item }}.j2"
dest: "/etc/apt/apt.conf.d/{{ item }}"
owner: root
mode: u=rw,g=r,o=r
loop:
- 50unattended-upgrades
- 20auto-upgrades
...

91
roles/baseconfig/tasks/main.yml
View file

@ -3,31 +3,29 @@
- name: Install basic tools
when: ansible_os_family == "Debian"
apt:
name:
- acl # advanced ACL
- apt # better than apt-get
- aptitude # nice to have for Ansible
- bash-completion # because bash
- curl # better than wget
- git # code versioning
- htop # better than top
- iotop # monitor i/o
- less # i like cats
- lsb-release
- molly-guard # prevent reboot
- nano # for vulcain
- ntp # network time sync
- screen # Vulcain asked for this
- sudo
- tmux # For shirenn
- tree # create a graphical tree of files
- vim # better than nano
- zsh # to be able to ssh @erdnaxe
- dnsutils # dig
name: "{{ packages }}"
state: present
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
vars:
packages:
- bash-completion # for bash users
- zsh # alternative shell
- sudo # to gain root access
- git # code versioning
- nano # basic text editor
- vim # like nano but more powerful and complex
- htop # better than top
- less # i like cats
- tree # create a graphical tree of files
- ipython # better Python shell
- acl # for Ansible become support
# Pimp my server
- name: Customize motd
copy:
src: 'update-motd.d/00-logo'
dest: '/etc/update-motd.d/00-logo'
mode: 0755
# Configure APT mirrors on Debian Stretch
- name: Configure APT mirrors
@ -35,8 +33,8 @@
- ansible_distribution == 'Debian'
- ansible_distribution_release == 'stretch'
template:
src: apt/sources.list.j2
dest: /etc/apt/sources.list
src: 'apt/sources.list.j2'
dest: '/etc/apt/sources.list'
mode: 0644
# Patriotisme
@ -52,41 +50,20 @@
question: locales/default_environment_locale
value: fr_FR.UTF-8
vtype: select
notify: Reconfigure locales
notify:
- Reconfigure locales
# Molly-Guard : prevent accidental shutdowns
- include_tasks: molly-guard.yml
# APT-List Changes : send email with changelog
- include_tasks: apt-listchanges.yml
# APT Unattended upgrades
- include_tasks: apt-unattended.yml
# User skeleton
- name: Configure user skeleton
copy:
src: "skel/dot_{{ item }}"
dest: "/etc/skel/.{{ item }}"
mode: 0644
loop:
- zshrc
- zshrc.local
- name: Configure resolvconf
template:
src: resolv.conf
dest: /etc/resolv.conf
mode: 0644
- name: Remove smartmontols
apt:
pkg: smartmontools
state: absent
autoremove: true
when: ansible_system_vendor == "QEMU"
- name: Remove useless packages from the cache
apt:
autoclean: true
- name: Remove dependencies that are no longer required
apt:
autoremove: true
src: skel/{{ item.key }}
dest: /etc/skel/{{ item.value }}
with_dict:
dot_zshrc: .zshrc
dot_zshrc.local: .zshrc.local

15
roles/baseconfig/tasks/molly-guard.yml Normal file
View file

@ -0,0 +1,15 @@
---
# Install molly-guard
- name: Install molly-guard
when: ansible_os_family == "Debian"
apt:
name: molly-guard
state: present
update_cache: true
# Always ask for hostname
- name: Configure molly-guard
lineinfile:
dest: /etc/molly-guard/rc
regexp: '^#*\s*ALWAYS_QUERY_HOSTNAME.*$'
line: 'ALWAYS_QUERY_HOSTNAME=true'

4
roles/baseconfig/templates/apt/20auto-upgrades.j2
View file

@ -1,4 +0,0 @@
// {{ ansible_managed }}
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

22
roles/baseconfig/templates/apt/50unattended-upgrades.j2
View file

@ -1,22 +0,0 @@
// {{ ansible_managed }}
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Package-Blacklist {};
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::InstallOnShutdown "false";
Unattended-Upgrade::Mail "{{ monitoring_mail }}";
// Unattended-Upgrade::MailOnlyOnError "false";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
Unattended-Upgrade::Remove-New-Unused-Dependencies "false";
Unattended-Upgrade::Remove-Unused-Dependencies "false";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::SyslogEnable "true";
Unattended-Upgrade::SyslogFacility "daemon";

4
roles/baseconfig/templates/resolv.conf
View file

@ -1,4 +0,0 @@
domain adm.auro.re
nameserver 10.128.0.253
nameserver 2a09:6840:128::253
nameserver 80.67.169.12

10
roles/basesecurity/handlers/main.yml
View file

@ -1,10 +0,0 @@
---
- name: Restart sshd service
service:
name: sshd
state: restarted
- name: Restart fail2ban service
service:
name: fail2ban
state: restarted

87
roles/basesecurity/tasks/main.yml
View file

@ -1,87 +0,0 @@
---
- name: Configure sysctl
template:
src: sysctl.d/local.conf.j2
dest: /etc/sysctl.d/local.conf
mode: 0644
# Use this command to list setuid or setgid executables
# find / -type f -perm /6000 -ls 2>/dev/null
- name: Desactivate setuid/setgid on unused binaries
file:
path: "{{ item }}"
mode: u-s,g-s
loop:
- /usr/lib/openssh/sshkeysign # Not used
- /usr/bin/gpasswd # No group auth
- /usr/bin/passwd # Only root should change passwd
- /usr/bin/expiry # With re2o
- /usr/bin/newgrp # No group auth
- /usr/bin/chage # With re2o
- /usr/bin/chsh # With re2o
- /usr/bin/chfn # With re2o
- /bin/mount # Only root should mount
- /bin/umount # Only root should umount
ignore_errors: true # Sometimes file won't exist
# Only SSH keys to log on root
- name: Prohibit root SSH with password
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^{{ item.0 }}'
insertafter: '^#{{ item.0 }}'
line: '{{ item.0 }} {{ item.1 }}'
loop:
- ["PermitRootLogin", "prohibit-password"]
- ["AllowAgentForwarding", "no"]
- ["X11Forwarding", "no"]
- ["TCPKeepAlive", "yes"]
notify: Restart sshd service
# See banned client with `fail2ban-client status sshd`
- name: Install fail2ban
apt:
name: fail2ban
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure fail2ban
ini_file:
path: /etc/fail2ban/jail.d/local.conf
section: "{{ item.section }}"
option: "{{ item.option }}"
value: "{{ item.value }}"
state: present
mode: 0644
notify: Restart fail2ban service
loop:
- section: sshd
option: ignoreip
value: 10.128.0.254 # Whitelist bastion
- section: sshd
option: enabled
value: "true"
- section: sshd
option: bantime
value: 600
- section: sshd
option: findtime
value: 600
- section: sshd
option: maxretry
value: 5
# See altered packages and configurations with `debsums -ca`
- name: Install debsums
apt:
name: debsums
state: present
register: apt_result
retries: 3
until: apt_result is succeeded

13
roles/basesecurity/templates/sysctl.d/local.conf.j2
View file

@ -1,13 +0,0 @@
# {{ ansible_managed }}
# See https://www.ssi.gouv.fr/uploads/2016/01/linux_configuration-fr-v1.2.pdf
# Disable core dump of setuid executables
# So an user can't read privileged information in memory
fs.suid_dumpable = 0
# Obfuscate kernel memory addresses
kernel.kptr_restrict = 1
# Restrict dmesg access
# This can leak specific harware failures to exploit
kernel.dmesg_restrict = 1

8
roles/borgbackup_client/defaults/main.yml
View file

@ -1,8 +0,0 @@
---
borg_keep_hourly: 0
borg_keep_daily: 0
borg_keep_weekly: 0
borg_keep_monthly: 0
borg_server_user: borgbackup
borg_server_group: borgbackup
...

5
roles/borgbackup_client/handlers/main.yml
View file

@ -1,5 +0,0 @@
---
- name: Run systemd daemon-reload
systemd:
daemon_reload: true
...

110
roles/borgbackup_client/tasks/main.yml
View file

@ -1,110 +0,0 @@
---
- name: Pin borgmatic
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: root
mode: u=rw,g=r,o=
loop:
- src: apt/list.j2
dest: /etc/apt/sources.list.d/bullseye.list
- src: apt/preferences.j2
dest: /etc/apt/preferences.d/borgmatic-bullseye
when:
- "ansible_distribution == 'Debian'"
- "ansible_distribution_major_version in ('stretch', 'buster', '9', '10')"
- name: Install borgmatic
apt:
name: borgmatic
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Create configuration directory for borgmatic
file:
path: /etc/borgmatic
state: directory
owner: root
group: root
mode: u=rwx,g=rx,o=
- name: Add borgmatic configuration file
become: true
template:
src: config.yaml.j2
dest: /etc/borgmatic/config.yaml
owner: root
group: root
mode: u=rw,g=r,o=
vars:
borg_host_dir: "/borg/{{ inventory_hostname }}"
- name: Create SSH key
openssh_keypair:
path: "/etc/borgmatic/id_remote"
type: ed25519
regenerate: full_idempotence
owner: root
group: root
mode: u=rw,g=,o=
register: ssh_key
- name: Gather SSH host keys
delegate_to: "{{ borg_server_host }}"
command: "ssh-keyscan {{ borg_server_host }}"
register: keys
- name: Add server key to known hosts
known_hosts:
hash_host: true
host: "{{ borg_server_host }}"
key: "{{ item }}"
loop: "{{ keys.stdout_lines }}"
- name: Add public key to remote
delegate_to: "{{ borg_server_host }}"
become: true
authorized_key:
exclusive: false
user: "{{ borg_server_user }}"
key: "{{ ssh_key.public_key }}"
key_options: "{{ options | join(',') }}"
vars:
borg_host_dir: "/borg/{{ inventory_hostname }}"
options:
- 'command="borg serve --restrict-to-path {{ borg_host_dir }}"'
- no-agent-forwarding
- no-port-forwarding
- no-pty
- no-user-rc
- no-X11-forwarding
- name: Init repository
command: borgmatic init --encryption repokey
- name: Install timer and service for borgmatic
template:
src: "{{ item }}.j2"
dest: "/etc/systemd/system/{{ item }}"
owner: root
group: root
mode: u=rw,g=r,o=
loop:
- borgmatic.timer
- borgmatic.service
notify:
- Run systemd daemon-reload
- name: Run systemd deamon-reload
systemd:
daemon_reload: true
- name: Start and enable borgmatic timer
systemd:
name: borgmatic.timer
state: started
enabled: true
...

3
roles/borgbackup_client/templates/apt/list.j2
View file

@ -1,3 +0,0 @@
{{ ansible_managed | comment }}
deb https://deb.debian.org/debian/ bullseye main

9
roles/borgbackup_client/templates/apt/preferences.j2
View file

@ -1,9 +0,0 @@
{{ ansible_managed | comment }}
Package: *
Pin: release n=bullseye
Pin-Priority: 1
Package: borgmatic
Pin: release n=bullseye
Pin-Priority: 900

32
roles/borgbackup_client/templates/borgmatic.service.j2
View file

@ -1,32 +0,0 @@
{{ ansible_managed | comment }}
[Unit]
Description=Service for borgmatic backup
Wants=network-online.target
After=network-online.target
ConditionACPower=true
[Service]
Type=simple
ProtectSystem=full
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
# Lower CPU and I/O priority.
Nice=19
CPUSchedulingPolicy=batch
IOSchedulingClass=best-effort
IOSchedulingPriority=7
IOWeight=100
Restart=no
# Prevent rate limiting of borgmatic log events. If you are using an older
# version of systemd that doesn't support this (pre-240 or so), you may have
# to remove this option.
LogRateLimitIntervalSec=0
# Delay start to prevent backups running during boot. Note that
# systemd-inhibit requires dbus and dbus-user-session to be installed.
# ExecStartPre=sleep 1m
ExecStart=systemd-inhibit --who="borgmatic" \
--why="Prevent interrupting scheduled backup" \
/usr/bin/borgmatic -v 2

17
roles/borgbackup_client/templates/borgmatic.timer.j2
View file

@ -1,17 +0,0 @@
{{ ansible_managed | comment }}
[Unit]
Description=Timer for borgmatic backup
[Timer]
{% if borg_keep_hourly > 0 %}
OnCalendar=hourly
RandomizedDelaySec=60m
{% else %}
OnCalendar=daily
RandomizedDelaySec=24h
{% endif %}
FixedRandomDelay=true
[Install]
WantedBy=timers.target

51
roles/borgbackup_client/templates/config.yaml.j2
View file

@ -1,51 +0,0 @@
---
{{ ansible_managed | comment }}
location:
source_directories:
{% for source in borg_backup_directories %}
- {{ source }}
{% endfor %}
exclude_patterns:
{% for exclude in borg_backup_exclude %}
- {{ exclude }}
{% endfor %}
repositories:
- {{ borg_server_user }}@{{ borg_server_host }}:{{ borg_host_dir }}
borgmatic_source_directory: /var/backups
storage:
encryption_passphrase: "{{ borg_encryption_passphrase }}"
ssh_command: ssh -i /etc/borgmatic/id_remote
# compression: 'lz4'
# umask: 0077
# lock_wait: 5
# archive_name_format: '{hostname}-{now}'
retention:
{% if borg_keep_hourly > 0 %}
keep_hourly: {{ borg_keep_hourly }}
{% endif %}
{% if borg_keep_daily > 0 %}
keep_daily: {{ borg_keep_daily }}
{% endif %}
{% if borg_keep_weekly > 0 %}
keep_weekly: {{ borg_keep_weekly }}
{% endif %}
{% if borg_keep_monthly > 0 %}
keep_monthly: {{ borg_keep_monthly }}
{% endif %}
consistency:
checks:
- repository
- archives
{% if borg_postgresql_databases is defined %}
hooks:
postgresql_databases:
- name: all
username: postgres
{% endif %}
...

5
roles/borgbackup_server/defaults/main.yml
View file

@ -1,5 +0,0 @@
---
borg_server_user: borgbackup
borg_server_group: borgbackup
borg_home_dir: /var/lib/borgbackup
...

38
roles/borgbackup_server/tasks/main.yml
View file

@ -1,38 +0,0 @@
---
- name: Install borg
apt:
name: borgbackup
state: present
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Create a local group for borg
become: true
group:
name: "{{ borg_server_group }}"
system: true
- name: Create a local user for borg
become: true
user:
home: "{{ borg_home_dir }}"
create_home: true
comment: Local user for borgbackup server
name: "{{ borg_server_user }}"
group: "{{ borg_server_group }}"
system: true
# Does not constitute a valid hash, preventing from login via password
password: "*"
update_password: always
- name: Create backup directory
become: true
file:
path: "{{ borg_server_backups_dir }}"
state: directory
owner: "{{ borg_server_user }}"
group: "{{ borg_server_group }}"
mode: u=rwx,g=,o=
...

51
roles/certbot/tasks/main.yml
View file

@ -1,51 +0,0 @@
---
- name: Install certbot and RFC2136 plugin
apt:
update_cache: true
name:
- certbot
- python3-certbot-dns-rfc2136
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Add DNS credentials
template:
src: letsencrypt/rfc2136.ini.j2
dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
mode: 0600
owner: root
loop: "{{ certbot }}"
- name: Add dhparam
template:
src: "letsencrypt/dhparam.j2"
dest: "/etc/letsencrypt/dhparam"
mode: 0600
- name: Create /etc/letsencrypt/conf.d
file:
path: /etc/letsencrypt/conf.d
state: directory
mode: 0755
- name: Add Certbot configuration
template:
src: "letsencrypt/conf.d/certname.ini.j2"
dest: "/etc/letsencrypt/conf.d/{{ item.certname }}.ini"
mode: 0644
loop: "{{ certbot }}"
- name: Run certbot
command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
loop: "{{ certbot }}"
- name: Clean old files
file:
path: "{{ item }}"
state: absent
loop:
- "/etc/letsencrypt/options-ssl-nginx.conf"
- "/etc/letsencrypt/ssl-dhparams.pem"
- "/etc/letsencrypt/rfc2136.ini"

28
roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
View file

@ -1,28 +0,0 @@
{{ ansible_managed | comment(decoration='# ') }}
# To generate the certificate, please use the following command
# certbot --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Always use the staging/testing server
# server = https://acme-staging.api.letsencrypt.org/directory
# Uncomment and update to register with the specified e-mail address
email = {{ item.mail }}
# Uncomment to use a text interface instead of ncurses
text = True
# Yes I want to sell my soul and my guinea pig.
agree-tos = True
# Use DNS-01 challenge
authenticator = dns-rfc2136
dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini
dns-rfc2136-propagation-seconds = 30
# Wildcard the domain
cert-name = {{ item.certname }}
domains = {{ item.domains }}

8
roles/certbot/templates/letsencrypt/dhparam.j2
View file

@ -1,8 +0,0 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----

7
roles/certbot/templates/letsencrypt/rfc2136.ini.j2
View file

@ -1,7 +0,0 @@
{{ ansible_managed | comment(decoration='# ') }}
dns_rfc2136_server = {{ item.dns_rfc2136_server }}
dns_rfc2136_port = 53
dns_rfc2136_name = {{ item.dns_rfc2136_name }}
dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
dns_rfc2136_algorithm = HMAC-SHA512

11
roles/chronyd/defaults/main.yml
View file

@ -1,11 +0,0 @@
---
chronyd__pools: []
chronyd__key_file: /etc/chrony/chrony.keys
chronyd__drift_file: /var/lib/chrony/chrony.drift
chronyd__nts_dump_dir: /var/lib/chrony
chronyd__log_dir: /var/log/chrony
chronyd__max_update_skew: 100.0
chronyd__rtcsync: true
chronyd__allow_networks: []
chronyd__log_change_seconds: 0.5
...

6
roles/chronyd/handlers/main.yml
View file

@ -1,6 +0,0 @@
---
- name: Restart chronyd
systemd:
name: chrony.service
state: restarted
...

32
roles/chronyd/tasks/main.yml
View file

@ -1,32 +0,0 @@
---
- name: Uninstall ntp and sntp
apt:
name:
- sntp
- ntp
- systemd-timesyncd
state: absent
- name: Install chronyd
apt:
name: chrony
- name: Configure chronyd
template:
src: "{{ item }}.j2"
dest: "/etc/chrony/{{ item }}"
owner: root
group: root
mode: u=rw,g=r,o=
loop:
- chrony.conf
- chrony.keys
notify:
- Restart chronyd
- name: Enable and start chronyd
systemd:
name: chrony.service
enabled: true
state: started
...

30
roles/chronyd/templates/chrony.conf.j2
View file

@ -1,30 +0,0 @@
{{ ansible_managed | comment }}
{% for pool in chronyd__pools %}
pool {{ pool }} iburst
{% endfor %}
keyfile {{ chronyd__key_file }}
driftfile {{ chronyd__drift_file }}
ntsdumpdir {{ chronyd__nts_dump_dir }}
logdir {{ chronyd__log_dir }}
log tracking measurements statistics
maxupdateskew {{ chronyd__max_update_skew | float }}
{% if chronyd__rtcsync %}
rtcsync
{% endif %}
{% if chronyd__local_stratum is defined %}
local stratum {{ chronyd__local_stratum | int }}
{% endif %}
logchange {{ chronyd__log_change_seconds | float }}
leapsectz right/UTC
{% for network in chronyd__allow_networks %}
allow {{ network | ipaddr }}
{% endfor %}

1
roles/chronyd/templates/chrony.keys.j2
View file

@ -1 +0,0 @@
{{ ansible_managed | comment }}

12
roles/codimd/handlers/main.yml Normal file
View file

@ -0,0 +1,12 @@
---
# Build front-end bundle
- name: Build front-end for CodiMD
command: npm run build
args:
chdir: /var/local/codimd/codimd
become: true
become_user: codimd
# Reload systemd daemons when a service file changes
- name: Reload systemd daemons
command: systemctl daemon-reload

23
roles/codimd/tasks/0_apt_dependencies.yml Normal file
View file

@ -0,0 +1,23 @@
---
# For NodeJS package
- name: Configure NodeJS pin
when:
- ansible_distribution == 'Debian'
- ansible_distribution_release == 'stretch'
template:
src: apt/nodejs.j2
dest: /etc/apt/preferences.d/nodejs
mode: 0644
# Install CodiMD dependencies
- name: Install required packages
apt:
name: "{{ item }}"
state: present
update_cache: true
with_items:
- git
- nodejs
- npm
- build-essential
- zlib1g-dev # uws module

26
roles/codimd/tasks/1_user_group.yml Normal file
View file

@ -0,0 +1,26 @@
---
# Security #1
- name: Create CodiMD system group
group:
name: codimd
system: yes
state: present
# Security #2
- name: Create CodiMD user
user:
name: codimd
group: codimd
home: /var/local/codimd
comment: CodiMD
system: yes
state: present
# Security #3
- name: Secure CodiMD home directory
file:
path: /var/local/codimd
state: directory
owner: codimd
group: codimd
mode: 0750

68
roles/codimd/tasks/main.yml Normal file
View file

@ -0,0 +1,68 @@
---
# Install APT dependencies
- include_tasks: 0_apt_dependencies.yml
# Create CodiMD user and group
- include_tasks: 1_user_group.yml
# Download CodiMD
# TODO : temporally disabled until 1.3.0 is out (because of uws bug)
# - name: Clone CodiMD project
# git:
# repo: https://github.com/hackmdio/codimd.git
# dest: /var/local/codimd/codimd
# version: 1.2.1
# become: true
# become_user: codimd
# notify: Build front-end for CodiMD
# Setup dependencies and configs
- name: Install CodiMD depedencies
command: bin/setup
args:
chdir: /var/local/codimd/codimd
become: true
become_user: codimd
# Connection to database
- name: Connect CodiMD to PostgreSQL db
template:
src: sequelizerc.j2
dest: /var/local/codimd/codimd/.sequelizerc
owner: codimd
group: codimd
mode: 0600
# Update database
- name: Migrate the db to the latest schema
command: node_modules/.bin/sequelize db:migrate
args:
chdir: /var/local/codimd/codimd
become: true
become_user: codimd
# Configure
- name: Configure CodiMD
template:
src: config.json.j2
dest: /var/local/codimd/codimd/config.json
owner: codimd
group: codimd
mode: 0600
# Service file
- name: Install CodiMD systemd unit
template:
src: 'systemd/codimd.service.j2'
dest: '/etc/systemd/system/codimd.service'
owner: root
group: root
mode: 0644
notify: Reload systemd daemons
# Run
- name: Ensure that CodiMD is started
service:
name: codimd
state: started
enabled: true

0
roles/nodejs/templates/apt/nodejs.j2 → roles/codimd/templates/apt/nodejs.j2
View file

Some files were not shown because too many files have changed in this diff Show more