Use Afone network as triggers

Indent nftables sets literals
Use group vars and rename some nftables vars
2021-03-10 09:46:41 +01:00 · 2021-03-10 09:43:31 +01:00 · 2021-03-10 08:29:15 +01:00 · 2021-03-10 08:28:16 +01:00 · 2021-03-10 06:57:59 +01:00 · 2021-03-10 06:23:21 +01:00
226 changed files with 2980 additions and 6663 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -1,10 +1,7 @@
 skip_list:
-  - no-changed-when
+  - '301'
  - load-failure
  - document-start
  - meta-no-info
  - ignore-errors
-exclude_paths:
+warn_list:
-  - group_vars/all/vault.yml
+  - '305'  # Use shell only when shell functionality is required
-  - utils/
+  - '503'  # Tasks that run when changed should likely be handlers
  - experimental  # all rules tagged as experimental
--- a/.drone.yml
+++ b/.drone.yml
@ -4,8 +4,16 @@ type: docker
 name: check
 steps:
-  - name: ansible and yaml linting
+  - name: yamllint
-    image: quay.io/ansible/toolset:3.5.0
+    image: python:3.9-alpine
    commands:
-      - ansible-lint
+      - pip install yamllint==1.25.0
      - yamllint -c .yamllint.yml .
  - name: ansible-lint
    image: python:3.9-alpine
    commands:
      - apk add --no-cache gcc libc-dev libffi-dev openssl-dev
      - pip install ansible-lint==4.3.7
      - ansible-lint *.yml
 ...
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -0,0 +1,19 @@
 ---
 image: python:3.9-alpine
 stages:
  - lint
 yamllint:
  stage: lint
  script:
    - pip install yamllint==1.25.0
    - yamllint -c .yamllint.yml .
 ansible-lint:
  stage: lint
  script:
    - apk add gcc libc-dev libffi-dev openssl-dev
    - pip install ansible-lint==4.3.7
    - ansible-lint *.yml
 ...
--- a/.yamllint.yml
+++ b/.yamllint.yml
@ -6,5 +6,6 @@ rules:
    max: 120
    level: warning
  document-start:
-    ignore: group_vars/all/vault.yml
+    ignore: |
      /groups_var/all/vault.yml
 ...
--- a/README.md
+++ b/README.md
@ -1,10 +1,7 @@
 [![Linter Status](https://drone.auro.re/api/badges/Aurore/ansible/status.svg)](https://drone.auro.re/Aurore/ansible)
 # Recettes Ansible d'Aurore
-Dépendances requises :
+Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore.
-
+Pour les utiliser, vérifiez que vous avez au moins Ansible 2.7.
 * Ansible 2.9 ou plus récent.
 ## Ansible 101
@ -89,11 +86,8 @@ On va utiliser plutôt `ProxyJump`.
 Dans la configuration SSH :
 ```
-Host *.adm.auro.re *.pve.auro.re
+# Use a proxy jump server to log on all Aurore inventory
-    # Accept new host keys
+Host 10.128.0.* *.adm.auro.re
    StrictHostKeyChecking accept-new
    # Use passerelle to connect to administration VLANs
    ProxyJump passerelle.auro.re
 ```
--- a/ansible.cfg
+++ b/ansible.cfg
@ -1,17 +1,38 @@
 # Ansible configuration
 [defaults]
-ask_vault_pass = True
+
-roles_path = ./roles
+# Do not create .retry files
 retry_files_enabled = False
 # Use inventory
 inventory = ./hosts
-filter_plugins = ./filter_plugins
+
-ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S
+# Custom header in templates
 ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S by {uid}
 # Do not use cows (with cowsay)
 nocows = 1
 # Do more parallelism
 forks = 15
 # Some SSH connection will take time
 timeout = 60
-remote_user = root
+
 [privilege_escalation]
 # Use sudo to get priviledge access
 become = True
 # Ask for password
 become_ask_pass = True
 [diff]
 # TO know what changed
 always = yes
 [ssh_connection]
 pipelining = True
--- a/playbooks/base.yml
+++ b/playbooks/base.yml
@ -5,6 +5,13 @@
  roles:
    - baseconfig
    - basesecurity
 # Plug LDAP on all servers
 - hosts: all,!unifi
  roles:
    - ldap_client
 # Install logrotate
 - hosts: all,!unifi,!pve
  roles:
    - logrotate
    - update_motd
--- a/copy-keys.sh
+++ b/copy-keys.sh
@ -0,0 +1,20 @@
 #!/bin/bash
 set -e
 # Grab valid unique hostnames from the Ansible inventory.
 HOSTS=$(grep -ve '^[#\[]' hosts \
 | grep -F adm.auro.re \
 | sort -u)
 # Ask password
 read -s -p "Hello adventurer, what is your LDAP password? " passwd
 echo
 for host in $HOSTS; do
  echo "[+] Handling host $host"
  # sshpass can be used for non-interactive password authentication.
  # place your password in ldap-password.txt.
  SSHPASS=${passwd} sshpass -v -e ssh-copy-id -i ~/.ssh/id_rsa "$host"
 done
--- a/deploy_all.sh
+++ b/deploy_all.sh
@ -1,3 +0,0 @@
 #!/usr/bin/env bash
 # Deploy all playbooks
 ansible-playbook playbooks/*.yml $@
--- a/filter_plugins/net_utils.py
+++ b/filter_plugins/net_utils.py
@ -1,40 +0,0 @@
 import ipaddress
 from operator import attrgetter
 import dns.name
 class FilterModule:
    def filters(self):
        return {
            "remove_domain_suffix": remove_domain_suffix,
            "ipaddr_sort": ipaddr_sort,
        }
 def remove_domain_suffix(name):
    parent = dns.name.from_text(name).parent()
    return parent.to_text()
 def ipaddr_sort(addrs, types, unknown_after=True):
    check_types = {
        "global": attrgetter("is_global"),
        "link-local": attrgetter("is_link_local"),
        "loopback": attrgetter("is_loopback"),
        "multicast": attrgetter("is_multicast"),
        "private": attrgetter("is_private"),
        "reserved": attrgetter("is_reserved"),
        "site_local": attrgetter("is_site_local"),
        "unspecified": attrgetter("is_unspecified"),
    }
    def addr_weight(addr):
        if isinstance(addr, str):
            addr = ipaddress.ip_address(addr.split("/")[0])
        for index, ty in enumerate(types):
            if check_types[ty](ipaddress.ip_address(addr)):
                return index
        return len(types) if unknown_after else -1
    return sorted(addrs, key=addr_weight)
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -17,7 +17,9 @@ ldap_admin_password: "{{ vault_ldap_admin_password }}"
 ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}"
 # Databases
-postgresql_services_url: 'bdd-ovh.adm.auro.re'
+postgresql_services_url: 'services-bdd.adm.auro.re'
 postgresql_synapse_passwd: "{{ vault_postgresql_synapse_passwd }}"
 postgresql_codimd_passwd: "{{ vault_postgresql_codimd_passwd }}"
 # Scripts will tell users to go there to manage their account
 intranet_url: 'https://re2o.auro.re/'
@ -88,23 +90,85 @@ ipv6_base_prefix: "2a09:6840"
 is_aurore_host: "{{ 'aurore_vm' in group_names }}"
-# Borgbackup
+nftables_interco_v4:
-borg_keep_daily: 7
+  - 10.129.0.0/16
-borg_keep_weekly: 4
+  - 192.168.0.0/31
-borg_keep_monthly: 12
+  - 192.168.0.2/31
 borg_backup_directories:
  - /etc
  - /var
 borg_backup_exclude:
  - /var/log
  - /var/lib/docker
  - /var/lib/lxcfs
 borg_encryption_passphrase: "{{ vault_borg_encryption_passphrase }}"
-borg_server_host: 10.128.0.4
+nftables_interco_v6:
  - 2a09:6840:129::0/48
-rsyslog_outputs:
+nftables_adm_v4:
-  - proto: relp
+  - 10.133.0.0/16
-    address: 10.128.0.241
+
-    port: 20514
+nftables_adm_v6:
  - 2a09:6840:133::0/48
 nftables_bastions_v4:
  - 10.133.0.250
 nftables_bastions_v6:
  - 2a09:6840:133::250
 nftables_svc_v4:
  - 10.128.0.0/16
  - 10.132.0.0/16
 nftables_svc_v6:
  - 2a09:6840:128::0/48
  - 2a09:6840:132::0/48
 nftables_members_v4:
  - 10.10.0.0/16
  - 10.11.0.0/16
  - 10.20.0.0/16
  - 10.21.0.0/16
  - 10.30.0.0/16
  - 10.31.0.0/16
  - 10.40.0.0/16
  - 10.41.0.0/16
  - 10.50.0.0/16
  - 10.51.0.0/16
 nftables_members_v6:
  - 2a09:6840:10::0/48
  - 2a09:6840:11::0/48
  - 2a09:6840:12::0/48
  - 2a09:6840:20::0/48
  - 2a09:6840:21::0/48
  - 2a09:6840:22::0/48
  - 2a09:6840:30::0/48
  - 2a09:6840:31::0/48
  - 2a09:6840:32::0/48
  - 2a09:6840:40::0/48
  - 2a09:6840:41::0/48
  - 2a09:6840:42::0/48
  - 2a09:6840:50::0/48
  - 2a09:6840:51::0/48
  - 2a09:6840:52::0/48
 nftables_signup_v4:
  - 10.13.0.0/16
  - 10.23.0.0/16
  - 10.33.0.0/16
  - 10.43.0.0/16
  - 10.53.0.0/16
 nftables_signup_v6:
  - 2a09:6840:13::0/48
  - 2a09:6840:23::0/48
  - 2a09:6840:33::0/48
  - 2a09:6840:43::0/48
  - 2a09:6840:53::0/48
 # Afone network
 nftables_signup_triggers_v4:
  - 217.112.64.0/20
  - 46.255.48.0/21
  - 77.74.240.0/21
  - 93.191.184.0/21
 # Afone network
 nftables_signup_triggers_v6:
  - 2a02:20f8::/32
 ...
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@ -1,246 +1,199 @@
 $ANSIBLE_VAULT;1.1;AES256
-64313161633263303464663933363265373935633862653634643862343232643432343966376438
+61303436333132666364303233623130666161303631316436336533656130366363356436626331
-6134633764383937373966346538306530316539303966320a363035303038616435383366656532
+6362656232663832643837303964636330393239386531650a383635343032633566393536653439
-39346463396563626166333362306464343836386365303836356461323663633831636562393039
+66326133633561323362643730356461366633306363333265663964393962646534656463333865
-3832636432626238350a666566323435623834396166656233306639333830343130326265616234
+3962653036363361390a303538383036383733643231363936653161306635396365323339643261
-61666365663963643437386530363261306438376665386463376366363662656161316263303831
+30373263656337613535643137616634633737363264396230336631643366643130623835383233
-61393136363934316462616131326463333736656136643038623061313363386538393833663637
+65616632666135636261303665323537626230656537326538363332653565353031643739366237
-36373565333566306632313865646538633532393731313430633462666334323762653337383338
+37336666376133383136353062666435373738353333386130633265333333663463396236393565
-63313433333835653366363061343839326131666139346563306366656365316663333438363837
+62366332323939353335613535306235316530316339643537363538633432373532323833373162
-33323165353936343165646464306434303161313139653561346461653537616164623434376534
+35666261363862623433636266303236663439303737313136343632623661623837616136643438
-33666662343734633766356230383761353239333632613031396365346536373432363433633564
+33336237306136376165653236303261643563393134313636376237313436373830366531643261
-61633762393033343336373864653438336436613630366539333731383336346665313732396265
+39633364333633343835333763663230373862326431383130353237353662346362343330383264
-32356138666135383562656366353131366436363464643630656130303437623131333239386363
+63333137626464363638643762383162616437373366316565313131636635636665653937636565
-66373866393064306565306565386230373638633733326661333065633136633130323963323765
+36356236643364616262343837393631646363373432626534633064393930316330653930656465
-30353262323835313365383562326363343965636634376133613331363133313030346561653931
+66306335313164306134636664623331393766373337373438306130363137666366383737643634
-39363636636235646131353034663861336362383263613165323230366439383561653165363764
+65336130616431626331393330313263366132663766663662376461313431373838303562656361
-65366130623362623539393461363832353435616266393036386439303834316635366438393936
+65626161653164663730353562383833313334343761313533636437373061376634303662646633
-33383933366262636232383066663130383965306137356363363539633661373664613738336539
+34666666333461353437353564633939393731336664393238376566306234653834323431663666
-31363131616135623039346465623530376533386263343836376662316562386530336266303062
+62386665306437643735326133366131366132613438366662383530666632353964636634363236
-64386531303938623939653635313163633261336339366139666135323130653862346132646636
+61333261323731633236353161616130653566333432313631633766343937653532616165626133
-30363065303235346331333434653331646333616337623562643564366435613938643235333664
+65376635336434336263333362383864313831616362373535306265303330336436363865343234
-30626164373030303237656366623631396138333265383566333664663061613536666363623630
+63393461303739316536353466666665316135373333336363333661353761376363313963613165
-61623362383439636239336234333161366635306432363230366630383836326330343932303863
+63666137376333643165346134613164373065646334306537663765346538343439663337373938
-39393232373831363863333332636362396639663831656266336430313837666463336439353332
+31313334333561626631613332353234303139363033663362616236386536326466303662643861
-63303036633433323439613535326663633332346565646338353761363733643766363132666365
+36376261636332323264336136633634663330353562373731626133646163323965373161306631
-34303865656262303563323665363730663062626537363461646363636461633762663237366366
+35653136323133323733656439643732366564633437346334613337356461393563343063626337
-64393133656464643065633634313261336662646435313735306266316132636530393631353830
+30633030653133616239616332356661373265616139383234613933653462626563623166656632
-61303939373363323131316463333136326365333430626266376636356130396239323464353937
+62643739313436343162656339656231363534646363646437613839383935336436306230613534
-64616232373532396334343433636332353530386662633164353235626361623164313039336666
+64353436373134336435643062306163636231636466386662616138376535633536323766333566
-31636434666437393839393133633961373139313663616366373239386163623064373836376164
+39343135643263356439663030643364613264363766643663353131343538343361383166353232
-62316638366366376134386231306435616138656461373633393339653532363434393834393430
+61343261613234326565323334626266373362656335323638613661363236386463353232646563
-37363335623934306661333135343266663464623438353665613330356236323036363139643064
+37383339333338653165663665366165366436386439313032643864333863646634323439613861
-62383934363465316338393065383935646134353230376131613935613431656333383565353134
+33353032663466623962313033393139336562666331656162313938643439643762626666653662
-34643866353131653061623236306536363163373639396564336434653839346263303930633663
+35313436646231313131623631326438343166376339656431356235613436316130626631323130
-39393935636235313431303032336361313730373238333732626465346662363038636361383631
+31336131396237623339663866646531663737366532396138343261653564376562383664343636
-65393433346363366337383233646166306339653533646632623262376630383265393438326135
+34656236646665346663366231643831346237646338343063376266336363366462333932373162
-31643039333835666338383762336163336337343532393063323165636531353361613731363065
+37333665326438663539623233356565636133656566323761386139313032386330366166623235
-65303637396332613432663636326334646635346237396461636366356133303333306239393739
+65653964616262666233396338633233333037356562623236636233313666343266353162366136
-34353966653662346230383865643231313239626533643761366162613164333132373636623237
+64656330306263636362646163366165333937366230646132636431343034343430643336623638
-32356335643766646266646266633366363165373861306433316561363166363865303133633939
+34333862303133313336303163343031376535346235343164383535633666373332343365386634
-34633132343438363034323638376666313061383965323566646463653163313235373364386666
+38363937343061376435313330323566366539323733363266653665623064356532323464633531
-62393865373137343237306637363536383939303833663532396333313931336162333837613935
+31646539626339643263333166636565666362373564643332376436636238633837376436356335
-66383266343735396337663936333162323738383264376533316536376563396333343263643931
+39366561366537386130613737643036303034333137373234393133393439656563343463626564
-65646535363337373865353265306434356432353066656665366638353331366334366339613538
+64353666373834356336336131613438623263663731343462623539623830343538393336643961
-32373637633564613861626538373365336362313434633137613966353861393462623862663330
+38633962393932363737653564353935666136623063333131663335646263383365616262386337
-64386431373066306334383863366133333564373163386433313231363366393830343230323734
+61353537636330333166383364386234626264373366633233313733636539633733646363376562
-61633962356637326538336663386330653563353763663236623539363630626363323237333237
+36356537393832313465626230356332393634393138623063623438356235633761643465383565
-30656139626561313064323330373032323031343137366638303966313832646365666238326337
+66623262616433383032396465633161663663623761643039343066326464353832353165623736
-63306363613361653933306234386163383837666430616663383664386563323839326232383761
+64393830643936323131326635366239383239643864313264333430353863663634626366663236
-35373539626438356539393266653864353066633365383437623437356464383335383039343137
+61653630356465346239363338323131346263373262646331653561663635343739653930373332
-61373539343631373932373033656233323964353666626162386537616333366562346265656238
+63643930356533643066313132623235623066393231653834363032303632663862346637366638
-35396130356166303564303036383664656435626534303064653363316464616335303965376330
+64646339373466333630343936306531656438323539303334346665306534303063383963376161
-61646638383138323265313631613037396561626162306661653231646230343139656135333236
+33313532656133386232663432386631643335666562613635623938636564393065643737373138
-63303838316266333665636335663361656262353066666430656162323236633564313337353665
+63336264373363663132616136636231323464353134663233363135663061333562333135633630
-35363565303736633564356632346632343832363934343962313030646132663566346664313632
+66313137353362613534383832393432333531333730386633633631666139646332343261383635
-38393061613163356265643434626166393366366634343032626637333332316361663639623534
+33623334386131353265396532353330346231666430343632323633373331376330643538646636
-62323239373639393337373537646232663531653835356165313264663561623633633830373734
+65366164663033303766663965633764633366336434613031386534353735336634343733613537
-31336234613633666538373961626430316530346462343061323661353564323938353338373961
+33303932336434306564363233646333393863356139656664393330653564633930646233663038
-64616637303734303333626166306330613238646265636136653939363936356165356232396436
+66363030666331333662343662623262343434613062333732663361346164633135343539313531
-65353731633836363433616534636330663565643561363233396538386430393964353433616437
+32383237323239663431623937383439323433393032383061623030363963373339643930323435
-36343936313936303165396236393463646363383338366238363961666530623335653234656139
+38343339343332633139306335633566373831346231643633363461623766313632373832343436
-65346337663437623134376137326166323933613861663032623965643538343638376234316232
+30653433643133303733613866303063316661346564336436643630663936643430393231643237
-36333065323234663263343630353739313661373536316162366532336438373263303730626464
+62636131643832613862653464383237643035313039333430656439623231363465333762613061
-38613136393166626663636631363064303736666235333036616435373063363762666565363136
+66313766633032353239653235633532616235633562333431353037643435343763663565316536
-38333966303831313333613831313132633062616235353365313533386236613338373130303836
+36333833636237393639386362656365653639396139386462323435613136373137373331383231
-61326262313833306437366364316433393931353265326131653563656131333436376338613266
+61653139653233373962393835656139313833656433363764366161663964346562343763313666
-39326632613366666136643137303635336631353230396435313537656366326239626362313833
+32643331363931303665333262333761303262393939316639373132666430626264366265373733
-62653039343261613265306362323234623264366664306561663839306631663465303962386462
+66316138383033636431366664393238633433653238373266323137643933366539343563623564
-39353934643562383762623937643034383534393962333466613636346637323235346438666636
+34616233336435656265353235643962663937646234336435653765366462316434666431383266
-31613838313535666166663063373333653439313035346266666463623666613837313933623837
+30626638383233623833356434333164333365633962303131306364653133313236333861323839
-63343565663739393764353761316432626237346234663032316131306262356233333439323961
+37313634633838303232343465333737613733653933323930646237333431666232383235613563
-38646664383030303832646563393836643135303731306435383338623633626638306165386637
+32653866653533616164306435346336396363626633303932363331356362656461313130623331
-65393238653464623032336437643838333932366131656332333165376261383539386466343139
+37333064356236303265626637393462303366363938633361646231326539363666616135666661
-65613733383837323832303738363664653138613830376333363038383839623463623631666237
+36626264373532356633393465363730383565306636626565373265316436356434363833363766
-63363263396533353763373934373034643763376665316638353435663635346135333265363235
+31653462333661313432343634376530333230343535393133323033663132393436303238356166
-62663432343935343964626432353563313036303761393039386231343530663737633466643035
+35353332613433376337343936303066666639306432343730333665383331373234353562613764
-65343835353037643539316439666666633866356530363237373230373439373133313337653237
+62313865303161393864656233383832386138366133373736326530646632316162626432636534
-66613631373637313534353862653437393234363365323032393035376438616264336661616262
+34623232306364333031616637343036323835336532616432393238653665613766356434313161
-37336435326135373065353564383637626637343532396331623334643139386364316431376435
+37666230303066333662653339353064663766373761656463613363623234653534313132383365
-36356566363033636539363430356565373039363863396565643730656531346364626334393436
+65376430623734613735663866613837396232633462366563666463333533383932356462386165
-33343839303538383530363231366166623233333730323163323432373831313639626337346230
+65323134333838323534643237366133326234323039373263663032653035363133653664616266
-30333930333064393337616564386163623436613933623466353933393733346339383534633239
+33353966623939333962633366383163613630373537326562303638303064333736353831383634
-30633365313364666566643533326163336330323232353533316633313739343035383465376330
+34646663643034323035356131333537613966396232323363366262366535373632663931306237
-65356139386463633565366132383832643032333234633964373437633836343435393631396166
+31313461653430343461356164326466383165333833633266333536326537663964613832326435
-34633439643764623936366536353931646132373539326238303761383339643661616266646130
+62633061666165383966633264376439633333663766323864313564373962373664346238353432
-30393166393465326365393130636136336433623262346435353936306133616135653734383635
+38663430386665336533303066353130336334336532643866623036373437303064643234353539
-65393530633836613937346430366337626365363361663533313837363063396538663766646566
+34356664383464303361326336633839313634626365333137626164623261646561646137326537
-63373639653732353135343562353266316164303863336365303635653464393232613939396131
+63376330373432356661383133343230366338386164386630623266376461663463346136366666
-30636361343932663233663566656131363938656161623966316366656561343166336532613666
+32663633313462643831396365373464663365663737323432626563643633393064386338376465
-65613534663762353662353262623634616264373964316336626166353330303539356130646166
+38636538373834373761393331353837356165303562633563636538656135653763646236396162
-63643435353765633766626165643465386331333637366562393861613834323464363932306430
+62343137323036363532643836326364313137363162633663353532383732363634626632343430
-32643836646266643031396262626136313363623663366430376432373036643835653863323631
+65393436623337326430323630636263363239396361656663656631386431663230363631613465
-30613164326430633664306630333632363931656135643465363439376263386561383534633666
+39343733333033383134343139636633333034366532353737663565326334323338326363393236
-64323763656466343064396639313264386239356664663461333166626332326536623132333434
+31396231623361323866396139623331616438646361393362616630313563393537353031643935
-62303261643164643330333662623935383037353338306135613737306563326336336162633138
+31356464353035366361656566346632383061376138386662313736376338363331373530336332
-33623066373265663362303133363032343933306336396466383034636131333837313333326531
+37346664623461356635656566363936613339313135303764383636373938373932623632303435
-39336163313633623639303462313763656632633030336236643030343262653366633939643536
+33383838303639343730626433333337313135306463663839323735376132353838306162313864
-31636535393864663363353930363761623264343630396336396431663330323436613462633136
+65313939343466623039373462306533336532616365343639623765316532396236393239303265
-37336464353730643566393432343762333336653932333366636265343663323462626232623635
+30316133616364653638386635303964366161303161396562373835656339666439313231386530
-34346136333630363539633666316561376266373032373961313437653564636537656630303261
+65656438623536393032633064363631613265383239613563613533396263393131623161373662
-37313639333233333365383763333061373730623939303530303832646365323739356564626137
+65306564666235376561643462613434653839373237663964343333366231306166623661663639
-35633366393636376463393961333830343232363266633931613332643134643234303733373466
+33316465666431636439316661646337643763306466323165643735353162333361376534343362
-35323831623931633436626636346431303965663639666566623433383736633834626330303265
+30326336643537643932336362313635373865323531663730663436333461633536323561623763
-37353337656233663938663839373931623137666662623266336537383631626631306235363064
+35353137633265353930626535306234636338326335346664383735356132643363366362643864
-33313564316438633139336261623736336336326239376630316335313631376132646563333430
+66323734313839653330396266346537633035363538663964643839366533333438643239306561
-33656432643130643832343065353834633366363339353964623762666564633835633636313731
+62656639366565323739373164653536316664326664393530633236396334363731313237643636
-63353637636165663136623736343234393038313235333363643237643566623766393838386635
+65643737666134653331383737633531643463356162306231326261653162316264383961396333
-33646233623032653233336266636335666233353032303837663162303939383262373761623261
+34303335336465613230343133626364633935393139366263613533343230646561363736323536
-35366661363966346233633739663635353361303264356534366235616164316138623730623632
+64313661343061623864326331653032303661393834643435396162363830353933653038613965
-62316362623736396264366632373661373835393434343364353431316362666235616635633566
+66383039316165656130316363356533653065303866616630636135666265643639376336336235
-64353530633334393737346663653562346335323065356665643132353738363132623031353664
+32666539383638623534356539653236366265326634396335663166313461353931653634313434
-66666639326238386634363664356664343161386435323736316636343536326435303066353035
+35353461613139626463346362363636623363313965376437643865343132346530396333326234
-37363731613138393333636562386363333932386362303139643262386237353863363764643139
+33636237326565643766343437663330646632393538643865373664353435663530376333386233
-64616561373239346464623165616332623434303433626638376232333733646136376431626438
+38666266386336313234303435326138346330653763326462333331323233653462353264346163
-66613134343639656331626630303030366133356636663735353466353834613430356265386162
+38666462633066333136343233663137313439663138663037663537633434643561316362643439
-66613332663232623438636661306332613162666561353537313336643134663664306630636639
+30383637366237383937373161623131356136623230386131623166363365326139373235636538
-61613363353264373831393962333631383236666130646333336431303735333165656438363432
+37343861656363656662373262336663653233663639313031613962653562323739616336656539
-38396530333631636135653534393531326434306362396237366430383166323832336434376364
+38636333343562663165623537376366343863653764363361383161663361363531326335313633
-38393431646338316232373431613930326532646333386435303034356564336665346133393866
+39333162626462613935383534373566336665303631396135333463663432616437356532356465
-61643533643361646265313334633463616437393437653935613261366635616430313064346532
+37316334613365333037316365373731386239323363643231653839306539376664623366653934
-32363831613565313836376338646466323130373032613863323037323566643164653132633735
+31373065646362366562306130346366653366333039633237646539326665646262393231636137
-65636562653535626461396666643330386333663137613333643165656336633038323036373162
+61376439306630623930306332356566363833373635646562386232306431306466363139386430
-31376338613862333334643561313332326237646565633934323032626662633631633033623063
+64383439366138316130636234663263343930316639383738303937363732316366303332643837
-63306664656437663732323339383735306132616531373865323835633264333639336163366466
+64336364633336366562303131383831613331346334353064386161363366623565653236313337
-33373433653839393638323034623835643531393266306331313563613265616633353763653438
+37656362396231616333646334306232343030366139626339386464326564636632666138313132
-65363532653163303861383531356639316331343531666666636336373634636134633331366364
+62613439316231336635623537303234333139366431663965386637653237376463636136613465
-62366230366435323435613964636533353236373935626632623536396664313264653031623062
+32633666383863643266663536353064663231663033373637616564376230636261383532383837
-33366166343630313839366262313234346262343336386538336335393835646138666330656361
+31623062616466313031306630373839623431376239653237623863666331316130346661316230
-61313936323838653832633130346539636363613838343363663431623063333933383466353938
+36333164323033343162653464633461363632383634323431616332366461303166316361383937
-65383361333561383631643938613862343236346233363466333237316339616362366565306639
+64313662613362613339346339323038363166666461663861613062393765666664396431363735
-39356563656132303463346138356435303038303165363935343266396462326365363262393336
+32373366373964653432323536343163626361393935376330303563386465356238353231653636
-37396235366639623761366239386165613065626431633733306234343866663266633631656237
+65663839323432663561306464356165326331656231656662616562303661316238626136303439
-63643430383433393835663635356265636635363137613064353066313338346436356632346265
+65353439633865656630313761353665363231346262633134393638646661643231663134343066
-38393730336465396263373137383238653337396364643061303234666266663064663265383434
+62666335323563353863623638343663633565653466376335396238366531313165366331656430
-36636138643432373633313038393737663735363838396164366234643533633762383062353831
+65643862653265313136353661623633316132353638373763313036346362616262363763306539
-66326231363337323666386263373438656630346336663239643030386434636264666634393631
+64623563393435626636396132616137313962363636326533393662373537636137373637356666
-39313364333761343532346165396365306463393037643935666363323630326664616638313338
+30373862353966616333393861323130306366636432363661613639636137316430613032613666
-39396336653738353333343835363861643166376565346463303135376439336134666235623230
+34333635356136313337343730393839373237363334333466373231396530326438353339363464
-32363031303732666133386164313437366164326539373564623236356432303132633436323563
+34663038613165333335376630346535336138383238306339636563613964363665643334613836
-36323634373538376133613736633133356638323861636434646465643432636366376138636232
+66616234336634653237623766343466613632383836623630633763613265323638653437333665
-63633830613462613831313938326339343632393038376639623131366364623536353338363439
+65623733376631303261623363306139626539393631393435623164316137313835653138376137
-32613331623863336165636364616634303264356630303665383638663737343836663831363263
+62643737616564333562326434383336393563386266383065616361643563616439666536363563
-63366562393734323030306436346534626530656465396535323835316139633562363830373437
+65373933343438376233626564376131396130323335333965666134646132646230396639623638
-63626530326530383538623165356532303862353763326432373966626436303465373431373762
+39646437383537633362653966623832303535313435393064616266646335663136613061613631
-38613539623164353732623636376630643465343839666531306438326633343362306665366132
+31633639383437616635633066386163343733666439353565336237366334373838333730336434
-39396537366266353864656232616334336130333337306463313932393832653661343036396261
+36393830616431656136396465663132343530333735323138653835333730393135393738353865
-64613461633433356334623631643861303133383963336635623138326139613564343838366565
+32376664323961646361653639353439316164623962393737333634383266323661626539383464
-36343130353462333162313736636139306233366466626231306561626335396262663531333839
+62366439636236373732666661393739616239333135393732623739636632386136656638393032
-61336437343137356335633764373730306466326133356331333530353537616661373062656438
+64623261633237333936353466633836343866643661343334313064386432323061316164346565
-35356235666464656466323937353837623535643937383866666133383633396563333338633034
+38653734316538653832313432323434666639346666396630363336363231333561303861363536
-38366531613164363966323137646237393135383164643230663331306335636432656565633636
+66343465323936383533353733333431313261336332363964366461656239356230366533646635
-34343031633632346533353666353034666266666561346464306665386634313263323333653330
+34363565383137393662613263343732656437363739323339643038646439316139613565613331
-66323033393531343633356466613837346164393332613037636465343230623731616361336338
+35666635316639623932633765303131613132346637643263633664326637633433623137383831
-61373332373636646435353734386366613334323161626437396232613534613330613532323534
+35666235653466396432323031353162393035373235343661333664633866323936373034306163
-65653065386432313733663165616333663666363733623162306536303833663136353334656466
+34396232316232663762323138643334363362343538343335653333386433386632653262393235
-64353931363838613761663561666639373865393438396565626661343934353662363834636535
+36323430316166363330363861386339623631373062646339396231356566336632363639616531
-65363664393433313036383438643864663339626331343230343337316437336634636363303563
+65333237376564363936336132323733323237396331306264643239363633666439363432313236
-35373539383535353235633730386232363539616632336566376264393832383637663330613133
+38663138623531666337346332633366633234636230343066363437623561393662636432343965
-37643261363966633138373935333438393536373938383265373261363232343030373539366335
+65616132363733393262643137653238396364323637623033643564333533363032633834633563
-61633162663137643061363366653135323639363838626266386262666133306461333432313738
+64313061303063346636633734353338396333613933313632323935636131623364643066303632
-30313332626166303630363839396663396564633961383863326663356230343938643833303933
+37366464323964336231653233313261353336636138376461636434373933353166323937386662
-34333032353935323565346633363537656639613663356130383264373739636231363364613066
+66333037633038396333663661626266643032346331333966363763643464306535653231373436
-36653664346434393933383337313630623131396461343930383537633536643365306564396665
+32623064633235393265653865613431626535616439646165646631653430663630306634626232
-31353861643335353538623838393335326364393738376239623431306231363739656438626265
+39393661376164353934323934643137613239303864313465326264376265623437326663303035
-37666532336661306262303761616238666239623265663231386165353437366631376234343035
+65616463633161656334646664613339646633623361363737663639333361613062396665656132
-33393037316563373534373765616238616639303031346430623561663430393536303163613338
+32633838313633653465633163323531376438626661653966393462316666313538666362303561
-65353062336164626335376235656235343637366438353334356436653266333062663838316263
+64396563386137333538373137633065303732373039366533336230393561316330666633383433
-32623732306462356162623437393035626433336631643833626463656634366332613936346465
+36333932333133313637663733653031623266666566346464393530653035656437616266373230
-34653331363133373635633330363564333264623566613432383439396537343963653239336265
+32373736636464356333613438353437323636363962386464393838626564636434663063613334
-33326132663434363065646265646130333935303662623037363938313464366564323734333437
+62326565353239343031633466303963366362653061366432636662326664316334623036626165
-36336335303738643634653164306332636130316161393335656536386131396662616366383139
+30346365313137663234323930633064303335643464633737316164373266623031313839333034
-36663863343736666665363337663537326330323437346565346465326231366563643136366365
+39336231666630616232346363396332363663396335386534373235663032376166613763393465
-37636361343961326261336437616266373962643765346438333766306537303137353764396330
+36323261316465623336366434653737323236313739623438616338666536633431616265313032
-39626635373631353635313935363834363730386132376363663462653330623130663266373432
+33663335623366616231366436363037353464626233343438653061386539343830633139343865
-65343237326535613535386363396236336536366165306463643162346638623638373433646163
+62613134333762386436303966353830313761396331623262656630616565363239333766626331
-62613935363636353639623839396231393838303135346536383037353636613563323234626131
+39313937316238363866366365633434333233643664356533643839373063323436626435643937
-64373666303436393861373164376564646235366131343433623733663832653039393738343537
+30303363346334663765336566373865356361623935623736313331396133313637313765386366
-65323534343464613230346532623966616462353532373064623566626563336464326336393364
+65343863633865316332663463663937623762316138346462653435613466323264663730656433
-39626237646431313135323036303065343138616632343237396136366332636132303037376132
+37373662383436386233393539303536613031633537326465333030646136666532363935393634
-33623031623635653162616265316366663262373666636638386130643336383130643232643662
+33343735376634363763616639626339643431303863663964653132336236636538613035396464
-34326663343562613962343033396332303261636230353331313730336630633461333736626333
+66383437346664633536303162353430666638636439366539356263303934373933313131393162
-66636430643330383032646634396133626339623036333963396662313234623466366634636334
+35353837633232323330643736376162636232303830313037336263323536356531363338636661
-33373762386662613966353664346239666133656435353365653536356331613632666132376264
+30653162663931626636343036306236393063326338373466633330343363616666366261626638
-62613433366633663065306166396166633836306139376533396165393966323465303638373563
+37376539613564386339373434616139623237623461383434613738626433323065333766306431
-63326330323161303065643365343363313338326238363137663139613463613434643834613662
+33343638396263376537396163613962636334646631346363393366353665356132306263663831
-64663365633965653363633165653038333335333232633434323037643936646561376431626230
+34353665356563636462333738383936343539316435646361623633316365643935393538653738
-66356138373136366134373533386634373061666330663364376336383433306331386162393633
+34376530623837313330353035633761336336666132623334323839626666366362653836643632
-33636330643531396464313736363061303466393861613730323563626363643731333633366532
+38383637343431633235656337353331313863373930623636333235656137633461303739396563
-64646130636234653566346533323962353332653335336239353630633535623935396638663366
+39396433343262383136663636343231643739316664363839656233623633323638363236343435
-37383661343636613261623833653032373764653164346634663431653664636233323734666166
+32323739353138306530616531376636323336356664656533313961356535333061353732643337
-36373664306566663930353338366431623563396166356638626166333165623263636336613138
+37313432323231333066396362326335613935356235366265646563623232353866336565323237
-34343936393964666564306637346561393538383137663162663630336462656663316338376236
+30643766303738363039383566656535343864373837353861666265623963623436376664663966
-63633666333263663734353861633164653132663334306664643133663736663766626639393236
+61363532393262666636616538626434366338303832646631626134336134313131616166616136
-32653430333163313363343731666135656662363838366132383732346130313130363365656263
+33663734336336613738333833653130613561366633343561643839323266393038356539383230
-32643533393163376264653632663262353966306630333064313932616262323134326361633764
+63623834316363313232366638306262623633363366303136336536336663353865303435383333
-63383837303936616434616630653833653833623263623532306363373836323431393335623530
+63316434616666656466343737626233326161386462363631643531356131376161633466303736
-34316562343035326265333164643163356230643639373431326431303538346363376332373434
+38383833663965663835356635323537626536306437323861366635386562353063373132326465
-31313666313663343363353130306561646136393732663164393232636330663635346434343134
+63343234303633393138343862336662663361653930636461326435303635623562373634363032
-33663138663336636430373763396435323138373633666438623234363631336232366635366532
+6661396564633461353336313466366163393535646238326639
 62616239663934653462656163326134303261376635323864633435383666363065656665303538
 62626538343638366236646136363232373437336630383739656438636465326531646664366462
 36353663626634386538336239623734323234393463313034303837363164363263623065613061
 38333162646232366339333662313965663336613238386530393162346266636532353433656136
 66326436323836376432313238613165373565643233333435393361636637653361616435393438
 32383763393561343734643438346635613663393736613839623263663866336165343235663933
 66623137616561313462653631613830363666653635336534643935373739353138363934656134
 35663063396162623432373534333463376231666466393963336231653939326663396336383735
 34633763336163313432616163313638623963306666643432306661393632346339373963633265
 32303862643661376433356661383335313365306534663534396638313531373538326236636363
 37626138333437393363323261336663653163643565303063313231346131376261653763356631
 62306262336337366134626632333663363139393131306666303235303761623665356431646234
 33666461663035303066353137623762653565353533613435663839396238336337333463636465
 38353135356634626137376232613330393235383432356436393030313564306537616363383136
 66356463373138313661373565326565343066643133633630313031303132313031663739316631
 66666631386163313034306532393862393930653931363235396662366262636466363464396466
 61303962303066633764393831396632626233343633313061323838623134373036393164633139
 30303861636335636131376334376239636235653233323435623262366132663934613661333135
 61386136326435363337316363666330363431613135663661303438383664663930656564373730
 32373731393666333364633835646431646662313232383136616238303264383438663766356462
 32346664376430663934626661663039656461383738626265346162393861346163656161323333
 39323666643031376530303230626166613233383731363766373634623430633635303963313466
 34646331363539636133373134353535356265393265393635323532323134643034343663636362
 38633261613433393634396234396265623063346138363133646532366638306632396464646432
 61373961383438386535336131393633303430346162613738343839653038303035303033626535
 37343030623530333332306265373539633735616634663666356437303862636338363866613861
 38346130336338373865343866306665616530313938616366346131376262346135323537663137
 39383366313766666234323234363937623264353532323033363966313135653163343036666262
 34393832613034383239393930383063336131356364303231323966303633333331633666373764
 65383137333965663234663933303231356165376233326233303035316536666563656363343933
 36633039666432643135636331353932633164633964623661373739633665313433306561303637
 62373534346562363132643063643732343462653838393635343266626535353864656437313434
 34376538303965616539626534613431623834376337643936613137323031323139393762636463
 66346664666361623636666533663037613434353135393862376633636233656330366136646434
 30653735323961383130393763333630306131376430363436623238646632363462383739653636
 37346566663039383866323639633565366338353438386461616239313639343766333661346435
 33316538366463383733346663316564656566656165396465393461363061613239666165346661
 62346639623163363762366431313831663135643062336363323336303737393437653863303665
 36643466336566336236353166333063633830646461626262333937316162353365353130353535
 30383164363532363532306364393236303537383139643431393962333063633162313033613561
 32323434336364343061386666616639336566373461633462393130336461303531353436623065
 65663430623066336533373662306566396263376562343936666166626666323964373334613835
 64633535303365643564626562643562636363363834353865353765356665643965663861366436
 63333736613232353130616466316637613966646139323565356537666331666564623832333439
 36376131663431616430616265323039646432393166613631313762613264313765323231663961
 65616636306362386534626130636261636566626365643630616135323634343935653033653433
 3061
--- a/group_vars/bdd.yml
+++ b/group_vars/bdd.yml
@ -1,5 +0,0 @@
 ---
 borg_keep_hourly: 6
 borg_backup_exclude:
  - "/var/lib/postgresql/"
 ...
--- a/group_vars/certbot.yml
+++ b/group_vars/certbot.yml
@ -1,8 +0,0 @@
 ---
 glob_certbot:
  - dns_rfc2136_server: '10.128.0.30'
    dns_rfc2136_name: certbot_challenge.
    dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
    mail: tech.aurore@lists.crans.org
    certname: auro.re
    domains: "*.auro.re"
--- a/group_vars/nginx.yml
+++ b/group_vars/nginx.yml
@ -1,32 +0,0 @@
 ---
 glob_nginx:
  contact: tech.aurore@lists.crans.org
  who: "L'équipe technique d'Aurore"
  service_name: service
  ssl:
    # Add adm.auro.re if necessary
    - name: auro.re
      cert: /etc/letsencrypt/live/auro.re/fullchain.pem
      cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
      trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
  servers:
    - ssl: false  # Replace by auro.re or adm.auro.re
      default: true
      server_name:
        - "default"
        - "_"
      root: "/var/www/html"
      locations:
        - filter: "/"
          params: []
      additional_params: []
  upstreams: []
  auth_passwd: []
  default_server:
  default_ssl_server:
  default_ssl_domain: auro.re
  real_ip_from:
    - "10.128.0.0/16"
    - "2a09:6840:128::/64"
  deploy_robots_file: false
--- a/group_vars/reverseproxy.yml
+++ b/group_vars/reverseproxy.yml
@ -1,12 +0,0 @@
 ---
 loc_nginx:
  servers: []
 glob_reverseproxy:
  redirect_dnames:
    - aurores.net
    - fede-aurore.net
  reverseproxy_sites: []
  redirect_sites: []
--- a/group_vars/routeur.yml
+++ b/group_vars/routeur.yml
@ -1,3 +0,0 @@
 ---
 rsyslog_high_density: true
 ...
--- a/host_vars/caradoc.adm.auro.re.yml
+++ b/host_vars/caradoc.adm.auro.re.yml
@ -1,12 +0,0 @@
 ---
 borg_keep_hourly: 6
 borg_keep_daily: 7
 borg_keep_weekly: 4
 borg_keep_monthly: 12
 borg_backup_directories:
  - "/etc"
  - "/var"
  - "/data_nextcloud"
  - "/data_gitea"
  - "/data_mail"
 ...
--- a/host_vars/log.adm.auro.re.yml
+++ b/host_vars/log.adm.auro.re.yml
@ -1,16 +0,0 @@
 ---
 borg_backup_directories:
  - "/etc/"
  - "/var/"
 borg_backup_exclude: []
 rsyslog_collector_base_dir: /var/log/remote
 rsyslog_inputs:
  - proto: relp
    port: 20514
  - proto: udp
    port: 514
  - proto: tcp
    port: 6514
 rsyslog_outputs: []
 ...
--- a/host_vars/perceval.adm.auro.re.yml
+++ b/host_vars/perceval.adm.auro.re.yml
@ -1,3 +0,0 @@
 ---
 borg_server_backups_dir: /borg
 ...
--- a/host_vars/portail.adm.auro.re.yml
+++ b/host_vars/portail.adm.auro.re.yml
@ -1,105 +0,0 @@
 ---
 loc_nginx:
  service_name: captive_portal
  default_server: '$server_addr'
  default_ssl_server: '$server_addr'
  servers:
    - server_name:
        - "10.13.0.247"
      locations:
        - filter: "/"
          params:
            - "return 302 https://portail-fleming.auro.re/portail/"
    - ssl: auro.re
      server_name:
        - portail-fleming.auro.re
      locations:
        - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
          params:
            - "proxy_pass http://10.128.0.20"
            - "include /etc/nginx/snippets/options-proxypass.conf"
        - filter: "/"
          params:
            - "return 302 https://portail-fleming.auro.re/portail/"
    - ssl: auro.re
      server_name:
        - 10.23.0.247
      locations:
        - filter: "/"
          params:
            - "return 302 https://portail-pacaterie.auro.re/portail/"
    - ssl: auro.re
      server_name:
        - portail-pacaterie.auro.re
      locations:
        - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
          params:
            - "proxy_pass http://10.128.0.20"
            - "include /etc/nginx/snippets/options-proxypass.conf"
        - filter: "/"
          params:
            - "return 302 https://portail-pacaterie.auro.re/portail/"
    - ssl: auro.re
      server_name:
        - "10.33.0.247"
      locations:
        - filter: "/"
          params:
            - "return 302 https://portail-rives.auro.re/portail/"
    - ssl: auro.re
      server_name:
        - portail-rives.auro.re
      locations:
        - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
          params:
            - "proxy_pass http://10.128.0.20"
            - "include /etc/nginx/snippets/options-proxypass.conf"
        - filter: "/"
          params:
            - "return 302 https://portail-rives.auro.re/portail/"
    - ssl: auro.re
      server_name:
        - "10.43.0.247"
      locations:
        - filter: "/"
          params:
            - "return 302 https://portail-edc.auro.re/portail/"
    - ssl: auro.re
      server_name:
        - portail-edc.auro.re
      locations:
        - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
          params:
            - "proxy_pass http://10.128.0.20"
            - "include /etc/nginx/snippets/options-proxypass.conf"
        - filter: "/"
          params:
            - "return 302 https://portail-edc.auro.re/portail/"
    - ssl: auro.re
      server_name:
        - "10.53.0.247"
      locations:
        - filter: "/"
          params:
            - "return 302 https://portail-gs.auro.re/portail/"
    - ssl: auro.re
      server_name:
        - portail-gs.auro.re
      locations:
        - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
          params:
            - "proxy_pass http://10.128.0.20"
            - "include /etc/nginx/snippets/options-proxypass.conf"
        - filter: "/"
          params:
            - "return 302 https://portail-gs.auro.re/portail/"
--- a/host_vars/proxy-ovh.adm.auro.re.yml
+++ b/host_vars/proxy-ovh.adm.auro.re.yml
@ -1,20 +1,44 @@
 ---
-loc_certbot:
+certbot:
-  - dns_rfc2136_server: '10.128.0.30'
+  domains:
-    dns_rfc2136_name: certbot_challenge.
+    - auro.re
-    dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+    - chat.auro.re  # cname to riot.auro.re
-    mail: tech.aurore@lists.crans.org
+    - codimd.auro.re
-    certname: auro.re
+    - element.auro.re  # cname to riot.auro.re
-    domains: "auro.re, *.auro.re"
+    - ehterpad.auro.re  # cname to pad.auro.re
    - grafana.auro.re
    - hedgedoc.auro.re  # cname to codimd.auro.re
    - pad.auro.re
    - passbolt.auro.re
    - paste.auro.re  # cname to privatebin.auro.re
    - phabricator.auro.re
    - privatebin.auro.re
    - riot.auro.re
    - sharelatex.auro.re
    - status.auro.re
    - wiki.auro.re
    - www.auro.re
    - zero.auro.re  # cname to privatebin.auro.re
  mail: tech.aurore@lists.crans.org
  certname: auro.re
 nginx:
  ssl:
    cert: /etc/letsencrypt/live/auro.re/fullchain.pem
    cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
    trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
  redirect_dnames:
    - aurores.net
    - fede-aurore.net
  redirect_tcp: {}
 loc_reverseproxy:
  redirect_sites:
    - from: www.auro.re
      to: auro.re
    - from: 92.222.211.195
      to: auro.re
    - from: codimd.auro.re
      to: hedgedoc.auro.re
  reverseproxy_sites:
    - from: phabricator.auro.re
@ -29,9 +53,6 @@ loc_reverseproxy:
    - from: passbolt.auro.re
      to: 10.128.0.53
    - from: auth.auro.re
      to: 10.128.0.150:8089
    - from: riot.auro.re
      to: "10.128.0.150:8080"
    - from: element.auro.re
@ -39,6 +60,8 @@ loc_reverseproxy:
    - from: chat.auro.re
      to: "10.128.0.150:8080"
    - from: codimd.auro.re
      to: "10.128.0.150:8081"
    - from: hedgedoc.auro.re
      to: "10.128.0.150:8081"
@ -59,10 +82,5 @@ loc_reverseproxy:
    - from: cas.auro.re
      to: "10.128.0.150:8085"
    - from: rss.auro.re
      to: 10.128.0.150:8090
    - from: status.auro.re
      to: "10.128.0.150:8086"
    - from: "kanboard.auro.re"
      to: "10.128.0.150:8088"
 ...
--- a/host_vars/proxy.adm.auro.re.yml
+++ b/host_vars/proxy.adm.auro.re.yml
@ -1,31 +1,31 @@
 ---
-loc_certbot:
+certbot:
-  - dns_rfc2136_server: '10.128.0.30'
+  domains:
-    dns_rfc2136_name: certbot_adm_challenge.
+    - bbb.auro.re
-    dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
+    - drone.auro.re
-    mail: tech.aurore@lists.crans.org
+    - gitea.auro.re
-    certname: adm.auro.re
+    - intranet.auro.re
-    domains: "*.adm.auro.re"
+    - litl.auro.re
-  - dns_rfc2136_server: '10.128.0.30'
+    - nextcloud.auro.re
-    dns_rfc2136_name: certbot_challenge.
+    - re2o.auro.re
-    dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+    - vote.auro.re
-    mail: tech.aurore@lists.crans.org
+    - re2o-server.auro.re
-    certname: auro.re
+    - re2o-test.auro.re
-    domains: "*.auro.re"
+    - wikijs.auro.re
-loc_nginx:
+  mail: tech.aurore@lists.crans.org
-  servers: []
+  certname: auro.re
 nginx:
  ssl:
-    - name: adm.auro.re
+    cert: /etc/letsencrypt/live/auro.re/fullchain.pem
-      cert: /etc/letsencrypt/live/adm.auro.re/fullchain.pem
+    cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
-      cert_key: /etc/letsencrypt/live/adm.auro.re/privkey.pem
+    trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
-      trusted_cert: /etc/letsencrypt/live/adm.auro.re/chain.pem
+
-    - name: auro.re
+  redirect_dnames:
-      cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+    - aurores.net
-      cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+    - fede-aurore.net
      trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
 loc_reverseproxy:
  redirect_tcp:
    - name: Gitea
      port: 2222
@ -33,7 +33,7 @@ loc_reverseproxy:
  redirect_sites:
    - from: 45.66.111.61
-      to: intranet.auro.re
+      to: auro.re
  reverseproxy_sites:
    - from: re2o.auro.re
@ -41,14 +41,14 @@ loc_reverseproxy:
    - from: intranet.auro.re
      to: 10.128.0.20
    - from: bbb.auro.re
      to: 10.128.0.54
    - from: nextcloud.auro.re
      to: "10.128.0.58:8080"
    - from: gitea.auro.re
      to: "10.128.0.60:3000"
    - from: git.adm.auro.re
      to: "10.128.0.60:3000"
      ssl: adm.auro.re
    - from: drone.auro.re
      to: "10.128.0.64:8000"
@ -61,12 +61,3 @@ loc_reverseproxy:
    - from: wikijs.auro.re
      to: "10.128.0.66:3000"
    - from: wiki.auro.re
      to: "10.128.0.66:3000"
    - from: netbox.auro.re
      to: 10.128.0.97
    - from: grafana.auro.re
      to: "10.128.0.98:3000"
--- a/host_vars/vpn-ng-backup.adm.auro.re.yml
+++ b/host_vars/vpn-ng-backup.adm.auro.re.yml
@ -0,0 +1,25 @@
 ---
 wireguard_endpoints:
  - name: ovh
    addr: 192.168.0.2/31
    private_key: "{{ vault_wireguard_secrets.edc.private }}"
    peer:
      public_key: "{{ vault_wireguard_secrets.ovh_edc.public }}"
      allowed_addrs:
        - 0.0.0.0/0
        - ::/0
      keepalive: 5
      endpoint: 92.222.211.198:5413
 bird_router_id: 10.128.0.124
 bird_router_prefsrc: 10.128.0.124
 bird_ospf_ifaces:
  ens18:
    stub: true
  ovh:
    type: pointopoint
    cost: 4000
  ens19:
    type: broadcast
    cost: 1000
 ...
--- a/host_vars/vpn-ng.adm.auro.re.yml
+++ b/host_vars/vpn-ng.adm.auro.re.yml
@ -0,0 +1,25 @@
 ---
 wireguard_endpoints:
  - name: ovh
    addr: 192.168.0.0/31
    private_key: "{{ vault_wireguard_secrets.gs.private }}"
    peer:
      public_key: "{{ vault_wireguard_secrets.ovh_gs.public }}"
      allowed_addrs:
        - 0.0.0.0/0
        - ::/0
      keepalive: 5
      endpoint: 92.222.211.198:5412
 bird_router_id: 10.128.0.224
 bird_router_prefsrc: 10.128.0.224
 bird_ospf_ifaces:
  ens18:
    stub: true
  ovh:
    type: pointopoint
    cost: 2000
  ens19:
    type: broadcast
    cost: 1000
 ...
--- a/host_vars/vpn-ovh-ng.auro.re.yml
+++ b/host_vars/vpn-ovh-ng.auro.re.yml
@ -0,0 +1,37 @@
 ---
 wireguard_endpoints:
  - name: gs
    addr: 192.168.0.1/31
    listen_port: 5412
    private_key: "{{ vault_wireguard_secrets.ovh_gs.private }}"
    peer:
      public_key: "{{ vault_wireguard_secrets.gs.public }}"
      allowed_addrs:
        - 0.0.0.0/0
        - ::/0
      keepalive: 5
  - name: edc
    addr: 192.168.0.3/31
    listen_port: 5413
    private_key: "{{ vault_wireguard_secrets.ovh_edc.private }}"
    peer:
      public_key: "{{ vault_wireguard_secrets.edc.public }}"
      allowed_addrs:
        - 0.0.0.0/0
        - ::/0
      keepalive: 5
 bird_router_id: 10.132.0.254
 bird_router_prefsrc: 10.132.0.254
 bird_ospf_ifaces:
  ens19:
    stub: true
  ens20:
    stub: true
  gs:
    type: pointopoint
    cost: 2000
  edc:
    type: pointopoint
    cost: 4000
 ...
--- a/380
+++ b/380
@ -8,11 +8,10 @@
 ###############################################################################
 # Aurore : main services
 viviane.adm.auro.re
 [aurore_pve]
-escalope.adm.auro.re
+merlin.adm.auro.re
 services-1.pve.auro.re
 services-2.pve.auro.re
 services-3.pve.auro.re
 [aurore_vm]
 routeur-aurore.adm.auro.re
@ -26,30 +25,21 @@ camelot.adm.auro.re
 gitea.adm.auro.re
 drone.adm.auro.re
 nextcloud.adm.auro.re
-galene.adm.auro.re
+stream.adm.auro.re
 re2o-server.adm.auro.re
 re2o-ldap.adm.auro.re
 re2o-db.adm.auro.re
 services-bdd-local.adm.auro.re
 backup.adm.auro.re
 services-web.adm.auro.re
 mail.adm.auro.re
 wikijs.adm.auro.re
 prometheus-aurore.adm.auro.re
-portail.adm.auro.re
+vpn-ng.adm.auro.re
-jitsi-aurore.adm.auro.re
+vpn-ng-backup.adm.auro.re
 log.adm.auro.re
 bdd.adm.auro.re
 bdd-ovh.adm.auro.re
 litl.adm.auro.re
 log.adm.auro.re
 netbox.adm.auro.re
 grafana.adm.auro.re
 dolibarr.adm.auro.re
 infra-1.router.auro.re ansible_host=10.129.0.245
 infra-2.router.auro.re ansible_host=10.129.0.246
 [aurore_testing_vm]
-
+pendragon.adm.auro.re
 [aurore_ilo]
 escalope-ilo.adm.auro.re
 ###############################################################################
 # OVH
@ -59,16 +49,21 @@ horus.adm.auro.re
 [ovh_container]
 synapse.adm.auro.re
 services-bdd.adm.auro.re
 phabricator.adm.auro.re
 wiki.adm.auro.re
 www.adm.auro.re
 proxy-ovh.adm.auro.re
 matrix-services.adm.auro.re
 [ovh_vm]
 serge.adm.auro.re
 passbolt.adm.auro.re
 vpn-ovh.adm.auro.re
 vpn-ovh-ng.auro.re
 docker-ovh.adm.auro.re
 switchs-manager.adm.auro.re
 ldap-replica-ovh.adm.auro.re
 prometheus-ovh.adm.auro.re
 prometheus-federate.adm.auro.re
 [ovh_testing_vm]
 #re2o-test.adm.auro.re
@ -77,10 +72,8 @@ prometheus-federate.adm.auro.re
 ###############################################################################
 # Les Jardins de Fleming
 [fleming_server]
 perceval.adm.auro.re
 [fleming_pve]
 freya.adm.auro.re
 marki.adm.auro.re
 [fleming_vm]
@ -89,30 +82,37 @@ dhcp-fleming.adm.auro.re
 dhcp-fleming-backup.adm.auro.re
 dns-fleming.adm.auro.re
 dns-fleming-backup.adm.auro.re
 ntp-1.int.infra.auro.re
 prometheus-fleming.adm.auro.re
 #prometheus-fleming-fo.adm.auro.re
 radius-fleming.adm.auro.re
 dns-1.int.infra.auro.re
 isp-1.rtr.infra.auro.re
 isp-2.rtr.infra.auro.re
 dhcp-1.isp.auro.re
 dhcp-2.isp.auro.re
 radius-fleming-backup.adm.auro.re
 unifi-fleming.adm.auro.re
 routeur-fleming.adm.auro.re
 routeur-fleming-backup.adm.auro.re
 [fleming_ilo]
 marki-ilo.adm.auro.re
 [fleming_unifi]
-fa-0-1.borne.auro.re
+ff-1-2.borne.auro.re
 fe-1-2.borne.auro.re
 ff-2-2.borne.auro.re
 ff-3-2.borne.auro.re
 ff-4-2.borne.auro.re
 fh-1-2.borne.auro.re
 fh-2-2.borne.auro.re
 fe-3-2.borne.auro.re
 fe-2-2.borne.auro.re
 fe-4-2.borne.auro.re
 fh-3-2.borne.auro.re
 fh-4-2.borne.auro.re
 fg-3-2.borne.auro.re
 fg-2-2.borne.auro.re
 fi-1-2.borne.auro.re
 fi-2-2.borne.auro.re
 fi-3-2.borne.auro.re
 fi-4-2.borne.auro.re
 fa-1-1.borne.auro.re
 fa-2-1.borne.auro.re
 fa-3-1.borne.auro.re
 fa-4-1.borne.auro.re
 fa-j-1.borne.auro.re
 fb-0-1.borne.auro.re
 fb-1-1.borne.auro.re
 fb-2-1.borne.auro.re
@ -123,83 +123,67 @@ fc-1-1.borne.auro.re
 fc-2-1.borne.auro.re
 fc-3-1.borne.auro.re
 fc-4-1.borne.auro.re
 fd-2-1.borne.auro.re
 fd-0-1.borne.auro.re
 fd-1-1.borne.auro.re
-fd-2-1.borne.auro.re
+fa-0-1.borne.auro.re
 fd-3-1.borne.auro.re
 fe-0-1.borne.auro.re
 fe-1-1.borne.auro.re
 fe-1-2.borne.auro.re
 fe-2-1.borne.auro.re
 fe-2-2.borne.auro.re
 fe-3-1.borne.auro.re
 fe-3-2.borne.auro.re
 fe-4-1.borne.auro.re
 fe-4-2.borne.auro.re
 ff-0-1.borne.auro.re
 ff-0-f.borne.auro.re
 ff-1-1.borne.auro.re
 ff-1-2.borne.auro.re
 ff-2-1.borne.auro.re
 ff-2-2.borne.auro.re
 ff-3-1.borne.auro.re
 ff-3-2.borne.auro.re
 ff-4-1.borne.auro.re
 ff-4-2.borne.auro.re
 fg-0-1.borne.auro.re
 fg-1-1.borne.auro.re
 fg-1-2.borne.auro.re
 fg-2-1.borne.auro.re
 fg-2-2.borne.auro.re
 fg-3-1.borne.auro.re
 fg-3-2.borne.auro.re
 fg-4-1.borne.auro.re
 fh-0-1.borne.auro.re
 fh-1-1.borne.auro.re
 fh-1-2.borne.auro.re
 fh-2-1.borne.auro.re
 fh-2-2.borne.auro.re
 fh-3-1.borne.auro.re
-fh-3-2.borne.auro.re
+fe-2-1.borne.auro.re
 fh-4-1.borne.auro.re
 fh-4-2.borne.auro.re
 fi-0-1.borne.auro.re
 fi-0-2.borne.auro.re
 fi-1-1.borne.auro.re
 fi-1-2.borne.auro.re
 fi-2-1.borne.auro.re
 fi-2-2.borne.auro.re
 fi-3-1.borne.auro.re
 fi-3-2.borne.auro.re
 fi-4-1.borne.auro.re
 fi-4-2.borne.auro.re
 fj-0-1.borne.auro.re
 fj-1-1.borne.auro.re
 fj-1-2.borne.auro.re
 fj-2-1.borne.auro.re
 fj-2-2.borne.auro.re
 fj-3-1.borne.auro.re
 fj-3-2.borne.auro.re
 fj-4-1.borne.auro.re
 fj-4-2.borne.auro.re
 fk-0-1.borne.auro.re
 fk-1-1.borne.auro.re
 fk-1-2.borne.auro.re
 fk-2-1.borne.auro.re
 fk-2-2.borne.auro.re
 fk-3-1.borne.auro.re
 fk-3-2.borne.auro.re
 fk-4-1.borne.auro.re
 fk-4-2.borne.auro.re
 fl-0-1.borne.auro.re
 fl-1-1.borne.auro.re
 fl-1-2.borne.auro.re
 fl-2-1.borne.auro.re
 fl-2-2.borne.auro.re
 fl-3-1.borne.auro.re
 fl-3-2.borne.auro.re
 fl-4-1.borne.auro.re
 fe-1-1.borne.auro.re
 ff-0-f.borne.auro.re
 fj-4-2.borne.auro.re
 fj-3-2.borne.auro.re
 fj-2-2.borne.auro.re
 fj-1-2.borne.auro.re
 fk-4-2.borne.auro.re
 fk-3-2.borne.auro.re
 fk-2-2.borne.auro.re
 fk-1-2.borne.auro.re
 fl-4-2.borne.auro.re
 fl-3-2.borne.auro.re
 fl-2-2.borne.auro.re
 fl-1-2.borne.auro.re
 fa-j-1.borne.auro.re
 fg-1-2.borne.auro.re
 fi-0-2.borne.auro.re
 ###############################################################################
 # Pacaterie
@ -222,51 +206,48 @@ unifi-pacaterie.adm.auro.re
 routeur-pacaterie.adm.auro.re
 routeur-pacaterie-backup.adm.auro.re
 [pacaterie_ilo]
 mordred-ilo.adm.auro.re
 titan-ilo.adm.auro.re
 [pacaterie_unifi]
-pc-1-1.borne.auro.re
+pn-1-1.borne.auro.re
 pn-0-1.borne.auro.re
 pn-0-2.borne.auro.re
 pn-0-3.borne.auro.re
 pn-1-1.borne.auro.re
 pn-1-2.borne.auro.re
 pn-1-3.borne.auro.re
-pn-2-1.borne.auro.re
+pn-3-1.borne.auro.re
 pn-2-2.borne.auro.re
 pn-2-3.borne.auro.re
 pn-3-1.borne.auro.re
 pn-3-2.borne.auro.re
 pn-3-3.borne.auro.re
 pn-4-1.borne.auro.re
 pn-4-2.borne.auro.re
 pn-4-3.borne.auro.re
-ps-0-1.borne.auro.re
+pn-2-1.borne.auro.re
-ps-0-2.borne.auro.re
+pn-3-2.borne.auro.re
 pn-0-1.borne.auro.re
 pn-1-2.borne.auro.re
 pc-1-1.borne.auro.re
 pn-4-2.borne.auro.re
 pn-4-1.borne.auro.re
 ps-0-3.borne.auro.re
-ps-1-1.borne.auro.re
+ps-0-1.borne.auro.re
 ps-1-2.borne.auro.re
 ps-1-3.borne.auro.re
 ps-2-1.borne.auro.re
 ps-2-2.borne.auro.re
 ps-2-3.borne.auro.re
-ps-3-1.borne.auro.re
+ps-1-2.borne.auro.re
 ps-3-2.borne.auro.re
 ps-3-3.borne.auro.re
 ps-4-1.borne.auro.re
-ps-4-2.borne.auro.re
+ps-2-1.borne.auro.re
 ps-3-1.borne.auro.re
 ps-4-3.borne.auro.re
 ps-2-2.borne.auro.re
 ps-1-1.borne.auro.re
 ps-4-2.borne.auro.re
 ps-0-2.borne.auro.re
 ps-3-3.borne.auro.re
 ###############################################################################
 # Emilie du Chatelet
 [edc_server]
-caradoc.adm.auro.re
+perceval.adm.auro.re
 [edc_pve]
 chapalux.adm.auro.re
 escalope.adm.auro.re
 [edc_vm]
 routeur-edc.adm.auro.re
@ -281,20 +262,12 @@ radius-edc-backup.adm.auro.re
 ldap-replica-edc.adm.auro.re
 prometheus-edc.adm.auro.re
 [edc_ilo]
 caradoc-ilo.adm.auro.re
 chapalux-ilo.adm.auro.re
 [edc_unifi]
 ee-2-1.borne.auro.re
 ee-2-2.borne.auro.re
 eo-0-1.borne.auro.re
 eo-2-1.borne.auro.re
 ep-0-1.borne.auro.re
 ep-1-1.borne.auro.re
 ep-1-2.borne.auro.re
 ep-1-3.borne.auro.re
-
+ep-1-2.borne.auro.re
 ep-0-1.borne.auro.re
 eo-2-1.borne.auro.re
 ###############################################################################
 # George Sand
@ -316,64 +289,59 @@ radius-gs-backup.adm.auro.re
 prometheus-gs.adm.auro.re
 ldap-replica-gs.adm.auro.re
 [gs_ilo]
 lancelot-ilo.adm.auro.re
 odin-ilo.adm.auro.re
 [gs_unifi]
 ga-1-2.borne.auro.re
 ge-3-2.borne.auro.re
 gb-4-2.borne.auro.re
 gg-5-2.borne.auro.re
 gd-5-2.borne.auro.re
 gc-5-2.borne.auro.re
 gc-3-1.borne.auro.re
 gc-4-1.borne.auro.re
 gg-5-1.borne.auro.re
 ge-1-2.borne.auro.re
 gh-1-2.borne.auro.re
 gd-1-2.borne.auro.re
 gf-3-2.borne.auro.re
 gd-4-2.borne.auro.re
 ga-0-1.borne.auro.re
 ga-1-1.borne.auro.re
 ga-1-2.borne.auro.re
 ga-2-1.borne.auro.re
 ga-2-2.borne.auro.re
 ga-3-1.borne.auro.re
 ga-4-1.borne.auro.re
 ga-5-1.borne.auro.re
 ga-5-2.borne.auro.re
 gb-1-1.borne.auro.re
 gc-1-1.borne.auro.re
 gc-2-1.borne.auro.re
 gc-5-1.borne.auro.re
 gb-2-1.borne.auro.re
 gb-3-1.borne.auro.re
 gb-4-1.borne.auro.re
 gb-4-2.borne.auro.re
 gb-5-1.borne.auro.re
 gc-1-1.borne.auro.re
 gc-2-1.borne.auro.re
 gc-3-1.borne.auro.re
 gc-4-1.borne.auro.re
 gc-5-1.borne.auro.re
 gc-5-2.borne.auro.re
 gd-1-1.borne.auro.re
 gd-1-2.borne.auro.re
 gd-2-1.borne.auro.re
 gd-3-1.borne.auro.re
 gd-4-1.borne.auro.re
 gd-4-2.borne.auro.re
 gd-5-1.borne.auro.re
 gd-5-2.borne.auro.re
 gd-garage-1.borne.auro.re
 ge-0-1.borne.auro.re
 ge-1-1.borne.auro.re
 ge-1-2.borne.auro.re
 ge-2-1.borne.auro.re
 ge-2-2.borne.auro.re
 ge-3-1.borne.auro.re
 ge-3-2.borne.auro.re
 ge-4-1.borne.auro.re
 ge-5-1.borne.auro.re
 gf-0-1.borne.auro.re
 gf-1-1.borne.auro.re
 gf-2-1.borne.auro.re
 gf-3-1.borne.auro.re
 gf-3-2.borne.auro.re
 gf-4-1.borne.auro.re
 gf-1-1.borne.auro.re
 gd-garage-1.borne.auro.re
 gf-5-1.borne.auro.re
-gg-5-1.borne.auro.re
+
 gg-5-2.borne.auro.re
 gh-1-2.borne.auro.re
 ###############################################################################
 # Les Rives
 [rives_pve]
 thor.adm.auro.re
 loki.adm.auro.re
 [rives_vm]
@ -384,75 +352,41 @@ radius-rives-backup.adm.auro.re
 routeur-rives-backup.adm.auro.re
 ldap-replica-rives.adm.auro.re
 prometheus-rives.adm.auro.re
 dhcp-rives.adm.auro.re
 dns-rives.adm.auro.re
 radius-rives.adm.auro.re
 routeur-rives.adm.auro.re
 [rives_ilo]
 loki-ilo.adm.auro.re
 [rives_unifi]
-r1-1-1.borne.auro.re
+r3-4-4.borne.auro.re
-r1-1-2.borne.auro.re
+r3-4-3.borne.auro.re
-r1-1-3.borne.auro.re
+r3-2-1.borne.auro.re
-r1-1-4.borne.auro.re
+r3-4-1.borne.auro.re
-r1-1-5.borne.auro.re
+r3-2-8.borne.auro.re
-r1-1-6.borne.auro.re
+r3-3-4.borne.auro.re
 r1-2-1.borne.auro.re
 r1-2-2.borne.auro.re
 r1-2-3.borne.auro.re
 r1-2-4.borne.auro.re
 r1-3-1.borne.auro.re
 r1-3-2.borne.auro.re
 r1-3-3.borne.auro.re
 r1-3-4.borne.auro.re
 r1-3-5.borne.auro.re
 r1-3-6.borne.auro.re
 r2-1-1.borne.auro.re
 r2-1-2.borne.auro.re
 r2-1-3.borne.auro.re
 r2-1-4.borne.auro.re
 r2-2-1.borne.auro.re
 r2-2-2.borne.auro.re
 r2-2-3.borne.auro.re
 r2-3-1.borne.auro.re
 r2-3-2.borne.auro.re
 r2-3-3.borne.auro.re
 r2-3-4.borne.auro.re
 r3-0-1.borne.auro.re
 r3-0-2.borne.auro.re
 r3-0-3.borne.auro.re
 r3-0-4.borne.auro.re
 r3-1-1.borne.auro.re
 r3-1-2.borne.auro.re
 r3-1-3.borne.auro.re
-r3-1-4.borne.auro.re
+r3-3-5.borne.auro.re
-r3-1-5.borne.auro.re
+r3-2-4.borne.auro.re
 r3-3-6.borne.auro.re
 r3-1-2.borne.auro.re
 r3-4-5.borne.auro.re
 r3-2-2.borne.auro.re
 r3-4-6.borne.auro.re
 r3-1-1.borne.auro.re
 r3-4-7.borne.auro.re
 r3-4-2.borne.auro.re
 r3-4-8.borne.auro.re
 r3-2-3.borne.auro.re
 r3-1-6.borne.auro.re
 r3-1-7.borne.auro.re
 r3-2-1.borne.auro.re
 r3-2-2.borne.auro.re
 r3-2-3.borne.auro.re
 r3-2-4.borne.auro.re
 r3-2-5.borne.auro.re
 r3-2-6.borne.auro.re
 r3-2-7.borne.auro.re
 r3-2-8.borne.auro.re
 r3-3-1.borne.auro.re
 r3-3-2.borne.auro.re
 r3-3-3.borne.auro.re
-r3-3-4.borne.auro.re
+r3-0-1.borne.auro.re
-r3-3-5.borne.auro.re
+r3-3-2.borne.auro.re
-r3-3-6.borne.auro.re
+r3-0-2.borne.auro.re
-r3-4-1.borne.auro.re
+r3-3-1.borne.auro.re
-r3-4-2.borne.auro.re
+r3-0-3.borne.auro.re
-r3-4-3.borne.auro.re
+r3-1-5.borne.auro.re
-r3-4-4.borne.auro.re
+r3-0-4.borne.auro.re
-r3-4-5.borne.auro.re
+r3-1-4.borne.auro.re
 r3-4-6.borne.auro.re
 r3-4-7.borne.auro.re
 r3-4-8.borne.auro.re
 # -aurore services
 [aurore:children]
@ -467,7 +401,6 @@ ovh_vm
 # everything at fleming
 [fleming:children]
 fleming_server
 fleming_pve
 fleming_vm
 fleming_unifi
@ -480,7 +413,6 @@ pacaterie_unifi
 # everything at edc
 [edc:children]
 edc_server
 edc_pve
 edc_vm
 edc_unifi
@ -513,11 +445,6 @@ edc_vm
 gs_vm
 rives_vm
 # every server
 [server:children]
 fleming_server
 edc_server
 # every PVE
 [pve:children]
 ovh_pve
@ -538,20 +465,6 @@ pacaterie_unifi
 ###############################################################################
 # Groups by service
 [routeur]
 routeur-fleming.adm.auro.re
 routeur-fleming-backup.adm.auro.re
 routeur-pacaterie.adm.auro.re
 routeur-pacaterie-backup.adm.auro.re
 routeur-edc.adm.auro.re
 routeur-edc-backup.adm.auro.re
 routeur-gs.adm.auro.re
 routeur-gs-backup.adm.auro.re
 routeur-rives.adm.auro.re
 routeur-rives-backup.adm.auro.re
 routeur-aurore.adm.auro.re
 routeur-aurore-backup.adm.auro.re
 [ldap_replica:children]
 ldap_replica_fleming
 ldap_replica_pacaterie
@ -578,46 +491,3 @@ ldap-replica-ovh.adm.auro.re
 [ldap_replica_rives]
 ldap-replica-rives.adm.auro.re
 [certbot]
 portail.adm.auro.re
 [certbot:children]
 reverseproxy
 [nginx]
 portail.adm.auro.re
 [nginx:children]
 reverseproxy
 [reverseproxy]
 proxy-ovh.adm.auro.re
 proxy.adm.auro.re
 [bdd]
 bdd.adm.auro.re
 bdd-ovh.adm.auro.re
 re2o-db.adm.auro.re
 [radius]
 radius-aurore.adm.auro.re
 radius-fleming.adm.auro.re
 radius-fleming-backup.adm.auro.re
 radius-edc.adm.auro.re
 radius-edc-backup.adm.auro.re
 radius-gs.adm.auro.re
 radius-gs-backup.adm.auro.re
 radius-pacaterie.adm.auro.re
 radius-pacaterie-backup.adm.auro.re
 radius-rives.adm.auro.re
 radius-rives-backup.adm.auro.re
 [prometheus]
 prometheus-ovh.adm.auro.re
 prometheus-aurore.adm.auro.re
 prometheus-rives.adm.auro.re
 prometheus-gs.adm.auro.re
 prometheus-edc.adm.auro.re
 prometheus-pacaterie.adm.auro.re
 prometheus-fleming.adm.auro.re
 prometheus-federate.adm.auro.re
--- a/playbooks/ldap_replica.yml
+++ b/playbooks/ldap_replica.yml
@ -1,10 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts: all
  roles: []
 # Clone LDAP on local geographic location
 # DON'T DO THIS AS IT RECREATES THE REPLICA
-# - hosts: ldap_replica
+- hosts: ldap_replica
-#   roles:
+  roles:
-#     - ldap_replica
+    - ldap_replica
--- a/utils/logrotate.yml
+++ b/utils/logrotate.yml
--- a/playbooks/matrix-synapse.yml
+++ b/playbooks/matrix-synapse.yml
@ -1,18 +1,18 @@
 #!/usr/bin/env ansible-playbook
 ---
-# Install Matrix Synapse
+# Install Matrix Synapse on corresponding containers
 - hosts: synapse.adm.auro.re
  vars:
    mxisd_releases: https://github.com/kamax-matrix/mxisd/releases
    mxisd_deb: "{{ mxisd_releases }}/download/v1.3.1/mxisd_1.3.1_all.deb"
    update_motd:
      matrix-synapse: matrix-synapse est déployé.
      matrix-appservice-irc: matrix-appservice-irc est déployé.
      matrix-appservice-webhooks: matrix-appservice-webhooks est déployé.
  roles:
    - debian_backports
    - nodejs
    - matrix_synapse
    - matrix_appservice_irc
    - matrix_appservice_webhooks
-    - update_motd
+
 # Install Matrix services
 - hosts: matrix-services.adm.auro.re
  roles:
    - debian_backports
--- a/monitoring.yml
+++ b/monitoring.yml
@ -0,0 +1,99 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts: prometheus-fleming.adm.auro.re,prometheus-fleming-fo.adm.auro.re
  vars:
    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
    # Prometheus targets.json
    prometheus_targets:
      - targets: |
          {{ groups['fleming_pve'] + groups['fleming_vm'] | list | sort }}
    prometheus_unifi_snmp_targets:
      - targets: "{{ groups['fleming_unifi'] | list | sort }}"
  roles:
    - prometheus
 - hosts: prometheus-pacaterie.adm.auro.re
  vars:
    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
    # Prometheus targets.json
    prometheus_targets:
      - targets: |
          {{ groups['pacaterie_pve'] + groups['pacaterie_vm'] | list | sort }}
    prometheus_unifi_snmp_targets:
      - targets: "{{ groups['pacaterie_unifi'] | list | sort }}"
    prometheus_ups_snmp_targets:
      - ups-pn-1.ups.auro.re
  roles:
    - prometheus
 - hosts: prometheus-edc.adm.auro.re
  vars:
    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
    # Prometheus targets.json
    prometheus_ups_snmp_targets:
      - ups-ec-1.ups.auro.re
    prometheus_targets:
      - targets: |
          {{ groups['edc_pve'] + groups['edc_vm'] | list | sort }}
    prometheus_unifi_snmp_targets:
      - targets: "{{ groups['edc_unifi'] | list | sort }}"
  roles:
    - prometheus
 - hosts: prometheus-gs.adm.auro.re
  vars:
    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
    # Prometheus targets.json
    prometheus_targets:
      - targets: |
          {{ groups['gs_pve'] + groups['gs_vm'] | list | sort }}
    prometheus_unifi_snmp_targets:
      - targets: "{{ groups['gs_unifi'] | list | sort }}"
    prometheus_ups_snmp_targets:
      - ups-gk-1.ups.auro.re
  roles:
    - prometheus
 - hosts: prometheus-rives.adm.auro.re
  vars:
    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
    # Prometheus targets.json
    prometheus_ups_snmp_targets:
      - ups-r3-1.ups.auro.re
    prometheus_targets:
      - targets: |
          {{ groups['rives_pve'] + groups['rives_vm'] | list | sort }}
    prometheus_unifi_snmp_targets:
      - targets: "{{ groups['rives_unifi'] | list | sort }}"
  roles:
    - prometheus
 - hosts: prometheus-aurore.adm.auro.re
  vars:
    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
    # Prometheus targets.json
    prometheus_targets:
      - targets: |
          {{ groups['aurore_pve'] + groups['aurore_vm'] + groups['ovh_pve'] + groups['ovh_vm'] | list | sort }}
  roles:
    - prometheus
 # Monitor all hosts
 - hosts: all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,!aurore_testing_vm,!ovh_container
  roles:
    - prometheus_node
--- a/network.yml
+++ b/network.yml
@ -0,0 +1,65 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Set up DHCP servers.
 - hosts: dhcp-*.adm.auro.re
  roles:
    - isc_dhcp_server
 # Deploy unbound DNS server (recursive).
 - hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
  roles:
    - unbound
 # Déploiement du service re2o aurore-firewall et keepalived
 # radvd: IPv6 SLAAC (/64 subnets, private IPs).
 #   Must NOT be on routeur-aurore-*, or will with DHCPv6!
 - hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
  roles:
    - router
    - radvd
 # No radvd here
 - hosts: ~routeur-aurore.*\.adm\.auro\.re
  roles:
    - router
    - ipv6_edge_router
 # Radius (backup only for now)
 - hosts: radius-*.adm.auro.re
  roles:
    - radius
 # WIP: Deploy authoritative DNS servers
 # - hosts: authoritative_dns
 #   vars:
 #     service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
 #     service_name: dns
 #     service_version: crans
 #     service_config:
 #       hostname: re2o-server.adm.auro.re
 #       username: service-user
 #       password: "{{ vault_serviceuser_passwd }}"
 #   roles:
 #     - re2o-service
 # Deploy Unifi Controller
 # - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
 #   roles:
 #     - unifi-controller
 # Deploy Re2o switch service
 # - hosts: switchs-manager.adm.auro.re
 #   vars:
 #     service_repo: https://gitlab.federez.net/re2o/switchs.git
 #     service_name: switchs
 #     service_version: master
 #     service_config:
 #       hostname: re2o-server.adm.auro.re
 #       username: service-user
 #       password: "{{ vault_serviceuser_passwd }}"
 #   roles:
 #     - re2o-service
--- a/utils/nuke_radius_dbs.yml
+++ b/utils/nuke_radius_dbs.yml
--- a/playbooks/borgbackup.yml
+++ b/playbooks/borgbackup.yml
@ -1,32 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts: perceval.adm.auro.re
  vars:
    update_motd:
      borgbackup_server: >-
        Les sauvegardes (borg) sont stockées dans
        {{ borg_server_backups_dir }}.
  roles:
    - borgbackup_server
    - update_motd
 - hosts: all,!unifi,!unifi-*,!bdd
  vars:
    update_motd:
      borgbackup_client: >-
        BorgBackup est déployé (/etc/borgmatic/config.yaml)
  roles:
    - borgbackup_client
    - update_motd
 # On databases server, also backup databases
 - hosts: bdd
  vars:
    borg_postgresql_databases: true
    update_motd:
      borgbackup_client: >-
        BorgBackup est déployé (/etc/borgmatic/config.yaml)
  roles:
    - borgbackup_client
    - update_motd
 ...
--- a/playbooks/chronyd.yml
+++ b/playbooks/chronyd.yml
@ -1,27 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts:
    - ntp-1.int.infra.auro.re
  vars:
    chronyd__allow_networks:
      - 10.128.0.0/16
      - 2a09:6840:128::/48
    chronyd__pools:
      - 0.pool.ntp.org
      - 1.pool.ntp.org
      - 2.pool.ntp.org
      - 3.pool.ntp.org
    chronyd__local_stratum: 10
  roles:
    - chronyd
 - hosts:
    - all
    - "!ntp-1.int.infra.auro.re"
    - "!unifi"
  vars:
    chronyd__pools:
      - ntp-1.int.infra.auro.re
  roles:
    - chronyd
 ...
--- a/playbooks/docker.yml
+++ b/playbooks/docker.yml
@ -1,10 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Deploy Docker hosts
 - hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,wikijs.adm.auro.re
  vars:
    update_motd:
      docker: Docker est déployé.
  roles:
    - docker
    - update_motd
--- a/playbooks/grafana.yml
+++ b/playbooks/grafana.yml
@ -1,27 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Deploy Grafana
 - hosts: grafana.adm.auro.re
  vars:
    grafana:
      root_url: https://grafana.auro.re
      database:
        type: postgres
        host: 10.128.0.95
        name: grafana
        user: grafana
        password: "{{ vault_postgresql_grafana_passwd }}"
      ldap:
        host: "re2o-ldap.adm.auro.re ldap-replica-ovh.adm.auro.re 10.128.0.21 10.128.0.149"
        bind_dn: cn=grafana,ou=service-users,dc=auro,dc=re
        bind_password: "{{ vault_ldap_grafana_password }}"
        search_base_dns: "cn=Utilisateurs,dc=auro,dc=re"
        group_search_base_dns: "ou=posix,ou=groups,dc=auro,dc=re"
        editors_group_dn:
          - cn=sudoldap,ou=posix,ou=groups,dc=auro,dc=re
          - cn=technicien,ou=posix,ou=groups,dc=auro,dc=re
    update_motd:
      grafana: Grafana est déployé (/etc/grafana).
  roles:
    - grafana
    - update_motd
--- a/playbooks/ifupdown2.yml
+++ b/playbooks/ifupdown2.yml
@ -1,213 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts:
    - ntp-1.int.infra.auro.re
    - dns-1.int.infra.auro.re
    - dhcp-1.isp.auro.re
    - dhcp-2.isp.auro.re
    - isp-1.rtr.infra.auro.re
    - isp-2.rtr.infra.auro.re
  vars:
    # TODO: netbox
    ifupdown2__hosts:
      ntp-1.int.infra.auro.re:
        ens18:
          gateways:
            - 2a09:6840:128::254
            - 10.128.0.254
          addresses:
            - 2a09:6840:128::203/56
            - 10.128.0.203/16
      dns-1.int.infra.auro.re:
        ens18:
          gateways:
            - 2a09:6840:128::254
            - 10.128.0.254
          addresses:
            - 2a09:6840:128::127/56
            - 10.128.0.127/16
      dhcp-1.isp.auro.re:
        ens18:
          gateways:
            - 2a09:6840:128::254
            - 10.128.0.254
          addresses:
            - 2a09:6840:128::204/56
            - 10.128.0.204/16
        ens19: null
        clients:
          bridge_vlan_aware: true
          bridge_ports:
            - ens19
          bridge_vids:
            - 1000-1004
        client-0:
          addresses:
            - 100.64.0.2/27
          vlan_id: 1000
          vlan_raw_device: clients
        client-1:
          addresses:
            - 100.64.0.34/27
          vlan_id: 1001
          vlan_raw_device: clients
        client-2:
          addresses:
            - 100.64.0.66/27
          vlan_id: 1002
          vlan_raw_device: clients
        client-3:
          addresses:
            - 100.64.0.98/27
          vlan_id: 1003
          vlan_raw_device: clients
        client-4:
          addresses:
            - 100.64.0.130/27
          vlan_id: 1004
          vlan_raw_device: clients
      dhcp-2.isp.auro.re:
        ens18:
          gateways:
            - 2a09:6840:128::254
            - 10.128.0.254
          addresses:
            - 2a09:6840:128::91/56
            - 10.128.0.91/16
        ens19: null
        clients:
          bridge_vlan_aware: true
          bridge_ports:
            - ens19
          bridge_vids:
            - 1000-1004
        client-0:
          addresses:
            - 100.64.0.3/27
          vlan_id: 1000
          vlan_raw_device: clients
        client-1:
          addresses:
            - 100.64.0.35/27
          vlan_id: 1001
          vlan_raw_device: clients
        client-2:
          addresses:
            - 100.64.0.67/27
          vlan_id: 1002
          vlan_raw_device: clients
        client-3:
          addresses:
            - 100.64.0.99/27
          vlan_id: 1003
          vlan_raw_device: clients
        client-4:
          addresses:
            - 100.64.0.131/27
          vlan_id: 1004
          vlan_raw_device: clients
      isp-1.rtr.infra.auro.re:
        ens18:
          gateways:
            - 2a09:6840:128::254
            - 10.128.0.254
          addresses:
            - 2a09:6840:128::255/56
            - 10.128.0.255/16
        ens19: null
        clients:
          bridge_vlan_aware: true
          bridge_ports:
            - ens19
          bridge_vids:
            - 1000-1004
          bridge_disable_pvid: true
          forward: true
          ipv6_addrgen: false
        client-0:
          forward: true
          vlan_id: 1000
          vlan_raw_device: clients
          ipv6_addrgen: false
        client-1:
          forward: true
          vlan_id: 1001
          vlan_raw_device: clients
          ipv6_addrgen: false
        client-2:
          forward: true
          vlan_id: 1002
          vlan_raw_device: clients
          ipv6_addrgen: false
        client-3:
          forward: true
          vlan_id: 1003
          vlan_raw_device: clients
          ipv6_addrgen: false
        client-4:
          forward: true
          vlan_id: 1004
          vlan_raw_device: clients
          ipv6_addrgen: false
      isp-2.rtr.infra.auro.re:
        ens18:
          gateways:
            - 2a09:6840:128::254
            - 10.128.0.254
          addresses:
            - 2a09:6840:128::158/56
            - 10.128.0.158/16
        ens19: null
        clients:
          bridge_vlan_aware: true
          bridge_ports:
            - ens19
          bridge_vids:
            - 1000-1004
        client-0:
          forward: true
          vlan_id: 1000
          vlan_raw_device: clients
          ipv6_addrgen: false
        client-1:
          forward: true
          vlan_id: 1001
          vlan_raw_device: clients
          ipv6_addrgen: false
        client-2:
          forward: true
          vlan_id: 1002
          vlan_raw_device: clients
          ipv6_addrgen: false
        client-3:
          forward: true
          vlan_id: 1003
          vlan_raw_device: clients
          ipv6_addrgen: false
        client-4:
          forward: true
          vlan_id: 1004
          vlan_raw_device: clients
          ipv6_addrgen: false
    ifupdown2__interfaces: "{{ ifupdown2__hosts[inventory_hostname] }}"
  roles:
    - ifupdown2
 - hosts:
    - ntp-1.int.infra.auro.re
    - dns-1.int.infra.auro.re
    - dhcp-1.isp.auro.re
    - dhcp-2.isp.auro.re
    - isp-1.rtr.infra.auro.re
    - isp-2.rtr.infra.auro.re
  vars:
    resolvconf__nameservers:
      - 2a09:6840:128::127
      - 10.128.0.127
    resolvconf__domain: auro.re
    resolvconf__search:
      - "{{ inventory_hostname | remove_domain_suffix }}"
      - auro.re
  roles:
    - resolvconf
 ...
--- a/playbooks/isc-dhcp-server.yml
+++ b/playbooks/isc-dhcp-server.yml
@ -1,9 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts: dhcp-*.adm.auro.re
  vars:
    update_motd:
      unbound: isc-dhcp-server est déployé.
  roles:
    - isc_dhcp_server
    - update_motd
--- a/playbooks/keepalived.yml
+++ b/playbooks/keepalived.yml
@ -1,32 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts:
    - isp-1.rtr.infra.auro.re
    - isp-2.rtr.infra.auro.re
  vars:
    keepalived__virtual_router_id: 80
    keepalived__interface: ens18
    keepalived__virtual_addresses:
      client-0:
        - 100.64.0.1/27
        - 2a09:6841::/56
        - fe80::1/10
      client-1:
        - 100.64.0.33/27
        - 2a09:6841:0:100::/56
        - fe80::1/10
      client-2:
        - 100.64.0.65/27
        - 2a09:6841:0:100::/56
        - fe80::1/10
      client-3:
        - 100.64.0.97/27
        - 2a09:6841:0:200::/56
        - fe80::1/10
      client-4:
        - 100.64.0.129/27
        - 2a09:6841:0:300::/56
        - fe80::1/10
  roles:
    - keepalived
 ...
--- a/playbooks/knot.yml
+++ b/playbooks/knot.yml
@ -1,17 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts: all
  roles: []
 # WIP: Deploy authoritative DNS servers
 # - hosts: authoritative_dns
 #   vars:
 #     service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
 #     service_name: dns
 #     service_version: crans
 #     service_config:
 #       hostname: re2o-server.adm.auro.re
 #       username: service-user
 #       password: "{{ vault_serviceuser_passwd }}"
 #   roles:
 #     - re2o_service
--- a/playbooks/nginx.yml
+++ b/playbooks/nginx.yml
@ -1,26 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts: reverseproxy
  vars:
    certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
    nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
    reverseproxy: '{{ glob_reverseproxy | default({}) | combine(loc_reverseproxy | default({})) }}'
    update_motd:
      nginx: >-
        Le reverse-proxy NGINX est déployé (/etc/nginx).
  roles:
    - certbot
    - nginx
    - update_motd
 - hosts: nginx,!reverseproxy
  vars:
    certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
    nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
    update_motd:
      nginx: >-
        NGINX avec certbot est déployé (/etc/nginx).
  roles:
    - certbot
    - nginx
    - update_motd
--- a/playbooks/postfix.yml
+++ b/playbooks/postfix.yml
@ -1,22 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Deploy Postfix on non mailhost servers
 - hosts: all,!unifi
  vars:
    local_network: 10.128.0.0/16
    relay_host: proxy.adm.auro.re
  roles:
    - postfix_non_mailhost
 # Deploy Re2o mail service
 - hosts: mail.auro.re
  vars:
    service_repo: https://gitea.auro.re/aurore/re2o-mail-server.git
    service_name: mail-server
    service_version: aurore
    service_config:
      hostname: re2o-test.adm.auro.re  # use test instance for now, should be changed for prod!
      username: service-user
      password: "{{ vault_serviceuser_passwd }}"
  roles:
    - re2o_service
--- a/playbooks/postgresql.yml
+++ b/playbooks/postgresql.yml
@ -1,170 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Install and configure database servers at Saclay
 - hosts: bdd.adm.auro.re
  vars:
    postgresql:
      version: 13
      hosts:
        - database: nextcloud
          user: nextcloud
          net: 10.128.0.58/32
          method: md5
        - database: gitea
          user: gitea
          net: 10.128.0.60/32
          method: md5
        - database: wikijs
          user: wikijs
          net: 10.128.0.66/32
          method: md5
        - database: drone
          user: drone
          net: 10.128.0.64/32
          method: md5
        - database: netbox
          user: netbox
          net: 10.128.0.97/32
          method: md5
        - database: grafana
          user: grafana
          net: 10.128.0.98/32
          method: md5
        - database: dolibarr
          user: dolibarr
          net: 10.128.0.236/32
          method: md5
        - database: rt5
          user: rt5
          net: 10.128.0.123/32
          method: md5
      databases:
        - nextcloud
        - gitea
        - wikijs
        - drone
        - netbox
        - grafana
        - dolibarr
        - rt5
      users:
        - name: nextcloud
          database: nextcloud
          password: "{{ vault_postgresql_nextcloud_passwd }}"
          privs:
            - ALL
        - name: gitea
          database: gitea
          password: "{{ vault_postgresql_gitea_passwd }}"
          privs:
            - ALL
        - name: wikijs
          database: wikijs
          password: "{{ vault_postgresql_wikijs_passwd }}"
          privs:
            - ALL
        - name: drone
          database: drone
          password: "{{ vault_postgresql_drone_passwd }}"
          privs:
            - ALL
        - name: netbox
          database: netbox
          password: "{{ vault_postgresql_netbox_passwd }}"
          privs:
            - ALL
        - name: grafana
          database: grafana
          password: "{{ vault_postgresql_grafana_passwd }}"
          privs:
            - ALL
        - name: dolibarr
          database: dolibarr
          password: "{{ vault_postgresql_dolibarr_passwd }}"
          privs:
            - ALL
        - name: rt5
          database: rt5
          password: "{{ vault_postgresql_rt5_passwd }}"
          privs:
            - ALL
    update_motd:
      postgresql: PostgreSQL est déployé.
  roles:
    - postgresql
    - update_motd
 # Install and configure database servers at OVH
 - hosts: bdd-ovh.adm.auro.re
  vars:
    postgresql:
      version: 13
      hosts:
        - database: etherpad
          user: etherpad
          net: 10.128.0.150/32
          method: md5
        - database: codimd
          user: codimd
          net: 10.128.0.150/32
          method: md5
        - database: synapse
          user: synapse
          net: 10.128.0.56/32
          method: md5
        - database: kanboard
          user: kanboard
          net: 10.128.0.150/32
          method: md5
        - database: cas
          user: cas
          net: 10.128.0.150/32
          method: md5
        - database: appservice-discord
          user: appservice-discord
          net: 10.128.0.150/32
          method: md5
      databases:
        - synapse
        - codimd
        - etherpad
        - kanboard
        - cas
        - appservice-discord
      users:
        - name: synapse
          database: synapse
          password: "{{ vault_postgresql_synapse_passwd }}"
          privs:
            - ALL
        - name: codimd
          database: codimd
          password: "{{ vault_postgresql_codimd_passwd }}"
          privs:
            - ALL
        - name: etherpad
          database: etherpad
          password: "{{ vault_postgresql_etherpad_passwd }}"
          privs:
            - ALL
        - name: kanboard
          database: kanboard
          password: "{{ vault_postgresql_kanboard_passwd }}"
          privs:
            - ALL
        - name: cas
          database: cas
          password: "{{ vault_postgresql_cas_passwd }}"
          privs:
            - ALL
        - name: appservice-discord
          database: appservice-discord
          password: "{{ vault_postgresql_appservice_discord_passwd }}"
          privs:
            - ALL
    update_motd:
      postgresql: PostgreSQL est déployé.
  roles:
    - postgresql
    - update_motd
 ...
--- a/playbooks/prometheus.yml
+++ b/playbooks/prometheus.yml
@ -1,241 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts: prometheus-fleming.adm.auro.re
  vars:
    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
    snmp_switch_community: "{{ vault_snmp_switch_community }}"
    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
    snmp_ilo_user: aurore
    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
    prometheus_servers_targets: |
      {{ groups['fleming_pve'] + groups['fleming_vm'] | list | sort }}
    prometheus_unifi_snmp_targets: |
      {{ groups['fleming_unifi'] | list | sort }}
    prometheus_ilo_snmp_targets: |
      {{ groups['fleming_ilo'] | list | sort }}
    update_motd:
      prometheus: >-
        Prometheus (en configuration fleming) est déployé (/etc/prometheus).
  roles:
    - prometheus
    - update_motd
 - hosts: prometheus-pacaterie.adm.auro.re
  vars:
    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
    snmp_switch_community: "{{ vault_snmp_switch_community }}"
    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
    snmp_ilo_user: aurore
    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
    prometheus_servers_targets: |
      {{ groups['pacaterie_pve'] + groups['pacaterie_vm'] | list | sort }}
    prometheus_unifi_snmp_targets: |
      {{ groups['pacaterie_unifi'] | list | sort }}
    prometheus_ups_snmp_targets:
      - ups-pn-1.ups.auro.re
      - ups-ps-1.ups.auro.re
    prometheus_ilo_snmp_targets: |
      {{ groups['pacaterie_ilo'] | list | sort }}
    update_motd:
      prometheus: >-
        Prometheus (en configuration pacaterie) est déployé (/etc/prometheus).
  roles:
    - prometheus
    - update_motd
 - hosts: prometheus-edc.adm.auro.re
  vars:
    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
    snmp_switch_community: "{{ vault_snmp_switch_community }}"
    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
    snmp_ilo_user: aurore
    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
    prometheus_ups_snmp_targets:
      - ups-ec-1.ups.auro.re
      # - ups-ec-2.ups.auro.re
      - ups-ec-3.ups.auro.re
    prometheus_servers_targets: |
      {{ groups['edc_pve'] + groups['edc_vm'] + groups['edc_server'] | list | sort }}
    prometheus_unifi_snmp_targets: |
      {{ groups['edc_unifi'] | list | sort }}
    prometheus_ilo_snmp_targets: |
      {{ groups['edc_ilo'] | list | sort }}
    update_motd:
      prometheus: >-
        Prometheus (en configuration edc) est déployé (/etc/prometheus).
  roles:
    - prometheus
    - update_motd
 - hosts: prometheus-gs.adm.auro.re
  vars:
    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
    snmp_switch_community: "{{ vault_snmp_switch_community }}"
    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
    snmp_ilo_user: aurore
    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
    prometheus_servers_targets: |
      {{ groups['gs_pve'] + groups['gs_vm'] | list | sort }}
    prometheus_unifi_snmp_targets: |
      {{ groups['gs_unifi'] | list | sort }}
    prometheus_ups_snmp_targets:
      - ups-gk-1.ups.auro.re
    prometheus_apc_pdu_snmp_targets:
      - pdu-ga-1.ups.auro.re
    prometheus_ilo_snmp_targets: |
      {{ groups['gs_ilo'] | list | sort }}
    update_motd:
      prometheus: >-
        Prometheus (en configuration gs) est déployé (/etc/prometheus).
  roles:
    - prometheus
    - update_motd
 - hosts: prometheus-rives.adm.auro.re
  vars:
    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
    snmp_switch_community: "{{ vault_snmp_switch_community }}"
    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
    snmp_ilo_user: aurore
    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
    prometheus_ups_snmp_targets:
      - ups-r3-1.ups.auro.re
      - ups-r1-1.ups.auro.re
    prometheus_servers_targets: |
      {{ groups['rives_pve'] + groups['rives_vm'] | list | sort }}
    prometheus_unifi_snmp_targets: |
      {{ groups['rives_unifi'] | list | sort }}
    prometheus_ilo_snmp_targets: |
      {{ groups['rives_ilo'] | list | sort }}
    update_motd:
      prometheus: >-
        Prometheus (en configuration rives) est déployé (/etc/prometheus).
  roles:
    - prometheus
    - update_motd
 - hosts: prometheus-aurore.adm.auro.re
  vars:
    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
    snmp_switch_community: "{{ vault_snmp_switch_community }}"
    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
    snmp_ilo_user: aurore
    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
    prometheus_servers_targets: |
      {{ groups['aurore_pve'] + groups['aurore_vm'] | list | sort }}
    prometheus_postgresql_targets: |
      {{ groups['bdd'] + groups['radius'] | list | sort }}
    prometheus_switch_snmp_targets:
      - yggdrasil.switch.auro.re
      - sw-pn-serveurs.switch.auro.re
      - sw-ec-serveurs.switch.auro.re
      - sw-gk-serveurs.switch.auro.re
      - sw-fl-serveurs.switch.auro.re
      - sw-ff-uplink.switch.auro.re
      - sw-fl-core.switch.auro.re
      - sw-fd-vcore.switch.auro.re
      - sw-fl-vcore.switch.auro.re
      - sw-ff-vcore.switch.auro.re
      - sw-pn-core.switch.auro.re
      - sw-ec-core.switch.auro.re
      - sw-gk-core.switch.auro.re
      - sw-r3-core.switch.auro.re
    prometheus_ilo_snmp_targets: |
      {{ groups['aurore_ilo'] | list | sort }}
    update_motd:
      prometheus: >-
        Prometheus (en configuration aurore) est déployé (/etc/prometheus).
  roles:
    - prometheus
    - update_motd
 - hosts: prometheus-ovh.adm.auro.re
  vars:
    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
    snmp_switch_community: "{{ vault_snmp_switch_community }}"
    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
    snmp_ilo_user: aurore
    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
    prometheus_servers_targets: |
      {{ groups['ovh_pve'] + groups['ovh_vm'] | list | sort }}
    prometheus_postgresql_targets:
      - bdd-ovh.adm.auro.re
    prometheus_docker_targets:
      - docker-ovh.adm.auro.re
    update_motd:
      prometheus: >-
        Prometheus (en configuration ovh) est déployé (/etc/prometheus).
  roles:
    - prometheus
    - update_motd
 - hosts: prometheus-federate.adm.auro.re
  vars:
    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
    snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
    snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
    snmp_ilo_user: aurore
    snmp_ilo_auth: "{{ vault_snmp_ilo_auth }}"
    snmp_ilo_priv: "{{ vault_snmp_ilo_priv }}"
    prometheus_servers_targets:
      - prometheus-edc.adm.auro.re
      - prometheus-gs.adm.auro.re
      - prometheus-fleming.adm.auro.re
      - prometheus-pacaterie.adm.auro.re
      - prometheus-rives.adm.auro.re
      - prometheus-aurore.adm.auro.re
      - prometheus-ovh.adm.auro.re
    update_motd:
      prometheus_federate: >-
        Prometheus (en configuration fédération) est déployé (/etc/prometheus).
  roles:
    - prometheus_federate
    - update_motd
 # Postgres Exporters
 - hosts: bdd,radius
  roles:
    - prometheus_postgres
 # Monitor all hosts
 - hosts: all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,!aurore_testing_vm,!ovh_container
  roles:
    - prometheus_node
--- a/playbooks/radius.yml
+++ b/playbooks/radius.yml
@ -1,10 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Deploy Radius
 - hosts: radius-*.adm.auro.re
  vars:
    update_motd:
      unbound: FreeRADIUS est déployé.
  roles:
    - radius
    - update_motd
--- a/playbooks/root.yml
+++ b/playbooks/root.yml
@ -1,9 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts: all,!unifi
  vars:
    root_shell: /bin/bash
    root_password: "{{ vault_root_password }}"
  roles:
    - root_account
 ...
--- a/playbooks/router.yml
+++ b/playbooks/router.yml
@ -1,23 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Deploy firewall and keepalived
 # radvd: IPv6 SLAAC (/64 subnets, private IPs).
 #   Must NOT be on routeur-aurore-*, or will with DHCPv6!
 - hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
  vars:
    update_motd:
      unbound: Le routage (avec radvd) est déployé.
  roles:
    - router
    - radvd
    - update_motd
 # No radvd here
 - hosts: ~routeur-aurore.*\.adm\.auro\.re
  vars:
    update_motd:
      unbound: Le routage (avec DHCPv6) est déployé.
  roles:
    - router
    - ipv6_edge_router
    - update_motd
--- a/playbooks/rsyslog.yml
+++ b/playbooks/rsyslog.yml
@ -1,10 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts: log.adm.auro.re
  roles:
    - rsyslog_collector
 - hosts: all,!unifi
  roles:
    - rsyslog_common
 ...
--- a/playbooks/ssh.yml
+++ b/playbooks/ssh.yml
@ -1,14 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts: all,!unifi
  vars:
    openssh_users_ca_public_key:
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
      hBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXW\
      F1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg=="
    openssh_authorized_principals:
      - any
      - "{{ inventory_hostname }}"
  roles:
    - openssh_server
 ...
--- a/playbooks/switchs-manager.yml
+++ b/playbooks/switchs-manager.yml
@ -1,17 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts: all
  roles: []
 # Deploy Re2o switch service
 # - hosts: switchs-manager.adm.auro.re
 #   vars:
 #     service_repo: https://gitlab.federez.net/re2o/switchs.git
 #     service_name: switchs
 #     service_version: master
 #     service_config:
 #       hostname: re2o-server.adm.auro.re
 #       username: service-user
 #       password: "{{ vault_serviceuser_passwd }}"
 #   roles:
 #     - re2o_service
--- a/playbooks/unbound.yml
+++ b/playbooks/unbound.yml
@ -1,10 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Deploy unbound DNS server (recursive).
 - hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
  vars:
    update_motd:
      unbound: Unbound est déployé.
  roles:
    - unbound
    - update_motd
--- a/playbooks/unifi.yml
+++ b/playbooks/unifi.yml
@ -1,9 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts: all
  roles: []
 # Deploy Unifi Controller
 # - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
 #   roles:
 #     - unifi-controller
--- a/proxmox.yml
+++ b/proxmox.yml
@ -0,0 +1,432 @@
 #!/usr/bin/env ansible-playbook
 ---
 # This is a special playbook to create a new VM !
 - hosts: proxy.adm.auro.re  # Host with python-proxmoxer and python-requests
  become: false  # We do not need root as we use Proxmox API
  vars:
    vm_definitions:
      # Réseau Pacaterie
      - name: ldap-replica-pacaterie
        virtu: mordred
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: dhcp-pacaterie
        virtu: mordred
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: dns-pacaterie
        virtu: mordred
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: prometheus-pacaterie
        virtu: mordred
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: radius-pacaterie
        virtu: mordred
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: unifi-pacaterie
        virtu: mordred
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-9.9.0-amd64-netinst.iso
      # Réseau Fleming
      - name: ldap-replica-fleming1
        virtu: freya
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: dhcp-fleming
        virtu: freya
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: dns-fleming
        virtu: freya
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: prometheus-fleming
        virtu: freya
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: radius-fleming
        virtu: freya
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: unifi-fleming
        virtu: freya
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-9.9.0-amd64-netinst.iso
      # Réseau EdC
      - name: ldap-replica-edc1
        virtu: chapalux
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: dhcp-edc
        virtu: chapalux
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: dns-edc
        virtu: chapalux
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: prometheus-edc
        virtu: chapalux
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: radius-edc
        virtu: chapalux
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: unifi-edc
        virtu: chapalux
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-9.9.0-amd64-netinst.iso
      # Réseau George Sand
      - name: ldap-replica-gs1
        virtu: perceval
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: dhcp-gs
        virtu: perceval
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: dns-gs
        virtu: perceval
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: prometheus-gs
        virtu: perceval
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: radius-gs
        virtu: perceval
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-10.0.0-amd64-netinst.iso
      - name: unifi-gs
        virtu: perceval
        cores: 2  # 2 mimimum, 10 maximum
        memory: 1024  # M
        disksize: 16  # G
        installiso: debian-9.9.0-amd64-netinst.iso
  vars_prompt:
    - name: "password"
      prompt: "Enter LDAP password for your user"
      private: true
  tasks:
    - name: Define a virtual machine in Proxmox
      proxmox_kvm:
        api_user: "{{ ansible_user_id }}@pam"
        api_password: "{{ password }}"
        api_host: "{{ item.virtu }}.adm.auro.re"
        name: "{{ item.name }}"
        node: "{{ item.virtu }}"
        scsihw: virtio-scsi-pci
        scsi: '{"scsi0":"{{ item.virtu }}:{{ item.disksize }},format=raw"}'
        sata: '{"sata0":"local:iso/{{ item.installiso }},media=cdrom"}'
        net: '{"net0":"virtio,bridge=vmbr2"}'  # Adm only by default
        cores: "{{ item.cores }}"
        memory: "{{ item.memory }}"
        balloon: "{{ item.memory // 2 }}"
        bios: seabios  # Ansible module doesn't support UEFI boot disk
      loop:
        # Réseau Fleming
        - name: ldap-replica-fleming
          virtu: freya
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: dhcp-fleming
          virtu: freya
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: dns-fleming
          virtu: freya
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: prometheus-fleming
          virtu: freya
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: radius-fleming
          virtu: freya
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: unifi-fleming
          virtu: freya
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-9.9.0-amd64-netinst.iso
        - name: routeur-fleming
          virtu: freya
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: ldap-replica-fleming-fo
          virtu: marki
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: dhcp-fleming-fo
          virtu: marki
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: dns-fleming-fo
          virtu: marki
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: prometheus-fleming-fo
          virtu: marki
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: radius-fleming-fo
          virtu: marki
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: routeur-fleming-fo
          virtu: marki
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        # Réseau Pacaterie
        - name: ldap-replica-pacaterie
          virtu: mordred
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: dhcp-pacaterie
          virtu: mordred
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: dns-pacaterie
          virtu: mordred
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: prometheus-pacaterie
          virtu: mordred
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: radius-pacaterie
          virtu: mordred
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: unifi-pacaterie
          virtu: mordred
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-9.9.0-amd64-netinst.iso
        - name: routeur-pacaterie
          virtu: mordred
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: ldap-replica-pacaterie-fo
          virtu: titan
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: dhcp-pacaterie-fo
          virtu: titan
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: dns-pacaterie-fo
          virtu: titan
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: prometheus-pacaterie-fo
          virtu: titan
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: radius-pacaterie-fo
          virtu: titan
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: routeur-pacaterie-fo
          virtu: titan
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        # Réseau EDC
        - name: ldap-replica-edc
          virtu: chapalux
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: dhcp-edc
          virtu: chapalux
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: dns-edc
          virtu: chapalux
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: prometheus-edc
          virtu: chapalux
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: radius-edc
          virtu: chapalux
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: unifi-edc
          virtu: chapalux
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-9.9.0-amd64-netinst.iso
        - name: routeur-edc
          virtu: chapalux
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        # Réseau George Sand
        - name: ldap-replica-georgesand
          virtu: perceval
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: dhcp-georgesand
          virtu: perceval
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: dns-georgesand
          virtu: perceval
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: prometheus-georgesand
          virtu: perceval
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: radius-georgesand
          virtu: perceval
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
        - name: unifi-georgesand
          virtu: perceval
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-9.9.0-amd64-netinst.iso
        - name: routeur-georgesand
          virtu: perceval
          cores: 2  # 2 mimimum, 10 maximum
          memory: 1024  # M
          disksize: 16  # G
          installiso: debian-10.0.0-amd64-netinst.iso
--- a/roles/baseconfig/files/update-motd.d/00-logo
+++ b/roles/baseconfig/files/update-motd.d/00-logo
@ -1,23 +1,23 @@
 #!/bin/sh
-{{ ansible_managed | comment }}
+# {{ ansible_managed }}
 # Pretty uptime
 upSeconds="$(/usr/bin/cut -d. -f1 /proc/uptime)"
-mins="$((upSeconds / 60 % 60))"
+mins=$((${upSeconds}/60%60))
-hours="$((upSeconds / 3600 % 24))"
+hours=$((${upSeconds}/3600%24))
-days="$((upSeconds / 86400))"
+days=$((${upSeconds}/86400))
-UPTIME="$(printf "%d jours, %02dh%02dm" "$days" "$hours" "$mins")"
+UPTIME=`printf "%d jours, %02dh%02dm" "$days" "$hours" "$mins"`
 # RAM
-RAM="$(free -m | awk 'NR==2{printf "%s/%sMB (%.2f%%)\n", $3,$2,$3*100/$2}')"
+RAM=`free -m | awk 'NR==2{printf "%s/%sMB (%.2f%%)\n", $3,$2,$3*100/$2 }'`
-DISK="$(df -h | awk '$NF=="/"{printf "%d/%dGB (%s)\n", $3,$2,$5}')"
+DISK=`df -h | awk '$NF=="/"{printf "%d/%dGB (%s)\n", $3,$2,$5}'`
 # Text font
-bold="$(tput bold)"
+bold=$(tput bold)
-normal="$(tput sgr0)"
+normal=$(tput sgr0)
 # Logo
-cat <<EOF
+cat << EOF
 [49m[K[0m
 [0m               [48;5;160m[38;5;160m            [48;5;124m[38;5;124m [48;5;160m[38;5;160m [0m            [49m   ${bold}Uptime${normal} : ${UPTIME}
 [0m           [48;5;160m[38;5;160m                     [0m         [49m   ${bold}Mémoire${normal} : ${RAM}
--- a/roles/baseconfig/files/update-motd.d/10-uname
+++ b/roles/baseconfig/files/update-motd.d/10-uname
@ -0,0 +1,3 @@
 #!/bin/sh
 # {{ ansible_managed }}
 uname -snrvm
--- a/roles/baseconfig/tasks/main.yml
+++ b/roles/baseconfig/tasks/main.yml
@ -9,6 +9,8 @@
      - aptitude  # nice to have for Ansible
      - bash-completion  # because bash
      - curl  # better than wget
      - emacs-nox  # for maman
      - fish  # to motivate @edpibu
      - git  # code versioning
      - htop  # better than top
      - iotop  # monitor i/o
@ -16,19 +18,34 @@
      - lsb-release
      - molly-guard  # prevent reboot
      - nano  # for vulcain
      - net-tools
      - ntp  # network time sync
      - oidentd  # postgresql identification
      - screen  # Vulcain asked for this
      - sudo
      - tmux  # For shirenn
      - tree  # create a graphical tree of files
      - vim  # better than nano
      - zsh  # to be able to ssh @erdnaxe
      - dnsutils  # dig
    update_cache: true
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 # Pimp my server
 - name: Customize motd
  copy:
    src: "update-motd.d/{{ item }}"
    dest: "/etc/update-motd.d/{{ item }}"
    mode: 0755
  loop:
    - 00-logo
    - 10-uname
 - name: Remove Debian warranty motd
  file:
    path: /etc/motd
    state: absent
 # Configure APT mirrors on Debian Stretch
 - name: Configure APT mirrors
  when:
--- a/roles/bird/defaults/main.yml
+++ b/roles/bird/defaults/main.yml
@ -0,0 +1,6 @@
 ---
 bird_ospf_hello: 2
 bird_ospf_retransmit: 2
 bird_ospf_wait: 10
 bird_ospf_dead: 30
 ...
--- a/roles/bird/handlers/main.yml
+++ b/roles/bird/handlers/main.yml
@ -0,0 +1,6 @@
 ---
 - name: Reload bird
  systemd:
    name: bird.service
    state: reloaded
 ...
--- a/roles/bird/tasks/main.yml
+++ b/roles/bird/tasks/main.yml
@ -0,0 +1,20 @@
 ---
 - name: Install bird
  apt:
    name: bird
    state: latest
 - name: Configure bird
  template:
    src: bird.conf.j2
    dest: /etc/bird/bird.conf
    owner: root
    group: root
    mode: u=rw,g=r,o=
 - name: Enable and start bird
  systemd:
    name: bird.service
    state: started
    enabled: true
 ...
--- a/roles/bird/templates/bird.conf.j2
+++ b/roles/bird/templates/bird.conf.j2
@ -0,0 +1,42 @@
 log syslog all;
 router id {{ bird_router_id }};
 protocol kernel {
    scan time 15;
    import none;
    export filter {
        krt_prefsrc = {{ bird_router_prefsrc }};
        accept;
    };
 };
 protocol device {
    scan time 15;
 };
 {% if bird_ospf_ifaces is defined %}
 protocol ospf {
    import all;
    export all;
    area 0 {
 {% for name, attrs in bird_ospf_ifaces.items() %}
        interface "{{ name }}" {
 {% if "stub" in attrs %}
            stub;
 {% else %}
            hello {{ attrs.hello | default(bird_ospf_hello) }};
            retransmit {{ attrs.retransmit | default(bird_ospf_retransmit) }};
            wait {{ attrs.wait | default(bird_ospf_wait) }};
            dead {{ attrs.dead | default(bird_ospf_dead) }};
            type {{ attrs.type }};
            cost {{ attrs.cost }};
 {% endif %}
        };
 {% endfor %}
    };
 };
 {% endif %}
--- a/roles/borgbackup_client/defaults/main.yml
+++ b/roles/borgbackup_client/defaults/main.yml
@ -1,8 +0,0 @@
 ---
 borg_keep_hourly: 0
 borg_keep_daily: 0
 borg_keep_weekly: 0
 borg_keep_monthly: 0
 borg_server_user: borgbackup
 borg_server_group: borgbackup
 ...
--- a/roles/borgbackup_client/handlers/main.yml
+++ b/roles/borgbackup_client/handlers/main.yml
@ -1,5 +0,0 @@
 ---
 - name: Run systemd daemon-reload
  systemd:
    daemon_reload: true
 ...
--- a/roles/borgbackup_client/tasks/main.yml
+++ b/roles/borgbackup_client/tasks/main.yml
@ -1,110 +0,0 @@
 ---
 - name: Pin borgmatic
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: u=rw,g=r,o=
  loop:
    - src: apt/list.j2
      dest: /etc/apt/sources.list.d/bullseye.list
    - src: apt/preferences.j2
      dest: /etc/apt/preferences.d/borgmatic-bullseye
  when:
    - "ansible_distribution == 'Debian'"
    - "ansible_distribution_major_version in ('stretch', 'buster', '9', '10')"
 - name: Install borgmatic
  apt:
    name: borgmatic
    update_cache: true
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Create configuration directory for borgmatic
  file:
    path: /etc/borgmatic
    state: directory
    owner: root
    group: root
    mode: u=rwx,g=rx,o=
 - name: Add borgmatic configuration file
  become: true
  template:
    src: config.yaml.j2
    dest: /etc/borgmatic/config.yaml
    owner: root
    group: root
    mode: u=rw,g=r,o=
  vars:
    borg_host_dir: "/borg/{{ inventory_hostname }}"
 - name: Create SSH key
  openssh_keypair:
    path: "/etc/borgmatic/id_remote"
    type: ed25519
    regenerate: full_idempotence
    owner: root
    group: root
    mode: u=rw,g=,o=
  register: ssh_key
 - name: Gather SSH host keys
  delegate_to: "{{ borg_server_host }}"
  command: "ssh-keyscan {{ borg_server_host }}"
  register: keys
 - name: Add server key to known hosts
  known_hosts:
    hash_host: true
    host: "{{ borg_server_host }}"
    key: "{{ item }}"
  loop: "{{ keys.stdout_lines }}"
 - name: Add public key to remote
  delegate_to: "{{ borg_server_host }}"
  become: true
  authorized_key:
    exclusive: false
    user: "{{ borg_server_user }}"
    key: "{{ ssh_key.public_key }}"
    key_options: "{{ options | join(',') }}"
  vars:
    borg_host_dir: "/borg/{{ inventory_hostname }}"
    options:
      - 'command="borg serve --restrict-to-path {{ borg_host_dir }}"'
      - no-agent-forwarding
      - no-port-forwarding
      - no-pty
      - no-user-rc
      - no-X11-forwarding
 - name: Init repository
  command: borgmatic init --encryption repokey
 - name: Install timer and service for borgmatic
  template:
    src: "{{ item }}.j2"
    dest: "/etc/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: u=rw,g=r,o=
  loop:
    - borgmatic.timer
    - borgmatic.service
  notify:
    - Run systemd daemon-reload
 - name: Run systemd deamon-reload
  systemd:
    daemon_reload: true
 - name: Start and enable borgmatic timer
  systemd:
    name: borgmatic.timer
    state: started
    enabled: true
 ...
--- a/roles/borgbackup_client/templates/apt/list.j2
+++ b/roles/borgbackup_client/templates/apt/list.j2
@ -1,3 +0,0 @@
 {{ ansible_managed | comment }}
 deb https://deb.debian.org/debian/ bullseye main
--- a/roles/borgbackup_client/templates/apt/preferences.j2
+++ b/roles/borgbackup_client/templates/apt/preferences.j2
@ -1,9 +0,0 @@
 {{ ansible_managed | comment }}
 Package: *
 Pin: release n=bullseye
 Pin-Priority: 1
 Package: borgmatic
 Pin: release n=bullseye
 Pin-Priority: 900
--- a/roles/borgbackup_client/templates/borgmatic.service.j2
+++ b/roles/borgbackup_client/templates/borgmatic.service.j2
@ -1,32 +0,0 @@
 {{ ansible_managed | comment }}
 [Unit]
 Description=Service for borgmatic backup
 Wants=network-online.target
 After=network-online.target
 ConditionACPower=true
 [Service]
 Type=simple
 ProtectSystem=full
 CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
 # Lower CPU and I/O priority.
 Nice=19
 CPUSchedulingPolicy=batch
 IOSchedulingClass=best-effort
 IOSchedulingPriority=7
 IOWeight=100
 Restart=no
 # Prevent rate limiting of borgmatic log events. If you are using an older
 # version of systemd that doesn't support this (pre-240 or so), you may have
 # to remove this option.
 LogRateLimitIntervalSec=0
 # Delay start to prevent backups running during boot. Note that
 # systemd-inhibit requires dbus and dbus-user-session to be installed.
 # ExecStartPre=sleep 1m
 ExecStart=systemd-inhibit --who="borgmatic" \
    --why="Prevent interrupting scheduled backup" \
    /usr/bin/borgmatic -v 2
--- a/roles/borgbackup_client/templates/borgmatic.timer.j2
+++ b/roles/borgbackup_client/templates/borgmatic.timer.j2
@ -1,17 +0,0 @@
 {{ ansible_managed | comment }}
 [Unit]
 Description=Timer for borgmatic backup
 [Timer]
 {% if borg_keep_hourly > 0 %}
 OnCalendar=hourly
 RandomizedDelaySec=60m
 {% else %}
 OnCalendar=daily
 RandomizedDelaySec=24h
 {% endif %}
 FixedRandomDelay=true
 [Install]
 WantedBy=timers.target
--- a/roles/borgbackup_client/templates/config.yaml.j2
+++ b/roles/borgbackup_client/templates/config.yaml.j2
@ -1,51 +0,0 @@
 ---
 {{ ansible_managed | comment }}
 location:
  source_directories:
 {% for source in borg_backup_directories %}
   - {{ source }}
 {% endfor %}
  exclude_patterns:
 {% for exclude in borg_backup_exclude %}
  - {{ exclude }}
 {% endfor %}
  repositories:
   - {{ borg_server_user }}@{{ borg_server_host }}:{{ borg_host_dir }}
  borgmatic_source_directory: /var/backups
 storage:
  encryption_passphrase: "{{ borg_encryption_passphrase }}"
  ssh_command: ssh -i /etc/borgmatic/id_remote
  # compression: 'lz4'
  # umask: 0077
  # lock_wait: 5
  # archive_name_format: '{hostname}-{now}'
 retention:
 {% if borg_keep_hourly > 0 %}
  keep_hourly: {{ borg_keep_hourly }}
 {% endif %}
 {% if borg_keep_daily > 0 %}
  keep_daily: {{ borg_keep_daily }}
 {% endif %}
 {% if borg_keep_weekly > 0 %}
  keep_weekly: {{ borg_keep_weekly }}
 {% endif %}
 {% if borg_keep_monthly > 0 %}
  keep_monthly: {{ borg_keep_monthly }}
 {% endif %}
 consistency:
  checks:
    - repository
    - archives
 {% if borg_postgresql_databases is defined %}
 hooks:
  postgresql_databases:
    - name: all
      username: postgres
 {% endif %}
 ...
--- a/roles/borgbackup_server/defaults/main.yml
+++ b/roles/borgbackup_server/defaults/main.yml
@ -1,5 +0,0 @@
 ---
 borg_server_user: borgbackup
 borg_server_group: borgbackup
 borg_home_dir: /var/lib/borgbackup
 ...
--- a/roles/borgbackup_server/tasks/main.yml
+++ b/roles/borgbackup_server/tasks/main.yml
@ -1,38 +0,0 @@
 ---
 - name: Install borg
  apt:
    name: borgbackup
    state: present
    update_cache: true
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Create a local group for borg
  become: true
  group:
    name: "{{ borg_server_group }}"
    system: true
 - name: Create a local user for borg
  become: true
  user:
    home: "{{ borg_home_dir }}"
    create_home: true
    comment: Local user for borgbackup server
    name: "{{ borg_server_user }}"
    group: "{{ borg_server_group }}"
    system: true
    # Does not constitute a valid hash, preventing from login via password
    password: "*"
    update_password: always
 - name: Create backup directory
  become: true
  file:
    path: "{{ borg_server_backups_dir }}"
    state: directory
    owner: "{{ borg_server_user }}"
    group: "{{ borg_server_group }}"
    mode: u=rwx,g=,o=
 ...
--- a/roles/certbot/handlers/main.yml
+++ b/roles/certbot/handlers/main.yml
@ -0,0 +1,8 @@
 ---
 - name: Reload nginx
  service:
    name: nginx
    state: reloaded
 - name: Generate certificates
  command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@ -1,28 +1,13 @@
 ---
- name: Install certbot and RFC2136 plugin
+- name: Install certbot and nginx plugin
  apt:
    update_cache: true
    name:
      - certbot
-      - python3-certbot-dns-rfc2136
+      - python3-certbot-nginx
-    state: present
+  register: pkg_result
  register: apt_result
  retries: 3
-  until: apt_result is succeeded
+  until: pkg_result is succeeded
 - name: Add DNS credentials
  template:
    src: letsencrypt/rfc2136.ini.j2
    dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
    mode: 0600
    owner: root
  loop: "{{ certbot }}"
 - name: Add dhparam
  template:
    src: "letsencrypt/dhparam.j2"
    dest: "/etc/letsencrypt/dhparam"
    mode: 0600
 - name: Create /etc/letsencrypt/conf.d
  file:
@ -33,19 +18,8 @@
 - name: Add Certbot configuration
  template:
    src: "letsencrypt/conf.d/certname.ini.j2"
-    dest: "/etc/letsencrypt/conf.d/{{ item.certname }}.ini"
+    dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
    mode: 0644
-  loop: "{{ certbot }}"
+  notify:
-
+    - Generate certificates
- name: Run certbot
+    - Reload nginx
  command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
  loop: "{{ certbot }}"
 - name: Clean old files
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - "/etc/letsencrypt/options-ssl-nginx.conf"
    - "/etc/letsencrypt/ssl-dhparams.pem"
    - "/etc/letsencrypt/rfc2136.ini"
--- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
+++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
@ -1,7 +1,7 @@
-{{ ansible_managed | comment(decoration='# ') }}
+# {{ ansible_managed }}
-# To generate the certificate, please use the following command
+# Pour appliquer cette conf et générer la conf de renewal :
-# certbot --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
+# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
 # Use a 4096 bit RSA key instead of 2048
 rsa-key-size = 4096
@ -10,19 +10,14 @@ rsa-key-size = 4096
 # server = https://acme-staging.api.letsencrypt.org/directory
 # Uncomment and update to register with the specified e-mail address
-email = {{ item.mail }}
+email = {{ certbot.mail }}
 # Uncomment to use a text interface instead of ncurses
 text = True
-# Yes I want to sell my soul and my guinea pig.
+# Use nginx challenge
-agree-tos = True
+authenticator = nginx
 # Use DNS-01 challenge
 authenticator = dns-rfc2136
 dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini
 dns-rfc2136-propagation-seconds = 30
 # Wildcard the domain
-cert-name = {{ item.certname }}
+cert-name = {{ certbot.certname }}
-domains = {{ item.domains }}
+domains = {{ ", ".join(certbot.domains) }}
--- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@ -1,7 +0,0 @@
 {{ ansible_managed | comment(decoration='# ') }}
 dns_rfc2136_server = {{ item.dns_rfc2136_server }}
 dns_rfc2136_port = 53
 dns_rfc2136_name = {{ item.dns_rfc2136_name }}
 dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
 dns_rfc2136_algorithm = HMAC-SHA512
--- a/roles/chronyd/defaults/main.yml
+++ b/roles/chronyd/defaults/main.yml
@ -1,11 +0,0 @@
 ---
 chronyd__pools: []
 chronyd__key_file: /etc/chrony/chrony.keys
 chronyd__drift_file: /var/lib/chrony/chrony.drift
 chronyd__nts_dump_dir: /var/lib/chrony
 chronyd__log_dir: /var/log/chrony
 chronyd__max_update_skew: 100.0
 chronyd__rtcsync: true
 chronyd__allow_networks: []
 chronyd__log_change_seconds: 0.5
 ...
--- a/roles/chronyd/handlers/main.yml
+++ b/roles/chronyd/handlers/main.yml
@ -1,6 +0,0 @@
 ---
 - name: Restart chronyd
  systemd:
    name: chrony.service
    state: restarted
 ...
--- a/roles/chronyd/tasks/main.yml
+++ b/roles/chronyd/tasks/main.yml
@ -1,32 +0,0 @@
 ---
 - name: Uninstall ntp and sntp
  apt:
    name:
      - sntp
      - ntp
      - systemd-timesyncd
    state: absent
 - name: Install chronyd
  apt:
    name: chrony
 - name: Configure chronyd
  template:
    src: "{{ item }}.j2"
    dest: "/etc/chrony/{{ item }}"
    owner: root
    group: root
    mode: u=rw,g=r,o=
  loop:
    - chrony.conf
    - chrony.keys
  notify:
    - Restart chronyd
 - name: Enable and start chronyd
  systemd:
    name: chrony.service
    enabled: true
    state: started
 ...
--- a/roles/chronyd/templates/chrony.conf.j2
+++ b/roles/chronyd/templates/chrony.conf.j2
@ -1,30 +0,0 @@
 {{ ansible_managed | comment }}
 {% for pool in chronyd__pools %}
 pool {{ pool }} iburst
 {% endfor %}
 keyfile {{ chronyd__key_file }}
 driftfile {{ chronyd__drift_file }}
 ntsdumpdir {{ chronyd__nts_dump_dir }}
 logdir {{ chronyd__log_dir }}
 log tracking measurements statistics
 maxupdateskew {{ chronyd__max_update_skew | float }}
 {% if chronyd__rtcsync %}
 rtcsync
 {% endif %}
 {% if chronyd__local_stratum is defined %}
 local stratum {{ chronyd__local_stratum | int }}
 {% endif %}
 logchange {{ chronyd__log_change_seconds | float }}
 leapsectz right/UTC
 {% for network in chronyd__allow_networks %}
 allow {{ network | ipaddr }}
 {% endfor %}
--- a/roles/chronyd/templates/chrony.keys.j2
+++ b/roles/chronyd/templates/chrony.keys.j2
@ -1 +0,0 @@
 {{ ansible_managed | comment }}
--- a/roles/debian-backports/tasks/main.yml
+++ b/roles/debian-backports/tasks/main.yml
--- a/roles/debian-backports/templates/backports.list.j2
+++ b/roles/debian-backports/templates/backports.list.j2
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@ -50,4 +50,9 @@
    url: https://github.com/docker/compose/releases/download/1.24.1/docker-compose-Linux-x86_64
    dest: /usr/local/bin/docker-compose
    mode: "0755"
-...
+
 - name: Indicate role in motd
  template:
    src: update-motd.d/05-service.j2
    dest: /etc/update-motd.d/05-docker
    mode: 0755
--- a/roles/docker/templates/update-motd.d/05-service.j2
+++ b/roles/docker/templates/update-motd.d/05-service.j2
@ -0,0 +1,3 @@
 #!/bin/sh
 # {{ ansible_managed }}
 echo "> Les recettes Docker-compose se trouvent dans /var/local/ansible-docker"
--- a/roles/dokuwiki/tasks/main.yml
+++ b/roles/dokuwiki/tasks/main.yml
@ -0,0 +1,30 @@
 ---
 # For DokuWiki package
 - name: Configure Debian Buster mirrors
  when:
    - ansible_distribution == 'Debian'
    - ansible_distribution_release == 'stretch'
  template:
    src: apt/buster.list.j2
    dest: /etc/apt/sources.list.d/buster.list
    mode: 0644
 # For DokuWiki package
 - name: Configure DokuWiki pin
  when:
    - ansible_distribution == 'Debian'
    - ansible_distribution_release == 'stretch'
  template:
    src: apt/dokuwiki.j2
    dest: /etc/apt/preferences.d/dokuwiki
    mode: 0644
 # Install
 - name: Install DokuWiki
  apt:
    update_cache: true
    name: dokuwiki
    state: present
  register: apt_result
  retries: 3
  until: apt_result is succeeded
--- a/roles/dokuwiki/templates/apt/buster.list.j2
+++ b/roles/dokuwiki/templates/apt/buster.list.j2
@ -0,0 +1,9 @@
 # {{ ansible_managed }}
 {# #}
 {# Default mirror #}
 {% if debian_mirror is not defined %}
 {% set debian_mirror = 'http://ftp.fr.debian.org/debian' %}
 {% endif %}
 deb {{ debian_mirror }} buster main
 deb-src {{ debian_mirror }} buster main
--- a/roles/dokuwiki/templates/apt/dokuwiki.j2
+++ b/roles/dokuwiki/templates/apt/dokuwiki.j2
@ -0,0 +1,9 @@
 # {{ ansible_managed }}
 Package: *
 Pin: release n=stretch*
 Pin-Priority: 990
 Package: dokuwiki
 Pin: release n=buster
 Pin-Priority: 990
--- a/roles/grafana/handlers/main.yml
+++ b/roles/grafana/handlers/main.yml
@ -1,5 +0,0 @@
 ---
 - name: Restart grafana
  service:
    name: grafana-server
    state: restarted
--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
@ -1,111 +0,0 @@
 ---
 - name: Install gpg (to import Grafana key)
  apt:
    name: gpg
    state: present
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Import Grafana GPG signing key
  apt_key:
    url: https://packages.grafana.com/gpg.key
    state: present
  register: apt_key_result
  retries: 3
  until: apt_key_result is succeeded
 - name: Add Grafana repository
  apt_repository:
    repo: deb https://packages.grafana.com/oss/deb stable main
    state: present
    update_cache: true
 - name: Install Grafana
  apt:
    name: grafana
    state: present
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Configure Grafana
  ini_file:
    path: /etc/grafana/grafana.ini
    section: "{{ item.section }}"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
    mode: 0640
  loop:
    - section: server
      option: root_url
      value: "{{ grafana.root_url }}"
    - section: analytics
      option: reporting_enabled
      value: "false"
    - section: analytics
      option: check_for_updates
      value: "false"
    - section: security
      option: disable_initial_admin_creation
      value: "true"
    - section: security
      option: cookie_secure
      value: "true"
    - section: security
      option: disable_gravatar
      value: "true"
    - section: snapshots
      option: external_enabled
      value: "false"
    - section: users
      option: allow_sign_up
      value: "false"
    - section: users
      option: allow_org_create
      value: "false"
    - section: auth.anonymous
      option: enabled
      value: "false"  # no public access
    - section: auth.anonymous
      option: hide_version
      value: "true"
    - section: auth.basic  # only LDAP auth
      option: enabled
      value: "false"
    - section: auth.ldap
      option: enabled
      value: "true"
    - section: alerting
      option: enabled
      value: "false"
    - section: database
      option: type
      value: "{{ grafana.database.type }}"
    - section: database
      option: host
      value: "{{ grafana.database.host }}"
    - section: database
      option: name
      value: "{{ grafana.database.name }}"
    - section: database
      option: user
      value: "{{ grafana.database.user }}"
    - section: database
      option: password
      value: "{{ grafana.database.password }}"
  notify: Restart grafana
 - name: Configure Grafana LDAP
  template:
    src: ldap.toml.j2
    dest: /etc/grafana/ldap.toml
    mode: 0640
  notify: Restart grafana
 - name: Enable and start Grafana
  systemd:
    name: grafana-server
    enabled: true
    state: started
    daemon_reload: true
--- a/roles/grafana/templates/ldap.toml.j2
+++ b/roles/grafana/templates/ldap.toml.j2
@ -1,61 +0,0 @@
 {{ ansible_managed | comment }}
 # To troubleshoot and get more log info enable ldap debug logging in grafana.ini
 # [log]
 # filters = ldap:debug
 [[servers]]
 # Ldap server host (specify multiple hosts space separated)
 host = "{{ grafana.ldap.host }}"
 # Default port is 389 or 636 if use_ssl = true
 port = 389
 # Set to true if ldap server supports TLS
 use_ssl = false
 # Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
 start_tls = false
 # set to true if you want to skip ssl cert validation
 ssl_skip_verify = false
 # set to the path to your root CA certificate or leave unset to use system defaults
 # root_ca_cert = "/path/to/certificate.crt"
 # Authentication against LDAP servers requiring client certificates
 # client_cert = "/path/to/client.crt"
 # client_key = "/path/to/client.key"
 # Search user bind dn
 bind_dn = "{{ grafana.ldap.bind_dn }}"
 # Search user bind password
 # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
 bind_password = '{{ grafana.ldap.bind_password }}'
 # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
 search_filter = "(cn=%s)"
 # An array of base dns to search through
 search_base_dns = ["{{ grafana.ldap.search_base_dns }}"]
 ## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
 ## Please check grafana LDAP docs for examples
 group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
 group_search_base_dns = ["{{ grafana.ldap.group_search_base_dns }}"]
 group_search_filter_user_attribute = "cn"
 # Specify names of the ldap attributes your ldap uses
 [servers.attributes]
 name = "sn"
 surname = ""
 username = "cn"
 member_of = "dn"
 email =  "mail"
 # Editors
 {% for group_dn in grafana.ldap.editors_group_dn %}
 [[servers.group_mappings]]
 group_dn = "{{ group_dn }}"
 org_role = "Editor"
 {% endfor %}
 # Viewers
 [[servers.group_mappings]]
 # If you want to match all (or no ldap groups) then you can use wildcard
 group_dn = "*"
 org_role = "Viewer"
--- a/roles/ifupdown2/defaults/main.yml
+++ b/roles/ifupdown2/defaults/main.yml
@ -1,3 +0,0 @@
 ---
 ifupdown2__interfaces: {}
 ...
--- a/roles/ifupdown2/handlers/main.yml
+++ b/roles/ifupdown2/handlers/main.yml
@ -1,9 +0,0 @@
 ---
 - name: Restart networking
  systemd:
    name: networking.service
    state: restarted
 - name: Bring all interfaces up
  shell: /usr/sbin/ifup -a
 ...
--- a/roles/ifupdown2/tasks/main.yml
+++ b/roles/ifupdown2/tasks/main.yml
@ -1,42 +0,0 @@
 ---
 - name: Gather package facts
  package_facts:
    manager: apt
 - name: Check if ifupdown2 is installed
  set_fact:
    must_mask: "{{ 'ifupdown2' not in ansible_facts.packages }}"
 - name: Mask networking before installing ifupdown2
  systemd:
    name: networking.service
    masked: true
  when: must_mask
 - name: Install ifupdown2
  apt:
    name: ifupdown2
 - name: Unmask networking now that ifupdown2 is installed
  systemd:
    name: networking.service
    masked: false
  when: must_mask
 - name: Configure ifupdown2
  template:
    src: interfaces.j2
    dest: /etc/network/interfaces
    owner: root
    group: root
    mode: u=rw,g=r,o=
  notify:
    - Restart networking
    - Bring all interfaces up
 - name: Enable and start networking
  systemd:
    name: networking.service
    state: started
    enabled: true
 ...
--- a/roles/ifupdown2/templates/interfaces.j2
+++ b/roles/ifupdown2/templates/interfaces.j2
@ -1,41 +0,0 @@
 {{ ansible_managed | comment }}
 {% for name, iface in ifupdown2__interfaces.items() %}
 auto {{ name }}
 iface {{ name }}
 {% for address in iface.addresses | default([]) %}
    address {{ address | ipaddr }}
 {% endfor %}
 {% for gateway in iface.gateways | default([]) %}
    gateway {{ gateway | ipaddr }}
 {% endfor %}
 {% if iface.bridge_ports is defined %}
    bridge-ports {{ iface.bridge_ports | join(" ") }}
 {% endif %}
 {% if iface.bridge_vlan_aware is defined %}
    bridge-vlan-aware {{ iface.bridge_vlan_aware
                         | ternary("yes", "no") }}
 {% endif %}
 {% if iface.bridge_vids is defined %}
    bridge-vids {{ iface.bridge_vids | join(",") }}
 {% endif %}
 {% if iface.vlan_id is defined %}
    vlan-id {{ iface.vlan_id | int }}
 {% endif %}
 {% if iface.vlan_raw_device is defined %}
    vlan-raw-device {{ iface.vlan_raw_device }}
 {% endif %}
 {% if iface.bridge_disable_pvid | default(false) %}
    bridge-pvid 0
    post-up bridge vlan del dev {{ name }} vid 1 self
 {% endif %}
 {% if iface.forward | default(false) %}
    ip-forward yes
    ip6-forward yes
 {% endif %}
 {% if iface.ipv6_addrgen is defined %}
    ipv6-addrgen {{ iface.ipv6_addrgen
                    | ternary("yes", "no") }}
 {% endif %}
 {% endfor %}
--- a/roles/isc_dhcp_server/handlers/main.yml
+++ b/roles/isc_dhcp_server/handlers/main.yml
@ -1,6 +1,6 @@
 ---
 - name: force run dhcp re2o-service
-  command: /var/local/re2o-services/dhcp/main.py --force
+  shell: /var/local/re2o-services/dhcp/main.py --force
  become_user: re2o-services
 - name: restart dhcpd
--- a/roles/isc_dhcp_server/tasks/main.yml
+++ b/roles/isc_dhcp_server/tasks/main.yml
@ -1,7 +1,7 @@
 ---
 - name: Install dhcp (re2o-service)
  import_role:
-    name: re2o_service
+    name: re2o-service
  vars:
    service_repo: https://gitlab.federez.net/re2o/dhcp.git
    service_name: dhcp
@ -18,7 +18,7 @@
    owner: re2o-services
    group: nogroup
    recurse: true
-    mode: 0755
+    mode: 755
 - name: Install isc-dhcp-server
  apt:
--- a/roles/keepalived/defaults/main.yml
+++ b/roles/keepalived/defaults/main.yml
@ -1,7 +0,0 @@
 ---
 keepalived__virtual_addresses: {}
 keepalived__notify_master: []
 keepalived__notify_backup: []
 keepalived__notify_fault: []
 keepalived__max_auto_priority: -1
 ...
--- a/roles/keepalived/handlers/main.yml
+++ b/roles/keepalived/handlers/main.yml
@ -1,6 +0,0 @@
 ---
 - name: Reload keepalived
  systemd:
    name: keepalived.service
    state: reloaded
 ...
--- a/roles/keepalived/tasks/main.yml
+++ b/roles/keepalived/tasks/main.yml
@ -1,28 +0,0 @@
 ---
 - name: Install keepalived
  apt:
    name: keepalived
 - name: Configure keepalived
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: "{{ item.mode }}"
  loop:
    - src: keepalived.conf.j2
      dest: /etc/keepalived/keepalived.conf
      mode: u=rw,g=,o=
    - src: notify.sh.j2
      dest: /etc/keepalived/notify.sh
      mode: u=rwx,g=,o=
  notify:
    - Reload keepalived
 - name: Enable and start keepalived
  systemd:
    name: keepalived
    enabled: true
    state: started
 ...
--- a/roles/keepalived/templates/keepalived.conf.j2
+++ b/roles/keepalived/templates/keepalived.conf.j2
@ -1,92 +0,0 @@
 {{ ansible_managed | comment }}
 global_defs {
    dynamic_interfaces
    script_user root
    enable_script_security
    vrrp_version 3
 {% if keepalived__max_auto_priority is defined %}
    max_auto_priority {{ keepalived__max_auto_priority | int }}
 {% endif %}
 }
 {%
 set ipv4_enabled =
    keepalived__ipv4_enabled
    | default(keepalived__virtual_addresses.values()
              | flatten | ansible.utils.ipv4)
 %}
 {%
 set ipv6_enabled =
    keepalived__ipv6_enabled
    | default(keepalived__virtual_addresses.values()
              | flatten | ansible.utils.ipv6)
 %}
 {% if ipv4_enabled and ipv6_enabled %}
 vrrp_sync_group group {
    group {
 {% if ipv4_enabled %}
        instance_v4
 {% endif %}
 {% if ipv6_enabled %}
        instance_v6
 {% endif %}
    }
    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault "/etc/keepalived/notify.sh fault"
 }
 {% endif %}
 {% if ipv4_enabled %}
 vrrp_instance instance_v4 {
    virtual_router_id {{ keepalived__virtual_router_id | int }}
    interface {{ keepalived__interface }}
    state BACKUP
    priority 250
    nopreempt
    advert_int 1
    accept
    virtual_ipaddress {
 {% for dev, addresses in keepalived__virtual_addresses.items() %}
 {% for address in addresses %}
 {% if address | ansible.utils.ipv4 %}
        {{ address }} dev {{ dev }}
 {% endif %}
 {% endfor %}
 {% endfor %}
    }
 {% if not (ipv4_enabled and ipv6_enabled) %}
    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault "/etc/keepalived/notify.sh fault"
 {% endif %}
 }
 {% endif %}
 {% if ipv6_enabled %}
 vrrp_instance instance_v6 {
    virtual_router_id {{ keepalived__virtual_router_id | int }}
    interface {{ keepalived__interface }}
    state BACKUP
    priority 250
    nopreempt
    advert_int 1
    accept
    virtual_ipaddress {
 {% for dev, addresses in keepalived__virtual_addresses.items() %}
 {% for address in addresses | ipaddr_sort(["link-local"]) %}
 {% if address | ansible.utils.ipv6 %}
        {{ address }} dev {{ dev }}
 {% endif %}
 {% endfor %}
 {% endfor %}
    }
 {% if not (ipv4_enabled and ipv6_enabled) %}
    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault "/etc/keepalived/notify.sh fault"
 {% endif %}
 }
 {% endif %}
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
Jeltz	bba0cb7a4d	Use Afone network as triggers Some checks failed continuous-integration/drone/push Build is failing Details	2021-03-10 09:46:41 +01:00
Jeltz	6dabcb0966	Indent nftables sets literals	2021-03-10 09:43:31 +01:00
Jeltz	f24a3e1d29	Use group vars and rename some nftables vars Some checks failed continuous-integration/drone/push Build is failing Details	2021-03-10 08:29:15 +01:00
Jeltz	93c229203a	Add config vars for nftables_router	2021-03-10 08:28:16 +01:00
Jeltz	8e7701423d	Add internet access to signup network Some checks failed continuous-integration/drone/push Build is failing Details	2021-03-10 06:57:59 +01:00
Jeltz	2a57b43184	Reload sysctl (wireguard_endpoint)	2021-03-10 06:23:21 +01:00
Jeltz	94c49143ac	Use '{{ ansible_managed \| comment }}'	2021-03-10 05:44:10 +01:00
Jeltz	1d4e03d521	Remove nftables config from wireguard_endpoint	2021-03-10 05:43:44 +01:00
Jeltz	bdcd5095ed	Rename 'wireguard-endpoint' to 'wireguard_endpoint'	2021-03-10 05:40:33 +01:00
Jeltz	fed9c9f6cc	Typo 'prerouting' v. 'postrouting' Some checks failed continuous-integration/drone/push Build is failing Details	2021-03-10 04:08:10 +01:00
Jeltz	a9a734f51d	Typo 'udp' v. 'tcp' for SMTP	2021-03-10 03:41:38 +01:00
Jeltz	ba171135b1	Add explicit permissions for nftables config Some checks failed continuous-integration/drone/push Build is failing Details	2021-03-10 03:27:19 +01:00
Jeltz	592d3a630a	Create role for nftables router Some checks failed continuous-integration/drone/push Build is failing Details	2021-03-10 03:17:35 +01:00
Jeltz	22c970d9b4	Add missing ';' in bird config Some checks failed continuous-integration/drone/push Build is failing Details	2021-03-07 23:49:37 +01:00
Jeltz	9954c9e7d5	Configure bird daemons on VPNs Some checks failed continuous-integration/drone/push Build is failing Details	2021-02-24 22:11:50 +01:00
Jeltz	259c2afeab	Create bird role for OSPF.	2021-02-24 22:09:23 +01:00
Jeltz	85c1d905e7	Use different interfaces for GS and EdC tunnels Some checks failed continuous-integration/drone/push Build is failing Details	2021-02-21 10:57:44 +01:00
Jeltz	227c585b88	Configure vpn-ng-backup Some checks failed continuous-integration/drone/push Build is failing Details	2021-02-20 23:41:10 +01:00
Jeltz	63a26b74d0	Notify ifreload handler on wg config change	2021-02-20 23:40:19 +01:00
Jeltz	f1605415fe	Configure endpoints + "point-to-point" network Some checks failed continuous-integration/drone/push Build is failing Details	2021-02-20 21:03:35 +01:00
Jeltz	d1822b3b21	Restore 'no_log' in Wireguard role	2021-02-20 21:03:06 +01:00
Jeltz	5c7360aded	Add support for 'Endpoint' in Wireguard role	2021-02-20 21:02:24 +01:00
Jeltz	0fbcd687d3	Temporarily disable nftables configuration Some checks failed continuous-integration/drone/push Build is failing Details	2021-02-20 17:06:31 +01:00
Jeltz	7d7444183f	Configure Wireguard endpoints for vpn(-ovh)?-ng	2021-02-20 17:05:10 +01:00
Jeltz	40527da466	FIX: Use 'peer' in place of 'item'	2021-02-20 17:03:34 +01:00
Yohaï-Eliel BERREBY	8399078c2f	set up base on vpn-ng{,-backup} Some checks failed continuous-integration/drone/push Build is failing Details	2021-02-20 16:16:47 +01:00
Jeltz	ea87aa7ec1	WIP: Create a role for a Wireguard VPN endpoint Some checks failed continuous-integration/drone/push Build is failing Details	2021-01-31 06:07:05 +01:00
		`@ -1,3 +0,0 @@`
			`{{ ansible_managed \| comment }}`

			`deb https://deb.debian.org/debian/ bullseye main`