aurore/ansible
aurore/ansible
10
2
Fork 0
Code Issues 1 Pull requests 13 Releases Wiki Activity

Compare commits

base: aurore:new-infra
Branches Tags
aurore:new-infra
aurore:connection_aruba
aurore:switch_rest
aurore:zfs-backup
aurore:bird
aurore:dns
aurore:aruba
aurore:radius
aurore:on-en-a-litteralement-rien-a-foutre
aurore:radvd
aurore:keepalived
aurore:ifupdown2
aurore:master
aurore:dhcp
aurore:cleanup_no_ldap_for_servers
aurore:infra_router
aurore:ask_vault_pass
aurore:borgfix
aurore:auditd
aurore:prometheus_apt_pending_and_reboot
aurore:move_host_vars
aurore:prometheus-ipmi-exporter
aurore:fix-portail
aurore:crans
aurore:apt
aurore:remove_old_db_servers
aurore:rspamd
aurore:wireguard-ovh
aurore:pass
aurore:nullmailer
aurore:logs
aurore:mailserver
aurore:re2o-master
aurore:mail_server
..
compare: aurore:crans
Branches Tags
aurore:new-infra
aurore:connection_aruba
aurore:switch_rest
aurore:zfs-backup
aurore:bird
aurore:dns
aurore:aruba
aurore:radius
aurore:on-en-a-litteralement-rien-a-foutre
aurore:radvd
aurore:keepalived
aurore:ifupdown2
aurore:master
aurore:dhcp
aurore:cleanup_no_ldap_for_servers
aurore:infra_router
aurore:ask_vault_pass
aurore:borgfix
aurore:auditd
aurore:prometheus_apt_pending_and_reboot
aurore:move_host_vars
aurore:prometheus-ipmi-exporter
aurore:fix-portail
aurore:crans
aurore:apt
aurore:remove_old_db_servers
aurore:rspamd
aurore:wireguard-ovh
aurore:pass
aurore:nullmailer
aurore:logs
aurore:mailserver
aurore:re2o-master
aurore:mail_server

17 commits
new-infra ... crans

Author SHA1 Message Date
Yohann D'ANELLO
b2b310a8ed
Remove fixme 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-07-19 22:04:53 +02:00
Yohann D'ANELLO
b1449f5b1a
[keepalived] Use KA IP as gateway on VLAN 129 rather than add buggy gateway (may generate self loops but this is more stable) 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-07-19 21:31:01 +02:00
Yohann D'ANELLO
a0b05c51b3
Add static IPv6 link for Crans/Aurore interconnection 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-07-19 21:21:09 +02:00
Yohann D'ANELLO
3559932cef
[bird] Indicate which IP address should be used for local as 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-07-19 21:14:44 +02:00
Yohann D'ANELLO
e030b26475
Enable IP forwarding on routed interfaces 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-07-19 21:07:42 +02:00
Yohann D'ANELLO
4ebb4b6ad3
Update IP for Crans/Aurore interconnection 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-07-19 20:55:37 +02:00
Yohann D'ANELLO
9002b5f089
NAT on ens1 (Zayo), not ens18 (routage) 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-07-04 16:35:54 +02:00
Yohann D'ANELLO
fe454a8422
Again, RELOAD don't restart 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-07-04 14:34:47 +02:00
Yohann D'ANELLO
24cca4516b
Fix Crans interconnction IP 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-07-04 14:22:30 +02:00
Yohann D'ANELLO
a1ed04cab8
RELOAD keepalived, don't restart it 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-07-04 14:20:52 +02:00
Yohann D'ANELLO
6f4c39dbd8
[bird] Use Bird to do BGP with Zayo and Crans 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-07-04 14:20:30 +02:00
Yohann D'ANELLO
9ff166b1b7
[keepalived] Interco Crans 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-07-04 13:46:51 +02:00
Yohann D'ANELLO
8645cc9c26
Add gateway to other routeur-aurore in BACKUP state, but we should do better 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-07-04 13:45:40 +02:00
Yohann D'ANELLO
fc8e8de428
IPv4 routing is now managed by routeur-aurore 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-07-04 13:16:46 +02:00
Yohann D'ANELLO
a6ebdd0d3e
Hello Crans! 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-07-04 12:28:41 +02:00
Yohann D'ANELLO
300fb02f8b
We don't need a gateway under adm for routers 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-07-04 12:16:03 +02:00
Yohann D'ANELLO
55a4dfacfe
Add test playbook if needed 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-07-04 12:07:11 +02:00
439 changed files with 4634 additions and 98541 deletions
Show stats Expand all files Collapse all files

4
.ansible-lint
View file

@ -3,7 +3,9 @@ skip_list:
- load-failure
- document-start
- meta-no-info
- ignore-errors
warn_list:
- experimental # all rules tagged as experimental
exclude_paths:
- group_vars/all/vault.yml

3
.drone.yml
View file

@ -5,7 +5,8 @@ name: check
steps:
- name: ansible and yaml linting
image: quay.io/ansible/toolset:3.5.0
pull: never
image: aurore-ansible-lint-image
commands:
- ansible-lint
...

2
.gitignore vendored
View file

@ -1,4 +1,4 @@
*.retry
tmp
ldap-password.txt
__pycache__/
debug.yml

223
README.md
View file

@ -1,8 +1,9 @@
[![Linter Status](https://drone.auro.re/api/badges/Aurore/ansible/status.svg)](https://drone.auro.re/Aurore/ansible)
# Recettes Ansible d'Aurore
Dépendances requises :
* Ansible 2.9 ou plus récent.
Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore.
Pour les utiliser, vérifiez que vous avez au moins Ansible 2.7.
## Ansible 101
@ -13,9 +14,8 @@ Il contient la définition de chaque machine et le regroupement.
Quand on regroupe avec un `:children` en réalité on groupe des groupes.
Chaque machine est annoncée avec son hostname. Il faut pouvoir SSH sur cette
machine avec ce hostname, car c'est ce qu'Ansible fera (sauf pour les switchs,
voir plus bas).
Chaque machine est annoncée avec son hostname. Il faut pouvoir SSH sur cette machine
avec ce hostname, car c'est ce qu'Ansible fera.
**Playbook** : c'est une politique de déploiement.
Il contient les associations des rôles avec les machines.
@ -36,42 +36,31 @@ déployer un serveur prometheus, déployer une node prometheus…
**Tâche** : un rôle est composé de tâches. Une tâche effectue une et une seule
action. Elle est associée à un module Ansible.
*Exemples de tâche* : installer un paquet avec le module `apt`, ajouter une
ligne dans un fichier avec le module `lineinfile`, copier une template avec le
module `template`
*Exemples de tâche* : installer un paquet avec le module `apt`, ajouter une ligne dans
un fichier avec le module `lineinfile`, copier une template avec le module `template`
Une tâche peut avoir des paramètres supplémentaires pour la réessayer quand
elle plante, récupérer son résultat dans une variable, mettre une boucle
dessus, mettre des conditions…
Une tâche peut avoir des paramètres supplémentaires pour la réessayer quand elle plante,
récupérer son résultat dans une varible, mettre une boucle dessus, mettre des conditions…
N'oubliez pas d'aller lire l'excellente documentation de RedHat sur tous les modules
N'oubliez pas d'aller lire l'excellent documentation de RedHat sur tous les modules
d'Ansible !
### Gestion des groupes de machines
Pour la liste complète, je vous invite à lire le fichier `hosts`.
Exemple :
* pour tester les versions de Debian,
```yaml
[fleming_vm]
dhcp-fleming.adm.auro.re
dns-fleming.adm.auro.re
prometheus-fleming.adm.auro.re
routeur-fleming.adm.auro.re
```YAML
ansible_lsb.codename == 'stretch'
```
[fleming_pve]
pve1.adm.auro.re
* pour tester si c'est un CPU Intel x86_64,
[fleming:children]
fleming_pve
fleming_vm
```
> NB :
>
> L'exemple a été adapté de la configuration d'Aurore pour des raisons
> pédagogiques.
```YAML
ansible_processor[0].find('Intel') != -1
and ansible_architecture == 'x86_64'
```
Pour les fonctions (`proxy-server`, `dhcp-dynamique`…) il a été choisi
de ne pas faire de groupe particulier mais plutôt de sélectionner/enlever
@ -84,46 +73,27 @@ qui peuvent ensuite être utilisés dans des variables.
Pour lister tous les faits qu'Ansible collecte nativement d'un serveur
on peut exécuter le module `setup` manuellement.
```bash
```
ansible proxy.adm.auro.re -m setup --ask-vault-pass
```
Il est notamment possible de :
* tester les versions de Debian,
```YAML
ansible_lsb.codename == 'stretch'
```
* tester si c'est un CPU Intel x86_64,
```YAML
ansible_processor[0].find('Intel') != -1
and ansible_architecture == 'x86_64'
```
## Exécution d'Ansible
### Configurer la connexion au vlan adm
Envoyer son agent SSH peut être dangereux
([source](https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)).
([source](https://heipei.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)).
On va utiliser plutôt `ProxyJump`.
Dans la configuration SSH :
```text
Host *.adm.auro.re *.pve.auro.re
# Accept new host keys
StrictHostKeyChecking accept-new
# Use passerelle to connect to administration VLANs
```
# Use a proxy jump server to log on all Aurore inventory
Host 10.128.0.* *.adm.auro.re
ProxyJump passerelle.auro.re
```
Il faut sa clé SSH configurée sur le serveur que l'on déploie.
Il faut sa clé SSH configurée sur le serveur que l'on déploit.
```bash
ssh-copy-id proxy.adm.auro.re
```
@ -133,7 +103,6 @@ ssh-copy-id proxy.adm.auro.re
Il faut `python3-netaddr` sur sa machine.
Pour tester le playbook `base.yml` :
```bash
ansible-playbook --ask-vault-pass base.yml --check
```
@ -143,7 +112,7 @@ Vous pouvez ensuite enlever `--check` si vous voulez appliquer les changements !
Si vous avez des soucis de fingerprint ECDSA, vous pouvez ignorer une
première fois (dangereux !) : `ANSIBLE_HOST_KEY_CHECKING=0 ansible-playbook...`.
### Ajouter toutes les empreintes de serveur
### Ajouter tous les empruntes de serveur
```bash
#!/bin/bash
@ -152,10 +121,6 @@ for ip in `cat hosts|grep .adm.auro.re`; do
done
```
> Remarque :
>
> L'utilisation d'un certificat permet d'éviter d'avoir à ajouter sa clé ssh
> sur les serveurs.
### Passage à Ansible 2.10 (release: 30 juillet)
@ -167,141 +132,11 @@ ansible-galaxy collection install community.general
ansible-galaxy collection install ansible.posix
```
Si vous n'arrivez pas à entrer votre *become password* (bug dans ansible?), un
Si vous n'arrivez pas à entrer votre _become password_ (bug dans ansible?), un
workaround est le suivant :
`$ export ANSIBLE_BECOME_PASS='<votre mot de passe LDAP>'`
Notez l'espace au début pour ne pas log la commande dans votre historique
shell.
## Configuration des switchs depuis Ansible
Afin d'acquérir de l'indépendance vis-à-vis de re2o, un module permettant de
configurer les switchs depuis Ansible a été créé. Il utilise l'api rest des
switchs afin de récupérer et appliquer la configuration voulue.
### Prérequis
Pour utiliser le module, il faut d'abord annoncer à Ansible qu'il ne faut pas
effectuer de connexion ssh et de ne pas récupérer les faits. Cela se fait à
l'aide des variables `connection: httpapi` et `gather_facts: false` à placer
dans le playbook (pour une configuration locale) ou dans ansible.cfg (pour une
configuration globale). Ensuite, l'infrastructure actuelle de Aurore nécessite
l'utilisation d'un proxy. Pour cela, il suffit d'exécuter la commande :
```bash
ssh -D 3000 switchs-manager.adm.auro.re
```
et d'annoncer l'utilisation du proxy dans la configuration en exportant la
variable d'environnement `HTTP_PROXY=socks5://localhost:3000` et en
configurant la variable du module `use_proxy: true`.
Exemple :
```yaml
environment:
HTTP_PROXY: "socks5://localhost:3000"
tasks:
- name: vlans
switch_config:
username: ****
password: ****
port: 80
host: 192.168.1.42
use_proxy: true
config:
path: vlans/42
data:
name: VLAN42
vlan_id: 42
status: VS_PORT_BASED
type: VT_STATIC
```
Le module est alors utilisable, il ne reste plus qu'à le configurer.
### Écrire la configuration
Le module se veut assez libre. Ainsi, l'ensemble de la requête doit être écrite
dans les `tasks`. Voici un exemple pour configurer un vlan :
```yaml
tasks:
- name: vlans
switch_config:
username: ****
password: ****
port: 80
host: 192.168.1.42
config:
path: vlans/42
data:
name: VLAN42
vlan_id: 42
status: VS_PORT_BASED
type: VT_STATIC
```
Le `path` correspond à l'url de l'objet que l'on souhaite éditer et `data`
correspond aux données qui seront envoyées dans une requête `PUT` (au format
`json`). Cependant, la configuration d'un vlan peut nécessiter de le créer.
Pour remédier à ce problème, il est possible d'utiliser la syntaxe suivante :
```yaml
tasks:
- name: vlans
switch_config:
username: ****
password: ****
port: 80
host: 192.168.1.42
config:
path: vlans
create_method: POST
subpath:
- path: 42
data:
name: VLAN42
vlan_id: 42
status: VS_PORT_BASED
type: VT_STATIC
```
Le variable `create_method` correspond au type de la requête pour effectuer une
action de création de l'objet. Il s'agit généralement de `POST`. Dans le cas
où la variable n'est pas définit, la création sera désactivée et ainsi, si
l'url indiquée dans les `subpath` n'existe pas, alors la configuration échouera.
Par conséquent, si le vlan 42 a besoin d'être créé, une requête `POST` sera
effectué sur l'url `vlans` avec les données dans `data`.
Il est également possible d'éxecuter une action de suppression d'un vlan à l'aide
de la variable `delete` :
```yaml
tasks:
- name: vlans
switch_config:
username: ****
password: ****
port: 80
host: 192.168.1.42
config:
path: vlans/42
delete: true
```
Si la variable `delete` est activée, alors une requête `DELETE` sera envoyée
sur l'url indiquée. Pour vérifier si la suppression est déjà effective avant
l'éxecution, le module vérifiera si un `GET` sur l'url retourne une 404.
> Remarque :
>
> Si les variables `delete` et `data` sont définies (dont `delete` à `true`),
> alors il en résultera une action de suppression malgré tout.
Puisque `subpath` est une liste, il est possible de configurer plusieurs requête
en même temps. Cela à l'avantage d'effectuer toutes les modifications à la suite
(sans avoir à se connecter plusieurs sur l'api).

18
all.yml
View file

@ -1,18 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- import_playbook: playbooks/base.yml
- import_playbook: playbooks/root.yml
- import_playbook: playbooks/ssh.yml
- import_playbook: playbooks/chronyd.yml
- import_playbook: playbooks/kresd.yml
- import_playbook: playbooks/knotd.yml
- import_playbook: playbooks/resolvconf.yml
- import_playbook: playbooks/ifupdown2.yml
- import_playbook: playbooks/systemd_link.yml
- import_playbook: playbooks/keepalived.yml
- import_playbook: playbooks/ip_forward.yml
- import_playbook: playbooks/dhcpd.yml
- import_playbook: playbooks/bird.yml
- import_playbook: playbooks/pve.yml
- import_playbook: playbooks/prometheus.yml
...

36
ansible.cfg
View file

@ -1,22 +1,38 @@
[defaults]
jinja2_native = true
# Ansible configuration
ask_vault_pass = True
roles_path = ./roles
[defaults]
# Do not create .retry files
retry_files_enabled = False
# Use inventory
inventory = ./hosts
stdout_callback = debug
library = ./library
filter_plugins = ./filter_plugins
ansible_managed = Ansible managed
# Custom header in templates
ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S by {uid}
# Do not use cows (with cowsay)
nocows = 1
# Do more parallelism
forks = 15
# Some SSH connection will take time
timeout = 60
remote_user = root
[privilege_escalation]
# Use sudo to get priviledge access
become = True
# Ask for password
become_ask_pass = True
[diff]
# TO know what changed
always = yes
[ssh_connection]
pipelining = True
retries = 3

9
backups.yml Normal file
View file

@ -0,0 +1,9 @@
---
- hosts: perceval.adm.auro.re
roles:
- borgbackup_server
- hosts: all,!unifi,!unifi-*,!wiki.adm.auro.re
roles:
- borgbackup_client
...

17
base.yml Executable file
View file

@ -0,0 +1,17 @@
#!/usr/bin/env ansible-playbook
---
# Put a common configuration on all servers
- hosts: all,!unifi
roles:
- baseconfig
- basesecurity
# Plug LDAP on all servers
- hosts: all,!unifi
roles:
- ldap_client
# Install logrotate
- hosts: all,!unifi,!pve
roles:
- logrotate

7
bdd.yml Normal file
View file

@ -0,0 +1,7 @@
#!/usr/bin/env ansible-playbook
---
# Install and configure bdd servers at Saclay and at OVH
- hosts: bdd,!re2o-bdd.adm.auro.re,!services-bdd-local.adm.auro.re
roles:
- postgresql_server
...

20
copy-keys.sh Executable file
View file

@ -0,0 +1,20 @@
#!/bin/bash
set -e
# Grab valid unique hostnames from the Ansible inventory.
HOSTS=$(grep -ve '^[#\[]' hosts \
| grep -F adm.auro.re \
| sort -u)
# Ask password
read -s -p "Hello adventurer, what is your LDAP password? " passwd
echo
for host in $HOSTS; do
echo "[+] Handling host $host"
# sshpass can be used for non-interactive password authentication.
# place your password in ldap-password.txt.
SSHPASS=${passwd} sshpass -v -e ssh-copy-id -i ~/.ssh/id_rsa "$host"
done

8
deploy_postfix_non_mailhost.yml Normal file
View file

@ -0,0 +1,8 @@
---
# Deploy a correclty configured postfix on non mailhost servers
- hosts: all,!unifi
vars:
local_network: 10.128.0.0/16
relay_host: proxy.adm.auro.re
roles:
- postfix_non_mailhost

7
docker-ansible-lint/Dockerfile Normal file
View file

@ -0,0 +1,7 @@
FROM python:3.9-alpine
LABEL description="Aurore's docker image for ansible-lint"
RUN apk add --no-cache gcc musl-dev python3-dev libffi-dev openssl-dev cargo
RUN pip install --no-cache-dir "yamllint>=1.26.0,<2.0"
RUN pip install --no-cache-dir "ansible-lint>=5.0.0"
RUN pip install --no-cache-dir "ansible>=2.10,<2.11"

18
docker-ansible-lint/README.md Normal file
View file

@ -0,0 +1,18 @@
# Ansible-lint image
In order to build this image when a new version comes out, you need to
1. ssh into the `drone.adm.auro.re` server
2. git pull this repo to the lastest version
3. optionally make the changes if it has not been done yet
4. `sudo docker build -t aurore-ansible-lint-image docker-ansible-lint/`
5. ???
6. enjoy
You can verify that the image was correclty built by running
```
# list the images present
sudo docker image ls
# run your image with an interactive shell
sudo docker run -it --rm aurore-ansible-lint-image /bin/sh
```

16
filter_plugins/enquote.py
View file

@ -1,16 +0,0 @@
class FilterModule:
def filters(self):
return {
"enquote": enquote,
}
def enquote(string, delimiter='"', escape="\\"):
translation = str.maketrans(
{
delimiter: f"{escape}{delimiter}",
escape: f"{escape}{escape}",
}
)
escaped = string.translate(translation)
return f"{delimiter}{escaped}{delimiter}"

9
filter_plugins/format_rev.py
View file

@ -1,9 +0,0 @@
class FilterModule:
def filters(self):
return {
"format_rev": format_rev,
}
def format_rev(text, fmt, *args, **kwargs):
return fmt.format(text, *args, **kwargs)

68
filter_plugins/net_utils.py
View file

@ -1,68 +0,0 @@
import ipaddress
from operator import attrgetter
import dns.name
class FilterModule:
def filters(self):
return {
"add_origin": add_origin,
"add_origin_keys": add_origin_keys,
"ip_filter": ip_filter,
"remove_domain_suffix": remove_domain_suffix,
"ipaddr_sort": ipaddr_sort,
}
def first_addr(addresses, ipv4 = True):
version = ipaddress.IPv4Address if ipv4 else ipaddress.IPv6Address
for addr in addresses:
parsed = ipaddress.ip_address(xx)
if isinstance(parsed, version):
return parsed
raise ValueError("missing address")
def ip_filter(addresses, networks):
if isinstance(addresses, dict):
return {k: ip_filter(v, networks) for k, v in addresses.items()}
ip_networks = [ipaddress.ip_network(n) for n in networks]
ip_addresses = [ipaddress.ip_address(a) for a in addresses]
return [str(a) for a in ip_addresses if any(a in n for n in ip_networks)]
def add_origin(name, origin="."):
return dns.name.from_text(name, dns.name.from_text(origin)).to_text()
def add_origin_keys(dct, origin="."):
return {add_origin(k, origin): v for k, v in dct.items()}
def remove_domain_suffix(name):
parent = dns.name.from_text(name).parent()
return parent.to_text()
def ipaddr_sort(addrs, types, unknown_after=True):
check_types = {
"global": attrgetter("is_global"),
"link-local": attrgetter("is_link_local"),
"loopback": attrgetter("is_loopback"),
"multicast": attrgetter("is_multicast"),
"private": attrgetter("is_private"),
"reserved": attrgetter("is_reserved"),
"site_local": attrgetter("is_site_local"),
"unspecified": attrgetter("is_unspecified"),
}
def addr_weight(addr):
if isinstance(addr, str):
addr = ipaddress.ip_address(addr.split("/")[0])
for index, ty in enumerate(types):
if check_types[ty](ipaddress.ip_address(addr)):
return index
return len(types) if unknown_after else -1
return sorted(addrs, key=addr_weight)

9
filter_plugins/suffix.py
View file

@ -1,9 +0,0 @@
class FilterModule:
def filters(self):
return {
"suffix": suffix,
}
def suffix(value, suffix):
return value + suffix

38
filter_plugins/switch_range.py
View file

@ -1,38 +0,0 @@
#!/usr/bin/python
class FilterModule(object):
def filters(self):
return {
'range2list': self.range2list,
}
def range2list(self, port_range):
"""
Convert a range into list
Exemple:
```
>>> FilterModule.range2list("1-10,42")
[1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 42]
````
"""
port_range = port_range.replace(" ", "").split(",")
ports = []
for r in port_range:
if "-" in r:
try:
a, b = r.split("-")
except:
raise Exception("A range must contain 2 values")
try:
a = int(a)
b = int(b)
except:
raise TypeError("A range must contain integer")
for n in range(a, b+1):
ports.append(n)
else:
try:
ports.append(int(r))
except:
raise TypeError("Value must be integer")
return list(set(ports))

61
flake.lock
View file

@ -1,61 +0,0 @@
{
"nodes": {
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1756770412,
"narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "4524271976b625a4a605beefd893f270620fd751",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1757020766,
"narHash": "sha256-PLoSjHRa2bUbi1x9HoXgTx2AiuzNXs54c8omhadyvp0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fe83bbdde2ccdc2cb9573aa846abe8363f79a97a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1754788789,
"narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"root": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

27
flake.nix
View file

@ -1,27 +0,0 @@
{
description = "Ansible Aurore";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
flake-parts.url = "github:hercules-ci/flake-parts";
};
outputs =
inputs@{
self,
nixpkgs,
flake-parts,
...
}:
flake-parts.lib.mkFlake { inherit inputs; } {
systems = [ "x86_64-linux" ];
perSystem =
{ config, pkgs, ... }:
{
devShells = {
default = pkgs.callPackage ./shell.nix {};
};
};
};
}

4
group_vars/all/bird.yml
View file

@ -1,4 +0,0 @@
---
bird__as:
aurore: 43619
...

5
group_vars/all/chronyd.yml
View file

@ -1,5 +0,0 @@
---
chronyd__pools:
- ntp-1.int.infra.auro.re
- ntp-2.int.infra.auro.re
...

24
group_vars/all/ifupdown2.yml
View file

@ -1,24 +0,0 @@
---
ifupdown2__wireguard_proto: wireguard
ifupdown2__gateways:
adm:
- 2a09:6840:128::254
- 10.128.0.254
int:
- 2a09:6840:206::1
- 10.206.0.1
ext:
- 2a09:6840:211::1
- 10.211.0.1
monit:
- 2a09:6840:204::1
- 10.204.0.1
isp:
- 2a09:6840:210::1
- 10.210.0.1
pub:
- 2a09:6840:215::1
- 45.66.111.204
ovh:
- 92.222.211.254
...

10
group_vars/all/openssh.yml
View file

@ -1,10 +0,0 @@
---
openssh__users_ca_public_key:
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
hBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXW\
F1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg=="
openssh__authorized_principals:
- any
- "{{ inventory_hostname }}"
...

3
group_vars/all/prometheus.yml
View file

@ -1,3 +0,0 @@
---
prometheus_node__text_dir: /var/run/prometheus-node-exporter
...

13
group_vars/all/resolvconf.yml
View file

@ -1,13 +0,0 @@
---
resolvconf__nameservers:
- 2a09:6840:206::1:1
- 2a09:6840:206::1:2
- 10.206.1.1
- 10.206.1.2
resolvconf__domain: auro.re.
resolvconf__search:
- "{{ inventory_hostname | remove_domain_suffix }}"
- auro.re.
...

5
group_vars/all/root.yml
View file

@ -1,5 +0,0 @@
---
root__shell: /bin/bash
root__password: "{{ vault_root_password }}"
...

10
group_vars/all/vars.yml
View file

@ -18,6 +18,16 @@ ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}"
# Databases
postgresql_services_url: 'bdd-ovh.adm.auro.re'
postgresql_synapse_passwd: "{{ vault_postgresql_synapse_passwd }}"
postgresql_codimd_passwd: "{{ vault_postgresql_codimd_passwd }}"
postgresql_etherpad_passwd: "{{ vault_postgresql_etherpad_passwd }}"
postgresql_kanboard_passwd: "{{ vault_postgresql_kanboard_passwd }}"
postgresql_grafana_passwd: "{{ vault_postgresql_grafana_passwd }}"
postgresql_cas_passwd: "{{ vault_postgresql_cas_passwd }}"
postgresql_drone_passwd: "{{ vault_postgresql_drone_passwd }}"
postgresql_wikijs_passwd: "{{ vault_postgresql_wikijs_passwd }}"
postgresql_nextcloud_passwd: "{{ vault_postgresql_nextcloud_passwd }}"
postgresql_gitea_passwd: "{{ vault_postgresql_gitea_passwd }}"
# Scripts will tell users to go there to manage their account
intranet_url: 'https://re2o.auro.re/'

509
group_vars/all/vault.yml
View file

@ -1,297 +1,214 @@
$ANSIBLE_VAULT;1.1;AES256
35353866373931343963333639323431636465303562306166333735383462353032323461613232
3666653438393936356535633661363838613233323932370a656439316234356339613532663237
39373439366432363533303961396466623366323339383735316531653538633264393264353337
3937323861616530640a666361323164353338306336616564663466616630393839613833373933
65613161323164613334656631333336343262363835323962343662333133366561306139636261
61656532666563333063356231636565626631633436623531313938663930396362343031356534
34303565623832366664303561643137626433333164623730623639656439346639616164623865
31613462316439613937313138313830323334373337366630323331393537633437303063353363
66383930353930616137303436383864363439326139643361356231373939306439633332666232
38363061636139346430373263613932336361356262656138663233386464373839366630303765
35343064336533373238396430393536366438653534366565373733313962616364313061626133
37666538313038643865346461626537353930366264643162376530353536623863656236303433
31336561336131383635393238366464653934613130363831306335643935373033303162353534
38353832653664633061646331653634393963333038306635313464636136616366313962333431
39363934643266646131653236303138636163326663373765373761663062656463643162373038
34656163633964626235366539663132396666623363303632363236303831613532393931373761
65613435353162346233323533383537316231363437653239343233636533333966613066343932
30626636306531333736613965396432373130356238313136336434356133353435643065626261
32633732613361376261363831363866333332393132643439626639383438663438366330386534
31303532323461303862346364386532663839323163653366356136666131363839663635343166
38353962326430383561333630623030623536353838633231393763393238316530363939343536
66323562336334376234613436373237303562363831323038366232393161356262653864663037
34363436356332633363363963613635346337613438326436333836386534353738646166643333
65356637366431326132363432663662346638383439383766646531363662356266313961356239
31323236393538363662643662643535623633663738343266636163363835383030646661363966
36366466386666613364313166353366333131343061353135306135656663323461303338346666
32626231613738316233636361633337343635656334336536663865633465326639373966303137
39383731303862353637386438306136303765333136653465663963663930383037343130316466
33343932383033643530323136316632386230366338373362366462666233336530393561353933
36356330386361303562666339306265663539616434336264373832636139313365633065343763
31323633346536366635646562356266373964616338366165376331306561663938396661396164
31363438326439343964666439356339326661666136303461343436303533363630353735633038
38383365363739333034373031326530353962646661343039616230396132323833626162643964
65363165333233643738373638353537343162366265316661353563353862623134663362633261
32343364333236363738333130316538666536306664363661616536336264363438396464666533
37616533363936356335663562366563303564623530303762363034343435326666356162316535
61363133326263653937373037643930343565336166643939663466316232313535333965303737
35313566353963616632313763366561633039626239353236323438383261663066323334333632
62393265396235636461653862383830613634393431396131323439613362366463633239383761
39343361663463633332666666346339363334366330393936373433353034653765323130383335
63336338653333356438323264356162316638336338343033326639303237656663633233383735
34646535633831636238316564373035353635383738356133326664626566623766366535333439
30326437613539373163323464323635316632633930353931303466376661396135623031623133
33653735336230666665616638353561623235343439666135386165313436306666643837616166
37613964663837373137383736393063333037366433643632333963623038623636653639343936
32383532613430623563623565633665663030616530643735653563303035616530313463643431
31663361383835613631336638343338373639613532313561313231353765316237653431663462
65366162326630656566663731316262336536303032386336666263326265316564336339316430
31643066633438663562343730393534663338613165633635356333323635653161346136336261
30313332383065633335396131656136613932346331343632386235643764363235376531376437
61303130316537633830366662366237303934306561333134366463646464386530623631346264
30356536613932613264643835356637356364653038383130366237656232333031313163643332
34393865323162613936613264313864613734373032386266653432616535636464363463633564
37343661623935353365333831623631386439343237383933313337393065653934303065313634
61396163323937643837643636343337343231616265643765313932346462373735323737326663
66316135646663376537613663373432393865623038363239356265303362326161366462356138
65336536626634366363623865656234363335343662333134613835393635623434393036316638
35366431653463626665663861303333363038666131643861646465663761623364333162343761
64396131643136323634643461656339616361323030626166303930623838343438393465653364
66633037616633316534386639306438363863363530376131363332353536656533393161313931
34386636643737353738323265363435636239353261373466383430346461383932323634346466
33666436343130643032626562613165396334323937353663376162643266646539353932313137
62336162646535346631623332376334336538326530356233646239306337633365373562653166
32383639353431666137396631663237313436393434626531316365666335306466363639626663
63643861656537306133343138633535323737346538643063363330383366313362653933383365
34313230663163303730326361303337373136346161353132626362623461343661663964333765
37353165333762346539333730333731366532623531343962333037336464666530396437353666
62313035323234643236343534663434356264643830636433323831313364663762646130306362
32316530643230313230376662383439343639343336633431623135626134353134383030396264
38623933356332336231343434663563653332633237653966663964646232623637313231366638
30363966373362363432376562656436356338356561303133643432303736376234643632663137
34336630356362303132343737376637303939623133363663306133383465613263356632383030
61346138316538353638343833366261366534353963326162303866393430333964653333346539
64386161663435646331613834363336373738396338653263323937623163663236366636343239
36383135343763636139393331663139323431376562353165353662396165653235633464363035
31393233636561366639373566623738636537363235666234633534376238323163363238393237
64316132666530336135353434623866363739643830646463656536336136646334393064303630
65343964613265333934306432313739633134663131666433386630303132663866343532363835
38353237343630653561636365656561313636623065363836333663363934643162656534623864
62373763353961646235613465646630306562386531396364386164633065643763396437316466
32376564616562656136346563383266303963666136663863626137653462373430363363336364
35333133303463363663356365626365613036633835323334653264626637353634373665643036
65663736323235353964326466376163313630323265333631323866663137313665626238396130
64653832626639626633376231326534303530373937396235366239626639356234363238633336
34343064393334613732356332633361613633643039366537623465303739663635626365656631
64343936613536636438313232376564376539623261623539346564303036303131366561643564
61623630393032666636366338336266656264353631393061383162323766616530323734326134
31623962373435323730323830373239363738663164653338623836386636626337623739366566
61663835623038626266653062666264663639363763623139393862633061356164323530666665
31623538333264633735643839376433653934383663333130336133653235313631336163343134
33653533613430323834653730326661323462316338636338393063653866316335626633323137
32653262353964653131343430383661643231383135643332616462343231323266333430373061
62623136393239356166393964323830623239613434636361633365353862646130373865643136
66346336363866393762353633353638663433363332356131626639326166393234313765346138
64613431333139376139343234666664313236633031393938663431376336643133323964303938
64616536613462306363613639613132383361393535333362363630393230636532316634373231
63313839323263663237373937323361373533616465643830396666376661616631646561663130
66376266363338666133313263653733646365653034653538333332623861323833633033393234
39633834343231663166376333633635366261616561643363393137383736303436383339633734
30623939343939373038656461333464353033313632643138393334373565383331326430653263
66343630396135633636366337353061363730333364376664623234333434356661323935626633
63336465343661393636333663306361386432373235313337353361333735373436633832633439
30653766373230383364396638366237643932633364663639643661393438653339393031616338
62396632353063376566333261356662356265373733323631363263396337383631383733393034
65616434356530306661636633363333353138303631626565636637313738353338343334633533
39313232356166623939383864346665626333363132663033326430366565336339306465343337
34613736356534653534363034366431653861613534663261633739366361373134323566376335
31313263313262353162353039623634653534346363323131633362323035633337366536366561
64323432353236383839643662383138373938373834323262386364376162663839366232313433
38643662613065663863636664636162333830353131636238383439323439316363383935623731
62393964636137653935313338343465396633333461643032383730313139396462393936383630
63353166633735623364653264643934666438383739663461373332623631323932333162303630
39353637353437636537613935306539633163613334303833393832616338323061633532303361
63656635333331376561363962386135303963303030396564356534333037623635613963313666
65303664316164613835343930623338326235363933623533343961666664323836316231613465
65373931666331326634316463663134613031363636363434643839386239333164333538393831
65653935623431373238326231343439666635623730393639636131386162373466316164356263
37316539656230316336303265646339303139306262396536633533366261346238393335393765
39376630306639353862323834343830646330643737653631633361326134613666613430323433
64363965653063316432353431386533386661386239636332323139393933653063643865646338
34626433393731343535313766303237313866613166663333616535323661666362613439376166
62626430363661303630346265383863613162356535306165633537383038613131346561306330
61623435626363623762313832313031363665623933656238623131303362326137313266316630
32366664633963626463613562643666383637383831343234666435373564306635343730373665
36643436633066373962303965373663376266323133343233323563393065633162383237323162
38656336306432623330616234373936306163646330313734653864386464646535666331616335
32623163356337326665333731656438393633326638363635353733663861323934333536393338
33656231373166313761643030363437373638366461653038363565623633623035393564643161
38663064356239393034323761386435396437386534633734353938653239323533333531363965
36316636353864626461303936313632663261353437396238363930626239336139323561373133
61366330386135363039303166326231656331653632343261306531653731313465396131643330
35616432613631636264333263363239616435303436653936386165343335356337343032386239
37373230623366653834663031343738643063616661363138316262643635343439333838363632
34353236393730363262303439313132663735336463323432303036366361666338363237313664
39366434303839356163616136336237643061373633343737333036653362643635643536386436
30336636333464626464326332343333656535666431353338336438346335346433313934346231
32326231636262346232636366393361623830316238303537666164626339383061633765333039
30633539666535366539383061396461313437383537656239393131326538636536356536643735
66653336343364346635383761613731666263366465643336636661323263386364653035333062
33616364393664613363383937653530356138316363633335386232336531373835303732383962
65643264656134393663653333346531316365323730383363373564323133333032373330643232
63373239366435643738353130353333646136303530643065383066313035366239326664363830
36626366646264643130326261363536313835356638636139636434333362366363313133316130
61383734636433313433303466323265386132363862643131613666306162396437643166393630
32613464313530316262353938383735336262663939323730626662663235303638303065663939
33636234383033393237303865633961333462663232363562386637333335373565663261363933
31356436613138653765663162646566326134313736316130356336663536643466623331653039
38616465306532666434333534356464666663613263383430336465376133393032623762323237
63343462373834383566393466366332303235323865343730373062343739363265343164623262
38346539343533636435626133306662623865653934666665363063356162326461316561383261
33666362656635323262353066356330616263326134613635336261343438393838326438613435
64343336393034303330323563346233653135633439386465653065633339643032636662313531
38356234326632336161666666353030366238626262353831393532306166363432633939383166
66316136333838653433383439623366333062313833616366656566393965393665613738303833
38326139366330393863623365383963306361613665643962376664636134353533623836643362
39626166353138646666633136363662393565336333393638626534636330313632326333353366
39353133666532306531343137353834353133633165613566323135313362333962303637663965
63383730663562646563333763356135613537666332393537663062653662623938353434323136
39663965616437653232623333363762616233316530303833376332396165616635336532653035
36306331643232336664363733376632323630616139353030343930343166623433616234616539
34393131303363626166383037336262323662393431356463616665343463363432356132313531
37653331336165626435343162663662386662613164336439636465363335386233383065393535
31396466636465336164383563326236356463393831363534656536616664613361346463613837
35366562623432353166303836353261313233663864626665663837336233653237373031393636
64343763386361626232633032316466373161666536313363633765653365656538343130326566
38396534323433343634333139333063633531343631316163346135643037323034633835363963
32343963653263663438666537653963376133633661393562623131636465386266616166366566
36343963623262656162303337366365616263376363366161373236323166353834616262393061
39393239303335623332346236356335393836636533386432653164656334613738393533623764
36363136353034633934323066323335626138353763333537353761303930623930353062373932
30656339663333373431633763366433366266316563393332613334633966633339633230303166
61346264386134623962316532343664386637303738333835343036633038323137323961323837
33376431316465373165663338623538636136343538666235333334373664323463326336336334
32303361393134653338646563643636356361366133633634393731343332313437643731366634
30386466333965356135303732663433316363376438623764653464343564353835626435333230
30646238393266643137373037326136306337306130343739633933626134643364326534386464
65303531623335663766623037663630376366333631363165633762616564396538643866313465
35343265663336303537663962643536653937373839313435383337353036313239653263323061
63653865656461363334646466396135663338383065646464656631636666643030376363633333
30333331636438656238326534656165396233633131306562336263653330396366343964313434
66653862386531306236336339353935653335616638643831393430613533643533626135313835
64313065373564323132663531626436623465663766663566643964353361303336386464386463
38373036613536386436373535323664333231663437643962373339653236393339653064363530
61393835343230356234376630613230326637636534336564383139366663663136306665363363
66373237373530303062333935633634313766316461666439666433616236346434623535343531
30383264303536653236363533383561613636303662663935303761353065336631353735376365
63343162646663623736336638306465666233343031656137393037623035613236373930633131
36366633656131633563336561323835343766356131343038643761663966656364376430366636
36316633633736353436666539303039383231333437653666313435616536626434653833376532
66376130653339643564646139633238643266316633363137313038363061386163613863313733
66633665613537303834393233376463343965343664343564343832376238383064373262336162
61313163303632373261383563363964353731363739306337333161333130656235363631343761
61353265633338336466623830396466646233333039323065333636303035363563373366396334
37366637306430396262376539653134396536643931643563386666623364346635363138373937
61613232386666343033383031363439373335396362643130656235653066376537373062333363
39373737316136303835616639363162363839376635666237353064323433373961326338393263
34343162336336623530653531663136366136353139343561623532633139366533386263316364
36306134356666343230643639303766343466353562643130363063343330393232663161306266
66336435356265396330366566373137323265623431386535396665313335666332616233383664
63656663363366613431366632306230633265306663336439306263646132626631363663643861
30373330653637623733653165336132643965623232383839623535326336643239333133313030
32326634643238333163383562393134623532363561393364616430366532633862396438306433
33653235303639383333633035656533633165653137326130643961393965346266383861616333
37306266393231336666343333643530353230383239343931303838623335303262313130616162
65383962613965646438323065303962663965333231323139303438343631396363666330653330
61323839333863343034356363366433313039383963303063346237366261363861643839396362
31346637303032356463303564303562313639643563396261326538353834363737323235646430
64343230336539663237306235623662333062396238383135616231383837366339376633663938
65313739333065383335323437396232323564363733333437363133613766653334396431333036
38333038656339363132346362333863643261376335666536306231316630303437306231646565
61666334623736373832613366376438323664653531393938353234303030633532653561313665
63613064663564646235373234326661303562646139323330343330343139633462646131353038
62663535393738626432633564663564653663393937656634666137646363643365353930373266
66373162373165653533383862363835346133313234326162393331666566316439633133316633
66393733373333653630363334353833363565336338613361396335326166643630623133303466
31663037663766356531663039386232316138393266333035613364316539353837653763616666
32376431383965633138666536386532663761343537646266643566373132343762383966326233
38373766353962323362366330383564636236363961333535313064313039343933346439396237
66616631633539623537633164363665393239643633663338393765336434653930356662656164
65366533633336313832633166376265376634613635363563643866323730343139306537323863
61373461363237653634666331366436356335306265643639373034666131626238336632346632
34613062346532656530626364343938636162383862653538353563363035346339623839663261
39663438396362383866663336643035653833336466663037313764326434373061626232646333
63336336383366333538613331303863356430373764363930363061383036343836386561663362
63663232373563343461306131333263376437623534346562626536376138393939373064333231
31303464656332383036616661656565313063346231623634356638326239343536316162613335
34663232326438333966313663336465373833646634353934323361343833373661633265313239
62656533656338376562323861396665353166623732623139353431336439386263363235316132
35373933613236616362396363323031633166633837383634313638656430373634383563616463
38353738636631626639636135363561623935646365316161376166653461356430326362623738
64386537373230303239356334313663616336393439623431616639643233353662306265373232
39343066353564316433653361333766363535636533626338386434646531653432313034393134
62653733313636653331356363396531313136346136303661656466333138363366616530306536
66373532626230313739306432363433313736316261383837393737356333326236323261613965
36373064636138373134373530363533613031376362386334393464383062663663313234643432
64363232376137613231313862386561313131376133376466393630383737306666393738613265
66646236646632313832633366333335313239363763326464326361326263346636326332376336
31306230373963636135643235306537623930636164346366623862303838653238373030653035
35653634393532653566323063323761643738616532376262623163393461346334393034643862
62653835363236303732386365626464346131363231336431316233643132383566356531346237
66333933386539396366333565653938396564643464663165323535386262623532666237393630
65336262636630386633626335636231616332353965356335666362313562643738306263376230
63323938633237363431386639613830633765353232313236336233363736363566346237616637
61656234376562323162656432393665393930313736313439316261363264333865356139343233
63636638646332626365383839373765383864346532383236386266656635653333343032313231
65626233313634333533653436626134373632363565653230656161613963323334613262646530
66636331396130613934363939653238343463396639363731393363643830663362373439646337
63396435376637666563333165623338386337613638366339656561366538366635363037366531
32306235666231303762356665613738323336306465613531313964626631313731373963353964
32616632376534316532643531386635386330313866326265393736376538616431323238333562
36373238656361323336383466363563623333306634373164366134376635373262353533653330
38643233363737356564653834316435336439663562343366353866336662356138323566363061
63313336323435343861393164313130346438343862366530363233643266393964316265663535
65323739306536373331326338326132383265343939663336303534633537393637353639636561
64656432313636366434313465626562626638613232653230373530363234306537363665646633
33326163663830353166643662386637323438366334386533303664356631653561323032666265
61333165363636363634353461613039313362373863663739323231663230643635663466323430
37393431333733313134326231313234353930663365646637386639643535316362626232323430
32363631353565323663393235343336663930373439663861613661636433356366633065343935
61356636323039656230353264646166626633316430653162383638336265653865373536643036
35653166333765366231636163666638383262613432646334663430323565333538626665343763
32646663356565646362646261343436383039623635666439643762616463656361386631313637
61616164383734353634306633636338623837356230626263653161616664613266356432653335
30646434346436383565343138623264386630333832386134666463313936383364333364383232
39393066333666653734616463343530643537613437623766313237353033623662336137356534
35303635623232333230363362353137656235373539316163653863326666383237303235316164
34623138346261366238303037653764366537333561623135656236663435316565303931353939
34663932303239393836363663343735313632333639633733323564343039346436343935373430
66313863643361306161373634373738383462313831643161333230646435313261383534396464
39663466643864666433366531323866333935373833663661323833623734646265393035613966
62393165653135643737343333346232356638646437326664396466333063666135653338623266
34663133636164386164636434666231643163343930353863306538333337643762616661366366
63646336613433623862356365633563633235396337356535376335636633636563333738383061
33326136393530353964666639633638643433653736376637386638336561643061323635373565
65393836613638313165313262376166643561623131363836363531616232663333333063393039
35643938626132383439393761623165303730396365323665613663643961663466393937333731
30643662663034616631343336343236613437376362366234343436376563303466633030323465
64626536333465626430333336353038336539313531303933633466333633336364363961353861
31636135303332343733313637326461643264636236313331643438613365393733383764653432
65346533616130396233613863633331613638316462366364346465353234373531393137336165
36666336333036396262663661343962663763316531393765346536646236613331626139383230
32623665353463326633646466376232343333666465616633333033663031643262663732323230
36363439613934643037393562333237636262306330356638666235333361376136623462313736
33373163336134316563353031616339336234623738373230323335623130376265386130333235
64616261633232316131633062623163333135323737376462383539663137366539656261396238
31363232356361376264373863663362346535346136313834623761333037343435326339633735
33656465376264326334356365346437343062343631663430346561656531653662646530316133
64396563376263306533306565623163316238326264306330393465333737303062363030343662
65333633643635643737323231343664613735336230393835346132613331366266336434623937
65616366633734373434333837326465613862633930626435623165633964313732373936346434
30643161633238343435623538316134616161313461616538653161383032313038666638376432
64646564626231656664306235633031356564373432626561386135653136313062383861323130
34393331316439613363636631666262343334393739303631633936623964343938373334623230
39343031663565333431333731363966623730666335346164623662373265643732306662393663
39336137326533643533623865313934336464633634613436616438373531636562313762383666
37386365333361626362
65616665376265626636393064366339323264623332323337356438303634646361303530626536
3134646236376339666130646239626333613866383766340a366465373839396639623862636436
34336636326332313432373162356565383034636366613135353037393138363466626235353261
3634306231333966350a323133396531626565633433313761343433303964316163643365626466
33376632643937663566386232383161303231326638356338383536626531313462636335363166
35353138393964663063613331386138363030356661633530313533336138336362306437626431
34613435383966333538363734613730386634393532653334393766613262666434303666386537
33643832653236313136663761613762656334356466623431383533333563646135336332653331
39376164363533383930343237366638323534313232613561643936336330353538393136363534
37353536623939386131616638623531326531316233656166383133316564393731623366353833
31613665303532303435363765373434653933386530356433653061623232306239316534653432
39663938616637363238623866303439326666303438613066633866343830303762633233383333
65343332616430613839636337396238666466666430383031663939323239383964346638356538
65306463303330373534316438313932373864626637643935636165333835373662623737613734
36373161386163383831623065323763356637313364303539343763653065383139623934353638
34373861616336363861363761373665393465623566393063346331333861326337316363373163
31633532373966656565303866653335356364633063313665386335663863363163303431656165
61383231666665346162303635393838323462613261663231356531393734313063663231616632
30343562366433363261393037313062343036663139353431663330383263316662313330636534
33666463393664636538376365663236613536633663303738373034303136383939343039316463
38363731333435333262383064336138303062303836303735383836626430623738666635383637
36383031646561666632666339616632366138383534393030636331323037643564306363303864
33616664326330656136336538363539623039376565383166373032386230383639326564343961
39623465366233383663383433313862306366643432623130363037643033366531376163386165
64353930386233373561356530316361623665643531333632376266633963303262346532386633
34363938363765313366636134636364616634393061333264386262386261383236386532393966
62636332633165383730313365366631303032336339346138633231656165646465643039666362
39613534303532616433646433616261653739663366383566303862386666383363633736306265
65366434626634303033616463316433393730373034666463663333376633656630386665313934
36626337383236373533623830326134303931653434613837353961366130623665623336303139
63616265366638393064666166343331306530313438636436306264636235643762623564653762
65393435363564366266313161393631383836396464643635643361363034306134626535353962
63393530313438383731303666343637303666616239643334626338393864613635363330653062
31633030396362666237376232306238373065616238373934313930313234353433343934363432
35633636656632643964613431333435656532653038373532343036396136636231306436326639
36376163656634303236396133316664613164346661346565646165303664343735303233636164
38393361343561396336333133326539346561373038613265666364316630363339336565363265
64623063346232346334373836346231353336383931393663373365623838363036643232646330
37303139663166653634336363626637653666363965383632313261326530323236303961343130
39663165303836346339396536313137636462373765313135303039386339393536303263636236
31333534323735373638666364643365396435636533393932643432386630663135633839643965
34346330613132383533393361626333636132616130343266663835616534616562646366366336
38303337373331303638643639373535633331626461613862333562653165306663383237383232
63303331656338656137613162323138333661613834323863633265353737633666336263636665
34393064376330306562343930376337626165373562336630633938316566343434633734613561
39363531383233666437373562663136303834373838383632356436643638306633346434316362
63343866353465396630383562306230313737353863363935346630396134393534353531336535
65366634316230323264366662376133303565626638386635616536303839363737663538353338
32663834636363643034316165303164386430346663303635323634373465326537653132366230
38376361663233646266663330363236666533663861303365303833386465653864656331616162
66323532643737643539643562653335393338643465373838656464326133393466373733343666
39613331376538653934333061376664323230636663336232333361623136393836326262336430
35663930336364376230356537326131323666343330373030303765653763323863646631666136
39623936613762393332303763633966303966396536643236366534316539386136633230653433
65326634323062313730376338343965386338306135393033333161313839333963326134653966
66363365353537323034646537633331336134363239393465363164663263313731666335613032
61643935623064626464346430353033313961326164316637316664363830633137383335316538
31646133623461386434343663313365376230613237326638393464366166633635646462373939
31313165616363373730393733386430633065373433643935643931363965393465323264626164
65333431653566646134646132626136323035323362313163303463393962306631363631383762
63333063633934646332303966666461663566626564643365643232323732646530303834616639
63616262316563636636613764663563323063636331643063373364373337373664333763363464
31346663633866653162323934613532333934626430643138613631653164343063323661383163
36633431376463633334306663346462373166613531663064323238323434346439333936313539
33663036663234383934626661383530666566323336363734336265346235306135336136373864
38313937663965313334653139366430316632313737303639636135666235346633303861626430
34373938633331666535336438313363626636363063333265316166333562616330306563386335
65366366303937376438313032643037656465393263393434623462336430393031373433383532
66306566656437323530323434353835303838303438613662356134343136386630643338333264
30643039666535323736303930336239643730653233393538633235303938623161343437616136
34613337383363656536373737396261396261653264373362313161336435623466366436623736
61313036383063656537613664633437336361396665633764313062396265323766346363656666
33656130316566633563353631323438343532393563633830343131653063353331323961343636
38303239623566383337356262313538316437323731326166366139623665356132313563663734
34353065316164653638313439303466316338373565323435343937653632313566656438333730
62373366333335643366356438613838373963363436393035623132626233373830666238323464
33356562636261376665303262633665323830316137306239626432323330393863613938313539
33613438373733633661633266353866373834346436383466636138393736373638623136383639
38653439373230353265386166663562633738306232623132636333396135343461646136303162
36343636306333376564383764356433653362356434306566376565653736643035336433303331
38626430623633313336653261633834323430323137313533333166393966633662613561643863
65653237636436373739633862313132623831623461643063626361613231343537383032346132
61383666383134373061643061656164366364656231343434616366356237303766343166613964
36376461366663373132326263616263316663323039626239643361363362306334633636343064
66336533626562323832633133653366323137616431363566653561363233626239616262346165
30396466343639383665383762383765396638323761653065356339343965373032306136656563
31353033343532366339303331366235373838356461353564623430333561356635336163396466
38303438616436383763386538663039393862636333326630623862353732343961646162653933
35633235303530353065343434333164306530363839663366316235333563663965623934383634
32616565313232373964366163323739353261643432363037666639663664303861383033333462
62333633626263393637306365353565306636386238613365643537353861396638643065616236
63303130313363326333663936393765623930636331663837313835333862386263303238386262
35646634663163626438356536346239666461306462326465613339653337326436356638323666
38323134396238356532623430303233303636343839646436363066383136366436336536313766
33373036386465623737316435643430616434336165343832386539666432613365326664663237
61333166343438313131643635663234626638623139363034616263643463356632353932383938
61383065343231633438313536633039633266323563336531663365326137666535623230336134
34646661306330653631383364343566386531313137643233376265313461396538373132396366
66313534386133346161373130386465383139623831653566326434646461306139633433656630
64623164376361643062396139356464373131653036336361623738633263326234323066613661
31306163313038333861656561356661383436363534366665376362346661616464633065303234
61616237313434363761636261313630356639346434636465363763373235636462666338343265
34336533376366393339306539633238326663656266373965623962623665626238366333393734
35646636666535396638373134376362396134353035633566336461326630323833383734356161
62303738343662633735663965336435316630653061373736643035653337363635623863626533
31306138313839616131363333326439323863646236613133333163366162353063366561656631
61623237633361313631633463666335643935616237656134383830393335346632393066666632
66326331653430633165333037316637303138353133313264643739626566353137383265366264
38353533613863353431656665363339633265303463613565636565393836616230643932333762
30353437343761613236613431626536666538336234633166623961363031393235333763626337
65623836323538653730393533383532626133393834376339303630626533613339623666353839
38613833623830306566333035336334383733626166363239356661353965353462393161626136
37336365663863393963653031303337396666653262646635386337386230383562616564653966
34393831383639303562333464653736363330326462623266383038326561323264363563623065
30366435323961613463653636666238383632353661326439346430356134643866396531623039
66663830353732663863393762626161383263663535333032393632633066363836363939316262
30373766363637316535306538663235656137363038623936366465376636393535326437666334
30343437326362613761376262383265313264383464383838386638653065313864353235373331
62646366333137643931316339373761663731633766363864633461323266663236613231656633
31653132343031313535656538663761386266333062646439383633336531373764366166646165
64343439386336323064616634363532353166353531633332663862653666666436666564356236
62336332386437626137386566333934393636313933386466366361633232383135383066396263
38343432323865353563363631646535633438336333316134343862336666313063643036343030
62323732353837363639376564336665343265663861303938316564646533346337306338623834
62353835356465303561346337366136396664383961663237653538643462666263346638303363
32663564646333343532613861336132396530363435626361643631666464383364613336383235
64376465636238633765643234383665663637643565626663393066316538313563393730396430
36373037396264613731353337393261346534343263393862376464393565353739393431313031
61353538366439383234316530326338633635393035376335616565356630633964636639386639
63356666653532666435663564393332303234363465636335316365326365633837663930616233
61343933653232666138613866666430376439396336353535663361373564366262646663653064
31353765386537656235613131323763323930363162646236333632663034356237363231313762
39323531333264633863363163333735303636333866653763373362626265396265356564303533
31353838333337393732633961353561633430616637396235626261316433366339356239633737
64333636333566366237303231376337613539643464663839303438313532323538643738353866
38626438303033346531323836336534633732366631376665663139323037643161326561363635
34633237623537383466316433336636633962623161383338656339613139346138366132356365
38363635666234616532316333366236396639353130646234626533666133363661393038353666
38343530306239336234336463646332356462356565376463383930656561336239656465303231
61323862333032343137636434643335383163366236373161653366323139646235306564366637
31313335653732633434616436636532343037383861393931323734383964346437323933653737
39653633663064313933346231663931343163336166663662333239376634386135666230393563
34333163653935326532386662613537373161366331633737653539333161386461313638643034
62323433613164383731653534383662316364333538613433623731376234306538663766363965
64376432396361636637343539393330323835353562393031616137393363333662346332616464
32643939663266343038356539656464393665616637383030666630333834613830373837353738
63623130653465386135636635643637366231383765623761356563323061343337306538633031
66326334303539623763636362333534643431383962383539613964613531353135663463373266
37326632353861383964653430656362613930353138316566636531323733396231333361663431
66356561366634323832386437336130363535343132333436633761613731636561333039303965
33336532373764303334636461646464633866656237656466613361613131613764366339336233
38373030366130613230636365303233393631383538316230366434326137336532333261383236
64306566343964643139646438633066373261363836386361316138326362373361316536313839
39663633343330663732376230633638626533313963306266363030306431373862633833383532
36623537323532373934613962613761376463363337393666316434383463393962616366643436
34326566383666663266396165613534633464656130313535383963353238623238393837353133
66396661626432313038306362393136616166653962363736363133303835376264616561343736
38383531623733326366333661393262613335653238343235353165613339393535316236353563
35663037363935386634623064636333666135313361303837383630643665613863373931626333
36316138343462636538616466383461353639613264653831323133333262626633353766643730
63343030346536616539643832303238393539383362316137386437356630313438623436636465
35363436306634393764386362616330373732623763373064306562326337303732333733346563
63356231343165653132303338343439356666646162626639646232623064656664336133666233
36366366363264663033333731616632383438306435663631613439646466663434343931663764
36623437666232323336366363333333373430303639393761636463333135626263333066656538
35336431623265663239633963353162366534653864653530623935333137653761336234616133
61643231663033393535383063373236363538623964303435623337383031653734626461623731
62306565303739313166333663363935313362356362303066323635626638393961623138613864
33626639323030306461326232323533303131633630316437333936653839626362613162336339
39373339626238303238306363356166646532623963306438626264633961643765353434326430
65323535306566343537663632393866616239613732643032356536303764636564306630383633
66356435616237376538653539366636636533343866623764316462346634313032333636336166
33653231336563363336303936336430343137653966393530393532323563393532353434393231
38363662613161626132383266323635613165363433623630653663396562366262376634326561
66643938306331663931386535613833613761313639363038616139343966656662646432663666
63393931373738373536323631353361303366343330306565393230396332373932303866333034
35396166633165396537373638333730303730613939386663653032626439363466623231303833
63656338656435383531613734643165613536353632393535646132303034663731396631303237
64376438373538373362353766303963396639333732373266343766363534623063313138616139
39313861616164613031643934313466633431316230656566306666303932343039383737313565
66356432336663636631666138636538323238303462376330663134616365323536386234666136
63343032383465616437303437303063626335363333656166393435343834646634313435653334
31366465386238393133366364376565656639656230343161613463393931373537383564353866
31313464663531353165646665356231646634383936643539323866376631666635306334616261
39383439366664386563386133356239333133306162316466343334356631616434623363643535
38663530623063373965666530386632323034623139303839323761376638313362316430373536
62363265366537656237633663663266653631653561303965616635363438613061306362336430
35303461633864353735613330643966396230623434323132383135623331353361633134663931
33333435306635313161613930656239346461623931356430306364383937353433626435633832
64613437313464323861356338643733386432656233663333343437353935353236346561366330
32396465333833343732653136616636663736623434363765336161383433356333313135313161
33373764393265376661613465626638353636653931323162363031666262653062626166363930
39613931356338393862356537343332633635366134343037633765616634316362386335663036
32666465323538356634346662383238326663333339623430376362306534363630613337626266
39326361383435623939663163373835626439643433393839383730666166666266356361633731
33336265613531303735613239316362633538386632343836613230326164366165616265313066
35333361303734343231633930346230343432336665383337343431303031383962383366343433
63363364333063313632663765633831323863626636643862323865356461366361343563383363
33363138646366333136326435376537356338633862623531393938373935353466376266333664
31633039336362363237376266346561313064393537613832663130653761636633313562316639
36633432613931663263343861396632356136366636336163343333323661666663346365626564
32613734313663656164333537653666313033643262336239623961313638306634343666303938
62636236353161336134323430336263643038623663353965656236623465326661633766363765
35653261663335313065383266383833393431333631653363363030363939323862653262316637
62343263623037643435656165623466326365363532353434643665336632383765313937666535
37663463303034363531386465383663393534393435633764646138313962373735393334326137
61653933316435363130333335323066386532626234626534396435383061333961363739333033
61656364313963303132623837666463633066653165316633373166373161343539393132316665
37646631643265333665643262666265653339616530336361333333633939373839323264613761
62643363356431306330313761623933623333383066333364663439646536333232386232623238
62356533636632396330353430653935613965383938643638353632643865323832623737646635
32636464343734653765396236653538343463373662653733326362363330643038663766383861
34316338343064393862353364613037393231343366633364393535343965623431

69
group_vars/dhcp/dhcpd.yml
View file

@ -1,69 +0,0 @@
---
dhcpd__omapi_key:
algorithm: hmac-sha512
secret: 99XuJO0ofX3VAnWWlyixWbQ5YTagPfgxyh14IbLNBb3/JzEklkWopvQdj/PXVYbfb/sRyFJBhLexPag4dLh7PA==
dhcpd__interfaces:
- client0
- client1
- client2
- client3
- client4
dhcpd__dns_servers:
- 10.128.10.3
- 10.128.10.103
dhcpd__domain_search:
- isp.auro.re.
- auro.re.
dhcpd__subnets:
- network: 100.64.0.0/27
routers:
- 100.64.0.1
start: 100.64.0.4
end: 100.64.0.30
domain_name: client0.isp.auro.re
failover: true
- network: 100.64.0.32/27
routers:
- 100.64.0.31
start: 100.64.0.33
end: 100.64.0.63
domain_name: client1.isp.auro.re
failover: true
- network: 100.64.0.64/27
routers:
- 100.64.0.65
start: 100.64.0.67
end: 100.64.0.95
domain_name: client2.isp.auro.re
failover: true
- network: 100.64.0.96/27
routers:
- 100.64.0.97
start: 100.64.0.99
end: 100.64.0.127
domain_name: client3.isp.auro.re
failover: true
- network: 100.64.0.128/27
routers:
- 100.64.0.129
start: 100.64.0.131
end: 100.64.0.159
domain_name: client4.isp.auro.re
dhcpd__failover:
dhcp-1.isp.infra.auro.re: 10.210.1.1
dhcp-2.isp.infra.auro.re: 10.210.1.2
dhcpd__failover_address: "{{ dhcpd__failover[inventory_hostname] }}"
dhcpd__failover_peer_address: "{{ dhcpd__failover
| dict2items
| selectattr('key', '!=',
inventory_hostname)
| map(attribute='value')
| first }}"
...

24
group_vars/dns/kresd.yml
View file

@ -1,24 +0,0 @@
---
kresd__listen:
- address: 0.0.0.0
port: 53
kind: dns
- address: "::"
port: 53
kind: dns
- address: 0.0.0.0
port: 853
kind: tls
- address: "::"
port: 853
kind: tls
- address: 0.0.0.0
port: 8453
kind: webmgmt
- address: "::"
port: 8453
kind: webmgmt
tls: false
kresd__cache_size: 512
...

21
group_vars/edge/keepalived.yml
View file

@ -1,21 +0,0 @@
---
keepalived__virtual_router_id: 81
keepalived__interface: back0
keepalived__virtual_addresses:
crans0:
- 185.230.79.254/29
- 2a0c:700:28::2/64
- fe80::1/10
zayo0:
- 2001:1b48:2:103::d7:2/126
- 83.167.52.69/31
- fe80::1/10
oti0:
- 2a00:a4c0:100c:1::b/127
- 77.95.70.11/31
- fe80::1/10
keepalived__main: "{{ inventory_hostname_short == 'edge-1' }}"
...

86
group_vars/infra/bird.yml
View file

@ -1,86 +0,0 @@
---
bird__kernel:
kernel:
learn: true
import: accept
export: accept
bird__ospf:
limits:
import: 4000
export: 4000
import: accept
export:
protos: kernel
areas:
0:
broadcast:
- back0
stub:
- monit0
- wifi0
- int0
- sw0
- bmc0
- pve0
- isp0
- ext0
- pub0
- th30
- ups0
1:
broadcast:
- vpn0
bird__bgp:
edge1:
local:
address: "{{ bird__bgp_addr.back }}"
as: "{{ bird__as.aurore }}"
neighbor:
address:
- 2a09:6840:203::1:1
- 10.203.1.1
as: "{{ bird__as.aurore }}"
import:
- pref_src: "{{ bird__pref_src_addr }}"
- accept
export: reject
edge2:
local:
address: "{{ bird__bgp_addr.back }}"
as: "{{ bird__as.aurore }}"
neighbor:
address:
- 2a09:6840:203::1:2
- 10.203.1.2
as: "{{ bird__as.aurore }}"
import:
- pref_src: "{{ bird__pref_src_addr }}"
- accept
export: reject
#wg1:
#local:
#address: "{{ bird__bgp_addr.vpn }}"
#as: "{{ bird__as.aurore }}"
#neighbor:
#address:
# - 2a09:6840:213::1:3
# - 10.213.1.3
#as: "{{ bird__as.aurore }}"
#rr_cluster_client: 10.203.1.1
#import: reject
#export: accept
#wg2:
#local:
#address: "{{ bird__bgp_addr.vpn }}"
#as: "{{ bird__as.aurore }}"
#neighbor:
#address:
# - 2a09:6840:213::1:4
# - 10.203.1.4
#as: "{{ bird__as.aurore }}"
#rr_cluster_client: 10.203.1.1
#import: reject
#export: accept
...

457
group_vars/infra/firewall.yml
View file

@ -1,457 +0,0 @@
---
firewall__zones:
adm-legacy:
addrs:
- 2a09:6840:128::/64
- 10.128.0.0/16
ups:
addrs:
- 2a09:6840:201::/64
- 10.201.0.0/16
back:
addrs:
- 2a09:6840:203::/64
- 10.203.0.0/16
monit:
addrs:
- 2a09:6840:204::/64
- 10.204.0.0/16
wifi:
addrs:
- 2a09:6840:205::/64
- 10.205.0.0/16
int:
addrs:
- 2a09:6840:206::/64
- 10.206.0.0/16
sw:
addrs:
- 2a09:6840:207::/64
- 10.207.0.0/16
bmc:
addrs:
- 2a09:6840:208::/64
- 10.208.0.0/16
pve:
addrs:
- 2a09:6840:209::/64
- 10.209.0.0/16
isp:
addrs:
- 2a09:6840:210::/64
- 10.210.0.0/16
ext:
addrs:
- 2a09:6840:211::/64
- 10.211.0.0/16
pub:
addrs:
- 2a09:6840:215::/64
- 45.66.111.192/27
vpn-clients:
addrs:
- 2a09:6840:212::/64
- 10.212.0.0/16
vpn:
addrs:
- 2a09:6840:213::/64
- 10.213.0.0/16
infra:
zones:
- adm-legacy
- ups
- back
- monit
- wifi
- int
- sw
- bmc
- pve
- isp
- ext
- pub
- vpn
internet:
negate: true
addrs:
- 2a09:6840::/32
- 2a09:6841::/32
- 2a09:6842::/32
- 45.66.108.0/22
- 10.0.0.0/8
- 100.64.0.0/10
prometheus.int:
addrs:
- 2a09:6840:204::1:1
- 10.204.1.1
- 2a09:6840:204::1:2
- 10.204.1.2
grafana.adm:
addrs:
- 2a09:6840:128::98
- 10.128.0.98
re2o-ldap.adm:
addrs:
- 2a09:6840:128::21
- 10.128.0.21
ldap-replica-edc.adm:
addrs:
- 2a09:6840:128::4:249
- 10.128.4.249
nextcloud.adm:
addrs:
- 2a09:6840:128::58
- 10.128.0.58
dns.int:
addrs:
- 2a09:6840:206::1:1
- 10.206.1.1
- 2a09:6840:206::1:2
- 10.206.1.2
ntp.int:
addrs:
- 2a09:6840:206::1:5
- 10.206.1.5
- 2a09:6840:206::1:6
- 10.206.1.6
docker-ovh.adm:
addrs:
- 2a09:6840:128::150
- 10.128.0.150
mx.test:
addrs:
- 2a09:6840:211::1:5
- 45.66.111.208
- 10.128.1.5
proxy.pub:
addrs:
- 2a09:6840:215::1:1
- 45.66.111.206
collabora.ext:
addrs:
- 2a09:6840:211::1:1
- 10.211.1.1
grafana.ext:
addrs:
- 2a09:6840:211::1:7
- 10.211.1.7
ns-1.pub:
addrs:
- 2a09:6840:215::1:2
- 45.66.111.205
ns-2.pub:
addrs:
- 2a09:6840:215::1:3
- 45.66.111.207
ns-master.int:
addrs:
- 2a09:6840:206::1:7
- 10.206.1.7
tor.pub:
addrs:
- 45.66.111.215
- 2a09:6840:215::1:215
jitsi.pub:
addrs:
- 45.66.111.216
- 2a09:6840:215::1:216
log-1.int:
addrs:
- 10.206.1.9
- 2a09:6840:206::1:9
log-2.int:
addrs:
- 10.206.1.10
- 2a09:6840:206::1:10
firewall__input:
- iif:
- back0 # FIXME link-local
- vpn0
verdict: accept
- src:
- back
- vpn
verdict: accept
- src: monit
protocols:
tcp:
dport:
- 9100
- 9700
verdict: accept
- src: monit
protocols:
tcp:
dport: 9324
verdict: accept
- protocols:
icmp: true
verdict: accept
- protocols:
tcp:
dport: 22
verdict: accept
- verdict: drop
firewall__output:
- verdict: accept
firewall__forward:
- src: back
dst: infra
verdict: accept
- src: infra # FIXME: temporary
dst: internet
verdict: accept
- src: monit
dst: bmc
protocols:
icmp: true
verdict: accept
- dst: mx.test
protocols:
icmp: true
verdict: accept
- dst: mx.test
protocols:
tcp:
dport:
- 25
- 465
- 993
verdict: accept
# NS
- dst:
- ns-1.pub
- ns-2.pub
protocols:
tcp:
dport: 53
verdict: accept
- dst:
- ns-1.pub
- ns-2.pub
protocols:
udp:
dport: 53
verdict: accept
- src:
- ns-1.pub
- ns-2.pub
dst: ns-master.int
protocols:
udp:
dport: 53
verdict: accept
- src:
- ns-1.pub
- ns-2.pub
dst: ns-master.int
protocols:
tcp:
dport: 53
verdict: accept
# SNMP
- src: monit
dst:
- sw
- ups
- bmc
protocols:
udp:
dport: 161
verdict: accept
- src: monit
dst:
- sw
- ups
- bmc
protocols:
tcp:
dport: 161
verdict: accept
# Alertmanager
- src: monit
dst: docker-ovh.adm
protocols:
tcp:
dport: 9093
verdict: accept
- src: adm-legacy
dst: bmc
verdict: accept
# Prometheus for Grafana
- src: grafana.adm
dst: prometheus.int
protocols:
tcp:
dport: 9090
verdict: accept
# Prometheus for Grafana nixos
- src: grafana.ext
dst: prometheus.int
protocols:
tcp:
dport: 9090
verdict: accept
- src: grafana.ext
dst: re2o-ldap.adm
protocols:
tcp:
dport: 389
verdict: accept
- src: grafana.ext
dst: ldap-replica-edc.adm
protocols:
tcp:
dport: 389
verdict: accept
# Admin VPN clients
- src: vpn-clients
dst: infra
verdict: accept
# Prometheus node
- src: monit
dst: infra
protocols:
tcp:
dport:
- 9100
- 9700
verdict: accept
# Prometheus bird
- src: monit
dst: back
protocols:
tcp:
dport: 9324
verdict: accept
# Prometheus kresd
- src: monit
dst: dns.int
protocols:
tcp:
dport: 8453
verdict: accept
# Allow DNS from infra to dns-{1,2}
- src: infra
dst: dns.int
protocols:
udp:
dport: 53
verdict: accept
- src: infra
dst: dns.int
protocols:
tcp:
dport: 53
verdict: accept
# Allow NTP from infra to ntp-{1,2}
- src:
- infra
- pub
dst: ntp.int
protocols:
udp:
dport: 123
verdict: accept
# Admin Wireguard
- dst:
- 2a09:6840:211::1:1
- 45.66.111.204
- 10.211.1.1
protocols:
udp:
dport: 5121
verdict: accept
# Proxy web
- dst:
- jitsi.pub
- proxy.pub
protocols:
tcp:
dport:
- 80
- 443
verdict: accept
- src: proxy.pub
dst: grafana.adm
protocols:
tcp:
dport: 3000
verdict: accept
- src: proxy.pub
dst: grafana.ext
protocols:
tcp:
dport: 80
verdict: accept
- src: proxy.pub
dst: nextcloud.adm
protocols:
tcp:
dport: 8080
- src: proxy.pub
dst: adm-legacy
protocols:
tcp:
dport:
- 80
- 443
verdict: accept
# ICMP to public vlan
- dst: pub
protocols:
icmp: true
verdict: accept
# Proxy -> Collabora
- src: proxy.pub
dst: collabora.ext
protocols:
tcp:
dport: 9980
verdict: accept
# Collabora -> Proxy
- src: collabora.ext
dst: proxy.pub
protocols:
tcp:
dport:
- 80
- 443
verdict: accept
# Tor: SSH
- dst: tor.pub
protocols:
tcp:
dport:
- 22
- 4444
verdict: accept
# Jitsi UDP
- dst: jitsi.pub
protocols:
udp:
dport:
- 3478
- 10000
# Jitsi TCP
- dst: jitsi.pub
protocols:
tcp:
dport:
- 5349
firewall__nat:
- src: 10.0.0.0/8
dst: internet
protocols: null
snat:
addr: 45.66.111.200/30
#- src: monit
# dst: adm-legacy
# protocols: null
# snat:
# addr: 10.203.1.3/32
...

59
group_vars/infra/keepalived.yml
View file

@ -1,59 +0,0 @@
---
keepalived__virtual_router_id: 82
keepalived__interface: back0
keepalived__virtual_addresses:
ups0:
- 10.201.0.1/16
- 2a09:6840:201::1/64
- fe80::1/10
monit0:
- 10.204.0.1/16
- 2a09:6840:204::1/64
- fe80::1/10
wifi0:
- 10.205.0.1/16
- 2a09:6840:205::1/64
- fe80::1/10
int0:
- 10.206.0.1/16
- 2a09:6840:206::1/64
- fe80::1/10
sw0:
- 10.207.0.1/16
- 2a09:6840:207::1/64
- fe80::1/10
bmc0:
- 10.208.0.1/16
- 2a09:6840:208::1/64
- fe80::1/10
pve0:
- 10.209.0.1/16
- 2a09:6840:209::1/64
- fe80::1/10
isp0:
- 10.210.0.1/16
- 2a09:6840:210::1/64
- fe80::1/10
ext0:
- 10.211.0.1/16
- 2a09:6840:211::1/64
- fe80::1/10
th30:
- 10.126.0.6/24
- fe80::1/10
pub0:
- 2a09:6840:215::1/64
- 45.66.111.204/27
- fe80::1/10
#keepalived__virtual_routes:
# ext0:
# - 45.66.111.204/30
keepalived__virtual_blackholes:
- 45.66.111.200/30 # NAT
keepalived__main: "{{ inventory_hostname_short == 'infra-1' }}"
...

53
group_vars/isp/bird.yml
View file

@ -1,53 +0,0 @@
---
bird__kernel:
kernel:
learn: true
import: accept
export: accept
bird__ospf:
limits:
import: 4000
export: 4000
import: accept
export:
protos: kernel
areas:
0:
broadcast:
- back0
stub:
- client0
- client1
- client2
- client3
- client4
bird__bgp:
edge1:
local:
address: "{{ bird__bgp_addr.back }}"
as: "{{ bird__as.aurore }}"
neighbor:
address:
- 2a09:6840:203::1:1
- 10.203.1.1
as: "{{ bird__as.aurore }}"
import:
- pref_src: "{{ bird__pref_src_addr }}"
- accept
export: reject
bird__radv:
rdnss:
- 2a09:6840:206::1:1
- 2a09:6840:206::1:2
interfaces:
client0:
max_interval: 5
prefixes:
- 2a09:6841::/64
dnssl: client0.isp.auro.re
domain_search:
- auro.re
...

40
group_vars/isp/firewall.yml
View file

@ -1,40 +0,0 @@
---
firewall__zones:
internet:
negate: true
addrs:
- 2a09:6840::/32
- 2a09:6841::/32
- 2a09:6842::/32
- 45.66.108.0/22
- 10.0.0.0/8
- 100.64.0.0/10
clients:
addrs:
- 100.64.0.0/10
non_clients:
negate: true
zones: clients
allowed_clients:
file:
path: /var/run/firewall/allowed_clients.yml
default: []
firewall__input:
- verdict: accept
firewall__output:
- verdict: accept
firewall__forward:
- src: allowed_clients
dst: non_clients
verdict: accept
firewall__nat:
- src: clients
dst: internet
protocols: null
snat:
addr: 45.66.111.220
...

32
group_vars/isp/keepalived.yml
View file

@ -1,32 +0,0 @@
---
keepalived__virtual_router_id: 80
keepalived__interface: back0
keepalived__virtual_addresses:
client0:
- 100.64.0.1/27
- 2a09:6841::1/56
- fe80::1/10
client1:
- 100.64.0.33/27
- 2a09:6841:0:1::1/64
- fe80::1/10
client2:
- 100.64.0.65/27
- 2a09:6841:0:2::1/64
- fe80::1/10
client3:
- 100.64.0.97/27
- 2a09:6841:0:3::1/64
- fe80::1/10
client4:
- 100.64.0.129/27
- 2a09:6841:0:4::1/64
- fe80::1/10
keepalived__virtual_blackholes:
- 45.66.111.220/32
keepalived__main: "{{ inventory_hostname_short == 'isp-1' }}"
...

71
group_vars/ns/knotd.yml
View file

@ -1,71 +0,0 @@
---
knotd__listen:
- address: 0.0.0.0
- address: "::"
knotd__keys:
xfr:
algorithm: hmac-sha512
secret: "{{ vault_knotd_xfr_key }}"
knotd__remotes:
xfr-master:
address: 2a09:6840:206::1:7
key: xfr
knotd__acl:
notify-master:
address:
- 2a09:6840:206::1:7
- 10.206.1.7
key: xfr
action: notify
knotd__queryacl:
local:
addresses:
- 10.0.0.0/8
knotd__zones:
auro.re:
dnssec_validation: true
acl:
- notify-master
master: xfr-master
test.auro.re:
dnssec_validation: true
acl:
- notify-master
master: xfr-master
infra.auro.re:
dnssec_validation: true
acl:
- notify-master
#queryacl: local
master: xfr-master
108.66.45.in-addr.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
109.66.45.in-addr.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
110.66.45.in-addr.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
111.66.45.in-addr.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
0.4.8.6.9.0.a.2.ip6.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
...

13
group_vars/ntp/chronyd.yml
View file

@ -1,13 +0,0 @@
---
chronyd__allow_networks:
- 2a09:6840::/32
- 10.0.0.0/8
chronyd__pools:
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
- 3.pool.ntp.org
chronyd__local_stratum: 10
...

144
group_vars/prom/prometheus/bird.yml
View file

@ -1,144 +0,0 @@
---
prometheus__scraping_bird:
targets: "{{ groups.router }}"
address:
port: 9324
prometheus__rules_bird:
- record: bird:protocol_up:bgp_all
expr:
label_replace(
bird_protocol_up{proto="BGP"},
"group", "$1",
"instance", "^([^0-9\\.]+)-[0-9]+.*"
)
# FIXME: sessions en cours d'installation, pas encore monitorées
- record: bird:protocol_up:bgp
expr:
bird:protocol_up:bgp_all
unless bird:protocol_up:bgp_all{
group="edge",
name=~"^(viarezo|isp[12]|rezel)[46]$"
}
# Sessions qui ne sont volontairement pas redondées
# au sein d'un groupe
- record: bird:protocol_up:bgp:non_redundant
expr:
bird:protocol_up:bgp{
group="edge",
name=~"^(oti|crans|legacy|edge)[46]$"
}
# Sessions qui le sont
- record: bird:protocol_up:bgp:redundant
expr:
bird:protocol_up:bgp
unless
bird:protocol_up:bgp:non_redundant
- alert: BirdBGPRedundancyDegraded
expr:
(
count by (group, name) (
bird:protocol_up:bgp:redundant{state="Established"}
) + (
count by (group, name) (
bird:protocol_up:bgp:redundant{state!="Established"} * 0
)
)
) < 2
for: 0m
labels:
severity: warning
annotations:
Session: !unsafe "{{ $labels.name }}"
Count: !unsafe "{{ $value }}"
Group: !unsafe "{{ $labels.group }}"
- alert: BirdBGPDown
expr:
(
count by (group, name) (
bird:protocol_up:bgp{state="Established"}
) + (
count by (group, name) (
bird:protocol_up:bgp{state!="Established"} * 0
)
)
) == 0
for: 0m
labels:
severity: critical
annotations:
Session: !unsafe "{{ $labels.name }}"
Group: !unsafe "{{ $labels.group }}"
# TODO: warning pour redondant ?
- alert: BirdBGPNoExportedPrefixRedundant
expr:
bird_protocol_prefix_export_count{
export_filter!="REJECT",
} * on (instance, name) group_left (group) (
bird:protocol_up:bgp:redundant{state="Established"}
) == 0
for: 0m
labels:
severity: critical
annotations:
Session: !unsafe "{{ $labels.name }}"
Group: !unsafe "{{ $labels.group }}"
- alert: BirdBGPNoImportedPrefixRedundant
expr:
bird_protocol_prefix_import_count{
import_filter!="REJECT",
} * on (instance, name) group_left (group) (
bird:protocol_up:bgp:redundant{state="Established"}
) == 0
for: 0m
labels:
severity: critical
annotations:
Session: !unsafe "{{ $labels.name }}"
Group: !unsafe "{{ $labels.group }}"
- alert: BirdBGPNoExportedPrefixNonRedundant
expr:
sum by (group) (
bird_protocol_prefix_export_count{
export_filter!="REJECT",
} * on (instance, name) group_left (group) (
bird:protocol_up:bgp:non_redundant{state="Established"}
)
) == 0
for: 0m
labels:
severity: critical
annotations:
Session: !unsafe "{{ $labels.name }}"
Group: !unsafe "{{ $labels.group }}"
- alert: BirdBGPNoImportedPrefixNonRedundant
expr:
sum by (group) (
bird_protocol_prefix_import_count{
import_filter!="REJECT",
} * on (instance, name) group_left (group) (
bird:protocol_up:bgp:non_redundant{state="Established"}
)
) == 0
for: 0m
labels:
severity: critical
annotations:
Session: !unsafe "{{ $labels.name }}"
Group: !unsafe "{{ $labels.group }}"
- alert: BirdOSPFNeighboursChange
expr:
changes(bird_ospf_neighbor_count[5m]) > 0
or changes(bird_ospfv3_neighbor_count[5m]) > 0
for: 0m
labels:
severity: warning
- alert: BirdOSPFDown
expr:
bird_ospf_running == 0
for: 0m
labels:
severity: critical
annotations:
Instance: !unsafe "{{ $labels.name }}"
...

11
group_vars/prom/prometheus/common.yml
View file

@ -1,11 +0,0 @@
---
prometheus__rules_common:
- alert: CollectorDown
expr:
up == 0
for: 3m
labels:
severity: critical
annotations:
Job: !unsafe "{{ $labels.job }}"
...

11
group_vars/prom/prometheus/eaton.yml
View file

@ -1,11 +0,0 @@
---
prometheus__scraping_eaton:
targets: "{{ groups.eaton_ups }}"
address: 127.0.0.1:9116
path: /snmp
params:
module:
- eaton
prometheus__rules_eaton: {}
...

13
group_vars/prom/prometheus/ilo.yml
View file

@ -1,13 +0,0 @@
---
prometheus__scraping_ilo:
targets: "{{ groups.ilo }}"
address: 127.0.0.1:9116
path: /snmp
timeout: 180s
interval: 180s
params:
module:
- ilo
prometheus__rules_ilo: {}
...

6
group_vars/prom/prometheus/jitsi.yml
View file

@ -1,6 +0,0 @@
---
prometheus__scraping_jitsi:
targets: ["jitsi.pub.infra.auro.re"]
address:
port: 9700
...

23
group_vars/prom/prometheus/keepalived.yml
View file

@ -1,23 +0,0 @@
---
prometheus__rules_keepalived:
- alert: KeepalivedVrrpFault
expr:
keepalived_vrrp_state{state="fault"} > 0
for: 0m
labels:
severity: critical
annotations:
Instance: !unsafe "{{ $labels.instance }}"
- alert: KeepalivedMasterChange
expr:
changes(
keepalived_vrrp_state{
keepalived_vvrp_state="master"
}[1m]
) > 0
for: 0m
labels:
severity: warning
annotations:
Instance: !unsafe "{{ $labels.instance }}"
...

6
group_vars/prom/prometheus/kresd.yml
View file

@ -1,6 +0,0 @@
---
prometheus__scraping_kresd:
targets: "{{ groups.dns }}"
address:
port: 8453
...

28
group_vars/prom/prometheus/main.yml
View file

@ -1,28 +0,0 @@
---
prometheus__alertmanager_targets:
- docker-ovh.adm.auro.re:9093
prometheus__tsdb_retention_time: 90d
prometheus__scraping:
node: "{{ prometheus__scraping_node }}"
prometheus: "{{ prometheus__scraping_prometheus }}"
kresd: "{{ prometheus__scraping_kresd }}"
bird: "{{ prometheus__scraping_bird }}"
quanta: "{{ prometheus__scraping_quanta }}"
ilo: "{{ prometheus__scraping_ilo }}"
snmp: "{{ prometheus__scraping_snmp }}"
eaton: "{{ prometheus__scraping_eaton }}"
jitsi: "{{ prometheus__scraping_jitsi }}"
prometheus__rules:
common: "{{ prometheus__rules_common }}"
switch: "{{ prometheus__rules_switch }}"
prometheus: "{{ prometheus__rules_prometheus }}"
node: "{{ prometheus__rules_node }}"
keepalived: "{{ prometheus__rules_keepalived }}"
quanta: "{{ prometheus__rules_quanta }}"
#ilo: "{{ prometheus__rules_ilo }}"
bird: "{{ prometheus__rules_bird }}"
#eaton: "{{ prometheus__rules_eaton }}"
...

200
group_vars/prom/prometheus/node.yml
View file

@ -1,200 +0,0 @@
---
prometheus__scraping_node:
targets: "{{ groups.vm + groups.pve }}"
address:
port: 9100
prometheus__rules_node:
- alert: OutOfMemory
expr:
(
node_memory_MemFree_bytes
+ node_memory_Cached_bytes
+ node_memory_Buffers_bytes
) / node_memory_MemTotal_bytes < 0.1
for: 5m
labels:
severity: warning
annotations:
FreeMemory: !unsafe "{{ $value | humanizePercentage }}"
- alert: HostSwapIsFillingUp
expr:
(
1 - (
node_memory_SwapFree_bytes
/ node_memory_SwapTotal_bytes
)
) >= 0.5
for: 3m
labels:
severity: critical
annotations:
UsedSwap: !unsafe "{{ $value | humanizePercentage }}"
- alert: HostPhysicalComponentTooHot
expr:
node_hwmon_temp_celsius > 79
for: 3m
labels:
severity: critical
annotations:
Temperature: !unsafe "{{ $value | humanize }} °C"
Chip: !unsafe "{{ $labels.chip }}"
Sensor: !unsafe "{{ $labels.sensor }}"
- alert: HostNodeOvertemperatureAlarm
expr:
node_hwmon_temp_crit_alarm_celsius == 1
for: 0m
labels:
severity: critical
annotations:
Chip: !unsafe "{{ $labels.chip }}"
Sensor: !unsafe "{{ $labels.sensor }}"
- alert: HostRaidArrayGotInactive
expr:
node_md_state{state="inactive"} > 0
for: 0m
labels:
severity: critical
annotations:
Device: !unsafe "{{ $labels.device }}"
- alert: HostRaidDiskFailure
expr:
node_md_disks{state="failed"} > 0
for: 0m
labels:
severity: critical
annotations:
severity: !unsafe "{{ $labels.md_device }}"
- alert: HostOomKillDetected
expr:
increase(node_vmstat_oom_kill[1m]) > 0
for: 0m
labels:
severity: warning
annotations:
PID: !unsafe "{{ $value }}"
- alert: HostEdacCorrectableErrorsDetected
expr:
increase(node_edac_correctable_errors_total[1m]) > 0
for: 0m
labels:
severity: warning
annotations:
CorrectedErrors: !unsafe "{{ $value }}"
- alert: HostEdacUncorrectableErrorsDetected
expr:
increase(node_edac_uncorrectable_errors_total[1m]) > 0
for: 0m
labels:
severity: warning
annotations:
DetectedErrors: !unsafe "{{ $value }}"
- alert: OutOfDiskSpace
expr:
(
node_filesystem_free_bytes
/ node_filesystem_size_bytes < 0.1
)
and on (instance, device, mountpoint) (
node_filesystem_readonly
) == 0
for: 5m
labels:
severity: critical
annotations:
Mountpoint: !unsafe "{{ $labels.mountpoint }}"
FreeSpace: !unsafe "{{ $value | humanizePercentage }}"
- alert: HostConntrackLimit
expr:
(
node_nf_conntrack_entries
/ node_nf_conntrack_entries_limit
) > 0.8
for: 5m
labels:
severity: warning
annotations:
Filled: !unsafe "{{ $value | humanizePercentage }}"
- alert: HostClockSkew
expr:
(
node_timex_offset_seconds > 0.05
and deriv(node_timex_offset_seconds[5m]) >= 0
) or (
node_timex_offset_seconds < -0.05
and deriv(node_timex_offset_seconds[5m]) <= 0
)
for: 2m
labels:
severity: warning
- alert: HostClockNotSynchronising
expr:
min_over_time(node_timex_sync_status[1m]) == 0
and node_timex_maxerror_seconds >= 16
for: 2m
labels:
severity: warning
- alert: HostRequiresReboot
expr:
node_reboot_required > 0
for: 5m
labels:
severity: warning
- alert: OutOfInodes
expr:
node_filesystem_files_free
/ node_filesystem_files < 0.1
for: 3m
labels:
severity: warning
annotations:
Mountpoint: !unsafe "{{ $labels.mountpoint }}"
FreeInodes: !unsafe "{{ $value | humanizePercentage }}"
- alert: CpuUsage
expr:
(
1 - avg by (instance) (
irate(node_cpu_seconds_total{mode="idle"}[5m])
)
) > 0.75
for: 10m
labels:
severity: warning
annotations:
Usage: !unsafe "{{ $value | humanizePercentage }}"
- alert: SystemdServiceFailed
expr:
node_systemd_unit_state{state="failed"} == 1
for: 10m
labels:
severity: warning
annotations:
Service: !unsafe "{{ $labels.name }}"
- alert: LoadUsage
expr:
node_load1 > 5
for: 2m
labels:
severity: warning
annotations:
Load1: !unsafe "{{ $value | humanize }}"
- alert: UnhealthyDisk
expr:
smartmon_device_smart_healthy < 1
for: 10m
labels:
severity: critical
annotations:
Disk: !unsafe "{{ $labels.disk }}"
- alert: HostCpuStealNoisyNeighbor
expr:
avg by (instance) (
rate(node_cpu_seconds_total{mode="steal"}[5m])
) > 0.1
for: 5m
labels:
severity: warning
annotations:
Disk: !unsafe "{{ $labels.disk }}"
Steal: !unsafe "{{ $value | humanizePercentage }}"
...

14
group_vars/prom/prometheus/prometheus.yml
View file

@ -1,14 +0,0 @@
---
prometheus__scraping_prometheus:
targets: "{{ groups.prom }}"
address:
port: 9090
prometheus__rules_prometheus:
- alert: PrometheusTsdbCompactionFailed
expr:
increase(prometheus_tsdb_compactions_failed_total[1m]) > 0
for: 0m
labels:
severity: critical
...

98
group_vars/prom/prometheus/quanta.yml
View file

@ -1,98 +0,0 @@
---
prometheus__scraping_quanta:
targets: "{{ groups.quanta }}"
address: 127.0.0.1:9116
path: /snmp
timeout: 180s
interval: 180s
params:
module:
- quanta
prometheus__rules_quanta:
- alert: QuantaQueueOverflow
expr:
snAgGblQueueOverflow == 1
for: 0m
labels:
severity: critical
- alert: QuantaCpuUsage
expr:
snAgGblCpuUtil1MinAvg > 50
for: 5m
labels:
severity: warning
annotations:
Usage: !unsafe "{{ $value }} %"
- alert: QuantaCpuUsage
expr:
snAgGblCpuUtil1MinAvg > 80
for: 5m
labels:
severity: critical
annotations:
Usage: !unsafe "{{ $value }} %"
- alert: QuantaMemoryUsage
expr:
100 * (1 - (snAgGblDynMemFree / snAgGblDynMemTotal)) > 50
for: 5m
labels:
severity: warning
annotations:
UsedMemory: !unsafe "{{ $value }} %"
- alert: QuantaMemoryUsage
expr:
100 * (1 - (snAgGblDynMemFree / snAgGblDynMemTotal)) > 80
for: 5m
labels:
severity: alert
annotations:
UsedMemory: !unsafe "{{ $value }} %"
- alert: QuantaFanHealth
expr:
snChasFanOperStatus{snChasFanOperStatus="normal"} == 0
for: 0m
labels:
severity: critical
annotations:
Description: !unsafe "{{ $labels.shChasFanDescription }}"
Status: !unsafe "{{ $labels.snChasFanOperStatus }}"
- alert: QuantaMissingIntakeTemp
expr:
count by (instance) (
snAgentTempValue
) - count by (instance) (
snAgentTempValue{snAgentTempSensorDescr=~".*Intake.*"}
) == 0
for: 0m
labels:
severity: critical
- alert: QuantaIntakeTemp
expr:
0.5 * snAgentTempValue{snAgentTempSensorDescr=~".*Intake.*"} > 60
for: 10m
keep_firing_for: 30m
labels:
severity: warning
annotations:
Temperature: !unsafe "{{ $value }} °C"
Description: !unsafe "{{ $labels.snAgentTempSensorDescr }}"
- alert: QuantaIntakeTemp
expr:
0.5 * snAgentTempValue{snAgentTempSensorDescr=~".*Intake.*"} > 70
for: 10m
keep_firing_for: 30m
labels:
severity: critical
annotations:
Temperature: !unsafe "{{ $value }} °C"
Description: !unsafe "{{ $labels.snAgentTempSensorDescr }}"
- alert: QuantaPowerRedundancyFailure
expr:
count by (instance) (
snChasPwrSupplyOperStatus{snChasPwrSupplyOperStatus="normal"}
) < 2
for: 0m
labels:
severity: warning
...

6
group_vars/prom/prometheus/snmp.yml
View file

@ -1,6 +0,0 @@
---
prometheus__scraping_snmp:
targets: "{{ groups.prom }}"
address:
port: 9116
...

91
group_vars/prom/prometheus/switch.yml
View file

@ -1,91 +0,0 @@
---
prometheus__rules_switch:
- alert: SwitchPromiscuousChange
expr:
changes(ifPromiscuousMode[5m]) > 0
for: 0m
labels:
severity: warning
annotations:
Interface: !unsafe "{{ $labels.ifName }}
{{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
- alert: SwitchInterfaceUpChange
expr:
changes(ifOperStatus{ifOperStatus="up"}[5m]) > 0
for: 0m
labels:
severity: warning
annotations:
Interface: !unsafe "{{ $labels.ifName }}
{{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
- alert: SwitchInErrors
expr:
irate(ifInErrors[5m]) / (
irate(ifInUcastPkts[5m])
+ irate(ifInNUcastPkts[5m])
) > 0.0001
for: 0m
labels:
severity: warning
annotations:
ErrorRate: !unsafe "{{ $value | humanizePercentage }}"
Interface: !unsafe "{{ $labels.ifName }}
{{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
- alert: SwitchOutErrors
expr:
irate(ifOutErrors[5m]) / (
irate(ifOutUcastPkts[5m])
+ irate(ifOutNUcastPkts[5m])
) > 0.0001
for: 0m
labels:
severity: warning
annotations:
ErrorRate: !unsafe "{{ $value | humanizePercentage }}"
Interface: !unsafe "{{ $labels.ifName }}
{{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
- alert: SwitchInLinkUsage
expr:
rate(ifHCInOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.5
for: 5m
keep_firing_for: 10m
labels:
severity: warning
annotations:
Usage: !unsafe "{{ $value | humanizePercentage }}"
Interface: !unsafe "{{ $labels.ifName }}
{{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
- alert: SwitchInLinkUsage
expr:
rate(ifHCInOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.8
for: 5m
keep_firing_for: 10m
labels:
severity: critical
annotations:
Usage: !unsafe "{{ $value | humanizePercentage }}"
Interface: !unsafe "{{ $labels.ifName }}
{{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
- alert: SwitchOutLinkUsage
expr:
rate(ifHCOutOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.5
for: 5m
keep_firing_for: 10m
labels:
severity: warning
annotations:
Usage: !unsafe "{{ $value | humanizePercentage }}"
Interface: !unsafe "{{ $labels.ifName }}
{{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
- alert: SwitchOutLinkUsage
expr:
rate(ifHCOutOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.8
for: 5m
keep_firing_for: 10m
labels:
severity: warning
annotations:
Usage: !unsafe "{{ $value | humanizePercentage }}"
Interface: !unsafe "{{ $labels.ifName }}
{{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
...

40
group_vars/prom/prometheus_snmp/eaton.yml
View file

@ -1,40 +0,0 @@
---
prometheus_snmp__modules_eaton:
version: 1
auth:
community: "{{ vault_snmp_eaton_community }}"
walk:
- sysUpTime
#- upsBattery
- xupsInput
- xupsOutput
- xupsBypass
- xupsEnvironment
- xupsBattery
- xupsConfig
lookups:
- source_indexes:
- xupsInputPhase
lookup: xupsInputName
- source_indexes:
- xupsOutputPhase
lookup: xupsOutputName
- source_indexes:
- xupsBypassPhase
lookup: xupsBypassName
overrides:
upsBatteryStatus:
type: EnumAsStateSet
xupsInputId:
type: EnumAsStateSet
xupsOutputId:
type: EnumAsStateSet
xupsBypassId:
type: EnumAsStateSet
xupsOutputSource:
type: EnumAsStateSet
xupsBatteryAbmStatus:
type: EnumAsStateSet
xupsContactType:
type: EnumAsStateSet
...

19
group_vars/prom/prometheus_snmp/ilo.yml
View file

@ -1,19 +0,0 @@
---
prometheus_snmp__modules_ilo:
version: 3
timeout: 10s
retries: 10
auth:
security_level: authPriv
auth_protocol: SHA
username: aurore
password: "{{ vault_snmp_ilo_auth }}"
priv_protocol: AES
priv_password: "{{ vault_snmp_ilo_priv }}"
walk:
- sysUpTime
- cpqHeTemperatureTable
overrides:
cpqHeTemperatureThresholdType:
type: EnumAsStateSet
...

6
group_vars/prom/prometheus_snmp/main.yml
View file

@ -1,6 +0,0 @@
---
prometheus_snmp__modules:
quanta: "{{ prometheus_snmp__modules_quanta }}"
ilo: "{{ prometheus_snmp__modules_ilo }}"
eaton: "{{ prometheus_snmp__modules_eaton }}"
...

125
group_vars/prom/prometheus_snmp/quanta.yml
View file

@ -1,125 +0,0 @@
---
prometheus_snmp__modules_quanta:
auth:
community: "{{ vault_snmp_quanta_community }}"
timeout: 60s
retries: 3
walk:
- interfaces
- ifXTable
- snAgGblQueueOverflow
- snAgGblDynMemTotal
- snAgGblDynMemFree
- snAgGblCpuUtil1SecAvg
- snAgGblCpuUtil5SecAvg
- snAgGblCpuUtil1MinAvg
- sysUpTime
- snAgentCpuUtilPercent
- snAgent
- snChasFan
- snChasPwr
- snAgentTemp
- snAgentCpu
- snSwInfo
- snSwIfInfoTable
- dot3StatsTable
- dot3HCStatsTable
- dot3Errors
- dot3Tests
- dot3CollTable
- lldpLocChassisId
- lldpRemTable
- lldpLocPortTable
- dot1dBasePort
lookups:
- source_indexes:
- ifIndex
lookup: ifAlias
- source_indexes:
- ifIndex
lookup: ifDescr
- source_indexes:
- ifIndex
lookup: ifName
- source_indexes:
- snChasFanIndex
lookup: snChasFanDescription
- source_indexes:
- snAgentTempSlotNum
- snAgentTempSensorId
lookup: snAgentTempSensorDescr
- source_indexes:
- snSwIfInfoPortNum
lookup: snSwIfName
- source_indexes:
- snSwIfInfoPortNum
lookup: snSwIfDescr
- source_indexes:
- dot3StatsIndex
lookup: ifAlias
- source_indexes:
- dot3StatsIndex
lookup: ifDescr
- source_indexes:
- dot3StatsIndex
lookup: ifName
- source_indexes:
- lldpRemTimeMark
- lldpRemLocalPortNum
- lldpRemIndex
lookup: lldpRemChassisId
#- source_indexes:
# - lldpLocPortNum
# lookup: lldpLocPortIdSubtype
overrides:
ifIndex:
ignore: true
ifAlias:
ignore: true
ifDescr:
ignore: true
ifName:
ignore: true
ifOperStatus:
type: EnumAsStateSet
ifAdminStatus:
type: EnumAsStateSet
snChasFanIndex:
ignore: true
snChasFanDescription:
ignore: true
snChasPwrSupplyIndex:
ignore: true
snAgentTempSensorDescr:
ignore: true
snChasFanOperStatus:
type: EnumAsStateSet
snChasPwrSupplyOperStatus:
type: EnumAsStateSet
snSwIfName:
ignore: true
snSwIfDescr:
ignore: true
snSwIfVlanId:
ignore: true
snSwIfInfoPortNum:
ignore: true
snSwIfInfoMonitorMode:
type: EnumAsStateSet
snSwIfInfoMirrorPorts:
ignore: true
snSwIfInfoMediaType:
type: EnumAsInfo
ifType:
type: EnumAsInfo
dot3StatsIndex:
ignore: true
dot3StatsEtherChipSet:
ignore: true
dot3StatsDuplexStatus:
type: EnumAsStateSet
lldpLocPortIdSubtype:
type: EnumAsInfo
lldpRemPortIdSubtype:
type: EnumAsInfo
...

31
group_vars/pve/pve_auth.yml
View file

@ -1,31 +0,0 @@
---
pve_auth__groups:
admin:
- Administrator
pve_auth__pam_users:
root:
enabled: false
pve_auth__users:
elkmaennchen:
password: "{{ vault_pve_passwords.elkmaennchen }}"
groups:
- admin
jeltz:
password: "{{ vault_pve_passwords.jeltz }}"
groups:
- admin
korenstin:
password: "{{ vault_pve_passwords.korenstin }}"
groups:
- admin
otthorn:
password: "{{ vault_pve_passwords.otthorn }}"
groups:
- admin
v-lafeychine:
password: "{{ vault_pve_passwords['v-lafeychine'] }}"
groups:
- admin
...

17
group_vars/radius/freeradius.yml
View file

@ -1,17 +0,0 @@
---
radiusd__guest_vlan: 1000
radiusd__clients:
localhost:
addr: 127.0.0.1
secret: abcdef
type: aurore
wifi-ap-v4:
addr: 10.102.0.0/16
secret: abcdef
type: aurore
wifi-ap-v6:
addr: 2a09:6840:102::/56
secret: abcdef
type: aurore
...

1
group_vars/reverseproxy.yml
View file

@ -1,4 +1,3 @@
---
loc_nginx:
servers: []

3
group_vars/router/prometheus.yml
View file

@ -1,3 +0,0 @@
---
prometheus_keepalived__dest: /var/run/prometheus-node-exporter/keepalived.prom
...

12
group_vars/switch.yml
View file

@ -1,12 +0,0 @@
---
glob_switch:
loop_protect:
port_disable_timer_in_seconds: 30
transmit_interval_in_seconds: 3
sntp:
operation_mode: SNTP_UNICAST_MODE
poll_interval: 720
servers:
- ip: 10.206.1.5
priority: 1
...

60
group_vars/vpn/bird.yml
View file

@ -1,60 +0,0 @@
---
bird__tables:
- wg
bird__kernel:
kernel:
learn: true
import: accept
export: accept
vrf:
learn: true
import:
sources:
- "{{ iproute2__custom_protos.wireguard }}"
export: accept
table: wg
kernel: "{{ iproute2__custom_tables.wireguard }}"
bird__ospf:
limits:
import: 4000
export: 4000
table: wg
import: accept
export:
sources:
- "{{ iproute2__custom_protos.wireguard }}"
areas:
1:
broadcast:
- vpn0
bird__bgp:
infra1:
local:
address: "{{ bird__bgp_addr.vpn }}"
as: "{{ bird__as.aurore }}"
neighbor:
address:
- 2a09:6840:213::1:1
- 10.213.1.1
as: "{{ bird__as.aurore }}"
table: wg
import: accept
export: reject
next_hop_self: true
infra2:
local:
address: "{{ bird__bgp_addr.vpn }}"
as: "{{ bird__as.aurore }}"
neighbor:
address:
- 2a09:6840:213::1:2
- 10.213.1.2
as: "{{ bird__as.aurore }}"
table: wg
import: accept
export: reject
next_hop_self: true
...

16
group_vars/vpn/ifupdown2.yml
View file

@ -1,16 +0,0 @@
---
ifupdown2__vrf:
wg-vrf:
table: "{{ iproute2__custom_tables.wireguard }}"
ifupdown2__wireguard:
wg0:
private_key: "{{ vault_wireguard_wg0_private }}"
listen_port: 5121
vrf: wg-vrf
table: "{{ iproute2__custom_tables.wireguard }}"
peer_allowed_addresses:
- 2a09:6840:212::1:1/128
- 10.212.1.1/32
peer_public_key: 0kP/XjaGOpu4p9KHTAoAhkLwXzC8wJUdPIdhdpgeKhY=
...

7
group_vars/vpn/iproute2.yml
View file

@ -1,7 +0,0 @@
---
iproute2__custom_tables:
wireguard: 2000
iproute2__custom_protos:
wireguard: 200
...

70
host_vars/bdd-ovh.adm.auro.re.yml Normal file
View file

@ -0,0 +1,70 @@
---
postgresql:
version: 13
postgresql_hosts:
- database: etherpad
user: etherpad
net: 10.128.0.150/32
method: md5
- database: codimd
user: codimd
net: 10.128.0.150/32
method: md5
- database: synapse
user: synapse
net: 10.128.0.56/32
method: md5
- database: kanboard
user: kanboard
net: 10.128.0.150/32
method: md5
- database: grafana
user: grafana
net: 10.128.0.150/32
method: md5
- database: cas
user: cas
net: 10.128.0.150/32
method: md5
postgresql_databases:
- synapse
- codimd
- etherpad
- kanboard
- grafana
- cas
postgresql_users:
- name: synapse
database: synapse
password: "{{ postgresql_synapse_passwd }}"
privs:
- ALL
- name: codimd
database: codimd
password: "{{ postgresql_codimd_passwd }}"
privs:
- ALL
- name: etherpad
database: etherpad
password: "{{ postgresql_etherpad_passwd }}"
privs:
- ALL
- name: kanboard
database: kanboard
password: "{{ postgresql_kanboard_passwd }}"
privs:
- ALL
- name: grafana
database: grafana
password: "{{ postgresql_grafana_passwd }}"
privs:
- ALL
- name: cas
database: cas
password: "{{ postgresql_cas_passwd }}"
privs:
- ALL
...

50
host_vars/bdd.adm.auro.re.yml Normal file
View file

@ -0,0 +1,50 @@
---
postgresql:
version: 13
postgresql_hosts:
- database: nextcloud
user: nextcloud
net: 10.128.0.58/32
method: md5
- database: gitea
user: gitea
net: 10.128.0.60/32
method: md5
- database: wikijs
user: wikijs
net: 10.128.0.66/32
method: md5
- database: drone
user: drone
net: 10.128.0.64/32
method: md5
postgresql_databases:
- nextcloud
- gitea
- wikijs
- drone
postgresql_users:
- name: nextcloud
database: nextcloud
password: "{{ postgresql_nextcloud_passwd }}"
privs:
- ALL
- name: gitea
database: gitea
password: "{{ postgresql_gitea_passwd }}"
privs:
- ALL
- name: wikijs
database: wikijs
password: "{{ postgresql_wikijs_passwd }}"
privs:
- ALL
- name: drone
database: drone
password: "{{ postgresql_drone_passwd }}"
privs:
- ALL
...

22
host_vars/collabora.ext.infra.auro.re.yml
View file

@ -1,22 +0,0 @@
---
systemd_link__links:
pub0: ae:ae:ae:2C:60:35
ifupdown2__interfaces:
pub0:
addresses:
- 2a09:6840:128::220/64
- 10.128.0.220/16
gateways: "{{ ifupdown2__gateways.adm }}"
collabora__server_name: office.auro.re
collabora__post_allow_addrs:
- 2a09:6840:215::1:1
- 45.66.111.206
collabora__wopi_groups:
- host: https://cloud.auro.re:443
aliases:
- https://nextcloud.auro.re:443
...

47
host_vars/dhcp-1.isp.infra.auro.re.yml
View file

@ -1,47 +0,0 @@
---
systemd_link__links:
isp0: 02:00:00:c6:3f:6f
trunk0: 02:00:00:b1:8d:d6
ifupdown2__interfaces:
isp0:
addresses:
- 2a09:6840:210::1:1/64
- 10.210.1.1/16
gateways: "{{ ifupdown2__gateways.isp }}"
trunk0:
ipv6_addrgen: false
clients0:
bridge_vlan_aware: true
bridge_ports:
- trunk0
bridge_vids:
- 1000-1004
bridge_disable_pvid: true
ipv6_addrgen: false
client0:
addresses:
- 100.64.0.2/27
vlan_id: 1000
vlan_raw_device: clients0
client1:
addresses:
- 100.64.0.34/27
vlan_id: 1001
vlan_raw_device: clients0
client2:
addresses:
- 100.64.0.66/27
vlan_id: 1002
vlan_raw_device: clients0
client3:
addresses:
- 100.64.0.98/27
vlan_id: 1003
vlan_raw_device: clients0
client4:
addresses:
- 100.64.0.130/27
vlan_id: 1004
vlan_raw_device: clients0
...

47
host_vars/dhcp-2.isp.infra.auro.re.yml
View file

@ -1,47 +0,0 @@
---
systemd_link__links:
isp0: 04:00:00:8c:d1:36
trunk0: 04:00:00:33:2c:3c
ifupdown2__interfaces:
isp0:
addresses:
- 2a09:6840:210::1:2/64
- 10.210.1.2/16
gateways: "{{ ifupdown2__gateways.isp }}"
trunk0:
ipv6_addrgen: false
clients0:
bridge_vlan_aware: true
bridge_ports:
- trunk0
bridge_vids:
- 1000-1004
bridge_disable_pvid: true
ipv6_addrgen: false
client0:
addresses:
- 100.64.0.3/27
vlan_id: 1000
vlan_raw_device: clients0
client1:
addresses:
- 100.64.0.35/27
vlan_id: 1001
vlan_raw_device: clients0
client2:
addresses:
- 100.64.0.67/27
vlan_id: 1002
vlan_raw_device: clients0
client3:
addresses:
- 100.64.0.99/27
vlan_id: 1003
vlan_raw_device: clients0
client4:
addresses:
- 100.64.0.131/27
vlan_id: 1004
vlan_raw_device: clients0
...

11
host_vars/dns-1.int.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
int0: 02:00:00:9f:d9:f9
ifupdown2__interfaces:
int0:
addresses:
- 2a09:6840:206::1:1/64
- 10.206.1.1/16
gateways: "{{ ifupdown2__gateways.int }}"
...

11
host_vars/dns-2.int.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
int0: 04:00:00:3c:c0:5a
ifupdown2__interfaces:
int0:
addresses:
- 2a09:6840:206::1:2/64
- 10.206.1.2/16
gateways: "{{ ifupdown2__gateways.int }}"
...

39
host_vars/edge-1.back.infra.auro.re.yml
View file

@ -1,39 +0,0 @@
---
systemd_link__links:
adm0: 02:00:00:9E:3E:21
crans0: 02:00:00:A2:7C:68
zayo0: 02:00:00:35:89:82
rezel0: 02:00:00:8F:4A:AD
back0: 02:00:00:1C:3A:2E
viarezo0: 02:00:00:ED:70:64
router0: 02:00:00:5A:17:7C
oti0: 02:00:00:05:0E:A6
ifupdown2__interfaces:
adm0:
addresses:
- 2a09:6840:128::10:2/64
- 10.128.10.2/16
crans0:
ipv6_addrgen: false
zayo0:
ipv6_addrgen: false
rezel0:
addresses:
- 2a09:6842:19:9116::1/64
- 45.66.111.1/29
back0:
addresses:
- 2a09:6840:203::1:1/64
- 10.203.1.1/16
viarezo0:
addresses:
- 2a0c:b641:2ff::6/125
- 192.159.121.133/29
router0:
addresses:
- 2a09:6840:129::10:2/56
- 10.129.10.2/16
oti0:
ipv6_addrgen: false
...

39
host_vars/edge-2.back.infra.auro.re.yml
View file

@ -1,39 +0,0 @@
---
systemd_link__links:
adm0: 04:00:00:F5:69:B9
crans0: 04:00:00:CF:E1:D0
zayo0: 04:00:00:67:7B:12
rezel0: 04:00:00:C6:05:B7
back0: 04:00:00:DE:22:E6
viarezo0: 04:00:00:45:FA:E6
router0: 04:00:00:AD:D7:71
oti0: 02:00:00:05:0E:A6
ifupdown2__interfaces:
adm0:
addresses:
- 2a09:6840:128::10:102/64
- 10.128.10.102/16
crans0:
ipv6_addrgen: false
zayo0:
ipv6_addrgen: false
rezel0:
addresses:
- 2a09:6842:19:9116::3/64
- 45.66.111.3/29
back0:
addresses:
- 2a09:6840:203::1:2/64
- 10.203.1.2/16
viarezo0:
addresses:
- 2a0c:b641:2ff::7/125
- 192.159.121.134/29
router0:
addresses:
- 2a09:6840:129::10:102/56
- 10.129.10.102/16
oti0:
ipv6_addrgen: false
...

63
host_vars/infra-1.back.infra.auro.re.yml
View file

@ -1,63 +0,0 @@
---
systemd_link__links:
ups0: 02:00:00:fe:6f:0e
back0: 02:00:00:f8:93:22
monit0: 02:00:00:da:97:7f
wifi0: 02:00:00:8c:c5:bf
int0: 02:00:00:75:40:3e
sw0: 02:00:00:ca:e8:d1
bmc0: 02:00:00:47:d1:b9
pve0: 02:00:00:b3:35:e7
isp0: 02:00:00:6b:53:14
ext0: 02:00:00:32:86:60
vpn0: 02:00:00:52:5f:85
th30: 02:00:00:23:a7:d3
pub0: 02:00:00:7d:34:06
ifupdown2__interfaces:
back0:
addresses:
- 2a09:6840:203::1:3/64
- 10.203.1.3/16
- 45.66.111.210/32 # secondary
ups0:
ipv6_addrgen: false
monit0:
ipv6_addrgen: false
wifi0:
ipv6_addrgen: false
int0:
ipv6_addrgen: false
sw0:
ipv6_addrgen: false
bmc0:
ipv6_addrgen: false
pve0:
ipv6_addrgen: false
isp0:
ipv6_addrgen: false
ext0:
ipv6_addrgen: false
pub0:
ipv6_addrgen: false
vpn0:
addresses:
- 2a09:6840:213::1:1/64
- 10.213.1.1/16
th30:
ipv6_addrgen: false
bird__router_id: 10.203.1.3
bird__bgp_addr:
back:
- 2a09:6840:203::1:3
- 10.203.1.3
vpn:
- 2a09:6840:213::1:1
- 10.213.1.1
bird__pref_src_addr:
- 2a09:6840:203::1:3
- 45.66.111.210
...

63
host_vars/infra-2.back.infra.auro.re.yml
View file

@ -1,63 +0,0 @@
---
systemd_link__links:
ups0: 04:00:00:6d:97:83
back0: 04:00:00:46:ba:f9
monit0: 04:00:00:72:0b:2d
wifi0: 04:00:00:ee:42:0f
int0: 04:00:00:21:fd:d0
sw0: 04:00:00:2e:5b:16
bmc0: 04:00:00:bb:5a:a6
pve0: 04:00:00:0b:2b:82
isp0: 04:00:00:f4:4c:5d
ext0: 04:00:00:1d:0e:83
vpn0: 04:00:00:02:ba:dd
th30: 04:00:00:9e:8d:4f
pub0: 04:00:00:f8:3b:9b
ifupdown2__interfaces:
back0:
addresses:
- 2a09:6840:203::1:4/64
- 10.203.1.4/16
- 45.66.111.211/32 # secondary
ups0:
ipv6_addrgen: false
monit0:
ipv6_addrgen: false
wifi0:
ipv6_addrgen: false
int0:
ipv6_addrgen: false
sw0:
ipv6_addrgen: false
bmc0:
ipv6_addrgen: false
pve0:
ipv6_addrgen: false
isp0:
ipv6_addrgen: false
ext0:
ipv6_addrgen: false
vpn0:
addresses:
- 2a09:6840:213::1:2/64
- 10.213.1.2/16
th30:
ipv6_addrgen: false
pub0:
ipv6_addrgen: false
bird__router_id: 10.203.1.4
bird__bgp_addr:
back:
- 2a09:6840:203::1:4
- 10.203.1.4
vpn:
- 2a09:6840:213:1:2
- 10.213.1.2
bird__pref_src_addr:
- 2a09:6840:203::1:4
- 45.66.111.211
...

59
host_vars/isp-1.back.infra.auro.re.yml
View file

@ -1,59 +0,0 @@
---
systemd_link__links:
adm0: 02:00:00:D8:37:45
back0: 02:00:00:BF:10:4C
trunk0: 02:00:00:E9:BA:15
ifupdown2__interfaces:
adm0:
addresses:
- 2a09:6840:128::10:5/64
- 10.128.10.5/16
gateways: "{{ ifupdown2__gateways.adm }}"
back0:
addresses:
- 2a09:6840:203::1:5/64
- 45.66.111.211/32
- 10.203.1.5/16
trunk0:
ipv6_addrgen: false
clients0:
bridge_vlan_aware: true
bridge_ports:
- trunk0
bridge_vids:
- 1000-1004
bridge_disable_pvid: true
ipv6_addrgen: false
client0:
vlan_id: 1000
vlan_raw_device: clients0
ipv6_addrgen: false
client1:
vlan_id: 1001
vlan_raw_device: clients0
ipv6_addrgen: false
client2:
vlan_id: 1002
vlan_raw_device: clients0
ipv6_addrgen: false
client3:
vlan_id: 1003
vlan_raw_device: clients0
ipv6_addrgen: false
client4:
vlan_id: 1004
vlan_raw_device: clients0
ipv6_addrgen: false
bird__router_id: 10.203.1.5
bird__bgp_addr:
back:
- 2a09:6840:203::1:5
- 10.203.1.5
bird__pref_src_addr:
- 2a09:6840:203::1:5
- 45.66.111.211
...

47
host_vars/isp-2.back.infra.auro.re.yml
View file

@ -1,47 +0,0 @@
---
systemd_link__links:
adm0: 04:00:00:85:C3:5D
back0: 04:00:00:FE:2D:67
trunk0: 04:00:00:D8:F5:4D
ifupdown2__interfaces:
adm0:
addresses:
- 2a09:6840:128::10:105/64
- 10.128.10.105/16
gateways: "{{ ifupdown2__gateways.adm }}"
back0:
addresses:
- 2a09:6840:203::1:6/64
- 10.203.1.6/16
trunk0:
ipv6_addrgen: false
clients0:
bridge_vlan_aware: true
bridge_ports:
- trunk0
bridge_vids:
- 1000-1004
bridge_disable_pvid: true
ipv6_addrgen: false
client0:
vlan_id: 1000
vlan_raw_device: clients0
ipv6_addrgen: false
client1:
vlan_id: 1001
vlan_raw_device: clients0
ipv6_addrgen: false
client2:
vlan_id: 1002
vlan_raw_device: clients0
ipv6_addrgen: false
client3:
vlan_id: 1003
vlan_raw_device: clients0
ipv6_addrgen: false
client4:
vlan_id: 1004
vlan_raw_device: clients0
ipv6_addrgen: false
...

16
host_vars/ldap-1.int.infra.auro.re.yml
View file

@ -1,16 +0,0 @@
---
systemd_link__links:
adm0: 02:00:00:38:c2:52
int0: 02:00:00:fe:a8:54
ifupdown2__interfaces:
adm0:
addresses:
- 2a09:6840:128::10:8/64
- 10.128.10.8/16
int0:
addresses:
- 2a09:6840:206::1:3/64
- 10.206.1.7/16
gateways: "{{ ifupdown2__gateways.int }}"
...

16
host_vars/ldap-2.int.infra.auro.re.yml
View file

@ -1,16 +0,0 @@
---
systemd_link__links:
adm0: 04:00:00:f7:1c:47
int0: 04:00:00:e4:83:d2
ifupdown2__interfaces:
adm0:
addresses:
- 2a09:6840:128::10:108/64
- 10.128.10.108/16
int0:
addresses:
- 2a09:6840:206::1:4/64
- 10.206.1.8/16
gateways: "{{ ifupdown2__gateways.int }}"
...

2
host_vars/log.adm.auro.re.yml
View file

@ -10,7 +10,5 @@ rsyslog_inputs:
port: 20514
- proto: udp
port: 514
- proto: tcp
port: 6514
rsyslog_outputs: []
...

38
host_vars/mx.test.infra.auro.re.yml
View file

@ -1,38 +0,0 @@
---
dovecot__auth_default_realm: test.auro.re
dovecot__auth_users:
jeltz@test.auro.re: "{plain}password"
lafeych@test.auro.re: "{plain}password"
toto@test.auro.re: "{plain}password"
root@test.auro.re: "{plain}L9yXSrCbbafMlMls5q7WWMKC612XNbXL"
dovecot__lmtp_postmaster_address: postmaster@test.auro.re
ifupdown2__interfaces:
ext0:
addresses:
- 2a09:6840:211::1:5/64
- 10.211.1.5/16
- 45.66.111.208/30
gateways: "{{ ifupdown2__gateways.ext }}"
postfix__hostname: mx.test.auro.re
postfix__sasl_local_domain: test.auro.re
postfix__virtual_aliases:
postmaster@test.auro.re: root@test.auro.re
dmarc@test.auro.re: root@test.auro.re
postfix__virtual_mailbox_domains:
- infra.test.auro.re
- test.auro.re
postfix__virtual_mailboxes:
jeltz@test.auro.re: jeltz@test.auro.re
root@test.auro.re: root@test.auro.re
toto@test.auro.re: toto@test.auro.re
vincent.lafeychine@test.auro.re: lafeych@test.auro.re
systemd_link__links:
ext0: ae:ae:ae:1d:c8:b2
...

11
host_vars/ns-1.pub.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
pub0: 02:00:00:ad:62:64
ifupdown2__interfaces:
pub0:
addresses:
- 2a09:6840:215::1:2/64
- 45.66.111.205/27
gateways: "{{ ifupdown2__gateways.pub }}"
...

11
host_vars/ns-2.pub.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
pub0: 04:00:00:1b:0a:3a
ifupdown2__interfaces:
pub0:
addresses:
- 2a09:6840:215::1:3/64
- 45.66.111.207/27
gateways: "{{ ifupdown2__gateways.pub }}"
...

29
host_vars/ns-3.ovh.infra.auro.re.yml
View file

@ -1,29 +0,0 @@
---
systemd_link__links:
adm0: 96:77:96:91:e3:6c
ovh0: 02:00:00:97:78:6d
ifupdown2__interfaces:
adm0:
addresses:
- 2a09:6840:128::109/64
- 10.128.0.109/16
ovh0:
addresses:
- 92.222.211.194/24
gateways: "{{ ifupdown2__gateways.ovh }}"
# TODO: remove as soon as the VPN works
knotd__remotes:
xfr-master:
address: 2a09:6840:128::110
key: xfr
knotd__acl:
notify-master:
address:
- 2a09:6840:128::110
- 10.128.0.110
key: xfr
action: notify
...

617
host_vars/ns-master.int.infra.auro.re/knotd.yml
View file

@ -1,617 +0,0 @@
---
knotd__listen:
- address: 0.0.0.0
- address: "::"
knotd__keys:
xfr:
algorithm: hmac-sha512
secret: "{{ vault_knotd_xfr_key }}"
ksk-infra:
algorithm: hmac-sha512
secret: "{{ vault_knotd_ksk_infra_key }}"
update-acme-challenge:
algorithm: hmac-sha512
secret: "{{ vault_certbot_dns_secret }}"
knotd__remotes:
xfr-ns-1:
address: 2a09:6840:215::1:2
key: xfr
xfr-ns-2:
address: 2a09:6840:215::1:3
key: xfr
xfr-ns-3:
address: 10.128.0.109
key: xfr
ksk-infra:
address: ::1
key: ksk-infra
knotd__policies:
public:
algorithm: ECDSAP256SHA256
reproducible_signing: true
# Je n'ai pas trouvé de façon de pousser les records automatiquement
# sur .re, donc pour éviter d'oublier de le faire manuellement, la
# KSK n'expire pas
ksk_lifetime: 0
zsk_lifetime: 30d
nsec3: true
infra:
algorithm: ECDSAP256SHA256
ksk_lifetime: 365d
zsk_lifetime: 30d
nsec3: on
ds-push: ksk-infra
cds-cdnskey-publish: rollover
ksk-submission: infra
ripe:
algorithm: ECDSAP256SHA256
ksk_lifetime: 365d
zsk_lifetime: 30d
nsec3: on
ds-push: ksk-ripe
cds-cdnskey-publish: rollover
ksk-submission: ripe
knotd__acl:
xfr:
addresses:
- 2a09:6840:128::109
- 10.128.0.109
- 2a09:6840:215::1:2
- 45.66.111.205
- 2a09:6840:215::1:3
- 45.66.111.207
action: transfer
key: xfr
ksk-infra:
addresses:
- 127.0.0.1
- ::1
key: ksk-infra
action: update
update_types:
- DS
update_owner: name
update_owner_match: equal
update_owner_name:
- infra
update-acme-challenge:
addresses:
- 10.128.0.0/16
- 2a09:6840:128::/48
key: update-acme-challenge
action: update
update_types:
- TXT
update_owner: name
update_owner_match: equal
update_owner_name:
- _acme-challenge.auro.re.
knotd__queryacl:
local:
addresses:
- 10.0.0.0/8
knotd__soa_rname: root@auro.re.
knotd__hosts:
auro.re:
proxy-ovh:
- 92.222.211.195
horus:
- 92.23.218.136
ns-1:
- 45.66.111.205
- 2a09:6840:215::1:2
ns-2:
- 92.222.211.194
serge:
- 92.222.211.196
lama:
- 185.230.78.220
- 2a0c:700:12:0:67:e5ff:fee9:108
vpn-ovh:
- 92.222.211.197
passerelle:
- 45.66.111.254
- 2a09:6840:111::254
proxy:
- 45.66.111.61
- 2a09:6840:111::61
camelot:
- 45.66.111.59
- 2a09:6840:111::59
mail:
- 45.66.111.62
- 2a09:6840:111::62
galene:
- 45.66.111.65
- 2a09:6840:111::65
aclyas:
- 45.66.111.231
- 2a09:6840:111::231
jitsi:
- 45.66.111.55
- 2a09:6840:111::55
jitsi-ng:
- 45.66.111.216
- 2a09:6840:215::1:216
portail-fleming:
- 10.13.0.247
- 2a09:6840:13::247
portail-pacaterie:
- 10.23.0.247
- 2a09:6840:23::247
portail-rives:
- 10.33.0.247
- 2a09:6840:33::247
portail-edc:
- 10.43.0.247
- 2a09:6840:43::247
portail-gs:
- 10.53.0.247
- 2a09:6840:53::247
adh.auro.re:
paon:
- 45.66.110.10
- 2a09:6840:110:0:231:92ff:fe1b:ae22
lyshyga0:
- 45.66.110.113
- 2a09:6840:110:0:6af7:28ff:fe91:e8d9
pz28910:
- 45.66.110.114
vinsing0:
- 45.66.110.123
- 2a09:6840:110:0:1e1b:dff:fe90:7d81
osc-routeur:
- 45.66.110.125
- 2a09:6840:110:0:ba27:ebff:fe2d:c1a1
odroid:
- 45.66.110.154
- 2a09:6840:110:0:21e:6ff:fe49:e00
amau0:
- 45.66.110.164
- 2a09:6840:110:0:3e7c:3fff:fec3:27d1
regulus:
- 45.66.110.180
- 2a09:6840:110:0:2ef0:5dff:fe2a:1530
toaster:
- 45.66.110.188
- 2a09:6840:110:0:5246:5dff:fe9a:f70
rpijutax:
- 45.66.110.190
- 2a09:6840:110:0:ba27:ebff:fe76:a9bc
polaris:
- 45.66.110.245
- 2a09:6840:110:0:dea6:32ff:feb4:d033
lafeychine:
- 92.91.154.45
infra.auro.re:
services-1.ceph:
- 2a09:6840:214::1:1
- 10.214.1.1
services-2.ceph:
- 2a09:6840:214::1:2
- 10.214.1.2
services-3.ceph:
- 2a09:6840:209::1:3
- 10.214.1.3
services-1.pve:
- 2a09:6840:209::2:1
- 10.209.2.1
services-2.pve:
- 2a09:6840:209::2:2
- 10.209.2.2
network-1.pve:
- 2a09:6840:209::1:1
- 10.209.1.1
network-2.pve:
- 2a09:6840:209::1:2
- 10.209.1.2
services-3.pve:
- 2a09:6840:209::2:3
- 10.209.2.3
caradoc.bmc:
- 2a09:6840:208::1:1
- 10.208.1.1
services-1.bmc:
- 2a09:6840:208::1:2
- 10.208.1.2
services-2.bmc:
- 2a09:6840:208::1:3
- 10.208.1.3
services-3.bmc:
- 2a09:6840:208::1:4
- 10.208.1.4
perceval.bmc:
- 2a09:6840:208::1:5
- 10.208.1.5
chapalux.bmc:
- 2a09:6840:208::1:6
- 10.208.1.6
loki.bmc:
- 2a09:6840:208::1:7
- 10.208.1.7
network-1.bmc:
- 2a09:6840:208::1:8
- 10.208.1.8
network-2.bmc:
- 2a09:6840:208::1:9
- 10.208.1.9
escalope.bmc:
- 2a09:6840:208::1:10
- 10.208.1.10
edge-1.back:
- 2a09:6840:203::1:1
- 10.203.1.1
edge-2.back:
- 2a09:6840:203::1:2
- 10.203.1.2
isp-1.back:
- 2a09:6840:203::1:5
- 10.203.1.5
isp-2.back:
- 2a09:6840:203::1:6
- 10.203.1.6
infra-1.back:
- 2a09:6840:203::1:3
- 10.203.1.3
infra-2.back:
- 2a09:6840:203::1:4
- 10.203.1.4
ns-master.int:
- 2a09:6840:128:0::110
- 10.128.0.110
log-1.int:
- 2a09:6840:206::1:9
- 10.206.1.9
log-2.int:
- 2a09:6840:206::1:10
- 10.206.1.10
dns-1.int:
- 2a09:6840:206::1:1
- 10.206.1.1
dns-2.int:
- 2a09:6840:206::1:2
- 10.206.1.2
nis2.int:
- 2a09:6840:206::2:1
- 10.206.2.1
ldap-1.int:
- 10.128.10.8
- 2a09:6840:128::10:8
ldap-2.int:
- 10.128.10.108
- 2a09:6840:128::10:108
ntp-1.int:
- 2a09:6840:206::1:5
- 10.206.1.5
ntp-2.int:
- 2a09:6840:206::1:6
- 10.206.1.6
wg-1.vpn:
- 2a09:6840:213::1:3
- 10.213.1.3
wg-2.vpn:
- 2a09:6840:213::1:4
- 10.213.1.4
dhcp-1.isp:
- 2a09:6840:210::1:1
- 10.210.1.1
dhcp-2.isp:
- 2a09:6840:210::1:2
- 10.210.1.2
radius-1.isp:
- 2a09:6840:210::1:3
- 10.210.1.3
radius-2.isp:
- 2a09:6840:210::1:4
- 10.210.1.4
prometheus-1.monit:
- 2a09:6840:204::1:1
- 10.204.1.1
prometheus-2.monit:
- 2a09:6840:204::1:2
- 10.204.1.2
ff-1.core.sw:
- 10.207.1.1
ff-2.core.sw:
- 10.207.1.2
fl-1.core.sw:
- 10.207.1.3
fl-2.core.sw:
- 10.207.1.4
fd-1.core.sw:
- 10.207.1.5
ff-3.core.sw:
- 10.207.1.6
gk-1.core.sw:
- 10.207.2.1
eb-1.core.sw:
- 10.207.3.1
r3-1.core.sw:
- 10.207.4.1
eb-1.ups:
- 2a09:6840:201::3:1
- 10.201.3.1
ec-1.ups:
- 2a09:6840:201::3:2
- 10.201.3.2
mx.test:
- 2a09:6840:211::1:5
- 10.211.1.5
collabora.ext:
- 2a09:6840:211::1:1
- 10.211.1.1
grafana.ext:
- 2a09:6840:211::1:7
- 10.211.1.7
proxy.pub:
- 2a09:6840:215::1:1
- 45.66.111.206
ns-1.pub:
- 2a09:6840:215::1:2
- 45.66.111.205
ns-2.pub:
- 2a09:6840:215::1:3
- 45.66.111.207
ns-3.ovh:
- 92.222.211.194
tor.pub:
- 45.66.111.215
- 2a09:6840:215::1:215
jitsi.pub:
- 45.66.111.216
- 2a09:6840:215::1:216
knotd__zones:
auro.re:
dnssec_policy: public
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- update-acme-challenge
- ksk-infra
- xfr
soa:
mname: ns-master.int.infra
ns:
- target:
- ns-1.pub.infra
- ns-2.pub.infra
- name: infra
target:
- ns-1.pub.infra
- ns-2.pub.infra
- name: test
target:
- ns-1.pub.infra
- ns-2.pub.infra
- name: adm
target:
- serge
- lama
- name: ups
target:
- serge
- lama
- name: switch
target:
- serge
- lama
- name: borne
target:
- serge
- lama
mx:
- exchange: mail
preference: 5
- exchange: proxy-ovh
preference: 10
txt:
- data: v=spf1 mx -all
a:
- address: 92.222.211.195
cname:
- name:
- gisti
- gistiti
target: jitsi
- name:
- element
- riot
- auth
- rss
- codimd
- hedgedoc
- grist
- kanboard
- www
- pad
- privatebin
- zero
- paste
target: proxy-ovh
- name:
- grafana
- grafana-ng
- nextcloud
- cloud
- office
target: proxy.pub.infra
- name:
- netbox
- wiki
- matrix
- drone
- gitea
- re2o
- vote
target: proxy
- name: intranet
target: re2o
- name:
- smtp
- imap
target: mail
- name:
- prometheus-paul.adh
- pma-paul.adh
- nextcloud-paul.adh
- grafana-paul.adh
- jellyfin.adh
- monitoring.adh
- beta-mpp.adh
- pz28.adh
target: lucepaul.myvnc.com.
- name:
- services-1.pve
target: services-1.pve.infra
- name:
- services-2.pve
target: services-2.pve.infra
- name:
- services-3.pve
target: services-3.pve.infra
hosts: "{{ knotd__hosts['auro.re']
| combine(knotd__hosts['adh.auro.re']
| add_origin_keys('adh.auro.re.')) }}"
test.auro.re:
dnssec_policy: public
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
txt:
- data: v=spf1 mx -all
- name: _dmarc
data: v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@test.auro.re;ruf=mailto:postmaster@test.auro.re
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
mx:
- exchange: mx
preference: 5
cname:
- name:
- www1
- www2
- www3
target: proxy.pub.infra.auro.re.
hosts:
mx:
- 2a09:6840:211::1:5
- 45.66.111.205
infra.auro.re:
dnssec_policy: infra
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
#queryacl: local
soa:
mname: ns-master.int
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
hosts: "{{ knotd__hosts['infra.auro.re'] }}"
108.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
109.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
110.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
reverse_hosts: "{{ knotd__hosts['adh.auro.re']
| ip_filter(['45.66.110.0/24'])
| add_origin_keys('adh.auro.re.') }}"
111.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
reverse_hosts: "{{ knotd__hosts['auro.re']
| ip_filter(['45.66.111.0/24'])
| add_origin_keys('auro.re.') }}"
0.4.8.6.9.0.a.2.ip6.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
reverse_hosts: "{{ knotd__hosts['auro.re']
| ip_filter(['2a09:6840::/32'])
| add_origin_keys('auro.re.')
| combine(knotd__hosts['adh.auro.re']
| ip_filter(['2a09:6840::/32'])
| add_origin_keys('adh.auro.re.')) }}"
...

16
host_vars/ns-master.int.infra.auro.re/main.yml
View file

@ -1,16 +0,0 @@
---
systemd_link__links:
int0: 02:00:00:e3:36:c8
adm0: 42:17:a7:d1:bd:6a
ifupdown2__interfaces:
adm0:
addresses:
- 2a09:6840:128::110/64
- 10.128.0.110/16
int0:
addresses:
- 2a09:6840:206::1:7/64
- 10.206.1.7/16
gateways: "{{ ifupdown2__gateways.int }}"
...

11
host_vars/ntp-1.int.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
int0: 02:00:00:74:71:83
ifupdown2__interfaces:
int0:
addresses:
- 2a09:6840:206::1:5/64
- 10.206.1.5/16
gateways: "{{ ifupdown2__gateways.int }}"
...

11
host_vars/ntp-2.int.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
int0: 04:00:00:31:be:50
ifupdown2__interfaces:
int0:
addresses:
- 2a09:6840:206::1:6/64
- 10.206.1.6/16
gateways: "{{ ifupdown2__gateways.int }}"
...

11
host_vars/prometheus-1.monit.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
monit0: 02:00:00:a8:6b:51
ifupdown2__interfaces:
monit0:
addresses:
- 2a09:6840:204::1:1/64
- 10.204.1.1/16
gateways: "{{ ifupdown2__gateways.monit }}"
...

11
host_vars/prometheus-2.monit.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
monit0: 04:00:00:a6:93:5a
ifupdown2__interfaces:
monit0:
addresses:
- 2a09:6840:204::1:2/64
- 10.204.1.2/16
gateways: "{{ ifupdown2__gateways.monit }}"
...

9
host_vars/proxy-ovh.adm.auro.re.yml
View file

@ -13,8 +13,6 @@ loc_reverseproxy:
to: auro.re
- from: 92.222.211.195
to: auro.re
- from: codimd.auro.re
to: hedgedoc.auro.re
reverseproxy_sites:
- from: phabricator.auro.re
@ -29,9 +27,6 @@ loc_reverseproxy:
- from: passbolt.auro.re
to: 10.128.0.53
- from: auth.auro.re
to: 10.128.0.150:8089
- from: riot.auro.re
to: "10.128.0.150:8080"
- from: element.auro.re
@ -39,6 +34,8 @@ loc_reverseproxy:
- from: chat.auro.re
to: "10.128.0.150:8080"
- from: codimd.auro.re
to: "10.128.0.150:8081"
- from: hedgedoc.auro.re
to: "10.128.0.150:8081"
@ -59,8 +56,6 @@ loc_reverseproxy:
- from: cas.auro.re
to: "10.128.0.150:8085"
- from: rss.auro.re
to: 10.128.0.150:8090
- from: status.auro.re
to: "10.128.0.150:8086"
- from: "kanboard.auro.re"

15
host_vars/proxy.adm.auro.re.yml
View file

@ -41,6 +41,9 @@ loc_reverseproxy:
- from: intranet.auro.re
to: 10.128.0.20
- from: bbb.auro.re
to: 10.128.0.54
- from: nextcloud.auro.re
to: "10.128.0.58:8080"
@ -61,15 +64,3 @@ loc_reverseproxy:
- from: wikijs.auro.re
to: "10.128.0.66:3000"
- from: wiki.auro.re
to: "10.128.0.66:3000"
- from: netbox.auro.re
to: 10.128.0.97
- from: grafana.auro.re
to: "10.128.0.98:3000"
- from: office.auro.re
to: "10.128.0.220"

103
host_vars/proxy.pub.infra.auro.re.yml
View file

@ -1,103 +0,0 @@
---
systemd_link__links:
pub0: ae:ae:ae:3a:71:0b
ifupdown2__interfaces:
pub0:
addresses:
- 2a09:6840:215::1:1/64
- 45.66.111.206/27
gateways: "{{ ifupdown2__gateways.pub }}"
caddy__matrix_headers:
access-control-allow-headers: "Origin, X-Requested-With, Content-Type, Accept, Authorization"
access-control-allow-methods: "GET, POST, PUT, DELETE, OPTIONS"
access-control-allow-origin: "*"
caddy__routes_https:
www1.test.auro.re:
- root: /var/www/auro.re
- path: /.well-known/matrix/server
headers: "{{ caddy__matrix_headers }}"
body: '{"m.server": "matrix.auro.re:8448"}'
status: 200
- path: /.well-known/matrix/client
headers: "{{ caddy__matrix_headers }}"
body: '{"m.homeserver": {"base_url": "https://matrix.auro.re"}}'
status: 200
www2.test.auro.re:
headers:
location: "https://auro.re{http.request.uri}"
status: 301
www3.test.auro.re:
reverse:
- "[2a09:6840:128::198]:3000"
- 10.128.0.198:3000
grafana.auro.re:
reverse:
- "[2a09:6840:128::98]:3000"
- 10.128.0.98:3000
grafana-ng.auro.re:
reverse:
- "[2a09:6840:211::1:7]:80"
- 10.211.1.7:80
office.auro.re:
reverse:
- "[2a09:6840:211::1:1]:9980"
- 10.211.1.1:9980
nextcloud.auro.re:
headers:
location: "https://cloud.auro.re{http.request.uri}"
status: 301
cloud.auro.re:
- path: /.well-known/carddav
headers:
location: /remote.php/dav/
status: 301
- path: /.well-known/caldav
headers:
location: /remote.php/dav/
status: 301
- path: /.well-known/webfinger
headers:
location: /index.php/.well-known/webfinger
status: 301
- path: /.well-known/nodeinfo
headers:
location: /index.php/.well-known/nodeinfo
status: 301
- path: /remote/*
rewrite: /remote.php
- path: /ocm-provider/*
rewrite: /index.php
- path: "*.mjs"
headers:
content-type: text/javascript
- reverse:
- "[2a09:6840:128::58]:8080"
- 10.128.0.58:8080
headers:
x-robots-tag: noindex, nofollow
referrer-policy: no-referrer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: "1; mode=block"
caddy__contact_email: tech.aurore@lists.crans.org
caddy__errors:
- root: "{{ caddy__error_dir }}"
- rewrite: /error.html
- file_server: true
templates: true
caddy__servers:
https:
listen: ":443"
routes: "{{ caddy__routes_https }}"
errors: "{{ caddy__errors }}"
http:
listen: ":80"
...

11
host_vars/radius-1.isp.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
isp0: 02:00:00:6a:3e:f4
ifupdown2__interfaces:
isp0:
addresses:
- 2a09:6840:210::1:3/64
- 10.210.1.3/16
gateways: "{{ ifupdown2__gateways.isp }}"
...

11
host_vars/radius-2.isp.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
isp0: 04:00:00:29:6d:c9
ifupdown2__interfaces:
isp0:
addresses:
- 2a09:6840:210::1:4/64
- 10.210.1.4/16
gateways: "{{ ifupdown2__gateways.isp }}"
...

1
host_vars/re2o-bdd.adm.auro.re.yml Normal file
View file

@ -0,0 +1 @@
postgresql_databases: true

93
host_vars/sw-ec-1.yml
View file

@ -1,93 +0,0 @@
---
switch_vars:
name: sw-ec-1
location: "Local_de_Brassage_EdC"
host: 10.130.4.11
port: 80
username: "{{ vault_switch.username }}"
password: "{{ vault_switch.password }}"
delete_vlans: []
vlans:
- id: 40
name: "Filaire_EDC"
tagged: "{{ '9-10,12,14,16,18,20,22-25' | range2list }}"
- id: 41
name: "Wifi_EDC"
tagged: "{{ '5-10,12,14,16,18,20,22-25' | range2list }}"
- id: 42
name: "Banni_EDC"
tagged: "{{ '5-10,12,14,16,18,20,22-25' | range2list }}"
- id: 43
name: "Accueil_EDC"
tagged: "{{ '5-10,12,14,16,18,20,22-25' | range2list }}"
- id: 110
name: "Adherents_IP_Publiques"
tagged: "{{ '9-10,12,14,16,18,20,22-25' | range2list }}"
- id: 111
name: "Serveurs_IP_Publiques"
tagged: "{{ '25' | range2list }}"
- id: 131
name: "Onduleurs"
tagged: [25]
- id: 144
name: "Bornes_Wifi_EDC"
tagged: [25]
untagged: "{{ '5-8,12,14,16,18,20,22-24' | range2list }}"
ports:
- id: 1
name: "Room_Ouest_363"
- id: 2
name: "Room_Ouest_364"
- id: 3
name: "Room_Principale_Foyer_1"
- id: 4
name: "Room_Principale_Foyer_2"
- id: 5
name: "Borne_Principale_0_1"
- id: 6
name: "Borne_Principale_1_1"
- id: 7
name: "Borne_Principale_1_2"
- id: 8
name: "Borne_Principale_1_3"
- id: 9
name: "Room_Ouest_352"
- id: 10
name: "Borne_Adh_Ouest_252"
- id: 11
name: "Room_Ouest_273"
- id: 12
name: "Borne_Adh_Est_231"
- id: 13
name: "Room_Ouest_261"
- id: 14
name: "Borne_Adh_Ouest_272"
- id: 15
name: "Room_Ouest_262"
- id: 16
name: "Room_Est_225"
- id: 17
name: "Room_Ouest_263"
- id: 18
name: "Room_Ouest_76"
- id: 19
name: "Room_Ouest_264"
- id: 20
name: "Borne_Adh_Ouest_58"
- id: 21
name: "Room_Ouest_265"
- id: 22
name: "Not_used"
- id: 23
name: "Room_Ouest_158"
- id: 24
name: "Borne_Adh_Ouest_267"
# id: 25
# name: "Uplink_sw-ec-core"
- id: 26
name: "Not_used"
- id: 27
name: "Not_used"
- id: 28
name: "Not_used"
...

228
host_vars/sw-ec-2.yml
View file

@ -1,228 +0,0 @@
---
switch_vars:
name: sw-ec-2
location: Local de Brassage EdC
host: 10.130.4.12
port: 80
username: "{{ vault_switch.username }}"
password: "{{ vault_switch.password }}"
delete_vlans: []
vlans:
- id: 40
name: "Filaire_edc"
tagged: [49]
- id: 41
name: "Wifi_edc"
tagged: [49]
- id: 42
name: "Banni_edc"
tagged: [49]
- id: 43
name: "Accueil_edc"
tagged: [49]
- id: 110
name: "Adherents_ip_publiques"
tagged: [49]
- id: 111
name: "Serveurs_ip_publiques"
tagged: [49]
- id: 131
name: "Onduleurs"
tagged: [49]
- id: 144
name: "Bornes_wifi_edc"
tagged: [49]
ports:
- id: 1
name: "Room_edc_Aile_Principale_115"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 2
name: "Room_edc_Aile_Principale_103"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 3
name: "Room_edc_Aile_Principale_114"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 4
name: "Room_edc_Aile_Principale_102"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 5
name: "Room_edc_Aile_Principale_113"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 6
name: "Room_edc_Aile_Principale_101"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 7
name: "Room_edc_Aile_Principale_112"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 8
name: "Room_edc_Aile_Principale_100"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 9
name: "Room_edc_Aile_Principale_111"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 10
name: "Room_edc_Aile_Principale_215"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 11
name: "Room_edc_Aile_Principale_110"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 12
name: "Room_edc_Aile_Principale_214"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 13
name: "Room_edc_Aile_Principale_207"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 14
name: "Room_edc_Aile_Est_24"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 15
name: "Room_edc_Aile_Principale_206"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 16
name: "Room_edc_Aile_Est_25"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 17
name: "Room_edc_Aile_Principale_205"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 18
name: "Room_edc_Aile_Est_26"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 19
name: "Room_edc_Aile_Principale_204"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 20
name: "Room_edc_Aile_Est_27"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 21
name: "Room_edc_Aile_Principale_203"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 22
name: "Room_edc_Aile_Est_28"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 23
name: "Room_edc_Aile_Principale_202"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 24
name: "Room_edc_Aile_Est_29"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 25
name: "Room_edc_Aile_Principale_201"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 26
name: "Room_edc_Aile_Est_30"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 27
name: "Room_edc_Aile_Principale_200"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 28
name: "Room_edc_Aile_Est_31"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 29
name: "Room_edc_Aile_Est_20"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 30
name: "Room_edc_Aile_Est_32"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 31
name: "Room_edc_Aile_Est_21"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 32
name: "Room_edc_Aile_Est_33"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 33
name: "Room_edc_Aile_Est_22"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 34
name: "Room_edc_Aile_Est_34"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 35
name: "Room_edc_Aile_Est_23"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 36
name: "Room_edc_Aile_Est_120"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 37
name: "Room_edc_Aile_Principale_109"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 38
name: "Room_edc_Aile_Principale_213"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 39
name: "Room_edc_Aile_Principale_108"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 40
name: "Room_edc_Aile_Principale_212"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 41
name: "Room_edc_Aile_Principale_107"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 42
name: "Room_edc_Aile_Principale_211"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 43
name: "Room_edc_Aile_Principale_106"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 44
name: "Room_edc_Aile_Principale_210"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 45
name: "Room_edc_Aile_Principale_105"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 46
name: "Room_edc_Aile_Principale_209"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 47
name: "Room_edc_Aile_Principale_104"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 48
name: "Room_edc_Aile_Principale_208"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
...

220
host_vars/sw-ec-3.yml
View file

@ -1,220 +0,0 @@
---
switch_vars:
name: sw-ec-3
location: Local de Brassage EdC
host: 10.130.4.13
port: 80
username: "{{ vault_switch.username }}"
password: "{{ vault_switch.password }}"
delete_vlans: []
vlans:
- id: 40
name: "Filaire_edc"
tagged: [49]
- id: 41
name: "Wifi_edc"
tagged: [49]
- id: 42
name: "Banni_edc"
tagged: [49]
- id: 43
name: "Accueil_edc"
tagged: [49]
- id: 110
name: "Adherents_ip_publiques"
tagged: [49]
- id: 111
name: "Serveurs_ip_publiques"
tagged: [49]
- id: 131
name: "Onduleurs"
tagged: [49]
- id: 144
name: "Bornes_wifi_edc"
tagged: [49]
ports:
- id: 1
name: "Room_edc_Aile_Est_121"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 2
name: "Room_edc_Aile_Est_133"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 3
name: "Room_edc_Aile_Est_122"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 4
name: "Room_edc_Aile_Est_134"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 5
name: "Room_edc_Aile_Est_123"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 6
name: "Room_edc_Aile_Est_135"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 7
name: "Room_edc_Aile_Est_124"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 8
name: "Room_edc_Aile_Est_136"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 9
name: "Room_edc_Aile_Est_125"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 10
name: "Room_edc_Aile_Est_137"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 11
name: "Room_edc_Aile_Est_126"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 12
name: "Room_edc_Aile_Est_138"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 14
name: "Room_edc_Aile_Est_237"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 15
name: "Room_edc_Aile_Est_226"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 16
name: "Room_edc_Aile_Est_238"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 17
name: "Room_edc_Aile_Est_227"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 18
name: "Room_edc_Aile_Est_239"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 19
name: "Room_edc_Aile_Est_228"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 20
name: "Room_edc_Aile_Est_333"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 21
name: "Room_edc_Aile_Est_229"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 22
name: "Room_edc_Aile_Est_332"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 24
name: "Room_edc_Aile_Est_331"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 25
name: "Room_edc_Aile_Est_231"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 26
name: "Room_edc_Aile_Est_330"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 27
name: "Room_edc_Aile_Est_232"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 28
name: "Room_edc_Aile_Est_329"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 29
name: "Room_edc_Aile_Est_233"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 30
name: "Room_edc_Aile_Est_328"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 31
name: "Room_edc_Aile_Est_234"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 32
name: "Room_edc_Aile_Est_327"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 33
name: "Room_edc_Aile_Est_235"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 34
name: "Room_edc_Aile_Est_326"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 35
name: "Room_edc_Aile_Est_236"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 36
name: "Room_edc_Aile_Est_325"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 37
name: "Room_edc_Aile_Est_127"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 38
name: "Room_edc_Aile_Est_139"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 39
name: "Room_edc_Aile_Est_128"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 40
name: "Room_edc_Aile_Est_220"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 41
name: "Room_edc_Aile_Est_129"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 42
name: "Room_edc_Aile_Est_221"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 43
name: "Room_edc_Aile_Est_130"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 44
name: "Room_edc_Aile_Est_222"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 45
name: "Room_edc_Aile_Est_131"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 46
name: "Room_edc_Aile_Est_223"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 47
name: "Room_edc_Aile_Est_132"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 48
name: "Room_edc_Aile_Est_224"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
...

Some files were not shown because too many files have changed in this diff Show more