aurore/ansible
aurore/ansible
10
2
Fork 0
Code Issues 1 Pull requests 13 Releases Wiki Activity

Compare commits

base: aurore:new-infra
Branches Tags
aurore:new-infra
aurore:connection_aruba
aurore:switch_rest
aurore:zfs-backup
aurore:bird
aurore:dns
aurore:aruba
aurore:radius
aurore:on-en-a-litteralement-rien-a-foutre
aurore:radvd
aurore:keepalived
aurore:ifupdown2
aurore:master
aurore:dhcp
aurore:cleanup_no_ldap_for_servers
aurore:infra_router
aurore:ask_vault_pass
aurore:borgfix
aurore:auditd
aurore:prometheus_apt_pending_and_reboot
aurore:move_host_vars
aurore:prometheus-ipmi-exporter
aurore:fix-portail
aurore:crans
aurore:apt
aurore:remove_old_db_servers
aurore:rspamd
aurore:wireguard-ovh
aurore:pass
aurore:nullmailer
aurore:logs
aurore:mailserver
aurore:re2o-master
aurore:mail_server
..
compare: aurore:re2o-master
Branches Tags
aurore:new-infra
aurore:connection_aruba
aurore:switch_rest
aurore:zfs-backup
aurore:bird
aurore:dns
aurore:aruba
aurore:radius
aurore:on-en-a-litteralement-rien-a-foutre
aurore:radvd
aurore:keepalived
aurore:ifupdown2
aurore:master
aurore:dhcp
aurore:cleanup_no_ldap_for_servers
aurore:infra_router
aurore:ask_vault_pass
aurore:borgfix
aurore:auditd
aurore:prometheus_apt_pending_and_reboot
aurore:move_host_vars
aurore:prometheus-ipmi-exporter
aurore:fix-portail
aurore:crans
aurore:apt
aurore:remove_old_db_servers
aurore:rspamd
aurore:wireguard-ovh
aurore:pass
aurore:nullmailer
aurore:logs
aurore:mailserver
aurore:re2o-master
aurore:mail_server

1 commit
new-infra ... re2o-maste

Author SHA1 Message Date
Yohann D'ANELLO
5d59fdcd90
Re2o follows now master
Some checks failed
continuous-integration/drone/push Build is failing
Details 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-01-26 19:29:49 +01:00
509 changed files with 3699 additions and 101118 deletions
Show stats Expand all files Collapse all files

13
.ansible-lint
View file

@ -1,10 +1,7 @@
skip_list: skip_list:
- no-changed-when - '301'
- load-failure
- document-start
- meta-no-info
- ignore-errors
exclude_paths: warn_list:
- group_vars/all/vault.yml - '305' # Use shell only when shell functionality is required
- utils/ - '503' # Tasks that run when changed should likely be handlers
- experimental # all rules tagged as experimental

14
.drone.yml
View file

@ -4,8 +4,16 @@ type: docker
name: check name: check
steps: steps:
- name: ansible and yaml linting - name: yamllint
image: quay.io/ansible/toolset:3.5.0 image: python:3.9-alpine
commands: commands:
- ansible-lint - pip install yamllint==1.25.0
- yamllint -c .yamllint.yml .
- name: ansible-lint
image: python:3.9-alpine
commands:
- apk add --no-cache gcc libc-dev libffi-dev openssl-dev
- pip install ansible-lint==4.3.7
- ansible-lint *.yml
... ...

1
.gitignore vendored
View file

@ -1,4 +1,3 @@
*.retry *.retry
tmp tmp
ldap-password.txt ldap-password.txt
__pycache__/

19
.gitlab-ci.yml Normal file
View file

@ -0,0 +1,19 @@
---
image: python:3.9-alpine
stages:
- lint
yamllint:
stage: lint
script:
- pip install yamllint==1.25.0
- yamllint -c .yamllint.yml .
ansible-lint:
stage: lint
script:
- apk add gcc libc-dev libffi-dev openssl-dev
- pip install ansible-lint==4.3.7
- ansible-lint *.yml
...

3
.yamllint.yml
View file

@ -6,5 +6,6 @@ rules:
max: 120 max: 120
level: warning level: warning
document-start: document-start:
ignore: group_vars/all/vault.yml ignore: |
/groups_var/all/vault.yml
... ...

221
README.md
View file

@ -1,8 +1,7 @@
# Recettes Ansible d'Aurore # Recettes Ansible d'Aurore
Dépendances requises : Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore.
Pour les utiliser, vérifiez que vous avez au moins Ansible 2.7.
* Ansible 2.9 ou plus récent.
## Ansible 101 ## Ansible 101
@ -13,9 +12,8 @@ Il contient la définition de chaque machine et le regroupement.
Quand on regroupe avec un `:children` en réalité on groupe des groupes. Quand on regroupe avec un `:children` en réalité on groupe des groupes.
Chaque machine est annoncée avec son hostname. Il faut pouvoir SSH sur cette Chaque machine est annoncée avec son hostname. Il faut pouvoir SSH sur cette machine
machine avec ce hostname, car c'est ce qu'Ansible fera (sauf pour les switchs, avec ce hostname, car c'est ce qu'Ansible fera.
voir plus bas).
**Playbook** : c'est une politique de déploiement. **Playbook** : c'est une politique de déploiement.
Il contient les associations des rôles avec les machines. Il contient les associations des rôles avec les machines.
@ -36,42 +34,31 @@ déployer un serveur prometheus, déployer une node prometheus…
**Tâche** : un rôle est composé de tâches. Une tâche effectue une et une seule **Tâche** : un rôle est composé de tâches. Une tâche effectue une et une seule
action. Elle est associée à un module Ansible. action. Elle est associée à un module Ansible.
*Exemples de tâche* : installer un paquet avec le module `apt`, ajouter une *Exemples de tâche* : installer un paquet avec le module `apt`, ajouter une ligne dans
ligne dans un fichier avec le module `lineinfile`, copier une template avec le un fichier avec le module `lineinfile`, copier une template avec le module `template`
module `template`
Une tâche peut avoir des paramètres supplémentaires pour la réessayer quand Une tâche peut avoir des paramètres supplémentaires pour la réessayer quand elle plante,
elle plante, récupérer son résultat dans une variable, mettre une boucle récupérer son résultat dans une varible, mettre une boucle dessus, mettre des conditions…
dessus, mettre des conditions…
N'oubliez pas d'aller lire l'excellente documentation de RedHat sur tous les modules N'oubliez pas d'aller lire l'excellent documentation de RedHat sur tous les modules
d'Ansible ! d'Ansible !
### Gestion des groupes de machines ### Gestion des groupes de machines
Pour la liste complète, je vous invite à lire le fichier `hosts`. Pour la liste complète, je vous invite à lire le fichier `hosts`.
Exemple : * pour tester les versions de Debian,
```yaml ```YAML
[fleming_vm] ansible_lsb.codename == 'stretch'
dhcp-fleming.adm.auro.re ```
dns-fleming.adm.auro.re
prometheus-fleming.adm.auro.re
routeur-fleming.adm.auro.re
[fleming_pve] * pour tester si c'est un CPU Intel x86_64,
pve1.adm.auro.re
[fleming:children] ```YAML
fleming_pve ansible_processor[0].find('Intel') != -1
fleming_vm and ansible_architecture == 'x86_64'
``` ```
> NB :
>
> L'exemple a été adapté de la configuration d'Aurore pour des raisons
> pédagogiques.
Pour les fonctions (`proxy-server`, `dhcp-dynamique`…) il a été choisi Pour les fonctions (`proxy-server`, `dhcp-dynamique`…) il a été choisi
de ne pas faire de groupe particulier mais plutôt de sélectionner/enlever de ne pas faire de groupe particulier mais plutôt de sélectionner/enlever
@ -84,46 +71,27 @@ qui peuvent ensuite être utilisés dans des variables.
Pour lister tous les faits qu'Ansible collecte nativement d'un serveur Pour lister tous les faits qu'Ansible collecte nativement d'un serveur
on peut exécuter le module `setup` manuellement. on peut exécuter le module `setup` manuellement.
```bash ```
ansible proxy.adm.auro.re -m setup --ask-vault-pass ansible proxy.adm.auro.re -m setup --ask-vault-pass
``` ```
Il est notamment possible de :
* tester les versions de Debian,
```YAML
ansible_lsb.codename == 'stretch'
```
* tester si c'est un CPU Intel x86_64,
```YAML
ansible_processor[0].find('Intel') != -1
and ansible_architecture == 'x86_64'
```
## Exécution d'Ansible ## Exécution d'Ansible
### Configurer la connexion au vlan adm ### Configurer la connexion au vlan adm
Envoyer son agent SSH peut être dangereux Envoyer son agent SSH peut être dangereux
([source](https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)). ([source](https://heipei.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)).
On va utiliser plutôt `ProxyJump`. On va utiliser plutôt `ProxyJump`.
Dans la configuration SSH : Dans la configuration SSH :
```text ```
Host *.adm.auro.re *.pve.auro.re # Use a proxy jump server to log on all Aurore inventory
# Accept new host keys Host 10.128.0.* *.adm.auro.re
StrictHostKeyChecking accept-new
# Use passerelle to connect to administration VLANs
ProxyJump passerelle.auro.re ProxyJump passerelle.auro.re
``` ```
Il faut sa clé SSH configurée sur le serveur que l'on déploie. Il faut sa clé SSH configurée sur le serveur que l'on déploit.
```bash ```bash
ssh-copy-id proxy.adm.auro.re ssh-copy-id proxy.adm.auro.re
``` ```
@ -133,7 +101,6 @@ ssh-copy-id proxy.adm.auro.re
Il faut `python3-netaddr` sur sa machine. Il faut `python3-netaddr` sur sa machine.
Pour tester le playbook `base.yml` : Pour tester le playbook `base.yml` :
```bash ```bash
ansible-playbook --ask-vault-pass base.yml --check ansible-playbook --ask-vault-pass base.yml --check
``` ```
@ -143,7 +110,7 @@ Vous pouvez ensuite enlever `--check` si vous voulez appliquer les changements !
Si vous avez des soucis de fingerprint ECDSA, vous pouvez ignorer une Si vous avez des soucis de fingerprint ECDSA, vous pouvez ignorer une
première fois (dangereux !) : `ANSIBLE_HOST_KEY_CHECKING=0 ansible-playbook...`. première fois (dangereux !) : `ANSIBLE_HOST_KEY_CHECKING=0 ansible-playbook...`.
### Ajouter toutes les empreintes de serveur ### Ajouter tous les empruntes de serveur
```bash ```bash
#!/bin/bash #!/bin/bash
@ -152,10 +119,6 @@ for ip in `cat hosts|grep .adm.auro.re`; do
done done
``` ```
> Remarque :
>
> L'utilisation d'un certificat permet d'éviter d'avoir à ajouter sa clé ssh
> sur les serveurs.
### Passage à Ansible 2.10 (release: 30 juillet) ### Passage à Ansible 2.10 (release: 30 juillet)
@ -167,141 +130,11 @@ ansible-galaxy collection install community.general
ansible-galaxy collection install ansible.posix ansible-galaxy collection install ansible.posix
``` ```
Si vous n'arrivez pas à entrer votre *become password* (bug dans ansible?), un
Si vous n'arrivez pas à entrer votre _become password_ (bug dans ansible?), un
workaround est le suivant : workaround est le suivant :
`$ export ANSIBLE_BECOME_PASS='<votre mot de passe LDAP>'` `$ export ANSIBLE_BECOME_PASS='<votre mot de passe LDAP>'`
Notez l'espace au début pour ne pas log la commande dans votre historique Notez l'espace au début pour ne pas log la commande dans votre historique
shell. shell.
## Configuration des switchs depuis Ansible
Afin d'acquérir de l'indépendance vis-à-vis de re2o, un module permettant de
configurer les switchs depuis Ansible a été créé. Il utilise l'api rest des
switchs afin de récupérer et appliquer la configuration voulue.
### Prérequis
Pour utiliser le module, il faut d'abord annoncer à Ansible qu'il ne faut pas
effectuer de connexion ssh et de ne pas récupérer les faits. Cela se fait à
l'aide des variables `connection: httpapi` et `gather_facts: false` à placer
dans le playbook (pour une configuration locale) ou dans ansible.cfg (pour une
configuration globale). Ensuite, l'infrastructure actuelle de Aurore nécessite
l'utilisation d'un proxy. Pour cela, il suffit d'exécuter la commande :
```bash
ssh -D 3000 switchs-manager.adm.auro.re
```
et d'annoncer l'utilisation du proxy dans la configuration en exportant la
variable d'environnement `HTTP_PROXY=socks5://localhost:3000` et en
configurant la variable du module `use_proxy: true`.
Exemple :
```yaml
environment:
HTTP_PROXY: "socks5://localhost:3000"
tasks:
- name: vlans
switch_config:
username: ****
password: ****
port: 80
host: 192.168.1.42
use_proxy: true
config:
path: vlans/42
data:
name: VLAN42
vlan_id: 42
status: VS_PORT_BASED
type: VT_STATIC
```
Le module est alors utilisable, il ne reste plus qu'à le configurer.
### Écrire la configuration
Le module se veut assez libre. Ainsi, l'ensemble de la requête doit être écrite
dans les `tasks`. Voici un exemple pour configurer un vlan :
```yaml
tasks:
- name: vlans
switch_config:
username: ****
password: ****
port: 80
host: 192.168.1.42
config:
path: vlans/42
data:
name: VLAN42
vlan_id: 42
status: VS_PORT_BASED
type: VT_STATIC
```
Le `path` correspond à l'url de l'objet que l'on souhaite éditer et `data`
correspond aux données qui seront envoyées dans une requête `PUT` (au format
`json`). Cependant, la configuration d'un vlan peut nécessiter de le créer.
Pour remédier à ce problème, il est possible d'utiliser la syntaxe suivante :
```yaml
tasks:
- name: vlans
switch_config:
username: ****
password: ****
port: 80
host: 192.168.1.42
config:
path: vlans
create_method: POST
subpath:
- path: 42
data:
name: VLAN42
vlan_id: 42
status: VS_PORT_BASED
type: VT_STATIC
```
Le variable `create_method` correspond au type de la requête pour effectuer une
action de création de l'objet. Il s'agit généralement de `POST`. Dans le cas
où la variable n'est pas définit, la création sera désactivée et ainsi, si
l'url indiquée dans les `subpath` n'existe pas, alors la configuration échouera.
Par conséquent, si le vlan 42 a besoin d'être créé, une requête `POST` sera
effectué sur l'url `vlans` avec les données dans `data`.
Il est également possible d'éxecuter une action de suppression d'un vlan à l'aide
de la variable `delete` :
```yaml
tasks:
- name: vlans
switch_config:
username: ****
password: ****
port: 80
host: 192.168.1.42
config:
path: vlans/42
delete: true
```
Si la variable `delete` est activée, alors une requête `DELETE` sera envoyée
sur l'url indiquée. Pour vérifier si la suppression est déjà effective avant
l'éxecution, le module vérifiera si un `GET` sur l'url retourne une 404.
> Remarque :
>
> Si les variables `delete` et `data` sont définies (dont `delete` à `true`),
> alors il en résultera une action de suppression malgré tout.
Puisque `subpath` est une liste, il est possible de configurer plusieurs requête
en même temps. Cela à l'avantage d'effectuer toutes les modifications à la suite
(sans avoir à se connecter plusieurs sur l'api).

18
all.yml
View file

@ -1,18 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- import_playbook: playbooks/base.yml
- import_playbook: playbooks/root.yml
- import_playbook: playbooks/ssh.yml
- import_playbook: playbooks/chronyd.yml
- import_playbook: playbooks/kresd.yml
- import_playbook: playbooks/knotd.yml
- import_playbook: playbooks/resolvconf.yml
- import_playbook: playbooks/ifupdown2.yml
- import_playbook: playbooks/systemd_link.yml
- import_playbook: playbooks/keepalived.yml
- import_playbook: playbooks/ip_forward.yml
- import_playbook: playbooks/dhcpd.yml
- import_playbook: playbooks/bird.yml
- import_playbook: playbooks/pve.yml
- import_playbook: playbooks/prometheus.yml
...

36
ansible.cfg
View file

@ -1,22 +1,38 @@
[defaults] # Ansible configuration
jinja2_native = true
ask_vault_pass = True [defaults]
roles_path = ./roles
# Do not create .retry files
retry_files_enabled = False retry_files_enabled = False
# Use inventory
inventory = ./hosts inventory = ./hosts
stdout_callback = debug
library = ./library # Custom header in templates
filter_plugins = ./filter_plugins ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S by {uid}
ansible_managed = Ansible managed
# Do not use cows (with cowsay)
nocows = 1 nocows = 1
# Do more parallelism
forks = 15 forks = 15
# Some SSH connection will take time
timeout = 60 timeout = 60
remote_user = root
[privilege_escalation]
# Use sudo to get priviledge access
become = True
# Ask for password
become_ask_pass = True
[diff] [diff]
# TO know what changed
always = yes always = yes
[ssh_connection] [ssh_connection]
pipelining = True pipelining = True
retries = 3

17
base.yml Executable file
View file

@ -0,0 +1,17 @@
#!/usr/bin/env ansible-playbook
---
# Put a common configuration on all servers
- hosts: all,!unifi
roles:
- baseconfig
- basesecurity
# Plug LDAP on all servers
- hosts: all,!unifi
roles:
- ldap_client
# Install logrotate
- hosts: all,!unifi,!pve
roles:
- logrotate

20
copy-keys.sh Executable file
View file

@ -0,0 +1,20 @@
#!/bin/bash
set -e
# Grab valid unique hostnames from the Ansible inventory.
HOSTS=$(grep -ve '^[#\[]' hosts \
| grep -F adm.auro.re \
| sort -u)
# Ask password
read -s -p "Hello adventurer, what is your LDAP password? " passwd
echo
for host in $HOSTS; do
echo "[+] Handling host $host"
# sshpass can be used for non-interactive password authentication.
# place your password in ldap-password.txt.
SSHPASS=${passwd} sshpass -v -e ssh-copy-id -i ~/.ssh/id_rsa "$host"
done

16
filter_plugins/enquote.py
View file

@ -1,16 +0,0 @@
class FilterModule:
def filters(self):
return {
"enquote": enquote,
}
def enquote(string, delimiter='"', escape="\\"):
translation = str.maketrans(
{
delimiter: f"{escape}{delimiter}",
escape: f"{escape}{escape}",
}
)
escaped = string.translate(translation)
return f"{delimiter}{escaped}{delimiter}"

9
filter_plugins/format_rev.py
View file

@ -1,9 +0,0 @@
class FilterModule:
def filters(self):
return {
"format_rev": format_rev,
}
def format_rev(text, fmt, *args, **kwargs):
return fmt.format(text, *args, **kwargs)

68
filter_plugins/net_utils.py
View file

@ -1,68 +0,0 @@
import ipaddress
from operator import attrgetter
import dns.name
class FilterModule:
def filters(self):
return {
"add_origin": add_origin,
"add_origin_keys": add_origin_keys,
"ip_filter": ip_filter,
"remove_domain_suffix": remove_domain_suffix,
"ipaddr_sort": ipaddr_sort,
}
def first_addr(addresses, ipv4 = True):
version = ipaddress.IPv4Address if ipv4 else ipaddress.IPv6Address
for addr in addresses:
parsed = ipaddress.ip_address(xx)
if isinstance(parsed, version):
return parsed
raise ValueError("missing address")
def ip_filter(addresses, networks):
if isinstance(addresses, dict):
return {k: ip_filter(v, networks) for k, v in addresses.items()}
ip_networks = [ipaddress.ip_network(n) for n in networks]
ip_addresses = [ipaddress.ip_address(a) for a in addresses]
return [str(a) for a in ip_addresses if any(a in n for n in ip_networks)]
def add_origin(name, origin="."):
return dns.name.from_text(name, dns.name.from_text(origin)).to_text()
def add_origin_keys(dct, origin="."):
return {add_origin(k, origin): v for k, v in dct.items()}
def remove_domain_suffix(name):
parent = dns.name.from_text(name).parent()
return parent.to_text()
def ipaddr_sort(addrs, types, unknown_after=True):
check_types = {
"global": attrgetter("is_global"),
"link-local": attrgetter("is_link_local"),
"loopback": attrgetter("is_loopback"),
"multicast": attrgetter("is_multicast"),
"private": attrgetter("is_private"),
"reserved": attrgetter("is_reserved"),
"site_local": attrgetter("is_site_local"),
"unspecified": attrgetter("is_unspecified"),
}
def addr_weight(addr):
if isinstance(addr, str):
addr = ipaddress.ip_address(addr.split("/")[0])
for index, ty in enumerate(types):
if check_types[ty](ipaddress.ip_address(addr)):
return index
return len(types) if unknown_after else -1
return sorted(addrs, key=addr_weight)

9
filter_plugins/suffix.py
View file

@ -1,9 +0,0 @@
class FilterModule:
def filters(self):
return {
"suffix": suffix,
}
def suffix(value, suffix):
return value + suffix

38
filter_plugins/switch_range.py
View file

@ -1,38 +0,0 @@
#!/usr/bin/python
class FilterModule(object):
def filters(self):
return {
'range2list': self.range2list,
}
def range2list(self, port_range):
"""
Convert a range into list
Exemple:
```
>>> FilterModule.range2list("1-10,42")
[1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 42]
````
"""
port_range = port_range.replace(" ", "").split(",")
ports = []
for r in port_range:
if "-" in r:
try:
a, b = r.split("-")
except:
raise Exception("A range must contain 2 values")
try:
a = int(a)
b = int(b)
except:
raise TypeError("A range must contain integer")
for n in range(a, b+1):
ports.append(n)
else:
try:
ports.append(int(r))
except:
raise TypeError("Value must be integer")
return list(set(ports))

61
flake.lock
View file

@ -1,61 +0,0 @@
{
"nodes": {
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1756770412,
"narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "4524271976b625a4a605beefd893f270620fd751",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1757020766,
"narHash": "sha256-PLoSjHRa2bUbi1x9HoXgTx2AiuzNXs54c8omhadyvp0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fe83bbdde2ccdc2cb9573aa846abe8363f79a97a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1754788789,
"narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"root": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

27
flake.nix
View file

@ -1,27 +0,0 @@
{
description = "Ansible Aurore";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
flake-parts.url = "github:hercules-ci/flake-parts";
};
outputs =
inputs@{
self,
nixpkgs,
flake-parts,
...
}:
flake-parts.lib.mkFlake { inherit inputs; } {
systems = [ "x86_64-linux" ];
perSystem =
{ config, pkgs, ... }:
{
devShells = {
default = pkgs.callPackage ./shell.nix {};
};
};
};
}

4
group_vars/all/bird.yml
View file

@ -1,4 +0,0 @@
---
bird__as:
aurore: 43619
...

5
group_vars/all/chronyd.yml
View file

@ -1,5 +0,0 @@
---
chronyd__pools:
- ntp-1.int.infra.auro.re
- ntp-2.int.infra.auro.re
...

24
group_vars/all/ifupdown2.yml
View file

@ -1,24 +0,0 @@
---
ifupdown2__wireguard_proto: wireguard
ifupdown2__gateways:
adm:
- 2a09:6840:128::254
- 10.128.0.254
int:
- 2a09:6840:206::1
- 10.206.0.1
ext:
- 2a09:6840:211::1
- 10.211.0.1
monit:
- 2a09:6840:204::1
- 10.204.0.1
isp:
- 2a09:6840:210::1
- 10.210.0.1
pub:
- 2a09:6840:215::1
- 45.66.111.204
ovh:
- 92.222.211.254
...

10
group_vars/all/openssh.yml
View file

@ -1,10 +0,0 @@
---
openssh__users_ca_public_key:
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
hBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXW\
F1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg=="
openssh__authorized_principals:
- any
- "{{ inventory_hostname }}"
...

3
group_vars/all/prometheus.yml
View file

@ -1,3 +0,0 @@
---
prometheus_node__text_dir: /var/run/prometheus-node-exporter
...

13
group_vars/all/resolvconf.yml
View file

@ -1,13 +0,0 @@
---
resolvconf__nameservers:
- 2a09:6840:206::1:1
- 2a09:6840:206::1:2
- 10.206.1.1
- 10.206.1.2
resolvconf__domain: auro.re.
resolvconf__search:
- "{{ inventory_hostname | remove_domain_suffix }}"
- auro.re.
...

5
group_vars/all/root.yml
View file

@ -1,5 +0,0 @@
---
root__shell: /bin/bash
root__password: "{{ vault_root_password }}"
...

25
group_vars/all/vars.yml
View file

@ -17,7 +17,9 @@ ldap_admin_password: "{{ vault_ldap_admin_password }}"
ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}" ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}"
# Databases # Databases
postgresql_services_url: 'bdd-ovh.adm.auro.re' postgresql_services_url: 'services-bdd.adm.auro.re'
postgresql_synapse_passwd: "{{ vault_postgresql_synapse_passwd }}"
postgresql_codimd_passwd: "{{ vault_postgresql_codimd_passwd }}"
# Scripts will tell users to go there to manage their account # Scripts will tell users to go there to manage their account
intranet_url: 'https://re2o.auro.re/' intranet_url: 'https://re2o.auro.re/'
@ -87,24 +89,3 @@ apartment_block_dhcp: "{{ apartment_block }}"
ipv6_base_prefix: "2a09:6840" ipv6_base_prefix: "2a09:6840"
is_aurore_host: "{{ 'aurore_vm' in group_names }}" is_aurore_host: "{{ 'aurore_vm' in group_names }}"
# Borgbackup
borg_keep_daily: 7
borg_keep_weekly: 4
borg_keep_monthly: 12
borg_backup_directories:
- /etc
- /var
borg_backup_exclude:
- /var/log
- /var/lib/docker
- /var/lib/lxcfs
borg_encryption_passphrase: "{{ vault_borg_encryption_passphrase }}"
borg_server_host: 10.128.0.4
rsyslog_outputs:
- proto: relp
address: 10.128.0.241
port: 20514
...

469
group_vars/all/vault.yml
View file

@ -1,297 +1,174 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
35353866373931343963333639323431636465303562306166333735383462353032323461613232 34336231623938346631313932323131336439623837626366646338396137633436646365386639
3666653438393936356535633661363838613233323932370a656439316234356339613532663237 6332383765386235396331373836366230663563376665380a616436373136633933376435653230
39373439366432363533303961396466623366323339383735316531653538633264393264353337 64333963663436393265666434653164643164616134353665306462326666623530383838343135
3937323861616530640a666361323164353338306336616564663466616630393839613833373933 3531343533656332350a343432336636316131386132306238653736633966363235623833343638
65613161323164613334656631333336343262363835323962343662333133366561306139636261 38643061383963396466346536343061653034333037393664356661376565643765306462626231
61656532666563333063356231636565626631633436623531313938663930396362343031356534 39326233363962373839303464333833306532343834306232653731326135653934643836323639
34303565623832366664303561643137626433333164623730623639656439346639616164623865 36343937626536346331613263663865346634666534646266623061303639626636393230616261
31613462316439613937313138313830323334373337366630323331393537633437303063353363 32336366356439353738633234326138656464656630303362623664616634306230623538373965
66383930353930616137303436383864363439326139643361356231373939306439633332666232 32346439306337623737616666353830626630373562366436653131393532313035303836326430
38363061636139346430373263613932336361356262656138663233386464373839366630303765 64613235646366616533313065396663366434363832333535336631323366336437396664303834
35343064336533373238396430393536366438653534366565373733313962616364313061626133 30336466313064636565326564356435306136396363373464326534303366323262303732626661
37666538313038643865346461626537353930366264643162376530353536623863656236303433 38326663313332633530353739346538343434316133343066313530366637376135323564306537
31336561336131383635393238366464653934613130363831306335643935373033303162353534 65626261303231656432333364333965663065346436626631666466643934623064333163626339
38353832653664633061646331653634393963333038306635313464636136616366313962333431 32633565303734303862326365336339346133393431636266303530626564326361653230626536
39363934643266646131653236303138636163326663373765373761663062656463643162373038 32313231373037633134623761663832393666353732613965613436323939343233613433343538
34656163633964626235366539663132396666623363303632363236303831613532393931373761 37326438383130303861316663396333376662386337353964633930353536653437653061356635
65613435353162346233323533383537316231363437653239343233636533333966613066343932 35646232343535313130646237643835376162623639333961323964353830653366626438346237
30626636306531333736613965396432373130356238313136336434356133353435643065626261 36343663346332656537363434396633336161373730663364306239306432343930643230656465
32633732613361376261363831363866333332393132643439626639383438663438366330386534 37633537616232656661313764626232303535383563353861396431643735326162383866626231
31303532323461303862346364386532663839323163653366356136666131363839663635343166 61383165613332666537656137636430323332326335323763303537386662646263353539613964
38353962326430383561333630623030623536353838633231393763393238316530363939343536 37323966306364306436653033393931663239383435613836356164633135306233356364313036
66323562336334376234613436373237303562363831323038366232393161356262653864663037 39356661613434633930633066646437636535313565356366303732613731333062643231313035
34363436356332633363363963613635346337613438326436333836386534353738646166643333 65333461396131663764626665393562623030343561313136363964393664376136303839333664
65356637366431326132363432663662346638383439383766646531363662356266313961356239 65313465623331333538393734373264313562643232666130303930333662616465656432363039
31323236393538363662643662643535623633663738343266636163363835383030646661363966 66616530336666343861336434633063343561323931323931346132376263376565313366306639
36366466386666613364313166353366333131343061353135306135656663323461303338346666 64646465303432333136353661323936633965666364356633653861363139616562653834313861
32626231613738316233636361633337343635656334336536663865633465326639373966303137 63306133613066373462383236613939316130623937643939323134343936356638376335323836
39383731303862353637386438306136303765333136653465663963663930383037343130316466 39383334656236633037633230313138326238303863623231353465346661663162623138353461
33343932383033643530323136316632386230366338373362366462666233336530393561353933 33343738613137366364633730346261366564646161373837613865393233663431636361663962
36356330386361303562666339306265663539616434336264373832636139313365633065343763 38313230363737306265636435353533666262333666383639343364633464396566333433333538
31323633346536366635646562356266373964616338366165376331306561663938396661396164 39643934646537653234336361613664333434623739353831316531313666396638333136343638
31363438326439343964666439356339326661666136303461343436303533363630353735633038 33653034366362363562633462303165626333306664326366353334363964663936616430643662
38383365363739333034373031326530353962646661343039616230396132323833626162643964 30616334326638323133366632663237356238353934323361376237613632396134663536336364
65363165333233643738373638353537343162366265316661353563353862623134663362633261 39363439326335363437373939353564646663616464663763353931323233316135656634343137
32343364333236363738333130316538666536306664363661616536336264363438396464666533 34396130386134386331643534353461663963323435656337653032376565313635623231343135
37616533363936356335663562366563303564623530303762363034343435326666356162316535 34303130316239303065386134663332393938636332363665643832326439653733633231346537
61363133326263653937373037643930343565336166643939663466316232313535333965303737 63383634333034323434376237663932613638363835393837613632663265616363303233653539
35313566353963616632313763366561633039626239353236323438383261663066323334333632 61333765313463616665613136303533343230303735626437343635303934613365326166333966
62393265396235636461653862383830613634393431396131323439613362366463633239383761 66613538393466666630363333643730653239393435616634303430396635383631613439623433
39343361663463633332666666346339363334366330393936373433353034653765323130383335 36646431393865666162373232343335356366366633633264326639643434396234313863333163
63336338653333356438323264356162316638336338343033326639303237656663633233383735 63396534623931633833656565396635333133376165613031663831633564663061656131303564
34646535633831636238316564373035353635383738356133326664626566623766366535333439 61303132666264636139313738643161313134643733633366376538366135663135333333333564
30326437613539373163323464323635316632633930353931303466376661396135623031623133 64366262353837363061653663616265393264373230346330636465336439623063636639356136
33653735336230666665616638353561623235343439666135386165313436306666643837616166 65383638643961326661396336373163643832366561363764626461623662333436373136616437
37613964663837373137383736393063333037366433643632333963623038623636653639343936 30316537653432356133616338353165633462643634323563306366343965326635363863316232
32383532613430623563623565633665663030616530643735653563303035616530313463643431 61633135643861333635383464383937306236626632366235363433313335663431366531356337
31663361383835613631336638343338373639613532313561313231353765316237653431663462 37303465323638383930336138356665343966336137356137656564303733373565366162343330
65366162326630656566663731316262336536303032386336666263326265316564336339316430 38326366653733376138356339313564616165626235356363343430353239616339656239323964
31643066633438663562343730393534663338613165633635356333323635653161346136336261 31643734653263653461333135386261646265323134633334376262323330396634643764323635
30313332383065633335396131656136613932346331343632386235643764363235376531376437 30336262323035613338333166353364333836623865393132613338393237363734616330366463
61303130316537633830366662366237303934306561333134366463646464386530623631346264 64646163303337323531636532383438356237306337656439663565643032633462316366663164
30356536613932613264643835356637356364653038383130366237656232333031313163643332 33613039326337353531303831313136653539353261373930613030383134653261363833653439
34393865323162613936613264313864613734373032386266653432616535636464363463633564 31343662623035393238646263633066653362323434306137633339393330376462356139333362
37343661623935353365333831623631386439343237383933313337393065653934303065313634 35363436356530363134663064653031376561343732346262383333353733363136396262643135
61396163323937643837643636343337343231616265643765313932346462373735323737326663 31326566303535343833326562376464643632363434323839366366626134303830323563633237
66316135646663376537613663373432393865623038363239356265303362326161366462356138 37313964353033316163303738636632346137353437333463303135323631383132623133663130
65336536626634366363623865656234363335343662333134613835393635623434393036316638 32373163393861366137303138363134653534613236636439623731393837306130626638343134
35366431653463626665663861303333363038666131643861646465663761623364333162343761 39313532386338343662333134353761653162663665396664366239633536613132313735373334
64396131643136323634643461656339616361323030626166303930623838343438393465653364 37613161383633653861376433633632333163653439633938386137313632396137616337373465
66633037616633316534386639306438363863363530376131363332353536656533393161313931 65383238396439666537313833663364333731613434333739393161363437306665363834653761
34386636643737353738323265363435636239353261373466383430346461383932323634346466 34303464386633633163353636643964393233383232623765373239376633393139326630653765
33666436343130643032626562613165396334323937353663376162643266646539353932313137 62646439646534376234323661383063656463313437323231333165626163626262626562376338
62336162646535346631623332376334336538326530356233646239306337633365373562653166 62646362346261313738323830613037663035666361386139666432613230346334323063326239
32383639353431666137396631663237313436393434626531316365666335306466363639626663 65303065343061613736343663363630336333623439383032313137616131623933323636306331
63643861656537306133343138633535323737346538643063363330383366313362653933383365 34636130626338303039356137353532346562363531623936316162336663306437386532363236
34313230663163303730326361303337373136346161353132626362623461343661663964333765 36333661316161613237343032623764396435346632363963643438316430666539393566353939
37353165333762346539333730333731366532623531343962333037336464666530396437353666 33333234313839636537366465356364303438313830663261373563346538626432313139303030
62313035323234643236343534663434356264643830636433323831313364663762646130306362 33333066626463663663643833323764643737386162663766356665643064313263376434353038
32316530643230313230376662383439343639343336633431623135626134353134383030396264 37643630643737663566653562353261333734636262626437393239383063613661643166626630
38623933356332336231343434663563653332633237653966663964646232623637313231366638 31313564346239396561326162333534376264616435313762623032636432363832383630343964
30363966373362363432376562656436356338356561303133643432303736376234643632663137 30343663643935633465393465626131633931623930653962303830333065363435383237653566
34336630356362303132343737376637303939623133363663306133383465613263356632383030 65646632376330306437663334313932653230653562356338663366616463303466366263366137
61346138316538353638343833366261366534353963326162303866393430333964653333346539 64633934626339633235386630396561376130373763313137386531356637633863393035306634
64386161663435646331613834363336373738396338653263323937623163663236366636343239 65353432323235363135633832373032623837376333346131303162303464616234313062316563
36383135343763636139393331663139323431376562353165353662396165653235633464363035 64646634633963663032613533636665333335656539323238623362306363313835626632306236
31393233636561366639373566623738636537363235666234633534376238323163363238393237 30663637356463363530316434316639326639633539333335633330333834643035353932313638
64316132666530336135353434623866363739643830646463656536336136646334393064303630 64356565653065666131373538356462306633343161376537323762313666373235353236313963
65343964613265333934306432313739633134663131666433386630303132663866343532363835 65613561633266306632616538616461626532666435663038646138386430376164663766363138
38353237343630653561636365656561313636623065363836333663363934643162656534623864 35316262393065653739323035666531333330326235386133383834383865356635666537333533
62373763353961646235613465646630306562386531396364386164633065643763396437316466 31376138353231313262646334386566376264323066373934666363313431643738383064666437
32376564616562656136346563383266303963666136663863626137653462373430363363336364 36656437313039656666373530346534393735353163646635663839326366643333393665626464
35333133303463363663356365626365613036633835323334653264626637353634373665643036 36616637303631653661373433653865323634363065303433386534363064356564636465366265
65663736323235353964326466376163313630323265333631323866663137313665626238396130 31333064383233636538393032376234663663353162343530376631356533653231303730396465
64653832626639626633376231326534303530373937396235366239626639356234363238633336 33366162376464633633313664303939306330613865663431653037303061633130626635653638
34343064393334613732356332633361613633643039366537623465303739663635626365656631 66626264363333376463386666313663333964333137333231303361616533393236373861656534
64343936613536636438313232376564376539623261623539346564303036303131366561643564 32326335306566623332396638383133353434363565316432353963353062313662326361336537
61623630393032666636366338336266656264353631393061383162323766616530323734326134 34396632656234333263663831326566353434316234613365316132363730643665373761666562
31623962373435323730323830373239363738663164653338623836386636626337623739366566 31393565653663653731633333633730326265376135666162656132623238333765333363653130
61663835623038626266653062666264663639363763623139393862633061356164323530666665 61353632313532616266363139336162336565356365316531336364623930636430353831623233
31623538333264633735643839376433653934383663333130336133653235313631336163343134 61616131313438306633333066613764313161333934316139633738623164623564646365663566
33653533613430323834653730326661323462316338636338393063653866316335626633323137 66356464376133363137313036623930373362306166623838373131313330393837396261656561
32653262353964653131343430383661643231383135643332616462343231323266333430373061 66396233313530643164353264656563383632363139333262626532376562613630643437666266
62623136393239356166393964323830623239613434636361633365353862646130373865643136 66656335656634613138316138643666623430363833663035616138336461303035633731636262
66346336363866393762353633353638663433363332356131626639326166393234313765346138 36393939333765346239666433323032323361343934656463396365333366623337316663396263
64613431333139376139343234666664313236633031393938663431376336643133323964303938 36616431626633663963636135643833666234613830366434636532373031343263316436306162
64616536613462306363613639613132383361393535333362363630393230636532316634373231 39356365376561643665323866656465313434623138326238353662653735613565623264333336
63313839323263663237373937323361373533616465643830396666376661616631646561663130 61393763363862613766653064636130323732663466366133666361636339356464313037353462
66376266363338666133313263653733646365653034653538333332623861323833633033393234 63633936653235656538383433393065393162643034393538666433616131343462346235393164
39633834343231663166376333633635366261616561643363393137383736303436383339633734 39353663373338626665663563663162633430343330373430376336326432346233663365376533
30623939343939373038656461333464353033313632643138393334373565383331326430653263 32656465343538643137326366653232343530363834383831386634366262303333636261353863
66343630396135633636366337353061363730333364376664623234333434356661323935626633 32633437343432653936643766363338636535613532323362656435613363393238626466303861
63336465343661393636333663306361386432373235313337353361333735373436633832633439 38633861333638613466306338613932353964393365356637306261626535323732316362623731
30653766373230383364396638366237643932633364663639643661393438653339393031616338 33313963623439613939333639346461663338373334396165636231666266613065323731373964
62396632353063376566333261356662356265373733323631363263396337383631383733393034 64313133383435333935376531313432663766633133633863356563663535333263636237386136
65616434356530306661636633363333353138303631626565636637313738353338343334633533 61653963633166383135333436646465383536373039383538326366636634313061613730653962
39313232356166623939383864346665626333363132663033326430366565336339306465343337 37623962643866396637336231363038373465393637356463656566666661313130313863383233
34613736356534653534363034366431653861613534663261633739366361373134323566376335 37343636346535363832626365396262303862393535336565393635663637323730373564336634
31313263313262353162353039623634653534346363323131633362323035633337366536366561 37363036323733306535336366373630356531353737303165376530656433626634343365626239
64323432353236383839643662383138373938373834323262386364376162663839366232313433 64346136363030663862313431653761666432393933366665346361626361623039326434633835
38643662613065663863636664636162333830353131636238383439323439316363383935623731 32666538653037613361343536383634643762356234366433663639653461303933306434333864
62393964636137653935313338343465396633333461643032383730313139396462393936383630 37386436393465323139306161333738383265323436376536656264356230303163326134323864
63353166633735623364653264643934666438383739663461373332623631323932333162303630 63396331666431666464656161633466333764653631623131646566303366333030653834333335
39353637353437636537613935306539633163613334303833393832616338323061633532303361 31323365353239366232643863386365633861376235643034303563613363663661616564363663
63656635333331376561363962386135303963303030396564356534333037623635613963313666 63326562613365653539383336383339646164623864323830653434623365393432666466323134
65303664316164613835343930623338326235363933623533343961666664323836316231613465 33626330373361393734656632393232363866613863373135636537613934343065306265623964
65373931666331326634316463663134613031363636363434643839386239333164333538393831 34643765636165393336356630353663343065333431656164363638646233663762346536343362
65653935623431373238326231343439666635623730393639636131386162373466316164356263 65653364343537383336373933313464663464653465383830363631316336303464313731356230
37316539656230316336303265646339303139306262396536633533366261346238393335393765 34336130323766386465373162346535396565346630353734303937396130656132376331326563
39376630306639353862323834343830646330643737653631633361326134613666613430323433 36386339383338346533646331666262396432336434646333653664326635386238333763626637
64363965653063316432353431386533386661386239636332323139393933653063643865646338 31363464306465666339316436323265623437636533643431363161323139653065323534636533
34626433393731343535313766303237313866613166663333616535323661666362613439376166 64386334353439373133313937343234373963353331646233346432646430636530663336316134
62626430363661303630346265383863613162356535306165633537383038613131346561306330 66303337313034396232643531643262343036313762633165353665653938313665386363353865
61623435626363623762313832313031363665623933656238623131303362326137313266316630 66333166303636626565613136653365313763303263313239333033353638616566656134396131
32366664633963626463613562643666383637383831343234666435373564306635343730373665 38356434343931303134303362313363343634613361353538636634336332373132356165326163
36643436633066373962303965373663376266323133343233323563393065633162383237323162 30386130326239366532363962316435663862393836326439623862366166376234343439306465
38656336306432623330616234373936306163646330313734653864386464646535666331616335 36346639623939353232366333643963646336383833386565643435393734653936313638663930
32623163356337326665333731656438393633326638363635353733663861323934333536393338 32323065343737663564333961373034393261613862333431663562353964666561643831316432
33656231373166313761643030363437373638366461653038363565623633623035393564643161 35313832356639333937333266306166656538643065386639346337306134613536356137316331
38663064356239393034323761386435396437386534633734353938653239323533333531363965 38376434666332366531393639303561663934353130333161636530383932653236313530616531
36316636353864626461303936313632663261353437396238363930626239336139323561373133 61656664626663373164343863333039356362343034326131376666623264663732303734366363
61366330386135363039303166326231656331653632343261306531653731313465396131643330 30306430353732616131346637626332656434393163313661356465393263393235396662623962
35616432613631636264333263363239616435303436653936386165343335356337343032386239 62643538623331646265643561623366383937313136383939366164613235666234663137653432
37373230623366653834663031343738643063616661363138316262643635343439333838363632 34316138643139336331356663333632656539653632626136613431393736613630353237356164
34353236393730363262303439313132663735336463323432303036366361666338363237313664 33623632643335663163656236633134343464353837346237316162346634633336663564656531
39366434303839356163616136336237643061373633343737333036653362643635643536386436 39373730346130363963376463326238366235613539613466653139306237343164336462353236
30336636333464626464326332343333656535666431353338336438346335346433313934346231 39323361636333353661633863663162633563343937366461346338363061623730633537626562
32326231636262346232636366393361623830316238303537666164626339383061633765333039 30353938383664333861366431343033313961376436363065373430353736343563313531386663
30633539666535366539383061396461313437383537656239393131326538636536356536643735 37313534303564333237616331396437376436383833373936376664666366373235613533663239
66653336343364346635383761613731666263366465643336636661323263386364653035333062 64653863613531356666646233393533646131333961343730663461346235633961306263343831
33616364393664613363383937653530356138316363633335386232336531373835303732383962 64386332653330323937643266373437633465363933653833343930616134626566363339366362
65643264656134393663653333346531316365323730383363373564323133333032373330643232 36356163333730656233653431326430326566386264343330666131393166323537623137396237
63373239366435643738353130353333646136303530643065383066313035366239326664363830 65386234653231666631366533383762643830333261363532666138386263643662633932626335
36626366646264643130326261363536313835356638636139636434333362366363313133316130 66303363613035643931393933303035323566373634663037313338616132373162366334373962
61383734636433313433303466323265386132363862643131613666306162396437643166393630 33666463613435396331326565353433336361303562326562663035313639333232333430373266
32613464313530316262353938383735336262663939323730626662663235303638303065663939 65383235356132353838636565636436356361653831356430663935613766613237366564316566
33636234383033393237303865633961333462663232363562386637333335373565663261363933 37396130393363386566306162346466326165353863636633306335383265306139396339383866
31356436613138653765663162646566326134313736316130356336663536643466623331653039 34326335323962633032386162623033353036643437313832323166363764653339343638343964
38616465306532666434333534356464666663613263383430336465376133393032623762323237 66626662326234306362656162336538353131366337643761643930306163333661653062663832
63343462373834383566393466366332303235323865343730373062343739363265343164623262 61303963623433313565633235306132366663336662616232613339366363373934613631623431
38346539343533636435626133306662623865653934666665363063356162326461316561383261 34323736383366333032343364373533363761323338346163323836653235653136646162306166
33666362656635323262353066356330616263326134613635336261343438393838326438613435 65333734623663346233343961396566313838653036396430396134393839326535363237363638
64343336393034303330323563346233653135633439386465653065633339643032636662313531 38333232333863396334366561303136333863356666656335633630616531363766343535616533
38356234326632336161666666353030366238626262353831393532306166363432633939383166 35656166303837653365303436623431613931336331356531666665346562613263363666626238
66316136333838653433383439623366333062313833616366656566393965393665613738303833 62626236323863383366643162356462306163653032626130333863656337623136646439316337
38326139366330393863623365383963306361613665643962376664636134353533623836643362 33306432663134383038646133346131333732633932383239643733643138303434646565663266
39626166353138646666633136363662393565336333393638626534636330313632326333353366 34616265383733343963323538656138656331396438616133393063356638633965323363653066
39353133666532306531343137353834353133633165613566323135313362333962303637663965 65353837333363613762333839313631373137363064383830353565333832356162323862393030
63383730663562646563333763356135613537666332393537663062653662623938353434323136 35373038613133643466636537626437393837633865363566343565626633376262373766613738
39663965616437653232623333363762616233316530303833376332396165616635336532653035 39343334336238363131373762646564653839623531323066356430326263376534373664363331
36306331643232336664363733376632323630616139353030343930343166623433616234616539 64373735383933303638303661333964333464306338613363326261623438336530636262373766
34393131303363626166383037336262323662393431356463616665343463363432356132313531 35346339643939666162386232666236326131366366303432393838326239313730323431376231
37653331336165626435343162663662386662613164336439636465363335386233383065393535 39363032616666393431326533643865643937363937356431623763363037373333653266376561
31396466636465336164383563326236356463393831363534656536616664613361346463613837 63323462363063343234373534663063353865363037383932386231313338343239653131633561
35366562623432353166303836353261313233663864626665663837336233653237373031393636 34623439396232633265616438623562666333303932396366663330326565363736633461333463
64343763386361626232633032316466373161666536313363633765653365656538343130326566 66346537323061306662323062393061353565393165363532306439343262343632616465363364
38396534323433343634333139333063633531343631316163346135643037323034633835363963 30376331346430313536313963333136663833323064633631653935326366633862336163316538
32343963653263663438666537653963376133633661393562623131636465386266616166366566 33383434336666303434363236396662366664393637656462363331356631613332353766636663
36343963623262656162303337366365616263376363366161373236323166353834616262393061 62323264336235306532343065323834313730353237616463373766303439663533336366363565
39393239303335623332346236356335393836636533386432653164656334613738393533623764 35646461636263646633343634323735383235376330616334373937646165623639363663353361
36363136353034633934323066323335626138353763333537353761303930623930353062373932 65613034353736633332663333616564356265323731613537393430633137333337643663323137
30656339663333373431633763366433366266316563393332613334633966633339633230303166 31623732663331653935316337306433333633353565343265666333363864346562363961333439
61346264386134623962316532343664386637303738333835343036633038323137323961323837 30656136636661396335623566386362333861616663393738626632633537613564636261383138
33376431316465373165663338623538636136343538666235333334373664323463326336336334 3233
32303361393134653338646563643636356361366133633634393731343332313437643731366634
30386466333965356135303732663433316363376438623764653464343564353835626435333230
30646238393266643137373037326136306337306130343739633933626134643364326534386464
65303531623335663766623037663630376366333631363165633762616564396538643866313465
35343265663336303537663962643536653937373839313435383337353036313239653263323061
63653865656461363334646466396135663338383065646464656631636666643030376363633333
30333331636438656238326534656165396233633131306562336263653330396366343964313434
66653862386531306236336339353935653335616638643831393430613533643533626135313835
64313065373564323132663531626436623465663766663566643964353361303336386464386463
38373036613536386436373535323664333231663437643962373339653236393339653064363530
61393835343230356234376630613230326637636534336564383139366663663136306665363363
66373237373530303062333935633634313766316461666439666433616236346434623535343531
30383264303536653236363533383561613636303662663935303761353065336631353735376365
63343162646663623736336638306465666233343031656137393037623035613236373930633131
36366633656131633563336561323835343766356131343038643761663966656364376430366636
36316633633736353436666539303039383231333437653666313435616536626434653833376532
66376130653339643564646139633238643266316633363137313038363061386163613863313733
66633665613537303834393233376463343965343664343564343832376238383064373262336162
61313163303632373261383563363964353731363739306337333161333130656235363631343761
61353265633338336466623830396466646233333039323065333636303035363563373366396334
37366637306430396262376539653134396536643931643563386666623364346635363138373937
61613232386666343033383031363439373335396362643130656235653066376537373062333363
39373737316136303835616639363162363839376635666237353064323433373961326338393263
34343162336336623530653531663136366136353139343561623532633139366533386263316364
36306134356666343230643639303766343466353562643130363063343330393232663161306266
66336435356265396330366566373137323265623431386535396665313335666332616233383664
63656663363366613431366632306230633265306663336439306263646132626631363663643861
30373330653637623733653165336132643965623232383839623535326336643239333133313030
32326634643238333163383562393134623532363561393364616430366532633862396438306433
33653235303639383333633035656533633165653137326130643961393965346266383861616333
37306266393231336666343333643530353230383239343931303838623335303262313130616162
65383962613965646438323065303962663965333231323139303438343631396363666330653330
61323839333863343034356363366433313039383963303063346237366261363861643839396362
31346637303032356463303564303562313639643563396261326538353834363737323235646430
64343230336539663237306235623662333062396238383135616231383837366339376633663938
65313739333065383335323437396232323564363733333437363133613766653334396431333036
38333038656339363132346362333863643261376335666536306231316630303437306231646565
61666334623736373832613366376438323664653531393938353234303030633532653561313665
63613064663564646235373234326661303562646139323330343330343139633462646131353038
62663535393738626432633564663564653663393937656634666137646363643365353930373266
66373162373165653533383862363835346133313234326162393331666566316439633133316633
66393733373333653630363334353833363565336338613361396335326166643630623133303466
31663037663766356531663039386232316138393266333035613364316539353837653763616666
32376431383965633138666536386532663761343537646266643566373132343762383966326233
38373766353962323362366330383564636236363961333535313064313039343933346439396237
66616631633539623537633164363665393239643633663338393765336434653930356662656164
65366533633336313832633166376265376634613635363563643866323730343139306537323863
61373461363237653634666331366436356335306265643639373034666131626238336632346632
34613062346532656530626364343938636162383862653538353563363035346339623839663261
39663438396362383866663336643035653833336466663037313764326434373061626232646333
63336336383366333538613331303863356430373764363930363061383036343836386561663362
63663232373563343461306131333263376437623534346562626536376138393939373064333231
31303464656332383036616661656565313063346231623634356638326239343536316162613335
34663232326438333966313663336465373833646634353934323361343833373661633265313239
62656533656338376562323861396665353166623732623139353431336439386263363235316132
35373933613236616362396363323031633166633837383634313638656430373634383563616463
38353738636631626639636135363561623935646365316161376166653461356430326362623738
64386537373230303239356334313663616336393439623431616639643233353662306265373232
39343066353564316433653361333766363535636533626338386434646531653432313034393134
62653733313636653331356363396531313136346136303661656466333138363366616530306536
66373532626230313739306432363433313736316261383837393737356333326236323261613965
36373064636138373134373530363533613031376362386334393464383062663663313234643432
64363232376137613231313862386561313131376133376466393630383737306666393738613265
66646236646632313832633366333335313239363763326464326361326263346636326332376336
31306230373963636135643235306537623930636164346366623862303838653238373030653035
35653634393532653566323063323761643738616532376262623163393461346334393034643862
62653835363236303732386365626464346131363231336431316233643132383566356531346237
66333933386539396366333565653938396564643464663165323535386262623532666237393630
65336262636630386633626335636231616332353965356335666362313562643738306263376230
63323938633237363431386639613830633765353232313236336233363736363566346237616637
61656234376562323162656432393665393930313736313439316261363264333865356139343233
63636638646332626365383839373765383864346532383236386266656635653333343032313231
65626233313634333533653436626134373632363565653230656161613963323334613262646530
66636331396130613934363939653238343463396639363731393363643830663362373439646337
63396435376637666563333165623338386337613638366339656561366538366635363037366531
32306235666231303762356665613738323336306465613531313964626631313731373963353964
32616632376534316532643531386635386330313866326265393736376538616431323238333562
36373238656361323336383466363563623333306634373164366134376635373262353533653330
38643233363737356564653834316435336439663562343366353866336662356138323566363061
63313336323435343861393164313130346438343862366530363233643266393964316265663535
65323739306536373331326338326132383265343939663336303534633537393637353639636561
64656432313636366434313465626562626638613232653230373530363234306537363665646633
33326163663830353166643662386637323438366334386533303664356631653561323032666265
61333165363636363634353461613039313362373863663739323231663230643635663466323430
37393431333733313134326231313234353930663365646637386639643535316362626232323430
32363631353565323663393235343336663930373439663861613661636433356366633065343935
61356636323039656230353264646166626633316430653162383638336265653865373536643036
35653166333765366231636163666638383262613432646334663430323565333538626665343763
32646663356565646362646261343436383039623635666439643762616463656361386631313637
61616164383734353634306633636338623837356230626263653161616664613266356432653335
30646434346436383565343138623264386630333832386134666463313936383364333364383232
39393066333666653734616463343530643537613437623766313237353033623662336137356534
35303635623232333230363362353137656235373539316163653863326666383237303235316164
34623138346261366238303037653764366537333561623135656236663435316565303931353939
34663932303239393836363663343735313632333639633733323564343039346436343935373430
66313863643361306161373634373738383462313831643161333230646435313261383534396464
39663466643864666433366531323866333935373833663661323833623734646265393035613966
62393165653135643737343333346232356638646437326664396466333063666135653338623266
34663133636164386164636434666231643163343930353863306538333337643762616661366366
63646336613433623862356365633563633235396337356535376335636633636563333738383061
33326136393530353964666639633638643433653736376637386638336561643061323635373565
65393836613638313165313262376166643561623131363836363531616232663333333063393039
35643938626132383439393761623165303730396365323665613663643961663466393937333731
30643662663034616631343336343236613437376362366234343436376563303466633030323465
64626536333465626430333336353038336539313531303933633466333633336364363961353861
31636135303332343733313637326461643264636236313331643438613365393733383764653432
65346533616130396233613863633331613638316462366364346465353234373531393137336165
36666336333036396262663661343962663763316531393765346536646236613331626139383230
32623665353463326633646466376232343333666465616633333033663031643262663732323230
36363439613934643037393562333237636262306330356638666235333361376136623462313736
33373163336134316563353031616339336234623738373230323335623130376265386130333235
64616261633232316131633062623163333135323737376462383539663137366539656261396238
31363232356361376264373863663362346535346136313834623761333037343435326339633735
33656465376264326334356365346437343062343631663430346561656531653662646530316133
64396563376263306533306565623163316238326264306330393465333737303062363030343662
65333633643635643737323231343664613735336230393835346132613331366266336434623937
65616366633734373434333837326465613862633930626435623165633964313732373936346434
30643161633238343435623538316134616161313461616538653161383032313038666638376432
64646564626231656664306235633031356564373432626561386135653136313062383861323130
34393331316439613363636631666262343334393739303631633936623964343938373334623230
39343031663565333431333731363966623730666335346164623662373265643732306662393663
39336137326533643533623865313934336464633634613436616438373531636562313762383666
37386365333361626362

5
group_vars/bdd.yml
View file

@ -1,5 +0,0 @@
---
borg_keep_hourly: 6
borg_backup_exclude:
- "/var/lib/postgresql/"
...

8
group_vars/certbot.yml
View file

@ -1,8 +0,0 @@
---
glob_certbot:
- dns_rfc2136_server: '10.128.0.30'
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
mail: tech.aurore@lists.crans.org
certname: auro.re
domains: "*.auro.re"

69
group_vars/dhcp/dhcpd.yml
View file

@ -1,69 +0,0 @@
---
dhcpd__omapi_key:
algorithm: hmac-sha512
secret: 99XuJO0ofX3VAnWWlyixWbQ5YTagPfgxyh14IbLNBb3/JzEklkWopvQdj/PXVYbfb/sRyFJBhLexPag4dLh7PA==
dhcpd__interfaces:
- client0
- client1
- client2
- client3
- client4
dhcpd__dns_servers:
- 10.128.10.3
- 10.128.10.103
dhcpd__domain_search:
- isp.auro.re.
- auro.re.
dhcpd__subnets:
- network: 100.64.0.0/27
routers:
- 100.64.0.1
start: 100.64.0.4
end: 100.64.0.30
domain_name: client0.isp.auro.re
failover: true
- network: 100.64.0.32/27
routers:
- 100.64.0.31
start: 100.64.0.33
end: 100.64.0.63
domain_name: client1.isp.auro.re
failover: true
- network: 100.64.0.64/27
routers:
- 100.64.0.65
start: 100.64.0.67
end: 100.64.0.95
domain_name: client2.isp.auro.re
failover: true
- network: 100.64.0.96/27
routers:
- 100.64.0.97
start: 100.64.0.99
end: 100.64.0.127
domain_name: client3.isp.auro.re
failover: true
- network: 100.64.0.128/27
routers:
- 100.64.0.129
start: 100.64.0.131
end: 100.64.0.159
domain_name: client4.isp.auro.re
dhcpd__failover:
dhcp-1.isp.infra.auro.re: 10.210.1.1
dhcp-2.isp.infra.auro.re: 10.210.1.2
dhcpd__failover_address: "{{ dhcpd__failover[inventory_hostname] }}"
dhcpd__failover_peer_address: "{{ dhcpd__failover
| dict2items
| selectattr('key', '!=',
inventory_hostname)
| map(attribute='value')
| first }}"
...

24
group_vars/dns/kresd.yml
View file

@ -1,24 +0,0 @@
---
kresd__listen:
- address: 0.0.0.0
port: 53
kind: dns
- address: "::"
port: 53
kind: dns
- address: 0.0.0.0
port: 853
kind: tls
- address: "::"
port: 853
kind: tls
- address: 0.0.0.0
port: 8453
kind: webmgmt
- address: "::"
port: 8453
kind: webmgmt
tls: false
kresd__cache_size: 512
...

21
group_vars/edge/keepalived.yml
View file

@ -1,21 +0,0 @@
---
keepalived__virtual_router_id: 81
keepalived__interface: back0
keepalived__virtual_addresses:
crans0:
- 185.230.79.254/29
- 2a0c:700:28::2/64
- fe80::1/10
zayo0:
- 2001:1b48:2:103::d7:2/126
- 83.167.52.69/31
- fe80::1/10
oti0:
- 2a00:a4c0:100c:1::b/127
- 77.95.70.11/31
- fe80::1/10
keepalived__main: "{{ inventory_hostname_short == 'edge-1' }}"
...

86
group_vars/infra/bird.yml
View file

@ -1,86 +0,0 @@
---
bird__kernel:
kernel:
learn: true
import: accept
export: accept
bird__ospf:
limits:
import: 4000
export: 4000
import: accept
export:
protos: kernel
areas:
0:
broadcast:
- back0
stub:
- monit0
- wifi0
- int0
- sw0
- bmc0
- pve0
- isp0
- ext0
- pub0
- th30
- ups0
1:
broadcast:
- vpn0
bird__bgp:
edge1:
local:
address: "{{ bird__bgp_addr.back }}"
as: "{{ bird__as.aurore }}"
neighbor:
address:
- 2a09:6840:203::1:1
- 10.203.1.1
as: "{{ bird__as.aurore }}"
import:
- pref_src: "{{ bird__pref_src_addr }}"
- accept
export: reject
edge2:
local:
address: "{{ bird__bgp_addr.back }}"
as: "{{ bird__as.aurore }}"
neighbor:
address:
- 2a09:6840:203::1:2
- 10.203.1.2
as: "{{ bird__as.aurore }}"
import:
- pref_src: "{{ bird__pref_src_addr }}"
- accept
export: reject
#wg1:
#local:
#address: "{{ bird__bgp_addr.vpn }}"
#as: "{{ bird__as.aurore }}"
#neighbor:
#address:
# - 2a09:6840:213::1:3
# - 10.213.1.3
#as: "{{ bird__as.aurore }}"
#rr_cluster_client: 10.203.1.1
#import: reject
#export: accept
#wg2:
#local:
#address: "{{ bird__bgp_addr.vpn }}"
#as: "{{ bird__as.aurore }}"
#neighbor:
#address:
# - 2a09:6840:213::1:4
# - 10.203.1.4
#as: "{{ bird__as.aurore }}"
#rr_cluster_client: 10.203.1.1
#import: reject
#export: accept
...

457
group_vars/infra/firewall.yml
View file

@ -1,457 +0,0 @@
---
firewall__zones:
adm-legacy:
addrs:
- 2a09:6840:128::/64
- 10.128.0.0/16
ups:
addrs:
- 2a09:6840:201::/64
- 10.201.0.0/16
back:
addrs:
- 2a09:6840:203::/64
- 10.203.0.0/16
monit:
addrs:
- 2a09:6840:204::/64
- 10.204.0.0/16
wifi:
addrs:
- 2a09:6840:205::/64
- 10.205.0.0/16
int:
addrs:
- 2a09:6840:206::/64
- 10.206.0.0/16
sw:
addrs:
- 2a09:6840:207::/64
- 10.207.0.0/16
bmc:
addrs:
- 2a09:6840:208::/64
- 10.208.0.0/16
pve:
addrs:
- 2a09:6840:209::/64
- 10.209.0.0/16
isp:
addrs:
- 2a09:6840:210::/64
- 10.210.0.0/16
ext:
addrs:
- 2a09:6840:211::/64
- 10.211.0.0/16
pub:
addrs:
- 2a09:6840:215::/64
- 45.66.111.192/27
vpn-clients:
addrs:
- 2a09:6840:212::/64
- 10.212.0.0/16
vpn:
addrs:
- 2a09:6840:213::/64
- 10.213.0.0/16
infra:
zones:
- adm-legacy
- ups
- back
- monit
- wifi
- int
- sw
- bmc
- pve
- isp
- ext
- pub
- vpn
internet:
negate: true
addrs:
- 2a09:6840::/32
- 2a09:6841::/32
- 2a09:6842::/32
- 45.66.108.0/22
- 10.0.0.0/8
- 100.64.0.0/10
prometheus.int:
addrs:
- 2a09:6840:204::1:1
- 10.204.1.1
- 2a09:6840:204::1:2
- 10.204.1.2
grafana.adm:
addrs:
- 2a09:6840:128::98
- 10.128.0.98
re2o-ldap.adm:
addrs:
- 2a09:6840:128::21
- 10.128.0.21
ldap-replica-edc.adm:
addrs:
- 2a09:6840:128::4:249
- 10.128.4.249
nextcloud.adm:
addrs:
- 2a09:6840:128::58
- 10.128.0.58
dns.int:
addrs:
- 2a09:6840:206::1:1
- 10.206.1.1
- 2a09:6840:206::1:2
- 10.206.1.2
ntp.int:
addrs:
- 2a09:6840:206::1:5
- 10.206.1.5
- 2a09:6840:206::1:6
- 10.206.1.6
docker-ovh.adm:
addrs:
- 2a09:6840:128::150
- 10.128.0.150
mx.test:
addrs:
- 2a09:6840:211::1:5
- 45.66.111.208
- 10.128.1.5
proxy.pub:
addrs:
- 2a09:6840:215::1:1
- 45.66.111.206
collabora.ext:
addrs:
- 2a09:6840:211::1:1
- 10.211.1.1
grafana.ext:
addrs:
- 2a09:6840:211::1:7
- 10.211.1.7
ns-1.pub:
addrs:
- 2a09:6840:215::1:2
- 45.66.111.205
ns-2.pub:
addrs:
- 2a09:6840:215::1:3
- 45.66.111.207
ns-master.int:
addrs:
- 2a09:6840:206::1:7
- 10.206.1.7
tor.pub:
addrs:
- 45.66.111.215
- 2a09:6840:215::1:215
jitsi.pub:
addrs:
- 45.66.111.216
- 2a09:6840:215::1:216
log-1.int:
addrs:
- 10.206.1.9
- 2a09:6840:206::1:9
log-2.int:
addrs:
- 10.206.1.10
- 2a09:6840:206::1:10
firewall__input:
- iif:
- back0 # FIXME link-local
- vpn0
verdict: accept
- src:
- back
- vpn
verdict: accept
- src: monit
protocols:
tcp:
dport:
- 9100
- 9700
verdict: accept
- src: monit
protocols:
tcp:
dport: 9324
verdict: accept
- protocols:
icmp: true
verdict: accept
- protocols:
tcp:
dport: 22
verdict: accept
- verdict: drop
firewall__output:
- verdict: accept
firewall__forward:
- src: back
dst: infra
verdict: accept
- src: infra # FIXME: temporary
dst: internet
verdict: accept
- src: monit
dst: bmc
protocols:
icmp: true
verdict: accept
- dst: mx.test
protocols:
icmp: true
verdict: accept
- dst: mx.test
protocols:
tcp:
dport:
- 25
- 465
- 993
verdict: accept
# NS
- dst:
- ns-1.pub
- ns-2.pub
protocols:
tcp:
dport: 53
verdict: accept
- dst:
- ns-1.pub
- ns-2.pub
protocols:
udp:
dport: 53
verdict: accept
- src:
- ns-1.pub
- ns-2.pub
dst: ns-master.int
protocols:
udp:
dport: 53
verdict: accept
- src:
- ns-1.pub
- ns-2.pub
dst: ns-master.int
protocols:
tcp:
dport: 53
verdict: accept
# SNMP
- src: monit
dst:
- sw
- ups
- bmc
protocols:
udp:
dport: 161
verdict: accept
- src: monit
dst:
- sw
- ups
- bmc
protocols:
tcp:
dport: 161
verdict: accept
# Alertmanager
- src: monit
dst: docker-ovh.adm
protocols:
tcp:
dport: 9093
verdict: accept
- src: adm-legacy
dst: bmc
verdict: accept
# Prometheus for Grafana
- src: grafana.adm
dst: prometheus.int
protocols:
tcp:
dport: 9090
verdict: accept
# Prometheus for Grafana nixos
- src: grafana.ext
dst: prometheus.int
protocols:
tcp:
dport: 9090
verdict: accept
- src: grafana.ext
dst: re2o-ldap.adm
protocols:
tcp:
dport: 389
verdict: accept
- src: grafana.ext
dst: ldap-replica-edc.adm
protocols:
tcp:
dport: 389
verdict: accept
# Admin VPN clients
- src: vpn-clients
dst: infra
verdict: accept
# Prometheus node
- src: monit
dst: infra
protocols:
tcp:
dport:
- 9100
- 9700
verdict: accept
# Prometheus bird
- src: monit
dst: back
protocols:
tcp:
dport: 9324
verdict: accept
# Prometheus kresd
- src: monit
dst: dns.int
protocols:
tcp:
dport: 8453
verdict: accept
# Allow DNS from infra to dns-{1,2}
- src: infra
dst: dns.int
protocols:
udp:
dport: 53
verdict: accept
- src: infra
dst: dns.int
protocols:
tcp:
dport: 53
verdict: accept
# Allow NTP from infra to ntp-{1,2}
- src:
- infra
- pub
dst: ntp.int
protocols:
udp:
dport: 123
verdict: accept
# Admin Wireguard
- dst:
- 2a09:6840:211::1:1
- 45.66.111.204
- 10.211.1.1
protocols:
udp:
dport: 5121
verdict: accept
# Proxy web
- dst:
- jitsi.pub
- proxy.pub
protocols:
tcp:
dport:
- 80
- 443
verdict: accept
- src: proxy.pub
dst: grafana.adm
protocols:
tcp:
dport: 3000
verdict: accept
- src: proxy.pub
dst: grafana.ext
protocols:
tcp:
dport: 80
verdict: accept
- src: proxy.pub
dst: nextcloud.adm
protocols:
tcp:
dport: 8080
- src: proxy.pub
dst: adm-legacy
protocols:
tcp:
dport:
- 80
- 443
verdict: accept
# ICMP to public vlan
- dst: pub
protocols:
icmp: true
verdict: accept
# Proxy -> Collabora
- src: proxy.pub
dst: collabora.ext
protocols:
tcp:
dport: 9980
verdict: accept
# Collabora -> Proxy
- src: collabora.ext
dst: proxy.pub
protocols:
tcp:
dport:
- 80
- 443
verdict: accept
# Tor: SSH
- dst: tor.pub
protocols:
tcp:
dport:
- 22
- 4444
verdict: accept
# Jitsi UDP
- dst: jitsi.pub
protocols:
udp:
dport:
- 3478
- 10000
# Jitsi TCP
- dst: jitsi.pub
protocols:
tcp:
dport:
- 5349
firewall__nat:
- src: 10.0.0.0/8
dst: internet
protocols: null
snat:
addr: 45.66.111.200/30
#- src: monit
# dst: adm-legacy
# protocols: null
# snat:
# addr: 10.203.1.3/32
...

59
group_vars/infra/keepalived.yml
View file

@ -1,59 +0,0 @@
---
keepalived__virtual_router_id: 82
keepalived__interface: back0
keepalived__virtual_addresses:
ups0:
- 10.201.0.1/16
- 2a09:6840:201::1/64
- fe80::1/10
monit0:
- 10.204.0.1/16
- 2a09:6840:204::1/64
- fe80::1/10
wifi0:
- 10.205.0.1/16
- 2a09:6840:205::1/64
- fe80::1/10
int0:
- 10.206.0.1/16
- 2a09:6840:206::1/64
- fe80::1/10
sw0:
- 10.207.0.1/16
- 2a09:6840:207::1/64
- fe80::1/10
bmc0:
- 10.208.0.1/16
- 2a09:6840:208::1/64
- fe80::1/10
pve0:
- 10.209.0.1/16
- 2a09:6840:209::1/64
- fe80::1/10
isp0:
- 10.210.0.1/16
- 2a09:6840:210::1/64
- fe80::1/10
ext0:
- 10.211.0.1/16
- 2a09:6840:211::1/64
- fe80::1/10
th30:
- 10.126.0.6/24
- fe80::1/10
pub0:
- 2a09:6840:215::1/64
- 45.66.111.204/27
- fe80::1/10
#keepalived__virtual_routes:
# ext0:
# - 45.66.111.204/30
keepalived__virtual_blackholes:
- 45.66.111.200/30 # NAT
keepalived__main: "{{ inventory_hostname_short == 'infra-1' }}"
...

53
group_vars/isp/bird.yml
View file

@ -1,53 +0,0 @@
---
bird__kernel:
kernel:
learn: true
import: accept
export: accept
bird__ospf:
limits:
import: 4000
export: 4000
import: accept
export:
protos: kernel
areas:
0:
broadcast:
- back0
stub:
- client0
- client1
- client2
- client3
- client4
bird__bgp:
edge1:
local:
address: "{{ bird__bgp_addr.back }}"
as: "{{ bird__as.aurore }}"
neighbor:
address:
- 2a09:6840:203::1:1
- 10.203.1.1
as: "{{ bird__as.aurore }}"
import:
- pref_src: "{{ bird__pref_src_addr }}"
- accept
export: reject
bird__radv:
rdnss:
- 2a09:6840:206::1:1
- 2a09:6840:206::1:2
interfaces:
client0:
max_interval: 5
prefixes:
- 2a09:6841::/64
dnssl: client0.isp.auro.re
domain_search:
- auro.re
...

40
group_vars/isp/firewall.yml
View file

@ -1,40 +0,0 @@
---
firewall__zones:
internet:
negate: true
addrs:
- 2a09:6840::/32
- 2a09:6841::/32
- 2a09:6842::/32
- 45.66.108.0/22
- 10.0.0.0/8
- 100.64.0.0/10
clients:
addrs:
- 100.64.0.0/10
non_clients:
negate: true
zones: clients
allowed_clients:
file:
path: /var/run/firewall/allowed_clients.yml
default: []
firewall__input:
- verdict: accept
firewall__output:
- verdict: accept
firewall__forward:
- src: allowed_clients
dst: non_clients
verdict: accept
firewall__nat:
- src: clients
dst: internet
protocols: null
snat:
addr: 45.66.111.220
...

32
group_vars/isp/keepalived.yml
View file

@ -1,32 +0,0 @@
---
keepalived__virtual_router_id: 80
keepalived__interface: back0
keepalived__virtual_addresses:
client0:
- 100.64.0.1/27
- 2a09:6841::1/56
- fe80::1/10
client1:
- 100.64.0.33/27
- 2a09:6841:0:1::1/64
- fe80::1/10
client2:
- 100.64.0.65/27
- 2a09:6841:0:2::1/64
- fe80::1/10
client3:
- 100.64.0.97/27
- 2a09:6841:0:3::1/64
- fe80::1/10
client4:
- 100.64.0.129/27
- 2a09:6841:0:4::1/64
- fe80::1/10
keepalived__virtual_blackholes:
- 45.66.111.220/32
keepalived__main: "{{ inventory_hostname_short == 'isp-1' }}"
...

32
group_vars/nginx.yml
View file

@ -1,32 +0,0 @@
---
glob_nginx:
contact: tech.aurore@lists.crans.org
who: "L'équipe technique d'Aurore"
service_name: service
ssl:
# Add adm.auro.re if necessary
- name: auro.re
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
servers:
- ssl: false # Replace by auro.re or adm.auro.re
default: true
server_name:
- "default"
- "_"
root: "/var/www/html"
locations:
- filter: "/"
params: []
additional_params: []
upstreams: []
auth_passwd: []
default_server:
default_ssl_server:
default_ssl_domain: auro.re
real_ip_from:
- "10.128.0.0/16"
- "2a09:6840:128::/64"
deploy_robots_file: false

71
group_vars/ns/knotd.yml
View file

@ -1,71 +0,0 @@
---
knotd__listen:
- address: 0.0.0.0
- address: "::"
knotd__keys:
xfr:
algorithm: hmac-sha512
secret: "{{ vault_knotd_xfr_key }}"
knotd__remotes:
xfr-master:
address: 2a09:6840:206::1:7
key: xfr
knotd__acl:
notify-master:
address:
- 2a09:6840:206::1:7
- 10.206.1.7
key: xfr
action: notify
knotd__queryacl:
local:
addresses:
- 10.0.0.0/8
knotd__zones:
auro.re:
dnssec_validation: true
acl:
- notify-master
master: xfr-master
test.auro.re:
dnssec_validation: true
acl:
- notify-master
master: xfr-master
infra.auro.re:
dnssec_validation: true
acl:
- notify-master
#queryacl: local
master: xfr-master
108.66.45.in-addr.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
109.66.45.in-addr.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
110.66.45.in-addr.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
111.66.45.in-addr.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
0.4.8.6.9.0.a.2.ip6.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
...

13
group_vars/ntp/chronyd.yml
View file

@ -1,13 +0,0 @@
---
chronyd__allow_networks:
- 2a09:6840::/32
- 10.0.0.0/8
chronyd__pools:
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
- 3.pool.ntp.org
chronyd__local_stratum: 10
...

144
group_vars/prom/prometheus/bird.yml
View file

@ -1,144 +0,0 @@
---
prometheus__scraping_bird:
targets: "{{ groups.router }}"
address:
port: 9324
prometheus__rules_bird:
- record: bird:protocol_up:bgp_all
expr:
label_replace(
bird_protocol_up{proto="BGP"},
"group", "$1",
"instance", "^([^0-9\\.]+)-[0-9]+.*"
)
# FIXME: sessions en cours d'installation, pas encore monitorées
- record: bird:protocol_up:bgp
expr:
bird:protocol_up:bgp_all
unless bird:protocol_up:bgp_all{
group="edge",
name=~"^(viarezo|isp[12]|rezel)[46]$"
}
# Sessions qui ne sont volontairement pas redondées
# au sein d'un groupe
- record: bird:protocol_up:bgp:non_redundant
expr:
bird:protocol_up:bgp{
group="edge",
name=~"^(oti|crans|legacy|edge)[46]$"
}
# Sessions qui le sont
- record: bird:protocol_up:bgp:redundant
expr:
bird:protocol_up:bgp
unless
bird:protocol_up:bgp:non_redundant
- alert: BirdBGPRedundancyDegraded
expr:
(
count by (group, name) (
bird:protocol_up:bgp:redundant{state="Established"}
) + (
count by (group, name) (
bird:protocol_up:bgp:redundant{state!="Established"} * 0
)
)
) < 2
for: 0m
labels:
severity: warning
annotations:
Session: !unsafe "{{ $labels.name }}"
Count: !unsafe "{{ $value }}"
Group: !unsafe "{{ $labels.group }}"
- alert: BirdBGPDown
expr:
(
count by (group, name) (
bird:protocol_up:bgp{state="Established"}
) + (
count by (group, name) (
bird:protocol_up:bgp{state!="Established"} * 0
)
)
) == 0
for: 0m
labels:
severity: critical
annotations:
Session: !unsafe "{{ $labels.name }}"
Group: !unsafe "{{ $labels.group }}"
# TODO: warning pour redondant ?
- alert: BirdBGPNoExportedPrefixRedundant
expr:
bird_protocol_prefix_export_count{
export_filter!="REJECT",
} * on (instance, name) group_left (group) (
bird:protocol_up:bgp:redundant{state="Established"}
) == 0
for: 0m
labels:
severity: critical
annotations:
Session: !unsafe "{{ $labels.name }}"
Group: !unsafe "{{ $labels.group }}"
- alert: BirdBGPNoImportedPrefixRedundant
expr:
bird_protocol_prefix_import_count{
import_filter!="REJECT",
} * on (instance, name) group_left (group) (
bird:protocol_up:bgp:redundant{state="Established"}
) == 0
for: 0m
labels:
severity: critical
annotations:
Session: !unsafe "{{ $labels.name }}"
Group: !unsafe "{{ $labels.group }}"
- alert: BirdBGPNoExportedPrefixNonRedundant
expr:
sum by (group) (
bird_protocol_prefix_export_count{
export_filter!="REJECT",
} * on (instance, name) group_left (group) (
bird:protocol_up:bgp:non_redundant{state="Established"}
)
) == 0
for: 0m
labels:
severity: critical
annotations:
Session: !unsafe "{{ $labels.name }}"
Group: !unsafe "{{ $labels.group }}"
- alert: BirdBGPNoImportedPrefixNonRedundant
expr:
sum by (group) (
bird_protocol_prefix_import_count{
import_filter!="REJECT",
} * on (instance, name) group_left (group) (
bird:protocol_up:bgp:non_redundant{state="Established"}
)
) == 0
for: 0m
labels:
severity: critical
annotations:
Session: !unsafe "{{ $labels.name }}"
Group: !unsafe "{{ $labels.group }}"
- alert: BirdOSPFNeighboursChange
expr:
changes(bird_ospf_neighbor_count[5m]) > 0
or changes(bird_ospfv3_neighbor_count[5m]) > 0
for: 0m
labels:
severity: warning
- alert: BirdOSPFDown
expr:
bird_ospf_running == 0
for: 0m
labels:
severity: critical
annotations:
Instance: !unsafe "{{ $labels.name }}"
...

11
group_vars/prom/prometheus/common.yml
View file

@ -1,11 +0,0 @@
---
prometheus__rules_common:
- alert: CollectorDown
expr:
up == 0
for: 3m
labels:
severity: critical
annotations:
Job: !unsafe "{{ $labels.job }}"
...

11
group_vars/prom/prometheus/eaton.yml
View file

@ -1,11 +0,0 @@
---
prometheus__scraping_eaton:
targets: "{{ groups.eaton_ups }}"
address: 127.0.0.1:9116
path: /snmp
params:
module:
- eaton
prometheus__rules_eaton: {}
...

13
group_vars/prom/prometheus/ilo.yml
View file

@ -1,13 +0,0 @@
---
prometheus__scraping_ilo:
targets: "{{ groups.ilo }}"
address: 127.0.0.1:9116
path: /snmp
timeout: 180s
interval: 180s
params:
module:
- ilo
prometheus__rules_ilo: {}
...

6
group_vars/prom/prometheus/jitsi.yml
View file

@ -1,6 +0,0 @@
---
prometheus__scraping_jitsi:
targets: ["jitsi.pub.infra.auro.re"]
address:
port: 9700
...

23
group_vars/prom/prometheus/keepalived.yml
View file

@ -1,23 +0,0 @@
---
prometheus__rules_keepalived:
- alert: KeepalivedVrrpFault
expr:
keepalived_vrrp_state{state="fault"} > 0
for: 0m
labels:
severity: critical
annotations:
Instance: !unsafe "{{ $labels.instance }}"
- alert: KeepalivedMasterChange
expr:
changes(
keepalived_vrrp_state{
keepalived_vvrp_state="master"
}[1m]
) > 0
for: 0m
labels:
severity: warning
annotations:
Instance: !unsafe "{{ $labels.instance }}"
...

6
group_vars/prom/prometheus/kresd.yml
View file

@ -1,6 +0,0 @@
---
prometheus__scraping_kresd:
targets: "{{ groups.dns }}"
address:
port: 8453
...

28
group_vars/prom/prometheus/main.yml
View file

@ -1,28 +0,0 @@
---
prometheus__alertmanager_targets:
- docker-ovh.adm.auro.re:9093
prometheus__tsdb_retention_time: 90d
prometheus__scraping:
node: "{{ prometheus__scraping_node }}"
prometheus: "{{ prometheus__scraping_prometheus }}"
kresd: "{{ prometheus__scraping_kresd }}"
bird: "{{ prometheus__scraping_bird }}"
quanta: "{{ prometheus__scraping_quanta }}"
ilo: "{{ prometheus__scraping_ilo }}"
snmp: "{{ prometheus__scraping_snmp }}"
eaton: "{{ prometheus__scraping_eaton }}"
jitsi: "{{ prometheus__scraping_jitsi }}"
prometheus__rules:
common: "{{ prometheus__rules_common }}"
switch: "{{ prometheus__rules_switch }}"
prometheus: "{{ prometheus__rules_prometheus }}"
node: "{{ prometheus__rules_node }}"
keepalived: "{{ prometheus__rules_keepalived }}"
quanta: "{{ prometheus__rules_quanta }}"
#ilo: "{{ prometheus__rules_ilo }}"
bird: "{{ prometheus__rules_bird }}"
#eaton: "{{ prometheus__rules_eaton }}"
...

200
group_vars/prom/prometheus/node.yml
View file

@ -1,200 +0,0 @@
---
prometheus__scraping_node:
targets: "{{ groups.vm + groups.pve }}"
address:
port: 9100
prometheus__rules_node:
- alert: OutOfMemory
expr:
(
node_memory_MemFree_bytes
+ node_memory_Cached_bytes
+ node_memory_Buffers_bytes
) / node_memory_MemTotal_bytes < 0.1
for: 5m
labels:
severity: warning
annotations:
FreeMemory: !unsafe "{{ $value | humanizePercentage }}"
- alert: HostSwapIsFillingUp
expr:
(
1 - (
node_memory_SwapFree_bytes
/ node_memory_SwapTotal_bytes
)
) >= 0.5
for: 3m
labels:
severity: critical
annotations:
UsedSwap: !unsafe "{{ $value | humanizePercentage }}"
- alert: HostPhysicalComponentTooHot
expr:
node_hwmon_temp_celsius > 79
for: 3m
labels:
severity: critical
annotations:
Temperature: !unsafe "{{ $value | humanize }} °C"
Chip: !unsafe "{{ $labels.chip }}"
Sensor: !unsafe "{{ $labels.sensor }}"
- alert: HostNodeOvertemperatureAlarm
expr:
node_hwmon_temp_crit_alarm_celsius == 1
for: 0m
labels:
severity: critical
annotations:
Chip: !unsafe "{{ $labels.chip }}"
Sensor: !unsafe "{{ $labels.sensor }}"
- alert: HostRaidArrayGotInactive
expr:
node_md_state{state="inactive"} > 0
for: 0m
labels:
severity: critical
annotations:
Device: !unsafe "{{ $labels.device }}"
- alert: HostRaidDiskFailure
expr:
node_md_disks{state="failed"} > 0
for: 0m
labels:
severity: critical
annotations:
severity: !unsafe "{{ $labels.md_device }}"
- alert: HostOomKillDetected
expr:
increase(node_vmstat_oom_kill[1m]) > 0
for: 0m
labels:
severity: warning
annotations:
PID: !unsafe "{{ $value }}"
- alert: HostEdacCorrectableErrorsDetected
expr:
increase(node_edac_correctable_errors_total[1m]) > 0
for: 0m
labels:
severity: warning
annotations:
CorrectedErrors: !unsafe "{{ $value }}"
- alert: HostEdacUncorrectableErrorsDetected
expr:
increase(node_edac_uncorrectable_errors_total[1m]) > 0
for: 0m
labels:
severity: warning
annotations:
DetectedErrors: !unsafe "{{ $value }}"
- alert: OutOfDiskSpace
expr:
(
node_filesystem_free_bytes
/ node_filesystem_size_bytes < 0.1
)
and on (instance, device, mountpoint) (
node_filesystem_readonly
) == 0
for: 5m
labels:
severity: critical
annotations:
Mountpoint: !unsafe "{{ $labels.mountpoint }}"
FreeSpace: !unsafe "{{ $value | humanizePercentage }}"
- alert: HostConntrackLimit
expr:
(
node_nf_conntrack_entries
/ node_nf_conntrack_entries_limit
) > 0.8
for: 5m
labels:
severity: warning
annotations:
Filled: !unsafe "{{ $value | humanizePercentage }}"
- alert: HostClockSkew
expr:
(
node_timex_offset_seconds > 0.05
and deriv(node_timex_offset_seconds[5m]) >= 0
) or (
node_timex_offset_seconds < -0.05
and deriv(node_timex_offset_seconds[5m]) <= 0
)
for: 2m
labels:
severity: warning
- alert: HostClockNotSynchronising
expr:
min_over_time(node_timex_sync_status[1m]) == 0
and node_timex_maxerror_seconds >= 16
for: 2m
labels:
severity: warning
- alert: HostRequiresReboot
expr:
node_reboot_required > 0
for: 5m
labels:
severity: warning
- alert: OutOfInodes
expr:
node_filesystem_files_free
/ node_filesystem_files < 0.1
for: 3m
labels:
severity: warning
annotations:
Mountpoint: !unsafe "{{ $labels.mountpoint }}"
FreeInodes: !unsafe "{{ $value | humanizePercentage }}"
- alert: CpuUsage
expr:
(
1 - avg by (instance) (
irate(node_cpu_seconds_total{mode="idle"}[5m])
)
) > 0.75
for: 10m
labels:
severity: warning
annotations:
Usage: !unsafe "{{ $value | humanizePercentage }}"
- alert: SystemdServiceFailed
expr:
node_systemd_unit_state{state="failed"} == 1
for: 10m
labels:
severity: warning
annotations:
Service: !unsafe "{{ $labels.name }}"
- alert: LoadUsage
expr:
node_load1 > 5
for: 2m
labels:
severity: warning
annotations:
Load1: !unsafe "{{ $value | humanize }}"
- alert: UnhealthyDisk
expr:
smartmon_device_smart_healthy < 1
for: 10m
labels:
severity: critical
annotations:
Disk: !unsafe "{{ $labels.disk }}"
- alert: HostCpuStealNoisyNeighbor
expr:
avg by (instance) (
rate(node_cpu_seconds_total{mode="steal"}[5m])
) > 0.1
for: 5m
labels:
severity: warning
annotations:
Disk: !unsafe "{{ $labels.disk }}"
Steal: !unsafe "{{ $value | humanizePercentage }}"
...

14
group_vars/prom/prometheus/prometheus.yml
View file

@ -1,14 +0,0 @@
---
prometheus__scraping_prometheus:
targets: "{{ groups.prom }}"
address:
port: 9090
prometheus__rules_prometheus:
- alert: PrometheusTsdbCompactionFailed
expr:
increase(prometheus_tsdb_compactions_failed_total[1m]) > 0
for: 0m
labels:
severity: critical
...

98
group_vars/prom/prometheus/quanta.yml
View file

@ -1,98 +0,0 @@
---
prometheus__scraping_quanta:
targets: "{{ groups.quanta }}"
address: 127.0.0.1:9116
path: /snmp
timeout: 180s
interval: 180s
params:
module:
- quanta
prometheus__rules_quanta:
- alert: QuantaQueueOverflow
expr:
snAgGblQueueOverflow == 1
for: 0m
labels:
severity: critical
- alert: QuantaCpuUsage
expr:
snAgGblCpuUtil1MinAvg > 50
for: 5m
labels:
severity: warning
annotations:
Usage: !unsafe "{{ $value }} %"
- alert: QuantaCpuUsage
expr:
snAgGblCpuUtil1MinAvg > 80
for: 5m
labels:
severity: critical
annotations:
Usage: !unsafe "{{ $value }} %"
- alert: QuantaMemoryUsage
expr:
100 * (1 - (snAgGblDynMemFree / snAgGblDynMemTotal)) > 50
for: 5m
labels:
severity: warning
annotations:
UsedMemory: !unsafe "{{ $value }} %"
- alert: QuantaMemoryUsage
expr:
100 * (1 - (snAgGblDynMemFree / snAgGblDynMemTotal)) > 80
for: 5m
labels:
severity: alert
annotations:
UsedMemory: !unsafe "{{ $value }} %"
- alert: QuantaFanHealth
expr:
snChasFanOperStatus{snChasFanOperStatus="normal"} == 0
for: 0m
labels:
severity: critical
annotations:
Description: !unsafe "{{ $labels.shChasFanDescription }}"
Status: !unsafe "{{ $labels.snChasFanOperStatus }}"
- alert: QuantaMissingIntakeTemp
expr:
count by (instance) (
snAgentTempValue
) - count by (instance) (
snAgentTempValue{snAgentTempSensorDescr=~".*Intake.*"}
) == 0
for: 0m
labels:
severity: critical
- alert: QuantaIntakeTemp
expr:
0.5 * snAgentTempValue{snAgentTempSensorDescr=~".*Intake.*"} > 60
for: 10m
keep_firing_for: 30m
labels:
severity: warning
annotations:
Temperature: !unsafe "{{ $value }} °C"
Description: !unsafe "{{ $labels.snAgentTempSensorDescr }}"
- alert: QuantaIntakeTemp
expr:
0.5 * snAgentTempValue{snAgentTempSensorDescr=~".*Intake.*"} > 70
for: 10m
keep_firing_for: 30m
labels:
severity: critical
annotations:
Temperature: !unsafe "{{ $value }} °C"
Description: !unsafe "{{ $labels.snAgentTempSensorDescr }}"
- alert: QuantaPowerRedundancyFailure
expr:
count by (instance) (
snChasPwrSupplyOperStatus{snChasPwrSupplyOperStatus="normal"}
) < 2
for: 0m
labels:
severity: warning
...

6
group_vars/prom/prometheus/snmp.yml
View file

@ -1,6 +0,0 @@
---
prometheus__scraping_snmp:
targets: "{{ groups.prom }}"
address:
port: 9116
...

91
group_vars/prom/prometheus/switch.yml
View file

@ -1,91 +0,0 @@
---
prometheus__rules_switch:
- alert: SwitchPromiscuousChange
expr:
changes(ifPromiscuousMode[5m]) > 0
for: 0m
labels:
severity: warning
annotations:
Interface: !unsafe "{{ $labels.ifName }}
{{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
- alert: SwitchInterfaceUpChange
expr:
changes(ifOperStatus{ifOperStatus="up"}[5m]) > 0
for: 0m
labels:
severity: warning
annotations:
Interface: !unsafe "{{ $labels.ifName }}
{{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
- alert: SwitchInErrors
expr:
irate(ifInErrors[5m]) / (
irate(ifInUcastPkts[5m])
+ irate(ifInNUcastPkts[5m])
) > 0.0001
for: 0m
labels:
severity: warning
annotations:
ErrorRate: !unsafe "{{ $value | humanizePercentage }}"
Interface: !unsafe "{{ $labels.ifName }}
{{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
- alert: SwitchOutErrors
expr:
irate(ifOutErrors[5m]) / (
irate(ifOutUcastPkts[5m])
+ irate(ifOutNUcastPkts[5m])
) > 0.0001
for: 0m
labels:
severity: warning
annotations:
ErrorRate: !unsafe "{{ $value | humanizePercentage }}"
Interface: !unsafe "{{ $labels.ifName }}
{{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
- alert: SwitchInLinkUsage
expr:
rate(ifHCInOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.5
for: 5m
keep_firing_for: 10m
labels:
severity: warning
annotations:
Usage: !unsafe "{{ $value | humanizePercentage }}"
Interface: !unsafe "{{ $labels.ifName }}
{{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
- alert: SwitchInLinkUsage
expr:
rate(ifHCInOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.8
for: 5m
keep_firing_for: 10m
labels:
severity: critical
annotations:
Usage: !unsafe "{{ $value | humanizePercentage }}"
Interface: !unsafe "{{ $labels.ifName }}
{{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
- alert: SwitchOutLinkUsage
expr:
rate(ifHCOutOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.5
for: 5m
keep_firing_for: 10m
labels:
severity: warning
annotations:
Usage: !unsafe "{{ $value | humanizePercentage }}"
Interface: !unsafe "{{ $labels.ifName }}
{{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
- alert: SwitchOutLinkUsage
expr:
rate(ifHCOutOctets[5m]) / (ifHighSpeed * 1000000 / 8) > 0.8
for: 5m
keep_firing_for: 10m
labels:
severity: warning
annotations:
Usage: !unsafe "{{ $value | humanizePercentage }}"
Interface: !unsafe "{{ $labels.ifName }}
{{ if $labels.ifAlias }}- {{ $labels.ifAlias }}{{ end }}"
...

40
group_vars/prom/prometheus_snmp/eaton.yml
View file

@ -1,40 +0,0 @@
---
prometheus_snmp__modules_eaton:
version: 1
auth:
community: "{{ vault_snmp_eaton_community }}"
walk:
- sysUpTime
#- upsBattery
- xupsInput
- xupsOutput
- xupsBypass
- xupsEnvironment
- xupsBattery
- xupsConfig
lookups:
- source_indexes:
- xupsInputPhase
lookup: xupsInputName
- source_indexes:
- xupsOutputPhase
lookup: xupsOutputName
- source_indexes:
- xupsBypassPhase
lookup: xupsBypassName
overrides:
upsBatteryStatus:
type: EnumAsStateSet
xupsInputId:
type: EnumAsStateSet
xupsOutputId:
type: EnumAsStateSet
xupsBypassId:
type: EnumAsStateSet
xupsOutputSource:
type: EnumAsStateSet
xupsBatteryAbmStatus:
type: EnumAsStateSet
xupsContactType:
type: EnumAsStateSet
...

19
group_vars/prom/prometheus_snmp/ilo.yml
View file

@ -1,19 +0,0 @@
---
prometheus_snmp__modules_ilo:
version: 3
timeout: 10s
retries: 10
auth:
security_level: authPriv
auth_protocol: SHA
username: aurore
password: "{{ vault_snmp_ilo_auth }}"
priv_protocol: AES
priv_password: "{{ vault_snmp_ilo_priv }}"
walk:
- sysUpTime
- cpqHeTemperatureTable
overrides:
cpqHeTemperatureThresholdType:
type: EnumAsStateSet
...

6
group_vars/prom/prometheus_snmp/main.yml
View file

@ -1,6 +0,0 @@
---
prometheus_snmp__modules:
quanta: "{{ prometheus_snmp__modules_quanta }}"
ilo: "{{ prometheus_snmp__modules_ilo }}"
eaton: "{{ prometheus_snmp__modules_eaton }}"
...

125
group_vars/prom/prometheus_snmp/quanta.yml
View file

@ -1,125 +0,0 @@
---
prometheus_snmp__modules_quanta:
auth:
community: "{{ vault_snmp_quanta_community }}"
timeout: 60s
retries: 3
walk:
- interfaces
- ifXTable
- snAgGblQueueOverflow
- snAgGblDynMemTotal
- snAgGblDynMemFree
- snAgGblCpuUtil1SecAvg
- snAgGblCpuUtil5SecAvg
- snAgGblCpuUtil1MinAvg
- sysUpTime
- snAgentCpuUtilPercent
- snAgent
- snChasFan
- snChasPwr
- snAgentTemp
- snAgentCpu
- snSwInfo
- snSwIfInfoTable
- dot3StatsTable
- dot3HCStatsTable
- dot3Errors
- dot3Tests
- dot3CollTable
- lldpLocChassisId
- lldpRemTable
- lldpLocPortTable
- dot1dBasePort
lookups:
- source_indexes:
- ifIndex
lookup: ifAlias
- source_indexes:
- ifIndex
lookup: ifDescr
- source_indexes:
- ifIndex
lookup: ifName
- source_indexes:
- snChasFanIndex
lookup: snChasFanDescription
- source_indexes:
- snAgentTempSlotNum
- snAgentTempSensorId
lookup: snAgentTempSensorDescr
- source_indexes:
- snSwIfInfoPortNum
lookup: snSwIfName
- source_indexes:
- snSwIfInfoPortNum
lookup: snSwIfDescr
- source_indexes:
- dot3StatsIndex
lookup: ifAlias
- source_indexes:
- dot3StatsIndex
lookup: ifDescr
- source_indexes:
- dot3StatsIndex
lookup: ifName
- source_indexes:
- lldpRemTimeMark
- lldpRemLocalPortNum
- lldpRemIndex
lookup: lldpRemChassisId
#- source_indexes:
# - lldpLocPortNum
# lookup: lldpLocPortIdSubtype
overrides:
ifIndex:
ignore: true
ifAlias:
ignore: true
ifDescr:
ignore: true
ifName:
ignore: true
ifOperStatus:
type: EnumAsStateSet
ifAdminStatus:
type: EnumAsStateSet
snChasFanIndex:
ignore: true
snChasFanDescription:
ignore: true
snChasPwrSupplyIndex:
ignore: true
snAgentTempSensorDescr:
ignore: true
snChasFanOperStatus:
type: EnumAsStateSet
snChasPwrSupplyOperStatus:
type: EnumAsStateSet
snSwIfName:
ignore: true
snSwIfDescr:
ignore: true
snSwIfVlanId:
ignore: true
snSwIfInfoPortNum:
ignore: true
snSwIfInfoMonitorMode:
type: EnumAsStateSet
snSwIfInfoMirrorPorts:
ignore: true
snSwIfInfoMediaType:
type: EnumAsInfo
ifType:
type: EnumAsInfo
dot3StatsIndex:
ignore: true
dot3StatsEtherChipSet:
ignore: true
dot3StatsDuplexStatus:
type: EnumAsStateSet
lldpLocPortIdSubtype:
type: EnumAsInfo
lldpRemPortIdSubtype:
type: EnumAsInfo
...

31
group_vars/pve/pve_auth.yml
View file

@ -1,31 +0,0 @@
---
pve_auth__groups:
admin:
- Administrator
pve_auth__pam_users:
root:
enabled: false
pve_auth__users:
elkmaennchen:
password: "{{ vault_pve_passwords.elkmaennchen }}"
groups:
- admin
jeltz:
password: "{{ vault_pve_passwords.jeltz }}"
groups:
- admin
korenstin:
password: "{{ vault_pve_passwords.korenstin }}"
groups:
- admin
otthorn:
password: "{{ vault_pve_passwords.otthorn }}"
groups:
- admin
v-lafeychine:
password: "{{ vault_pve_passwords['v-lafeychine'] }}"
groups:
- admin
...

17
group_vars/radius/freeradius.yml
View file

@ -1,17 +0,0 @@
---
radiusd__guest_vlan: 1000
radiusd__clients:
localhost:
addr: 127.0.0.1
secret: abcdef
type: aurore
wifi-ap-v4:
addr: 10.102.0.0/16
secret: abcdef
type: aurore
wifi-ap-v6:
addr: 2a09:6840:102::/56
secret: abcdef
type: aurore
...

12
group_vars/reverseproxy.yml
View file

@ -1,12 +0,0 @@
---
loc_nginx:
servers: []
glob_reverseproxy:
redirect_dnames:
- aurores.net
- fede-aurore.net
reverseproxy_sites: []
redirect_sites: []

3
group_vars/router/prometheus.yml
View file

@ -1,3 +0,0 @@
---
prometheus_keepalived__dest: /var/run/prometheus-node-exporter/keepalived.prom
...

3
group_vars/routeur.yml
View file

@ -1,3 +0,0 @@
---
rsyslog_high_density: true
...

12
group_vars/switch.yml
View file

@ -1,12 +0,0 @@
---
glob_switch:
loop_protect:
port_disable_timer_in_seconds: 30
transmit_interval_in_seconds: 3
sntp:
operation_mode: SNTP_UNICAST_MODE
poll_interval: 720
servers:
- ip: 10.206.1.5
priority: 1
...

60
group_vars/vpn/bird.yml
View file

@ -1,60 +0,0 @@
---
bird__tables:
- wg
bird__kernel:
kernel:
learn: true
import: accept
export: accept
vrf:
learn: true
import:
sources:
- "{{ iproute2__custom_protos.wireguard }}"
export: accept
table: wg
kernel: "{{ iproute2__custom_tables.wireguard }}"
bird__ospf:
limits:
import: 4000
export: 4000
table: wg
import: accept
export:
sources:
- "{{ iproute2__custom_protos.wireguard }}"
areas:
1:
broadcast:
- vpn0
bird__bgp:
infra1:
local:
address: "{{ bird__bgp_addr.vpn }}"
as: "{{ bird__as.aurore }}"
neighbor:
address:
- 2a09:6840:213::1:1
- 10.213.1.1
as: "{{ bird__as.aurore }}"
table: wg
import: accept
export: reject
next_hop_self: true
infra2:
local:
address: "{{ bird__bgp_addr.vpn }}"
as: "{{ bird__as.aurore }}"
neighbor:
address:
- 2a09:6840:213::1:2
- 10.213.1.2
as: "{{ bird__as.aurore }}"
table: wg
import: accept
export: reject
next_hop_self: true
...

16
group_vars/vpn/ifupdown2.yml
View file

@ -1,16 +0,0 @@
---
ifupdown2__vrf:
wg-vrf:
table: "{{ iproute2__custom_tables.wireguard }}"
ifupdown2__wireguard:
wg0:
private_key: "{{ vault_wireguard_wg0_private }}"
listen_port: 5121
vrf: wg-vrf
table: "{{ iproute2__custom_tables.wireguard }}"
peer_allowed_addresses:
- 2a09:6840:212::1:1/128
- 10.212.1.1/32
peer_public_key: 0kP/XjaGOpu4p9KHTAoAhkLwXzC8wJUdPIdhdpgeKhY=
...

7
group_vars/vpn/iproute2.yml
View file

@ -1,7 +0,0 @@
---
iproute2__custom_tables:
wireguard: 2000
iproute2__custom_protos:
wireguard: 200
...

12
host_vars/caradoc.adm.auro.re.yml
View file

@ -1,12 +0,0 @@
---
borg_keep_hourly: 6
borg_keep_daily: 7
borg_keep_weekly: 4
borg_keep_monthly: 12
borg_backup_directories:
- "/etc"
- "/var"
- "/data_nextcloud"
- "/data_gitea"
- "/data_mail"
...

22
host_vars/collabora.ext.infra.auro.re.yml
View file

@ -1,22 +0,0 @@
---
systemd_link__links:
pub0: ae:ae:ae:2C:60:35
ifupdown2__interfaces:
pub0:
addresses:
- 2a09:6840:128::220/64
- 10.128.0.220/16
gateways: "{{ ifupdown2__gateways.adm }}"
collabora__server_name: office.auro.re
collabora__post_allow_addrs:
- 2a09:6840:215::1:1
- 45.66.111.206
collabora__wopi_groups:
- host: https://cloud.auro.re:443
aliases:
- https://nextcloud.auro.re:443
...

47
host_vars/dhcp-1.isp.infra.auro.re.yml
View file

@ -1,47 +0,0 @@
---
systemd_link__links:
isp0: 02:00:00:c6:3f:6f
trunk0: 02:00:00:b1:8d:d6
ifupdown2__interfaces:
isp0:
addresses:
- 2a09:6840:210::1:1/64
- 10.210.1.1/16
gateways: "{{ ifupdown2__gateways.isp }}"
trunk0:
ipv6_addrgen: false
clients0:
bridge_vlan_aware: true
bridge_ports:
- trunk0
bridge_vids:
- 1000-1004
bridge_disable_pvid: true
ipv6_addrgen: false
client0:
addresses:
- 100.64.0.2/27
vlan_id: 1000
vlan_raw_device: clients0
client1:
addresses:
- 100.64.0.34/27
vlan_id: 1001
vlan_raw_device: clients0
client2:
addresses:
- 100.64.0.66/27
vlan_id: 1002
vlan_raw_device: clients0
client3:
addresses:
- 100.64.0.98/27
vlan_id: 1003
vlan_raw_device: clients0
client4:
addresses:
- 100.64.0.130/27
vlan_id: 1004
vlan_raw_device: clients0
...

47
host_vars/dhcp-2.isp.infra.auro.re.yml
View file

@ -1,47 +0,0 @@
---
systemd_link__links:
isp0: 04:00:00:8c:d1:36
trunk0: 04:00:00:33:2c:3c
ifupdown2__interfaces:
isp0:
addresses:
- 2a09:6840:210::1:2/64
- 10.210.1.2/16
gateways: "{{ ifupdown2__gateways.isp }}"
trunk0:
ipv6_addrgen: false
clients0:
bridge_vlan_aware: true
bridge_ports:
- trunk0
bridge_vids:
- 1000-1004
bridge_disable_pvid: true
ipv6_addrgen: false
client0:
addresses:
- 100.64.0.3/27
vlan_id: 1000
vlan_raw_device: clients0
client1:
addresses:
- 100.64.0.35/27
vlan_id: 1001
vlan_raw_device: clients0
client2:
addresses:
- 100.64.0.67/27
vlan_id: 1002
vlan_raw_device: clients0
client3:
addresses:
- 100.64.0.99/27
vlan_id: 1003
vlan_raw_device: clients0
client4:
addresses:
- 100.64.0.131/27
vlan_id: 1004
vlan_raw_device: clients0
...

11
host_vars/dns-1.int.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
int0: 02:00:00:9f:d9:f9
ifupdown2__interfaces:
int0:
addresses:
- 2a09:6840:206::1:1/64
- 10.206.1.1/16
gateways: "{{ ifupdown2__gateways.int }}"
...

11
host_vars/dns-2.int.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
int0: 04:00:00:3c:c0:5a
ifupdown2__interfaces:
int0:
addresses:
- 2a09:6840:206::1:2/64
- 10.206.1.2/16
gateways: "{{ ifupdown2__gateways.int }}"
...

39
host_vars/edge-1.back.infra.auro.re.yml
View file

@ -1,39 +0,0 @@
---
systemd_link__links:
adm0: 02:00:00:9E:3E:21
crans0: 02:00:00:A2:7C:68
zayo0: 02:00:00:35:89:82
rezel0: 02:00:00:8F:4A:AD
back0: 02:00:00:1C:3A:2E
viarezo0: 02:00:00:ED:70:64
router0: 02:00:00:5A:17:7C
oti0: 02:00:00:05:0E:A6
ifupdown2__interfaces:
adm0:
addresses:
- 2a09:6840:128::10:2/64
- 10.128.10.2/16
crans0:
ipv6_addrgen: false
zayo0:
ipv6_addrgen: false
rezel0:
addresses:
- 2a09:6842:19:9116::1/64
- 45.66.111.1/29
back0:
addresses:
- 2a09:6840:203::1:1/64
- 10.203.1.1/16
viarezo0:
addresses:
- 2a0c:b641:2ff::6/125
- 192.159.121.133/29
router0:
addresses:
- 2a09:6840:129::10:2/56
- 10.129.10.2/16
oti0:
ipv6_addrgen: false
...

39
host_vars/edge-2.back.infra.auro.re.yml
View file

@ -1,39 +0,0 @@
---
systemd_link__links:
adm0: 04:00:00:F5:69:B9
crans0: 04:00:00:CF:E1:D0
zayo0: 04:00:00:67:7B:12
rezel0: 04:00:00:C6:05:B7
back0: 04:00:00:DE:22:E6
viarezo0: 04:00:00:45:FA:E6
router0: 04:00:00:AD:D7:71
oti0: 02:00:00:05:0E:A6
ifupdown2__interfaces:
adm0:
addresses:
- 2a09:6840:128::10:102/64
- 10.128.10.102/16
crans0:
ipv6_addrgen: false
zayo0:
ipv6_addrgen: false
rezel0:
addresses:
- 2a09:6842:19:9116::3/64
- 45.66.111.3/29
back0:
addresses:
- 2a09:6840:203::1:2/64
- 10.203.1.2/16
viarezo0:
addresses:
- 2a0c:b641:2ff::7/125
- 192.159.121.134/29
router0:
addresses:
- 2a09:6840:129::10:102/56
- 10.129.10.102/16
oti0:
ipv6_addrgen: false
...

63
host_vars/infra-1.back.infra.auro.re.yml
View file

@ -1,63 +0,0 @@
---
systemd_link__links:
ups0: 02:00:00:fe:6f:0e
back0: 02:00:00:f8:93:22
monit0: 02:00:00:da:97:7f
wifi0: 02:00:00:8c:c5:bf
int0: 02:00:00:75:40:3e
sw0: 02:00:00:ca:e8:d1
bmc0: 02:00:00:47:d1:b9
pve0: 02:00:00:b3:35:e7
isp0: 02:00:00:6b:53:14
ext0: 02:00:00:32:86:60
vpn0: 02:00:00:52:5f:85
th30: 02:00:00:23:a7:d3
pub0: 02:00:00:7d:34:06
ifupdown2__interfaces:
back0:
addresses:
- 2a09:6840:203::1:3/64
- 10.203.1.3/16
- 45.66.111.210/32 # secondary
ups0:
ipv6_addrgen: false
monit0:
ipv6_addrgen: false
wifi0:
ipv6_addrgen: false
int0:
ipv6_addrgen: false
sw0:
ipv6_addrgen: false
bmc0:
ipv6_addrgen: false
pve0:
ipv6_addrgen: false
isp0:
ipv6_addrgen: false
ext0:
ipv6_addrgen: false
pub0:
ipv6_addrgen: false
vpn0:
addresses:
- 2a09:6840:213::1:1/64
- 10.213.1.1/16
th30:
ipv6_addrgen: false
bird__router_id: 10.203.1.3
bird__bgp_addr:
back:
- 2a09:6840:203::1:3
- 10.203.1.3
vpn:
- 2a09:6840:213::1:1
- 10.213.1.1
bird__pref_src_addr:
- 2a09:6840:203::1:3
- 45.66.111.210
...

63
host_vars/infra-2.back.infra.auro.re.yml
View file

@ -1,63 +0,0 @@
---
systemd_link__links:
ups0: 04:00:00:6d:97:83
back0: 04:00:00:46:ba:f9
monit0: 04:00:00:72:0b:2d
wifi0: 04:00:00:ee:42:0f
int0: 04:00:00:21:fd:d0
sw0: 04:00:00:2e:5b:16
bmc0: 04:00:00:bb:5a:a6
pve0: 04:00:00:0b:2b:82
isp0: 04:00:00:f4:4c:5d
ext0: 04:00:00:1d:0e:83
vpn0: 04:00:00:02:ba:dd
th30: 04:00:00:9e:8d:4f
pub0: 04:00:00:f8:3b:9b
ifupdown2__interfaces:
back0:
addresses:
- 2a09:6840:203::1:4/64
- 10.203.1.4/16
- 45.66.111.211/32 # secondary
ups0:
ipv6_addrgen: false
monit0:
ipv6_addrgen: false
wifi0:
ipv6_addrgen: false
int0:
ipv6_addrgen: false
sw0:
ipv6_addrgen: false
bmc0:
ipv6_addrgen: false
pve0:
ipv6_addrgen: false
isp0:
ipv6_addrgen: false
ext0:
ipv6_addrgen: false
vpn0:
addresses:
- 2a09:6840:213::1:2/64
- 10.213.1.2/16
th30:
ipv6_addrgen: false
pub0:
ipv6_addrgen: false
bird__router_id: 10.203.1.4
bird__bgp_addr:
back:
- 2a09:6840:203::1:4
- 10.203.1.4
vpn:
- 2a09:6840:213:1:2
- 10.213.1.2
bird__pref_src_addr:
- 2a09:6840:203::1:4
- 45.66.111.211
...

59
host_vars/isp-1.back.infra.auro.re.yml
View file

@ -1,59 +0,0 @@
---
systemd_link__links:
adm0: 02:00:00:D8:37:45
back0: 02:00:00:BF:10:4C
trunk0: 02:00:00:E9:BA:15
ifupdown2__interfaces:
adm0:
addresses:
- 2a09:6840:128::10:5/64
- 10.128.10.5/16
gateways: "{{ ifupdown2__gateways.adm }}"
back0:
addresses:
- 2a09:6840:203::1:5/64
- 45.66.111.211/32
- 10.203.1.5/16
trunk0:
ipv6_addrgen: false
clients0:
bridge_vlan_aware: true
bridge_ports:
- trunk0
bridge_vids:
- 1000-1004
bridge_disable_pvid: true
ipv6_addrgen: false
client0:
vlan_id: 1000
vlan_raw_device: clients0
ipv6_addrgen: false
client1:
vlan_id: 1001
vlan_raw_device: clients0
ipv6_addrgen: false
client2:
vlan_id: 1002
vlan_raw_device: clients0
ipv6_addrgen: false
client3:
vlan_id: 1003
vlan_raw_device: clients0
ipv6_addrgen: false
client4:
vlan_id: 1004
vlan_raw_device: clients0
ipv6_addrgen: false
bird__router_id: 10.203.1.5
bird__bgp_addr:
back:
- 2a09:6840:203::1:5
- 10.203.1.5
bird__pref_src_addr:
- 2a09:6840:203::1:5
- 45.66.111.211
...

47
host_vars/isp-2.back.infra.auro.re.yml
View file

@ -1,47 +0,0 @@
---
systemd_link__links:
adm0: 04:00:00:85:C3:5D
back0: 04:00:00:FE:2D:67
trunk0: 04:00:00:D8:F5:4D
ifupdown2__interfaces:
adm0:
addresses:
- 2a09:6840:128::10:105/64
- 10.128.10.105/16
gateways: "{{ ifupdown2__gateways.adm }}"
back0:
addresses:
- 2a09:6840:203::1:6/64
- 10.203.1.6/16
trunk0:
ipv6_addrgen: false
clients0:
bridge_vlan_aware: true
bridge_ports:
- trunk0
bridge_vids:
- 1000-1004
bridge_disable_pvid: true
ipv6_addrgen: false
client0:
vlan_id: 1000
vlan_raw_device: clients0
ipv6_addrgen: false
client1:
vlan_id: 1001
vlan_raw_device: clients0
ipv6_addrgen: false
client2:
vlan_id: 1002
vlan_raw_device: clients0
ipv6_addrgen: false
client3:
vlan_id: 1003
vlan_raw_device: clients0
ipv6_addrgen: false
client4:
vlan_id: 1004
vlan_raw_device: clients0
ipv6_addrgen: false
...

16
host_vars/ldap-1.int.infra.auro.re.yml
View file

@ -1,16 +0,0 @@
---
systemd_link__links:
adm0: 02:00:00:38:c2:52
int0: 02:00:00:fe:a8:54
ifupdown2__interfaces:
adm0:
addresses:
- 2a09:6840:128::10:8/64
- 10.128.10.8/16
int0:
addresses:
- 2a09:6840:206::1:3/64
- 10.206.1.7/16
gateways: "{{ ifupdown2__gateways.int }}"
...

16
host_vars/ldap-2.int.infra.auro.re.yml
View file

@ -1,16 +0,0 @@
---
systemd_link__links:
adm0: 04:00:00:f7:1c:47
int0: 04:00:00:e4:83:d2
ifupdown2__interfaces:
adm0:
addresses:
- 2a09:6840:128::10:108/64
- 10.128.10.108/16
int0:
addresses:
- 2a09:6840:206::1:4/64
- 10.206.1.8/16
gateways: "{{ ifupdown2__gateways.int }}"
...

16
host_vars/log.adm.auro.re.yml
View file

@ -1,16 +0,0 @@
---
borg_backup_directories:
- "/etc/"
- "/var/"
borg_backup_exclude: []
rsyslog_collector_base_dir: /var/log/remote
rsyslog_inputs:
- proto: relp
port: 20514
- proto: udp
port: 514
- proto: tcp
port: 6514
rsyslog_outputs: []
...

38
host_vars/mx.test.infra.auro.re.yml
View file

@ -1,38 +0,0 @@
---
dovecot__auth_default_realm: test.auro.re
dovecot__auth_users:
jeltz@test.auro.re: "{plain}password"
lafeych@test.auro.re: "{plain}password"
toto@test.auro.re: "{plain}password"
root@test.auro.re: "{plain}L9yXSrCbbafMlMls5q7WWMKC612XNbXL"
dovecot__lmtp_postmaster_address: postmaster@test.auro.re
ifupdown2__interfaces:
ext0:
addresses:
- 2a09:6840:211::1:5/64
- 10.211.1.5/16
- 45.66.111.208/30
gateways: "{{ ifupdown2__gateways.ext }}"
postfix__hostname: mx.test.auro.re
postfix__sasl_local_domain: test.auro.re
postfix__virtual_aliases:
postmaster@test.auro.re: root@test.auro.re
dmarc@test.auro.re: root@test.auro.re
postfix__virtual_mailbox_domains:
- infra.test.auro.re
- test.auro.re
postfix__virtual_mailboxes:
jeltz@test.auro.re: jeltz@test.auro.re
root@test.auro.re: root@test.auro.re
toto@test.auro.re: toto@test.auro.re
vincent.lafeychine@test.auro.re: lafeych@test.auro.re
systemd_link__links:
ext0: ae:ae:ae:1d:c8:b2
...

11
host_vars/ns-1.pub.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
pub0: 02:00:00:ad:62:64
ifupdown2__interfaces:
pub0:
addresses:
- 2a09:6840:215::1:2/64
- 45.66.111.205/27
gateways: "{{ ifupdown2__gateways.pub }}"
...

11
host_vars/ns-2.pub.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
pub0: 04:00:00:1b:0a:3a
ifupdown2__interfaces:
pub0:
addresses:
- 2a09:6840:215::1:3/64
- 45.66.111.207/27
gateways: "{{ ifupdown2__gateways.pub }}"
...

29
host_vars/ns-3.ovh.infra.auro.re.yml
View file

@ -1,29 +0,0 @@
---
systemd_link__links:
adm0: 96:77:96:91:e3:6c
ovh0: 02:00:00:97:78:6d
ifupdown2__interfaces:
adm0:
addresses:
- 2a09:6840:128::109/64
- 10.128.0.109/16
ovh0:
addresses:
- 92.222.211.194/24
gateways: "{{ ifupdown2__gateways.ovh }}"
# TODO: remove as soon as the VPN works
knotd__remotes:
xfr-master:
address: 2a09:6840:128::110
key: xfr
knotd__acl:
notify-master:
address:
- 2a09:6840:128::110
- 10.128.0.110
key: xfr
action: notify
...

617
host_vars/ns-master.int.infra.auro.re/knotd.yml
View file

@ -1,617 +0,0 @@
---
knotd__listen:
- address: 0.0.0.0
- address: "::"
knotd__keys:
xfr:
algorithm: hmac-sha512
secret: "{{ vault_knotd_xfr_key }}"
ksk-infra:
algorithm: hmac-sha512
secret: "{{ vault_knotd_ksk_infra_key }}"
update-acme-challenge:
algorithm: hmac-sha512
secret: "{{ vault_certbot_dns_secret }}"
knotd__remotes:
xfr-ns-1:
address: 2a09:6840:215::1:2
key: xfr
xfr-ns-2:
address: 2a09:6840:215::1:3
key: xfr
xfr-ns-3:
address: 10.128.0.109
key: xfr
ksk-infra:
address: ::1
key: ksk-infra
knotd__policies:
public:
algorithm: ECDSAP256SHA256
reproducible_signing: true
# Je n'ai pas trouvé de façon de pousser les records automatiquement
# sur .re, donc pour éviter d'oublier de le faire manuellement, la
# KSK n'expire pas
ksk_lifetime: 0
zsk_lifetime: 30d
nsec3: true
infra:
algorithm: ECDSAP256SHA256
ksk_lifetime: 365d
zsk_lifetime: 30d
nsec3: on
ds-push: ksk-infra
cds-cdnskey-publish: rollover
ksk-submission: infra
ripe:
algorithm: ECDSAP256SHA256
ksk_lifetime: 365d
zsk_lifetime: 30d
nsec3: on
ds-push: ksk-ripe
cds-cdnskey-publish: rollover
ksk-submission: ripe
knotd__acl:
xfr:
addresses:
- 2a09:6840:128::109
- 10.128.0.109
- 2a09:6840:215::1:2
- 45.66.111.205
- 2a09:6840:215::1:3
- 45.66.111.207
action: transfer
key: xfr
ksk-infra:
addresses:
- 127.0.0.1
- ::1
key: ksk-infra
action: update
update_types:
- DS
update_owner: name
update_owner_match: equal
update_owner_name:
- infra
update-acme-challenge:
addresses:
- 10.128.0.0/16
- 2a09:6840:128::/48
key: update-acme-challenge
action: update
update_types:
- TXT
update_owner: name
update_owner_match: equal
update_owner_name:
- _acme-challenge.auro.re.
knotd__queryacl:
local:
addresses:
- 10.0.0.0/8
knotd__soa_rname: root@auro.re.
knotd__hosts:
auro.re:
proxy-ovh:
- 92.222.211.195
horus:
- 92.23.218.136
ns-1:
- 45.66.111.205
- 2a09:6840:215::1:2
ns-2:
- 92.222.211.194
serge:
- 92.222.211.196
lama:
- 185.230.78.220
- 2a0c:700:12:0:67:e5ff:fee9:108
vpn-ovh:
- 92.222.211.197
passerelle:
- 45.66.111.254
- 2a09:6840:111::254
proxy:
- 45.66.111.61
- 2a09:6840:111::61
camelot:
- 45.66.111.59
- 2a09:6840:111::59
mail:
- 45.66.111.62
- 2a09:6840:111::62
galene:
- 45.66.111.65
- 2a09:6840:111::65
aclyas:
- 45.66.111.231
- 2a09:6840:111::231
jitsi:
- 45.66.111.55
- 2a09:6840:111::55
jitsi-ng:
- 45.66.111.216
- 2a09:6840:215::1:216
portail-fleming:
- 10.13.0.247
- 2a09:6840:13::247
portail-pacaterie:
- 10.23.0.247
- 2a09:6840:23::247
portail-rives:
- 10.33.0.247
- 2a09:6840:33::247
portail-edc:
- 10.43.0.247
- 2a09:6840:43::247
portail-gs:
- 10.53.0.247
- 2a09:6840:53::247
adh.auro.re:
paon:
- 45.66.110.10
- 2a09:6840:110:0:231:92ff:fe1b:ae22
lyshyga0:
- 45.66.110.113
- 2a09:6840:110:0:6af7:28ff:fe91:e8d9
pz28910:
- 45.66.110.114
vinsing0:
- 45.66.110.123
- 2a09:6840:110:0:1e1b:dff:fe90:7d81
osc-routeur:
- 45.66.110.125
- 2a09:6840:110:0:ba27:ebff:fe2d:c1a1
odroid:
- 45.66.110.154
- 2a09:6840:110:0:21e:6ff:fe49:e00
amau0:
- 45.66.110.164
- 2a09:6840:110:0:3e7c:3fff:fec3:27d1
regulus:
- 45.66.110.180
- 2a09:6840:110:0:2ef0:5dff:fe2a:1530
toaster:
- 45.66.110.188
- 2a09:6840:110:0:5246:5dff:fe9a:f70
rpijutax:
- 45.66.110.190
- 2a09:6840:110:0:ba27:ebff:fe76:a9bc
polaris:
- 45.66.110.245
- 2a09:6840:110:0:dea6:32ff:feb4:d033
lafeychine:
- 92.91.154.45
infra.auro.re:
services-1.ceph:
- 2a09:6840:214::1:1
- 10.214.1.1
services-2.ceph:
- 2a09:6840:214::1:2
- 10.214.1.2
services-3.ceph:
- 2a09:6840:209::1:3
- 10.214.1.3
services-1.pve:
- 2a09:6840:209::2:1
- 10.209.2.1
services-2.pve:
- 2a09:6840:209::2:2
- 10.209.2.2
network-1.pve:
- 2a09:6840:209::1:1
- 10.209.1.1
network-2.pve:
- 2a09:6840:209::1:2
- 10.209.1.2
services-3.pve:
- 2a09:6840:209::2:3
- 10.209.2.3
caradoc.bmc:
- 2a09:6840:208::1:1
- 10.208.1.1
services-1.bmc:
- 2a09:6840:208::1:2
- 10.208.1.2
services-2.bmc:
- 2a09:6840:208::1:3
- 10.208.1.3
services-3.bmc:
- 2a09:6840:208::1:4
- 10.208.1.4
perceval.bmc:
- 2a09:6840:208::1:5
- 10.208.1.5
chapalux.bmc:
- 2a09:6840:208::1:6
- 10.208.1.6
loki.bmc:
- 2a09:6840:208::1:7
- 10.208.1.7
network-1.bmc:
- 2a09:6840:208::1:8
- 10.208.1.8
network-2.bmc:
- 2a09:6840:208::1:9
- 10.208.1.9
escalope.bmc:
- 2a09:6840:208::1:10
- 10.208.1.10
edge-1.back:
- 2a09:6840:203::1:1
- 10.203.1.1
edge-2.back:
- 2a09:6840:203::1:2
- 10.203.1.2
isp-1.back:
- 2a09:6840:203::1:5
- 10.203.1.5
isp-2.back:
- 2a09:6840:203::1:6
- 10.203.1.6
infra-1.back:
- 2a09:6840:203::1:3
- 10.203.1.3
infra-2.back:
- 2a09:6840:203::1:4
- 10.203.1.4
ns-master.int:
- 2a09:6840:128:0::110
- 10.128.0.110
log-1.int:
- 2a09:6840:206::1:9
- 10.206.1.9
log-2.int:
- 2a09:6840:206::1:10
- 10.206.1.10
dns-1.int:
- 2a09:6840:206::1:1
- 10.206.1.1
dns-2.int:
- 2a09:6840:206::1:2
- 10.206.1.2
nis2.int:
- 2a09:6840:206::2:1
- 10.206.2.1
ldap-1.int:
- 10.128.10.8
- 2a09:6840:128::10:8
ldap-2.int:
- 10.128.10.108
- 2a09:6840:128::10:108
ntp-1.int:
- 2a09:6840:206::1:5
- 10.206.1.5
ntp-2.int:
- 2a09:6840:206::1:6
- 10.206.1.6
wg-1.vpn:
- 2a09:6840:213::1:3
- 10.213.1.3
wg-2.vpn:
- 2a09:6840:213::1:4
- 10.213.1.4
dhcp-1.isp:
- 2a09:6840:210::1:1
- 10.210.1.1
dhcp-2.isp:
- 2a09:6840:210::1:2
- 10.210.1.2
radius-1.isp:
- 2a09:6840:210::1:3
- 10.210.1.3
radius-2.isp:
- 2a09:6840:210::1:4
- 10.210.1.4
prometheus-1.monit:
- 2a09:6840:204::1:1
- 10.204.1.1
prometheus-2.monit:
- 2a09:6840:204::1:2
- 10.204.1.2
ff-1.core.sw:
- 10.207.1.1
ff-2.core.sw:
- 10.207.1.2
fl-1.core.sw:
- 10.207.1.3
fl-2.core.sw:
- 10.207.1.4
fd-1.core.sw:
- 10.207.1.5
ff-3.core.sw:
- 10.207.1.6
gk-1.core.sw:
- 10.207.2.1
eb-1.core.sw:
- 10.207.3.1
r3-1.core.sw:
- 10.207.4.1
eb-1.ups:
- 2a09:6840:201::3:1
- 10.201.3.1
ec-1.ups:
- 2a09:6840:201::3:2
- 10.201.3.2
mx.test:
- 2a09:6840:211::1:5
- 10.211.1.5
collabora.ext:
- 2a09:6840:211::1:1
- 10.211.1.1
grafana.ext:
- 2a09:6840:211::1:7
- 10.211.1.7
proxy.pub:
- 2a09:6840:215::1:1
- 45.66.111.206
ns-1.pub:
- 2a09:6840:215::1:2
- 45.66.111.205
ns-2.pub:
- 2a09:6840:215::1:3
- 45.66.111.207
ns-3.ovh:
- 92.222.211.194
tor.pub:
- 45.66.111.215
- 2a09:6840:215::1:215
jitsi.pub:
- 45.66.111.216
- 2a09:6840:215::1:216
knotd__zones:
auro.re:
dnssec_policy: public
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- update-acme-challenge
- ksk-infra
- xfr
soa:
mname: ns-master.int.infra
ns:
- target:
- ns-1.pub.infra
- ns-2.pub.infra
- name: infra
target:
- ns-1.pub.infra
- ns-2.pub.infra
- name: test
target:
- ns-1.pub.infra
- ns-2.pub.infra
- name: adm
target:
- serge
- lama
- name: ups
target:
- serge
- lama
- name: switch
target:
- serge
- lama
- name: borne
target:
- serge
- lama
mx:
- exchange: mail
preference: 5
- exchange: proxy-ovh
preference: 10
txt:
- data: v=spf1 mx -all
a:
- address: 92.222.211.195
cname:
- name:
- gisti
- gistiti
target: jitsi
- name:
- element
- riot
- auth
- rss
- codimd
- hedgedoc
- grist
- kanboard
- www
- pad
- privatebin
- zero
- paste
target: proxy-ovh
- name:
- grafana
- grafana-ng
- nextcloud
- cloud
- office
target: proxy.pub.infra
- name:
- netbox
- wiki
- matrix
- drone
- gitea
- re2o
- vote
target: proxy
- name: intranet
target: re2o
- name:
- smtp
- imap
target: mail
- name:
- prometheus-paul.adh
- pma-paul.adh
- nextcloud-paul.adh
- grafana-paul.adh
- jellyfin.adh
- monitoring.adh
- beta-mpp.adh
- pz28.adh
target: lucepaul.myvnc.com.
- name:
- services-1.pve
target: services-1.pve.infra
- name:
- services-2.pve
target: services-2.pve.infra
- name:
- services-3.pve
target: services-3.pve.infra
hosts: "{{ knotd__hosts['auro.re']
| combine(knotd__hosts['adh.auro.re']
| add_origin_keys('adh.auro.re.')) }}"
test.auro.re:
dnssec_policy: public
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
txt:
- data: v=spf1 mx -all
- name: _dmarc
data: v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@test.auro.re;ruf=mailto:postmaster@test.auro.re
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
mx:
- exchange: mx
preference: 5
cname:
- name:
- www1
- www2
- www3
target: proxy.pub.infra.auro.re.
hosts:
mx:
- 2a09:6840:211::1:5
- 45.66.111.205
infra.auro.re:
dnssec_policy: infra
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
#queryacl: local
soa:
mname: ns-master.int
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
hosts: "{{ knotd__hosts['infra.auro.re'] }}"
108.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
109.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
110.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
reverse_hosts: "{{ knotd__hosts['adh.auro.re']
| ip_filter(['45.66.110.0/24'])
| add_origin_keys('adh.auro.re.') }}"
111.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
reverse_hosts: "{{ knotd__hosts['auro.re']
| ip_filter(['45.66.111.0/24'])
| add_origin_keys('auro.re.') }}"
0.4.8.6.9.0.a.2.ip6.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
reverse_hosts: "{{ knotd__hosts['auro.re']
| ip_filter(['2a09:6840::/32'])
| add_origin_keys('auro.re.')
| combine(knotd__hosts['adh.auro.re']
| ip_filter(['2a09:6840::/32'])
| add_origin_keys('adh.auro.re.')) }}"
...

16
host_vars/ns-master.int.infra.auro.re/main.yml
View file

@ -1,16 +0,0 @@
---
systemd_link__links:
int0: 02:00:00:e3:36:c8
adm0: 42:17:a7:d1:bd:6a
ifupdown2__interfaces:
adm0:
addresses:
- 2a09:6840:128::110/64
- 10.128.0.110/16
int0:
addresses:
- 2a09:6840:206::1:7/64
- 10.206.1.7/16
gateways: "{{ ifupdown2__gateways.int }}"
...

11
host_vars/ntp-1.int.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
int0: 02:00:00:74:71:83
ifupdown2__interfaces:
int0:
addresses:
- 2a09:6840:206::1:5/64
- 10.206.1.5/16
gateways: "{{ ifupdown2__gateways.int }}"
...

11
host_vars/ntp-2.int.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
int0: 04:00:00:31:be:50
ifupdown2__interfaces:
int0:
addresses:
- 2a09:6840:206::1:6/64
- 10.206.1.6/16
gateways: "{{ ifupdown2__gateways.int }}"
...

3
host_vars/perceval.adm.auro.re.yml
View file

@ -1,3 +0,0 @@
---
borg_server_backups_dir: /borg
...

105
host_vars/portail.adm.auro.re.yml
View file

@ -1,105 +0,0 @@
---
loc_nginx:
service_name: captive_portal
default_server: '$server_addr'
default_ssl_server: '$server_addr'
servers:
- server_name:
- "10.13.0.247"
locations:
- filter: "/"
params:
- "return 302 https://portail-fleming.auro.re/portail/"
- ssl: auro.re
server_name:
- portail-fleming.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-fleming.auro.re/portail/"
- ssl: auro.re
server_name:
- 10.23.0.247
locations:
- filter: "/"
params:
- "return 302 https://portail-pacaterie.auro.re/portail/"
- ssl: auro.re
server_name:
- portail-pacaterie.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-pacaterie.auro.re/portail/"
- ssl: auro.re
server_name:
- "10.33.0.247"
locations:
- filter: "/"
params:
- "return 302 https://portail-rives.auro.re/portail/"
- ssl: auro.re
server_name:
- portail-rives.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-rives.auro.re/portail/"
- ssl: auro.re
server_name:
- "10.43.0.247"
locations:
- filter: "/"
params:
- "return 302 https://portail-edc.auro.re/portail/"
- ssl: auro.re
server_name:
- portail-edc.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-edc.auro.re/portail/"
- ssl: auro.re
server_name:
- "10.53.0.247"
locations:
- filter: "/"
params:
- "return 302 https://portail-gs.auro.re/portail/"
- ssl: auro.re
server_name:
- portail-gs.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-gs.auro.re/portail/"

11
host_vars/prometheus-1.monit.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
monit0: 02:00:00:a8:6b:51
ifupdown2__interfaces:
monit0:
addresses:
- 2a09:6840:204::1:1/64
- 10.204.1.1/16
gateways: "{{ ifupdown2__gateways.monit }}"
...

11
host_vars/prometheus-2.monit.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
monit0: 04:00:00:a6:93:5a
ifupdown2__interfaces:
monit0:
addresses:
- 2a09:6840:204::1:2/64
- 10.204.1.2/16
gateways: "{{ ifupdown2__gateways.monit }}"
...

50
host_vars/proxy-ovh.adm.auro.re.yml
View file

@ -1,20 +1,44 @@
--- ---
loc_certbot: certbot:
- dns_rfc2136_server: '10.128.0.30' domains:
dns_rfc2136_name: certbot_challenge. - auro.re
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" - chat.auro.re # cname to riot.auro.re
- codimd.auro.re
- element.auro.re # cname to riot.auro.re
- ehterpad.auro.re # cname to pad.auro.re
- grafana.auro.re
- hedgedoc.auro.re # cname to codimd.auro.re
- pad.auro.re
- passbolt.auro.re
- paste.auro.re # cname to privatebin.auro.re
- phabricator.auro.re
- privatebin.auro.re
- riot.auro.re
- sharelatex.auro.re
- status.auro.re
- wiki.auro.re
- www.auro.re
- zero.auro.re # cname to privatebin.auro.re
mail: tech.aurore@lists.crans.org mail: tech.aurore@lists.crans.org
certname: auro.re certname: auro.re
domains: "auro.re, *.auro.re"
loc_reverseproxy: nginx:
ssl:
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
redirect_dnames:
- aurores.net
- fede-aurore.net
redirect_tcp: {}
redirect_sites: redirect_sites:
- from: www.auro.re - from: www.auro.re
to: auro.re to: auro.re
- from: 92.222.211.195 - from: 92.222.211.195
to: auro.re to: auro.re
- from: codimd.auro.re
to: hedgedoc.auro.re
reverseproxy_sites: reverseproxy_sites:
- from: phabricator.auro.re - from: phabricator.auro.re
@ -29,9 +53,6 @@ loc_reverseproxy:
- from: passbolt.auro.re - from: passbolt.auro.re
to: 10.128.0.53 to: 10.128.0.53
- from: auth.auro.re
to: 10.128.0.150:8089
- from: riot.auro.re - from: riot.auro.re
to: "10.128.0.150:8080" to: "10.128.0.150:8080"
- from: element.auro.re - from: element.auro.re
@ -39,6 +60,8 @@ loc_reverseproxy:
- from: chat.auro.re - from: chat.auro.re
to: "10.128.0.150:8080" to: "10.128.0.150:8080"
- from: codimd.auro.re
to: "10.128.0.150:8081"
- from: hedgedoc.auro.re - from: hedgedoc.auro.re
to: "10.128.0.150:8081" to: "10.128.0.150:8081"
@ -59,10 +82,5 @@ loc_reverseproxy:
- from: cas.auro.re - from: cas.auro.re
to: "10.128.0.150:8085" to: "10.128.0.150:8085"
- from: rss.auro.re
to: 10.128.0.150:8090
- from: status.auro.re - from: status.auro.re
to: "10.128.0.150:8086" to: "10.128.0.150:8086"
- from: "kanboard.auro.re"
to: "10.128.0.150:8088"
...

58
host_vars/proxy.adm.auro.re.yml
View file

@ -1,31 +1,31 @@
--- ---
loc_certbot: certbot:
- dns_rfc2136_server: '10.128.0.30' domains:
dns_rfc2136_name: certbot_adm_challenge. - bbb.auro.re
dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}" - drone.auro.re
mail: tech.aurore@lists.crans.org - gitea.auro.re
certname: adm.auro.re - intranet.auro.re
domains: "*.adm.auro.re" - litl.auro.re
- dns_rfc2136_server: '10.128.0.30' - nextcloud.auro.re
dns_rfc2136_name: certbot_challenge. - re2o.auro.re
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" - vote.auro.re
- re2o-server.auro.re
- re2o-test.auro.re
- wikijs.auro.re
mail: tech.aurore@lists.crans.org mail: tech.aurore@lists.crans.org
certname: auro.re certname: auro.re
domains: "*.auro.re"
loc_nginx: nginx:
servers: []
ssl: ssl:
- name: adm.auro.re
cert: /etc/letsencrypt/live/adm.auro.re/fullchain.pem
cert_key: /etc/letsencrypt/live/adm.auro.re/privkey.pem
trusted_cert: /etc/letsencrypt/live/adm.auro.re/chain.pem
- name: auro.re
cert: /etc/letsencrypt/live/auro.re/fullchain.pem cert: /etc/letsencrypt/live/auro.re/fullchain.pem
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
loc_reverseproxy: redirect_dnames:
- aurores.net
- fede-aurore.net
redirect_tcp: redirect_tcp:
- name: Gitea - name: Gitea
port: 2222 port: 2222
@ -33,7 +33,7 @@ loc_reverseproxy:
redirect_sites: redirect_sites:
- from: 45.66.111.61 - from: 45.66.111.61
to: intranet.auro.re to: auro.re
reverseproxy_sites: reverseproxy_sites:
- from: re2o.auro.re - from: re2o.auro.re
@ -41,14 +41,14 @@ loc_reverseproxy:
- from: intranet.auro.re - from: intranet.auro.re
to: 10.128.0.20 to: 10.128.0.20
- from: bbb.auro.re
to: 10.128.0.54
- from: nextcloud.auro.re - from: nextcloud.auro.re
to: "10.128.0.58:8080" to: "10.128.0.58:8080"
- from: gitea.auro.re - from: gitea.auro.re
to: "10.128.0.60:3000" to: "10.128.0.60:3000"
- from: git.adm.auro.re
to: "10.128.0.60:3000"
ssl: adm.auro.re
- from: drone.auro.re - from: drone.auro.re
to: "10.128.0.64:8000" to: "10.128.0.64:8000"
@ -61,15 +61,3 @@ loc_reverseproxy:
- from: wikijs.auro.re - from: wikijs.auro.re
to: "10.128.0.66:3000" to: "10.128.0.66:3000"
- from: wiki.auro.re
to: "10.128.0.66:3000"
- from: netbox.auro.re
to: 10.128.0.97
- from: grafana.auro.re
to: "10.128.0.98:3000"
- from: office.auro.re
to: "10.128.0.220"

103
host_vars/proxy.pub.infra.auro.re.yml
View file

@ -1,103 +0,0 @@
---
systemd_link__links:
pub0: ae:ae:ae:3a:71:0b
ifupdown2__interfaces:
pub0:
addresses:
- 2a09:6840:215::1:1/64
- 45.66.111.206/27
gateways: "{{ ifupdown2__gateways.pub }}"
caddy__matrix_headers:
access-control-allow-headers: "Origin, X-Requested-With, Content-Type, Accept, Authorization"
access-control-allow-methods: "GET, POST, PUT, DELETE, OPTIONS"
access-control-allow-origin: "*"
caddy__routes_https:
www1.test.auro.re:
- root: /var/www/auro.re
- path: /.well-known/matrix/server
headers: "{{ caddy__matrix_headers }}"
body: '{"m.server": "matrix.auro.re:8448"}'
status: 200
- path: /.well-known/matrix/client
headers: "{{ caddy__matrix_headers }}"
body: '{"m.homeserver": {"base_url": "https://matrix.auro.re"}}'
status: 200
www2.test.auro.re:
headers:
location: "https://auro.re{http.request.uri}"
status: 301
www3.test.auro.re:
reverse:
- "[2a09:6840:128::198]:3000"
- 10.128.0.198:3000
grafana.auro.re:
reverse:
- "[2a09:6840:128::98]:3000"
- 10.128.0.98:3000
grafana-ng.auro.re:
reverse:
- "[2a09:6840:211::1:7]:80"
- 10.211.1.7:80
office.auro.re:
reverse:
- "[2a09:6840:211::1:1]:9980"
- 10.211.1.1:9980
nextcloud.auro.re:
headers:
location: "https://cloud.auro.re{http.request.uri}"
status: 301
cloud.auro.re:
- path: /.well-known/carddav
headers:
location: /remote.php/dav/
status: 301
- path: /.well-known/caldav
headers:
location: /remote.php/dav/
status: 301
- path: /.well-known/webfinger
headers:
location: /index.php/.well-known/webfinger
status: 301
- path: /.well-known/nodeinfo
headers:
location: /index.php/.well-known/nodeinfo
status: 301
- path: /remote/*
rewrite: /remote.php
- path: /ocm-provider/*
rewrite: /index.php
- path: "*.mjs"
headers:
content-type: text/javascript
- reverse:
- "[2a09:6840:128::58]:8080"
- 10.128.0.58:8080
headers:
x-robots-tag: noindex, nofollow
referrer-policy: no-referrer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: "1; mode=block"
caddy__contact_email: tech.aurore@lists.crans.org
caddy__errors:
- root: "{{ caddy__error_dir }}"
- rewrite: /error.html
- file_server: true
templates: true
caddy__servers:
https:
listen: ":443"
routes: "{{ caddy__routes_https }}"
errors: "{{ caddy__errors }}"
http:
listen: ":80"
...

11
host_vars/radius-1.isp.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
isp0: 02:00:00:6a:3e:f4
ifupdown2__interfaces:
isp0:
addresses:
- 2a09:6840:210::1:3/64
- 10.210.1.3/16
gateways: "{{ ifupdown2__gateways.isp }}"
...

11
host_vars/radius-2.isp.infra.auro.re.yml
View file

@ -1,11 +0,0 @@
---
systemd_link__links:
isp0: 04:00:00:29:6d:c9
ifupdown2__interfaces:
isp0:
addresses:
- 2a09:6840:210::1:4/64
- 10.210.1.4/16
gateways: "{{ ifupdown2__gateways.isp }}"
...

93
host_vars/sw-ec-1.yml
View file

@ -1,93 +0,0 @@
---
switch_vars:
name: sw-ec-1
location: "Local_de_Brassage_EdC"
host: 10.130.4.11
port: 80
username: "{{ vault_switch.username }}"
password: "{{ vault_switch.password }}"
delete_vlans: []
vlans:
- id: 40
name: "Filaire_EDC"
tagged: "{{ '9-10,12,14,16,18,20,22-25' | range2list }}"
- id: 41
name: "Wifi_EDC"
tagged: "{{ '5-10,12,14,16,18,20,22-25' | range2list }}"
- id: 42
name: "Banni_EDC"
tagged: "{{ '5-10,12,14,16,18,20,22-25' | range2list }}"
- id: 43
name: "Accueil_EDC"
tagged: "{{ '5-10,12,14,16,18,20,22-25' | range2list }}"
- id: 110
name: "Adherents_IP_Publiques"
tagged: "{{ '9-10,12,14,16,18,20,22-25' | range2list }}"
- id: 111
name: "Serveurs_IP_Publiques"
tagged: "{{ '25' | range2list }}"
- id: 131
name: "Onduleurs"
tagged: [25]
- id: 144
name: "Bornes_Wifi_EDC"
tagged: [25]
untagged: "{{ '5-8,12,14,16,18,20,22-24' | range2list }}"
ports:
- id: 1
name: "Room_Ouest_363"
- id: 2
name: "Room_Ouest_364"
- id: 3
name: "Room_Principale_Foyer_1"
- id: 4
name: "Room_Principale_Foyer_2"
- id: 5
name: "Borne_Principale_0_1"
- id: 6
name: "Borne_Principale_1_1"
- id: 7
name: "Borne_Principale_1_2"
- id: 8
name: "Borne_Principale_1_3"
- id: 9
name: "Room_Ouest_352"
- id: 10
name: "Borne_Adh_Ouest_252"
- id: 11
name: "Room_Ouest_273"
- id: 12
name: "Borne_Adh_Est_231"
- id: 13
name: "Room_Ouest_261"
- id: 14
name: "Borne_Adh_Ouest_272"
- id: 15
name: "Room_Ouest_262"
- id: 16
name: "Room_Est_225"
- id: 17
name: "Room_Ouest_263"
- id: 18
name: "Room_Ouest_76"
- id: 19
name: "Room_Ouest_264"
- id: 20
name: "Borne_Adh_Ouest_58"
- id: 21
name: "Room_Ouest_265"
- id: 22
name: "Not_used"
- id: 23
name: "Room_Ouest_158"
- id: 24
name: "Borne_Adh_Ouest_267"
# id: 25
# name: "Uplink_sw-ec-core"
- id: 26
name: "Not_used"
- id: 27
name: "Not_used"
- id: 28
name: "Not_used"
...

228
host_vars/sw-ec-2.yml
View file

@ -1,228 +0,0 @@
---
switch_vars:
name: sw-ec-2
location: Local de Brassage EdC
host: 10.130.4.12
port: 80
username: "{{ vault_switch.username }}"
password: "{{ vault_switch.password }}"
delete_vlans: []
vlans:
- id: 40
name: "Filaire_edc"
tagged: [49]
- id: 41
name: "Wifi_edc"
tagged: [49]
- id: 42
name: "Banni_edc"
tagged: [49]
- id: 43
name: "Accueil_edc"
tagged: [49]
- id: 110
name: "Adherents_ip_publiques"
tagged: [49]
- id: 111
name: "Serveurs_ip_publiques"
tagged: [49]
- id: 131
name: "Onduleurs"
tagged: [49]
- id: 144
name: "Bornes_wifi_edc"
tagged: [49]
ports:
- id: 1
name: "Room_edc_Aile_Principale_115"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 2
name: "Room_edc_Aile_Principale_103"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 3
name: "Room_edc_Aile_Principale_114"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 4
name: "Room_edc_Aile_Principale_102"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 5
name: "Room_edc_Aile_Principale_113"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 6
name: "Room_edc_Aile_Principale_101"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 7
name: "Room_edc_Aile_Principale_112"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 8
name: "Room_edc_Aile_Principale_100"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 9
name: "Room_edc_Aile_Principale_111"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 10
name: "Room_edc_Aile_Principale_215"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 11
name: "Room_edc_Aile_Principale_110"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 12
name: "Room_edc_Aile_Principale_214"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 13
name: "Room_edc_Aile_Principale_207"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 14
name: "Room_edc_Aile_Est_24"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 15
name: "Room_edc_Aile_Principale_206"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 16
name: "Room_edc_Aile_Est_25"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 17
name: "Room_edc_Aile_Principale_205"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 18
name: "Room_edc_Aile_Est_26"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 19
name: "Room_edc_Aile_Principale_204"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 20
name: "Room_edc_Aile_Est_27"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 21
name: "Room_edc_Aile_Principale_203"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 22
name: "Room_edc_Aile_Est_28"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 23
name: "Room_edc_Aile_Principale_202"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 24
name: "Room_edc_Aile_Est_29"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 25
name: "Room_edc_Aile_Principale_201"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 26
name: "Room_edc_Aile_Est_30"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 27
name: "Room_edc_Aile_Principale_200"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 28
name: "Room_edc_Aile_Est_31"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 29
name: "Room_edc_Aile_Est_20"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 30
name: "Room_edc_Aile_Est_32"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 31
name: "Room_edc_Aile_Est_21"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 32
name: "Room_edc_Aile_Est_33"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 33
name: "Room_edc_Aile_Est_22"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 34
name: "Room_edc_Aile_Est_34"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 35
name: "Room_edc_Aile_Est_23"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 36
name: "Room_edc_Aile_Est_120"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 37
name: "Room_edc_Aile_Principale_109"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 38
name: "Room_edc_Aile_Principale_213"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 39
name: "Room_edc_Aile_Principale_108"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 40
name: "Room_edc_Aile_Principale_212"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 41
name: "Room_edc_Aile_Principale_107"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 42
name: "Room_edc_Aile_Principale_211"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 43
name: "Room_edc_Aile_Principale_106"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 44
name: "Room_edc_Aile_Principale_210"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 45
name: "Room_edc_Aile_Principale_105"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 46
name: "Room_edc_Aile_Principale_209"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 47
name: "Room_edc_Aile_Principale_104"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
- id: 48
name: "Room_edc_Aile_Principale_208"
lldp: "LPAS_TX_AND_RX"
loop_protect: true
...

Some files were not shown because too many files have changed in this diff Show more