Fix: keep the logs for 90 days #36

Merged
jeltz merged 3 commits from logrotate-fix-90-jours into master 2021-03-11 14:38:35 +01:00
89 changed files with 2515 additions and 464 deletions


@ -1,7 +1,10 @@
skip_list:
- '301'
- no-changed-when
- load-failure
- document-start
warn_list:
- '305' # Use shell only when shell functionality is required
- '503' # Tasks that run when changed should likely be handlers
- experimental # all rules tagged as experimental
exclude_paths:
- group_vars/all/vault.yml
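Review bot: `load-failure` in `skip_list` silences the rule that reports files ansible-lint could not parse at all, so a playbook with a syntax error would pass this lint step without any message; from the rendered view it is not certain which of these entries are new in this hunk. Keeping it as a hard failure, or at least moving it to `warn_list` next to `experimental`, keeps parse errors visible in CI. The file path is not shown, but the keys identify it as the ansible-lint configuration.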


@ -4,16 +4,9 @@ type: docker
name: check
steps:
- name: yamllint
image: python:3.9-alpine
- name: ansible and yaml linting
pull: never
image: aurore-ansible-lint-image
commands:
- pip install yamllint==1.25.0
- yamllint -c .yamllint.yml .
- name: ansible-lint
image: python:3.9-alpine
commands:
- apk add --no-cache gcc libc-dev libffi-dev openssl-dev
- pip install ansible-lint==4.3.7
- ansible-lint *.yml
- ansible-lint
...
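Review bot: The `ansible and yaml linting` step runs `image: aurore-ansible-lint-image` with `pull: never`, so the check depends on whatever image was last built by hand on the runner and nothing in the pipeline records which Dockerfile or tool versions that is; the enclosing pipeline header is outside the hunk. A comment on the step such as `# built manually on the runner from docker-ansible-lint/, see its README` and a versioned tag (e.g. `aurore-ansible-lint-image:5.0.0`, constructed) would make the dependency visible and reproducible. `pull: never` also means a stale image keeps passing until someone remembers to rebuild it.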


@ -1,19 +0,0 @@
---
image: python:3.9-alpine
stages:
- lint
yamllint:
stage: lint
script:
- pip install yamllint==1.25.0
- yamllint -c .yamllint.yml .
ansible-lint:
stage: lint
script:
- apk add gcc libc-dev libffi-dev openssl-dev
- pip install ansible-lint==4.3.7
- ansible-lint *.yml
...


@ -6,6 +6,5 @@ rules:
max: 120
level: warning
document-start:
ignore: |
/groups_var/all/vault.yml
ignore: group_vars/all/vault.yml
...


@ -1,3 +1,5 @@
[![Linter Status](https://drone.auro.re/api/badges/Aurore/ansible/status.svg)](https://drone.auro.re/Aurore/ansible)
# Recettes Ansible d'Aurore
Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore.

7
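--- a/bdd.yml
+++ b/bdd.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+# Install and configure bdd servers at Saclay and at OVH
+- hosts: bdd
+roles:
+- postgresql_server
+...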


@ -0,0 +1,8 @@
---
# Deploy a correclty configured postfix on non mailhost servers
- hosts: all,!unifi
vars:
local_network: 10.128.0.0/16
relay_host: proxy.adm.auro.re
roles:
- postfix_non_mailhost
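Review bot: The header comment on the first line of this playbook reads `# Deploy a correclty configured postfix on non mailhost servers`; `correclty` should be `correctly`. Unlike `bdd.yml` in the same PR, this playbook carries no `#!/usr/bin/env ansible-playbook` shebang and no closing `...`, which may be deliberate but leaves the two new playbooks inconsistent. The file's path is not visible in the rendered view.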


@ -0,0 +1,7 @@
FROM python:3.9-alpine
LABEL description="Aurore's docker image for ansible-lint"
RUN apk add --no-cache gcc musl-dev python3-dev libffi-dev openssl-dev cargo
RUN pip install "yamllint>=1.26.0,<2.0"
RUN pip install "ansible-lint==5.0.0"
RUN pip install "ansible>=2.10,<2.11"
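Review bot: The three `RUN pip install` lines create three layers and leave pip's download cache in each; a single `RUN pip install --no-cache-dir "yamllint>=1.26.0,<2.0" "ansible-lint==5.0.0" "ansible>=2.10,<2.11"` keeps the image smaller and lets pip resolve the three requirements together, so a conflict between the `ansible` range and `ansible-lint==5.0.0` is reported rather than silently overwriting an earlier install. `FROM python:3.9-alpine` is a floating tag and the image is rebuilt by hand rather than in CI, so a comment like `# rebuild when ansible-lint is bumped, see the README next to this file` would tell the next maintainer when to refresh it. The file's path is not shown, but the content is a Dockerfile.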


@ -0,0 +1,18 @@
# Ansible-lint image
In order to build this image when a new version comes out, you need to
1. ssh into the `drone.adm.auro.re` server
2. git pull this repo to the lastest version
3. optionally make the changes if it has not been done yet
4. `sudo docker build -t aurore-ansible-lint-image docker-ansible-lint/`
5. ???
6. enjoy
You can verify that the image was correclty built by running
```
# list the images present
sudo docker image ls
# run your image with an interactive shell
sudo docker run -it --rm aurore-ansible-lint-image /bin/sh
```


@ -20,6 +20,8 @@ ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}"
postgresql_services_url: 'services-bdd.adm.auro.re'
postgresql_synapse_passwd: "{{ vault_postgresql_synapse_passwd }}"
postgresql_codimd_passwd: "{{ vault_postgresql_codimd_passwd }}"
postgresql_etherpad_passwd: "{{ vault_postgresql_etherpad_passwd }}"
postgresql_kanboard_passwd: "{{ vault_postgresql_kanboard_passwd }}"
# Scripts will tell users to go there to manage their account
intranet_url: 'https://re2o.auro.re/'


@ -1,174 +1,186 @@
$ANSIBLE_VAULT;1.1;AES256
34336231623938346631313932323131336439623837626366646338396137633436646365386639
6332383765386235396331373836366230663563376665380a616436373136633933376435653230
64333963663436393265666434653164643164616134353665306462326666623530383838343135
3531343533656332350a343432336636316131386132306238653736633966363235623833343638
38643061383963396466346536343061653034333037393664356661376565643765306462626231
39326233363962373839303464333833306532343834306232653731326135653934643836323639
36343937626536346331613263663865346634666534646266623061303639626636393230616261
32336366356439353738633234326138656464656630303362623664616634306230623538373965
32346439306337623737616666353830626630373562366436653131393532313035303836326430
64613235646366616533313065396663366434363832333535336631323366336437396664303834
30336466313064636565326564356435306136396363373464326534303366323262303732626661
38326663313332633530353739346538343434316133343066313530366637376135323564306537
65626261303231656432333364333965663065346436626631666466643934623064333163626339
32633565303734303862326365336339346133393431636266303530626564326361653230626536
32313231373037633134623761663832393666353732613965613436323939343233613433343538
37326438383130303861316663396333376662386337353964633930353536653437653061356635
35646232343535313130646237643835376162623639333961323964353830653366626438346237
36343663346332656537363434396633336161373730663364306239306432343930643230656465
37633537616232656661313764626232303535383563353861396431643735326162383866626231
61383165613332666537656137636430323332326335323763303537386662646263353539613964
37323966306364306436653033393931663239383435613836356164633135306233356364313036
39356661613434633930633066646437636535313565356366303732613731333062643231313035
65333461396131663764626665393562623030343561313136363964393664376136303839333664
65313465623331333538393734373264313562643232666130303930333662616465656432363039
66616530336666343861336434633063343561323931323931346132376263376565313366306639
64646465303432333136353661323936633965666364356633653861363139616562653834313861
63306133613066373462383236613939316130623937643939323134343936356638376335323836
39383334656236633037633230313138326238303863623231353465346661663162623138353461
33343738613137366364633730346261366564646161373837613865393233663431636361663962
38313230363737306265636435353533666262333666383639343364633464396566333433333538
39643934646537653234336361613664333434623739353831316531313666396638333136343638
33653034366362363562633462303165626333306664326366353334363964663936616430643662
30616334326638323133366632663237356238353934323361376237613632396134663536336364
39363439326335363437373939353564646663616464663763353931323233316135656634343137
34396130386134386331643534353461663963323435656337653032376565313635623231343135
34303130316239303065386134663332393938636332363665643832326439653733633231346537
63383634333034323434376237663932613638363835393837613632663265616363303233653539
61333765313463616665613136303533343230303735626437343635303934613365326166333966
66613538393466666630363333643730653239393435616634303430396635383631613439623433
36646431393865666162373232343335356366366633633264326639643434396234313863333163
63396534623931633833656565396635333133376165613031663831633564663061656131303564
61303132666264636139313738643161313134643733633366376538366135663135333333333564
64366262353837363061653663616265393264373230346330636465336439623063636639356136
65383638643961326661396336373163643832366561363764626461623662333436373136616437
30316537653432356133616338353165633462643634323563306366343965326635363863316232
61633135643861333635383464383937306236626632366235363433313335663431366531356337
37303465323638383930336138356665343966336137356137656564303733373565366162343330
38326366653733376138356339313564616165626235356363343430353239616339656239323964
31643734653263653461333135386261646265323134633334376262323330396634643764323635
30336262323035613338333166353364333836623865393132613338393237363734616330366463
64646163303337323531636532383438356237306337656439663565643032633462316366663164
33613039326337353531303831313136653539353261373930613030383134653261363833653439
31343662623035393238646263633066653362323434306137633339393330376462356139333362
35363436356530363134663064653031376561343732346262383333353733363136396262643135
31326566303535343833326562376464643632363434323839366366626134303830323563633237
37313964353033316163303738636632346137353437333463303135323631383132623133663130
32373163393861366137303138363134653534613236636439623731393837306130626638343134
39313532386338343662333134353761653162663665396664366239633536613132313735373334
37613161383633653861376433633632333163653439633938386137313632396137616337373465
65383238396439666537313833663364333731613434333739393161363437306665363834653761
34303464386633633163353636643964393233383232623765373239376633393139326630653765
62646439646534376234323661383063656463313437323231333165626163626262626562376338
62646362346261313738323830613037663035666361386139666432613230346334323063326239
65303065343061613736343663363630336333623439383032313137616131623933323636306331
34636130626338303039356137353532346562363531623936316162336663306437386532363236
36333661316161613237343032623764396435346632363963643438316430666539393566353939
33333234313839636537366465356364303438313830663261373563346538626432313139303030
33333066626463663663643833323764643737386162663766356665643064313263376434353038
37643630643737663566653562353261333734636262626437393239383063613661643166626630
31313564346239396561326162333534376264616435313762623032636432363832383630343964
30343663643935633465393465626131633931623930653962303830333065363435383237653566
65646632376330306437663334313932653230653562356338663366616463303466366263366137
64633934626339633235386630396561376130373763313137386531356637633863393035306634
65353432323235363135633832373032623837376333346131303162303464616234313062316563
64646634633963663032613533636665333335656539323238623362306363313835626632306236
30663637356463363530316434316639326639633539333335633330333834643035353932313638
64356565653065666131373538356462306633343161376537323762313666373235353236313963
65613561633266306632616538616461626532666435663038646138386430376164663766363138
35316262393065653739323035666531333330326235386133383834383865356635666537333533
31376138353231313262646334386566376264323066373934666363313431643738383064666437
36656437313039656666373530346534393735353163646635663839326366643333393665626464
36616637303631653661373433653865323634363065303433386534363064356564636465366265
31333064383233636538393032376234663663353162343530376631356533653231303730396465
33366162376464633633313664303939306330613865663431653037303061633130626635653638
66626264363333376463386666313663333964333137333231303361616533393236373861656534
32326335306566623332396638383133353434363565316432353963353062313662326361336537
34396632656234333263663831326566353434316234613365316132363730643665373761666562
31393565653663653731633333633730326265376135666162656132623238333765333363653130
61353632313532616266363139336162336565356365316531336364623930636430353831623233
61616131313438306633333066613764313161333934316139633738623164623564646365663566
66356464376133363137313036623930373362306166623838373131313330393837396261656561
66396233313530643164353264656563383632363139333262626532376562613630643437666266
66656335656634613138316138643666623430363833663035616138336461303035633731636262
36393939333765346239666433323032323361343934656463396365333366623337316663396263
36616431626633663963636135643833666234613830366434636532373031343263316436306162
39356365376561643665323866656465313434623138326238353662653735613565623264333336
61393763363862613766653064636130323732663466366133666361636339356464313037353462
63633936653235656538383433393065393162643034393538666433616131343462346235393164
39353663373338626665663563663162633430343330373430376336326432346233663365376533
32656465343538643137326366653232343530363834383831386634366262303333636261353863
32633437343432653936643766363338636535613532323362656435613363393238626466303861
38633861333638613466306338613932353964393365356637306261626535323732316362623731
33313963623439613939333639346461663338373334396165636231666266613065323731373964
64313133383435333935376531313432663766633133633863356563663535333263636237386136
61653963633166383135333436646465383536373039383538326366636634313061613730653962
37623962643866396637336231363038373465393637356463656566666661313130313863383233
37343636346535363832626365396262303862393535336565393635663637323730373564336634
37363036323733306535336366373630356531353737303165376530656433626634343365626239
64346136363030663862313431653761666432393933366665346361626361623039326434633835
32666538653037613361343536383634643762356234366433663639653461303933306434333864
37386436393465323139306161333738383265323436376536656264356230303163326134323864
63396331666431666464656161633466333764653631623131646566303366333030653834333335
31323365353239366232643863386365633861376235643034303563613363663661616564363663
63326562613365653539383336383339646164623864323830653434623365393432666466323134
33626330373361393734656632393232363866613863373135636537613934343065306265623964
34643765636165393336356630353663343065333431656164363638646233663762346536343362
65653364343537383336373933313464663464653465383830363631316336303464313731356230
34336130323766386465373162346535396565346630353734303937396130656132376331326563
36386339383338346533646331666262396432336434646333653664326635386238333763626637
31363464306465666339316436323265623437636533643431363161323139653065323534636533
64386334353439373133313937343234373963353331646233346432646430636530663336316134
66303337313034396232643531643262343036313762633165353665653938313665386363353865
66333166303636626565613136653365313763303263313239333033353638616566656134396131
38356434343931303134303362313363343634613361353538636634336332373132356165326163
30386130326239366532363962316435663862393836326439623862366166376234343439306465
36346639623939353232366333643963646336383833386565643435393734653936313638663930
32323065343737663564333961373034393261613862333431663562353964666561643831316432
35313832356639333937333266306166656538643065386639346337306134613536356137316331
38376434666332366531393639303561663934353130333161636530383932653236313530616531
61656664626663373164343863333039356362343034326131376666623264663732303734366363
30306430353732616131346637626332656434393163313661356465393263393235396662623962
62643538623331646265643561623366383937313136383939366164613235666234663137653432
34316138643139336331356663333632656539653632626136613431393736613630353237356164
33623632643335663163656236633134343464353837346237316162346634633336663564656531
39373730346130363963376463326238366235613539613466653139306237343164336462353236
39323361636333353661633863663162633563343937366461346338363061623730633537626562
30353938383664333861366431343033313961376436363065373430353736343563313531386663
37313534303564333237616331396437376436383833373936376664666366373235613533663239
64653863613531356666646233393533646131333961343730663461346235633961306263343831
64386332653330323937643266373437633465363933653833343930616134626566363339366362
36356163333730656233653431326430326566386264343330666131393166323537623137396237
65386234653231666631366533383762643830333261363532666138386263643662633932626335
66303363613035643931393933303035323566373634663037313338616132373162366334373962
33666463613435396331326565353433336361303562326562663035313639333232333430373266
65383235356132353838636565636436356361653831356430663935613766613237366564316566
37396130393363386566306162346466326165353863636633306335383265306139396339383866
34326335323962633032386162623033353036643437313832323166363764653339343638343964
66626662326234306362656162336538353131366337643761643930306163333661653062663832
61303963623433313565633235306132366663336662616232613339366363373934613631623431
34323736383366333032343364373533363761323338346163323836653235653136646162306166
65333734623663346233343961396566313838653036396430396134393839326535363237363638
38333232333863396334366561303136333863356666656335633630616531363766343535616533
35656166303837653365303436623431613931336331356531666665346562613263363666626238
62626236323863383366643162356462306163653032626130333863656337623136646439316337
33306432663134383038646133346131333732633932383239643733643138303434646565663266
34616265383733343963323538656138656331396438616133393063356638633965323363653066
65353837333363613762333839313631373137363064383830353565333832356162323862393030
35373038613133643466636537626437393837633865363566343565626633376262373766613738
39343334336238363131373762646564653839623531323066356430326263376534373664363331
64373735383933303638303661333964333464306338613363326261623438336530636262373766
35346339643939666162386232666236326131366366303432393838326239313730323431376231
39363032616666393431326533643865643937363937356431623763363037373333653266376561
63323462363063343234373534663063353865363037383932386231313338343239653131633561
34623439396232633265616438623562666333303932396366663330326565363736633461333463
66346537323061306662323062393061353565393165363532306439343262343632616465363364
30376331346430313536313963333136663833323064633631653935326366633862336163316538
33383434336666303434363236396662366664393637656462363331356631613332353766636663
62323264336235306532343065323834313730353237616463373766303439663533336366363565
35646461636263646633343634323735383235376330616334373937646165623639363663353361
65613034353736633332663333616564356265323731613537393430633137333337643663323137
31623732663331653935316337306433333633353565343265666333363864346562363961333439
30656136636661396335623566386362333861616663393738626632633537613564636261383138
3233
65623030336636323834313162306633623333666663633162356162313233393137646365363161
3334363038323835666431626538383433626162373330360a656162303733653437633637663535
62626630663332373761656137633165666531303137303565313236663564623061643631373333
3164306333653734350a333333653630616462386637613432623039303931393661393563306137
37326564333837306230326637626131666232646564383130623137613939633163313532653836
62393766623065376135343062346362623466336234633239343530366432313336653863346534
34346563666638643136316236626561396534316332623730633936646631623866383631633763
32306236316334626632393736643135306333363135333566353062653866313161653763646336
34636465663639396335353562343936333263616363653535303934646361656135383938626134
34376335303564623436643735363262346334316465366435373435343338373666383635393666
36643032613636643138373432393739626230326437386366386132636535313137313765616464
31623461373166613237356362663939323633653565623830303334353834363561373832623163
35316137633630633736383265333666636436326433653134313038626132633537316162376539
37323338333235333836326161396236666661636464373163333934376662636639356432366565
63363266633266643332663934356564323466646666656530336662353336346333366639613130
33633039343666633536616237386265313863323537353466363432303632323265656265323166
33313135333932363934386432663863383836333862333162333935313562626430353663636335
34653231343964376531306366313264363930613432343864396130653666636332366239636236
33343431353737323534396235613931666262626430303637626236393134386136366164306138
64396238363030616465303634366339353731363461383432353434373735336363656266316336
66313064653233653965646630313632336536643530363562613039313439366437353663363265
30386238363562326263303164366436653334316164646633356666366631653636303835303738
39366163613434623861376138363134616662343231306536396531366433313963383234373764
64326664343736663264626432643664326563383633353364383963353733343864373766666534
34393638613864333265313732333632373565303537316463623337326363383539336566646664
66363764323261323330346338336133346136623431616333373235313565643164613432613861
61346137356133343063636562336633646537373666323763626430633439323632326635383562
36373461623931613162663466333065336237656265366437663035663831616363383066623731
62326462313238373631386362393737323731643865623763333833316637323533656562663536
30326465323164356436326463386137336439326231623534326164323530303239363161643762
61313261333265366631656631326366313464336264626163653363333565353137313863646631
62636534346534336136643164383766323631353837326561616436633139653531356533303432
32616434653237376664353134363464613231366136323330646439623132306464623138393162
34613931633736633532346634303535366430323164313764653832336464303337626634313861
37333863316666353935363663613531643039613534393539343762363732383362333639356435
61303663363438383733636663346362373033383130636431386636616366666537393937396633
33653836343865326433316233306661653831613239376561393834653032633462306238373730
61336266333364616533633433383663363564373334313934633132626238303036326339313932
37323435663537376563343336666262343065316436346663623432333064326136316630633763
65343538313163346539346336643237663431623861653433616639333130643162366539633238
61306335346366363935373438353765333238323037343033626132323730326437656163353765
39343863363366343764613533346537363661353234646364663037623030306334653264386630
36653030316134656236373336616435363337643637623539633865333963363137363433383338
62636330626631393438326365396331656361646263343863326635393666383638636337343339
64313462623564326462636131313163353036393938393634376436306163663863653462663431
66363334353039303266333430316239646533653337383164303837396130333366353465643965
35383939633336386537626662316263383331336565643237396334643737313232306464363638
34393131656232323865333739666639346335646336376666643065353538653530323338356639
64623965326161386430323337326433343334363435316237626666363161353362383361326438
35336431653033333261396632393966653463366637636539663165356532616331633837343435
66356536313037623139613966356139363737656437356238636433366635313137623639366230
36373837383462623966343535383434633932656133326565353063343530363066343365323462
32333666373263353063346535343639623230613733363832323636313830636234326436613438
30363765356637626134353763663938376134653539336436336336303834633533616664376535
32613061363262303839313062666261363032363364366662333364653532373163653434366261
39336233313232393331303732333735346434656436353466313932656239306631383237626565
63313166326538663732363438393263643533636536333665663038383739383334366136646564
33383936393463323235623038393138386164656164623439393734656336343835313135393165
37616232633036383237643730313061323563643163633662393334353133343730656630643762
39333937303931666161613037313837343836643330356538343264633761343432373161393061
63393933383238356235613663343362656466353330383333393636386438306161623434343836
35313030383235663461306539663666393234306332306536653862616138656135393131343462
61633735303134326639663061643935373533336430306538363365623063663536376234356363
65653432636430333330303131633263386265386662656131353833393138643732356336376335
31393438393734336465396633306565343139626135386432343061623232363337326664366632
36613434616662373431613238326464396437363935646437306665313936323732396165633266
33343166333665373937656338333930343338373061633639393463316538373630626561333761
63323336643133323962613435303134613230343033666336646132303462323037383139656166
31323038653738666463323164366662363138663833393637313437633861353462663935616632
65653939353435653337353966373135333036653061333438353136616434643563393465323735
65373230373036353466356338343835363035653031363864316232613232323365353932313061
62626432303334646365616330626261633066306661303537353264653235643632386466336236
30316261666461616337363562323865636234356638653661336261373761383365386639303638
38663763313931323266373162303136323433656466393330646462643438336236613530363636
35353763373463376531323536613563643865346334646164326561663962393034643438326437
30306437343331346233383036656663613038623137363962626462613762653262633035623539
31613932313237343263373333313434386562623465663365306433333635366339616333393430
63626466333934336130313038626136626466323563323630373965303435626664633138333838
37643538353138303332653435343139383265363933646134636236656131643932353932303135
65353438656431613335653838656462333731316665303063623464316462633961656464313933
36366161623661393865346162383966323531396432646432383663326231373162373462633539
31303138626662326637376536303532393636326530366362336437633639306436366531313636
31613332656466343832316632313161336135663661333739646136313137386634633066316535
66613334303139353463613866323431613037333239353839623165356233653361613063646335
33386263616164303631653162633330633136666635376635623437656263306466623462366563
61636334616134376230343265623336373863303463623833663761333039333335626665613661
62626133316338303333613863373663623166323438656566653936616532343065383232323437
38353731643561663461336561313637656563333230353963366632396637333033303365626562
65373463653735313732353165643530336232396562653030623037303463326565643465363764
38316663356535373432656563336538633765393031663339666638366138346564366162303436
66363164633432326632306561643662663265666465373537383335303432616138613939366133
39396430386437353163323935366265306339326563343530366161333330376535313737396537
39353330323938326662303863323738626535643465656438376339643437653639666133633663
39303464326237653933616238663839313730343731383132613062613736376232646366346365
37653136393335396338346536393865316134343365623338623761303661343637336332316535
31633133356263336534643230383034383164396630343131396533313864333963316433366130
38653461303736343861333161343832363934386230393662616463386534336264626363386562
62633832316664323032353835663266653534393733343166303763333434323633616233656131
37333266356337656532386336373563353634656265313061363063356637353366636236653333
31643535373762353663613035316464323033303438623635336637636265363363393961396435
33646438366139323230623235666630663863633961393036376463386538313633626163323365
36633266646330623463336434363934376438326465303938316432643035373236626437663766
36303737386132383261663764386333343532626334633961373666376232633739663164323132
61323230316266333837363537316165376261363738363762373231356533666332376333663239
30646161666434363236633432616163323530643766363533653733346436303461643235343038
65663738633032643334303737666565666137616437613662363062636664326235663737613863
37653164653437356136623563653238366236613964663337336132326232653762643363623664
66656166346230643930653232323234653266393730323735636164303230623766393630393262
63333661396231323430343462656339653466363562303830643233636164303162376631383733
38346231623835333762656135663366616566313963323732663037323338326231613465343462
65616432626432333538396336353965353636636339336239653536613865643265353939656333
66663933343664366163323730336337356634656436326661336636313363663165336161396333
31626163303863653332613733663666383234303164346564646531366261323262636263353036
64666135336264343636396466396564303665623965346163373337376331396233396561613765
32636331376665396132313839653232306535613737653936366438323962333235336530396338
63633737633630646164376361363631623862643363363066376364653965313837373462393832
66336138366132626536323766393832386261396436336537316661383633613065393032636530
63323866643266666637363633616535613032653930663734636663363865336565663864356234
34626262663363376436346463393164646534386135303065623462623861353133656437323861
33623938366635343930633264303530323164396661393338303163386539353938373237633436
35663762353762313935313832383338663430363865343537663530613761303239356563363533
37306162663831663464316464303136396539343030303631613964313165396531303665653761
61383061653364383962663138356366373039366139613536633936633739343133376337613038
62393730636433613037383665303430663666363663646564343935313063386135323963623965
35643734656336623961363432363362393132613432303239393761353136636265613334373634
34396335663037383661663832373937653639633531653064303732656332643962643866306337
34303232623963623562613162623562366539393464663966366464643639343432663338616331
30323461396138663334396265313134646263613033353833656465633537356261366261393261
39303764633636376438656435633737366464343630653735313630386539623462653133396161
36353235343635386636646361623465323135323239613161346563343263646235326232353863
62646434333866653830316166656439643464393337306132376433633439376131366664383464
36393635343265333530653166306263383236656136313136376436393531653334323564663236
30653235343233636334626330363031373433396565663439333033623062313261643632306164
66616338633261356136313334313365356234316262313439623563383330356233363438313833
63313131316461333438363939626636346463366665393433653036663931643537613162393561
34626662303462343239313265653838313634323230656130373163313863313162383736363835
39663337353638613836636263373136623266373732373665353164376534623732313532306366
31353930343062653532386237616433373437663239636230386133393766376238353064656366
61666637646433333366313661353438313337643861333932313662636462346463643664356165
62373338313237353936636138666539643166626631646163653262343365326637626133353361
33663961373334376137393036383833356361383539653362343866386438633366353439323832
38663461313431636562613435303237363163323936323530393966663361326365623564633865
66356433626637376238653865303236646433316164666366303131336331616562323865643566
36643664363363323566353730303339666262663434393863376234656136643865653135383861
61396366383939656130616661396263396331666137666662323932303032623162396633346335
65326362353933663437356235656530343833313136313662643236626661653332613539393638
62656232326238313333623263333366366533313335336330643666383033333038336164316135
61346335633139303163326433353633616562363866396234636138386638356235343035363436
35633737336262383264383065343234373534663564316133643738306638393539353136356630
63613238663066666336626262343933346433393438356565646565613566386566336138386661
30373162333837656131653238393533646663323730626538316437363865626335626635666437
34366663636366303438373032343235333634666637666336313061663239316663613861646133
30383639666362346634303437383035306661623735643139643062653836366631336261643137
36393135633338646238653763613935366566363032343730313666656539353866643564336661
61643261393134303362303666393465643933363962653734646664643033386263346566316332
36633166356665666161616530356439653832323064633662656138356435386434336431396664
34373737643936316133343364353165653130376434646639633866336536373534396235633035
33333734343835323565323863316364613132656665356639623364376538613539626137353564
66343833653435383465376332363533326661373333303435303562396366616231306463396562
65353966613832386235646539643033653335376131333333646237393431363163643630353135
35666264626564623732346565613662303938643034326130646332663530383136333865386266
31313633613739633865363736646138353937306438646532363033383539613534666437663961
61313632613433353437306233626463373335366564653661643038373338303937316366316332
64386132326633306336653134333038316639363538653735383266366239663861333830656438
34393734363665656337626461376234306632623937353863333531313231616365316431303732
32323436663736396439396361663965653632333066373764353561303030666134383836393537
65323038373363316537323533646566396431326634336564306562636232316563613734366339
37326465623137303436346430333263373437656632373039303338626130333834663564633535
39353865376134383637633866356536393766376132396666656235396363656635633630656165
38303439626438623166326331373036386263393331366266356539333533323864613932643335
36303537636131386231613062383163346664643261323263393264343862386562313931616261
34666533613831343764663630623139616634636531393861306337636239346131323437396337
61633064663938613135666334396330363463636166653966653333326235343563633834666634
38353937646265363964626661343565306331646363303038666264613833653962663237353538
64393465363061653837343131373566336139643632323461323635343535313164383766343233
61393136636536366433333766303263663839383064323430366666646163663663316138663532
66363061626363396561353435386266653832313430633337346234333430393338353632383335
64323765636634303632663135306533366232333665383333383936653033373332333331656261
37326164666235323538633963616562633938626131346266366531333133333832393966326637
62376661383562633834353631393933626237316431366237613634356666343031623566666330
61623137336433383139633233356263643237393966613366326632303865353866643332316662
35343239643933313031656534336165666161393566636435663039653438643832636232386566
34326266353631333731636433333639316638643162653234346365353762353333316138303861
36353932656264336165363532313366636536386661663934363761653362623362346431336530
63663064656539343361383963663366626566306431353238633832353335383535
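Review bot: The vault is re-encrypted wholesale, so this hunk cannot show which keys were added or changed; the other hunks reference `vault_postgresql_etherpad_passwd`, `vault_postgresql_kanboard_passwd` and `vault_certbot_dns_secret`, which are presumably the new entries. Listing the added vault variable names in the PR description (never their values) would let a reviewer confirm that every referenced `vault_*` variable exists before the playbooks run, since an undefined vault variable only surfaces at execution time. The vault's file path is not visible in the rendered view.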

8
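--- /dev/null
+++ b/group_vars/certbot.yml
@@ -0,0 +1,8 @@
+---
+glob_certbot:
+- dns_rfc2136_server: '10.128.0.30'
+dns_rfc2136_name: certbot_challenge.
+dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+mail: tech.aurore@lists.crans.org
+certname: auro.re
+domains: "*.auro.re"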
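Review bot: The default certificate requested here covers only `*.auro.re` (`domains: "*.auro.re"`), and a wildcard does not match the apex `auro.re`; the proxy override later in this commit lists `"auro.re, *.auro.re"` for exactly that reason, so any other host that serves the bare domain with this default will present a mismatched certificate. Either make the glob default `domains: "auro.re, *.auro.re"` too, or add a comment saying the apex is intentionally left to per-host overrides. The TSIG secret is correctly taken from the vault; a short comment above `dns_rfc2136_name` noting that the `certbot_challenge.` key is expected to be limited server-side to `_acme-challenge` TXT updates would record the intended blast radius for the next maintainer.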

32
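--- /dev/null
+++ b/group_vars/nginx.yml
@@ -0,0 +1,32 @@
+---
+glob_nginx:
+contact: tech.aurore@lists.crans.org
+who: "L'équipe technique d'Aurore"
+service_name: service
+ssl:
+# Add adm.auro.re if necessary
+- name: auro.re
+cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+servers:
+- ssl: false # Replace by auro.re or adm.auro.re
+default: true
+server_name:
+- "default"
+- "_"
+root: "/var/www/html"
+locations:
+- filter: "/"
+params: []
+additional_params: []
+upstreams: []
+auth_passwd: []
+default_server:
+default_ssl_server:
+default_ssl_domain: auro.re
+real_ip_from:
+- "10.128.0.0/16"
+- "2a09:6840:128::/64"
+deploy_robots_file: false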
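Review bot: `real_ip_from` trusts the whole `10.128.0.0/16` and `2a09:6840:128::/64` ranges, and every nginx template in this commit feeds the list to `set_real_ip_from` together with `real_ip_header P-Real-Ip`, so any host on the adm network can set that header and rewrite the client address that ends up in logs and in any address-based rule. Narrow the default to the two reverse proxies (`proxy.adm.auro.re`, `proxy-ovh.adm.auro.re`) unless trusting the whole /16 is deliberate, and say which in a comment above the key. `default_server:` and `default_ssl_server:` are left bare, which parses as null; writing `default_server: null` (or `false`) makes the "no default redirect" intent explicit and keeps yamllint's empty-values rule quiet. `auth_passwd: []` is also worth a second look: the `passwd.j2` template in this commit calls `.items()` on it, which needs a mapping (`{}`), not a list.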


@ -0,0 +1,11 @@
loc_nginx:
servers: []
glob_reverseproxy:
redirect_dnames:
- aurores.net
- fede-aurore.net
reverseproxy_sites: []
redirect_sites: []


@ -0,0 +1,50 @@
---
postgresql:
version: 13
postgresql_hosts:
- database: etherpad
user: etherpad
net: 10.128.0.150/32
method: md5
- database: codimd
user: codimd
net: 10.128.0.150/32
method: md5
- database: synapse
user: synapse
net: 10.128.0.56/32
method: md5
- database: kanboard
user: kanboard
net: 10.128.0.150/32
method: md5
postgresql_databases:
- synapse
- codimd
- etherpad
- kanboard
postgresql_users:
- name: synapse
database: synapse
password: "{{ postgresql_synapse_passwd }}"
privs:
- ALL
- name: codimd
database: codimd
password: "{{ postgresql_codimd_passwd }}"
privs:
- ALL
- name: etherpad
database: etherpad
password: "{{ postgresql_etherpad_passwd }}"
privs:
- ALL
- name: kanboard
database: kanboard
password: "{{ postgresql_kanboard_passwd }}"
privs:
- ALL
...
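Review bot: Every entry in `postgresql_hosts` uses `method: md5` although the same file pins `version: 13`; PostgreSQL 10 and later support `scram-sha-256`, which neither stores nor transmits the md5 construct and is the recommended password method for new deployments. Unless one of the clients listed here cannot do SCRAM, switch the entries to `method: scram-sha-256` and make sure the role sets `password_encryption = scram-sha-256` so the stored hashes match the auth method. The `password:` values reference `postgresql_synapse_passwd` and friends without the `vault_` prefix used for every other secret in this commit; presumably they are vaulted under another name, and a one-line comment saying where they come from would avoid someone adding a plaintext value here.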


@ -0,0 +1,8 @@
postgresql:
version: 11
hosts: # dbname, username, CIDR ip addr, auth method
- [ "nextcloud", "nextcloud", "10.128.0.58", "md5" ]
- [ "gitea", "gitea", "10.128.0.60", "md5" ]
- [ "drone", "drone", "10.128.0.64", "md5" ]
- [ "wikijs", "wikijs", "10.128.0.66", "md5" ]
- [ "vote", "vote", "10.128.0.81", "md5" ]
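Review bot: This file describes the same data in a different shape from the other PostgreSQL group_vars in this commit — `postgresql.hosts` as flow lists with a positional comment, versus `postgresql_hosts` as a list of `database`/`user`/`net`/`method` mappings. The `postgresql_server` role can only read one of the two, so one of these files is presumably ignored; convert this one to the mapping form (`- database: nextcloud`, `user: nextcloud`, `net: 10.128.0.58/32`, `method: md5`) or state in a comment which schema the role expects. Note the other file gives its networks as `/32` CIDRs while this one gives bare addresses, and this file also lacks the `---` document start its siblings use.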


@ -0,0 +1,105 @@
---
loc_nginx:
service_name: captive_portal
default_server: '$server_addr'
default_ssl_server: '$server_addr'
servers:
- server_name:
- "10.13.0.247"
locations:
- filter: "/"
params:
- "return 302 https://portail-fleming.auro.re/portail/"
- ssl: auro.re
server_name:
- portail-fleming.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-fleming.auro.re/portail/"
- ssl: auro.re
server_name:
- 10.23.0.247
locations:
- filter: "/"
params:
- "return 302 https://portail-pacaterie.auro.re/portail/"
- ssl: auro.re
server_name:
- portail-pacaterie.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-pacaterie.auro.re/portail/"
- ssl: auro.re
server_name:
- "10.33.0.247"
locations:
- filter: "/"
params:
- "return 302 https://portail-rives.auro.re/portail/"
- ssl: auro.re
server_name:
- portail-rives.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-rives.auro.re/portail/"
- ssl: auro.re
server_name:
- "10.43.0.247"
locations:
- filter: "/"
params:
- "return 302 https://portail-edc.auro.re/portail/"
- ssl: auro.re
server_name:
- portail-edc.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-edc.auro.re/portail/"
- ssl: auro.re
server_name:
- "10.53.0.247"
locations:
- filter: "/"
params:
- "return 302 https://portail-gs.auro.re/portail/"
- ssl: auro.re
server_name:
- portail-gs.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-gs.auro.re/portail/"
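Review bot: The location regex `~ /(potail|cotisations/comnpay|static|...)` reads `potail` while every redirect target in the same file is `/portail/`; if that is a typo, requests for `/portail/...` never match the proxy location, fall through to `location /`, and are answered with another `302` to `/portail/` — a redirect loop for the captive portal itself. The same spelling appears in all five site blocks, so fix them together (`~ /(portail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)`), and consider hoisting the shared regex into one variable so it is not copied five times. `10.23.0.247` in the pacaterie block is the only unquoted address; harmless here, but inconsistent with the quoted ones.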


@ -1,39 +1,13 @@
---
certbot:
domains:
- auro.re
- chat.auro.re # cname to riot.auro.re
- codimd.auro.re
- element.auro.re # cname to riot.auro.re
- ehterpad.auro.re # cname to pad.auro.re
- grafana.auro.re
- hedgedoc.auro.re # cname to codimd.auro.re
- pad.auro.re
- passbolt.auro.re
- paste.auro.re # cname to privatebin.auro.re
- phabricator.auro.re
- privatebin.auro.re
- riot.auro.re
- sharelatex.auro.re
- status.auro.re
- wiki.auro.re
- www.auro.re
- zero.auro.re # cname to privatebin.auro.re
mail: tech.aurore@lists.crans.org
certname: auro.re
nginx:
ssl:
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
redirect_dnames:
- aurores.net
- fede-aurore.net
redirect_tcp: {}
loc_certbot:
- dns_rfc2136_server: '10.128.0.30'
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
mail: tech.aurore@lists.crans.org
certname: auro.re
domains: "auro.re, *.auro.re"
loc_reverseproxy:
redirect_sites:
- from: www.auro.re
to: auro.re


@ -1,31 +1,31 @@
---
certbot:
domains:
- bbb.auro.re
- drone.auro.re
- gitea.auro.re
- intranet.auro.re
- litl.auro.re
- nextcloud.auro.re
- re2o.auro.re
- vote.auro.re
- re2o-server.auro.re
- re2o-test.auro.re
- wikijs.auro.re
loc_certbot:
- dns_rfc2136_server: '10.128.0.30'
dns_rfc2136_name: certbot_adm_challenge.
dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
mail: tech.aurore@lists.crans.org
certname: adm.auro.re
domains: "*.adm.auro.re"
- dns_rfc2136_server: '10.128.0.30'
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
mail: tech.aurore@lists.crans.org
certname: auro.re
domains: "*.auro.re"
mail: tech.aurore@lists.crans.org
certname: auro.re
nginx:
loc_nginx:
servers: []
ssl:
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
redirect_dnames:
- aurores.net
- fede-aurore.net
- name: adm.auro.re
cert: /etc/letsencrypt/live/adm.auro.re/fullchain.pem
cert_key: /etc/letsencrypt/live/adm.auro.re/privkey.pem
trusted_cert: /etc/letsencrypt/live/adm.auro.re/chain.pem
- name: auro.re
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
loc_reverseproxy:
redirect_tcp:
- name: Gitea
port: 2222
@ -33,7 +33,7 @@ nginx:
redirect_sites:
- from: 45.66.111.61
to: auro.re
to: intranet.auro.re
reverseproxy_sites:
- from: re2o.auro.re
@ -49,6 +49,9 @@ nginx:
- from: gitea.auro.re
to: "10.128.0.60:3000"
- from: git.adm.auro.re
to: "10.128.0.60:3000"
ssl: adm.auro.re
- from: drone.auro.re
to: "10.128.0.64:8000"
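Review bot: `git.adm.auro.re` is added as a public `reverseproxy_sites` entry served with the `adm.auro.re` certificate, which places an admin-network name behind the internet-facing OVH proxy while the other `adm` names are kept off it; if that is intended (for example git over HTTPS without VPN), a comment on the entry saying so would stop a later cleanup from treating it as a mistake. The `*.adm.auro.re` wildcard also means this proxy now holds a key valid for every admin hostname, which is worth weighing against a single-name certificate for `git.adm.auro.re`. This hunk is a fragment — `loc_reverseproxy` starts earlier and `reverseproxy_sites` continues past it — so the observation is based only on the visible entries.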

44
hosts

@ -29,13 +29,19 @@ stream.adm.auro.re
re2o-server.adm.auro.re
re2o-ldap.adm.auro.re
re2o-db.adm.auro.re
pendragon.adm.auro.re
services-bdd-local.adm.auro.re
#services-bdd-local.adm.auro.re
backup.adm.auro.re
services-web.adm.auro.re
mail.adm.auro.re
wikijs.adm.auro.re
prometheus-aurore.adm.auro.re
portail.adm.auro.re
jitsi-aurore.adm.auro.re
bdd.adm.auro.re
bdd-ovh.adm.auro.re
[aurore_testing_vm]
pendragon.adm.auro.re
###############################################################################
# OVH
@ -45,7 +51,7 @@ horus.adm.auro.re
[ovh_container]
synapse.adm.auro.re
services-bdd.adm.auro.re
#services-bdd.adm.auro.re
phabricator.adm.auro.re
wiki.adm.auro.re
www.adm.auro.re
@ -59,6 +65,8 @@ vpn-ovh.adm.auro.re
docker-ovh.adm.auro.re
switchs-manager.adm.auro.re
ldap-replica-ovh.adm.auro.re
prometheus-ovh.adm.auro.re
prometheus-federate.adm.auro.re
[ovh_testing_vm]
#re2o-test.adm.auro.re
@ -263,6 +271,7 @@ ep-1-3.borne.auro.re
ep-1-2.borne.auro.re
ep-0-1.borne.auro.re
eo-2-1.borne.auro.re
ee-2-1.borne.auro.re
###############################################################################
# George Sand
@ -337,6 +346,7 @@ gf-5-1.borne.auro.re
# Les Rives
[rives_pve]
thor.adm.auro.re
loki.adm.auro.re
[rives_vm]
dhcp-rives-backup.adm.auro.re
@ -345,6 +355,7 @@ dns-rives-backup.adm.auro.re
radius-rives-backup.adm.auro.re
routeur-rives-backup.adm.auro.re
ldap-replica-rives.adm.auro.re
prometheus-rives.adm.auro.re
[rives_unifi]
r3-4-4.borne.auro.re
@ -396,29 +407,31 @@ ovh_vm
[fleming:children]
fleming_pve
fleming_vm
#fleming_unifi
fleming_unifi
# everything at pacaterie
[pacaterie:children]
pacaterie_pve
pacaterie_vm
#pacaterie_unifi
pacaterie_unifi
# everything at edc
[edc:children]
edc_pve
edc_vm
edc_unifi
# everything at georgesand
[gs:children]
gs_pve
gs_vm
gs_unifi
# everything at Les Rives
[rives:children]
rives_pve
rives_vm
rives_unifi
###############################################################################
# Groups by type
@ -482,3 +495,22 @@ ldap-replica-ovh.adm.auro.re
[ldap_replica_rives]
ldap-replica-rives.adm.auro.re
[certbot]
portail.adm.auro.re
[certbot:children]
reverseproxy
[nginx]
portail.adm.auro.re
[nginx:children]
reverseproxy
[reverseproxy]
proxy-ovh.adm.auro.re
proxy.adm.auro.re
[bdd]
bdd.adm.auro.re
bdd-ovh.adm.auro.re
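Review bot: `[certbot]` and `[nginx]` each list `portail.adm.auro.re` plus `reverseproxy` as a child, so the two groups are kept identical by hand; `[certbot:children]` containing `nginx` (or the reverse) would express "every nginx host gets a certificate" once and remove a place to forget. `#services-bdd-local.adm.auro.re` and `#services-bdd.adm.auro.re` are commented out rather than deleted — if those hosts are gone now that `bdd` and `bdd-ovh` exist, drop the lines, otherwise a comment saying why they are parked helps. The new `[bdd]` group matches the `bdd.yml` playbook added in this commit, which is consistent.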


@ -1,6 +1,6 @@
#!/usr/bin/env ansible-playbook
---
- hosts: prometheus-fleming.adm.auro.re,prometheus-fleming-fo.adm.auro.re
- hosts: prometheus-fleming.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
@ -14,7 +14,7 @@
roles:
- prometheus
- hosts: prometheus-pacaterie.adm.auro.re,prometheus-pacaterie-fo.adm.auro.re
- hosts: prometheus-pacaterie.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
@ -25,6 +25,8 @@
{{ groups['pacaterie_pve'] + groups['pacaterie_vm'] | list | sort }}
prometheus_unifi_snmp_targets:
- targets: "{{ groups['pacaterie_unifi'] | list | sort }}"
prometheus_ups_snmp_targets:
- ups-pn-1.ups.auro.re
roles:
- prometheus
@ -34,6 +36,9 @@
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
# Prometheus targets.json
prometheus_ups_snmp_targets:
- ups-ec-1.ups.auro.re
prometheus_targets:
- targets: |
{{ groups['edc_pve'] + groups['edc_vm'] | list | sort }}
@ -53,10 +58,78 @@
{{ groups['gs_pve'] + groups['gs_vm'] | list | sort }}
prometheus_unifi_snmp_targets:
- targets: "{{ groups['gs_unifi'] | list | sort }}"
prometheus_ups_snmp_targets:
- ups-gk-1.ups.auro.re
roles:
- prometheus
- hosts: prometheus-rives.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
# Prometheus targets.json
prometheus_ups_snmp_targets:
- ups-r3-1.ups.auro.re
prometheus_targets:
- targets: |
{{ groups['rives_pve'] + groups['rives_vm'] | list | sort }}
prometheus_unifi_snmp_targets:
- targets: "{{ groups['rives_unifi'] | list | sort }}"
roles:
- prometheus
- hosts: prometheus-aurore.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
snmp_switch_community: "{{ vault_snmp_switch_community }}"
# Prometheus targets.json
prometheus_targets:
- targets: |
{{ groups['aurore_pve'] + groups['aurore_vm'] | list | sort }}
prometheus_switch_snmp_targets:
- targets:
- yggdrasil.switch.auro.re
roles:
- prometheus
- hosts: prometheus-ovh.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
# Prometheus targets.json
prometheus_targets:
- targets: |
{{ groups['ovh_pve'] + groups['ovh_vm'] | list | sort }}
prometheus_docker_targets:
- docker-ovh.adm.auro.re:8087
roles:
- prometheus
- hosts: prometheus-federate.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
# Prometheus targets.json
prometheus_targets:
- prometheus-edc.adm.auro.re
- prometheus-gs.adm.auro.re
- prometheus-fleming.adm.auro.re
- prometheus-pacaterie.adm.auro.re
- prometheus-rives.adm.auro.re
- prometheus-aurore.adm.auro.re
- prometheus-ovh.adm.auro.re
roles:
- prometheus_federate
# Monitor all hosts
- hosts: all,!unifi,!ovh
- hosts: all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,!aurore_testing_vm,!ovh_container
roles:
- prometheus_node
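Review bot: The node-exporter play's host pattern now enumerates five unifi groups by hand (`all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,...`), which must be edited every time a site is added, while the postfix play elsewhere in this commit still uses `!unifi`. If a `[unifi:children]` aggregate group exists in the inventory (it is not visible in this commit) both plays can use `!unifi`; if it does not, the postfix pattern currently excludes nothing and should be aligned with this one. The `prometheus-federate` play also receives `snmp_unifi_password: "{{ vault_snmp_unifi_password }}"` although it only scrapes other Prometheus instances; dropping it keeps that vault secret off a host that has no use for it.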


@ -43,7 +43,7 @@
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o-service
# - re2o_service
# Deploy Unifi Controller
@ -62,4 +62,4 @@
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o-service
# - re2o_service


@ -0,0 +1,21 @@
---
- name: Install unattended-upgrades
when: ansible_os_family == "Debian"
apt:
name: unattended-upgrades
state: present
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure unattended-upgrades
template:
src: "apt/{{ item }}.j2"
dest: "/etc/apt/apt.conf.d/{{ item }}"
owner: root
mode: u=rw,g=r,o=r
loop:
- 50unattended-upgrades
- 20auto-upgrades
...
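Review bot: The `when: ansible_os_family == "Debian"` guard sits on the install task only, so `Configure unattended-upgrades` will still try to write `/etc/apt/apt.conf.d/50unattended-upgrades` and `20auto-upgrades` on any other OS family. Either repeat the condition on the template task or move it to the `include_tasks` line in the caller, and add `group: root` next to `owner: root` so the files' group is pinned as it is for the other templates in this role. A one-line header comment such as `# Install and configure automatic security updates (Debian-Security origin only; no automatic reboot)` would tell a reader what the two templates do without opening them.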


@ -9,8 +9,6 @@
- aptitude # nice to have for Ansible
- bash-completion # because bash
- curl # better than wget
- emacs-nox # for maman
- fish # to motivate @edpibu
- git # code versioning
- htop # better than top
- iotop # monitor i/o
@ -18,14 +16,14 @@
- lsb-release
- molly-guard # prevent reboot
- nano # for vulcain
- net-tools
- ntp # network time sync
- oidentd # postgresql identification
- screen # Vulcain asked for this
- sudo
- tmux # For shirenn
- tree # create a graphical tree of files
- vim # better than nano
- zsh # to be able to ssh @erdnaxe
- dnsutils # dig
update_cache: true
register: apt_result
retries: 3
@ -74,6 +72,9 @@
# APT-List Changes : send email with changelog
- include_tasks: apt-listchanges.yml
# APT Unattended upgrades
- include_tasks: apt-unattended.yml
# User skeleton
- name: Configure user skeleton
copy:


@ -0,0 +1,4 @@
// {{ ansible_managed }}
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";


@ -0,0 +1,22 @@
// {{ ansible_managed }}
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Package-Blacklist {};
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::InstallOnShutdown "false";
Unattended-Upgrade::Mail "{{ monitoring_mail }}";
// Unattended-Upgrade::MailOnlyOnError "false";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
Unattended-Upgrade::Remove-New-Unused-Dependencies "false";
Unattended-Upgrade::Remove-Unused-Dependencies "false";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::SyslogEnable "true";
Unattended-Upgrade::SyslogFacility "daemon";
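Review bot: With `Automatic-Reboot "false"` and `Remove-Unused-Kernel-Packages "false"`, a kernel or libc update from Debian-Security is installed but not active until someone reboots, and superseded kernels accumulate in `/boot` until removed by hand; that is a reasonable choice for servers, but it should be stated in a header comment and paired with an alert on `/var/run/reboot-required` so the gap between "installed" and "running" stays visible. `Unattended-Upgrade::Mail` is set while `MailOnlyOnError` is left commented, so every run that installs a package mails `{{ monitoring_mail }}`; if only failures are wanted, enable it as `Unattended-Upgrade::MailOnlyOnError "true";`. The `Origins-Pattern` deliberately covers only the security suite, which is worth saying in the same comment so nobody expects point-release updates from this configuration.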


@ -1,8 +0,0 @@
---
- name: Reload nginx
service:
name: nginx
state: reloaded
- name: Generate certificates
command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"


@ -1,13 +1,28 @@
---
- name: Install certbot and nginx plugin
- name: Install certbot and RFC2136 plugin
apt:
update_cache: true
name:
- certbot
- python3-certbot-nginx
register: pkg_result
- python3-certbot-dns-rfc2136
state: present
register: apt_result
retries: 3
until: pkg_result is succeeded
until: apt_result is succeeded
- name: Add DNS credentials
template:
src: letsencrypt/rfc2136.ini.j2
dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
mode: 0600
owner: root
loop: "{{ certbot }}"
- name: Add dhparam
template:
src: "letsencrypt/dhparam.j2"
dest: "/etc/letsencrypt/dhparam"
mode: 0600
- name: Create /etc/letsencrypt/conf.d
file:
@ -18,8 +33,19 @@
- name: Add Certbot configuration
template:
src: "letsencrypt/conf.d/certname.ini.j2"
dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
dest: "/etc/letsencrypt/conf.d/{{ item.certname }}.ini"
mode: 0644
notify:
- Generate certificates
- Reload nginx
loop: "{{ certbot }}"
- name: Run certbot
command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
loop: "{{ certbot }}"
- name: Clean old files
file:
path: "{{ item }}"
state: absent
loop:
- "/etc/letsencrypt/options-ssl-nginx.conf"
- "/etc/letsencrypt/ssl-dhparams.pem"
- "/etc/letsencrypt/rfc2136.ini"
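Review bot: The removed `notify: Generate certificates / Reload nginx` handlers are not replaced: `Run certbot` obtains the certificate but nothing reloads nginx afterwards, and the certbot renewal timer will likewise write new files that nginx keeps ignoring until a manual reload. Add `deploy-hook = systemctl reload nginx` to `letsencrypt/conf.d/certname.ini.j2` (or `--deploy-hook` on the command line) and notify a reload handler from this task. `Run certbot` also executes and reports changed on every play; giving it `args: creates: "/etc/letsencrypt/live/{{ item.certname }}/fullchain.pem"` limits it to first issuance and leaves renewals to the timer. `mode: 0600` on the rfc2136 credentials file is the right call, since it carries the TSIG secret.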


@ -1,7 +1,7 @@
# {{ ansible_managed }}
{{ ansible_managed | comment(decoration='# ') }}
# Pour appliquer cette conf et générer la conf de renewal :
# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
# To generate the certificate, please use the following command
# certbot --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
@ -10,14 +10,19 @@ rsa-key-size = 4096
# server = https://acme-staging.api.letsencrypt.org/directory
# Uncomment and update to register with the specified e-mail address
email = {{ certbot.mail }}
email = {{ item.mail }}
# Uncomment to use a text interface instead of ncurses
text = True
# Use nginx challenge
authenticator = nginx
# Yes I want to sell my soul and my guinea pig.
agree-tos = True
# Use DNS-01 challenge
authenticator = dns-rfc2136
dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini
dns-rfc2136-propagation-seconds = 30
# Wildcard the domain
cert-name = {{ certbot.certname }}
domains = {{ ", ".join(certbot.domains) }}
cert-name = {{ item.certname }}
domains = {{ item.domains }}
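Review bot: The template reads `item.certname`, `item.mail` and `item.domains` straight from the caller's loop variable, as do `letsencrypt/rfc2136.ini.j2` and `nginx/snippets/options-ssl.conf.j2` in this commit; any task that renders one of them with `loop_control: loop_var` or outside a loop fails on an undefined `item`. Passing the value explicitly (`vars: certbot_item: "{{ item }}"` on the task, `{{ certbot_item.certname }}` here) makes the contract visible in the template itself. The `# Wildcard the domain` comment above `cert-name` is stale now that `domains` is whatever the group_vars supply; `# Certificate name and the domain list it covers (from the certbot group_vars)` would be accurate.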


@ -0,0 +1,7 @@
{{ ansible_managed | comment(decoration='# ') }}
dns_rfc2136_server = {{ item.dns_rfc2136_server }}
dns_rfc2136_port = 53
dns_rfc2136_name = {{ item.dns_rfc2136_name }}
dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
dns_rfc2136_algorithm = HMAC-SHA512
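Review bot: This file carries the TSIG secret in clear, so the `mode: 0600` set by the task is the minimum; what the template cannot show is how much that key is allowed to change on `10.128.0.30`. A header comment such as `# TSIG key used by certbot for DNS-01; it should be restricted server-side to _acme-challenge TXT updates only` records the intended scope for whoever manages the zone, since a key that can update the whole zone turns a leak of this file into a zone takeover. `dns_rfc2136_algorithm = HMAC-SHA512` and `dns_rfc2136_port = 53` are hard-coded while the other three fields are per-item; fine as defaults, but a comment saying every key is expected to use that algorithm would spare the next person from guessing.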


@ -1,6 +1,6 @@
---
- name: force run dhcp re2o-service
shell: /var/local/re2o-services/dhcp/main.py --force
command: /var/local/re2o-services/dhcp/main.py --force
become_user: re2o-services
- name: restart dhcpd


@ -1,7 +1,7 @@
---
- name: Install dhcp (re2o-service)
import_role:
name: re2o-service
name: re2o_service
vars:
service_repo: https://gitlab.federez.net/re2o/dhcp.git
service_name: dhcp
@ -18,7 +18,7 @@
owner: re2o-services
group: nogroup
recurse: true
mode: 755
mode: 0755
- name: Install isc-dhcp-server
apt:


@ -21,4 +21,4 @@
user: root
key: "{{ ssh_pub_keys }}"
state: present
# exclusive: True
exclusive: true
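Review bot: Turning on `exclusive: true` means every key in root's `authorized_keys` that is not in `ssh_pub_keys` is removed on the next run, so an empty or mis-scoped `ssh_pub_keys` locks everyone out of every host. The `authorized_key` module also expects `key` to be one string with one key per line when `exclusive` is set, and the option is not loop-aware — if `ssh_pub_keys` is a YAML list, use `key: "{{ ssh_pub_keys | join('\n') }}"`. A guard such as `when: ssh_pub_keys | length > 0` on this task (its start lies outside the hunk) is cheap insurance against the lockout case.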

146
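--- /dev/null
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,146 @@
+---
+- name: Install NGINX
+apt:
+update_cache: true
+name: nginx
+register: apt_result
+retries: 3
+until: apt_result is succeeded
+- name: Copy proxypass snippets
+template:
+src: "nginx/snippets/options-proxypass.conf.j2"
+dest: "/etc/nginx/snippets/options-proxypass.conf"
+owner: root
+group: root
+mode: 0644
+- name: Copy SSL snippets
+template:
+src: "nginx/snippets/options-ssl.conf.j2"
+dest: "/etc/nginx/snippets/options-ssl.{{ item.name }}.conf"
+owner: root
+group: root
+mode: 0644
+loop: "{{ nginx.ssl }}"
+- name: Disable default site
+file:
+dest: "/etc/nginx/sites-enabled/default"
+state: absent
+- name: Copy reverse proxy sites
+when: reverseproxy is defined
+template:
+src: "nginx/sites-available/{{ item }}.j2"
+dest: "/etc/nginx/sites-available/{{ item }}"
+owner: root
+group: root
+mode: 0644
+loop:
+- reverseproxy
+- reverseproxy_redirect_dname
+- redirect
+notify: Reload nginx
+- name: Activate reverse proxy sites
+when: reverseproxy is defined
+file:
+src: "/etc/nginx/sites-available/{{ item }}"
+dest: "/etc/nginx/sites-enabled/{{ item }}"
+owner: root
+group: root
+state: link
+loop:
+- reverseproxy
+- reverseproxy_redirect_dname
+- redirect
+notify: Reload nginx
+ignore_errors: "{{ ansible_check_mode }}"
+- name: Copy forward modules
+when: reverseproxy.redirect_tcp is defined and reverseproxy.redirect_tcp|length > 0
+template:
+src: "nginx/modules-available/60-forward.conf.j2"
+dest: "/etc/nginx/modules-available/60-forward.conf"
+mode: 0644
+notify: Reload nginx
+- name: Activate modules
+when: reverseproxy.redirect_tcp is defined and reverseproxy.redirect_tcp|length > 0
+file:
+src: "/etc/nginx/modules-available/60-forward.conf"
+dest: "/etc/nginx/modules-enabled/60-forward.conf"
+state: link
+mode: 0644
+notify: Reload nginx
+ignore_errors: "{{ ansible_check_mode }}"
+- name: Copy service nginx configuration
+when: nginx.servers is defined and nginx.servers|length > 0
+template:
+src: "nginx/sites-available/service.j2"
+dest: "/etc/nginx/sites-available/{{ nginx.service_name }}"
+owner: root
+group: root
+mode: 0644
+notify: Reload nginx
+- name: Activate local nginx service site
+when: nginx.servers is defined and nginx.servers|length > 0
+file:
+src: "/etc/nginx/sites-available/{{ nginx.service_name }}"
+dest: "/etc/nginx/sites-enabled/{{ nginx.service_name }}"
+owner: root
+group: root
+state: link
+notify: Reload nginx
+ignore_errors: "{{ ansible_check_mode }}"
+- name: Copy 50x error page
+template:
+src: www/html/50x.html.j2
+dest: /var/www/html/50x.html
+owner: www-data
+group: www-data
+mode: 0644
+- name: Copy robots.txt file
+when: nginx.deploy_robots_file
+template:
+src: www/html/robots.txt.j2
+dest: /var/www/html/robots.txt
+owner: www-data
+group: www-data
+mode: 0644
+- name: Install passwords
+when: nginx.auth_passwd|length > 0
+template:
+src: nginx/passwd.j2
+dest: /etc/nginx/passwd
+mode: 0644
+- name: Copy 401 error page
+when: nginx.auth_passwd|length > 0
+template:
+src: www/html/401.html.j2
+dest: /var/www/html/401.html
+owner: www-data
+group: www-data
+mode: 0644
+- name: Indicate role in motd
+template:
+src: update-motd.d/05-service.j2
+dest: /etc/update-motd.d/05-nginx
+mode: 0755
+- name: Clean old files
+file:
+path: "{{ item }}"
+state: absent
+loop:
+- "/etc/nginx/snippets/options-ssl.conf"
+- "/var/www/custom_401.html"
+- "/var/www/robots.txt"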
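Review bot: `Install passwords` writes `/etc/nginx/passwd`, which `nginx/passwd.j2` fills with `user:hash` lines, world-readable at `mode: 0644`; basic-auth password hashes should not be readable by every local account on the proxy. Use `owner: root`, `group: www-data`, `mode: 0640` — the master process reads configuration as root and the workers run as www-data, so nothing else needs the file. `mode: 0644` on `Activate modules` (a `file: state: link` task) has no effect on a symlink and can be dropped; the other link tasks in the file already omit it. Tasks that template nginx configuration in this file consistently set `owner`/`group`, so `Copy forward modules` and `Install passwords` stand out as the two that do not.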


@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
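Review bot: The committed group appears to be the RFC 7919 `ffdhe2048` parameters (the PEM matches the publicly standardised group rather than a locally generated one), which is a sound choice, but a reader cannot tell that from a bare blob and may assume it is a private artefact. A comment inside a PEM file is fragile, so record the provenance in the task that deploys it — `- name: Add dhparam (RFC 7919 ffdhe2048, public parameters)` — and confirm a snippet actually references it with `ssl_dhparam /etc/letsencrypt/dhparam;`: the visible parts of `options-ssl.conf.j2` in this commit do not. The certbot task installs this with `mode: 0600`, which works because nginx reads it as root, but the parameters are not secret and `0644` would be the honest permission.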


@ -1,6 +1,6 @@
# {{ ansible_managed }}
{{ ansible_managed | comment }}
{% for site in nginx.redirect_tcp %}
{% for site in reverseproxy.redirect_tcp %}
# Forward port {{ site.port }} to {{ site.name }}
stream {
server {
@ -12,3 +12,4 @@ stream {
}
{% endfor %}


@ -0,0 +1,4 @@
{{ ansible_managed | comment }}
{% for user, hash in nginx.auth_passwd.items() -%}
{{ user }}:{{ hash }}
{% endfor -%}
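Review bot: `nginx.auth_passwd.items()` needs a mapping, but the default introduced in `group_vars/nginx.yml` is `auth_passwd: []`; the `when: nginx.auth_passwd|length > 0` guard in the tasks hides this for the empty case, and the first host that supplies a non-empty list instead of a dict fails at render time with an attribute error. Change the default to `auth_passwd: {}` and document the shape here with `{# map of basic-auth user -> htpasswd-style hash, rendered into /etc/nginx/passwd #}` so the two files agree. Since the rendered file holds password hashes, its permissions in the task that deploys it deserve the same attention.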


@ -1,6 +1,6 @@
# {{ ansible_managed }}
{{ ansible_managed | comment }}
{% for site in nginx.redirect_sites %}
{% for site in reverseproxy.redirect_sites %}
# Redirect http://{{ site.from }} to http://{{ site.to }}
server {
listen 80;
@ -8,6 +8,11 @@ server {
server_name {{ site.from }};
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / {
return 302 http://{{ site.to }}$request_uri;
}
@ -21,7 +26,12 @@ server {
server_name {{ site.from }};
# SSL common conf
include "/etc/nginx/snippets/options-ssl.conf";
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / {
return 302 https://{{ site.to }}$request_uri;
@ -31,8 +41,8 @@ server {
{% endfor %}
{# Also redirect for DNAMEs #}
{% for dname in nginx.redirect_dnames %}
{% for site in nginx.redirect_sites %}
{% for dname in reverseproxy.redirect_dnames %}
{% for site in reverseproxy.redirect_sites %}
{% set from = site.from | regex_replace('crans.org', dname) %}
{% if from != site.from %}
# Redirect http://{{ from }} to http://{{ site.to }}
@ -42,6 +52,11 @@ server {
server_name {{ from }};
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / {
return 302 http://{{ site.to }}$request_uri;
}
@ -55,7 +70,12 @@ server {
server_name {{ from }};
# SSL common conf
include "/etc/nginx/snippets/options-ssl.conf";
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / {
return 302 https://{{ site.to }}$request_uri;
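Review bot: The DNAME loop still does `site.from | regex_replace('crans.org', dname)` (an unchanged context line), while `reverseproxy_redirect_dname.j2` in this same commit substitutes `'auro.re'`; with `redirect_dnames` of `aurores.net`/`fede-aurore.net` and `from` values under `auro.re`, `from` never differs from `site.from`, so the whole `{% if from != site.from %}` block is dead and this template renders no DNAME redirects at all. If the base is meant to be this project's domain, `regex_replace('auro.re', dname)` fixes it; if the leftover is intentional, a comment should say so. The `set_real_ip_from` loop plus `real_ip_header P-Real-Ip` is now pasted into every server block of every template — an nginx snippet included once would keep the trusted-proxy list in one place.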


@ -1,4 +1,4 @@
# {{ ansible_managed }}
{{ ansible_managed | comment }}
# Automatic Connection header for WebSocket support
# See http://nginx.org/en/docs/http/websocket.html
@ -7,7 +7,7 @@ map $http_upgrade $connection_upgrade {
'' close;
}
{% for site in nginx.reverseproxy_sites %}
{% for site in reverseproxy.reverseproxy_sites %}
# Redirect http://{{ site.from }} to https://{{ site.from }}
server {
listen 80;
@ -15,6 +15,11 @@ server {
server_name {{ site.from }};
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / {
return 302 https://$host$request_uri;
}
@ -28,7 +33,7 @@ server {
server_name {{ site.from }};
# SSL common conf
include "/etc/nginx/snippets/options-ssl.conf";
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
# Log into separate log files
access_log /var/log/nginx/{{ site.from }}.log;
@ -43,8 +48,9 @@ server {
root /var/www/html;
}
set_real_ip_from 10.231.136.0/24;
set_real_ip_from 2a0c:700:0:2::/64;
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / {


@ -1,7 +1,7 @@
# {{ ansible_managed }}
{{ ansible_managed | comment }}
{% for dname in nginx.redirect_dnames %}
{% for site in nginx.reverseproxy_sites %}
{% for dname in reverseproxy.redirect_dnames %}
{% for site in reverseproxy.reverseproxy_sites %}
{% set from = site.from | regex_replace('auro.re', dname) %}
{% set to = site.from %}
{% if from != site.from %}
@ -12,6 +12,11 @@ server {
server_name {{ from }};
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / {
return 302 http://{{ to }}$request_uri;
}
@ -25,7 +30,12 @@ server {
server_name {{ from }};
# SSL common conf
include "/etc/nginx/snippets/options-ssl.conf";
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / {
return 302 https://{{ to }}$request_uri;


@ -0,0 +1,132 @@
{{ ansible_managed | comment }}
# Automatic Connection header for WebSocket support
# See http://nginx.org/en/docs/http/websocket.html
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
{% for upstream in nginx.upstreams -%}
upstream {{ upstream.name }} {
# Path of the server
server {{ upstream.server }};
}
{% endfor -%}
{% if nginx.default_ssl_server -%}
# Redirect all services to the main site
server {
listen 443 default_server ssl;
listen [::]:443 default_server ssl;
include "/etc/nginx/snippets/options-ssl.{{ nginx.default_ssl_domain }}.conf";
server_name _;
charset utf-8;
# Hide Nginx version
server_tokens off;
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / {
return 302 https://{{ nginx.default_ssl_server }}$request_uri;
}
}
{% endif -%}
{% if nginx.default_server -%}
# Redirect all services to the main site
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
charset utf-8;
# Hide Nginx version
server_tokens off;
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / {
return 302 http://{{ nginx.default_server }}$request_uri;
}
}
{% endif -%}
{% for server in nginx.servers %}
{% if server.ssl is defined and server.ssl -%}
# Redirect HTTP to HTTPS
server {
listen 80{% if server.default is defined and server.default %} default_server{% endif %};
listen [::]:80{% if server.default is defined and server.default %} default_server{% endif %};
server_name {{ server.server_name|join(" ") }};
charset utf-8;
# Hide Nginx version
server_tokens off;
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / {
return 302 https://$host$request_uri;
}
}
{% endif -%}
server {
{% if server.ssl is defined and server.ssl -%}
listen 443{% if server.default is defined and server.default %} default_server{% endif %} ssl;
listen [::]:443{% if server.default is defined and server.default %} default_server{% endif %} ssl;
include "/etc/nginx/snippets/options-ssl.{{ server.ssl }}.conf";
{% else -%}
listen 80;
listen [::]:80;
{% endif -%}
server_name {{ server.server_name|join(" ") }};
charset utf-8;
# Hide Nginx version
server_tokens off;
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
{% if server.root is defined %}root {{ server.root }};{% endif %}
{% if server.index is defined %}index {{ server.index|join(" ") }};{% endif %}
{% if server.access_log is defined %}access_log {{ server.access_log }};{% endif %}
{% if server.error_log is defined %}error_log {{ server.error_log }};{% endif %}
{% if server.additional_params is defined %}
{% for param in server.additional_params %}
{{ param }};
{% endfor %}
{% endif %}
{% if server.locations is defined %}
{% for location in server.locations %}
location {{ location.filter }} {
{% for param in location.params %}
{{ param }};
{% endfor %}
}
{% endfor %}
{% endif %}
}
{% endfor %}
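Review bot: `location.params` is iterated without an `is defined` check while `additional_params` and `locations` are guarded, so a location written as `- filter: "/"` with no `params` key aborts the whole render; `{% for param in location.params | default([]) %}` makes it tolerant like the others. Every `server` block repeats the same `set_real_ip_from` loop and `real_ip_header P-Real-Ip` line; a shared snippet would shorten the file and keep the trusted-proxy list in one place. Since this template is the only description of the `nginx.servers` entry shape, a header comment listing the accepted keys (`ssl`, `default`, `server_name`, `root`, `index`, `access_log`, `error_log`, `additional_params`, `locations[].filter/params`) would help, as would noting that `params` are emitted as raw nginx directives and therefore must come from trusted inventory only.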


@ -0,0 +1,18 @@
{{ ansible_managed | comment }}
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info (^/[^/]*)(.*)$;
# check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
# Let NGINX handle errors
fastcgi_intercept_errors on;
include /etc/nginx/fastcgi.conf;
fastcgi_pass unix:/var/run/fcgiwrap.socket;


@ -1,4 +1,4 @@
# {{ ansible_managed }}
{{ ansible_managed | comment }}
proxy_redirect off;
proxy_set_header Host $host;


@ -1,7 +1,7 @@
# {{ ansible_managed }}
{{ ansible_managed | comment }}
ssl_certificate {{ nginx.ssl.cert }};
ssl_certificate_key {{ nginx.ssl.cert_key }};
ssl_certificate {{ item.cert }};
ssl_certificate_key {{ item.cert_key }};
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
@ -13,5 +13,5 @@ ssl_prefer_server_ciphers off;
# Enable OCSP Stapling, point to certificate chain
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
ssl_trusted_certificate {{ item.trusted_cert }};


@ -1,3 +1,3 @@
#!/usr/bin/tail +14
# {{ ansible_managed }}
{{ ansible_managed | comment }}
> NGINX a été déployé sur cette machine. Voir /etc/nginx/.


@ -0,0 +1,18 @@
{{ ansible_header | comment('xml') }}
<html>
<head>
<title>Accès refusé</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<h1>Accès refusé</h1>
<p>
Pour éviter le scan des adresses de diffusions par un robot, cette page demande un identifiant et mot de passe.
</p>
<ul>
<li>Identifiant : <em>Stop</em></li>
<li>Mot de passe : <em>Spam</em></li>
</ul>
</body>
</html>
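Review bot: The header uses `{{ ansible_header | comment('xml') }}` while every other template in this commit uses `ansible_managed`; unless `ansible_header` is defined in the role or group_vars (not visible here), rendering the 401 page fails with an undefined variable. `{{ ansible_managed | comment('xml') }}` matches the rest of the role. Publishing the credentials (`Stop`/`Spam`) on the page is clearly meant as a speed-bump against scrapers rather than access control, which is worth stating in the task name or a comment so nobody later assumes `/etc/nginx/passwd` protects anything sensitive.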


@ -57,7 +57,7 @@
<h1>502</h1>
<p>Whoops, le service prend trop de temps à répondre…</p>
<p>Essayez de rafraîchir la page. Si le problème persiste, pensez
à contacter <a href="mailto:tech.aurore@lists.crans.org">l'équipe technique d'Aurore</a>.</p>
à contacter <a href="mailto:{{ nginx.contact }}">{{ nginx.who }}</a>.</p>
</body>
</html>
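Review bot: `{{ nginx.contact }}` and `{{ nginx.who }}` are inserted into an attribute and into text without escaping, and Ansible's Jinja rendering does not autoescape; an inventory value containing `"`, `<` or `&` would break or alter the markup. Use the escape filter at both spots: `<a href="mailto:{{ nginx.contact | e }}">{{ nginx.who | e }}</a>`. The enclosing HTML document starts before this hunk.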


@ -0,0 +1,2 @@
User-agent: *
Disallow: /


@ -1,73 +0,0 @@
---
- name: Install NGINX
apt:
update_cache: true
name: nginx
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Copy snippets
template:
src: "nginx/snippets/{{ item }}.j2"
dest: "/etc/nginx/snippets/{{ item }}"
mode: 0644
loop:
- options-ssl.conf
- options-proxypass.conf
- name: Copy dhparam
template:
src: letsencrypt/dhparam.j2
dest: /etc/letsencrypt/dhparam
mode: 0644
- name: Copy reverse proxy sites
template:
src: "nginx/sites-available/{{ item }}.j2"
dest: "/etc/nginx/sites-available/{{ item }}"
mode: 0644
loop:
- reverseproxy
- reverseproxy_redirect_dname
- redirect
notify: Reload nginx
- name: Activate sites
file:
src: "/etc/nginx/sites-available/{{ item }}"
dest: "/etc/nginx/sites-enabled/{{ item }}"
state: link
mode: 0644
loop:
- reverseproxy
- reverseproxy_redirect_dname
- redirect
notify: Reload nginx
- name: Copy forward modules
template:
src: "nginx/modules-available/60-forward.conf.j2"
dest: "/etc/nginx/modules-available/60-forward.conf"
mode: 0644
notify: Reload nginx
- name: Activate modules
file:
src: "/etc/nginx/modules-available/60-forward.conf"
dest: "/etc/nginx/modules-enabled/60-forward.conf"
state: link
mode: 0644
notify: Reload nginx
- name: Copy 50x error page
template:
src: www/html/50x.html.j2
dest: /var/www/html/50x.html
mode: 0644
- name: Indicate role in motd
template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-nginx
mode: 0755


@ -0,0 +1,10 @@
---
- name: restart postfix
service:
name: postfix
state: restarted
- name: reload postfix
service:
name: postfix
state: reloaded


@ -0,0 +1,17 @@
---
- name: Install postfix
apt:
name: postfix
update_cache: true
register: result
retries: 3
until: result is succeeded
- name: Configure postfix
template:
src: main.cf.j2
dest: /etc/postfix/main.cf
mode: 0644
owner: root
group: root
notify: restart postfix
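Review bot: Nothing in this task list ensures the postfix service is started and enabled; the only place the service is touched is the `restart postfix` handler, which runs solely when main.cf changes, so a host where the unit was stopped or disabled stays that way on an unchanged run. The `reload postfix` handler added in the same commit is never notified; for a main.cf change a reload is enough unless listener settings such as inet_interfaces change, so `notify: reload postfix` would avoid a full restart on every template edit (keep restart if you expect to change such parameters). I would add an explicit service task after the template task:

```yaml
- name: Configure postfix
  # … unchanged: template main.cf …
  notify: reload postfix
- name: Ensure postfix is enabled and started
  service:
    name: postfix
    state: started
    enabled: true
```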


@ -0,0 +1,32 @@
# {{ ansible_managed }}
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Template based on /usr/share/postfix/main.cf.debian
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# Send mail as user@{{ ansible_fqdn }}
myhostname = {{ ansible_fqdn }}
myorigin = $myhostname
mydomain = $myhostname
# Specify the trusted networks
mynetworks = 127.0.0.0/8 {{ local_network }}
# This host does not relay mail from untrusted networks
relay_domains =
# This is needed if no direct Internet access is available
relayhost = {{ relay_host }}
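Review bot: `mynetworks = 127.0.0.0/8 {{ local_network }}` combined with no `inet_interfaces` setting means this satellite host listens on every interface (Debian's default is `all`) and accepts mail for relaying from the whole local network, forwarding it through `relayhost`; for a host that only needs to send its own mail that widens the relay surface without benefit. I would add `inet_interfaces = loopback-only` and restrict `mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128` unless some other machine genuinely needs to submit through this box — presumably not, given the playbook describes non-mailhost servers. The header line `# {{ ansible_managed }}` also differs from the `{{ ansible_managed | comment }}` form the other templates in this commit switched to.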


@ -0,0 +1,5 @@
---
postgresql_hosts: []
postgresql_databases: []
postgresql_users: []
...
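Review bot: The role's tasks and templates read `postgresql.version` in paths such as `/etc/postgresql/{{ postgresql.version }}/main/`, but this defaults file does not declare it, so a host without the variable fails at the first file task with an undefined-variable error. Either add a documented default or at least a comment here, e.g. `# postgresql.version must be supplied by the inventory; it selects the cluster directories`, so the dependency is visible where defaults are looked up.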


@ -0,0 +1,6 @@
---
- name: restart postgresql
service:
name: postgresql
state: restarted
enabled: true
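Review bot: `enabled: true` inside the `restart postgresql` handler only takes effect when the handler fires, i.e. when a configuration template changed; on a host where the unit was disabled and nothing changed, the service stays disabled. Enabling the unit is a steady-state guarantee and belongs in a task (`service: name: postgresql, state: started, enabled: true`) in tasks/main.yml, leaving the handler with `state: restarted` only.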


@ -0,0 +1,74 @@
---
- name: Install postgresql and psycopg2
apt:
update_cache: true
pkg:
- postgresql
- python3-psycopg2
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Ensure main postgresql directory exists
file:
path: /etc/postgresql/{{ postgresql.version }}/main/
state: directory
owner: postgres
group: postgres
mode: 0755
- name: Ensure configuration directory exists
file:
path: /etc/postgresql/{{ postgresql.version }}/main/conf.d
state: directory
owner: postgres
group: postgres
mode: 0755
- name: Configuration of postgresql {{ postgresql.version }}
template:
src: postgresql/{{ item }}.j2
dest: /etc/postgresql/{{ postgresql.version }}/main/{{ item }}
mode: 0640
owner: postgres
group: postgres
loop:
- pg_hba.conf
- postgresql.conf
notify:
- restart postgresql
- name: Create databases
become: true
become_user: postgres
postgresql_db:
name: "{{ item }}"
encoding: UTF-8
lc_collate: en_US.UTF-8
lc_ctype: en_US.UTF-8
template: template0
loop: "{{ postgresql_databases }}"
- name: Create users
become: true
become_user: postgres
postgresql_user:
db: "{{ item.database }}"
name: "{{ item.name }}"
password: "{{ item.password }}"
no_log: true
loop: "{{ postgresql_users }}"
- name: Grant privileges to users
become: true
become_user: postgres
postgresql_privs:
db: postgres
type: database
role: "{{ item.name }}"
privs: "{{ item.privs | join(',') }}"
obj: "{{ item.database }}"
no_log: true
loop: "{{ postgresql_users }}"
...
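Review bot: The `mode:` values (`0755`, `0640`) are unquoted octal literals; YAML parsers read them as integers and depending on the loader and Ansible version the leading zero is dropped or misread, which is why ansible-lint flags unquoted octal modes — write them as `mode: "0640"` (the same applies to the postfix tasks and the deleted nginx tasks in this commit). In the `Create users` task, `db: "{{ item.database }}"` only selects the connection database; the grant is done by the separate `postgresql_privs` task, which will fail with an undefined-attribute error if an entry in `postgresql_users` omits `privs` — a short comment above the loop describing the expected entry shape (`name`, `password`, `database`, `privs`) would help. `no_log: true` on both password-handling tasks is correct and should be kept.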


@ -0,0 +1,20 @@
{{ ansible_managed | comment }}
# TYPE DATABASE USER ADDRESS METHOD
# DO NOT DISABLE!
# If you change this first entry you will need to make sure that the
# database superuser can access the database using some other method.
# Noninteractive access to all databases is required during automatic
# maintenance (custom daily cronjobs, replication, and similar tasks).
#
# Database administrative login by Unix domain socket
local all postgres peer
# "local" is for Unix domain socket connections only
local all all peer
{% for host in postgresql_hosts %}
host "{{ host.database }}" "{{ host.user }}" {{ host.net }} {{ host.method }}
{% endfor %}
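Review bot: The generated remote entries use the `host` type, which matches both TLS and cleartext connections, so even though postgresql.conf in this commit sets `ssl = on`, a client that does not request TLS will authenticate in clear over the network. If the inventory's clients support it, `hostssl "{{ host.database }}" "{{ host.user }}" {{ host.net }} {{ host.method }}` refuses the cleartext path. The `{{ host.method }}` field is entirely inventory-controlled; a comment above the loop naming the intended values (e.g. scram-sha-256 or md5, never trust) documents the contract the template relies on.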


@ -0,0 +1,695 @@
{{ ansible_managed | comment }}
# -----------------------------
# PostgreSQL configuration file
# -----------------------------
#
# This file consists of lines of the form:
#
# name = value
#
# (The "=" is optional.) Whitespace may be used. Comments are introduced with
# "#" anywhere on a line. The complete list of parameter names and allowed
# values can be found in the PostgreSQL documentation.
#
# The commented-out settings shown in this file represent the default values.
# Re-commenting a setting is NOT sufficient to revert it to the default value;
# you need to reload the server.
#
# This file is read on server startup and when the server receives a SIGHUP
# signal. If you edit the file on a running system, you have to SIGHUP the
# server for the changes to take effect, run "pg_ctl reload", or execute
# "SELECT pg_reload_conf()". Some parameters, which are marked below,
# require a server shutdown and restart to take effect.
#
# Any parameter can also be given as a command-line option to the server, e.g.,
# "postgres -c log_connections=on". Some parameters can be changed at run time
# with the "SET" SQL command.
#
# Memory units: kB = kilobytes Time units: ms = milliseconds
# MB = megabytes s = seconds
# GB = gigabytes min = minutes
# TB = terabytes h = hours
# d = days
#------------------------------------------------------------------------------
# FILE LOCATIONS
#------------------------------------------------------------------------------
# The default values of these variables are driven from the -D command-line
# option or PGDATA environment variable, represented here as ConfigDir.
# All changes to this section REQUIRES restart
# use data in another directory
data_directory = '/var/lib/postgresql/{{ postgresql.version }}/main'
# host-based authentication file
hba_file = '/etc/postgresql/{{ postgresql.version }}/main/pg_hba.conf'
# If external_pid_file is not explicitly set, no extra PID file is written.
external_pid_file = '/run/postgresql/{{ postgresql.version }}-main.pid'
# write an extra PID file
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
listen_addresses = '0.0.0.0, ::'
# listen_addresses = * # listen to all
#listen_addresses = 'localhost' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
# (change requires restart)
port = 5432 # (change requires restart)
max_connections = 100 # (change requires restart)
#superuser_reserved_connections = 3 # (change requires restart)
unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories
# (change requires restart)
#unix_socket_group = '' # (change requires restart)
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
# (change requires restart)
#bonjour = off # advertise server via Bonjour
# (change requires restart)
#bonjour_name = '' # defaults to the computer name
# (change requires restart)
# - TCP Keepalives -
# see "man 7 tcp" for details
#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
# 0 selects the system default
#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
# 0 selects the system default
#tcp_keepalives_count = 0 # TCP_KEEPCNT;
# 0 selects the system default
# - Authentication -
#authentication_timeout = 1min # 1s-600s
#password_encryption = md5 # md5 or scram-sha-256
#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = ''
#krb_caseins_users = off
# - SSL -
ssl = on
#ssl_ca_file = ''
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
#ssl_crl_file = ''
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off
#------------------------------------------------------------------------------
# RESOURCE USAGE (except WAL)
#------------------------------------------------------------------------------
# - Memory -
shared_buffers = 128MB # min 128kB
# (change requires restart)
#huge_pages = try # on, off, or try
# (change requires restart)
#temp_buffers = 8MB # min 800kB
#max_prepared_transactions = 0 # zero disables the feature
# (change requires restart)
# Caution: it is not advisable to set max_prepared_transactions nonzero unless
# you actively intend to use prepared transactions.
#work_mem = 4MB # min 64kB
#maintenance_work_mem = 64MB # min 1MB
#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem
#max_stack_depth = 2MB # min 100kB
dynamic_shared_memory_type = posix # the default is the first option
# supported by the operating system:
# posix
# sysv
# windows
# mmap
# (change requires restart)
# - Disk -
#temp_file_limit = -1 # limits per-process temp file space
# in kB, or -1 for no limit
# - Kernel Resources -
#max_files_per_process = 1000 # min 25
# (change requires restart)
# - Cost-Based Vacuum Delay -
#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables)
#vacuum_cost_page_hit = 1 # 0-10000 credits
#vacuum_cost_page_miss = 10 # 0-10000 credits
#vacuum_cost_page_dirty = 20 # 0-10000 credits
#vacuum_cost_limit = 200 # 1-10000 credits
# - Background Writer -
#bgwriter_delay = 200ms # 10-10000ms between rounds
#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
#bgwriter_flush_after = 512kB # measured in pages, 0 disables
# - Asynchronous Behavior -
#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
#max_worker_processes = 8 # (change requires restart)
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
#parallel_leader_participation = on
#max_parallel_workers = 8 # maximum number of max_worker_processes that
# can be used in parallel operations
#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
# (change requires restart)
#backend_flush_after = 0 # measured in pages, 0 disables
#------------------------------------------------------------------------------
# WRITE-AHEAD LOG
#------------------------------------------------------------------------------
# - Settings -
#wal_level = replica # minimal, replica, or logical
# (change requires restart)
#fsync = on # flush data to disk for crash safety
# (turning this off can cause
# unrecoverable data corruption)
#synchronous_commit = on # synchronization level;
# off, local, remote_write, remote_apply, or on
#wal_sync_method = fsync # the default is the first option
# supported by the operating system:
# open_datasync
# fdatasync (default on Linux)
# fsync
# fsync_writethrough
# open_sync
#full_page_writes = on # recover from partial page writes
#wal_compression = off # enable compression of full-page writes
#wal_log_hints = off # also do full page writes of non-critical updates
# (change requires restart)
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
# (change requires restart)
#wal_writer_delay = 200ms # 1-10000 milliseconds
#wal_writer_flush_after = 1MB # measured in pages, 0 disables
#commit_delay = 0 # range 0-100000, in microseconds
#commit_siblings = 5 # range 1-1000
# - Checkpoints -
#checkpoint_timeout = 5min # range 30s-1d
max_wal_size = 1GB
min_wal_size = 80MB
#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
#checkpoint_flush_after = 256kB # measured in pages, 0 disables
#checkpoint_warning = 30s # 0 disables
# - Archiving -
#archive_mode = off # enables archiving; off, on, or always
# (change requires restart)
#archive_command = '' # command to use to archive a logfile segment
# placeholders: %p = path of file to archive
# %f = file name only
# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
#archive_timeout = 0 # force a logfile segment switch after this
# number of seconds; 0 disables
#------------------------------------------------------------------------------
# REPLICATION
#------------------------------------------------------------------------------
# - Sending Servers -
# Set these on the master and on any standby that will send replication data.
#max_wal_senders = 10 # max number of walsender processes
# (change requires restart)
#wal_keep_segments = 0 # in logfile segments; 0 disables
#wal_sender_timeout = 60s # in milliseconds; 0 disables
#max_replication_slots = 10 # max number of replication slots
# (change requires restart)
#track_commit_timestamp = off # collect timestamp of transaction commit
# (change requires restart)
# - Master Server -
# These settings are ignored on a standby server.
#synchronous_standby_names = '' # standby servers that provide sync rep
# method to choose sync standbys, number of sync standbys,
# and comma-separated list of application_name
# from standby(s); '*' = all
#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
# - Standby Servers -
# These settings are ignored on a master server.
#hot_standby = on # "off" disallows queries during recovery
# (change requires restart)
#max_standby_archive_delay = 30s # max delay before canceling queries
# when reading WAL from archive;
# -1 allows indefinite delay
#max_standby_streaming_delay = 30s # max delay before canceling queries
# when reading streaming WAL;
# -1 allows indefinite delay
#wal_receiver_status_interval = 10s # send replies at least this often
# 0 disables
#hot_standby_feedback = off # send info from standby to prevent
# query conflicts
#wal_receiver_timeout = 60s # time that receiver waits for
# communication from master
# in milliseconds; 0 disables
#wal_retrieve_retry_interval = 5s # time to wait before retrying to
# retrieve WAL after a failed attempt
# - Subscribers -
# These settings are ignored on a publisher.
#max_logical_replication_workers = 4 # taken from max_worker_processes
# (change requires restart)
#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers
#------------------------------------------------------------------------------
# QUERY TUNING
#------------------------------------------------------------------------------
# - Planner Method Configuration -
#enable_bitmapscan = on
#enable_hashagg = on
#enable_hashjoin = on
#enable_indexscan = on
#enable_indexonlyscan = on
#enable_material = on
#enable_mergejoin = on
#enable_nestloop = on
#enable_parallel_append = on
#enable_seqscan = on
#enable_sort = on
#enable_tidscan = on
#enable_partitionwise_join = off
#enable_partitionwise_aggregate = off
#enable_parallel_hash = on
#enable_partition_pruning = on
# - Planner Cost Constants -
#seq_page_cost = 1.0 # measured on an arbitrary scale
#random_page_cost = 4.0 # same scale as above
#cpu_tuple_cost = 0.01 # same scale as above
#cpu_index_tuple_cost = 0.005 # same scale as above
#cpu_operator_cost = 0.0025 # same scale as above
#parallel_tuple_cost = 0.1 # same scale as above
#parallel_setup_cost = 1000.0 # same scale as above
#jit_above_cost = 100000 # perform JIT compilation if available
# and query more expensive than this;
# -1 disables
#jit_inline_above_cost = 500000 # inline small functions if query is
# more expensive than this; -1 disables
#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if
# query is more expensive than this;
# -1 disables
#min_parallel_table_scan_size = 8MB
#min_parallel_index_scan_size = 512kB
#effective_cache_size = 4GB
# - Genetic Query Optimizer -
#geqo = on
#geqo_threshold = 12
#geqo_effort = 5 # range 1-10
#geqo_pool_size = 0 # selects default based on effort
#geqo_generations = 0 # selects default based on effort
#geqo_selection_bias = 2.0 # range 1.5-2.0
#geqo_seed = 0.0 # range 0.0-1.0
# - Other Planner Options -
#default_statistics_target = 100 # range 1-10000
#constraint_exclusion = partition # on, off, or partition
#cursor_tuple_fraction = 0.1 # range 0.0-1.0
#from_collapse_limit = 8
#join_collapse_limit = 8 # 1 disables collapsing of explicit
# JOIN clauses
#force_parallel_mode = off
#jit = on # allow JIT compilation
#plan_cache_mode = auto # auto, force_generic_plan or
# force_custom_plan
#------------------------------------------------------------------------------
# REPORTING AND LOGGING
#------------------------------------------------------------------------------
# - Where to Log -
#log_destination = 'stderr' # Valid values are combinations of
# stderr, csvlog, syslog, and eventlog,
# depending on platform. csvlog
# requires logging_collector to be on.
# This is used when logging to stderr:
#logging_collector = off # Enable capturing of stderr and csvlog
# into log files. Required to be on for
# csvlogs.
# (change requires restart)
# These are only used if logging_collector is on:
#log_directory = 'log' # directory where log files are written,
# can be absolute or relative to PGDATA
#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
# can include strftime() escapes
#log_file_mode = 0600 # creation mode for log files,
# begin with 0 to use octal notation
#log_truncate_on_rotation = off # If on, an existing log file with the
# same name as the new log file will be
# truncated rather than appended to.
# But such truncation only occurs on
# time-driven rotation, not on restarts
# or size-driven rotation. Default is
# off, meaning append to existing files
# in all cases.
#log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
#log_rotation_size = 10MB # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.
# These are relevant when logging to syslog:
#syslog_facility = 'LOCAL0'
#syslog_ident = 'postgres'
#syslog_sequence_numbers = on
#syslog_split_messages = on
# This is only relevant when logging to eventlog (win32):
# (change requires restart)
#event_source = 'PostgreSQL'
# - When to Log -
#log_min_messages = warning # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic
#log_min_error_statement = error # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic (effectively off)
#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
# and their durations, > 0 logs only
# statements running at least this number
# of milliseconds
# - What to Log -
#debug_print_parse = off
#debug_print_rewritten = off
#debug_print_plan = off
#debug_pretty_print = on
#log_checkpoints = off
#log_connections = off
#log_disconnections = off
#log_duration = off
#log_error_verbosity = default # terse, default, or verbose messages
#log_hostname = off
log_line_prefix = '%m [%p] %q%u@%d ' # special values:
# %a = application name
# %u = user name
# %d = database name
# %r = remote host and port
# %h = remote host
# %p = process ID
# %t = timestamp without milliseconds
# %m = timestamp with milliseconds
# %n = timestamp with milliseconds (as a Unix epoch)
# %i = command tag
# %e = SQL state
# %c = session ID
# %l = session line number
# %s = session start timestamp
# %v = virtual transaction ID
# %x = transaction ID (0 if none)
# %q = stop here in non-session
# processes
# %% = '%'
# e.g. '<%u%%%d> '
#log_lock_waits = off # log lock waits >= deadlock_timeout
#log_statement = 'none' # none, ddl, mod, all
#log_replication_commands = off
#log_temp_files = -1 # log temporary files equal or larger
# than the specified size in kilobytes;
# -1 disables, 0 logs all temp files
log_timezone = 'Europe/Paris'
#------------------------------------------------------------------------------
# PROCESS TITLE
#------------------------------------------------------------------------------
cluster_name = '{{ postgresql.version }}/main' # added to process titles if nonempty
# (change requires restart)
#update_process_title = on
#------------------------------------------------------------------------------
# STATISTICS
#------------------------------------------------------------------------------
# - Query and Index Statistics Collector -
#track_activities = on
#track_counts = on
#track_io_timing = off
#track_functions = none # none, pl, all
#track_activity_query_size = 1024 # (change requires restart)
stats_temp_directory = '/var/run/postgresql/{{ postgresql.version }}-main.pg_stat_tmp'
# - Monitoring -
#log_parser_stats = off
#log_planner_stats = off
#log_executor_stats = off
#log_statement_stats = off
#------------------------------------------------------------------------------
# AUTOVACUUM
#------------------------------------------------------------------------------
#autovacuum = on # Enable autovacuum subprocess? 'on'
# requires track_counts to also be on.
#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
# their durations, > 0 logs only
# actions running at least this number
# of milliseconds.
#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
# (change requires restart)
#autovacuum_naptime = 1min # time between autovacuum runs
#autovacuum_vacuum_threshold = 50 # min number of row updates before
# vacuum
#autovacuum_analyze_threshold = 50 # min number of row updates before
# analyze
#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
# (change requires restart)
#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age
# before forced vacuum
# (change requires restart)
#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for
# autovacuum, in milliseconds;
# -1 means use vacuum_cost_delay
#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
# autovacuum, -1 means use
# vacuum_cost_limit
#------------------------------------------------------------------------------
# CLIENT CONNECTION DEFAULTS
#------------------------------------------------------------------------------
# - Statement Behavior -
#client_min_messages = notice # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# log
# notice
# warning
# error
#search_path = '"$user", public' # schema names
#row_security = on
#default_tablespace = '' # a tablespace name, '' uses the default
#temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace
#check_function_bodies = on
#default_transaction_isolation = 'read committed'
#default_transaction_read_only = off
#default_transaction_deferrable = off
#session_replication_role = 'origin'
#statement_timeout = 0 # in milliseconds, 0 is disabled
#lock_timeout = 0 # in milliseconds, 0 is disabled
#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled
#vacuum_freeze_min_age = 50000000
#vacuum_freeze_table_age = 150000000
#vacuum_multixact_freeze_min_age = 5000000
#vacuum_multixact_freeze_table_age = 150000000
#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples
# before index cleanup, 0 always performs
# index cleanup
#bytea_output = 'hex' # hex, escape
#xmlbinary = 'base64'
#xmloption = 'content'
#gin_fuzzy_search_limit = 0
#gin_pending_list_limit = 4MB
# - Locale and Formatting -
datestyle = 'iso, dmy'
#intervalstyle = 'postgres'
timezone = 'Europe/Paris'
#timezone_abbreviations = 'Default' # Select the set of available time zone
# abbreviations. Currently, there are
# Default
# Australia (historical usage)
# India
# You can create your own file in
# share/timezonesets/.
#extra_float_digits = 1 # min -15, max 3; any value >0 actually
# selects precise output mode
#client_encoding = sql_ascii # actually, defaults to database
# encoding
# These settings are initialized by initdb, but they can be changed.
lc_messages = 'en_US.UTF-8'
lc_monetary = 'en_US.UTF-8'
lc_numeric = 'en_US.UTF-8'
lc_time = 'en_US.UTF-8'
# default configuration for text search
default_text_search_config = 'pg_catalog.french'
# - Shared Library Preloading -
#shared_preload_libraries = '' # (change requires restart)
#local_preload_libraries = ''
#session_preload_libraries = ''
#jit_provider = 'llvmjit' # JIT library to use
# - Other Defaults -
#dynamic_library_path = '$libdir'
#------------------------------------------------------------------------------
# LOCK MANAGEMENT
#------------------------------------------------------------------------------
#deadlock_timeout = 1s
#max_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_relation = -2 # negative values mean
# (max_pred_locks_per_transaction
# / -max_pred_locks_per_relation) - 1
#max_pred_locks_per_page = 2 # min 0
#------------------------------------------------------------------------------
# VERSION AND PLATFORM COMPATIBILITY
#------------------------------------------------------------------------------
# - Previous PostgreSQL Versions -
#array_nulls = on
#backslash_quote = safe_encoding # on, off, or safe_encoding
#default_with_oids = off
#escape_string_warning = on
#lo_compat_privileges = off
#operator_precedence_warning = off
#quote_all_identifiers = off
#standard_conforming_strings = on
#synchronize_seqscans = on
# - Other Platforms and Clients -
#transform_null_equals = off
#------------------------------------------------------------------------------
# ERROR HANDLING
#------------------------------------------------------------------------------
#exit_on_error = off # terminate session on any error?
#restart_after_crash = on # reinitialize after backend crash?
#data_sync_retry = off # retry or panic on failure to fsync
# data?
# (change requires restart)
#------------------------------------------------------------------------------
# CONFIG FILE INCLUDES
#------------------------------------------------------------------------------
# These options allow settings to be loaded from files other than the
# default postgresql.conf. Note that these are directives, not variable
# assignments, so they can usefully be given more than once.
include_dir = 'conf.d' # include files ending in '.conf' from
# a directory, e.g., 'conf.d'
#include_if_exists = '...' # include file only if it exists
#include = '...' # include file
#------------------------------------------------------------------------------
# CUSTOMIZED OPTIONS
#------------------------------------------------------------------------------
# Add settings for extensions here
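Review bot: `password_encryption` is left at its commented default `md5` while the server is made reachable on every interface by `listen_addresses = '0.0.0.0, ::'`; since the config already uses parameters from a SCRAM-capable release, I would set `password_encryption = scram-sha-256` explicitly (existing md5 passwords must be reset afterwards and clients need a SCRAM-capable libpq — confirm before switching). The TLS material is the snakeoil self-signed pair (`ssl_cert_file`/`ssl_key_file`), which encrypts but gives clients nothing to verify; a comment stating that this is deliberate, or pointing at the letsencrypt material used elsewhere in the repo, would avoid the question on the next review. Minor: the comments around `external_pid_file` are out of order (`# write an extra PID file` follows the setting it describes) and the `# use data in another directory` comment sits above `data_directory` where the Debian original had it inline.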


@ -55,6 +55,28 @@
content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}"
dest: /etc/prometheus/targets_unifi_snmp.json
mode: 0644
when: prometheus_unifi_snmp_targets is defined
- name: Configure Prometheus Switchs
copy:
content: "{{ prometheus_switch_snmp_targets | to_nice_json }}"
dest: /etc/prometheus/targets_switch_snmp.json
mode: 0644
when: prometheus_switch_snmp_targets is defined
- name: Configure Prometheus UPS SNMP devices
copy:
content: "{{ [{'targets': prometheus_ups_snmp_targets }] | to_nice_json }}\n"
dest: /etc/prometheus/targets_ups_snmp.json
mode: 0644
when: prometheus_ups_snmp_targets is defined
- name: Configure Prometheus docker monitoring
copy:
content: "{{ [{'targets': prometheus_docker_targets }] | to_nice_json }}\n"
dest: /etc/prometheus/targets_docker.json
mode: 0644
when: prometheus_docker_targets is defined
- name: Activate prometheus service
systemd:
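Review bot: The new `Configure Prometheus Switchs` task writes `prometheus_switch_snmp_targets | to_nice_json` as-is, whereas the UPS and docker tasks added next to it wrap the variable in `[{'targets': …}]`; Prometheus file_sd expects a list of target groups, so the switch variable must already be in that shape while the other two are plain address lists. That is an easy trap for whoever fills the inventory; either unify the three on one convention or add a comment above the switch task, e.g. `# prometheus_switch_snmp_targets is already a file_sd target-group list`. Also the task name reads "Switchs"; `- name: Configure Prometheus switches` fixes it.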


@ -22,7 +22,7 @@ groups:
labels:
severity: warning
annotations:
summary: "Mémoire libre de {{ $labels.instance }} à {{ $value }}%."
summary: "Mémoire libre de {{ $labels.instance }} à {{ humanize $value }}%."
# Alert for out of disk space
- alert: OutOfDiskSpace
@ -31,7 +31,7 @@ groups:
labels:
severity: warning
annotations:
summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.instance }} à {{ $value }}%."
summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.instance }} à {{ humanize $value }}%."
# Alert for out of inode space on disk
- alert: OutOfInodes
@ -49,7 +49,7 @@ groups:
labels:
severity: warning
annotations:
summary: "CPU sur {{ $labels.instance }} à {{ $value }}%."
summary: "CPU sur {{ $labels.instance }} à {{ humanize $value }}%."
# Check systemd unit (> buster)
- alert: SystemdServiceFailed
@ -59,4 +59,80 @@ groups:
severity: warning
annotations:
summary: "{{ $labels.name }} a échoué sur {{ $labels.instance }}"
# Check load of instance
- alert: LoadUsage
expr: node_load1 > 5
for: 2m
labels:
severity: warning
annotations:
summary: "La charge de {{ $labels.instance }} est à {{ $value }} !"
# Check UPS
- alert: UpsOutputSourceChanged
expr: upsOutputSource != 3
for: 1m
labels:
severity: warning
annotations:
summary: "La source d'alimentation de {{ $labels.instance }} a changé !"
- alert: UpsBatteryStatusWarning
expr: upsBatteryStatus == 3
for: 2m
labels:
severity: warning
annotations:
summary: "L'état de la batterie de {{ $labels.instance }} est faible !"
- alert: UpsBatteryStatusCritical
expr: upsBatteryStatus == 4
for: 10m
labels:
severity: warning
annotations:
summary: "L'état de la batterie de {{ $labels.instance }} est affaibli !"
- alert: UpsHighLoad
expr: upsOutputPercentLoad > 70
for: 5m
labels:
severity: critical
annotations:
summary: "La charge de {{ $labels.instance }} est de {{ $value }}% !"
- alert: UpsWrongInputVoltage
expr: (upsInputVoltage < 210) or (upsInputVoltage > 250)
for: 10m
labels:
severity: warning
annotations:
summary: "La tension d'entrée de {{ $labels.instance }} est de {{ $value }}V."
- alert: UpsWrongOutputVoltage
expr: (upsOutputVoltage < 220) or (upsOutputVoltage > 240)
for: 10m
labels:
severity: warning
annotations:
summary: "La tension de sortie de {{ $labels.instance }} est de {{ $value }}V."
- alert: UpsTimeRemainingWarning
expr: upsEstimatedMinutesRemaining < 15
for: 1m
labels:
severity: warning
annotations:
summary: "L'autonomie restante sur {{ $labels.instance }} est de {{ $value }} min."
- alert: UpsTimeRemainingCritical
expr: upsEstimatedMinutesRemaining < 5
for: 1m
labels:
severity: critical
annotations:
summary: "L'autonomie restante sur {{ $labels.instance }} est de {{ $value }} min."
{% endraw %}
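Review bot: `UpsBatteryStatusCritical` is labelled `severity: warning` although its name and its sibling `UpsTimeRemainingCritical` (which uses `critical`) suggest otherwise, and with `for: 10m` a depleted battery will page nobody urgently; `severity: critical` looks intended. The UPS expressions compare against bare enum values; a comment above the block would make them reviewable, e.g. `# upsOutputSource (RFC 1628): 3 = normal; upsBatteryStatus: 2 = normal, 3 = low, 4 = depleted`. The `humanize` function added to the memory, disk and CPU summaries is not applied to the new `LoadUsage` and `UpsHighLoad` summaries, so those will print unrounded floats.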


@ -8,7 +8,7 @@ global:
# Attach these labels to any time series or alerts when communicating with
# external systems (federation, remote storage, Alertmanager).
external_labels:
monitor: 'example'
federated_instance: '{{ inventory_hostname }}'
# Alertmanager configuration
# Use prometheus alertmanager installed on the same machine
@ -65,3 +65,38 @@ scrape_configs:
scheme: https
static_configs:
- targets: []
- job_name: ups_snmp
file_sd_configs:
- files:
- '/etc/prometheus/targets_ups_snmp.json'
metrics_path: /snmp
params:
module: [eatonups]
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: 127.0.0.1:9116
- job_name: switch_snmp
file_sd_configs:
- files:
- "/etc/prometheus/targets_switch_snmp.json"
metrics_path: /snmp
params:
module: [procurve_switch]
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: 127.0.0.1:9116
- job_name: docker
file_sd_configs:
- files:
- '/etc/prometheus/targets_docker.json'
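Review bot: The external label introduced at the top of the section, `federated_instance: '{{ inventory_hostname }}'`, does not match the federating server's template later in this PR, which sets `monitor: '{{ ansible_fqdn }}'`, so the two ends of the federation name their origin label differently; pick one name (for example `federated_instance` on both sides) so rules and dashboards can select on it uniformly. Anything that selected on the old `monitor: 'example'` value will also stop matching after this change, which deserves a line in the PR description. The `ups_snmp` and `switch_snmp` jobs repeat the same three `relabel_configs` entries; acceptable, but a YAML anchor or Jinja macro would keep them in step if a third SNMP job is added. The `docker` job at the end of the section is cut off in this rendering and was not reviewed.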


@ -1,4 +1,6 @@
# {{ ansible_managed }}
---
{{ ansible_managed | comment }}
# TODOlist :
# - Faire fonctionner le monitoring des switchs défini ici
# * Configurer tous les switchs avec un compte SNMPv3
@ -6,48 +8,144 @@
# - Optimiser les règles pour les bornes Unifi,
# on pourrait indexer avec les SSID
procurve_switch:
eatonups:
walk:
- 1.3.6.1.2.1.31.1.1.1.10
- 1.3.6.1.2.1.31.1.1.1.6
- 1.3.6.1.2.1.33.1.2
- 1.3.6.1.2.1.33.1.3
- 1.3.6.1.2.1.33.1.4
- 1.3.6.1.4.1.534.1.6
get:
- 1.3.6.1.2.1.1.3.0
- 1.3.6.1.2.1.1.5.0
- 1.3.6.1.2.1.1.6.0
metrics:
- name: sysUpTime
oid: 1.3.6.1.2.1.1.3
type: gauge
help: The time (in hundredths of a second) since the network management portion
of the system was last re-initialized. - 1.3.6.1.2.1.1.3
- name: sysName
oid: 1.3.6.1.2.1.1.5
type: DisplayString
help: An administratively-assigned name for this managed node - 1.3.6.1.2.1.1.5
- name: sysLocation
oid: 1.3.6.1.2.1.1.6
type: DisplayString
help: The physical location of this node (e.g., 'telephone closet, 3rd floor')
- 1.3.6.1.2.1.1.6
- name: ifHCOutOctets
oid: 1.3.6.1.2.1.31.1.1.1.10
type: counter
help: The total number of octets transmitted out of the interface, including framing
characters - 1.3.6.1.2.1.31.1.1.1.10
- name: upsBatteryStatus
oid: 1.3.6.1.2.1.33.1.2.1
type: gauge
help: The indication of the capacity remaining in the UPS system's batteries -
1.3.6.1.2.1.33.1.2.1
- name: upsEstimatedMinutesRemaining
oid: 1.3.6.1.2.1.33.1.2.3
type: gauge
help: An estimate of the time to battery charge depletion under the present load
conditions if the utility power is off and remains off, or if it were to be
lost and remain off. - 1.3.6.1.2.1.33.1.2.3
- name: upsInputVoltage
oid: 1.3.6.1.2.1.33.1.3.3.1.3
type: gauge
help: The magnitude of the present input voltage. - 1.3.6.1.2.1.33.1.3.3.1.3
indexes:
- labelname: ifIndex
- labelname: upsInputLineIndex
type: gauge
- name: ifHCInOctets
oid: 1.3.6.1.2.1.31.1.1.1.6
type: counter
help: The total number of octets received on the interface, including framing
characters - 1.3.6.1.2.1.31.1.1.1.6
- name: upsOutputSource
oid: 1.3.6.1.2.1.33.1.4.1
type: gauge
help: The present source of output power - 1.3.6.1.2.1.33.1.4.1
- name: upsOutputVoltage
oid: 1.3.6.1.2.1.33.1.4.4.1.2
type: gauge
help: The present output voltage. - 1.3.6.1.2.1.33.1.4.4.1.2
indexes:
- labelname: ifIndex
- labelname: upsOutputLineIndex
type: gauge
version: 3
- name: upsOutputPower
oid: 1.3.6.1.2.1.33.1.4.4.1.4
type: gauge
help: The present output true power. - 1.3.6.1.2.1.33.1.4.4.1.4
indexes:
- labelname: upsOutputLineIndex
type: gauge
- name: upsOutputPercentLoad
oid: 1.3.6.1.2.1.33.1.4.4.1.5
type: gauge
help: The percentage of the UPS power capacity presently being used on this output
line, i.e., the greater of the percent load of true power capacity and the percent
load of VA. - 1.3.6.1.2.1.33.1.4.4.1.5
indexes:
- labelname: upsOutputLineIndex
type: gauge
- name: xupsEnvRemoteTemp
oid: 1.3.6.1.4.1.534.1.6.5
type: gauge
help: The reading of an EMP's temperature sensor. - 1.3.6.1.4.1.534.1.6.5
- name: xupsEnvRemoteHumidity
oid: 1.3.6.1.4.1.534.1.6.6
type: gauge
help: The reading of an EMP's humidity sensor. - 1.3.6.1.4.1.534.1.6.6
version: 1
auth:
username: prometheus
community: public
procurve_switch:
walk:
- 1.3.6.1.2.1.31.1.1.1.10
- 1.3.6.1.2.1.31.1.1.1
- 1.3.6.1.2.1.2.2.1.2
- 1.3.6.1.2.1.31.1.1.1.18
get:
- 1.3.6.1.2.1.1.3.0
- 1.3.6.1.2.1.1.5.0
- 1.3.6.1.2.1.1.6.0
metrics:
- name: sysUpTime
oid: 1.3.6.1.2.1.1.3
type: gauge
help: The time (in hundredths of a second) since the network management
portion of the system was last re-initialized. - 1.3.6.1.2.1.1.3
- name: sysName
oid: 1.3.6.1.2.1.1.5
type: DisplayString
help: An administratively-assigned name for this managed node
- 1.3.6.1.2.1.1.5
- name: sysLocation
oid: 1.3.6.1.2.1.1.6
type: DisplayString
help: The physical location of this node (e.g., 'telephone closet, 3rd
floor') - 1.3.6.1.2.1.1.6
- name: ifHCOutOctets
oid: 1.3.6.1.2.1.31.1.1.1.10
type: counter
help: The total number of octets transmitted out of the interface,
including framing characters - 1.3.6.1.2.1.31.1.1.1.10
indexes:
- labelname: ifIndex
type: gauge
lookups:
- labels:
- ifIndex
labelname: ifDescr
oid: 1.3.6.1.2.1.2.2.1.2
type: DisplayString
- labels:
- ifIndex
labelname: ifName
oid: 1.3.6.1.2.1.31.1.1.1.1
type: DisplayString
- name: ifHCInOctets
oid: 1.3.6.1.2.1.31.1.1.1.6
type: counter
help: The total number of octets received on the interface, including
framing characters - 1.3.6.1.2.1.31.1.1.1.6
indexes:
- labelname: ifIndex
type: gauge
lookups:
- labels:
- ifIndex
labelname: ifDescr
oid: 1.3.6.1.2.1.2.2.1.2
type: DisplayString
- labels:
- ifIndex
labelname: ifName
oid: 1.3.6.1.2.1.31.1.1.1.1
type: DisplayString
version: 2
auth:
community: "{{ snmp_switch_community }}"
ubiquiti_unifi:
walk:
@ -90,13 +188,31 @@ ubiquiti_unifi:
indexes:
- labelname: unifiVapIndex
type: gauge
- name: unifiVapNumStations
- name: unifi_vap_num_stations
oid: 1.3.6.1.4.1.41112.1.6.1.2.1.8
type: gauge
help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.8'
indexes:
- labelname: unifiVapIndex
- labelname: unifi_vap_index
type: gauge
lookups:
- labels: [unifi_vap_index]
labelname: unifi_vap_essid
oid: 1.3.6.1.4.1.41112.1.6.1.2.1.6
type: DisplayString
- labels: [unifi_vap_index]
labelname: unifi_vap_radio
oid: 1.3.6.1.4.1.41112.1.6.1.2.1.9
type: DisplayString
- labels: []
labelname: unifi_vap_index
# - name: unifiVapNumStations
# oid: 1.3.6.1.4.1.41112.1.6.1.2.1.8
# type: gauge
# help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.8'
# indexes:
# - labelname: unifiVapIndex
# type: gauge
- name: unifiVapRadio
oid: 1.3.6.1.4.1.41112.1.6.1.2.1.9
type: DisplayString
@ -295,3 +411,4 @@ ubiquiti_unifi:
auth_protocol: SHA
priv_protocol: AES
priv_password: {{ snmp_unifi_password }}
...
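Review bot: The new `eatonups` module polls the UPS with `version: 1` and the default community `public` (the `auth:` block at the end of the module), whereas the `procurve_switch` module right below it uses a vaulted `{{ snmp_switch_community }}` and `ubiquiti_unifi` uses SNMPv3 with SHA/AES; `public` is the well-known default and SNMPv1/v2c send it in cleartext, so anyone on that segment can read the UPS and already has the usual first guess for a write community. Move the community into the vault and use v2c like the switches, `version: 2` and `community: "{{ snmp_ups_community }}"`, or v3 if the Eaton network card supports it. The `username: prometheus` entry has no effect below v3 and should be dropped so the file does not suggest an authenticated session. Unrelated to this change but in the same file, `priv_password: {{ snmp_unifi_password }}` at the very end is unquoted; if the secret begins with a YAML indicator or contains ` #`, the rendered snmp.yml will not parse, so `priv_password: "{{ snmp_unifi_password }}"` is safer.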


@ -0,0 +1,5 @@
---
- name: Restart Prometheus
service:
name: prometheus
state: restarted


@ -0,0 +1,46 @@
---
- name: Install Prometheus
apt:
update_cache: true
name:
- prometheus
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure Prometheus
template:
src: prometheus/prometheus.yml.j2
dest: /etc/prometheus/prometheus.yml
mode: 0644
notify: Restart Prometheus
- name: Configure Prometheus alert rules
template:
src: "prometheus/{{ item }}.j2"
dest: "/etc/prometheus/{{ item }}"
mode: 0644
notify: Restart Prometheus
loop:
- alert.rules.yml
# We don't need to restart Prometheus when updating nodes
- name: Configure Prometheus Federate devices
copy:
content: "{{ [{'targets': prometheus_targets }] | to_nice_json }}"
dest: /etc/prometheus/targets.json
mode: 0644
when: prometheus_targets is defined
- name: Activate prometheus service
systemd:
name: prometheus
enabled: true
state: started
- name: Indicate role in motd
template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-prometheus
mode: 0755
...
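Review bot: The two `template` tasks that write `prometheus.yml` and `alert.rules.yml` notify a restart without validating the rendered file, so a Jinja typo in either template takes the federating Prometheus down until someone fixes it by hand. Add `validate: promtool check rules %s` to the rules task; `promtool check config %s` is harder to apply to the main config because `rule_files` is resolved relative to the temporary copy that `validate` hands it, so it would need the rule file alongside or an absolute path. Quote the file modes (`mode: "0644"`, `mode: "0755"`) — the string form is the one Ansible recommends and the one ansible-lint's octal-mode rule expects. A full restart on every config change also drops in-flight scrapes and leaves a gap; if the packaged unit exposes `reload` (SIGHUP re-reads both config and rules) — verify on the target Debian release — `state: reloaded` in the handler would be gentler.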


@ -0,0 +1,16 @@
---
{{ ansible_managed | comment }}
groups:
- name: alert.rules
rules:
- alert: FederateInstanceDown
expr: up{job="federate"} == 0
for: 3m
labels:
severity: critical
annotations:
summary: >-
Federate : {{ "{{" }} $labels.instance {{ "}}" }} est invisible
depuis plus de 3 minutes !
...
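Review bot: The Jinja escape `{{ "{{" }} $labels.instance {{ "}}" }}` in the summary is correct but hard to read, and the other alert-rules template in this PR wraps its rule bodies in `{% raw %}`…`{% endraw %}` instead; doing the same here (`{% raw %}` before `groups:`, `{% endraw %}` after the last rule) keeps the two templates consistent and lets the Prometheus template syntax be written as-is. The `for: 3m` window combined with the 30 s federate scrape interval means six missed scrapes before the alert fires, which is sensible for a federation link; a one-line comment stating that intent would stop someone tightening it by accident.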


@ -0,0 +1,41 @@
---
{{ ansible_managed | comment }}
global:
external_labels:
monitor: '{{ ansible_fqdn }}'
alerting:
alertmanagers:
- static_configs:
- targets: ['{{ prometheus_alertmanager }}']
rule_files:
- 'alert.rules.yml'
scrape_configs:
- job_name: federate
scrape_interval: 30s
metrics_path: '/federate'
honor_labels: true
honor_timestamps: true
file_sd_configs:
- files:
- '/etc/prometheus/targets.json'
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: __address__
replacement: '$1:9090'
params:
match[]:
- '{job="servers"}'
- '{job="prometheus"}'
- '{job="unifi_snmp"}'
- '{job="django"}'
- '{job="ups_snmp"}'
- '{job="django"}'
- '{job="docker"}'
- '{job="switch_snmp"}'
...
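Review bot: The `match[]` list contains `'{job="django"}'` twice; the duplicate is harmless to Prometheus but reads as a copy-paste slip and hides whether another job was meant, so drop one entry or replace it with the intended job. The relabel chain `__address__` → `__param_target` → `__address__` also sends a `target=` query parameter to `/federate` that Prometheus ignores; a single rule, `source_labels: [__address__]`, `target_label: __address__`, `replacement: '$1:9090'`, does the same job. Neither the alertmanager target `'{{ prometheus_alertmanager }}'` nor the federate scrapes set `scheme`, TLS or auth, so both travel in plain HTTP; that is fine if every hop stays on the management VLAN (not visible from here), otherwise the metrics and alerts are readable in transit.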


@ -0,0 +1,4 @@
#!/bin/sh
# {{ ansible_managed }}
echo "> prometheus a été déployé sur cette machine."
echo " Voir /etc/prometheus/"


@ -106,12 +106,11 @@
- name: Install radius requirements (except freeradius-python3)
shell:
cmd: "{{ item }}"
cmd: "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
chdir: /var/www/re2o/
loop:
- "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
- "pip3 install -r pip_requirements.txt"
- name: Install PyPi requirements for radius
command: "pip3 install -r /var/www/re2o/pip_requirements.txt"
# End of hideousness (hopefully).
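Review bot: The rewritten `cmd` runs `cat … | grep -v … | xargs apt-get -y install` under the default `/bin/sh`, so a failing `cat` or `grep` is masked by the exit status of `xargs`, and the task re-runs (and reports changed) on every play. Prefix the command with `set -o pipefail &&` and add `executable: /bin/bash` under `args:`, or avoid the pipe altogether by `slurp`-ing the requirements file and feeding the filtered list to the `apt` module, which also restores idempotence. The second task installs `pip_requirements.txt` from PyPI as root on every run; if that file is not version-pinned, each run can pull a different package set onto the RADIUS host, so pinning (ideally with hashes) is worth checking. The task list these two tasks belong to continues outside the hunk.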


@ -30,11 +30,19 @@
mode: 0644
when: "'routeur-aurore' in ansible_hostname"
- name: Install ipset
apt:
name: ipset
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Install aurore-firewall (re2o-service)
import_role:
name: re2o-service
name: re2o_service
vars:
service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git
service_repo: https://gitea.auro.re/Aurore/aurore-firewall.git
service_name: aurore-firewall
service_version: aurore
service_config:
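Review bot: The `aurore-firewall` checkout is pinned only by `service_version: aurore`, which reads like a branch rather than a tag or commit; if it is a branch, every run of this role deploys whatever that branch's head is at that moment onto the routers, so a single push to the firewall repository changes production filtering with no review in this repository. If the `re2o_service` role accepts a commit SHA or tag in `service_version` (not visible from this hunk), pin one and bump it deliberately. The new `apt` task for `ipset` follows the retry pattern used elsewhere in the PR, which is fine; the `service_config` mapping it feeds continues below the hunk.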


@ -31,7 +31,7 @@ role = ['routeur']
### Specify each interface role
interfaces_type = {
'routable' : ['ens20', 'ens21'],
'routable' : ['ens20', 'ens21', 'ens23'],
'sortie' : ['ens19'],
'admin' : ['ens18']
}
@ -57,9 +57,53 @@ nat = [
},
'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',
'extra_nat' : {
'10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{
'ens19': {
'10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{
apartment_block_id }}',
'10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}'
'10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}',
},
}
},
{
'name': 'Accueil',
'ip_sources': '10.{{ subnet_ids.users_accueil }}.0.0/16',
'extra_nat': {
'ens19': {
'10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{ apartment_block_id }}',
'10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}',
},
'ens23' : {
'10.{{ subnet_ids.users_accueil }}.1.0/24': '10.{{ subnet_ids.users_accueil }}.0.240',
'10.{{ subnet_ids.users_accueil }}.2.0/24': '10.{{ subnet_ids.users_accueil }}.0.240',
},
},
'extra_nat_group': {
'ens19': 'accueil_ens23_allowed',
},
},
]
# ATTENTION: on doit avoir retry ≥ grace
# ATTENTION: il faut que ip_redirect gère tous les ports
# autorisés dans le profile re2o, sinon on laisse sortir
# du trafic
accueils = [
{
'iface': 'ens23',
'grace_period': 1800,
'retry_period': 86400,
'ip_sources': [
'10.{{ subnet_ids.users_accueil }}.1.0/24',
'10.{{ subnet_ids.users_accueil }}.2.0/24',
],
'ip_redirect': {
"tcp": {
"10.{{ subnet_ids.users_accueil }}.0.247": ["80", "443"],
}
},
'triggers': [
('4', 'tcp', '46.255.53.35', 443), # ComNPay
('4', 'tcp', '46.255.53.35', 80),
]
}
]
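Review bot: The comment above `accueils` warns that `ip_redirect` must cover every port the re2o profile allows or traffic escapes, yet the redirect only lists tcp 80 and 443 to the portal host; any UDP the pre-auth profile lets through (53 for DNS, or 443/udp which browsers try first for QUIC on many sites) would bypass the captive portal exactly as the comment predicts. Confirm the accueil profile permits nothing beyond tcp/80 and tcp/443 before authentication, or add matching `"udp"` entries to `ip_redirect`, and record the decision in the comment. The `triggers` list hard-codes the ComNPay address `46.255.53.35` on both 443 and 80; a provider IP change breaks payment silently, so a note on how that address is verified, and whether the port-80 entry is still needed once the payment page redirects to HTTPS, would help the next maintainer. The `nat` list this section edits begins above the hunk.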


@ -41,9 +41,11 @@ nat = [
{
'name' : 'AdminVlans',
'extra_nat' : {
'10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}',
'10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
'10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}'
'ens18': {
'10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}',
'10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
'10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
},
}
}
]


@ -50,6 +50,9 @@ vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 {
# Wifi
10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
# Accueil
10.{{ subnet_ids.users_accueil }}.0.254/16 brd 10.{{ subnet_ids.users_accueil }}.255.255 dev ens23 scope global
}


@ -23,12 +23,14 @@ server:
interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix }}
# IPv6
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }}
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }}
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }}
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_accueil }}::0:{{ dns_host_suffix }}
# By default, anything other than localhost is refused.
@ -36,12 +38,11 @@ server:
access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_accueil }}.0.0/16 allow
access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :)
num-threads: {{ ansible_processor_vcpus }}
private-address: 10.0.0.0/8
# The host cache TTL affects blacklisting of supposedly bogus hosts.
# The default was 900 (15 minutes).
infra-host-ttl: 60
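Review bot: The new `access-control: 10.{{ subnet_ids.users_accueil }}.0.0/16 allow` gives not-yet-authenticated accueil clients full recursive resolution, which is the classic captive-portal bypass (tunnelling over DNS through the resolver) unless the router also blocks or redirects UDP/53 for that subnet before authentication; the accueil firewall config in this PR only redirects tcp 80/443, so this is worth confirming. If pre-auth clients only need to reach the portal, a `local-zone` answering just that name, or an `access-control` tied to the post-authentication ipset, would close it. The added `interface:` lines for accueil on IPv4 and IPv6 follow the pattern of the other subnets and look right; the hunk header shows lines were removed in the second hunk that this rendering does not identify, so those were not reviewed.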


@ -10,8 +10,19 @@
roles:
- passbolt
# Deploy reverse proxy
- hosts: proxy*.adm.auro.re
- hosts: reverseproxy
vars:
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
reverseproxy: '{{ glob_reverseproxy | default({}) | combine(loc_reverseproxy | default({})) }}'
roles:
- certbot
- nginx_reverseproxy
- nginx
- hosts: nginx,!reverseproxy
vars:
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
roles:
- certbot
- nginx
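Review bot: The `nginx` and `reverseproxy` vars are built with `combine()` in its default shallow mode, so if `glob_nginx`/`loc_nginx` (or the reverseproxy dicts) contain nested mappings — per-site or per-vhost settings are the usual shape — a host-local override replaces the whole nested branch rather than merging into it, silently dropping global keys. If a merge is intended, use `combine(loc_nginx | default({}), recursive=True)` in both plays; if replacement is intended, say so in a comment. `certbot` instead falls through `loc_certbot`, then `glob_certbot`, then `[]` without combining, which suits a list but is a different precedence rule from the two dicts and deserves a one-line comment. The two plays repeat the same var definitions; a `group_vars` entry would keep them in one place.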


@ -1,5 +0,0 @@
#!/bin/bash
for ip in `cat hosts|grep pacaterie.adm.auro.re`; do
ssh-copy-id $ip
done

4
utils/README.md Normal file

@ -0,0 +1,4 @@
# Utils
A repository of Ansible Playbooks that are useful, as little script or various
utilities, but not used in production.

13
utils/re2o_mail_server.yml Executable file

@ -0,0 +1,13 @@
---
# Deploy Re2o mail service
- hosts: mail.auro.re
vars:
service_repo: https://gitea.auro.re/aurore/re2o-mail-server.git
service_name: mail-server
service_version: aurore
service_config:
hostname: re2o-test.adm.auro.re # use test instance for now, should be changed for prod!
username: service-user
password: "{{ vault_serviceuser_passwd }}"
roles:
- re2o-service
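Review bot: The play lists `- re2o-service` under `roles:`, while the router role in this same PR now uses `import_role: name: re2o_service`; once the role directory carries the new name this utility playbook fails with an unknown role, so change it to `- re2o_service`. The `hostname: re2o-test.adm.auro.re` with its inline "should be changed for prod" comment means the `service-user` credentials are presented to the test instance; if test and prod share `vault_serviceuser_passwd`, a production secret is being sent to a non-production host, which should be either separated or called out in the comment. The play targets `mail.auro.re` rather than an `.adm.auro.re` name like the other plays in the PR, which may be deliberate but is worth a word.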

31
utils/reboot_needed_check.yml Executable file

@ -0,0 +1,31 @@
#!/usr/bin/env ansible-playbook
---
# Check if a reboot is required by the installation of some packages (ie kernel)
- hosts: localhost
tasks:
- name: Make sure local file exist but is empty # weird hack, I know
copy:
dest: /tmp/ansible_dump_reboot_needed.txt
content: ""
force: true
mode: 0644
- hosts: all,!unifi,!escalope.adm.auro.re,!loki.adm.auro.re,!viviane.adm.auro.re,!vpn-ovh.adm.auro.re
tasks:
# Register the output of the file /var/run/reboot-required.pkgs
- name: Register if boot is required
shell: if [ -e /var/run/reboot-required.pkgs ]; then cat /var/run/reboot-required.pkgs; fi
register: result
- name: DEBUG
debug:
msg: "{{ ansible_facts['nodename'] }} : {{ result.stdout }}"
when: result.stdout is defined
# Add info line by line
- name: Dump all info into the local file
delegate_to: localhost
lineinfile:
path: /tmp/ansible_dump_reboot_needed.txt
line: "{{ ansible_facts['nodename'] }} : {{ result.stdout }}"
when: result.stdout is defined
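Review bot: The `lineinfile` task is delegated to `localhost` from every host in the play, so with the default five forks several hosts read-modify-write `/tmp/ansible_dump_reboot_needed.txt` concurrently and lines can be lost; add `throttle: 1` to that task, or collect the results in a `run_once` task that loops over `hostvars`. The output is a fixed name in world-writable `/tmp` on the controller, so any local user there can pre-create the file (or a symlink) and read or redirect the report; writing under the playbook directory or a `tempfile`-created path avoids that. Note that the sibling `utils/version_check.yml` in this PR truncates this same file in its first play while writing its own results elsewhere, so running the two back to back wipes this report. The `shell` probe should carry `changed_when: false`, and `when: result.stdout is defined` is always true after `register`; if the intent is to skip hosts with nothing to report, test `result.stdout | length > 0`.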

21
utils/version_check.yml Executable file

@ -0,0 +1,21 @@
#!/usr/bin/env ansible-playbook
---
# Check for the distribution
- hosts: localhost
tasks:
- name: Make sure local file exist but is empty # weird hack, I know
copy:
dest: /tmp/ansible_dump_reboot_needed.txt
content: ""
force: true
mode: 0644
- hosts: all,!unifi
tasks:
# Add info line by line
- name: Dump all info into the local file
delegate_to: localhost
lineinfile:
path: /tmp/ansible_dump_dist_version.txt
line: "[{{ ansible_facts['nodename'] }}] {{ ansible_fqdn }} : {{
ansible_distribution }} {{ ansible_distribution_version }}"