Fix: keep the logs for 90 days #36
89 changed files with 2515 additions and 464 deletions
|
@ -1,7 +1,10 @@
|
|||
skip_list:
|
||||
- '301'
|
||||
- no-changed-when
|
||||
- load-failure
|
||||
- document-start
|
||||
|
||||
warn_list:
|
||||
- '305' # Use shell only when shell functionality is required
|
||||
- '503' # Tasks that run when changed should likely be handlers
|
||||
- experimental # all rules tagged as experimental
|
||||
|
||||
exclude_paths:
|
||||
- group_vars/all/vault.yml
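Review bot: In the new skip_list, `'301'` and `no-changed-when` appear to name the same rule — ansible-lint 5 (the version this PR's docker-ansible-lint/Dockerfile pins) kept the numeric ids only as legacy aliases of the named rules, so one of the two entries is redundant; keep `no-changed-when` and drop `'301'`, and likewise prefer the named forms for `'305'` and `'503'` in warn_list. The skip_list entries also carry no explanation, unlike the warn_list ones; a comment per entry such as `- load-failure  # vault.yml cannot be parsed without the vault password` makes the intent auditable, and `load-failure` may no longer be needed now that `group_vars/all/vault.yml` is in exclude_paths. Which of these lines are new versus context is not recoverable from the rendered page, so the placement is inferred.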
|
||||
|
|
15
.drone.yml
15
.drone.yml
|
@ -4,16 +4,9 @@ type: docker
|
|||
name: check
|
||||
|
||||
steps:
|
||||
- name: yamllint
|
||||
image: python:3.9-alpine
|
||||
- name: ansible and yaml linting
|
||||
pull: never
|
||||
image: aurore-ansible-lint-image
|
||||
commands:
|
||||
- pip install yamllint==1.25.0
|
||||
- yamllint -c .yamllint.yml .
|
||||
|
||||
- name: ansible-lint
|
||||
image: python:3.9-alpine
|
||||
commands:
|
||||
- apk add --no-cache gcc libc-dev libffi-dev openssl-dev
|
||||
- pip install ansible-lint==4.3.7
|
||||
- ansible-lint *.yml
|
||||
- ansible-lint
|
||||
...
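Review bot: The new step runs on `image: aurore-ansible-lint-image` with `pull: never`, so the lint result depends on whatever untagged image happens to exist on the runner host and cannot be reproduced or tied to a known ansible-lint version from the repository alone. Tag the image with the pinned tool version when building it and reference that tag here, e.g. `image: aurore-ansible-lint-image:5.0.0`, and add a comment `# built by hand on the runner, see docker-ansible-lint/README.md` so the provenance is findable from the pipeline. The old and new sides of this hunk are not fully recoverable from the rendered page, so which lines are context is inferred.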
|
||||
|
|
|
@ -1,19 +0,0 @@
|
|||
---
|
||||
image: python:3.9-alpine
|
||||
|
||||
stages:
|
||||
- lint
|
||||
|
||||
yamllint:
|
||||
stage: lint
|
||||
script:
|
||||
- pip install yamllint==1.25.0
|
||||
- yamllint -c .yamllint.yml .
|
||||
|
||||
ansible-lint:
|
||||
stage: lint
|
||||
script:
|
||||
- apk add gcc libc-dev libffi-dev openssl-dev
|
||||
- pip install ansible-lint==4.3.7
|
||||
- ansible-lint *.yml
|
||||
...
|
|
@ -6,6 +6,5 @@ rules:
|
|||
max: 120
|
||||
level: warning
|
||||
document-start:
|
||||
ignore: |
|
||||
/groups_var/all/vault.yml
|
||||
ignore: group_vars/all/vault.yml
|
||||
...
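Review bot: The new `ignore: group_vars/all/vault.yml` under `document-start:` says what is ignored but not why; a comment above it, `# vault files start with the $ANSIBLE_VAULT header, so they cannot carry a document-start marker`, records the reason (the vault file in this PR begins with `$ANSIBLE_VAULT;1.1;AES256`). The same path is listed in exclude_paths of .ansible-lint, and the two lists have to be kept in sync by hand, which is worth stating in that comment as well.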
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
[![Linter Status](https://drone.auro.re/api/badges/Aurore/ansible/status.svg)](https://drone.auro.re/Aurore/ansible)
|
||||
|
||||
# Recettes Ansible d'Aurore
|
||||
|
||||
Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore.
|
||||
|
|
7
bdd.yml
Normal file
7
bdd.yml
Normal file
|
@ -0,0 +1,7 @@
|
|||
#!/usr/bin/env ansible-playbook
|
||||
---
|
||||
# Install and configure bdd servers at Saclay and at OVH
|
||||
- hosts: bdd
|
||||
roles:
|
||||
- postgresql_server
|
||||
...
|
8
deploy_postfix_non_mailhost.yml
Normal file
8
deploy_postfix_non_mailhost.yml
Normal file
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
# Deploy a correclty configured postfix on non mailhost servers
|
||||
- hosts: all,!unifi
|
||||
vars:
|
||||
local_network: 10.128.0.0/16
|
||||
relay_host: proxy.adm.auro.re
|
||||
roles:
|
||||
- postfix_non_mailhost
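Review bot: The header comment on the new playbook has a typo, `correclty`; change it to `# Deploy a correctly configured postfix on non mailhost servers`. The comment could also say why `unifi` hosts are excluded from `all,!unifi` and that `relay_host: proxy.adm.auro.re` is the only outbound mail path, since that is what the next person editing the host pattern needs to know; I cannot see the postfix_non_mailhost role, so whether it binds postfix to loopback only is worth confirming there. Indentation is flattened on the rendered page, so the nesting of `vars:` and `roles:` under the play is assumed.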
|
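--- a/docker-ansible-lint/Dockerfile
+++ b/docker-ansible-lint/Dockerfile
@@ -0,0 +1,7 @@
+FROM python:3.9-alpine
+LABEL description="Aurore's docker image for ansible-lint"
+
+RUN apk add --no-cache gcc musl-dev python3-dev libffi-dev openssl-dev cargo
+RUN pip install "yamllint>=1.26.0,<2.0"
+RUN pip install "ansible-lint==5.0.0"
+RUN pip install "ansible>=2.10,<2.11"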
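Review bot: Only ansible-lint is pinned exactly; `yamllint>=1.26.0,<2.0` and `ansible>=2.10,<2.11` float and `FROM python:3.9-alpine` carries no digest, so two builds of this image on different days can lint differently while carrying the same name — and .drone.yml in this PR uses that name with `pull: never`. Pin the three packages to exact versions in one layer, `RUN pip install --no-cache-dir "yamllint==<pinned version>" "ansible-lint==5.0.0" "ansible==<pinned version>"`, and record the versions in the LABEL or a comment so the image can be audited against the CI output. The build toolchain (gcc, cargo, the -dev headers) is only needed to build wheels and stays in the final image; removing it after the install, or using a builder stage, keeps the lint image small, and adding a non-root `USER` for the lint run costs nothing here.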
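--- a/docker-ansible-lint/README.md
+++ b/docker-ansible-lint/README.md
@@ -0,0 +1,18 @@
+# Ansible-lint image
+
+In order to build this image when a new version comes out, you need to
+1. ssh into the `drone.adm.auro.re` server
+2. git pull this repo to the lastest version
+3. optionally make the changes if it has not been done yet
+4. `sudo docker build -t aurore-ansible-lint-image docker-ansible-lint/`
+5. ???
+6. enjoy
+
+You can verify that the image was correclty built by running
+```
+# list the images present
+sudo docker image ls
+
+# run your image with an interactive shell
+sudo docker run -it --rm aurore-ansible-lint-image /bin/sh
+```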
|
@ -20,6 +20,8 @@ ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}"
|
|||
postgresql_services_url: 'services-bdd.adm.auro.re'
|
||||
postgresql_synapse_passwd: "{{ vault_postgresql_synapse_passwd }}"
|
||||
postgresql_codimd_passwd: "{{ vault_postgresql_codimd_passwd }}"
|
||||
postgresql_etherpad_passwd: "{{ vault_postgresql_etherpad_passwd }}"
|
||||
postgresql_kanboard_passwd: "{{ vault_postgresql_kanboard_passwd }}"
|
||||
|
||||
# Scripts will tell users to go there to manage their account
|
||||
intranet_url: 'https://re2o.auro.re/'
|
||||
|
|
|
@ -1,174 +1,186 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
34336231623938346631313932323131336439623837626366646338396137633436646365386639
|
||||
6332383765386235396331373836366230663563376665380a616436373136633933376435653230
|
||||
64333963663436393265666434653164643164616134353665306462326666623530383838343135
|
||||
3531343533656332350a343432336636316131386132306238653736633966363235623833343638
|
||||
38643061383963396466346536343061653034333037393664356661376565643765306462626231
|
||||
39326233363962373839303464333833306532343834306232653731326135653934643836323639
|
||||
36343937626536346331613263663865346634666534646266623061303639626636393230616261
|
||||
32336366356439353738633234326138656464656630303362623664616634306230623538373965
|
||||
32346439306337623737616666353830626630373562366436653131393532313035303836326430
|
||||
64613235646366616533313065396663366434363832333535336631323366336437396664303834
|
||||
30336466313064636565326564356435306136396363373464326534303366323262303732626661
|
||||
38326663313332633530353739346538343434316133343066313530366637376135323564306537
|
||||
65626261303231656432333364333965663065346436626631666466643934623064333163626339
|
||||
32633565303734303862326365336339346133393431636266303530626564326361653230626536
|
||||
32313231373037633134623761663832393666353732613965613436323939343233613433343538
|
||||
37326438383130303861316663396333376662386337353964633930353536653437653061356635
|
||||
35646232343535313130646237643835376162623639333961323964353830653366626438346237
|
||||
36343663346332656537363434396633336161373730663364306239306432343930643230656465
|
||||
37633537616232656661313764626232303535383563353861396431643735326162383866626231
|
||||
61383165613332666537656137636430323332326335323763303537386662646263353539613964
|
||||
37323966306364306436653033393931663239383435613836356164633135306233356364313036
|
||||
39356661613434633930633066646437636535313565356366303732613731333062643231313035
|
||||
65333461396131663764626665393562623030343561313136363964393664376136303839333664
|
||||
65313465623331333538393734373264313562643232666130303930333662616465656432363039
|
||||
66616530336666343861336434633063343561323931323931346132376263376565313366306639
|
||||
64646465303432333136353661323936633965666364356633653861363139616562653834313861
|
||||
63306133613066373462383236613939316130623937643939323134343936356638376335323836
|
||||
39383334656236633037633230313138326238303863623231353465346661663162623138353461
|
||||
33343738613137366364633730346261366564646161373837613865393233663431636361663962
|
||||
38313230363737306265636435353533666262333666383639343364633464396566333433333538
|
||||
39643934646537653234336361613664333434623739353831316531313666396638333136343638
|
||||
33653034366362363562633462303165626333306664326366353334363964663936616430643662
|
||||
30616334326638323133366632663237356238353934323361376237613632396134663536336364
|
||||
39363439326335363437373939353564646663616464663763353931323233316135656634343137
|
||||
34396130386134386331643534353461663963323435656337653032376565313635623231343135
|
||||
34303130316239303065386134663332393938636332363665643832326439653733633231346537
|
||||
63383634333034323434376237663932613638363835393837613632663265616363303233653539
|
||||
61333765313463616665613136303533343230303735626437343635303934613365326166333966
|
||||
66613538393466666630363333643730653239393435616634303430396635383631613439623433
|
||||
36646431393865666162373232343335356366366633633264326639643434396234313863333163
|
||||
63396534623931633833656565396635333133376165613031663831633564663061656131303564
|
||||
61303132666264636139313738643161313134643733633366376538366135663135333333333564
|
||||
64366262353837363061653663616265393264373230346330636465336439623063636639356136
|
||||
65383638643961326661396336373163643832366561363764626461623662333436373136616437
|
||||
30316537653432356133616338353165633462643634323563306366343965326635363863316232
|
||||
61633135643861333635383464383937306236626632366235363433313335663431366531356337
|
||||
37303465323638383930336138356665343966336137356137656564303733373565366162343330
|
||||
38326366653733376138356339313564616165626235356363343430353239616339656239323964
|
||||
31643734653263653461333135386261646265323134633334376262323330396634643764323635
|
||||
30336262323035613338333166353364333836623865393132613338393237363734616330366463
|
||||
64646163303337323531636532383438356237306337656439663565643032633462316366663164
|
||||
33613039326337353531303831313136653539353261373930613030383134653261363833653439
|
||||
31343662623035393238646263633066653362323434306137633339393330376462356139333362
|
||||
35363436356530363134663064653031376561343732346262383333353733363136396262643135
|
||||
31326566303535343833326562376464643632363434323839366366626134303830323563633237
|
||||
37313964353033316163303738636632346137353437333463303135323631383132623133663130
|
||||
32373163393861366137303138363134653534613236636439623731393837306130626638343134
|
||||
39313532386338343662333134353761653162663665396664366239633536613132313735373334
|
||||
37613161383633653861376433633632333163653439633938386137313632396137616337373465
|
||||
65383238396439666537313833663364333731613434333739393161363437306665363834653761
|
||||
34303464386633633163353636643964393233383232623765373239376633393139326630653765
|
||||
62646439646534376234323661383063656463313437323231333165626163626262626562376338
|
||||
62646362346261313738323830613037663035666361386139666432613230346334323063326239
|
||||
65303065343061613736343663363630336333623439383032313137616131623933323636306331
|
||||
34636130626338303039356137353532346562363531623936316162336663306437386532363236
|
||||
36333661316161613237343032623764396435346632363963643438316430666539393566353939
|
||||
33333234313839636537366465356364303438313830663261373563346538626432313139303030
|
||||
33333066626463663663643833323764643737386162663766356665643064313263376434353038
|
||||
37643630643737663566653562353261333734636262626437393239383063613661643166626630
|
||||
31313564346239396561326162333534376264616435313762623032636432363832383630343964
|
||||
30343663643935633465393465626131633931623930653962303830333065363435383237653566
|
||||
65646632376330306437663334313932653230653562356338663366616463303466366263366137
|
||||
64633934626339633235386630396561376130373763313137386531356637633863393035306634
|
||||
65353432323235363135633832373032623837376333346131303162303464616234313062316563
|
||||
64646634633963663032613533636665333335656539323238623362306363313835626632306236
|
||||
30663637356463363530316434316639326639633539333335633330333834643035353932313638
|
||||
64356565653065666131373538356462306633343161376537323762313666373235353236313963
|
||||
65613561633266306632616538616461626532666435663038646138386430376164663766363138
|
||||
35316262393065653739323035666531333330326235386133383834383865356635666537333533
|
||||
31376138353231313262646334386566376264323066373934666363313431643738383064666437
|
||||
36656437313039656666373530346534393735353163646635663839326366643333393665626464
|
||||
36616637303631653661373433653865323634363065303433386534363064356564636465366265
|
||||
31333064383233636538393032376234663663353162343530376631356533653231303730396465
|
||||
33366162376464633633313664303939306330613865663431653037303061633130626635653638
|
||||
66626264363333376463386666313663333964333137333231303361616533393236373861656534
|
||||
32326335306566623332396638383133353434363565316432353963353062313662326361336537
|
||||
34396632656234333263663831326566353434316234613365316132363730643665373761666562
|
||||
31393565653663653731633333633730326265376135666162656132623238333765333363653130
|
||||
61353632313532616266363139336162336565356365316531336364623930636430353831623233
|
||||
61616131313438306633333066613764313161333934316139633738623164623564646365663566
|
||||
66356464376133363137313036623930373362306166623838373131313330393837396261656561
|
||||
66396233313530643164353264656563383632363139333262626532376562613630643437666266
|
||||
66656335656634613138316138643666623430363833663035616138336461303035633731636262
|
||||
36393939333765346239666433323032323361343934656463396365333366623337316663396263
|
||||
36616431626633663963636135643833666234613830366434636532373031343263316436306162
|
||||
39356365376561643665323866656465313434623138326238353662653735613565623264333336
|
||||
61393763363862613766653064636130323732663466366133666361636339356464313037353462
|
||||
63633936653235656538383433393065393162643034393538666433616131343462346235393164
|
||||
39353663373338626665663563663162633430343330373430376336326432346233663365376533
|
||||
32656465343538643137326366653232343530363834383831386634366262303333636261353863
|
||||
32633437343432653936643766363338636535613532323362656435613363393238626466303861
|
||||
38633861333638613466306338613932353964393365356637306261626535323732316362623731
|
||||
33313963623439613939333639346461663338373334396165636231666266613065323731373964
|
||||
64313133383435333935376531313432663766633133633863356563663535333263636237386136
|
||||
61653963633166383135333436646465383536373039383538326366636634313061613730653962
|
||||
37623962643866396637336231363038373465393637356463656566666661313130313863383233
|
||||
37343636346535363832626365396262303862393535336565393635663637323730373564336634
|
||||
37363036323733306535336366373630356531353737303165376530656433626634343365626239
|
||||
64346136363030663862313431653761666432393933366665346361626361623039326434633835
|
||||
32666538653037613361343536383634643762356234366433663639653461303933306434333864
|
||||
37386436393465323139306161333738383265323436376536656264356230303163326134323864
|
||||
63396331666431666464656161633466333764653631623131646566303366333030653834333335
|
||||
31323365353239366232643863386365633861376235643034303563613363663661616564363663
|
||||
63326562613365653539383336383339646164623864323830653434623365393432666466323134
|
||||
33626330373361393734656632393232363866613863373135636537613934343065306265623964
|
||||
34643765636165393336356630353663343065333431656164363638646233663762346536343362
|
||||
65653364343537383336373933313464663464653465383830363631316336303464313731356230
|
||||
34336130323766386465373162346535396565346630353734303937396130656132376331326563
|
||||
36386339383338346533646331666262396432336434646333653664326635386238333763626637
|
||||
31363464306465666339316436323265623437636533643431363161323139653065323534636533
|
||||
64386334353439373133313937343234373963353331646233346432646430636530663336316134
|
||||
66303337313034396232643531643262343036313762633165353665653938313665386363353865
|
||||
66333166303636626565613136653365313763303263313239333033353638616566656134396131
|
||||
38356434343931303134303362313363343634613361353538636634336332373132356165326163
|
||||
30386130326239366532363962316435663862393836326439623862366166376234343439306465
|
||||
36346639623939353232366333643963646336383833386565643435393734653936313638663930
|
||||
32323065343737663564333961373034393261613862333431663562353964666561643831316432
|
||||
35313832356639333937333266306166656538643065386639346337306134613536356137316331
|
||||
38376434666332366531393639303561663934353130333161636530383932653236313530616531
|
||||
61656664626663373164343863333039356362343034326131376666623264663732303734366363
|
||||
30306430353732616131346637626332656434393163313661356465393263393235396662623962
|
||||
62643538623331646265643561623366383937313136383939366164613235666234663137653432
|
||||
34316138643139336331356663333632656539653632626136613431393736613630353237356164
|
||||
33623632643335663163656236633134343464353837346237316162346634633336663564656531
|
||||
39373730346130363963376463326238366235613539613466653139306237343164336462353236
|
||||
39323361636333353661633863663162633563343937366461346338363061623730633537626562
|
||||
30353938383664333861366431343033313961376436363065373430353736343563313531386663
|
||||
37313534303564333237616331396437376436383833373936376664666366373235613533663239
|
||||
64653863613531356666646233393533646131333961343730663461346235633961306263343831
|
||||
64386332653330323937643266373437633465363933653833343930616134626566363339366362
|
||||
36356163333730656233653431326430326566386264343330666131393166323537623137396237
|
||||
65386234653231666631366533383762643830333261363532666138386263643662633932626335
|
||||
66303363613035643931393933303035323566373634663037313338616132373162366334373962
|
||||
33666463613435396331326565353433336361303562326562663035313639333232333430373266
|
||||
65383235356132353838636565636436356361653831356430663935613766613237366564316566
|
||||
37396130393363386566306162346466326165353863636633306335383265306139396339383866
|
||||
34326335323962633032386162623033353036643437313832323166363764653339343638343964
|
||||
66626662326234306362656162336538353131366337643761643930306163333661653062663832
|
||||
61303963623433313565633235306132366663336662616232613339366363373934613631623431
|
||||
34323736383366333032343364373533363761323338346163323836653235653136646162306166
|
||||
65333734623663346233343961396566313838653036396430396134393839326535363237363638
|
||||
38333232333863396334366561303136333863356666656335633630616531363766343535616533
|
||||
35656166303837653365303436623431613931336331356531666665346562613263363666626238
|
||||
62626236323863383366643162356462306163653032626130333863656337623136646439316337
|
||||
33306432663134383038646133346131333732633932383239643733643138303434646565663266
|
||||
34616265383733343963323538656138656331396438616133393063356638633965323363653066
|
||||
65353837333363613762333839313631373137363064383830353565333832356162323862393030
|
||||
35373038613133643466636537626437393837633865363566343565626633376262373766613738
|
||||
39343334336238363131373762646564653839623531323066356430326263376534373664363331
|
||||
64373735383933303638303661333964333464306338613363326261623438336530636262373766
|
||||
35346339643939666162386232666236326131366366303432393838326239313730323431376231
|
||||
39363032616666393431326533643865643937363937356431623763363037373333653266376561
|
||||
63323462363063343234373534663063353865363037383932386231313338343239653131633561
|
||||
34623439396232633265616438623562666333303932396366663330326565363736633461333463
|
||||
66346537323061306662323062393061353565393165363532306439343262343632616465363364
|
||||
30376331346430313536313963333136663833323064633631653935326366633862336163316538
|
||||
33383434336666303434363236396662366664393637656462363331356631613332353766636663
|
||||
62323264336235306532343065323834313730353237616463373766303439663533336366363565
|
||||
35646461636263646633343634323735383235376330616334373937646165623639363663353361
|
||||
65613034353736633332663333616564356265323731613537393430633137333337643663323137
|
||||
31623732663331653935316337306433333633353565343265666333363864346562363961333439
|
||||
30656136636661396335623566386362333861616663393738626632633537613564636261383138
|
||||
3233
|
||||
65623030336636323834313162306633623333666663633162356162313233393137646365363161
|
||||
3334363038323835666431626538383433626162373330360a656162303733653437633637663535
|
||||
62626630663332373761656137633165666531303137303565313236663564623061643631373333
|
||||
3164306333653734350a333333653630616462386637613432623039303931393661393563306137
|
||||
37326564333837306230326637626131666232646564383130623137613939633163313532653836
|
||||
62393766623065376135343062346362623466336234633239343530366432313336653863346534
|
||||
34346563666638643136316236626561396534316332623730633936646631623866383631633763
|
||||
32306236316334626632393736643135306333363135333566353062653866313161653763646336
|
||||
34636465663639396335353562343936333263616363653535303934646361656135383938626134
|
||||
34376335303564623436643735363262346334316465366435373435343338373666383635393666
|
||||
36643032613636643138373432393739626230326437386366386132636535313137313765616464
|
||||
31623461373166613237356362663939323633653565623830303334353834363561373832623163
|
||||
35316137633630633736383265333666636436326433653134313038626132633537316162376539
|
||||
37323338333235333836326161396236666661636464373163333934376662636639356432366565
|
||||
63363266633266643332663934356564323466646666656530336662353336346333366639613130
|
||||
33633039343666633536616237386265313863323537353466363432303632323265656265323166
|
||||
33313135333932363934386432663863383836333862333162333935313562626430353663636335
|
||||
34653231343964376531306366313264363930613432343864396130653666636332366239636236
|
||||
33343431353737323534396235613931666262626430303637626236393134386136366164306138
|
||||
64396238363030616465303634366339353731363461383432353434373735336363656266316336
|
||||
66313064653233653965646630313632336536643530363562613039313439366437353663363265
|
||||
30386238363562326263303164366436653334316164646633356666366631653636303835303738
|
||||
39366163613434623861376138363134616662343231306536396531366433313963383234373764
|
||||
64326664343736663264626432643664326563383633353364383963353733343864373766666534
|
||||
34393638613864333265313732333632373565303537316463623337326363383539336566646664
|
||||
66363764323261323330346338336133346136623431616333373235313565643164613432613861
|
||||
61346137356133343063636562336633646537373666323763626430633439323632326635383562
|
||||
36373461623931613162663466333065336237656265366437663035663831616363383066623731
|
||||
62326462313238373631386362393737323731643865623763333833316637323533656562663536
|
||||
30326465323164356436326463386137336439326231623534326164323530303239363161643762
|
||||
61313261333265366631656631326366313464336264626163653363333565353137313863646631
|
||||
62636534346534336136643164383766323631353837326561616436633139653531356533303432
|
||||
32616434653237376664353134363464613231366136323330646439623132306464623138393162
|
||||
34613931633736633532346634303535366430323164313764653832336464303337626634313861
|
||||
37333863316666353935363663613531643039613534393539343762363732383362333639356435
|
||||
61303663363438383733636663346362373033383130636431386636616366666537393937396633
|
||||
33653836343865326433316233306661653831613239376561393834653032633462306238373730
|
||||
61336266333364616533633433383663363564373334313934633132626238303036326339313932
|
||||
37323435663537376563343336666262343065316436346663623432333064326136316630633763
|
||||
65343538313163346539346336643237663431623861653433616639333130643162366539633238
|
||||
61306335346366363935373438353765333238323037343033626132323730326437656163353765
|
||||
39343863363366343764613533346537363661353234646364663037623030306334653264386630
|
||||
36653030316134656236373336616435363337643637623539633865333963363137363433383338
|
||||
62636330626631393438326365396331656361646263343863326635393666383638636337343339
|
||||
64313462623564326462636131313163353036393938393634376436306163663863653462663431
|
||||
66363334353039303266333430316239646533653337383164303837396130333366353465643965
|
||||
35383939633336386537626662316263383331336565643237396334643737313232306464363638
|
||||
34393131656232323865333739666639346335646336376666643065353538653530323338356639
|
||||
64623965326161386430323337326433343334363435316237626666363161353362383361326438
|
||||
35336431653033333261396632393966653463366637636539663165356532616331633837343435
|
||||
66356536313037623139613966356139363737656437356238636433366635313137623639366230
|
||||
36373837383462623966343535383434633932656133326565353063343530363066343365323462
|
||||
32333666373263353063346535343639623230613733363832323636313830636234326436613438
|
||||
30363765356637626134353763663938376134653539336436336336303834633533616664376535
|
||||
32613061363262303839313062666261363032363364366662333364653532373163653434366261
|
||||
39336233313232393331303732333735346434656436353466313932656239306631383237626565
|
||||
63313166326538663732363438393263643533636536333665663038383739383334366136646564
|
||||
33383936393463323235623038393138386164656164623439393734656336343835313135393165
|
||||
37616232633036383237643730313061323563643163633662393334353133343730656630643762
|
||||
39333937303931666161613037313837343836643330356538343264633761343432373161393061
|
||||
63393933383238356235613663343362656466353330383333393636386438306161623434343836
|
||||
35313030383235663461306539663666393234306332306536653862616138656135393131343462
|
||||
61633735303134326639663061643935373533336430306538363365623063663536376234356363
|
||||
65653432636430333330303131633263386265386662656131353833393138643732356336376335
|
||||
31393438393734336465396633306565343139626135386432343061623232363337326664366632
|
||||
36613434616662373431613238326464396437363935646437306665313936323732396165633266
|
||||
33343166333665373937656338333930343338373061633639393463316538373630626561333761
|
||||
63323336643133323962613435303134613230343033666336646132303462323037383139656166
|
||||
31323038653738666463323164366662363138663833393637313437633861353462663935616632
|
||||
65653939353435653337353966373135333036653061333438353136616434643563393465323735
|
||||
65373230373036353466356338343835363035653031363864316232613232323365353932313061
|
||||
62626432303334646365616330626261633066306661303537353264653235643632386466336236
|
||||
30316261666461616337363562323865636234356638653661336261373761383365386639303638
|
||||
38663763313931323266373162303136323433656466393330646462643438336236613530363636
|
||||
35353763373463376531323536613563643865346334646164326561663962393034643438326437
|
||||
30306437343331346233383036656663613038623137363962626462613762653262633035623539
|
||||
31613932313237343263373333313434386562623465663365306433333635366339616333393430
|
||||
63626466333934336130313038626136626466323563323630373965303435626664633138333838
|
||||
37643538353138303332653435343139383265363933646134636236656131643932353932303135
|
||||
65353438656431613335653838656462333731316665303063623464316462633961656464313933
|
||||
36366161623661393865346162383966323531396432646432383663326231373162373462633539
|
||||
31303138626662326637376536303532393636326530366362336437633639306436366531313636
|
||||
31613332656466343832316632313161336135663661333739646136313137386634633066316535
|
||||
66613334303139353463613866323431613037333239353839623165356233653361613063646335
|
||||
33386263616164303631653162633330633136666635376635623437656263306466623462366563
|
||||
61636334616134376230343265623336373863303463623833663761333039333335626665613661
|
||||
62626133316338303333613863373663623166323438656566653936616532343065383232323437
|
||||
38353731643561663461336561313637656563333230353963366632396637333033303365626562
|
||||
65373463653735313732353165643530336232396562653030623037303463326565643465363764
|
||||
38316663356535373432656563336538633765393031663339666638366138346564366162303436
|
||||
66363164633432326632306561643662663265666465373537383335303432616138613939366133
|
||||
39396430386437353163323935366265306339326563343530366161333330376535313737396537
|
||||
39353330323938326662303863323738626535643465656438376339643437653639666133633663
|
||||
39303464326237653933616238663839313730343731383132613062613736376232646366346365
|
||||
37653136393335396338346536393865316134343365623338623761303661343637336332316535
|
||||
31633133356263336534643230383034383164396630343131396533313864333963316433366130
|
||||
38653461303736343861333161343832363934386230393662616463386534336264626363386562
|
||||
62633832316664323032353835663266653534393733343166303763333434323633616233656131
|
||||
37333266356337656532386336373563353634656265313061363063356637353366636236653333
|
||||
31643535373762353663613035316464323033303438623635336637636265363363393961396435
|
||||
33646438366139323230623235666630663863633961393036376463386538313633626163323365
|
||||
36633266646330623463336434363934376438326465303938316432643035373236626437663766
|
||||
36303737386132383261663764386333343532626334633961373666376232633739663164323132
|
||||
61323230316266333837363537316165376261363738363762373231356533666332376333663239
|
||||
30646161666434363236633432616163323530643766363533653733346436303461643235343038
|
||||
65663738633032643334303737666565666137616437613662363062636664326235663737613863
|
||||
37653164653437356136623563653238366236613964663337336132326232653762643363623664
|
||||
66656166346230643930653232323234653266393730323735636164303230623766393630393262
|
||||
63333661396231323430343462656339653466363562303830643233636164303162376631383733
|
||||
38346231623835333762656135663366616566313963323732663037323338326231613465343462
|
||||
65616432626432333538396336353965353636636339336239653536613865643265353939656333
|
||||
66663933343664366163323730336337356634656436326661336636313363663165336161396333
|
||||
31626163303863653332613733663666383234303164346564646531366261323262636263353036
|
||||
64666135336264343636396466396564303665623965346163373337376331396233396561613765
|
||||
32636331376665396132313839653232306535613737653936366438323962333235336530396338
|
||||
63633737633630646164376361363631623862643363363066376364653965313837373462393832
|
||||
66336138366132626536323766393832386261396436336537316661383633613065393032636530
|
||||
63323866643266666637363633616535613032653930663734636663363865336565663864356234
|
||||
34626262663363376436346463393164646534386135303065623462623861353133656437323861
|
||||
33623938366635343930633264303530323164396661393338303163386539353938373237633436
|
||||
35663762353762313935313832383338663430363865343537663530613761303239356563363533
|
||||
37306162663831663464316464303136396539343030303631613964313165396531303665653761
|
||||
61383061653364383962663138356366373039366139613536633936633739343133376337613038
|
||||
62393730636433613037383665303430663666363663646564343935313063386135323963623965
|
||||
35643734656336623961363432363362393132613432303239393761353136636265613334373634
|
||||
34396335663037383661663832373937653639633531653064303732656332643962643866306337
|
||||
34303232623963623562613162623562366539393464663966366464643639343432663338616331
|
||||
30323461396138663334396265313134646263613033353833656465633537356261366261393261
|
||||
39303764633636376438656435633737366464343630653735313630386539623462653133396161
|
||||
36353235343635386636646361623465323135323239613161346563343263646235326232353863
|
||||
62646434333866653830316166656439643464393337306132376433633439376131366664383464
|
||||
36393635343265333530653166306263383236656136313136376436393531653334323564663236
|
||||
30653235343233636334626330363031373433396565663439333033623062313261643632306164
|
||||
66616338633261356136313334313365356234316262313439623563383330356233363438313833
|
||||
63313131316461333438363939626636346463366665393433653036663931643537613162393561
|
||||
34626662303462343239313265653838313634323230656130373163313863313162383736363835
|
||||
39663337353638613836636263373136623266373732373665353164376534623732313532306366
|
||||
31353930343062653532386237616433373437663239636230386133393766376238353064656366
|
||||
61666637646433333366313661353438313337643861333932313662636462346463643664356165
|
||||
62373338313237353936636138666539643166626631646163653262343365326637626133353361
|
||||
33663961373334376137393036383833356361383539653362343866386438633366353439323832
|
||||
38663461313431636562613435303237363163323936323530393966663361326365623564633865
|
||||
66356433626637376238653865303236646433316164666366303131336331616562323865643566
|
||||
36643664363363323566353730303339666262663434393863376234656136643865653135383861
|
||||
61396366383939656130616661396263396331666137666662323932303032623162396633346335
|
||||
65326362353933663437356235656530343833313136313662643236626661653332613539393638
|
||||
62656232326238313333623263333366366533313335336330643666383033333038336164316135
|
||||
61346335633139303163326433353633616562363866396234636138386638356235343035363436
|
||||
35633737336262383264383065343234373534663564316133643738306638393539353136356630
|
||||
63613238663066666336626262343933346433393438356565646565613566386566336138386661
|
||||
30373162333837656131653238393533646663323730626538316437363865626335626635666437
|
||||
34366663636366303438373032343235333634666637666336313061663239316663613861646133
|
||||
30383639666362346634303437383035306661623735643139643062653836366631336261643137
|
||||
36393135633338646238653763613935366566363032343730313666656539353866643564336661
|
||||
61643261393134303362303666393465643933363962653734646664643033386263346566316332
|
||||
36633166356665666161616530356439653832323064633662656138356435386434336431396664
|
||||
34373737643936316133343364353165653130376434646639633866336536373534396235633035
|
||||
33333734343835323565323863316364613132656665356639623364376538613539626137353564
|
||||
66343833653435383465376332363533326661373333303435303562396366616231306463396562
|
||||
65353966613832386235646539643033653335376131333333646237393431363163643630353135
|
||||
35666264626564623732346565613662303938643034326130646332663530383136333865386266
|
||||
31313633613739633865363736646138353937306438646532363033383539613534666437663961
|
||||
61313632613433353437306233626463373335366564653661643038373338303937316366316332
|
||||
64386132326633306336653134333038316639363538653735383266366239663861333830656438
|
||||
34393734363665656337626461376234306632623937353863333531313231616365316431303732
|
||||
32323436663736396439396361663965653632333066373764353561303030666134383836393537
|
||||
65323038373363316537323533646566396431326634336564306562636232316563613734366339
|
||||
37326465623137303436346430333263373437656632373039303338626130333834663564633535
|
||||
39353865376134383637633866356536393766376132396666656235396363656635633630656165
|
||||
38303439626438623166326331373036386263393331366266356539333533323864613932643335
|
||||
36303537636131386231613062383163346664643261323263393264343862386562313931616261
|
||||
34666533613831343764663630623139616634636531393861306337636239346131323437396337
|
||||
61633064663938613135666334396330363463636166653966653333326235343563633834666634
|
||||
38353937646265363964626661343565306331646363303038666264613833653962663237353538
|
||||
64393465363061653837343131373566336139643632323461323635343535313164383766343233
|
||||
61393136636536366433333766303263663839383064323430366666646163663663316138663532
|
||||
66363061626363396561353435386266653832313430633337346234333430393338353632383335
|
||||
64323765636634303632663135306533366232333665383333383936653033373332333331656261
|
||||
37326164666235323538633963616562633938626131346266366531333133333832393966326637
|
||||
62376661383562633834353631393933626237316431366237613634356666343031623566666330
|
||||
61623137336433383139633233356263643237393966613366326632303865353866643332316662
|
||||
35343239643933313031656534336165666161393566636435663039653438643832636232386566
|
||||
34326266353631333731636433333639316638643162653234346365353762353333316138303861
|
||||
36353932656264336165363532313366636536386661663934363761653362623362346431336530
|
||||
63663064656539343361383963663366626566306431353238633832353335383535
|
||||
|
|
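--- /dev/null
+++ b/group_vars/certbot.yml
@@ -0,0 +1,8 @@
+---
+glob_certbot:
+  - dns_rfc2136_server: '10.128.0.30'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+    mail: tech.aurore@lists.crans.org
+    certname: auro.re
+    domains: "*.auro.re"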
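Review bot: `dns_rfc2136_secret` is correctly taken from the vault, but nothing records what the TSIG key behind it is allowed to do; a key that can update the whole auro.re zone is a far larger asset than one that can only touch the challenge records, and the file is the natural place to say which it is. I would add above `glob_certbot:` a comment such as `# RFC2136 TSIG key: scope it server-side (update-policy) to the _acme-challenge names only`, so whoever provisions the next key (the adm.auro.re one used by the proxy host, for instance) keeps the same scope. Note too that `domains: "*.auro.re"` does not cover the apex `auro.re`; hosts serving the bare domain need their own entry, as the reverse-proxy host file in this commit does with `"auro.re, *.auro.re"`.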
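--- /dev/null
+++ b/group_vars/nginx.yml
@@ -0,0 +1,32 @@
+---
+glob_nginx:
+  contact: tech.aurore@lists.crans.org
+  who: "L'équipe technique d'Aurore"
+  service_name: service
+  ssl:
+    # Add adm.auro.re if necessary
+    - name: auro.re
+      cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+      cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+      trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+  servers:
+    - ssl: false # Replace by auro.re or adm.auro.re
+      default: true
+      server_name:
+        - "default"
+        - "_"
+      root: "/var/www/html"
+      locations:
+        - filter: "/"
+          params: []
+      additional_params: []
+      upstreams: []
+
+  auth_passwd: []
+  default_server:
+  default_ssl_server:
+  default_ssl_domain: auro.re
+  real_ip_from:
+    - "10.128.0.0/16"
+    - "2a09:6840:128::/64"
+  deploy_robots_file: false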
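Review bot: `default_server:` and `default_ssl_server:` are left bare, which YAML loads as `null`, while the portail host sets them to `'$server_addr'`; if the service template interpolates them directly, a null renders as the literal string `None` in the generated nginx config. Give them an explicit value (`default_server: ""` if "nothing" is the intent) and a comment stating what the template does with them. `auth_passwd: []` declares a list, but the passwd template in this commit iterates it with `.items()`, so the default that matches the consumer is `auth_passwd: {}`.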
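--- /dev/null
+++ b/group_vars/reverseproxy.yml
@@ -0,0 +1,11 @@
+loc_nginx:
+  servers: []
+
+glob_reverseproxy:
+  redirect_dnames:
+    - aurores.net
+    - fede-aurore.net
+
+  reverseproxy_sites: []
+
+  redirect_sites: []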
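Review bot: `loc_nginx` is a host-level name by the convention the other files follow (`glob_*` in group_vars, `loc_*` in host_vars), and because host_vars take precedence over group_vars, any host that defines its own `loc_nginx` replaces this one wholesale rather than merging with it. A comment above it, `# fallback for proxies that define no loc_nginx of their own; host_vars override the whole mapping`, would make that intent explicit. The file also lacks the `---` document start that every sibling group_vars file in this commit carries.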
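--- /dev/null
+++ b/host_vars/bdd-ovh.adm.auro.re.yml
@@ -0,0 +1,50 @@
+---
+postgresql:
+  version: 13
+
+postgresql_hosts:
+  - database: etherpad
+    user: etherpad
+    net: 10.128.0.150/32
+    method: md5
+  - database: codimd
+    user: codimd
+    net: 10.128.0.150/32
+    method: md5
+  - database: synapse
+    user: synapse
+    net: 10.128.0.56/32
+    method: md5
+  - database: kanboard
+    user: kanboard
+    net: 10.128.0.150/32
+    method: md5
+
+postgresql_databases:
+  - synapse
+  - codimd
+  - etherpad
+  - kanboard
+
+postgresql_users:
+  - name: synapse
+    database: synapse
+    password: "{{ postgresql_synapse_passwd }}"
+    privs:
+      - ALL
+  - name: codimd
+    database: codimd
+    password: "{{ postgresql_codimd_passwd }}"
+    privs:
+      - ALL
+  - name: etherpad
+    database: etherpad
+    password: "{{ postgresql_etherpad_passwd }}"
+    privs:
+      - ALL
+  - name: kanboard
+    database: kanboard
+    password: "{{ postgresql_kanboard_passwd }}"
+    privs:
+      - ALL
+...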
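Review bot: Every `method: md5` entry in `postgresql_hosts` selects MD5 password authentication, which PostgreSQL 13 (the `version` set here) keeps only for compatibility; `scram-sha-256` is the supported alternative and the server default for `password_encryption` from PostgreSQL 14 on. Moving means `method: scram-sha-256` on each entry, `password_encryption = scram-sha-256` on the server before the `postgresql_users` passwords are (re)set, and checking that each client library (synapse, codimd, etherpad, kanboard) supports SCRAM. If md5 is kept deliberately for one of those clients, a comment on the first entry saying which one would keep the next reviewer from asking again; the `/32` masks on `net:` are good and should stay that tight.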
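--- /dev/null
+++ b/host_vars/bdd.adm.auro.re
@@ -0,0 +1,8 @@
+postgresql:
+  version: 11
+  hosts: # dbname, username, CIDR ip addr, auth method
+    - [ "nextcloud", "nextcloud", "10.128.0.58", "md5" ]
+    - [ "gitea", "gitea", "10.128.0.60", "md5" ]
+    - [ "drone", "drone", "10.128.0.64", "md5" ]
+    - [ "wikijs", "wikijs", "10.128.0.66", "md5" ]
+    - [ "vote", "vote", "10.128.0.81", "md5" ]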
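Review bot: This file describes the pg_hba entries as positional flow lists under `postgresql.hosts` (`[db, user, ip, method]`) while the new `bdd-ovh` host file uses top-level `postgresql_hosts` with named keys; unless the postgresql role reads both shapes, one of the two hosts ends up with no client entries at all. I would use the named form here too, e.g. `- database: nextcloud` / `user: nextcloud` / `net: 10.128.0.58/32` / `method: md5`, which also adds the `/32` mask the comment promises ("CIDR ip addr") but the values lack, and which pg_hba needs unless the template appends it. The filename has no `.yml` suffix, unlike every sibling; Ansible still loads it, but the yamllint/ansible-lint run configured in this commit probably does not.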
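--- /dev/null
+++ b/host_vars/portail.adm.auro.re.yml
@@ -0,0 +1,105 @@
+---
+loc_nginx:
+  service_name: captive_portal
+  default_server: '$server_addr'
+  default_ssl_server: '$server_addr'
+
+  servers:
+    - server_name:
+        - "10.13.0.247"
+      locations:
+        - filter: "/"
+          params:
+            - "return 302 https://portail-fleming.auro.re/portail/"
+
+    - ssl: auro.re
+      server_name:
+        - portail-fleming.auro.re
+      locations:
+        - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+          params:
+            - "proxy_pass http://10.128.0.20"
+            - "include /etc/nginx/snippets/options-proxypass.conf"
+        - filter: "/"
+          params:
+            - "return 302 https://portail-fleming.auro.re/portail/"
+
+    - ssl: auro.re
+      server_name:
+        - 10.23.0.247
+      locations:
+        - filter: "/"
+          params:
+            - "return 302 https://portail-pacaterie.auro.re/portail/"
+
+    - ssl: auro.re
+      server_name:
+        - portail-pacaterie.auro.re
+      locations:
+        - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+          params:
+            - "proxy_pass http://10.128.0.20"
+            - "include /etc/nginx/snippets/options-proxypass.conf"
+        - filter: "/"
+          params:
+            - "return 302 https://portail-pacaterie.auro.re/portail/"
+
+    - ssl: auro.re
+      server_name:
+        - "10.33.0.247"
+      locations:
+        - filter: "/"
+          params:
+            - "return 302 https://portail-rives.auro.re/portail/"
+
+    - ssl: auro.re
+      server_name:
+        - portail-rives.auro.re
+      locations:
+        - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+          params:
+            - "proxy_pass http://10.128.0.20"
+            - "include /etc/nginx/snippets/options-proxypass.conf"
+        - filter: "/"
+          params:
+            - "return 302 https://portail-rives.auro.re/portail/"
+
+    - ssl: auro.re
+      server_name:
+        - "10.43.0.247"
+      locations:
+        - filter: "/"
+          params:
+            - "return 302 https://portail-edc.auro.re/portail/"
+
+    - ssl: auro.re
+      server_name:
+        - portail-edc.auro.re
+      locations:
+        - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+          params:
+            - "proxy_pass http://10.128.0.20"
+            - "include /etc/nginx/snippets/options-proxypass.conf"
+        - filter: "/"
+          params:
+            - "return 302 https://portail-edc.auro.re/portail/"
+
+    - ssl: auro.re
+      server_name:
+        - "10.53.0.247"
+      locations:
+        - filter: "/"
+          params:
+            - "return 302 https://portail-gs.auro.re/portail/"
+
+    - ssl: auro.re
+      server_name:
+        - portail-gs.auro.re
+      locations:
+        - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+          params:
+            - "proxy_pass http://10.128.0.20"
+            - "include /etc/nginx/snippets/options-proxypass.conf"
+        - filter: "/"
+          params:
+            - "return 302 https://portail-gs.auro.re/portail/"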
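Review bot: The location regex `~ /(potail|cotisations/comnpay|...)` on the portail-fleming server (and identically for pacaterie, rives, edc and gs) matches `/potail`, not `/portail`, so a request for `/portail/` falls through to the `/` location, which answers `return 302 .../portail/` once more — a redirect loop to the very path the proxy is meant to serve, unless the backend really exposes `/potail`. If that is a typo the fix is one character on each filter line: `- filter: "~ /(portail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"`. The regex is also unanchored, so `logout` or `media` anywhere in a URI selects the proxied branch; `~ ^/(...)` pins it to the path start.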
@ -1,39 +1,13 @@
|
|||
---
|
||||
certbot:
|
||||
domains:
|
||||
- auro.re
|
||||
- chat.auro.re # cname to riot.auro.re
|
||||
- codimd.auro.re
|
||||
- element.auro.re # cname to riot.auro.re
|
||||
- ehterpad.auro.re # cname to pad.auro.re
|
||||
- grafana.auro.re
|
||||
- hedgedoc.auro.re # cname to codimd.auro.re
|
||||
- pad.auro.re
|
||||
- passbolt.auro.re
|
||||
- paste.auro.re # cname to privatebin.auro.re
|
||||
- phabricator.auro.re
|
||||
- privatebin.auro.re
|
||||
- riot.auro.re
|
||||
- sharelatex.auro.re
|
||||
- status.auro.re
|
||||
- wiki.auro.re
|
||||
- www.auro.re
|
||||
- zero.auro.re # cname to privatebin.auro.re
|
||||
mail: tech.aurore@lists.crans.org
|
||||
certname: auro.re
|
||||
|
||||
nginx:
|
||||
ssl:
|
||||
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
|
||||
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
|
||||
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
|
||||
|
||||
redirect_dnames:
|
||||
- aurores.net
|
||||
- fede-aurore.net
|
||||
|
||||
redirect_tcp: {}
|
||||
loc_certbot:
|
||||
- dns_rfc2136_server: '10.128.0.30'
|
||||
dns_rfc2136_name: certbot_challenge.
|
||||
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
|
||||
mail: tech.aurore@lists.crans.org
|
||||
certname: auro.re
|
||||
domains: "auro.re, *.auro.re"
|
||||
|
||||
loc_reverseproxy:
|
||||
redirect_sites:
|
||||
- from: www.auro.re
|
||||
to: auro.re
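Review bot: `loc_certbot` re-declares the `certname: auro.re` entry that `group_vars/certbot.yml` already provides in `glob_certbot`, here with the wider `domains: "auro.re, *.auro.re"`. How the role's `certbot` list is assembled from the two is outside this chunk; if it is a concatenation, certbot runs twice for the same cert-name on this host with different SAN sets and the second run replaces the first certificate on every play, and if host lists replace group lists a comment above `loc_certbot:` saying so would make it explicit. The same question applies to the second `loc_certbot` entry (`certname: auro.re`, `domains: "*.auro.re"`) in the next file's `@ -1,31 +1,31 @@` hunk, which is byte-for-byte the group entry.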
|
||||
|
|
|
@ -1,31 +1,31 @@
|
|||
---
|
||||
certbot:
|
||||
domains:
|
||||
- bbb.auro.re
|
||||
- drone.auro.re
|
||||
- gitea.auro.re
|
||||
- intranet.auro.re
|
||||
- litl.auro.re
|
||||
- nextcloud.auro.re
|
||||
- re2o.auro.re
|
||||
- vote.auro.re
|
||||
- re2o-server.auro.re
|
||||
- re2o-test.auro.re
|
||||
- wikijs.auro.re
|
||||
loc_certbot:
|
||||
- dns_rfc2136_server: '10.128.0.30'
|
||||
dns_rfc2136_name: certbot_adm_challenge.
|
||||
dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
|
||||
mail: tech.aurore@lists.crans.org
|
||||
certname: adm.auro.re
|
||||
domains: "*.adm.auro.re"
|
||||
- dns_rfc2136_server: '10.128.0.30'
|
||||
dns_rfc2136_name: certbot_challenge.
|
||||
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
|
||||
mail: tech.aurore@lists.crans.org
|
||||
certname: auro.re
|
||||
domains: "*.auro.re"
|
||||
|
||||
mail: tech.aurore@lists.crans.org
|
||||
certname: auro.re
|
||||
|
||||
nginx:
|
||||
loc_nginx:
|
||||
servers: []
|
||||
ssl:
|
||||
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
|
||||
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
|
||||
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
|
||||
|
||||
redirect_dnames:
|
||||
- aurores.net
|
||||
- fede-aurore.net
|
||||
- name: adm.auro.re
|
||||
cert: /etc/letsencrypt/live/adm.auro.re/fullchain.pem
|
||||
cert_key: /etc/letsencrypt/live/adm.auro.re/privkey.pem
|
||||
trusted_cert: /etc/letsencrypt/live/adm.auro.re/chain.pem
|
||||
- name: auro.re
|
||||
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
|
||||
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
|
||||
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
|
||||
|
||||
loc_reverseproxy:
|
||||
redirect_tcp:
|
||||
- name: Gitea
|
||||
port: 2222
|
||||
|
@ -33,7 +33,7 @@ nginx:
|
|||
|
||||
redirect_sites:
|
||||
- from: 45.66.111.61
|
||||
to: auro.re
|
||||
to: intranet.auro.re
|
||||
|
||||
reverseproxy_sites:
|
||||
- from: re2o.auro.re
|
||||
|
@ -49,6 +49,9 @@ nginx:
|
|||
|
||||
- from: gitea.auro.re
|
||||
to: "10.128.0.60:3000"
|
||||
- from: git.adm.auro.re
|
||||
to: "10.128.0.60:3000"
|
||||
ssl: adm.auro.re
|
||||
|
||||
- from: drone.auro.re
|
||||
to: "10.128.0.64:8000"
|
||||
|
|
44
hosts
44
hosts
|
@ -29,13 +29,19 @@ stream.adm.auro.re
|
|||
re2o-server.adm.auro.re
|
||||
re2o-ldap.adm.auro.re
|
||||
re2o-db.adm.auro.re
|
||||
pendragon.adm.auro.re
|
||||
services-bdd-local.adm.auro.re
|
||||
#services-bdd-local.adm.auro.re
|
||||
backup.adm.auro.re
|
||||
services-web.adm.auro.re
|
||||
mail.adm.auro.re
|
||||
wikijs.adm.auro.re
|
||||
prometheus-aurore.adm.auro.re
|
||||
portail.adm.auro.re
|
||||
jitsi-aurore.adm.auro.re
|
||||
bdd.adm.auro.re
|
||||
bdd-ovh.adm.auro.re
|
||||
|
||||
[aurore_testing_vm]
|
||||
pendragon.adm.auro.re
|
||||
|
||||
###############################################################################
|
||||
# OVH
|
||||
|
@ -45,7 +51,7 @@ horus.adm.auro.re
|
|||
|
||||
[ovh_container]
|
||||
synapse.adm.auro.re
|
||||
services-bdd.adm.auro.re
|
||||
#services-bdd.adm.auro.re
|
||||
phabricator.adm.auro.re
|
||||
wiki.adm.auro.re
|
||||
www.adm.auro.re
|
||||
|
@ -59,6 +65,8 @@ vpn-ovh.adm.auro.re
|
|||
docker-ovh.adm.auro.re
|
||||
switchs-manager.adm.auro.re
|
||||
ldap-replica-ovh.adm.auro.re
|
||||
prometheus-ovh.adm.auro.re
|
||||
prometheus-federate.adm.auro.re
|
||||
|
||||
[ovh_testing_vm]
|
||||
#re2o-test.adm.auro.re
|
||||
|
@ -263,6 +271,7 @@ ep-1-3.borne.auro.re
|
|||
ep-1-2.borne.auro.re
|
||||
ep-0-1.borne.auro.re
|
||||
eo-2-1.borne.auro.re
|
||||
ee-2-1.borne.auro.re
|
||||
|
||||
###############################################################################
|
||||
# George Sand
|
||||
|
@ -337,6 +346,7 @@ gf-5-1.borne.auro.re
|
|||
# Les Rives
|
||||
[rives_pve]
|
||||
thor.adm.auro.re
|
||||
loki.adm.auro.re
|
||||
|
||||
[rives_vm]
|
||||
dhcp-rives-backup.adm.auro.re
|
||||
|
@ -345,6 +355,7 @@ dns-rives-backup.adm.auro.re
|
|||
radius-rives-backup.adm.auro.re
|
||||
routeur-rives-backup.adm.auro.re
|
||||
ldap-replica-rives.adm.auro.re
|
||||
prometheus-rives.adm.auro.re
|
||||
|
||||
[rives_unifi]
|
||||
r3-4-4.borne.auro.re
|
||||
|
@ -396,29 +407,31 @@ ovh_vm
|
|||
[fleming:children]
|
||||
fleming_pve
|
||||
fleming_vm
|
||||
#fleming_unifi
|
||||
fleming_unifi
|
||||
|
||||
# everything at pacaterie
|
||||
[pacaterie:children]
|
||||
pacaterie_pve
|
||||
pacaterie_vm
|
||||
#pacaterie_unifi
|
||||
pacaterie_unifi
|
||||
|
||||
# everything at edc
|
||||
[edc:children]
|
||||
edc_pve
|
||||
edc_vm
|
||||
edc_unifi
|
||||
|
||||
# everything at georgesand
|
||||
[gs:children]
|
||||
gs_pve
|
||||
gs_vm
|
||||
gs_unifi
|
||||
|
||||
# everything at Les Rives
|
||||
[rives:children]
|
||||
rives_pve
|
||||
rives_vm
|
||||
|
||||
rives_unifi
|
||||
|
||||
###############################################################################
|
||||
# Groups by type
|
||||
|
@ -482,3 +495,22 @@ ldap-replica-ovh.adm.auro.re
|
|||
[ldap_replica_rives]
|
||||
ldap-replica-rives.adm.auro.re
|
||||
|
||||
[certbot]
|
||||
portail.adm.auro.re
|
||||
|
||||
[certbot:children]
|
||||
reverseproxy
|
||||
|
||||
[nginx]
|
||||
portail.adm.auro.re
|
||||
|
||||
[nginx:children]
|
||||
reverseproxy
|
||||
|
||||
[reverseproxy]
|
||||
proxy-ovh.adm.auro.re
|
||||
proxy.adm.auro.re
|
||||
|
||||
[bdd]
|
||||
bdd.adm.auro.re
|
||||
bdd-ovh.adm.auro.re
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#!/usr/bin/env ansible-playbook
|
||||
---
|
||||
- hosts: prometheus-fleming.adm.auro.re,prometheus-fleming-fo.adm.auro.re
|
||||
- hosts: prometheus-fleming.adm.auro.re
|
||||
vars:
|
||||
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
|
||||
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
||||
|
@ -14,7 +14,7 @@
|
|||
roles:
|
||||
- prometheus
|
||||
|
||||
- hosts: prometheus-pacaterie.adm.auro.re,prometheus-pacaterie-fo.adm.auro.re
|
||||
- hosts: prometheus-pacaterie.adm.auro.re
|
||||
vars:
|
||||
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
|
||||
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
||||
|
@ -25,6 +25,8 @@
|
|||
{{ groups['pacaterie_pve'] + groups['pacaterie_vm'] | list | sort }}
|
||||
prometheus_unifi_snmp_targets:
|
||||
- targets: "{{ groups['pacaterie_unifi'] | list | sort }}"
|
||||
prometheus_ups_snmp_targets:
|
||||
- ups-pn-1.ups.auro.re
|
||||
roles:
|
||||
- prometheus
|
||||
|
||||
|
@ -34,6 +36,9 @@
|
|||
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
||||
|
||||
# Prometheus targets.json
|
||||
prometheus_ups_snmp_targets:
|
||||
- ups-ec-1.ups.auro.re
|
||||
|
||||
prometheus_targets:
|
||||
- targets: |
|
||||
{{ groups['edc_pve'] + groups['edc_vm'] | list | sort }}
|
||||
|
@ -53,10 +58,78 @@
|
|||
{{ groups['gs_pve'] + groups['gs_vm'] | list | sort }}
|
||||
prometheus_unifi_snmp_targets:
|
||||
- targets: "{{ groups['gs_unifi'] | list | sort }}"
|
||||
prometheus_ups_snmp_targets:
|
||||
- ups-gk-1.ups.auro.re
|
||||
roles:
|
||||
- prometheus
|
||||
|
||||
- hosts: prometheus-rives.adm.auro.re
|
||||
vars:
|
||||
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
|
||||
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
||||
|
||||
# Prometheus targets.json
|
||||
prometheus_ups_snmp_targets:
|
||||
- ups-r3-1.ups.auro.re
|
||||
|
||||
prometheus_targets:
|
||||
- targets: |
|
||||
{{ groups['rives_pve'] + groups['rives_vm'] | list | sort }}
|
||||
prometheus_unifi_snmp_targets:
|
||||
- targets: "{{ groups['rives_unifi'] | list | sort }}"
|
||||
roles:
|
||||
- prometheus
|
||||
|
||||
- hosts: prometheus-aurore.adm.auro.re
|
||||
vars:
|
||||
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
|
||||
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
||||
snmp_switch_community: "{{ vault_snmp_switch_community }}"
|
||||
|
||||
# Prometheus targets.json
|
||||
prometheus_targets:
|
||||
- targets: |
|
||||
{{ groups['aurore_pve'] + groups['aurore_vm'] | list | sort }}
|
||||
prometheus_switch_snmp_targets:
|
||||
- targets:
|
||||
- yggdrasil.switch.auro.re
|
||||
roles:
|
||||
- prometheus
|
||||
|
||||
- hosts: prometheus-ovh.adm.auro.re
|
||||
vars:
|
||||
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
|
||||
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
||||
|
||||
# Prometheus targets.json
|
||||
prometheus_targets:
|
||||
- targets: |
|
||||
{{ groups['ovh_pve'] + groups['ovh_vm'] | list | sort }}
|
||||
prometheus_docker_targets:
|
||||
- docker-ovh.adm.auro.re:8087
|
||||
roles:
|
||||
- prometheus
|
||||
|
||||
|
||||
- hosts: prometheus-federate.adm.auro.re
|
||||
vars:
|
||||
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
|
||||
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
||||
|
||||
# Prometheus targets.json
|
||||
prometheus_targets:
|
||||
- prometheus-edc.adm.auro.re
|
||||
- prometheus-gs.adm.auro.re
|
||||
- prometheus-fleming.adm.auro.re
|
||||
- prometheus-pacaterie.adm.auro.re
|
||||
- prometheus-rives.adm.auro.re
|
||||
- prometheus-aurore.adm.auro.re
|
||||
- prometheus-ovh.adm.auro.re
|
||||
roles:
|
||||
- prometheus_federate
|
||||
|
||||
|
||||
# Monitor all hosts
|
||||
- hosts: all,!unifi,!ovh
|
||||
- hosts: all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,!aurore_testing_vm,!ovh_container
|
||||
roles:
|
||||
- prometheus_node
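Review bot: In the new rives block, `{{ groups['rives_pve'] + groups['rives_vm'] | list | sort }}` applies `| list | sort` only to `groups['rives_vm']`, because a Jinja filter binds tighter than `+`; the combined target list is therefore not sorted and the generated targets file changes with inventory order. Write `{{ (groups['rives_pve'] + groups['rives_vm']) | list | sort }}` — the same shape appears in the aurore, ovh and the pre-existing site blocks of this file. The replacement host pattern `all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,!aurore_testing_vm,!ovh_container` has to be extended by hand for every new site, or that site's access points silently get `prometheus_node` pushed to them; an aggregating `[unifi:children]` group in the inventory (the old pattern excluded `unifi`, so such a group existed) keeps the exclusion in one place.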
|
||||
|
|
|
@ -43,7 +43,7 @@
|
|||
# username: service-user
|
||||
# password: "{{ vault_serviceuser_passwd }}"
|
||||
# roles:
|
||||
# - re2o-service
|
||||
# - re2o_service
|
||||
|
||||
|
||||
# Deploy Unifi Controller
|
||||
|
@ -62,4 +62,4 @@
|
|||
# username: service-user
|
||||
# password: "{{ vault_serviceuser_passwd }}"
|
||||
# roles:
|
||||
# - re2o-service
|
||||
# - re2o_service
|
||||
|
|
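--- /dev/null
+++ b/roles/baseconfig/tasks/apt-unattended.yml
@@ -0,0 +1,21 @@
+---
+- name: Install unattended-upgrades
+  when: ansible_os_family == "Debian"
+  apt:
+    name: unattended-upgrades
+    state: present
+    update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure unattended-upgrades
+  template:
+    src: "apt/{{ item }}.j2"
+    dest: "/etc/apt/apt.conf.d/{{ item }}"
+    owner: root
+    mode: u=rw,g=r,o=r
+  loop:
+    - 50unattended-upgrades
+    - 20auto-upgrades
+...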
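Review bot: Only `Install unattended-upgrades` is guarded by `when: ansible_os_family == "Debian"`; `Configure unattended-upgrades` is unconditional and would create `/etc/apt/apt.conf.d/` files on any non-Debian host the role reaches. Add the same `when: ansible_os_family == "Debian"` line to the second task, or drop it from both and state in a comment that the inventory is Debian-only. `owner: root` without `group: root` leaves the group to whatever the connecting account has on first creation; add `group: root` as the nginx role's tasks do.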
@ -9,8 +9,6 @@
|
|||
- aptitude # nice to have for Ansible
|
||||
- bash-completion # because bash
|
||||
- curl # better than wget
|
||||
- emacs-nox # for maman
|
||||
- fish # to motivate @edpibu
|
||||
- git # code versioning
|
||||
- htop # better than top
|
||||
- iotop # monitor i/o
|
||||
|
@ -18,14 +16,14 @@
|
|||
- lsb-release
|
||||
- molly-guard # prevent reboot
|
||||
- nano # for vulcain
|
||||
- net-tools
|
||||
- ntp # network time sync
|
||||
- oidentd # postgresql identification
|
||||
- screen # Vulcain asked for this
|
||||
- sudo
|
||||
- tmux # For shirenn
|
||||
- tree # create a graphical tree of files
|
||||
- vim # better than nano
|
||||
- zsh # to be able to ssh @erdnaxe
|
||||
- dnsutils # dig
|
||||
update_cache: true
|
||||
register: apt_result
|
||||
retries: 3
|
||||
|
@ -74,6 +72,9 @@
|
|||
# APT-List Changes : send email with changelog
|
||||
- include_tasks: apt-listchanges.yml
|
||||
|
||||
# APT Unattended upgrades
|
||||
- include_tasks: apt-unattended.yml
|
||||
|
||||
# User skeleton
|
||||
- name: Configure user skeleton
|
||||
copy:
|
||||
|
|
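--- /dev/null
+++ b/roles/baseconfig/templates/apt/20auto-upgrades.j2
@@ -0,0 +1,4 @@
+// {{ ansible_managed }}
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";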
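--- /dev/null
+++ b/roles/baseconfig/templates/apt/50unattended-upgrades.j2
@@ -0,0 +1,22 @@
+// {{ ansible_managed }}
+
+Unattended-Upgrade::Origins-Pattern {
+    "origin=Debian,codename=${distro_codename},label=Debian-Security";
+};
+
+Unattended-Upgrade::Package-Blacklist {};
+
+Unattended-Upgrade::MinimalSteps "true";
+Unattended-Upgrade::InstallOnShutdown "false";
+
+Unattended-Upgrade::Mail "{{ monitoring_mail }}";
+// Unattended-Upgrade::MailOnlyOnError "false";
+
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "false";
+Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+Unattended-Upgrade::Automatic-Reboot "false";
+
+Unattended-Upgrade::SyslogEnable "true";
+Unattended-Upgrade::SyslogFacility "daemon";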
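Review bot: `Unattended-Upgrade::Mail "{{ monitoring_mail }}"` references a variable that none of the files in this commit define; if it is not set in group_vars/all (outside this chunk) the template task fails on every host. Either give it a fallback, `Unattended-Upgrade::Mail "{{ monitoring_mail | default('root') }}";`, or add a `// monitoring_mail comes from group_vars/all` comment pointing at where it lives. With `Automatic-Reboot "false"` and `Remove-Unused-Kernel-Packages "false"`, security kernel updates accumulate in /boot until someone reboots and purges old kernels by hand — a defensible policy, but a one-line comment would mark it as deliberate rather than an oversight.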
@ -1,8 +0,0 @@
|
|||
---
|
||||
- name: Reload nginx
|
||||
service:
|
||||
name: nginx
|
||||
state: reloaded
|
||||
|
||||
- name: Generate certificates
|
||||
command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
|
|
@ -1,13 +1,28 @@
|
|||
---
|
||||
- name: Install certbot and nginx plugin
|
||||
- name: Install certbot and RFC2136 plugin
|
||||
apt:
|
||||
update_cache: true
|
||||
name:
|
||||
- certbot
|
||||
- python3-certbot-nginx
|
||||
register: pkg_result
|
||||
- python3-certbot-dns-rfc2136
|
||||
state: present
|
||||
register: apt_result
|
||||
retries: 3
|
||||
until: pkg_result is succeeded
|
||||
until: apt_result is succeeded
|
||||
|
||||
- name: Add DNS credentials
|
||||
template:
|
||||
src: letsencrypt/rfc2136.ini.j2
|
||||
dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
|
||||
mode: 0600
|
||||
owner: root
|
||||
loop: "{{ certbot }}"
|
||||
|
||||
- name: Add dhparam
|
||||
template:
|
||||
src: "letsencrypt/dhparam.j2"
|
||||
dest: "/etc/letsencrypt/dhparam"
|
||||
mode: 0600
|
||||
|
||||
- name: Create /etc/letsencrypt/conf.d
|
||||
file:
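Review bot: `Add dhparam` renders `letsencrypt/dhparam.j2`, but the only `dhparam.j2` this commit adds lives under `roles/nginx/templates/letsencrypt/`; a relative template path in a certbot-role task resolves against `roles/certbot/templates`, so unless a copy exists there outside this diff the task fails with a missing template. Either move the file under `roles/certbot/templates/letsencrypt/` or deploy it from the nginx role, which is the consumer of `/etc/letsencrypt/dhparam`. The file contains no Jinja, so `copy:` with `src: letsencrypt/dhparam` would do and avoids running a PEM blob through the template engine; give it `owner: root` and `group: root` as the rfc2136 task above does.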
|
||||
|
@ -18,8 +33,19 @@
|
|||
- name: Add Certbot configuration
|
||||
template:
|
||||
src: "letsencrypt/conf.d/certname.ini.j2"
|
||||
dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
|
||||
dest: "/etc/letsencrypt/conf.d/{{ item.certname }}.ini"
|
||||
mode: 0644
|
||||
notify:
|
||||
- Generate certificates
|
||||
- Reload nginx
|
||||
loop: "{{ certbot }}"
|
||||
|
||||
- name: Run certbot
|
||||
command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
|
||||
loop: "{{ certbot }}"
|
||||
|
||||
- name: Clean old files
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
loop:
|
||||
- "/etc/letsencrypt/options-ssl-nginx.conf"
|
||||
- "/etc/letsencrypt/ssl-dhparams.pem"
|
||||
- "/etc/letsencrypt/rfc2136.ini"
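Review bot: `Run certbot` executes `certbot ... certonly` for every item on every play with no `changed_when`, `creates` or registered result, so each run reports a change and, with the handlers file deleted in this commit, nothing distinguishes a real issuance from a no-op. Register the output and derive the change state from it: `register: certbot_result` / `changed_when: "'not yet due for renewal' not in certbot_result.stdout"`, with a comment that routine renewal is left to the package's systemd timer. Dropping the `Generate certificates` / `Reload nginx` notifications also means a freshly issued certificate is not loaded by nginx until something else reloads it; a `notify: Reload nginx` on this task closes that gap where the nginx role's handlers are in scope on the same host.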
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# {{ ansible_managed }}
|
||||
{{ ansible_managed | comment(decoration='# ') }}
|
||||
|
||||
# Pour appliquer cette conf et générer la conf de renewal :
|
||||
# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
|
||||
# To generate the certificate, please use the following command
|
||||
# certbot --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
|
||||
|
||||
# Use a 4096 bit RSA key instead of 2048
|
||||
rsa-key-size = 4096
|
||||
|
@ -10,14 +10,19 @@ rsa-key-size = 4096
|
|||
# server = https://acme-staging.api.letsencrypt.org/directory
|
||||
|
||||
# Uncomment and update to register with the specified e-mail address
|
||||
email = {{ certbot.mail }}
|
||||
email = {{ item.mail }}
|
||||
|
||||
# Uncomment to use a text interface instead of ncurses
|
||||
text = True
|
||||
|
||||
# Use nginx challenge
|
||||
authenticator = nginx
|
||||
# Yes I want to sell my soul and my guinea pig.
|
||||
agree-tos = True
|
||||
|
||||
# Use DNS-01 challenge
|
||||
authenticator = dns-rfc2136
|
||||
dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini
|
||||
dns-rfc2136-propagation-seconds = 30
|
||||
|
||||
# Wildcard the domain
|
||||
cert-name = {{ certbot.certname }}
|
||||
domains = {{ ", ".join(certbot.domains) }}
|
||||
cert-name = {{ item.certname }}
|
||||
domains = {{ item.domains }}
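Review bot: `domains = {{ item.domains }}` now inserts a free-form string where the old template joined a list, so the `domains:` key in each certbot entry has to be a single comma-separated string (as the host and group files in this commit do) and a list would render as a Python repr. A line above it, `# domains: comma-separated string, e.g. "auro.re, *.auro.re"`, documents the contract at the point where it is consumed. The whole template also depends on the loop variable being named `item`; if the loop ever sets `loop_var`, or the template is rendered from another task, every `{{ item.* }}` here breaks, which is worth a note at the top of the file.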
|
||||
|
|
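--- /dev/null
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@@ -0,0 +1,7 @@
+{{ ansible_managed | comment(decoration='# ') }}
+
+dns_rfc2136_server = {{ item.dns_rfc2136_server }}
+dns_rfc2136_port = 53
+dns_rfc2136_name = {{ item.dns_rfc2136_name }}
+dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
+dns_rfc2136_algorithm = HMAC-SHA512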
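Review bot: `dns_rfc2136_algorithm = HMAC-SHA512` and `dns_rfc2136_port = 53` are fixed while the server, key name and secret come from the item, so a key generated with a different algorithm fails the TSIG check with nothing in the vars to explain why. `dns_rfc2136_algorithm = {{ item.dns_rfc2136_algorithm | default('HMAC-SHA512') }}` keeps today's value and lets one host override it. The secret is written here in clear, so the `mode: 0600` / `owner: root` the task sets is the only thing protecting it; a `# contains the TSIG secret: the deploying task must keep this file 0600 root` line at the top records that dependency.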
@ -1,6 +1,6 @@
|
|||
---
|
||||
- name: force run dhcp re2o-service
|
||||
shell: /var/local/re2o-services/dhcp/main.py --force
|
||||
command: /var/local/re2o-services/dhcp/main.py --force
|
||||
become_user: re2o-services
|
||||
|
||||
- name: restart dhcpd
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
- name: Install dhcp (re2o-service)
|
||||
import_role:
|
||||
name: re2o-service
|
||||
name: re2o_service
|
||||
vars:
|
||||
service_repo: https://gitlab.federez.net/re2o/dhcp.git
|
||||
service_name: dhcp
|
||||
|
@ -18,7 +18,7 @@
|
|||
owner: re2o-services
|
||||
group: nogroup
|
||||
recurse: true
|
||||
mode: 755
|
||||
mode: 0755
|
||||
|
||||
- name: Install isc-dhcp-server
|
||||
apt:
|
||||
|
|
|
@ -21,4 +21,4 @@
|
|||
user: root
|
||||
key: "{{ ssh_pub_keys }}"
|
||||
state: present
|
||||
# exclusive: True
|
||||
exclusive: true
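Review bot: Uncommenting `exclusive: true` makes the next run delete every key in root's `authorized_keys` that is not in `ssh_pub_keys`, including anything added by hand for break-glass access; that is the right end state for least privilege, but it is a lockout hazard on any host where the variable is incomplete. Add a comment above it such as `# exclusive: any root key not listed in ssh_pub_keys is removed on every run`, and run the play once with `--check --diff` before applying. The enclosing task starts outside this hunk.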
|
||||
|
|
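--- /dev/null
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,146 @@
+---
+- name: Install NGINX
+  apt:
+    update_cache: true
+    name: nginx
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Copy proxypass snippets
+  template:
+    src: "nginx/snippets/options-proxypass.conf.j2"
+    dest: "/etc/nginx/snippets/options-proxypass.conf"
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Copy SSL snippets
+  template:
+    src: "nginx/snippets/options-ssl.conf.j2"
+    dest: "/etc/nginx/snippets/options-ssl.{{ item.name }}.conf"
+    owner: root
+    group: root
+    mode: 0644
+  loop: "{{ nginx.ssl }}"
+
+- name: Disable default site
+  file:
+    dest: "/etc/nginx/sites-enabled/default"
+    state: absent
+
+- name: Copy reverse proxy sites
+  when: reverseproxy is defined
+  template:
+    src: "nginx/sites-available/{{ item }}.j2"
+    dest: "/etc/nginx/sites-available/{{ item }}"
+    owner: root
+    group: root
+    mode: 0644
+  loop:
+    - reverseproxy
+    - reverseproxy_redirect_dname
+    - redirect
+  notify: Reload nginx
+
+- name: Activate reverse proxy sites
+  when: reverseproxy is defined
+  file:
+    src: "/etc/nginx/sites-available/{{ item }}"
+    dest: "/etc/nginx/sites-enabled/{{ item }}"
+    owner: root
+    group: root
+    state: link
+  loop:
+    - reverseproxy
+    - reverseproxy_redirect_dname
+    - redirect
+  notify: Reload nginx
+  ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Copy forward modules
+  when: reverseproxy.redirect_tcp is defined and reverseproxy.redirect_tcp|length > 0
+  template:
+    src: "nginx/modules-available/60-forward.conf.j2"
+    dest: "/etc/nginx/modules-available/60-forward.conf"
+    mode: 0644
+  notify: Reload nginx
+
+- name: Activate modules
+  when: reverseproxy.redirect_tcp is defined and reverseproxy.redirect_tcp|length > 0
+  file:
+    src: "/etc/nginx/modules-available/60-forward.conf"
+    dest: "/etc/nginx/modules-enabled/60-forward.conf"
+    state: link
+    mode: 0644
+  notify: Reload nginx
+  ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Copy service nginx configuration
+  when: nginx.servers is defined and nginx.servers|length > 0
+  template:
+    src: "nginx/sites-available/service.j2"
+    dest: "/etc/nginx/sites-available/{{ nginx.service_name }}"
+    owner: root
+    group: root
+    mode: 0644
+  notify: Reload nginx
+
+- name: Activate local nginx service site
+  when: nginx.servers is defined and nginx.servers|length > 0
+  file:
+    src: "/etc/nginx/sites-available/{{ nginx.service_name }}"
+    dest: "/etc/nginx/sites-enabled/{{ nginx.service_name }}"
+    owner: root
+    group: root
+    state: link
+  notify: Reload nginx
+  ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Copy 50x error page
+  template:
+    src: www/html/50x.html.j2
+    dest: /var/www/html/50x.html
+    owner: www-data
+    group: www-data
+    mode: 0644
+
+- name: Copy robots.txt file
+  when: nginx.deploy_robots_file
+  template:
+    src: www/html/robots.txt.j2
+    dest: /var/www/html/robots.txt
+    owner: www-data
+    group: www-data
+    mode: 0644
+
+- name: Install passwords
+  when: nginx.auth_passwd|length > 0
+  template:
+    src: nginx/passwd.j2
+    dest: /etc/nginx/passwd
+    mode: 0644
+
+- name: Copy 401 error page
+  when: nginx.auth_passwd|length > 0
+  template:
+    src: www/html/401.html.j2
+    dest: /var/www/html/401.html
+    owner: www-data
+    group: www-data
+    mode: 0644
+
+- name: Indicate role in motd
+  template:
+    src: update-motd.d/05-service.j2
+    dest: /etc/update-motd.d/05-nginx
+    mode: 0755
+
+- name: Clean old files
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "/etc/nginx/snippets/options-ssl.conf"
+    - "/var/www/custom_401.html"
+    - "/var/www/robots.txt"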
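Review bot: `Install passwords` writes `/etc/nginx/passwd` with `mode: 0644`, which makes the basic-auth password hashes readable by every local account on the proxy; the nginx workers run as www-data, so `owner: root`, `group: www-data`, `mode: 0640` on that task is sufficient and closes the exposure. The `when: nginx.auth_passwd|length > 0` guard works for a list or a mapping, but the template it renders calls `.items()`, so the role's documented default for `auth_passwd` should be `{}` rather than the `[]` that group_vars declares; a comment on the task stating `# auth_passwd is a mapping user -> htpasswd hash` would pin that. The error pages and snippets are otherwise deployed root-owned and 0644, which is the right shape for them.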
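--- /dev/null
+++ b/roles/nginx/templates/letsencrypt/dhparam.j2
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----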
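Review bot: The PEM body looks, by eye, like the RFC 7919 `ffdhe2048` group, which is a sound published choice, but nothing in the repository says so and a reader cannot tell a standard group from a locally generated or truncated one. Since a PEM file has no comment syntax, put the provenance on the task that deploys it (`# RFC 7919 ffdhe2048 group; verify against the RFC before replacing`). The file contains no Jinja, so it belongs under `files/` and `copy:` rather than `templates/`, which also keeps the template engine from ever touching key material.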
@ -1,6 +1,6 @@
|
|||
# {{ ansible_managed }}
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
{% for site in nginx.redirect_tcp %}
|
||||
{% for site in reverseproxy.redirect_tcp %}
|
||||
# Forward port {{ site.port }} to {{ site.name }}
|
||||
stream {
|
||||
server {
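Review bot: `stream {` sits inside `{% for site in reverseproxy.redirect_tcp %}`, so a second `redirect_tcp` entry produces a second top-level `stream` block and nginx rejects the configuration as a duplicate directive; the proxy host in this commit has exactly one entry (Gitea, 2222), which is why it has not triggered. Move `stream {` above the `for` and its closing brace after the `endfor`, leaving one `server {}` per entry. The loop's closing part is in the next hunk of this file.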
|
||||
|
@ -12,3 +12,4 @@ stream {
|
|||
}
|
||||
|
||||
{% endfor %}
|
||||
|
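--- /dev/null
+++ b/roles/nginx/templates/nginx/passwd.j2
@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+{% for user, hash in nginx.auth_passwd.items() -%}
+{{ user }}:{{ hash }}
+{% endfor -%}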
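Review bot: The template emits `{{ user }}:{{ hash }}` verbatim, so `nginx.auth_passwd` values must already be htpasswd-format hashes (as produced by `htpasswd` or `openssl passwd -apr1`); a plaintext value placed there is written out as-is into a file that is, per the task, world-readable. A header line, `{# values are htpasswd hashes, never plaintext; keep the mapping in the vault #}`, states the contract where the value is consumed. `.items()` also requires `auth_passwd` to be a mapping, whereas group_vars/nginx.yml in this commit declares it as the empty list `[]`.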
@ -1,6 +1,6 @@
|
|||
# {{ ansible_managed }}
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
{% for site in nginx.redirect_sites %}
|
||||
{% for site in reverseproxy.redirect_sites %}
|
||||
# Redirect http://{{ site.from }} to http://{{ site.to }}
|
||||
server {
|
||||
listen 80;
|
||||
|
@ -8,6 +8,11 @@ server {
|
|||
|
||||
server_name {{ site.from }};
|
||||
|
||||
{% for realip in nginx.real_ip_from %}
|
||||
set_real_ip_from {{ realip }};
|
||||
{% endfor %}
|
||||
real_ip_header P-Real-Ip;
|
||||
|
||||
location / {
|
||||
return 302 http://{{ site.to }}$request_uri;
|
||||
}
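Review bot: `real_ip_header P-Real-Ip;` names a non-standard header; the conventional one is `X-Real-IP`, and whatever sits in front of this proxy inside the trusted `real_ip_from` ranges must send exactly `P-Real-Ip` or the client address is never recovered and access logs and any rate limits see the upstream proxy instead. If the name is deliberate, a comment on this first occurrence, `# P-Real-Ip is set by the upstream proxy; do not rename`, stops someone correcting it later; if not, change it to `X-Real-IP` here. The same trust block is repeated in the three later hunks of this template and in reverseproxy.j2; a single snippet under /etc/nginx/snippets included from each server would keep the trusted ranges and header name in step.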
|
||||
|
@ -21,7 +26,12 @@ server {
|
|||
server_name {{ site.from }};
|
||||
|
||||
# SSL common conf
|
||||
include "/etc/nginx/snippets/options-ssl.conf";
|
||||
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
|
||||
|
||||
{% for realip in nginx.real_ip_from %}
|
||||
set_real_ip_from {{ realip }};
|
||||
{% endfor %}
|
||||
real_ip_header P-Real-Ip;
|
||||
|
||||
location / {
|
||||
return 302 https://{{ site.to }}$request_uri;
|
||||
|
@ -31,8 +41,8 @@ server {
|
|||
{% endfor %}
|
||||
|
||||
{# Also redirect for DNAMEs #}
|
||||
{% for dname in nginx.redirect_dnames %}
|
||||
{% for site in nginx.redirect_sites %}
|
||||
{% for dname in reverseproxy.redirect_dnames %}
|
||||
{% for site in reverseproxy.redirect_sites %}
|
||||
{% set from = site.from | regex_replace('crans.org', dname) %}
|
||||
{% if from != site.from %}
|
||||
# Redirect http://{{ from }} to http://{{ site.to }}
|
||||
|
@ -42,6 +52,11 @@ server {
|
|||
|
||||
server_name {{ from }};
|
||||
|
||||
{% for realip in nginx.real_ip_from %}
|
||||
set_real_ip_from {{ realip }};
|
||||
{% endfor %}
|
||||
real_ip_header P-Real-Ip;
|
||||
|
||||
location / {
|
||||
return 302 http://{{ site.to }}$request_uri;
|
||||
}
|
||||
|
@ -55,7 +70,12 @@ server {
|
|||
server_name {{ from }};
|
||||
|
||||
# SSL common conf
|
||||
include "/etc/nginx/snippets/options-ssl.conf";
|
||||
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
|
||||
|
||||
{% for realip in nginx.real_ip_from %}
|
||||
set_real_ip_from {{ realip }};
|
||||
{% endfor %}
|
||||
real_ip_header P-Real-Ip;
|
||||
|
||||
location / {
|
||||
return 302 https://{{ site.to }}$request_uri;
|
|
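Review bot: The `{% for realip in nginx.real_ip_from %}` … `real_ip_header P-Real-Ip;` block added at @ -8, @ -21, @ -42 and @ -55 in this file is the same four lines each time, and the two following template sections and service.j2 repeat it in every server block as well. The role already installs snippets under `/etc/nginx/snippets/`, so rendering the block once as an `options-realip.conf` snippet and writing `include "/etc/nginx/snippets/options-realip.conf";` in each server keeps the list of trusted proxies in one place, where a change cannot be missed in one vhost. The unchanged context line `{% set from = site.from | regex_replace('crans.org', dname) %}` next to the renamed loops still matches `crans.org`, whereas the sibling dname template matches `auro.re`; worth confirming that difference is intended. The header of this file section is not shown in this excerpt, so I refer to it by its hunks.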
@ -1,4 +1,4 @@
|
|||
# {{ ansible_managed }}
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
# Automatic Connection header for WebSocket support
|
||||
# See http://nginx.org/en/docs/http/websocket.html
|
||||
|
@ -7,7 +7,7 @@ map $http_upgrade $connection_upgrade {
|
|||
'' close;
|
||||
}
|
||||
|
||||
{% for site in nginx.reverseproxy_sites %}
|
||||
{% for site in reverseproxy.reverseproxy_sites %}
|
||||
# Redirect http://{{ site.from }} to https://{{ site.from }}
|
||||
server {
|
||||
listen 80;
|
||||
|
@ -15,6 +15,11 @@ server {
|
|||
|
||||
server_name {{ site.from }};
|
||||
|
||||
{% for realip in nginx.real_ip_from %}
|
||||
set_real_ip_from {{ realip }};
|
||||
{% endfor %}
|
||||
real_ip_header P-Real-Ip;
|
||||
|
||||
location / {
|
||||
return 302 https://$host$request_uri;
|
||||
}
|
||||
|
@ -28,7 +33,7 @@ server {
|
|||
server_name {{ site.from }};
|
||||
|
||||
# SSL common conf
|
||||
include "/etc/nginx/snippets/options-ssl.conf";
|
||||
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
|
||||
|
||||
# Log into separate log files
|
||||
access_log /var/log/nginx/{{ site.from }}.log;
|
||||
|
@ -43,8 +48,9 @@ server {
|
|||
root /var/www/html;
|
||||
}
|
||||
|
||||
set_real_ip_from 10.231.136.0/24;
|
||||
set_real_ip_from 2a0c:700:0:2::/64;
|
||||
{% for realip in nginx.real_ip_from %}
|
||||
set_real_ip_from {{ realip }};
|
||||
{% endfor %}
|
||||
real_ip_header P-Real-Ip;
|
||||
|
||||
location / {
|
|
@ -1,7 +1,7 @@
|
|||
# {{ ansible_managed }}
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
{% for dname in nginx.redirect_dnames %}
|
||||
{% for site in nginx.reverseproxy_sites %}
|
||||
{% for dname in reverseproxy.redirect_dnames %}
|
||||
{% for site in reverseproxy.reverseproxy_sites %}
|
||||
{% set from = site.from | regex_replace('auro.re', dname) %}
|
||||
{% set to = site.from %}
|
||||
{% if from != site.from %}
|
||||
|
@ -12,6 +12,11 @@ server {
|
|||
|
||||
server_name {{ from }};
|
||||
|
||||
{% for realip in nginx.real_ip_from %}
|
||||
set_real_ip_from {{ realip }};
|
||||
{% endfor %}
|
||||
real_ip_header P-Real-Ip;
|
||||
|
||||
location / {
|
||||
return 302 http://{{ to }}$request_uri;
|
||||
}
|
||||
|
@ -25,7 +30,12 @@ server {
|
|||
server_name {{ from }};
|
||||
|
||||
# SSL common conf
|
||||
include "/etc/nginx/snippets/options-ssl.conf";
|
||||
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
|
||||
|
||||
{% for realip in nginx.real_ip_from %}
|
||||
set_real_ip_from {{ realip }};
|
||||
{% endfor %}
|
||||
real_ip_header P-Real-Ip;
|
||||
|
||||
location / {
|
||||
return 302 https://{{ to }}$request_uri;
|
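--- a/roles/nginx/templates/nginx/sites-available/service.j2
+++ b/roles/nginx/templates/nginx/sites-available/service.j2
@@ -0,0 +1,132 @@
+{{ ansible_managed | comment }}
+
+# Automatic Connection header for WebSocket support
+# See http://nginx.org/en/docs/http/websocket.html
+map $http_upgrade $connection_upgrade {
+default upgrade;
+'' close;
+}
+
+{% for upstream in nginx.upstreams -%}
+upstream {{ upstream.name }} {
+# Path of the server
+server {{ upstream.server }};
+}
+{% endfor -%}
+
+{% if nginx.default_ssl_server -%}
+# Redirect all services to the main site
+server {
+listen 443 default_server ssl;
+listen [::]:443 default_server ssl;
+include "/etc/nginx/snippets/options-ssl.{{ nginx.default_ssl_domain }}.conf";
+
+server_name _;
+charset utf-8;
+
+# Hide Nginx version
+server_tokens off;
+
+{% for realip in nginx.real_ip_from %}
+set_real_ip_from {{ realip }};
+{% endfor %}
+real_ip_header P-Real-Ip;
+
+location / {
+return 302 https://{{ nginx.default_ssl_server }}$request_uri;
+}
+}
+{% endif -%}
+
+{% if nginx.default_server -%}
+# Redirect all services to the main site
+server {
+listen 80 default_server;
+listen [::]:80 default_server;
+
+server_name _;
+charset utf-8;
+
+# Hide Nginx version
+server_tokens off;
+
+{% for realip in nginx.real_ip_from %}
+set_real_ip_from {{ realip }};
+{% endfor %}
+real_ip_header P-Real-Ip;
+
+location / {
+return 302 http://{{ nginx.default_server }}$request_uri;
+}
+}
+{% endif -%}
+
+{% for server in nginx.servers %}
+{% if server.ssl is defined and server.ssl -%}
+# Redirect HTTP to HTTPS
+server {
+listen 80{% if server.default is defined and server.default %} default_server{% endif %};
+listen [::]:80{% if server.default is defined and server.default %} default_server{% endif %};
+
+server_name {{ server.server_name|join(" ") }};
+charset utf-8;
+
+# Hide Nginx version
+server_tokens off;
+
+{% for realip in nginx.real_ip_from %}
+set_real_ip_from {{ realip }};
+{% endfor %}
+real_ip_header P-Real-Ip;
+
+location / {
+return 302 https://$host$request_uri;
+}
+}
+{% endif -%}
+
+server {
+{% if server.ssl is defined and server.ssl -%}
+listen 443{% if server.default is defined and server.default %} default_server{% endif %} ssl;
+listen [::]:443{% if server.default is defined and server.default %} default_server{% endif %} ssl;
+include "/etc/nginx/snippets/options-ssl.{{ server.ssl }}.conf";
+{% else -%}
+listen 80;
+listen [::]:80;
+{% endif -%}
+
+server_name {{ server.server_name|join(" ") }};
+charset utf-8;
+
+# Hide Nginx version
+server_tokens off;
+
+{% for realip in nginx.real_ip_from %}
+set_real_ip_from {{ realip }};
+{% endfor %}
+real_ip_header P-Real-Ip;
+
+{% if server.root is defined %}root {{ server.root }};{% endif %}
+{% if server.index is defined %}index {{ server.index|join(" ") }};{% endif %}
+
+{% if server.access_log is defined %}access_log {{ server.access_log }};{% endif %}
+{% if server.error_log is defined %}error_log {{ server.error_log }};{% endif %}
+
+{% if server.additional_params is defined %}
+{% for param in server.additional_params %}
+{{ param }};
+{% endfor %}
+{% endif %}
+
+{% if server.locations is defined %}
+{% for location in server.locations %}
+location {{ location.filter }} {
+{% for param in location.params %}
+{{ param }};
+{% endfor %}
+}
+
+{% endfor %}
+{% endif %}
+}
+{% endfor %}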
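Review bot: A server in `nginx.servers` with `default: true` emits `listen 443 ... default_server ssl` (and `listen 80 ... default_server` in its HTTP→HTTPS block), while `nginx.default_ssl_server` / `nginx.default_server` emit their own `default_server` on the same ports above, so enabling both yields two default servers for one address:port and nginx refuses the configuration. Either document the exclusivity in a Jinja comment before `{% for server in nginx.servers %}`, or derive the flag once, e.g. `{% set is_default = server.default is defined and server.default and not nginx.default_ssl_server %}` for the 443 listeners and the analogous test against `nginx.default_server` for port 80, and use it in the four `listen` lines. The redirect `return 302 https://$host$request_uri;` in a vhost that is `default_server` sends the client to whatever Host header it supplied, so a request carrying a foreign Host is redirected off-site; `return 302 https://{{ server.server_name[0] }}$request_uri;` pins the destination to the first configured name.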
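--- a/roles/nginx/templates/nginx/snippets/fastcgi.conf.j2
+++ b/roles/nginx/templates/nginx/snippets/fastcgi.conf.j2
@@ -0,0 +1,18 @@
+{{ ansible_managed | comment }}
+
+# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+fastcgi_split_path_info (^/[^/]*)(.*)$;
+
+# check that the PHP script exists before passing it
+try_files $fastcgi_script_name =404;
+
+# Bypass the fact that try_files resets $fastcgi_path_info
+# see: http://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;
+fastcgi_param PATH_INFO $path_info;
+
+# Let NGINX handle errors
+fastcgi_intercept_errors on;
+
+include /etc/nginx/fastcgi.conf;
+fastcgi_pass unix:/var/run/fcgiwrap.socket;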
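Review bot: The comment `# check that the PHP script exists before passing it` does not match what the snippet does: requests are handed to `unix:/var/run/fcgiwrap.socket`, i.e. arbitrary CGI executables rather than PHP-FPM, so I would write `# check that the CGI script exists before passing it to fcgiwrap`. The regex `fastcgi_split_path_info (^/[^/]*)(.*)$;` makes only the first path segment the script and everything after it PATH_INFO, which suits a flat cgi-bin style directory but silently breaks for nested scripts; a one-line comment stating that assumption, and that the including location must set `root` for `try_files $fastcgi_script_name =404;` to resolve, would save the next reader a debugging session.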
@ -1,4 +1,4 @@
|
|||
# {{ ansible_managed }}
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
proxy_redirect off;
|
||||
proxy_set_header Host $host;
|
|
@ -1,7 +1,7 @@
|
|||
# {{ ansible_managed }}
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
ssl_certificate {{ nginx.ssl.cert }};
|
||||
ssl_certificate_key {{ nginx.ssl.cert_key }};
|
||||
ssl_certificate {{ item.cert }};
|
||||
ssl_certificate_key {{ item.cert_key }};
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
ssl_session_tickets off;
|
||||
|
@ -13,5 +13,5 @@ ssl_prefer_server_ciphers off;
|
|||
# Enable OCSP Stapling, point to certificate chain
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
|
||||
ssl_trusted_certificate {{ item.trusted_cert }};
|
||||
|
|
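Review bot: The template now reads `item.cert`, `item.cert_key` and `item.trusted_cert`, i.e. the implicit loop variable of whichever task renders it, and that task is not visible in this excerpt; a template that depends on a bare `item` breaks silently if the task is later rewritten with `loop_control: loop_var` or included from inside another loop. Declaring `loop_control: loop_var: ssl_domain` in the rendering task and using `ssl_domain.cert` here makes the contract explicit, and a leading `{# rendered once per SSL domain entry; expects cert, cert_key and trusted_cert #}` documents it for the next reader. The header of this file section is not shown in this excerpt.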
@ -1,3 +1,3 @@
|
|||
#!/usr/bin/tail +14
|
||||
# {{ ansible_managed }}
|
||||
{{ ansible_managed | comment }}
|
||||
[0m> [38;5;82mNGINX[0m a été déployé sur cette machine. Voir [38;5;6m/etc/nginx/[0m.
|
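--- a/roles/nginx/templates/www/html/401.html.j2
+++ b/roles/nginx/templates/www/html/401.html.j2
@@ -0,0 +1,18 @@
+{{ ansible_header | comment('xml') }}
+
+<html>
+<head>
+<title>Accès refusé</title>
+<meta http-equiv="content-type" content="text/html; charset=UTF-8">
+</head>
+<body>
+<h1>Accès refusé</h1>
+<p>
+Pour éviter le scan des adresses de diffusions par un robot, cette page demande un identifiant et mot de passe.
+</p>
+<ul>
+<li>Identifiant : <em>Stop</em></li>
+<li>Mot de passe : <em>Spam</em></li>
+</ul>
+</body>
+</html>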
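Review bot: The first line uses `{{ ansible_header | comment('xml') }}` while every other template in this commit uses `ansible_managed`; unless `ansible_header` is defined somewhere in the inventory (not visible here), rendering this template fails on an undefined variable, since only `ansible_managed` is built in. `{{ ansible_managed | comment('xml') }}` is almost certainly what was meant. The page also lacks `<!DOCTYPE html>` and a `lang="fr"` attribute on `<html>`, which the French content would benefit from.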
@ -57,7 +57,7 @@
|
|||
<h1>502</h1>
|
||||
<p>Whoops, le service prend trop de temps à répondre…</p>
|
||||
<p>Essayez de rafraîchir la page. Si le problème persiste, pensez
|
||||
à contacter <a href="mailto:tech.aurore@lists.crans.org">l'équipe technique d'Aurore</a>.</p>
|
||||
à contacter <a href="mailto:{{ nginx.contact }}">{{ nginx.who }}</a>.</p>
|
||||
</body>
|
||||
</html>
|
||||
|
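--- a/roles/nginx/templates/www/html/robots.txt.j2
+++ b/roles/nginx/templates/www/html/robots.txt.j2
@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /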
@ -1,73 +0,0 @@
|
|||
---
|
||||
- name: Install NGINX
|
||||
apt:
|
||||
update_cache: true
|
||||
name: nginx
|
||||
register: apt_result
|
||||
retries: 3
|
||||
until: apt_result is succeeded
|
||||
|
||||
- name: Copy snippets
|
||||
template:
|
||||
src: "nginx/snippets/{{ item }}.j2"
|
||||
dest: "/etc/nginx/snippets/{{ item }}"
|
||||
mode: 0644
|
||||
loop:
|
||||
- options-ssl.conf
|
||||
- options-proxypass.conf
|
||||
|
||||
- name: Copy dhparam
|
||||
template:
|
||||
src: letsencrypt/dhparam.j2
|
||||
dest: /etc/letsencrypt/dhparam
|
||||
mode: 0644
|
||||
|
||||
- name: Copy reverse proxy sites
|
||||
template:
|
||||
src: "nginx/sites-available/{{ item }}.j2"
|
||||
dest: "/etc/nginx/sites-available/{{ item }}"
|
||||
mode: 0644
|
||||
loop:
|
||||
- reverseproxy
|
||||
- reverseproxy_redirect_dname
|
||||
- redirect
|
||||
notify: Reload nginx
|
||||
|
||||
- name: Activate sites
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/{{ item }}"
|
||||
dest: "/etc/nginx/sites-enabled/{{ item }}"
|
||||
state: link
|
||||
mode: 0644
|
||||
loop:
|
||||
- reverseproxy
|
||||
- reverseproxy_redirect_dname
|
||||
- redirect
|
||||
notify: Reload nginx
|
||||
|
||||
- name: Copy forward modules
|
||||
template:
|
||||
src: "nginx/modules-available/60-forward.conf.j2"
|
||||
dest: "/etc/nginx/modules-available/60-forward.conf"
|
||||
mode: 0644
|
||||
notify: Reload nginx
|
||||
|
||||
- name: Activate modules
|
||||
file:
|
||||
src: "/etc/nginx/modules-available/60-forward.conf"
|
||||
dest: "/etc/nginx/modules-enabled/60-forward.conf"
|
||||
state: link
|
||||
mode: 0644
|
||||
notify: Reload nginx
|
||||
|
||||
- name: Copy 50x error page
|
||||
template:
|
||||
src: www/html/50x.html.j2
|
||||
dest: /var/www/html/50x.html
|
||||
mode: 0644
|
||||
|
||||
- name: Indicate role in motd
|
||||
template:
|
||||
src: update-motd.d/05-service.j2
|
||||
dest: /etc/update-motd.d/05-nginx
|
||||
mode: 0755
|
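--- a/roles/postfix_non_mailhost/handlers/main.yml
+++ b/roles/postfix_non_mailhost/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: restart postfix
+  service:
+    name: postfix
+    state: restarted
+
+- name: reload postfix
+  service:
+    name: postfix
+    state: reloaded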
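--- a/roles/postfix_non_mailhost/tasks/main.yml
+++ b/roles/postfix_non_mailhost/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- name: Install postfix
+  apt:
+    name: postfix
+    update_cache: true
+  register: result
+  retries: 3
+  until: result is succeeded
+
+- name: Configure postfix
+  template:
+    src: main.cf.j2
+    dest: /etc/postfix/main.cf
+    mode: 0644
+    owner: root
+    group: root
+  notify: restart postfix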
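Review bot: The first task registers its result as `result` while the equivalent apt task in `roles/postgresql_server/tasks/main.yml` of this same commit uses `apt_result`; a generic name like `result` is easy to shadow when tasks are added, so `register: apt_result` / `until: apt_result is succeeded` would be consistent. The `Configure postfix` task notifies `restart postfix` although the role also defines a `reload postfix` handler that nothing notifies; `postfix reload` re-reads main.cf, so `notify: reload postfix` applies the new configuration without interrupting in-flight deliveries on every change.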
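--- a/roles/postfix_non_mailhost/templates/main.cf.j2
+++ b/roles/postfix_non_mailhost/templates/main.cf.j2
@@ -0,0 +1,32 @@
+# {{ ansible_managed }}
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+# Template based on /usr/share/postfix/main.cf.debian
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# Send mail as user@{{ ansible_fqdn }}
+myhostname = {{ ansible_fqdn }}
+myorigin = $myhostname
+mydomain = $myhostname
+
+# Specify the trusted networks
+mynetworks = 127.0.0.0/8 {{ local_network }}
+
+# This host does not relay mail from untrusted networks
+relay_domains =
+
+# This is needed if no direct Internet access is available
+relayhost = {{ relay_host }}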
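Review bot: `inet_interfaces` is not set, so Postfix keeps its default of `all` and this non-mailhost accepts SMTP on every interface, while `mynetworks = 127.0.0.0/8 {{ local_network }}` lets the whole local network relay through it. For a host that only submits its own mail to `{{ relay_host }}` I would add `inet_interfaces = loopback-only` next to `mynetworks`, and reduce `mynetworks` to the loopback range unless another machine is expected to relay via this one. The header still uses `# {{ ansible_managed }}` while every other template touched by this commit switched to `{{ ansible_managed | comment }}`.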
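--- a/roles/postgresql_server/defaults/main.yml
+++ b/roles/postgresql_server/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+postgresql_hosts: []
+postgresql_databases: []
+postgresql_users: []
+...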
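--- a/roles/postgresql_server/handlers/main.yml
+++ b/roles/postgresql_server/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart postgresql
+  service:
+    name: postgresql
+    state: restarted
+    enabled: true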
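--- a/roles/postgresql_server/tasks/main.yml
+++ b/roles/postgresql_server/tasks/main.yml
@@ -0,0 +1,74 @@
+---
+- name: Install postgresql and psycopg2
+  apt:
+    update_cache: true
+    pkg:
+      - postgresql
+      - python3-psycopg2
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Ensure main postgresql directory exists
+  file:
+    path: /etc/postgresql/{{ postgresql.version }}/main/
+    state: directory
+    owner: postgres
+    group: postgres
+    mode: 0755
+
+- name: Ensure configuration directory exists
+  file:
+    path: /etc/postgresql/{{ postgresql.version }}/main/conf.d
+    state: directory
+    owner: postgres
+    group: postgres
+    mode: 0755
+
+- name: Configuration of postgresql {{ postgresql.version }}
+  template:
+    src: postgresql/{{ item }}.j2
+    dest: /etc/postgresql/{{ postgresql.version }}/main/{{ item }}
+    mode: 0640
+    owner: postgres
+    group: postgres
+  loop:
+    - pg_hba.conf
+    - postgresql.conf
+  notify:
+    - restart postgresql
+
+- name: Create databases
+  become: true
+  become_user: postgres
+  postgresql_db:
+    name: "{{ item }}"
+    encoding: UTF-8
+    lc_collate: en_US.UTF-8
+    lc_ctype: en_US.UTF-8
+    template: template0
+  loop: "{{ postgresql_databases }}"
+
+- name: Create users
+  become: true
+  become_user: postgres
+  postgresql_user:
+    db: "{{ item.database }}"
+    name: "{{ item.name }}"
+    password: "{{ item.password }}"
+  no_log: true
+  loop: "{{ postgresql_users }}"
+
+- name: Grant privileges to users
+  become: true
+  become_user: postgres
+  postgresql_privs:
+    db: postgres
+    type: database
+    role: "{{ item.name }}"
+    privs: "{{ item.privs | join(',') }}"
+    obj: "{{ item.database }}"
+  no_log: true
+  loop: "{{ postgresql_users }}"
+...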
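Review bot: `postgresql.version` is interpolated in four tasks but has no default: `defaults/main.yml` of this role declares only `postgresql_hosts`, `postgresql_databases` and `postgresql_users`, so the role aborts on an undefined variable for any host that does not set `postgresql.version` in inventory. A comment at the top of the defaults, `# postgresql.version (major version, e.g. "11") must be set per host; it builds the paths under /etc/postgresql and /var/lib/postgresql`, or a flat `postgresql_version` default, would make the requirement visible. Note also that `postgresql_privs` with `type: database` grants only database-level privileges (CONNECT, CREATE, TEMPORARY), not access to the tables inside `{{ item.database }}`; if a user is meant to own its data, the database list would need to carry an owner so the `postgresql_db` task can set `owner`.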
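--- a/roles/postgresql_server/templates/postgresql/pg_hba.conf.j2
+++ b/roles/postgresql_server/templates/postgresql/pg_hba.conf.j2
@@ -0,0 +1,20 @@
+{{ ansible_managed | comment }}
+
+# TYPE DATABASE USER ADDRESS METHOD
+
+# DO NOT DISABLE!
+# If you change this first entry you will need to make sure that the
+# database superuser can access the database using some other method.
+# Noninteractive access to all databases is required during automatic
+# maintenance (custom daily cronjobs, replication, and similar tasks).
+#
+# Database administrative login by Unix domain socket
+local all postgres peer
+
+
+# "local" is for Unix domain socket connections only
+local all all peer
+
+{% for host in postgresql_hosts %}
+host "{{ host.database }}" "{{ host.user }}" {{ host.net }} {{ host.method }}
+{% endfor %}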
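Review bot: The quotes around `{{ host.database }}` and `{{ host.user }}` on the `host` line make pg_hba take keywords literally, so an inventory entry with `database: all` or `user: all` matches only a database or role literally named `all` rather than everything, which is the opposite of what such an entry usually intends. If keywords must stay usable, write `host {{ host.database }} {{ host.user }} {{ host.net }} {{ host.method }}` and quote, in the inventory, only the rare names that need it. Since the companion `postgresql.conf.j2` in this commit sets `listen_addresses = '0.0.0.0, ::'`, this file is the only network-level gate, so a comment above the loop — `{# host.method should be md5 (or scram-sha-256 once password_encryption matches); never trust on a network range #}` — states the expectation for whoever fills `postgresql_hosts`.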
695
roles/postgresql_server/templates/postgresql/postgresql.conf.j2
Normal file
695
roles/postgresql_server/templates/postgresql/postgresql.conf.j2
Normal file
|
@ -0,0 +1,695 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
# -----------------------------
|
||||
# PostgreSQL configuration file
|
||||
# -----------------------------
|
||||
#
|
||||
# This file consists of lines of the form:
|
||||
#
|
||||
# name = value
|
||||
#
|
||||
# (The "=" is optional.) Whitespace may be used. Comments are introduced with
|
||||
# "#" anywhere on a line. The complete list of parameter names and allowed
|
||||
# values can be found in the PostgreSQL documentation.
|
||||
#
|
||||
# The commented-out settings shown in this file represent the default values.
|
||||
# Re-commenting a setting is NOT sufficient to revert it to the default value;
|
||||
# you need to reload the server.
|
||||
#
|
||||
# This file is read on server startup and when the server receives a SIGHUP
|
||||
# signal. If you edit the file on a running system, you have to SIGHUP the
|
||||
# server for the changes to take effect, run "pg_ctl reload", or execute
|
||||
# "SELECT pg_reload_conf()". Some parameters, which are marked below,
|
||||
# require a server shutdown and restart to take effect.
|
||||
#
|
||||
# Any parameter can also be given as a command-line option to the server, e.g.,
|
||||
# "postgres -c log_connections=on". Some parameters can be changed at run time
|
||||
# with the "SET" SQL command.
|
||||
#
|
||||
# Memory units: kB = kilobytes Time units: ms = milliseconds
|
||||
# MB = megabytes s = seconds
|
||||
# GB = gigabytes min = minutes
|
||||
# TB = terabytes h = hours
|
||||
# d = days
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# FILE LOCATIONS
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# The default values of these variables are driven from the -D command-line
|
||||
# option or PGDATA environment variable, represented here as ConfigDir.
|
||||
# All changes to this section REQUIRES restart
|
||||
|
||||
# use data in another directory
|
||||
data_directory = '/var/lib/postgresql/{{ postgresql.version }}/main'
|
||||
# host-based authentication file
|
||||
hba_file = '/etc/postgresql/{{ postgresql.version }}/main/pg_hba.conf'
|
||||
|
||||
# If external_pid_file is not explicitly set, no extra PID file is written.
|
||||
external_pid_file = '/run/postgresql/{{ postgresql.version }}-main.pid'
|
||||
# write an extra PID file
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# CONNECTIONS AND AUTHENTICATION
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# - Connection Settings -
|
||||
|
||||
listen_addresses = '0.0.0.0, ::'
|
||||
# listen_addresses = * # listen to all
|
||||
#listen_addresses = 'localhost' # what IP address(es) to listen on;
|
||||
# comma-separated list of addresses;
|
||||
# defaults to 'localhost'; use '*' for all
|
||||
# (change requires restart)
|
||||
port = 5432 # (change requires restart)
|
||||
max_connections = 100 # (change requires restart)
|
||||
#superuser_reserved_connections = 3 # (change requires restart)
|
||||
unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories
|
||||
# (change requires restart)
|
||||
#unix_socket_group = '' # (change requires restart)
|
||||
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
|
||||
# (change requires restart)
|
||||
#bonjour = off # advertise server via Bonjour
|
||||
# (change requires restart)
|
||||
#bonjour_name = '' # defaults to the computer name
|
||||
# (change requires restart)
|
||||
|
||||
# - TCP Keepalives -
|
||||
# see "man 7 tcp" for details
|
||||
|
||||
#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
|
||||
# 0 selects the system default
|
||||
#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
|
||||
# 0 selects the system default
|
||||
#tcp_keepalives_count = 0 # TCP_KEEPCNT;
|
||||
# 0 selects the system default
|
||||
|
||||
|
||||
# - Authentication -
|
||||
|
||||
#authentication_timeout = 1min # 1s-600s
|
||||
#password_encryption = md5 # md5 or scram-sha-256
|
||||
#db_user_namespace = off
|
||||
|
||||
# GSSAPI using Kerberos
|
||||
#krb_server_keyfile = ''
|
||||
#krb_caseins_users = off
|
||||
|
||||
# - SSL -
|
||||
|
||||
ssl = on
|
||||
#ssl_ca_file = ''
|
||||
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
|
||||
#ssl_crl_file = ''
|
||||
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
|
||||
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
|
||||
#ssl_prefer_server_ciphers = on
|
||||
#ssl_ecdh_curve = 'prime256v1'
|
||||
#ssl_dh_params_file = ''
|
||||
#ssl_passphrase_command = ''
|
||||
#ssl_passphrase_command_supports_reload = off
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# RESOURCE USAGE (except WAL)
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# - Memory -
|
||||
|
||||
shared_buffers = 128MB # min 128kB
|
||||
# (change requires restart)
|
||||
#huge_pages = try # on, off, or try
|
||||
# (change requires restart)
|
||||
#temp_buffers = 8MB # min 800kB
|
||||
#max_prepared_transactions = 0 # zero disables the feature
|
||||
# (change requires restart)
|
||||
# Caution: it is not advisable to set max_prepared_transactions nonzero unless
|
||||
# you actively intend to use prepared transactions.
|
||||
#work_mem = 4MB # min 64kB
|
||||
#maintenance_work_mem = 64MB # min 1MB
|
||||
#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem
|
||||
#max_stack_depth = 2MB # min 100kB
|
||||
dynamic_shared_memory_type = posix # the default is the first option
|
||||
# supported by the operating system:
|
||||
# posix
|
||||
# sysv
|
||||
# windows
|
||||
# mmap
|
||||
# (change requires restart)
|
||||
|
||||
# - Disk -
|
||||
|
||||
#temp_file_limit = -1 # limits per-process temp file space
|
||||
# in kB, or -1 for no limit
|
||||
|
||||
# - Kernel Resources -
|
||||
|
||||
#max_files_per_process = 1000 # min 25
|
||||
# (change requires restart)
|
||||
|
||||
# - Cost-Based Vacuum Delay -
|
||||
|
||||
#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables)
|
||||
#vacuum_cost_page_hit = 1 # 0-10000 credits
|
||||
#vacuum_cost_page_miss = 10 # 0-10000 credits
|
||||
#vacuum_cost_page_dirty = 20 # 0-10000 credits
|
||||
#vacuum_cost_limit = 200 # 1-10000 credits
|
||||
|
||||
# - Background Writer -
|
||||
|
||||
#bgwriter_delay = 200ms # 10-10000ms between rounds
|
||||
#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
|
||||
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
|
||||
#bgwriter_flush_after = 512kB # measured in pages, 0 disables
|
||||
|
||||
# - Asynchronous Behavior -
|
||||
|
||||
#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
|
||||
#max_worker_processes = 8 # (change requires restart)
|
||||
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
|
||||
#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
|
||||
#parallel_leader_participation = on
|
||||
#max_parallel_workers = 8 # maximum number of max_worker_processes that
|
||||
# can be used in parallel operations
|
||||
#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
|
||||
# (change requires restart)
|
||||
#backend_flush_after = 0 # measured in pages, 0 disables
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# WRITE-AHEAD LOG
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# - Settings -
|
||||
|
||||
#wal_level = replica # minimal, replica, or logical
|
||||
# (change requires restart)
|
||||
#fsync = on # flush data to disk for crash safety
|
||||
# (turning this off can cause
|
||||
# unrecoverable data corruption)
|
||||
#synchronous_commit = on # synchronization level;
|
||||
# off, local, remote_write, remote_apply, or on
|
||||
#wal_sync_method = fsync # the default is the first option
|
||||
# supported by the operating system:
|
||||
# open_datasync
|
||||
# fdatasync (default on Linux)
|
||||
# fsync
|
||||
# fsync_writethrough
|
||||
# open_sync
|
||||
#full_page_writes = on # recover from partial page writes
|
||||
#wal_compression = off # enable compression of full-page writes
|
||||
#wal_log_hints = off # also do full page writes of non-critical updates
|
||||
# (change requires restart)
|
||||
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
|
||||
# (change requires restart)
|
||||
#wal_writer_delay = 200ms # 1-10000 milliseconds
|
||||
#wal_writer_flush_after = 1MB # measured in pages, 0 disables
|
||||
|
||||
#commit_delay = 0 # range 0-100000, in microseconds
|
||||
#commit_siblings = 5 # range 1-1000
|
||||
|
||||
# - Checkpoints -
|
||||
|
||||
#checkpoint_timeout = 5min # range 30s-1d
|
||||
max_wal_size = 1GB
|
||||
min_wal_size = 80MB
|
||||
#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
|
||||
#checkpoint_flush_after = 256kB # measured in pages, 0 disables
|
||||
#checkpoint_warning = 30s # 0 disables
|
||||
|
||||
# - Archiving -
|
||||
|
||||
#archive_mode = off # enables archiving; off, on, or always
|
||||
# (change requires restart)
|
||||
#archive_command = '' # command to use to archive a logfile segment
|
||||
# placeholders: %p = path of file to archive
|
||||
# %f = file name only
|
||||
# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
|
||||
#archive_timeout = 0 # force a logfile segment switch after this
|
||||
# number of seconds; 0 disables
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# REPLICATION
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# - Sending Servers -
|
||||
|
||||
# Set these on the master and on any standby that will send replication data.
|
||||
|
||||
#max_wal_senders = 10 # max number of walsender processes
|
||||
# (change requires restart)
|
||||
#wal_keep_segments = 0 # in logfile segments; 0 disables
|
||||
#wal_sender_timeout = 60s # in milliseconds; 0 disables
|
||||
|
||||
#max_replication_slots = 10 # max number of replication slots
|
||||
# (change requires restart)
|
||||
#track_commit_timestamp = off # collect timestamp of transaction commit
|
||||
# (change requires restart)
|
||||
|
||||
# - Master Server -
|
||||
|
||||
# These settings are ignored on a standby server.
|
||||
|
||||
#synchronous_standby_names = '' # standby servers that provide sync rep
|
||||
# method to choose sync standbys, number of sync standbys,
|
||||
# and comma-separated list of application_name
|
||||
# from standby(s); '*' = all
|
||||
#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
|
||||
|
||||
# - Standby Servers -
|
||||
|
||||
# These settings are ignored on a master server.
|
||||
|
||||
#hot_standby = on # "off" disallows queries during recovery
|
||||
# (change requires restart)
|
||||
#max_standby_archive_delay = 30s # max delay before canceling queries
|
||||
# when reading WAL from archive;
|
||||
# -1 allows indefinite delay
|
||||
#max_standby_streaming_delay = 30s # max delay before canceling queries
|
||||
# when reading streaming WAL;
|
||||
# -1 allows indefinite delay
|
||||
#wal_receiver_status_interval = 10s # send replies at least this often
|
||||
# 0 disables
|
||||
#hot_standby_feedback = off # send info from standby to prevent
|
||||
# query conflicts
|
||||
#wal_receiver_timeout = 60s # time that receiver waits for
|
||||
# communication from master
|
||||
# in milliseconds; 0 disables
|
||||
#wal_retrieve_retry_interval = 5s # time to wait before retrying to
|
||||
# retrieve WAL after a failed attempt
|
||||
# - Subscribers -
|
||||
|
||||
# These settings are ignored on a publisher.
|
||||
|
||||
#max_logical_replication_workers = 4 # taken from max_worker_processes
|
||||
# (change requires restart)
|
||||
#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# QUERY TUNING
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# - Planner Method Configuration -
|
||||
|
||||
#enable_bitmapscan = on
|
||||
#enable_hashagg = on
|
||||
#enable_hashjoin = on
|
||||
#enable_indexscan = on
|
||||
#enable_indexonlyscan = on
|
||||
#enable_material = on
|
||||
#enable_mergejoin = on
|
||||
#enable_nestloop = on
|
||||
#enable_parallel_append = on
|
||||
#enable_seqscan = on
|
||||
#enable_sort = on
|
||||
#enable_tidscan = on
|
||||
#enable_partitionwise_join = off
|
||||
#enable_partitionwise_aggregate = off
|
||||
#enable_parallel_hash = on
|
||||
#enable_partition_pruning = on
|
||||
|
||||
# - Planner Cost Constants -
|
||||
|
||||
#seq_page_cost = 1.0 # measured on an arbitrary scale
|
||||
#random_page_cost = 4.0 # same scale as above
|
||||
#cpu_tuple_cost = 0.01 # same scale as above
|
||||
#cpu_index_tuple_cost = 0.005 # same scale as above
|
||||
#cpu_operator_cost = 0.0025 # same scale as above
|
||||
#parallel_tuple_cost = 0.1 # same scale as above
|
||||
#parallel_setup_cost = 1000.0 # same scale as above
|
||||
|
||||
#jit_above_cost = 100000 # perform JIT compilation if available
|
||||
# and query more expensive than this;
|
||||
# -1 disables
|
||||
#jit_inline_above_cost = 500000 # inline small functions if query is
|
||||
# more expensive than this; -1 disables
|
||||
#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if
|
||||
# query is more expensive than this;
|
||||
# -1 disables
|
||||
|
||||
#min_parallel_table_scan_size = 8MB
|
||||
#min_parallel_index_scan_size = 512kB
|
||||
#effective_cache_size = 4GB
|
||||
|
||||
# - Genetic Query Optimizer -
|
||||
|
||||
#geqo = on
|
||||
#geqo_threshold = 12
|
||||
#geqo_effort = 5 # range 1-10
|
||||
#geqo_pool_size = 0 # selects default based on effort
|
||||
#geqo_generations = 0 # selects default based on effort
|
||||
#geqo_selection_bias = 2.0 # range 1.5-2.0
|
||||
#geqo_seed = 0.0 # range 0.0-1.0
|
||||
|
||||
# - Other Planner Options -
|
||||
|
||||
#default_statistics_target = 100 # range 1-10000
|
||||
#constraint_exclusion = partition # on, off, or partition
|
||||
#cursor_tuple_fraction = 0.1 # range 0.0-1.0
|
||||
#from_collapse_limit = 8
|
||||
#join_collapse_limit = 8 # 1 disables collapsing of explicit
|
||||
# JOIN clauses
|
||||
#force_parallel_mode = off
|
||||
#jit = on # allow JIT compilation
|
||||
#plan_cache_mode = auto # auto, force_generic_plan or
|
||||
# force_custom_plan
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# REPORTING AND LOGGING
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# - Where to Log -
|
||||
|
||||
#log_destination = 'stderr' # Valid values are combinations of
|
||||
# stderr, csvlog, syslog, and eventlog,
|
||||
# depending on platform. csvlog
|
||||
# requires logging_collector to be on.
|
||||
|
||||
# This is used when logging to stderr:
|
||||
#logging_collector = off # Enable capturing of stderr and csvlog
|
||||
# into log files. Required to be on for
|
||||
# csvlogs.
|
||||
# (change requires restart)
|
||||
|
||||
# These are only used if logging_collector is on:
|
||||
#log_directory = 'log' # directory where log files are written,
|
||||
# can be absolute or relative to PGDATA
|
||||
#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
|
||||
# can include strftime() escapes
|
||||
#log_file_mode = 0600 # creation mode for log files,
|
||||
# begin with 0 to use octal notation
|
||||
#log_truncate_on_rotation = off # If on, an existing log file with the
|
||||
# same name as the new log file will be
|
||||
# truncated rather than appended to.
|
||||
# But such truncation only occurs on
|
||||
# time-driven rotation, not on restarts
|
||||
# or size-driven rotation. Default is
|
||||
# off, meaning append to existing files
|
||||
# in all cases.
|
||||
#log_rotation_age = 1d # Automatic rotation of logfiles will
|
||||
# happen after that time. 0 disables.
|
||||
#log_rotation_size = 10MB # Automatic rotation of logfiles will
|
||||
# happen after that much log output.
|
||||
# 0 disables.
|
||||
|
||||
# These are relevant when logging to syslog:
|
||||
#syslog_facility = 'LOCAL0'
|
||||
#syslog_ident = 'postgres'
|
||||
#syslog_sequence_numbers = on
|
||||
#syslog_split_messages = on
|
||||
|
||||
# This is only relevant when logging to eventlog (win32):
|
||||
# (change requires restart)
|
||||
#event_source = 'PostgreSQL'
|
||||
|
||||
# - When to Log -
|
||||
|
||||
#log_min_messages = warning # values in order of decreasing detail:
|
||||
# debug5
|
||||
# debug4
|
||||
# debug3
|
||||
# debug2
|
||||
# debug1
|
||||
# info
|
||||
# notice
|
||||
# warning
|
||||
# error
|
||||
# log
|
||||
# fatal
|
||||
# panic
|
||||
|
||||
#log_min_error_statement = error # values in order of decreasing detail:
|
||||
# debug5
|
||||
# debug4
|
||||
# debug3
|
||||
# debug2
|
||||
# debug1
|
||||
# info
|
||||
# notice
|
||||
# warning
|
||||
# error
|
||||
# log
|
||||
# fatal
|
||||
# panic (effectively off)
|
||||
|
||||
#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
|
||||
# and their durations, > 0 logs only
|
||||
# statements running at least this number
|
||||
# of milliseconds
|
||||
|
||||
|
||||
# - What to Log -
|
||||
|
||||
#debug_print_parse = off
|
||||
#debug_print_rewritten = off
|
||||
#debug_print_plan = off
|
||||
#debug_pretty_print = on
|
||||
#log_checkpoints = off
|
||||
#log_connections = off
|
||||
#log_disconnections = off
|
||||
#log_duration = off
|
||||
#log_error_verbosity = default # terse, default, or verbose messages
|
||||
#log_hostname = off
|
||||
log_line_prefix = '%m [%p] %q%u@%d ' # special values:
|
||||
# %a = application name
|
||||
# %u = user name
|
||||
# %d = database name
|
||||
# %r = remote host and port
|
||||
# %h = remote host
|
||||
# %p = process ID
|
||||
# %t = timestamp without milliseconds
|
||||
# %m = timestamp with milliseconds
|
||||
# %n = timestamp with milliseconds (as a Unix epoch)
|
||||
# %i = command tag
|
||||
# %e = SQL state
|
||||
# %c = session ID
|
||||
# %l = session line number
|
||||
# %s = session start timestamp
|
||||
# %v = virtual transaction ID
|
||||
# %x = transaction ID (0 if none)
|
||||
# %q = stop here in non-session
|
||||
# processes
|
||||
# %% = '%'
|
||||
# e.g. '<%u%%%d> '
|
||||
#log_lock_waits = off # log lock waits >= deadlock_timeout
|
||||
#log_statement = 'none' # none, ddl, mod, all
|
||||
#log_replication_commands = off
|
||||
#log_temp_files = -1 # log temporary files equal or larger
|
||||
# than the specified size in kilobytes;
|
||||
# -1 disables, 0 logs all temp files
|
||||
log_timezone = 'Europe/Paris'
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# PROCESS TITLE
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
cluster_name = '{{ postgresql.version }}/main' # added to process titles if nonempty
|
||||
# (change requires restart)
|
||||
#update_process_title = on
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# STATISTICS
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# - Query and Index Statistics Collector -
|
||||
|
||||
#track_activities = on
|
||||
#track_counts = on
|
||||
#track_io_timing = off
|
||||
#track_functions = none # none, pl, all
|
||||
#track_activity_query_size = 1024 # (change requires restart)
|
||||
stats_temp_directory = '/var/run/postgresql/{{ postgresql.version }}-main.pg_stat_tmp'
|
||||
|
||||
|
||||
# - Monitoring -
|
||||
|
||||
#log_parser_stats = off
|
||||
#log_planner_stats = off
|
||||
#log_executor_stats = off
|
||||
#log_statement_stats = off
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# AUTOVACUUM
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
#autovacuum = on # Enable autovacuum subprocess? 'on'
|
||||
# requires track_counts to also be on.
|
||||
#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
|
||||
# their durations, > 0 logs only
|
||||
# actions running at least this number
|
||||
# of milliseconds.
|
||||
#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
|
||||
# (change requires restart)
|
||||
#autovacuum_naptime = 1min # time between autovacuum runs
|
||||
#autovacuum_vacuum_threshold = 50 # min number of row updates before
|
||||
# vacuum
|
||||
#autovacuum_analyze_threshold = 50 # min number of row updates before
|
||||
# analyze
|
||||
#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
|
||||
#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
|
||||
#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
|
||||
# (change requires restart)
|
||||
#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age
|
||||
# before forced vacuum
|
||||
# (change requires restart)
|
||||
#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for
|
||||
# autovacuum, in milliseconds;
|
||||
# -1 means use vacuum_cost_delay
|
||||
#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
|
||||
# autovacuum, -1 means use
|
||||
# vacuum_cost_limit
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# CLIENT CONNECTION DEFAULTS
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# - Statement Behavior -
|
||||
|
||||
#client_min_messages = notice # values in order of decreasing detail:
|
||||
# debug5
|
||||
# debug4
|
||||
# debug3
|
||||
# debug2
|
||||
# debug1
|
||||
# log
|
||||
# notice
|
||||
# warning
|
||||
# error
|
||||
#search_path = '"$user", public' # schema names
|
||||
#row_security = on
|
||||
#default_tablespace = '' # a tablespace name, '' uses the default
|
||||
#temp_tablespaces = '' # a list of tablespace names, '' uses
|
||||
# only default tablespace
|
||||
#check_function_bodies = on
|
||||
#default_transaction_isolation = 'read committed'
|
||||
#default_transaction_read_only = off
|
||||
#default_transaction_deferrable = off
|
||||
#session_replication_role = 'origin'
|
||||
#statement_timeout = 0 # in milliseconds, 0 is disabled
|
||||
#lock_timeout = 0 # in milliseconds, 0 is disabled
|
||||
#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled
|
||||
#vacuum_freeze_min_age = 50000000
|
||||
#vacuum_freeze_table_age = 150000000
|
||||
#vacuum_multixact_freeze_min_age = 5000000
|
||||
#vacuum_multixact_freeze_table_age = 150000000
|
||||
#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples
|
||||
# before index cleanup, 0 always performs
|
||||
# index cleanup
|
||||
#bytea_output = 'hex' # hex, escape
|
||||
#xmlbinary = 'base64'
|
||||
#xmloption = 'content'
|
||||
#gin_fuzzy_search_limit = 0
|
||||
#gin_pending_list_limit = 4MB
|
||||
|
||||
# - Locale and Formatting -
|
||||
|
||||
datestyle = 'iso, dmy'
|
||||
#intervalstyle = 'postgres'
|
||||
timezone = 'Europe/Paris'
|
||||
#timezone_abbreviations = 'Default' # Select the set of available time zone
|
||||
# abbreviations. Currently, there are
|
||||
# Default
|
||||
# Australia (historical usage)
|
||||
# India
|
||||
# You can create your own file in
|
||||
# share/timezonesets/.
|
||||
#extra_float_digits = 1 # min -15, max 3; any value >0 actually
|
||||
# selects precise output mode
|
||||
#client_encoding = sql_ascii # actually, defaults to database
|
||||
# encoding
|
||||
|
||||
# These settings are initialized by initdb, but they can be changed.
|
||||
lc_messages = 'en_US.UTF-8'
|
||||
lc_monetary = 'en_US.UTF-8'
|
||||
lc_numeric = 'en_US.UTF-8'
|
||||
lc_time = 'en_US.UTF-8'
|
||||
|
||||
# default configuration for text search
|
||||
default_text_search_config = 'pg_catalog.french'
|
||||
|
||||
# - Shared Library Preloading -
|
||||
|
||||
#shared_preload_libraries = '' # (change requires restart)
|
||||
#local_preload_libraries = ''
|
||||
#session_preload_libraries = ''
|
||||
#jit_provider = 'llvmjit' # JIT library to use
|
||||
|
||||
# - Other Defaults -
|
||||
|
||||
#dynamic_library_path = '$libdir'
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# LOCK MANAGEMENT
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
#deadlock_timeout = 1s
|
||||
#max_locks_per_transaction = 64 # min 10
|
||||
# (change requires restart)
|
||||
#max_pred_locks_per_transaction = 64 # min 10
|
||||
# (change requires restart)
|
||||
#max_pred_locks_per_relation = -2 # negative values mean
|
||||
# (max_pred_locks_per_transaction
|
||||
# / -max_pred_locks_per_relation) - 1
|
||||
#max_pred_locks_per_page = 2 # min 0
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# VERSION AND PLATFORM COMPATIBILITY
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# - Previous PostgreSQL Versions -
|
||||
|
||||
#array_nulls = on
|
||||
#backslash_quote = safe_encoding # on, off, or safe_encoding
|
||||
#default_with_oids = off
|
||||
#escape_string_warning = on
|
||||
#lo_compat_privileges = off
|
||||
#operator_precedence_warning = off
|
||||
#quote_all_identifiers = off
|
||||
#standard_conforming_strings = on
|
||||
#synchronize_seqscans = on
|
||||
|
||||
# - Other Platforms and Clients -
|
||||
|
||||
#transform_null_equals = off
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# ERROR HANDLING
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
#exit_on_error = off # terminate session on any error?
|
||||
#restart_after_crash = on # reinitialize after backend crash?
|
||||
#data_sync_retry = off # retry or panic on failure to fsync
|
||||
# data?
|
||||
# (change requires restart)
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# CONFIG FILE INCLUDES
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# These options allow settings to be loaded from files other than the
|
||||
# default postgresql.conf. Note that these are directives, not variable
|
||||
# assignments, so they can usefully be given more than once.
|
||||
|
||||
include_dir = 'conf.d' # include files ending in '.conf' from
|
||||
# a directory, e.g., 'conf.d'
|
||||
#include_if_exists = '...' # include file only if it exists
|
||||
#include = '...' # include file
|
||||
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# CUSTOMIZED OPTIONS
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# Add settings for extensions here
|
|
@ -55,6 +55,28 @@
|
|||
content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}"
|
||||
dest: /etc/prometheus/targets_unifi_snmp.json
|
||||
mode: 0644
|
||||
when: prometheus_unifi_snmp_targets is defined
|
||||
|
||||
- name: Configure Prometheus Switchs
|
||||
copy:
|
||||
content: "{{ prometheus_switch_snmp_targets | to_nice_json }}"
|
||||
dest: /etc/prometheus/targets_switch_snmp.json
|
||||
mode: 0644
|
||||
when: prometheus_switch_snmp_targets is defined
|
||||
|
||||
- name: Configure Prometheus UPS SNMP devices
|
||||
copy:
|
||||
content: "{{ [{'targets': prometheus_ups_snmp_targets }] | to_nice_json }}\n"
|
||||
dest: /etc/prometheus/targets_ups_snmp.json
|
||||
mode: 0644
|
||||
when: prometheus_ups_snmp_targets is defined
|
||||
|
||||
- name: Configure Prometheus docker monitoring
|
||||
copy:
|
||||
content: "{{ [{'targets': prometheus_docker_targets }] | to_nice_json }}\n"
|
||||
dest: /etc/prometheus/targets_docker.json
|
||||
mode: 0644
|
||||
when: prometheus_docker_targets is defined
|
||||
|
||||
- name: Activate prometheus service
|
||||
systemd:
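Review bot: The switch task writes `content: "{{ prometheus_switch_snmp_targets | to_nice_json }}"` bare, while the UPS and docker tasks in the same hunk wrap their variable as `[{'targets': ...}]`, which is the document shape file_sd_configs reads. If `prometheus_switch_snmp_targets` is a plain list of hosts like the other two, the switch_snmp job will load a file with no `targets` key; if the variable is already in file_sd form, a comment saying so would stop the next reader from "fixing" it. Either way one shape across the four tasks is easier to maintain, e.g. `content: "{{ [{'targets': prometheus_switch_snmp_targets }] | to_nice_json }}\n"`.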
|
||||
|
|
|
@ -22,7 +22,7 @@ groups:
|
|||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "Mémoire libre de {{ $labels.instance }} à {{ $value }}%."
|
||||
summary: "Mémoire libre de {{ $labels.instance }} à {{ humanize $value }}%."
|
||||
|
||||
# Alert for out of disk space
|
||||
- alert: OutOfDiskSpace
|
||||
|
@ -31,7 +31,7 @@ groups:
|
|||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.instance }} à {{ $value }}%."
|
||||
summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.instance }} à {{ humanize $value }}%."
|
||||
|
||||
# Alert for out of inode space on disk
|
||||
- alert: OutOfInodes
|
||||
|
@ -49,7 +49,7 @@ groups:
|
|||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "CPU sur {{ $labels.instance }} à {{ $value }}%."
|
||||
summary: "CPU sur {{ $labels.instance }} à {{ humanize $value }}%."
|
||||
|
||||
# Check systemd unit (> buster)
|
||||
- alert: SystemdServiceFailed
|
||||
|
@ -59,4 +59,80 @@ groups:
|
|||
severity: warning
|
||||
annotations:
|
||||
summary: "{{ $labels.name }} a échoué sur {{ $labels.instance }}"
|
||||
|
||||
# Check load of instance
|
||||
- alert: LoadUsage
|
||||
expr: node_load1 > 5
|
||||
for: 2m
|
||||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "La charge de {{ $labels.instance }} est à {{ $value }} !"
|
||||
|
||||
# Check UPS
|
||||
- alert: UpsOutputSourceChanged
|
||||
expr: upsOutputSource != 3
|
||||
for: 1m
|
||||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "La source d'alimentation de {{ $labels.instance }} a changé !"
|
||||
|
||||
- alert: UpsBatteryStatusWarning
|
||||
expr: upsBatteryStatus == 3
|
||||
for: 2m
|
||||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "L'état de la batterie de {{ $labels.instance }} est faible !"
|
||||
|
||||
- alert: UpsBatteryStatusCritical
|
||||
expr: upsBatteryStatus == 4
|
||||
for: 10m
|
||||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "L'état de la batterie de {{ $labels.instance }} est affaibli !"
|
||||
|
||||
- alert: UpsHighLoad
|
||||
expr: upsOutputPercentLoad > 70
|
||||
for: 5m
|
||||
labels:
|
||||
severity: critical
|
||||
annotations:
|
||||
summary: "La charge de {{ $labels.instance }} est de {{ $value }}% !"
|
||||
|
||||
- alert: UpsWrongInputVoltage
|
||||
expr: (upsInputVoltage < 210) or (upsInputVoltage > 250)
|
||||
for: 10m
|
||||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "La tension d'entrée de {{ $labels.instance }} est de {{ $value }}V."
|
||||
|
||||
- alert: UpsWrongOutputVoltage
|
||||
expr: (upsOutputVoltage < 220) or (upsOutputVoltage > 240)
|
||||
for: 10m
|
||||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "La tension de sortie de {{ $labels.instance }} est de {{ $value }}V."
|
||||
|
||||
- alert: UpsTimeRemainingWarning
|
||||
expr: upsEstimatedMinutesRemaining < 15
|
||||
for: 1m
|
||||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "L'autonomie restante sur {{ $labels.instance }} est de {{ $value }} min."
|
||||
|
||||
- alert: UpsTimeRemainingCritical
|
||||
expr: upsEstimatedMinutesRemaining < 5
|
||||
for: 1m
|
||||
labels:
|
||||
severity: critical
|
||||
annotations:
|
||||
summary: "L'autonomie restante sur {{ $labels.instance }} est de {{ $value }} min."
|
||||
|
||||
|
||||
{% endraw %}
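Review bot: `UpsBatteryStatusCritical` (`expr: upsBatteryStatus == 4`) carries `severity: warning` and `for: 10m`, the same severity as `UpsBatteryStatusWarning` and a longer hold time, so the rule named critical never escalates above the warning one. In the UPS-MIB, upsBatteryStatus value 4 is batteryDepleted and 3 is batteryLow, and the paired `UpsTimeRemainingCritical` rule does use `severity: critical`; I would align it with `severity: critical` and a `for:` closer to the 1m used by the time-remaining rules. A comment above the `upsOutputSource != 3` rule noting that 3 is normal(3) in that MIB would also help, since the numeric codes are otherwise opaque to whoever is paged.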
|
||||
|
|
|
@ -8,7 +8,7 @@ global:
|
|||
# Attach these labels to any time series or alerts when communicating with
|
||||
# external systems (federation, remote storage, Alertmanager).
|
||||
external_labels:
|
||||
monitor: 'example'
|
||||
federated_instance: '{{ inventory_hostname }}'
|
||||
|
||||
# Alertmanager configuration
|
||||
# Use prometheus alertmanager installed on the same machine
|
||||
|
@ -65,3 +65,38 @@ scrape_configs:
|
|||
scheme: https
|
||||
static_configs:
|
||||
- targets: []
|
||||
|
||||
- job_name: ups_snmp
|
||||
file_sd_configs:
|
||||
- files:
|
||||
- '/etc/prometheus/targets_ups_snmp.json'
|
||||
metrics_path: /snmp
|
||||
params:
|
||||
module: [eatonups]
|
||||
relabel_configs:
|
||||
- source_labels: [__address__]
|
||||
target_label: __param_target
|
||||
- source_labels: [__param_target]
|
||||
target_label: instance
|
||||
- target_label: __address__
|
||||
replacement: 127.0.0.1:9116
|
||||
|
||||
- job_name: switch_snmp
|
||||
file_sd_configs:
|
||||
- files:
|
||||
- "/etc/prometheus/targets_switch_snmp.json"
|
||||
metrics_path: /snmp
|
||||
params:
|
||||
module: [procurve_switch]
|
||||
relabel_configs:
|
||||
- source_labels: [__address__]
|
||||
target_label: __param_target
|
||||
- source_labels: [__param_target]
|
||||
target_label: instance
|
||||
- target_label: __address__
|
||||
replacement: 127.0.0.1:9116
|
||||
|
||||
- job_name: docker
|
||||
file_sd_configs:
|
||||
- files:
|
||||
- '/etc/prometheus/targets_docker.json'
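Review bot: The three new file_sd paths are quoted two different ways — `'/etc/prometheus/targets_ups_snmp.json'` and `'/etc/prometheus/targets_docker.json'` in single quotes, `"/etc/prometheus/targets_switch_snmp.json"` in double — and the ups_snmp and switch_snmp jobs repeat the same three-entry `relabel_configs` block verbatim. Single quotes throughout would match the rest of the scrape section; the duplicated relabel block is tolerable, but since this is a Jinja template a small macro would keep the `127.0.0.1:9116` exporter address in one place when it changes.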
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
# {{ ansible_managed }}
|
||||
---
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
# TODOlist :
|
||||
# - Faire fonctionner le monitoring des switchs défini ici
|
||||
# * Configurer tous les switchs avec un compte SNMPv3
|
||||
|
@ -6,48 +8,144 @@
|
|||
# - Optimiser les règles pour les bornes Unifi,
|
||||
# on pourrait indexer avec les SSID
|
||||
|
||||
procurve_switch:
|
||||
eatonups:
|
||||
walk:
|
||||
- 1.3.6.1.2.1.31.1.1.1.10
|
||||
- 1.3.6.1.2.1.31.1.1.1.6
|
||||
- 1.3.6.1.2.1.33.1.2
|
||||
- 1.3.6.1.2.1.33.1.3
|
||||
- 1.3.6.1.2.1.33.1.4
|
||||
- 1.3.6.1.4.1.534.1.6
|
||||
get:
|
||||
- 1.3.6.1.2.1.1.3.0
|
||||
- 1.3.6.1.2.1.1.5.0
|
||||
- 1.3.6.1.2.1.1.6.0
|
||||
metrics:
|
||||
- name: sysUpTime
|
||||
oid: 1.3.6.1.2.1.1.3
|
||||
type: gauge
|
||||
help: The time (in hundredths of a second) since the network management portion
|
||||
of the system was last re-initialized. - 1.3.6.1.2.1.1.3
|
||||
- name: sysName
|
||||
oid: 1.3.6.1.2.1.1.5
|
||||
type: DisplayString
|
||||
help: An administratively-assigned name for this managed node - 1.3.6.1.2.1.1.5
|
||||
- name: sysLocation
|
||||
oid: 1.3.6.1.2.1.1.6
|
||||
type: DisplayString
|
||||
help: The physical location of this node (e.g., 'telephone closet, 3rd floor')
|
||||
- 1.3.6.1.2.1.1.6
|
||||
- name: ifHCOutOctets
|
||||
oid: 1.3.6.1.2.1.31.1.1.1.10
|
||||
type: counter
|
||||
help: The total number of octets transmitted out of the interface, including framing
|
||||
characters - 1.3.6.1.2.1.31.1.1.1.10
|
||||
- name: upsBatteryStatus
|
||||
oid: 1.3.6.1.2.1.33.1.2.1
|
||||
type: gauge
|
||||
help: The indication of the capacity remaining in the UPS system's batteries -
|
||||
1.3.6.1.2.1.33.1.2.1
|
||||
- name: upsEstimatedMinutesRemaining
|
||||
oid: 1.3.6.1.2.1.33.1.2.3
|
||||
type: gauge
|
||||
help: An estimate of the time to battery charge depletion under the present load
|
||||
conditions if the utility power is off and remains off, or if it were to be
|
||||
lost and remain off. - 1.3.6.1.2.1.33.1.2.3
|
||||
- name: upsInputVoltage
|
||||
oid: 1.3.6.1.2.1.33.1.3.3.1.3
|
||||
type: gauge
|
||||
help: The magnitude of the present input voltage. - 1.3.6.1.2.1.33.1.3.3.1.3
|
||||
indexes:
|
||||
- labelname: ifIndex
|
||||
- labelname: upsInputLineIndex
|
||||
type: gauge
|
||||
- name: ifHCInOctets
|
||||
oid: 1.3.6.1.2.1.31.1.1.1.6
|
||||
type: counter
|
||||
help: The total number of octets received on the interface, including framing
|
||||
characters - 1.3.6.1.2.1.31.1.1.1.6
|
||||
- name: upsOutputSource
|
||||
oid: 1.3.6.1.2.1.33.1.4.1
|
||||
type: gauge
|
||||
help: The present source of output power - 1.3.6.1.2.1.33.1.4.1
|
||||
- name: upsOutputVoltage
|
||||
oid: 1.3.6.1.2.1.33.1.4.4.1.2
|
||||
type: gauge
|
||||
help: The present output voltage. - 1.3.6.1.2.1.33.1.4.4.1.2
|
||||
indexes:
|
||||
- labelname: ifIndex
|
||||
- labelname: upsOutputLineIndex
|
||||
type: gauge
|
||||
version: 3
|
||||
- name: upsOutputPower
|
||||
oid: 1.3.6.1.2.1.33.1.4.4.1.4
|
||||
type: gauge
|
||||
help: The present output true power. - 1.3.6.1.2.1.33.1.4.4.1.4
|
||||
indexes:
|
||||
- labelname: upsOutputLineIndex
|
||||
type: gauge
|
||||
- name: upsOutputPercentLoad
|
||||
oid: 1.3.6.1.2.1.33.1.4.4.1.5
|
||||
type: gauge
|
||||
help: The percentage of the UPS power capacity presently being used on this output
|
||||
line, i.e., the greater of the percent load of true power capacity and the percent
|
||||
load of VA. - 1.3.6.1.2.1.33.1.4.4.1.5
|
||||
indexes:
|
||||
- labelname: upsOutputLineIndex
|
||||
type: gauge
|
||||
- name: xupsEnvRemoteTemp
|
||||
oid: 1.3.6.1.4.1.534.1.6.5
|
||||
type: gauge
|
||||
help: The reading of an EMP's temperature sensor. - 1.3.6.1.4.1.534.1.6.5
|
||||
- name: xupsEnvRemoteHumidity
|
||||
oid: 1.3.6.1.4.1.534.1.6.6
|
||||
type: gauge
|
||||
help: The reading of an EMP's humidity sensor. - 1.3.6.1.4.1.534.1.6.6
|
||||
version: 1
|
||||
auth:
|
||||
username: prometheus
|
||||
community: public
|
||||
|
||||
procurve_switch:
|
||||
walk:
|
||||
- 1.3.6.1.2.1.31.1.1.1.10
|
||||
- 1.3.6.1.2.1.31.1.1.1
|
||||
- 1.3.6.1.2.1.2.2.1.2
|
||||
- 1.3.6.1.2.1.31.1.1.1.18
|
||||
get:
|
||||
- 1.3.6.1.2.1.1.3.0
|
||||
- 1.3.6.1.2.1.1.5.0
|
||||
- 1.3.6.1.2.1.1.6.0
|
||||
metrics:
|
||||
- name: sysUpTime
|
||||
oid: 1.3.6.1.2.1.1.3
|
||||
type: gauge
|
||||
help: The time (in hundredths of a second) since the network management
|
||||
portion of the system was last re-initialized. - 1.3.6.1.2.1.1.3
|
||||
- name: sysName
|
||||
oid: 1.3.6.1.2.1.1.5
|
||||
type: DisplayString
|
||||
help: An administratively-assigned name for this managed node
|
||||
- 1.3.6.1.2.1.1.5
|
||||
- name: sysLocation
|
||||
oid: 1.3.6.1.2.1.1.6
|
||||
type: DisplayString
|
||||
help: The physical location of this node (e.g., 'telephone closet, 3rd
|
||||
floor') - 1.3.6.1.2.1.1.6
|
||||
- name: ifHCOutOctets
|
||||
oid: 1.3.6.1.2.1.31.1.1.1.10
|
||||
type: counter
|
||||
help: The total number of octets transmitted out of the interface,
|
||||
including framing characters - 1.3.6.1.2.1.31.1.1.1.10
|
||||
indexes:
|
||||
- labelname: ifIndex
|
||||
type: gauge
|
||||
lookups:
|
||||
- labels:
|
||||
- ifIndex
|
||||
labelname: ifDescr
|
||||
oid: 1.3.6.1.2.1.2.2.1.2
|
||||
type: DisplayString
|
||||
- labels:
|
||||
- ifIndex
|
||||
labelname: ifName
|
||||
oid: 1.3.6.1.2.1.31.1.1.1.1
|
||||
type: DisplayString
|
||||
- name: ifHCInOctets
|
||||
oid: 1.3.6.1.2.1.31.1.1.1.6
|
||||
type: counter
|
||||
help: The total number of octets received on the interface, including
|
||||
framing characters - 1.3.6.1.2.1.31.1.1.1.6
|
||||
indexes:
|
||||
- labelname: ifIndex
|
||||
type: gauge
|
||||
lookups:
|
||||
- labels:
|
||||
- ifIndex
|
||||
labelname: ifDescr
|
||||
oid: 1.3.6.1.2.1.2.2.1.2
|
||||
type: DisplayString
|
||||
- labels:
|
||||
- ifIndex
|
||||
labelname: ifName
|
||||
oid: 1.3.6.1.2.1.31.1.1.1.1
|
||||
type: DisplayString
|
||||
version: 2
|
||||
auth:
|
||||
community: "{{ snmp_switch_community }}"
|
||||
|
||||
ubiquiti_unifi:
|
||||
walk:
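Review bot: The new `eatonups` module authenticates with `version: 1` and a hard-coded `community: public` (plus a `username: prometheus` that SNMPv1/v2c do not use), while the `procurve_switch` module in the same hunk takes its community from the vaulted `snmp_switch_community`. SNMPv1 sends the community in cleartext and `public` is the factory default on most devices, so the UPS readings are exposed to anyone on that segment; even if the device only speaks v1/v2c, the value should be a non-default vaulted variable, e.g. `community: "{{ snmp_ups_community }}"` (name constructed) with the `username` line dropped. The unquoted `priv_password: {{ snmp_unifi_password }}` in this file's last hunk has a related problem: a password containing `#`, `: ` or a leading special character breaks the rendered YAML, so quote it as `priv_password: "{{ snmp_unifi_password }}"`. Less urgently, `upsInputVoltage` and `upsOutputVoltage` list `ifIndex` among their `indexes` next to the UPS line index, and `ifHCInOctets`/`ifHCOutOctets` appear with no `indexes` at all; this looks like generator output from two MIBs merged by hand and is worth re-checking against the UPS-MIB table definitions.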
|
||||
|
@ -90,13 +188,31 @@ ubiquiti_unifi:
|
|||
indexes:
|
||||
- labelname: unifiVapIndex
|
||||
type: gauge
|
||||
- name: unifiVapNumStations
|
||||
- name: unifi_vap_num_stations
|
||||
oid: 1.3.6.1.4.1.41112.1.6.1.2.1.8
|
||||
type: gauge
|
||||
help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.8'
|
||||
indexes:
|
||||
- labelname: unifiVapIndex
|
||||
- labelname: unifi_vap_index
|
||||
type: gauge
|
||||
lookups:
|
||||
- labels: [unifi_vap_index]
|
||||
labelname: unifi_vap_essid
|
||||
oid: 1.3.6.1.4.1.41112.1.6.1.2.1.6
|
||||
type: DisplayString
|
||||
- labels: [unifi_vap_index]
|
||||
labelname: unifi_vap_radio
|
||||
oid: 1.3.6.1.4.1.41112.1.6.1.2.1.9
|
||||
type: DisplayString
|
||||
- labels: []
|
||||
labelname: unifi_vap_index
|
||||
# - name: unifiVapNumStations
|
||||
# oid: 1.3.6.1.4.1.41112.1.6.1.2.1.8
|
||||
# type: gauge
|
||||
# help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.8'
|
||||
# indexes:
|
||||
# - labelname: unifiVapIndex
|
||||
# type: gauge
|
||||
- name: unifiVapRadio
|
||||
oid: 1.3.6.1.4.1.41112.1.6.1.2.1.9
|
||||
type: DisplayString
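Review bot: The old `unifiVapNumStations` block is kept as a commented-out copy (`# - name: unifiVapNumStations` through `# type: gauge`) directly under its replacement; git already holds that history, so the dead block should be deleted rather than left to drift out of sync. The rename also leaves the module half-converted — `unifi_vap_num_stations` and `unifi_vap_index` are snake_case while `unifiVapRadio` and the `unifiVapIndex` index a few lines above stay camelCase — and any dashboard or rule keyed on the old metric name will go empty once this is deployed, which deserves a comment at the top of the module or a line in the commit message.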
|
||||
|
@ -295,3 +411,4 @@ ubiquiti_unifi:
|
|||
auth_protocol: SHA
|
||||
priv_protocol: AES
|
||||
priv_password: {{ snmp_unifi_password }}
|
||||
...
|
||||
|
|
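--- a/roles/prometheus_federate/handlers/main.yml
+++ b/roles/prometheus_federate/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart Prometheus
+  service:
+    name: prometheus
+    state: restarted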
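--- a/roles/prometheus_federate/tasks/main.yml
+++ b/roles/prometheus_federate/tasks/main.yml
@@ -0,0 +1,46 @@
+---
+- name: Install Prometheus
+  apt:
+    update_cache: true
+    name:
+      - prometheus
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure Prometheus
+  template:
+    src: prometheus/prometheus.yml.j2
+    dest: /etc/prometheus/prometheus.yml
+    mode: 0644
+  notify: Restart Prometheus
+
+- name: Configure Prometheus alert rules
+  template:
+    src: "prometheus/{{ item }}.j2"
+    dest: "/etc/prometheus/{{ item }}"
+    mode: 0644
+  notify: Restart Prometheus
+  loop:
+    - alert.rules.yml
+
+# We don't need to restart Prometheus when updating nodes
+- name: Configure Prometheus Federate devices
+  copy:
+    content: "{{ [{'targets': prometheus_targets }] | to_nice_json }}"
+    dest: /etc/prometheus/targets.json
+    mode: 0644
+  when: prometheus_targets is defined
+
+- name: Activate prometheus service
+  systemd:
+    name: prometheus
+    enabled: true
+    state: started
+
+- name: Indicate role in motd
+  template:
+    src: update-motd.d/05-service.j2
+    dest: /etc/update-motd.d/05-prometheus
+    mode: 0755
+...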
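Review bot: `Configure Prometheus Federate devices` copies whatever `prometheus_targets` holds straight into `targets.json`, and the matching scrape job's relabel rule builds `__address__` as `$1:9090`, so the entries must be bare host names or IPs with no port — nothing in the role says so. A comment above the task, `# prometheus_targets: federated Prometheus hosts without port; :9090 is appended by the scrape config`, would document that contract. The task also writes the file without a trailing newline, unlike the UPS and docker tasks of the prometheus role, which end their content with `\n`; `content: "{{ [{'targets': prometheus_targets }] | to_nice_json }}\n"` keeps the two roles consistent.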
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
groups:
|
||||
- name: alert.rules
|
||||
rules:
|
||||
- alert: FederateInstanceDown
|
||||
expr: up{job="federate"} == 0
|
||||
for: 3m
|
||||
labels:
|
||||
severity: critical
|
||||
annotations:
|
||||
summary: >-
|
||||
Federate : {{ "{{" }} $labels.instance {{ "}}" }} est invisible
|
||||
depuis plus de 3 minutes !
|
||||
...
|
|
@ -0,0 +1,41 @@
|
|||
---
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
global:
|
||||
external_labels:
|
||||
monitor: '{{ ansible_fqdn }}'
|
||||
|
||||
alerting:
|
||||
alertmanagers:
|
||||
- static_configs:
|
||||
- targets: ['{{ prometheus_alertmanager }}']
|
||||
|
||||
rule_files:
|
||||
- 'alert.rules.yml'
|
||||
|
||||
scrape_configs:
|
||||
- job_name: federate
|
||||
scrape_interval: 30s
|
||||
metrics_path: '/federate'
|
||||
honor_labels: true
|
||||
honor_timestamps: true
|
||||
file_sd_configs:
|
||||
- files:
|
||||
- '/etc/prometheus/targets.json'
|
||||
relabel_configs:
|
||||
- source_labels: [__address__]
|
||||
target_label: __param_target
|
||||
- source_labels: [__param_target]
|
||||
target_label: __address__
|
||||
replacement: '$1:9090'
|
||||
params:
|
||||
match[]:
|
||||
- '{job="servers"}'
|
||||
- '{job="prometheus"}'
|
||||
- '{job="unifi_snmp"}'
|
||||
- '{job="django"}'
|
||||
- '{job="ups_snmp"}'
|
||||
- '{job="django"}'
|
||||
- '{job="docker"}'
|
||||
- '{job="switch_snmp"}'
|
||||
...
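Review bot: The `match[]` list under `params` contains `'{job="django"}'` twice; Prometheus merges the duplicate selector so the effect is only confusion, but one of the two lines should go. The federate job scrapes `/federate` over plain HTTP — no `scheme`, `tls_config` or `basic_auth` — so every metric of every member site crosses the network in cleartext and any host that can reach port 9090 on a member can read them; if those instances are not all on a trusted network, front the endpoint with TLS (`scheme: https` plus `tls_config`) and restrict access to :9090. Also, `monitor: '{{ ansible_fqdn }}'` here versus `federated_instance: '{{ inventory_hostname }}'` in the per-site template are two names for the same idea; with `honor_labels: true` both labels survive, which works, but a single convention would be clearer.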
|
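--- a/roles/prometheus_federate/templates/update-motd.d/05-service.j2
+++ b/roles/prometheus_federate/templates/update-motd.d/05-service.j2
@@ -0,0 +1,4 @@
+#!/bin/sh
+# {{ ansible_managed }}
+echo "> prometheus a été déployé sur cette machine."
+echo " Voir /etc/prometheus/"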
|
@ -106,12 +106,11 @@
|
|||
|
||||
- name: Install radius requirements (except freeradius-python3)
|
||||
shell:
|
||||
cmd: "{{ item }}"
|
||||
cmd: "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
|
||||
chdir: /var/www/re2o/
|
||||
loop:
|
||||
- "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
|
||||
- "pip3 install -r pip_requirements.txt"
|
||||
|
||||
- name: Install PyPi requirements for radius
|
||||
command: "pip3 install -r /var/www/re2o/pip_requirements.txt"
|
||||
|
||||
# End of hideousness (hopefully).
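Review bot: `Install PyPi requirements for radius` runs `command: "pip3 install -r /var/www/re2o/pip_requirements.txt"`, which executes on every play and always reports changed; the `pip` module does this job idempotently, `pip: requirements: /var/www/re2o/pip_requirements.txt` with `executable: pip3`. The `shell` task above keeps the `cat | grep -v | xargs apt-get -y install` pipeline with no `changed_when`, so it too reports a change every run (the project's lint config skips `no-changed-when`, so this will not be caught). Both steps install packages system-wide as root from requirement files in the re2o checkout, so whether those files pin versions is worth confirming. The enclosing task list continues outside the hunk.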
|
||||
|
||||
|
|
|
@ -30,11 +30,19 @@
|
|||
mode: 0644
|
||||
when: "'routeur-aurore' in ansible_hostname"
|
||||
|
||||
- name: Install ipset
|
||||
apt:
|
||||
name: ipset
|
||||
update_cache: true
|
||||
register: apt_result
|
||||
retries: 3
|
||||
until: apt_result is succeeded
|
||||
|
||||
- name: Install aurore-firewall (re2o-service)
|
||||
import_role:
|
||||
name: re2o-service
|
||||
name: re2o_service
|
||||
vars:
|
||||
service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git
|
||||
service_repo: https://gitea.auro.re/Aurore/aurore-firewall.git
|
||||
service_name: aurore-firewall
|
||||
service_version: aurore
|
||||
service_config:
|
||||
|
|
|
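Review bot: `service_version: aurore`, kept next to the new `service_repo: https://gitea.auro.re/Aurore/aurore-firewall.git` line, looks like a branch name rather than a tag or commit, so each run deploys whatever that branch currently holds on the forge into the router's packet-filter service. For a component with that blast radius, pinning to a tag or commit hash (a constructed example: `service_version: "v1.2.3"`) and bumping it deliberately per review is the safer default; if a moving branch is intended, a comment saying so would stop the next reader from "fixing" it. The added `Install ipset` task with `until: apt_result is succeeded` is fine as written. The play's `service_config` block continues outside the hunk.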
@ -31,7 +31,7 @@ role = ['routeur']
|
|||
### Specify each interface role
|
||||
|
||||
interfaces_type = {
|
||||
'routable' : ['ens20', 'ens21'],
|
||||
'routable' : ['ens20', 'ens21', 'ens23'],
|
||||
'sortie' : ['ens19'],
|
||||
'admin' : ['ens18']
|
||||
}
|
||||
|
@ -57,9 +57,53 @@ nat = [
|
|||
},
|
||||
'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',
|
||||
'extra_nat' : {
|
||||
'10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{
|
||||
'ens19': {
|
||||
'10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{
|
||||
apartment_block_id }}',
|
||||
'10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}'
|
||||
'10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}',
|
||||
},
|
||||
}
|
||||
},
|
||||
{
|
||||
'name': 'Accueil',
|
||||
'ip_sources': '10.{{ subnet_ids.users_accueil }}.0.0/16',
|
||||
'extra_nat': {
|
||||
'ens19': {
|
||||
'10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{ apartment_block_id }}',
|
||||
'10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}',
|
||||
},
|
||||
'ens23' : {
|
||||
'10.{{ subnet_ids.users_accueil }}.1.0/24': '10.{{ subnet_ids.users_accueil }}.0.240',
|
||||
'10.{{ subnet_ids.users_accueil }}.2.0/24': '10.{{ subnet_ids.users_accueil }}.0.240',
|
||||
},
|
||||
},
|
||||
'extra_nat_group': {
|
||||
'ens19': 'accueil_ens23_allowed',
|
||||
},
|
||||
},
|
||||
]
|
||||
|
||||
# ATTENTION: on doit avoir retry ≥ grace
|
||||
# ATTENTION: il faut que ip_redirect gère tous les ports
|
||||
# autorisés dans le profile re2o, sinon on laisse sortir
|
||||
# du trafic
|
||||
accueils = [
|
||||
{
|
||||
'iface': 'ens23',
|
||||
'grace_period': 1800,
|
||||
'retry_period': 86400,
|
||||
'ip_sources': [
|
||||
'10.{{ subnet_ids.users_accueil }}.1.0/24',
|
||||
'10.{{ subnet_ids.users_accueil }}.2.0/24',
|
||||
],
|
||||
'ip_redirect': {
|
||||
"tcp": {
|
||||
"10.{{ subnet_ids.users_accueil }}.0.247": ["80", "443"],
|
||||
}
|
||||
},
|
||||
'triggers': [
|
||||
('4', 'tcp', '46.255.53.35', 443), # ComNPay
|
||||
('4', 'tcp', '46.255.53.35', 80),
|
||||
]
|
||||
}
|
||||
]
|
||||
|
|
|
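Review bot: The new `accueils` entry hard-codes the payment provider's address `46.255.53.35` twice in `'triggers'`, with the `# ComNPay` comment on only the first; that address is exactly what the captive-portal exception lets not-yet-authenticated hosts reach, so a change or reassignment on the provider side either breaks payment or keeps an exception open for an address the association no longer intends to trust. Hoisting it into one named value rendered by the template (e.g. a `comnpay_ip` variable) with a comment recording where the address comes from and when it was last checked would make that review routine. The two `# ATTENTION` comments above `accueils` state invariants nothing here verifies: the `86400`/`1800` pair does satisfy `retry ≥ grace`, while whether `ip_redirect` (tcp 80/443 only) covers every port the re2o profile allows depends on configuration outside this file. The `nat` list starts before the hunk.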
@ -41,9 +41,11 @@ nat = [
|
|||
{
|
||||
'name' : 'AdminVlans',
|
||||
'extra_nat' : {
|
||||
'10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}',
|
||||
'10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
|
||||
'10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}'
|
||||
'ens18': {
|
||||
'10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}',
|
||||
'10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
|
||||
'10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
|
||||
},
|
||||
}
|
||||
}
|
||||
]
|
||||
|
|
|
@ -50,6 +50,9 @@ vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 {
|
|||
|
||||
# Wifi
|
||||
10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
|
||||
|
||||
# Accueil
|
||||
10.{{ subnet_ids.users_accueil }}.0.254/16 brd 10.{{ subnet_ids.users_accueil }}.255.255 dev ens23 scope global
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -23,12 +23,14 @@ server:
|
|||
interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
|
||||
interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
|
||||
interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
|
||||
interface: 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix }}
|
||||
|
||||
|
||||
# IPv6
|
||||
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }}
|
||||
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }}
|
||||
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }}
|
||||
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_accueil }}::0:{{ dns_host_suffix }}
|
||||
|
||||
|
||||
# By default, anything other than localhost is refused.
|
||||
|
@ -36,12 +38,11 @@ server:
|
|||
access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
|
||||
access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
|
||||
access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
|
||||
access-control: 10.{{ subnet_ids.users_accueil }}.0.0/16 allow
|
||||
access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :)
|
||||
|
||||
num-threads: {{ ansible_processor_vcpus }}
|
||||
|
||||
private-address: 10.0.0.0/8
|
||||
|
||||
# The host cache TTL affects blacklisting of supposedly bogus hosts.
|
||||
# The default was 900 (15 minutes).
|
||||
infra-host-ttl: 60
|
||||
|
|
|
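Review bot: The IPv4 `access-control` lines, including the new one for `subnet_ids.users_accueil`, each allow a single /16, while the `access-control: {{ ipv6_base_prefix }}::/32 allow` line beside them lets the resolver recurse for any address in the whole v6 allocation, far wider than the subnets the new `interface:` lines bind to (the `# Fuck it... :)` comment suggests this is known). Whether that line is new or carried over is not recoverable from this rendering, but since each v6 listener has the form `{{ ipv6_base_prefix }}:{{ subnet_ids.users_accueil }}::0:{{ dns_host_suffix }}`, a per-subnet allow of the same shape (presumably one /48 per subnet id, e.g. `access-control: {{ ipv6_base_prefix }}:{{ subnet_ids.users_accueil }}::/48 allow`) would keep the v6 policy as narrow as the v4 one. The `server:` block continues outside both hunks.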
@ -10,8 +10,19 @@
|
|||
roles:
|
||||
- passbolt
|
||||
|
||||
# Deploy reverse proxy
|
||||
- hosts: proxy*.adm.auro.re
|
||||
- hosts: reverseproxy
|
||||
vars:
|
||||
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
|
||||
nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
|
||||
reverseproxy: '{{ glob_reverseproxy | default({}) | combine(loc_reverseproxy | default({})) }}'
|
||||
roles:
|
||||
- certbot
|
||||
- nginx_reverseproxy
|
||||
- nginx
|
||||
|
||||
- hosts: nginx,!reverseproxy
|
||||
vars:
|
||||
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
|
||||
nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
|
||||
roles:
|
||||
- certbot
|
||||
- nginx
|
||||
|
|
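Review bot: The `certbot:` and `nginx:` var expressions (`loc_certbot | default(glob_certbot | default([]))` and `glob_nginx | default({}) | combine(loc_nginx | default({}))`) are now repeated verbatim in the `reverseproxy` play and the new `nginx,!reverseproxy` play, so a future change to the merge order has to be made twice and will eventually be made once. If the reverseproxy hosts are also members of the `nginx` group, defining these once in that group's `group_vars` (or as the roles' own defaults) keeps a single source of truth. Whether `nginx_reverseproxy` is added or removed here is not recoverable from this rendering; the playbook continues outside the hunk.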
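--- a/test.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-for ip in `cat hosts|grep pacaterie.adm.auro.re`; do
-ssh-copy-id $ip
-done
-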
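--- /dev/null
+++ b/utils/README.md
@@ -0,0 +1,4 @@
+# Utils
+
+A repository of Ansible Playbooks that are useful, as little script or various
+utilities, but not used in production.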
13
utils/re2o_mail_server.yml
Executable file
13
utils/re2o_mail_server.yml
Executable file
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
# Deploy Re2o mail service
|
||||
- hosts: mail.auro.re
|
||||
vars:
|
||||
service_repo: https://gitea.auro.re/aurore/re2o-mail-server.git
|
||||
service_name: mail-server
|
||||
service_version: aurore
|
||||
service_config:
|
||||
hostname: re2o-test.adm.auro.re # use test instance for now, should be changed for prod!
|
||||
username: service-user
|
||||
password: "{{ vault_serviceuser_passwd }}"
|
||||
roles:
|
||||
- re2o-service
|
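Review bot: `roles:` lists `- re2o-service` with a hyphen, while this same commit renames the role to `re2o_service` (see the `import_role` change in the firewall playbook above), so this new playbook would fail to resolve its role once merged; change the entry to `- re2o_service`. The `hostname: re2o-test.adm.auro.re` line points `mail.auro.re` at a test Re2o instance and hands it the `vault_serviceuser_passwd` credential, as its own comment admits; a trailing `# should be changed for prod!` is easy to lose in a utility directory, so consider taking the hostname from a variable with no default so a run fails loudly until a production value is supplied. The `service_repo` URL uses the lower-case `aurore` organisation whereas the firewall playbook uses `Aurore`; if the forge treats those differently, align them.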
31
utils/reboot_needed_check.yml
Executable file
31
utils/reboot_needed_check.yml
Executable file
|
@ -0,0 +1,31 @@
|
|||
#!/usr/bin/env ansible-playbook
|
||||
---
|
||||
# Check if a reboot is required by the installation of some packages (ie kernel)
|
||||
- hosts: localhost
|
||||
tasks:
|
||||
- name: Make sure local file exist but is empty # weird hack, I know
|
||||
copy:
|
||||
dest: /tmp/ansible_dump_reboot_needed.txt
|
||||
content: ""
|
||||
force: true
|
||||
mode: 0644
|
||||
|
||||
- hosts: all,!unifi,!escalope.adm.auro.re,!loki.adm.auro.re,!viviane.adm.auro.re,!vpn-ovh.adm.auro.re
|
||||
tasks:
|
||||
# Register the output of the file /var/run/reboot-required.pkgs
|
||||
- name: Register if boot is required
|
||||
shell: if [ -e /var/run/reboot-required.pkgs ]; then cat /var/run/reboot-required.pkgs; fi
|
||||
register: result
|
||||
|
||||
- name: DEBUG
|
||||
debug:
|
||||
msg: "{{ ansible_facts['nodename'] }} : {{ result.stdout }}"
|
||||
when: result.stdout is defined
|
||||
|
||||
# Add info line by line
|
||||
- name: Dump all info into the local file
|
||||
delegate_to: localhost
|
||||
lineinfile:
|
||||
path: /tmp/ansible_dump_reboot_needed.txt
|
||||
line: "{{ ansible_facts['nodename'] }} : {{ result.stdout }}"
|
||||
when: result.stdout is defined
|
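Review bot: `when: result.stdout is defined` on the `DEBUG` and `Dump all info into the local file` tasks is always true after a `shell` task (`stdout` is set even when the command prints nothing), so every host is written to the dump with an empty tail and the condition filters nothing; `when: result.stdout | length > 0` expresses the intent. The dump lives at a fixed, predictable path in the shared `/tmp` of the control node, so any other local user there can read the list of hosts awaiting a kernel reboot or pre-create the file; writing under the invoking user's home, or a path from the `tempfile` module, is the safer default, and the same applies to `utils/version_check.yml` below. The `lineinfile` task is delegated to localhost from every host in parallel, so with several forks concurrent edits of one file can drop lines; `throttle: 1` on that task serialises them.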
21
utils/version_check.yml
Executable file
21
utils/version_check.yml
Executable file
|
@ -0,0 +1,21 @@
|
|||
#!/usr/bin/env ansible-playbook
|
||||
---
|
||||
# Check for the distribution
|
||||
- hosts: localhost
|
||||
tasks:
|
||||
- name: Make sure local file exist but is empty # weird hack, I know
|
||||
copy:
|
||||
dest: /tmp/ansible_dump_reboot_needed.txt
|
||||
content: ""
|
||||
force: true
|
||||
mode: 0644
|
||||
|
||||
- hosts: all,!unifi
|
||||
tasks:
|
||||
# Add info line by line
|
||||
- name: Dump all info into the local file
|
||||
delegate_to: localhost
|
||||
lineinfile:
|
||||
path: /tmp/ansible_dump_dist_version.txt
|
||||
line: "[{{ ansible_facts['nodename'] }}] {{ ansible_fqdn }} : {{
|
||||
ansible_distribution }} {{ ansible_distribution_version }}"
|
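Review bot: The first play truncates `/tmp/ansible_dump_reboot_needed.txt`, but the `Dump all info into the local file` task writes to `/tmp/ansible_dump_dist_version.txt`, so the version dump is never emptied between runs while the other playbook's reboot dump is clobbered as a side effect; this looks copied from `reboot_needed_check.yml`, and the fix is `dest: /tmp/ansible_dump_dist_version.txt` in the `copy` task. The header comment `# Check for the distribution` would read better as `# Dump each host's distribution and version into a local file`. As in `reboot_needed_check.yml`, a fixed path in the shared `/tmp` of the control node is readable and pre-creatable by other local users; a location under the invoking user's home would be the safer default.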