Fix: keep the logs for 90 days #36
89 changed files with 2515 additions and 464 deletions
@ -1,7 +1,10 @@
|
||||||
skip_list:
|
skip_list:
|
||||||
- '301'
|
- no-changed-when
|
||||||
|
- load-failure
|
||||||
|
- document-start
|
||||||
|
|
||||||
warn_list:
|
warn_list:
|
||||||
- '305' # Use shell only when shell functionality is required
|
|
||||||
- '503' # Tasks that run when changed should likely be handlers
|
|
||||||
- experimental # all rules tagged as experimental
|
- experimental # all rules tagged as experimental
|
||||||
|
|
||||||
|
exclude_paths:
|
||||||
|
- group_vars/all/vault.yml
|
||||||
|
|
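Review bot: Adding `load-failure` to `skip_list` silences the rule that fires when ansible-lint cannot parse or load a playbook or role at all, so a file that is outright broken would still pass the `check` pipeline; if it was added to get past the encrypted vault file, the `exclude_paths` entry added in the same hunk already covers that and the skip can be dropped. Moving `no-changed-when` from a numbered skip to a named skip also keeps `command`/`shell` tasks without `changed_when` completely unreported — consider putting it under `warn_list` instead (`- no-changed-when  # TODO: fix existing tasks`) so it stays visible without failing the build. A one-line comment on each skipped rule saying why it is skipped would let the next reader tell a deliberate exception from a forgotten one.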
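--- a/.drone.yml
+++ b/.drone.yml
@@ -4,16 +4,9 @@ type: docker
 name: check
 
 steps:
-  - name: yamllint
-    image: python:3.9-alpine
+  - name: ansible and yaml linting
+    pull: never
+    image: aurore-ansible-lint-image
     commands:
-      - pip install yamllint==1.25.0
-      - yamllint -c .yamllint.yml .
-
-  - name: ansible-lint
-    image: python:3.9-alpine
-    commands:
-      - apk add --no-cache gcc libc-dev libffi-dev openssl-dev
-      - pip install ansible-lint==4.3.7
-      - ansible-lint *.yml
+      - ansible-lint
 ...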
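Review bot: The lint step now runs from `image: aurore-ansible-lint-image` with `pull: never`, an untagged image that only exists because someone ran `docker build` by hand on the Drone host, so nothing in this pipeline pins which ansible-lint or yamllint versions actually execute and a stale (or tampered) host image is indistinguishable from a fresh one. The removed steps pinned `yamllint==1.25.0` and `ansible-lint==4.3.7` inline; that traceability is gone. Tag the image at build time and reference the tag here, e.g. `image: aurore-ansible-lint-image:5.0.0`, so a host image that is out of step with the Dockerfile fails loudly instead of silently linting with an older ruleset, and add a comment above the step noting that the image is host-local and who rebuilds it. Note also that yamllint is no longer invoked anywhere in this step (the only command is `ansible-lint`); if the intent is to rely on ansible-lint 5's built-in yaml rule, say so in a comment, otherwise restore `- yamllint -c .yamllint.yml .`.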
@ -1,19 +0,0 @@
|
||||||
---
|
|
||||||
image: python:3.9-alpine
|
|
||||||
|
|
||||||
stages:
|
|
||||||
- lint
|
|
||||||
|
|
||||||
yamllint:
|
|
||||||
stage: lint
|
|
||||||
script:
|
|
||||||
- pip install yamllint==1.25.0
|
|
||||||
- yamllint -c .yamllint.yml .
|
|
||||||
|
|
||||||
ansible-lint:
|
|
||||||
stage: lint
|
|
||||||
script:
|
|
||||||
- apk add gcc libc-dev libffi-dev openssl-dev
|
|
||||||
- pip install ansible-lint==4.3.7
|
|
||||||
- ansible-lint *.yml
|
|
||||||
...
|
|
|
@ -6,6 +6,5 @@ rules:
|
||||||
max: 120
|
max: 120
|
||||||
level: warning
|
level: warning
|
||||||
document-start:
|
document-start:
|
||||||
ignore: |
|
ignore: group_vars/all/vault.yml
|
||||||
/groups_var/all/vault.yml
|
|
||||||
...
|
...
|
||||||
|
|
|
@ -1,3 +1,5 @@
|
||||||
|
[![Linter Status](https://drone.auro.re/api/badges/Aurore/ansible/status.svg)](https://drone.auro.re/Aurore/ansible)
|
||||||
|
|
||||||
# Recettes Ansible d'Aurore
|
# Recettes Ansible d'Aurore
|
||||||
|
|
||||||
Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore.
|
Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore.
|
||||||
|
|
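--- /dev/null
+++ b/bdd.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+# Install and configure bdd servers at Saclay and at OVH
+- hosts: bdd
+  roles:
+    - postgresql_server
+...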
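--- /dev/null
+++ b/deploy_postfix_non_mailhost.yml
@@ -0,0 +1,8 @@
+---
+# Deploy a correclty configured postfix on non mailhost servers
+- hosts: all,!unifi
+  vars:
+    local_network: 10.128.0.0/16
+    relay_host: proxy.adm.auro.re
+  roles:
+    - postfix_non_mailhost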
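Review bot: `local_network: 10.128.0.0/16` is handed to the role with no comment on what it controls; if `postfix_non_mailhost` feeds it into Postfix `mynetworks` (not visible from this hunk, so to be confirmed against the role), every host in that /16 could relay unauthenticated through every `all,!unifi` host, which is a wider trust boundary than a non-mailhost needs. A comment stating the intended use, e.g. `# network allowed to submit mail to the local postfix — keep to the admin range`, plus a one-line reason for the `!unifi` exclusion in the `hosts:` pattern, would make the exposure reviewable rather than implicit. The header comment typo (`correclty`) is worth fixing while here.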
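--- /dev/null
+++ b/docker-ansible-lint/Dockerfile
@@ -0,0 +1,7 @@
+FROM python:3.9-alpine
+LABEL description="Aurore's docker image for ansible-lint"
+
+RUN apk add --no-cache gcc musl-dev python3-dev libffi-dev openssl-dev cargo
+RUN pip install "yamllint>=1.26.0,<2.0"
+RUN pip install "ansible-lint==5.0.0"
+RUN pip install "ansible>=2.10,<2.11"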
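Review bot: The base image and two of the three pip installs are unpinned — `FROM python:3.9-alpine` carries no digest and `yamllint>=1.26.0,<2.0` / `ansible>=2.10,<2.11` are floating ranges — so two builds of this Dockerfile can produce different linter behaviour, and because the CI pulls the image with `pull: never` nothing downstream will notice the drift. Pin the base by digest (`FROM python:3.9-alpine@sha256:…`) and install exact versions from a requirements file with `--require-hashes` so the image is reproducible and the installed tool versions are auditable from the repo. Collapsing the three `RUN pip install` lines into one `RUN pip install --no-cache-dir …` keeps the pip cache out of the image layers. The image is single-stage, runs as root and ships `gcc`/`cargo` in the final layer; that is acceptable for a lint-only image but deserves a comment so it is not reused for anything that touches the vault or inventory secrets.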
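--- /dev/null
+++ b/docker-ansible-lint/README.md
@@ -0,0 +1,18 @@
+# Ansible-lint image
+
+In order to build this image when a new version comes out, you need to
+1. ssh into the `drone.adm.auro.re` server
+2. git pull this repo to the lastest version
+3. optionally make the changes if it has not been done yet
+4. `sudo docker build -t aurore-ansible-lint-image docker-ansible-lint/`
+5. ???
+6. enjoy
+
+You can verify that the image was correclty built by running
+```
+# list the images present
+sudo docker image ls
+
+# run your image with an interactive shell
+sudo docker run -it --rm aurore-ansible-lint-image /bin/sh
+```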
@ -20,6 +20,8 @@ ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}"
|
||||||
postgresql_services_url: 'services-bdd.adm.auro.re'
|
postgresql_services_url: 'services-bdd.adm.auro.re'
|
||||||
postgresql_synapse_passwd: "{{ vault_postgresql_synapse_passwd }}"
|
postgresql_synapse_passwd: "{{ vault_postgresql_synapse_passwd }}"
|
||||||
postgresql_codimd_passwd: "{{ vault_postgresql_codimd_passwd }}"
|
postgresql_codimd_passwd: "{{ vault_postgresql_codimd_passwd }}"
|
||||||
|
postgresql_etherpad_passwd: "{{ vault_postgresql_etherpad_passwd }}"
|
||||||
|
postgresql_kanboard_passwd: "{{ vault_postgresql_kanboard_passwd }}"
|
||||||
|
|
||||||
# Scripts will tell users to go there to manage their account
|
# Scripts will tell users to go there to manage their account
|
||||||
intranet_url: 'https://re2o.auro.re/'
|
intranet_url: 'https://re2o.auro.re/'
|
||||||
|
|
|
@ -1,174 +1,186 @@
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
34336231623938346631313932323131336439623837626366646338396137633436646365386639
|
65623030336636323834313162306633623333666663633162356162313233393137646365363161
|
||||||
6332383765386235396331373836366230663563376665380a616436373136633933376435653230
|
3334363038323835666431626538383433626162373330360a656162303733653437633637663535
|
||||||
64333963663436393265666434653164643164616134353665306462326666623530383838343135
|
62626630663332373761656137633165666531303137303565313236663564623061643631373333
|
||||||
3531343533656332350a343432336636316131386132306238653736633966363235623833343638
|
3164306333653734350a333333653630616462386637613432623039303931393661393563306137
|
||||||
38643061383963396466346536343061653034333037393664356661376565643765306462626231
|
37326564333837306230326637626131666232646564383130623137613939633163313532653836
|
||||||
39326233363962373839303464333833306532343834306232653731326135653934643836323639
|
62393766623065376135343062346362623466336234633239343530366432313336653863346534
|
||||||
36343937626536346331613263663865346634666534646266623061303639626636393230616261
|
34346563666638643136316236626561396534316332623730633936646631623866383631633763
|
||||||
32336366356439353738633234326138656464656630303362623664616634306230623538373965
|
32306236316334626632393736643135306333363135333566353062653866313161653763646336
|
||||||
32346439306337623737616666353830626630373562366436653131393532313035303836326430
|
34636465663639396335353562343936333263616363653535303934646361656135383938626134
|
||||||
64613235646366616533313065396663366434363832333535336631323366336437396664303834
|
34376335303564623436643735363262346334316465366435373435343338373666383635393666
|
||||||
30336466313064636565326564356435306136396363373464326534303366323262303732626661
|
36643032613636643138373432393739626230326437386366386132636535313137313765616464
|
||||||
38326663313332633530353739346538343434316133343066313530366637376135323564306537
|
31623461373166613237356362663939323633653565623830303334353834363561373832623163
|
||||||
65626261303231656432333364333965663065346436626631666466643934623064333163626339
|
35316137633630633736383265333666636436326433653134313038626132633537316162376539
|
||||||
32633565303734303862326365336339346133393431636266303530626564326361653230626536
|
37323338333235333836326161396236666661636464373163333934376662636639356432366565
|
||||||
32313231373037633134623761663832393666353732613965613436323939343233613433343538
|
63363266633266643332663934356564323466646666656530336662353336346333366639613130
|
||||||
37326438383130303861316663396333376662386337353964633930353536653437653061356635
|
33633039343666633536616237386265313863323537353466363432303632323265656265323166
|
||||||
35646232343535313130646237643835376162623639333961323964353830653366626438346237
|
33313135333932363934386432663863383836333862333162333935313562626430353663636335
|
||||||
36343663346332656537363434396633336161373730663364306239306432343930643230656465
|
34653231343964376531306366313264363930613432343864396130653666636332366239636236
|
||||||
37633537616232656661313764626232303535383563353861396431643735326162383866626231
|
33343431353737323534396235613931666262626430303637626236393134386136366164306138
|
||||||
61383165613332666537656137636430323332326335323763303537386662646263353539613964
|
64396238363030616465303634366339353731363461383432353434373735336363656266316336
|
||||||
37323966306364306436653033393931663239383435613836356164633135306233356364313036
|
66313064653233653965646630313632336536643530363562613039313439366437353663363265
|
||||||
39356661613434633930633066646437636535313565356366303732613731333062643231313035
|
30386238363562326263303164366436653334316164646633356666366631653636303835303738
|
||||||
65333461396131663764626665393562623030343561313136363964393664376136303839333664
|
39366163613434623861376138363134616662343231306536396531366433313963383234373764
|
||||||
65313465623331333538393734373264313562643232666130303930333662616465656432363039
|
64326664343736663264626432643664326563383633353364383963353733343864373766666534
|
||||||
66616530336666343861336434633063343561323931323931346132376263376565313366306639
|
34393638613864333265313732333632373565303537316463623337326363383539336566646664
|
||||||
64646465303432333136353661323936633965666364356633653861363139616562653834313861
|
66363764323261323330346338336133346136623431616333373235313565643164613432613861
|
||||||
63306133613066373462383236613939316130623937643939323134343936356638376335323836
|
61346137356133343063636562336633646537373666323763626430633439323632326635383562
|
||||||
39383334656236633037633230313138326238303863623231353465346661663162623138353461
|
36373461623931613162663466333065336237656265366437663035663831616363383066623731
|
||||||
33343738613137366364633730346261366564646161373837613865393233663431636361663962
|
62326462313238373631386362393737323731643865623763333833316637323533656562663536
|
||||||
38313230363737306265636435353533666262333666383639343364633464396566333433333538
|
30326465323164356436326463386137336439326231623534326164323530303239363161643762
|
||||||
39643934646537653234336361613664333434623739353831316531313666396638333136343638
|
61313261333265366631656631326366313464336264626163653363333565353137313863646631
|
||||||
33653034366362363562633462303165626333306664326366353334363964663936616430643662
|
62636534346534336136643164383766323631353837326561616436633139653531356533303432
|
||||||
30616334326638323133366632663237356238353934323361376237613632396134663536336364
|
32616434653237376664353134363464613231366136323330646439623132306464623138393162
|
||||||
39363439326335363437373939353564646663616464663763353931323233316135656634343137
|
34613931633736633532346634303535366430323164313764653832336464303337626634313861
|
||||||
34396130386134386331643534353461663963323435656337653032376565313635623231343135
|
37333863316666353935363663613531643039613534393539343762363732383362333639356435
|
||||||
34303130316239303065386134663332393938636332363665643832326439653733633231346537
|
61303663363438383733636663346362373033383130636431386636616366666537393937396633
|
||||||
63383634333034323434376237663932613638363835393837613632663265616363303233653539
|
33653836343865326433316233306661653831613239376561393834653032633462306238373730
|
||||||
61333765313463616665613136303533343230303735626437343635303934613365326166333966
|
61336266333364616533633433383663363564373334313934633132626238303036326339313932
|
||||||
66613538393466666630363333643730653239393435616634303430396635383631613439623433
|
37323435663537376563343336666262343065316436346663623432333064326136316630633763
|
||||||
36646431393865666162373232343335356366366633633264326639643434396234313863333163
|
65343538313163346539346336643237663431623861653433616639333130643162366539633238
|
||||||
63396534623931633833656565396635333133376165613031663831633564663061656131303564
|
61306335346366363935373438353765333238323037343033626132323730326437656163353765
|
||||||
61303132666264636139313738643161313134643733633366376538366135663135333333333564
|
39343863363366343764613533346537363661353234646364663037623030306334653264386630
|
||||||
64366262353837363061653663616265393264373230346330636465336439623063636639356136
|
36653030316134656236373336616435363337643637623539633865333963363137363433383338
|
||||||
65383638643961326661396336373163643832366561363764626461623662333436373136616437
|
62636330626631393438326365396331656361646263343863326635393666383638636337343339
|
||||||
30316537653432356133616338353165633462643634323563306366343965326635363863316232
|
64313462623564326462636131313163353036393938393634376436306163663863653462663431
|
||||||
61633135643861333635383464383937306236626632366235363433313335663431366531356337
|
66363334353039303266333430316239646533653337383164303837396130333366353465643965
|
||||||
37303465323638383930336138356665343966336137356137656564303733373565366162343330
|
35383939633336386537626662316263383331336565643237396334643737313232306464363638
|
||||||
38326366653733376138356339313564616165626235356363343430353239616339656239323964
|
34393131656232323865333739666639346335646336376666643065353538653530323338356639
|
||||||
31643734653263653461333135386261646265323134633334376262323330396634643764323635
|
64623965326161386430323337326433343334363435316237626666363161353362383361326438
|
||||||
30336262323035613338333166353364333836623865393132613338393237363734616330366463
|
35336431653033333261396632393966653463366637636539663165356532616331633837343435
|
||||||
64646163303337323531636532383438356237306337656439663565643032633462316366663164
|
66356536313037623139613966356139363737656437356238636433366635313137623639366230
|
||||||
33613039326337353531303831313136653539353261373930613030383134653261363833653439
|
36373837383462623966343535383434633932656133326565353063343530363066343365323462
|
||||||
31343662623035393238646263633066653362323434306137633339393330376462356139333362
|
32333666373263353063346535343639623230613733363832323636313830636234326436613438
|
||||||
35363436356530363134663064653031376561343732346262383333353733363136396262643135
|
30363765356637626134353763663938376134653539336436336336303834633533616664376535
|
||||||
31326566303535343833326562376464643632363434323839366366626134303830323563633237
|
32613061363262303839313062666261363032363364366662333364653532373163653434366261
|
||||||
37313964353033316163303738636632346137353437333463303135323631383132623133663130
|
39336233313232393331303732333735346434656436353466313932656239306631383237626565
|
||||||
32373163393861366137303138363134653534613236636439623731393837306130626638343134
|
63313166326538663732363438393263643533636536333665663038383739383334366136646564
|
||||||
39313532386338343662333134353761653162663665396664366239633536613132313735373334
|
33383936393463323235623038393138386164656164623439393734656336343835313135393165
|
||||||
37613161383633653861376433633632333163653439633938386137313632396137616337373465
|
37616232633036383237643730313061323563643163633662393334353133343730656630643762
|
||||||
65383238396439666537313833663364333731613434333739393161363437306665363834653761
|
39333937303931666161613037313837343836643330356538343264633761343432373161393061
|
||||||
34303464386633633163353636643964393233383232623765373239376633393139326630653765
|
63393933383238356235613663343362656466353330383333393636386438306161623434343836
|
||||||
62646439646534376234323661383063656463313437323231333165626163626262626562376338
|
35313030383235663461306539663666393234306332306536653862616138656135393131343462
|
||||||
62646362346261313738323830613037663035666361386139666432613230346334323063326239
|
61633735303134326639663061643935373533336430306538363365623063663536376234356363
|
||||||
65303065343061613736343663363630336333623439383032313137616131623933323636306331
|
65653432636430333330303131633263386265386662656131353833393138643732356336376335
|
||||||
34636130626338303039356137353532346562363531623936316162336663306437386532363236
|
31393438393734336465396633306565343139626135386432343061623232363337326664366632
|
||||||
36333661316161613237343032623764396435346632363963643438316430666539393566353939
|
36613434616662373431613238326464396437363935646437306665313936323732396165633266
|
||||||
33333234313839636537366465356364303438313830663261373563346538626432313139303030
|
33343166333665373937656338333930343338373061633639393463316538373630626561333761
|
||||||
33333066626463663663643833323764643737386162663766356665643064313263376434353038
|
63323336643133323962613435303134613230343033666336646132303462323037383139656166
|
||||||
37643630643737663566653562353261333734636262626437393239383063613661643166626630
|
31323038653738666463323164366662363138663833393637313437633861353462663935616632
|
||||||
31313564346239396561326162333534376264616435313762623032636432363832383630343964
|
65653939353435653337353966373135333036653061333438353136616434643563393465323735
|
||||||
30343663643935633465393465626131633931623930653962303830333065363435383237653566
|
65373230373036353466356338343835363035653031363864316232613232323365353932313061
|
||||||
65646632376330306437663334313932653230653562356338663366616463303466366263366137
|
62626432303334646365616330626261633066306661303537353264653235643632386466336236
|
||||||
64633934626339633235386630396561376130373763313137386531356637633863393035306634
|
30316261666461616337363562323865636234356638653661336261373761383365386639303638
|
||||||
65353432323235363135633832373032623837376333346131303162303464616234313062316563
|
38663763313931323266373162303136323433656466393330646462643438336236613530363636
|
||||||
64646634633963663032613533636665333335656539323238623362306363313835626632306236
|
35353763373463376531323536613563643865346334646164326561663962393034643438326437
|
||||||
30663637356463363530316434316639326639633539333335633330333834643035353932313638
|
30306437343331346233383036656663613038623137363962626462613762653262633035623539
|
||||||
64356565653065666131373538356462306633343161376537323762313666373235353236313963
|
31613932313237343263373333313434386562623465663365306433333635366339616333393430
|
||||||
65613561633266306632616538616461626532666435663038646138386430376164663766363138
|
63626466333934336130313038626136626466323563323630373965303435626664633138333838
|
||||||
35316262393065653739323035666531333330326235386133383834383865356635666537333533
|
37643538353138303332653435343139383265363933646134636236656131643932353932303135
|
||||||
31376138353231313262646334386566376264323066373934666363313431643738383064666437
|
65353438656431613335653838656462333731316665303063623464316462633961656464313933
|
||||||
36656437313039656666373530346534393735353163646635663839326366643333393665626464
|
36366161623661393865346162383966323531396432646432383663326231373162373462633539
|
||||||
36616637303631653661373433653865323634363065303433386534363064356564636465366265
|
31303138626662326637376536303532393636326530366362336437633639306436366531313636
|
||||||
31333064383233636538393032376234663663353162343530376631356533653231303730396465
|
31613332656466343832316632313161336135663661333739646136313137386634633066316535
|
||||||
33366162376464633633313664303939306330613865663431653037303061633130626635653638
|
66613334303139353463613866323431613037333239353839623165356233653361613063646335
|
||||||
66626264363333376463386666313663333964333137333231303361616533393236373861656534
|
33386263616164303631653162633330633136666635376635623437656263306466623462366563
|
||||||
32326335306566623332396638383133353434363565316432353963353062313662326361336537
|
61636334616134376230343265623336373863303463623833663761333039333335626665613661
|
||||||
34396632656234333263663831326566353434316234613365316132363730643665373761666562
|
62626133316338303333613863373663623166323438656566653936616532343065383232323437
|
||||||
31393565653663653731633333633730326265376135666162656132623238333765333363653130
|
38353731643561663461336561313637656563333230353963366632396637333033303365626562
|
||||||
61353632313532616266363139336162336565356365316531336364623930636430353831623233
|
65373463653735313732353165643530336232396562653030623037303463326565643465363764
|
||||||
61616131313438306633333066613764313161333934316139633738623164623564646365663566
|
38316663356535373432656563336538633765393031663339666638366138346564366162303436
|
||||||
66356464376133363137313036623930373362306166623838373131313330393837396261656561
|
66363164633432326632306561643662663265666465373537383335303432616138613939366133
|
||||||
66396233313530643164353264656563383632363139333262626532376562613630643437666266
|
39396430386437353163323935366265306339326563343530366161333330376535313737396537
|
||||||
66656335656634613138316138643666623430363833663035616138336461303035633731636262
|
39353330323938326662303863323738626535643465656438376339643437653639666133633663
|
||||||
36393939333765346239666433323032323361343934656463396365333366623337316663396263
|
39303464326237653933616238663839313730343731383132613062613736376232646366346365
|
||||||
36616431626633663963636135643833666234613830366434636532373031343263316436306162
|
37653136393335396338346536393865316134343365623338623761303661343637336332316535
|
||||||
39356365376561643665323866656465313434623138326238353662653735613565623264333336
|
31633133356263336534643230383034383164396630343131396533313864333963316433366130
|
||||||
61393763363862613766653064636130323732663466366133666361636339356464313037353462
|
38653461303736343861333161343832363934386230393662616463386534336264626363386562
|
||||||
63633936653235656538383433393065393162643034393538666433616131343462346235393164
|
62633832316664323032353835663266653534393733343166303763333434323633616233656131
|
||||||
39353663373338626665663563663162633430343330373430376336326432346233663365376533
|
37333266356337656532386336373563353634656265313061363063356637353366636236653333
|
||||||
32656465343538643137326366653232343530363834383831386634366262303333636261353863
|
31643535373762353663613035316464323033303438623635336637636265363363393961396435
|
||||||
32633437343432653936643766363338636535613532323362656435613363393238626466303861
|
33646438366139323230623235666630663863633961393036376463386538313633626163323365
|
||||||
38633861333638613466306338613932353964393365356637306261626535323732316362623731
|
36633266646330623463336434363934376438326465303938316432643035373236626437663766
|
||||||
33313963623439613939333639346461663338373334396165636231666266613065323731373964
|
36303737386132383261663764386333343532626334633961373666376232633739663164323132
|
||||||
64313133383435333935376531313432663766633133633863356563663535333263636237386136
|
61323230316266333837363537316165376261363738363762373231356533666332376333663239
|
||||||
61653963633166383135333436646465383536373039383538326366636634313061613730653962
|
30646161666434363236633432616163323530643766363533653733346436303461643235343038
|
||||||
37623962643866396637336231363038373465393637356463656566666661313130313863383233
|
65663738633032643334303737666565666137616437613662363062636664326235663737613863
|
||||||
37343636346535363832626365396262303862393535336565393635663637323730373564336634
|
37653164653437356136623563653238366236613964663337336132326232653762643363623664
|
||||||
37363036323733306535336366373630356531353737303165376530656433626634343365626239
|
66656166346230643930653232323234653266393730323735636164303230623766393630393262
|
||||||
64346136363030663862313431653761666432393933366665346361626361623039326434633835
|
63333661396231323430343462656339653466363562303830643233636164303162376631383733
|
||||||
32666538653037613361343536383634643762356234366433663639653461303933306434333864
|
38346231623835333762656135663366616566313963323732663037323338326231613465343462
|
||||||
37386436393465323139306161333738383265323436376536656264356230303163326134323864
|
65616432626432333538396336353965353636636339336239653536613865643265353939656333
|
||||||
63396331666431666464656161633466333764653631623131646566303366333030653834333335
|
66663933343664366163323730336337356634656436326661336636313363663165336161396333
|
||||||
31323365353239366232643863386365633861376235643034303563613363663661616564363663
|
31626163303863653332613733663666383234303164346564646531366261323262636263353036
|
||||||
63326562613365653539383336383339646164623864323830653434623365393432666466323134
|
64666135336264343636396466396564303665623965346163373337376331396233396561613765
|
||||||
33626330373361393734656632393232363866613863373135636537613934343065306265623964
|
32636331376665396132313839653232306535613737653936366438323962333235336530396338
|
||||||
34643765636165393336356630353663343065333431656164363638646233663762346536343362
|
63633737633630646164376361363631623862643363363066376364653965313837373462393832
|
||||||
65653364343537383336373933313464663464653465383830363631316336303464313731356230
|
66336138366132626536323766393832386261396436336537316661383633613065393032636530
|
||||||
34336130323766386465373162346535396565346630353734303937396130656132376331326563
|
63323866643266666637363633616535613032653930663734636663363865336565663864356234
|
||||||
36386339383338346533646331666262396432336434646333653664326635386238333763626637
|
34626262663363376436346463393164646534386135303065623462623861353133656437323861
|
||||||
31363464306465666339316436323265623437636533643431363161323139653065323534636533
|
33623938366635343930633264303530323164396661393338303163386539353938373237633436
|
||||||
64386334353439373133313937343234373963353331646233346432646430636530663336316134
|
35663762353762313935313832383338663430363865343537663530613761303239356563363533
|
||||||
66303337313034396232643531643262343036313762633165353665653938313665386363353865
|
37306162663831663464316464303136396539343030303631613964313165396531303665653761
|
||||||
66333166303636626565613136653365313763303263313239333033353638616566656134396131
|
61383061653364383962663138356366373039366139613536633936633739343133376337613038
|
||||||
38356434343931303134303362313363343634613361353538636634336332373132356165326163
|
62393730636433613037383665303430663666363663646564343935313063386135323963623965
|
||||||
30386130326239366532363962316435663862393836326439623862366166376234343439306465
|
35643734656336623961363432363362393132613432303239393761353136636265613334373634
|
||||||
36346639623939353232366333643963646336383833386565643435393734653936313638663930
|
34396335663037383661663832373937653639633531653064303732656332643962643866306337
|
||||||
32323065343737663564333961373034393261613862333431663562353964666561643831316432
|
34303232623963623562613162623562366539393464663966366464643639343432663338616331
|
||||||
35313832356639333937333266306166656538643065386639346337306134613536356137316331
|
30323461396138663334396265313134646263613033353833656465633537356261366261393261
|
||||||
38376434666332366531393639303561663934353130333161636530383932653236313530616531
|
39303764633636376438656435633737366464343630653735313630386539623462653133396161
|
||||||
61656664626663373164343863333039356362343034326131376666623264663732303734366363
|
36353235343635386636646361623465323135323239613161346563343263646235326232353863
|
||||||
30306430353732616131346637626332656434393163313661356465393263393235396662623962
|
62646434333866653830316166656439643464393337306132376433633439376131366664383464
|
||||||
62643538623331646265643561623366383937313136383939366164613235666234663137653432
|
36393635343265333530653166306263383236656136313136376436393531653334323564663236
|
||||||
34316138643139336331356663333632656539653632626136613431393736613630353237356164
|
30653235343233636334626330363031373433396565663439333033623062313261643632306164
|
||||||
33623632643335663163656236633134343464353837346237316162346634633336663564656531
|
66616338633261356136313334313365356234316262313439623563383330356233363438313833
|
||||||
39373730346130363963376463326238366235613539613466653139306237343164336462353236
|
63313131316461333438363939626636346463366665393433653036663931643537613162393561
|
||||||
39323361636333353661633863663162633563343937366461346338363061623730633537626562
|
34626662303462343239313265653838313634323230656130373163313863313162383736363835
|
||||||
30353938383664333861366431343033313961376436363065373430353736343563313531386663
|
39663337353638613836636263373136623266373732373665353164376534623732313532306366
|
||||||
37313534303564333237616331396437376436383833373936376664666366373235613533663239
|
31353930343062653532386237616433373437663239636230386133393766376238353064656366
|
||||||
64653863613531356666646233393533646131333961343730663461346235633961306263343831
|
61666637646433333366313661353438313337643861333932313662636462346463643664356165
|
||||||
64386332653330323937643266373437633465363933653833343930616134626566363339366362
|
62373338313237353936636138666539643166626631646163653262343365326637626133353361
|
||||||
36356163333730656233653431326430326566386264343330666131393166323537623137396237
|
33663961373334376137393036383833356361383539653362343866386438633366353439323832
|
||||||
65386234653231666631366533383762643830333261363532666138386263643662633932626335
|
38663461313431636562613435303237363163323936323530393966663361326365623564633865
|
||||||
66303363613035643931393933303035323566373634663037313338616132373162366334373962
|
66356433626637376238653865303236646433316164666366303131336331616562323865643566
|
||||||
33666463613435396331326565353433336361303562326562663035313639333232333430373266
|
36643664363363323566353730303339666262663434393863376234656136643865653135383861
|
||||||
65383235356132353838636565636436356361653831356430663935613766613237366564316566
|
61396366383939656130616661396263396331666137666662323932303032623162396633346335
|
||||||
37396130393363386566306162346466326165353863636633306335383265306139396339383866
|
65326362353933663437356235656530343833313136313662643236626661653332613539393638
|
||||||
34326335323962633032386162623033353036643437313832323166363764653339343638343964
|
62656232326238313333623263333366366533313335336330643666383033333038336164316135
|
||||||
66626662326234306362656162336538353131366337643761643930306163333661653062663832
|
61346335633139303163326433353633616562363866396234636138386638356235343035363436
|
||||||
61303963623433313565633235306132366663336662616232613339366363373934613631623431
|
35633737336262383264383065343234373534663564316133643738306638393539353136356630
|
||||||
34323736383366333032343364373533363761323338346163323836653235653136646162306166
|
63613238663066666336626262343933346433393438356565646565613566386566336138386661
|
||||||
65333734623663346233343961396566313838653036396430396134393839326535363237363638
|
30373162333837656131653238393533646663323730626538316437363865626335626635666437
|
||||||
38333232333863396334366561303136333863356666656335633630616531363766343535616533
|
34366663636366303438373032343235333634666637666336313061663239316663613861646133
|
||||||
35656166303837653365303436623431613931336331356531666665346562613263363666626238
|
30383639666362346634303437383035306661623735643139643062653836366631336261643137
|
||||||
62626236323863383366643162356462306163653032626130333863656337623136646439316337
|
36393135633338646238653763613935366566363032343730313666656539353866643564336661
|
||||||
33306432663134383038646133346131333732633932383239643733643138303434646565663266
|
61643261393134303362303666393465643933363962653734646664643033386263346566316332
|
||||||
34616265383733343963323538656138656331396438616133393063356638633965323363653066
|
36633166356665666161616530356439653832323064633662656138356435386434336431396664
|
||||||
65353837333363613762333839313631373137363064383830353565333832356162323862393030
|
34373737643936316133343364353165653130376434646639633866336536373534396235633035
|
||||||
35373038613133643466636537626437393837633865363566343565626633376262373766613738
|
33333734343835323565323863316364613132656665356639623364376538613539626137353564
|
||||||
39343334336238363131373762646564653839623531323066356430326263376534373664363331
|
66343833653435383465376332363533326661373333303435303562396366616231306463396562
|
||||||
64373735383933303638303661333964333464306338613363326261623438336530636262373766
|
65353966613832386235646539643033653335376131333333646237393431363163643630353135
|
||||||
35346339643939666162386232666236326131366366303432393838326239313730323431376231
|
35666264626564623732346565613662303938643034326130646332663530383136333865386266
|
||||||
39363032616666393431326533643865643937363937356431623763363037373333653266376561
|
31313633613739633865363736646138353937306438646532363033383539613534666437663961
|
||||||
63323462363063343234373534663063353865363037383932386231313338343239653131633561
|
61313632613433353437306233626463373335366564653661643038373338303937316366316332
|
||||||
34623439396232633265616438623562666333303932396366663330326565363736633461333463
|
64386132326633306336653134333038316639363538653735383266366239663861333830656438
|
||||||
66346537323061306662323062393061353565393165363532306439343262343632616465363364
|
34393734363665656337626461376234306632623937353863333531313231616365316431303732
|
||||||
30376331346430313536313963333136663833323064633631653935326366633862336163316538
|
32323436663736396439396361663965653632333066373764353561303030666134383836393537
|
||||||
33383434336666303434363236396662366664393637656462363331356631613332353766636663
|
65323038373363316537323533646566396431326634336564306562636232316563613734366339
|
||||||
62323264336235306532343065323834313730353237616463373766303439663533336366363565
|
37326465623137303436346430333263373437656632373039303338626130333834663564633535
|
||||||
35646461636263646633343634323735383235376330616334373937646165623639363663353361
|
39353865376134383637633866356536393766376132396666656235396363656635633630656165
|
||||||
65613034353736633332663333616564356265323731613537393430633137333337643663323137
|
38303439626438623166326331373036386263393331366266356539333533323864613932643335
|
||||||
31623732663331653935316337306433333633353565343265666333363864346562363961333439
|
36303537636131386231613062383163346664643261323263393264343862386562313931616261
|
||||||
30656136636661396335623566386362333861616663393738626632633537613564636261383138
|
34666533613831343764663630623139616634636531393861306337636239346131323437396337
|
||||||
3233
|
61633064663938613135666334396330363463636166653966653333326235343563633834666634
|
||||||
|
38353937646265363964626661343565306331646363303038666264613833653962663237353538
|
||||||
|
64393465363061653837343131373566336139643632323461323635343535313164383766343233
|
||||||
|
61393136636536366433333766303263663839383064323430366666646163663663316138663532
|
||||||
|
66363061626363396561353435386266653832313430633337346234333430393338353632383335
|
||||||
|
64323765636634303632663135306533366232333665383333383936653033373332333331656261
|
||||||
|
37326164666235323538633963616562633938626131346266366531333133333832393966326637
|
||||||
|
62376661383562633834353631393933626237316431366237613634356666343031623566666330
|
||||||
|
61623137336433383139633233356263643237393966613366326632303865353866643332316662
|
||||||
|
35343239643933313031656534336165666161393566636435663039653438643832636232386566
|
||||||
|
34326266353631333731636433333639316638643162653234346365353762353333316138303861
|
||||||
|
36353932656264336165363532313366636536386661663934363761653362623362346431336530
|
||||||
|
63663064656539343361383963663366626566306431353238633832353335383535
|
||||||
|
|
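--- a/group_vars/certbot.yml
+++ b/group_vars/certbot.yml
@@ -0,0 +1,8 @@
+---
+glob_certbot:
+- dns_rfc2136_server: '10.128.0.30'
+dns_rfc2136_name: certbot_challenge.
+dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+mail: tech.aurore@lists.crans.org
+certname: auro.re
+domains: "*.auro.re"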
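Review bot: `domains: "*.auro.re"` under `certname: auro.re` covers subdomains only — a wildcard does not match the apex `auro.re` itself, so any host that relies on this group default while serving `auro.re` gets a name mismatch; the proxy host_vars override it with `"auro.re, *.auro.re"`, which is the form that covers both. The secret behind `dns_rfc2136_secret` is a DNS-update credential that now lives on every host in the `certbot` group, so on the DNS server side it is worth confirming that the `certbot_challenge.` TSIG key is limited by an `update-policy` to `_acme-challenge` TXT records, keeping a compromised web host from rewriting other records in the zone. A one-line comment above `dns_rfc2136_name` recording that assumption would help the next maintainer, e.g. `# TSIG key; keep it restricted server-side to _acme-challenge TXT updates`.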
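--- a/group_vars/nginx.yml
+++ b/group_vars/nginx.yml
@@ -0,0 +1,32 @@
+---
+glob_nginx:
+contact: tech.aurore@lists.crans.org
+who: "L'équipe technique d'Aurore"
+service_name: service
+ssl:
+# Add adm.auro.re if necessary
+- name: auro.re
+cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+servers:
+- ssl: false # Replace by auro.re or adm.auro.re
+default: true
+server_name:
+- "default"
+- "_"
+root: "/var/www/html"
+locations:
+- filter: "/"
+params: []
+additional_params: []
+upstreams: []
+
+auth_passwd: []
+default_server:
+default_ssl_server:
+default_ssl_domain: auro.re
+real_ip_from:
+- "10.128.0.0/16"
+- "2a09:6840:128::/64"
+deploy_robots_file: false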
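Review bot: `default_server:` and `default_ssl_server:` are bare keys, which YAML loads as `null`; if the nginx template only tests them for truthiness this works, but an explicit `default_server: null` (or `""`) states the intent and satisfies yamllint's `empty-values` rule. `real_ip_from` trusts the whole `10.128.0.0/16` and `2a09:6840:128::/64` ranges for client-address rewriting, so any host on the admin network can present an arbitrary client address to these servers and to whatever logging or rate-limiting relies on it; if the template turns this list into `set_real_ip_from`, narrowing it to the actual proxy addresses is safer — the header it reads is not visible here, so this is a presumption. `ssl: false` together with `default: true` also makes the catch-all vhost plain HTTP, which is presumably intentional given the `# Replace by auro.re or adm.auro.re` comment.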
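--- a/group_vars/reverseproxy.yml
+++ b/group_vars/reverseproxy.yml
@@ -0,0 +1,11 @@
+loc_nginx:
+servers: []
+
+glob_reverseproxy:
+redirect_dnames:
+- aurores.net
+- fede-aurore.net
+
+reverseproxy_sites: []
+
+redirect_sites: []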
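Review bot: This file has no `---` document-start marker while the sibling `group_vars/certbot.yml` and `group_vars/nginx.yml` added in the same commit begin with one; ansible-lint's `document-start` check was moved to the skip list in this commit, so nothing will flag the inconsistency. Adding `---` as the first line keeps the three group_vars files in one style. The remaining keys only set empty lists and the redirect-domain list, which looks fine.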
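--- a/host_vars/bdd-ovh.adm.auro.re.yml
+++ b/host_vars/bdd-ovh.adm.auro.re.yml
@@ -0,0 +1,50 @@
+---
+postgresql:
+version: 13
+
+postgresql_hosts:
+- database: etherpad
+user: etherpad
+net: 10.128.0.150/32
+method: md5
+- database: codimd
+user: codimd
+net: 10.128.0.150/32
+method: md5
+- database: synapse
+user: synapse
+net: 10.128.0.56/32
+method: md5
+- database: kanboard
+user: kanboard
+net: 10.128.0.150/32
+method: md5
+
+postgresql_databases:
+- synapse
+- codimd
+- etherpad
+- kanboard
+
+postgresql_users:
+- name: synapse
+database: synapse
+password: "{{ postgresql_synapse_passwd }}"
+privs:
+- ALL
+- name: codimd
+database: codimd
+password: "{{ postgresql_codimd_passwd }}"
+privs:
+- ALL
+- name: etherpad
+database: etherpad
+password: "{{ postgresql_etherpad_passwd }}"
+privs:
+- ALL
+- name: kanboard
+database: kanboard
+password: "{{ postgresql_kanboard_passwd }}"
+privs:
+- ALL
+...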
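Review bot: Every `postgresql_hosts` entry uses `method: md5`, which on a `version: 13` server is the legacy password scheme; PostgreSQL 10 and later accept `method: scram-sha-256` in pg_hba, which avoids a reusable MD5 hash on the wire and in `pg_authid`. Switching means setting `password_encryption = scram-sha-256` on the server before the `postgresql_users` passwords are (re)set, and confirming that each client (etherpad, codimd, synapse, kanboard) uses a driver with SCRAM support — presumably they do, but that is not visible here. A comment on `method:` recording why md5 is kept, if it is, would save the next reviewer the same question.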
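--- a/host_vars/bdd.adm.auro.re
+++ b/host_vars/bdd.adm.auro.re
@@ -0,0 +1,8 @@
+postgresql:
+version: 11
+hosts: # dbname, username, CIDR ip addr, auth method
+- [ "nextcloud", "nextcloud", "10.128.0.58", "md5" ]
+- [ "gitea", "gitea", "10.128.0.60", "md5" ]
+- [ "drone", "drone", "10.128.0.64", "md5" ]
+- [ "wikijs", "wikijs", "10.128.0.66", "md5" ]
+- [ "vote", "vote", "10.128.0.81", "md5" ]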
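Review bot: This host describes its access rules as flow-style 4-tuples under `postgresql.hosts` (`- [ "nextcloud", "nextcloud", "10.128.0.58", "md5" ]`), while `host_vars/bdd-ovh.adm.auro.re.yml` in the same commit uses a `postgresql_hosts` list of `database`/`user`/`net`/`method` mappings; both hosts sit in the new `[bdd]` inventory group, so presumably only one of the two schemas is what the role consumes — worth confirming, since the role is not visible here. The comment says `CIDR ip addr`, but the addresses carry no `/32` suffix; pg_hba.conf needs either CIDR notation or a separate netmask column, so unless the template appends a mask these lines would be rejected at server reload. The file also lacks the `.yml` extension and the `---` marker the other host_vars use; Ansible loads extensionless host_vars, but aligning the name lets yamllint and editors find it.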
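--- a/host_vars/portail.adm.auro.re.yml
+++ b/host_vars/portail.adm.auro.re.yml
@@ -0,0 +1,105 @@
+---
+loc_nginx:
+service_name: captive_portal
+default_server: '$server_addr'
+default_ssl_server: '$server_addr'
+
+servers:
+- server_name:
+- "10.13.0.247"
+locations:
+- filter: "/"
+params:
+- "return 302 https://portail-fleming.auro.re/portail/"
+
+- ssl: auro.re
+server_name:
+- portail-fleming.auro.re
+locations:
+- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+params:
+- "proxy_pass http://10.128.0.20"
+- "include /etc/nginx/snippets/options-proxypass.conf"
+- filter: "/"
+params:
+- "return 302 https://portail-fleming.auro.re/portail/"
+
+- ssl: auro.re
+server_name:
+- 10.23.0.247
+locations:
+- filter: "/"
+params:
+- "return 302 https://portail-pacaterie.auro.re/portail/"
+
+- ssl: auro.re
+server_name:
+- portail-pacaterie.auro.re
+locations:
+- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+params:
+- "proxy_pass http://10.128.0.20"
+- "include /etc/nginx/snippets/options-proxypass.conf"
+- filter: "/"
+params:
+- "return 302 https://portail-pacaterie.auro.re/portail/"
+
+- ssl: auro.re
+server_name:
+- "10.33.0.247"
+locations:
+- filter: "/"
+params:
+- "return 302 https://portail-rives.auro.re/portail/"
+
+- ssl: auro.re
+server_name:
+- portail-rives.auro.re
+locations:
+- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+params:
+- "proxy_pass http://10.128.0.20"
+- "include /etc/nginx/snippets/options-proxypass.conf"
+- filter: "/"
+params:
+- "return 302 https://portail-rives.auro.re/portail/"
+
+- ssl: auro.re
+server_name:
+- "10.43.0.247"
+locations:
+- filter: "/"
+params:
+- "return 302 https://portail-edc.auro.re/portail/"
+
+- ssl: auro.re
+server_name:
+- portail-edc.auro.re
+locations:
+- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+params:
+- "proxy_pass http://10.128.0.20"
+- "include /etc/nginx/snippets/options-proxypass.conf"
+- filter: "/"
+params:
+- "return 302 https://portail-edc.auro.re/portail/"
+
+- ssl: auro.re
+server_name:
+- "10.53.0.247"
+locations:
+- filter: "/"
+params:
+- "return 302 https://portail-gs.auro.re/portail/"
+
+- ssl: auro.re
+server_name:
+- portail-gs.auro.re
+locations:
+- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+params:
+- "proxy_pass http://10.128.0.20"
+- "include /etc/nginx/snippets/options-proxypass.conf"
+- filter: "/"
+params:
+- "return 302 https://portail-gs.auro.re/portail/"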
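Review bot: The regex location `filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"` spells `potail`, so a request for `/portail/` never matches it and falls through to `filter: "/"`, whose only rule is `return 302 https://portail-fleming.auro.re/portail/` — the named vhost redirects that URL to itself instead of proxying it to `10.128.0.20`, which looks like a redirect loop. If `portail` is the intended prefix, the one-word fix `filter: "~ /(portail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"` applies to all five copies (fleming, pacaterie, rives, edc, gs). Separately, the pacaterie address `- 10.23.0.247` is the only one left unquoted while the others are written `"10.13.0.247"`-style; it parses as a string either way, but quoting it keeps the file consistent.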
|
@ -1,39 +1,13 @@
|
||||||
---
|
---
|
||||||
certbot:
|
loc_certbot:
|
||||||
domains:
|
- dns_rfc2136_server: '10.128.0.30'
|
||||||
- auro.re
|
dns_rfc2136_name: certbot_challenge.
|
||||||
- chat.auro.re # cname to riot.auro.re
|
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
|
||||||
- codimd.auro.re
|
mail: tech.aurore@lists.crans.org
|
||||||
- element.auro.re # cname to riot.auro.re
|
certname: auro.re
|
||||||
- ehterpad.auro.re # cname to pad.auro.re
|
domains: "auro.re, *.auro.re"
|
||||||
- grafana.auro.re
|
|
||||||
- hedgedoc.auro.re # cname to codimd.auro.re
|
|
||||||
- pad.auro.re
|
|
||||||
- passbolt.auro.re
|
|
||||||
- paste.auro.re # cname to privatebin.auro.re
|
|
||||||
- phabricator.auro.re
|
|
||||||
- privatebin.auro.re
|
|
||||||
- riot.auro.re
|
|
||||||
- sharelatex.auro.re
|
|
||||||
- status.auro.re
|
|
||||||
- wiki.auro.re
|
|
||||||
- www.auro.re
|
|
||||||
- zero.auro.re # cname to privatebin.auro.re
|
|
||||||
mail: tech.aurore@lists.crans.org
|
|
||||||
certname: auro.re
|
|
||||||
|
|
||||||
nginx:
|
|
||||||
ssl:
|
|
||||||
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
|
|
||||||
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
|
|
||||||
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
|
|
||||||
|
|
||||||
redirect_dnames:
|
|
||||||
- aurores.net
|
|
||||||
- fede-aurore.net
|
|
||||||
|
|
||||||
redirect_tcp: {}
|
|
||||||
|
|
||||||
|
loc_reverseproxy:
|
||||||
redirect_sites:
|
redirect_sites:
|
||||||
- from: www.auro.re
|
- from: www.auro.re
|
||||||
to: auro.re
|
to: auro.re
|
||||||
|
|
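Review bot: `loc_certbot` repeats `dns_rfc2136_server`, `dns_rfc2136_name`, `dns_rfc2136_secret`, `mail` and `certname: auro.re` verbatim from `glob_certbot` in `group_vars/certbot.yml`, differing only in `domains: "auro.re, *.auro.re"`. The certbot tasks loop over `{{ certbot }}`; if the role builds that list by concatenating the group and host lists (not visible here), both items carry `certname: auro.re`, so `rfc2136.auro.re.ini` and `conf.d/auro.re.ini` are written twice and `certbot certonly` runs twice, and whichever item comes last decides whether the apex is in the SAN list. Worth confirming how `certbot` is assembled, or documenting it with a comment such as `# overrides glob_certbot: the apex auro.re must be in the SAN list on this host`. The apex is needed here because `redirect_sites` sends `www.auro.re` to `auro.re`, which a bare `*.auro.re` wildcard would not cover.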
|
@ -1,31 +1,31 @@
|
||||||
---
|
---
|
||||||
certbot:
|
loc_certbot:
|
||||||
domains:
|
- dns_rfc2136_server: '10.128.0.30'
|
||||||
- bbb.auro.re
|
dns_rfc2136_name: certbot_adm_challenge.
|
||||||
- drone.auro.re
|
dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
|
||||||
- gitea.auro.re
|
mail: tech.aurore@lists.crans.org
|
||||||
- intranet.auro.re
|
certname: adm.auro.re
|
||||||
- litl.auro.re
|
domains: "*.adm.auro.re"
|
||||||
- nextcloud.auro.re
|
- dns_rfc2136_server: '10.128.0.30'
|
||||||
- re2o.auro.re
|
dns_rfc2136_name: certbot_challenge.
|
||||||
- vote.auro.re
|
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
|
||||||
- re2o-server.auro.re
|
mail: tech.aurore@lists.crans.org
|
||||||
- re2o-test.auro.re
|
certname: auro.re
|
||||||
- wikijs.auro.re
|
domains: "*.auro.re"
|
||||||
|
|
||||||
mail: tech.aurore@lists.crans.org
|
loc_nginx:
|
||||||
certname: auro.re
|
servers: []
|
||||||
|
|
||||||
nginx:
|
|
||||||
ssl:
|
ssl:
|
||||||
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
|
- name: adm.auro.re
|
||||||
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
|
cert: /etc/letsencrypt/live/adm.auro.re/fullchain.pem
|
||||||
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
|
cert_key: /etc/letsencrypt/live/adm.auro.re/privkey.pem
|
||||||
|
trusted_cert: /etc/letsencrypt/live/adm.auro.re/chain.pem
|
||||||
redirect_dnames:
|
- name: auro.re
|
||||||
- aurores.net
|
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
|
||||||
- fede-aurore.net
|
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
|
||||||
|
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
|
||||||
|
|
||||||
|
loc_reverseproxy:
|
||||||
redirect_tcp:
|
redirect_tcp:
|
||||||
- name: Gitea
|
- name: Gitea
|
||||||
port: 2222
|
port: 2222
|
||||||
|
@ -33,7 +33,7 @@ nginx:
|
||||||
|
|
||||||
redirect_sites:
|
redirect_sites:
|
||||||
- from: 45.66.111.61
|
- from: 45.66.111.61
|
||||||
to: auro.re
|
to: intranet.auro.re
|
||||||
|
|
||||||
reverseproxy_sites:
|
reverseproxy_sites:
|
||||||
- from: re2o.auro.re
|
- from: re2o.auro.re
|
||||||
|
@ -49,6 +49,9 @@ nginx:
|
||||||
|
|
||||||
- from: gitea.auro.re
|
- from: gitea.auro.re
|
||||||
to: "10.128.0.60:3000"
|
to: "10.128.0.60:3000"
|
||||||
|
- from: git.adm.auro.re
|
||||||
|
to: "10.128.0.60:3000"
|
||||||
|
ssl: adm.auro.re
|
||||||
|
|
||||||
- from: drone.auro.re
|
- from: drone.auro.re
|
||||||
to: "10.128.0.64:8000"
|
to: "10.128.0.64:8000"
|
||||||
|
|
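Review bot: The second `loc_certbot` item (`certname: auro.re`, `domains: "*.auro.re"`) and the second `loc_nginx.ssl` entry (`- name: auro.re` with the three `/etc/letsencrypt/live/auro.re/` paths) duplicate what `group_vars/certbot.yml` and `group_vars/nginx.yml` already provide for the whole `certbot` and `nginx` groups; if the role merges group and host lists, the `auro.re` certificate is issued twice and its config written twice on this host, and if the host list replaces the group list the duplication is required but undocumented — a short comment stating which applies would settle it. Issuing `*.adm.auro.re` through Let's Encrypt also publishes that wildcard in Certificate Transparency logs, presumably an accepted trade-off for a trusted certificate on `git.adm.auro.re`. The `loc_reverseproxy` mapping continues in the later `redirect_sites` and `reverseproxy_sites` hunks, which are only partly shown.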
44
hosts
44
hosts
|
@ -29,13 +29,19 @@ stream.adm.auro.re
|
||||||
re2o-server.adm.auro.re
|
re2o-server.adm.auro.re
|
||||||
re2o-ldap.adm.auro.re
|
re2o-ldap.adm.auro.re
|
||||||
re2o-db.adm.auro.re
|
re2o-db.adm.auro.re
|
||||||
pendragon.adm.auro.re
|
#services-bdd-local.adm.auro.re
|
||||||
services-bdd-local.adm.auro.re
|
|
||||||
backup.adm.auro.re
|
backup.adm.auro.re
|
||||||
services-web.adm.auro.re
|
services-web.adm.auro.re
|
||||||
mail.adm.auro.re
|
mail.adm.auro.re
|
||||||
wikijs.adm.auro.re
|
wikijs.adm.auro.re
|
||||||
|
prometheus-aurore.adm.auro.re
|
||||||
|
portail.adm.auro.re
|
||||||
|
jitsi-aurore.adm.auro.re
|
||||||
|
bdd.adm.auro.re
|
||||||
|
bdd-ovh.adm.auro.re
|
||||||
|
|
||||||
|
[aurore_testing_vm]
|
||||||
|
pendragon.adm.auro.re
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# OVH
|
# OVH
|
||||||
|
@ -45,7 +51,7 @@ horus.adm.auro.re
|
||||||
|
|
||||||
[ovh_container]
|
[ovh_container]
|
||||||
synapse.adm.auro.re
|
synapse.adm.auro.re
|
||||||
services-bdd.adm.auro.re
|
#services-bdd.adm.auro.re
|
||||||
phabricator.adm.auro.re
|
phabricator.adm.auro.re
|
||||||
wiki.adm.auro.re
|
wiki.adm.auro.re
|
||||||
www.adm.auro.re
|
www.adm.auro.re
|
||||||
|
@ -59,6 +65,8 @@ vpn-ovh.adm.auro.re
|
||||||
docker-ovh.adm.auro.re
|
docker-ovh.adm.auro.re
|
||||||
switchs-manager.adm.auro.re
|
switchs-manager.adm.auro.re
|
||||||
ldap-replica-ovh.adm.auro.re
|
ldap-replica-ovh.adm.auro.re
|
||||||
|
prometheus-ovh.adm.auro.re
|
||||||
|
prometheus-federate.adm.auro.re
|
||||||
|
|
||||||
[ovh_testing_vm]
|
[ovh_testing_vm]
|
||||||
#re2o-test.adm.auro.re
|
#re2o-test.adm.auro.re
|
||||||
|
@ -263,6 +271,7 @@ ep-1-3.borne.auro.re
|
||||||
ep-1-2.borne.auro.re
|
ep-1-2.borne.auro.re
|
||||||
ep-0-1.borne.auro.re
|
ep-0-1.borne.auro.re
|
||||||
eo-2-1.borne.auro.re
|
eo-2-1.borne.auro.re
|
||||||
|
ee-2-1.borne.auro.re
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# George Sand
|
# George Sand
|
||||||
|
@ -337,6 +346,7 @@ gf-5-1.borne.auro.re
|
||||||
# Les Rives
|
# Les Rives
|
||||||
[rives_pve]
|
[rives_pve]
|
||||||
thor.adm.auro.re
|
thor.adm.auro.re
|
||||||
|
loki.adm.auro.re
|
||||||
|
|
||||||
[rives_vm]
|
[rives_vm]
|
||||||
dhcp-rives-backup.adm.auro.re
|
dhcp-rives-backup.adm.auro.re
|
||||||
|
@ -345,6 +355,7 @@ dns-rives-backup.adm.auro.re
|
||||||
radius-rives-backup.adm.auro.re
|
radius-rives-backup.adm.auro.re
|
||||||
routeur-rives-backup.adm.auro.re
|
routeur-rives-backup.adm.auro.re
|
||||||
ldap-replica-rives.adm.auro.re
|
ldap-replica-rives.adm.auro.re
|
||||||
|
prometheus-rives.adm.auro.re
|
||||||
|
|
||||||
[rives_unifi]
|
[rives_unifi]
|
||||||
r3-4-4.borne.auro.re
|
r3-4-4.borne.auro.re
|
||||||
|
@ -396,29 +407,31 @@ ovh_vm
|
||||||
[fleming:children]
|
[fleming:children]
|
||||||
fleming_pve
|
fleming_pve
|
||||||
fleming_vm
|
fleming_vm
|
||||||
#fleming_unifi
|
fleming_unifi
|
||||||
|
|
||||||
# everything at pacaterie
|
# everything at pacaterie
|
||||||
[pacaterie:children]
|
[pacaterie:children]
|
||||||
pacaterie_pve
|
pacaterie_pve
|
||||||
pacaterie_vm
|
pacaterie_vm
|
||||||
#pacaterie_unifi
|
pacaterie_unifi
|
||||||
|
|
||||||
# everything at edc
|
# everything at edc
|
||||||
[edc:children]
|
[edc:children]
|
||||||
edc_pve
|
edc_pve
|
||||||
edc_vm
|
edc_vm
|
||||||
|
edc_unifi
|
||||||
|
|
||||||
# everything at georgesand
|
# everything at georgesand
|
||||||
[gs:children]
|
[gs:children]
|
||||||
gs_pve
|
gs_pve
|
||||||
gs_vm
|
gs_vm
|
||||||
|
gs_unifi
|
||||||
|
|
||||||
# everything at Les Rives
|
# everything at Les Rives
|
||||||
[rives:children]
|
[rives:children]
|
||||||
rives_pve
|
rives_pve
|
||||||
rives_vm
|
rives_vm
|
||||||
|
rives_unifi
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Groups by type
|
# Groups by type
|
||||||
|
@ -482,3 +495,22 @@ ldap-replica-ovh.adm.auro.re
|
||||||
[ldap_replica_rives]
|
[ldap_replica_rives]
|
||||||
ldap-replica-rives.adm.auro.re
|
ldap-replica-rives.adm.auro.re
|
||||||
|
|
||||||
|
[certbot]
|
||||||
|
portail.adm.auro.re
|
||||||
|
|
||||||
|
[certbot:children]
|
||||||
|
reverseproxy
|
||||||
|
|
||||||
|
[nginx]
|
||||||
|
portail.adm.auro.re
|
||||||
|
|
||||||
|
[nginx:children]
|
||||||
|
reverseproxy
|
||||||
|
|
||||||
|
[reverseproxy]
|
||||||
|
proxy-ovh.adm.auro.re
|
||||||
|
proxy.adm.auro.re
|
||||||
|
|
||||||
|
[bdd]
|
||||||
|
bdd.adm.auro.re
|
||||||
|
bdd-ovh.adm.auro.re
|
||||||
|
|
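Review bot: `[certbot]` and `[nginx]` each list `portail.adm.auro.re` directly and `reverseproxy` as a child, so the same membership is maintained twice; since every certbot host here is also an nginx host, `[certbot:children]` could simply name `nginx`, which keeps the two from drifting apart when the next host is added. In the `[aurore_vm]` hunk `services-bdd-local.adm.auro.re` is commented out and `pendragon.adm.auro.re` moves to a new `[aurore_testing_vm]` group, and `services-bdd.adm.auro.re` is commented out under `[ovh_container]`; a comment beside each commented host saying why it is retired (or deleting the line, since git keeps history) keeps the inventory readable. Note that the `prometheus_node` play in this commit excludes `aurore_testing_vm`, so `pendragon.adm.auro.re` drops out of node monitoring with this move.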
|
@ -1,6 +1,6 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
#!/usr/bin/env ansible-playbook
|
||||||
---
|
---
|
||||||
- hosts: prometheus-fleming.adm.auro.re,prometheus-fleming-fo.adm.auro.re
|
- hosts: prometheus-fleming.adm.auro.re
|
||||||
vars:
|
vars:
|
||||||
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
|
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
|
||||||
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
||||||
|
@ -14,7 +14,7 @@
|
||||||
roles:
|
roles:
|
||||||
- prometheus
|
- prometheus
|
||||||
|
|
||||||
- hosts: prometheus-pacaterie.adm.auro.re,prometheus-pacaterie-fo.adm.auro.re
|
- hosts: prometheus-pacaterie.adm.auro.re
|
||||||
vars:
|
vars:
|
||||||
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
|
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
|
||||||
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
||||||
|
@ -25,6 +25,8 @@
|
||||||
{{ groups['pacaterie_pve'] + groups['pacaterie_vm'] | list | sort }}
|
{{ groups['pacaterie_pve'] + groups['pacaterie_vm'] | list | sort }}
|
||||||
prometheus_unifi_snmp_targets:
|
prometheus_unifi_snmp_targets:
|
||||||
- targets: "{{ groups['pacaterie_unifi'] | list | sort }}"
|
- targets: "{{ groups['pacaterie_unifi'] | list | sort }}"
|
||||||
|
prometheus_ups_snmp_targets:
|
||||||
|
- ups-pn-1.ups.auro.re
|
||||||
roles:
|
roles:
|
||||||
- prometheus
|
- prometheus
|
||||||
|
|
||||||
|
@ -34,6 +36,9 @@
|
||||||
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
||||||
|
|
||||||
# Prometheus targets.json
|
# Prometheus targets.json
|
||||||
|
prometheus_ups_snmp_targets:
|
||||||
|
- ups-ec-1.ups.auro.re
|
||||||
|
|
||||||
prometheus_targets:
|
prometheus_targets:
|
||||||
- targets: |
|
- targets: |
|
||||||
{{ groups['edc_pve'] + groups['edc_vm'] | list | sort }}
|
{{ groups['edc_pve'] + groups['edc_vm'] | list | sort }}
|
||||||
|
@ -53,10 +58,78 @@
|
||||||
{{ groups['gs_pve'] + groups['gs_vm'] | list | sort }}
|
{{ groups['gs_pve'] + groups['gs_vm'] | list | sort }}
|
||||||
prometheus_unifi_snmp_targets:
|
prometheus_unifi_snmp_targets:
|
||||||
- targets: "{{ groups['gs_unifi'] | list | sort }}"
|
- targets: "{{ groups['gs_unifi'] | list | sort }}"
|
||||||
|
prometheus_ups_snmp_targets:
|
||||||
|
- ups-gk-1.ups.auro.re
|
||||||
roles:
|
roles:
|
||||||
- prometheus
|
- prometheus
|
||||||
|
|
||||||
|
- hosts: prometheus-rives.adm.auro.re
|
||||||
|
vars:
|
||||||
|
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
|
||||||
|
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
||||||
|
|
||||||
|
# Prometheus targets.json
|
||||||
|
prometheus_ups_snmp_targets:
|
||||||
|
- ups-r3-1.ups.auro.re
|
||||||
|
|
||||||
|
prometheus_targets:
|
||||||
|
- targets: |
|
||||||
|
{{ groups['rives_pve'] + groups['rives_vm'] | list | sort }}
|
||||||
|
prometheus_unifi_snmp_targets:
|
||||||
|
- targets: "{{ groups['rives_unifi'] | list | sort }}"
|
||||||
|
roles:
|
||||||
|
- prometheus
|
||||||
|
|
||||||
|
- hosts: prometheus-aurore.adm.auro.re
|
||||||
|
vars:
|
||||||
|
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
|
||||||
|
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
||||||
|
snmp_switch_community: "{{ vault_snmp_switch_community }}"
|
||||||
|
|
||||||
|
# Prometheus targets.json
|
||||||
|
prometheus_targets:
|
||||||
|
- targets: |
|
||||||
|
{{ groups['aurore_pve'] + groups['aurore_vm'] | list | sort }}
|
||||||
|
prometheus_switch_snmp_targets:
|
||||||
|
- targets:
|
||||||
|
- yggdrasil.switch.auro.re
|
||||||
|
roles:
|
||||||
|
- prometheus
|
||||||
|
|
||||||
|
- hosts: prometheus-ovh.adm.auro.re
|
||||||
|
vars:
|
||||||
|
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
|
||||||
|
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
||||||
|
|
||||||
|
# Prometheus targets.json
|
||||||
|
prometheus_targets:
|
||||||
|
- targets: |
|
||||||
|
{{ groups['ovh_pve'] + groups['ovh_vm'] | list | sort }}
|
||||||
|
prometheus_docker_targets:
|
||||||
|
- docker-ovh.adm.auro.re:8087
|
||||||
|
roles:
|
||||||
|
- prometheus
|
||||||
|
|
||||||
|
|
||||||
|
- hosts: prometheus-federate.adm.auro.re
|
||||||
|
vars:
|
||||||
|
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
|
||||||
|
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
||||||
|
|
||||||
|
# Prometheus targets.json
|
||||||
|
prometheus_targets:
|
||||||
|
- prometheus-edc.adm.auro.re
|
||||||
|
- prometheus-gs.adm.auro.re
|
||||||
|
- prometheus-fleming.adm.auro.re
|
||||||
|
- prometheus-pacaterie.adm.auro.re
|
||||||
|
- prometheus-rives.adm.auro.re
|
||||||
|
- prometheus-aurore.adm.auro.re
|
||||||
|
- prometheus-ovh.adm.auro.re
|
||||||
|
roles:
|
||||||
|
- prometheus_federate
|
||||||
|
|
||||||
|
|
||||||
# Monitor all hosts
|
# Monitor all hosts
|
||||||
- hosts: all,!unifi,!ovh
|
- hosts: all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,!aurore_testing_vm,!ovh_container
|
||||||
roles:
|
roles:
|
||||||
- prometheus_node
|
- prometheus_node
|
||||||
|
|
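Review bot: `- hosts: all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,!aurore_testing_vm,!ovh_container` enumerates every per-site unifi group by hand; the old `!unifi` form only needs a `[unifi:children]` group in `hosts` naming those five, which prevents a new site's access points from being scraped with `prometheus_node` when someone forgets to extend this line. The old pattern also excluded `ovh` entirely while the new one excludes only `ovh_container`, so `ovh_pve`/`ovh_vm` hosts now receive the node exporter — presumably intended, since `prometheus-ovh.adm.auro.re` now scrapes `{{ groups['ovh_pve'] + groups['ovh_vm'] | list | sort }}`, but worth a line in the commit message. `prometheus_ups_snmp_targets` is a plain list of hostnames whereas `prometheus_unifi_snmp_targets` and `prometheus_switch_snmp_targets` are lists of `targets:` mappings; if the role's targets template expects one shape, a comment on the differing one would help.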
|
@ -43,7 +43,7 @@
|
||||||
# username: service-user
|
# username: service-user
|
||||||
# password: "{{ vault_serviceuser_passwd }}"
|
# password: "{{ vault_serviceuser_passwd }}"
|
||||||
# roles:
|
# roles:
|
||||||
# - re2o-service
|
# - re2o_service
|
||||||
|
|
||||||
|
|
||||||
# Deploy Unifi Controller
|
# Deploy Unifi Controller
|
||||||
|
@ -62,4 +62,4 @@
|
||||||
# username: service-user
|
# username: service-user
|
||||||
# password: "{{ vault_serviceuser_passwd }}"
|
# password: "{{ vault_serviceuser_passwd }}"
|
||||||
# roles:
|
# roles:
|
||||||
# - re2o-service
|
# - re2o_service
|
||||||
|
|
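--- a/roles/baseconfig/tasks/apt-unattended.yml
+++ b/roles/baseconfig/tasks/apt-unattended.yml
@@ -0,0 +1,21 @@
+---
+- name: Install unattended-upgrades
+when: ansible_os_family == "Debian"
+apt:
+name: unattended-upgrades
+state: present
+update_cache: true
+register: apt_result
+retries: 3
+until: apt_result is succeeded
+
+- name: Configure unattended-upgrades
+template:
+src: "apt/{{ item }}.j2"
+dest: "/etc/apt/apt.conf.d/{{ item }}"
+owner: root
+mode: u=rw,g=r,o=r
+loop:
+- 50unattended-upgrades
+- 20auto-upgrades
+...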
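Review bot: The `Configure unattended-upgrades` task has no `when: ansible_os_family == "Debian"` guard, unlike the `Install unattended-upgrades` task above it, so on a non-Debian host the package install is skipped but the two files under `/etc/apt/apt.conf.d/` are still written; adding the same `when:` to the second task (or wrapping both in a `block:`) keeps them consistent. The `template` sets `owner: root` and `mode: u=rw,g=r,o=r` but not `group: root`, so the group is whatever the connecting user's default group is; `group: root` completes the triple. The loop renders templates from `apt/`, presumably `roles/baseconfig/templates/apt/`, matching the two `.j2` files added in this commit.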
|
@ -9,8 +9,6 @@
|
||||||
- aptitude # nice to have for Ansible
|
- aptitude # nice to have for Ansible
|
||||||
- bash-completion # because bash
|
- bash-completion # because bash
|
||||||
- curl # better than wget
|
- curl # better than wget
|
||||||
- emacs-nox # for maman
|
|
||||||
- fish # to motivate @edpibu
|
|
||||||
- git # code versioning
|
- git # code versioning
|
||||||
- htop # better than top
|
- htop # better than top
|
||||||
- iotop # monitor i/o
|
- iotop # monitor i/o
|
||||||
|
@ -18,14 +16,14 @@
|
||||||
- lsb-release
|
- lsb-release
|
||||||
- molly-guard # prevent reboot
|
- molly-guard # prevent reboot
|
||||||
- nano # for vulcain
|
- nano # for vulcain
|
||||||
- net-tools
|
|
||||||
- ntp # network time sync
|
- ntp # network time sync
|
||||||
- oidentd # postgresql identification
|
|
||||||
- screen # Vulcain asked for this
|
- screen # Vulcain asked for this
|
||||||
- sudo
|
- sudo
|
||||||
|
- tmux # For shirenn
|
||||||
- tree # create a graphical tree of files
|
- tree # create a graphical tree of files
|
||||||
- vim # better than nano
|
- vim # better than nano
|
||||||
- zsh # to be able to ssh @erdnaxe
|
- zsh # to be able to ssh @erdnaxe
|
||||||
|
- dnsutils # dig
|
||||||
update_cache: true
|
update_cache: true
|
||||||
register: apt_result
|
register: apt_result
|
||||||
retries: 3
|
retries: 3
|
||||||
|
@ -74,6 +72,9 @@
|
||||||
# APT-List Changes : send email with changelog
|
# APT-List Changes : send email with changelog
|
||||||
- include_tasks: apt-listchanges.yml
|
- include_tasks: apt-listchanges.yml
|
||||||
|
|
||||||
|
# APT Unattended upgrades
|
||||||
|
- include_tasks: apt-unattended.yml
|
||||||
|
|
||||||
# User skeleton
|
# User skeleton
|
||||||
- name: Configure user skeleton
|
- name: Configure user skeleton
|
||||||
copy:
|
copy:
|
||||||
|
|
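Review bot: `- dnsutils # dig` is appended after `- zsh`, breaking the alphabetical order the rest of the package list keeps (`aptitude` … `vim`, `zsh`); placing it between `curl` and `git` keeps the list scannable and makes duplicates obvious later. `oidentd # postgresql identification` is dropped here while both new `[bdd]` host_vars use `method: md5`, so nothing should depend on ident authentication any more — if a pg_hba rule elsewhere still uses `ident`, that connection path would stop working without an error from this play. The enclosing `apt:` task starts above this hunk, outside the visible lines.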
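--- a/roles/baseconfig/templates/apt/20auto-upgrades.j2
+++ b/roles/baseconfig/templates/apt/20auto-upgrades.j2
@@ -0,0 +1,4 @@
+// {{ ansible_managed }}
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";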
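--- a/roles/baseconfig/templates/apt/50unattended-upgrades.j2
+++ b/roles/baseconfig/templates/apt/50unattended-upgrades.j2
@@ -0,0 +1,22 @@
+// {{ ansible_managed }}
+
+Unattended-Upgrade::Origins-Pattern {
+"origin=Debian,codename=${distro_codename},label=Debian-Security";
+};
+
+Unattended-Upgrade::Package-Blacklist {};
+
+Unattended-Upgrade::MinimalSteps "true";
+Unattended-Upgrade::InstallOnShutdown "false";
+
+Unattended-Upgrade::Mail "{{ monitoring_mail }}";
+// Unattended-Upgrade::MailOnlyOnError "false";
+
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "false";
+Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+Unattended-Upgrade::Automatic-Reboot "false";
+
+Unattended-Upgrade::SyslogEnable "true";
+Unattended-Upgrade::SyslogFacility "daemon";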
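Review bot: `Unattended-Upgrade::Mail "{{ monitoring_mail }}";` fails to render on any host where `monitoring_mail` is undefined, and the variable is not set in any file visible in this commit; either give it a default in the template (`{{ monitoring_mail | default('tech.aurore@lists.crans.org') }}`, the contact used elsewhere in the repo) or make sure it is defined for every host the baseconfig role runs on. Restricting `Origins-Pattern` to `label=Debian-Security` is a sensible scope, but with `Remove-Unused-Kernel-Packages "false"` each kernel security update leaves its predecessor installed, so `/boot` fills over time on small VMs, and with `Automatic-Reboot "false"` the patched kernel is not running until someone reboots — a comment stating that reboots are handled manually, and how the admins learn one is pending, would document the intent. `// Unattended-Upgrade::MailOnlyOnError "false";` being commented out means a mail after every upgrade run, presumably the desired audit trail.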
|
@ -1,8 +0,0 @@
|
||||||
---
|
|
||||||
- name: Reload nginx
|
|
||||||
service:
|
|
||||||
name: nginx
|
|
||||||
state: reloaded
|
|
||||||
|
|
||||||
- name: Generate certificates
|
|
||||||
command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
|
|
|
@ -1,13 +1,28 @@
|
||||||
---
|
---
|
||||||
- name: Install certbot and nginx plugin
|
- name: Install certbot and RFC2136 plugin
|
||||||
apt:
|
apt:
|
||||||
update_cache: true
|
update_cache: true
|
||||||
name:
|
name:
|
||||||
- certbot
|
- certbot
|
||||||
- python3-certbot-nginx
|
- python3-certbot-dns-rfc2136
|
||||||
register: pkg_result
|
state: present
|
||||||
|
register: apt_result
|
||||||
retries: 3
|
retries: 3
|
||||||
until: pkg_result is succeeded
|
until: apt_result is succeeded
|
||||||
|
|
||||||
|
- name: Add DNS credentials
|
||||||
|
template:
|
||||||
|
src: letsencrypt/rfc2136.ini.j2
|
||||||
|
dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
|
||||||
|
mode: 0600
|
||||||
|
owner: root
|
||||||
|
loop: "{{ certbot }}"
|
||||||
|
|
||||||
|
- name: Add dhparam
|
||||||
|
template:
|
||||||
|
src: "letsencrypt/dhparam.j2"
|
||||||
|
dest: "/etc/letsencrypt/dhparam"
|
||||||
|
mode: 0600
|
||||||
|
|
||||||
- name: Create /etc/letsencrypt/conf.d
|
- name: Create /etc/letsencrypt/conf.d
|
||||||
file:
|
file:
|
||||||
|
@ -18,8 +33,19 @@
|
||||||
- name: Add Certbot configuration
|
- name: Add Certbot configuration
|
||||||
template:
|
template:
|
||||||
src: "letsencrypt/conf.d/certname.ini.j2"
|
src: "letsencrypt/conf.d/certname.ini.j2"
|
||||||
dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
|
dest: "/etc/letsencrypt/conf.d/{{ item.certname }}.ini"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
notify:
|
loop: "{{ certbot }}"
|
||||||
- Generate certificates
|
|
||||||
- Reload nginx
|
- name: Run certbot
|
||||||
|
command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
|
||||||
|
loop: "{{ certbot }}"
|
||||||
|
|
||||||
|
- name: Clean old files
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: absent
|
||||||
|
loop:
|
||||||
|
- "/etc/letsencrypt/options-ssl-nginx.conf"
|
||||||
|
- "/etc/letsencrypt/ssl-dhparams.pem"
|
||||||
|
- "/etc/letsencrypt/rfc2136.ini"
|
||||||
|
|
|
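Review bot: The `Add DNS credentials`, `Add Certbot configuration` and `Run certbot` tasks all `loop: "{{ certbot }}"`, and each item carries `dns_rfc2136_secret` (the TSIG key rendered into rfc2136.ini.j2), so Ansible echoes the whole item — key included — in the play output and in any CI capture of it on every iteration; add `loop_control: label: "{{ item.certname }}"` to each of those loops (or `no_log: true` on the credentials task) so only the cert name is printed. `Add dhparam` sets `mode: 0600` but no `owner`/`group`, unlike the credentials task just above it, so `owner: root` and `group: root` should be added for parity; note also that the only dhparam.j2 visible in this commit lives under roles/nginx/templates, so confirm the certbot role has its own copy or `src: "letsencrypt/dhparam.j2"` will not resolve. `Run certbot` has no `changed_when` or `creates`, so it runs and reports changed on every play, relying on certbot keeping a certificate that is not yet due; registering the result and setting `changed_when: "'Certificate not yet due for renewal' not in certbot_result.stdout"` would make the task honest. The removed handler also reloaded nginx after issuance; nothing in the new tasks notifies a reload or passes `--deploy-hook`, so if nginx serves these certificates a reload path for renewals presumably needs to exist elsewhere.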
@ -1,7 +1,7 @@
|
||||||
# {{ ansible_managed }}
|
{{ ansible_managed | comment(decoration='# ') }}
|
||||||
|
|
||||||
# Pour appliquer cette conf et générer la conf de renewal :
|
# To generate the certificate, please use the following command
|
||||||
# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
|
# certbot --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
|
||||||
|
|
||||||
# Use a 4096 bit RSA key instead of 2048
|
# Use a 4096 bit RSA key instead of 2048
|
||||||
rsa-key-size = 4096
|
rsa-key-size = 4096
|
||||||
|
@ -10,14 +10,19 @@ rsa-key-size = 4096
|
||||||
# server = https://acme-staging.api.letsencrypt.org/directory
|
# server = https://acme-staging.api.letsencrypt.org/directory
|
||||||
|
|
||||||
# Uncomment and update to register with the specified e-mail address
|
# Uncomment and update to register with the specified e-mail address
|
||||||
email = {{ certbot.mail }}
|
email = {{ item.mail }}
|
||||||
|
|
||||||
# Uncomment to use a text interface instead of ncurses
|
# Uncomment to use a text interface instead of ncurses
|
||||||
text = True
|
text = True
|
||||||
|
|
||||||
# Use nginx challenge
|
# Yes I want to sell my soul and my guinea pig.
|
||||||
authenticator = nginx
|
agree-tos = True
|
||||||
|
|
||||||
|
# Use DNS-01 challenge
|
||||||
|
authenticator = dns-rfc2136
|
||||||
|
dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini
|
||||||
|
dns-rfc2136-propagation-seconds = 30
|
||||||
|
|
||||||
# Wildcard the domain
|
# Wildcard the domain
|
||||||
cert-name = {{ certbot.certname }}
|
cert-name = {{ item.certname }}
|
||||||
domains = {{ ", ".join(certbot.domains) }}
|
domains = {{ item.domains }}
|
||||||
|
|
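Review bot: `domains = {{ item.domains }}` drops the `", ".join(...)` the old template applied; if `certbot[].domains` is still a list (as the removed join suggests), Jinja renders it as a Python literal such as `['a.example.org', 'b.example.org']` and certbot will not parse the line, so it should be `domains = {{ item.domains | join(', ') }}` (and the variable should stay a list, since `join` on a plain string would split it into characters). The `agree-tos` comment `# Yes I want to sell my soul and my guinea pig.` should say what is being accepted, e.g. `# Accept the Let's Encrypt subscriber agreement non-interactively (required with --non-interactive)`. `dns-rfc2136-propagation-seconds = 30` is a fixed guess at how long the authoritative servers take to serve the new TXT record; making it `{{ item.propagation_seconds | default(30) }}` lets a zone with slow secondaries override it without editing the template.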
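--- /dev/null
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@@ -0,0 +1,7 @@
+{{ ansible_managed | comment(decoration='# ') }}
+
+dns_rfc2136_server = {{ item.dns_rfc2136_server }}
+dns_rfc2136_port = 53
+dns_rfc2136_name = {{ item.dns_rfc2136_name }}
+dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
+dns_rfc2136_algorithm = HMAC-SHA512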
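Review bot: This file places a TSIG key on the web host that can send dynamic updates to the zone, and nothing documents that its scope must be limited on the DNS server side. Add a header comment such as `# TSIG key for ACME DNS-01 only. Restrict it on the nameserver (BIND: update-policy grant <key> name _acme-challenge.<domain> TXT) so a compromise of this host cannot rewrite other records.` Templating the secret here is acceptable only because the installing task writes the file with mode 0600 owned by root; the value itself should come from an Ansible-vaulted variable, not plain group_vars. `dns_rfc2136_port = 53` is hardcoded while server, key name and secret are per-item; `{{ item.dns_rfc2136_port | default(53) }}` keeps the same default and avoids a template edit for a non-standard port.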
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- name: force run dhcp re2o-service
|
- name: force run dhcp re2o-service
|
||||||
shell: /var/local/re2o-services/dhcp/main.py --force
|
command: /var/local/re2o-services/dhcp/main.py --force
|
||||||
become_user: re2o-services
|
become_user: re2o-services
|
||||||
|
|
||||||
- name: restart dhcpd
|
- name: restart dhcpd
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
- name: Install dhcp (re2o-service)
|
- name: Install dhcp (re2o-service)
|
||||||
import_role:
|
import_role:
|
||||||
name: re2o-service
|
name: re2o_service
|
||||||
vars:
|
vars:
|
||||||
service_repo: https://gitlab.federez.net/re2o/dhcp.git
|
service_repo: https://gitlab.federez.net/re2o/dhcp.git
|
||||||
service_name: dhcp
|
service_name: dhcp
|
||||||
|
@ -18,7 +18,7 @@
|
||||||
owner: re2o-services
|
owner: re2o-services
|
||||||
group: nogroup
|
group: nogroup
|
||||||
recurse: true
|
recurse: true
|
||||||
mode: 755
|
mode: 0755
|
||||||
|
|
||||||
- name: Install isc-dhcp-server
|
- name: Install isc-dhcp-server
|
||||||
apt:
|
apt:
|
||||||
|
|
|
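Review bot: `mode: 0755` combined with `recurse: true` applies 0755 to every regular file under the tree as well, so all the checked-out service files become executable; the symbolic form `mode: "u=rwX,g=rX,o=rX"` gives directories (and files that are already executable) the `x` bit without adding it to data files. It also sidesteps the octal-versus-integer trap the old `mode: 755` (decimal 755, i.e. 01363) fell into, which this hunk otherwise fixes correctly. The task's `name:` and `file:` lines start before the hunk, so the path it applies to is not visible here.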
@ -21,4 +21,4 @@
|
||||||
user: root
|
user: root
|
||||||
key: "{{ ssh_pub_keys }}"
|
key: "{{ ssh_pub_keys }}"
|
||||||
state: present
|
state: present
|
||||||
# exclusive: True
|
exclusive: true
|
||||||
|
|
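Review bot: Turning on `exclusive: true` makes this task delete every entry in root's authorized_keys that is not in `ssh_pub_keys`, so an empty, undefined or mistyped variable locks everyone out of root on the next run; guard it with a preceding `assert: { that: ssh_pub_keys | length > 0 }` so the play fails before the file is touched. If `ssh_pub_keys` is a list, the module's `key:` wants one newline-separated string, so it should be passed as `key: "{{ ssh_pub_keys | join('\n') }}"` rather than looped, because a loop with `exclusive` would leave only the last key. The task's `name:` and `authorized_key:` lines are outside the hunk, so whether a loop is already in use cannot be seen here.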
146
roles/nginx/tasks/main.yml
Normal file
146
roles/nginx/tasks/main.yml
Normal file
|
@ -0,0 +1,146 @@
|
||||||
|
---
|
||||||
|
- name: Install NGINX
|
||||||
|
apt:
|
||||||
|
update_cache: true
|
||||||
|
name: nginx
|
||||||
|
register: apt_result
|
||||||
|
retries: 3
|
||||||
|
until: apt_result is succeeded
|
||||||
|
|
||||||
|
- name: Copy proxypass snippets
|
||||||
|
template:
|
||||||
|
src: "nginx/snippets/options-proxypass.conf.j2"
|
||||||
|
dest: "/etc/nginx/snippets/options-proxypass.conf"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
- name: Copy SSL snippets
|
||||||
|
template:
|
||||||
|
src: "nginx/snippets/options-ssl.conf.j2"
|
||||||
|
dest: "/etc/nginx/snippets/options-ssl.{{ item.name }}.conf"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
loop: "{{ nginx.ssl }}"
|
||||||
|
|
||||||
|
- name: Disable default site
|
||||||
|
file:
|
||||||
|
dest: "/etc/nginx/sites-enabled/default"
|
||||||
|
state: absent
|
||||||
|
|
||||||
|
- name: Copy reverse proxy sites
|
||||||
|
when: reverseproxy is defined
|
||||||
|
template:
|
||||||
|
src: "nginx/sites-available/{{ item }}.j2"
|
||||||
|
dest: "/etc/nginx/sites-available/{{ item }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
loop:
|
||||||
|
- reverseproxy
|
||||||
|
- reverseproxy_redirect_dname
|
||||||
|
- redirect
|
||||||
|
notify: Reload nginx
|
||||||
|
|
||||||
|
- name: Activate reverse proxy sites
|
||||||
|
when: reverseproxy is defined
|
||||||
|
file:
|
||||||
|
src: "/etc/nginx/sites-available/{{ item }}"
|
||||||
|
dest: "/etc/nginx/sites-enabled/{{ item }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
state: link
|
||||||
|
loop:
|
||||||
|
- reverseproxy
|
||||||
|
- reverseproxy_redirect_dname
|
||||||
|
- redirect
|
||||||
|
notify: Reload nginx
|
||||||
|
ignore_errors: "{{ ansible_check_mode }}"
|
||||||
|
|
||||||
|
- name: Copy forward modules
|
||||||
|
when: reverseproxy.redirect_tcp is defined and reverseproxy.redirect_tcp|length > 0
|
||||||
|
template:
|
||||||
|
src: "nginx/modules-available/60-forward.conf.j2"
|
||||||
|
dest: "/etc/nginx/modules-available/60-forward.conf"
|
||||||
|
mode: 0644
|
||||||
|
notify: Reload nginx
|
||||||
|
|
||||||
|
- name: Activate modules
|
||||||
|
when: reverseproxy.redirect_tcp is defined and reverseproxy.redirect_tcp|length > 0
|
||||||
|
file:
|
||||||
|
src: "/etc/nginx/modules-available/60-forward.conf"
|
||||||
|
dest: "/etc/nginx/modules-enabled/60-forward.conf"
|
||||||
|
state: link
|
||||||
|
mode: 0644
|
||||||
|
notify: Reload nginx
|
||||||
|
ignore_errors: "{{ ansible_check_mode }}"
|
||||||
|
|
||||||
|
- name: Copy service nginx configuration
|
||||||
|
when: nginx.servers is defined and nginx.servers|length > 0
|
||||||
|
template:
|
||||||
|
src: "nginx/sites-available/service.j2"
|
||||||
|
dest: "/etc/nginx/sites-available/{{ nginx.service_name }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
notify: Reload nginx
|
||||||
|
|
||||||
|
- name: Activate local nginx service site
|
||||||
|
when: nginx.servers is defined and nginx.servers|length > 0
|
||||||
|
file:
|
||||||
|
src: "/etc/nginx/sites-available/{{ nginx.service_name }}"
|
||||||
|
dest: "/etc/nginx/sites-enabled/{{ nginx.service_name }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
state: link
|
||||||
|
notify: Reload nginx
|
||||||
|
ignore_errors: "{{ ansible_check_mode }}"
|
||||||
|
|
||||||
|
- name: Copy 50x error page
|
||||||
|
template:
|
||||||
|
src: www/html/50x.html.j2
|
||||||
|
dest: /var/www/html/50x.html
|
||||||
|
owner: www-data
|
||||||
|
group: www-data
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
- name: Copy robots.txt file
|
||||||
|
when: nginx.deploy_robots_file
|
||||||
|
template:
|
||||||
|
src: www/html/robots.txt.j2
|
||||||
|
dest: /var/www/html/robots.txt
|
||||||
|
owner: www-data
|
||||||
|
group: www-data
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
- name: Install passwords
|
||||||
|
when: nginx.auth_passwd|length > 0
|
||||||
|
template:
|
||||||
|
src: nginx/passwd.j2
|
||||||
|
dest: /etc/nginx/passwd
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
- name: Copy 401 error page
|
||||||
|
when: nginx.auth_passwd|length > 0
|
||||||
|
template:
|
||||||
|
src: www/html/401.html.j2
|
||||||
|
dest: /var/www/html/401.html
|
||||||
|
owner: www-data
|
||||||
|
group: www-data
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
- name: Indicate role in motd
|
||||||
|
template:
|
||||||
|
src: update-motd.d/05-service.j2
|
||||||
|
dest: /etc/update-motd.d/05-nginx
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Clean old files
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: absent
|
||||||
|
loop:
|
||||||
|
- "/etc/nginx/snippets/options-ssl.conf"
|
||||||
|
- "/var/www/custom_401.html"
|
||||||
|
- "/var/www/robots.txt"
|
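Review bot: `Install passwords` writes /etc/nginx/passwd — the basic-auth password hashes — with `mode: 0644` and no owner/group, so any local account can read and crack the hashes offline; the workers run as www-data and only need read access, so use `owner: root`, `group: www-data`, `mode: 0640`. Both that task and `Copy 401 error page` gate on `nginx.auth_passwd|length > 0`, which raises an undefined-variable error on any host whose `nginx` dict lacks `auth_passwd`; `nginx.auth_passwd | default({}) | length > 0` preserves the intent. `Copy SSL snippets` and `Copy proxypass snippets` have no `notify: Reload nginx`, unlike the site tasks, so a changed certificate path or proxy option only takes effect when some other task happens to trigger the handler.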
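--- /dev/null
+++ b/roles/nginx/templates/letsencrypt/dhparam.j2
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----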
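Review bot: Nothing here says what this group is: the base64 appears to be the RFC 7919 ffdhe2048 group as published in the Mozilla TLS recommendations (it begins `MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz`), which is public by design and meant to be shared across hosts, so a reader should neither treat it as a leaked per-host secret nor regenerate it. OpenSSL's PEM reader skips text before the BEGIN line, so a first line such as `# RFC 7919 ffdhe2048 - standard public group, intentionally identical on every host` is safe, or the note can live in the task that installs it. The file has no Jinja expressions, so `copy:` would install it without the template engine touching the base64 at all.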
@ -1,6 +1,6 @@
|
||||||
# {{ ansible_managed }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
{% for site in nginx.redirect_tcp %}
|
{% for site in reverseproxy.redirect_tcp %}
|
||||||
# Forward port {{ site.port }} to {{ site.name }}
|
# Forward port {{ site.port }} to {{ site.name }}
|
||||||
stream {
|
stream {
|
||||||
server {
|
server {
|
||||||
|
@ -12,3 +12,4 @@ stream {
|
||||||
}
|
}
|
||||||
|
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
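--- /dev/null
+++ b/roles/nginx/templates/nginx/passwd.j2
@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+{% for user, hash in nginx.auth_passwd.items() -%}
+{{ user }}:{{ hash }}
+{% endfor -%}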
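Review bot: The template writes whatever string `nginx.auth_passwd` holds straight into the htpasswd file with no hint of the required format, so a plaintext password or a hash nginx cannot verify (e.g. a bare hex digest) silently yields 401 for everyone. Add a template comment such as `{# values must be htpasswd hashes nginx accepts ($apr1$ from "openssl passwd -apr1", or crypt()/bcrypt); never plaintext, keep them vaulted #}`. The companion 401 page in this commit prints the expected identifier and password in clear, which shows this file is a bot deterrent rather than access control; saying so in the same comment stops a later maintainer from reusing a real account's hash here.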
@ -1,6 +1,6 @@
|
||||||
# {{ ansible_managed }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
{% for site in nginx.redirect_sites %}
|
{% for site in reverseproxy.redirect_sites %}
|
||||||
# Redirect http://{{ site.from }} to http://{{ site.to }}
|
# Redirect http://{{ site.from }} to http://{{ site.to }}
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
|
@ -8,6 +8,11 @@ server {
|
||||||
|
|
||||||
server_name {{ site.from }};
|
server_name {{ site.from }};
|
||||||
|
|
||||||
|
{% for realip in nginx.real_ip_from %}
|
||||||
|
set_real_ip_from {{ realip }};
|
||||||
|
{% endfor %}
|
||||||
|
real_ip_header P-Real-Ip;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
return 302 http://{{ site.to }}$request_uri;
|
return 302 http://{{ site.to }}$request_uri;
|
||||||
}
|
}
|
||||||
|
@ -21,7 +26,12 @@ server {
|
||||||
server_name {{ site.from }};
|
server_name {{ site.from }};
|
||||||
|
|
||||||
# SSL common conf
|
# SSL common conf
|
||||||
include "/etc/nginx/snippets/options-ssl.conf";
|
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
|
||||||
|
|
||||||
|
{% for realip in nginx.real_ip_from %}
|
||||||
|
set_real_ip_from {{ realip }};
|
||||||
|
{% endfor %}
|
||||||
|
real_ip_header P-Real-Ip;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
return 302 https://{{ site.to }}$request_uri;
|
return 302 https://{{ site.to }}$request_uri;
|
||||||
|
@ -31,8 +41,8 @@ server {
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
{# Also redirect for DNAMEs #}
|
{# Also redirect for DNAMEs #}
|
||||||
{% for dname in nginx.redirect_dnames %}
|
{% for dname in reverseproxy.redirect_dnames %}
|
||||||
{% for site in nginx.redirect_sites %}
|
{% for site in reverseproxy.redirect_sites %}
|
||||||
{% set from = site.from | regex_replace('crans.org', dname) %}
|
{% set from = site.from | regex_replace('crans.org', dname) %}
|
||||||
{% if from != site.from %}
|
{% if from != site.from %}
|
||||||
# Redirect http://{{ from }} to http://{{ site.to }}
|
# Redirect http://{{ from }} to http://{{ site.to }}
|
||||||
|
@ -42,6 +52,11 @@ server {
|
||||||
|
|
||||||
server_name {{ from }};
|
server_name {{ from }};
|
||||||
|
|
||||||
|
{% for realip in nginx.real_ip_from %}
|
||||||
|
set_real_ip_from {{ realip }};
|
||||||
|
{% endfor %}
|
||||||
|
real_ip_header P-Real-Ip;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
return 302 http://{{ site.to }}$request_uri;
|
return 302 http://{{ site.to }}$request_uri;
|
||||||
}
|
}
|
||||||
|
@ -55,7 +70,12 @@ server {
|
||||||
server_name {{ from }};
|
server_name {{ from }};
|
||||||
|
|
||||||
# SSL common conf
|
# SSL common conf
|
||||||
include "/etc/nginx/snippets/options-ssl.conf";
|
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
|
||||||
|
|
||||||
|
{% for realip in nginx.real_ip_from %}
|
||||||
|
set_real_ip_from {{ realip }};
|
||||||
|
{% endfor %}
|
||||||
|
real_ip_header P-Real-Ip;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
return 302 https://{{ site.to }}$request_uri;
|
return 302 https://{{ site.to }}$request_uri;
|
|
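Review bot: The `set_real_ip_from` loop plus `real_ip_header P-Real-Ip;` is pasted verbatim into every server block of this template (and again in reverseproxy.j2, reverseproxy_redirect_dname.j2 and service.j2), so the trusted-proxy list and header name will drift the first time one copy is edited; put both in a snippet (e.g. `/etc/nginx/snippets/realip.conf`, included the same way as the SSL snippet) and make the header name a variable alongside `nginx.real_ip_from`. The construct is only sound if every host in `nginx.real_ip_from` overwrites `P-Real-Ip` on inbound requests rather than forwarding a client-supplied value, and if that list never contains an address a tenant controls; neither contract is stated, so a comment above the loop such as `# only hosts that rewrite P-Real-Ip themselves belong in nginx.real_ip_from` is worth adding. The `return 302` lines are context rather than new, but since the vhost is being reworked, `301` for the http→https hop is the usual choice.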
@ -1,4 +1,4 @@
|
||||||
# {{ ansible_managed }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
# Automatic Connection header for WebSocket support
|
# Automatic Connection header for WebSocket support
|
||||||
# See http://nginx.org/en/docs/http/websocket.html
|
# See http://nginx.org/en/docs/http/websocket.html
|
||||||
|
@ -7,7 +7,7 @@ map $http_upgrade $connection_upgrade {
|
||||||
'' close;
|
'' close;
|
||||||
}
|
}
|
||||||
|
|
||||||
{% for site in nginx.reverseproxy_sites %}
|
{% for site in reverseproxy.reverseproxy_sites %}
|
||||||
# Redirect http://{{ site.from }} to https://{{ site.from }}
|
# Redirect http://{{ site.from }} to https://{{ site.from }}
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
|
@ -15,6 +15,11 @@ server {
|
||||||
|
|
||||||
server_name {{ site.from }};
|
server_name {{ site.from }};
|
||||||
|
|
||||||
|
{% for realip in nginx.real_ip_from %}
|
||||||
|
set_real_ip_from {{ realip }};
|
||||||
|
{% endfor %}
|
||||||
|
real_ip_header P-Real-Ip;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
return 302 https://$host$request_uri;
|
return 302 https://$host$request_uri;
|
||||||
}
|
}
|
||||||
|
@ -28,7 +33,7 @@ server {
|
||||||
server_name {{ site.from }};
|
server_name {{ site.from }};
|
||||||
|
|
||||||
# SSL common conf
|
# SSL common conf
|
||||||
include "/etc/nginx/snippets/options-ssl.conf";
|
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
|
||||||
|
|
||||||
# Log into separate log files
|
# Log into separate log files
|
||||||
access_log /var/log/nginx/{{ site.from }}.log;
|
access_log /var/log/nginx/{{ site.from }}.log;
|
||||||
|
@ -43,8 +48,9 @@ server {
|
||||||
root /var/www/html;
|
root /var/www/html;
|
||||||
}
|
}
|
||||||
|
|
||||||
set_real_ip_from 10.231.136.0/24;
|
{% for realip in nginx.real_ip_from %}
|
||||||
set_real_ip_from 2a0c:700:0:2::/64;
|
set_real_ip_from {{ realip }};
|
||||||
|
{% endfor %}
|
||||||
real_ip_header P-Real-Ip;
|
real_ip_header P-Real-Ip;
|
||||||
|
|
||||||
location / {
|
location / {
|
|
@ -1,7 +1,7 @@
|
||||||
# {{ ansible_managed }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
{% for dname in nginx.redirect_dnames %}
|
{% for dname in reverseproxy.redirect_dnames %}
|
||||||
{% for site in nginx.reverseproxy_sites %}
|
{% for site in reverseproxy.reverseproxy_sites %}
|
||||||
{% set from = site.from | regex_replace('auro.re', dname) %}
|
{% set from = site.from | regex_replace('auro.re', dname) %}
|
||||||
{% set to = site.from %}
|
{% set to = site.from %}
|
||||||
{% if from != site.from %}
|
{% if from != site.from %}
|
||||||
|
@ -12,6 +12,11 @@ server {
|
||||||
|
|
||||||
server_name {{ from }};
|
server_name {{ from }};
|
||||||
|
|
||||||
|
{% for realip in nginx.real_ip_from %}
|
||||||
|
set_real_ip_from {{ realip }};
|
||||||
|
{% endfor %}
|
||||||
|
real_ip_header P-Real-Ip;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
return 302 http://{{ to }}$request_uri;
|
return 302 http://{{ to }}$request_uri;
|
||||||
}
|
}
|
||||||
|
@ -25,7 +30,12 @@ server {
|
||||||
server_name {{ from }};
|
server_name {{ from }};
|
||||||
|
|
||||||
# SSL common conf
|
# SSL common conf
|
||||||
include "/etc/nginx/snippets/options-ssl.conf";
|
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
|
||||||
|
|
||||||
|
{% for realip in nginx.real_ip_from %}
|
||||||
|
set_real_ip_from {{ realip }};
|
||||||
|
{% endfor %}
|
||||||
|
real_ip_header P-Real-Ip;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
return 302 https://{{ to }}$request_uri;
|
return 302 https://{{ to }}$request_uri;
|
132
roles/nginx/templates/nginx/sites-available/service.j2
Normal file
132
roles/nginx/templates/nginx/sites-available/service.j2
Normal file
|
@ -0,0 +1,132 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
# Automatic Connection header for WebSocket support
|
||||||
|
# See http://nginx.org/en/docs/http/websocket.html
|
||||||
|
map $http_upgrade $connection_upgrade {
|
||||||
|
default upgrade;
|
||||||
|
'' close;
|
||||||
|
}
|
||||||
|
|
||||||
|
{% for upstream in nginx.upstreams -%}
|
||||||
|
upstream {{ upstream.name }} {
|
||||||
|
# Path of the server
|
||||||
|
server {{ upstream.server }};
|
||||||
|
}
|
||||||
|
{% endfor -%}
|
||||||
|
|
||||||
|
{% if nginx.default_ssl_server -%}
|
||||||
|
# Redirect all services to the main site
|
||||||
|
server {
|
||||||
|
listen 443 default_server ssl;
|
||||||
|
listen [::]:443 default_server ssl;
|
||||||
|
include "/etc/nginx/snippets/options-ssl.{{ nginx.default_ssl_domain }}.conf";
|
||||||
|
|
||||||
|
server_name _;
|
||||||
|
charset utf-8;
|
||||||
|
|
||||||
|
# Hide Nginx version
|
||||||
|
server_tokens off;
|
||||||
|
|
||||||
|
{% for realip in nginx.real_ip_from %}
|
||||||
|
set_real_ip_from {{ realip }};
|
||||||
|
{% endfor %}
|
||||||
|
real_ip_header P-Real-Ip;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 302 https://{{ nginx.default_ssl_server }}$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
{% if nginx.default_server -%}
|
||||||
|
# Redirect all services to the main site
|
||||||
|
server {
|
||||||
|
listen 80 default_server;
|
||||||
|
listen [::]:80 default_server;
|
||||||
|
|
||||||
|
server_name _;
|
||||||
|
charset utf-8;
|
||||||
|
|
||||||
|
# Hide Nginx version
|
||||||
|
server_tokens off;
|
||||||
|
|
||||||
|
{% for realip in nginx.real_ip_from %}
|
||||||
|
set_real_ip_from {{ realip }};
|
||||||
|
{% endfor %}
|
||||||
|
real_ip_header P-Real-Ip;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 302 http://{{ nginx.default_server }}$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
{% for server in nginx.servers %}
|
||||||
|
{% if server.ssl is defined and server.ssl -%}
|
||||||
|
# Redirect HTTP to HTTPS
|
||||||
|
server {
|
||||||
|
listen 80{% if server.default is defined and server.default %} default_server{% endif %};
|
||||||
|
listen [::]:80{% if server.default is defined and server.default %} default_server{% endif %};
|
||||||
|
|
||||||
|
server_name {{ server.server_name|join(" ") }};
|
||||||
|
charset utf-8;
|
||||||
|
|
||||||
|
# Hide Nginx version
|
||||||
|
server_tokens off;
|
||||||
|
|
||||||
|
{% for realip in nginx.real_ip_from %}
|
||||||
|
set_real_ip_from {{ realip }};
|
||||||
|
{% endfor %}
|
||||||
|
real_ip_header P-Real-Ip;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 302 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
server {
|
||||||
|
{% if server.ssl is defined and server.ssl -%}
|
||||||
|
listen 443{% if server.default is defined and server.default %} default_server{% endif %} ssl;
|
||||||
|
listen [::]:443{% if server.default is defined and server.default %} default_server{% endif %} ssl;
|
||||||
|
include "/etc/nginx/snippets/options-ssl.{{ server.ssl }}.conf";
|
||||||
|
{% else -%}
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
server_name {{ server.server_name|join(" ") }};
|
||||||
|
charset utf-8;
|
||||||
|
|
||||||
|
# Hide Nginx version
|
||||||
|
server_tokens off;
|
||||||
|
|
||||||
|
{% for realip in nginx.real_ip_from %}
|
||||||
|
set_real_ip_from {{ realip }};
|
||||||
|
{% endfor %}
|
||||||
|
real_ip_header P-Real-Ip;
|
||||||
|
|
||||||
|
{% if server.root is defined %}root {{ server.root }};{% endif %}
|
||||||
|
{% if server.index is defined %}index {{ server.index|join(" ") }};{% endif %}
|
||||||
|
|
||||||
|
{% if server.access_log is defined %}access_log {{ server.access_log }};{% endif %}
|
||||||
|
{% if server.error_log is defined %}error_log {{ server.error_log }};{% endif %}
|
||||||
|
|
||||||
|
{% if server.additional_params is defined %}
|
||||||
|
{% for param in server.additional_params %}
|
||||||
|
{{ param }};
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if server.locations is defined %}
|
||||||
|
{% for location in server.locations %}
|
||||||
|
location {{ location.filter }} {
|
||||||
|
{% for param in location.params %}
|
||||||
|
{{ param }};
|
||||||
|
{% endfor %}
|
||||||
|
}
|
||||||
|
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
}
|
||||||
|
{% endfor %}
|
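Review bot: The `nginx.default_ssl_server` block emits `listen 443 default_server ssl`, and any `nginx.servers` entry with `default: true` emits `default_server` on 443 as well (the same pair exists for port 80 via `nginx.default_server`); nginx refuses to start with "a duplicate default server" when two server blocks claim it for the same address:port, so either document that the two settings are mutually exclusive or guard the per-server one with `{% if server.default is defined and server.default and not nginx.default_ssl_server %}`. `server_tokens off` is repeated in every generated server block; it is valid at `http` level, so one copy in nginx.conf or a snippet covers every vhost, including ones this template does not generate. `{{ param }};` in `additional_params` and `location.params` injects raw directives, which is fine for operator-owned inventory but deserves a one-line comment so nobody later feeds request-derived data into those lists.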
18
roles/nginx/templates/nginx/snippets/fastcgi.conf.j2
Normal file
18
roles/nginx/templates/nginx/snippets/fastcgi.conf.j2
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
|
||||||
|
fastcgi_split_path_info (^/[^/]*)(.*)$;
|
||||||
|
|
||||||
|
# check that the PHP script exists before passing it
|
||||||
|
try_files $fastcgi_script_name =404;
|
||||||
|
|
||||||
|
# Bypass the fact that try_files resets $fastcgi_path_info
|
||||||
|
# see: http://trac.nginx.org/nginx/ticket/321
|
||||||
|
set $path_info $fastcgi_path_info;
|
||||||
|
fastcgi_param PATH_INFO $path_info;
|
||||||
|
|
||||||
|
# Let NGINX handle errors
|
||||||
|
fastcgi_intercept_errors on;
|
||||||
|
|
||||||
|
include /etc/nginx/fastcgi.conf;
|
||||||
|
fastcgi_pass unix:/var/run/fcgiwrap.socket;
|
|
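Review bot: The comment `# check that the PHP script exists before passing it` is wrong for this snippet: it hands requests to `fcgiwrap`, which executes any file it is given as a CGI program, so `try_files $fastcgi_script_name =404` is what prevents nginx from passing a path that does not exist, not a PHP-specific check; reword it to `# refuse to hand fcgiwrap a script that does not exist under root (fcgiwrap runs whatever it is given)`. `fastcgi_split_path_info (^/[^/]*)(.*)$;` splits on the first path component only, so `/foo/bar/baz` becomes script `/foo` with PATH_INFO `/bar/baz`; a comment noting that scripts are expected directly in the location root, not in subdirectories, would save the next reader a trip to the docs. The location that includes this snippet is not in the diff, so whether its `root` is confined to the CGI directory cannot be checked here.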
@ -1,4 +1,4 @@
|
||||||
# {{ ansible_managed }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
proxy_redirect off;
|
proxy_redirect off;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
|
@ -1,7 +1,7 @@
|
||||||
# {{ ansible_managed }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
ssl_certificate {{ nginx.ssl.cert }};
|
ssl_certificate {{ item.cert }};
|
||||||
ssl_certificate_key {{ nginx.ssl.cert_key }};
|
ssl_certificate_key {{ item.cert_key }};
|
||||||
ssl_session_timeout 1d;
|
ssl_session_timeout 1d;
|
||||||
ssl_session_cache shared:MozSSL:10m;
|
ssl_session_cache shared:MozSSL:10m;
|
||||||
ssl_session_tickets off;
|
ssl_session_tickets off;
|
||||||
|
@ -13,5 +13,5 @@ ssl_prefer_server_ciphers off;
|
||||||
# Enable OCSP Stapling, point to certificate chain
|
# Enable OCSP Stapling, point to certificate chain
|
||||||
ssl_stapling on;
|
ssl_stapling on;
|
||||||
ssl_stapling_verify on;
|
ssl_stapling_verify on;
|
||||||
ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
|
ssl_trusted_certificate {{ item.trusted_cert }};
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
#!/usr/bin/tail +14
|
#!/usr/bin/tail +14
|
||||||
# {{ ansible_managed }}
|
{{ ansible_managed | comment }}
|
||||||
[0m> [38;5;82mNGINX[0m a été déployé sur cette machine. Voir [38;5;6m/etc/nginx/[0m.
|
[0m> [38;5;82mNGINX[0m a été déployé sur cette machine. Voir [38;5;6m/etc/nginx/[0m.
|
18
roles/nginx/templates/www/html/401.html.j2
Normal file
18
roles/nginx/templates/www/html/401.html.j2
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
{{ ansible_header | comment('xml') }}
|
||||||
|
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Accès refusé</title>
|
||||||
|
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<h1>Accès refusé</h1>
|
||||||
|
<p>
|
||||||
|
Pour éviter le scan des adresses de diffusions par un robot, cette page demande un identifiant et mot de passe.
|
||||||
|
</p>
|
||||||
|
<ul>
|
||||||
|
<li>Identifiant : <em>Stop</em></li>
|
||||||
|
<li>Mot de passe : <em>Spam</em></li>
|
||||||
|
</ul>
|
||||||
|
</body>
|
||||||
|
</html>
|
|
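Review bot: The first line uses `{{ ansible_header | comment('xml') }}` whereas every other template in this commit uses `ansible_managed`; unless `ansible_header` is defined in the inventory, rendering this page fails with an undefined-variable error, so it should read `{{ ansible_managed | comment('xml') }}`. The page deliberately prints the basic-auth identifier and password (`Stop` / `Spam`), which makes the credential a bot deterrent rather than access control; an HTML comment saying exactly that, and that `nginx.auth_passwd` must therefore never hold a real account's hash, would stop a later reader from "fixing" it. A `<!DOCTYPE html>` and `lang="fr"` on `<html>` would put the page in standards mode and mark the French text for assistive tools.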
@ -57,7 +57,7 @@
|
||||||
<h1>502</h1>
|
<h1>502</h1>
|
||||||
<p>Whoops, le service prend trop de temps à répondre…</p>
|
<p>Whoops, le service prend trop de temps à répondre…</p>
|
||||||
<p>Essayez de rafraîchir la page. Si le problème persiste, pensez
|
<p>Essayez de rafraîchir la page. Si le problème persiste, pensez
|
||||||
à contacter <a href="mailto:tech.aurore@lists.crans.org">l'équipe technique d'Aurore</a>.</p>
|
à contacter <a href="mailto:{{ nginx.contact }}">{{ nginx.who }}</a>.</p>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
|
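--- /dev/null
+++ b/roles/nginx/templates/www/html/robots.txt.j2
@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /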
@ -1,73 +0,0 @@
|
||||||
---
|
|
||||||
- name: Install NGINX
|
|
||||||
apt:
|
|
||||||
update_cache: true
|
|
||||||
name: nginx
|
|
||||||
register: apt_result
|
|
||||||
retries: 3
|
|
||||||
until: apt_result is succeeded
|
|
||||||
|
|
||||||
- name: Copy snippets
|
|
||||||
template:
|
|
||||||
src: "nginx/snippets/{{ item }}.j2"
|
|
||||||
dest: "/etc/nginx/snippets/{{ item }}"
|
|
||||||
mode: 0644
|
|
||||||
loop:
|
|
||||||
- options-ssl.conf
|
|
||||||
- options-proxypass.conf
|
|
||||||
|
|
||||||
- name: Copy dhparam
|
|
||||||
template:
|
|
||||||
src: letsencrypt/dhparam.j2
|
|
||||||
dest: /etc/letsencrypt/dhparam
|
|
||||||
mode: 0644
|
|
||||||
|
|
||||||
- name: Copy reverse proxy sites
|
|
||||||
template:
|
|
||||||
src: "nginx/sites-available/{{ item }}.j2"
|
|
||||||
dest: "/etc/nginx/sites-available/{{ item }}"
|
|
||||||
mode: 0644
|
|
||||||
loop:
|
|
||||||
- reverseproxy
|
|
||||||
- reverseproxy_redirect_dname
|
|
||||||
- redirect
|
|
||||||
notify: Reload nginx
|
|
||||||
|
|
||||||
- name: Activate sites
|
|
||||||
file:
|
|
||||||
src: "/etc/nginx/sites-available/{{ item }}"
|
|
||||||
dest: "/etc/nginx/sites-enabled/{{ item }}"
|
|
||||||
state: link
|
|
||||||
mode: 0644
|
|
||||||
loop:
|
|
||||||
- reverseproxy
|
|
||||||
- reverseproxy_redirect_dname
|
|
||||||
- redirect
|
|
||||||
notify: Reload nginx
|
|
||||||
|
|
||||||
- name: Copy forward modules
|
|
||||||
template:
|
|
||||||
src: "nginx/modules-available/60-forward.conf.j2"
|
|
||||||
dest: "/etc/nginx/modules-available/60-forward.conf"
|
|
||||||
mode: 0644
|
|
||||||
notify: Reload nginx
|
|
||||||
|
|
||||||
- name: Activate modules
|
|
||||||
file:
|
|
||||||
src: "/etc/nginx/modules-available/60-forward.conf"
|
|
||||||
dest: "/etc/nginx/modules-enabled/60-forward.conf"
|
|
||||||
state: link
|
|
||||||
mode: 0644
|
|
||||||
notify: Reload nginx
|
|
||||||
|
|
||||||
- name: Copy 50x error page
|
|
||||||
template:
|
|
||||||
src: www/html/50x.html.j2
|
|
||||||
dest: /var/www/html/50x.html
|
|
||||||
mode: 0644
|
|
||||||
|
|
||||||
- name: Indicate role in motd
|
|
||||||
template:
|
|
||||||
src: update-motd.d/05-service.j2
|
|
||||||
dest: /etc/update-motd.d/05-nginx
|
|
||||||
mode: 0755
|
|
10
roles/postfix_non_mailhost/handlers/main.yml
Normal file
10
roles/postfix_non_mailhost/handlers/main.yml
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
---
|
||||||
|
- name: restart postfix
|
||||||
|
service:
|
||||||
|
name: postfix
|
||||||
|
state: restarted
|
||||||
|
|
||||||
|
- name: reload postfix
|
||||||
|
service:
|
||||||
|
name: postfix
|
||||||
|
state: reloaded
|
17
roles/postfix_non_mailhost/tasks/main.yml
Normal file
17
roles/postfix_non_mailhost/tasks/main.yml
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
---
|
||||||
|
- name: Install postfix
|
||||||
|
apt:
|
||||||
|
name: postfix
|
||||||
|
update_cache: true
|
||||||
|
register: result
|
||||||
|
retries: 3
|
||||||
|
until: result is succeeded
|
||||||
|
|
||||||
|
- name: Configure postfix
|
||||||
|
template:
|
||||||
|
src: main.cf.j2
|
||||||
|
dest: /etc/postfix/main.cf
|
||||||
|
mode: 0644
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
notify: restart postfix
|
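--- /dev/null
+++ b/roles/postfix_non_mailhost/templates/main.cf.j2
@@ -0,0 +1,32 @@
+# {{ ansible_managed }}
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+# Template based on /usr/share/postfix/main.cf.debian
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# Send mail as user@{{ ansible_fqdn }}
+myhostname = {{ ansible_fqdn }}
+myorigin = $myhostname
+mydomain = $myhostname
+
+# Specify the trusted networks
+mynetworks = 127.0.0.0/8 {{ local_network }}
+
+# This host does not relay mail from untrusted networks
+relay_domains =
+
+# This is needed if no direct Internet access is available
+relayhost = {{ relay_host }}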
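Review bot: `mynetworks = 127.0.0.0/8 {{ local_network }}` with no `inet_interfaces` setting leaves Debian's default of listening on all interfaces, so this "non-mailhost" accepts SMTP from the whole `local_network` and relays it through `relay_host` under Postfix's default `permit_mynetworks`: any machine on that network can send mail as this host, and a compromised LAN host turns it into a spam relay. A satellite that only needs to send its own cron and monitoring mail should set `inet_interfaces = loopback-only` and `mynetworks = 127.0.0.0/8 [::1]/128`; if peers really must relay through it, the comment should say so instead of "does not relay mail from untrusted networks". `smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)` advertises the distribution in the greeting; `$myhostname ESMTP` is sufficient. The header is `# {{ ansible_managed }}` while the other templates in this commit use `{{ ansible_managed | comment }}`, which also handles a multi-line `ansible_managed` string.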
5
roles/postgresql_server/defaults/main.yml
Normal file
5
roles/postgresql_server/defaults/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
postgresql_hosts: []
|
||||||
|
postgresql_databases: []
|
||||||
|
postgresql_users: []
|
||||||
|
...
|
6
roles/postgresql_server/handlers/main.yml
Normal file
6
roles/postgresql_server/handlers/main.yml
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
- name: restart postgresql
|
||||||
|
service:
|
||||||
|
name: postgresql
|
||||||
|
state: restarted
|
||||||
|
enabled: true
|
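--- a/roles/postgresql_server/tasks/main.yml
+++ b/roles/postgresql_server/tasks/main.yml
@@ -0,0 +1,74 @@
+---
+- name: Install postgresql and psycopg2
+  apt:
+    update_cache: true
+    pkg:
+      - postgresql
+      - python3-psycopg2
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Ensure main postgresql directory exists
+  file:
+    path: /etc/postgresql/{{ postgresql.version }}/main/
+    state: directory
+    owner: postgres
+    group: postgres
+    mode: 0755
+
+- name: Ensure configuration directory exists
+  file:
+    path: /etc/postgresql/{{ postgresql.version }}/main/conf.d
+    state: directory
+    owner: postgres
+    group: postgres
+    mode: 0755
+
+- name: Configuration of postgresql {{ postgresql.version }}
+  template:
+    src: postgresql/{{ item }}.j2
+    dest: /etc/postgresql/{{ postgresql.version }}/main/{{ item }}
+    mode: 0640
+    owner: postgres
+    group: postgres
+  loop:
+    - pg_hba.conf
+    - postgresql.conf
+  notify:
+    - restart postgresql
+
+- name: Create databases
+  become: true
+  become_user: postgres
+  postgresql_db:
+    name: "{{ item }}"
+    encoding: UTF-8
+    lc_collate: en_US.UTF-8
+    lc_ctype: en_US.UTF-8
+    template: template0
+  loop: "{{ postgresql_databases }}"
+
+- name: Create users
+  become: true
+  become_user: postgres
+  postgresql_user:
+    db: "{{ item.database }}"
+    name: "{{ item.name }}"
+    password: "{{ item.password }}"
+  no_log: true
+  loop: "{{ postgresql_users }}"
+
+- name: Grant privileges to users
+  become: true
+  become_user: postgres
+  postgresql_privs:
+    db: postgres
+    type: database
+    role: "{{ item.name }}"
+    privs: "{{ item.privs | join(',') }}"
+    obj: "{{ item.database }}"
+  no_log: true
+  loop: "{{ postgresql_users }}"
+...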
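Review bot: The `mode: 0755` and `mode: 0640` values in the `file` and `template` tasks are unquoted octal literals; YAML 1.1 reads them as the integers 493 and 416, which Ansible applies as the numeric mode, so the result is right today, but ansible-lint flags the form and the same value written without its leading zero would silently be taken as decimal. Quote them as `mode: "0755"` and `mode: "0640"`. In the `Grant privileges to users` task every `postgresql_users` item must carry a `privs` list, since `item.privs | join(',')` has no default; if some users are meant to exist without grants, `item.privs | default([]) | join(',')` or a `when: item.privs is defined` guard would avoid a failed loop, and `no_log: true` on that task is a good call since the loop items carry the passwords.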
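--- a/roles/postgresql_server/templates/postgresql/pg_hba.conf.j2
+++ b/roles/postgresql_server/templates/postgresql/pg_hba.conf.j2
@@ -0,0 +1,20 @@
+{{ ansible_managed | comment }}
+
+# TYPE DATABASE USER ADDRESS METHOD
+
+# DO NOT DISABLE!
+# If you change this first entry you will need to make sure that the
+# database superuser can access the database using some other method.
+# Noninteractive access to all databases is required during automatic
+# maintenance (custom daily cronjobs, replication, and similar tasks).
+#
+# Database administrative login by Unix domain socket
+local all postgres peer
+
+
+# "local" is for Unix domain socket connections only
+local all all peer
+
+{% for host in postgresql_hosts %}
+host "{{ host.database }}" "{{ host.user }}" {{ host.net }} {{ host.method }}
+{% endfor %}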
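Review bot: The `host` line inside the `postgresql_hosts` loop takes `host.method` verbatim, so the authentication method for every network client is decided by inventory data with nothing in the template constraining it; a `trust` or `password` entry there would admit remote logins without, or with cleartext, credentials. Since the companion postgresql.conf.j2 sets `ssl = on`, consider emitting `hostssl` instead of `host` so network clients must negotiate TLS, and document in the role defaults that `method` is expected to be `scram-sha-256` (or `md5` for legacy clients). A guard such as `{% if host.method not in ['scram-sha-256', 'md5'] %}{{ undefined_method }}{% endif %}`, or an `assert` task before the template runs, would surface a misconfigured entry at deploy time rather than in the database log.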
695
roles/postgresql_server/templates/postgresql/postgresql.conf.j2
Normal file
695
roles/postgresql_server/templates/postgresql/postgresql.conf.j2
Normal file
|
@ -0,0 +1,695 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
# -----------------------------
|
||||||
|
# PostgreSQL configuration file
|
||||||
|
# -----------------------------
|
||||||
|
#
|
||||||
|
# This file consists of lines of the form:
|
||||||
|
#
|
||||||
|
# name = value
|
||||||
|
#
|
||||||
|
# (The "=" is optional.) Whitespace may be used. Comments are introduced with
|
||||||
|
# "#" anywhere on a line. The complete list of parameter names and allowed
|
||||||
|
# values can be found in the PostgreSQL documentation.
|
||||||
|
#
|
||||||
|
# The commented-out settings shown in this file represent the default values.
|
||||||
|
# Re-commenting a setting is NOT sufficient to revert it to the default value;
|
||||||
|
# you need to reload the server.
|
||||||
|
#
|
||||||
|
# This file is read on server startup and when the server receives a SIGHUP
|
||||||
|
# signal. If you edit the file on a running system, you have to SIGHUP the
|
||||||
|
# server for the changes to take effect, run "pg_ctl reload", or execute
|
||||||
|
# "SELECT pg_reload_conf()". Some parameters, which are marked below,
|
||||||
|
# require a server shutdown and restart to take effect.
|
||||||
|
#
|
||||||
|
# Any parameter can also be given as a command-line option to the server, e.g.,
|
||||||
|
# "postgres -c log_connections=on". Some parameters can be changed at run time
|
||||||
|
# with the "SET" SQL command.
|
||||||
|
#
|
||||||
|
# Memory units: kB = kilobytes Time units: ms = milliseconds
|
||||||
|
# MB = megabytes s = seconds
|
||||||
|
# GB = gigabytes min = minutes
|
||||||
|
# TB = terabytes h = hours
|
||||||
|
# d = days
|
||||||
|
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# FILE LOCATIONS
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# The default values of these variables are driven from the -D command-line
|
||||||
|
# option or PGDATA environment variable, represented here as ConfigDir.
|
||||||
|
# All changes to this section REQUIRES restart
|
||||||
|
|
||||||
|
# use data in another directory
|
||||||
|
data_directory = '/var/lib/postgresql/{{ postgresql.version }}/main'
|
||||||
|
# host-based authentication file
|
||||||
|
hba_file = '/etc/postgresql/{{ postgresql.version }}/main/pg_hba.conf'
|
||||||
|
|
||||||
|
# If external_pid_file is not explicitly set, no extra PID file is written.
|
||||||
|
external_pid_file = '/run/postgresql/{{ postgresql.version }}-main.pid'
|
||||||
|
# write an extra PID file
|
||||||
|
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# CONNECTIONS AND AUTHENTICATION
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# - Connection Settings -
|
||||||
|
|
||||||
|
listen_addresses = '0.0.0.0, ::'
|
||||||
|
# listen_addresses = * # listen to all
|
||||||
|
#listen_addresses = 'localhost' # what IP address(es) to listen on;
|
||||||
|
# comma-separated list of addresses;
|
||||||
|
# defaults to 'localhost'; use '*' for all
|
||||||
|
# (change requires restart)
|
||||||
|
port = 5432 # (change requires restart)
|
||||||
|
max_connections = 100 # (change requires restart)
|
||||||
|
#superuser_reserved_connections = 3 # (change requires restart)
|
||||||
|
unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories
|
||||||
|
# (change requires restart)
|
||||||
|
#unix_socket_group = '' # (change requires restart)
|
||||||
|
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
|
||||||
|
# (change requires restart)
|
||||||
|
#bonjour = off # advertise server via Bonjour
|
||||||
|
# (change requires restart)
|
||||||
|
#bonjour_name = '' # defaults to the computer name
|
||||||
|
# (change requires restart)
|
||||||
|
|
||||||
|
# - TCP Keepalives -
|
||||||
|
# see "man 7 tcp" for details
|
||||||
|
|
||||||
|
#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
|
||||||
|
# 0 selects the system default
|
||||||
|
#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
|
||||||
|
# 0 selects the system default
|
||||||
|
#tcp_keepalives_count = 0 # TCP_KEEPCNT;
|
||||||
|
# 0 selects the system default
|
||||||
|
|
||||||
|
|
||||||
|
# - Authentication -
|
||||||
|
|
||||||
|
#authentication_timeout = 1min # 1s-600s
|
||||||
|
#password_encryption = md5 # md5 or scram-sha-256
|
||||||
|
#db_user_namespace = off
|
||||||
|
|
||||||
|
# GSSAPI using Kerberos
|
||||||
|
#krb_server_keyfile = ''
|
||||||
|
#krb_caseins_users = off
|
||||||
|
|
||||||
|
# - SSL -
|
||||||
|
|
||||||
|
ssl = on
|
||||||
|
#ssl_ca_file = ''
|
||||||
|
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
|
||||||
|
#ssl_crl_file = ''
|
||||||
|
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
|
||||||
|
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
|
||||||
|
#ssl_prefer_server_ciphers = on
|
||||||
|
#ssl_ecdh_curve = 'prime256v1'
|
||||||
|
#ssl_dh_params_file = ''
|
||||||
|
#ssl_passphrase_command = ''
|
||||||
|
#ssl_passphrase_command_supports_reload = off
|
||||||
|
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# RESOURCE USAGE (except WAL)
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# - Memory -
|
||||||
|
|
||||||
|
shared_buffers = 128MB # min 128kB
|
||||||
|
# (change requires restart)
|
||||||
|
#huge_pages = try # on, off, or try
|
||||||
|
# (change requires restart)
|
||||||
|
#temp_buffers = 8MB # min 800kB
|
||||||
|
#max_prepared_transactions = 0 # zero disables the feature
|
||||||
|
# (change requires restart)
|
||||||
|
# Caution: it is not advisable to set max_prepared_transactions nonzero unless
|
||||||
|
# you actively intend to use prepared transactions.
|
||||||
|
#work_mem = 4MB # min 64kB
|
||||||
|
#maintenance_work_mem = 64MB # min 1MB
|
||||||
|
#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem
|
||||||
|
#max_stack_depth = 2MB # min 100kB
|
||||||
|
dynamic_shared_memory_type = posix # the default is the first option
|
||||||
|
# supported by the operating system:
|
||||||
|
# posix
|
||||||
|
# sysv
|
||||||
|
# windows
|
||||||
|
# mmap
|
||||||
|
# (change requires restart)
|
||||||
|
|
||||||
|
# - Disk -
|
||||||
|
|
||||||
|
#temp_file_limit = -1 # limits per-process temp file space
|
||||||
|
# in kB, or -1 for no limit
|
||||||
|
|
||||||
|
# - Kernel Resources -
|
||||||
|
|
||||||
|
#max_files_per_process = 1000 # min 25
|
||||||
|
# (change requires restart)
|
||||||
|
|
||||||
|
# - Cost-Based Vacuum Delay -
|
||||||
|
|
||||||
|
#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables)
|
||||||
|
#vacuum_cost_page_hit = 1 # 0-10000 credits
|
||||||
|
#vacuum_cost_page_miss = 10 # 0-10000 credits
|
||||||
|
#vacuum_cost_page_dirty = 20 # 0-10000 credits
|
||||||
|
#vacuum_cost_limit = 200 # 1-10000 credits
|
||||||
|
|
||||||
|
# - Background Writer -
|
||||||
|
|
||||||
|
#bgwriter_delay = 200ms # 10-10000ms between rounds
|
||||||
|
#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
|
||||||
|
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
|
||||||
|
#bgwriter_flush_after = 512kB # measured in pages, 0 disables
|
||||||
|
|
||||||
|
# - Asynchronous Behavior -
|
||||||
|
|
||||||
|
#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
|
||||||
|
#max_worker_processes = 8 # (change requires restart)
|
||||||
|
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
|
||||||
|
#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
|
||||||
|
#parallel_leader_participation = on
|
||||||
|
#max_parallel_workers = 8 # maximum number of max_worker_processes that
|
||||||
|
# can be used in parallel operations
|
||||||
|
#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
|
||||||
|
# (change requires restart)
|
||||||
|
#backend_flush_after = 0 # measured in pages, 0 disables
|
||||||
|
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# WRITE-AHEAD LOG
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# - Settings -
|
||||||
|
|
||||||
|
#wal_level = replica # minimal, replica, or logical
|
||||||
|
# (change requires restart)
|
||||||
|
#fsync = on # flush data to disk for crash safety
|
||||||
|
# (turning this off can cause
|
||||||
|
# unrecoverable data corruption)
|
||||||
|
#synchronous_commit = on # synchronization level;
|
||||||
|
# off, local, remote_write, remote_apply, or on
|
||||||
|
#wal_sync_method = fsync # the default is the first option
|
||||||
|
# supported by the operating system:
|
||||||
|
# open_datasync
|
||||||
|
# fdatasync (default on Linux)
|
||||||
|
# fsync
|
||||||
|
# fsync_writethrough
|
||||||
|
# open_sync
|
||||||
|
#full_page_writes = on # recover from partial page writes
|
||||||
|
#wal_compression = off # enable compression of full-page writes
|
||||||
|
#wal_log_hints = off # also do full page writes of non-critical updates
|
||||||
|
# (change requires restart)
|
||||||
|
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
|
||||||
|
# (change requires restart)
|
||||||
|
#wal_writer_delay = 200ms # 1-10000 milliseconds
|
||||||
|
#wal_writer_flush_after = 1MB # measured in pages, 0 disables
|
||||||
|
|
||||||
|
#commit_delay = 0 # range 0-100000, in microseconds
|
||||||
|
#commit_siblings = 5 # range 1-1000
|
||||||
|
|
||||||
|
# - Checkpoints -
|
||||||
|
|
||||||
|
#checkpoint_timeout = 5min # range 30s-1d
|
||||||
|
max_wal_size = 1GB
|
||||||
|
min_wal_size = 80MB
|
||||||
|
#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
|
||||||
|
#checkpoint_flush_after = 256kB # measured in pages, 0 disables
|
||||||
|
#checkpoint_warning = 30s # 0 disables
|
||||||
|
|
||||||
|
# - Archiving -
|
||||||
|
|
||||||
|
#archive_mode = off # enables archiving; off, on, or always
|
||||||
|
# (change requires restart)
|
||||||
|
#archive_command = '' # command to use to archive a logfile segment
|
||||||
|
# placeholders: %p = path of file to archive
|
||||||
|
# %f = file name only
|
||||||
|
# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
|
||||||
|
#archive_timeout = 0 # force a logfile segment switch after this
|
||||||
|
# number of seconds; 0 disables
|
||||||
|
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# REPLICATION
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# - Sending Servers -
|
||||||
|
|
||||||
|
# Set these on the master and on any standby that will send replication data.
|
||||||
|
|
||||||
|
#max_wal_senders = 10 # max number of walsender processes
|
||||||
|
# (change requires restart)
|
||||||
|
#wal_keep_segments = 0 # in logfile segments; 0 disables
|
||||||
|
#wal_sender_timeout = 60s # in milliseconds; 0 disables
|
||||||
|
|
||||||
|
#max_replication_slots = 10 # max number of replication slots
|
||||||
|
# (change requires restart)
|
||||||
|
#track_commit_timestamp = off # collect timestamp of transaction commit
|
||||||
|
# (change requires restart)
|
||||||
|
|
||||||
|
# - Master Server -
|
||||||
|
|
||||||
|
# These settings are ignored on a standby server.
|
||||||
|
|
||||||
|
#synchronous_standby_names = '' # standby servers that provide sync rep
|
||||||
|
# method to choose sync standbys, number of sync standbys,
|
||||||
|
# and comma-separated list of application_name
|
||||||
|
# from standby(s); '*' = all
|
||||||
|
#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
|
||||||
|
|
||||||
|
# - Standby Servers -
|
||||||
|
|
||||||
|
# These settings are ignored on a master server.
|
||||||
|
|
||||||
|
#hot_standby = on # "off" disallows queries during recovery
|
||||||
|
# (change requires restart)
|
||||||
|
#max_standby_archive_delay = 30s # max delay before canceling queries
|
||||||
|
# when reading WAL from archive;
|
||||||
|
# -1 allows indefinite delay
|
||||||
|
#max_standby_streaming_delay = 30s # max delay before canceling queries
|
||||||
|
# when reading streaming WAL;
|
||||||
|
# -1 allows indefinite delay
|
||||||
|
#wal_receiver_status_interval = 10s # send replies at least this often
|
||||||
|
# 0 disables
|
||||||
|
#hot_standby_feedback = off # send info from standby to prevent
|
||||||
|
# query conflicts
|
||||||
|
#wal_receiver_timeout = 60s # time that receiver waits for
|
||||||
|
# communication from master
|
||||||
|
# in milliseconds; 0 disables
|
||||||
|
#wal_retrieve_retry_interval = 5s # time to wait before retrying to
|
||||||
|
# retrieve WAL after a failed attempt
|
||||||
|
# - Subscribers -
|
||||||
|
|
||||||
|
# These settings are ignored on a publisher.
|
||||||
|
|
||||||
|
#max_logical_replication_workers = 4 # taken from max_worker_processes
|
||||||
|
# (change requires restart)
|
||||||
|
#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers
|
||||||
|
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# QUERY TUNING
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# - Planner Method Configuration -
|
||||||
|
|
||||||
|
#enable_bitmapscan = on
|
||||||
|
#enable_hashagg = on
|
||||||
|
#enable_hashjoin = on
|
||||||
|
#enable_indexscan = on
|
||||||
|
#enable_indexonlyscan = on
|
||||||
|
#enable_material = on
|
||||||
|
#enable_mergejoin = on
|
||||||
|
#enable_nestloop = on
|
||||||
|
#enable_parallel_append = on
|
||||||
|
#enable_seqscan = on
|
||||||
|
#enable_sort = on
|
||||||
|
#enable_tidscan = on
|
||||||
|
#enable_partitionwise_join = off
|
||||||
|
#enable_partitionwise_aggregate = off
|
||||||
|
#enable_parallel_hash = on
|
||||||
|
#enable_partition_pruning = on
|
||||||
|
|
||||||
|
# - Planner Cost Constants -
|
||||||
|
|
||||||
|
#seq_page_cost = 1.0 # measured on an arbitrary scale
|
||||||
|
#random_page_cost = 4.0 # same scale as above
|
||||||
|
#cpu_tuple_cost = 0.01 # same scale as above
|
||||||
|
#cpu_index_tuple_cost = 0.005 # same scale as above
|
||||||
|
#cpu_operator_cost = 0.0025 # same scale as above
|
||||||
|
#parallel_tuple_cost = 0.1 # same scale as above
|
||||||
|
#parallel_setup_cost = 1000.0 # same scale as above
|
||||||
|
|
||||||
|
#jit_above_cost = 100000 # perform JIT compilation if available
|
||||||
|
# and query more expensive than this;
|
||||||
|
# -1 disables
|
||||||
|
#jit_inline_above_cost = 500000 # inline small functions if query is
|
||||||
|
# more expensive than this; -1 disables
|
||||||
|
#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if
|
||||||
|
# query is more expensive than this;
|
||||||
|
# -1 disables
|
||||||
|
|
||||||
|
#min_parallel_table_scan_size = 8MB
|
||||||
|
#min_parallel_index_scan_size = 512kB
|
||||||
|
#effective_cache_size = 4GB
|
||||||
|
|
||||||
|
# - Genetic Query Optimizer -
|
||||||
|
|
||||||
|
#geqo = on
|
||||||
|
#geqo_threshold = 12
|
||||||
|
#geqo_effort = 5 # range 1-10
|
||||||
|
#geqo_pool_size = 0 # selects default based on effort
|
||||||
|
#geqo_generations = 0 # selects default based on effort
|
||||||
|
#geqo_selection_bias = 2.0 # range 1.5-2.0
|
||||||
|
#geqo_seed = 0.0 # range 0.0-1.0
|
||||||
|
|
||||||
|
# - Other Planner Options -
|
||||||
|
|
||||||
|
#default_statistics_target = 100 # range 1-10000
|
||||||
|
#constraint_exclusion = partition # on, off, or partition
|
||||||
|
#cursor_tuple_fraction = 0.1 # range 0.0-1.0
|
||||||
|
#from_collapse_limit = 8
|
||||||
|
#join_collapse_limit = 8 # 1 disables collapsing of explicit
|
||||||
|
# JOIN clauses
|
||||||
|
#force_parallel_mode = off
|
||||||
|
#jit = on # allow JIT compilation
|
||||||
|
#plan_cache_mode = auto # auto, force_generic_plan or
|
||||||
|
# force_custom_plan
|
||||||
|
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# REPORTING AND LOGGING
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# - Where to Log -
|
||||||
|
|
||||||
|
#log_destination = 'stderr' # Valid values are combinations of
|
||||||
|
# stderr, csvlog, syslog, and eventlog,
|
||||||
|
# depending on platform. csvlog
|
||||||
|
# requires logging_collector to be on.
|
||||||
|
|
||||||
|
# This is used when logging to stderr:
|
||||||
|
#logging_collector = off # Enable capturing of stderr and csvlog
|
||||||
|
# into log files. Required to be on for
|
||||||
|
# csvlogs.
|
||||||
|
# (change requires restart)
|
||||||
|
|
||||||
|
# These are only used if logging_collector is on:
|
||||||
|
#log_directory = 'log' # directory where log files are written,
|
||||||
|
# can be absolute or relative to PGDATA
|
||||||
|
#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
|
||||||
|
# can include strftime() escapes
|
||||||
|
#log_file_mode = 0600 # creation mode for log files,
|
||||||
|
# begin with 0 to use octal notation
|
||||||
|
#log_truncate_on_rotation = off # If on, an existing log file with the
|
||||||
|
# same name as the new log file will be
|
||||||
|
# truncated rather than appended to.
|
||||||
|
# But such truncation only occurs on
|
||||||
|
# time-driven rotation, not on restarts
|
||||||
|
# or size-driven rotation. Default is
|
||||||
|
# off, meaning append to existing files
|
||||||
|
# in all cases.
|
||||||
|
#log_rotation_age = 1d # Automatic rotation of logfiles will
|
||||||
|
# happen after that time. 0 disables.
|
||||||
|
#log_rotation_size = 10MB # Automatic rotation of logfiles will
|
||||||
|
# happen after that much log output.
|
||||||
|
# 0 disables.
|
||||||
|
|
||||||
|
# These are relevant when logging to syslog:
|
||||||
|
#syslog_facility = 'LOCAL0'
|
||||||
|
#syslog_ident = 'postgres'
|
||||||
|
#syslog_sequence_numbers = on
|
||||||
|
#syslog_split_messages = on
|
||||||
|
|
||||||
|
# This is only relevant when logging to eventlog (win32):
|
||||||
|
# (change requires restart)
|
||||||
|
#event_source = 'PostgreSQL'
|
||||||
|
|
||||||
|
# - When to Log -
|
||||||
|
|
||||||
|
#log_min_messages = warning # values in order of decreasing detail:
|
||||||
|
# debug5
|
||||||
|
# debug4
|
||||||
|
# debug3
|
||||||
|
# debug2
|
||||||
|
# debug1
|
||||||
|
# info
|
||||||
|
# notice
|
||||||
|
# warning
|
||||||
|
# error
|
||||||
|
# log
|
||||||
|
# fatal
|
||||||
|
# panic
|
||||||
|
|
||||||
|
#log_min_error_statement = error # values in order of decreasing detail:
|
||||||
|
# debug5
|
||||||
|
# debug4
|
||||||
|
# debug3
|
||||||
|
# debug2
|
||||||
|
# debug1
|
||||||
|
# info
|
||||||
|
# notice
|
||||||
|
# warning
|
||||||
|
# error
|
||||||
|
# log
|
||||||
|
# fatal
|
||||||
|
# panic (effectively off)
|
||||||
|
|
||||||
|
#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
|
||||||
|
# and their durations, > 0 logs only
|
||||||
|
# statements running at least this number
|
||||||
|
# of milliseconds
|
||||||
|
|
||||||
|
|
||||||
|
# - What to Log -
|
||||||
|
|
||||||
|
#debug_print_parse = off
|
||||||
|
#debug_print_rewritten = off
|
||||||
|
#debug_print_plan = off
|
||||||
|
#debug_pretty_print = on
|
||||||
|
#log_checkpoints = off
|
||||||
|
#log_connections = off
|
||||||
|
#log_disconnections = off
|
||||||
|
#log_duration = off
|
||||||
|
#log_error_verbosity = default # terse, default, or verbose messages
|
||||||
|
#log_hostname = off
|
||||||
|
log_line_prefix = '%m [%p] %q%u@%d ' # special values:
|
||||||
|
# %a = application name
|
||||||
|
# %u = user name
|
||||||
|
# %d = database name
|
||||||
|
# %r = remote host and port
|
||||||
|
# %h = remote host
|
||||||
|
# %p = process ID
|
||||||
|
# %t = timestamp without milliseconds
|
||||||
|
# %m = timestamp with milliseconds
|
||||||
|
# %n = timestamp with milliseconds (as a Unix epoch)
|
||||||
|
# %i = command tag
|
||||||
|
# %e = SQL state
|
||||||
|
# %c = session ID
|
||||||
|
# %l = session line number
|
||||||
|
# %s = session start timestamp
|
||||||
|
# %v = virtual transaction ID
|
||||||
|
# %x = transaction ID (0 if none)
|
||||||
|
# %q = stop here in non-session
|
||||||
|
# processes
|
||||||
|
# %% = '%'
|
||||||
|
# e.g. '<%u%%%d> '
|
||||||
|
#log_lock_waits = off # log lock waits >= deadlock_timeout
|
||||||
|
#log_statement = 'none' # none, ddl, mod, all
|
||||||
|
#log_replication_commands = off
|
||||||
|
#log_temp_files = -1 # log temporary files equal or larger
|
||||||
|
# than the specified size in kilobytes;
|
||||||
|
# -1 disables, 0 logs all temp files
|
||||||
|
log_timezone = 'Europe/Paris'
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# PROCESS TITLE
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
cluster_name = '{{ postgresql.version }}/main' # added to process titles if nonempty
|
||||||
|
# (change requires restart)
|
||||||
|
#update_process_title = on
|
||||||
|
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# STATISTICS
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# - Query and Index Statistics Collector -
|
||||||
|
|
||||||
|
#track_activities = on
|
||||||
|
#track_counts = on
|
||||||
|
#track_io_timing = off
|
||||||
|
#track_functions = none # none, pl, all
|
||||||
|
#track_activity_query_size = 1024 # (change requires restart)
|
||||||
|
stats_temp_directory = '/var/run/postgresql/{{ postgresql.version }}-main.pg_stat_tmp'
|
||||||
|
|
||||||
|
|
||||||
|
# - Monitoring -
|
||||||
|
|
||||||
|
#log_parser_stats = off
|
||||||
|
#log_planner_stats = off
|
||||||
|
#log_executor_stats = off
|
||||||
|
#log_statement_stats = off
|
||||||
|
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# AUTOVACUUM
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
#autovacuum = on # Enable autovacuum subprocess? 'on'
|
||||||
|
# requires track_counts to also be on.
|
||||||
|
#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
|
||||||
|
# their durations, > 0 logs only
|
||||||
|
# actions running at least this number
|
||||||
|
# of milliseconds.
|
||||||
|
#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
|
||||||
|
# (change requires restart)
|
||||||
|
#autovacuum_naptime = 1min # time between autovacuum runs
|
||||||
|
#autovacuum_vacuum_threshold = 50 # min number of row updates before
|
||||||
|
# vacuum
|
||||||
|
#autovacuum_analyze_threshold = 50 # min number of row updates before
|
||||||
|
# analyze
|
||||||
|
#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
|
||||||
|
#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
|
||||||
|
#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
|
||||||
|
# (change requires restart)
|
||||||
|
#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age
|
||||||
|
# before forced vacuum
|
||||||
|
# (change requires restart)
|
||||||
|
#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for
|
||||||
|
# autovacuum, in milliseconds;
|
||||||
|
# -1 means use vacuum_cost_delay
|
||||||
|
#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
|
||||||
|
# autovacuum, -1 means use
|
||||||
|
# vacuum_cost_limit
|
||||||
|
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# CLIENT CONNECTION DEFAULTS
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# - Statement Behavior -
|
||||||
|
|
||||||
|
#client_min_messages = notice # values in order of decreasing detail:
|
||||||
|
# debug5
|
||||||
|
# debug4
|
||||||
|
# debug3
|
||||||
|
# debug2
|
||||||
|
# debug1
|
||||||
|
# log
|
||||||
|
# notice
|
||||||
|
# warning
|
||||||
|
# error
|
||||||
|
#search_path = '"$user", public' # schema names
|
||||||
|
#row_security = on
|
||||||
|
#default_tablespace = '' # a tablespace name, '' uses the default
|
||||||
|
#temp_tablespaces = '' # a list of tablespace names, '' uses
|
||||||
|
# only default tablespace
|
||||||
|
#check_function_bodies = on
|
||||||
|
#default_transaction_isolation = 'read committed'
|
||||||
|
#default_transaction_read_only = off
|
||||||
|
#default_transaction_deferrable = off
|
||||||
|
#session_replication_role = 'origin'
|
||||||
|
#statement_timeout = 0 # in milliseconds, 0 is disabled
|
||||||
|
#lock_timeout = 0 # in milliseconds, 0 is disabled
|
||||||
|
#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled
|
||||||
|
#vacuum_freeze_min_age = 50000000
|
||||||
|
#vacuum_freeze_table_age = 150000000
|
||||||
|
#vacuum_multixact_freeze_min_age = 5000000
|
||||||
|
#vacuum_multixact_freeze_table_age = 150000000
|
||||||
|
#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples
|
||||||
|
# before index cleanup, 0 always performs
|
||||||
|
# index cleanup
|
||||||
|
#bytea_output = 'hex' # hex, escape
|
||||||
|
#xmlbinary = 'base64'
|
||||||
|
#xmloption = 'content'
|
||||||
|
#gin_fuzzy_search_limit = 0
|
||||||
|
#gin_pending_list_limit = 4MB
|
||||||
|
|
||||||
|
# - Locale and Formatting -
|
||||||
|
|
||||||
|
datestyle = 'iso, dmy'
|
||||||
|
#intervalstyle = 'postgres'
|
||||||
|
timezone = 'Europe/Paris'
|
||||||
|
#timezone_abbreviations = 'Default' # Select the set of available time zone
|
||||||
|
# abbreviations. Currently, there are
|
||||||
|
# Default
|
||||||
|
# Australia (historical usage)
|
||||||
|
# India
|
||||||
|
# You can create your own file in
|
||||||
|
# share/timezonesets/.
|
||||||
|
#extra_float_digits = 1 # min -15, max 3; any value >0 actually
|
||||||
|
# selects precise output mode
|
||||||
|
#client_encoding = sql_ascii # actually, defaults to database
|
||||||
|
# encoding
|
||||||
|
|
||||||
|
# These settings are initialized by initdb, but they can be changed.
|
||||||
|
lc_messages = 'en_US.UTF-8'
|
||||||
|
lc_monetary = 'en_US.UTF-8'
|
||||||
|
lc_numeric = 'en_US.UTF-8'
|
||||||
|
lc_time = 'en_US.UTF-8'
|
||||||
|
|
||||||
|
# default configuration for text search
|
||||||
|
default_text_search_config = 'pg_catalog.french'
|
||||||
|
|
||||||
|
# - Shared Library Preloading -
|
||||||
|
|
||||||
|
#shared_preload_libraries = '' # (change requires restart)
|
||||||
|
#local_preload_libraries = ''
|
||||||
|
#session_preload_libraries = ''
|
||||||
|
#jit_provider = 'llvmjit' # JIT library to use
|
||||||
|
|
||||||
|
# - Other Defaults -
|
||||||
|
|
||||||
|
#dynamic_library_path = '$libdir'
|
||||||
|
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# LOCK MANAGEMENT
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
#deadlock_timeout = 1s
|
||||||
|
#max_locks_per_transaction = 64 # min 10
|
||||||
|
# (change requires restart)
|
||||||
|
#max_pred_locks_per_transaction = 64 # min 10
|
||||||
|
# (change requires restart)
|
||||||
|
#max_pred_locks_per_relation = -2 # negative values mean
|
||||||
|
# (max_pred_locks_per_transaction
|
||||||
|
# / -max_pred_locks_per_relation) - 1
|
||||||
|
#max_pred_locks_per_page = 2 # min 0
|
||||||
|
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# VERSION AND PLATFORM COMPATIBILITY
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# - Previous PostgreSQL Versions -
|
||||||
|
|
||||||
|
#array_nulls = on
|
||||||
|
#backslash_quote = safe_encoding # on, off, or safe_encoding
|
||||||
|
#default_with_oids = off
|
||||||
|
#escape_string_warning = on
|
||||||
|
#lo_compat_privileges = off
|
||||||
|
#operator_precedence_warning = off
|
||||||
|
#quote_all_identifiers = off
|
||||||
|
#standard_conforming_strings = on
|
||||||
|
#synchronize_seqscans = on
|
||||||
|
|
||||||
|
# - Other Platforms and Clients -
|
||||||
|
|
||||||
|
#transform_null_equals = off
|
||||||
|
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# ERROR HANDLING
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
#exit_on_error = off # terminate session on any error?
|
||||||
|
#restart_after_crash = on # reinitialize after backend crash?
|
||||||
|
#data_sync_retry = off # retry or panic on failure to fsync
|
||||||
|
# data?
|
||||||
|
# (change requires restart)
|
||||||
|
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# CONFIG FILE INCLUDES
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# These options allow settings to be loaded from files other than the
|
||||||
|
# default postgresql.conf. Note that these are directives, not variable
|
||||||
|
# assignments, so they can usefully be given more than once.
|
||||||
|
|
||||||
|
include_dir = 'conf.d' # include files ending in '.conf' from
|
||||||
|
# a directory, e.g., 'conf.d'
|
||||||
|
#include_if_exists = '...' # include file only if it exists
|
||||||
|
#include = '...' # include file
|
||||||
|
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# CUSTOMIZED OPTIONS
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Add settings for extensions here
|
|
@ -55,6 +55,28 @@
|
||||||
content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}"
|
content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}"
|
||||||
dest: /etc/prometheus/targets_unifi_snmp.json
|
dest: /etc/prometheus/targets_unifi_snmp.json
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
when: prometheus_unifi_snmp_targets is defined
|
||||||
|
|
||||||
|
- name: Configure Prometheus Switchs
|
||||||
|
copy:
|
||||||
|
content: "{{ prometheus_switch_snmp_targets | to_nice_json }}"
|
||||||
|
dest: /etc/prometheus/targets_switch_snmp.json
|
||||||
|
mode: 0644
|
||||||
|
when: prometheus_switch_snmp_targets is defined
|
||||||
|
|
||||||
|
- name: Configure Prometheus UPS SNMP devices
|
||||||
|
copy:
|
||||||
|
content: "{{ [{'targets': prometheus_ups_snmp_targets }] | to_nice_json }}\n"
|
||||||
|
dest: /etc/prometheus/targets_ups_snmp.json
|
||||||
|
mode: 0644
|
||||||
|
when: prometheus_ups_snmp_targets is defined
|
||||||
|
|
||||||
|
- name: Configure Prometheus docker monitoring
|
||||||
|
copy:
|
||||||
|
content: "{{ [{'targets': prometheus_docker_targets }] | to_nice_json }}\n"
|
||||||
|
dest: /etc/prometheus/targets_docker.json
|
||||||
|
mode: 0644
|
||||||
|
when: prometheus_docker_targets is defined
|
||||||
|
|
||||||
- name: Activate prometheus service
|
- name: Activate prometheus service
|
||||||
systemd:
|
systemd:
|
||||||
|
|
|
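Review bot: The new switch task writes `prometheus_switch_snmp_targets | to_nice_json` straight to targets_switch_snmp.json, whereas the UPS and docker tasks wrap their list in `[{'targets': ...}]`, which is the target-group shape file_sd reads; unless the switch variable is already a list of such groups, Prometheus will reject that file, so either document that expected shape next to the variable or use `content: "{{ [{'targets': prometheus_switch_snmp_targets }] | to_nice_json }}\n"` like the neighbouring tasks. The switch task also omits the trailing `\n` the two new tasks below add. Finally, `mode: 0644` is an unquoted octal literal in all four tasks; `mode: "0644"` is the Ansible-recommended form and avoids YAML 1.1/1.2 octal differences.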
@ -22,7 +22,7 @@ groups:
|
||||||
labels:
|
labels:
|
||||||
severity: warning
|
severity: warning
|
||||||
annotations:
|
annotations:
|
||||||
summary: "Mémoire libre de {{ $labels.instance }} à {{ $value }}%."
|
summary: "Mémoire libre de {{ $labels.instance }} à {{ humanize $value }}%."
|
||||||
|
|
||||||
# Alert for out of disk space
|
# Alert for out of disk space
|
||||||
- alert: OutOfDiskSpace
|
- alert: OutOfDiskSpace
|
||||||
|
@ -31,7 +31,7 @@ groups:
|
||||||
labels:
|
labels:
|
||||||
severity: warning
|
severity: warning
|
||||||
annotations:
|
annotations:
|
||||||
summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.instance }} à {{ $value }}%."
|
summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.instance }} à {{ humanize $value }}%."
|
||||||
|
|
||||||
# Alert for out of inode space on disk
|
# Alert for out of inode space on disk
|
||||||
- alert: OutOfInodes
|
- alert: OutOfInodes
|
||||||
|
@ -49,7 +49,7 @@ groups:
|
||||||
labels:
|
labels:
|
||||||
severity: warning
|
severity: warning
|
||||||
annotations:
|
annotations:
|
||||||
summary: "CPU sur {{ $labels.instance }} à {{ $value }}%."
|
summary: "CPU sur {{ $labels.instance }} à {{ humanize $value }}%."
|
||||||
|
|
||||||
# Check systemd unit (> buster)
|
# Check systemd unit (> buster)
|
||||||
- alert: SystemdServiceFailed
|
- alert: SystemdServiceFailed
|
||||||
|
@ -59,4 +59,80 @@ groups:
|
||||||
severity: warning
|
severity: warning
|
||||||
annotations:
|
annotations:
|
||||||
summary: "{{ $labels.name }} a échoué sur {{ $labels.instance }}"
|
summary: "{{ $labels.name }} a échoué sur {{ $labels.instance }}"
|
||||||
|
|
||||||
|
# Check load of instance
|
||||||
|
- alert: LoadUsage
|
||||||
|
expr: node_load1 > 5
|
||||||
|
for: 2m
|
||||||
|
labels:
|
||||||
|
severity: warning
|
||||||
|
annotations:
|
||||||
|
summary: "La charge de {{ $labels.instance }} est à {{ $value }} !"
|
||||||
|
|
||||||
|
# Check UPS
|
||||||
|
- alert: UpsOutputSourceChanged
|
||||||
|
expr: upsOutputSource != 3
|
||||||
|
for: 1m
|
||||||
|
labels:
|
||||||
|
severity: warning
|
||||||
|
annotations:
|
||||||
|
summary: "La source d'alimentation de {{ $labels.instance }} a changé !"
|
||||||
|
|
||||||
|
- alert: UpsBatteryStatusWarning
|
||||||
|
expr: upsBatteryStatus == 3
|
||||||
|
for: 2m
|
||||||
|
labels:
|
||||||
|
severity: warning
|
||||||
|
annotations:
|
||||||
|
summary: "L'état de la batterie de {{ $labels.instance }} est faible !"
|
||||||
|
|
||||||
|
- alert: UpsBatteryStatusCritical
|
||||||
|
expr: upsBatteryStatus == 4
|
||||||
|
for: 10m
|
||||||
|
labels:
|
||||||
|
severity: warning
|
||||||
|
annotations:
|
||||||
|
summary: "L'état de la batterie de {{ $labels.instance }} est affaibli !"
|
||||||
|
|
||||||
|
- alert: UpsHighLoad
|
||||||
|
expr: upsOutputPercentLoad > 70
|
||||||
|
for: 5m
|
||||||
|
labels:
|
||||||
|
severity: critical
|
||||||
|
annotations:
|
||||||
|
summary: "La charge de {{ $labels.instance }} est de {{ $value }}% !"
|
||||||
|
|
||||||
|
- alert: UpsWrongInputVoltage
|
||||||
|
expr: (upsInputVoltage < 210) or (upsInputVoltage > 250)
|
||||||
|
for: 10m
|
||||||
|
labels:
|
||||||
|
severity: warning
|
||||||
|
annotations:
|
||||||
|
summary: "La tension d'entrée de {{ $labels.instance }} est de {{ $value }}V."
|
||||||
|
|
||||||
|
- alert: UpsWrongOutputVoltage
|
||||||
|
expr: (upsOutputVoltage < 220) or (upsOutputVoltage > 240)
|
||||||
|
for: 10m
|
||||||
|
labels:
|
||||||
|
severity: warning
|
||||||
|
annotations:
|
||||||
|
summary: "La tension de sortie de {{ $labels.instance }} est de {{ $value }}V."
|
||||||
|
|
||||||
|
- alert: UpsTimeRemainingWarning
|
||||||
|
expr: upsEstimatedMinutesRemaining < 15
|
||||||
|
for: 1m
|
||||||
|
labels:
|
||||||
|
severity: warning
|
||||||
|
annotations:
|
||||||
|
summary: "L'autonomie restante sur {{ $labels.instance }} est de {{ $value }} min."
|
||||||
|
|
||||||
|
- alert: UpsTimeRemainingCritical
|
||||||
|
expr: upsEstimatedMinutesRemaining < 5
|
||||||
|
for: 1m
|
||||||
|
labels:
|
||||||
|
severity: critical
|
||||||
|
annotations:
|
||||||
|
summary: "L'autonomie restante sur {{ $labels.instance }} est de {{ $value }} min."
|
||||||
|
|
||||||
|
|
||||||
{% endraw %}
|
{% endraw %}
|
||||||
|
|
|
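Review bot: `UpsBatteryStatusCritical` carries `severity: warning`, the same as `UpsBatteryStatusWarning`, while the name and the 10m hold suggest an escalation; if that is the intent, set `severity: critical` as `UpsHighLoad` does. In RFC 1628 an upsBatteryStatus of 4 is batteryDepleted (3 is batteryLow), so the summary `est affaibli` understates the condition — worth confirming against the Eaton MIB before relying on the wording. `LoadUsage` compares `node_load1 > 5` regardless of core count, so a 16-core host never alerts and a 2-core host alerts under routine load; an expression such as `node_load1 / count without (cpu, mode) (node_cpu_seconds_total{mode="idle"}) > 1.5` scales with the machine. The `{{ $value }}` annotations in the new rules could use `humanize` like the three changed earlier in this file.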
@ -8,7 +8,7 @@ global:
|
||||||
# Attach these labels to any time series or alerts when communicating with
|
# Attach these labels to any time series or alerts when communicating with
|
||||||
# external systems (federation, remote storage, Alertmanager).
|
# external systems (federation, remote storage, Alertmanager).
|
||||||
external_labels:
|
external_labels:
|
||||||
monitor: 'example'
|
federated_instance: '{{ inventory_hostname }}'
|
||||||
|
|
||||||
# Alertmanager configuration
|
# Alertmanager configuration
|
||||||
# Use prometheus alertmanager installed on the same machine
|
# Use prometheus alertmanager installed on the same machine
|
||||||
|
@ -65,3 +65,38 @@ scrape_configs:
|
||||||
scheme: https
|
scheme: https
|
||||||
static_configs:
|
static_configs:
|
||||||
- targets: []
|
- targets: []
|
||||||
|
|
||||||
|
- job_name: ups_snmp
|
||||||
|
file_sd_configs:
|
||||||
|
- files:
|
||||||
|
- '/etc/prometheus/targets_ups_snmp.json'
|
||||||
|
metrics_path: /snmp
|
||||||
|
params:
|
||||||
|
module: [eatonups]
|
||||||
|
relabel_configs:
|
||||||
|
- source_labels: [__address__]
|
||||||
|
target_label: __param_target
|
||||||
|
- source_labels: [__param_target]
|
||||||
|
target_label: instance
|
||||||
|
- target_label: __address__
|
||||||
|
replacement: 127.0.0.1:9116
|
||||||
|
|
||||||
|
- job_name: switch_snmp
|
||||||
|
file_sd_configs:
|
||||||
|
- files:
|
||||||
|
- "/etc/prometheus/targets_switch_snmp.json"
|
||||||
|
metrics_path: /snmp
|
||||||
|
params:
|
||||||
|
module: [procurve_switch]
|
||||||
|
relabel_configs:
|
||||||
|
- source_labels: [__address__]
|
||||||
|
target_label: __param_target
|
||||||
|
- source_labels: [__param_target]
|
||||||
|
target_label: instance
|
||||||
|
- target_label: __address__
|
||||||
|
replacement: 127.0.0.1:9116
|
||||||
|
|
||||||
|
- job_name: docker
|
||||||
|
file_sd_configs:
|
||||||
|
- files:
|
||||||
|
- '/etc/prometheus/targets_docker.json'
|
||||||
|
|
|
@ -1,4 +1,6 @@
|
||||||
# {{ ansible_managed }}
|
---
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
# TODOlist :
|
# TODOlist :
|
||||||
# - Faire fonctionner le monitoring des switchs défini ici
|
# - Faire fonctionner le monitoring des switchs défini ici
|
||||||
# * Configurer tous les switchs avec un compte SNMPv3
|
# * Configurer tous les switchs avec un compte SNMPv3
|
||||||
|
@ -6,48 +8,144 @@
|
||||||
# - Optimiser les règles pour les bornes Unifi,
|
# - Optimiser les règles pour les bornes Unifi,
|
||||||
# on pourrait indexer avec les SSID
|
# on pourrait indexer avec les SSID
|
||||||
|
|
||||||
procurve_switch:
|
eatonups:
|
||||||
walk:
|
walk:
|
||||||
- 1.3.6.1.2.1.31.1.1.1.10
|
- 1.3.6.1.2.1.33.1.2
|
||||||
- 1.3.6.1.2.1.31.1.1.1.6
|
- 1.3.6.1.2.1.33.1.3
|
||||||
|
- 1.3.6.1.2.1.33.1.4
|
||||||
|
- 1.3.6.1.4.1.534.1.6
|
||||||
get:
|
get:
|
||||||
- 1.3.6.1.2.1.1.3.0
|
- 1.3.6.1.2.1.1.3.0
|
||||||
- 1.3.6.1.2.1.1.5.0
|
|
||||||
- 1.3.6.1.2.1.1.6.0
|
|
||||||
metrics:
|
metrics:
|
||||||
- name: sysUpTime
|
- name: sysUpTime
|
||||||
oid: 1.3.6.1.2.1.1.3
|
oid: 1.3.6.1.2.1.1.3
|
||||||
type: gauge
|
type: gauge
|
||||||
help: The time (in hundredths of a second) since the network management portion
|
help: The time (in hundredths of a second) since the network management portion
|
||||||
of the system was last re-initialized. - 1.3.6.1.2.1.1.3
|
of the system was last re-initialized. - 1.3.6.1.2.1.1.3
|
||||||
- name: sysName
|
- name: upsBatteryStatus
|
||||||
oid: 1.3.6.1.2.1.1.5
|
oid: 1.3.6.1.2.1.33.1.2.1
|
||||||
type: DisplayString
|
type: gauge
|
||||||
help: An administratively-assigned name for this managed node - 1.3.6.1.2.1.1.5
|
help: The indication of the capacity remaining in the UPS system's batteries -
|
||||||
- name: sysLocation
|
1.3.6.1.2.1.33.1.2.1
|
||||||
oid: 1.3.6.1.2.1.1.6
|
- name: upsEstimatedMinutesRemaining
|
||||||
type: DisplayString
|
oid: 1.3.6.1.2.1.33.1.2.3
|
||||||
help: The physical location of this node (e.g., 'telephone closet, 3rd floor')
|
type: gauge
|
||||||
- 1.3.6.1.2.1.1.6
|
help: An estimate of the time to battery charge depletion under the present load
|
||||||
- name: ifHCOutOctets
|
conditions if the utility power is off and remains off, or if it were to be
|
||||||
oid: 1.3.6.1.2.1.31.1.1.1.10
|
lost and remain off. - 1.3.6.1.2.1.33.1.2.3
|
||||||
type: counter
|
- name: upsInputVoltage
|
||||||
help: The total number of octets transmitted out of the interface, including framing
|
oid: 1.3.6.1.2.1.33.1.3.3.1.3
|
||||||
characters - 1.3.6.1.2.1.31.1.1.1.10
|
type: gauge
|
||||||
|
help: The magnitude of the present input voltage. - 1.3.6.1.2.1.33.1.3.3.1.3
|
||||||
indexes:
|
indexes:
|
||||||
- labelname: ifIndex
|
- labelname: upsInputLineIndex
|
||||||
type: gauge
|
type: gauge
|
||||||
- name: ifHCInOctets
|
- name: upsOutputSource
|
||||||
oid: 1.3.6.1.2.1.31.1.1.1.6
|
oid: 1.3.6.1.2.1.33.1.4.1
|
||||||
type: counter
|
type: gauge
|
||||||
help: The total number of octets received on the interface, including framing
|
help: The present source of output power - 1.3.6.1.2.1.33.1.4.1
|
||||||
characters - 1.3.6.1.2.1.31.1.1.1.6
|
- name: upsOutputVoltage
|
||||||
|
oid: 1.3.6.1.2.1.33.1.4.4.1.2
|
||||||
|
type: gauge
|
||||||
|
help: The present output voltage. - 1.3.6.1.2.1.33.1.4.4.1.2
|
||||||
indexes:
|
indexes:
|
||||||
- labelname: ifIndex
|
- labelname: upsOutputLineIndex
|
||||||
type: gauge
|
type: gauge
|
||||||
version: 3
|
- name: upsOutputPower
|
||||||
|
oid: 1.3.6.1.2.1.33.1.4.4.1.4
|
||||||
|
type: gauge
|
||||||
|
help: The present output true power. - 1.3.6.1.2.1.33.1.4.4.1.4
|
||||||
|
indexes:
|
||||||
|
- labelname: upsOutputLineIndex
|
||||||
|
type: gauge
|
||||||
|
- name: upsOutputPercentLoad
|
||||||
|
oid: 1.3.6.1.2.1.33.1.4.4.1.5
|
||||||
|
type: gauge
|
||||||
|
help: The percentage of the UPS power capacity presently being used on this output
|
||||||
|
line, i.e., the greater of the percent load of true power capacity and the percent
|
||||||
|
load of VA. - 1.3.6.1.2.1.33.1.4.4.1.5
|
||||||
|
indexes:
|
||||||
|
- labelname: upsOutputLineIndex
|
||||||
|
type: gauge
|
||||||
|
- name: xupsEnvRemoteTemp
|
||||||
|
oid: 1.3.6.1.4.1.534.1.6.5
|
||||||
|
type: gauge
|
||||||
|
help: The reading of an EMP's temperature sensor. - 1.3.6.1.4.1.534.1.6.5
|
||||||
|
- name: xupsEnvRemoteHumidity
|
||||||
|
oid: 1.3.6.1.4.1.534.1.6.6
|
||||||
|
type: gauge
|
||||||
|
help: The reading of an EMP's humidity sensor. - 1.3.6.1.4.1.534.1.6.6
|
||||||
|
version: 1
|
||||||
auth:
|
auth:
|
||||||
username: prometheus
|
community: public
|
||||||
|
|
||||||
|
procurve_switch:
|
||||||
|
walk:
|
||||||
|
- 1.3.6.1.2.1.31.1.1.1.10
|
||||||
|
- 1.3.6.1.2.1.31.1.1.1
|
||||||
|
- 1.3.6.1.2.1.2.2.1.2
|
||||||
|
- 1.3.6.1.2.1.31.1.1.1.18
|
||||||
|
get:
|
||||||
|
- 1.3.6.1.2.1.1.3.0
|
||||||
|
- 1.3.6.1.2.1.1.5.0
|
||||||
|
- 1.3.6.1.2.1.1.6.0
|
||||||
|
metrics:
|
||||||
|
- name: sysUpTime
|
||||||
|
oid: 1.3.6.1.2.1.1.3
|
||||||
|
type: gauge
|
||||||
|
help: The time (in hundredths of a second) since the network management
|
||||||
|
portion of the system was last re-initialized. - 1.3.6.1.2.1.1.3
|
||||||
|
- name: sysName
|
||||||
|
oid: 1.3.6.1.2.1.1.5
|
||||||
|
type: DisplayString
|
||||||
|
help: An administratively-assigned name for this managed node
|
||||||
|
- 1.3.6.1.2.1.1.5
|
||||||
|
- name: sysLocation
|
||||||
|
oid: 1.3.6.1.2.1.1.6
|
||||||
|
type: DisplayString
|
||||||
|
help: The physical location of this node (e.g., 'telephone closet, 3rd
|
||||||
|
floor') - 1.3.6.1.2.1.1.6
|
||||||
|
- name: ifHCOutOctets
|
||||||
|
oid: 1.3.6.1.2.1.31.1.1.1.10
|
||||||
|
type: counter
|
||||||
|
help: The total number of octets transmitted out of the interface,
|
||||||
|
including framing characters - 1.3.6.1.2.1.31.1.1.1.10
|
||||||
|
indexes:
|
||||||
|
- labelname: ifIndex
|
||||||
|
type: gauge
|
||||||
|
lookups:
|
||||||
|
- labels:
|
||||||
|
- ifIndex
|
||||||
|
labelname: ifDescr
|
||||||
|
oid: 1.3.6.1.2.1.2.2.1.2
|
||||||
|
type: DisplayString
|
||||||
|
- labels:
|
||||||
|
- ifIndex
|
||||||
|
labelname: ifName
|
||||||
|
oid: 1.3.6.1.2.1.31.1.1.1.1
|
||||||
|
type: DisplayString
|
||||||
|
- name: ifHCInOctets
|
||||||
|
oid: 1.3.6.1.2.1.31.1.1.1.6
|
||||||
|
type: counter
|
||||||
|
help: The total number of octets received on the interface, including
|
||||||
|
framing characters - 1.3.6.1.2.1.31.1.1.1.6
|
||||||
|
indexes:
|
||||||
|
- labelname: ifIndex
|
||||||
|
type: gauge
|
||||||
|
lookups:
|
||||||
|
- labels:
|
||||||
|
- ifIndex
|
||||||
|
labelname: ifDescr
|
||||||
|
oid: 1.3.6.1.2.1.2.2.1.2
|
||||||
|
type: DisplayString
|
||||||
|
- labels:
|
||||||
|
- ifIndex
|
||||||
|
labelname: ifName
|
||||||
|
oid: 1.3.6.1.2.1.31.1.1.1.1
|
||||||
|
type: DisplayString
|
||||||
|
version: 2
|
||||||
|
auth:
|
||||||
|
community: "{{ snmp_switch_community }}"
|
||||||
|
|
||||||
ubiquiti_unifi:
|
ubiquiti_unifi:
|
||||||
walk:
|
walk:
|
||||||
|
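Review bot: The new `eatonups` module authenticates with `version: 1` and a hard-coded `community: public`, the factory default, while `procurve_switch` reads its community from `{{ snmp_switch_community }}`; SNMPv1/v2c communities travel in cleartext, so anyone who can reach the UPS's UDP/161 with that string can read everything this module walks (and write, if the UPS's `public` community happens to be read-write). At minimum move it to a vaulted variable, `community: "{{ snmp_ups_community }}"`, set a non-default community on the UPS and prefer `version: 2`; the TODO at the top of this file already aims at SNMPv3 for the switches and the same reasoning applies here. The exporter itself is only reached on 127.0.0.1:9116 per prometheus.yml, so the exposure is on the UPS side, not the exporter. Separately, the procurve `walk` lists `1.3.6.1.2.1.31.1.1.1` together with its `.10` and `.18` subtrees, so those columns are fetched twice on every scrape.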
@ -90,13 +188,31 @@ ubiquiti_unifi:
|
||||||
indexes:
|
indexes:
|
||||||
- labelname: unifiVapIndex
|
- labelname: unifiVapIndex
|
||||||
type: gauge
|
type: gauge
|
||||||
- name: unifiVapNumStations
|
- name: unifi_vap_num_stations
|
||||||
oid: 1.3.6.1.4.1.41112.1.6.1.2.1.8
|
oid: 1.3.6.1.4.1.41112.1.6.1.2.1.8
|
||||||
type: gauge
|
type: gauge
|
||||||
help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.8'
|
help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.8'
|
||||||
indexes:
|
indexes:
|
||||||
- labelname: unifiVapIndex
|
- labelname: unifi_vap_index
|
||||||
type: gauge
|
type: gauge
|
||||||
|
lookups:
|
||||||
|
- labels: [unifi_vap_index]
|
||||||
|
labelname: unifi_vap_essid
|
||||||
|
oid: 1.3.6.1.4.1.41112.1.6.1.2.1.6
|
||||||
|
type: DisplayString
|
||||||
|
- labels: [unifi_vap_index]
|
||||||
|
labelname: unifi_vap_radio
|
||||||
|
oid: 1.3.6.1.4.1.41112.1.6.1.2.1.9
|
||||||
|
type: DisplayString
|
||||||
|
- labels: []
|
||||||
|
labelname: unifi_vap_index
|
||||||
|
# - name: unifiVapNumStations
|
||||||
|
# oid: 1.3.6.1.4.1.41112.1.6.1.2.1.8
|
||||||
|
# type: gauge
|
||||||
|
# help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.8'
|
||||||
|
# indexes:
|
||||||
|
# - labelname: unifiVapIndex
|
||||||
|
# type: gauge
|
||||||
- name: unifiVapRadio
|
- name: unifiVapRadio
|
||||||
oid: 1.3.6.1.4.1.41112.1.6.1.2.1.9
|
oid: 1.3.6.1.4.1.41112.1.6.1.2.1.9
|
||||||
type: DisplayString
|
type: DisplayString
|
||||||
|
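Review bot: The metric renamed to `unifi_vap_num_stations` sits next to metrics that keep the MIB-style names (`unifiVapRadio` directly below, `unifiVapIndex` in the rule above), so dashboards and alerts now have to mix both conventions; rename the rest of the module in the same change or keep `unifiVapNumStations`. The commented-out copy of the old definition adds nothing the git history does not and should be dropped. The trailing lookup `- labels: []` / `labelname: unifi_vap_index` relies on a non-obvious snmp_exporter idiom (an empty `labels` list removes the named label); a one-line comment such as `# drop the raw index label once essid/radio are attached` would spare the next reader a trip to the docs.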
@ -295,3 +411,4 @@ ubiquiti_unifi:
|
||||||
auth_protocol: SHA
|
auth_protocol: SHA
|
||||||
priv_protocol: AES
|
priv_protocol: AES
|
||||||
priv_password: {{ snmp_unifi_password }}
|
priv_password: {{ snmp_unifi_password }}
|
||||||
|
...
|
||||||
|
|
5
roles/prometheus_federate/handlers/main.yml
Normal file
5
roles/prometheus_federate/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
- name: Restart Prometheus
|
||||||
|
service:
|
||||||
|
name: prometheus
|
||||||
|
state: restarted
|
46
roles/prometheus_federate/tasks/main.yml
Normal file
46
roles/prometheus_federate/tasks/main.yml
Normal file
|
@ -0,0 +1,46 @@
|
||||||
|
---
|
||||||
|
- name: Install Prometheus
|
||||||
|
apt:
|
||||||
|
update_cache: true
|
||||||
|
name:
|
||||||
|
- prometheus
|
||||||
|
register: apt_result
|
||||||
|
retries: 3
|
||||||
|
until: apt_result is succeeded
|
||||||
|
|
||||||
|
- name: Configure Prometheus
|
||||||
|
template:
|
||||||
|
src: prometheus/prometheus.yml.j2
|
||||||
|
dest: /etc/prometheus/prometheus.yml
|
||||||
|
mode: 0644
|
||||||
|
notify: Restart Prometheus
|
||||||
|
|
||||||
|
- name: Configure Prometheus alert rules
|
||||||
|
template:
|
||||||
|
src: "prometheus/{{ item }}.j2"
|
||||||
|
dest: "/etc/prometheus/{{ item }}"
|
||||||
|
mode: 0644
|
||||||
|
notify: Restart Prometheus
|
||||||
|
loop:
|
||||||
|
- alert.rules.yml
|
||||||
|
|
||||||
|
# We don't need to restart Prometheus when updating nodes
|
||||||
|
- name: Configure Prometheus Federate devices
|
||||||
|
copy:
|
||||||
|
content: "{{ [{'targets': prometheus_targets }] | to_nice_json }}"
|
||||||
|
dest: /etc/prometheus/targets.json
|
||||||
|
mode: 0644
|
||||||
|
when: prometheus_targets is defined
|
||||||
|
|
||||||
|
- name: Activate prometheus service
|
||||||
|
systemd:
|
||||||
|
name: prometheus
|
||||||
|
enabled: true
|
||||||
|
state: started
|
||||||
|
|
||||||
|
- name: Indicate role in motd
|
||||||
|
template:
|
||||||
|
src: update-motd.d/05-service.j2
|
||||||
|
dest: /etc/update-motd.d/05-prometheus
|
||||||
|
mode: 0755
|
||||||
|
...
|
|
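Review bot: `Configure Prometheus Federate devices` is skipped entirely when `prometheus_targets` is undefined, so a target removed from the inventory keeps being scraped from a stale /etc/prometheus/targets.json, and on a fresh host the file that prometheus.yml points at is never created. Writing it unconditionally with a default, `content: "{{ [{'targets': prometheus_targets | default([]) }] | to_nice_json }}\n"` and no `when:`, makes the on-disk state follow the variable; the trailing newline also matches the other target files in this commit. As elsewhere in the commit, `mode: 0644` and `mode: 0755` are better written as strings (`mode: "0644"`).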
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
groups:
|
||||||
|
- name: alert.rules
|
||||||
|
rules:
|
||||||
|
- alert: FederateInstanceDown
|
||||||
|
expr: up{job="federate"} == 0
|
||||||
|
for: 3m
|
||||||
|
labels:
|
||||||
|
severity: critical
|
||||||
|
annotations:
|
||||||
|
summary: >-
|
||||||
|
Federate : {{ "{{" }} $labels.instance {{ "}}" }} est invisible
|
||||||
|
depuis plus de 3 minutes !
|
||||||
|
...
|
|
@ -0,0 +1,41 @@
|
||||||
|
---
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
global:
|
||||||
|
external_labels:
|
||||||
|
monitor: '{{ ansible_fqdn }}'
|
||||||
|
|
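Review bot: The playbook applies `re2o-service`, but the router task in this same commit switches to `re2o_service`; only one spelling can exist in the roles directory, so this utility will fail on its `roles:` line once the rename lands — change it to `- re2o_service`. The `hostname: re2o-test.adm.auro.re` inline comment already flags the test instance; a `# NOT FOR PRODUCTION` line in the file header would be harder to miss. The service password is taken from a vaulted variable, which is the right place for it.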
||||||
|
alerting:
|
||||||
|
alertmanagers:
|
||||||
|
- static_configs:
|
||||||
|
- targets: ['{{ prometheus_alertmanager }}']
|
||||||
|
|
||||||
|
rule_files:
|
||||||
|
- 'alert.rules.yml'
|
||||||
|
|
||||||
|
scrape_configs:
|
||||||
|
- job_name: federate
|
||||||
|
scrape_interval: 30s
|
||||||
|
metrics_path: '/federate'
|
||||||
|
honor_labels: true
|
||||||
|
honor_timestamps: true
|
||||||
|
file_sd_configs:
|
||||||
|
- files:
|
||||||
|
- '/etc/prometheus/targets.json'
|
||||||
|
relabel_configs:
|
||||||
|
- source_labels: [__address__]
|
||||||
|
target_label: __param_target
|
||||||
|
- source_labels: [__param_target]
|
||||||
|
target_label: __address__
|
||||||
|
replacement: '$1:9090'
|
||||||
|
params:
|
||||||
|
match[]:
|
||||||
|
- '{job="servers"}'
|
||||||
|
- '{job="prometheus"}'
|
||||||
|
- '{job="unifi_snmp"}'
|
||||||
|
- '{job="django"}'
|
||||||
|
- '{job="ups_snmp"}'
|
||||||
|
- '{job="django"}'
|
||||||
|
- '{job="docker"}'
|
||||||
|
- '{job="switch_snmp"}'
|
||||||
|
...
|
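Review bot: `'{job="django"}'` appears twice in `match[]`; the duplicate is harmless to Prometheus but reads as a copy-paste slip, so drop one. The federate job scrapes `host:9090` over plain HTTP with neither `scheme: https` nor any auth, while the per-site prometheus.yml in this same commit uses `scheme: https` for at least one job; if the federated instances are reached over anything other than the admin network, every metric (host names, UPS state, interface counters) crosses the wire in cleartext and the endpoint is open to anyone on the path — confirm the path is confined or add TLS and `basic_auth`. `replacement: '$1:9090'` also assumes targets.json entries carry no port; a `host:port` entry would become `host:port:9090`.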
4
roles/prometheus_federate/templates/update-motd.d/05-service.j2
Executable file
4
roles/prometheus_federate/templates/update-motd.d/05-service.j2
Executable file
|
@ -0,0 +1,4 @@
|
||||||
|
#!/bin/sh
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
echo "> prometheus a été déployé sur cette machine."
|
||||||
|
echo " Voir /etc/prometheus/"
|
|
@ -106,12 +106,11 @@
|
||||||
|
|
||||||
- name: Install radius requirements (except freeradius-python3)
|
- name: Install radius requirements (except freeradius-python3)
|
||||||
shell:
|
shell:
|
||||||
cmd: "{{ item }}"
|
cmd: "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
|
||||||
chdir: /var/www/re2o/
|
chdir: /var/www/re2o/
|
||||||
loop:
|
|
||||||
- "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
|
|
||||||
- "pip3 install -r pip_requirements.txt"
|
|
||||||
|
|
||||||
|
- name: Install PyPi requirements for radius
|
||||||
|
command: "pip3 install -r /var/www/re2o/pip_requirements.txt"
|
||||||
|
|
||||||
# End of hideousness (hopefully).
|
# End of hideousness (hopefully).
|
||||||
|
|
||||||
|
|
|
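Review bot: `pip3 install -r /var/www/re2o/pip_requirements.txt` runs as root on every play and installs whatever the cloned repository's requirements file names, with no version or hash pinning, so a compromised PyPI release or a pushed change to that file lands on the RADIUS host unnoticed; if the file can be pinned, `--require-hashes` is the usual guard, and the `pip` module (`pip:` with `requirements: /var/www/re2o/pip_requirements.txt` and `executable: pip3`) would at least report changes honestly instead of always `changed`. The apt step still pipes `cat | grep -v | xargs apt-get -y install` through `shell`; reading the file with `slurp` and handing the list to the `apt` module removes the shell and makes the step idempotent. The task list continues outside the hunk.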
@ -30,11 +30,19 @@
|
||||||
mode: 0644
|
mode: 0644
|
||||||
when: "'routeur-aurore' in ansible_hostname"
|
when: "'routeur-aurore' in ansible_hostname"
|
||||||
|
|
||||||
|
- name: Install ipset
|
||||||
|
apt:
|
||||||
|
name: ipset
|
||||||
|
update_cache: true
|
||||||
|
register: apt_result
|
||||||
|
retries: 3
|
||||||
|
until: apt_result is succeeded
|
||||||
|
|
||||||
- name: Install aurore-firewall (re2o-service)
|
- name: Install aurore-firewall (re2o-service)
|
||||||
import_role:
|
import_role:
|
||||||
name: re2o-service
|
name: re2o_service
|
||||||
vars:
|
vars:
|
||||||
service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git
|
service_repo: https://gitea.auro.re/Aurore/aurore-firewall.git
|
||||||
service_name: aurore-firewall
|
service_name: aurore-firewall
|
||||||
service_version: aurore
|
service_version: aurore
|
||||||
service_config:
|
service_config:
|
||||||
|
|
|
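Review bot: Moving `service_repo` to gitea.auro.re keeps `service_version: aurore`, which reads as a branch name rather than a tag or commit; for the code that programs the router's firewall, a mutable ref means whoever can push to that branch changes the firewall on the next run, so consider pinning to a tag or commit hash and bumping it deliberately. The new `Install ipset` task follows the retry pattern used elsewhere in this commit; a comment such as `# presumably needed for the extra_nat_group ipset in config.py` would tie it to the change that motivates it, if that is indeed the reason. The `service_config` mapping continues outside the hunk.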
@ -31,7 +31,7 @@ role = ['routeur']
|
||||||
### Specify each interface role
|
### Specify each interface role
|
||||||
|
|
||||||
interfaces_type = {
|
interfaces_type = {
|
||||||
'routable' : ['ens20', 'ens21'],
|
'routable' : ['ens20', 'ens21', 'ens23'],
|
||||||
'sortie' : ['ens19'],
|
'sortie' : ['ens19'],
|
||||||
'admin' : ['ens18']
|
'admin' : ['ens18']
|
||||||
}
|
}
|
||||||
|
@ -57,9 +57,53 @@ nat = [
|
||||||
},
|
},
|
||||||
'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',
|
'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',
|
||||||
'extra_nat' : {
|
'extra_nat' : {
|
||||||
'10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{
|
'ens19': {
|
||||||
|
'10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{
|
||||||
apartment_block_id }}',
|
apartment_block_id }}',
|
||||||
'10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}'
|
'10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}',
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
'name': 'Accueil',
|
||||||
|
'ip_sources': '10.{{ subnet_ids.users_accueil }}.0.0/16',
|
||||||
|
'extra_nat': {
|
||||||
|
'ens19': {
|
||||||
|
'10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{ apartment_block_id }}',
|
||||||
|
'10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}',
|
||||||
|
},
|
||||||
|
'ens23' : {
|
||||||
|
'10.{{ subnet_ids.users_accueil }}.1.0/24': '10.{{ subnet_ids.users_accueil }}.0.240',
|
||||||
|
'10.{{ subnet_ids.users_accueil }}.2.0/24': '10.{{ subnet_ids.users_accueil }}.0.240',
|
||||||
|
},
|
||||||
|
},
|
||||||
|
'extra_nat_group': {
|
||||||
|
'ens19': 'accueil_ens23_allowed',
|
||||||
|
},
|
||||||
|
},
|
||||||
|
]
|
||||||
|
|
||||||
|
# ATTENTION: on doit avoir retry ≥ grace
|
||||||
|
# ATTENTION: il faut que ip_redirect gère tous les ports
|
||||||
|
# autorisés dans le profile re2o, sinon on laisse sortir
|
||||||
|
# du trafic
|
||||||
|
accueils = [
|
||||||
|
{
|
||||||
|
'iface': 'ens23',
|
||||||
|
'grace_period': 1800,
|
||||||
|
'retry_period': 86400,
|
||||||
|
'ip_sources': [
|
||||||
|
'10.{{ subnet_ids.users_accueil }}.1.0/24',
|
||||||
|
'10.{{ subnet_ids.users_accueil }}.2.0/24',
|
||||||
|
],
|
||||||
|
'ip_redirect': {
|
||||||
|
"tcp": {
|
||||||
|
"10.{{ subnet_ids.users_accueil }}.0.247": ["80", "443"],
|
||||||
|
}
|
||||||
|
},
|
||||||
|
'triggers': [
|
||||||
|
('4', 'tcp', '46.255.53.35', 443), # ComNPay
|
||||||
|
('4', 'tcp', '46.255.53.35', 80),
|
||||||
|
]
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
|
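Review bot: The new `accueils` entry redirects only TCP 80 and 443 (`ip_redirect`), and the comment above it warns that any other port permitted by the re2o profile leaks out unauthenticated; whether DNS (UDP 53) and the rest are dropped by default depends on aurore-firewall code not visible here, so state the expected default in that comment or list the ports that must be blocked. The `triggers` whitelist a single hard-coded ComNPay address, `46.255.53.35`; if the provider moves or the address is reassigned, payment silently breaks or an unrelated host becomes reachable from the captive VLAN, so keep it in a named variable with a note on where it came from and when it was last checked. `retry_period` (86400) does satisfy the `retry ≥ grace` constraint spelled out in the comment. The NAT list this sits in starts outside the hunk.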
@ -41,9 +41,11 @@ nat = [
|
||||||
{
|
{
|
||||||
'name' : 'AdminVlans',
|
'name' : 'AdminVlans',
|
||||||
'extra_nat' : {
|
'extra_nat' : {
|
||||||
'10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}',
|
'ens18': {
|
||||||
'10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
|
'10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}',
|
||||||
'10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}'
|
'10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
|
||||||
|
'10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
|
||||||
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
|
@ -50,6 +50,9 @@ vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 {
|
||||||
|
|
||||||
# Wifi
|
# Wifi
|
||||||
10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
|
10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
|
||||||
|
|
||||||
|
# Accueil
|
||||||
|
10.{{ subnet_ids.users_accueil }}.0.254/16 brd 10.{{ subnet_ids.users_accueil }}.255.255 dev ens23 scope global
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -23,12 +23,14 @@ server:
|
||||||
interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
|
interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
|
||||||
interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
|
interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
|
||||||
interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
|
interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
|
||||||
|
interface: 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix }}
|
||||||
|
|
||||||
|
|
||||||
# IPv6
|
# IPv6
|
||||||
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }}
|
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }}
|
||||||
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }}
|
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }}
|
||||||
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }}
|
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }}
|
||||||
|
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_accueil }}::0:{{ dns_host_suffix }}
|
||||||
|
|
||||||
|
|
||||||
# By default, anything other than localhost is refused.
|
# By default, anything other than localhost is refused.
|
||||||
|
@ -36,12 +38,11 @@ server:
|
||||||
access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
|
access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
|
||||||
access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
|
access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
|
||||||
access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
|
access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
|
||||||
|
access-control: 10.{{ subnet_ids.users_accueil }}.0.0/16 allow
|
||||||
access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :)
|
access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :)
|
||||||
|
|
||||||
num-threads: {{ ansible_processor_vcpus }}
|
num-threads: {{ ansible_processor_vcpus }}
|
||||||
|
|
||||||
private-address: 10.0.0.0/8
|
|
||||||
|
|
||||||
# The host cache TTL affects blacklisting of supposedly bogus hosts.
|
# The host cache TTL affects blacklisting of supposedly bogus hosts.
|
||||||
# The default was 900 (15 minutes).
|
# The default was 900 (15 minutes).
|
||||||
infra-host-ttl: 60
|
infra-host-ttl: 60
|
||||||
|
|
|
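Review bot: Dropping `private-address: 10.0.0.0/8` turns off Unbound's DNS-rebinding protection for the whole 10/8 range on every answer, not just for the internal zones that presumably motivated it (the new accueil interface and the adm.auro.re hosts seen elsewhere in this commit resolve to 10.x). The supported way to allow those answers is to keep the `private-address` line and declare the zones that may legitimately return private addresses, e.g. `private-domain: "adm.auro.re"` (and `auro.re` if its records also carry 10.x), so a public name resolving to 10.x is still rejected. The new `access-control` line for the accueil subnet matches the existing per-subnet allows.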
@ -10,8 +10,19 @@
|
||||||
roles:
|
roles:
|
||||||
- passbolt
|
- passbolt
|
||||||
|
|
||||||
# Deploy reverse proxy
|
- hosts: reverseproxy
|
||||||
- hosts: proxy*.adm.auro.re
|
vars:
|
||||||
|
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
|
||||||
|
nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
|
||||||
|
reverseproxy: '{{ glob_reverseproxy | default({}) | combine(loc_reverseproxy | default({})) }}'
|
||||||
roles:
|
roles:
|
||||||
- certbot
|
- certbot
|
||||||
- nginx_reverseproxy
|
- nginx
|
||||||
|
|
||||||
|
- hosts: nginx,!reverseproxy
|
||||||
|
vars:
|
||||||
|
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
|
||||||
|
nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
|
||||||
|
roles:
|
||||||
|
- certbot
|
||||||
|
- nginx
|
||||||
|
|
5
test.sh
5
test.sh
|
@ -1,5 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
for ip in `cat hosts|grep pacaterie.adm.auro.re`; do
|
|
||||||
ssh-copy-id $ip
|
|
||||||
done
|
|
||||||
|
|
4
utils/README.md
Normal file
4
utils/README.md
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
# Utils
|
||||||
|
|
||||||
|
A repository of Ansible Playbooks that are useful, as little script or various
|
||||||
|
utilities, but not used in production.
|
13
utils/re2o_mail_server.yml
Executable file
13
utils/re2o_mail_server.yml
Executable file
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
# Deploy Re2o mail service
|
||||||
|
- hosts: mail.auro.re
|
||||||
|
vars:
|
||||||
|
service_repo: https://gitea.auro.re/aurore/re2o-mail-server.git
|
||||||
|
service_name: mail-server
|
||||||
|
service_version: aurore
|
||||||
|
service_config:
|
||||||
|
hostname: re2o-test.adm.auro.re # use test instance for now, should be changed for prod!
|
||||||
|
username: service-user
|
||||||
|
password: "{{ vault_serviceuser_passwd }}"
|
||||||
|
roles:
|
||||||
|
- re2o-service
|
31
utils/reboot_needed_check.yml
Executable file
31
utils/reboot_needed_check.yml
Executable file
|
@ -0,0 +1,31 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
# Check if a reboot is required by the installation of some packages (ie kernel)
|
||||||
|
- hosts: localhost
|
||||||
|
tasks:
|
||||||
|
- name: Make sure local file exist but is empty # weird hack, I know
|
||||||
|
copy:
|
||||||
|
dest: /tmp/ansible_dump_reboot_needed.txt
|
||||||
|
content: ""
|
||||||
|
force: true
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
- hosts: all,!unifi,!escalope.adm.auro.re,!loki.adm.auro.re,!viviane.adm.auro.re,!vpn-ovh.adm.auro.re
|
||||||
|
tasks:
|
||||||
|
# Register the output of the file /var/run/reboot-required.pkgs
|
||||||
|
- name: Register if boot is required
|
||||||
|
shell: if [ -e /var/run/reboot-required.pkgs ]; then cat /var/run/reboot-required.pkgs; fi
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- name: DEBUG
|
||||||
|
debug:
|
||||||
|
msg: "{{ ansible_facts['nodename'] }} : {{ result.stdout }}"
|
||||||
|
when: result.stdout is defined
|
||||||
|
|
||||||
|
# Add info line by line
|
||||||
|
- name: Dump all info into the local file
|
||||||
|
delegate_to: localhost
|
||||||
|
lineinfile:
|
||||||
|
path: /tmp/ansible_dump_reboot_needed.txt
|
||||||
|
line: "{{ ansible_facts['nodename'] }} : {{ result.stdout }}"
|
||||||
|
when: result.stdout is defined
|
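Review bot: The `when: result.stdout is defined` guard on the DEBUG and dump tasks never filters anything, because a registered `shell` result always carries `stdout` (an empty string when `/var/run/reboot-required.pkgs` is absent), so hosts that need no reboot are still written to the file as `name : ` lines; test the content instead with `when: result.stdout | length > 0`. The shell task only reads a file but is reported as changed on every run; add `changed_when: false`, or replace the `shell` with `ansible.builtin.stat` plus `ansible.builtin.slurp` so no shell is involved. The `lineinfile` delegated to localhost runs once per target host under Ansible's default parallelism, and concurrent read-modify-write of the same `/tmp/ansible_dump_reboot_needed.txt` can drop lines; `throttle: 1` on that task (or one `run_once` task iterating `ansible_play_hosts`) keeps the writes sequential. A world-readable, predictable path in `/tmp` with `force: true` is also writable territory for other users on a shared controller; writing under the playbook directory or `~/.cache` would be safer.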
21
utils/version_check.yml
Executable file
21
utils/version_check.yml
Executable file
|
@ -0,0 +1,21 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
# Check for the distribution
|
||||||
|
- hosts: localhost
|
||||||
|
tasks:
|
||||||
|
- name: Make sure local file exist but is empty # weird hack, I know
|
||||||
|
copy:
|
||||||
|
dest: /tmp/ansible_dump_reboot_needed.txt
|
||||||
|
content: ""
|
||||||
|
force: true
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
- hosts: all,!unifi
|
||||||
|
tasks:
|
||||||
|
# Add info line by line
|
||||||
|
- name: Dump all info into the local file
|
||||||
|
delegate_to: localhost
|
||||||
|
lineinfile:
|
||||||
|
path: /tmp/ansible_dump_dist_version.txt
|
||||||
|
line: "[{{ ansible_facts['nodename'] }}] {{ ansible_fqdn }} : {{
|
||||||
|
ansible_distribution }} {{ ansible_distribution_version }}"
|
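Review bot: The localhost setup task truncates `/tmp/ansible_dump_reboot_needed.txt`, but the dump task appends to `/tmp/ansible_dump_dist_version.txt`, so the version report is never cleared between runs and accumulates stale lines while the unrelated reboot-check file is wiped instead; change the copy target to `dest: /tmp/ansible_dump_dist_version.txt`. Defining the path once as a play var (for example `dump_file: /tmp/ansible_dump_dist_version.txt`) and using it in both tasks would stop the two from drifting again. The `lineinfile` delegated to localhost runs concurrently for every host and can lose lines on the same file; `throttle: 1` on that task keeps the writes sequential. The header comment `# Check for the distribution` would read better as `# Collect each host's distribution and version into a local file`, and `mode: 0644` should be quoted as `'0644'` per Ansible convention so the YAML parser does not retype it.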