diff --git a/README.md b/README.md
index 541ca42..5f2da81 100644
--- a/README.md
+++ b/README.md
@@ -2,8 +2,9 @@
 # Recettes Ansible d'Aurore
-Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore.
-Pour les utiliser, vérifiez que vous avez au moins Ansible 2.7.
+Dépendances requises :
+
+ * Ansible 2.9 ou plus récent.
 ## Ansible 101
diff --git a/ansible.cfg b/ansible.cfg
index e2d6a32..c5f49b4 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -2,6 +2,9 @@
 [defaults]
+# Explicitly redefine some defaults to make subfolder execution work
+roles_path = ./roles
+
 # Do not create .retry files
 retry_files_enabled = False
diff --git a/deploy_all.sh b/deploy_all.sh
new file mode 100755
index 0000000..f450a8f
--- /dev/null
+++ b/deploy_all.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Deploy all playbooks
+ansible-playbook playbooks/*.yml $@
diff --git a/deploy_postfix_non_mailhost.yml b/deploy_postfix_non_mailhost.yml
deleted file mode 100755
index 741d653..0000000
--- a/deploy_postfix_non_mailhost.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/usr/bin/env ansible-playbook
----
-# Deploy a correclty configured postfix on non mailhost servers
-- hosts: all,!unifi
- vars:
- local_network: 10.128.0.0/16
- relay_host: proxy.adm.auro.re
- roles:
- - postfix_non_mailhost
diff --git a/network.yml b/network.yml
deleted file mode 100755
index dee41b3..0000000
--- a/network.yml
+++ /dev/null
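Review bot: `roles_path = ./roles` replaces Ansible's default search list instead of extending it, so roles installed under the user or system galaxy paths (`~/.ansible/roles`, `/usr/share/ansible/roles`, `/etc/ansible/roles`) are no longer found once this file is in effect. If the repository is meant to be self-contained that is the right call, but the comment only says "redefine some defaults" while a single value is set; make the intent explicit, e.g. `# Only roles vendored in ./roles are used; the global galaxy paths are dropped on purpose`. Note that a relative value here is resolved against the directory holding ansible.cfg, which is what makes the playbooks/ subfolder work.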
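Review bot: `$@` on the `ansible-playbook` line is unquoted, so any argument containing whitespace or glob characters (an `-e 'var=some value'`, or a `--limit` pattern with `*`) is re-split and re-globbed by the shell before ansible-playbook sees it; write it as `"$@"`. The script also resolves `playbooks/*.yml` against the caller's working directory, and Ansible only reads `ansible.cfg` from that same directory, so running it from anywhere else silently uses neither the playbooks nor the `roles_path` set above; `set -eu` followed by `cd "$(dirname "$0")"` before the call fixes both. Since every playbook is passed in one invocation, a failure in one aborts all that follow, which is worth stating in the header comment so operators are not surprised.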
@@ -1,82 +0,0 @@
-#!/usr/bin/env ansible-playbook
----
-# Set up DHCP servers.
-- hosts: dhcp-*.adm.auro.re
- vars:
- update_motd:
- unbound: isc-dhcp-server est déployé.
- roles:
- - isc_dhcp_server
- - update_motd
-
-# Deploy unbound DNS server (recursive).
-- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
- vars:
- update_motd:
- unbound: Unbound est déployé.
- roles:
- - unbound
- - update_motd
-
-# Déploiement du service re2o aurore-firewall et keepalived
-# radvd: IPv6 SLAAC (/64 subnets, private IPs).
-# Must NOT be on routeur-aurore-*, or will with DHCPv6!
-- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
- vars:
- update_motd:
- unbound: Le routage (avec radvd) est déployé.
- roles:
- - router
- - radvd
- - update_motd
-
-# No radvd here
-- hosts: ~routeur-aurore.*\.adm\.auro\.re
- vars:
- update_motd:
- unbound: Le routage (avec DHCPv6) est déployé.
- roles:
- - router
- - ipv6_edge_router
- - update_motd
-
-# Radius (backup only for now)
-- hosts: radius-*.adm.auro.re
- vars:
- update_motd:
- unbound: FreeRADIUS est déployé.
- roles:
- - radius
- - update_motd
-
-# WIP: Deploy authoritative DNS servers
-# - hosts: authoritative_dns
-# vars:
-# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
-# service_name: dns
-# service_version: crans
-# service_config:
-# hostname: re2o-server.adm.auro.re
-# username: service-user
-# password: "{{ vault_serviceuser_passwd }}"
-# roles:
-# - re2o_service
-
-
-# Deploy Unifi Controller
-# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
-# roles:
-# - unifi-controller
-
-# Deploy Re2o switch service
-# - hosts: switchs-manager.adm.auro.re
-# vars:
-# service_repo: https://gitlab.federez.net/re2o/switchs.git
-# service_name: switchs
-# service_version: master
-# service_config:
-# hostname: re2o-server.adm.auro.re
-# username: service-user
-# password: "{{ vault_serviceuser_passwd }}"
-# roles:
-# - re2o_service
diff --git a/base.yml b/playbooks/base.yml
similarity index 63%
rename from base.yml
rename to playbooks/base.yml
index ed05dbd..6126147 100755
--- a/base.yml
+++ b/playbooks/base.yml
@@ -5,14 +5,6 @@
 roles:
 - baseconfig
 - basesecurity
- - update_motd
-
-# Plug LDAP on all servers
-- hosts: all,!unifi
- roles:
 - ldap_client
-
-# Install logrotate
-- hosts: all,!unifi,!pve
- roles:
 - logrotate
+ - update_motd
diff --git a/backups.yml b/playbooks/borgbackup.yml
similarity index 90%
rename from backups.yml
rename to playbooks/borgbackup.yml
index 60200b9..df8c37e 100755
--- a/backups.yml
+++ b/playbooks/borgbackup.yml
@@ -10,7 +10,7 @@
 - borgbackup_server
 - update_motd
-- hosts: all,!unifi,!unifi-*,!wiki.adm.auro.re
+- hosts: all,!unifi,!unifi-*
 vars:
 update_motd:
 borgbackup_client: >-
diff --git a/playbooks/docker.yml b/playbooks/docker.yml
new file mode 100755
index 0000000..9d64f11
--- /dev/null
+++ b/playbooks/docker.yml
@@ -0,0 +1,10 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy Docker hosts
+- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,wikijs.adm.auro.re
+ vars:
+ update_motd:
+ docker: Docker est déployé.
+ roles:
+ - docker
+ - update_motd
diff --git a/grafana.yml b/playbooks/grafana.yml
similarity index 100%
rename from grafana.yml
rename to playbooks/grafana.yml
diff --git a/playbooks/isc-dhcp-server.yml b/playbooks/isc-dhcp-server.yml
new file mode 100755
index 0000000..c46b691
--- /dev/null
+++ b/playbooks/isc-dhcp-server.yml
@@ -0,0 +1,9 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: dhcp-*.adm.auro.re
+ vars:
+ update_motd:
+ unbound: isc-dhcp-server est déployé.
+ roles:
+ - isc_dhcp_server
+ - update_motd
diff --git a/playbooks/knot.yml b/playbooks/knot.yml
new file mode 100755
index 0000000..43b59c3
--- /dev/null
+++ b/playbooks/knot.yml
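Review bot: Folding `ldap_client` and `logrotate` into the first play's role list drops the host exclusions the two removed plays carried (`all,!unifi` for ldap_client, `all,!unifi,!pve` for logrotate); both roles now run on whatever the base play targets, and that play's `hosts:` line sits above the hunk, so I cannot confirm from here whether unifi or pve hosts are now included. If those exclusions were deliberate, in particular keeping logrotate off the pve hosts, either keep the separate plays or guard the entries, e.g. `- role: logrotate` with `when: "'pve' not in group_names"` (assuming `pve` is an inventory group), and record the reason next to the role list.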
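Review bot: The `hosts:` list of the new Docker play omits `stream.adm.auro.re`, which the play removed from `services_web.yml` later in this diff still targeted; everything else in the play is carried over unchanged. Nothing in the commit says that host was decommissioned, so either re-add it or note the removal in the play comment, e.g. `# stream.adm.auro.re dropped on purpose: <reason placeholder>`.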
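Review bot: The `update_motd` entry is keyed `unbound` although this play deploys isc-dhcp-server; the same copy-pasted key is carried into `playbooks/radius.yml` and both plays of `playbooks/router.yml`. The role is not in this diff, but if `update_motd` emits one motd line per key (as the distinct `docker:` and `postgresql:` keys elsewhere in this diff suggest), a DHCP server's motd is labelled as Unbound, and a host matched by two of these plays has one entry overwrite the other; rename them to `isc_dhcp_server:`, `radius:` and `router:`. The play also lost the `# Set up DHCP servers.` header comment that `network.yml` had; restoring it keeps the file consistent with the other new playbooks.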
@@ -0,0 +1,17 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: all
+ roles: []
+
+# WIP: Deploy authoritative DNS servers
+# - hosts: authoritative_dns
+# vars:
+# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
+# service_name: dns
+# service_version: crans
+# service_config:
+# hostname: re2o-server.adm.auro.re
+# username: service-user
+# password: "{{ vault_serviceuser_passwd }}"
+# roles:
+# - re2o_service
diff --git a/ldap_replica.yml b/playbooks/ldap_replica.yml
similarity index 60%
rename from ldap_replica.yml
rename to playbooks/ldap_replica.yml
index b921957..d9042a2 100755
--- a/ldap_replica.yml
+++ b/playbooks/ldap_replica.yml
@@ -1,7 +1,10 @@
 #!/usr/bin/env ansible-playbook
 ---
+- hosts: all
+ roles: []
+
 # Clone LDAP on local geographic location
 # DON'T DO THIS AS IT RECREATES THE REPLICA
-- hosts: ldap_replica
- roles:
- - ldap_replica
+#- hosts: ldap_replica
+# roles:
+# - ldap_replica
diff --git a/matrix.yml b/playbooks/matrix-synapse.yml
similarity index 79%
rename from matrix.yml
rename to playbooks/matrix-synapse.yml
index 4cec87b..88213aa 100755
--- a/matrix.yml
+++ b/playbooks/matrix-synapse.yml
@@ -1,6 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
-# Install Matrix Synapse on corresponding containers
+# Install Matrix Synapse
 - hosts: synapse.adm.auro.re
 vars:
 mxisd_releases: https://github.com/kamax-matrix/mxisd/releases
@@ -16,8 +16,3 @@
 - matrix_appservice_irc
 - matrix_appservice_webhooks
 - update_motd
-
-# Install Matrix services
-- hosts: matrix-services.adm.auro.re
- roles:
- - debian_backports
diff --git a/services_web.yml b/playbooks/nginx.yml
similarity index 72%
rename from services_web.yml
rename to playbooks/nginx.yml
index d79a735..656f83b 100755
--- a/services_web.yml
+++ b/playbooks/nginx.yml
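Review bot: The `- hosts: all` play with `roles: []` applies nothing, yet it still connects to and gathers facts from every inventory host each time `deploy_all.sh` runs; the same placeholder is added to `playbooks/ldap_replica.yml` (this line), `playbooks/switchs-manager.yml` and `playbooks/unifi.yml`. Presumably it exists only so a file whose real play is commented out is still accepted as a playbook (the commit does not say), in which case add `gather_facts: false` to it and a comment such as `# Placeholder play: keeps the file a valid playbook while the real play below is WIP`, or keep these files out of the `playbooks/*.yml` glob until they do something.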
@@ -1,19 +1,5 @@
 #!/usr/bin/env ansible-playbook
 ---
-# Deploy Docker hosts
-- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,stream.adm.auro.re,wikijs.adm.auro.re
- vars:
- update_motd:
- docker: Docker est déployé.
- roles:
- - docker
- - update_motd
-
-# Deploy Passbolt
-- hosts: passbolt.adm.auro.re
- roles:
- - passbolt
-
 - hosts: reverseproxy
 vars:
 certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
diff --git a/utils/re2o_mail_server.yml b/playbooks/postfix.yml
similarity index 63%
rename from utils/re2o_mail_server.yml
rename to playbooks/postfix.yml
index 79fd7ff..0f24dc9 100755
--- a/utils/re2o_mail_server.yml
+++ b/playbooks/postfix.yml
@@ -1,4 +1,13 @@
+#!/usr/bin/env ansible-playbook
 ---
+# Deploy Postfix on non mailhost servers
+- hosts: all,!unifi
+ vars:
+ local_network: 10.128.0.0/16
+ relay_host: proxy.adm.auro.re
+ roles:
+ - postfix_non_mailhost
+
 # Deploy Re2o mail service
 - hosts: mail.auro.re
 vars:
@@ -10,4 +19,4 @@
 username: service-user
 password: "{{ vault_serviceuser_passwd }}"
 roles:
- - re2o-service
+ - re2o_service
diff --git a/bdd.yml b/playbooks/postgresql.yml
similarity index 56%
rename from bdd.yml
rename to playbooks/postgresql.yml
index da4248d..1b587f1 100755
--- a/bdd.yml
+++ b/playbooks/postgresql.yml
@@ -1,7 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
-# Install and configure bdd servers at Saclay and at OVH
-- hosts: bdd,!re2o-bdd.adm.auro.re,!services-bdd-local.adm.auro.re
+# Install and configure database servers at Saclay and at OVH
+- hosts: bdd.adm.auro.re,bdd-ovh.adm.auro.re
 vars:
 update_motd:
 postgresql: PostgreSQL est déployé.
diff --git a/monitoring.yml b/playbooks/prometheus.yml
similarity index 100%
rename from monitoring.yml
rename to playbooks/prometheus.yml
diff --git a/playbooks/radius.yml b/playbooks/radius.yml
new file mode 100755
index 0000000..b48765e
--- /dev/null
+++ b/playbooks/radius.yml
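Review bot: The removed `# Deploy Passbolt` play (`passbolt.adm.auro.re`, role `passbolt`) has no counterpart anywhere in this diff, unlike the Docker play that moved to `playbooks/docker.yml`, so after this commit nothing applies the passbolt role. If the host is gone, say so in the commit message; otherwise it belongs in its own `playbooks/passbolt.yml` like the other services. The remaining `reverseproxy` play continues below the hunk.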
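Review bot: The new `- hosts: all,!unifi` play applies `postfix_non_mailhost` (relaying through `proxy.adm.auro.re`) to every host except unifi, and if `mail.auro.re` is a member of `all` as the second play suggests, that includes the mail host itself; one run of this playbook then configures Postfix on that host twice, first as a relay client and then as the Re2o mail server, and which settings survive depends on what the two roles overwrite. Before this commit the two plays lived in separate playbooks, so the overlap only happened when an operator ran both. Excluding the mail host explicitly, `- hosts: all,!unifi,!mail.auro.re`, removes the ambiguity; the second play runs past the hunk's last line, so I cannot see whether it has its own exclusions.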
@@ -0,0 +1,10 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy Radius
+- hosts: radius-*.adm.auro.re
+ vars:
+ update_motd:
+ unbound: FreeRADIUS est déployé.
+ roles:
+ - radius
+ - update_motd
diff --git a/playbooks/router.yml b/playbooks/router.yml
new file mode 100755
index 0000000..c273f0d
--- /dev/null
+++ b/playbooks/router.yml
@@ -0,0 +1,23 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy firewall and keepalived
+# radvd: IPv6 SLAAC (/64 subnets, private IPs).
+# Must NOT be on routeur-aurore-*, or will with DHCPv6!
+- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
+ vars:
+ update_motd:
+ unbound: Le routage (avec radvd) est déployé.
+ roles:
+ - router
+ - radvd
+ - update_motd
+
+# No radvd here
+- hosts: ~routeur-aurore.*\.adm\.auro\.re
+ vars:
+ update_motd:
+ unbound: Le routage (avec DHCPv6) est déployé.
+ roles:
+ - router
+ - ipv6_edge_router
+ - update_motd
diff --git a/log.yml b/playbooks/rsyslog.yml
similarity index 100%
rename from log.yml
rename to playbooks/rsyslog.yml
diff --git a/playbooks/switchs-manager.yml b/playbooks/switchs-manager.yml
new file mode 100755
index 0000000..c8f2a1b
--- /dev/null
+++ b/playbooks/switchs-manager.yml
@@ -0,0 +1,17 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: all
+ roles: []
+
+# Deploy Re2o switch service
+# - hosts: switchs-manager.adm.auro.re
+# vars:
+# service_repo: https://gitlab.federez.net/re2o/switchs.git
+# service_name: switchs
+# service_version: master
+# service_config:
+# hostname: re2o-server.adm.auro.re
+# username: service-user
+# password: "{{ vault_serviceuser_passwd }}"
+# roles:
+# - re2o_service
diff --git a/playbooks/unbound.yml b/playbooks/unbound.yml
new file mode 100755
index 0000000..d443aec
--- /dev/null
+++ b/playbooks/unbound.yml
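Review bot: The third header comment of `playbooks/router.yml`, `# Must NOT be on routeur-aurore-*, or will with DHCPv6!`, is carried over verbatim from `network.yml` and is missing its verb (presumably "conflict"), so a reader no longer learns what actually goes wrong. Since keeping radvd off the hosts that get `ipv6_edge_router` is exactly the split the two plays encode, say it plainly, e.g. `# Must NOT run on routeur-aurore-*: those hosts use DHCPv6 via ipv6_edge_router (second play) and radvd would conflict with it`. The first comment also dropped the "re2o aurore-firewall" mention the old file had; if that is still what the `router` role installs, keeping it helps when grepping for the firewall.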
@@ -0,0 +1,10 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy unbound DNS server (recursive).
+- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
+ vars:
+ update_motd:
+ unbound: Unbound est déployé.
+ roles:
+ - unbound
+ - update_motd
diff --git a/playbooks/unifi.yml b/playbooks/unifi.yml
new file mode 100755
index 0000000..638580e
--- /dev/null
+++ b/playbooks/unifi.yml
@@ -0,0 +1,9 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: all
+ roles: []
+
+# Deploy Unifi Controller
+# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
+# roles:
+# - unifi-controller
diff --git a/utils/sudo_upgrade.yml b/utils/sudo_upgrade.yml
deleted file mode 100755
index 45b01ad..0000000
--- a/utils/sudo_upgrade.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/env ansible-playbook
----
-# This is a special playbook to upgrade sudo everywhere after the
-# CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
-# Please always use with --limit myserver.adm.auro.re
-# And list updates with --check
-- hosts: all
- tasks:
- - name: Upgrade sudo
- apt:
- name: sudo
- state: latest
- update_cache: true
- cache_valid_time: 3600 # one hour
- register: apt_result
- retries: 3
- until: apt_result is succeeded