Move playbooks in subfolder #73
24 changed files with 135 additions and 146 deletions
|
@ -2,8 +2,9 @@
|
||||||
|
|
||||||
# Recettes Ansible d'Aurore
|
# Recettes Ansible d'Aurore
|
||||||
|
|
||||||
Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore.
|
Dépendances requises :
|
||||||
Pour les utiliser, vérifiez que vous avez au moins Ansible 2.7.
|
|
||||||
|
* Ansible 2.9 ou plus récent.
|
||||||
|
|
||||||
## Ansible 101
|
## Ansible 101
|
||||||
|
|
||||||
|
|
|
@ -2,6 +2,9 @@
|
||||||
|
|
||||||
[defaults]
|
[defaults]
|
||||||
|
|
||||||
|
# Explicitly redefine some defaults to make subfolder execution work
|
||||||
|
roles_path = ./roles
|
||||||
|
|
||||||
# Do not create .retry files
|
# Do not create .retry files
|
||||||
retry_files_enabled = False
|
retry_files_enabled = False
|
||||||
|
|
||||||
|
|
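Review bot: The comment above `roles_path = ./roles` should state what the path is relative to, because Ansible resolves a relative `path`/`pathlist` setting against the directory of the ansible.cfg that defined it, not against the shell's working directory (the `{{CWD}}` token exists to force the latter). That is what makes `ansible-playbook playbooks/x.yml` from the repository root find `roles/`, but it only works while this ansible.cfg is the one loaded, i.e. the command is run from the repository root or `ANSIBLE_CONFIG` points at it; running from inside `playbooks/` ignores this file entirely and falls back to the default role search path. Suggested comment: `# Relative to this file: lets playbooks/*.yml find roles/ when run from the repo root`. "Some defaults" also overstates it while only one key is redefined.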
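--- a/deploy_all.sh
+++ b/deploy_all.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Deploy all playbooks
+ansible-playbook playbooks/*.yml $@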
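Review bot: `$@` on the last line is unquoted, so any argument containing whitespace (for example `--limit 'a b'` or `-e 'key=some value'`) is word-split before it reaches ansible-playbook; it should be `"$@"`. The glob `playbooks/*.yml` is also evaluated against the caller's working directory, so invoking the script from anywhere else passes the literal pattern and fails, and the repository's ansible.cfg is not picked up either; `cd "$(dirname "$0")" || exit 1` before the call fixes both, followed by `exec ansible-playbook playbooks/*.yml "$@"`. Since the playbooks are run in glob (alphabetical) order, the header comment should say so if any of them depends on another having run first.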
@ -1,9 +0,0 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
---
|
|
||||||
# Deploy a correclty configured postfix on non mailhost servers
|
|
||||||
- hosts: all,!unifi
|
|
||||||
vars:
|
|
||||||
local_network: 10.128.0.0/16
|
|
||||||
relay_host: proxy.adm.auro.re
|
|
||||||
roles:
|
|
||||||
- postfix_non_mailhost
|
|
82
network.yml
|
@ -1,82 +0,0 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
---
|
|
||||||
# Set up DHCP servers.
|
|
||||||
- hosts: dhcp-*.adm.auro.re
|
|
||||||
vars:
|
|
||||||
update_motd:
|
|
||||||
unbound: isc-dhcp-server est déployé.
|
|
||||||
roles:
|
|
||||||
- isc_dhcp_server
|
|
||||||
- update_motd
|
|
||||||
|
|
||||||
# Deploy unbound DNS server (recursive).
|
|
||||||
- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
|
|
||||||
vars:
|
|
||||||
update_motd:
|
|
||||||
unbound: Unbound est déployé.
|
|
||||||
roles:
|
|
||||||
- unbound
|
|
||||||
- update_motd
|
|
||||||
|
|
||||||
# Déploiement du service re2o aurore-firewall et keepalived
|
|
||||||
# radvd: IPv6 SLAAC (/64 subnets, private IPs).
|
|
||||||
# Must NOT be on routeur-aurore-*, or will with DHCPv6!
|
|
||||||
- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
|
|
||||||
vars:
|
|
||||||
update_motd:
|
|
||||||
unbound: Le routage (avec radvd) est déployé.
|
|
||||||
roles:
|
|
||||||
- router
|
|
||||||
- radvd
|
|
||||||
- update_motd
|
|
||||||
|
|
||||||
# No radvd here
|
|
||||||
- hosts: ~routeur-aurore.*\.adm\.auro\.re
|
|
||||||
vars:
|
|
||||||
update_motd:
|
|
||||||
unbound: Le routage (avec DHCPv6) est déployé.
|
|
||||||
roles:
|
|
||||||
- router
|
|
||||||
- ipv6_edge_router
|
|
||||||
- update_motd
|
|
||||||
|
|
||||||
# Radius (backup only for now)
|
|
||||||
- hosts: radius-*.adm.auro.re
|
|
||||||
vars:
|
|
||||||
update_motd:
|
|
||||||
unbound: FreeRADIUS est déployé.
|
|
||||||
roles:
|
|
||||||
- radius
|
|
||||||
- update_motd
|
|
||||||
|
|
||||||
# WIP: Deploy authoritative DNS servers
|
|
||||||
# - hosts: authoritative_dns
|
|
||||||
# vars:
|
|
||||||
# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
|
|
||||||
# service_name: dns
|
|
||||||
# service_version: crans
|
|
||||||
# service_config:
|
|
||||||
# hostname: re2o-server.adm.auro.re
|
|
||||||
# username: service-user
|
|
||||||
# password: "{{ vault_serviceuser_passwd }}"
|
|
||||||
# roles:
|
|
||||||
# - re2o_service
|
|
||||||
|
|
||||||
|
|
||||||
# Deploy Unifi Controller
|
|
||||||
# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
|
|
||||||
# roles:
|
|
||||||
# - unifi-controller
|
|
||||||
|
|
||||||
# Deploy Re2o switch service
|
|
||||||
# - hosts: switchs-manager.adm.auro.re
|
|
||||||
# vars:
|
|
||||||
# service_repo: https://gitlab.federez.net/re2o/switchs.git
|
|
||||||
# service_name: switchs
|
|
||||||
# service_version: master
|
|
||||||
# service_config:
|
|
||||||
# hostname: re2o-server.adm.auro.re
|
|
||||||
# username: service-user
|
|
||||||
# password: "{{ vault_serviceuser_passwd }}"
|
|
||||||
# roles:
|
|
||||||
# - re2o_service
|
|
|
@ -5,14 +5,6 @@
|
||||||
roles:
|
roles:
|
||||||
- baseconfig
|
- baseconfig
|
||||||
- basesecurity
|
- basesecurity
|
||||||
- update_motd
|
|
||||||
|
|
||||||
# Plug LDAP on all servers
|
|
||||||
- hosts: all,!unifi
|
|
||||||
roles:
|
|
||||||
- ldap_client
|
- ldap_client
|
||||||
|
|
||||||
# Install logrotate
|
|
||||||
- hosts: all,!unifi,!pve
|
|
||||||
roles:
|
|
||||||
- logrotate
|
- logrotate
|
||||||
|
- update_motd
|
|
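Review bot: Folding `logrotate` into the first play drops the `!pve` exclusion that the removed `- hosts: all,!unifi,!pve` play carried, so unless the enclosing play's `hosts:` (which starts before this hunk) also excludes `pve`, logrotate will now be pushed to the Proxmox hosts. The same applies to `ldap_client`, whose former play was limited to `all,!unifi`. If widening the targets is intended it deserves a sentence in the commit message; otherwise keep those roles in a separate play or add the exclusions to the first play's pattern.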
@ -10,7 +10,7 @@
|
||||||
- borgbackup_server
|
- borgbackup_server
|
||||||
- update_motd
|
- update_motd
|
||||||
|
|
||||||
- hosts: all,!unifi,!unifi-*,!wiki.adm.auro.re
|
- hosts: all,!unifi,!unifi-*
|
||||||
vars:
|
vars:
|
||||||
update_motd:
|
update_motd:
|
||||||
borgbackup_client: >-
|
borgbackup_client: >-
|
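Review bot: Changing the host pattern from `all,!unifi,!unifi-*,!wiki.adm.auro.re` to `all,!unifi,!unifi-*` silently adds wiki.adm.auro.re to the `borgbackup_client` play, which is a behaviour change hidden in a commit titled as a move. If wiki is now meant to be backed up, say so in the commit message; if not, restore the exclusion. The play's `vars:` block continues past the hunk.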
10
playbooks/docker.yml
Executable file
|
@ -0,0 +1,10 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
# Deploy Docker hosts
|
||||||
|
- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,wikijs.adm.auro.re
|
||||||
|
vars:
|
||||||
|
update_motd:
|
||||||
|
docker: Docker est déployé.
|
||||||
|
roles:
|
||||||
|
- docker
|
||||||
|
- update_motd
|
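Review bot: The host list here omits `stream.adm.auro.re`, which the docker play removed further down in this commit (old line `- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,stream.adm.auro.re,wikijs.adm.auro.re`) still targeted, so that host stops receiving the docker role without any mention in the commit title. If this is deliberate, a comment such as `# stream.adm.auro.re intentionally not listed` or a line in the commit message would stop it being re-added by the next reader; otherwise it should be restored. Hard-coding hostnames also means every new docker host needs an edit here rather than an inventory group change.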
9
playbooks/isc-dhcp-server.yml
Executable file
|
@ -0,0 +1,9 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
- hosts: dhcp-*.adm.auro.re
|
||||||
|
vars:
|
||||||
|
update_motd:
|
||||||
|
unbound: isc-dhcp-server est déployé.
|
||||||
|
roles:
|
||||||
|
- isc_dhcp_server
|
||||||
|
- update_motd
|
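Review bot: The `update_motd` entry uses the key `unbound:` for a DHCP server play (`unbound: isc-dhcp-server est déployé.`), which looks copied from the unbound play; `playbooks/radius.yml` and `playbooks/router.yml` reuse the same key. If the key is meant to name the service the message is about, these should be something like `isc_dhcp_server:`; if the `update_motd` role treats the key as an opaque label it is harmless but still misleading, so confirm against the role before changing it. This file is also the only new playbook without a description comment; suggest `# Deploy ISC DHCP servers` above the play.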
17
playbooks/knot.yml
Executable file
|
@ -0,0 +1,17 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
- hosts: all
|
||||||
|
roles: []
|
||||||
|
|
||||||
|
# WIP: Deploy authoritative DNS servers
|
||||||
|
# - hosts: authoritative_dns
|
||||||
|
# vars:
|
||||||
|
# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
|
||||||
|
# service_name: dns
|
||||||
|
# service_version: crans
|
||||||
|
# service_config:
|
||||||
|
# hostname: re2o-server.adm.auro.re
|
||||||
|
# username: service-user
|
||||||
|
# password: "{{ vault_serviceuser_passwd }}"
|
||||||
|
# roles:
|
||||||
|
# - re2o_service
|
|
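Review bot: The placeholder play `- hosts: all` with `roles: []` deploys nothing but still connects to every inventory host and gathers facts each time `deploy_all.sh` runs the file; the same stub appears in `playbooks/switchs-manager.yml`, `playbooks/unifi.yml` and the ldap playbook hunk. Either add `gather_facts: false` to the stub, or point it at `localhost` with `connection: local`, so a WIP file costs nothing on a full deploy. A short comment explaining the stub (`# Placeholder so this stays a valid playbook; the real play below is not ready`) would also stop someone from deleting it or uncommenting the block by mistake.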
@ -1,7 +1,10 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
#!/usr/bin/env ansible-playbook
|
||||||
---
|
---
|
||||||
|
- hosts: all
|
||||||
|
roles: []
|
||||||
|
|
||||||
# Clone LDAP on local geographic location
|
# Clone LDAP on local geographic location
|
||||||
# DON'T DO THIS AS IT RECREATES THE REPLICA
|
# DON'T DO THIS AS IT RECREATES THE REPLICA
|
||||||
- hosts: ldap_replica
|
#- hosts: ldap_replica
|
||||||
roles:
|
# roles:
|
||||||
- ldap_replica
|
# - ldap_replica
|
|
@ -1,6 +1,6 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
#!/usr/bin/env ansible-playbook
|
||||||
---
|
---
|
||||||
# Install Matrix Synapse on corresponding containers
|
# Install Matrix Synapse
|
||||||
- hosts: synapse.adm.auro.re
|
- hosts: synapse.adm.auro.re
|
||||||
vars:
|
vars:
|
||||||
mxisd_releases: https://github.com/kamax-matrix/mxisd/releases
|
mxisd_releases: https://github.com/kamax-matrix/mxisd/releases
|
||||||
|
@ -16,8 +16,3 @@
|
||||||
- matrix_appservice_irc
|
- matrix_appservice_irc
|
||||||
- matrix_appservice_webhooks
|
- matrix_appservice_webhooks
|
||||||
- update_motd
|
- update_motd
|
||||||
|
|
||||||
# Install Matrix services
|
|
||||||
- hosts: matrix-services.adm.auro.re
|
|
||||||
roles:
|
|
||||||
- debian_backports
|
|
|
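Review bot: The `matrix-services.adm.auro.re` play (role `debian_backports`) is removed here and no replacement for it is visible among the new files in this change; the same goes for the `passbolt.adm.auro.re` play deleted in the `@ -1,19 +1,5 @@` hunk below. If both were intentionally retired, the commit message should say so, since the title only announces a move into a subfolder; if they were meant to move, they need files under `playbooks/` like the docker play got. The enclosing synapse play starts before this hunk.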
@ -1,19 +1,5 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
#!/usr/bin/env ansible-playbook
|
||||||
---
|
---
|
||||||
# Deploy Docker hosts
|
|
||||||
- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,stream.adm.auro.re,wikijs.adm.auro.re
|
|
||||||
vars:
|
|
||||||
update_motd:
|
|
||||||
docker: Docker est déployé.
|
|
||||||
roles:
|
|
||||||
- docker
|
|
||||||
- update_motd
|
|
||||||
|
|
||||||
# Deploy Passbolt
|
|
||||||
- hosts: passbolt.adm.auro.re
|
|
||||||
roles:
|
|
||||||
- passbolt
|
|
||||||
|
|
||||||
- hosts: reverseproxy
|
- hosts: reverseproxy
|
||||||
vars:
|
vars:
|
||||||
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
|
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
|
|
@ -1,4 +1,13 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
---
|
---
|
||||||
|
# Deploy Postfix on non mailhost servers
|
||||||
|
- hosts: all,!unifi
|
||||||
|
vars:
|
||||||
|
local_network: 10.128.0.0/16
|
||||||
|
relay_host: proxy.adm.auro.re
|
||||||
|
roles:
|
||||||
|
- postfix_non_mailhost
|
||||||
|
|
||||||
# Deploy Re2o mail service
|
# Deploy Re2o mail service
|
||||||
- hosts: mail.auro.re
|
- hosts: mail.auro.re
|
||||||
vars:
|
vars:
|
||||||
|
@ -10,4 +19,4 @@
|
||||||
username: service-user
|
username: service-user
|
||||||
password: "{{ vault_serviceuser_passwd }}"
|
password: "{{ vault_serviceuser_passwd }}"
|
||||||
roles:
|
roles:
|
||||||
- re2o-service
|
- re2o_service
|
|
@ -1,7 +1,7 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
#!/usr/bin/env ansible-playbook
|
||||||
---
|
---
|
||||||
# Install and configure bdd servers at Saclay and at OVH
|
# Install and configure database servers at Saclay and at OVH
|
||||||
- hosts: bdd,!re2o-bdd.adm.auro.re,!services-bdd-local.adm.auro.re
|
- hosts: bdd.adm.auro.re,bdd-ovh.adm.auro.re
|
||||||
vars:
|
vars:
|
||||||
update_motd:
|
update_motd:
|
||||||
postgresql: PostgreSQL est déployé.
|
postgresql: PostgreSQL est déployé.
|
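Review bot: Replacing the group-based `bdd,!re2o-bdd.adm.auro.re,!services-bdd-local.adm.auro.re` with the two literal hosts `bdd.adm.auro.re,bdd-ovh.adm.auro.re` changes which machines get PostgreSQL in a commit titled as a move: any other member of the `bdd` group is no longer covered, and a new database server now requires an edit here instead of an inventory change. If exactly these two hosts are intended, a comment such as `# Only the Saclay and OVH servers; re2o-bdd and services-bdd-local are managed elsewhere` keeps the former exclusions discoverable. The play's `vars:` block continues past the hunk.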
10
playbooks/radius.yml
Executable file
|
@ -0,0 +1,10 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
# Deploy Radius
|
||||||
|
- hosts: radius-*.adm.auro.re
|
||||||
|
vars:
|
||||||
|
update_motd:
|
||||||
|
unbound: FreeRADIUS est déployé.
|
||||||
|
roles:
|
||||||
|
- radius
|
||||||
|
- update_motd
|
23
playbooks/router.yml
Executable file
|
@ -0,0 +1,23 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
# Deploy firewall and keepalived
|
||||||
|
# radvd: IPv6 SLAAC (/64 subnets, private IPs).
|
||||||
|
# Must NOT be on routeur-aurore-*, or will with DHCPv6!
|
||||||
|
- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
|
||||||
|
vars:
|
||||||
|
update_motd:
|
||||||
|
unbound: Le routage (avec radvd) est déployé.
|
||||||
|
roles:
|
||||||
|
- router
|
||||||
|
- radvd
|
||||||
|
- update_motd
|
||||||
|
|
||||||
|
# No radvd here
|
||||||
|
- hosts: ~routeur-aurore.*\.adm\.auro\.re
|
||||||
|
vars:
|
||||||
|
update_motd:
|
||||||
|
unbound: Le routage (avec DHCPv6) est déployé.
|
||||||
|
roles:
|
||||||
|
- router
|
||||||
|
- ipv6_edge_router
|
||||||
|
- update_motd
|
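Review bot: The comment `# Must NOT be on routeur-aurore-*, or will with DHCPv6!` is missing its verb, so a reader cannot tell what the conflict is; presumably radvd and the DHCPv6 setup on routeur-aurore-* would clash, in which case `# radvd must NOT run on routeur-aurore-*: it would conflict with DHCPv6 there` says it. The first play's regex `~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re` is what enforces that split, so the comment should also say that a new site has to be added to the alternation to receive the router and radvd roles, otherwise it silently gets nothing. Both plays are self-contained within this section.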
17
playbooks/switchs-manager.yml
Executable file
|
@ -0,0 +1,17 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
- hosts: all
|
||||||
|
roles: []
|
||||||
|
|
||||||
|
# Deploy Re2o switch service
|
||||||
|
# - hosts: switchs-manager.adm.auro.re
|
||||||
|
# vars:
|
||||||
|
# service_repo: https://gitlab.federez.net/re2o/switchs.git
|
||||||
|
# service_name: switchs
|
||||||
|
# service_version: master
|
||||||
|
# service_config:
|
||||||
|
# hostname: re2o-server.adm.auro.re
|
||||||
|
# username: service-user
|
||||||
|
# password: "{{ vault_serviceuser_passwd }}"
|
||||||
|
# roles:
|
||||||
|
# - re2o_service
|
10
playbooks/unbound.yml
Executable file
|
@ -0,0 +1,10 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
# Deploy unbound DNS server (recursive).
|
||||||
|
- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
|
||||||
|
vars:
|
||||||
|
update_motd:
|
||||||
|
unbound: Unbound est déployé.
|
||||||
|
roles:
|
||||||
|
- unbound
|
||||||
|
- update_motd
|
9
playbooks/unifi.yml
Executable file
|
@ -0,0 +1,9 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
- hosts: all
|
||||||
|
roles: []
|
||||||
|
|
||||||
|
# Deploy Unifi Controller
|
||||||
|
# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
|
||||||
|
# roles:
|
||||||
|
# - unifi-controller
|
|
@ -1,17 +0,0 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
---
|
|
||||||
# This is a special playbook to upgrade sudo everywhere after the
|
|
||||||
# CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
|
|
||||||
# Please always use with --limit myserver.adm.auro.re
|
|
||||||
# And list updates with --check
|
|
||||||
- hosts: all
|
|
||||||
tasks:
|
|
||||||
- name: Upgrade sudo
|
|
||||||
apt:
|
|
||||||
name: sudo
|
|
||||||
state: latest
|
|
||||||
update_cache: true
|
|
||||||
cache_valid_time: 3600 # one hour
|
|
||||||
register: apt_result
|
|
||||||
retries: 3
|
|
||||||
until: apt_result is succeeded
|
|