2021-11-28 10:16:50 +01:00
24 changed files with 135 additions and 146 deletions
--- a/README.md
+++ b/README.md
@ -2,8 +2,9 @@

 # Recettes Ansible d'Aurore

-Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore.
-Pour les utiliser, vérifiez que vous avez au moins Ansible 2.7.
+Dépendances requises :
+
+ * Ansible 2.9 ou plus récent.

 ## Ansible 101

--- a/ansible.cfg
+++ b/ansible.cfg
@ -2,6 +2,9 @@

 [defaults]

+# Explicitly redefine some defaults to make subfolder execution work
+roles_path = ./roles
+
 # Do not create .retry files
 retry_files_enabled = False

--- a/deploy_all.sh
+++ b/deploy_all.sh
@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Deploy all playbooks
+ansible-playbook playbooks/*.yml $@
--- a/deploy_postfix_non_mailhost.yml
+++ b/deploy_postfix_non_mailhost.yml
@ -1,9 +0,0 @@
-#!/usr/bin/env ansible-playbook
---
-# Deploy a correclty configured postfix on non mailhost servers
- hosts: all,!unifi
-  vars:
-    local_network: 10.128.0.0/16
-    relay_host: proxy.adm.auro.re
-  roles:
-    - postfix_non_mailhost
--- a/network.yml
+++ b/network.yml
@ -1,82 +0,0 @@
-#!/usr/bin/env ansible-playbook
---
-# Set up DHCP servers.
- hosts: dhcp-*.adm.auro.re
-  vars:
-    update_motd:
-      unbound: isc-dhcp-server est déployé.
-  roles:
-    - isc_dhcp_server
-    - update_motd
-
-# Deploy unbound DNS server (recursive).
- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
-  vars:
-    update_motd:
-      unbound: Unbound est déployé.
-  roles:
-    - unbound
-    - update_motd
-
-# Déploiement du service re2o aurore-firewall et keepalived
-# radvd: IPv6 SLAAC (/64 subnets, private IPs).
-#   Must NOT be on routeur-aurore-*, or will with DHCPv6!
- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
-  vars:
-    update_motd:
-      unbound: Le routage (avec radvd) est déployé.
-  roles:
-    - router
-    - radvd
-    - update_motd
-
-# No radvd here
- hosts: ~routeur-aurore.*\.adm\.auro\.re
-  vars:
-    update_motd:
-      unbound: Le routage (avec DHCPv6) est déployé.
-  roles:
-    - router
-    - ipv6_edge_router
-    - update_motd
-
-# Radius (backup only for now)
- hosts: radius-*.adm.auro.re
-  vars:
-    update_motd:
-      unbound: FreeRADIUS est déployé.
-  roles:
-    - radius
-    - update_motd
-
-# WIP: Deploy authoritative DNS servers
-# - hosts: authoritative_dns
-#   vars:
-#     service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
-#     service_name: dns
-#     service_version: crans
-#     service_config:
-#       hostname: re2o-server.adm.auro.re
-#       username: service-user
-#       password: "{{ vault_serviceuser_passwd }}"
-#   roles:
-#     - re2o_service
-
-
-# Deploy Unifi Controller
-# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
-#   roles:
-#     - unifi-controller
-
-# Deploy Re2o switch service
-# - hosts: switchs-manager.adm.auro.re
-#   vars:
-#     service_repo: https://gitlab.federez.net/re2o/switchs.git
-#     service_name: switchs
-#     service_version: master
-#     service_config:
-#       hostname: re2o-server.adm.auro.re
-#       username: service-user
-#       password: "{{ vault_serviceuser_passwd }}"
-#   roles:
-#     - re2o_service
--- a/playbooks/base.yml
+++ b/playbooks/base.yml
@ -5,14 +5,6 @@
  roles:
    - baseconfig
    - basesecurity
-    - update_motd
-
-# Plug LDAP on all servers
- hosts: all,!unifi
-  roles:
    - ldap_client
-
-# Install logrotate
- hosts: all,!unifi,!pve
-  roles:
    - logrotate
+    - update_motd
--- a/playbooks/borgbackup.yml
+++ b/playbooks/borgbackup.yml
@ -10,7 +10,7 @@
    - borgbackup_server
    - update_motd

- hosts: all,!unifi,!unifi-*,!wiki.adm.auro.re
+- hosts: all,!unifi,!unifi-*
  vars:
    update_motd:
      borgbackup_client: >-
--- a/playbooks/docker.yml
+++ b/playbooks/docker.yml
@ -0,0 +1,10 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy Docker hosts
+- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,wikijs.adm.auro.re
+  vars:
+    update_motd:
+      docker: Docker est déployé.
+  roles:
+    - docker
+    - update_motd
--- a/playbooks/grafana.yml
+++ b/playbooks/grafana.yml
--- a/playbooks/isc-dhcp-server.yml
+++ b/playbooks/isc-dhcp-server.yml
@ -0,0 +1,9 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: dhcp-*.adm.auro.re
+  vars:
+    update_motd:
+      unbound: isc-dhcp-server est déployé.
+  roles:
+    - isc_dhcp_server
+    - update_motd
--- a/playbooks/knot.yml
+++ b/playbooks/knot.yml
@ -0,0 +1,17 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: all
+  roles: []
+
+# WIP: Deploy authoritative DNS servers
+# - hosts: authoritative_dns
+#   vars:
+#     service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
+#     service_name: dns
+#     service_version: crans
+#     service_config:
+#       hostname: re2o-server.adm.auro.re
+#       username: service-user
+#       password: "{{ vault_serviceuser_passwd }}"
+#   roles:
+#     - re2o_service
--- a/playbooks/ldap_replica.yml
+++ b/playbooks/ldap_replica.yml
@ -1,7 +1,10 @@
 #!/usr/bin/env ansible-playbook
 ---
+- hosts: all
+  roles: []
+
 # Clone LDAP on local geographic location
 # DON'T DO THIS AS IT RECREATES THE REPLICA
- hosts: ldap_replica
-  roles:
-    - ldap_replica
+#- hosts: ldap_replica
+#  roles:
+#    - ldap_replica
--- a/playbooks/matrix-synapse.yml
+++ b/playbooks/matrix-synapse.yml
@ -1,6 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
-# Install Matrix Synapse on corresponding containers
+# Install Matrix Synapse
 - hosts: synapse.adm.auro.re
  vars:
    mxisd_releases: https://github.com/kamax-matrix/mxisd/releases
@ -16,8 +16,3 @@
    - matrix_appservice_irc
    - matrix_appservice_webhooks
    - update_motd
-
-# Install Matrix services
- hosts: matrix-services.adm.auro.re
-  roles:
-    - debian_backports
--- a/playbooks/nginx.yml
+++ b/playbooks/nginx.yml
@ -1,19 +1,5 @@
 #!/usr/bin/env ansible-playbook
 ---
-# Deploy Docker hosts
- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,stream.adm.auro.re,wikijs.adm.auro.re
-  vars:
-    update_motd:
-      docker: Docker est déployé.
-  roles:
-    - docker
-    - update_motd
-
-# Deploy Passbolt
- hosts: passbolt.adm.auro.re
-  roles:
-    - passbolt
-
 - hosts: reverseproxy
  vars:
    certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
--- a/utils/re2o_mail_server.yml
+++ b/utils/re2o_mail_server.yml
@ -1,4 +1,13 @@
+#!/usr/bin/env ansible-playbook
 ---
+# Deploy Postfix on non mailhost servers
+- hosts: all,!unifi
+  vars:
+    local_network: 10.128.0.0/16
+    relay_host: proxy.adm.auro.re
+  roles:
+    - postfix_non_mailhost
+
 # Deploy Re2o mail service
 - hosts: mail.auro.re
  vars:
@ -10,4 +19,4 @@
      username: service-user
      password: "{{ vault_serviceuser_passwd }}"
  roles:
-    - re2o-service
+    - re2o_service
--- a/playbooks/postgresql.yml
+++ b/playbooks/postgresql.yml
@ -1,7 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
-# Install and configure bdd servers at Saclay and at OVH
- hosts: bdd,!re2o-bdd.adm.auro.re,!services-bdd-local.adm.auro.re
+# Install and configure database servers at Saclay and at OVH
+- hosts: bdd.adm.auro.re,bdd-ovh.adm.auro.re
  vars:
    update_motd:
      postgresql: PostgreSQL est déployé.
--- a/playbooks/prometheus.yml
+++ b/playbooks/prometheus.yml
--- a/playbooks/radius.yml
+++ b/playbooks/radius.yml
@ -0,0 +1,10 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy Radius
+- hosts: radius-*.adm.auro.re
+  vars:
+    update_motd:
+      unbound: FreeRADIUS est déployé.
+  roles:
+    - radius
+    - update_motd
--- a/playbooks/router.yml
+++ b/playbooks/router.yml
@ -0,0 +1,23 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy firewall and keepalived
+# radvd: IPv6 SLAAC (/64 subnets, private IPs).
+#   Must NOT be on routeur-aurore-*, or will with DHCPv6!
+- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
+  vars:
+    update_motd:
+      unbound: Le routage (avec radvd) est déployé.
+  roles:
+    - router
+    - radvd
+    - update_motd
+
+# No radvd here
+- hosts: ~routeur-aurore.*\.adm\.auro\.re
+  vars:
+    update_motd:
+      unbound: Le routage (avec DHCPv6) est déployé.
+  roles:
+    - router
+    - ipv6_edge_router
+    - update_motd
--- a/playbooks/rsyslog.yml
+++ b/playbooks/rsyslog.yml
--- a/playbooks/switchs-manager.yml
+++ b/playbooks/switchs-manager.yml
@ -0,0 +1,17 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: all
+  roles: []
+
+# Deploy Re2o switch service
+# - hosts: switchs-manager.adm.auro.re
+#   vars:
+#     service_repo: https://gitlab.federez.net/re2o/switchs.git
+#     service_name: switchs
+#     service_version: master
+#     service_config:
+#       hostname: re2o-server.adm.auro.re
+#       username: service-user
+#       password: "{{ vault_serviceuser_passwd }}"
+#   roles:
+#     - re2o_service
--- a/playbooks/unbound.yml
+++ b/playbooks/unbound.yml
@ -0,0 +1,10 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy unbound DNS server (recursive).
+- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
+  vars:
+    update_motd:
+      unbound: Unbound est déployé.
+  roles:
+    - unbound
+    - update_motd
--- a/playbooks/unifi.yml
+++ b/playbooks/unifi.yml
@ -0,0 +1,9 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: all
+  roles: []
+
+# Deploy Unifi Controller
+# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
+#   roles:
+#     - unifi-controller
--- a/utils/sudo_upgrade.yml
+++ b/utils/sudo_upgrade.yml
@ -1,17 +0,0 @@
-#!/usr/bin/env ansible-playbook
---
-# This is a special playbook to upgrade sudo everywhere after the
-# CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
-# Please always use with --limit myserver.adm.auro.re
-# And list updates with --check
- hosts: all
-  tasks:
-    - name: Upgrade sudo
-      apt:
-        name: sudo
-        state: latest
-        update_cache: true
-        cache_valid_time: 3600  # one hour
-      register: apt_result
-      retries: 3
-      until: apt_result is succeeded