Move playbooks in subfolder #73

Merged
erdnaxe merged 18 commits from move_playbooks into master 2021-11-28 10:16:50 +01:00
24 changed files with 135 additions and 146 deletions

View file

@ -2,8 +2,9 @@
# Recettes Ansible d'Aurore # Recettes Ansible d'Aurore
Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore. Dépendances requises :
Pour les utiliser, vérifiez que vous avez au moins Ansible 2.7.
* Ansible 2.9 ou plus récent.
## Ansible 101 ## Ansible 101

View file

@ -2,6 +2,9 @@
[defaults] [defaults]
# Explicitly redefine some defaults to make subfolder execution work
erdnaxe marked this conversation as resolved Outdated
Outdated
Review

ExplicitelyExplicitly
redefinedredefine?

`Explicitely` → `Explicitly` `redefined` → `redefine`?
roles_path = ./roles
# Do not create .retry files # Do not create .retry files
retry_files_enabled = False retry_files_enabled = False

3
deploy_all.sh Executable file
View file

@ -0,0 +1,3 @@
#!/usr/bin/env bash
# Deploy all playbooks
ansible-playbook playbooks/*.yml $@

View file

@ -1,9 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Deploy a correclty configured postfix on non mailhost servers
- hosts: all,!unifi
vars:
local_network: 10.128.0.0/16
relay_host: proxy.adm.auro.re
roles:
- postfix_non_mailhost

View file

@ -1,82 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Set up DHCP servers.
- hosts: dhcp-*.adm.auro.re
vars:
update_motd:
unbound: isc-dhcp-server est déployé.
roles:
- isc_dhcp_server
- update_motd
# Deploy unbound DNS server (recursive).
- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
vars:
update_motd:
unbound: Unbound est déployé.
roles:
- unbound
- update_motd
# Déploiement du service re2o aurore-firewall et keepalived
# radvd: IPv6 SLAAC (/64 subnets, private IPs).
# Must NOT be on routeur-aurore-*, or will with DHCPv6!
- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
vars:
update_motd:
unbound: Le routage (avec radvd) est déployé.
roles:
- router
- radvd
- update_motd
# No radvd here
- hosts: ~routeur-aurore.*\.adm\.auro\.re
vars:
update_motd:
unbound: Le routage (avec DHCPv6) est déployé.
roles:
- router
- ipv6_edge_router
- update_motd
# Radius (backup only for now)
- hosts: radius-*.adm.auro.re
vars:
update_motd:
unbound: FreeRADIUS est déployé.
roles:
- radius
- update_motd
# WIP: Deploy authoritative DNS servers
# - hosts: authoritative_dns
# vars:
# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
# service_name: dns
# service_version: crans
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o_service
# Deploy Unifi Controller
# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
# roles:
# - unifi-controller
# Deploy Re2o switch service
# - hosts: switchs-manager.adm.auro.re
# vars:
# service_repo: https://gitlab.federez.net/re2o/switchs.git
# service_name: switchs
# service_version: master
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o_service

View file

@ -5,14 +5,6 @@
roles: roles:
- baseconfig - baseconfig
- basesecurity - basesecurity
- update_motd
# Plug LDAP on all servers
- hosts: all,!unifi
roles:
- ldap_client - ldap_client
# Install logrotate
- hosts: all,!unifi,!pve
roles:
- logrotate - logrotate
- update_motd

View file

@ -10,7 +10,7 @@
- borgbackup_server - borgbackup_server
- update_motd - update_motd
- hosts: all,!unifi,!unifi-*,!wiki.adm.auro.re - hosts: all,!unifi,!unifi-*
vars: vars:
update_motd: update_motd:
borgbackup_client: >- borgbackup_client: >-

10
playbooks/docker.yml Executable file
View file

@ -0,0 +1,10 @@
#!/usr/bin/env ansible-playbook
---
# Deploy Docker hosts
- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,wikijs.adm.auro.re
erdnaxe marked this conversation as resolved Outdated
Outdated
Review

Why do we install docker on stream.adm?

Why do we install `docker` on `stream.adm`?

Before stream was using a dockerized solution. Now it's gone and it's not even called stream anymore.

Before stream was using a dockerized solution. Now it's gone and it's not even called stream anymore.
vars:
update_motd:
docker: Docker est déployé.
roles:
- docker
- update_motd

9
playbooks/isc-dhcp-server.yml Executable file
View file

@ -0,0 +1,9 @@
#!/usr/bin/env ansible-playbook
---
- hosts: dhcp-*.adm.auro.re
vars:
update_motd:
unbound: isc-dhcp-server est déployé.
roles:
- isc_dhcp_server
- update_motd

17
playbooks/knot.yml Executable file
View file

@ -0,0 +1,17 @@
#!/usr/bin/env ansible-playbook
---
- hosts: all
roles: []
# WIP: Deploy authoritative DNS servers
# - hosts: authoritative_dns
# vars:
# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
# service_name: dns
# service_version: crans
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o_service

View file

@ -1,7 +1,10 @@
#!/usr/bin/env ansible-playbook #!/usr/bin/env ansible-playbook
--- ---
- hosts: all
roles: []
# Clone LDAP on local geographic location # Clone LDAP on local geographic location
# DON'T DO THIS AS IT RECREATES THE REPLICA # DON'T DO THIS AS IT RECREATES THE REPLICA
- hosts: ldap_replica #- hosts: ldap_replica
roles: # roles:
- ldap_replica # - ldap_replica

View file

@ -1,6 +1,6 @@
#!/usr/bin/env ansible-playbook #!/usr/bin/env ansible-playbook
--- ---
# Install Matrix Synapse on corresponding containers # Install Matrix Synapse
- hosts: synapse.adm.auro.re - hosts: synapse.adm.auro.re
vars: vars:
mxisd_releases: https://github.com/kamax-matrix/mxisd/releases mxisd_releases: https://github.com/kamax-matrix/mxisd/releases
@ -16,8 +16,3 @@
- matrix_appservice_irc - matrix_appservice_irc
- matrix_appservice_webhooks - matrix_appservice_webhooks
- update_motd - update_motd
# Install Matrix services
- hosts: matrix-services.adm.auro.re
roles:
- debian_backports

View file

@ -1,19 +1,5 @@
#!/usr/bin/env ansible-playbook #!/usr/bin/env ansible-playbook
--- ---
# Deploy Docker hosts
- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,stream.adm.auro.re,wikijs.adm.auro.re
vars:
update_motd:
docker: Docker est déployé.
roles:
- docker
- update_motd
# Deploy Passbolt
- hosts: passbolt.adm.auro.re
roles:
- passbolt
- hosts: reverseproxy - hosts: reverseproxy
vars: vars:
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}' certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'

View file

@ -1,4 +1,13 @@
#!/usr/bin/env ansible-playbook
--- ---
# Deploy Postfix on non mailhost servers
- hosts: all,!unifi
vars:
local_network: 10.128.0.0/16
relay_host: proxy.adm.auro.re
roles:
- postfix_non_mailhost
# Deploy Re2o mail service # Deploy Re2o mail service
- hosts: mail.auro.re - hosts: mail.auro.re
vars: vars:
@ -10,4 +19,4 @@
username: service-user username: service-user
password: "{{ vault_serviceuser_passwd }}" password: "{{ vault_serviceuser_passwd }}"
roles: roles:
- re2o-service - re2o_service

View file

@ -1,7 +1,7 @@
#!/usr/bin/env ansible-playbook #!/usr/bin/env ansible-playbook
--- ---
# Install and configure bdd servers at Saclay and at OVH # Install and configure database servers at Saclay and at OVH
- hosts: bdd,!re2o-bdd.adm.auro.re,!services-bdd-local.adm.auro.re - hosts: bdd.adm.auro.re,bdd-ovh.adm.auro.re
vars: vars:
update_motd: update_motd:
postgresql: PostgreSQL est déployé. postgresql: PostgreSQL est déployé.

10
playbooks/radius.yml Executable file
View file

@ -0,0 +1,10 @@
#!/usr/bin/env ansible-playbook
---
# Deploy Radius
erdnaxe marked this conversation as resolved Outdated
Outdated
Review

backup only for now?

`backup only for now`?
- hosts: radius-*.adm.auro.re
vars:
update_motd:
unbound: FreeRADIUS est déployé.
roles:
- radius
- update_motd

23
playbooks/router.yml Executable file
View file

@ -0,0 +1,23 @@
#!/usr/bin/env ansible-playbook
---
# Deploy firewall and keepalived
erdnaxe marked this conversation as resolved Outdated
Outdated
Review

Why is the comment in French?

Perhaps we should choose French or English and stick with it?

Why is the comment in French? Perhaps we should choose French or English and stick with it?
# radvd: IPv6 SLAAC (/64 subnets, private IPs).
# Must NOT be on routeur-aurore-*, or will with DHCPv6!
- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
vars:
update_motd:
unbound: Le routage (avec radvd) est déployé.
roles:
- router
- radvd
- update_motd
# No radvd here
- hosts: ~routeur-aurore.*\.adm\.auro\.re
vars:
update_motd:
unbound: Le routage (avec DHCPv6) est déployé.
roles:
- router
- ipv6_edge_router
- update_motd

17
playbooks/switchs-manager.yml Executable file
View file

@ -0,0 +1,17 @@
#!/usr/bin/env ansible-playbook
---
- hosts: all
roles: []
# Deploy Re2o switch service
# - hosts: switchs-manager.adm.auro.re
# vars:
# service_repo: https://gitlab.federez.net/re2o/switchs.git
# service_name: switchs
# service_version: master
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o_service

10
playbooks/unbound.yml Executable file
View file

@ -0,0 +1,10 @@
#!/usr/bin/env ansible-playbook
---
# Deploy unbound DNS server (recursive).
- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
vars:
update_motd:
unbound: Unbound est déployé.
roles:
- unbound
- update_motd

9
playbooks/unifi.yml Executable file
View file

@ -0,0 +1,9 @@
#!/usr/bin/env ansible-playbook
---
- hosts: all
roles: []
# Deploy Unifi Controller
# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
# roles:
# - unifi-controller

View file

@ -1,17 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# This is a special playbook to upgrade sudo everywhere after the
# CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
# Please always use with --limit myserver.adm.auro.re
# And list updates with --check
- hosts: all
tasks:
- name: Upgrade sudo
apt:
name: sudo
state: latest
update_cache: true
cache_valid_time: 3600 # one hour
register: apt_result
retries: 3
until: apt_result is succeeded