Move playbooks in subfolder #73
24 changed files with 135 additions and 146 deletions
|
@ -2,8 +2,9 @@
|
||||||
|
|
||||||
# Recettes Ansible d'Aurore
|
# Recettes Ansible d'Aurore
|
||||||
|
|
||||||
Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore.
|
Dépendances requises :
|
||||||
Pour les utiliser, vérifiez que vous avez au moins Ansible 2.7.
|
|
||||||
|
* Ansible 2.9 ou plus récent.
|
||||||
|
|
||||||
## Ansible 101
|
## Ansible 101
|
||||||
|
|
||||||
|
|
|
@ -2,6 +2,9 @@
|
||||||
|
|
||||||
[defaults]
|
[defaults]
|
||||||
|
|
||||||
|
# Explicitly redefine some defaults to make subfolder execution work
|
||||||
erdnaxe marked this conversation as resolved
Outdated
|
|||||||
|
roles_path = ./roles
|
||||||
|
|
||||||
# Do not create .retry files
|
# Do not create .retry files
|
||||||
retry_files_enabled = False
|
retry_files_enabled = False
|
||||||
|
|
||||||
|
|
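Review bot: `roles_path = ./roles` only helps when this ansible.cfg is actually loaded, and Ansible looks for its config in `ANSIBLE_CONFIG`, then the current working directory, then `~/.ansible.cfg` and `/etc/ansible/ansible.cfg`, never next to the playbook; as far as I can tell the relative path is then resolved against the directory holding the config file. Running `ansible-playbook foo.yml` from inside `playbooks/` therefore silently skips this file and falls back to the default roles path, where the repository's roles are not found. The comment should record that constraint, e.g. `# Explicitly redefine some defaults to make subfolder execution work; run from the repository root (or set ANSIBLE_CONFIG) so this file is picked up`.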
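--- /dev/null
+++ b/deploy_all.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Deploy all playbooks
+ansible-playbook playbooks/*.yml $@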
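Review bot: `$@` on the last line is unquoted, so any argument containing whitespace (an `-e "key=a b"` extra-var, a `--limit` pattern with spaces) is re-split into several words before ansible-playbook sees it; it should be `"$@"`. The script also only works when started from the repository root, because both the `playbooks/*.yml` glob and the root ansible.cfg are resolved against the working directory, and the glob runs the playbooks in alphabetical order, which is presumably acceptable but worth a comment. One line fixes the first two points: `cd "$(dirname "$0")" && exec ansible-playbook playbooks/*.yml "$@"`.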
|
@ -1,9 +0,0 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
---
|
|
||||||
# Deploy a correclty configured postfix on non mailhost servers
|
|
||||||
- hosts: all,!unifi
|
|
||||||
vars:
|
|
||||||
local_network: 10.128.0.0/16
|
|
||||||
relay_host: proxy.adm.auro.re
|
|
||||||
roles:
|
|
||||||
- postfix_non_mailhost
|
|
82
network.yml
82
network.yml
|
@ -1,82 +0,0 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
---
|
|
||||||
# Set up DHCP servers.
|
|
||||||
- hosts: dhcp-*.adm.auro.re
|
|
||||||
vars:
|
|
||||||
update_motd:
|
|
||||||
unbound: isc-dhcp-server est déployé.
|
|
||||||
roles:
|
|
||||||
- isc_dhcp_server
|
|
||||||
- update_motd
|
|
||||||
|
|
||||||
# Deploy unbound DNS server (recursive).
|
|
||||||
- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
|
|
||||||
vars:
|
|
||||||
update_motd:
|
|
||||||
unbound: Unbound est déployé.
|
|
||||||
roles:
|
|
||||||
- unbound
|
|
||||||
- update_motd
|
|
||||||
|
|
||||||
# Déploiement du service re2o aurore-firewall et keepalived
|
|
||||||
# radvd: IPv6 SLAAC (/64 subnets, private IPs).
|
|
||||||
# Must NOT be on routeur-aurore-*, or will with DHCPv6!
|
|
||||||
- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
|
|
||||||
vars:
|
|
||||||
update_motd:
|
|
||||||
unbound: Le routage (avec radvd) est déployé.
|
|
||||||
roles:
|
|
||||||
- router
|
|
||||||
- radvd
|
|
||||||
- update_motd
|
|
||||||
|
|
||||||
# No radvd here
|
|
||||||
- hosts: ~routeur-aurore.*\.adm\.auro\.re
|
|
||||||
vars:
|
|
||||||
update_motd:
|
|
||||||
unbound: Le routage (avec DHCPv6) est déployé.
|
|
||||||
roles:
|
|
||||||
- router
|
|
||||||
- ipv6_edge_router
|
|
||||||
- update_motd
|
|
||||||
|
|
||||||
# Radius (backup only for now)
|
|
||||||
- hosts: radius-*.adm.auro.re
|
|
||||||
vars:
|
|
||||||
update_motd:
|
|
||||||
unbound: FreeRADIUS est déployé.
|
|
||||||
roles:
|
|
||||||
- radius
|
|
||||||
- update_motd
|
|
||||||
|
|
||||||
# WIP: Deploy authoritative DNS servers
|
|
||||||
# - hosts: authoritative_dns
|
|
||||||
# vars:
|
|
||||||
# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
|
|
||||||
# service_name: dns
|
|
||||||
# service_version: crans
|
|
||||||
# service_config:
|
|
||||||
# hostname: re2o-server.adm.auro.re
|
|
||||||
# username: service-user
|
|
||||||
# password: "{{ vault_serviceuser_passwd }}"
|
|
||||||
# roles:
|
|
||||||
# - re2o_service
|
|
||||||
|
|
||||||
|
|
||||||
# Deploy Unifi Controller
|
|
||||||
# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
|
|
||||||
# roles:
|
|
||||||
# - unifi-controller
|
|
||||||
|
|
||||||
# Deploy Re2o switch service
|
|
||||||
# - hosts: switchs-manager.adm.auro.re
|
|
||||||
# vars:
|
|
||||||
# service_repo: https://gitlab.federez.net/re2o/switchs.git
|
|
||||||
# service_name: switchs
|
|
||||||
# service_version: master
|
|
||||||
# service_config:
|
|
||||||
# hostname: re2o-server.adm.auro.re
|
|
||||||
# username: service-user
|
|
||||||
# password: "{{ vault_serviceuser_passwd }}"
|
|
||||||
# roles:
|
|
||||||
# - re2o_service
|
|
|
@ -5,14 +5,6 @@
|
||||||
roles:
|
roles:
|
||||||
- baseconfig
|
- baseconfig
|
||||||
- basesecurity
|
- basesecurity
|
||||||
- update_motd
|
|
||||||
|
|
||||||
# Plug LDAP on all servers
|
|
||||||
- hosts: all,!unifi
|
|
||||||
roles:
|
|
||||||
- ldap_client
|
- ldap_client
|
||||||
|
|
||||||
# Install logrotate
|
|
||||||
- hosts: all,!unifi,!pve
|
|
||||||
roles:
|
|
||||||
- logrotate
|
- logrotate
|
||||||
|
- update_motd
|
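Review bot: Folding `ldap_client` and `logrotate` into the first play's role list drops the host exclusions their own plays carried (`all,!unifi` and `all,!unifi,!pve`), and whether that is intended depends on the `hosts:` line of the first play, which sits above this hunk. If that play targets `all`, logrotate now also runs on the pve hosts that were deliberately excluded before, and ldap_client on the unifi hosts. Either restore the exclusions on that `hosts:` line or add a comment above the role list recording that the wider target is deliberate, e.g. `# ldap_client and logrotate now run on every host of this play, including pve (previously excluded)`.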
|
@ -10,7 +10,7 @@
|
||||||
- borgbackup_server
|
- borgbackup_server
|
||||||
- update_motd
|
- update_motd
|
||||||
|
|
||||||
- hosts: all,!unifi,!unifi-*,!wiki.adm.auro.re
|
- hosts: all,!unifi,!unifi-*
|
||||||
vars:
|
vars:
|
||||||
update_motd:
|
update_motd:
|
||||||
borgbackup_client: >-
|
borgbackup_client: >-
|
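Review bot: Dropping `!wiki.adm.auro.re` from the changed `- hosts:` line widens the set of machines that receive the borgbackup client, which is a behavioural change unrelated to moving playbooks into a subfolder and is not mentioned in the commit title. If the wiki host was retired, or should now be backed up like the others, say so in a comment above the play, e.g. `# wiki.adm.auro.re is now backed up like every other host`; otherwise the exclusion should stay. The `borgbackup_client` block scalar continues below the hunk.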
10
playbooks/docker.yml
Executable file
10
playbooks/docker.yml
Executable file
|
@ -0,0 +1,10 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
# Deploy Docker hosts
|
||||||
|
- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,wikijs.adm.auro.re
|
||||||
erdnaxe marked this conversation as resolved
Outdated
jeltz
commented
Why do we install `docker` on `stream.adm`?
erdnaxe
commented
Before, stream was using a dockerized solution. Now it's gone and it's not even called stream anymore.
|
|||||||
|
vars:
|
||||||
|
update_motd:
|
||||||
|
docker: Docker est déployé.
|
||||||
|
roles:
|
||||||
|
- docker
|
||||||
|
- update_motd
|
9
playbooks/isc-dhcp-server.yml
Executable file
9
playbooks/isc-dhcp-server.yml
Executable file
|
@ -0,0 +1,9 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
- hosts: dhcp-*.adm.auro.re
|
||||||
|
vars:
|
||||||
|
update_motd:
|
||||||
|
unbound: isc-dhcp-server est déployé.
|
||||||
|
roles:
|
||||||
|
- isc_dhcp_server
|
||||||
|
- update_motd
|
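Review bot: The `update_motd` entry in this play is keyed `unbound` although the play deploys isc-dhcp-server; the same key is carried over into playbooks/radius.yml (`unbound: FreeRADIUS est déployé.`) and both plays of playbooks/router.yml, while playbooks/docker.yml keys its entry `docker` and the postgresql playbook keys it `postgresql`. I cannot see the update_motd role from here, but if the key is the service name shown in the MOTD these look like copy-paste leftovers and should become `isc_dhcp_server`, `radius` and `router`; if the key is deliberately `unbound`, a comment explaining why would stop the next reader from "fixing" it. The `# Set up DHCP servers.` header that this play had in network.yml was also dropped in the move; restore it above `- hosts:` so the file matches the other playbooks, which all open with a one-line purpose comment.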
17
playbooks/knot.yml
Executable file
17
playbooks/knot.yml
Executable file
|
@ -0,0 +1,17 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
- hosts: all
|
||||||
|
roles: []
|
||||||
|
|
||||||
|
# WIP: Deploy authoritative DNS servers
|
||||||
|
# - hosts: authoritative_dns
|
||||||
|
# vars:
|
||||||
|
# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
|
||||||
|
# service_name: dns
|
||||||
|
# service_version: crans
|
||||||
|
# service_config:
|
||||||
|
# hostname: re2o-server.adm.auro.re
|
||||||
|
# username: service-user
|
||||||
|
# password: "{{ vault_serviceuser_passwd }}"
|
||||||
|
# roles:
|
||||||
|
# - re2o_service
|
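Review bot: The placeholder play `- hosts: all` / `roles: []` is not a no-op: with the default `gather_facts`, Ansible still connects to every inventory host and runs fact gathering for it, so `deploy_all.sh`, which runs `playbooks/*.yml`, pays that cost for this file and again for playbooks/switchs-manager.yml, playbooks/unifi.yml and the ldap playbook hunk that adds the same stub. Presumably the stub exists only so that ansible-playbook accepts a file whose real play is commented out; if so, add `gather_facts: false` to it and say why it is there. Proposed lines: `- hosts: all`, `  gather_facts: false  # placeholder so ansible-playbook accepts this file while the real play is commented out`, `  roles: []`.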
|
@ -1,7 +1,10 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
#!/usr/bin/env ansible-playbook
|
||||||
---
|
---
|
||||||
|
- hosts: all
|
||||||
|
roles: []
|
||||||
|
|
||||||
# Clone LDAP on local geographic location
|
# Clone LDAP on local geographic location
|
||||||
# DON'T DO THIS AS IT RECREATES THE REPLICA
|
# DON'T DO THIS AS IT RECREATES THE REPLICA
|
||||||
- hosts: ldap_replica
|
#- hosts: ldap_replica
|
||||||
roles:
|
# roles:
|
||||||
- ldap_replica
|
# - ldap_replica
|
|
@ -1,6 +1,6 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
#!/usr/bin/env ansible-playbook
|
||||||
---
|
---
|
||||||
# Install Matrix Synapse on corresponding containers
|
# Install Matrix Synapse
|
||||||
- hosts: synapse.adm.auro.re
|
- hosts: synapse.adm.auro.re
|
||||||
vars:
|
vars:
|
||||||
mxisd_releases: https://github.com/kamax-matrix/mxisd/releases
|
mxisd_releases: https://github.com/kamax-matrix/mxisd/releases
|
||||||
|
@ -16,8 +16,3 @@
|
||||||
- matrix_appservice_irc
|
- matrix_appservice_irc
|
||||||
- matrix_appservice_webhooks
|
- matrix_appservice_webhooks
|
||||||
- update_motd
|
- update_motd
|
||||||
|
|
||||||
# Install Matrix services
|
|
||||||
- hosts: matrix-services.adm.auro.re
|
|
||||||
roles:
|
|
||||||
- debian_backports
|
|
|
@ -1,19 +1,5 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
#!/usr/bin/env ansible-playbook
|
||||||
---
|
---
|
||||||
# Deploy Docker hosts
|
|
||||||
- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,stream.adm.auro.re,wikijs.adm.auro.re
|
|
||||||
vars:
|
|
||||||
update_motd:
|
|
||||||
docker: Docker est déployé.
|
|
||||||
roles:
|
|
||||||
- docker
|
|
||||||
- update_motd
|
|
||||||
|
|
||||||
# Deploy Passbolt
|
|
||||||
- hosts: passbolt.adm.auro.re
|
|
||||||
roles:
|
|
||||||
- passbolt
|
|
||||||
|
|
||||||
- hosts: reverseproxy
|
- hosts: reverseproxy
|
||||||
vars:
|
vars:
|
||||||
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
|
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
|
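Review bot: The `# Deploy Passbolt` play on `passbolt.adm.auro.re` is removed together with the Docker play, but while the Docker play reappears as playbooks/docker.yml, no passbolt playbook is visible among the files shown here; if it was not re-created in one of the changed files I cannot see, the passbolt host silently drops out of the deployment. Either a `playbooks/passbolt.yml` carrying the removed play, or a line in the commit description saying passbolt is being decommissioned, would make the intent clear. The remaining `- hosts: reverseproxy` play continues below the hunk.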
|
@ -1,4 +1,13 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
---
|
---
|
||||||
|
# Deploy Postfix on non mailhost servers
|
||||||
|
- hosts: all,!unifi
|
||||||
|
vars:
|
||||||
|
local_network: 10.128.0.0/16
|
||||||
|
relay_host: proxy.adm.auro.re
|
||||||
|
roles:
|
||||||
|
- postfix_non_mailhost
|
||||||
|
|
||||||
# Deploy Re2o mail service
|
# Deploy Re2o mail service
|
||||||
- hosts: mail.auro.re
|
- hosts: mail.auro.re
|
||||||
vars:
|
vars:
|
||||||
|
@ -10,4 +19,4 @@
|
||||||
username: service-user
|
username: service-user
|
||||||
password: "{{ vault_serviceuser_passwd }}"
|
password: "{{ vault_serviceuser_passwd }}"
|
||||||
roles:
|
roles:
|
||||||
- re2o-service
|
- re2o_service
|
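Review bot: The Postfix play added at the top of this file targets `all,!unifi`, which includes `mail.auro.re`, the host the second play configures as the Re2o mail service; unless the `postfix_non_mailhost` role itself skips the mailhost (not visible here), running this playbook first points the mail server's own Postfix at `proxy.adm.auro.re` as relay and then deploys the mail service on top of that. Before this change the two plays lived in separate playbooks, so they were not necessarily run together. Consider `- hosts: all,!unifi,!mail.auro.re` for the first play, or a comment above it stating that the role handles the mail host correctly.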
|
@ -1,7 +1,7 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
#!/usr/bin/env ansible-playbook
|
||||||
---
|
---
|
||||||
# Install and configure bdd servers at Saclay and at OVH
|
# Install and configure database servers at Saclay and at OVH
|
||||||
- hosts: bdd,!re2o-bdd.adm.auro.re,!services-bdd-local.adm.auro.re
|
- hosts: bdd.adm.auro.re,bdd-ovh.adm.auro.re
|
||||||
vars:
|
vars:
|
||||||
update_motd:
|
update_motd:
|
||||||
postgresql: PostgreSQL est déployé.
|
postgresql: PostgreSQL est déployé.
|
10
playbooks/radius.yml
Executable file
10
playbooks/radius.yml
Executable file
|
@ -0,0 +1,10 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
# Deploy Radius
|
||||||
erdnaxe marked this conversation as resolved
Outdated
jeltz
commented
`backup only for now`?
|
|||||||
|
- hosts: radius-*.adm.auro.re
|
||||||
|
vars:
|
||||||
|
update_motd:
|
||||||
|
unbound: FreeRADIUS est déployé.
|
||||||
|
roles:
|
||||||
|
- radius
|
||||||
|
- update_motd
|
23
playbooks/router.yml
Executable file
23
playbooks/router.yml
Executable file
|
@ -0,0 +1,23 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
# Deploy firewall and keepalived
|
||||||
erdnaxe marked this conversation as resolved
Outdated
jeltz
commented
Why is the comment in French? Perhaps we should choose French or English and stick with it?
|
|||||||
|
# radvd: IPv6 SLAAC (/64 subnets, private IPs).
|
||||||
|
# Must NOT be on routeur-aurore-*, or will with DHCPv6!
|
||||||
|
- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
|
||||||
|
vars:
|
||||||
|
update_motd:
|
||||||
|
unbound: Le routage (avec radvd) est déployé.
|
||||||
|
roles:
|
||||||
|
- router
|
||||||
|
- radvd
|
||||||
|
- update_motd
|
||||||
|
|
||||||
|
# No radvd here
|
||||||
|
- hosts: ~routeur-aurore.*\.adm\.auro\.re
|
||||||
|
vars:
|
||||||
|
update_motd:
|
||||||
|
unbound: Le routage (avec DHCPv6) est déployé.
|
||||||
|
roles:
|
||||||
|
- router
|
||||||
|
- ipv6_edge_router
|
||||||
|
- update_motd
|
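Review bot: The comment `# Must NOT be on routeur-aurore-*, or will with DHCPv6!` is missing its verb, so a reader cannot tell what goes wrong; presumably `# Must NOT be on routeur-aurore-*, or it will clash with DHCPv6!`. Since this comment is the only place the radvd/DHCPv6 split is documented, it is worth stating explicitly that the routeur-aurore-* hosts get `ipv6_edge_router` in the second play instead of `radvd`, e.g. `# routeur-aurore-* are handled by the play below with ipv6_edge_router instead`.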
17
playbooks/switchs-manager.yml
Executable file
17
playbooks/switchs-manager.yml
Executable file
|
@ -0,0 +1,17 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
- hosts: all
|
||||||
|
roles: []
|
||||||
|
|
||||||
|
# Deploy Re2o switch service
|
||||||
|
# - hosts: switchs-manager.adm.auro.re
|
||||||
|
# vars:
|
||||||
|
# service_repo: https://gitlab.federez.net/re2o/switchs.git
|
||||||
|
# service_name: switchs
|
||||||
|
# service_version: master
|
||||||
|
# service_config:
|
||||||
|
# hostname: re2o-server.adm.auro.re
|
||||||
|
# username: service-user
|
||||||
|
# password: "{{ vault_serviceuser_passwd }}"
|
||||||
|
# roles:
|
||||||
|
# - re2o_service
|
10
playbooks/unbound.yml
Executable file
10
playbooks/unbound.yml
Executable file
|
@ -0,0 +1,10 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
# Deploy unbound DNS server (recursive).
|
||||||
|
- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
|
||||||
|
vars:
|
||||||
|
update_motd:
|
||||||
|
unbound: Unbound est déployé.
|
||||||
|
roles:
|
||||||
|
- unbound
|
||||||
|
- update_motd
|
9
playbooks/unifi.yml
Executable file
9
playbooks/unifi.yml
Executable file
|
@ -0,0 +1,9 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
- hosts: all
|
||||||
|
roles: []
|
||||||
|
|
||||||
|
# Deploy Unifi Controller
|
||||||
|
# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
|
||||||
|
# roles:
|
||||||
|
# - unifi-controller
|
|
@ -1,17 +0,0 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
---
|
|
||||||
# This is a special playbook to upgrade sudo everywhere after the
|
|
||||||
# CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
|
|
||||||
# Please always use with --limit myserver.adm.auro.re
|
|
||||||
# And list updates with --check
|
|
||||||
- hosts: all
|
|
||||||
tasks:
|
|
||||||
- name: Upgrade sudo
|
|
||||||
apt:
|
|
||||||
name: sudo
|
|
||||||
state: latest
|
|
||||||
update_cache: true
|
|
||||||
cache_valid_time: 3600 # one hour
|
|
||||||
register: apt_result
|
|
||||||
retries: 3
|
|
||||||
until: apt_result is succeeded
|
|
Explicitely
→Explicitly
redefined
→redefine
?