Borgmatic improvements (very old changes I forgot to merge) #84

Merged
jeltz merged 4 commits from borgmatic_hourly into master 2021-12-14 08:01:20 +01:00
96 changed files with 1852 additions and 1267 deletions
Showing only changes of commit 11937776c8 - Show all commits


@ -3,9 +3,7 @@ skip_list:
- load-failure - load-failure
- document-start - document-start
- meta-no-info - meta-no-info
- ignore-errors
warn_list:
- experimental # all rules tagged as experimental
exclude_paths: exclude_paths:
- group_vars/all/vault.yml - group_vars/all/vault.yml


@ -5,8 +5,7 @@ name: check
steps: steps:
- name: ansible and yaml linting - name: ansible and yaml linting
pull: never image: quay.io/ansible/toolset:3.5.0
image: aurore-ansible-lint-image
commands: commands:
- ansible-lint - ansible-lint
... ...
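Review bot: The linter image on the new `image: quay.io/ansible/toolset:3.5.0` line is pinned by tag only, and a tag on a public registry can be re-pushed, so the exact toolset the pipeline runs is not reproducible now that the local `pull: never` image is gone. Pin by digest in addition to the tag, e.g. `image: quay.io/ansible/toolset:3.5.0@sha256:<digest-placeholder>`, and note in a comment above it how the digest was obtained so the next bump can repeat it. The rest of the step definition lies outside the hunk.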


@ -2,8 +2,9 @@
# Recettes Ansible d'Aurore # Recettes Ansible d'Aurore
Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore. Dépendances requises :
Pour les utiliser, vérifiez que vous avez au moins Ansible 2.7.
* Ansible 2.9 ou plus récent.
## Ansible 101 ## Ansible 101
@ -88,8 +89,11 @@ On va utiliser plutôt `ProxyJump`.
Dans la configuration SSH : Dans la configuration SSH :
``` ```
# Use a proxy jump server to log on all Aurore inventory Host *.adm.auro.re *.pve.auro.re
Host 10.128.0.* *.adm.auro.re # Accept new host keys
StrictHostKeyChecking accept-new
# Use passerelle to connect to administration VLANs
ProxyJump passerelle.auro.re ProxyJump passerelle.auro.re
``` ```


@ -2,6 +2,9 @@
[defaults] [defaults]
# Explicitly redefine some defaults to make subfolder execution work
roles_path = ./roles
# Do not create .retry files # Do not create .retry files
retry_files_enabled = False retry_files_enabled = False
@ -9,7 +12,7 @@ retry_files_enabled = False
inventory = ./hosts inventory = ./hosts
# Custom header in templates # Custom header in templates
ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S by {uid} ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S
# Do not use cows (with cowsay) # Do not use cows (with cowsay)
nocows = 1 nocows = 1
@ -20,19 +23,12 @@ forks = 15
# Some SSH connection will take time # Some SSH connection will take time
timeout = 60 timeout = 60
[privilege_escalation] remote_user = root
# Use sudo to get priviledge access
become = True
# Ask for password
become_ask_pass = True
[diff] [diff]
# TO know what changed # TO know what changed
always = yes always = yes
[ssh_connection] [ssh_connection]
pipelining = True pipelining = True
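Review bot: Replacing the `[privilege_escalation]` block (`become = True`, `become_ask_pass = True`) with `remote_user = root` switches every run to a direct root SSH login, which only works where the managed hosts' sshd permits root logins and which loses the per-operator attribution that sudo provided; the same hunk also drops `by {uid}` from `ansible_managed`, so the header written into templated files no longer records who applied a change either. If direct root access is intended, add a comment above `remote_user = root` stating that and what the hosts' sshd configuration is expected to allow (key-only root login); otherwise keep `become` with a non-root `remote_user`. Whether the hosts currently allow root login cannot be seen from this diff.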


@ -1,9 +0,0 @@
---
- hosts: perceval.adm.auro.re
roles:
- borgbackup_server
- hosts: all,!unifi,!unifi-*,!wiki.adm.auro.re
roles:
- borgbackup_client
...


@ -1,7 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Install and configure bdd servers at Saclay and at OVH
- hosts: bdd,!re2o-bdd.adm.auro.re,!services-bdd-local.adm.auro.re
roles:
- postgresql_server
...


@ -15,6 +15,6 @@ for host in $HOSTS; do
# sshpass can be used for non-interactive password authentication. # sshpass can be used for non-interactive password authentication.
# place your password in ldap-password.txt. # place your password in ldap-password.txt.
SSHPASS=${passwd} sshpass -v -e ssh-copy-id -i ~/.ssh/id_rsa "$host" SSHPASS=${passwd} sshpass -v -e ssh-copy-id "$host"
done done
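Review bot: Dropping `-i ~/.ssh/id_rsa` from the `ssh-copy-id` call changes which keys get installed: without `-i`, ssh-copy-id uses the identities currently loaded in the ssh-agent when there are any, and only falls back to the default identity file otherwise, so an operator with several keys in their agent pushes all of them to every host in `$HOSTS`. If the goal was to stop hard-coding the key type, keep the selection explicit through a variable, e.g. `SSHPASS=${passwd} sshpass -v -e ssh-copy-id -i "${KEY:-$HOME/.ssh/id_rsa}" "$host"` (variable name constructed). The enclosing `for host in $HOSTS` loop starts outside the hunk.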

3
deploy_all.sh Executable file

@ -0,0 +1,3 @@
#!/usr/bin/env bash
# Deploy all playbooks
ansible-playbook playbooks/*.yml $@
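Review bot: `$@` on the `ansible-playbook playbooks/*.yml $@` line is unquoted, so any argument containing whitespace (a `--limit` pattern, an `-e 'key=value with spaces'` extra-var) is split into several words before ansible-playbook sees it; write it as `ansible-playbook playbooks/*.yml "$@"`. The glob is also expanded relative to the caller's working directory, so running the script from anywhere but the repository root hands a literal `playbooks/*.yml` to ansible-playbook; a `cd "$(dirname "$0")"` before the call, or at least `set -euo pipefail` after the shebang, would make that failure explicit instead of silent.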


@ -1,8 +0,0 @@
---
# Deploy a correclty configured postfix on non mailhost servers
- hosts: all,!unifi
vars:
local_network: 10.128.0.0/16
relay_host: proxy.adm.auro.re
roles:
- postfix_non_mailhost


@ -1,7 +0,0 @@
FROM python:3.9-alpine
LABEL description="Aurore's docker image for ansible-lint"
RUN apk add --no-cache gcc musl-dev python3-dev libffi-dev openssl-dev cargo
RUN pip install --no-cache-dir "yamllint>=1.26.0,<2.0"
RUN pip install --no-cache-dir "ansible-lint==5.0.0"
RUN pip install --no-cache-dir "ansible>=2.10,<2.11"


@ -1,18 +0,0 @@
# Ansible-lint image
In order to build this image when a new version comes out, you need to
1. ssh into the `drone.adm.auro.re` server
2. git pull this repo to the lastest version
3. optionally make the changes if it has not been done yet
4. `sudo docker build -t aurore-ansible-lint-image docker-ansible-lint/`
5. ???
6. enjoy
You can verify that the image was correclty built by running
```
# list the images present
sudo docker image ls
# run your image with an interactive shell
sudo docker run -it --rm aurore-ansible-lint-image /bin/sh
```


@ -18,16 +18,6 @@ ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}"
# Databases # Databases
postgresql_services_url: 'bdd-ovh.adm.auro.re' postgresql_services_url: 'bdd-ovh.adm.auro.re'
postgresql_synapse_passwd: "{{ vault_postgresql_synapse_passwd }}"
postgresql_codimd_passwd: "{{ vault_postgresql_codimd_passwd }}"
postgresql_etherpad_passwd: "{{ vault_postgresql_etherpad_passwd }}"
postgresql_kanboard_passwd: "{{ vault_postgresql_kanboard_passwd }}"
postgresql_grafana_passwd: "{{ vault_postgresql_grafana_passwd }}"
postgresql_cas_passwd: "{{ vault_postgresql_cas_passwd }}"
postgresql_drone_passwd: "{{ vault_postgresql_drone_passwd }}"
postgresql_wikijs_passwd: "{{ vault_postgresql_wikijs_passwd }}"
postgresql_nextcloud_passwd: "{{ vault_postgresql_nextcloud_passwd }}"
postgresql_gitea_passwd: "{{ vault_postgresql_gitea_passwd }}"
# Scripts will tell users to go there to manage their account # Scripts will tell users to go there to manage their account
intranet_url: 'https://re2o.auro.re/' intranet_url: 'https://re2o.auro.re/'


@ -1,214 +1,224 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
65616665376265626636393064366339323264623332323337356438303634646361303530626536 66666438656133326638326138663066643238626366633137646134376233336639326365653163
3134646236376339666130646239626333613866383766340a366465373839396639623862636436 3737613361383538663934626164356535313133643730610a663634653164623665336136326430
34336636326332313432373162356565383034636366613135353037393138363466626235353261 63383735653262393538383663653966623462326332653163316138313832346532326535336263
3634306231333966350a323133396531626565633433313761343433303964316163643365626466 6638373331343838610a323166393664633431323461396135653464396236333235333134613834
33376632643937663566386232383161303231326638356338383536626531313462636335363166 37333866663935653832613036643131306333653565623261346134396534316163366636363134
35353138393964663063613331386138363030356661633530313533336138336362306437626431 34653939363835303037666333623230643339333165613265653638376234646438393630383165
34613435383966333538363734613730386634393532653334393766613262666434303666386537 38376162626538383263626664373634343063623630326334313265323330656465343865306361
33643832653236313136663761613762656334356466623431383533333563646135336332653331 37643835366461353335626639646430633135616130646638376461316434306537346532353630
39376164363533383930343237366638323534313232613561643936336330353538393136363534 31373039303862613264653836313763333566663065383361343261343462633934343139326135
37353536623939386131616638623531326531316233656166383133316564393731623366353833 66393363393962636438383362613162303931316337626665336362633030653430346436326530
31613665303532303435363765373434653933386530356433653061623232306239316534653432 62326664396534626664383834613936356462393163666431333731613339353038336634623532
39663938616637363238623866303439326666303438613066633866343830303762633233383333 33633432363730616439386536626163383563333265386134356231376665336332376439333232
65343332616430613839636337396238666466666430383031663939323239383964346638356538 31336466633135646461373364363534636439356137616632616431363638386234303637626537
65306463303330373534316438313932373864626637643935636165333835373662623737613734 37653332366234386562656365333533326539353837343631636662666236643761323463376137
36373161386163383831623065323763356637313364303539343763653065383139623934353638 35343834636562646339316139613265393736376265636564386639646537323136616464306630
34373861616336363861363761373665393465623566393063346331333861326337316363373163 66333065323533663536336238356537373030333630626464363731313533313537346138616664
31633532373966656565303866653335356364633063313665386335663863363163303431656165 34313635636664636135633035356666613261373065636462306438386461663361326132363439
61383231666665346162303635393838323462613261663231356531393734313063663231616632 34396162373635313732653039326639366362653962376135613636396639656634313234396136
30343562366433363261393037313062343036663139353431663330383263316662313330636534 65363639393532653237613237313563343865613833373562643764333930326539303138636166
33666463393664636538376365663236613536633663303738373034303136383939343039316463 39313565653462613337616263663739333136393966663664653335333237626565636462663261
38363731333435333262383064336138303062303836303735383836626430623738666635383637 62313831663732616133396662343332353365356162353436333135393738323761363164653161
36383031646561666632666339616632366138383534393030636331323037643564306363303864 64393137343738393939316532613639373430656630386532366136393235383063626433396338
33616664326330656136336538363539623039376565383166373032386230383639326564343961 66373337343232343964326435653039386338623166616537383466653030613361396462323038
39623465366233383663383433313862306366643432623130363037643033366531376163386165 33623637323135313664306538323137333763653263326533323039373139396633313135333166
64353930386233373561356530316361623665643531333632376266633963303262346532386633 38356236653731373132353063643038623866653330623537356230306563646262343531333830
34363938363765313366636134636364616634393061333264386262386261383236386532393966 38626161393330303161313932616531326331633938656236313166313035613163323539353535
62636332633165383730313365366631303032336339346138633231656165646465643039666362 63343136643361333431353762643631643262633266346139353165393962326634363764373930
39613534303532616433646433616261653739663366383566303862386666383363633736306265 30363463623434633032366338316332313736656465366461633864373236653863393637636330
65366434626634303033616463316433393730373034666463663333376633656630386665313934 34313936666432363562633531666466356633616664663063363263356632343931333766663466
36626337383236373533623830326134303931653434613837353961366130623665623336303139 64633438333436623639333036636633366337383065313162666231613337306532653335363739
63616265366638393064666166343331306530313438636436306264636235643762623564653762 36356139303461336139323963383465376366633064343031303864373735656430666261643565
65393435363564366266313161393631383836396464643635643361363034306134626535353962 61323236623330636561653962323738323332383331303335663036626638383334333730303965
63393530313438383731303666343637303666616239643334626338393864613635363330653062 33383063323438393532306330393366326561323632623238613836396635656631373430343662
31633030396362666237376232306238373065616238373934313930313234353433343934363432 39333464643037666233373565633132386233353333313135306133343765373565393937656163
35633636656632643964613431333435656532653038373532343036396136636231306436326639 38316238383832343063666334663733313162303337313262666430363538626134313065373336
36376163656634303236396133316664613164346661346565646165303664343735303233636164 32393763633530326161333861333137363066366332613963393734663130613735393764653334
38393361343561396336333133326539346561373038613265666364316630363339336565363265 39613439643364333665383465633765363063313536383835303964363731376165383830616265
64623063346232346334373836346231353336383931393663373365623838363036643232646330 39663762306232646533353963353663343832353739333132366662306335313435663434383431
37303139663166653634336363626637653666363965383632313261326530323236303961343130 36323032333731373032313263396565643561656531643462613931313435616438366132393135
39663165303836346339396536313137636462373765313135303039386339393536303263636236 34303334383662386261386537373438373334623235643037613136653639353164353763613965
31333534323735373638666364643365396435636533393932643432386630663135633839643965 62346231613333353331376433633633353537646639393739356137316131313536343736366532
34346330613132383533393361626333636132616130343266663835616534616562646366366336 62313438326264303638323832653232643266626561303032666432353935396262316538333361
38303337373331303638643639373535633331626461613862333562653165306663383237383232 39323138313234363764303036656631323636626633316436626637333863383230613132353563
63303331656338656137613162323138333661613834323863633265353737633666336263636665 30623161643535643431663535386130643662616263343535326433353764626264343937383730
34393064376330306562343930376337626165373562336630633938316566343434633734613561 66616433623234316262343531643531396662356135336336356233393438656263316138613138
39363531383233666437373562663136303834373838383632356436643638306633346434316362 62323432306563313462366464653965663137383536633437653135343739393839343335366634
63343866353465396630383562306230313737353863363935346630396134393534353531336535 30333834656335383763643637366565633339386330386237313236373463353663363463616636
65366634316230323264366662376133303565626638386635616536303839363737663538353338 61326539363461343639366534643363353038663539366565653234646332626661613333336563
32663834636363643034316165303164386430346663303635323634373465326537653132366230 63663939343465366565653665376237313366376162363833366666373264383131386531396436
38376361663233646266663330363236666533663861303365303833386465653864656331616162 36383430613036633734346561633366613731373133373261626331336266383133653735646638
66323532643737643539643562653335393338643465373838656464326133393466373733343666 64353266653531613264373864353631626331343166656263303165326665326163313539336230
39613331376538653934333061376664323230636663336232333361623136393836326262336430 33656438613833306538643737663763343836393234633630633665393631373736353963343431
35663930336364376230356537326131323666343330373030303765653763323863646631666136 63666366303230386336363933613935313636316361346632626561376562386264666464333639
39623936613762393332303763633966303966396536643236366534316539386136633230653433 65396136623735326462316565356337363537343764653562653731386136366537306137666438
65326634323062313730376338343965386338306135393033333161313839333963326134653966 63646364646138316264336334363437363638393561343138323762626666643039633130623537
66363365353537323034646537633331336134363239393465363164663263313731666335613032 62363938323136326134633039646464353262393731313962373032623966343264333661393934
61643935623064626464346430353033313961326164316637316664363830633137383335316538 38336435346161306238373963396265376263336632646436663837356331663138366561316433
31646133623461386434343663313365376230613237326638393464366166633635646462373939 36623139336231366632323133623639356633393035333761363630633563306436326361306662
31313165616363373730393733386430633065373433643935643931363965393465323264626164 31383261343035636164313463333532373064393765363332336465663430326164373538333530
65333431653566646134646132626136323035323362313163303463393962306631363631383762 62393131666539343933393339306466336235396430326265656661643865663362616332343065
63333063633934646332303966666461663566626564643365643232323732646530303834616639 66613561326162313235613131336130333565363263343665373565386164376165646136386136
63616262316563636636613764663563323063636331643063373364373337373664333763363464 65656361316138303865636462326331353934376365613665316538616164646433356262663931
31346663633866653162323934613532333934626430643138613631653164343063323661383163 65363166386139383736643664353266613133353263313336613361616237633066356562616534
36633431376463633334306663346462373166613531663064323238323434346439333936313539 61303038666338313063383431313239393062653661393336333938663937306536383431646632
33663036663234383934626661383530666566323336363734336265346235306135336136373864 63623031323034643664663134626433323466376133636330316533663462383736623463633332
38313937663965313334653139366430316632313737303639636135666235346633303861626430 32373166313562613461643163366563656638346464343064636632373835393236336438633061
34373938633331666535336438313363626636363063333265316166333562616330306563386335 63363363353437356339643333356531633033376230313330393365626164666335623262313533
65366366303937376438313032643037656465393263393434623462336430393031373433383532 65373234346666663264373238663430373262313435316134313832303964656330386431663833
66306566656437323530323434353835303838303438613662356134343136386630643338333264 33313363366566303535326365353135303863363534646439626664323032346664656530396530
30643039666535323736303930336239643730653233393538633235303938623161343437616136 37633666383162343231333464633439643637356437383866303235616462346664316363336132
34613337383363656536373737396261396261653264373362313161336435623466366436623736 62376661323764323936666165366566636531363736306561663934653533653433666466343438
61313036383063656537613664633437336361396665633764313062396265323766346363656666 35306130323336613764633438626339636531626135373530373066363839313132346538613836
33656130316566633563353631323438343532393563633830343131653063353331323961343636 65623635346233363331633261303761393466636137346331383038613739636366616164306265
38303239623566383337356262313538316437323731326166366139623665356132313563663734 35646333653666373930303535643961343832653062303736613436666661323965373433363537
34353065316164653638313439303466316338373565323435343937653632313566656438333730 35626533386162333364333538653166663838613433353138396661303930613838623635636366
62373366333335643366356438613838373963363436393035623132626233373830666238323464 37626662303434303331666437363138336261303031343964383364313239623739343233353636
33356562636261376665303262633665323830316137306239626432323330393863613938313539 34373433343539613664313164653364353835346263643031626434333037353766376233663236
33613438373733633661633266353866373834346436383466636138393736373638623136383639 61313735303437393230663766323262383130623039393637633039316335383032346261323534
38653439373230353265386166663562633738306232623132636333396135343461646136303162 35656666306262353638623638366339353364383939306330343430366631386161343061346462
36343636306333376564383764356433653362356434306566376565653736643035336433303331 31623431626239376538663463393265366430626565396266393063646532353563663630623363
38626430623633313336653261633834323430323137313533333166393966633662613561643863 36663436346161303066633435353863663163376231303732363563313263326637346234666231
65653237636436373739633862313132623831623461643063626361613231343537383032346132 37656331623838366535303863376233356336613237353966653334343835613738343435646630
61383666383134373061643061656164366364656231343434616366356237303766343166613964 31353731613934653462356630313164313262363966356336323437653037386234303531636465
36376461366663373132326263616263316663323039626239643361363362306334633636343064 39393433373931393234633363383864336465346434333436643139643437656238623737363630
66336533626562323832633133653366323137616431363566653561363233626239616262346165 35656334396438623132373164366464646462353033623965663963633437356337346636633563
30396466343639383665383762383765396638323761653065356339343965373032306136656563 30376236303661323764643536353230373333316237323065616366363262643765666433623735
31353033343532366339303331366235373838356461353564623430333561356635336163396466 64323663666434653761313431333131343536626537393161373063363163393563343465633664
38303438616436383763386538663039393862636333326630623862353732343961646162653933 61356637636161386362363065313730366362373833633830353466356435323533356335636138
35633235303530353065343434333164306530363839663366316235333563663965623934383634 64346266316530376437663336663161376330326331663664653634633537613835366233356132
32616565313232373964366163323739353261643432363037666639663664303861383033333462 62636337613966306439613666336539313866323465366235396630353461613339623830336332
62333633626263393637306365353565306636386238613365643537353861396638643065616236 31653865663734616462356637303332303339393937313031326330373639643934326336366431
63303130313363326333663936393765623930636331663837313835333862386263303238386262 61383465373564393337333137616432626233306631623463316131633331346465646632326231
35646634663163626438356536346239666461306462326465613339653337326436356638323666 32616261666531613265383536653139653335616130333030363433646561336634643464646164
38323134396238356532623430303233303636343839646436363066383136366436336536313766 61383536336139376134336662353931623365353238333835353731373031323535373764303235
33373036386465623737316435643430616434336165343832386539666432613365326664663237 39656362383665366463363730356264313564313035393332353136323763373538643864663966
61333166343438313131643635663234626638623139363034616263643463356632353932383938 35313364323863643063353261613036346533326336633562623730363661333336336266626562
61383065343231633438313536633039633266323563336531663365326137666535623230336134 35373037366166323363343362616562346264626564356631303463636432343635383965633136
34646661306330653631383364343566386531313137643233376265313461396538373132396366 35663632306465353533383166666230363635326637656561333137366263376261383562386538
66313534386133346161373130386465383139623831653566326434646461306139633433656630 63613563663463643737333537646335353137333434313363656531333465623562653864306665
64623164376361643062396139356464373131653036336361623738633263326234323066613661 34313736346131636261663035326361613036393433346233373963333134616235393532333763
31306163313038333861656561356661383436363534366665376362346661616464633065303234 62313136623031393364316361663536353063383065613334663239353932646230306461333764
61616237313434363761636261313630356639346434636465363763373235636462666338343265 62306532653130353032306530636164363730323538613965323661393439613161356237656335
34336533376366393339306539633238326663656266373965623962623665626238366333393734 30343330336131393636646639306532333864646563303363313331613630313430303834653864
35646636666535396638373134376362396134353035633566336461326630323833383734356161 38313465303332303530326466373939343161633534353064333731343431336334303133343531
62303738343662633735663965336435316630653061373736643035653337363635623863626533 64336534623066333863666636326364353839613565643132643266333861636663313930363434
31306138313839616131363333326439323863646236613133333163366162353063366561656631 37656338356566646632393831613237613936663934333766633365373636643234346136633264
61623237633361313631633463666335643935616237656134383830393335346632393066666632 64643865613938366530613365326163376566616562383032633636393234373439656538343130
66326331653430633165333037316637303138353133313264643739626566353137383265366264 63666535646163346166396538386631373532626133643530326532353066313139656266313135
38353533613863353431656665363339633265303463613565636565393836616230643932333762 38633131613364306165646630346361303136636434653234633164333235666166613061626337
30353437343761613236613431626536666538336234633166623961363031393235333763626337 66396461636264616562666337343831303335373835386265666265616366393934323265333235
65623836323538653730393533383532626133393834376339303630626533613339623666353839 30346332373635633935616539323331326165666362316462633432353666633135653136373662
38613833623830306566333035336334383733626166363239356661353965353462393161626136 66306138633738653266336164346566616266626434356665386137313631646565646331303961
37336365663863393963653031303337396666653262646635386337386230383562616564653966 30383961373962333133396665333339333230356666636636643235373236346666333239353763
34393831383639303562333464653736363330326462623266383038326561323264363563623065 62653737313566376461336230623962353136666263656239373138353162666464633239386265
30366435323961613463653636666238383632353661326439346430356134643866396531623039 39646336313932306236346534643431373562636265306166653433636565353037363633653530
66663830353732663863393762626161383263663535333032393632633066363836363939316262 36393638663965613337646633363664663432303231366662646435626233303538346537366130
30373766363637316535306538663235656137363038623936366465376636393535326437666334 65336232353162323337303234633734356236373131626339316363666537666538623438313833
30343437326362613761376262383265313264383464383838386638653065313864353235373331 65383535636234303036346661373630303731663839323663336236643739303836333030343136
62646366333137643931316339373761663731633766363864633461323266663236613231656633 62326539356535323731373938393238613133636432323166326133336362313465326262353530
31653132343031313535656538663761386266333062646439383633336531373764366166646165 32613765633035616431656632366264633134626335356133363561383163396334313738376437
64343439386336323064616634363532353166353531633332663862653666666436666564356236 66383266396365336338383338646465616438386234353635303565326365396432383431616636
62336332386437626137386566333934393636313933386466366361633232383135383066396263 39346566306535306534383965313861343336326462316566643962346465333764653131383031
38343432323865353563363631646535633438336333316134343862336666313063643036343030 32306533313137346166653863386134623062653637346535383130643936656331613866346337
62323732353837363639376564336665343265663861303938316564646533346337306338623834 61366632316332316664613031323033626235326461336133343335323531633639363465306438
62353835356465303561346337366136396664383961663237653538643462666263346638303363 66616262353066363637616530396362626161396439613134373537643266666562386436346638
32663564646333343532613861336132396530363435626361643631666464383364613336383235 63623033353734373062373365663733666161366262303030306162386366653933326234646333
64376465636238633765643234383665663637643565626663393066316538313563393730396430 61633337326265326334346261343663633539373533613963636438663638306130646234386434
36373037396264613731353337393261346534343263393862376464393565353739393431313031 38346537623566313763383064666639376237656662383865653162336234303232386439373962
61353538366439383234316530326338633635393035376335616565356630633964636639386639 31383961616333623736626534333536356136613137636662353664396135623134343663646638
63356666653532666435663564393332303234363465636335316365326365633837663930616233 64376366346534663132616265356263356638303162306233383230363636323962333963353262
61343933653232666138613866666430376439396336353535663361373564366262646663653064 64343232373063313036616634613939623433373262386134633233643635306137373630316334
31353765386537656235613131323763323930363162646236333632663034356237363231313762 65336466646532343633663739626336393730383836653065356632333533633162646437366665
39323531333264633863363163333735303636333866653763373362626265396265356564303533 31376531383262373566323664323161346563626366623133643462636363393835373834313862
31353838333337393732633961353561633430616637396235626261316433366339356239633737 61323533306137356330666531366466303230653864386566613535363465313063363962653666
64333636333566366237303231376337613539643464663839303438313532323538643738353866 62333639636332366537363631623430376163396333333663396430393334343732626361306439
38626438303033346531323836336534633732366631376665663139323037643161326561363635 31623862663736633362373466626333663964356162653337633039323138353035656562396132
34633237623537383466316433336636633962623161383338656339613139346138366132356365 33333837396164646564623735366266376562623835656566393361633730616130373931663461
38363635666234616532316333366236396639353130646234626533666133363661393038353666 62376537613661616135346562393539346632343530363335373965323664653463383637656336
38343530306239336234336463646332356462356565376463383930656561336239656465303231 31383835363931393537646132656164653730323639373835336334653561363835373663363730
61323862333032343137636434643335383163366236373161653366323139646235306564366637 32376435626431356336633939326636313834346666656237376264633162323062663238353537
31313335653732633434616436636532343037383861393931323734383964346437323933653737 34376336616234373165313064396361356263383239393036643761613630666230346361336666
39653633663064313933346231663931343163336166663662333239376634386135666230393563 32333462313161656563323534393936373535316236393865636630366263373765323632643065
34333163653935326532386662613537373161366331633737653539333161386461313638643034 66396465306234623565663139613830356139376135336230373364646465343562373361646337
62323433613164383731653534383662316364333538613433623731376234306538663766363965 63363937663461636334366630303530343065323065633965643561366264613865356235636337
64376432396361636637343539393330323835353562393031616137393363333662346332616464 65616564636635376635623937303330386537323966353034363331316363653136653939376439
32643939663266343038356539656464393665616637383030666630333834613830373837353738 33323262396138316665383163306131383331623338343263353638343033323638323462303439
63623130653465386135636635643637366231383765623761356563323061343337306538633031 33333631623638616430356666663161636534313038373130663030356537653265363232386530
66326334303539623763636362333534643431383962383539613964613531353135663463373266 31646637333263613937646330363139353531373361376466396331386266393264366239356237
37326632353861383964653430656362613930353138316566636531323733396231333361663431 66336333663665393035626639376163623435666530656563336434626238373736336335613036
66356561366634323832386437336130363535343132333436633761613731636561333039303965 37303038646534363161343735633330343734616339633039376539343438373264393938663463
33336532373764303334636461646464633866656237656466613361613131613764366339336233 32356562353161396230373239653631323038383661383037393761323131323038643064656665
38373030366130613230636365303233393631383538316230366434326137336532333261383236 65346362373430656162346438653533306638303364386438383436333232363033383933666562
64306566343964643139646438633066373261363836386361316138326362373361316536313839 32336630303932303636653438336462313466393463343363633662383237643837323363353765
39663633343330663732376230633638626533313963306266363030306431373862633833383532 31666537643665343431613462616663303732666535363536613534656236356237336564363134
36623537323532373934613962613761376463363337393666316434383463393962616366643436 33633266396630393837363364303963663435646166363566356530313835316236346332633164
34326566383666663266396165613534633464656130313535383963353238623238393837353133 62656636643930363235636162646166626337326535643565616139363738396631613665626536
66396661626432313038306362393136616166653962363736363133303835376264616561343736 66303238363335656538353265383864663436363834633664653433333163643537333433383766
38383531623733326366333661393262613335653238343235353165613339393535316236353563 66613437366632346263623233646338316239316430303336323465656531326637323263343162
35663037363935386634623064636333666135313361303837383630643665613863373931626333 31346632363464313637373766303765323435663939353063313236373632393866363562346335
36316138343462636538616466383461353639613264653831323133333262626633353766643730 33386334653833663832396536663031613432656665306662396135363632333961663663386635
63343030346536616539643832303238393539383362316137386437356630313438623436636465 62653631623636623963616431613131393734396365333131386433613561646266623739353330
35363436306634393764386362616330373732623763373064306562326337303732333733346563 35336234653334653030356261353438363232366230316366313661626261646633333365393563
63356231343165653132303338343439356666646162626639646232623064656664336133666233 66636532326239623463303662386536313461376464633738633038346664373032373364336166
36366366363264663033333731616632383438306435663631613439646466663434343931663764 65306433316365613261383534326530376430323938306265313838626536373530636533336462
36623437666232323336366363333333373430303639393761636463333135626263333066656538 33323034393765613737666237303233333439656463306633343237633634396331306338336139
35336431623265663239633963353162366534653864653530623935333137653761336234616133 30336637633064373033363333353838646365313733646461663763373661366237366433363638
61643231663033393535383063373236363538623964303435623337383031653734626461623731 31303565396133313932636665663261393136623730663535396337663961393363626435663062
62306565303739313166333663363935313362356362303066323635626638393961623138613864 34343536383864323231653632393839616539333438353039633764336535653962393135333035
33626639323030306461326232323533303131633630316437333936653839626362613162336339 39343332396130643239633639353661623565323861303137303764633266613130323431636164
39373339626238303238306363356166646532623963306438626264633961643765353434326430 65653235386661333363653665626231356331333666363133343830326431396366373064653063
65323535306566343537663632393866616239613732643032356536303764636564306630383633 61316233633635663866356261383766666430663130636166656330356639666233386131313737
66356435616237376538653539366636636533343866623764316462346634313032333636336166 62333637366430636362316166356464643361363165616630393461356661396263316234346562
33653231336563363336303936336430343137653966393530393532323563393532353434393231 61653032333639383762353335643036616566666230666465646338663834666161626263623862
38363662613161626132383266323635613165363433623630653663396562366262376634326561 36383166623766623730333337313932363337356430373165666537346637316438313133656362
66643938306331663931386535613833613761313639363038616139343966656662646432663666 65303936363730356131316232346433376261656661353533613265343065356539343366383538
63393931373738373536323631353361303366343330306565393230396332373932303866333034 32366561663366656562356666303936336663353964623263336435653964626133383332373436
35396166633165396537373638333730303730613939386663653032626439363466623231303833 30346236633266613363626632636464366435383430323365383436626361336531353363313439
63656338656435383531613734643165613536353632393535646132303034663731396631303237 65663664623531363039303431303137623164633332616436353631633361383536616330363737
64376438373538373362353766303963396639333732373266343766363534623063313138616139 39656535666131333863363832353664326534646233346435623937646566623466646131383335
39313861616164613031643934313466633431316230656566306666303932343039383737313565 37643038306363336638393132666464393636623331306366636435633335333064383630393763
66356432336663636631666138636538323238303462376330663134616365323536386234666136 62346366613238366532343761323663633137393133306564386533643132323661323938643933
63343032383465616437303437303063626335363333656166393435343834646634313435653334 37316165346536393465613233666166633935666361376131613762383933363935353034653662
31366465386238393133366364376565656639656230343161613463393931373537383564353866 30393138633665366336373038326436353932613138396462383163376361356435376462333237
31313464663531353165646665356231646634383936643539323866376631666635306334616261 66363535616639356336323838653633323064643635373630653639613834386465363536306664
39383439366664386563386133356239333133306162316466343334356631616434623363643535 34303831366364346361643564616435396661373765323530396635376161316334356137656664
38663530623063373965666530386632323034623139303839323761376638313362316430373536 61333762366365633038653934653436613637636132353062373134316162336539653239613333
62363265366537656237633663663266653631653561303965616635363438613061306362336430 34383666643136373337303466346165363137306563643964303839626264323231343262303836
35303461633864353735613330643966396230623434323132383135623331353361633134663931 36643664633535326166313832666230656532353538363765316362336136323430636666356339
33333435306635313161613930656239346461623931356430306364383937353433626435633832 30656635343038646131663837313232316262393863613863393031386336663730613761393466
64613437313464323861356338643733386432656233663333343437353935353236346561366330 65343331346435393764343565326531653263336463346633653231643937323237383134626462
32396465333833343732653136616636663736623434363765336161383433356333313135313161 32383362633666303131376164353261353232393036353636626566633862383063356136333036
33373764393265376661613465626638353636653931323162363031666262653062626166363930 64346239363633393065633631343061343639323437303163343565646661366265643133386465
39613931356338393862356537343332633635366134343037633765616634316362386335663036 30616235653231623263353736636231356136653236366531316131323635333137643666373437
32666465323538356634346662383238326663333339623430376362306534363630613337626266 61336435613237306430343966383839663261386335616234363864353632653433393033656433
39326361383435623939663163373835626439643433393839383730666166666266356361633731 39613835326130383864373832663536383261363135303664383131636164316634383831363233
33336265613531303735613239316362633538386632343836613230326164366165616265313066 34386639616233373731306537633962383565336565343434663361343062326435343565666632
35333361303734343231633930346230343432336665383337343431303031383962383366343433 64303830326436613932333161333930656666306165316333386237633161366161303537383465
63363364333063313632663765633831323863626636643862323865356461366361343563383363 63326265626662376136636131323261643234656239316131383235636336303733386632633436
33363138646366333136326435376537356338633862623531393938373935353466376266333664 65636663626434303637616366626463346533616237306130666365366564333735383032346635
31633039336362363237376266346561313064393537613832663130653761636633313562316639 31623663363164316362343933663530663038616137633235656466366565306331343961343362
36633432613931663263343861396632356136366636336163343333323661666663346365626564 65333935653664323266356637616532393538653231383935643432363838343335656165633832
32613734313663656164333537653666313033643262336239623961313638306634343666303938 65626531316161646233626337626165656133643362626263363261326363306439353863353633
62636236353161336134323430336263643038623663353965656236623465326661633766363765 38323161383739336631373266303633363964663833643130643235366137383637663134623664
35653261663335313065383266383833393431333631653363363030363939323862653262316637 37363363306632646433376133383964643965623833373436663436393164666430363663363036
62343263623037643435656165623466326365363532353434643665336632383765313937666535 62346538353538356566623562666166383162666537656335346337643132303339326333363933
37663463303034363531386465383663393534393435633764646138313962373735393334326137 31396461346434623362353863303335623866316562316234386538343364343561333937326166
61653933316435363130333335323066386532626234626534396435383061333961363739333033 33613237386239613533653036613636666662616461613031623065323630333766653265666439
61656364313963303132623837666463633066653165316633373166373161343539393132316665 37653936303438333235366232343436346463643330373038646330306236643737386330663266
37646631643265333665643262666265653339616530336361333333633939373839323264613761 33323631303836363239663731623435666630626335663134393532306235343033663365613237
62643363356431306330313761623933623333383066333364663439646536333232386232623238 61643233356264306465623062303231643335643737366434306663393035613365616139646538
62356533636632396330353430653935613965383938643638353632643865323832623737646635 34613338346633326432353064336233343765633638626639643430333233353235616639626239
32636464343734653765396236653538343463373662653733326362363330643038663766383861 61663361643636653930666437633865386537383163643832326665316465616232636266366539
34316338343064393862353364613037393231343366633364393535343965623431 62653061396265393831396431626462663033383637363565313531343764383931663665613064
39383461353133306434323562393136313536623739353235346565376134306636613465633630
34633737633536353338663061373738336337633134636639663730366537343463373635653833
62393937393232316161366135353638666466373639613363653032666530633634306639333366
38386432636639386435306638383035353134373261663038616137336164396235356131323038
61333031316666353336343638623963616266643432613533616466353362353565363237636630
38343662623838666134356537353434383564616335363032663436333133613762383063353562
66646138383064636463623939643834396165633164333038373938636631306439356436373561
64663835393863353131343334633137346162373838353738323938313162396165393632316566
65326462613361643964386564376464353666386133616666623039366638383236653832393665
623466653930303838323161316265323031


@ -1,3 +1,4 @@
---
loc_nginx: loc_nginx:
servers: [] servers: []

3
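--- /dev/null
+++ b/group_vars/routeur.yml
@@ -0,0 +1,3 @@
+---
+rsyslog_high_density: true
+...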


@ -1,70 +0,0 @@
---
postgresql:
version: 13
postgresql_hosts:
- database: etherpad
user: etherpad
net: 10.128.0.150/32
method: md5
- database: codimd
user: codimd
net: 10.128.0.150/32
method: md5
- database: synapse
user: synapse
net: 10.128.0.56/32
method: md5
- database: kanboard
user: kanboard
net: 10.128.0.150/32
method: md5
- database: grafana
user: grafana
net: 10.128.0.150/32
method: md5
- database: cas
user: cas
net: 10.128.0.150/32
method: md5
postgresql_databases:
- synapse
- codimd
- etherpad
- kanboard
- grafana
- cas
postgresql_users:
- name: synapse
database: synapse
password: "{{ postgresql_synapse_passwd }}"
privs:
- ALL
- name: codimd
database: codimd
password: "{{ postgresql_codimd_passwd }}"
privs:
- ALL
- name: etherpad
database: etherpad
password: "{{ postgresql_etherpad_passwd }}"
privs:
- ALL
- name: kanboard
database: kanboard
password: "{{ postgresql_kanboard_passwd }}"
privs:
- ALL
- name: grafana
database: grafana
password: "{{ postgresql_grafana_passwd }}"
privs:
- ALL
- name: cas
database: cas
password: "{{ postgresql_cas_passwd }}"
privs:
- ALL
...


@ -1,50 +0,0 @@
---
postgresql:
version: 13
postgresql_hosts:
- database: nextcloud
user: nextcloud
net: 10.128.0.58/32
method: md5
- database: gitea
user: gitea
net: 10.128.0.60/32
method: md5
- database: wikijs
user: wikijs
net: 10.128.0.66/32
method: md5
- database: drone
user: drone
net: 10.128.0.64/32
method: md5
postgresql_databases:
- nextcloud
- gitea
- wikijs
- drone
postgresql_users:
- name: nextcloud
database: nextcloud
password: "{{ postgresql_nextcloud_passwd }}"
privs:
- ALL
- name: gitea
database: gitea
password: "{{ postgresql_gitea_passwd }}"
privs:
- ALL
- name: wikijs
database: wikijs
password: "{{ postgresql_wikijs_passwd }}"
privs:
- ALL
- name: drone
database: drone
password: "{{ postgresql_drone_passwd }}"
privs:
- ALL
...


@ -10,5 +10,7 @@ rsyslog_inputs:
port: 20514 port: 20514
- proto: udp - proto: udp
port: 514 port: 514
- proto: tcp
port: 6514
rsyslog_outputs: [] rsyslog_outputs: []
... ...
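Review bot: The new `- proto: tcp` / `port: 6514` input listens on the port IANA reserves for syslog over TLS, yet the entry carries no TLS-related keys, so whether the listener is actually TLS-wrapped depends entirely on what the rsyslog role does with `proto: tcp`. If it is a plain TCP listener, a comment such as `# 6514: plain TCP listener, TLS is not configured here` (or the role's TLS settings, if it supports them) would stop readers from assuming the transport is encrypted because of the port number. The enclosing `rsyslog_inputs` list starts above the hunk.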


@ -41,9 +41,6 @@ loc_reverseproxy:
- from: intranet.auro.re - from: intranet.auro.re
to: 10.128.0.20 to: 10.128.0.20
- from: bbb.auro.re
to: 10.128.0.54
- from: nextcloud.auro.re - from: nextcloud.auro.re
to: "10.128.0.58:8080" to: "10.128.0.58:8080"
@ -64,3 +61,12 @@ loc_reverseproxy:
- from: wikijs.auro.re - from: wikijs.auro.re
to: "10.128.0.66:3000" to: "10.128.0.66:3000"
- from: wiki.auro.re
to: "10.128.0.66:3000"
- from: netbox.auro.re
to: 10.128.0.97
- from: grafana.auro.re
to: "10.128.0.98:3000"


@ -1 +0,0 @@
postgresql_databases: true

67
hosts

@ -8,10 +8,11 @@
############################################################################### ###############################################################################
# Aurore : main services # Aurore : main services
viviane.adm.auro.re
[aurore_pve] [aurore_pve]
merlin.adm.auro.re escalope.adm.auro.re
services-1.pve.auro.re
services-2.pve.auro.re
services-3.pve.auro.re
[aurore_vm] [aurore_vm]
routeur-aurore.adm.auro.re routeur-aurore.adm.auro.re
@ -25,7 +26,7 @@ camelot.adm.auro.re
gitea.adm.auro.re gitea.adm.auro.re
drone.adm.auro.re drone.adm.auro.re
nextcloud.adm.auro.re nextcloud.adm.auro.re
stream.adm.auro.re galene.adm.auro.re
re2o-server.adm.auro.re re2o-server.adm.auro.re
re2o-ldap.adm.auro.re re2o-ldap.adm.auro.re
re2o-db.adm.auro.re re2o-db.adm.auro.re
@ -39,9 +40,10 @@ bdd.adm.auro.re
bdd-ovh.adm.auro.re bdd-ovh.adm.auro.re
litl.adm.auro.re litl.adm.auro.re
log.adm.auro.re log.adm.auro.re
netbox.adm.auro.re
grafana.adm.auro.re
[aurore_testing_vm] [aurore_testing_vm]
pendragon.adm.auro.re
############################################################################### ###############################################################################
# OVH # OVH
@ -51,11 +53,8 @@ horus.adm.auro.re
[ovh_container] [ovh_container]
synapse.adm.auro.re synapse.adm.auro.re
phabricator.adm.auro.re
wiki.adm.auro.re
www.adm.auro.re www.adm.auro.re
proxy-ovh.adm.auro.re proxy-ovh.adm.auro.re
matrix-services.adm.auro.re
[ovh_vm] [ovh_vm]
serge.adm.auro.re serge.adm.auro.re
@ -73,8 +72,10 @@ prometheus-federate.adm.auro.re
############################################################################### ###############################################################################
# Les Jardins de Fleming # Les Jardins de Fleming
[fleming_server]
perceval.adm.auro.re
[fleming_pve] [fleming_pve]
freya.adm.auro.re
marki.adm.auro.re marki.adm.auro.re
[fleming_vm] [fleming_vm]
@ -244,7 +245,7 @@ ps-4-3.borne.auro.re
# Emilie du Chatelet # Emilie du Chatelet
[edc_server] [edc_server]
perceval.adm.auro.re caradoc.adm.auro.re
[edc_pve] [edc_pve]
chapalux.adm.auro.re chapalux.adm.auro.re
@ -267,7 +268,6 @@ ee-2-1.borne.auro.re
ee-2-2.borne.auro.re ee-2-2.borne.auro.re
eo-0-1.borne.auro.re eo-0-1.borne.auro.re
eo-2-1.borne.auro.re eo-2-1.borne.auro.re
eo-2-2.borne.auro.re
ep-0-1.borne.auro.re ep-0-1.borne.auro.re
ep-1-1.borne.auro.re ep-1-1.borne.auro.re
ep-1-2.borne.auro.re ep-1-2.borne.auro.re
@ -348,7 +348,6 @@ gh-1-2.borne.auro.re
############################################################################### ###############################################################################
# Les Rives # Les Rives
[rives_pve] [rives_pve]
thor.adm.auro.re
loki.adm.auro.re loki.adm.auro.re
[rives_vm] [rives_vm]
@ -439,6 +438,7 @@ ovh_vm
# everything at fleming # everything at fleming
[fleming:children] [fleming:children]
fleming_server
fleming_pve fleming_pve
fleming_vm fleming_vm
fleming_unifi fleming_unifi
@ -451,6 +451,7 @@ pacaterie_unifi
# everything at edc # everything at edc
[edc:children] [edc:children]
edc_server
edc_pve edc_pve
edc_vm edc_vm
edc_unifi edc_unifi
@ -483,6 +484,11 @@ edc_vm
gs_vm gs_vm
rives_vm rives_vm
# every server
[server:children]
fleming_server
edc_server
# every PVE # every PVE
[pve:children] [pve:children]
ovh_pve ovh_pve
@ -503,6 +509,20 @@ pacaterie_unifi
############################################################################### ###############################################################################
# Groups by service # Groups by service
[routeur]
routeur-fleming.adm.auro.re
routeur-fleming-backup.adm.auro.re
routeur-pacaterie.adm.auro.re
routeur-pacaterie-backup.adm.auro.re
routeur-edc.adm.auro.re
routeur-edc-backup.adm.auro.re
routeur-gs.adm.auro.re
routeur-gs-backup.adm.auro.re
routeur-rives.adm.auro.re
routeur-rives-backup.adm.auro.re
routeur-aurore.adm.auro.re
routeur-aurore-backup.adm.auro.re
[ldap_replica:children] [ldap_replica:children]
ldap_replica_fleming ldap_replica_fleming
ldap_replica_pacaterie ldap_replica_pacaterie
@ -549,3 +569,26 @@ proxy.adm.auro.re
bdd.adm.auro.re bdd.adm.auro.re
bdd-ovh.adm.auro.re bdd-ovh.adm.auro.re
re2o-db.adm.auro.re re2o-db.adm.auro.re
[radius]
radius-aurore.adm.auro.re
radius-fleming.adm.auro.re
radius-fleming-backup.adm.auro.re
radius-edc.adm.auro.re
radius-edc-backup.adm.auro.re
radius-gs.adm.auro.re
radius-gs-backup.adm.auro.re
radius-pacaterie.adm.auro.re
radius-pacaterie-backup.adm.auro.re
radius-rives.adm.auro.re
radius-rives-backup.adm.auro.re
[prometheus]
prometheus-ovh.adm.auro.re
prometheus-aurore.adm.auro.re
prometheus-rives.adm.auro.re
prometheus-gs.adm.auro.re
prometheus-edc.adm.auro.re
prometheus-pacaterie.adm.auro.re
prometheus-fleming.adm.auro.re
prometheus-federate.adm.auro.re
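Review bot: `viviane.adm.auro.re` is added above the `[aurore_pve]` header in the first hunk, so it lands in whatever group precedes line 8 (or in `ungrouped`) rather than in `aurore_pve`; if it is the new PVE host alongside `escalope`, it belongs below the header. The new `[routeur]`, `[radius]` and `[prometheus]` groups repeat hosts that are already members of the per-site `*_vm` groups, so a comment such as `# keep in sync with the per-site *_vm groups above` next to each would make the maintenance burden explicit.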


@ -1,65 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Set up DHCP servers.
- hosts: dhcp-*.adm.auro.re
roles:
- isc_dhcp_server
# Deploy unbound DNS server (recursive).
- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
roles:
- unbound
# Déploiement du service re2o aurore-firewall et keepalived
# radvd: IPv6 SLAAC (/64 subnets, private IPs).
# Must NOT be on routeur-aurore-*, or will with DHCPv6!
- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
roles:
- router
- radvd
# No radvd here
- hosts: ~routeur-aurore.*\.adm\.auro\.re
roles:
- router
- ipv6_edge_router
# Radius (backup only for now)
- hosts: radius-*.adm.auro.re
roles:
- radius
# WIP: Deploy authoritative DNS servers
# - hosts: authoritative_dns
# vars:
# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
# service_name: dns
# service_version: crans
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o_service
# Deploy Unifi Controller
# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
# roles:
# - unifi-controller
# Deploy Re2o switch service
# - hosts: switchs-manager.adm.auro.re
# vars:
# service_repo: https://gitlab.federez.net/re2o/switchs.git
# service_name: switchs
# service_version: master
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o_service


@ -5,13 +5,6 @@
roles: roles:
- baseconfig - baseconfig
- basesecurity - basesecurity
# Plug LDAP on all servers
- hosts: all,!unifi
roles:
- ldap_client - ldap_client
# Install logrotate
- hosts: all,!unifi,!pve
roles:
- logrotate - logrotate
- update_motd
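Review bot: Folding `ldap_client` and `logrotate` into the first play changes which hosts receive them: the removed plays targeted `all,!unifi` and `all,!unifi,!pve` respectively, whereas the merged play's `hosts:` pattern sits above the hunk and cannot be checked here. Unless that pattern already excludes the unifi and pve groups, logrotate now runs on the PVE hosts and ldap_client on the unifi hosts, which the previous layout deliberately avoided. The enclosing play begins outside the hunk.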

32
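--- /dev/null
+++ b/playbooks/borgbackup.yml
+#!/usr/bin/env ansible-playbook
+---
+- hosts: perceval.adm.auro.re
+  vars:
+    update_motd:
+      borgbackup_server: >-
+        Les sauvegardes (borg) sont stockées dans
+        {{ borg_server_backups_dir }}.
+  roles:
+    - borgbackup_server
+    - update_motd
+- hosts: all,!unifi,!unifi-*,!bdd
+  vars:
+    update_motd:
+      borgbackup_client: >-
+        BorgBackup est déployé (/etc/borgmatic/config.yaml)
+  roles:
+    - borgbackup_client
+    - update_motd
+# On databases server, also backup databases
+- hosts: bdd
+  vars:
+    borg_postgresql_databases: true
+    update_motd:
+      borgbackup_client: >-
+        BorgBackup est déployé (/etc/borgmatic/config.yaml)
+  roles:
+    - borgbackup_client
+    - update_motd
+...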
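Review bot: The third play is a copy of the second with only `borg_postgresql_databases: true` added, and the second play needs its `!bdd` exclusion solely because of that; setting the flag in `group_vars/bdd.yml` (this commit already deletes a one-line host_vars file that carried the old `postgresql_databases: true`) would let a single `all,!unifi,!unifi-*` play cover every client and remove the duplicated `update_motd` block. The `!unifi` and `!unifi-*` patterns also look redundant if the `unifi` group is the one holding the `unifi-*` hosts; worth checking against the inventory. Note too that `all` includes `perceval.adm.auro.re`, so the backup server itself receives `borgbackup_client`; if that is intended, a comment saying the server backs itself up would help.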

10
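--- /dev/null
+++ b/playbooks/docker.yml
@@ -0,0 +1,10 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy Docker hosts
+- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,wikijs.adm.auro.re
+  vars:
+    update_motd:
+      docker: Docker est déployé.
+  roles:
+    - docker
+    - update_motd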
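Review bot: The `hosts:` line hardcodes four FQDNs in a comma-separated pattern that runs well past 80 columns, while the same commit introduces service groups such as `[routeur]` and `[radius]` in `hosts`; a `[docker]` group there would let this play read `- hosts: docker` and keep membership in one place. The docker play removed from `playbooks/nginx.yml` also listed `stream.adm.auro.re`, which this file drops — consistent with the apparent rename to `galene.adm.auro.re` in the inventory, but a comment noting that galene is no longer a Docker host (if so) would save the next reader the cross-check.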

27
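--- /dev/null
+++ b/playbooks/grafana.yml
@@ -0,0 +1,27 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy Grafana
+- hosts: grafana.adm.auro.re
+  vars:
+    grafana:
+      root_url: https://grafana.auro.re
+      database:
+        type: postgres
+        host: 10.128.0.95
+        name: grafana
+        user: grafana
+        password: "{{ vault_postgresql_grafana_passwd }}"
+      ldap:
+        host: "re2o-ldap.adm.auro.re ldap-replica-ovh.adm.auro.re 10.128.0.21 10.128.0.149"
+        bind_dn: cn=grafana,ou=service-users,dc=auro,dc=re
+        bind_password: "{{ vault_ldap_grafana_password }}"
+        search_base_dns: "cn=Utilisateurs,dc=auro,dc=re"
+        group_search_base_dns: "ou=posix,ou=groups,dc=auro,dc=re"
+        editors_group_dn:
+          - cn=sudoldap,ou=posix,ou=groups,dc=auro,dc=re
+          - cn=technicien,ou=posix,ou=groups,dc=auro,dc=re
+    update_motd:
+      grafana: Grafana est déployé (/etc/grafana).
+  roles:
+    - grafana
+    - update_motd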
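Review bot: The `ldap:` block lists four directory servers by hostname or bare IP and supplies a `bind_password`, but says nothing about transport, so unless the `grafana` role hardcodes `use_ssl` or `start_tls` in the generated `ldap.toml` the service-user bind crosses the admin VLAN in clear text (Grafana defaults both to false). If the role reads those keys from this dict, adding them here documents the intent; if it does not, a comment such as `# LDAP bind is plain; relies on the admin VLAN being trusted` at least makes the choice visible to the next reader.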

9
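--- /dev/null
+++ b/playbooks/isc-dhcp-server.yml
@@ -0,0 +1,9 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: dhcp-*.adm.auro.re
+  vars:
+    update_motd:
+      unbound: isc-dhcp-server est déployé.
+  roles:
+    - isc_dhcp_server
+    - update_motd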
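Review bot: The `update_motd` entry is keyed `unbound` although the message describes isc-dhcp-server, which looks like a copy/paste from the unbound play; on a host that runs both playbooks the two messages would share one key, and whichever runs last presumably wins. Rename the key after the role: `isc_dhcp_server: isc-dhcp-server est déployé.`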

17
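--- /dev/null
+++ b/playbooks/knot.yml
+#!/usr/bin/env ansible-playbook
+---
+- hosts: all
+  roles: []
+# WIP: Deploy authoritative DNS servers
+# - hosts: authoritative_dns
+# vars:
+# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
+# service_name: dns
+# service_version: crans
+# service_config:
+# hostname: re2o-server.adm.auro.re
+# username: service-user
+# password: "{{ vault_serviceuser_passwd }}"
+# roles:
+# - re2o_service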
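Review bot: The placeholder `- hosts: all` / `roles: []` play does nothing except gather facts on every inventory host each time the playbook runs, and the same placeholder is added to `playbooks/ldap.yml`; it is presumably there because an otherwise empty playbook is rejected. Adding `gather_facts: false` to it, or targeting `localhost` instead of `all`, keeps the file valid without touching every machine. A comment such as `# placeholder play so the playbook stays valid while knot is WIP` would explain why it exists.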


@ -1,7 +1,10 @@
#!/usr/bin/env ansible-playbook #!/usr/bin/env ansible-playbook
--- ---
- hosts: all
roles: []
# Clone LDAP on local geographic location # Clone LDAP on local geographic location
# DON'T DO THIS AS IT RECREATES THE REPLICA # DON'T DO THIS AS IT RECREATES THE REPLICA
- hosts: ldap_replica # - hosts: ldap_replica
roles: # roles:
- ldap_replica # - ldap_replica


@ -1,18 +1,18 @@
#!/usr/bin/env ansible-playbook #!/usr/bin/env ansible-playbook
--- ---
# Install Matrix Synapse on corresponding containers # Install Matrix Synapse
- hosts: synapse.adm.auro.re - hosts: synapse.adm.auro.re
vars: vars:
mxisd_releases: https://github.com/kamax-matrix/mxisd/releases mxisd_releases: https://github.com/kamax-matrix/mxisd/releases
mxisd_deb: "{{ mxisd_releases }}/download/v1.3.1/mxisd_1.3.1_all.deb" mxisd_deb: "{{ mxisd_releases }}/download/v1.3.1/mxisd_1.3.1_all.deb"
update_motd:
matrix-synapse: matrix-synapse est déployé.
matrix-appservice-irc: matrix-appservice-irc est déployé.
matrix-appservice-webhooks: matrix-appservice-webhooks est déployé.
roles: roles:
- debian_backports - debian_backports
- nodejs - nodejs
- matrix_synapse - matrix_synapse
- matrix_appservice_irc - matrix_appservice_irc
- matrix_appservice_webhooks - matrix_appservice_webhooks
- update_motd
# Install Matrix services
- hosts: matrix-services.adm.auro.re
roles:
- debian_backports
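Review bot: The new `update_motd` keys use hyphens (`matrix-synapse`, `matrix-appservice-irc`, `matrix-appservice-webhooks`) while every other playbook in this commit keys them in snake_case after the role name (`borgbackup_client`, `postgresql`, `nginx`, `grafana`); if the key is ever reused as a variable or file name, the hyphenated form will be the odd one out. Consider `matrix_synapse:`, `matrix_appservice_irc:` and `matrix_appservice_webhooks:` to match the role names listed in the same play.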


@ -1,28 +1,26 @@
#!/usr/bin/env ansible-playbook #!/usr/bin/env ansible-playbook
--- ---
# Deploy Docker hosts
- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,stream.adm.auro.re,wikijs.adm.auro.re
roles:
- docker
# Deploy Passbolt
- hosts: passbolt.adm.auro.re
roles:
- passbolt
- hosts: reverseproxy - hosts: reverseproxy
vars: vars:
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}' certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}' nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
reverseproxy: '{{ glob_reverseproxy | default({}) | combine(loc_reverseproxy | default({})) }}' reverseproxy: '{{ glob_reverseproxy | default({}) | combine(loc_reverseproxy | default({})) }}'
update_motd:
nginx: >-
Le reverse-proxy NGINX est déployé (/etc/nginx).
roles: roles:
- certbot - certbot
- nginx - nginx
- update_motd
- hosts: nginx,!reverseproxy - hosts: nginx,!reverseproxy
vars: vars:
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}' certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}' nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
update_motd:
nginx: >-
NGINX avec certbot est déployé (/etc/nginx).
roles: roles:
- certbot - certbot
- nginx - nginx
- update_motd
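Review bot: The removed `passbolt.adm.auro.re` play has no counterpart in the files shown for this commit, whereas the removed docker play reappears as `playbooks/docker.yml`; if passbolt is still deployed it now has no playbook, and if it was retired the inventory entry and any reverse-proxy mapping should be removed with it. A line in the commit message, or a `# passbolt moved to <playbook>` / `# passbolt retired` comment near the top of this file, would settle which it is.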


@ -1,4 +1,13 @@
#!/usr/bin/env ansible-playbook
--- ---
# Deploy Postfix on non mailhost servers
- hosts: all,!unifi
vars:
local_network: 10.128.0.0/16
relay_host: proxy.adm.auro.re
roles:
- postfix_non_mailhost
# Deploy Re2o mail service # Deploy Re2o mail service
- hosts: mail.auro.re - hosts: mail.auro.re
vars: vars:
@ -10,4 +19,4 @@
username: service-user username: service-user
password: "{{ vault_serviceuser_passwd }}" password: "{{ vault_serviceuser_passwd }}"
roles: roles:
- re2o-service - re2o_service
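Review bot: `local_network: 10.128.0.0/16` hands the whole admin range to `postfix_non_mailhost` on every host matched by `all,!unifi`; if the role writes it into Postfix `mynetworks`, each of those hosts will relay mail for the entire /16 instead of behaving as a null client that only accepts mail from itself and forwards through `relay_host`. Please confirm what the role does with the variable and, if it does feed `mynetworks`, restrict it to loopback or add a comment explaining why the full range is trusted on every host.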

140
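--- /dev/null
+++ b/playbooks/postgresql.yml
+#!/usr/bin/env ansible-playbook
+---
+# Install and configure database servers at Saclay
+- hosts: bdd.adm.auro.re
+  vars:
+    postgresql:
+      version: 13
+      hosts:
+        - database: nextcloud
+          user: nextcloud
+          net: 10.128.0.58/32
+          method: md5
+        - database: gitea
+          user: gitea
+          net: 10.128.0.60/32
+          method: md5
+        - database: wikijs
+          user: wikijs
+          net: 10.128.0.66/32
+          method: md5
+        - database: drone
+          user: drone
+          net: 10.128.0.64/32
+          method: md5
+        - database: netbox
+          user: netbox
+          net: 10.128.0.97/32
+          method: md5
+        - database: grafana
+          user: grafana
+          net: 10.128.0.98/32
+          method: md5
+      databases:
+        - nextcloud
+        - gitea
+        - wikijs
+        - drone
+        - netbox
+        - grafana
+      users:
+        - name: nextcloud
+          database: nextcloud
+          password: "{{ vault_postgresql_nextcloud_passwd }}"
+          privs:
+            - ALL
+        - name: gitea
+          database: gitea
+          password: "{{ vault_postgresql_gitea_passwd }}"
+          privs:
+            - ALL
+        - name: wikijs
+          database: wikijs
+          password: "{{ vault_postgresql_wikijs_passwd }}"
+          privs:
+            - ALL
+        - name: drone
+          database: drone
+          password: "{{ vault_postgresql_drone_passwd }}"
+          privs:
+            - ALL
+        - name: netbox
+          database: netbox
+          password: "{{ vault_postgresql_netbox_passwd }}"
+          privs:
+            - ALL
+        - name: grafana
+          database: grafana
+          password: "{{ vault_postgresql_grafana_passwd }}"
+          privs:
+            - ALL
+    update_motd:
+      postgresql: PostgreSQL est déployé.
+  roles:
+    - postgresql
+    - update_motd
+# Install and configure database servers at OVH
+- hosts: bdd-ovh.adm.auro.re
+  vars:
+    postgresql:
+      version: 13
+      hosts:
+        - database: etherpad
+          user: etherpad
+          net: 10.128.0.150/32
+          method: md5
+        - database: codimd
+          user: codimd
+          net: 10.128.0.150/32
+          method: md5
+        - database: synapse
+          user: synapse
+          net: 10.128.0.56/32
+          method: md5
+        - database: kanboard
+          user: kanboard
+          net: 10.128.0.150/32
+          method: md5
+        - database: cas
+          user: cas
+          net: 10.128.0.150/32
+          method: md5
+      databases:
+        - synapse
+        - codimd
+        - etherpad
+        - kanboard
+        - cas
+      users:
+        - name: synapse
+          database: synapse
+          password: "{{ vault_postgresql_synapse_passwd }}"
+          privs:
+            - ALL
+        - name: codimd
+          database: codimd
+          password: "{{ vault_postgresql_codimd_passwd }}"
+          privs:
+            - ALL
+        - name: etherpad
+          database: etherpad
+          password: "{{ vault_postgresql_etherpad_passwd }}"
+          privs:
+            - ALL
+        - name: kanboard
+          database: kanboard
+          password: "{{ vault_postgresql_kanboard_passwd }}"
+          privs:
+            - ALL
+        - name: cas
+          database: cas
+          password: "{{ vault_postgresql_cas_passwd }}"
+          privs:
+            - ALL
+    update_motd:
+      postgresql: PostgreSQL est déployé.
+  roles:
+    - postgresql
+    - update_motd
+...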
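Review bot: Every `hosts:` entry uses `method: md5` although `version: 13` is requested; PostgreSQL 13 supports `scram-sha-256`, and with md5 the stored hash is itself enough to authenticate, so switching the method (and having the role set `password_encryption = scram-sha-256` before the users are created) is a cheap hardening. The password variables are renamed from the `postgresql_<name>_passwd` form used in the deleted group_vars files to `vault_postgresql_<name>_passwd`; the vault is re-encrypted in this commit, so the new names cannot be checked from the diff and a failed run would be the first sign of a missing one. The `grafana` database also moves from the OVH server's list to the Saclay one with a new client address; if data existed on `bdd-ovh`, a migration note here is warranted.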


@ -5,6 +5,8 @@
prometheus_alertmanager: docker-ovh.adm.auro.re:9093 prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}" snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
snmp_switch_community: "{{ vault_snmp_switch_community }}" snmp_switch_community: "{{ vault_snmp_switch_community }}"
snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
# Prometheus targets.json # Prometheus targets.json
prometheus_targets: prometheus_targets:
@ -12,14 +14,20 @@
{{ groups['fleming_pve'] + groups['fleming_vm'] | list | sort }} {{ groups['fleming_pve'] + groups['fleming_vm'] | list | sort }}
prometheus_unifi_snmp_targets: prometheus_unifi_snmp_targets:
- targets: "{{ groups['fleming_unifi'] | list | sort }}" - targets: "{{ groups['fleming_unifi'] | list | sort }}"
update_motd:
prometheus: >-
Prometheus (en configuration fleming) est déployé (/etc/prometheus).
roles: roles:
- prometheus - prometheus
- update_motd
- hosts: prometheus-pacaterie.adm.auro.re - hosts: prometheus-pacaterie.adm.auro.re
vars: vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093 prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}" snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
snmp_switch_community: "{{ vault_snmp_switch_community }}" snmp_switch_community: "{{ vault_snmp_switch_community }}"
snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
# Prometheus targets.json # Prometheus targets.json
prometheus_targets: prometheus_targets:
@ -30,14 +38,20 @@
prometheus_ups_snmp_targets: prometheus_ups_snmp_targets:
- ups-pn-1.ups.auro.re - ups-pn-1.ups.auro.re
- ups-ps-1.ups.auro.re - ups-ps-1.ups.auro.re
update_motd:
prometheus: >-
Prometheus (en configuration pacaterie) est déployé (/etc/prometheus).
roles: roles:
- prometheus - prometheus
- update_motd
- hosts: prometheus-edc.adm.auro.re - hosts: prometheus-edc.adm.auro.re
vars: vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093 prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}" snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
snmp_switch_community: "{{ vault_snmp_switch_community }}" snmp_switch_community: "{{ vault_snmp_switch_community }}"
snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
# Prometheus targets.json # Prometheus targets.json
prometheus_ups_snmp_targets: prometheus_ups_snmp_targets:
@ -50,14 +64,20 @@
{{ groups['edc_pve'] + groups['edc_vm'] + groups['edc_server'] | list | sort }} {{ groups['edc_pve'] + groups['edc_vm'] + groups['edc_server'] | list | sort }}
prometheus_unifi_snmp_targets: prometheus_unifi_snmp_targets:
- targets: "{{ groups['edc_unifi'] | list | sort }}" - targets: "{{ groups['edc_unifi'] | list | sort }}"
update_motd:
prometheus: >-
Prometheus (en configuration edc) est déployé (/etc/prometheus).
roles: roles:
- prometheus - prometheus
- update_motd
- hosts: prometheus-gs.adm.auro.re - hosts: prometheus-gs.adm.auro.re
vars: vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093 prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}" snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
snmp_switch_community: "{{ vault_snmp_switch_community }}" snmp_switch_community: "{{ vault_snmp_switch_community }}"
snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
# Prometheus targets.json # Prometheus targets.json
prometheus_targets: prometheus_targets:
@ -67,14 +87,22 @@
- targets: "{{ groups['gs_unifi'] | list | sort }}" - targets: "{{ groups['gs_unifi'] | list | sort }}"
prometheus_ups_snmp_targets: prometheus_ups_snmp_targets:
- ups-gk-1.ups.auro.re - ups-gk-1.ups.auro.re
prometheus_pdu_snmp_targets:
- pdu-ga-1.ups.auro.re
update_motd:
prometheus: >-
Prometheus (en configuration gs) est déployé (/etc/prometheus).
roles: roles:
- prometheus - prometheus
- update_motd
- hosts: prometheus-rives.adm.auro.re - hosts: prometheus-rives.adm.auro.re
vars: vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093 prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}" snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
snmp_switch_community: "{{ vault_snmp_switch_community }}" snmp_switch_community: "{{ vault_snmp_switch_community }}"
snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
# Prometheus targets.json # Prometheus targets.json
prometheus_ups_snmp_targets: prometheus_ups_snmp_targets:
@ -86,19 +114,28 @@
{{ groups['rives_pve'] + groups['rives_vm'] | list | sort }} {{ groups['rives_pve'] + groups['rives_vm'] | list | sort }}
prometheus_unifi_snmp_targets: prometheus_unifi_snmp_targets:
- targets: "{{ groups['rives_unifi'] | list | sort }}" - targets: "{{ groups['rives_unifi'] | list | sort }}"
update_motd:
prometheus: >-
Prometheus (en configuration rives) est déployé (/etc/prometheus).
roles: roles:
- prometheus - prometheus
- update_motd
- hosts: prometheus-aurore.adm.auro.re - hosts: prometheus-aurore.adm.auro.re
vars: vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093 prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}" snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
snmp_switch_community: "{{ vault_snmp_switch_community }}" snmp_switch_community: "{{ vault_snmp_switch_community }}"
snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
# Prometheus targets.json # Prometheus targets.json
prometheus_targets: prometheus_targets:
- targets: | - targets: |
{{ groups['aurore_pve'] + groups['aurore_vm'] | list | sort }} {{ groups['aurore_pve'] + groups['aurore_vm'] | list | sort }}
prometheus_postgres_targets:
- targets: |
{{ groups['bdd'] + groups['radius'] | list | sort }}
prometheus_switch_snmp_targets: prometheus_switch_snmp_targets:
- targets: - targets:
- yggdrasil.switch.auro.re - yggdrasil.switch.auro.re
@ -115,29 +152,43 @@
- sw-ec-core.switch.auro.re - sw-ec-core.switch.auro.re
- sw-gk-core.switch.auro.re - sw-gk-core.switch.auro.re
- sw-r3-core.switch.auro.re - sw-r3-core.switch.auro.re
update_motd:
prometheus: >-
Prometheus (en configuration aurore) est déployé (/etc/prometheus).
roles: roles:
- prometheus - prometheus
- update_motd
- hosts: prometheus-ovh.adm.auro.re - hosts: prometheus-ovh.adm.auro.re
vars: vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093 prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}" snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
snmp_switch_community: "{{ vault_snmp_switch_community }}" snmp_switch_community: "{{ vault_snmp_switch_community }}"
snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
# Prometheus targets.json # Prometheus targets.json
prometheus_targets: prometheus_targets:
- targets: | - targets: |
{{ groups['ovh_pve'] + groups['ovh_vm'] | list | sort }} {{ groups['ovh_pve'] + groups['ovh_vm'] | list | sort }}
prometheus_postgres_targets:
- targets:
- bdd-ovh.adm.auro.re
prometheus_docker_targets: prometheus_docker_targets:
- docker-ovh.adm.auro.re:8087 - docker-ovh.adm.auro.re
update_motd:
prometheus: >-
Prometheus (en configuration ovh) est déployé (/etc/prometheus).
roles: roles:
- prometheus - prometheus
- update_motd
- hosts: prometheus-federate.adm.auro.re - hosts: prometheus-federate.adm.auro.re
vars: vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093 prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}" snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
snmp_pdu_user: "{{ vault_snmp_pdu_user }}"
snmp_pdu_password: "{{ vault_snmp_pdu_password }}"
# Prometheus targets.json # Prometheus targets.json
prometheus_targets: prometheus_targets:
@ -148,9 +199,17 @@
- prometheus-rives.adm.auro.re - prometheus-rives.adm.auro.re
- prometheus-aurore.adm.auro.re - prometheus-aurore.adm.auro.re
- prometheus-ovh.adm.auro.re - prometheus-ovh.adm.auro.re
update_motd:
prometheus_federate: >-
Prometheus (en configuration fédération) est déployé (/etc/prometheus).
roles: roles:
- prometheus_federate - prometheus_federate
- update_motd
# Postgres Exporters
- hosts: bdd,radius
roles:
- prometheus_postgres
# Monitor all hosts # Monitor all hosts
- hosts: all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,!aurore_testing_vm,!ovh_container - hosts: all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,!aurore_testing_vm,!ovh_container

10
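--- a/playbooks/radius.yml
+++ b/playbooks/radius.yml
@@ -0,0 +1,10 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy Radius
+- hosts: radius-*.adm.auro.re
+  vars:
+    update_motd:
+      unbound: FreeRADIUS est déployé.
+  roles:
+    - radius
+    - update_motd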
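Review bot: The MOTD entry `unbound: FreeRADIUS est déployé.` is keyed `unbound` although this play deploys FreeRADIUS; the other playbooks in this commit key the message after the role they deploy (`prometheus:`, `prometheus_federate:`), so this looks like a copy-paste from unbound.yml. If the update_motd role derives the snippet name from the key, the radius and unbound messages would also overwrite each other on a host that receives both. Suggest `radius: FreeRADIUS est déployé.`; router.yml uses the same `unbound:` key for both of its routing messages.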

23
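--- a/playbooks/router.yml
+++ b/playbooks/router.yml
+#!/usr/bin/env ansible-playbook
+---
+# Deploy firewall and keepalived
+# radvd: IPv6 SLAAC (/64 subnets, private IPs).
+# Must NOT be on routeur-aurore-*, or will with DHCPv6!
+- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
+  vars:
+    update_motd:
+      unbound: Le routage (avec radvd) est déployé.
+  roles:
+    - router
+    - radvd
+    - update_motd
+# No radvd here
+- hosts: ~routeur-aurore.*\.adm\.auro\.re
+  vars:
+    update_motd:
+      unbound: Le routage (avec DHCPv6) est déployé.
+  roles:
+    - router
+    - ipv6_edge_router
+    - update_motd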
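Review bot: The header comment `# Must NOT be on routeur-aurore-*, or will with DHCPv6!` is missing its verb, so the reason for the split into two plays is not actually stated; presumably radvd would conflict with the DHCPv6 setup, in which case `# Must NOT run on routeur-aurore-*: those routers use DHCPv6 (second play), and radvd would conflict with it.` says it. The first play's host pattern is an allow-list of site names, so a router for a new site silently gets neither routing nor radvd until someone edits the regex; a comment above the pattern noting that new sites must be added there would prevent that surprise.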

1
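--- a/log.yml
+++ b/playbooks/rsyslog.yml
@@ -1,3 +1,4 @@
+#!/usr/bin/env ansible-playbook
 ---
 - hosts: log.adm.auro.re
   roles: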

14
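--- a/playbooks/ssh.yml
+++ b/playbooks/ssh.yml
@@ -0,0 +1,14 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: services-*.pve.auro.re
+  vars:
+    openssh_users_ca_public_key:
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
+      hBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXW\
+      F1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg=="
+    openssh_authorized_principals:
+      - any
+      - "{{ inventory_hostname }}"
+  roles:
+    - openssh_server
+...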
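Review bot: `openssh_authorized_principals` lists `any`, and the openssh_server defaults file added in this commit carries the same value, so every user certificate issued with the principal `any` is accepted on every host that installs this file — and, given `PermitRootLogin yes` in the sshd_config template, as root. That "admin everywhere" design may well be intended, but nothing records it; a comment such as `# "any": accepted on every host — issue certificates with this principal only to full administrators` next to the list would fix the intent, and the host-specific `"{{ inventory_hostname }}"` principal is the one to hand out on scoped certificates. The CA public key is embedded here, which is fine; where the signing key is kept and who may sign belongs in the README rather than this file.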

17
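--- a/playbooks/switchs-manager.yml
+++ b/playbooks/switchs-manager.yml
+#!/usr/bin/env ansible-playbook
+---
+- hosts: all
+  roles: []
+# Deploy Re2o switch service
+# - hosts: switchs-manager.adm.auro.re
+# vars:
+# service_repo: https://gitlab.federez.net/re2o/switchs.git
+# service_name: switchs
+# service_version: master
+# service_config:
+# hostname: re2o-server.adm.auro.re
+# username: service-user
+# password: "{{ vault_serviceuser_passwd }}"
+# roles:
+# - re2o_service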
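Review bot: The placeholder play `- hosts: all` / `roles: []` still connects to and gathers facts from every inventory host each time the playbook is run, so a no-op file touches every machine; `gather_facts: false` on that play, or `hosts: localhost` with `gather_facts: false`, keeps it inert. unifi.yml has the same placeholder play. The commented-out play is dead configuration that references `vault_serviceuser_passwd`; a one-line comment saying why it is disabled and what would re-enable it helps the next reader decide whether to delete it.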

10
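--- a/playbooks/unbound.yml
+++ b/playbooks/unbound.yml
@@ -0,0 +1,10 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy unbound DNS server (recursive).
+- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
+  vars:
+    update_motd:
+      unbound: Unbound est déployé.
+  roles:
+    - unbound
+    - update_motd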
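Review bot: The host pattern excludes `dns-aurore*.adm.auro.re` without saying why, so a reader cannot tell whether those hosts are served by another role or deliberately left unmanaged. A short comment above the play, e.g. `# dns-aurore-* are excluded on purpose: they are not recursive resolvers — TODO confirm`, makes the exclusion look deliberate rather than like a leftover.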

9
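--- a/playbooks/unifi.yml
+++ b/playbooks/unifi.yml
+#!/usr/bin/env ansible-playbook
+---
+- hosts: all
+  roles: []
+# Deploy Unifi Controller
+# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
+# roles:
+# - unifi-controller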


@ -1,432 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# This is a special playbook to create a new VM !
- hosts: proxy.adm.auro.re # Host with python-proxmoxer and python-requests
become: false # We do not need root as we use Proxmox API
vars:
vm_definitions:
# Réseau Pacaterie
- name: ldap-replica-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
# Réseau Fleming
- name: ldap-replica-fleming1
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
# Réseau EdC
- name: ldap-replica-edc1
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
# Réseau George Sand
- name: ldap-replica-gs1
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-gs
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-gs
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-gs
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-gs
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-gs
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
vars_prompt:
- name: "password"
prompt: "Enter LDAP password for your user"
private: true
tasks:
- name: Define a virtual machine in Proxmox
proxmox_kvm:
api_user: "{{ ansible_user_id }}@pam"
api_password: "{{ password }}"
api_host: "{{ item.virtu }}.adm.auro.re"
name: "{{ item.name }}"
node: "{{ item.virtu }}"
scsihw: virtio-scsi-pci
scsi: '{"scsi0":"{{ item.virtu }}:{{ item.disksize }},format=raw"}'
sata: '{"sata0":"local:iso/{{ item.installiso }},media=cdrom"}'
net: '{"net0":"virtio,bridge=vmbr2"}' # Adm only by default
cores: "{{ item.cores }}"
memory: "{{ item.memory }}"
balloon: "{{ item.memory // 2 }}"
bios: seabios # Ansible module doesn't support UEFI boot disk
loop:
# Réseau Fleming
- name: ldap-replica-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
- name: routeur-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: ldap-replica-fleming-fo
virtu: marki
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-fleming-fo
virtu: marki
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-fleming-fo
virtu: marki
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-fleming-fo
virtu: marki
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-fleming-fo
virtu: marki
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: routeur-fleming-fo
virtu: marki
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
# Réseau Pacaterie
- name: ldap-replica-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
- name: routeur-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: ldap-replica-pacaterie-fo
virtu: titan
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-pacaterie-fo
virtu: titan
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-pacaterie-fo
virtu: titan
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-pacaterie-fo
virtu: titan
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-pacaterie-fo
virtu: titan
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: routeur-pacaterie-fo
virtu: titan
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
# Réseau EDC
- name: ldap-replica-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
- name: routeur-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
# Réseau George Sand
- name: ldap-replica-georgesand
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-georgesand
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-georgesand
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-georgesand
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-georgesand
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-georgesand
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
- name: routeur-georgesand
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso


@ -29,9 +29,6 @@
retries: 3 retries: 3
until: apt_result is succeeded until: apt_result is succeeded
- include_role:
name: update_motd
# Configure APT mirrors on Debian Stretch # Configure APT mirrors on Debian Stretch
- name: Configure APT mirrors - name: Configure APT mirrors
when: when:


@ -107,10 +107,4 @@
name: borgmatic.timer name: borgmatic.timer
state: started state: started
enabled: true enabled: true
- include_role:
name: update_motd
vars:
key: 10-borgmatic
message: Borgmatic (client) est installé dans /etc/borgmatic/config.yaml.
... ...


@ -42,7 +42,7 @@ consistency:
- repository - repository
- archives - archives
{% if postgresql_databases is defined %} {% if borg_postgresql_databases is defined %}
hooks: hooks:
postgresql_databases: postgresql_databases:
- name: all - name: all
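Review bot: Renaming the guard to `{% if borg_postgresql_databases is defined %}` means a host that still sets the old `postgresql_databases` name — or the new `postgresql.databases` dictionary this same commit introduces for the postgresql role — silently stops having its databases dumped into the backup: the hooks block is simply not rendered and nothing fails. A defaults/README line such as `# borg_postgresql_databases: define it (any value) to enable the borgmatic postgresql_databases hook, which dumps all databases` documents the new switch, and an `assert` in the role tasks that `postgresql_databases` is not defined would catch hosts still on the old name. The enclosing template continues outside the hunk.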


@ -35,13 +35,4 @@
owner: "{{ borg_server_user }}" owner: "{{ borg_server_user }}"
group: "{{ borg_server_group }}" group: "{{ borg_server_group }}"
mode: u=rwx,g=,o= mode: u=rwx,g=,o=
- include_role:
name: update_motd
vars:
motd_messages:
- key: 10-borg-server
message: >-
Les sauvegardes (borg) sont stockées dans
{{ borg_server_backups_dir }}.
... ...


@ -50,12 +50,4 @@
url: https://github.com/docker/compose/releases/download/1.24.1/docker-compose-Linux-x86_64 url: https://github.com/docker/compose/releases/download/1.24.1/docker-compose-Linux-x86_64
dest: /usr/local/bin/docker-compose dest: /usr/local/bin/docker-compose
mode: "0755" mode: "0755"
- include_role:
name: update_motd
vars:
motd_messages:
- key: 10-docker
message: >-
Docker est installé sur ce serveur.
... ...


@ -1,30 +0,0 @@
---
# For DokuWiki package
- name: Configure Debian Buster mirrors
when:
- ansible_distribution == 'Debian'
- ansible_distribution_release == 'stretch'
template:
src: apt/buster.list.j2
dest: /etc/apt/sources.list.d/buster.list
mode: 0644
# For DokuWiki package
- name: Configure DokuWiki pin
when:
- ansible_distribution == 'Debian'
- ansible_distribution_release == 'stretch'
template:
src: apt/dokuwiki.j2
dest: /etc/apt/preferences.d/dokuwiki
mode: 0644
# Install
- name: Install DokuWiki
apt:
update_cache: true
name: dokuwiki
state: present
register: apt_result
retries: 3
until: apt_result is succeeded


@ -1,9 +0,0 @@
# {{ ansible_managed }}
{# #}
{# Default mirror #}
{% if debian_mirror is not defined %}
{% set debian_mirror = 'http://ftp.fr.debian.org/debian' %}
{% endif %}
deb {{ debian_mirror }} buster main
deb-src {{ debian_mirror }} buster main


@ -1,9 +0,0 @@
# {{ ansible_managed }}
Package: *
Pin: release n=stretch*
Pin-Priority: 990
Package: dokuwiki
Pin: release n=buster
Pin-Priority: 990


@ -0,0 +1,5 @@
---
- name: Restart grafana
service:
name: grafana-server
state: restarted


@ -0,0 +1,111 @@
---
- name: Install gpg (to import Grafana key)
apt:
name: gpg
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Import Grafana GPG signing key
apt_key:
url: https://packages.grafana.com/gpg.key
state: present
register: apt_key_result
retries: 3
until: apt_key_result is succeeded
- name: Add Grafana repository
apt_repository:
repo: deb https://packages.grafana.com/oss/deb stable main
state: present
update_cache: true
- name: Install Grafana
apt:
name: grafana
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure Grafana
ini_file:
path: /etc/grafana/grafana.ini
section: "{{ item.section }}"
option: "{{ item.option }}"
value: "{{ item.value }}"
mode: 0640
loop:
- section: server
option: root_url
value: "{{ grafana.root_url }}"
- section: analytics
option: reporting_enabled
value: "false"
- section: analytics
option: check_for_updates
value: "false"
- section: security
option: disable_initial_admin_creation
value: "true"
- section: security
option: cookie_secure
value: "true"
- section: security
option: disable_gravatar
value: "true"
- section: snapshots
option: external_enabled
value: "false"
- section: users
option: allow_sign_up
value: "false"
- section: users
option: allow_org_create
value: "false"
- section: auth.anonymous
option: enabled
value: "false" # no public access
- section: auth.anonymous
option: hide_version
value: "true"
- section: auth.basic # only LDAP auth
option: enabled
value: "false"
- section: auth.ldap
option: enabled
value: "true"
- section: alerting
option: enabled
value: "false"
- section: database
option: type
value: "{{ grafana.database.type }}"
- section: database
option: host
value: "{{ grafana.database.host }}"
- section: database
option: name
value: "{{ grafana.database.name }}"
- section: database
option: user
value: "{{ grafana.database.user }}"
- section: database
option: password
value: "{{ grafana.database.password }}"
notify: Restart grafana
- name: Configure Grafana LDAP
template:
src: ldap.toml.j2
dest: /etc/grafana/ldap.toml
mode: 0640
notify: Restart grafana
- name: Enable and start Grafana
systemd:
name: grafana-server
enabled: true
state: started
daemon_reload: true
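Review bot: The `Configure Grafana` task loops over items that include `value: "{{ grafana.database.password }}"` without `no_log: true`, so the database password is printed in the task output on every run; add `no_log: true` to that task, as the postgresql role tasks in this commit already do for their password-bearing loops. `Configure Grafana LDAP` sets `mode: 0640` but no owner/group, so if the package does not already ship `/etc/grafana/ldap.toml` the file is created root:root and unreadable by the grafana service; `owner: root` / `group: grafana` makes the intent explicit. The `mode: 0640` / `mode: 0755` values here, and the `mode: 0644` lines in the prometheus tasks hunks below, are unquoted octals that the YAML loader turns into integers; quoting them (`mode: "0640"`) or using the symbolic form those tasks already use elsewhere is the documented-safe shape. `apt_key` adds the Grafana signing key to the global trusted keyring, where it can vouch for any repository; downloading it into `/etc/apt/keyrings/` and referencing it with `signed-by=` in the `repo:` line limits it to the Grafana repository.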


@ -0,0 +1,61 @@
{{ ansible_managed | comment }}
# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
# [log]
# filters = ldap:debug
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "{{ grafana.ldap.host }}"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if ldap server supports TLS
use_ssl = false
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"
# Search user bind dn
bind_dn = "{{ grafana.ldap.bind_dn }}"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = '{{ grafana.ldap.bind_password }}'
# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(cn=%s)"
# An array of base dns to search through
search_base_dns = ["{{ grafana.ldap.search_base_dns }}"]
## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
## Please check grafana LDAP docs for examples
group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
group_search_base_dns = ["{{ grafana.ldap.group_search_base_dns }}"]
group_search_filter_user_attribute = "cn"
# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "sn"
surname = ""
username = "cn"
member_of = "dn"
email = "mail"
# Editors
{% for group_dn in grafana.ldap.editors_group_dn %}
[[servers.group_mappings]]
group_dn = "{{ group_dn }}"
org_role = "Editor"
{% endfor %}
# Viewers
[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "*"
org_role = "Viewer"
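Review bot: The directory connection is clear-text — `port = 389`, `use_ssl = false`, `start_tls = false` — so the search account password on the `bind_password = '...'` line and every user's password checked at login cross the network unencrypted. Another hunk in this commit shows an LDAP client config trusting `/etc/ssl/certs/ca-certificates.crt`, so `start_tls = true` (plus `root_ca_cert` if the directory uses a private CA) should be possible without a directory-side change; if the server is reachable only over an isolated admin VLAN, say so in a comment next to these lines. The single quotes make `bind_password` a TOML literal string, so a password containing `'` breaks the file, in the same way the comment above already warns about `#` and `;`. `editors_group_dn` is iterated with `{% for %}`, so a plural name would describe it better.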


@ -60,3 +60,4 @@ tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope. # The search scope.
#scope sub #scope sub


@ -1,7 +1,24 @@
# see "man logrotate" for details
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
# global options do not affect preceding include directives
# rotate log files weekly
weekly weekly
# keep 4 weeks worth of backlogs
rotate 4 rotate 4
# create new (empty) log files after rotating old ones
create create
# use date as a suffix of the rotated file
#dateext
# uncomment this if you want your log files compressed
#compress
# packages drop log rotation information into this directory
include /etc/logrotate.d include /etc/logrotate.d
# system-specific logs may also be configured here.


@ -148,14 +148,6 @@
group: www-data group: www-data
mode: 0644 mode: 0644
- include_role:
name: update_motd
vars:
motd_messages:
- key: 10-nginx
message: >-
NGinx est installé sur ce serveur. Voir /etc/nginx.
- name: Clean old files - name: Clean old files
file: file:
path: "{{ item }}" path: "{{ item }}"


@ -0,0 +1,4 @@
---
openssh_authorized_principals:
- any
...


@ -0,0 +1,6 @@
---
- name: Restart sshd
systemd:
name: ssh.service
state: restarted
...


@ -0,0 +1,39 @@
---
- name: Install OpenSSH server
apt:
name: openssh-server
- name: Enable OpenSSH Server
systemd:
name: sshd.service
enabled: true
state: started
- name: Install sshd configuration file
template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: u=r,g=,o=
validate: "/usr/sbin/sshd -tf %s"
notify: Restart sshd
- name: Install Users CA public key
copy:
content: "{{ openssh_users_ca_public_key }}"
dest: /etc/ssh/users_ca.pub
owner: root
group: root
mode: u=r,g=,o=
notify: Restart sshd
- name: Install authorized principals file
copy:
content: "{{ openssh_authorized_principals | join('\n') }}"
dest: /etc/ssh/authorized_principals
owner: root
group: root
mode: u=r,g=,o=
notify: Restart sshd
...
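Review bot: `Install OpenSSH server` calls `apt:` with only `name:` — no `state: present` and none of the `register` / `retries` / `until` retry pattern every other apt task in this commit uses (see the grafana tasks), so a transient mirror failure aborts the run here while it is retried elsewhere. The enable task targets `sshd.service` while the handler restarts `ssh.service`; both resolve on Debian, but one name in both places avoids confusion. The CA key and principals copies also `notify: Restart sshd`, which to my knowledge is unnecessary because `TrustedUserCAKeys` and `AuthorizedPrincipalsFile` are read at each authentication; keeping the handler only on the sshd_config task avoids a restart on every CA or principal change.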


@ -0,0 +1,45 @@
{{ ansible_managed | comment }}
SyslogFacility AUTH
LogLevel VERBOSE
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
Port 22
MaxStartups 10:30:100
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
# https://infosec.mozilla.org/guidelines/openssh.html
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
AuthenticationMethods publickey
TrustedUserCAKeys /etc/ssh/users_ca.pub
AuthorizedPrincipalsFile /etc/ssh/authorized_principals
StrictModes yes
UsePAM no
PermitRootLogin yes
PermitUserRC no
PermitUserEnvironment no
AllowAgentForwarding no
AllowTcpForwarding yes
X11Forwarding no
PermitTTY yes
PermitTunnel no
VersionAddendum none
PrintLastLog yes
PrintMotd yes
TCPKeepAlive yes
UseDNS no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
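Review bot: `AuthenticationMethods publickey` with `TrustedUserCAKeys` still leaves the default `AuthorizedKeysFile` (`.ssh/authorized_keys`) in force, so static keys remain accepted alongside certificates; if certificate-only access is the goal add `AuthorizedKeysFile none`, otherwise a comment recording that static keys are kept on purpose (e.g. as the break-glass path during the rollout) belongs above that block. Combined with `PermitRootLogin yes` and the `any` principal set in the ssh playbook, every certificate carrying `any` can log in as root on every host that gets this template; `prohibit-password` would change nothing under publickey-only auth, so the real control is principal issuance, and that deserves a comment next to `PermitRootLogin`. `UsePAM no` also means, as far as I know, no PAM session handling (pam_limits, the logind session scope), which is acceptable for a hardened config but worth a comment since it is a visible behaviour change for interactive users.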


@ -1,10 +0,0 @@
---
# URL to clone
passbolt_repo: https://github.com/passbolt/passbolt_api.git
passbolt_version: v2.10.0
# Install target
passbolt_path: /var/www/passbolt
# User used to run passbolt
passbolt_user: www-data


@ -1,39 +0,0 @@
---
# See https://help.passbolt.com/hosting/install/ce/from-source.html
- name: Clone passbolt project
git:
repo: "{{ passbolt_repo }}"
dest: "{{ passbolt_path }}"
version: "{{ passbolt_version }}"
become: true
become_user: "{{ passbolt_user }}"
- name: Install passbolt dependencies
apt:
name:
- composer
- php-fpm
- php-intl
- php-gnupg
- php-gd
- php-mysql
- nginx
- mariadb-server
state: present
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
# Setup dependencies
- name: Install passbolt PHP dependencies
composer:
command: install
working_dir: "{{ passbolt_path }}"
no_dev: true
become: true
become_user: "{{ passbolt_user }}"
register: composer_result
retries: 3
until: composer_result is succeeded


@ -55,7 +55,7 @@
lc_collate: en_US.UTF-8 lc_collate: en_US.UTF-8
lc_ctype: en_US.UTF-8 lc_ctype: en_US.UTF-8
template: template0 template: template0
loop: "{{ postgresql_databases }}" loop: "{{ postgresql.databases | default([]) }}"
- name: Create users - name: Create users
become: true become: true
@ -65,7 +65,7 @@
name: "{{ item.name }}" name: "{{ item.name }}"
password: "{{ item.password }}" password: "{{ item.password }}"
no_log: true no_log: true
loop: "{{ postgresql_users }}" loop: "{{ postgresql.users | default([]) }}"
- name: Grant privileges to users - name: Grant privileges to users
become: true become: true
@ -77,5 +77,5 @@
privs: "{{ item.privs | join(',') }}" privs: "{{ item.privs | join(',') }}"
obj: "{{ item.database }}" obj: "{{ item.database }}"
no_log: true no_log: true
loop: "{{ postgresql_users }}" loop: "{{ postgresql.users | default([]) }}"
... ...
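Review bot: The loops now read `postgresql.databases` / `postgresql.users` while the defaults file that declared `postgresql_databases: []`, `postgresql_users: []` and `postgresql_hosts: []` is deleted in this commit, so the role no longer documents the `postgresql` dictionary anywhere. Whether `postgresql.users | default([])` survives `postgresql` itself being undefined depends on Ansible's undefined-attribute chaining, so a `postgresql: {}` entry in defaults is the safe shape; a defaults block describing the keys the tasks and templates read — `databases` (name), `users` (name, password, privs, database) and `hosts` (database, user, net, method for pg_hba.conf) — would replace what was removed. The task file continues outside the hunks.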


@ -0,0 +1,7 @@
{{ ansible_managed | comment }}
# TYPE DATABASE USER ADDRESS METHOD
local all postgres peer map=map_local
{% for host in postgresql.hosts | default([]) %}
host "{{ host.database }}" "{{ host.user }}" {{ host.net }} {{ host.method }}
{% endfor %}
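Review bot: Every templated entry is emitted with the fixed type `host`, so a TLS-only rule (`hostssl`) or a `hostnossl` reject rule cannot be expressed, and `method` is free text with nothing steering callers away from `trust` or `password`. Changing the line to start with `{{ host.type | default('host') }}` keeps existing inventories working and lets an entry require TLS, and a comment above the loop naming the expected `method` values (`scram-sha-256`, or `md5` for older clients) records the intent. Dropping the previous `local all all peer` entry tightens socket access to the `postgres` map only, which is good, but any application user that connected over the Unix socket now needs an explicit entry; that consequence is worth a comment on the `local` line.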


@ -0,0 +1,5 @@
{{ ansible_managed | comment }}
# MAPNAME SYSTEM-USERNAME PG-USERNAME
map_local root postgres
map_local postgres postgres


@ -1,5 +0,0 @@
---
postgresql_hosts: []
postgresql_databases: []
postgresql_users: []
...


@ -1,19 +0,0 @@
{{ ansible_managed | comment }}
# TYPE DATABASE USER ADDRESS METHOD
# DO NOT DISABLE!
# If you change this first entry you will need to make sure that the
# database superuser can access the database using some other method.
# Noninteractive access to all databases is required during automatic
# maintenance (custom daily cronjobs, replication, and similar tasks).
#
# Database administrative login by Unix domain socket
local all postgres peer map=map_root
# "local" is for Unix domain socket connections only
local all all peer
{% for host in postgresql_hosts %}
host "{{ host.database }}" "{{ host.user }}" {{ host.net }} {{ host.method }}
{% endfor %}


@ -1,4 +0,0 @@
{{ ansible_managed | comment }}
# MAPNAME SYSTEM-USERNAME PG-USERNAME
map_root root postgress


@ -18,8 +18,30 @@
mode: u=r,g=r,o= mode: u=r,g=r,o=
loop: loop:
- prometheus.yml - prometheus.yml
- alert.rules.yml notify: Restart Prometheus
- name: Creates directory for alerts
file:
path: /etc/prometheus/alerts
state: directory
owner: prometheus
group: prometheus
mode: 0755
- name: Configure Prometheus alerts
template:
src: "{{ item }}.j2"
dest: "/etc/prometheus/alerts/{{ item }}"
owner: prometheus
group: prometheus
mode: u=r,g=r,o=
loop:
- server.rules.yml
- docker.rules.yml
- django.rules.yml - django.rules.yml
- ups.rules.yml
- postgres.rules.yml
- environmental.rules.yml
notify: Restart Prometheus notify: Restart Prometheus
- name: Make Prometheus snmp-exporter listen on localhost only - name: Make Prometheus snmp-exporter listen on localhost only
@ -29,14 +51,16 @@
line: "ARGS=\"--web.listen-address=127.0.0.1:9116\"" line: "ARGS=\"--web.listen-address=127.0.0.1:9116\""
notify: Restart prometheus-snmp-exporter notify: Restart prometheus-snmp-exporter
# This file store SNMP OIDs # These files store SNMP OIDs
- name: Configure Prometheus snmp-exporter - name: Configure Prometheus snmp-exporter
template: template:
src: snmp.yml.j2 src: "{{ item }}.j2"
dest: /etc/prometheus/snmp.yml dest: "/etc/prometheus/{{ item }}"
owner: prometheus owner: prometheus
group: prometheus group: prometheus
mode: u=r,g=r,o= mode: u=r,g=r,o=
loop:
- snmp.yml
notify: Restart prometheus-snmp-exporter notify: Restart prometheus-snmp-exporter
# We don't need to restart Prometheus when updating nodes # We don't need to restart Prometheus when updating nodes
@ -75,17 +99,23 @@
mode: 0644 mode: 0644
when: prometheus_docker_targets is defined when: prometheus_docker_targets is defined
- name: Configure Prometheus postgres monitoring
copy:
content: "{{ prometheus_postgres_targets | to_nice_json }}\n"
dest: /etc/prometheus/targets_postgres.json
mode: 0644
when: prometheus_postgres_targets is defined
- name: Configure Prometheus apc_pdu monitoring
copy:
content: "{{ [{'targets': prometheus_pdu_snmp_targets }] | to_nice_json }}\n"
dest: /etc/prometheus/targets_apc_pdu_snmp.json
mode: 0644
when: prometheus_pdu_snmp_targets is defined
- name: Activate prometheus service - name: Activate prometheus service
systemd: systemd:
name: prometheus name: prometheus
enabled: true enabled: true
state: started state: started
- include_role:
name: update_motd
vars:
motd_messages:
- key: 05-prometheus
message: >-
Prometheus est déployé sur cette machine (voir /etc/prometheus)
... ...
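Review bot: `mode: 0755` on the new "Creates directory for alerts" task, and `mode: 0644` on the two new copy tasks, are unquoted octal literals; a YAML 1.1 loader reads `0755` as the integer 493 and ansible-lint's risky-octal rule flags it, so either quote them or use the symbolic form the rest of this file already uses, `mode: u=rwx,g=rx,o=rx` for the directory and `mode: u=rw,g=r,o=r` for the JSON target files. The template task no longer renders `alert.rules.yml` and `django.rules.yml` into the old location (presumably /etc/prometheus, the dest line is outside the hunk), but copies already deployed stay on the hosts; since `rule_files` now globs `alerts/*.yml` they are inert, yet a `file: state: absent` cleanup task for both would avoid someone editing a dead file later.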


@ -0,0 +1,50 @@
---
{{ ansible_managed | comment }}
{% macro raw(string) -%}
{{ "{{" }} {{ string }} {{ "}}" }}
{%- endmacro %}
groups:
- name: docker.rules
rules:
- alert: ContainerDown
expr: docker_container_running_state != 1
for: 0m
labels:
severity: critical
annotations:
summary: >-
Le container Docker est éteint / tombé
(container {{ raw('$labels.name') }})
- alert: ContainerFailed
expr: sum(increase(docker_container_restart_count[5m])) > 2
for: 0m
labels:
severity: critical
annotations:
summary: >-
Le container Docker redémarre souvent
(container {{ raw('$labels.name') }})
- alert: ContainerFailed
expr:
(
docker_container_cpu_used_total
/
docker_container_cpu_capacity_total
) * 100
> 30
for: 0m
labels:
severity: critical
annotations:
summary: >-
Le container Docker utilise beaucoup de CPU
(container {{ raw('$labels.name') }},
valeur {{ raw('$value | printf "%.1f"') }})
...
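Review bot: The restart-count alert aggregates with a bare `sum(...)`, so the resulting series carries no labels and the `{{ raw('$labels.name') }}` in its summary will always render empty; keep the container dimension with `expr: sum by (name) (increase(docker_container_restart_count[5m])) > 2`. The third rule reuses the name `ContainerFailed` for a CPU condition, which makes silences and routing in Alertmanager ambiguous between the two; a distinct name such as `- alert: ContainerHighCpuUsage` reads better and matches the summary text.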


@ -0,0 +1,52 @@
---
{{ ansible_managed | comment }}
{% macro raw(string) -%}
{{ "{{" }} {{ string }} {{ "}}" }}
{%- endmacro %}
groups:
- name: environmental.rules
rules:
- alert: EnvironmentalTemperature
expr: rPDU2SensorTempHumidityStatusTempC / 10 > 30
for: 10m
labels:
severity: warning
annotations:
summary: >-
Température environnementale à {{ raw('$value') }}°
- alert: EnvironmentalTemperature
expr: rPDU2SensorTempHumidityStatusTempC / 10 > 40
for: 10m
labels:
severity: critical
annotations:
summary: >-
Température environnementale à {{ raw('$value') }}°
- alert: EnvironmentalTemperature
expr: xupsEnvRemoteTemp > 30
for: 10m
labels:
severity: warning
annotations:
summary: >-
Température environnementale à {{ raw('$value') }}°
- alert: EnvironmentalTemperature
expr: xupsEnvRemoteTemp > 40
for: 10m
labels:
severity: critical
annotations:
summary: >-
Température environnementale à {{ raw('$value') }}°
...
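Review bot: The warning rules (`> 30`) stay true whenever the critical rules (`> 40`) fire, so above 40 °C two `EnvironmentalTemperature` alerts with identical summaries are active at once and the receiver cannot tell them apart except by the severity label. Either bound the warning expressions, e.g. `expr: rPDU2SensorTempHumidityStatusTempC / 10 > 30 < 40` and `expr: xupsEnvRemoteTemp > 30 < 40`, or rely on an Alertmanager inhibit rule from critical to warning on the same alertname; the first keeps the rule file self-contained. Adding the unit to the summary, `{{ raw('$value') }}°C`, would also make the two PDU/UPS sources read the same.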


@ -0,0 +1,219 @@
---
{{ ansible_managed | comment }}
{% macro raw(string) -%}
{{ "{{" }} {{ string }} {{ "}}" }}
{%- endmacro %}
groups:
- name: postgres.rules
rules:
- alert: PostgresqlDown
expr: pg_up == 0
for: 0m
labels:
severity: critical
annotations:
summary: Serveur PostgreSQL down
- alert: PostgresqlRestarted
expr: time() - pg_postmaster_start_time_seconds < 60
for: 0m
labels:
severity: critical
annotations:
summary: Serveur PostgreSQL redémarré
- alert: PostgresqlExporterError
expr: pg_exporter_last_scrape_error > 0
for: 0m
labels:
severity: critical
annotations:
summary: Erreur dans l'exporter PostgreSQL
- alert: PostgresqlReplicationLag
expr:
pg_replication_lag > 30
and
ON(instance) pg_replication_is_replica == 1
for: 0m
labels:
severity: critical
annotations:
summary: >-
La réplication PostgreSQL lag ({{ raw('$value') }} > 30s)
(base de données {{ raw('$labels.datname') }} )
- alert: PostgresqlTableNotVaccumed
expr:
time() - pg_stat_user_tables_last_autovacuum
> 60 * 60 * 24
for: 0m
labels:
severity: warning
annotations:
summary: >-
Le démon autovacuum n'a pas été lancé depuis 24h
(base de données {{ raw('$labels.datname') }} )
- alert: PostgresqlTableNotAnalyzed
expr:
time() - pg_stat_user_tables_last_autoanalyze
> 60 * 60 * 24
for: 0m
labels:
severity: warning
annotations:
summary: >-
Table non-analysée depuis 24h
(base de données {{ raw('$labels.datname') }})
- alert: PostgresqlTooManyConnections
expr:
(
sum by (datname)
(pg_stat_activity_count{datname!~"template.*|postgres"})
) * 100
> pg_settings_max_connections * 80
for: 2m
labels:
severity: warning
annotations:
summary: >-
PostgreSQL a trop de connexions
({{ raw('$value | printf "%.1f"') }} > 80%)
(base de données {{ raw('$labels.datname') }})
- alert: PostgresqlDeadLocks
expr: increase(pg_stat_database_deadlocks{datname!~"template.*|postgres"}[1m]) > 5
for: 0m
labels:
severity: warning
annotations:
summary: >-
PostgreSQL a plus de 5 deadlocks.
(base de données {{ raw('$labels.datname') }} )
- alert: PostgresqlSlowQueries
expr: pg_slow_queries > 0
for: 2m
labels:
severity: warning
annotations:
summary: >-
Présence de requêtes lentes (slow-queries)
(base de données {{ raw('$labels.datname') }} )
- alert: PostgresqlHighRollbackRate
expr:
(
rate(pg_stat_database_xact_rollback{datname!~"template.*"}[3m]) /
rate(pg_stat_database_xact_commit{datname!~"template.*"}[3m])
) * 100
> 7
for: 0m
labels:
severity: warning
annotations:
summary: >-
PostgreSQL a un taux de retour en arrière (rollback) élevé
(base de données {{ raw('$labels.datname') }}, valeur {{ raw('$value | printf "%.1f"') }} %)
- alert: PostgresqlWaleReplicationStopped
expr: rate(pg_xlog_position_bytes[1m]) == 0
for: 0m
labels:
severity: critical
annotations:
summary: >-
Réplication de PostgreSQL WALE stoppée
(base de données {{ raw('$labels.datname') }} )
- alert: PostgresqlHighRateStatementTimeout
expr: rate(postgresql_errors_total{type="statement_timeout"}[1m]) > 3
for: 0m
labels:
severity: critical
annotations:
summary: >-
Beaucoup de requêtes PostgreSQL sont timeout
(base de données {{ raw('$labels.datname') }}, valeur {{ raw('$value | printf "%.1f"') }} )
- alert: PostgresqlHighRateDeadlock
expr: increase(postgresql_errors_total{type="deadlock_detected"}[1m]) > 1
for: 0m
labels:
severity: critical
annotations:
summary: >-
PostgreSQL a un fort taux de deadlock
(base de données {{ raw('$labels.datname') }}, valeur {{ raw('$value | printf "%.1f"') }} )
# - alert: PostgresqlReplicationLagBytes
# expr:
# (pg_xlog_position_bytes and pg_replication_is_replica == 0)
# - GROUP_RIGHT(instance) (pg_xlog_position_bytes and pg_replication_is_replica == 1)
# > 1e+09
# for: 0m
# labels:
# severity: critical
# annotations:
# summary: La réplication Postgresql a des octets de retard (instance {{ raw('$labels.name') }}, value {{ raw('$value') }} )
- alert: PostgresqlTooManyDeadTuples
expr:
(
(pg_stat_user_tables_n_dead_tup > 10000)
/ (pg_stat_user_tables_n_live_tup + pg_stat_user_tables_n_dead_tup)
) >= 0.1 unless ON(instance) (pg_replication_is_replica == 1)
for: 2m
labels:
severity: warning
annotations:
summary: >-
Les tuples morts PostgreSQL sont trop volumineux
(base de données {{ raw('$labels.datname') }}, valeur {{ raw('$value | printf "%.1f"') }} )
- alert: PostgresqlSplitBrain
expr: count(pg_replication_is_replica == 0) != 1
for: 0m
labels:
severity: critical
annotations:
summary: >-
Split Brain : trop de bases de données PostgreSQL primaires en mode lecture-écriture
(base de données {{ raw('$labels.datname') }}, valeur {{ raw('$value') }} )
- alert: PostgresqlPromotedNode
expr:
pg_replication_is_replica
and
changes(pg_replication_is_replica[1m]) > 0
for: 0m
labels:
severity: warning
annotations:
summary: >-
Le serveur de secours PostgreSQL a été promu comme nœud principal
(base de données {{ raw('$labels.datname') }}, valeur {{ raw('$value') }})
- alert: PostgresqlTooManyLocksAcquired
expr:
(
(sum (pg_locks_count))
/ (pg_settings_max_locks_per_transaction * pg_settings_max_connections)
) * 100 > 20
for: 2m
labels:
severity: critical
annotations:
summary: >-
Trop de deadlocks acquis sur la base de données.
Si cette alerte se produit fréquemment, nous devrons peut-être augmenter
le paramètre postgres max_locks_per_transaction
(Valeur = {{ raw('$value | printf "%.1f"') }} )
...
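Review bot: In `PostgresqlTooManyConnections` the left side is reduced with `sum by (datname)` while `pg_settings_max_connections` keeps its instance/job labels, so the one-to-one vector match on `>` finds no pairs and the alert can never fire; something like `sum by (instance, datname) (pg_stat_activity_count{datname!~"template.*|postgres"}) * 100` followed by `> on(instance) group_left pg_settings_max_connections * 80` keeps the per-database breakdown while matching on the server. `PostgresqlSplitBrain` counts primaries across every target the postgresql job scrapes, so if targets_postgres.json lists more than one independent server it will fire permanently; if that is the deployment, the count needs a `by (...)` on whatever label identifies a replication cluster. The summary of `PostgresqlTooManyLocksAcquired` speaks of "deadlocks" although the expression counts held locks (`pg_locks_count`); `Trop de verrous acquis sur la base de données.` describes what it measures.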


@ -20,8 +20,7 @@ alerting:
# Load rules once and periodically evaluate them according to the global 'evaluation_interval'. # Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files: rule_files:
- "alert.rules.yml" # Monitoring alerts, this is the file you may be searching! - "alerts/*.yml" # Monitoring alerts, this is the file you may be searching!
- "django.rules.yml" # Custom rules specific for Django project monitoring
# A scrape configuration containing exactly one endpoint to scrape: # A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself. # Here it's Prometheus itself.
@ -101,4 +100,44 @@ scrape_configs:
file_sd_configs: file_sd_configs:
- files: - files:
- '/etc/prometheus/targets_docker.json' - '/etc/prometheus/targets_docker.json'
relabel_configs:
# Do not put :8087 in instance name, rather here
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- source_labels: [__param_target]
target_label: __address__
replacement: '$1:8087'
- job_name: postgresql
file_sd_configs:
- files:
- '/etc/prometheus/targets_postgres.json'
relabel_configs:
# Do not put :9187 in instance name, rather here
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- source_labels: [__param_target]
target_label: __address__
replacement: '$1:9187'
- job_name: apc_pdu_snmp
file_sd_configs:
- files:
- '/etc/prometheus/targets_apc_pdu_snmp.json'
metrics_path: /snmp
params:
module:
- apc_pdu
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: 127.0.0.1:9116
... ...
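Review bot: The comment on `rule_files` still says "this is the file you may be searching" although the entry is now a directory glob; `# Monitoring alerts, one file per area under alerts/` matches the new layout. The `apc_pdu_snmp` job is the only new job without an explanatory comment on its relabeling, while the docker and postgresql jobs each carry one; a line such as `# Query the local snmp-exporter, the PDU address becomes the target parameter` above its `relabel_configs` would keep the file uniform.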


@ -7,7 +7,7 @@
groups: groups:
- name: alert.rules - name: server.rules
rules: rules:
- alert: InstanceDown - alert: InstanceDown
@ -50,7 +50,7 @@ groups:
node_memory_SwapFree_bytes node_memory_SwapFree_bytes
/ node_memory_SwapTotal_bytes / node_memory_SwapTotal_bytes
) )
) * 100 > 10 ) * 100 >= 20
for: 3m for: 3m
labels: labels:
severity: warning severity: warning
@ -149,78 +149,11 @@ groups:
summary: > summary: >
Charge à {{ raw('$value') }} Charge à {{ raw('$value') }}
- alert: UpsOutputSourceChanged - alert: UnhealthyDisk
expr: upsOutputSource != 3 expr: smartmon_device_smart_healthy < 1
for: 0m for: 10m
labels: labels:
severity: critical severity: "critical"
annotations: annotations:
summary: >- summary: "Le Disque {{ raw('$labels.disk') }} n'est pas en bonne santé !"
Source d'alimentation changée
- alert: UpsBatteryStatus
expr: upsBatteryStatus == 3
for: 0m
labels:
severity: warning
annotations:
summary: >-
État de la batterie faible
- alert: UpsBatteryStatus
expr: upsBatteryStatus == 4
for: 0m
labels:
severity: critical
annotations:
summary: >-
État de la batterie critique
- alert: UpsHighLoad
expr: upsOutputPercentLoad > 70
for: 3m
labels:
severity: critical
annotations:
summary: >-
Charge de {{ raw('$value | printf "%.1f"') }}%
- alert: UpsWrongInputVoltage
expr: (upsInputVoltage < 210) or (upsInputVoltage > 250)
for: 5m
labels:
severity: warning
annotations:
summary: >-
Tension d'entrée de {{ raw('$value') }}V
- alert: UpsWrongOutputVoltage
expr: >-
abs(upsInputVoltage - avg_over_time(upsOutputVoltage[1d]))
< 3 * stddev_over_time(upsOutputVoltage[1d])
for: 5m
labels:
severity: warning
annotations:
summary: >-
Tension de sortie de {{ raw('$value') }}V
- alert: UpsTimeRemaining
expr: upsEstimatedMinutesRemaining < 8
for: 0m
labels:
severity: warning
annotations:
summary: >-
Autonomie restante de {{ raw('$value') }} min
- alert: UpsTimeRemaining
expr: upsEstimatedMinutesRemaining < 5
for: 0m
labels:
severity: critical
annotations:
summary: >-
Autonomie restante de {{ raw('$value') }} min
... ...
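Review bot: The new `UnhealthyDisk` rule quotes `severity: "critical"` and writes its summary as a quoted one-liner, while every other rule in this file uses a plain `severity: warning` scalar and a `>-` block for the summary (see the context lines above); writing it as `severity: critical` and `summary: >-` followed by the indented text keeps the file consistent. The `disk` label in the summary presumably comes from the smartmon textfile collector that provides `smartmon_device_smart_healthy`; worth confirming against the collector actually deployed, since an absent label renders as an empty string rather than an error.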


@ -416,4 +416,70 @@ ubiquiti_unifi:
auth_protocol: SHA auth_protocol: SHA
priv_protocol: AES priv_protocol: AES
priv_password: {{ snmp_unifi_password }} priv_password: {{ snmp_unifi_password }}
apc_pdu:
walk:
- 1.3.6.1.4.1.318.1.1.26.10.2.2.1.8
- 1.3.6.1.4.1.318.1.1.26.4.3.1.4
- 1.3.6.1.4.1.318.1.1.26.4.3.1.5
- 1.3.6.1.4.1.318.1.1.26.4.3.1.6
- 1.3.6.1.4.1.318.1.1.26.6.3.1.9
- 1.3.6.1.4.1.318.1.1.26.9.4.3.1.7
metrics:
- name: rPDU2SensorTempHumidityStatusTempC
oid: 1.3.6.1.4.1.318.1.1.26.10.2.2.1.8
type: gauge
help: Sensor temperature reading in tenths of degrees Celsius - 1.3.6.1.4.1.318.1.1.26.10.2.2.1.8
indexes:
- labelname: rPDU2SensorTempHumidityStatusIndex
type: gauge
- name: rPDU2DeviceStatusLoadState
oid: 1.3.6.1.4.1.318.1.1.26.4.3.1.4
type: gauge
help: Indicates the present load status of the Rack PDU - 1.3.6.1.4.1.318.1.1.26.4.3.1.4
indexes:
- labelname: rPDU2DeviceStatusIndex
type: gauge
- name: rPDU2DeviceStatusPower
oid: 1.3.6.1.4.1.318.1.1.26.4.3.1.5
type: gauge
help: The power consumption of the Rack PDU load in hundredths of kilowatts -
1.3.6.1.4.1.318.1.1.26.4.3.1.5
indexes:
- labelname: rPDU2DeviceStatusIndex
type: gauge
- name: rPDU2DeviceStatusPeakPower
oid: 1.3.6.1.4.1.318.1.1.26.4.3.1.6
type: gauge
help: The peak power consumption of the Rack PDU load in hundredths of kilowatts
- 1.3.6.1.4.1.318.1.1.26.4.3.1.6
indexes:
- labelname: rPDU2DeviceStatusIndex
type: gauge
- name: rPDU2PhaseStatusPowerFactor
oid: 1.3.6.1.4.1.318.1.1.26.6.3.1.9
type: gauge
help: Indicates the load power factor, in hundredths, of the Rack PDU phase being
queried - 1.3.6.1.4.1.318.1.1.26.6.3.1.9
indexes:
- labelname: rPDU2PhaseStatusIndex
type: gauge
- name: rPDU2OutletMeteredStatusPower
oid: 1.3.6.1.4.1.318.1.1.26.9.4.3.1.7
type: gauge
help: Indicates the power draw of the load on the Rack PDU outlet being queried
- 1.3.6.1.4.1.318.1.1.26.9.4.3.1.7
indexes:
- labelname: rPDU2OutletMeteredStatusIndex
type: gauge
version: 3
auth:
security_level: authPriv
username: {{ snmp_pdu_user }}
password: {{ snmp_pdu_password }}
auth_protocol: SHA
priv_protocol: AES
priv_password: {{ snmp_pdu_password }}
... ...
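Review bot: `username`, `password` and `priv_password` in the new `apc_pdu` module are unquoted Jinja expansions, so a vault value starting with a YAML indicator or looking like a number would break or retype the rendered snmp.yml; write them as `username: "{{ snmp_pdu_user }}"`, `password: "{{ snmp_pdu_password }}"` and `priv_password: "{{ snmp_pdu_password }}"`. Both the SNMPv3 authentication and privacy keys are derived from the same `snmp_pdu_password`, so one leaked secret defeats both protections; a separate vault variable for the privacy key keeps them independent, although the unifi block above does the same and this may be a deliberate convention.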


@ -0,0 +1,87 @@
---
{{ ansible_managed | comment }}
{% macro raw(string) -%}
{{ "{{" }} {{ string }} {{ "}}" }}
{%- endmacro %}
groups:
- name: ups.rules
rules:
- alert: UpsOutputSourceChanged
expr: upsOutputSource != 3
for: 0m
labels:
severity: critical
annotations:
summary: >-
Source d'alimentation changée
- alert: UpsBatteryStatus
expr: upsBatteryStatus == 3
for: 0m
labels:
severity: warning
annotations:
summary: >-
État de la batterie faible
- alert: UpsBatteryStatus
expr: upsBatteryStatus == 4
for: 0m
labels:
severity: critical
annotations:
summary: >-
État de la batterie critique
- alert: UpsHighLoad
expr: upsOutputPercentLoad > 70
for: 3m
labels:
severity: critical
annotations:
summary: >-
Charge de {{ raw('$value | printf "%.1f"') }}%
- alert: UpsWrongInputVoltage
expr: (upsInputVoltage < 210) or (upsInputVoltage > 250)
for: 5m
labels:
severity: warning
annotations:
summary: >-
Tension d'entrée de {{ raw('$value') }}V
- alert: UpsWrongOutputVoltage
expr: >-
abs(upsInputVoltage - avg_over_time(upsOutputVoltage[1d]))
< 3 * stddev_over_time(upsOutputVoltage[1d])
for: 5m
labels:
severity: warning
annotations:
summary: >-
Tension de sortie de {{ raw('$value') }}V
- alert: UpsTimeRemaining
expr: upsEstimatedMinutesRemaining < 8
for: 0m
labels:
severity: warning
annotations:
summary: >-
Autonomie restante de {{ raw('$value') }} min
- alert: UpsTimeRemaining
expr: upsEstimatedMinutesRemaining < 5
for: 0m
labels:
severity: critical
annotations:
summary: >-
Autonomie restante de {{ raw('$value') }} min
...
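Review bot: `UpsWrongOutputVoltage` looks inverted and mis-sourced: it compares `upsInputVoltage` against the daily mean of `upsOutputVoltage`, and the `<` makes the rule fire while the deviation is within three standard deviations, i.e. in the normal case. The intended check is presumably `abs(upsOutputVoltage - avg_over_time(upsOutputVoltage[1d]))` followed by `> 3 * stddev_over_time(upsOutputVoltage[1d])`. Note also that `$value` for this expression is the absolute deviation, not a voltage, so the summary "Tension de sortie de ... V" prints the wrong quantity; this rule was carried over unchanged from the old alert file, so the problem predates this commit.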


@ -0,0 +1,112 @@
# Set the command-line arguments to pass to the server.
ARGS="--log.level=debug --storage.tsdb.retention.time=120d"
# Prometheus supports the following options:
# --config.file="/etc/prometheus/prometheus.yml"
# Prometheus configuration file path.
# --web.listen-address="0.0.0.0:9090"
# Address to listen on for UI, API, and telemetry.
# --web.read-timeout=5m Maximum duration before timing out read of the
# request, and closing idle connections.
# --web.max-connections=512 Maximum number of simultaneous connections.
# --web.external-url=<URL> The URL under which Prometheus is externally
# reachable (for example, if Prometheus is served
# via a reverse proxy). Used for generating
# relative and absolute links back to Prometheus
# itself. If the URL has a path portion, it will
# be used to prefix all HTTP endpoints served by
# Prometheus. If omitted, relevant URL components
# will be derived automatically.
# --web.route-prefix=<path> Prefix for the internal routes of web endpoints.
# Defaults to path of --web.external-url.
# --web.local-assets="/usr/share/prometheus/web/"
# Path to static asset/templates directory.
# --web.user-assets=<path> Path to user asset directory, available at
# /user.
# --web.enable-lifecycle Enable shutdown and reload via HTTP request.
# --web.enable-admin-api Enable API endpoints for admin control actions.
# --web.console.templates="/etc/prometheus/consoles"
# Path to the console template directory,
# available at /consoles.
# --web.console.libraries="/etc/prometheus/console_libraries"
# Path to the console library directory.
# --web.page-title="Prometheus Time Series Collection and Processing Server"
# Document title of Prometheus instance.
# --web.cors.origin=".*" Regex for CORS origin. It is fully anchored.
# Example: 'https?://(domain1|domain2)\.com'
# --storage.tsdb.path="/var/lib/prometheus/metrics2/"
# Base path for metrics storage.
# --storage.tsdb.retention=15d
# [DEPRECATED] How long to retain samples in
# storage. This flag has been deprecated, use
# "storage.tsdb.retention.time" instead
# --storage.tsdb.retention.time=15d
# How long to retain samples in storage. When this
# flag is set it overrides
# "storage.tsdb.retention".
# If neither this flag nor "storage.tsdb.retention"
# nor "storage.tsdb.retention.size" is set, the
# retention time defaults to 15d.
# Units Supported: y, w, d, h, m, s, ms.
# --storage.tsdb.retention.size=
# [EXPERIMENTAL] Maximum number of bytes that can
# be stored for blocks. Units supported: KB, MB,
# GB, TB, PB. This flag is experimental and can be
# changed in future releases.
# --storage.tsdb.use-lockfile
# Create a lockfile in data directory.
# --storage.tsdb.allow-overlapping-blocks
# [EXPERIMENTAL] Allow overlapping blocks, which
# in turn enables vertical compaction and
# vertical query merge.
# --storage.tsdb.wal-compression
# Compress the tsdb WAL.
# --storage.remote.flush-deadline=<duration>
# How long to wait flushing sample on shutdown or
# config reload.
# --storage.remote.read-sample-limit=5e7
# Maximum overall number of samples to return via
# the remote read interface, in a single query. 0
# means no limit. This limit is ignored for
# streamed response types.
# --storage.remote.read-concurrent-limit=10
# Maximum number of concurrent remote read calls.
# 0 means no limit.
# --storage.remote.read-max-bytes-in-frame=1048576
# Maximum number of bytes in a single frame for
# streaming remote read response types before
# marshalling. Note that client might have limit on
# frame size as well. 1MB as recommended by
# protobuf by default.
# --rules.alert.for-outage-tolerance=1h
# Max time to tolerate prometheus outage for
# restoring "for" state of alert.
# --rules.alert.for-grace-period=10m
# Minimum duration between alert and restored "for"
# state. This is maintained only for alerts with
# configured "for" time greater than grace period.
# --rules.alert.resend-delay=1m
# Minimum amount of time to wait before resending
# an alert to Alertmanager.
# --alertmanager.notification-queue-capacity=10000
# The capacity of the queue for pending
# Alertmanager notifications.
# --alertmanager.timeout=10s
# Timeout for sending alerts to Alertmanager.
# --query.lookback-delta=5m The maximum lookback duration for retrieving
# metrics during expression evaluations and
# federation.
# --query.timeout=2m Maximum time a query may take before being
# aborted.
# --query.max-concurrency=20
# Maximum number of queries executed concurrently.
# --query.max-samples=50000000
# Maximum number of samples a single query can load
# into memory. Note that queries will fail if they
# try to load more samples than this into memory,
# so this also limits the number of samples a query
# can return.
# --log.level=info Only log messages with the given severity or
# above. One of: [debug, info, warn, error]
# --log.format=logfmt Output format of log messages. One of: [logfmt,
# json]
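Review bot: `ARGS` sets `--log.level=debug` on a file that is installed as the production default file, while the task that deploys it is named "Define Prometheus retention time", so the debug level looks like a leftover from testing rather than an intended change. Debug logging on a Prometheus server is very chatty and these hosts forward syslog to remote collectors, so the volume is paid twice; `ARGS="--log.level=info --storage.tsdb.retention.time=120d"` keeps the retention change only. The same file is also installed by the copy task in the tasks file whose hunk removes the 05-prometheus-federate motd, so both instances are affected.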


@ -20,6 +20,15 @@
- alert.rules.yml - alert.rules.yml
notify: Restart Prometheus notify: Restart Prometheus
- name: Define Prometheus retention time
copy:
src: files/prometheus
dest: /etc/default/prometheus
owner: prometheus
group: prometheus
mode: u=r,g=r,o=
notify: Restart Prometheus
# We don't need to restart Prometheus when updating nodes # We don't need to restart Prometheus when updating nodes
- name: Configure Prometheus Federate devices - name: Configure Prometheus Federate devices
copy: copy:
@ -33,13 +42,4 @@
name: prometheus name: prometheus
enabled: true enabled: true
state: started state: started
- include_role:
name: update_motd
vars:
motd_messages:
- key: 05-prometheus-federate
message: >-
Prometheus (en configuration fédération) est déployé sur cette
machine (voir /etc/prometheus)
... ...
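Review bot: `src: files/prometheus` on the new copy task is resolved through Ansible's fallback path search (the role's `files/` directory is already the first place `copy` looks), so the conventional spelling is `src: prometheus`; the explicit prefix works but reads as if the file lived in a sub-directory of `files/`. If the file is meant to be shared with the other Prometheus role rather than duplicated, that should be stated in a comment above the task, since a reader cannot tell from this role alone.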


@ -31,11 +31,12 @@ scrape_configs:
params: params:
match[]: match[]:
- '{job="servers"}' - '{job="servers"}'
- '{job="postgresql"}'
- '{job="prometheus"}' - '{job="prometheus"}'
- '{job="unifi_snmp"}' - '{job="unifi_snmp"}'
- '{job="django"}' - '{job="django"}'
- '{job="ups_snmp"}' - '{job="ups_snmp"}'
- '{job="django"}' - '{job="apc_pdu_snmp"}'
- '{job="docker"}' - '{job="docker"}'
- '{job="switch_snmp"}' - '{job="switch_snmp"}'
... ...


@ -0,0 +1,32 @@
#!/bin/bash
#
# Description: Expose metrics from apt updates.
#
# Author: Ben Kochie <superq@gmail.com>
upgrades="$(/usr/bin/apt-get --just-print dist-upgrade \
| /usr/bin/awk -F'[()]' \
'/^Inst/ { sub("^[^ ]+ ", "", $2); gsub(" ","",$2);
sub("\\[", " ", $2); sub("\\]", "", $2); print $2 }' \
| /usr/bin/sort \
| /usr/bin/uniq -c \
| awk '{ gsub(/\\\\/, "\\\\", $2); gsub(/\"/, "\\\"", $2);
gsub(/\[/, "", $3); gsub(/\]/, "", $3);
print "apt_upgrades_pending{origin=\"" $2 "\",arch=\"" $NF "\"} " $1}'
)"
echo '# HELP apt_upgrades_pending Apt package pending updates by origin.'
echo '# TYPE apt_upgrades_pending gauge'
if [[ -n "${upgrades}" ]] ; then
echo "${upgrades}"
else
echo 'apt_upgrades_pending{origin="",arch=""} 0'
fi
echo '# HELP node_reboot_required Node reboot is required for software updates.'
echo '# TYPE node_reboot_required gauge'
if [[ -f '/run/reboot-required' ]] ; then
echo 'node_reboot_required 1'
else
echo 'node_reboot_required 0'
fi
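Review bot: The script has no `set -o pipefail`, so when `apt-get --just-print dist-upgrade` fails (lock held, broken lists, network) the pipeline yields an empty `upgrades` and the else branch publishes `apt_upgrades_pending{origin="",arch=""} 0`, silently turning an error into "nothing pending". Adding `set -o pipefail` after the shebang, and exiting non-zero when the command substitution fails, lets the systemd unit record the failure instead of the textfile collector reporting a clean state. Minor style point: the final `awk` is called bare while the other tools use `/usr/bin/...` paths; pick one form.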


@ -0,0 +1,7 @@
[Unit]
Description=Collect apt metrics for prometheus-node-exporter
[Service]
Type=oneshot
Environment=TMPDIR=/var/lib/prometheus/node-exporter
ExecStart=/bin/bash -c "/usr/share/prometheus-node-exporter/apt.sh | sponge /var/lib/prometheus/node-exporter/apt.prom"
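Review bot: `ExecStart` pipes through `sponge`, which comes from the moreutils package; nothing in the visible task files installs it on the stretch branch, where only prometheus-node-exporter is present, so on those hosts the unit would fail at every timer run. Either add moreutils to the apt task that deploys this unit or document the dependency in the unit, e.g. `# Requires moreutils (sponge) so the .prom file is replaced atomically`. Worth confirming where this vendored unit is actually deployed, since the bullseye collectors package ships its own equivalent.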


@ -0,0 +1,9 @@
[Unit]
Description=Run apt metrics collection every 15 minutes
[Timer]
OnBootSec=0
OnUnitActiveSec=15min
[Install]
WantedBy=timers.target


@ -23,6 +23,16 @@
when: when:
- ansible_lsb.codename == 'stretch' - ansible_lsb.codename == 'stretch'
- name: Install Prometheus node-exporter collectors (bullseye)
apt:
update_cache: true
name: prometheus-node-exporter-collectors
install_recommends: false
register: apt_result
retries: 3
until: apt_result is succeeded
when: ansible_facts['lsb']['codename'] == 'bullseye'
- name: Activate prometheus-node-exporter service - name: Activate prometheus-node-exporter service
systemd: systemd:
name: prometheus-node-exporter name: prometheus-node-exporter
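Review bot: The new bullseye task tests `ansible_facts['lsb']['codename']` while the stretch task two lines above uses `ansible_lsb.codename`; both resolve to the same fact, but mixing the two spellings in one file is confusing, so `when: ansible_lsb.codename == 'bullseye'` would match the existing style. If the vendored apt.sh, service and timer files added elsewhere in this commit are only meant for releases without the prometheus-node-exporter-collectors package, a comment saying so on this task would save the next reader from wondering why both exist.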


@ -0,0 +1,5 @@
---
- name: Restart prometheus-postgres-exporter
service:
name: prometheus-postgres-exporter
state: restarted
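Review bot: The handler uses the generic `service:` module while the tasks of the same role manage the unit with `systemd:`; on these systemd hosts both work, but using `systemd:` here too keeps the role consistent and lets the handler add `daemon_reload: true` if a unit drop-in is ever introduced. The change is one line, `systemd:` in place of `service:`.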


@ -0,0 +1,39 @@
---
- name: Install Prometheus postgres-exporter
apt:
update_cache: true
name: prometheus-postgres-exporter
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Make Prometheus postgres-exporter connect to databases using peercred
lineinfile:
path: /etc/default/prometheus-postgres-exporter
regexp: '^DATA_SOURCE_NAME='
line: |
DATA_SOURCE_NAME="user=postgres host=/var/run/postgresql/ sslmode=disable"
notify: Restart prometheus-postgres-exporter
- name: Make Prometheus postgres-exporter launched by postgres user
lineinfile:
path: /lib/systemd/system/prometheus-postgres-exporter.service
regexp: '^User='
line: |
User=postgres
notify: Restart prometheus-postgres-exporter
- name: Make Prometheus postgres-exporter listen on adm only
lineinfile:
path: /etc/default/prometheus-postgres-exporter
regexp: '^ARGS='
line: |
ARGS="--web.listen-address={{ ansible_hostname }}.adm.auro.re:9187"
notify: Restart prometheus-postgres-exporter
- name: Activate prometheus-postgres-exporter service
systemd:
name: prometheus-postgres-exporter
enabled: true
daemon_reload: true
state: started
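Review bot: The "launched by postgres user" task edits `/lib/systemd/system/prometheus-postgres-exporter.service` in place with `lineinfile`; that file belongs to the Debian package and is overwritten on every upgrade, after which the exporter silently falls back to its packaged user and peer authentication as `postgres` stops working. A drop-in under `/etc/systemd/system/prometheus-postgres-exporter.service.d/` survives upgrades and is the supported way to override `User=`; the task pair below replaces the lineinfile task, the existing `daemon_reload: true` already picks it up. Separately, running the exporter as the `postgres` OS account with `user=postgres` over the socket gives it superuser on every database, so a dedicated monitoring role granted `pg_monitor` would limit what an exporter compromise exposes; that is a follow-up rather than a blocker.

```yaml
- name: Create systemd drop-in directory for prometheus-postgres-exporter
  file:
    path: /etc/systemd/system/prometheus-postgres-exporter.service.d
    state: directory
    owner: root
    group: root
    mode: u=rwx,g=rx,o=rx
- name: Make Prometheus postgres-exporter launched by postgres user
  copy:
    dest: /etc/systemd/system/prometheus-postgres-exporter.service.d/override.conf
    content: |
      [Service]
      User=postgres
    owner: root
    group: root
    mode: u=rw,g=r,o=r
  notify: Restart prometheus-postgres-exporter
# … unchanged: DATA_SOURCE_NAME and ARGS lineinfile tasks, systemd activation task …
```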


@ -129,7 +129,7 @@
name: name:
- postgresql - postgresql
- postgresql-client-11=11.7-0+deb10u1 - postgresql-client-11=11.7-0+deb10u1
force: yes force: true
- name: Install postgresql ansible module requirement(s) - name: Install postgresql ansible module requirement(s)
pip: pip:


@ -41,7 +41,7 @@ AES_KEY = "{{ re2o_aes_key }}"
DEBUG = False DEBUG = False
# A list of admins of the services. Receive mails when an error occurs # A list of admins of the services. Receive mails when an error occurs
ADMINS = [('AURORE', 'monitoring.aurore@lists.crans.org'), ('Gabriel Detraz', 'detraz@crans.org')] ADMINS = [('AURORE', 'monitoring.aurore@lists.crans.org'),]
# The list of hostname the server will respond to. # The list of hostname the server will respond to.
ALLOWED_HOSTS = ['{{ inventory_hostname }}'] ALLOWED_HOSTS = ['{{ inventory_hostname }}']


@ -39,13 +39,4 @@
owner: "{{ service_user }}" owner: "{{ service_user }}"
group: nogroup group: nogroup
state: link state: link
- include_role:
name: update_motd
vars:
motd_messages:
- key: "15-re2o-service-{{ service_name }}"
message: >-
Le service re2o {{ service_name }} est dans
{{ service_homedir }}/{{ service_name }}.
... ...


@ -1,3 +1,4 @@
--- ---
rsyslog_outputs: [] rsyslog_outputs: []
rsyslog_high_density: false
... ...


@ -1,12 +1,10 @@
--- ---
- name: Install rsyslog - name: Install rsyslog
become: true
apt: apt:
name: rsyslog name: rsyslog
state: present state: present
- name: Install rsyslog modules if needed - name: Install rsyslog modules if needed
become: true
apt: apt:
name: "{{ item.pkg }}" name: "{{ item.pkg }}"
state: present state: present
@ -18,7 +16,6 @@
pkg: rsyslog-hiredis pkg: rsyslog-hiredis
- name: Deploy main rsyslog configuration - name: Deploy main rsyslog configuration
become: true
template: template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
@ -33,7 +30,6 @@
notify: Restart rsyslog notify: Restart rsyslog
- name: Create journald.conf.d directory - name: Create journald.conf.d directory
become: true
file: file:
path: /etc/systemd/journald.conf.d path: /etc/systemd/journald.conf.d
state: directory state: directory
@ -42,7 +38,6 @@
mode: u=rwx,g=rx,o=rx mode: u=rwx,g=rx,o=rx
- name: Deploy journald configuration - name: Deploy journald configuration
become: true
template: template:
src: forward-syslog.conf.j2 src: forward-syslog.conf.j2
dest: /etc/systemd/journald.conf.d/forward-syslog.conf dest: /etc/systemd/journald.conf.d/forward-syslog.conf
@ -52,7 +47,6 @@
notify: Restart systemd-journald notify: Restart systemd-journald
- name: Deploy logrotate configuration - name: Deploy logrotate configuration
become: true
template: template:
src: logrotate.j2 src: logrotate.j2
dest: /etc/logrotate.d/rsyslog dest: /etc/logrotate.d/rsyslog
@ -62,7 +56,6 @@
notify: Reload logrotate notify: Reload logrotate
- name: Enable rsyslog service - name: Enable rsyslog service
become: true
systemd: systemd:
name: rsyslog.service name: rsyslog.service
state: started state: started
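Review bot: With `become: true` dropped from every task, the role now depends on the calling play (or the inventory) to supply privilege escalation; if any play includes this role without `become: true`, the apt, template and systemd tasks here fail on the first run rather than degrading gracefully. That is a reasonable design, but it is a contract the role should state, e.g. a top comment `# This role expects become to be set by the calling play.`. The same removal happens in the update_motd tasks file further down, so the same note applies there.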


@ -91,6 +91,28 @@ ruleset(name="sendLogsToRemote") {
port="{{ output.port }}" port="{{ output.port }}"
{% endif %} {% endif %}
queue.type="LinkedList"
queue.spoolDirectory="/var/spool/rsyslog"
queue.fileName="queue_{{ loop.index }}"
queue.saveOnShutdown="on"
{% if rsyslog_high_density %}
queue.highWatermark="20000"
queue.lowWatermark="5000"
queue.checkpointInterval="10000"
queue.maxDiskSpace="4g"
{% else %}
queue.highWatermark="500"
queue.lowWatermark="100"
queue.checkpointInterval="200"
queue.syncqueuefiles="on"
queue.maxDiskSpace="500m"
{% endif %}
action.resumeRetryCount="-1"
action.reportSuspension="on"
action.reportSuspensionContinuation="on"
{% if loop.index > 1 and output.fallback %} {% if loop.index > 1 and output.fallback %}
action.execOnlyWhenPreviousIsSuspended="on" action.execOnlyWhenPreviousIsSuspended="on"
{% endif %} {% endif %}
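Review bot: The new disk-assisted queue sets `queue.highWatermark` to 20000 in high-density mode but never sets `queue.size`; if the default action-queue size on the target rsyslog version is below the high watermark, the in-memory queue fills and discards or blocks before it ever spills to disk, so `queue.size` should be set explicitly above the watermark, e.g. `queue.size="50000"` in the high-density branch and a matching value in the other. `queue.maxDiskSpace="4g"` applies per output, so with several outputs /var/spool/rsyslog can grow to a multiple of that; worth noting in a comment next to the setting so capacity planning does not overlook it. The enclosing ruleset action starts before this hunk, so the output type and transport are not visible here.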


@ -39,12 +39,4 @@
register: apt_result register: apt_result
retries: 3 retries: 3
until: apt_result is succeeded until: apt_result is succeeded
- include_role:
name: update_motd
vars:
motd_messages:
- key: 10-unifi-controller
message: >-
Le contrôleur Unifi a été installé sur ce serveur.
... ...


@ -1,6 +1,5 @@
--- ---
- name: Ensure update-motd.d exists - name: Ensure update-motd.d exists
become: true
file: file:
path: /etc/update-motd.d path: /etc/update-motd.d
state: directory state: directory
@ -9,7 +8,6 @@
group: root group: root
- name: Customize motd - name: Customize motd
become: true
template: template:
src: "{{ item }}" src: "{{ item }}"
dest: "/etc/update-motd.d/{{ item }}" dest: "/etc/update-motd.d/{{ item }}"
@ -22,15 +20,19 @@
- 20-uname - 20-uname
notify: Remove cached motd notify: Remove cached motd
- name: Remove Debian uname motd
file:
path: /etc/update-motd.d/10-uname
state: absent
notify: Remove cached motd
- name: Remove Debian warranty motd - name: Remove Debian warranty motd
become: true
file: file:
path: /etc/motd path: /etc/motd
state: absent state: absent
notify: Remove cached motd notify: Remove cached motd
- name: Ensure motd-messages exists - name: Ensure motd-messages exists
become: true
file: file:
path: /etc/motd-messages path: /etc/motd-messages
state: directory state: directory
@ -40,14 +42,13 @@
notify: Remove cached motd notify: Remove cached motd
- name: Install additional motd messages - name: Install additional motd messages
become: true
copy: copy:
content: "✨ {{ item.message }}\n" content: "✨ {{ item.value }}\n"
dest: "/etc/motd-messages/{{ item.key }}" dest: "/etc/motd-messages/{{ item.key }}"
mode: u=rwx,g=rx,o=rx mode: u=rw,g=r,o=r
owner: root owner: root
group: root group: root
loop: "{{ motd_messages }}" loop: "{{ update_motd | dict2items }}"
notify: Remove cached motd notify: Remove cached motd
when: motd_messages is defined when: update_motd is defined
... ...
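Review bot: `loop: "{{ update_motd | dict2items }}"` is evaluated before the `when: update_motd is defined` guard, because Ansible expands the loop first and only then applies `when` per item; on a host without `update_motd` the task therefore errors on the undefined variable instead of being skipped. `loop: "{{ update_motd | default({}) | dict2items }}"` yields an empty iteration in that case, after which the `when` line can be dropped. The original `motd_messages` version had the same ordering problem, so this is pre-existing rather than introduced here.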


@ -1,17 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# This is a special playbook to upgrade sudo everywhere after the
# CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
# Please always use with --limit myserver.adm.auro.re
# And list updates with --check
- hosts: all
tasks:
- name: Upgrade sudo
apt:
name: sudo
state: latest
update_cache: true
cache_valid_time: 3600 # one hour
register: apt_result
retries: 3
until: apt_result is succeeded