WIP: Setup of a mail server #9
50 changed files with 1397 additions and 247 deletions
5
base.yml
5
base.yml
|
@ -10,3 +10,8 @@
|
|||
- hosts: all,!unifi
|
||||
roles:
|
||||
- ldap_client
|
||||
|
||||
# Install logrotate
|
||||
- hosts: all,!unifi,!pve
|
||||
roles:
|
||||
- logrotate
|
||||
|
|
|
@ -1,177 +1,176 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
36346437356466383866303739373662633734346565653834343433386132346365313265633338
|
||||
6364643437383865653735303532333936653135363535300a343062393966636566323963316664
|
||||
30613136613730623338313565663336633361373136306437633865353838316361613237346634
|
||||
3563623366353332650a633564366135323935303636643061303839636535306334376639663463
|
||||
61363739366566303561353030316431333830313736353237633966393235626665666435313537
|
||||
62323737333564313734366133363739656266323138386339383538333638356235656634303163
|
||||
31343464393863666536636564626136383865343938393061353962653936626235373365313831
|
||||
33363030643430623138643639383862613662303864306361303839313361663737323432336130
|
||||
63613362326664373563646332303563363931303635356132616433643537623562366534396532
|
||||
34633161303965643762313932643330366166653238666234613337353234656235623336396334
|
||||
36663133353933636432346435363738653533306536663836396533623735646433363761356366
|
||||
35316133363039656363623332613939333463646365353434313664633730666463386165613431
|
||||
63313337643134366435656564643862313265326561623533323362343238356666333236373236
|
||||
35383362316637626164663330356332653832366235303935363261643637383963386631616637
|
||||
39316437363235623232653963376264646330333664663262626334393436623966356236303137
|
||||
31636133366232643234363538653963646365373266373262373732653832303839326662346236
|
||||
65393262353663626161346263396335333238393831626362393561346431343662376561616633
|
||||
64666264306536396231376133323036303337333635643634656139333865616336643939346562
|
||||
39643164643031613534323230653535393735306161663465353533323362326566643736373363
|
||||
39303465346533333636663434396239333761326538636462373731323131346335656330636636
|
||||
31666434323336373762633130343630633434373336376336646638313734626161393961306664
|
||||
36373939643633636261353737343262653438356138323864313166316630376634386335313139
|
||||
34376330313763666338316230646137373937616230316137626538323238383964363662326534
|
||||
35633564623762623439613533363361396335313330333733306437333131323233303363333830
|
||||
30306436383666346136383531643362326166643032653966616164633338353531396461343535
|
||||
31353366383263626664376135333739643463386135306335653232643964346533393733363061
|
||||
38383332363962663736643265366331653139313839323633656339616637303439623962343864
|
||||
33643339353964633439336532343835313334316261623439383266383465613238343435653065
|
||||
63653763643061653966323831383239326535383439383663666336303036633762356330636535
|
||||
38646237326562343937633164643732326633613737313262336633363465323238666463396439
|
||||
34303966633132663935666138656463313233333339313835386230373437666561633861626136
|
||||
64643230333838333831353734393837363564616163343534313334383237386332373365643231
|
||||
66333163303230626564336331643934383332336464303630636633326633346439313739656234
|
||||
62626564316530623332383038383130386562643338613761646639363732666566643363396631
|
||||
34346539666662656261663534323933366131393336373166363565373234333938343435386634
|
||||
65306131646665393036333834386233326438343163386665396138356239393339346164373132
|
||||
39343230646536323034343539386566623233373565633833373235373135366530336162363561
|
||||
62626665303430346461383663393534333664323037616639313238303232363335303462643939
|
||||
31643564643838306661656562623764356639613035373962633035343061643661636564626537
|
||||
35336538356131303839363065643561663563363938386634613639633962343364663832313061
|
||||
36383565316230643363383537336436323833343838333432313632396230343232653165356339
|
||||
66663563343431333739653231346436313531646233313237333237323864336265386263626633
|
||||
62623862656232336135363334623134623136316537316631316462303239626431376364323339
|
||||
39626662636239343835376131346536636566323836393733656330346464363431666639653932
|
||||
61636363326362633234386265613531323866373238366531633834363562623134656239373134
|
||||
33343131333766653362653239343137353135373334613739346237383531663736663465386435
|
||||
38633138643434393434383334313639343730616333373734393331653665373765396361623963
|
||||
61306165303933636664333334666161616433326436346438663232323735316366353833613763
|
||||
39396666306361386539303762343062333632663763613930663830666265306531643562386433
|
||||
36366237333931343664323265376130363535646533656436353066333865656261396636663235
|
||||
65376264383131353630303265313836363662346566316335356465353461623239376631643639
|
||||
38663835646433626237663634663961356337613362636638306139363035656461656462326637
|
||||
38353061353338393631376536393164353461623638623139316363623661353736336331313465
|
||||
61313732316535323439376438306135333538623163386535653239306261346463663537353437
|
||||
66363366376664336262363263353637613236333337383834633338666362393439373634353865
|
||||
33323631313436653639393061333334643361656531316639393464373133383936333138663163
|
||||
30353665363532376664373132333333643038303863643765343033306335646564313637383363
|
||||
34643165383438343933613061303437626663653034646637643764336434353438346163336161
|
||||
36393838613635363934376663306433373564653436386266643565396465326338303762343365
|
||||
37366238356430376136616634316431396330343862613336663761623335643761393732643566
|
||||
39376335396466373464623063333639653338663033363362376339303431376166316564333764
|
||||
37356433663436656163353965643465343738363062616337333434366261613966336439343736
|
||||
32636233323037393064366437386630633230663534646133613264636237356465613436363738
|
||||
66316439363339316137366164303230366563376233626630633936313665363764396530323637
|
||||
31616365313935343832393436396661326335386531303230643933663839613933363733356663
|
||||
34313837326639636366623132306162343936376335366534363230313334333661333730343565
|
||||
35643836356361633263343639343233656530373636316161373233373134646137633437346432
|
||||
37643539633432623364333962633861316238386437326632306339356135633836303932336365
|
||||
32656634386632323633326133343134326431333632396163623530323033323839616462306134
|
||||
32636165383061386130303236303865383234646332643964353835633465313465393765353663
|
||||
30323437346632356261396666393534616464363732633164653863666437353239343338623831
|
||||
63396163373865323938383436323839353937623036316631363237393333333862623438623130
|
||||
33616265386138303862333034346631376166386235373339306263323862323464653830306436
|
||||
31386666613463326131303934316536393336633834313033336365656565653437353261663837
|
||||
65366536623832396636313361343465613037303261313532313364636165663361396431663532
|
||||
32356233613734656166373739386435303131356166306636313538623737323835373661633865
|
||||
65393536633766636661613737616331366161383364373033393238656363383932336163396463
|
||||
61653766316461303166326238333465333635366334383131653336333935313737666135663065
|
||||
30626231336161396430616533383231393863303463373063663262376162613963356437343236
|
||||
31396165376635326263313666316535343033336366306339303466663035393236653338646232
|
||||
64353936336339613036633536366265373436653630313833376261663361353530626336363834
|
||||
63333635383666343039623235343832373762626366643165343230643435326238316636333132
|
||||
31333662373666663833393139343232383534313936623039303832383632363238396435353830
|
||||
62663936386630616139306461656239643938363763313634343132333931346335616331663633
|
||||
62633362613132396261383431343835396439376331343833393431363631653466363132316131
|
||||
66613933383265303739326331333862633933346162386637613136326639623764353531313066
|
||||
34386230623435666134643064636137303232386465646636343039393536373534663966393734
|
||||
37306337316436333633626137613936646562306634636263313531376233343763323739373265
|
||||
37633939343139393634323635303536313539323336343134343637343664396165323436353666
|
||||
39303637646462376332626136326136333264393433623337346161613938313566303162646334
|
||||
65633863343862633562623534386239653139386635623862346331316139353539626131623333
|
||||
62623264313832303433383034653161313732316636633533633833363665646134653234333037
|
||||
66383433653930326335396633366366633837366238626238646638653863653936383437393063
|
||||
66313338393837363964616466643438353665666331633164353737656535623066633466336539
|
||||
64633632343638396539366231353631383333656266653732616661613935633037363738646561
|
||||
38646530323462376263613038333631623132333637656664623663386635393062323765646333
|
||||
36383435663562373664303032353939623762613762346133393862353661336230366630626430
|
||||
66613233633036626564633636323962326361353961356561653264396635393861386335663662
|
||||
35643038623633636331643738316532666331653133643763336363643531636234393538323637
|
||||
30343164366138396535383335333464363161616665336166313266343633613835346161396432
|
||||
35383832386135613038323232376461636432653237333230343835613561653038353930353265
|
||||
65383839313366633537343031396562653630313964636339336361353838303431633139333734
|
||||
37366361306338393862616133633939326238393230306432316138393230353338393732303932
|
||||
37646464326531663035373562306464653837366266663437636663666639636133306438353063
|
||||
33623366623036363265303865356564346139646535306137653865353134373566616336353562
|
||||
62396661353166356535613962636337666536623562346335356133636336663232656237373537
|
||||
62376361626432373232343237633730613738613233316334643431393131373539386236376434
|
||||
30653766616261653162643236343930616535393166653563373637343963656465306139346138
|
||||
32323935643635666239643130623034663937633834393539376261326463616237656431653138
|
||||
61303630366337376531393135353662656661393038356137333632336264386533393466313561
|
||||
39373962333932373539346231653862643666373034623037376563333536323633396339316630
|
||||
66333864353664376433366132363636653832383130336466313264376539663530356330353636
|
||||
61653261396663616334663261623766303364376466383236666336383331346534633930613832
|
||||
39393136303936356365666535363331386437656532383565333361316161353064303032616531
|
||||
61373264623338376663643539306631356161623333336263646166656239613134366230303332
|
||||
33343866303265366535326130306634613132353361663366323130303162316135306466306636
|
||||
36653536373665643638373165343266303136653035626530386365623630336364653462396237
|
||||
63376162656638633430353538303137653931656166656531663438353139333737653861613037
|
||||
38666434363231333237323935326462656663356330313338356466366664346635313436323635
|
||||
33386538306537306639343830646136613966366636613639646561393866663230653663613666
|
||||
65633265343664336538316466353832366262623939646532646233626633346463346230656235
|
||||
36326166303839363261353965626261376636663939323334316233643835643831366631316333
|
||||
34393133396130653566366166333632643534613034623536313261363039626636643662313863
|
||||
38383266373866396338313334373664623665386338653230633638353530346335316163316636
|
||||
64343962313331623638666166613630313963353462383463393034376264393938313262323933
|
||||
30613633613339313534363534396534343638383962326437363166373039363933613930346633
|
||||
64386262326636316535363431336431306536303131313861336364343132663437633166613537
|
||||
39313662323338663433333565633266303766636436356536663337353732383039323536313437
|
||||
63376365353339653230613838636233346439333635643765666261313438316238376236393137
|
||||
31353265343265303862653866393237336166376630336162393835393362356634653433356261
|
||||
61343763313666353334666130393338383630383431313238353338383635393535386263653336
|
||||
35306565346638636264636436373235366239653738346239663365353065646536383261356436
|
||||
38303832316166326633313738326636633430346462303237313261333264396532363764336630
|
||||
35323639373334653562666264366639353431303635616330313462353761333830393466363630
|
||||
33333337653934623836656565373237303139643138313031383737626133303638393639353735
|
||||
31373037313764373237333838386637353636623931623135353432666236353537363330386431
|
||||
30643332343538303437303830323333383565653836643939383838323936643136333166383463
|
||||
37633863363439393238373166333831616530323164666230626664303233616131316432626262
|
||||
66633362393562623265323330333939666361353562373364376666626166326437356564336662
|
||||
61626165353861636266643838626563653631396638633336376537376536643335633434366536
|
||||
34336139626632333330383761656632653630343633633635623561633563643231663939306538
|
||||
61653737336463353438373563393335636433363835643162373061343664383736336336623439
|
||||
32323262313966376162623463623365323063663030373566633532363062323966663864396331
|
||||
66656636663665663338316466336638356135353461326561656262343431363337386330323330
|
||||
66386338343266333134386536376362626666336531373464376365633064316238396331323030
|
||||
39653363626636303230666264323364663938353633336631383133396138653139353230643865
|
||||
36353261363362343563613864303536353662373361343231396631613561313639653632663935
|
||||
63616262636231363331313832623632306237323362636361656138646137623137353035663032
|
||||
61376134613562356533616432323734396534373732616434393736333661333430333732303365
|
||||
34646135326130313761643862333630663534303739353932663337613865333839303835383138
|
||||
36663238383532656638643631643862383366383830653830303862663538613033333064383838
|
||||
33623338613038343939323032333333323938396561656539333561303463643366326162313832
|
||||
36333063343961353937323162323031376561393563313833346632646566326139366564383234
|
||||
64613330363239333663393535353038656635656536343364663365386437363330306431653366
|
||||
64366162303537313936356338366333343933386431346365663531613438383834623363343037
|
||||
64626633373065326362663666643764353433336365623365316530613238323639666261663134
|
||||
62663239393866663363623963653732336263313466663361623430626136313539316338663730
|
||||
39396536643536643762373431666132626562396166633661396365396634623837373966373465
|
||||
36363163303135616631343736336336383339313533333866363032386530323466653433343633
|
||||
31366466313334656334386162623061303933373031336131383661633963633235646337303764
|
||||
30633162326163353231323838616432626264363363393538353037666164343735616438336335
|
||||
66386137633237303135383535333834646334346364626266336461663466383537666366653431
|
||||
64303564636365393065303564653538643038643436666535343934343437626131653034623265
|
||||
33616562323462633431383632646237383962376433393561613462376264653666653936613462
|
||||
32346436376663303331623661626265613838363731386363343731323434636461323964346439
|
||||
61313163643033666661353266623561366265623361373632636632306338633334333930366638
|
||||
33373330323663346636303333366464383164666131336636366433643365613661353133653765
|
||||
33393631623037346663376637383934326632396636386330363531323231323236346465323264
|
||||
36323636643736373230636364323339653562636536373763306439653134373036393366323961
|
||||
38343232613135653335396362396534656235383462663439646237376165303734643836656131
|
||||
61333336366537616231326364336266373766626337356565656461386531626132623539646335
|
||||
39316333616233356238366630353533326236636466626363393236383666343065623964313965
|
||||
61303530643339653363646364383666323538383130623930336338616665316561623963666264
|
||||
64366465333965363765313231353436363833383931346637666337336162643664353739646430
|
||||
39386435623334333963333938333931326238626162613864363438666161313733303133623334
|
||||
66393061653037316639
|
||||
66303361306465306436306562636265303832353830313933363965316261376162313738653737
|
||||
3334363661316563633238316632336463323737633066610a306236343636656261623835343466
|
||||
39386437363564623661333465386338613632316563373164363839623138336165343834313237
|
||||
6433343439383431360a633139363034623861396633316632336131333137626239646639326131
|
||||
65613236363733346330636565303039613737366263356230313734383033383435343433386536
|
||||
30653263396339656337626239303662326134373231303364613066656339376662643934323466
|
||||
30643261393463373063623865343537653862353766323538613731353534363639616438313663
|
||||
66366133643462333935636231636638326364636334613430333062616264663961326362613466
|
||||
66313730363933653631646638616166343030626465336361313239323731356534313963613530
|
||||
65383735626234663261393834313232626239666135313566353839616162323732323265633031
|
||||
62393862663438313237663335396332613661313864303630653533343362333834356262363465
|
||||
30666232356539386437353438643038333766363362653432366263616338393066363532633064
|
||||
63646561653264393162303430346662623536363364383862366264393532613461303935653261
|
||||
39376462623561626336306435323934323130613031623865656432626233616563393365343036
|
||||
37643463666436386230653339613463633133333661356564646234653632313931333765383666
|
||||
39646331383939343663306634393531646265363531326636326636616632643437343566656464
|
||||
64643638616264376130656637386134396161306636333064633731646234396566303934626332
|
||||
66393466626137336265653933346362396639383064393663613866333337653166343262646536
|
||||
61333864373737333133626438646538353338663531323961666335333166613363653230643139
|
||||
38616462306461356135306164376332313538613465316563663566373533396635346635646134
|
||||
31386661306533383130633130346539303666316663333762383131623535343038613963353336
|
||||
32336135366435643463613962383833666130363765326631613963363266626633643966663063
|
||||
33363235353765623961346331393963653130663434356234336538626438616334613761636161
|
||||
32346234643531396530653636626531653033393863383963663938646135616238393861373738
|
||||
30346664646465666666333165336636616265303265393236626534343163353633643737366264
|
||||
63303937306637643033663333353633346166636361323538393063353438353135303665616663
|
||||
34613230383836343861613661356162363831623363633435646234353839663530363936356238
|
||||
63383038616631666633653032613435316265626137643730666539393561373264613663656464
|
||||
30613033373435313036633938353461623335396264313236623065323339623537613164316366
|
||||
33356432646438636530353230333762346165336661393038666138356561333363613563656665
|
||||
34306136393233346532303461393736636561316231626231643633333938656435663638306261
|
||||
33393064333662336466313461363638393339373637303735663736353537363364663235363263
|
||||
36623663636235363332616433626266653330393633326339376562636165323539313532363535
|
||||
64386136393631656665343337333738653664613966363361313931313763323563383265623935
|
||||
31643532346363656462646436343761353938626661383336636436373233343530353130626463
|
||||
36346330626432376338306339396563316233313836383863303232396439336436363833383063
|
||||
39663864306533376630623334386336663237666635336661383630616139633736393835666534
|
||||
61393036363763336632623236383236383639373662393761313834653833316332373733653830
|
||||
62616563386435396433653930653637643031636462633336663033306531356239346564663564
|
||||
30636462343263643236316635346163373765393262623365353933313065333532353562333932
|
||||
62656234656363306266386135313466376665663166623038616637663333353731313564356434
|
||||
61343235613639386364663533376362613364653562613431393862656265313432623532343965
|
||||
65326362323534346535326331613262653130623336653231323564376534336261643538333434
|
||||
31333830653933633562626364363364386630343364376337613436663030333865323433316163
|
||||
33356438366161626666653731386438643064656538373036393532396432396138353564313833
|
||||
34643231366439656439336534323039616364396137653661373761343635663366363134623032
|
||||
62313734313061353065613561613337373338623732326362363436616134343864643439363631
|
||||
38346339383864373635383462326466303635383661633665663362646165663934336632633838
|
||||
64373332356664663663613735663163336465353030383365346661326634373832656137393061
|
||||
34626363383964646439356338343439343336626237626366383663386161663037343339383066
|
||||
30356332623337626437313235623161373937663532613238353333326265663937653034616135
|
||||
64663731653965613933636561313730623030656666656232396433646563623137643661643132
|
||||
30383439343764396137313231353161323835393934373561623666653630656335366434636235
|
||||
36306162316464613365616330626433306335396130336266616566653661336335346566613763
|
||||
30373638353230313433333539306664323333646463333334366362613832376534356636383235
|
||||
30626263383036643034303465366137356665366238366663313837323937646631396262623331
|
||||
62323366623530663561643036643733323230343832633639663737356530643564643534666366
|
||||
64646339363235376561363835643166663735643333656230386565653234356565323135333731
|
||||
65313864316166383566386564303461343031356138386362633834316230396436306533306239
|
||||
62306132373535363931306664346637663561323530346339373234343633663062393361323532
|
||||
32653938623738383565353965656636336662323939346331396162623862613038633035643766
|
||||
30346431393237323735386337643062396433366434396531623130643038366465643132303532
|
||||
62366266393166333138643238383764656461623361326236333565373762316431373132356263
|
||||
30396263396264626330613734346361646531626531363639393431366636316135333566393561
|
||||
65393661333837633236396563333631663036376633666538306564333565653030303135313866
|
||||
32366234313532656437393964666438393737363437303562633937396437663062616636383564
|
||||
33393564643066383662323765346535616164633239636235656263336663633562646665393734
|
||||
31393232376662666431393064643161653730653263313536613963376561386536353536616163
|
||||
63316237636630306165346633646437636636626331303262663032653662333236646564613363
|
||||
63616263643266393861386166346139343237633232653734363465303935613264366130336261
|
||||
63333137633266306465363837646163323266363665396266363437303931353938653638343630
|
||||
61386561616663303330663634306235336432316365303461623665393338396434346533366130
|
||||
35303363643334613862613831366464616264386338373566613431303939623638656536306532
|
||||
31346365623766346566353564613761333563303233336139376639363634616564303336393737
|
||||
38333637376566393437383264386561386336653135663135356466663430383634313535626233
|
||||
65646131353961663064316434353564383163646166323832663662373031636531623736643566
|
||||
37336530636133363561643438663563353963373265333333386434336361326338646666636263
|
||||
64396438616335393338376632326162326530636431323466646261623531303335656135313834
|
||||
34613764336234303230373737326662396562303439363535643562386661303861666530366332
|
||||
62316635343436396535656163393737343664333963356539313037306432643166393333353036
|
||||
63663266613332363364313863303465366136333862346164306335353838333830343261323365
|
||||
61373565666665663065666233316639326238323763333336383665653434623031383063613162
|
||||
33666532363638353130303665646536663139633463343764353962643838353037323865623236
|
||||
39613832616265376464363234363532323265366362316564343964636539656263376632313538
|
||||
38653066666165333866646437353264383638366138633538336434623139623264623033656661
|
||||
36643336343764613136653432316361343963313162326439656662386334356535373361303330
|
||||
31653963306365373633323937363332636633613266363064363535366136646639643632343031
|
||||
34393363373861613863313039393336333165386637393265333439396230643735363230363530
|
||||
61643036353062643164663063343930613536653762633231333931646239343661343738386232
|
||||
66373934643837323266623866393166373837323034373662306565623534396562326635323362
|
||||
31613138613261626231663330626664376539366165353836343039336138623931643537363931
|
||||
62313862313164306337383465333464313966656538643836643639653632663564633232343362
|
||||
61323033316630616536633938393735343332653965656565663163396335643738646463303130
|
||||
64363334326165653962656534313939666230373362316438346139356266616566346462356162
|
||||
61316233346463376162356461623734313431623330633239353730643964616662383966323932
|
||||
35373962663333653738616562396638633136376635383032313634333931626530393532663531
|
||||
30356232626566386632356334393939343262393536666130333537646338343063313565623163
|
||||
64383337303665613630393164383337346132346462373338323933316231386233323061353661
|
||||
64336337376231383035653861373639373763633337396236373161613833303630316663626331
|
||||
62633336383834363033316539336261346137303463643337393465393339663966653464336162
|
||||
66633832383734373635356165343336323866663735353931626466613361636632313437326566
|
||||
36386631653935633036373831643763656564643138303564306630396539373536383261663366
|
||||
63333061333431626465353839343564346331323961663939373538636261343336663461336566
|
||||
61343231633064336561666362633739636435633663653432393862356232356434356439343936
|
||||
35326237313033363031336162303436383733626365373832333438393436663938316366343161
|
||||
65656566353535363664386336383137313962333339396530356361363630353365366532656464
|
||||
39353639626639653535316665383962646331326463353663383630633961353031396131393562
|
||||
64663661396330356664316536623666383762623934306532636562663038336165376262633661
|
||||
30373531356163386531623738373837366666323637333932393131366531316439643338373230
|
||||
39663131313531343736353666376532326566313963623432643965646666333939613538643463
|
||||
66333762306162623963306136343930306638383933333835626231616466633561633766383564
|
||||
36653163366336666565626665323966373434383432303430306632333636353337386265323534
|
||||
61306435356164313731393862383531646665346134616330303237396136313765313233313434
|
||||
35393065363264323232323537363237303330386635346263306463636233393461393232306534
|
||||
34636138333038366165343434323937363864366463326330353438313662323035653965383138
|
||||
34646331356237613461393464386465303834373536336666626539313431303635653831303237
|
||||
66643536336330303438393161613833346337336333636137336435333830386137653139386665
|
||||
34636463313438323038616134383932646266656434633861363331393634393030356562646134
|
||||
36653830326330353962393736393566393839366132643163303862316566633838373537613531
|
||||
30396636333564623930313636363762636437373138313835393362346237353731316662343661
|
||||
36636536643534636632646463376333346230383866353736393535313931313066656231336234
|
||||
65333935653537613239663166303636356466653337643362313834303634623535653166613138
|
||||
33316638313233613239386235383737623361376132346666393661393464613963616233613033
|
||||
35386534353462386238313833666234633662353166303463333463346636646565313333613866
|
||||
62313066366131353961323761306461653732393737386539646461346133626363303563353035
|
||||
63313536646234396433306361366338386539326366316163363132326230366632383032646233
|
||||
35626138326633653032393263326261313761623437336630646634636463613533353239353734
|
||||
65363236373038623965353166656131313835373834386635656361323931653237393336333938
|
||||
38373737613966356366313636656366363031396639623633373162363363373830363564356336
|
||||
37373537323462633337663462666637363661313166323038623665393562663862383161383363
|
||||
64366663656537663837373662313564663033333663633333613733656662303639313630623162
|
||||
65663165363164343364633132376538653834323764646664626266343534393763663936616339
|
||||
37336336356164613534653862626230356635333361326266323365353665666531343337613331
|
||||
61303731313431386633616230393562373331643966306161343730336539313935306662343865
|
||||
39303237653733663162303664386237376266333963663034636564363032373235646430363837
|
||||
38636261613564323565336639623533343964663733366138303635303833633738326165643938
|
||||
38616364663737333535346661356333326238303439626138303465663932393839653362393432
|
||||
33613236316161323135373162333866666136623062373037383665633034356534333530643037
|
||||
33363466643030323061373633393233383838616631636266323165656137636532626136353561
|
||||
64663936396364613236363663316534366162623735336235643631373263616330353036623333
|
||||
32393334663663393264376630626630653962393632353239356236626334633833306335386333
|
||||
30356630306630323334663334363063343462383837393663636133343465336537353433663536
|
||||
66313265613032343838633164633366396236343136303163353365343032353239376539393965
|
||||
32316361663438623731336537393135336465336161646661366565356338326537646561376434
|
||||
36626332303661373561306338666533633435393433393832656166656264376266363035366637
|
||||
64346432336339396636353930363263653838343266623430613730373235376538366465373764
|
||||
31326537383336633434663231663865353763323235623866633339393633323836366637303536
|
||||
62313139646562616339356336663838386439313531333030643032333838343332383533663134
|
||||
32323935376462646130346631656362373035346436376266653164303263653566303037393136
|
||||
36313038303862373662356662663437353265326433653330343437316230646338306639646532
|
||||
35653732306239653133656361333330333634376332323737303831666461346165616138663637
|
||||
63376263333365623037616336303038613536303163343930396635386536363936346465326137
|
||||
63653835623135353161643765643563396636313635306461376531626332333335393661646431
|
||||
33323430653464396230366465343236303033356432643066303730323132306238643737376533
|
||||
65643232323138313562346661396361363730643736626166386664313732326136373531663466
|
||||
36383630636161376431393135373863356137353737306166393934656437363063363630393864
|
||||
62663464623932616532636231643964396533396230363837383235666561663032663938373165
|
||||
32313931373935316137643937623161306330653161336138363562313033613132306164623364
|
||||
38336435333432323237353734393666646361626535393665306662393831393765636265373938
|
||||
61303832343631313634393037356662643162643233363731386265323862383034623564393661
|
||||
30646566643336323038633161356437613666626431613762363530343166633735383365323462
|
||||
36336364616531393031326361626638323834353365666437363466653234316532396662343365
|
||||
63393331336336636363313438386461303838306539303161333433313037373361366336653462
|
||||
65626531646338626532646563346566626536643166313432363231343163313039323461633265
|
||||
61396263303433383830333865366537633066366231393034623233633436316133303030653236
|
||||
64366638353634666661666534363763356164333065313136613761626262383239646539626330
|
||||
31636665326134653836626364616161636265393534666138386234373635313834343338646139
|
||||
39363432643962623339636463346264343530666133656361316437333837346236353532613131
|
||||
36626562326536303263373361326565326364363934343430313662376464303532346361653563
|
||||
62333238633765363363363265303438396631303463376561383832643633353065366633633364
|
||||
65663634613638336638376632353733646536313839313335383939613565623463313534633335
|
||||
33333139343633353830663434643139663839323364643235623832386536633264373434336133
|
||||
63303461383063313738626431663361633730343730623865613936373232616663373636646338
|
||||
31376261376139666531376663613331366539303133353564333036336239343233666238303361
|
||||
303137643632666133393733336431393664
|
||||
|
|
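--- a/group_vars/certbot.yml
+++ b/group_vars/certbot.yml
@@ -0,0 +1,8 @@
+---
+glob_certbot:
+dns_rfc2136_server: '10.128.0.30'
+dns_rfc2136_name: certbot_challenge.
+dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+mail: tech.aurore@lists.crans.org
+certname: auro.re
+domains: "auro.re"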
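Review bot: The RFC 2136 credentials never set `dns_rfc2136_algorithm`, so if these `dns_rfc2136_*` keys are rendered into certbot's dns-rfc2136 credentials file (their names match its keys exactly) the plugin falls back to its HMAC-MD5 default; add the algorithm the TSIG key on 10.128.0.30 actually uses next to `dns_rfc2136_name`, e.g. `dns_rfc2136_algorithm: HMAC-SHA512`, so the two sides cannot drift apart silently. Pulling the secret from `vault_certbot_dns_secret` is the right call, but the remaining exposure is server-side and not visible in this PR: the `certbot_challenge.` key should be confined by the DNS server's update-policy to `_acme-challenge` TXT records, otherwise this one secret can rewrite any record under auro.re, which is worth a comment above `dns_rfc2136_name` so the next person knows where that restriction lives. `domains` is a plain string here while host_vars/portail.adm.auro.re.yml declares it as a list; unless the role is known to normalise both shapes, use a one-item list `domains: ["auro.re"]` so every consumer sees the same type.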
24
group_vars/nginx.yml
Normal file
24
group_vars/nginx.yml
Normal file
|
@ -0,0 +1,24 @@
|
|||
---
|
||||
glob_nginx:
|
||||
contact: tech.aurore@lists.crans.org
|
||||
who: "L'équipe technique d'Aurore"
|
||||
service_name: service
|
||||
ssl:
|
||||
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
|
||||
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
|
||||
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
|
||||
servers:
|
||||
- ssl: false
|
||||
server_name:
|
||||
- "default"
|
||||
- "_"
|
||||
root: "/var/www/html"
|
||||
locations:
|
||||
- filter: "/"
|
||||
params: []
|
||||
upstreams: []
|
||||
|
||||
auth_passwd: []
|
||||
default_server:
|
||||
default_ssl_server:
|
||||
deploy_robots_file: false
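Review bot: `auth_passwd: []` defaults to a list, but roles/nginx/templates/nginx/passwd.j2 iterates it with `.items()`, which only a mapping has; the `nginx.auth_passwd|length > 0` guard keeps the empty default away from the template, but the first host that sets a non-empty list fails at render time. Make the default a mapping, `auth_passwd: {}`, so the type matches the consumer. `default_server:` and `default_ssl_server:` are bare keys that parse as null; service.j2 only tests their truthiness so it works, but `default_server: null` states the intent.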
|
116
host_vars/portail.adm.auro.re.yml
Normal file
116
host_vars/portail.adm.auro.re.yml
Normal file
|
@ -0,0 +1,116 @@
|
|||
---
|
||||
loc_certbot:
|
||||
domains:
|
||||
- portail-fleming.auro.re
|
||||
- portail-pacaterie.auro.re
|
||||
- portail-rives.auro.re
|
||||
- portail-edc.auro.re
|
||||
- portail-gs.auro.re
|
||||
mail: tech.aurore@lists.crans.org
|
||||
certname: auro.re
|
||||
|
||||
loc_nginx:
|
||||
service_name: captive_portal
|
||||
default_server: '$server_addr'
|
||||
default_ssl_server: '$server_addr'
|
||||
|
||||
servers:
|
||||
- ssl: false
|
||||
server_name:
|
||||
- "10.13.0.247"
|
||||
locations:
|
||||
- filter: "/"
|
||||
params:
|
||||
- "return 302 https://portail-fleming.auro.re/portail/"
|
||||
|
||||
- ssl: true
|
||||
server_name:
|
||||
- portail-fleming.auro.re
|
||||
locations:
|
||||
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
|
||||
params:
|
||||
- "proxy_pass http://10.128.0.20"
|
||||
- "include /etc/nginx/snippets/options-proxypass.conf"
|
||||
- filter: "/"
|
||||
params:
|
||||
- "return 302 https://portail-fleming.auro.re/portail/"
|
||||
|
||||
- ssl: false
|
||||
server_name:
|
||||
- 10.23.0.247
|
||||
locations:
|
||||
- filter: "/"
|
||||
params:
|
||||
- "return 302 https://portail-pacaterie.auro.re/portail/"
|
||||
|
||||
- ssl: true
|
||||
server_name:
|
||||
- portail-pacaterie.auro.re
|
||||
locations:
|
||||
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
|
||||
params:
|
||||
- "proxy_pass http://10.128.0.20"
|
||||
- "include /etc/nginx/snippets/options-proxypass.conf"
|
||||
- filter: "/"
|
||||
params:
|
||||
- "return 302 https://portail-pacaterie.auro.re/portail/"
|
||||
|
||||
- ssl: false
|
||||
server_name:
|
||||
- "10.33.0.247"
|
||||
locations:
|
||||
- filter: "/"
|
||||
params:
|
||||
- "return 302 https://portail-rives.auro.re/portail/"
|
||||
|
||||
- ssl: true
|
||||
server_name:
|
||||
- portail-rives.auro.re
|
||||
locations:
|
||||
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
|
||||
params:
|
||||
- "proxy_pass http://10.128.0.20"
|
||||
- "include /etc/nginx/snippets/options-proxypass.conf"
|
||||
- filter: "/"
|
||||
params:
|
||||
- "return 302 https://portail-rives.auro.re/portail/"
|
||||
|
||||
- ssl: false
|
||||
server_name:
|
||||
- "10.43.0.247"
|
||||
locations:
|
||||
- filter: "/"
|
||||
params:
|
||||
- "return 302 https://portail-edc.auro.re/portail/"
|
||||
|
||||
- ssl: true
|
||||
server_name:
|
||||
- portail-edc.auro.re
|
||||
locations:
|
||||
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
|
||||
params:
|
||||
- "proxy_pass http://10.128.0.20"
|
||||
- "include /etc/nginx/snippets/options-proxypass.conf"
|
||||
- filter: "/"
|
||||
params:
|
||||
- "return 302 https://portail-edc.auro.re/portail/"
|
||||
|
||||
- ssl: false
|
||||
server_name:
|
||||
- "10.53.0.247"
|
||||
locations:
|
||||
- filter: "/"
|
||||
params:
|
||||
- "return 302 https://portail-gs.auro.re/portail/"
|
||||
|
||||
- ssl: true
|
||||
server_name:
|
||||
- portail-gs.auro.re
|
||||
locations:
|
||||
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
|
||||
params:
|
||||
- "proxy_pass http://10.128.0.20"
|
||||
- "include /etc/nginx/snippets/options-proxypass.conf"
|
||||
- filter: "/"
|
||||
params:
|
||||
- "return 302 https://portail-gs.auro.re/portail/"
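Review bot: The proxied regex `~ /(potail|cotisations/comnpay|...)` looks like a typo for `portail`, and the catch-all `location /` on the same server answers `302 .../portail/`; if the upstream path really is `/portail/`, that request misses the proxy location and is redirected to itself in a loop. Fix the spelling (or drop the catch-all) before this goes live. The regex is also unanchored, so `~ /(static|media|...)` matches those strings anywhere in the URI (`/x/static/...`); write `~ ^/(...)`. `proxy_pass http://10.128.0.20` carries the portal and payment (`cotisations/comnpay`) traffic in clear text to the backend, which is only acceptable if 10.128.0.0/16 is a dedicated admin segment; the page does not show that.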
|
|
@ -2,10 +2,15 @@
|
|||
certbot:
|
||||
domains:
|
||||
- auro.re
|
||||
- chat.auro.re # cname to riot.auro.re
|
||||
- codimd.auro.re
|
||||
- element.auro.re # cname to riot.auro.re
|
||||
- ehterpad.auro.re # cname to pad.auro.re
|
||||
- grafana.auro.re
|
||||
- hedgedoc.auro.re # cname to codimd.auro.re
|
||||
- pad.auro.re
|
||||
- passbolt.auro.re
|
||||
- paste.auro.re # cname to privatebin.auro.re
|
||||
- phabricator.auro.re
|
||||
- privatebin.auro.re
|
||||
- riot.auro.re
|
||||
|
@ -13,7 +18,7 @@ certbot:
|
|||
- status.auro.re
|
||||
- wiki.auro.re
|
||||
- www.auro.re
|
||||
- zero.auro.re
|
||||
- zero.auro.re # cname to privatebin.auro.re
|
||||
mail: tech.aurore@lists.crans.org
|
||||
certname: auro.re
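Review bot: `ehterpad.auro.re` in the new SAN list looks like a typo for `etherpad.auro.re` (the comment says it is a CNAME to pad.auro.re). With the DNS-01 rfc2136 authenticator this is not caught at issuance: certbot writes `_acme-challenge.ehterpad.auro.re` into the zone and the CA validates it, so a certificate is issued for a name nobody resolves while the real alias stays uncovered. Fix the spelling before the handler re-issues the lineage. The enclosing `certbot:` mapping starts before this hunk.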
|
||||
|
||||
|
|
|
@ -33,7 +33,7 @@ nginx:
|
|||
|
||||
redirect_sites:
|
||||
- from: 45.66.111.61
|
||||
to: auro.re
|
||||
to: intranet.auro.re
|
||||
|
||||
reverseproxy_sites:
|
||||
- from: re2o.auro.re
|
||||
|
|
27
hosts
27
hosts
|
@ -29,13 +29,16 @@ stream.adm.auro.re
|
|||
re2o-server.adm.auro.re
|
||||
re2o-ldap.adm.auro.re
|
||||
re2o-db.adm.auro.re
|
||||
pendragon.adm.auro.re
|
||||
services-bdd-local.adm.auro.re
|
||||
backup.adm.auro.re
|
||||
services-web.adm.auro.re
|
||||
mail.auro.re
|
||||
wikijs.adm.auro.re
|
||||
prometheus-aurore.adm.auro.re
|
||||
portail.adm.auro.re
|
||||
|
||||
[aurore_testing_vm]
|
||||
pendragon.adm.auro.re
|
||||
|
||||
###############################################################################
|
||||
# OVH
|
||||
|
@ -337,6 +340,7 @@ gf-5-1.borne.auro.re
|
|||
# Les Rives
|
||||
[rives_pve]
|
||||
thor.adm.auro.re
|
||||
loki.adm.auro.re
|
||||
|
||||
[rives_vm]
|
||||
dhcp-rives-backup.adm.auro.re
|
||||
|
@ -345,6 +349,7 @@ dns-rives-backup.adm.auro.re
|
|||
radius-rives-backup.adm.auro.re
|
||||
routeur-rives-backup.adm.auro.re
|
||||
ldap-replica-rives.adm.auro.re
|
||||
prometheus-rives.adm.auro.re
|
||||
|
||||
[rives_unifi]
|
||||
r3-4-4.borne.auro.re
|
||||
|
@ -396,29 +401,31 @@ ovh_vm
|
|||
[fleming:children]
|
||||
fleming_pve
|
||||
fleming_vm
|
||||
#fleming_unifi
|
||||
fleming_unifi
|
||||
|
||||
# everything at pacaterie
|
||||
[pacaterie:children]
|
||||
pacaterie_pve
|
||||
pacaterie_vm
|
||||
#pacaterie_unifi
|
||||
pacaterie_unifi
|
||||
|
||||
# everything at edc
|
||||
[edc:children]
|
||||
edc_pve
|
||||
edc_vm
|
||||
edc_unifi
|
||||
|
||||
# everything at georgesand
|
||||
[gs:children]
|
||||
gs_pve
|
||||
gs_vm
|
||||
gs_unifi
|
||||
|
||||
# everything at Les Rives
|
||||
[rives:children]
|
||||
rives_pve
|
||||
rives_vm
|
||||
|
||||
rives_unifi
|
||||
|
||||
###############################################################################
|
||||
# Groups by type
|
||||
|
@ -445,6 +452,13 @@ edc_pve
|
|||
gs_pve
|
||||
rives_pve
|
||||
|
||||
# every unifi
|
||||
[unifi:children]
|
||||
gs_unifi
|
||||
edc_unifi
|
||||
fleming_unifi
|
||||
rives_unifi
|
||||
pacaterie_unifi
|
||||
|
||||
###############################################################################
|
||||
# Groups by service
|
||||
|
@ -475,3 +489,8 @@ ldap-replica-ovh.adm.auro.re
|
|||
[ldap_replica_rives]
|
||||
ldap-replica-rives.adm.auro.re
|
||||
|
||||
[certbot]
|
||||
portail.adm.auro.re
|
||||
|
||||
[nginx]
|
||||
portail.adm.auro.re
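Review bot: `mail.auro.re` is the only entry added on the public domain rather than `.adm.auro.re`, so Ansible will manage it over whatever the public name resolves to instead of the admin network every other host uses; if the mail VM has an admin interface, list it as `mail.adm.auro.re`. Un-commenting `fleming_unifi` and `pacaterie_unifi` and adding `[unifi:children]` means `all,!unifi` now really excludes every AP, which base.yml and logrotate.yml rely on; monitoring.yml still spells the five groups out by hand and could use `!unifi` too.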
|
||||
|
|
7
logrotate.yml
Executable file
7
logrotate.yml
Executable file
|
@ -0,0 +1,7 @@
|
|||
#!/usr/bin/env ansible-playbook
|
||||
---
|
||||
# Playbook to run ONLY the logrotate role
|
||||
# Install logrotate
|
||||
- hosts: all,!unifi,!pve
|
||||
roles:
|
||||
- logrotate
|
|
@ -14,7 +14,7 @@
|
|||
roles:
|
||||
- prometheus
|
||||
|
||||
- hosts: prometheus-pacaterie.adm.auro.re,prometheus-pacaterie-fo.adm.auro.re
|
||||
- hosts: prometheus-pacaterie.adm.auro.re
|
||||
vars:
|
||||
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
|
||||
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
||||
|
@ -25,6 +25,8 @@
|
|||
{{ groups['pacaterie_pve'] + groups['pacaterie_vm'] | list | sort }}
|
||||
prometheus_unifi_snmp_targets:
|
||||
- targets: "{{ groups['pacaterie_unifi'] | list | sort }}"
|
||||
prometheus_ups_snmp_targets:
|
||||
- ups-pn-1.ups.auro.re
|
||||
roles:
|
||||
- prometheus
|
||||
|
||||
|
@ -34,6 +36,9 @@
|
|||
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
||||
|
||||
# Prometheus targets.json
|
||||
prometheus_ups_snmp_targets:
|
||||
- ups-ec-1.ups.auro.re
|
||||
|
||||
prometheus_targets:
|
||||
- targets: |
|
||||
{{ groups['edc_pve'] + groups['edc_vm'] | list | sort }}
|
||||
|
@ -53,10 +58,42 @@
|
|||
{{ groups['gs_pve'] + groups['gs_vm'] | list | sort }}
|
||||
prometheus_unifi_snmp_targets:
|
||||
- targets: "{{ groups['gs_unifi'] | list | sort }}"
|
||||
prometheus_ups_snmp_targets:
|
||||
- ups-gk-1.ups.auro.re
|
||||
roles:
|
||||
- prometheus
|
||||
|
||||
- hosts: prometheus-rives.adm.auro.re
|
||||
vars:
|
||||
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
|
||||
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
||||
|
||||
# Prometheus targets.json
|
||||
prometheus_ups_snmp_targets:
|
||||
- ups-r3-1.ups.auro.re
|
||||
|
||||
prometheus_targets:
|
||||
- targets: |
|
||||
{{ groups['rives_pve'] + groups['rives_vm'] | list | sort }}
|
||||
prometheus_unifi_snmp_targets:
|
||||
- targets: "{{ groups['rives_unifi'] | list | sort }}"
|
||||
roles:
|
||||
- prometheus
|
||||
|
||||
- hosts: prometheus-aurore.adm.auro.re
|
||||
vars:
|
||||
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
|
||||
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
|
||||
|
||||
# Prometheus targets.json
|
||||
prometheus_targets:
|
||||
- targets: |
|
||||
{{ groups['aurore_pve'] + groups['aurore_vm'] + groups['ovh_pve'] + groups['ovh_vm'] | list | sort }}
|
||||
roles:
|
||||
- prometheus
|
||||
|
||||
|
||||
# Monitor all hosts
|
||||
- hosts: all,!unifi,!ovh
|
||||
- hosts: all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,!aurore_testing_vm,!ovh_container
|
||||
roles:
|
||||
- prometheus_node
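Review bot: The new host pattern `all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,!aurore_testing_vm,!ovh_container` duplicates the `[unifi:children]` group this same PR adds to `hosts`; `- hosts: all,!unifi,!aurore_testing_vm,!ovh_container` is equivalent and will not silently miss a sixth site. The copied target expression `{{ groups['rives_pve'] + groups['rives_vm'] | list | sort }}` sorts only the second operand because the filter binds tighter than `+`; `{{ (groups['rives_pve'] + groups['rives_vm']) | sort }}` sorts the whole list. The play this hunk ends is defined before the hunk begins.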
|
||||
|
|
21
roles/baseconfig/tasks/apt-unattended.yml
Normal file
21
roles/baseconfig/tasks/apt-unattended.yml
Normal file
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
- name: Install unattended-upgrades
|
||||
when: ansible_os_family == "Debian"
|
||||
apt:
|
||||
name: unattended-upgrades
|
||||
state: present
|
||||
update_cache: true
|
||||
register: apt_result
|
||||
retries: 3
|
||||
until: apt_result is succeeded
|
||||
|
||||
- name: Configure unattended-upgrades
|
||||
template:
|
||||
src: "apt/{{ item }}.j2"
|
||||
dest: "/etc/apt/apt.conf.d/{{ item }}"
|
||||
owner: root
|
||||
mode: u=rw,g=r,o=r
|
||||
loop:
|
||||
- 50unattended-upgrades
|
||||
- 20auto-upgrades
|
||||
...
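Review bot: `Configure unattended-upgrades` has no `when: ansible_os_family == "Debian"` guard, unlike the install task above it, and writes into `/etc/apt/apt.conf.d/` without `group:`; add the guard and `group: root` for symmetry. APT reads these files on every invocation, so a syntax slip in either template breaks every later `apt` task on the host; `validate: 'apt-config -c=%s dump'` (apt-config accepts a config file that way as far as I recall, confirm on a test host) would catch it before the file is moved into place.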
|
|
@ -4,26 +4,29 @@
|
|||
when: ansible_os_family == "Debian"
|
||||
apt:
|
||||
name:
|
||||
- sudo
|
||||
- molly-guard # prevent reboot
|
||||
- ntp # network time sync
|
||||
- apt # better than apt-get
|
||||
- nano # for vulcain
|
||||
- vim # better than nano
|
||||
- emacs-nox # for maman
|
||||
- htop # better than top
|
||||
- zsh # to be able to ssh @erdnaxe
|
||||
- fish # to motivate @edpibu
|
||||
- oidentd # postgresql identification
|
||||
- aptitude # nice to have for Ansible
|
||||
- acl # advanced ACL
|
||||
- iotop # monitor i/o
|
||||
- tree # create a graphical tree of files
|
||||
- apt # better than apt-get
|
||||
- aptitude # nice to have for Ansible
|
||||
- bash-completion # because bash
|
||||
- curl # better than wget
|
||||
- emacs-nox # for maman
|
||||
- fish # to motivate @edpibu
|
||||
- git # code versioning
|
||||
- htop # better than top
|
||||
- iotop # monitor i/o
|
||||
- less # i like cats
|
||||
- screen # Vulcain asked for this
|
||||
- lsb-release
|
||||
- molly-guard # prevent reboot
|
||||
- nano # for vulcain
|
||||
- net-tools
|
||||
- ntp # network time sync
|
||||
- oidentd # postgresql identification
|
||||
- screen # Vulcain asked for this
|
||||
- sudo
|
||||
- tmux # For shirenn
|
||||
- tree # create a graphical tree of files
|
||||
- vim # better than nano
|
||||
- zsh # to be able to ssh @erdnaxe
|
||||
update_cache: true
|
||||
register: apt_result
|
||||
retries: 3
|
||||
|
@ -72,6 +75,9 @@
|
|||
# APT-List Changes : send email with changelog
|
||||
- include_tasks: apt-listchanges.yml
|
||||
|
||||
# APT Unattended upgrades
|
||||
- include_tasks: apt-unattended.yml
|
||||
|
||||
# User skeleton
|
||||
- name: Configure user skeleton
|
||||
copy:
|
||||
|
@ -92,13 +98,13 @@
|
|||
apt:
|
||||
pkg: smartmontools
|
||||
state: absent
|
||||
autoremove: yes
|
||||
autoremove: true
|
||||
when: ansible_system_vendor == "QEMU"
|
||||
|
||||
- name: Remove useless packages from the cache
|
||||
apt:
|
||||
autoclean: yes
|
||||
autoclean: true
|
||||
|
||||
- name: Remove dependencies that are no longer required
|
||||
apt:
|
||||
autoremove: yes
|
||||
autoremove: true
|
||||
|
|
4
roles/baseconfig/templates/apt/20auto-upgrades.j2
Normal file
4
roles/baseconfig/templates/apt/20auto-upgrades.j2
Normal file
|
@ -0,0 +1,4 @@
|
|||
// {{ ansible_managed }}
|
||||
|
||||
APT::Periodic::Update-Package-Lists "1";
|
||||
APT::Periodic::Unattended-Upgrade "1";
|
22
roles/baseconfig/templates/apt/50unattended-upgrades.j2
Normal file
22
roles/baseconfig/templates/apt/50unattended-upgrades.j2
Normal file
|
@ -0,0 +1,22 @@
|
|||
// {{ ansible_managed }}
|
||||
|
||||
Unattended-Upgrade::Origins-Pattern {
|
||||
"origin=Debian,codename=${distro_codename},label=Debian-Security";
|
||||
};
|
||||
|
||||
Unattended-Upgrade::Package-Blacklist {};
|
||||
|
||||
Unattended-Upgrade::MinimalSteps "true";
|
||||
Unattended-Upgrade::InstallOnShutdown "false";
|
||||
|
||||
Unattended-Upgrade::Mail "{{ monitoring_mail }}";
|
||||
// Unattended-Upgrade::MailOnlyOnError "false";
|
||||
|
||||
Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
|
||||
Unattended-Upgrade::Remove-New-Unused-Dependencies "false";
|
||||
Unattended-Upgrade::Remove-Unused-Dependencies "false";
|
||||
|
||||
Unattended-Upgrade::Automatic-Reboot "false";
|
||||
|
||||
Unattended-Upgrade::SyslogEnable "true";
|
||||
Unattended-Upgrade::SyslogFacility "daemon";
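Review bot: With `Automatic-Reboot "false"` and only the `Debian-Security` origin, kernel and libc security updates are installed but stay inactive until someone reboots, and nothing here surfaces that state; check `/var/run/reboot-required` from monitoring or install `needrestart`. `Mail` is set while `MailOnlyOnError` stays at its default of false, so every run that installs something mails `{{ monitoring_mail }}`; decide whether that volume is wanted. `Remove-Unused-Kernel-Packages "false"` plus daily kernel security updates will slowly fill `/boot` on small VMs; `"true"` is the upstream default and only removes kernels that are neither running nor newest. `monitoring_mail` is not defined anywhere in the visible diff; confirm it exists in group_vars or the template will not render.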
|
8
roles/certbot/handlers/main.yml
Normal file
8
roles/certbot/handlers/main.yml
Normal file
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
- name: Reload nginx
|
||||
service:
|
||||
name: nginx
|
||||
state: reloaded
|
||||
|
||||
- name: Generate certificates
|
||||
command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
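Review bot: `Generate certificates` runs `certbot certonly --non-interactive` against an existing lineage, and when the `domains` set in the ini differs from the lineage on disk certbot refuses in non-interactive mode unless `--expand` is given (from memory of certbot's behaviour; confirm on the first SAN change), so adding a domain as this PR does leaves the handler failing; add `--expand` or `expand = True` in the ini. `Reload nginx` assumes nginx exists on every certbot host, which is no longer true now that the role uses DNS-01 rather than the nginx plugin; on a host like the mail server this handler errors. Guard it or move the reload into the nginx role.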
|
|
@ -1,10 +1,10 @@
|
|||
---
|
||||
- name: Install certbot and nginx plugin
|
||||
- name: Install certbot and RFC2136 plugin
|
||||
apt:
|
||||
update_cache: true
|
||||
name:
|
||||
- certbot
|
||||
- python3-certbot-nginx
|
||||
- python3-certbot-dns-rfc2136
|
||||
register: pkg_result
|
||||
retries: 3
|
||||
until: pkg_result is succeeded
|
||||
|
@ -15,25 +15,24 @@
|
|||
state: directory
|
||||
mode: 0755
|
||||
|
||||
- name: Lookup DNS masters IPv4
|
||||
set_fact:
|
||||
dns_masters_ipv4:
|
||||
- "10.128.0.30"
|
||||
cacheable: true
|
||||
|
||||
- name: Add DNS credentials
|
||||
template:
|
||||
src: letsencrypt/rfc2136.ini.j2
|
||||
dest: /etc/letsencrypt/rfc2136.ini
|
||||
mode: 0600
|
||||
owner: root
|
||||
|
||||
- name: Add Certbot configuration
|
||||
template:
|
||||
src: "letsencrypt/conf.d/certname.ini.j2"
|
||||
dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
|
||||
mode: 0644
|
||||
register: certbot_config
|
||||
|
||||
- name: Stop services to allow certbot to generate a cert.
|
||||
service:
|
||||
name: nginx
|
||||
state: stopped
|
||||
when: certbot_config.changed
|
||||
|
||||
- name: Generate new certificate if the configuration changed
|
||||
shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
|
||||
when: certbot_config.changed
|
||||
|
||||
- name: Restart services to allow certbot to generate a cert.
|
||||
service:
|
||||
name: nginx
|
||||
state: started
|
||||
when: certbot_config.changed
|
||||
notify:
|
||||
- Generate certificates
|
||||
- Reload nginx
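Review bot: `Lookup DNS masters IPv4` hard-codes `10.128.0.30` into `dns_masters_ipv4` with `cacheable: true`, but nothing in the role reads it; the template uses `certbot.dns_rfc2136_server` from group_vars, so remove the task rather than keep a second copy of the address. `/etc/letsencrypt/rfc2136.ini` holds the TSIG secret and gets `mode: 0600` and `owner: root`, which is right; add `group: root` and quote the mode (`mode: "0600"`) as the logrotate role in this PR already does. The notify list only works because handlers run in the order they are defined in handlers/main.yml (`Generate certificates` before `Reload nginx`); a one-line comment saying so would stop someone reordering them.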
|
||||
|
|
|
@ -15,8 +15,13 @@ email = {{ certbot.mail }}
|
|||
# Uncomment to use a text interface instead of ncurses
|
||||
text = True
|
||||
|
||||
# Use nginx challenge
|
||||
authenticator = nginx
|
||||
# Yes I want to sell my soul and my guinea pig.
|
||||
agree-tos = True
|
||||
|
||||
# Use DNS-01 challenge
|
||||
authenticator = dns-rfc2136
|
||||
dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
|
||||
dns-rfc2136-propagation-seconds = 30
|
||||
|
||||
# Accept TOS
|
||||
agree-tos = True
|
||||
|
|
7
roles/certbot/templates/letsencrypt/rfc2136.ini.j2
Normal file
7
roles/certbot/templates/letsencrypt/rfc2136.ini.j2
Normal file
|
@ -0,0 +1,7 @@
|
|||
{{ ansible_managed | comment(decoration='# ') }}
|
||||
|
||||
dns_rfc2136_server = {{ certbot.dns_rfc2136_server }}
|
||||
dns_rfc2136_port = 53
|
||||
dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
|
||||
dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
|
||||
dns_rfc2136_algorithm = HMAC-SHA512
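Review bot: This file carries the TSIG key in clear, so its safety rests on two things the page cannot show: the 0600 mode set by the task and the server-side `update-policy` on 10.128.0.30 granting `certbot_challenge.` nothing beyond TXT updates on `_acme-challenge.*` names. A comment here would make that assumption explicit: `# key must be limited server-side to _acme-challenge TXT records; otherwise it can rewrite the whole zone`. `HMAC-SHA512` and the explicit `dns_rfc2136_port = 53` are fine.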
|
|
@ -18,6 +18,7 @@
|
|||
owner: re2o-services
|
||||
group: nogroup
|
||||
recurse: true
|
||||
mode: 755
|
||||
|
||||
- name: Install isc-dhcp-server
|
||||
apt:
|
||||
|
@ -101,7 +102,7 @@
|
|||
when: is_aurore_host
|
||||
|
||||
- name: force run dhcp re2o-service
|
||||
shell: /var/local/re2o-services/dhcp/main.py --force
|
||||
command: /var/local/re2o-services/dhcp/main.py --force
|
||||
|
||||
- name: Ensure dhcpd is running
|
||||
service:
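Review bot: `mode: 755`, the line added in the first hunk, is an unquoted decimal in YAML and Ansible applies integer modes verbatim (the file-module docs warn that this yields a decimal), so the re2o-services tree ends up with mode 01363 (sticky bit, `rwx--x-wx`) instead of 0755; write `mode: "0755"`. Because `recurse: true` is set just above, that wrong mode is applied to every file underneath. The `shell`→`command` change for `main.py --force` is good, but the task still reports `changed` on every run; add `changed_when: false` if idempotency matters. The enclosing task list starts before the hunk.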
|
||||
|
|
5
roles/logrotate/handlers/main.yml
Normal file
5
roles/logrotate/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
- name: reload logrotate
|
||||
service:
|
||||
name: logrotate
|
||||
state: reloaded
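Review bot: On Debian `logrotate.service` is a oneshot unit fired by `logrotate.timer`, and systemd rejects `reload` on a unit with no `ExecReload`, so this handler will error the first time the template changes (inferred from the stock unit; check `systemctl cat logrotate`). logrotate has no daemon to reload: the new drop-in is read on the next timer run. Drop the handler and the `notify`, or turn it into `systemd: name: logrotate.timer enabled: true state: started`.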
|
29
roles/logrotate/tasks/main.yml
Normal file
29
roles/logrotate/tasks/main.yml
Normal file
|
@ -0,0 +1,29 @@
|
|||
---
|
||||
# Install and configure logrotate
|
||||
|
||||
# Install the apt package
|
||||
- name: Install logrotate
|
||||
apt:
|
||||
name:
|
||||
- logrotate
|
||||
|
||||
# Copy the configuration and reload the service if it has changed
|
||||
- name: Configure logrotate
|
||||
template:
|
||||
src: logrotate.d/rsyslog.j2
|
||||
dest: /etc/logrotate.d/rsyslog
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
notify: reload logrotate
|
||||
|
||||
# Make sure the service is enabled and started
|
||||
- name: Enable logrotate service
|
||||
service:
|
||||
name: logrotate
|
||||
enabled: true
|
||||
state: started
|
||||
|
||||
# Enforce new logrotate rules now
|
||||
- name: Run logrotate now
|
||||
command: /usr/sbin/logrotate -f /etc/logrotate.d/rsyslog
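Review bot: `Run logrotate now` forces a rotation on every play run, which burns through the `rotate 7`/`rotate 90` windows and the `auth.log` retention this PR is otherwise extending, and `-f` with only the drop-in as config file bypasses the `/etc/logrotate.conf` globals (`su`, `create`, `dateext`…). Either drop the task or run `logrotate /etc/logrotate.conf` once, guarded by the template task's result and with `changed_when: false`. `Enable logrotate service` starts the oneshot `logrotate.service`, which is one more immediate rotation; the unit to enable is `logrotate.timer`. The install task also lacks `state: present`, `update_cache` and the retry pattern the other roles in this PR use.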
|
39
roles/logrotate/templates/logrotate.d/rsyslog.j2
Normal file
39
roles/logrotate/templates/logrotate.d/rsyslog.j2
Normal file
|
@ -0,0 +1,39 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
/var/log/syslog
|
||||
{
|
||||
rotate 7
|
||||
daily
|
||||
missingok
|
||||
notifempty
|
||||
delaycompress
|
||||
compress
|
||||
postrotate
|
||||
/usr/lib/rsyslog/rsyslog-rotate
|
||||
endscript
|
||||
}
|
||||
|
||||
/var/log/mail.info
|
||||
/var/log/mail.warn
|
||||
/var/log/mail.err
|
||||
/var/log/mail.log
|
||||
/var/log/daemon.log
|
||||
/var/log/kern.log
|
||||
/var/log/auth.log
|
||||
/var/log/user.log
|
||||
/var/log/lpr.log
|
||||
/var/log/cron.log
|
||||
/var/log/debug
|
||||
/var/log/messages
|
||||
{
|
||||
rotate 90
|
||||
daily
|
||||
missingok
|
||||
notifempty
|
||||
compress
|
||||
delaycompress
|
||||
sharedscripts
|
||||
postrotate
|
||||
/usr/lib/rsyslog/rsyslog-rotate
|
||||
endscript
|
||||
}
|
5
roles/nginx/handlers/main.yml
Normal file
5
roles/nginx/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
- name: Reload nginx
|
||||
systemd:
|
||||
name: nginx
|
||||
state: reloaded
|
121
roles/nginx/tasks/main.yml
Normal file
121
roles/nginx/tasks/main.yml
Normal file
|
@ -0,0 +1,121 @@
|
|||
---
|
||||
- name: Install NGINX
|
||||
apt:
|
||||
update_cache: true
|
||||
name: nginx
|
||||
register: apt_result
|
||||
retries: 3
|
||||
until: apt_result is succeeded
|
||||
|
||||
- name: Copy snippets
|
||||
template:
|
||||
src: "nginx/snippets/{{ item }}.j2"
|
||||
dest: "/etc/nginx/snippets/{{ item }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
loop:
|
||||
- options-ssl.conf
|
||||
- options-proxypass.conf
|
||||
|
||||
- name: Copy dhparam
|
||||
template:
|
||||
src: letsencrypt/dhparam.j2
|
||||
dest: /etc/letsencrypt/dhparam
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: Disable default site
|
||||
file:
|
||||
dest: "/etc/nginx/sites-enabled/default"
|
||||
state: absent
|
||||
|
||||
- name: Copy reverse proxy sites
|
||||
when: nginx.reverseproxy_sites is defined or nginx.redirect_sites is defined
|
||||
template:
|
||||
src: "nginx/sites-available/{{ item }}.j2"
|
||||
dest: "/etc/nginx/sites-available/{{ item }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
loop:
|
||||
- reverseproxy
|
||||
- reverseproxy_redirect_dname
|
||||
- redirect
|
||||
notify: Reload nginx
|
||||
|
||||
- name: Activate reverse proxy sites
|
||||
when: nginx.reverseproxy_sites is defined or nginx.redirect_sites is defined
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/{{ item }}"
|
||||
dest: "/etc/nginx/sites-enabled/{{ item }}"
|
||||
owner: root
|
||||
group: root
|
||||
state: link
|
||||
loop:
|
||||
- reverseproxy
|
||||
- reverseproxy_redirect_dname
|
||||
- redirect
|
||||
notify: Reload nginx
|
||||
ignore_errors: "{{ ansible_check_mode }}"
|
||||
|
||||
- name: Copy service nginx configuration
|
||||
when: nginx.servers is defined and nginx.servers|length > 0
|
||||
template:
|
||||
src: "nginx/sites-available/service.j2"
|
||||
dest: "/etc/nginx/sites-available/{{ nginx.service_name }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: Reload nginx
|
||||
|
||||
- name: Activate local nginx service site
|
||||
when: nginx.servers is defined and nginx.servers|length > 0
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/{{ nginx.service_name }}"
|
||||
dest: "/etc/nginx/sites-enabled/{{ nginx.service_name }}"
|
||||
owner: root
|
||||
group: root
|
||||
state: link
|
||||
notify: Reload nginx
|
||||
ignore_errors: "{{ ansible_check_mode }}"
|
||||
|
||||
- name: Copy 50x error page
|
||||
template:
|
||||
src: www/html/50x.html.j2
|
||||
dest: /var/www/html/50x.html
|
||||
owner: www-data
|
||||
group: www-data
|
||||
mode: 0644
|
||||
|
||||
- name: Copy robots.txt file
|
||||
when: nginx.deploy_robots_file
|
||||
template:
|
||||
src: www/html/robots.txt.j2
|
||||
dest: /var/www/html/robots.txt
|
||||
owner: www-data
|
||||
group: www-data
|
||||
mode: 0644
|
||||
|
||||
- name: Indicate role in motd
|
||||
template:
|
||||
src: update-motd.d/05-service.j2
|
||||
dest: /etc/update-motd.d/05-nginx
|
||||
mode: 0755
|
||||
|
||||
- name: Install passwords
|
||||
when: nginx.auth_passwd|length > 0
|
||||
template:
|
||||
src: nginx/passwd.j2
|
||||
dest: /etc/nginx/passwd
|
||||
mode: 0644
|
||||
|
||||
- name: Copy 401 error page
|
||||
when: nginx.auth_passwd|length > 0
|
||||
template:
|
||||
src: www/html/401.html.j2
|
||||
dest: /var/www/html/401.html
|
||||
owner: www-data
|
||||
group: www-data
|
||||
mode: 0644
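Review bot: `Install passwords` writes `/etc/nginx/passwd` with `mode: 0644` and no owner/group, leaving the basic-auth hashes readable by every local user of the host; use `owner: root`, `group: www-data`, `mode: "0640"`, since the workers run as www-data and only need read. `Copy dhparam` targets `/etc/letsencrypt/dhparam` but this role never creates `/etc/letsencrypt`; on a host with nginx and no certbot the task fails, so create the directory or keep the file under `/etc/nginx/`. The snippet loop copies only `options-ssl.conf` and `options-proxypass.conf`, so `fastcgi.conf.j2` added in the same PR is never deployed.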
|
8
roles/nginx/templates/letsencrypt/dhparam.j2
Normal file
8
roles/nginx/templates/letsencrypt/dhparam.j2
Normal file
|
@ -0,0 +1,8 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
||||
-----END DH PARAMETERS-----
|
4
roles/nginx/templates/nginx/passwd.j2
Normal file
4
roles/nginx/templates/nginx/passwd.j2
Normal file
|
@ -0,0 +1,4 @@
|
|||
# {{ ansible_managed }}
|
||||
{% for user, hash in nginx.auth_passwd.items() -%}
|
||||
{{ user }}: {{ hash }}
|
||||
{% endfor -%}
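Review bot: `{{ user }}: {{ hash }}` emits a space after the colon, and nginx's `auth_basic_user_file` takes everything after the first `:` as the password hash, so every login is compared against ` $apr1$…` and fails; write `{{ user }}:{{ hash }}`. The loop also requires `nginx.auth_passwd` to be a mapping (`.items()`) while group_vars/nginx.yml defaults it to `[]`; pick one type.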
|
67
roles/nginx/templates/nginx/sites-available/redirect.j2
Normal file
67
roles/nginx/templates/nginx/sites-available/redirect.j2
Normal file
|
@ -0,0 +1,67 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
{% for site in nginx.redirect_sites %}
|
||||
# Redirect http://{{ site.from }} to http://{{ site.to }}
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name {{ site.from }};
|
||||
|
||||
location / {
|
||||
return 302 http://{{ site.to }}$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
# Redirect https://{{ site.from }} to https://{{ site.to }}
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ site.from }};
|
||||
|
||||
# SSL common conf
|
||||
include "/etc/nginx/snippets/options-ssl.conf";
|
||||
|
||||
location / {
|
||||
return 302 https://{{ site.to }}$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
{% endfor %}
|
||||
|
||||
{# Also redirect for DNAMEs #}
|
||||
{% for dname in nginx.redirect_dnames %}
|
||||
{% for site in nginx.redirect_sites %}
|
||||
{% set from = site.from | regex_replace('crans.org', dname) %}
|
||||
{% if from != site.from %}
|
||||
# Redirect http://{{ from }} to http://{{ site.to }}
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name {{ from }};
|
||||
|
||||
location / {
|
||||
return 302 http://{{ site.to }}$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
# Redirect https://{{ from }} to https://{{ site.to }}
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ from }};
|
||||
|
||||
# SSL common conf
|
||||
include "/etc/nginx/snippets/options-ssl.conf";
|
||||
|
||||
location / {
|
||||
return 302 https://{{ site.to }}$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endfor %}
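Review bot: The DNAME block filters with `regex_replace('crans.org', dname)`, a literal left over from the repository this was copied from: no `site.from` in this inventory contains `crans.org`, so the loop emits nothing, yet `nginx.redirect_dnames` must still be defined or the template fails. Either parameterise the base domain (`regex_replace('auro\\.re$', dname)`, with the dot escaped) or delete the block. Redirects use 302 throughout; for a settled move to `intranet.auro.re` a 301/308 lets clients cache it, but keep 302 while the target is still changing.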
|
56
roles/nginx/templates/nginx/sites-available/reverseproxy.j2
Normal file
56
roles/nginx/templates/nginx/sites-available/reverseproxy.j2
Normal file
|
@ -0,0 +1,56 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
# Automatic Connection header for WebSocket support
|
||||
# See http://nginx.org/en/docs/http/websocket.html
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
{% for site in nginx.reverseproxy_sites %}
|
||||
# Redirect http://{{ site.from }} to https://{{ site.from }}
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name {{ site.from }};
|
||||
|
||||
location / {
|
||||
return 302 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
# Reverse proxify https://{{ site.from }} to http://{{ site.to }}
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ site.from }};
|
||||
|
||||
# SSL common conf
|
||||
include "/etc/nginx/snippets/options-ssl.conf";
|
||||
|
||||
# Log into separate log files
|
||||
access_log /var/log/nginx/{{ site.from }}.log;
|
||||
error_log /var/log/nginx/{{ site.from }}_error.log;
|
||||
|
||||
# Keep the TCP connection open a bit for faster browsing
|
||||
keepalive_timeout 70;
|
||||
|
||||
# Custom error page
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
location = /50x.html {
|
||||
root /var/www/html;
|
||||
}
|
||||
|
||||
set_real_ip_from 10.231.136.0/24;
|
||||
set_real_ip_from 2a0c:700:0:2::/64;
|
||||
real_ip_header P-Real-Ip;
|
||||
|
||||
location / {
|
||||
proxy_pass http://{{ site.to }};
|
||||
include "/etc/nginx/snippets/options-proxypass.conf";
|
||||
}
|
||||
}
|
||||
|
||||
{% endfor %}
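Review bot: `set_real_ip_from 10.231.136.0/24; set_real_ip_from 2a0c:700:0:2::/64; real_ip_header P-Real-Ip;` trusts a non-standard header from two prefixes that appear nowhere else in this repository and look like another organisation's front-end ranges; if no Aurore front proxy sets `P-Real-Ip`, delete the three lines, otherwise replace the prefixes with the real ones. As written, access logs and anything keyed on the client address would trust whoever holds those prefixes. The `error_page 500 502 503 504` is served from `/var/www/html`, the same root the default plain-HTTP server in group_vars/nginx.yml exposes; keep that directory free of anything beyond the error pages.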
|
|
@ -0,0 +1,37 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
{% for dname in nginx.redirect_dnames %}
|
||||
{% for site in nginx.reverseproxy_sites %}
|
||||
{% set from = site.from | regex_replace('crans.org', dname) %}
|
||||
{% set to = site.from %}
|
||||
{% if from != site.from %}
|
||||
# Redirect http://{{ from }} to http://{{ to }}
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name {{ from }};
|
||||
|
||||
location / {
|
||||
return 302 http://{{ to }}$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
# Redirect https://{{ from }} to https://{{ to }}
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ from }};
|
||||
|
||||
# SSL common conf
|
||||
include "/etc/nginx/snippets/options-ssl.conf";
|
||||
|
||||
location / {
|
||||
return 302 https://{{ to }}$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endfor %}
|
114
roles/nginx/templates/nginx/sites-available/service.j2
Normal file
114
roles/nginx/templates/nginx/sites-available/service.j2
Normal file
|
@ -0,0 +1,114 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
# Automatic Connection header for WebSocket support
|
||||
# See http://nginx.org/en/docs/http/websocket.html
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
{% for upstream in nginx.upstreams -%}
|
||||
upstream {{ upstream.name }} {
|
||||
# Path of the server
|
||||
server {{ upstream.server }};
|
||||
}
|
||||
{% endfor -%}
|
||||
|
||||
{% if nginx.default_ssl_server -%}
|
||||
# Redirect all services to the main site
|
||||
server {
|
||||
listen 443 default_server ssl;
|
||||
listen [::]:443 default_server ssl;
|
||||
include "/etc/nginx/snippets/options-ssl.conf";
|
||||
|
||||
server_name _;
|
||||
charset utf-8;
|
||||
|
||||
# Hide Nginx version
|
||||
server_tokens off;
|
||||
|
||||
location / {
|
||||
return 302 https://{{ nginx.default_ssl_server }}$request_uri;
|
||||
}
|
||||
}
|
||||
{% endif -%}
|
||||
|
||||
{% if nginx.default_server -%}
|
||||
# Redirect all services to the main site
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
server_name _;
|
||||
charset utf-8;
|
||||
|
||||
# Hide Nginx version
|
||||
server_tokens off;
|
||||
|
||||
location / {
|
||||
return 302 http://{{ nginx.default_server }}$request_uri;
|
||||
}
|
||||
}
|
||||
{% endif -%}
|
||||
|
||||
{% for server in nginx.servers %}
|
||||
{% if server.ssl is defined and server.ssl -%}
|
||||
# Redirect HTTP to HTTPS
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name {{ server.server_name|join(" ") }};
|
||||
charset utf-8;
|
||||
|
||||
# Hide Nginx version
|
||||
server_tokens off;
|
||||
|
||||
location / {
|
||||
return 302 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
{% endif -%}
|
||||
|
||||
server {
|
||||
{% if server.ssl is defined and server.ssl -%}
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
include "/etc/nginx/snippets/options-ssl.conf";
|
||||
{% else -%}
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
{% endif -%}
|
||||
|
||||
server_name {{ server.server_name|join(" ") }};
|
||||
charset utf-8;
|
||||
|
||||
# Hide Nginx version
|
||||
server_tokens off;
|
||||
|
||||
{% if server.root is defined -%}
|
||||
root {{ server.root }};
|
||||
{% endif -%}
|
||||
{% if server.index is defined -%}
|
||||
index {{ server.index|join(" ") }};
|
||||
{% endif -%}
|
||||
|
||||
{% if server.access_log is defined -%}
|
||||
access_log {{ server.access_log }};
|
||||
{% endif -%}
|
||||
{% if server.error_log is defined -%}
|
||||
error_log {{ server.error_log }};
|
||||
{% endif -%}
|
||||
|
||||
{% if server.locations is defined -%}
|
||||
|
||||
{% for location in server.locations -%}
|
||||
location {{ location.filter }} {
|
||||
{% for param in location.params -%}
|
||||
{{ param }};
|
||||
{% endfor -%}
|
||||
}
|
||||
{% endfor -%}
|
||||
{% endif -%}
|
||||
}
|
||||
{% endfor %}
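Review bot: `location {{ location.filter }} { {{ param }}; … }` splices `filter` and each `params` entry verbatim into the nginx config, so those host_vars are effectively nginx source; document that contract at the top of the template, e.g. `# location.filter and location.params are raw nginx syntax and are not escaped; keep them in trusted host_vars only`. The `default_server` 443 block omits `http2` while the redirect and reverseproxy templates use `listen 443 ssl http2;`; align them. `server_tokens off;` repeated in every server block would be simpler as one `http`-level directive in nginx.conf.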
|
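--- a/roles/nginx/templates/nginx/snippets/fastcgi.conf.j2
+++ b/roles/nginx/templates/nginx/snippets/fastcgi.conf.j2
@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+
+# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+fastcgi_split_path_info (^/[^/]*)(.*)$;
+
+# check that the PHP script exists before passing it
+try_files $fastcgi_script_name =404;
+
+# Bypass the fact that try_files resets $fastcgi_path_info
+# see: http://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;
+fastcgi_param PATH_INFO $path_info;
+
+# Let NGINX handle errors
+fastcgi_intercept_errors on;
+
+include /etc/nginx/fastcgi.conf;
+fastcgi_pass unix:/var/run/fcgiwrap.socket;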
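Review bot: Nothing in this snippet limits what fcgiwrap will execute: `try_files $fastcgi_script_name =404;` only checks that the file exists, so every existing file under the including location's root that matches that location is handed to fcgiwrap and run as a CGI. The split regex `(^/[^/]*)(.*)$` also treats only the first path segment as the script, which presumably assumes a location whose root points directly at the CGI directory — confirm against the sites that include it. I would state both constraints at the top of the file: `# Include only from a location restricted to the CGI directory: any matching, existing file is executed by fcgiwrap, and the script is always the first path segment`. The comment "check that the PHP script exists" is also misleading here since the backend is fcgiwrap, not php-fpm.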
@ -0,0 +1,19 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
proxy_redirect off;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
# Pass the real client IP
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
# Tell proxified server that we are HTTPS, fix Wordpress
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
|
||||
# WebSocket support
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
|
||||
# For Owncloud WebDav
|
||||
client_max_body_size 10G;
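Review bot: `proxy_set_header X-Forwarded-Proto https;` is hard-coded, but the nginx server template in this same change allows a vhost without `ssl` that listens on port 80 only, so a plain-HTTP site including this snippet would tell the backend it is HTTPS and an app like WordPress would then emit https URLs that do not exist; `proxy_set_header X-Forwarded-Proto $scheme;` reports the real scheme and still fixes the TLS case. `$connection_upgrade` also requires a `map $http_upgrade $connection_upgrade { ... }` in the http context, which is not part of this change — presumably it lives in the main nginx.conf template, otherwise `nginx -t` fails on every host that includes the snippet. `client_max_body_size 10G` applies to every proxied site, not only the ownCloud one the comment names; a per-site override via the site's custom args would keep the default bounded for the others.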
|
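--- a/roles/nginx/templates/nginx/snippets/options-ssl.conf.j2
+++ b/roles/nginx/templates/nginx/snippets/options-ssl.conf.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+ssl_certificate {{ nginx.ssl.cert }};
+ssl_certificate_key {{ nginx.ssl.cert_key }};
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+ssl_dhparam /etc/letsencrypt/dhparam;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# Enable OCSP Stapling, point to certificate chain
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+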
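Review bot: The snippet configures TLS but sends no `Strict-Transport-Security` header, so a client's first request on port 80 remains downgradeable even though it gets redirected; the Mozilla intermediate profile these settings appear to mirror pairs them with `add_header Strict-Transport-Security "max-age=63072000" always;`. Note that `add_header` in server context is discarded in any location that sets its own `add_header`, so it may belong next to the per-location headers rather than in this snippet. `ssl_dhparam /etc/letsencrypt/dhparam;` is the one hard-coded path while the certificates come from `nginx.ssl.*`; nothing in this change creates that file, so nginx refuses to start until it exists — worth a comment, or a `nginx.ssl.dhparam` variable like the others.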
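--- a/roles/nginx/templates/update-motd.d/05-service.j2
+++ b/roles/nginx/templates/update-motd.d/05-service.j2
@@ -0,0 +1,3 @@
+#!/usr/bin/tail +14
+# {{ ansible_managed }}
+[0m> [38;5;82mNGINX[0m a été déployé sur cette machine. Voir [38;5;6m/etc/nginx/[0m.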
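--- a/roles/nginx/templates/www/html/401.html.j2
+++ b/roles/nginx/templates/www/html/401.html.j2
@@ -0,0 +1,18 @@
+{{ ansible_header | comment('xml') }}
+
+<html>
+<head>
+<title>Accès refusé</title>
+<meta http-equiv="content-type" content="text/html; charset=UTF-8">
+</head>
+<body>
+<h1>Accès refusé</h1>
+<p>
+Pour éviter le scan des adresses de diffusions par un robot, cette page demande un identifiant et mot de passe.
+</p>
+<ul>
+<li>Identifiant : <em>Stop</em></li>
+<li>Mot de passe : <em>Spam</em></li>
+</ul>
+</body>
+</html>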
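Review bot: The page prints the Basic-auth credentials (`Stop` / `Spam`) in clear, which is fine for its stated purpose of keeping crawlers away from mailing-list addresses, but it makes that realm a deterrent rather than an access control. I would say so in the template header so nobody later reuses the same htpasswd file or realm for private content: `Anti-crawler gate only: the credentials are public by design; never protect anything sensitive with this realm.` The template also opens with the Ansible comment and a bare `<html>` with no `<!doctype html>`, unlike the 50x page added in the same change.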
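--- a/roles/nginx/templates/www/html/50x.html.j2
+++ b/roles/nginx/templates/www/html/50x.html.j2
@@ -0,0 +1,63 @@
+<!doctype html>
+<html lang="fr">
+<head>
+<meta charset="utf-8">
+<title>502</title>
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<style>
+* {
+line-height: 1.2;
+margin: 0;
+}
+
+html {
+color: #888;
+display: table;
+font-family: sans-serif;
+height: 100%;
+text-align: center;
+width: 100%;
+}
+
+body {
+display: table-cell;
+vertical-align: middle;
+margin: 2em auto;
+}
+
+a {
+color: #888;
+text-decoration: underline dotted;
+}
+
+h1 {
+color: #555;
+font-size: 2em;
+font-weight: 400;
+}
+
+p {
+margin: 1em auto;
+max-width: 480px;
+}
+
+@media only screen and (max-width: 280px) {
+body, p {
+width: 95%;
+}
+
+h1 {
+font-size: 1.5em;
+margin: 0 0 0.3em;
+}
+}
+</style>
+</head>
+<body>
+<h1>502</h1>
+<p>Whoops, le service prend trop de temps à répondre…</p>
+<p>Essayez de rafraîchir la page. Si le problème persiste, pensez
+à contacter <a href="mailto:{{ nginx.contact }}">{{ nginx.who }}</a>.</p>
+</body>
+</html>
+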
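Review bot: The file is named `50x.html` but its title, heading and message are hard-coded to 502 / "takes too long to answer", so if it is wired through an `error_page 500 502 503 504` directive (not visible in this change) a 500 or 503 is reported to users as a 502 timeout. Either rename it `502.html` or make the text generic, e.g. `<h1>Service indisponible</h1>` and `<p>Whoops, le service ne répond pas correctement…</p>`. `{{ nginx.contact }}` and `{{ nginx.who }}` are interpolated unescaped into an `href` and a text node; the values come from inventory so this is not an injection, but `{{ nginx.contact | e }}` costs nothing and keeps the template safe if the variable is ever sourced elsewhere.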
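--- a/roles/nginx/templates/www/html/robots.txt.j2
+++ b/roles/nginx/templates/www/html/robots.txt.j2
@@ -0,0 +1,4 @@
+{{ ansible_header | comment }}
+
+User-agent: *
+Disallow: /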
@ -9,7 +9,7 @@ server {
|
|||
server_name {{ site.from }};
|
||||
|
||||
location / {
|
||||
return 302 http://{{ site.to }}$request_uri;
|
||||
return 302 http://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %};
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -24,7 +24,7 @@ server {
|
|||
include "/etc/nginx/snippets/options-ssl.conf";
|
||||
|
||||
location / {
|
||||
return 302 https://{{ site.to }}$request_uri;
|
||||
return 302 https://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %};
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -43,7 +43,7 @@ server {
|
|||
server_name {{ from }};
|
||||
|
||||
location / {
|
||||
return 302 http://{{ site.to }}$request_uri;
|
||||
return 302 http://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %};
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -58,7 +58,7 @@ server {
|
|||
include "/etc/nginx/snippets/options-ssl.conf";
|
||||
|
||||
location / {
|
||||
return 302 https://{{ site.to }}$request_uri;
|
||||
return 302 https://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %};
|
||||
}
|
||||
}
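Review bot: `{% if site.norequesturi is not defined %}` tests presence, not truth, so a site that sets `norequesturi: false` to document the default still loses `$request_uri` in the redirect; `{% if not (site.norequesturi | default(false)) %}$request_uri{% endif %}` keeps today's behaviour for sites that omit the key and honours an explicit `false`. The same expression is repeated in all four server blocks of this file, so the fix applies to each. The enclosing server blocks start outside the hunks.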
|
||||
|
||||
|
|
|
@ -47,6 +47,12 @@ server {
|
|||
set_real_ip_from 2a0c:700:0:2::/64;
|
||||
real_ip_header P-Real-Ip;
|
||||
|
||||
{% if site.custom_args is defined -%}
|
||||
{% for arg in site.custom_args %}
|
||||
{{ arg }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
location / {
|
||||
proxy_pass http://{{ site.to }};
|
||||
include "/etc/nginx/snippets/options-proxypass.conf";
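Review bot: `{{ arg }};` renders each `site.custom_args` entry verbatim in server context, ahead of `location /`, so any nginx directive coming from inventory is accepted unchanged — including ones that would widen the `set_real_ip_from` trust declared just above. That is acceptable if `custom_args` only ever comes from reviewed group_vars, but it is worth saying where the loop is: `# custom_args are raw nginx directives inserted in server context; keep them in reviewed group_vars only`. The `{% endfor %}` / `{% endif %}` without the `-` trim also leave blank lines in the rendered config where the opening `{% if ... -%}` trims them; harmless, but inconsistent with the rest of the role.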
|
||||
|
|
|
@ -55,6 +55,14 @@
|
|||
content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}"
|
||||
dest: /etc/prometheus/targets_unifi_snmp.json
|
||||
mode: 0644
|
||||
when: prometheus_unifi_snmp_targets is defined
|
||||
|
||||
- name: Configure Prometheus UPS SNMP devices
|
||||
copy:
|
||||
content: "{{ [{'targets': prometheus_ups_snmp_targets }] | to_nice_json }}\n"
|
||||
dest: /etc/prometheus/targets_ups_snmp.json
|
||||
mode: 0644
|
||||
when: prometheus_ups_snmp_targets is defined
|
||||
|
||||
- name: Activate prometheus service
|
||||
systemd:
|
||||
|
|
|
@ -22,7 +22,7 @@ groups:
|
|||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "Mémoire libre de {{ $labels.instance }} à {{ $value }}%."
|
||||
summary: "Mémoire libre de {{ $labels.instance }} à {{ $value | printf "%.2f" }}%."
|
||||
|
||||
# Alert for out of disk space
|
||||
- alert: OutOfDiskSpace
|
||||
|
@ -31,7 +31,7 @@ groups:
|
|||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.instance }} à {{ $value }}%."
|
||||
summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.instance }} à {{ $value | printf "%.2f" }}%."
|
||||
|
||||
# Alert for out of inode space on disk
|
||||
- alert: OutOfInodes
|
||||
|
@ -49,7 +49,7 @@ groups:
|
|||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "CPU sur {{ $labels.instance }} à {{ $value }}%."
|
||||
summary: "CPU sur {{ $labels.instance }} à {{ $value | printf "%.2f" }}%."
|
||||
|
||||
# Check systemd unit (> buster)
|
||||
- alert: SystemdServiceFailed
|
||||
|
@ -59,4 +59,71 @@ groups:
|
|||
severity: warning
|
||||
annotations:
|
||||
summary: "{{ $labels.name }} a échoué sur {{ $labels.instance }}"
|
||||
|
||||
# Check UPS
|
||||
- alert: UpsOutputSourceChanged
|
||||
expr: upsOutputSource != 3
|
||||
for: 5m
|
||||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "La source d'alimentation de {{ $labels.instance }} a changé !"
|
||||
|
||||
- alert: UpsBatteryStatusWarning
|
||||
expr: upsBatteryStatus == 3
|
||||
for: 5m
|
||||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "L'état de la batterie de {{ $labels.instance }} est faible !"
|
||||
|
||||
- alert: UpsBatteryStatusCritical
|
||||
expr: upsBatteryStatus == 4
|
||||
for: 5m
|
||||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "L'état de la batterie de {{ $labels.instance }} est affaibli !"
|
||||
|
||||
- alert: UpsHighLoad
|
||||
expr: upsOutputPercentLoad > 70
|
||||
for: 5m
|
||||
labels:
|
||||
severity: critical
|
||||
annotations:
|
||||
summary: "La charge de {{ $labels.instance }} est de {{ $value }}% !"
|
||||
|
||||
- alert: UpsWrongInputVoltage
|
||||
expr: (upsInputVoltage < 210) or (upsInputVoltage > 250)
|
||||
for: 5m
|
||||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "La tension d'entrée de {{ $labels.instance }} est de {{ $value }}V."
|
||||
|
||||
- alert: UpsWrongOutputVoltage
|
||||
expr: (upsOutputVoltage < 220) or (upsOutputVoltage > 240)
|
||||
for: 5m
|
||||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "La tension de sortie de {{ $labels.instance }} est de {{ $value }}V."
|
||||
|
||||
- alert: UpsTimeRemainingWarning
|
||||
expr: upsEstimatedMinutesRemaining < 15
|
||||
for: 5m
|
||||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
summary: "L'autonomie restante sur {{ $labels.instance }} est de {{ $value }} min."
|
||||
|
||||
- alert: UpsTimeRemainingCritical
|
||||
expr: upsEstimatedMinutesRemaining < 5
|
||||
for: 5m
|
||||
labels:
|
||||
severity: critical
|
||||
annotations:
|
||||
summary: "L'autonomie restante sur {{ $labels.instance }} est de {{ $value }} min."
|
||||
|
||||
|
||||
{% endraw %}
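Review bot: `UpsTimeRemainingCritical` only fires after `upsEstimatedMinutesRemaining < 5` has held for `for: 5m`, i.e. at roughly the moment the estimate says the battery is gone; `for: 0m` (or `1m`) is the useful value for this rule, the 5-minute debounce is fine for the warning at 15 minutes. `UpsBatteryStatusCritical` is labelled `severity: warning` despite its name; if status 4 is batteryDepleted as in the UPS-MIB (RFC 1628) — the MIB is not quoted in this change — `severity: critical` is the level the other critical UPS rule uses. The summaries for status 3 and 4 ("faible" / "affaibli") read as the same level; "épuisée" for 4 would tell the on-call person which one fired.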
|
||||
|
|
|
@ -65,3 +65,19 @@ scrape_configs:
|
|||
scheme: https
|
||||
static_configs:
|
||||
- targets: []
|
||||
|
||||
- job_name: ups_snmp
|
||||
file_sd_configs:
|
||||
- files:
|
||||
- '/etc/prometheus/targets_ups_snmp.json'
|
||||
metrics_path: /snmp
|
||||
params:
|
||||
module: [eatonups]
|
||||
relabel_configs:
|
||||
- source_labels: [__address__]
|
||||
target_label: __param_target
|
||||
- source_labels: [__param_target]
|
||||
target_label: instance
|
||||
- target_label: __address__
|
||||
replacement: 127.0.0.1:9116
|
||||
|
||||
|
|
|
@ -6,6 +6,78 @@
|
|||
# - Optimiser les règles pour les bornes Unifi,
|
||||
# on pourrait indexer avec les SSID
|
||||
|
||||
eatonups:
|
||||
walk:
|
||||
- 1.3.6.1.2.1.33.1.2
|
||||
- 1.3.6.1.2.1.33.1.3
|
||||
- 1.3.6.1.2.1.33.1.4
|
||||
- 1.3.6.1.4.1.534.1.6
|
||||
get:
|
||||
- 1.3.6.1.2.1.1.3.0
|
||||
metrics:
|
||||
- name: sysUpTime
|
||||
oid: 1.3.6.1.2.1.1.3
|
||||
type: gauge
|
||||
help: The time (in hundredths of a second) since the network management portion
|
||||
of the system was last re-initialized. - 1.3.6.1.2.1.1.3
|
||||
- name: upsBatteryStatus
|
||||
oid: 1.3.6.1.2.1.33.1.2.1
|
||||
type: gauge
|
||||
help: The indication of the capacity remaining in the UPS system's batteries -
|
||||
1.3.6.1.2.1.33.1.2.1
|
||||
- name: upsEstimatedMinutesRemaining
|
||||
oid: 1.3.6.1.2.1.33.1.2.3
|
||||
type: gauge
|
||||
help: An estimate of the time to battery charge depletion under the present load
|
||||
conditions if the utility power is off and remains off, or if it were to be
|
||||
lost and remain off. - 1.3.6.1.2.1.33.1.2.3
|
||||
- name: upsInputVoltage
|
||||
oid: 1.3.6.1.2.1.33.1.3.3.1.3
|
||||
type: gauge
|
||||
help: The magnitude of the present input voltage. - 1.3.6.1.2.1.33.1.3.3.1.3
|
||||
indexes:
|
||||
- labelname: upsInputLineIndex
|
||||
type: gauge
|
||||
- name: upsOutputSource
|
||||
oid: 1.3.6.1.2.1.33.1.4.1
|
||||
type: gauge
|
||||
help: The present source of output power - 1.3.6.1.2.1.33.1.4.1
|
||||
- name: upsOutputVoltage
|
||||
oid: 1.3.6.1.2.1.33.1.4.4.1.2
|
||||
type: gauge
|
||||
help: The present output voltage. - 1.3.6.1.2.1.33.1.4.4.1.2
|
||||
indexes:
|
||||
- labelname: upsOutputLineIndex
|
||||
type: gauge
|
||||
- name: upsOutputPower
|
||||
oid: 1.3.6.1.2.1.33.1.4.4.1.4
|
||||
type: gauge
|
||||
help: The present output true power. - 1.3.6.1.2.1.33.1.4.4.1.4
|
||||
indexes:
|
||||
- labelname: upsOutputLineIndex
|
||||
type: gauge
|
||||
- name: upsOutputPercentLoad
|
||||
oid: 1.3.6.1.2.1.33.1.4.4.1.5
|
||||
type: gauge
|
||||
help: The percentage of the UPS power capacity presently being used on this output
|
||||
line, i.e., the greater of the percent load of true power capacity and the percent
|
||||
load of VA. - 1.3.6.1.2.1.33.1.4.4.1.5
|
||||
indexes:
|
||||
- labelname: upsOutputLineIndex
|
||||
type: gauge
|
||||
- name: xupsEnvRemoteTemp
|
||||
oid: 1.3.6.1.4.1.534.1.6.5
|
||||
type: gauge
|
||||
help: The reading of an EMP's temperature sensor. - 1.3.6.1.4.1.534.1.6.5
|
||||
- name: xupsEnvRemoteHumidity
|
||||
oid: 1.3.6.1.4.1.534.1.6.6
|
||||
type: gauge
|
||||
help: The reading of an EMP's humidity sensor. - 1.3.6.1.4.1.534.1.6.6
|
||||
version: 1
|
||||
auth:
|
||||
community: public
|
||||
|
||||
|
||||
procurve_switch:
|
||||
walk:
|
||||
- 1.3.6.1.2.1.31.1.1.1.10
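Review bot: The new `eatonups` module uses `version: 1` with `community: public`, i.e. SNMPv1 with the vendor default community in cleartext; anyone on the path between the exporter and the UPS card can read the same OIDs, and if the card grants write access on that community, change them. Prefer SNMPv3 — `version: 3`, `security_level: authPriv`, with `username`, `password` and `priv_password` pulled from the vault — or at least a non-default community stored in the vault instead of in this template. Whether the Eaton card supports v3 is not visible here and has to be checked against the model in use.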
|
||||
|
|
|
@ -30,11 +30,19 @@
|
|||
mode: 0644
|
||||
when: "'routeur-aurore' in ansible_hostname"
|
||||
|
||||
- name: Install ipset
|
||||
apt:
|
||||
name: ipset
|
||||
update_cache: true
|
||||
register: apt_result
|
||||
retries: 3
|
||||
until: apt_result is succeeded
|
||||
|
||||
- name: Install aurore-firewall (re2o-service)
|
||||
import_role:
|
||||
name: re2o-service
|
||||
vars:
|
||||
service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git
|
||||
service_repo: https://gitea.auro.re/Aurore/aurore-firewall.git
|
||||
service_name: aurore-firewall
|
||||
service_version: aurore
|
||||
service_config:
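Review bot: `service_version: aurore` pins the firewall code to a branch, so every run of this role installs whatever currently sits on `aurore` in the new Gitea remote; for the component that decides which traffic leaves the network, a tag or commit hash is the supply-chain control I would want — presumably `re2o-service` accepts one, but its interface is outside this change. The move from gitlab.federez.net to gitea.auro.re stays on HTTPS, which is good. The `ipset` install with `retries: 3` / `until: apt_result is succeeded` is fine as written.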
|
||||
|
|
|
@ -31,7 +31,7 @@ role = ['routeur']
|
|||
### Specify each interface role
|
||||
|
||||
interfaces_type = {
|
||||
'routable' : ['ens20', 'ens21'],
|
||||
'routable' : ['ens20', 'ens21', 'ens23'],
|
||||
'sortie' : ['ens19'],
|
||||
'admin' : ['ens18']
|
||||
}
|
||||
|
@ -57,9 +57,53 @@ nat = [
|
|||
},
|
||||
'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',
|
||||
'extra_nat' : {
|
||||
'ens19': {
|
||||
'10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{
|
||||
apartment_block_id }}',
|
||||
'10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}'
|
||||
'10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}',
|
||||
},
|
||||
}
|
||||
},
|
||||
{
|
||||
'name': 'Accueil',
|
||||
'ip_sources': '10.{{ subnet_ids.users_accueil }}.0.0/16',
|
||||
'extra_nat': {
|
||||
'ens19': {
|
||||
'10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{ apartment_block_id }}',
|
||||
'10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}',
|
||||
},
|
||||
'ens23' : {
|
||||
'10.{{ subnet_ids.users_accueil }}.1.0/24': '10.{{ subnet_ids.users_accueil }}.0.240',
|
||||
'10.{{ subnet_ids.users_accueil }}.2.0/24': '10.{{ subnet_ids.users_accueil }}.0.240',
|
||||
},
|
||||
},
|
||||
'extra_nat_group': {
|
||||
'ens19': 'accueil_ens23_allowed',
|
||||
},
|
||||
},
|
||||
]
|
||||
|
||||
# ATTENTION: on doit avoir retry ≥ grace
|
||||
# ATTENTION: il faut que ip_redirect gère tous les ports
|
||||
# autorisés dans le profile re2o, sinon on laisse sortir
|
||||
# du trafic
|
||||
accueils = [
|
||||
{
|
||||
'iface': 'ens23',
|
||||
'grace_period': 1800,
|
||||
'retry_period': 86400,
|
||||
'ip_sources': [
|
||||
'10.{{ subnet_ids.users_accueil }}.1.0/24',
|
||||
'10.{{ subnet_ids.users_accueil }}.2.0/24',
|
||||
],
|
||||
'ip_redirect': {
|
||||
"tcp": {
|
||||
"10.{{ subnet_ids.users_accueil }}.0.247": ["80", "443"],
|
||||
}
|
||||
},
|
||||
'triggers': [
|
||||
('4', 'tcp', '46.255.53.35', 443), # ComNPay
|
||||
('4', 'tcp', '46.255.53.35', 80),
|
||||
]
|
||||
}
|
||||
]
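Review bot: The captive-portal bypass depends on `('4', 'tcp', '46.255.53.35', 443)`, a hard-coded third-party (ComNPay) address; if the provider moves, pre-authentication clients lose payment and the trigger silently never fires. Putting the address in group_vars with a comment on where it comes from, and an alert when it stops answering, would make that failure visible. The warning comment above already says `ip_redirect` must cover every port allowed by the re2o profile; only tcp 80/443 are redirected here, so DNS for the accueil clients presumably comes from the unbound change in this same commit — confirm no other port is reachable from those subnets before authentication.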
|
||||
|
|
|
@ -41,9 +41,11 @@ nat = [
|
|||
{
|
||||
'name' : 'AdminVlans',
|
||||
'extra_nat' : {
|
||||
'ens18': {
|
||||
'10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}',
|
||||
'10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
|
||||
'10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}'
|
||||
'10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
|
||||
},
|
||||
}
|
||||
}
|
||||
]
|
||||
|
|
|
@ -50,6 +50,9 @@ vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 {
|
|||
|
||||
# Wifi
|
||||
10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
|
||||
|
||||
# Accueil
|
||||
10.{{ subnet_ids.users_accueil }}.0.254/16 brd 10.{{ subnet_ids.users_accueil }}.255.255 dev ens23 scope global
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -23,12 +23,14 @@ server:
|
|||
interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
|
||||
interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
|
||||
interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
|
||||
interface: 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix }}
|
||||
|
||||
|
||||
# IPv6
|
||||
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }}
|
||||
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }}
|
||||
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }}
|
||||
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_accueil }}::0:{{ dns_host_suffix }}
|
||||
|
||||
|
||||
# By default, anything other than localhost is refused.
|
||||
|
@ -36,12 +38,11 @@ server:
|
|||
access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
|
||||
access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
|
||||
access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
|
||||
access-control: 10.{{ subnet_ids.users_accueil }}.0.0/16 allow
|
||||
access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :)
|
||||
|
||||
num-threads: {{ ansible_processor_vcpus }}
|
||||
|
||||
private-address: 10.0.0.0/8
|
||||
|
||||
# The host cache TTL affects blacklisting of supposedly bogus hosts.
|
||||
# The default was 900 (15 minutes).
|
||||
infra-host-ttl: 60
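Review bot: Allowing `10.{{ subnet_ids.users_accueil }}.0.0/16` in `access-control` gives unauthenticated (pre-portal) clients a full recursive resolver, which the captive portal needs but which is also the classic DNS-tunnelling path around exactly that portal. Unbound can at least bound the abuse with `ratelimit: 1000` and `ip-ratelimit: 100`, and the accueil firewall rules should only admit port 53 towards this listener. Whether the re2o profile already restricts that is not visible in this change.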
|
||||
|
|
|
@ -15,3 +15,11 @@
|
|||
roles:
|
||||
- certbot
|
||||
- nginx_reverseproxy
|
||||
|
||||
- hosts: portail.adm.auro.re
|
||||
vars:
|
||||
certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
|
||||
nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
|
||||
roles:
|
||||
- certbot
|
||||
- nginx
|
||||
|
|
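--- a/test.sh
+++ b/test.sh
@@ -1,5 +0,0 @@
-#!/bin/bash
-for ip in `cat hosts|grep pacaterie.adm.auro.re`; do
-ssh-copy-id $ip
-done
-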