WIP: Setup of a mail server #9

Draft
otthorn wants to merge 151 commits from mailserver into master
50 changed files with 1397 additions and 247 deletions
Showing only changes of commit a2cbf4a487 - Show all commits


@ -10,3 +10,8 @@
- hosts: all,!unifi
roles:
- ldap_client
# Install logrotate
- hosts: all,!unifi,!pve
roles:
- logrotate


@ -1,177 +1,176 @@
$ANSIBLE_VAULT;1.1;AES256
36346437356466383866303739373662633734346565653834343433386132346365313265633338
6364643437383865653735303532333936653135363535300a343062393966636566323963316664
30613136613730623338313565663336633361373136306437633865353838316361613237346634
3563623366353332650a633564366135323935303636643061303839636535306334376639663463
61363739366566303561353030316431333830313736353237633966393235626665666435313537
62323737333564313734366133363739656266323138386339383538333638356235656634303163
31343464393863666536636564626136383865343938393061353962653936626235373365313831
33363030643430623138643639383862613662303864306361303839313361663737323432336130
63613362326664373563646332303563363931303635356132616433643537623562366534396532
34633161303965643762313932643330366166653238666234613337353234656235623336396334
36663133353933636432346435363738653533306536663836396533623735646433363761356366
35316133363039656363623332613939333463646365353434313664633730666463386165613431
63313337643134366435656564643862313265326561623533323362343238356666333236373236
35383362316637626164663330356332653832366235303935363261643637383963386631616637
39316437363235623232653963376264646330333664663262626334393436623966356236303137
31636133366232643234363538653963646365373266373262373732653832303839326662346236
65393262353663626161346263396335333238393831626362393561346431343662376561616633
64666264306536396231376133323036303337333635643634656139333865616336643939346562
39643164643031613534323230653535393735306161663465353533323362326566643736373363
39303465346533333636663434396239333761326538636462373731323131346335656330636636
31666434323336373762633130343630633434373336376336646638313734626161393961306664
36373939643633636261353737343262653438356138323864313166316630376634386335313139
34376330313763666338316230646137373937616230316137626538323238383964363662326534
35633564623762623439613533363361396335313330333733306437333131323233303363333830
30306436383666346136383531643362326166643032653966616164633338353531396461343535
31353366383263626664376135333739643463386135306335653232643964346533393733363061
38383332363962663736643265366331653139313839323633656339616637303439623962343864
33643339353964633439336532343835313334316261623439383266383465613238343435653065
63653763643061653966323831383239326535383439383663666336303036633762356330636535
38646237326562343937633164643732326633613737313262336633363465323238666463396439
34303966633132663935666138656463313233333339313835386230373437666561633861626136
64643230333838333831353734393837363564616163343534313334383237386332373365643231
66333163303230626564336331643934383332336464303630636633326633346439313739656234
62626564316530623332383038383130386562643338613761646639363732666566643363396631
34346539666662656261663534323933366131393336373166363565373234333938343435386634
65306131646665393036333834386233326438343163386665396138356239393339346164373132
39343230646536323034343539386566623233373565633833373235373135366530336162363561
62626665303430346461383663393534333664323037616639313238303232363335303462643939
31643564643838306661656562623764356639613035373962633035343061643661636564626537
35336538356131303839363065643561663563363938386634613639633962343364663832313061
36383565316230643363383537336436323833343838333432313632396230343232653165356339
66663563343431333739653231346436313531646233313237333237323864336265386263626633
62623862656232336135363334623134623136316537316631316462303239626431376364323339
39626662636239343835376131346536636566323836393733656330346464363431666639653932
61636363326362633234386265613531323866373238366531633834363562623134656239373134
33343131333766653362653239343137353135373334613739346237383531663736663465386435
38633138643434393434383334313639343730616333373734393331653665373765396361623963
61306165303933636664333334666161616433326436346438663232323735316366353833613763
39396666306361386539303762343062333632663763613930663830666265306531643562386433
36366237333931343664323265376130363535646533656436353066333865656261396636663235
65376264383131353630303265313836363662346566316335356465353461623239376631643639
38663835646433626237663634663961356337613362636638306139363035656461656462326637
38353061353338393631376536393164353461623638623139316363623661353736336331313465
61313732316535323439376438306135333538623163386535653239306261346463663537353437
66363366376664336262363263353637613236333337383834633338666362393439373634353865
33323631313436653639393061333334643361656531316639393464373133383936333138663163
30353665363532376664373132333333643038303863643765343033306335646564313637383363
34643165383438343933613061303437626663653034646637643764336434353438346163336161
36393838613635363934376663306433373564653436386266643565396465326338303762343365
37366238356430376136616634316431396330343862613336663761623335643761393732643566
39376335396466373464623063333639653338663033363362376339303431376166316564333764
37356433663436656163353965643465343738363062616337333434366261613966336439343736
32636233323037393064366437386630633230663534646133613264636237356465613436363738
66316439363339316137366164303230366563376233626630633936313665363764396530323637
31616365313935343832393436396661326335386531303230643933663839613933363733356663
34313837326639636366623132306162343936376335366534363230313334333661333730343565
35643836356361633263343639343233656530373636316161373233373134646137633437346432
37643539633432623364333962633861316238386437326632306339356135633836303932336365
32656634386632323633326133343134326431333632396163623530323033323839616462306134
32636165383061386130303236303865383234646332643964353835633465313465393765353663
30323437346632356261396666393534616464363732633164653863666437353239343338623831
63396163373865323938383436323839353937623036316631363237393333333862623438623130
33616265386138303862333034346631376166386235373339306263323862323464653830306436
31386666613463326131303934316536393336633834313033336365656565653437353261663837
65366536623832396636313361343465613037303261313532313364636165663361396431663532
32356233613734656166373739386435303131356166306636313538623737323835373661633865
65393536633766636661613737616331366161383364373033393238656363383932336163396463
61653766316461303166326238333465333635366334383131653336333935313737666135663065
30626231336161396430616533383231393863303463373063663262376162613963356437343236
31396165376635326263313666316535343033336366306339303466663035393236653338646232
64353936336339613036633536366265373436653630313833376261663361353530626336363834
63333635383666343039623235343832373762626366643165343230643435326238316636333132
31333662373666663833393139343232383534313936623039303832383632363238396435353830
62663936386630616139306461656239643938363763313634343132333931346335616331663633
62633362613132396261383431343835396439376331343833393431363631653466363132316131
66613933383265303739326331333862633933346162386637613136326639623764353531313066
34386230623435666134643064636137303232386465646636343039393536373534663966393734
37306337316436333633626137613936646562306634636263313531376233343763323739373265
37633939343139393634323635303536313539323336343134343637343664396165323436353666
39303637646462376332626136326136333264393433623337346161613938313566303162646334
65633863343862633562623534386239653139386635623862346331316139353539626131623333
62623264313832303433383034653161313732316636633533633833363665646134653234333037
66383433653930326335396633366366633837366238626238646638653863653936383437393063
66313338393837363964616466643438353665666331633164353737656535623066633466336539
64633632343638396539366231353631383333656266653732616661613935633037363738646561
38646530323462376263613038333631623132333637656664623663386635393062323765646333
36383435663562373664303032353939623762613762346133393862353661336230366630626430
66613233633036626564633636323962326361353961356561653264396635393861386335663662
35643038623633636331643738316532666331653133643763336363643531636234393538323637
30343164366138396535383335333464363161616665336166313266343633613835346161396432
35383832386135613038323232376461636432653237333230343835613561653038353930353265
65383839313366633537343031396562653630313964636339336361353838303431633139333734
37366361306338393862616133633939326238393230306432316138393230353338393732303932
37646464326531663035373562306464653837366266663437636663666639636133306438353063
33623366623036363265303865356564346139646535306137653865353134373566616336353562
62396661353166356535613962636337666536623562346335356133636336663232656237373537
62376361626432373232343237633730613738613233316334643431393131373539386236376434
30653766616261653162643236343930616535393166653563373637343963656465306139346138
32323935643635666239643130623034663937633834393539376261326463616237656431653138
61303630366337376531393135353662656661393038356137333632336264386533393466313561
39373962333932373539346231653862643666373034623037376563333536323633396339316630
66333864353664376433366132363636653832383130336466313264376539663530356330353636
61653261396663616334663261623766303364376466383236666336383331346534633930613832
39393136303936356365666535363331386437656532383565333361316161353064303032616531
61373264623338376663643539306631356161623333336263646166656239613134366230303332
33343866303265366535326130306634613132353361663366323130303162316135306466306636
36653536373665643638373165343266303136653035626530386365623630336364653462396237
63376162656638633430353538303137653931656166656531663438353139333737653861613037
38666434363231333237323935326462656663356330313338356466366664346635313436323635
33386538306537306639343830646136613966366636613639646561393866663230653663613666
65633265343664336538316466353832366262623939646532646233626633346463346230656235
36326166303839363261353965626261376636663939323334316233643835643831366631316333
34393133396130653566366166333632643534613034623536313261363039626636643662313863
38383266373866396338313334373664623665386338653230633638353530346335316163316636
64343962313331623638666166613630313963353462383463393034376264393938313262323933
30613633613339313534363534396534343638383962326437363166373039363933613930346633
64386262326636316535363431336431306536303131313861336364343132663437633166613537
39313662323338663433333565633266303766636436356536663337353732383039323536313437
63376365353339653230613838636233346439333635643765666261313438316238376236393137
31353265343265303862653866393237336166376630336162393835393362356634653433356261
61343763313666353334666130393338383630383431313238353338383635393535386263653336
35306565346638636264636436373235366239653738346239663365353065646536383261356436
38303832316166326633313738326636633430346462303237313261333264396532363764336630
35323639373334653562666264366639353431303635616330313462353761333830393466363630
33333337653934623836656565373237303139643138313031383737626133303638393639353735
31373037313764373237333838386637353636623931623135353432666236353537363330386431
30643332343538303437303830323333383565653836643939383838323936643136333166383463
37633863363439393238373166333831616530323164666230626664303233616131316432626262
66633362393562623265323330333939666361353562373364376666626166326437356564336662
61626165353861636266643838626563653631396638633336376537376536643335633434366536
34336139626632333330383761656632653630343633633635623561633563643231663939306538
61653737336463353438373563393335636433363835643162373061343664383736336336623439
32323262313966376162623463623365323063663030373566633532363062323966663864396331
66656636663665663338316466336638356135353461326561656262343431363337386330323330
66386338343266333134386536376362626666336531373464376365633064316238396331323030
39653363626636303230666264323364663938353633336631383133396138653139353230643865
36353261363362343563613864303536353662373361343231396631613561313639653632663935
63616262636231363331313832623632306237323362636361656138646137623137353035663032
61376134613562356533616432323734396534373732616434393736333661333430333732303365
34646135326130313761643862333630663534303739353932663337613865333839303835383138
36663238383532656638643631643862383366383830653830303862663538613033333064383838
33623338613038343939323032333333323938396561656539333561303463643366326162313832
36333063343961353937323162323031376561393563313833346632646566326139366564383234
64613330363239333663393535353038656635656536343364663365386437363330306431653366
64366162303537313936356338366333343933386431346365663531613438383834623363343037
64626633373065326362663666643764353433336365623365316530613238323639666261663134
62663239393866663363623963653732336263313466663361623430626136313539316338663730
39396536643536643762373431666132626562396166633661396365396634623837373966373465
36363163303135616631343736336336383339313533333866363032386530323466653433343633
31366466313334656334386162623061303933373031336131383661633963633235646337303764
30633162326163353231323838616432626264363363393538353037666164343735616438336335
66386137633237303135383535333834646334346364626266336461663466383537666366653431
64303564636365393065303564653538643038643436666535343934343437626131653034623265
33616562323462633431383632646237383962376433393561613462376264653666653936613462
32346436376663303331623661626265613838363731386363343731323434636461323964346439
61313163643033666661353266623561366265623361373632636632306338633334333930366638
33373330323663346636303333366464383164666131336636366433643365613661353133653765
33393631623037346663376637383934326632396636386330363531323231323236346465323264
36323636643736373230636364323339653562636536373763306439653134373036393366323961
38343232613135653335396362396534656235383462663439646237376165303734643836656131
61333336366537616231326364336266373766626337356565656461386531626132623539646335
39316333616233356238366630353533326236636466626363393236383666343065623964313965
61303530643339653363646364383666323538383130623930336338616665316561623963666264
64366465333965363765313231353436363833383931346637666337336162643664353739646430
39386435623334333963333938333931326238626162613864363438666161313733303133623334
66393061653037316639
66303361306465306436306562636265303832353830313933363965316261376162313738653737
3334363661316563633238316632336463323737633066610a306236343636656261623835343466
39386437363564623661333465386338613632316563373164363839623138336165343834313237
6433343439383431360a633139363034623861396633316632336131333137626239646639326131
65613236363733346330636565303039613737366263356230313734383033383435343433386536
30653263396339656337626239303662326134373231303364613066656339376662643934323466
30643261393463373063623865343537653862353766323538613731353534363639616438313663
66366133643462333935636231636638326364636334613430333062616264663961326362613466
66313730363933653631646638616166343030626465336361313239323731356534313963613530
65383735626234663261393834313232626239666135313566353839616162323732323265633031
62393862663438313237663335396332613661313864303630653533343362333834356262363465
30666232356539386437353438643038333766363362653432366263616338393066363532633064
63646561653264393162303430346662623536363364383862366264393532613461303935653261
39376462623561626336306435323934323130613031623865656432626233616563393365343036
37643463666436386230653339613463633133333661356564646234653632313931333765383666
39646331383939343663306634393531646265363531326636326636616632643437343566656464
64643638616264376130656637386134396161306636333064633731646234396566303934626332
66393466626137336265653933346362396639383064393663613866333337653166343262646536
61333864373737333133626438646538353338663531323961666335333166613363653230643139
38616462306461356135306164376332313538613465316563663566373533396635346635646134
31386661306533383130633130346539303666316663333762383131623535343038613963353336
32336135366435643463613962383833666130363765326631613963363266626633643966663063
33363235353765623961346331393963653130663434356234336538626438616334613761636161
32346234643531396530653636626531653033393863383963663938646135616238393861373738
30346664646465666666333165336636616265303265393236626534343163353633643737366264
63303937306637643033663333353633346166636361323538393063353438353135303665616663
34613230383836343861613661356162363831623363633435646234353839663530363936356238
63383038616631666633653032613435316265626137643730666539393561373264613663656464
30613033373435313036633938353461623335396264313236623065323339623537613164316366
33356432646438636530353230333762346165336661393038666138356561333363613563656665
34306136393233346532303461393736636561316231626231643633333938656435663638306261
33393064333662336466313461363638393339373637303735663736353537363364663235363263
36623663636235363332616433626266653330393633326339376562636165323539313532363535
64386136393631656665343337333738653664613966363361313931313763323563383265623935
31643532346363656462646436343761353938626661383336636436373233343530353130626463
36346330626432376338306339396563316233313836383863303232396439336436363833383063
39663864306533376630623334386336663237666635336661383630616139633736393835666534
61393036363763336632623236383236383639373662393761313834653833316332373733653830
62616563386435396433653930653637643031636462633336663033306531356239346564663564
30636462343263643236316635346163373765393262623365353933313065333532353562333932
62656234656363306266386135313466376665663166623038616637663333353731313564356434
61343235613639386364663533376362613364653562613431393862656265313432623532343965
65326362323534346535326331613262653130623336653231323564376534336261643538333434
31333830653933633562626364363364386630343364376337613436663030333865323433316163
33356438366161626666653731386438643064656538373036393532396432396138353564313833
34643231366439656439336534323039616364396137653661373761343635663366363134623032
62313734313061353065613561613337373338623732326362363436616134343864643439363631
38346339383864373635383462326466303635383661633665663362646165663934336632633838
64373332356664663663613735663163336465353030383365346661326634373832656137393061
34626363383964646439356338343439343336626237626366383663386161663037343339383066
30356332623337626437313235623161373937663532613238353333326265663937653034616135
64663731653965613933636561313730623030656666656232396433646563623137643661643132
30383439343764396137313231353161323835393934373561623666653630656335366434636235
36306162316464613365616330626433306335396130336266616566653661336335346566613763
30373638353230313433333539306664323333646463333334366362613832376534356636383235
30626263383036643034303465366137356665366238366663313837323937646631396262623331
62323366623530663561643036643733323230343832633639663737356530643564643534666366
64646339363235376561363835643166663735643333656230386565653234356565323135333731
65313864316166383566386564303461343031356138386362633834316230396436306533306239
62306132373535363931306664346637663561323530346339373234343633663062393361323532
32653938623738383565353965656636336662323939346331396162623862613038633035643766
30346431393237323735386337643062396433366434396531623130643038366465643132303532
62366266393166333138643238383764656461623361326236333565373762316431373132356263
30396263396264626330613734346361646531626531363639393431366636316135333566393561
65393661333837633236396563333631663036376633666538306564333565653030303135313866
32366234313532656437393964666438393737363437303562633937396437663062616636383564
33393564643066383662323765346535616164633239636235656263336663633562646665393734
31393232376662666431393064643161653730653263313536613963376561386536353536616163
63316237636630306165346633646437636636626331303262663032653662333236646564613363
63616263643266393861386166346139343237633232653734363465303935613264366130336261
63333137633266306465363837646163323266363665396266363437303931353938653638343630
61386561616663303330663634306235336432316365303461623665393338396434346533366130
35303363643334613862613831366464616264386338373566613431303939623638656536306532
31346365623766346566353564613761333563303233336139376639363634616564303336393737
38333637376566393437383264386561386336653135663135356466663430383634313535626233
65646131353961663064316434353564383163646166323832663662373031636531623736643566
37336530636133363561643438663563353963373265333333386434336361326338646666636263
64396438616335393338376632326162326530636431323466646261623531303335656135313834
34613764336234303230373737326662396562303439363535643562386661303861666530366332
62316635343436396535656163393737343664333963356539313037306432643166393333353036
63663266613332363364313863303465366136333862346164306335353838333830343261323365
61373565666665663065666233316639326238323763333336383665653434623031383063613162
33666532363638353130303665646536663139633463343764353962643838353037323865623236
39613832616265376464363234363532323265366362316564343964636539656263376632313538
38653066666165333866646437353264383638366138633538336434623139623264623033656661
36643336343764613136653432316361343963313162326439656662386334356535373361303330
31653963306365373633323937363332636633613266363064363535366136646639643632343031
34393363373861613863313039393336333165386637393265333439396230643735363230363530
61643036353062643164663063343930613536653762633231333931646239343661343738386232
66373934643837323266623866393166373837323034373662306565623534396562326635323362
31613138613261626231663330626664376539366165353836343039336138623931643537363931
62313862313164306337383465333464313966656538643836643639653632663564633232343362
61323033316630616536633938393735343332653965656565663163396335643738646463303130
64363334326165653962656534313939666230373362316438346139356266616566346462356162
61316233346463376162356461623734313431623330633239353730643964616662383966323932
35373962663333653738616562396638633136376635383032313634333931626530393532663531
30356232626566386632356334393939343262393536666130333537646338343063313565623163
64383337303665613630393164383337346132346462373338323933316231386233323061353661
64336337376231383035653861373639373763633337396236373161613833303630316663626331
62633336383834363033316539336261346137303463643337393465393339663966653464336162
66633832383734373635356165343336323866663735353931626466613361636632313437326566
36386631653935633036373831643763656564643138303564306630396539373536383261663366
63333061333431626465353839343564346331323961663939373538636261343336663461336566
61343231633064336561666362633739636435633663653432393862356232356434356439343936
35326237313033363031336162303436383733626365373832333438393436663938316366343161
65656566353535363664386336383137313962333339396530356361363630353365366532656464
39353639626639653535316665383962646331326463353663383630633961353031396131393562
64663661396330356664316536623666383762623934306532636562663038336165376262633661
30373531356163386531623738373837366666323637333932393131366531316439643338373230
39663131313531343736353666376532326566313963623432643965646666333939613538643463
66333762306162623963306136343930306638383933333835626231616466633561633766383564
36653163366336666565626665323966373434383432303430306632333636353337386265323534
61306435356164313731393862383531646665346134616330303237396136313765313233313434
35393065363264323232323537363237303330386635346263306463636233393461393232306534
34636138333038366165343434323937363864366463326330353438313662323035653965383138
34646331356237613461393464386465303834373536336666626539313431303635653831303237
66643536336330303438393161613833346337336333636137336435333830386137653139386665
34636463313438323038616134383932646266656434633861363331393634393030356562646134
36653830326330353962393736393566393839366132643163303862316566633838373537613531
30396636333564623930313636363762636437373138313835393362346237353731316662343661
36636536643534636632646463376333346230383866353736393535313931313066656231336234
65333935653537613239663166303636356466653337643362313834303634623535653166613138
33316638313233613239386235383737623361376132346666393661393464613963616233613033
35386534353462386238313833666234633662353166303463333463346636646565313333613866
62313066366131353961323761306461653732393737386539646461346133626363303563353035
63313536646234396433306361366338386539326366316163363132326230366632383032646233
35626138326633653032393263326261313761623437336630646634636463613533353239353734
65363236373038623965353166656131313835373834386635656361323931653237393336333938
38373737613966356366313636656366363031396639623633373162363363373830363564356336
37373537323462633337663462666637363661313166323038623665393562663862383161383363
64366663656537663837373662313564663033333663633333613733656662303639313630623162
65663165363164343364633132376538653834323764646664626266343534393763663936616339
37336336356164613534653862626230356635333361326266323365353665666531343337613331
61303731313431386633616230393562373331643966306161343730336539313935306662343865
39303237653733663162303664386237376266333963663034636564363032373235646430363837
38636261613564323565336639623533343964663733366138303635303833633738326165643938
38616364663737333535346661356333326238303439626138303465663932393839653362393432
33613236316161323135373162333866666136623062373037383665633034356534333530643037
33363466643030323061373633393233383838616631636266323165656137636532626136353561
64663936396364613236363663316534366162623735336235643631373263616330353036623333
32393334663663393264376630626630653962393632353239356236626334633833306335386333
30356630306630323334663334363063343462383837393663636133343465336537353433663536
66313265613032343838633164633366396236343136303163353365343032353239376539393965
32316361663438623731336537393135336465336161646661366565356338326537646561376434
36626332303661373561306338666533633435393433393832656166656264376266363035366637
64346432336339396636353930363263653838343266623430613730373235376538366465373764
31326537383336633434663231663865353763323235623866633339393633323836366637303536
62313139646562616339356336663838386439313531333030643032333838343332383533663134
32323935376462646130346631656362373035346436376266653164303263653566303037393136
36313038303862373662356662663437353265326433653330343437316230646338306639646532
35653732306239653133656361333330333634376332323737303831666461346165616138663637
63376263333365623037616336303038613536303163343930396635386536363936346465326137
63653835623135353161643765643563396636313635306461376531626332333335393661646431
33323430653464396230366465343236303033356432643066303730323132306238643737376533
65643232323138313562346661396361363730643736626166386664313732326136373531663466
36383630636161376431393135373863356137353737306166393934656437363063363630393864
62663464623932616532636231643964396533396230363837383235666561663032663938373165
32313931373935316137643937623161306330653161336138363562313033613132306164623364
38336435333432323237353734393666646361626535393665306662393831393765636265373938
61303832343631313634393037356662643162643233363731386265323862383034623564393661
30646566643336323038633161356437613666626431613762363530343166633735383365323462
36336364616531393031326361626638323834353365666437363466653234316532396662343365
63393331336336636363313438386461303838306539303161333433313037373361366336653462
65626531646338626532646563346566626536643166313432363231343163313039323461633265
61396263303433383830333865366537633066366231393034623233633436316133303030653236
64366638353634666661666534363763356164333065313136613761626262383239646539626330
31636665326134653836626364616161636265393534666138386234373635313834343338646139
39363432643962623339636463346264343530666133656361316437333837346236353532613131
36626562326536303263373361326565326364363934343430313662376464303532346361653563
62333238633765363363363265303438396631303463376561383832643633353065366633633364
65663634613638336638376632353733646536313839313335383939613565623463313534633335
33333139343633353830663434643139663839323364643235623832386536633264373434336133
63303461383063313738626431663361633730343730623865613936373232616663373636646338
31376261376139666531376663613331366539303133353564333036336239343233666238303361
303137643632666133393733336431393664

8
group_vars/certbot.yml Normal file

@ -0,0 +1,8 @@
---
glob_certbot:
dns_rfc2136_server: '10.128.0.30'
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
mail: tech.aurore@lists.crans.org
certname: auro.re
domains: "auro.re"
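Review bot: `domains: "auro.re"` at the end of glob_certbot is a single string, whereas the loc_certbot override added in the same commit for the captive portal declares `domains:` as a list of five names; whichever role template consumes the merged value cannot handle both shapes, so hosts that only receive the global will either iterate over characters or fail, depending on how the role reads it. Declaring the global as a one-element list, `domains:` followed by `  - auro.re`, keeps the two definitions type-compatible. The Jinja lookup `"{{ vault_certbot_dns_secret }}"` is correctly quoted since it starts the value, and the trailing dot in `dns_rfc2136_name: certbot_challenge.` looks intentional for an RFC 2136 key name, though that is worth confirming against the DNS server's TSIG configuration.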

24
group_vars/nginx.yml Normal file

@ -0,0 +1,24 @@
---
glob_nginx:
contact: tech.aurore@lists.crans.org
who: "L'équipe technique d'Aurore"
service_name: service
ssl:
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
servers:
- ssl: false
server_name:
- "default"
- "_"
root: "/var/www/html"
locations:
- filter: "/"
params: []
upstreams: []
auth_passwd: []
default_server:
default_ssl_server:
deploy_robots_file: false
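Review bot: `default_server:` and `default_ssl_server:` are left as bare keys, which YAML parses as null rather than an empty string; unless the nginx role only tests these values for truthiness, a template that interpolates them directly will render the literal text `None` into the server configuration. The captive-portal group_vars in the same commit sets both to `'$server_addr'`, so the global appears meant as an overridable placeholder — writing it explicitly as `default_server: ""` and `default_ssl_server: ""` (or `null`, if the role expects absence) makes that intent unambiguous and satisfies yamllint's empty-values check. The ssl paths under `/etc/letsencrypt/live/auro.re/` presumably depend on the certbot role having run first on the same host; a short comment above `ssl:` noting that ordering would help the next maintainer.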


@ -0,0 +1,116 @@
---
loc_certbot:
domains:
- portail-fleming.auro.re
- portail-pacaterie.auro.re
- portail-rives.auro.re
- portail-edc.auro.re
- portail-gs.auro.re
mail: tech.aurore@lists.crans.org
certname: auro.re
loc_nginx:
service_name: captive_portal
default_server: '$server_addr'
default_ssl_server: '$server_addr'
servers:
- ssl: false
server_name:
- "10.13.0.247"
locations:
- filter: "/"
params:
- "return 302 https://portail-fleming.auro.re/portail/"
- ssl: true
server_name:
- portail-fleming.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-fleming.auro.re/portail/"
- ssl: false
server_name:
- 10.23.0.247
locations:
- filter: "/"
params:
- "return 302 https://portail-pacaterie.auro.re/portail/"
- ssl: true
server_name:
- portail-pacaterie.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-pacaterie.auro.re/portail/"
- ssl: false
server_name:
- "10.33.0.247"
locations:
- filter: "/"
params:
- "return 302 https://portail-rives.auro.re/portail/"
- ssl: true
server_name:
- portail-rives.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-rives.auro.re/portail/"
- ssl: false
server_name:
- "10.43.0.247"
locations:
- filter: "/"
params:
- "return 302 https://portail-edc.auro.re/portail/"
- ssl: true
server_name:
- portail-edc.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-edc.auro.re/portail/"
- ssl: false
server_name:
- "10.53.0.247"
locations:
- filter: "/"
params:
- "return 302 https://portail-gs.auro.re/portail/"
- ssl: true
server_name:
- portail-gs.auro.re
locations:
- filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
params:
- "proxy_pass http://10.128.0.20"
- "include /etc/nginx/snippets/options-proxypass.conf"
- filter: "/"
params:
- "return 302 https://portail-gs.auro.re/portail/"
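Review bot: The regex location `"~ /(potail|cotisations/comnpay|static|...)"` on the first portail-fleming server misspells `portail`, and the same typo is repeated for the pacaterie, rives, edc and gs servers; as written, a request for `/portail/` never matches this location, falls through to `location /`, and is answered with `return 302 https://portail-<site>.auro.re/portail/` — a redirect loop to itself. The fix is one character per entry, `filter: "~ /(portail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"`. While touching these lines, anchoring the pattern with `^` (`"~ ^/(portail|...)"`) would stop an unrelated path such as `/foo/static` from being proxied upstream, since an unanchored nginx regex location matches anywhere in the URI. Minor: `10.23.0.247` in the third server is the only server_name entry left unquoted, unlike its four quoted siblings.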


@ -2,10 +2,15 @@
certbot:
domains:
- auro.re
- chat.auro.re # cname to riot.auro.re
- codimd.auro.re
- element.auro.re # cname to riot.auro.re
- ehterpad.auro.re # cname to pad.auro.re
- grafana.auro.re
- hedgedoc.auro.re # cname to codimd.auro.re
- pad.auro.re
- passbolt.auro.re
- paste.auro.re # cname to privatebin.auro.re
- phabricator.auro.re
- privatebin.auro.re
- riot.auro.re
@ -13,7 +18,7 @@ certbot:
- status.auro.re
- wiki.auro.re
- www.auro.re
- zero.auro.re
- zero.auro.re # cname to privatebin.auro.re
mail: tech.aurore@lists.crans.org
certname: auro.re
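Review bot: `ehterpad.auro.re` looks like a misspelling of `etherpad.auro.re` (its own comment says it is a CNAME to `pad.auro.re`); with the DNS-01 plugin certbot will happily create `_acme-challenge.ehterpad.auro.re` and issue a certificate carrying a name nobody resolves, so this does not fail loudly — verify the CNAME exists and fix the spelling. Since every name here goes into one multi-SAN certificate (`certname: auro.re`), any single name that fails validation blocks renewal for all of the listed services; a `# one cert for all names below: a broken entry blocks renewal of every service` comment at the top of the list would warn whoever adds the next entry.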


@ -33,7 +33,7 @@ nginx:
redirect_sites:
- from: 45.66.111.61
to: auro.re
to: intranet.auro.re
reverseproxy_sites:
- from: re2o.auro.re

hosts

@ -29,13 +29,16 @@ stream.adm.auro.re
re2o-server.adm.auro.re
re2o-ldap.adm.auro.re
re2o-db.adm.auro.re
pendragon.adm.auro.re
services-bdd-local.adm.auro.re
backup.adm.auro.re
services-web.adm.auro.re
mail.auro.re
wikijs.adm.auro.re
prometheus-aurore.adm.auro.re
portail.adm.auro.re
[aurore_testing_vm]
pendragon.adm.auro.re
###############################################################################
# OVH
@ -337,6 +340,7 @@ gf-5-1.borne.auro.re
# Les Rives
[rives_pve]
thor.adm.auro.re
loki.adm.auro.re
[rives_vm]
dhcp-rives-backup.adm.auro.re
@ -345,6 +349,7 @@ dns-rives-backup.adm.auro.re
radius-rives-backup.adm.auro.re
routeur-rives-backup.adm.auro.re
ldap-replica-rives.adm.auro.re
prometheus-rives.adm.auro.re
[rives_unifi]
r3-4-4.borne.auro.re
@ -396,29 +401,31 @@ ovh_vm
[fleming:children]
fleming_pve
fleming_vm
#fleming_unifi
fleming_unifi
# everything at pacaterie
[pacaterie:children]
pacaterie_pve
pacaterie_vm
#pacaterie_unifi
pacaterie_unifi
# everything at edc
[edc:children]
edc_pve
edc_vm
edc_unifi
# everything at georgesand
[gs:children]
gs_pve
gs_vm
gs_unifi
# everything at Les Rives
[rives:children]
rives_pve
rives_vm
rives_unifi
###############################################################################
# Groups by type
@ -445,6 +452,13 @@ edc_pve
gs_pve
rives_pve
# every unifi
[unifi:children]
gs_unifi
edc_unifi
fleming_unifi
rives_unifi
pacaterie_unifi
###############################################################################
# Groups by service
@ -475,3 +489,8 @@ ldap-replica-ovh.adm.auro.re
[ldap_replica_rives]
ldap-replica-rives.adm.auro.re
[certbot]
portail.adm.auro.re
[nginx]
portail.adm.auro.re
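Review bot: `mail.auro.re` is added to `[aurore_vm]` under its public name while every other host in the inventory is listed as `*.adm.auro.re`, so Ansible and the `prometheus_node` play that targets `all` would reach this machine over its public address rather than the admin network. If the mail VM has an adm interface, list it as `mail.adm.auro.re`; if it deliberately has none, a comment next to the entry (`# no adm interface, managed over the public address`) would record that choice. Moving `pendragon.adm.auro.re` to `[aurore_testing_vm]` also removes it from monitoring, since the prometheus play excludes that group — presumably intended, but worth a comment on the group.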

logrotate.yml Executable file

@ -0,0 +1,7 @@
#!/usr/bin/env ansible-playbook
---
# Playbook to run ONLY the logrotate role
# Install logrotate
- hosts: all,!unifi,!pve
roles:
- logrotate


@ -14,7 +14,7 @@
roles:
- prometheus
- hosts: prometheus-pacaterie.adm.auro.re,prometheus-pacaterie-fo.adm.auro.re
- hosts: prometheus-pacaterie.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
@ -25,6 +25,8 @@
{{ groups['pacaterie_pve'] + groups['pacaterie_vm'] | list | sort }}
prometheus_unifi_snmp_targets:
- targets: "{{ groups['pacaterie_unifi'] | list | sort }}"
prometheus_ups_snmp_targets:
- ups-pn-1.ups.auro.re
roles:
- prometheus
@ -34,6 +36,9 @@
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
# Prometheus targets.json
prometheus_ups_snmp_targets:
- ups-ec-1.ups.auro.re
prometheus_targets:
- targets: |
{{ groups['edc_pve'] + groups['edc_vm'] | list | sort }}
@ -53,10 +58,42 @@
{{ groups['gs_pve'] + groups['gs_vm'] | list | sort }}
prometheus_unifi_snmp_targets:
- targets: "{{ groups['gs_unifi'] | list | sort }}"
prometheus_ups_snmp_targets:
- ups-gk-1.ups.auro.re
roles:
- prometheus
- hosts: prometheus-rives.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
# Prometheus targets.json
prometheus_ups_snmp_targets:
- ups-r3-1.ups.auro.re
prometheus_targets:
- targets: |
{{ groups['rives_pve'] + groups['rives_vm'] | list | sort }}
prometheus_unifi_snmp_targets:
- targets: "{{ groups['rives_unifi'] | list | sort }}"
roles:
- prometheus
- hosts: prometheus-aurore.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
# Prometheus targets.json
prometheus_targets:
- targets: |
{{ groups['aurore_pve'] + groups['aurore_vm'] + groups['ovh_pve'] + groups['ovh_vm'] | list | sort }}
roles:
- prometheus
# Monitor all hosts
- hosts: all,!unifi,!ovh
- hosts: all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,!aurore_testing_vm,!ovh_container
roles:
- prometheus_node
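Review bot: The last play's host pattern now spells out the five `*_unifi` groups by hand, although this same commit introduces an aggregate `[unifi:children]` group in the inventory; any site added later would silently get `prometheus_node` pushed to its access points. `- hosts: all,!unifi,!aurore_testing_vm,!ovh_container` expresses the same exclusion and follows the inventory. Dropping `!ovh` means the OVH hosts now receive the node exporter, which matches the new `prometheus-aurore` play scraping `ovh_pve`/`ovh_vm`, so that part looks intended.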


@ -0,0 +1,21 @@
---
- name: Install unattended-upgrades
when: ansible_os_family == "Debian"
apt:
name: unattended-upgrades
state: present
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure unattended-upgrades
template:
src: "apt/{{ item }}.j2"
dest: "/etc/apt/apt.conf.d/{{ item }}"
owner: root
mode: u=rw,g=r,o=r
loop:
- 50unattended-upgrades
- 20auto-upgrades
...
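Review bot: `Configure unattended-upgrades` writes into `/etc/apt/apt.conf.d/` unconditionally, while the install task just above is gated on `ansible_os_family == "Debian"`; the same `when:` belongs on the template task so a non-Debian host fails cleanly instead of receiving apt configuration it cannot use. The template task sets `owner: root` but no `group:`, so the group is whatever the file had before; add `group: root` for the same explicitness as the other template tasks in this commit.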


@ -4,26 +4,29 @@
when: ansible_os_family == "Debian"
apt:
name:
- sudo
- molly-guard # prevent reboot
- ntp # network time sync
- apt # better than apt-get
- nano # for vulcain
- vim # better than nano
- emacs-nox # for maman
- htop # better than top
- zsh # to be able to ssh @erdnaxe
- fish # to motivate @edpibu
- oidentd # postgresql identification
- aptitude # nice to have for Ansible
- acl # advanced ACL
- iotop # monitor i/o
- tree # create a graphical tree of files
- apt # better than apt-get
- aptitude # nice to have for Ansible
- bash-completion # because bash
- curl # better than wget
- emacs-nox # for maman
- fish # to motivate @edpibu
- git # code versioning
- htop # better than top
- iotop # monitor i/o
- less # i like cats
- screen # Vulcain asked for this
- lsb-release
- molly-guard # prevent reboot
- nano # for vulcain
- net-tools
- ntp # network time sync
- oidentd # postgresql identification
- screen # Vulcain asked for this
- sudo
- tmux # For shirenn
- tree # create a graphical tree of files
- vim # better than nano
- zsh # to be able to ssh @erdnaxe
update_cache: true
register: apt_result
retries: 3
@ -72,6 +75,9 @@
# APT-List Changes : send email with changelog
- include_tasks: apt-listchanges.yml
# APT Unattended upgrades
- include_tasks: apt-unattended.yml
# User skeleton
- name: Configure user skeleton
copy:
@ -92,13 +98,13 @@
apt:
pkg: smartmontools
state: absent
autoremove: yes
autoremove: true
when: ansible_system_vendor == "QEMU"
- name: Remove useless packages from the cache
apt:
autoclean: yes
autoclean: true
- name: Remove dependencies that are no longer required
apt:
autoremove: yes
autoremove: true


@ -0,0 +1,4 @@
// {{ ansible_managed }}
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";


@ -0,0 +1,22 @@
// {{ ansible_managed }}
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Package-Blacklist {};
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::InstallOnShutdown "false";
Unattended-Upgrade::Mail "{{ monitoring_mail }}";
// Unattended-Upgrade::MailOnlyOnError "false";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
Unattended-Upgrade::Remove-New-Unused-Dependencies "false";
Unattended-Upgrade::Remove-Unused-Dependencies "false";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::SyslogEnable "true";
Unattended-Upgrade::SyslogFacility "daemon";
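Review bot: `Origins-Pattern` only lists `codename=${distro_codename},label=Debian-Security`, which is the buster-era form; from bullseye on, to my knowledge, the security archive's Release file carries codename `${distro_codename}-security`, so on such hosts the pattern matches nothing and no security update is ever installed — silently, the mail just reports nothing to do. Keep both forms by adding `"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";` next to the existing line. With `Automatic-Reboot "false"`, kernel and libc fixes also stay pending until someone reboots; if that is deliberate, a comment saying that `/var/run/reboot-required` is expected to be watched by monitoring would document the trade-off.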


@ -0,0 +1,8 @@
---
- name: Reload nginx
service:
name: nginx
state: reloaded
- name: Generate certificates
command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
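Review bot: Ansible runs notified handlers in the order they are defined in this file, not in notification order, so `Reload nginx` executes before `Generate certificates` and nginx is reloaded against the old — or, on a fresh host, still missing — certificate. Define `Generate certificates` first and `Reload nginx` second. On a first deployment the reload may also fail outright if the configured certificate path does not exist yet, which is another reason to issue before reloading.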


@ -1,10 +1,10 @@
---
- name: Install certbot and nginx plugin
- name: Install certbot and RFC2136 plugin
apt:
update_cache: true
name:
- certbot
- python3-certbot-nginx
- python3-certbot-dns-rfc2136
register: pkg_result
retries: 3
until: pkg_result is succeeded
@ -15,25 +15,24 @@
state: directory
mode: 0755
- name: Lookup DNS masters IPv4
set_fact:
dns_masters_ipv4:
- "10.128.0.30"
cacheable: true
- name: Add DNS credentials
template:
src: letsencrypt/rfc2136.ini.j2
dest: /etc/letsencrypt/rfc2136.ini
mode: 0600
owner: root
- name: Add Certbot configuration
template:
src: "letsencrypt/conf.d/certname.ini.j2"
dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
mode: 0644
register: certbot_config
- name: Stop services to allow certbot to generate a cert.
service:
name: nginx
state: stopped
when: certbot_config.changed
- name: Generate new certificate if the configuration changed
shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
when: certbot_config.changed
- name: Restart services to allow certbot to generate a cert.
service:
name: nginx
state: started
when: certbot_config.changed
notify:
- Generate certificates
- Reload nginx
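Review bot: `Lookup DNS masters IPv4` sets `dns_masters_ipv4` (and with `cacheable: true` persists it in the fact cache) but nothing in this role reads it — `rfc2136.ini.j2` renders `certbot.dns_rfc2136_server` instead — so it appears to be a leftover; remove it or make the template use it, not both. Writing the credentials file `0600 root` before the certbot ini is right; a short comment on that task (`# contains the TSIG secret, must stay root-only`) would keep someone from relaxing the mode later.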


@ -15,8 +15,13 @@ email = {{ certbot.mail }}
# Uncomment to use a text interface instead of ncurses
text = True
# Use nginx challenge
authenticator = nginx
# Yes I want to sell my soul and my guinea pig.
agree-tos = True
# Use DNS-01 challenge
authenticator = dns-rfc2136
dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
dns-rfc2136-propagation-seconds = 30
# Accept TOS
agree-tos = True
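Review bot: Switching to `certonly` with the DNS plugin means certbot no longer touches nginx on renewal: the renew timer will obtain a fresh certificate and nginx keeps serving the old one until something reloads it. Add `deploy-hook = systemctl reload nginx` to this file — certbot stores it in the renewal config so later renewals inherit it, to be confirmed against the certbot version deployed here. `dns-rfc2136-propagation-seconds = 30` is short for a zone with secondaries; if issuance intermittently fails on the TXT lookup, that is the first value to raise.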


@ -0,0 +1,7 @@
{{ ansible_managed | comment(decoration='# ') }}
dns_rfc2136_server = {{ certbot.dns_rfc2136_server }}
dns_rfc2136_port = 53
dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
dns_rfc2136_algorithm = HMAC-SHA512
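Review bot: `dns_rfc2136_secret` is expanded in clear into this file; the writing task sets `0600 root`, but nothing ensures `certbot.dns_rfc2136_secret` itself comes from a vaulted variable, so a `# certbot.dns_rfc2136_secret must live in an ansible-vault file` line in the template header would make the expectation explicit. Because this TSIG key can update the zone, the matching `update-policy` on the DNS master should grant it only `_acme-challenge` TXT records, otherwise a compromise of any web host becomes a takeover of `auro.re` — outside this diff, but worth stating in the same comment. `HMAC-SHA512` is hard-coded, so the key on the master must be generated with that algorithm.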


@ -18,6 +18,7 @@
owner: re2o-services
group: nogroup
recurse: true
mode: 755
- name: Install isc-dhcp-server
apt:
@ -101,7 +102,7 @@
when: is_aurore_host
- name: force run dhcp re2o-service
shell: /var/local/re2o-services/dhcp/main.py --force
command: /var/local/re2o-services/dhcp/main.py --force
- name: Ensure dhcpd is running
service:
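Review bot: `mode: 755` without a leading zero is parsed by YAML as the decimal integer 755, which Ansible applies as mode 0o1363 — sticky bit plus `-wxrw--wx`, not `rwxr-xr-x`; write it as `mode: "0755"`. Because the same `file` task has `recurse: true`, that mode is also applied to every file under the re2o-services directory, making all of them executable; if only directories need to be traversable, `mode: "u=rwX,g=rX,o=rX"` gives the usual result. The header of the task this `mode` belongs to starts outside the hunk.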


@ -0,0 +1,5 @@
---
- name: reload logrotate
service:
name: logrotate
state: reloaded
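Review bot: `state: reloaded` on `logrotate` will fail on Debian: `logrotate.service` is a oneshot unit driven by `logrotate.timer` with no `ExecReload`, so systemctl answers that the reload job type is not applicable. logrotate re-reads `/etc/logrotate.d/*` on every run, so no handler is needed; if one is kept for symmetry, `state: started` is the only meaningful action, and it runs a rotation pass immediately.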


@ -0,0 +1,29 @@
---
# Install and configure logrotate
# Install the apt package
- name: Install logrotate
apt:
name:
- logrotate
# Copy the configuration and reload the service if it has changed
- name: Configure logrotate
template:
src: logrotate.d/rsyslog.j2
dest: /etc/logrotate.d/rsyslog
owner: root
group: root
mode: "0644"
notify: reload logrotate
# Make sure the service is enabled and started
- name: Enable logrotate service
service:
name: logrotate
enabled: true
state: started
# Enforce new logrotate rules now
- name: Run logrotate now
command: /usr/sbin/logrotate -f /etc/logrotate.d/rsyslog
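Review bot: `Run logrotate now` calls `logrotate -f` on every playbook run, forcing a rotation regardless of date; with `rotate 7` on `/var/log/syslog` each extra deploy consumes one of the seven kept generations, and the task reports `changed` every time. Drop the task, or drop `-f` and add `changed_when: false`. `Enable logrotate service` acts on `logrotate.service`, but on Debian it is `logrotate.timer` that must be enabled for periodic runs; manage `name: logrotate.timer` with `enabled: true` and `state: started` instead.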


@ -0,0 +1,39 @@
# {{ ansible_managed }}
/var/log/syslog
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
rotate 90
daily
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}


@ -0,0 +1,5 @@
---
- name: Reload nginx
systemd:
name: nginx
state: reloaded

roles/nginx/tasks/main.yml Normal file

@ -0,0 +1,121 @@
---
- name: Install NGINX
apt:
update_cache: true
name: nginx
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Copy snippets
template:
src: "nginx/snippets/{{ item }}.j2"
dest: "/etc/nginx/snippets/{{ item }}"
owner: root
group: root
mode: 0644
loop:
- options-ssl.conf
- options-proxypass.conf
- name: Copy dhparam
template:
src: letsencrypt/dhparam.j2
dest: /etc/letsencrypt/dhparam
owner: root
group: root
mode: 0644
- name: Disable default site
file:
dest: "/etc/nginx/sites-enabled/default"
state: absent
- name: Copy reverse proxy sites
when: nginx.reverseproxy_sites is defined or nginx.redirect_sites is defined
template:
src: "nginx/sites-available/{{ item }}.j2"
dest: "/etc/nginx/sites-available/{{ item }}"
owner: root
group: root
mode: 0644
loop:
- reverseproxy
- reverseproxy_redirect_dname
- redirect
notify: Reload nginx
- name: Activate reverse proxy sites
when: nginx.reverseproxy_sites is defined or nginx.redirect_sites is defined
file:
src: "/etc/nginx/sites-available/{{ item }}"
dest: "/etc/nginx/sites-enabled/{{ item }}"
owner: root
group: root
state: link
loop:
- reverseproxy
- reverseproxy_redirect_dname
- redirect
notify: Reload nginx
ignore_errors: "{{ ansible_check_mode }}"
- name: Copy service nginx configuration
when: nginx.servers is defined and nginx.servers|length > 0
template:
src: "nginx/sites-available/service.j2"
dest: "/etc/nginx/sites-available/{{ nginx.service_name }}"
owner: root
group: root
mode: 0644
notify: Reload nginx
- name: Activate local nginx service site
when: nginx.servers is defined and nginx.servers|length > 0
file:
src: "/etc/nginx/sites-available/{{ nginx.service_name }}"
dest: "/etc/nginx/sites-enabled/{{ nginx.service_name }}"
owner: root
group: root
state: link
notify: Reload nginx
ignore_errors: "{{ ansible_check_mode }}"
- name: Copy 50x error page
template:
src: www/html/50x.html.j2
dest: /var/www/html/50x.html
owner: www-data
group: www-data
mode: 0644
- name: Copy robots.txt file
when: nginx.deploy_robots_file
template:
src: www/html/robots.txt.j2
dest: /var/www/html/robots.txt
owner: www-data
group: www-data
mode: 0644
- name: Indicate role in motd
template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-nginx
mode: 0755
- name: Install passwords
when: nginx.auth_passwd|length > 0
template:
src: nginx/passwd.j2
dest: /etc/nginx/passwd
mode: 0644
- name: Copy 401 error page
when: nginx.auth_passwd|length > 0
template:
src: www/html/401.html.j2
dest: /var/www/html/401.html
owner: www-data
group: www-data
mode: 0644
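Review bot: `Install passwords` writes the htpasswd file `/etc/nginx/passwd` with `mode: 0644`, so every local account can read the password hashes; `owner: root`, `group: www-data`, `mode: "0640"` is enough for the nginx workers to read it. `Copy dhparam` targets `/etc/letsencrypt/dhparam`, which presumes the certbot role already created that directory; either create it in this role or keep the parameters under `/etc/nginx/`. Minor: `Install passwords` and the motd task set no `owner`/`group`, unlike the other template tasks in this file.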


@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----


@ -0,0 +1,4 @@
# {{ ansible_managed }}
{% for user, hash in nginx.auth_passwd.items() -%}
{{ user }}: {{ hash }}
{% endfor -%}
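Review bot: The htpasswd line is rendered as `{{ user }}: {{ hash }}` with a space after the colon; nginx's `auth_basic_user_file` format is `name:password`, and it takes everything after the first colon as the hash, so the leading space becomes part of the hash and every login fails. Use `{{ user }}:{{ hash }}`. A header comment stating the expected hash type (`# values are crypt()/apr1 hashes, never plaintext`) would also help, since the template cannot tell the two apart.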


@ -0,0 +1,67 @@
# {{ ansible_managed }}
{% for site in nginx.redirect_sites %}
# Redirect http://{{ site.from }} to http://{{ site.to }}
server {
listen 80;
listen [::]:80;
server_name {{ site.from }};
location / {
return 302 http://{{ site.to }}$request_uri;
}
}
# Redirect https://{{ site.from }} to https://{{ site.to }}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ site.from }};
# SSL common conf
include "/etc/nginx/snippets/options-ssl.conf";
location / {
return 302 https://{{ site.to }}$request_uri;
}
}
{% endfor %}
{# Also redirect for DNAMEs #}
{% for dname in nginx.redirect_dnames %}
{% for site in nginx.redirect_sites %}
{% set from = site.from | regex_replace('crans.org', dname) %}
{% if from != site.from %}
# Redirect http://{{ from }} to http://{{ site.to }}
server {
listen 80;
listen [::]:80;
server_name {{ from }};
location / {
return 302 http://{{ site.to }}$request_uri;
}
}
# Redirect https://{{ from }} to https://{{ site.to }}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ from }};
# SSL common conf
include "/etc/nginx/snippets/options-ssl.conf";
location / {
return 302 https://{{ site.to }}$request_uri;
}
}
{% endif %}
{% endfor %}
{% endfor %}
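Review bot: The DNAME loop rewrites `site.from` with `regex_replace('crans.org', dname)`, but the redirect sites in this commit are `auro.re` names and an IP, so `from != site.from` is never true and the whole second half of the template renders nothing — this reads as carried over from another network's role. Parameterise the base domain and escape it (`regex_replace(nginx.base_domain | regex_escape, dname)`), or remove the DNAME block; the unescaped `.` in the pattern also matches any character. Separately, the port-80 server returns `302 http://{{ site.to }}`, keeping the client on cleartext when the target is itself served over TLS; redirecting to `https://` from both listeners avoids the extra hop and the downgrade.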


@ -0,0 +1,56 @@
# {{ ansible_managed }}
# Automatic Connection header for WebSocket support
# See http://nginx.org/en/docs/http/websocket.html
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
{% for site in nginx.reverseproxy_sites %}
# Redirect http://{{ site.from }} to https://{{ site.from }}
server {
listen 80;
listen [::]:80;
server_name {{ site.from }};
location / {
return 302 https://$host$request_uri;
}
}
# Reverse proxify https://{{ site.from }} to http://{{ site.to }}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ site.from }};
# SSL common conf
include "/etc/nginx/snippets/options-ssl.conf";
# Log into separate log files
access_log /var/log/nginx/{{ site.from }}.log;
error_log /var/log/nginx/{{ site.from }}_error.log;
# Keep the TCP connection open a bit for faster browsing
keepalive_timeout 70;
# Custom error page
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/www/html;
}
set_real_ip_from 10.231.136.0/24;
set_real_ip_from 2a0c:700:0:2::/64;
real_ip_header P-Real-Ip;
location / {
proxy_pass http://{{ site.to }};
include "/etc/nginx/snippets/options-proxypass.conf";
}
}
{% endfor %}
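Review bot: The port-80 block returns `302 https://$host$request_uri`, where `$host` is the client's Host header; when no `server_name` matches, nginx falls back to its first server block and this line then reflects an arbitrary Host into the Location header (an open redirect usable for phishing). Use the configured name: `return 302 https://{{ site.from }}$request_uri;`. The `set_real_ip_from 10.231.136.0/24` / `2a0c:700:0:2::/64` ranges and the `P-Real-Ip` header appear nowhere else in this diff and look inherited from elsewhere; if no trusted proxy sits in front of these hosts the three `real_ip` lines should go, because trusting a wrong range lets whoever holds it forge client addresses in the logs.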


@ -0,0 +1,37 @@
# {{ ansible_managed }}
{% for dname in nginx.redirect_dnames %}
{% for site in nginx.reverseproxy_sites %}
{% set from = site.from | regex_replace('crans.org', dname) %}
{% set to = site.from %}
{% if from != site.from %}
# Redirect http://{{ from }} to http://{{ to }}
server {
listen 80;
listen [::]:80;
server_name {{ from }};
location / {
return 302 http://{{ to }}$request_uri;
}
}
# Redirect https://{{ from }} to https://{{ to }}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ from }};
# SSL common conf
include "/etc/nginx/snippets/options-ssl.conf";
location / {
return 302 https://{{ to }}$request_uri;
}
}
{% endif %}
{% endfor %}
{% endfor %}
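Review bot: Same hard-coded base domain as in `redirect.j2`: the rewrite is `regex_replace('crans.org', dname)`, so for the `auro.re` sites configured here `from == site.from` and this template renders only its header. Make the base domain a role variable and escape it in the pattern, or, if DNAME redirects are not needed at Aurore, stop deploying this template from the nginx role rather than shipping an always-empty site file.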


@ -0,0 +1,114 @@
# {{ ansible_managed }}
# Automatic Connection header for WebSocket support
# See http://nginx.org/en/docs/http/websocket.html
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
{% for upstream in nginx.upstreams -%}
upstream {{ upstream.name }} {
# Path of the server
server {{ upstream.server }};
}
{% endfor -%}
{% if nginx.default_ssl_server -%}
# Redirect all services to the main site
server {
listen 443 default_server ssl;
listen [::]:443 default_server ssl;
include "/etc/nginx/snippets/options-ssl.conf";
server_name _;
charset utf-8;
# Hide Nginx version
server_tokens off;
location / {
return 302 https://{{ nginx.default_ssl_server }}$request_uri;
}
}
{% endif -%}
{% if nginx.default_server -%}
# Redirect all services to the main site
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
charset utf-8;
# Hide Nginx version
server_tokens off;
location / {
return 302 http://{{ nginx.default_server }}$request_uri;
}
}
{% endif -%}
{% for server in nginx.servers %}
{% if server.ssl is defined and server.ssl -%}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name {{ server.server_name|join(" ") }};
charset utf-8;
# Hide Nginx version
server_tokens off;
location / {
return 302 https://$host$request_uri;
}
}
{% endif -%}
server {
{% if server.ssl is defined and server.ssl -%}
listen 443 ssl;
listen [::]:443 ssl;
include "/etc/nginx/snippets/options-ssl.conf";
{% else -%}
listen 80;
listen [::]:80;
{% endif -%}
server_name {{ server.server_name|join(" ") }};
charset utf-8;
# Hide Nginx version
server_tokens off;
{% if server.root is defined -%}
root {{ server.root }};
{% endif -%}
{% if server.index is defined -%}
index {{ server.index|join(" ") }};
{% endif -%}
{% if server.access_log is defined -%}
access_log {{ server.access_log }};
{% endif -%}
{% if server.error_log is defined -%}
error_log {{ server.error_log }};
{% endif -%}
{% if server.locations is defined -%}
{% for location in server.locations -%}
location {{ location.filter }} {
{% for param in location.params -%}
{{ param }};
{% endfor -%}
}
{% endfor -%}
{% endif -%}
}
{% endfor %}
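Review bot: The HTTP→HTTPS redirect emitted for each `ssl: true` server uses `return 302 https://$host$request_uri`, which is only safe while a `default_server` exists on port 80; the catch-all block here is wrapped in `{% if nginx.default_server %}`, so when that variable is unset nginx picks the first `server {}` for an unmatched Host and reflects it. Make the catch-all unconditional, or redirect to `https://{{ server.server_name[0] }}$request_uri`. Also `listen 443 ssl;` here versus `listen 443 ssl http2;` in `reverseproxy.j2` — pick one; and since `location.params` are rendered verbatim, a `{# params are trusted nginx directives from the inventory, rendered unescaped #}` note at the top of the template would state the trust boundary.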


@ -0,0 +1,18 @@
# {{ ansible_managed }}
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info (^/[^/]*)(.*)$;
# check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
# Let NGINX handle errors
fastcgi_intercept_errors on;
include /etc/nginx/fastcgi.conf;
fastcgi_pass unix:/var/run/fcgiwrap.socket;


@ -0,0 +1,19 @@
# {{ ansible_managed }}
proxy_redirect off;
proxy_set_header Host $host;
# Pass the real client IP
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Tell proxified server that we are HTTPS, fix Wordpress
proxy_set_header X-Forwarded-Proto https;
# WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# For Owncloud WebDav
client_max_body_size 10G;
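Review bot: `client_max_body_size 10G` is set inside `location /` of every proxied site, because that is where this snippet is included, so the WebDAV exception for Owncloud becomes the upload limit for re2o, the portal and everything else behind nginx — an easy way to fill a backend's disk. Keep a small default here (`client_max_body_size 10m;`) and raise it per site; note that a server-level `custom_args` entry cannot override a directive set in the location, so the per-site override must land in the location or the directive must leave the snippet. `X-Forwarded-Proto https` is hard-coded; `$scheme` stays correct if the snippet is ever included from a port-80 server.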


@ -0,0 +1,17 @@
# {{ ansible_managed }}
ssl_certificate {{ nginx.ssl.cert }};
ssl_certificate_key {{ nginx.ssl.cert_key }};
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_dhparam /etc/letsencrypt/dhparam;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# Enable OCSP Stapling, point to certificate chain
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
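Review bot: `ssl_stapling on` has no effect without a `resolver` directive: nginx needs one to look up the OCSP responder named in the certificate, warns `no resolver defined to resolve ...` at startup and then serves no stapled response. Add `resolver 127.0.0.1 valid=300s;` (or the local unbound address) and `resolver_timeout 5s;` next to the stapling lines. Since every site in this commit redirects HTTP to HTTPS, `add_header Strict-Transport-Security "max-age=63072000" always;` belongs here as well, with the caveat that any `add_header` inside a location discards server-level headers.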


@ -0,0 +1,3 @@
#!/usr/bin/tail +14
# {{ ansible_managed }}
> NGINX a été déployé sur cette machine. Voir /etc/nginx/.


@ -0,0 +1,18 @@
{{ ansible_header | comment('xml') }}
<html>
<head>
<title>Accès refusé</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<h1>Accès refusé</h1>
<p>
Pour éviter le scan des adresses de diffusions par un robot, cette page demande un identifiant et mot de passe.
</p>
<ul>
<li>Identifiant : <em>Stop</em></li>
<li>Mot de passe : <em>Spam</em></li>
</ul>
</body>
</html>
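Review bot: The page hard-codes the credentials `Stop`/`Spam`, but the users nginx actually accepts come from `nginx.auth_passwd` in the inventory, so the two can drift silently; render the hint from a variable, or document in the role defaults that `auth_passwd` must contain `Stop` with that password. Publishing the password on the 401 page is acceptable as a bot filter but means this `auth_basic` provides no confidentiality — a template comment saying so would stop someone from reusing it as real access control. The header uses `{{ ansible_header | comment('xml') }}` whereas every other template in this commit uses `ansible_managed`; if `ansible_header` is not defined in the inventory, templating this file fails.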


@ -0,0 +1,63 @@
<!doctype html>
<html lang="fr">
<head>
<meta charset="utf-8">
<title>502</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
* {
line-height: 1.2;
margin: 0;
}
html {
color: #888;
display: table;
font-family: sans-serif;
height: 100%;
text-align: center;
width: 100%;
}
body {
display: table-cell;
vertical-align: middle;
margin: 2em auto;
}
a {
color: #888;
text-decoration: underline dotted;
}
h1 {
color: #555;
font-size: 2em;
font-weight: 400;
}
p {
margin: 1em auto;
max-width: 480px;
}
@media only screen and (max-width: 280px) {
body, p {
width: 95%;
}
h1 {
font-size: 1.5em;
margin: 0 0 0.3em;
}
}
</style>
</head>
<body>
<h1>502</h1>
<p>Whoops, le service prend trop de temps à répondre…</p>
<p>Essayez de rafraîchir la page. Si le problème persiste, pensez
à contacter <a href="mailto:{{ nginx.contact }}">{{ nginx.who }}</a>.</p>
</body>
</html>


@ -0,0 +1,4 @@
{{ ansible_header | comment }}
User-agent: *
Disallow: /


@ -9,7 +9,7 @@ server {
server_name {{ site.from }};
location / {
return 302 http://{{ site.to }}$request_uri;
return 302 http://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %};
}
}
@ -24,7 +24,7 @@ server {
include "/etc/nginx/snippets/options-ssl.conf";
location / {
return 302 https://{{ site.to }}$request_uri;
return 302 https://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %};
}
}
@ -43,7 +43,7 @@ server {
server_name {{ from }};
location / {
return 302 http://{{ site.to }}$request_uri;
return 302 http://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %};
}
}
@ -58,7 +58,7 @@ server {
include "/etc/nginx/snippets/options-ssl.conf";
location / {
return 302 https://{{ site.to }}$request_uri;
return 302 https://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %};
}
}
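Review bot: The four new conditions test `site.norequesturi is not defined`, so `norequesturi: false` in the inventory still drops `$request_uri`; `{% if not site.norequesturi | default(false) %}` honours both spellings. The same expression is now repeated four times; a `{% set uri = '' if site.norequesturi | default(false) else '$request_uri' %}` at the top of each loop iteration would keep the server blocks readable.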


@ -47,6 +47,12 @@ server {
set_real_ip_from 2a0c:700:0:2::/64;
real_ip_header P-Real-Ip;
{% if site.custom_args is defined -%}
{% for arg in site.custom_args %}
{{ arg }};
{% endfor %}
{% endif %}
location / {
proxy_pass http://{{ site.to }};
include "/etc/nginx/snippets/options-proxypass.conf";
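Review bot: `custom_args` are emitted at server level, before `location /`, while `options-proxypass.conf` is included inside the location; any directive a site tries to override this way (`client_max_body_size`, `proxy_set_header`, …) is silently shadowed by the location-level value, since nginx applies the most specific context. Either document that `custom_args` cannot override snippet directives (`{# server-level only: cannot override what options-proxypass.conf sets in location / #}`), or add a second hook rendered inside `location /` after the include.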


@ -55,6 +55,14 @@
content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}"
dest: /etc/prometheus/targets_unifi_snmp.json
mode: 0644
when: prometheus_unifi_snmp_targets is defined
- name: Configure Prometheus UPS SNMP devices
copy:
content: "{{ [{'targets': prometheus_ups_snmp_targets }] | to_nice_json }}\n"
dest: /etc/prometheus/targets_ups_snmp.json
mode: 0644
when: prometheus_ups_snmp_targets is defined
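Review bot: `prometheus_ups_snmp_targets` is a bare host list that this task wraps into `[{'targets': …}]`, whereas `prometheus_unifi_snmp_targets` just above is expected to already be a list of `{targets: …}` objects; two shapes for the same kind of variable is a trap for whoever adds the next exporter. Pick one convention — simplest is to wrap both here and keep the play vars as plain host lists — and state it in a comment above the tasks.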
- name: Activate prometheus service
systemd:


@ -22,7 +22,7 @@ groups:
labels:
severity: warning
annotations:
summary: "Mémoire libre de {{ $labels.instance }} à {{ $value }}%."
summary: "Mémoire libre de {{ $labels.instance }} à {{ $value | printf "%.2f" }}%."
# Alert for out of disk space
- alert: OutOfDiskSpace
@ -31,7 +31,7 @@ groups:
labels:
severity: warning
annotations:
summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.instance }} à {{ $value }}%."
summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.instance }} à {{ $value | printf "%.2f" }}%."
# Alert for out of inode space on disk
- alert: OutOfInodes
@ -49,7 +49,7 @@ groups:
labels:
severity: warning
annotations:
summary: "CPU sur {{ $labels.instance }} à {{ $value }}%."
summary: "CPU sur {{ $labels.instance }} à {{ $value | printf "%.2f" }}%."
# Check systemd unit (> buster)
- alert: SystemdServiceFailed
@ -59,4 +59,71 @@ groups:
severity: warning
annotations:
summary: "{{ $labels.name }} a échoué sur {{ $labels.instance }}"
# Check UPS
- alert: UpsOutputSourceChanged
expr: upsOutputSource != 3
for: 5m
labels:
severity: warning
annotations:
summary: "La source d'alimentation de {{ $labels.instance }} a changé !"
- alert: UpsBatteryStatusWarning
expr: upsBatteryStatus == 3
for: 5m
labels:
severity: warning
annotations:
summary: "L'état de la batterie de {{ $labels.instance }} est faible !"
- alert: UpsBatteryStatusCritical
expr: upsBatteryStatus == 4
for: 5m
labels:
severity: warning
annotations:
summary: "L'état de la batterie de {{ $labels.instance }} est affaibli !"
- alert: UpsHighLoad
expr: upsOutputPercentLoad > 70
for: 5m
labels:
severity: critical
annotations:
summary: "La charge de {{ $labels.instance }} est de {{ $value }}% !"
- alert: UpsWrongInputVoltage
expr: (upsInputVoltage < 210) or (upsInputVoltage > 250)
for: 5m
labels:
severity: warning
annotations:
summary: "La tension d'entrée de {{ $labels.instance }} est de {{ $value }}V."
- alert: UpsWrongOutputVoltage
expr: (upsOutputVoltage < 220) or (upsOutputVoltage > 240)
for: 5m
labels:
severity: warning
annotations:
summary: "La tension de sortie de {{ $labels.instance }} est de {{ $value }}V."
- alert: UpsTimeRemainingWarning
expr: upsEstimatedMinutesRemaining < 15
for: 5m
labels:
severity: warning
annotations:
summary: "L'autonomie restante sur {{ $labels.instance }} est de {{ $value }} min."
- alert: UpsTimeRemainingCritical
expr: upsEstimatedMinutesRemaining < 5
for: 5m
labels:
severity: critical
annotations:
summary: "L'autonomie restante sur {{ $labels.instance }} est de {{ $value }} min."
{% endraw %}
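Review bot: `UpsBatteryStatusCritical` (`upsBatteryStatus == 4`, batteryDepleted in RFC 1628) is labelled `severity: warning`, the same as the batteryLow alert just above it, so the name and the routing disagree; it should be `severity: critical`. Meanwhile `UpsHighLoad` at 70 % is `critical`, which looks inverted relative to a depleted battery. A comment listing the RFC 1628 enum values next to the three thresholds (`# upsOutputSource: 3=normal 4=bypass 5=battery`, `# upsBatteryStatus: 2=normal 3=low 4=depleted`) would save the next reader a MIB lookup.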


@ -65,3 +65,19 @@ scrape_configs:
scheme: https
static_configs:
- targets: []
- job_name: ups_snmp
file_sd_configs:
- files:
- '/etc/prometheus/targets_ups_snmp.json'
metrics_path: /snmp
params:
module: [eatonups]
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: 127.0.0.1:9116


@ -6,6 +6,78 @@
# - Optimiser les règles pour les bornes Unifi,
# on pourrait indexer avec les SSID
eatonups:
walk:
- 1.3.6.1.2.1.33.1.2
- 1.3.6.1.2.1.33.1.3
- 1.3.6.1.2.1.33.1.4
- 1.3.6.1.4.1.534.1.6
get:
- 1.3.6.1.2.1.1.3.0
metrics:
- name: sysUpTime
oid: 1.3.6.1.2.1.1.3
type: gauge
help: The time (in hundredths of a second) since the network management portion
of the system was last re-initialized. - 1.3.6.1.2.1.1.3
- name: upsBatteryStatus
oid: 1.3.6.1.2.1.33.1.2.1
type: gauge
help: The indication of the capacity remaining in the UPS system's batteries -
1.3.6.1.2.1.33.1.2.1
- name: upsEstimatedMinutesRemaining
oid: 1.3.6.1.2.1.33.1.2.3
type: gauge
help: An estimate of the time to battery charge depletion under the present load
conditions if the utility power is off and remains off, or if it were to be
lost and remain off. - 1.3.6.1.2.1.33.1.2.3
- name: upsInputVoltage
oid: 1.3.6.1.2.1.33.1.3.3.1.3
type: gauge
help: The magnitude of the present input voltage. - 1.3.6.1.2.1.33.1.3.3.1.3
indexes:
- labelname: upsInputLineIndex
type: gauge
- name: upsOutputSource
oid: 1.3.6.1.2.1.33.1.4.1
type: gauge
help: The present source of output power - 1.3.6.1.2.1.33.1.4.1
- name: upsOutputVoltage
oid: 1.3.6.1.2.1.33.1.4.4.1.2
type: gauge
help: The present output voltage. - 1.3.6.1.2.1.33.1.4.4.1.2
indexes:
- labelname: upsOutputLineIndex
type: gauge
- name: upsOutputPower
oid: 1.3.6.1.2.1.33.1.4.4.1.4
type: gauge
help: The present output true power. - 1.3.6.1.2.1.33.1.4.4.1.4
indexes:
- labelname: upsOutputLineIndex
type: gauge
- name: upsOutputPercentLoad
oid: 1.3.6.1.2.1.33.1.4.4.1.5
type: gauge
help: The percentage of the UPS power capacity presently being used on this output
line, i.e., the greater of the percent load of true power capacity and the percent
load of VA. - 1.3.6.1.2.1.33.1.4.4.1.5
indexes:
- labelname: upsOutputLineIndex
type: gauge
- name: xupsEnvRemoteTemp
oid: 1.3.6.1.4.1.534.1.6.5
type: gauge
help: The reading of an EMP's temperature sensor. - 1.3.6.1.4.1.534.1.6.5
- name: xupsEnvRemoteHumidity
oid: 1.3.6.1.4.1.534.1.6.6
type: gauge
help: The reading of an EMP's humidity sensor. - 1.3.6.1.4.1.534.1.6.6
version: 1
auth:
community: public
procurve_switch:
walk:
- 1.3.6.1.2.1.31.1.1.1.10
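Review bot: The new `eatonups` module polls the UPS cards with `version: 1` and `community: public`, the factory default, while the Unifi module in the same playbook gets a vaulted `snmp_unifi_password`; anyone who can reach a UPS management interface can read these OIDs, and SNMPv1 sends the community in clear on every poll. Move the community into a vaulted variable (`community: "{{ vault_snmp_ups_community }}"`), change it on the cards, and prefer `version: 3` with auth/priv if the Eaton cards support it. If `public` is unavoidable, at least restrict the cards' SNMP ACL to the Prometheus hosts and say so in a comment on the module.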


@ -30,11 +30,19 @@
mode: 0644
when: "'routeur-aurore' in ansible_hostname"
- name: Install ipset
apt:
name: ipset
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Install aurore-firewall (re2o-service)
import_role:
name: re2o-service
vars:
service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git
service_repo: https://gitea.auro.re/Aurore/aurore-firewall.git
service_name: aurore-firewall
service_version: aurore
service_config:
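Review bot: The firewall code is now cloned from `https://gitea.auro.re/Aurore/aurore-firewall.git` at `service_version: aurore`, a moving branch, with nothing pinning a commit or verifying a signed tag; whoever can push to that branch, or takes over the Gitea instance, gets code executed as root on every router the next time the playbook runs. Pin `service_version` to a tag or full commit SHA and bump it deliberately, or have the re2o-service role verify a signed tag. This is a supply-chain point about the new source, not about the URL change itself.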


@ -31,7 +31,7 @@ role = ['routeur']
### Specify each interface role
interfaces_type = {
'routable' : ['ens20', 'ens21'],
'routable' : ['ens20', 'ens21', 'ens23'],
'sortie' : ['ens19'],
'admin' : ['ens18']
}
@ -57,9 +57,53 @@ nat = [
},
'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',
'extra_nat' : {
'ens19': {
'10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{
apartment_block_id }}',
'10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}'
'10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}',
},
}
},
{
'name': 'Accueil',
'ip_sources': '10.{{ subnet_ids.users_accueil }}.0.0/16',
'extra_nat': {
'ens19': {
'10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{ apartment_block_id }}',
'10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}',
},
'ens23' : {
'10.{{ subnet_ids.users_accueil }}.1.0/24': '10.{{ subnet_ids.users_accueil }}.0.240',
'10.{{ subnet_ids.users_accueil }}.2.0/24': '10.{{ subnet_ids.users_accueil }}.0.240',
},
},
'extra_nat_group': {
'ens19': 'accueil_ens23_allowed',
},
},
]
# ATTENTION: on doit avoir retry ≥ grace
# ATTENTION: il faut que ip_redirect gère tous les ports
# autorisés dans le profile re2o, sinon on laisse sortir
# du trafic
accueils = [
{
'iface': 'ens23',
'grace_period': 1800,
'retry_period': 86400,
'ip_sources': [
'10.{{ subnet_ids.users_accueil }}.1.0/24',
'10.{{ subnet_ids.users_accueil }}.2.0/24',
],
'ip_redirect': {
"tcp": {
"10.{{ subnet_ids.users_accueil }}.0.247": ["80", "443"],
}
},
'triggers': [
('4', 'tcp', '46.255.53.35', 443), # ComNPay
('4', 'tcp', '46.255.53.35', 80),
]
}
]
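Review bot: The `accueils` entry lets unauthenticated clients on the reception VLAN reach ComNPay at the single hard-coded address `46.255.53.35` on 80/443; if the payment provider ever changes or load-balances its IP the trigger silently stops matching and the only symptom is failed payments from that network. Record where the address comes from (`# ComNPay endpoint per provider documentation — re-check on every firewall release`) and, if the firewall supports it, resolve it from a name at startup. The French warning above says `ip_redirect` must cover every port the re2o profile allows or traffic leaks; nothing here enforces that invariant, so a comment listing the profile's allowed ports next to `ip_redirect` would let the two be checked against each other. `retry_period` ≥ `grace_period` holds as the first warning requires.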


@ -41,9 +41,11 @@ nat = [
{
'name' : 'AdminVlans',
'extra_nat' : {
'ens18': {
'10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}',
'10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
'10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}'
'10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
},
}
}
]


@ -50,6 +50,9 @@ vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 {
# Wifi
10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
# Accueil
10.{{ subnet_ids.users_accueil }}.0.254/16 brd 10.{{ subnet_ids.users_accueil }}.255.255 dev ens23 scope global
}


@ -23,12 +23,14 @@ server:
interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix }}
# IPv6
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }}
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }}
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }}
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_accueil }}::0:{{ dns_host_suffix }}
# By default, anything other than localhost is refused.
@ -36,12 +38,11 @@ server:
access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_accueil }}.0.0/16 allow
access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :)
num-threads: {{ ansible_processor_vcpus }}
private-address: 10.0.0.0/8
# The host cache TTL affects blacklisting of supposedly bogus hosts.
# The default was 900 (15 minutes).
infra-host-ttl: 60
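Review bot: `access-control: 10.{{ subnet_ids.users_accueil }}.0.0/16 allow` grants full recursive resolution to the whole Accueil range, which — judging from the `accueils` captive-portal configuration added elsewhere in this commit, where only TCP 80/443 is redirected — presumably includes hosts that have not yet authenticated, so DNS becomes an unfiltered channel out (DNS tunnelling) for them. If unauthenticated hosts only need to reach the portal, consider restricting them to that (a separate view or `local-zone` for the pre-auth range) or at least enabling `ratelimit:`, and record the decision above the line: `# Accueil hosts get recursion before captive-portal auth; DNS tunnelling is possible — TODO confirm this is acceptable`. The new `interface:` and `access-control:` lines otherwise mirror the existing wired/wifi entries, so the change is consistent with the file.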


@ -15,3 +15,11 @@
roles:
- certbot
- nginx_reverseproxy
- hosts: portail.adm.auro.re
vars:
certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
roles:
- certbot
- nginx


@ -1,5 +0,0 @@
#!/bin/bash
for ip in `cat hosts|grep pacaterie.adm.auro.re`; do
ssh-copy-id $ip
done