From b49bd3620b18da6e087467c9911cae9a55daf47c Mon Sep 17 00:00:00 2001 From: Hadrien Patte Date: Sun, 3 Mar 2019 19:06:33 +0100 Subject: [PATCH 001/297] Feat: add ansible-lint to the CI pipeline Signed-off-by: Hadrien Patte --- .gitlab-ci.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 4cf864e..5af274e 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,6 +1,14 @@ --- image: quay.io/ansible/molecule:2.19 +stages: + - lint + yamllint: + stage: lint script: yamllint -c .yamllint.yml . + +ansible-lint: + stage: lint + script: ansible-lint *.yml ... From 5c5195cc2ca8a44633c3913c3a643019997fb35a Mon Sep 17 00:00:00 2001 From: Hadrien Patte Date: Sun, 3 Mar 2019 19:13:22 +0100 Subject: [PATCH 002/297] Fix: use systemd instead of command module Signed-off-by: Hadrien Patte --- roles/codimd/handlers/main.yml | 3 ++- roles/etherpad/handlers/main.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/codimd/handlers/main.yml b/roles/codimd/handlers/main.yml index 4dccff2..ffb2bfc 100644 --- a/roles/codimd/handlers/main.yml +++ b/roles/codimd/handlers/main.yml @@ -9,4 +9,5 @@ # Reload systemd daemons when a service file changes - name: Reload systemd daemons - command: systemctl daemon-reload + systemd: + daemon_reload: true diff --git a/roles/etherpad/handlers/main.yml b/roles/etherpad/handlers/main.yml index ac3842d..46a7fd8 100644 --- a/roles/etherpad/handlers/main.yml +++ b/roles/etherpad/handlers/main.yml @@ -1,4 +1,5 @@ --- # Reload systemd daemons when a service file changes - name: Reload systemd daemons - command: systemctl daemon-reload + systemd: + daemon_reload: true From 4555ca782b46ce04301a9e7d629f8176867cf78f Mon Sep 17 00:00:00 2001 From: Hadrien Patte Date: Sun, 3 Mar 2019 19:15:15 +0100 Subject: [PATCH 003/297] Feat: update ansible-lint to version 4.0.0 Signed-off-by: Hadrien Patte --- .gitlab-ci.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) 
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 5af274e..e11bdbf 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,14 +1,18 @@ --- -image: quay.io/ansible/molecule:2.19 +image: python:3.6 stages: - lint yamllint: stage: lint - script: yamllint -c .yamllint.yml . + script: + - pip install yamllint==1.15.0 + - yamllint -c .yamllint.yml . ansible-lint: stage: lint - script: ansible-lint *.yml + script: + - pip install ansible-lint==4.0.0 + - ansible-lint *.yml ... From b55a2ee047d19985d8fb78f710fa052c9de23ce3 Mon Sep 17 00:00:00 2001 From: Hadrien Patte Date: Sun, 3 Mar 2019 19:28:57 +0100 Subject: [PATCH 004/297] Fix: add a retry statement to remote package tasks Signed-off-by: Hadrien Patte --- roles/baseconfig/tasks/apt-listchanges.yml | 3 +++ roles/baseconfig/tasks/main.yml | 3 +++ roles/baseconfig/tasks/molly-guard.yml | 3 +++ roles/codimd/tasks/0_apt_dependencies.yml | 3 +++ roles/dokuwiki/tasks/main.yml | 3 +++ roles/etherpad/tasks/0_apt_dependencies.yml | 3 +++ roles/ldap-client/tasks/0_install_ldap.yml | 3 +++ roles/ldap-client/tasks/1_group_security.yml | 3 +++ roles/ldap-replica/tasks/main.yml | 3 +++ roles/matrix-mxisd/tasks/main.yml | 3 +++ roles/matrix-riot/tasks/main.yml | 12 ++++++++++++ roles/matrix-synapse/tasks/main.yml | 3 +++ roles/nginx-reverse-proxy/tasks/main.yml | 3 +++ upgrade.yml | 3 +++ 14 files changed, 51 insertions(+) diff --git a/roles/baseconfig/tasks/apt-listchanges.yml b/roles/baseconfig/tasks/apt-listchanges.yml index 56925b2..ddfebb7 100644 --- a/roles/baseconfig/tasks/apt-listchanges.yml +++ b/roles/baseconfig/tasks/apt-listchanges.yml @@ -6,6 +6,9 @@ name: apt-listchanges state: present update_cache: true + register: apt_result + retries: 3 + until: apt_result is succeeded # Send email when there is something new - name: Configure apt-listchanges diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml index 27fbd03..807c20d 100644 --- a/roles/baseconfig/tasks/main.yml 
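Review bot: The two `pip install` lines in the new `script:` blocks pin yamllint and ansible-lint but leave their dependencies unpinned, so `ansible` (pulled in by ansible-lint) and `pyyaml` can change from one pipeline run to the next and lint results can drift without any change to the repository. Installing from a committed requirements file with every line pinned, e.g. `- pip install -r requirements-dev.txt`, or at least adding `ansible==<pinned version>` next to `ansible-lint==4.0.0`, makes the job reproducible. Switching the image from the molecule image to `python:3.6` is fine, but note it also drops the preinstalled ansible that the lint previously ran against.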
+++ b/roles/baseconfig/tasks/main.yml @@ -19,6 +19,9 @@ - tree # create a graphical tree of files - ipython # better Python shell - acl # for Ansible become support + register: apt_result + retries: 3 + until: apt_result is succeeded # Pimp my server - name: Customize motd diff --git a/roles/baseconfig/tasks/molly-guard.yml b/roles/baseconfig/tasks/molly-guard.yml index bee8e12..b444b73 100644 --- a/roles/baseconfig/tasks/molly-guard.yml +++ b/roles/baseconfig/tasks/molly-guard.yml @@ -6,6 +6,9 @@ name: molly-guard state: present update_cache: true + register: apt_result + retries: 3 + until: apt_result is succeeded # Always ask for hostname - name: Configure molly-guard diff --git a/roles/codimd/tasks/0_apt_dependencies.yml b/roles/codimd/tasks/0_apt_dependencies.yml index 158c59e..95dec86 100644 --- a/roles/codimd/tasks/0_apt_dependencies.yml +++ b/roles/codimd/tasks/0_apt_dependencies.yml @@ -21,3 +21,6 @@ - npm - build-essential - zlib1g-dev # uws module + register: apt_result + retries: 3 + until: apt_result is succeeded diff --git a/roles/dokuwiki/tasks/main.yml b/roles/dokuwiki/tasks/main.yml index 0da632d..4e1722f 100644 --- a/roles/dokuwiki/tasks/main.yml +++ b/roles/dokuwiki/tasks/main.yml @@ -24,3 +24,6 @@ apt: name: dokuwiki update_cache: true + register: apt_result + retries: 3 + until: apt_result is succeeded diff --git a/roles/etherpad/tasks/0_apt_dependencies.yml b/roles/etherpad/tasks/0_apt_dependencies.yml index 4c8d341..c5995f1 100644 --- a/roles/etherpad/tasks/0_apt_dependencies.yml +++ b/roles/etherpad/tasks/0_apt_dependencies.yml @@ -21,3 +21,6 @@ - git - nodejs - npm + register: apt_result + retries: 3 + until: apt_result is succeeded diff --git a/roles/ldap-client/tasks/0_install_ldap.yml b/roles/ldap-client/tasks/0_install_ldap.yml index 79ceb18..16552a0 100644 --- a/roles/ldap-client/tasks/0_install_ldap.yml +++ b/roles/ldap-client/tasks/0_install_ldap.yml 
@@ -9,6 +9,9 @@ - nslcd - libnss-ldapd - libpam-ldapd + register: apt_result + retries: 3 + until: apt_result is succeeded # Reduce LDAP load # For the moment it is broken on Stretch when using PHP7.3 diff --git a/roles/ldap-client/tasks/1_group_security.yml b/roles/ldap-client/tasks/1_group_security.yml index 40435d6..c40b466 100644 --- a/roles/ldap-client/tasks/1_group_security.yml +++ b/roles/ldap-client/tasks/1_group_security.yml @@ -11,6 +11,9 @@ package: name: sudo state: present + register: package_result + retries: 3 + until: package_result is succeeded # Set sudo group - name: Configure sudoers diff --git a/roles/ldap-replica/tasks/main.yml b/roles/ldap-replica/tasks/main.yml index 5face6d..4ad968e 100644 --- a/roles/ldap-replica/tasks/main.yml +++ b/roles/ldap-replica/tasks/main.yml @@ -5,6 +5,9 @@ name: slapd state: present update_cache: true + register: apt_result + retries: 3 + until: apt_result is succeeded # What is written after is really not a nice way to install a schema # because the LDAP is being flushed away always... diff --git a/roles/matrix-mxisd/tasks/main.yml b/roles/matrix-mxisd/tasks/main.yml index d58dc22..fae2a84 100644 --- a/roles/matrix-mxisd/tasks/main.yml +++ b/roles/matrix-mxisd/tasks/main.yml @@ -2,6 +2,9 @@ - name: Install mxisd apt: deb: https://github.com/kamax-matrix/mxisd/releases/download/v{{ mxisd_version }}/mxisd_{{ mxisd_version }}_all.deb + register: apt_result + retries: 3 + until: apt_result is succeeded - name: Configure mxisd template: diff --git a/roles/matrix-riot/tasks/main.yml b/roles/matrix-riot/tasks/main.yml index 007a449..04be56f 100644 --- a/roles/matrix-riot/tasks/main.yml +++ b/roles/matrix-riot/tasks/main.yml @@ -4,6 +4,9 @@ apt: name: apt-transport-https update_cache: true + register: apt_result + retries: 3 + until: apt_result is succeeded # Add the repository into source list - name: Configure riot repository 
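Review bot: The retry added to `Install mxisd` in roles/matrix-mxisd/tasks/main.yml wraps an `apt: deb:` download from a GitHub release URL whose only integrity check is TLS; `deb:` offers no checksum parameter, so a retried or substituted artifact is installed unverified. Fetching first with `get_url: url: … checksum: "sha256:<expected digest>" dest: /tmp/mxisd_{{ mxisd_version }}_all.deb` and then pointing `apt: deb:` at that local path pins the artifact, and the `register`/`retries`/`until` trio belongs on the `get_url` step, which is the part that actually touches the network. The enclosing task is otherwise unchanged by this hunk.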
@@ -15,17 +18,26 @@ apt_key: url: https://riot.im/packages/debian/repo-key.asc id: E019645248E8F4A1 + register: apt_key_result + retries: 3 + until: apt_key_result is succeeded # Install riot - name: Install riot-web apt: name: riot-web update_cache: true + register: apt_result + retries: 3 + until: apt_result is succeeded # Install nginx - name: Install nginx apt: name: nginx + register: apt_result + retries: 3 + until: apt_result is succeeded # Configure nginx - name: Configure nginx diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml index 06e44bc..565bc80 100644 --- a/roles/matrix-synapse/tasks/main.yml +++ b/roles/matrix-synapse/tasks/main.yml @@ -4,6 +4,9 @@ name: matrix-synapse update_cache: true default_release: stretch-backports + register: apt_result + retries: 3 + until: apt_result is succeeded - name: Configure matrix-synapse template: diff --git a/roles/nginx-reverse-proxy/tasks/main.yml b/roles/nginx-reverse-proxy/tasks/main.yml index d7a93ee..9ecd403 100644 --- a/roles/nginx-reverse-proxy/tasks/main.yml +++ b/roles/nginx-reverse-proxy/tasks/main.yml @@ -4,6 +4,9 @@ apt: name: nginx update_cache: true + register: apt_result + retries: 3 + until: apt_result is succeeded # Install sites - name: Configure NGINX sites diff --git a/upgrade.yml b/upgrade.yml index f5fbbef..7b28ebe 100644 --- a/upgrade.yml +++ b/upgrade.yml @@ -9,3 +9,6 @@ upgrade: dist update_cache: true cache_valid_time: 86400 # one day + register: apt_result + retries: 3 + until: apt_result is succeeded From 7302c83f60829032d3fda14a9527ad2229d83bd6 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 9 Mar 2019 10:18:10 +0100 Subject: [PATCH 005/297] Add new container --- hosts | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts b/hosts index 34cdde3..8563253 100644 --- a/hosts +++ b/hosts @@ -18,6 +18,7 @@ wiki.adm.auro.re www.adm.auro.re pad.adm.auro.re proxy.adm.auro.re +matrix-services.adm.auro.re [ovh-vm] re2o-server.adm.auro.re 
From d6627f5cce323a59fe9f8c36909b2f4ea2301dd3 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 10 Mar 2019 11:10:59 +0100 Subject: [PATCH 006/297] Add matrix-appservice-discord --- matrix.yml | 6 ++ .../handlers/main.yml | 4 + .../tasks/0_apt_dependencies.yml | 20 +++++ .../tasks/1_user_group.yml | 26 ++++++ .../matrix-appservice-discord/tasks/main.yml | 57 +++++++++++++ .../templates/apt/nodejs.j2 | 5 ++ .../templates/config.yaml.j2 | 85 +++++++++++++++++++ .../matrix-appservice-discord.service.j2 | 18 ++++ 8 files changed, 221 insertions(+) create mode 100644 roles/matrix-appservice-discord/handlers/main.yml create mode 100644 roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml create mode 100644 roles/matrix-appservice-discord/tasks/1_user_group.yml create mode 100644 roles/matrix-appservice-discord/tasks/main.yml create mode 100644 roles/matrix-appservice-discord/templates/apt/nodejs.j2 create mode 100644 roles/matrix-appservice-discord/templates/config.yaml.j2 create mode 100644 roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 diff --git a/matrix.yml b/matrix.yml index 1975e50..4767ca5 100644 --- a/matrix.yml +++ b/matrix.yml @@ -13,3 +13,9 @@ - hosts: riot.adm.auro.re roles: - matrix-riot + +# Install Matrix services +- hosts: matrix-services.adm.auro.re + roles: + - debian-backports + - matrix-appservice-discord diff --git a/roles/matrix-appservice-discord/handlers/main.yml b/roles/matrix-appservice-discord/handlers/main.yml new file mode 100644 index 0000000..ac3842d --- /dev/null +++ b/roles/matrix-appservice-discord/handlers/main.yml @@ -0,0 +1,4 @@ +--- +# Reload systemd daemons when a service file changes +- name: Reload systemd daemons + command: systemctl daemon-reload diff --git a/roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml b/roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml new file mode 100644 index 0000000..40fbbce --- /dev/null 
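Review bot: `command: systemctl daemon-reload` in the new roles/matrix-appservice-discord/handlers/main.yml reintroduces the pattern that PATCH 002 (`Fix: use systemd instead of command module`) just removed from the codimd and etherpad handlers, and with ansible-lint now in CI it is likely to be reported as a command used in place of a module. Use the same replacement as that commit: `systemd:` followed by `  daemon_reload: true`. The identical handler is added again in roles/matrix-appservice-irc/handlers/main.yml in the following commit and should get the same change.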
+++ b/roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml @@ -0,0 +1,20 @@ +--- +- name: Configure NodeJS pin + when: + - ansible_distribution == 'Debian' + - ansible_distribution_release == 'stretch' + template: + src: apt/nodejs.j2 + dest: /etc/apt/preferences.d/nodejs + mode: 0644 + +- name: Install required packages + apt: + name: "{{ item }}" + state: present + update_cache: true + with_items: + - git + - nodejs + - npm + - build-essential diff --git a/roles/matrix-appservice-discord/tasks/1_user_group.yml b/roles/matrix-appservice-discord/tasks/1_user_group.yml new file mode 100644 index 0000000..2fe23be --- /dev/null +++ b/roles/matrix-appservice-discord/tasks/1_user_group.yml @@ -0,0 +1,26 @@ +--- +# Security #1 +- name: Create matrix-appservice-discord system group + group: + name: matrix-appservice-discord + system: yes + state: present + +# Security #2 +- name: Create matrix-appservice-discord user + user: + name: matrix-appservice-discord + group: matrix-appservice-discord + home: /var/local/matrix-appservice-discord + comment: Matrix Appservice Discord + system: yes + state: present + +# Security #3 +- name: Secure matrix-appservice-discord home directory + file: + path: /var/local/matrix-appservice-discord + state: directory + owner: matrix-appservice-discord + group: matrix-appservice-discord + mode: 0750 diff --git a/roles/matrix-appservice-discord/tasks/main.yml b/roles/matrix-appservice-discord/tasks/main.yml new file mode 100644 index 0000000..a625a00 --- /dev/null +++ b/roles/matrix-appservice-discord/tasks/main.yml 
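Review bot: The `Install required packages` task in roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml is the only apt task in the tree without the `register: apt_result`, `retries: 3`, `until: apt_result is succeeded` lines that PATCH 004 added everywhere else, so a transient mirror failure fails this role while the others recover. Adding those three lines restores consistency; since `apt`'s `name` accepts a list, the `with_items` loop with `name: "{{ item }}"` can also be replaced by the list itself, giving one apt transaction instead of four. The same file appears verbatim as roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml in the next commit.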
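Review bot: The `user:` task in roles/matrix-appservice-discord/tasks/1_user_group.yml creates a system account without a `shell`, so it receives useradd's default login shell even though nothing is meant to log in as it; add `shell: /usr/sbin/nologin` next to `system: yes`. For consistency with the rest of the repository, which writes booleans as `true`/`false` (e.g. `update_cache: true`), `system: yes` on the group and user tasks would read better as `system: true`; yamllint's truthy rule may flag the former depending on .yamllint.yml. roles/matrix-appservice-irc/tasks/1_user_group.yml in the following commit has the same two points.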
@@ -0,0 +1,57 @@ +--- +# Install APT dependencies +- include_tasks: 0_apt_dependencies.yml + +# Create CodiMD user and group +- include_tasks: 1_user_group.yml + +# Download CodiMD +- name: Clone matrix-appservice-discord project + git: + repo: https://github.com/Half-Shot/matrix-appservice-discord.git + dest: /var/local/matrix-appservice-discord/matrix-appservice-discord + version: v0.4.0 + become: true + become_user: matrix-appservice-discord + +# Setup dependencies +- name: Install matrix-appservice-discord depedencies + command: npm ci + args: + chdir: /var/local/matrix-appservice-discord/matrix-appservice-discord + become: true + become_user: matrix-appservice-discord + +# Typescript into javascript +- name: Compile matrix-appservice-discord + command: npm run build + args: + chdir: /var/local/matrix-appservice-discord/matrix-appservice-discord + become: true + become_user: matrix-appservice-discord + +# Configure +- name: Configure matrix-appservice-discord + template: + src: config.yaml.j2 + dest: /var/local/matrix-appservice-discord/matrix-appservice-discord/config.yaml + owner: matrix-appservice-discord + group: matrix-appservice-discord + mode: 0600 + +# Service file +- name: Install matrix-appservice-discord systemd unit + template: + src: 'systemd/matrix-appservice-discord.service.j2' + dest: '/etc/systemd/system/matrix-appservice-discord.service' + owner: root + group: root + mode: 0644 + notify: Reload systemd daemons + +# Run +#- name: Ensure that matrix-appservice-discord is started +# service: +# name: matrix-appservice-discord +# state: started +# enabled: true diff --git a/roles/matrix-appservice-discord/templates/apt/nodejs.j2 b/roles/matrix-appservice-discord/templates/apt/nodejs.j2 new file mode 100644 index 0000000..65e5110 --- /dev/null +++ b/roles/matrix-appservice-discord/templates/apt/nodejs.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +Package: node* libuv1* +Pin: release a=stretch-backports +Pin-Priority: 600 
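Review bot: The comments `# Create CodiMD user and group` and `# Download CodiMD` in roles/matrix-appservice-discord/tasks/main.yml were carried over from the codimd role and describe the wrong service; they should read `# Create matrix-appservice-discord user and group` and `# Download matrix-appservice-discord`. The `git:` clone pins `version: v0.4.0`, which is a tag rather than a commit and can be moved upstream; if the exact checkout matters for the `npm ci` and `npm run build` steps that follow, consider pinning the commit hash (constructed placeholder: `version: <commit sha of v0.4.0>`) and keeping the tag in the comment. The task name `Install matrix-appservice-discord depedencies` also has a typo (`dependencies`).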
diff --git a/roles/matrix-appservice-discord/templates/config.yaml.j2 b/roles/matrix-appservice-discord/templates/config.yaml.j2 new file mode 100644 index 0000000..64e17dd --- /dev/null +++ b/roles/matrix-appservice-discord/templates/config.yaml.j2 
@@ -0,0 +1,85 @@ +# {{ ansible_managed }} + +bridge: + # Domain part of the bridge, e.g. matrix.org + domain: "auro.re" + # This should be your publically facing URL because Discord may use it to + # fetch media from the media store. + homeserverUrl: "https://auro.re" + # Interval at which to process users in the 'presence queue'. If you have + # 5 users, one user will be processed every 500 milliseconds according to the + # value below. This has a minimum value of 250. + # WARNING: This has a high chance of spamming the homeserver with presence + # updates since it will send one each time somebody changes state or is online. + presenceInterval: 500 + # Disable setting presence for 'ghost users' which means Discord users on Matrix + # will not be shown as away or online. + disablePresence: false + # Disable sending typing notifications when somebody on Discord types. + disableTypingNotifications: false + # Disable deleting messages on Discord if a message is redacted on Matrix. + disableDeletionForwarding: false + # Enable users to bridge rooms using !discord commands. See + # https://t2bot.io/discord for instructions. + enableSelfServiceBridging: false + # Disable sending of read receipts for Matrix events which have been + # successfully bridged to Discord. + disableReadReceipts: false +# Authentication configuration for the discord bot. +auth: + clientID: "12345" + botToken: "foobar" +logging: + # What level should the logger output to the console at. 
+ console: "warn" #silly, verbose, info, http, warn, error, silent + lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format + files: + - file: "warn.log" # Will capture warnings + level: "warn" + - file: "botlogs.log" # Will capture logs from DiscordBot + level: "info" + enable: + - "DiscordBot" +database: + userStorePath: "user-store.db" + roomStorePath: "room-store.db" + # You may either use SQLite or Postgresql for the bridge database, which contains + # important mappings for events and user puppeting configurations. + # Use the filename option for SQLite, or connString for Postgresql. + # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite + # WARNING: You will almost certainly be fine with sqlite unless your bridge + # is in heavy demand and you suffer from IO slowness. + filename: "discord.db" + # connString: "postgresql://user:password@localhost/database_name" +room: + # Set the default visibility of alias rooms, defaults to "public". + # One of: "public", "private" + defaultVisibility: "public" +channel: + # Pattern of the name given to bridged rooms. + # Can use :guild for the guild name and :name for the channel name. + namePattern: "[Discord] :guild :name" + # Changes made to rooms when a channel is deleted. + deleteOptions: + # Prefix the room name with a string. + #namePrefix: "[Deleted]" + # Prefix the room topic with a string. + #topicPrefix: "This room has been deleted" + # Disable people from talking in the room by raising the event PL to 50 + disableMessaging: false + # Remove the discord alias from the room. + unsetRoomAlias: true + # Remove the room from the directory. + unlistFromDirectory: true + # Set the room to be unavaliable for joining without an invite. + setInviteOnly: true + # Make all the discord users leave the room. + ghostsLeave: true +limits: + # Delay in milliseconds between discord users joining a room. 
+ roomGhostJoinDelay: 6000 + # Delay in milliseconds before sending messages to discord to avoid echos. + # (Copies of a sent message may arrive from discord before we've + # fininished handling it, causing us to echo it back to the room) + discordSendDelay: 750 + diff --git a/roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 new file mode 100644 index 0000000..afc1b4b --- /dev/null +++ b/roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 @@ -0,0 +1,18 @@ +# {{ ansible_managed }} + +[Unit] +Description=A bridge between Matrix and Discord +After=syslog.target network-online.target mysql.service postgresql.service +Conflicts=shutdown.target + +[Service] +Type=simple +User=matrix-appservice-discord +Group=matrix-appservice-discord +WorkingDirectory=/var/local/matrix-appservice-discord/matrix-appservice-discord +Environment="NODE_ENV=production" +ExecStart=/usr/bin/nodejs /var/local/matrix-appservice-discord/matrix-appservice-discord/app.js +Restart=always + +[Install] +WantedBy=multi-user.target From 0b887c2abbbe2ef1a4252fdfcfe0c01f12bf082e Mon Sep 17 00:00:00 2001 
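Review bot: `clientID: "12345"` and `botToken: "foobar"` under `auth:` in roles/matrix-appservice-discord/templates/config.yaml.j2 are literal placeholders inside a template, so the rendered bridge cannot authenticate as committed, and the natural fix of editing them in place puts a live bot token into version control. Source them from variables instead, e.g. `clientID: "{{ matrix_appservice_discord_client_id }}"` and `botToken: "{{ matrix_appservice_discord_bot_token }}"` (names are a suggestion), with the values kept in vault-encrypted vars; the `mode: 0600` on the rendered file in tasks/main.yml is already right for the target. The `database:` section selects sqlite (`filename: "discord.db"`), which is worth keeping in mind for the unit file's `After=` dependencies.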
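Review bot: The `[Service]` section in roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 runs the bridge as its own user but applies no systemd confinement, and `After=syslog.target network-online.target mysql.service postgresql.service` names an obsolete target plus two database units the sqlite-backed config does not use. Adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` keeps the working directory under /var/local writable while making /usr, /boot and /etc read-only for the process; `After=network-online.target` with `Wants=network-online.target` is enough for the ordering. `Restart=always` without `RestartSec=` will respawn a crash-looping bridge at the default interval, which is acceptable but worth stating in a comment.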
From: Alexandre Iooss Date: Sun, 10 Mar 2019 11:50:07 +0100 Subject: [PATCH 007/297] Add matrix-appservice-irc --- matrix.yml | 3 +- roles/matrix-appservice-irc/handlers/main.yml | 4 + .../tasks/0_apt_dependencies.yml | 20 + .../tasks/1_user_group.yml | 26 + roles/matrix-appservice-irc/tasks/main.yml | 48 ++ .../templates/apt/nodejs.j2 | 5 + .../templates/config.yaml.j2 | 443 ++++++++++++++++++ .../systemd/matrix-appservice-irc.service.j2 | 17 + 8 files changed, 565 insertions(+), 1 deletion(-) create mode 100644 roles/matrix-appservice-irc/handlers/main.yml create mode 100644 roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml create mode 100644 roles/matrix-appservice-irc/tasks/1_user_group.yml create mode 100644 roles/matrix-appservice-irc/tasks/main.yml create mode 100644 roles/matrix-appservice-irc/templates/apt/nodejs.j2 create mode 100644 roles/matrix-appservice-irc/templates/config.yaml.j2 create mode 100644 roles/matrix-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 diff --git a/matrix.yml b/matrix.yml index 4767ca5..971ceab 100644 --- a/matrix.yml +++ b/matrix.yml @@ -8,6 +8,8 @@ - debian-backports - matrix-synapse - matrix-mxisd + - matrix-appservice-discord + - matrix-appservice-irc # Install Matrix Riot on corresponding containers - hosts: riot.adm.auro.re @@ -18,4 +20,3 @@ - hosts: matrix-services.adm.auro.re roles: - debian-backports - - matrix-appservice-discord diff --git a/roles/matrix-appservice-irc/handlers/main.yml b/roles/matrix-appservice-irc/handlers/main.yml new file mode 100644 index 0000000..ac3842d --- /dev/null +++ b/roles/matrix-appservice-irc/handlers/main.yml @@ -0,0 +1,4 @@ +--- +# Reload systemd daemons when a service file changes +- name: Reload systemd daemons + command: systemctl daemon-reload diff --git a/roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml b/roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml new file mode 100644 index 0000000..40fbbce --- /dev/null 
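Review bot: After the second hunk in matrix.yml removes `- matrix-appservice-discord` from the `matrix-services.adm.auro.re` play, that play only applies `debian-backports`, so the host added to `hosts` in PATCH 005 now gets no service; this looks like a leftover from moving both appservice roles onto the synapse host in the first hunk. Either drop the play and the inventory line, or add a comment such as `# Reserved for future Matrix services` so the empty play is clearly intentional. Both appservice roles also template `/etc/apt/preferences.d/nodejs` from identical nodejs.j2 files, which is harmless on one host but is duplicated content that could live in a shared role.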
+++ b/roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml @@ -0,0 +1,20 @@ +--- +- name: Configure NodeJS pin + when: + - ansible_distribution == 'Debian' + - ansible_distribution_release == 'stretch' + template: + src: apt/nodejs.j2 + dest: /etc/apt/preferences.d/nodejs + mode: 0644 + +- name: Install required packages + apt: + name: "{{ item }}" + state: present + update_cache: true + with_items: + - git + - nodejs + - npm + - build-essential diff --git a/roles/matrix-appservice-irc/tasks/1_user_group.yml b/roles/matrix-appservice-irc/tasks/1_user_group.yml new file mode 100644 index 0000000..1c5d507 --- /dev/null +++ b/roles/matrix-appservice-irc/tasks/1_user_group.yml @@ -0,0 +1,26 @@ +--- +# Security #1 +- name: Create matrix-appservice-irc system group + group: + name: matrix-appservice-irc + system: yes + state: present + +# Security #2 +- name: Create matrix-appservice-irc user + user: + name: matrix-appservice-irc + group: matrix-appservice-irc + home: /var/local/matrix-appservice-irc + comment: Matrix Appservice IRC + system: yes + state: present + +# Security #3 +- name: Secure matrix-appservice-irc home directory + file: + path: /var/local/matrix-appservice-irc + state: directory + owner: matrix-appservice-irc + group: matrix-appservice-irc + mode: 0750 diff --git a/roles/matrix-appservice-irc/tasks/main.yml b/roles/matrix-appservice-irc/tasks/main.yml new file mode 100644 index 0000000..0f03d5b --- /dev/null +++ b/roles/matrix-appservice-irc/tasks/main.yml 
@@ -0,0 +1,48 @@ +--- +# Install APT dependencies +- include_tasks: 0_apt_dependencies.yml + +# Create matrix-appservice-irc user and group +- include_tasks: 1_user_group.yml + +- name: Clone matrix-appservice-irc project + git: + repo: https://github.com/matrix-org/matrix-appservice-irc.git + dest: /var/local/matrix-appservice-irc/matrix-appservice-irc + version: 0.11.2 + become: true + become_user: matrix-appservice-irc + +# Setup dependencies +- name: Install matrix-appservice-irc depedencies + command: npm install + args: + chdir: /var/local/matrix-appservice-irc/matrix-appservice-irc + become: true + become_user: matrix-appservice-irc + +# Configure +- name: Configure matrix-appservice-irc + template: + src: config.yaml.j2 + dest: /var/local/matrix-appservice-irc/matrix-appservice-irc/config.yaml + owner: matrix-appservice-irc + group: matrix-appservice-irc + mode: 0600 + +# Service file +- name: Install matrix-appservice-irc systemd unit + template: + src: 'systemd/matrix-appservice-irc.service.j2' + dest: '/etc/systemd/system/matrix-appservice-irc.service' + owner: root + group: root + mode: 0644 + notify: Reload systemd daemons + +# Run +#- name: Ensure that matrix-appservice-irc is started +# service: +# name: matrix-appservice-irc +# state: started +# enabled: true diff --git a/roles/matrix-appservice-irc/templates/apt/nodejs.j2 b/roles/matrix-appservice-irc/templates/apt/nodejs.j2 new file mode 100644 index 0000000..65e5110 --- /dev/null +++ b/roles/matrix-appservice-irc/templates/apt/nodejs.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +Package: node* libuv1* +Pin: release a=stretch-backports +Pin-Priority: 600 diff --git a/roles/matrix-appservice-irc/templates/config.yaml.j2 b/roles/matrix-appservice-irc/templates/config.yaml.j2 new file mode 100644 index 0000000..72d1a84 --- /dev/null +++ b/roles/matrix-appservice-irc/templates/config.yaml.j2 
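Review bot: `command: npm install` in roles/matrix-appservice-irc/tasks/main.yml differs from the discord role's `npm ci`: `npm install` resolves dependency ranges at run time and may rewrite the lockfile, so two hosts provisioned at different times can end up with different dependency trees, whereas `npm ci` installs exactly what the project's lockfile records and fails if they disagree. If the pinned `version: 0.11.2` checkout ships a package-lock.json (to be confirmed), `command: npm ci` is the reproducible choice and keeps the two roles consistent. The task name `Install matrix-appservice-irc depedencies` repeats the `dependencies` typo from the discord role, and the clone task lacks the `# Download …` comment its sibling has.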
@@ -0,0 +1,443 @@ +# {{ ansible_managed }} + +homeserver: + # The URL to the home server for client-server API calls, also used to form the + # media URLs as displayed in bridged IRC channels: + url: "https://auro.re" + # + # The URL of the homeserver hosting media files. This is only used to transform + # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By + # default, this is the homeserver URL, specified above. + # + # media_url: "http://media.repo:8008" + + # Drop Matrix messages which are older than this number of seconds, according to + # the event's origin_server_ts. + # If the bridge is down for a while, the homeserver will attempt to send all missed + # events on reconnection. These events may be hours old, which can be confusing to + # IRC users if they are then bridged. This option allows these old messages to be + # dropped. + # CAUTION: This is a very coarse heuristic. Federated homeservers may have different + # clock times and hence produce different origin_server_ts values, which may be old + # enough to cause *all* events from the homeserver to be dropped. + # Default: 0 (don't ever drop) + dropMatrixMessagesAfterSecs: 300 # 5 minutes + + # The 'domain' part for user IDs on this home server. Usually (but not always) + # is the "domain name" part of the HS URL. + domain: "auro.re" + + # Should presence be enabled for matrix clients on this bridge. If disabled on the + # homeserver then it should also be disabled here to avoid excess traffic. + # Default: true + enablePresence: true + +# Configuration specific to the IRC service +ircService: + servers: + # The address of the server to connect to. + irc.crans.org: + # A human-readable short name. This is used to label IRC status rooms + # where matrix users control their connections. + # E.g. 'ExampleNet IRC Bridge status'. + # It is also used in the Third Party Lookup API as the instance `desc` + # property, where each server is an instance. 
+ name: "Crans IRC Bridge status" + + additionalAddresses: [ ] + # + # [DEPRECATED] Use `name`, above, instead. + # A human-readable description string + # description: "Example.com IRC network" + + # An ID for uniquely identifying this server amongst other servers being bridged. + networkId: "crans" + + # URL to an icon used as the network icon whenever this network appear in + # a network list. (Like in the riot room directory, for instance.) + # icon: https://example.com/images/hash.png + + # The port to connect to. Optional. + port: 6697 + # Whether to use SSL or not. Default: false. + ssl: true + # Whether or not IRC server is using a self-signed cert or not providing CA Chain + sslselfsign: false + # Should the connection attempt to identify via SASL (if a server or user password is given) + # If false, this will use PASS instead. If SASL fails, we do not fallback to PASS. + sasl: false + # Whether to allow expired certs when connecting to the IRC server. + # Usually this should be off. Default: false. + allowExpiredCerts: false + # A specific CA to trust instead of the default CAs. Optional. + #ca: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + # + # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional. + # password: 'pa$$w0rd' + # + # Whether or not to send connection/error notices to real Matrix users. Default: true. + sendConnectionMessages: true + + quitDebounce: + # Whether parts due to net-splits are debounced for delayMs, to allow + # time for the netsplit to resolve itself. A netsplit is detected as being + # a QUIT rate higher than quitsPerSecond. Default: false. + enabled: false + # The maximum number of quits per second acceptable above which a netsplit is + # considered ongoing. Default: 5. + quitsPerSecond: 5 + # The time window in which to wait before bridging a QUIT to Matrix that occurred during + # a netsplit. 
Debouncing is jittered randomly between delayMinMs and delayMaxMs so that the HS + # is not sent many requests to leave rooms all at once if a netsplit occurs and many + # people to not rejoin. + # If the user with the same IRC nick as the one who sent the quit rejoins a channel + # they are considered back online and the quit is not bridged, so long as the rejoin + # occurs before the randomly-jittered timeout is not reached. + # Default: 3600000, = 1h + delayMinMs: 3600000 # 1h + # Default: 7200000, = 2h + delayMaxMs: 7200000 # 2h + + # A map for conversion of IRC user modes to Matrix power levels. This enables bridging + # of IRC ops to Matrix power levels only, it does not enable the reverse. If a user has + # been given multiple modes, the one that maps to the highest power level will be used. + modePowerMap: + o: 50 + + botConfig: + # Enable the presence of the bot in IRC channels. The bot serves as the entity + # which maps from IRC -> Matrix. You can disable the bot entirely which + # means IRC -> Matrix chat will be shared by active "M-Nick" connections + # in the room. If there are no users in the room (or if there are users + # but their connections are not on IRC) then nothing will be bridged to + # Matrix. If you're concerned about the bot being treated as a "logger" + # entity, then you may want to disable the bot. If you want IRC->Matrix + # but don't want to have TCP connections to IRC unless a Matrix user speaks + # (because your client connection limit is low), then you may want to keep + # the bot enabled. Default: true. + # NB: If the bot is disabled, you SHOULD have matrix-to-IRC syncing turned + # on, else there will be no users and no bot in a channel (meaning no + # messages to Matrix!) until a Matrix user speaks which makes a client + # join the target IRC channel. + # NBB: The bridge bot IRC client will still join the target IRC network so + # it can service bridge-specific queries from the IRC-side e.g. 
so + # real IRC clients have a way to change their Matrix display name. + # See https://github.com/matrix-org/matrix-appservice-irc/issues/55 + enabled: true + # The nickname to give the AS bot. + nick: "AuroreBot" + # The password to give to NickServ or IRC Server for this nick. Optional. + # password: "helloworld" + # + # Join channels even if there are no Matrix users on the other side of + # the bridge. Set to false to prevent the bot from joining channels which have no + # real matrix users in them, even if there is a mapping for the channel. + # Default: true + joinChannelsIfNoUsers: true + + # Configuration for PMs / private 1:1 communications between users. + privateMessages: + # Enable the ability for PMs to be sent to/from IRC/Matrix. + # Default: true. + enabled: true + # Prevent Matrix users from sending PMs to the following IRC nicks. + # Optional. Default: []. + # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED + + # Should created Matrix PM rooms be federated? If false, only users on the + # HS attached to this AS will be able to interact with this room. + # Optional. Default: true. + federate: true + + # Configuration for mappings not explicitly listed in the 'mappings' + # section. + dynamicChannels: + # Enable the ability for Matrix users to join *any* channel on this IRC + # network. + # Default: false. + enabled: true + # Should the AS create a room alias for the new Matrix room? The form of + # the alias can be modified via 'aliasTemplate'. Default: true. + createAlias: true + # Should the AS publish the new Matrix room to the public room list so + # anyone can see it? Default: true. + published: false + # What should the join_rule be for the new Matrix room? If 'public', + # anyone can join the room. If 'invite', only users with an invite can + # join the room. Note that if an IRC channel has +k or +i set on it, + # join_rules will be set to 'invite' until these modes are removed. + # Default: "public". 
+ joinRule: public + # This will set the m.room.related_groups state event in newly created rooms + # with the given groupId. This means flares will show up on IRC users in those rooms. + # This should be set to the same thing as namespaces.users.group_id in irc_registration. + # This does not alter existing rooms. + # Leaving this option empty will not set the event. + groupId: +myircnetwork:localhost + # Should created Matrix rooms be federated? If false, only users on the + # HS attached to this AS will be able to interact with this room. + # Default: true. + federate: true + # The room alias template to apply when creating new aliases. This only + # applies if createAlias is 'true'. The following variables are exposed: + # $SERVER => The IRC server address (e.g. "irc.example.com") + # $CHANNEL => The IRC channel (e.g. "#python") + # This MUST have $CHANNEL somewhere in it. + # Default: '#irc_$SERVER_$CHANNEL' + aliasTemplate: "#irc_crans_$CHANNEL" + # A list of user IDs which the AS bot will send invites to in response + # to a !join. Only applies if joinRule is 'invite'. Default: [] + # whitelist: + # - "@foo:example.com" + # - "@bar:example.com" + # + # Prevent the given list of channels from being mapped under any + # circumstances. + # exclude: ["#foo", "#bar"] + + # Configuration for controlling how Matrix and IRC membership lists are + # synced. + membershipLists: + # Enable the syncing of membership lists between IRC and Matrix. This + # can have a significant effect on performance on startup as the lists are + # synced. This must be enabled for anything else in this section to take + # effect. Default: false. + enabled: true + + # Syncing membership lists at startup can result in hundreds of members to + # process all at once. This timer drip feeds membership entries at the + # specified rate. Default: 10000. 
(10s) + floodDelayMs: 10000 + + global: + ircToMatrix: + # Get a snapshot of all real IRC users on a channel (via NAMES) and + # join their virtual matrix clients to the room. + initial: false + # Make virtual matrix clients join and leave rooms as their real IRC + # counterparts join/part channels. Default: false. + incremental: true + + matrixToIrc: + # Get a snapshot of all real Matrix users in the room and join all of + # them to the mapped IRC channel on startup. Default: false. + initial: false + # Make virtual IRC clients join and leave channels as their real Matrix + # counterparts join/leave rooms. Make sure your 'maxClients' value is + # high enough! Default: false. + incremental: true + + # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect. + rooms: + + # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect. + channels: + + mappings: + # 1:many mappings from IRC channels to room IDs on this IRC server. + # The matrix room must already exist. Your matrix client should expose + # the room ID in a "settings" page for the room. + # "#thepub": ["!kieouiJuedJoxtVdaG:localhost"] + + # Configuration for virtual matrix users. The following variables are + # exposed: + # $NICK => The IRC nick + # $SERVER => The IRC server address (e.g. "irc.example.com") + matrixClients: + # The user ID template to use when creating virtual matrix users. This + # MUST have $NICK somewhere in it. + # Optional. Default: "@$SERVER_$NICK". + # Example: "@irc.example.com_Alice:example.com" + userTemplate: "@irc_$NICK" + # The display name to use for created matrix clients. This should have + # $NICK somewhere in it if it is specified. Can also use $SERVER to + # insert the IRC domain. + # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)" + displayName: "$NICK (IRC)" + # Number of tries a client can attempt to join a room before the request + # is discarded. You can also use -1 to never retry or 0 to never give up. + # Optional. 
Default: -1 + joinAttempts: -1 + + # Configuration for virtual IRC users. The following variables are exposed: + # $LOCALPART => The user ID localpart ("alice" in @alice:localhost) + # $USERID => The user ID + # $DISPLAY => The display name of this user, with excluded characters + # (e.g. space) removed. If the user has no display name, this + # falls back to $LOCALPART. + ircClients: + # The template to apply to every IRC client nick. This MUST have either + # $DISPLAY or $USERID or $LOCALPART somewhere in it. + # Optional. Default: "M-$DISPLAY". Example: "M-Alice". + nickTemplate: "$DISPLAY[m]" + # True to allow virtual IRC clients to change their nick on this server + # by issuing !nick commands to the IRC AS bot. + # This is completely freeform: it will NOT follow the nickTemplate. + allowNickChanges: true + # The max number of IRC clients that will connect. If the limit is + # reached, the client that spoke the longest time ago will be + # disconnected and replaced. + # Optional. Default: 30. + maxClients: 30 + # IPv6 configuration. + ipv6: + # Optional. Set to true to force IPv6 for outgoing connections. + only: false + # Optional. The IPv6 prefix to use for generating unique addresses for each + # connected user. If not specified, all users will connect from the same + # (default) address. This may require additional OS-specific work to allow + # for the node process to bind to multiple different source addresses + # e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library + # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt. + # prefix: "2001:0db8:85a3::" # modify appropriately + # + # The maximum amount of time in seconds that the client can exist + # without sending another message before being disconnected. Use 0 to + # not apply an idle timeout. This value is ignored if this IRC server is + # mirroring matrix membership lists to IRC. 
Default: 172800 (48 hours) + idleTimeout: 10800 + # The number of millseconds to wait between consecutive reconnections if a + # client gets disconnected. Setting to 0 will cause the scheduling to be + # disabled, i.e. it will be scheduled immediately (with jitter. + # Otherwise, the scheduling interval will be used such that one client + # reconnect for this server will be handled every reconnectIntervalMs ms using + # a FIFO queue. + # Default: 5000 (5 seconds) + reconnectIntervalMs: 5000 + # The number of concurrent reconnects if a user has been disconnected unexpectedly + # (e.g. a netsplit). You should set this to a reasonably high number so that + # bridges are not waiting an eternity to reconnect all its clients if + # we see a massive number of disconnect. This is unrelated to the reconnectIntervalMs + # setting above which is for connecting on restart of the bridge. Set to 0 to + # immediately try to reconnect all users. + # Default: 50 + concurrentReconnectLimit: 50 + # The number of lines to allow being sent by the IRC client that has received + # a large block of text to send from matrix. If the number of lines that would + # be sent is > lineLimit, the text will instead be uploaded to matrix and the + # resulting URI is treated as a file. As such, a link will be sent to the IRC + # side instead of potentially spamming IRC and getting the IRC client kicked. + # Default: 3. + lineLimit: 3 + # A list of user modes to set on every IRC client. For example, "RiG" would set + # +R, +i and +G on every IRC connection when they have successfully connected. + # User modes vary wildly depending on the IRC network you're connecting to, + # so check before setting this value. Some modes may not work as intended + # through the bridge e.g. caller ID as there is no way to /ACCEPT. + # Default: "" (no user modes) + # userModes: "R" + + # Configuration for an ident server. 
If you are running a public bridge it is + # advised you setup an ident server so IRC mods can ban specific matrix users + # rather than the application service itself. + ident: + # True to listen for Ident requests and respond with the + # matrix user's user_id (converted to ASCII, respecting RFC 1413). + # Default: false. + enabled: false + # The port to listen on for incoming ident requests. + # Ports below 1024 require root to listen on, and you may not want this to + # run as root. Instead, you can get something like an Apache to yank up + # incoming requests to 113 to a high numbered port. Set the port to listen + # on instead of 113 here. + # Default: 113. + port: 1113 + # The address to listen on for incoming ident requests. + # Default: 0.0.0.0 + address: "::" + + # Configuration for logging. Optional. Default: console debug level logging + # only. + logging: + # Level to log on console/logfile. One of error|warn|info|debug + level: "info" + # The file location to log to. This is relative to the project directory. + logfile: "debug.log" + # The file location to log errors to. This is relative to the project + # directory. + errfile: "errors.log" + # Whether to log to the console or not. + toConsole: true + # The max number of files to keep. Files will be overwritten eventually due + # to rotations. + maxFiles: 5 + + # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`: + # $ npm install prom-client@6.3.0 + # Metrics will then be available via GET /metrics on the bridge listening port (-p). + metrics: + # Whether to actually enable the metric endpoint. Default: false + enabled: false + # When collecting remote user active times, which "buckets" should be used. Defaults are given below. + # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks). + remoteUserAgeBuckets: + - "1h" + - "1d" + - "1w" + + # The nedb database URI to connect to. This is the name of the directory to + # dump .db files to. 
This is relative to the project directory. + # Required. + databaseUri: "nedb://data" + + # Configuration options for the debug HTTP API. To access this API, you must + # append ?access_token=$APPSERVICE_TOKEN (from the registration file) to the requests. + # + # The debug API exposes the following endpoints: + # + # GET /irc/$domain/user/$user_id => Return internal state for the IRC client for this user ID. + # + # POST /irc/$domain/user/$user_id => Issue a raw IRC command down this connection. + # Format: new line delimited commands as per IRC protocol. + # + debugApi: + # True to enable the HTTP API endpoint. Default: false. + enabled: false + # The port to host the HTTP API. + port: 11100 + + # Configuration for the provisioning API. + # + # GET /_matrix/provision/link + # GET /_matrix/provision/unlink + # GET /_matrix/provision/listlinks + # + provisioning: + # True to enable the provisioning HTTP endpoint. Default: false. + enabled: false + # The number of seconds to wait before giving up on getting a response from + # an IRC channel operator. If the channel operator does not respond within the + # allotted time period, the provisioning request will fail. + # Default: 300 seconds (5 mins) + requestTimeoutSeconds: 300 + + # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot + # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in + # the database. + # + # To generate a .pem file: + # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 + # + # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords + # for storage in the database. Passwords are stored by using the admin room command + # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of + # the Matrix user, this password will be sent as the server password (PASS command). 
+ passwordEncryptionKeyPath: "passkey.pem" + + # Config for Matrix -> IRC bridging + matrixHandler: + # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies). + eventCacheSize: 4096 + +# Options here are generally only applicable to large-scale bridges and may have +# consequences greater than other options in this configuration file. +advanced: + # The maximum number of HTTP(S) sockets to maintain. Usually this is unlimited + # however for large bridges it is important to rate limit the bridge to avoid + # accidentally overloading the homeserver. Defaults to 1000, which should be + # enough for the vast majority of use cases. + maxHttpSockets: 1000 diff --git a/roles/matrix-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 new file mode 100644 index 0000000..1f25539 --- /dev/null +++ b/roles/matrix-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 @@ -0,0 +1,17 @@ +# {{ ansible_managed }} + +[Unit] +Description=A bridge between Matrix and IRC +After=syslog.target network-online.target mysql.service postgresql.service +Conflicts=shutdown.target + +[Service] +Type=simple +User=matrix-appservice-irc +Group=matrix-appservice-irc +WorkingDirectory=/var/local/matrix-appservice-irc/matrix-appservice-irc +ExecStart=/usr/bin/nodejs /var/local/matrix-appservice-irc/matrix-appservice-irc/app.js -c config.yaml -f my_registration_file.yaml -p 9999 +Restart=always + +[Install] +WantedBy=multi-user.target From c8c7fcbcfd825a9268ee7fb311a40018e11de419 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 10 Mar 2019 13:22:32 +0100 Subject: [PATCH 008/297] Use Python 3 --- group_vars/all/vars.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index c57ea13..05828fc 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml 
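Review bot: The ExecStart line hard-codes `-f my_registration_file.yaml -p 9999`; the registration file name reads like an upstream example placeholder rather than something this role writes, and the port appears nowhere else in the unit, so both are worth templating from role variables since the file is already a .j2 template. The unit also runs a network-facing Node process with no sandboxing; adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` under [Service] costs nothing for a plain app.js. `After=mysql.service postgresql.service` is presumably inherited from an upstream example as well — the config in this same patch points at `nedb://data`, so those orderings may be unnecessary.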
@@ -1,4 +1,7 @@ --- +# Use Python 3 +ansible_python_interpreter: '/usr/bin/env python3' + # LDAP binding # You can hash LDAP passwords with `slappasswd` tool ldap_base: 'dc=auro,dc=re' From 761695f9921af572594db0ae81caea20f75b6471 Mon Sep 17 00:00:00 2001 From: Vulcain Date: Sun, 10 Mar 2019 18:46:37 +0100 Subject: [PATCH 009/297] =?UTF-8?q?ajout=20des=20machines=20setup=20=C3=A0?= =?UTF-8?q?=20la=20pacaterie?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- hosts | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/hosts b/hosts index 34cdde3..bc7bbee 100644 --- a/hosts +++ b/hosts @@ -36,6 +36,11 @@ re2o-test.adm.auro.re #ldap-replica-fleming1.adm.auro.re #ldap-replica-fleming2.adm.auro.re +[pacaterie-pve] +#merlin.adm.auro.re +#leodagan.adm.auro.re +#mordred.adm.auro.re + # everything at ovh [ovh:children] ovh-pve @@ -51,6 +56,10 @@ ovh-testing-vm fleming-pve fleming-vm-ldap-replica +# everything at pacaterie +[pacaterie:children] +pacaterie-pve + # every LXC container [container:children] ovh-container @@ -64,6 +73,7 @@ fleming-vm-ldap-replica [pve:children] ovh-pve fleming-pve +pacaterie-pve # every LDAP replica [ldap-replica:children] From a08be12b41dcdeba2877f959a6a7dcb5ebda2f6c Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 11 Mar 2019 14:52:03 +0100 Subject: [PATCH 010/297] Security policies based on ANSSI recommandations --- base.yml | 1 + roles/basesecurity/tasks/main.yml | 25 +++++++++++++++++++ .../templates/sysctl.d/local.conf.j2 | 17 +++++++++++++ 3 files changed, 43 insertions(+) create mode 100644 roles/basesecurity/tasks/main.yml create mode 100644 roles/basesecurity/templates/sysctl.d/local.conf.j2 diff --git a/base.yml b/base.yml index 90e258b..e10f9d7 100644 --- a/base.yml +++ b/base.yml @@ -3,3 +3,4 @@ - hosts: all roles: - baseconfig + - basesecurity diff --git a/roles/basesecurity/tasks/main.yml b/roles/basesecurity/tasks/main.yml new file mode 100644 index 0000000..6b0f596 
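Review bot: `ansible_python_interpreter: '/usr/bin/env python3'` resolves the interpreter through the remote user's PATH, so the Python that runs modules depends on the login environment (and on what `become` keeps of it) rather than on the host; on the Debian hosts this repository targets `ansible_python_interpreter: '/usr/bin/python3'` is the deterministic choice. A short comment above the key saying why Python 3 is forced would also help, since group_vars/all applies to every host.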
--- /dev/null
+++ b/roles/basesecurity/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+- name: Configure sysctl
+ template:
+ src: 'sysctl.d/local.conf.j2'
+ dest: '/etc/sysctl.d/local.conf'
+ mode: 0644
+
+# Use this command to list setuid or setgid executables
+# find / -type f -perm /6000 -ls 2>/dev/null
+- name: Desactivate setuid/setgid on unused binaries
+ file:
+ path: "{{ item }}"
+ mode: u-s,g-s
+ loop:
+ - /usr/lib/openssh/sshkeysign # Not used
+ - /usr/bin/gpasswd # No group auth
+ - /usr/bin/passwd # Only root should change passwd
+ - /usr/bin/expiry # With re2o
+ - /usr/bin/newgrp # No group auth
+ - /usr/bin/chage # With re2o
+ - /usr/bin/chsh # With re2o
+ - /usr/bin/chfn # With re2o
+ - /bin/mount # Only root should mount
+ - /bin/umount # Only root should umount
+ ignore_errors: yes # Sometimes file won't exist
diff --git a/roles/basesecurity/templates/sysctl.d/local.conf.j2 b/roles/basesecurity/templates/sysctl.d/local.conf.j2
new file mode 100644
index 0000000..86ef034
--- /dev/null
+++ b/roles/basesecurity/templates/sysctl.d/local.conf.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+# See https://www.ssi.gouv.fr/uploads/2016/01/linux_configuration-fr-v1.2.pdf
+
+# Disable core dump of setuid executables
+# So an user can't read privileged information in memory
+fs.suid_dumpable = 0
+
+# Obfuscate kernel memory addresses
+kernel.kptr_restrict = 1
+
+# Restrict dmesg access
+# This can leak specific harware failures to exploit
+kernel.dmesg_restrict = 1
+
+# Do not load kernel modules after boot
+# Some modules have security issues and are used in exploits
+kernel.modules_disabled = 1
From ce40a5cb665834a48148939b763ec3f72ef604e8 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Mon, 11 Mar 2019 14:55:21 +0100
Subject: [PATCH 011/297] Add screen and remove iPython2
---
 roles/baseconfig/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
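Review bot: The "Configure sysctl" task writes /etc/sysctl.d/local.conf but has no `notify`, so the new values are not applied until the next reboot; add a handler (for example `command: sysctl --system`, or the `sysctl` module with `sysctl_file` and `reload: true` per key) and notify it from the template task. In the setuid task, `ignore_errors: yes` masks every failure, including permission errors on binaries that do exist; prefer `register: setuid_result` plus `failed_when: setuid_result.failed and 'is absent' not in setuid_result.msg` (confirm the exact message text for the Ansible version in use), and write the boolean as `true` for yamllint's truthy rule. Quoting `mode: "0644"` avoids relying on YAML 1.1 octal parsing.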
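Review bot: `kernel.modules_disabled = 1` is one-way until reboot and sysctl.d is applied by systemd-sysctl early in boot, so any module that is normally loaded on demand afterwards (netfilter/conntrack when a firewall starts, filesystems, bridge/veth/kvm on the Proxmox hosts in the `pve` groups of this inventory) will fail to load. Unless the hosts are known to have every needed module loaded by that point, this key should be dropped or set from a late-boot unit after the dependent services are up; a comment documenting that trade-off belongs above the key either way, e.g. `# WARNING: irreversible until reboot; breaks on-demand module loading (firewall, fs, virtualization)`. The other three keys are safe to apply live and should be, via a handler on the template task.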
diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml index 27fbd03..f592bcf 100644 --- a/roles/baseconfig/tasks/main.yml +++ b/roles/baseconfig/tasks/main.yml @@ -17,8 +17,8 @@ - htop # better than top - less # i like cats - tree # create a graphical tree of files - - ipython # better Python shell - acl # for Ansible become support + - screen # Vulcain asked for this # Pimp my server - name: Customize motd From 563d9658ed9901e18e183b09bcf7481dafd5d43d Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 11 Mar 2019 15:10:17 +0100 Subject: [PATCH 012/297] Add newline at end of 0_apt_dependencies.yml in CodiMD role --- roles/codimd/tasks/0_apt_dependencies.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/codimd/tasks/0_apt_dependencies.yml b/roles/codimd/tasks/0_apt_dependencies.yml index c3a45a9..0bf26ad 100644 --- a/roles/codimd/tasks/0_apt_dependencies.yml +++ b/roles/codimd/tasks/0_apt_dependencies.yml @@ -28,4 +28,5 @@ register: apt_result retries: 3 until: apt_result is succeeded - - yarn \ No newline at end of file + - yarn + From f347daa40830f06e5b0641c3dbf4b6fa3963c897 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 11 Mar 2019 15:12:58 +0100 Subject: [PATCH 013/297] Use systemd module rather than command --- roles/matrix-appservice-discord/handlers/main.yml | 3 ++- roles/matrix-appservice-irc/handlers/main.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/matrix-appservice-discord/handlers/main.yml b/roles/matrix-appservice-discord/handlers/main.yml index ac3842d..46a7fd8 100644 --- a/roles/matrix-appservice-discord/handlers/main.yml +++ b/roles/matrix-appservice-discord/handlers/main.yml @@ -1,4 +1,5 @@ --- # Reload systemd daemons when a service file changes - name: Reload systemd daemons - command: systemctl daemon-reload + systemd: + daemon_reload: true 
diff --git a/roles/matrix-appservice-irc/handlers/main.yml b/roles/matrix-appservice-irc/handlers/main.yml index ac3842d..46a7fd8 100644 --- a/roles/matrix-appservice-irc/handlers/main.yml +++ b/roles/matrix-appservice-irc/handlers/main.yml @@ -1,4 +1,5 @@ --- # Reload systemd daemons when a service file changes - name: Reload systemd daemons - command: systemctl daemon-reload + systemd: + daemon_reload: true From 1274ec4be4d16717e2d4e71fa166363ed93652ed Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 11 Mar 2019 15:30:49 +0100 Subject: [PATCH 014/297] Fix last line of CodiMD apt dep --- roles/codimd/tasks/0_apt_dependencies.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/codimd/tasks/0_apt_dependencies.yml b/roles/codimd/tasks/0_apt_dependencies.yml index 0bf26ad..cbf03cb 100644 --- a/roles/codimd/tasks/0_apt_dependencies.yml +++ b/roles/codimd/tasks/0_apt_dependencies.yml @@ -29,4 +29,3 @@ retries: 3 until: apt_result is succeeded - yarn - From 4ebaa4f36f2a7d6b9f84b1b9e192e082f6d06e60 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 11 Mar 2019 15:39:11 +0100 Subject: [PATCH 015/297] Add retries to APT modules in Matrix Appservices --- roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml | 3 +++ roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml b/roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml index 40fbbce..04288e5 100644 --- a/roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml +++ b/roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml @@ -18,3 +18,6 @@ - nodejs - npm - build-essential + register: apt_result + retries: 3 + until: apt_result is succeeded diff --git a/roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml b/roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml index 40fbbce..04288e5 100644 --- a/roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml 
+++ b/roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml @@ -18,3 +18,6 @@ - nodejs - npm - build-essential + register: apt_result + retries: 3 + until: apt_result is succeeded From af81b41e83a2c837c18b82ba904dde2c2e72e199 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 11 Mar 2019 17:44:42 +0100 Subject: [PATCH 016/297] Use NPM module for matrix-appservice-irc --- roles/codimd/tasks/main.yml | 2 +- roles/matrix-appservice-discord/tasks/main.yml | 2 +- roles/matrix-appservice-irc/tasks/main.yml | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/codimd/tasks/main.yml b/roles/codimd/tasks/main.yml index 4e80f3c..0e7e49f 100644 --- a/roles/codimd/tasks/main.yml +++ b/roles/codimd/tasks/main.yml @@ -16,7 +16,7 @@ notify: Build front-end for CodiMD # Setup dependencies and configs -- name: Install CodiMD depedencies +- name: Install CodiMD dependencies command: NODE_ENV="production" bin/setup args: chdir: /var/local/codimd/codimd diff --git a/roles/matrix-appservice-discord/tasks/main.yml b/roles/matrix-appservice-discord/tasks/main.yml index a625a00..e3ed0b1 100644 --- a/roles/matrix-appservice-discord/tasks/main.yml +++ b/roles/matrix-appservice-discord/tasks/main.yml @@ -15,7 +15,7 @@ become_user: matrix-appservice-discord # Setup dependencies -- name: Install matrix-appservice-discord depedencies +- name: Install matrix-appservice-discord dependencies command: npm ci args: chdir: /var/local/matrix-appservice-discord/matrix-appservice-discord diff --git a/roles/matrix-appservice-irc/tasks/main.yml b/roles/matrix-appservice-irc/tasks/main.yml index 0f03d5b..298efa4 100644 --- a/roles/matrix-appservice-irc/tasks/main.yml +++ b/roles/matrix-appservice-irc/tasks/main.yml 
@@ -14,10 +14,10 @@ become_user: matrix-appservice-irc # Setup dependencies -- name: Install matrix-appservice-irc depedencies - command: npm install - args: - chdir: /var/local/matrix-appservice-irc/matrix-appservice-irc +- name: Install matrix-appservice-irc dependencies + npm: + path: /var/local/matrix-appservice-irc/matrix-appservice-irc + production: true become: true become_user: matrix-appservice-irc From b56ae303356a8ce21aa7aad7ba36896fdb8613cd Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 11 Mar 2019 17:49:48 +0100 Subject: [PATCH 017/297] Use YARN module from Ansible 2.7 --- README.md | 7 +++++++ roles/codimd/tasks/main.yml | 6 +++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index d91d960..56689f6 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,12 @@ # Playbook et rôles Ansible d'Aurore +Ces politiques de déployement nécessite Ansible 2.7 ou plus récent. +Le paquet dans Debian Buster est suffisamment à jour, sinon vous pouvez l'obtenir de la façon suivante : + +```bash +pip3 install --user ansible +``` + ## Exécution d'un playbook Pour appliquer le playbook `base.yml` : diff --git a/roles/codimd/tasks/main.yml b/roles/codimd/tasks/main.yml index 0e7e49f..7ea0069 100644 --- a/roles/codimd/tasks/main.yml +++ b/roles/codimd/tasks/main.yml @@ -17,9 +17,9 @@ # Setup dependencies and configs - name: Install CodiMD dependencies - command: NODE_ENV="production" bin/setup - args: - chdir: /var/local/codimd/codimd + yarn: + path: /var/local/codimd/codimd + production: true become: true become_user: codimd From 53b67acb07165f64e4ec0bbe539b40f2d6a9376a Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 11 Mar 2019 17:53:12 +0100 Subject: [PATCH 018/297] Fix a error due to previous merge --- roles/codimd/tasks/0_apt_dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
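Review bot: The context comment above the rewritten CodiMD task still says `# Setup dependencies and configs`, but the `yarn` module only installs packages; if `bin/setup` also prepared CodiMD's config files, that step is now lost, otherwise the comment should become `# Setup dependencies`. The hunk also drops the `NODE_ENV="production"` environment in favour of `production: true`; confirm the module flag covers what the script expected. The task's `become`/`become_user` lines continue outside the hunk.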
diff --git a/roles/codimd/tasks/0_apt_dependencies.yml b/roles/codimd/tasks/0_apt_dependencies.yml index cbf03cb..2b73378 100644 --- a/roles/codimd/tasks/0_apt_dependencies.yml +++ b/roles/codimd/tasks/0_apt_dependencies.yml @@ -25,7 +25,7 @@ - nodejs - npm - build-essential + - yarn register: apt_result retries: 3 until: apt_result is succeeded - - yarn From 84263d7712803522b1eeab29bbe28f5d7f8b7aa0 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 11 Mar 2019 18:02:29 +0100 Subject: [PATCH 019/297] Do not use depreciated loop with APT --- roles/baseconfig/tasks/main.yml | 7 ++----- roles/codimd/tasks/0_apt_dependencies.yml | 14 ++++++-------- roles/etherpad/tasks/0_apt_dependencies.yml | 14 ++++++-------- roles/ldap-client/tasks/0_install_ldap.yml | 10 ++++------ .../tasks/0_apt_dependencies.yml | 12 +++++------- .../tasks/0_apt_dependencies.yml | 12 +++++------- 6 files changed, 28 insertions(+), 41 deletions(-) diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml index 807c20d..447b046 100644 --- a/roles/baseconfig/tasks/main.yml +++ b/roles/baseconfig/tasks/main.yml @@ -3,11 +3,7 @@ - name: Install basic tools when: ansible_os_family == "Debian" apt: - name: "{{ packages }}" - state: present - update_cache: true - vars: - packages: + name: - bash-completion # for bash users - zsh # alternative shell - sudo # to gain root access @@ -19,6 +15,7 @@ - tree # create a graphical tree of files - ipython # better Python shell - acl # for Ansible become support + update_cache: true register: apt_result retries: 3 until: apt_result is succeeded diff --git a/roles/codimd/tasks/0_apt_dependencies.yml b/roles/codimd/tasks/0_apt_dependencies.yml index 2b73378..3e30b80 100644 --- a/roles/codimd/tasks/0_apt_dependencies.yml +++ b/roles/codimd/tasks/0_apt_dependencies.yml 
@@ -17,15 +17,13 @@ # Install CodiMD dependencies - name: Install required packages apt: - name: "{{ item }}" - state: present + name: + - git + - nodejs + - npm + - build-essential + - yarn update_cache: true - with_items: - - git - - nodejs - - npm - - build-essential - - yarn register: apt_result retries: 3 until: apt_result is succeeded diff --git a/roles/etherpad/tasks/0_apt_dependencies.yml b/roles/etherpad/tasks/0_apt_dependencies.yml index c5995f1..e36321b 100644 --- a/roles/etherpad/tasks/0_apt_dependencies.yml +++ b/roles/etherpad/tasks/0_apt_dependencies.yml @@ -12,15 +12,13 @@ # Install EtherPad dependencies - name: Install required packages apt: - name: "{{ item }}" - state: present + name: + - build-essential + - curl + - git + - nodejs + - npm update_cache: true - with_items: - - build-essential - - curl - - git - - nodejs - - npm register: apt_result retries: 3 until: apt_result is succeeded diff --git a/roles/ldap-client/tasks/0_install_ldap.yml b/roles/ldap-client/tasks/0_install_ldap.yml index 16552a0..5905d4a 100644 --- a/roles/ldap-client/tasks/0_install_ldap.yml +++ b/roles/ldap-client/tasks/0_install_ldap.yml @@ -2,13 +2,11 @@ # Install LDAP client packages - name: Install LDAP client packages apt: - name: "{{ item }}" - state: present + name: + - nslcd + - libnss-ldapd + - libpam-ldapd update_cache: true - with_items: - - nslcd - - libnss-ldapd - - libpam-ldapd register: apt_result retries: 3 until: apt_result is succeeded diff --git a/roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml b/roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml index 04288e5..d61dd10 100644 --- a/roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml +++ b/roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml 
@@ -10,14 +10,12 @@ - name: Install required packages apt: - name: "{{ item }}" - state: present + name: + - git + - nodejs + - npm + - build-essential update_cache: true - with_items: - - git - - nodejs - - npm - - build-essential register: apt_result retries: 3 until: apt_result is succeeded diff --git a/roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml b/roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml index 04288e5..d61dd10 100644 --- a/roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml +++ b/roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml @@ -10,14 +10,12 @@ - name: Install required packages apt: - name: "{{ item }}" - state: present + name: + - git + - nodejs + - npm + - build-essential update_cache: true - with_items: - - git - - nodejs - - npm - - build-essential register: apt_result retries: 3 until: apt_result is succeeded From b9d5601e368ac721814d7e314abe457d0517fb0f Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 11 Mar 2019 18:10:35 +0100 Subject: [PATCH 020/297] Remove useless PRODUCTION var for webpack CodiMD --- roles/codimd/handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/codimd/handlers/main.yml b/roles/codimd/handlers/main.yml index 0f565f3..08525df 100644 --- a/roles/codimd/handlers/main.yml +++ b/roles/codimd/handlers/main.yml @@ -2,7 +2,7 @@ # Build front-end bundle # This can take very long and requires > 2GB of RAM - name: Build front-end for CodiMD - command: NODE_ENV="production" yarn run build + command: yarn run build args: chdir: /var/local/codimd/codimd become: true From 4b5631e60b2110e8a08030ddc22afd3d105cb8a1 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 11 Mar 2019 18:12:55 +0100 Subject: [PATCH 021/297] Retry 3 times npm and yarn --- roles/codimd/tasks/main.yml | 3 +++ roles/matrix-appservice-irc/tasks/main.yml | 3 +++ 2 files changed, 6 insertions(+) 
diff --git a/roles/codimd/tasks/main.yml b/roles/codimd/tasks/main.yml index 7ea0069..f3b349f 100644 --- a/roles/codimd/tasks/main.yml +++ b/roles/codimd/tasks/main.yml @@ -22,6 +22,9 @@ production: true become: true become_user: codimd + register: yarn_result + retries: 3 + until: yarn_result is succeeded # Connection to database - name: Connect CodiMD to PostgreSQL db diff --git a/roles/matrix-appservice-irc/tasks/main.yml b/roles/matrix-appservice-irc/tasks/main.yml index 298efa4..4025fc7 100644 --- a/roles/matrix-appservice-irc/tasks/main.yml +++ b/roles/matrix-appservice-irc/tasks/main.yml @@ -20,6 +20,9 @@ production: true become: true become_user: matrix-appservice-irc + register: npm_result + retries: 3 + until: npm_result is succeeded # Configure - name: Configure matrix-appservice-irc From 16ca4956dce7e0e165e78754f85c84c97acc7bd9 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 11 Mar 2019 18:15:17 +0100 Subject: [PATCH 022/297] Make EtherPad default text shorter --- roles/etherpad/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/etherpad/tasks/main.yml b/roles/etherpad/tasks/main.yml index a6dea45..dae8ab9 100644 --- a/roles/etherpad/tasks/main.yml +++ b/roles/etherpad/tasks/main.yml @@ -32,7 +32,7 @@ with_dict: title: " \"title\": \"Etherpad Aurore\"," dbType: " \"dbType\" : \"postgres\"," - defaultPadText: " \"defaultPadText\" : \"Bienvenue sur l'EtherPad d'Aurore !\\n\\nCe pad est synchronisé avec les autres utilisateur·rice·s présent·e·s sur cette page.\\n\"," + defaultPadText: " \"defaultPadText\" : \"Bienvenue sur l'EtherPad d'Aurore !\\n\\nCe pad est public.\\n\"," lang: " \"lang\": \"fr-fr\"" # Service file From dd19efaecd9bd7cbae248e9fa6b42c310ec19c0a Mon Sep 17 00:00:00 2001 
From: Alexandre Iooss Date: Tue, 12 Mar 2019 07:47:07 +0100 Subject: [PATCH 023/297] Do not download rest_auth_provider.py --- matrix.yml | 1 - .../files/rest_auth_provider.py | 178 ++++++++++++++++++ roles/matrix-synapse/tasks/main.yml | 4 +- 3 files changed, 180 insertions(+), 3 deletions(-) create mode 100644 roles/matrix-synapse/files/rest_auth_provider.py diff --git a/matrix.yml b/matrix.yml index 971ceab..797215b 100644 --- a/matrix.yml +++ b/matrix.yml @@ -3,7 +3,6 @@ - hosts: synapse.adm.auro.re vars: mxisd_version: 1.3.1 - synapse_rest_auth_url: https://raw.githubusercontent.com/kamax-matrix/matrix-synapse-rest-auth/master/rest_auth_provider.py roles: - debian-backports - matrix-synapse diff --git a/roles/matrix-synapse/files/rest_auth_provider.py b/roles/matrix-synapse/files/rest_auth_provider.py new file mode 100644 index 0000000..1d582d9 --- /dev/null +++ b/roles/matrix-synapse/files/rest_auth_provider.py 
@@ -0,0 +1,178 @@
+# -*- coding: utf-8 -*-
+#
+# REST endpoint Authentication module for Matrix synapse
+# Copyright (C) 2017 Maxime Dor
+#
+# https://max.kamax.io/
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+#
+
+import logging
+from twisted.internet import defer
+import requests
+import json
+
+logger = logging.getLogger(__name__)
+
+class RestAuthProvider(object):
+
+def __init__(self, config, account_handler):
+self.account_handler = account_handler
+
+if not config.endpoint:
+raise RuntimeError('Missing endpoint config')
+
+self.endpoint = config.endpoint
+self.regLower = config.regLower
+self.config = config
+
+logger.info('Endpoint: %s', self.endpoint)
+logger.info('Enforce lowercase username during registration: %s', self.regLower)
+
+@defer.inlineCallbacks
+def check_password(self, user_id, password):
+logger.info("Got password check for " + user_id)
+data = {'user':{'id':user_id, 'password':password}}
+r = requests.post(self.endpoint + '/_matrix-internal/identity/v1/check_credentials', json = data)
+r.raise_for_status()
+r = r.json()
+if not r["auth"]:
+reason = "Invalid JSON data returned from REST endpoint"
+logger.warning(reason)
+raise RuntimeError(reason)
+
+auth = r["auth"]
+if not auth["success"]:
+logger.info("User not authenticated")
+defer.returnValue(False)
+
+localpart = user_id.split(":", 1)[0][1:]
+logger.info("User %s authenticated", user_id)
+
+registration = False
+if not (yield self.account_handler.check_user_exists(user_id)):
+logger.info("User %s does not exist yet, creating...", user_id)
+
+if localpart != localpart.lower() and self.regLower:
+logger.info('User %s was cannot be created due to username lowercase policy', localpart)
+defer.returnValue(False)
+
+user_id, access_token = (yield self.account_handler.register(localpart=localpart))
+registration = True
+logger.info("Registration based on REST data was successful for %s", user_id)
+else:
+logger.info("User %s already exists, registration skipped", user_id)
+
+if auth["profile"]:
+logger.info("Handling profile data")
+profile = auth["profile"]
+
+store = yield self.account_handler.hs.get_profile_handler().store
+if "display_name" in profile and ((registration and self.config.setNameOnRegister) or (self.config.setNameOnLogin)):
+display_name = profile["display_name"]
+logger.info("Setting display name to '%s' based on profile data", display_name)
+yield store.set_profile_displayname(localpart, display_name)
+else:
+logger.info("Display name was not set because it was not given or policy restricted it")
+
+if (self.config.updateThreepid):
+if "three_pids" in profile:
+logger.info("Handling 3PIDs")
+for threepid in profile["three_pids"]:
+medium = threepid["medium"].lower()
+address = threepid["address"].lower()
+logger.info("Looking for 3PID %s:%s in user profile", medium, address)
+
+validated_at = self.account_handler.hs.get_clock().time_msec()
+if not (yield store.get_user_id_by_threepid(medium, address)):
+logger.info("3PID is not present, adding")
+yield store.user_add_threepid(
+user_id,
+medium,
+address,
+validated_at,
+validated_at
+)
+else:
+logger.info("3PID is present, skipping")
+else:
+logger.info("3PIDs were not updated due to policy")
+else:
+logger.info("No profile data")
+
+defer.returnValue(True)
+
+@staticmethod
+def parse_config(config):
+# verify config sanity
+_require_keys(config, ["endpoint"])
+
+class _RestConfig(object):
+endpoint = ''
+regLower = True
+setNameOnRegister = True
+setNameOnLogin = False
+updateThreepid = True
+
+rest_config = _RestConfig()
+rest_config.endpoint = config["endpoint"]
+
+try:
+rest_config.regLower = config['policy']['registration']['username']['enforceLowercase']
+except TypeError:
+# we don't care
+pass
+except KeyError:
+# we don't care
+pass
+
+try:
+rest_config.setNameOnRegister = config['policy']['registration']['profile']['name']
+except TypeError:
+# we don't care
+pass
+except KeyError:
+# we don't care
+pass
+
+try:
+rest_config.setNameOnLogin = config['policy']['login']['profile']['name']
+except TypeError:
+# we don't care
+pass
+except KeyError:
+# we don't care
+pass
+
+try:
+rest_config.updateThreepid = config['policy']['all']['threepid']['update']
+except TypeError:
+# we don't care
+pass
+except KeyError:
+# we don't care
+pass
+
+return rest_config
+
+def _require_keys(config, required):
+missing = [key for key in required if key not in config]
+if missing:
+raise Exception(
+"REST Auth enabled but missing required config values: {}".format(
+", ".join(missing)
+)
+)
+
diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml
index 565bc80..196611f 100644
--- a/roles/matrix-synapse/tasks/main.yml
+++ b/roles/matrix-synapse/tasks/main.yml
@@ -25,8 +25,8 @@
 notify: Restart matrix-synapse service
 
 - name: Install rest auth provider
-get_url:
-url: "{{ synapse_rest_auth_url }}"
+copy:
+src: rest_auth_provider.py
 dest: /usr/local/lib/python3.5/dist-packages/rest_auth_provider.py
 mode: 0755
 notify: Restart matrix-synapse service
From a8656251ab5649f6b1e01f59129964b4a6994a9c Mon Sep 17 00:00:00 2001
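Review bot: `if not r["auth"]:` in check_password raises KeyError instead of the intended RuntimeError when the endpoint's JSON has no `auth` key, so the "Invalid JSON data returned from REST endpoint" branch is unreachable for exactly the malformed response it was written for; `if not r.get("auth"):` fixes it, and `auth.get("success")` / `auth.get("profile")` deserve the same treatment. Separately, the request body carries the cleartext password while `parse_config` accepts any `endpoint` string, so a plain-http endpoint in the homeserver config would send credentials unencrypted; rejecting endpoints that do not start with `https://` in `parse_config` (or at least logging a warning there) makes that misconfiguration visible. Since the file is a vendored copy of the upstream module the commit stops downloading, either apply the fixes upstream or record the local deviation in the header comment so the next sync does not drop them.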
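Review bot: The `copy:` task installs a vendored rest_auth_provider.py but nothing records which upstream revision it was copied from, so a later diff against upstream (previously fetched from the kamax-matrix master URL that matrix.yml drops) will be guesswork. A comment above the task such as `# Vendored from kamax-matrix/matrix-synapse-rest-auth at <UPSTREAM_COMMIT>; re-review before updating` keeps the provenance with the file. The unchanged `mode: 0755` grants execute permission that an imported Python module never needs; `mode: "0644"` is enough and is the quoted form Ansible documents. The task list continues outside the hunk.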
From: Alexandre Iooss
Date: Tue, 12 Mar 2019 07:48:09 +0100
Subject: [PATCH 024/297] Tab is useless in sudoers
---
roles/ldap-client/tasks/1_group_security.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/ldap-client/tasks/1_group_security.yml b/roles/ldap-client/tasks/1_group_security.yml
index c40b466..13e3261 100644
--- a/roles/ldap-client/tasks/1_group_security.yml
+++ b/roles/ldap-client/tasks/1_group_security.yml
@@ -20,4 +20,4 @@
 lineinfile:
 dest: /etc/sudoers
 regexp: "^%{{ sudo_group }}"
-line: "%{{ sudo_group }} ALL=(ALL:ALL) ALL"
+line: "%{{ sudo_group }} ALL=(ALL:ALL) ALL"
From 4a6da11837c923c8b5cdc233aed8e86434fd4901 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Tue, 12 Mar 2019 16:34:35 +0100
Subject: [PATCH 025/297] Clean up EtherPad dep install
---
roles/etherpad/tasks/main.yml | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/roles/etherpad/tasks/main.yml b/roles/etherpad/tasks/main.yml
index dae8ab9..62aa8d7 100644
--- a/roles/etherpad/tasks/main.yml
+++ b/roles/etherpad/tasks/main.yml
@@ -10,16 +10,32 @@
 git:
 repo: https://github.com/ether/etherpad-lite.git
 dest: /var/local/etherpad/etherpad-lite
-version: master
+version: 1.7.5
 become: true
 become_user: etherpad
 
-# Installation script
-# TODO: move this in a handler
+# Installation script bin/installDeps.sh (1)
+- name: Create node_modules directory
+file:
+path: /var/local/etherpad/etherpad-lite/node_modules
+state: directory
+become: true
+become_user: etherpad
+
+# Installation script bin/installDeps.sh (2)
+- name: Create symbolic link to EtherPad src
+file:
+src: /var/local/etherpad/etherpad-lite/src
+dest: /var/local/etherpad/etherpad-lite/node_modules/ep_etherpad-lite
+state: link
+become: true
+become_user: etherpad
+
+# Installation script bin/installDeps.sh (3)
+# TODO --no-save
 - name: Install Etherpad dependencies
-command: bin/installDeps.sh
-args:
-chdir: /var/local/etherpad/etherpad-lite
+npm:
+path: /var/local/etherpad/etherpad-lite/node_modules/ep_etherpad-lite
 become: true
 become_user: etherpad
 
From cc489907984b8fee1ecf4b75c2d8ebcd889f4912 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Tue, 12 Mar 2019 16:51:27 +0100
Subject: [PATCH 026/297] Use NPM module in matrix-appservice-discord
---
roles/matrix-appservice-discord/tasks/main.yml | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/roles/matrix-appservice-discord/tasks/main.yml b/roles/matrix-appservice-discord/tasks/main.yml
index e3ed0b1..a43642b 100644
--- a/roles/matrix-appservice-discord/tasks/main.yml
+++ b/roles/matrix-appservice-discord/tasks/main.yml
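Review bot: `version: 1.7.5` pins a git tag, and a tag is a movable reference, so the checkout is only as reproducible as upstream's tag discipline; pinning the commit the tag resolves to (`version: <ETHERPAD_1_7_5_COMMIT>`, with the tag named in a comment) gives the same pin against a stable reference. The new `npm:` task then installs whatever package.json resolves to at run time, which the `# TODO --no-save` comment already hints at, so the dependency set can differ between two runs of the role. The git task's `- name:` line and the rest of the task list are outside the hunk.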
@@ -15,18 +15,20 @@
 become_user: matrix-appservice-discord
 
 # Setup dependencies
+# May create issues with package-lock.json not in gitignore
 - name: Install matrix-appservice-discord dependencies
-command: npm ci
-args:
-chdir: /var/local/matrix-appservice-discord/matrix-appservice-discord
+npm:
+path: /var/local/matrix-appservice-discord/matrix-appservice-discord
 become: true
 become_user: matrix-appservice-discord
 
 # Typescript into javascript
 - name: Compile matrix-appservice-discord
-command: npm run build
+command: ./node_modules/.bin/tsc
 args:
 chdir: /var/local/matrix-appservice-discord/matrix-appservice-discord
+register: npm_build_result
+changed_when: npm_build_result
 become: true
 become_user: matrix-appservice-discord
 
From 431b063db7a27c8668027f99e6e23789dd1e2272 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Tue, 12 Mar 2019 16:56:01 +0100
Subject: [PATCH 027/297] Maybe last fix for the CI
---
roles/etherpad/tasks/main.yml | 9 ++++++---
roles/matrix-appservice-discord/tasks/main.yml | 3 +++
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/roles/etherpad/tasks/main.yml b/roles/etherpad/tasks/main.yml
index 62aa8d7..1e36ffe 100644
--- a/roles/etherpad/tasks/main.yml
+++ b/roles/etherpad/tasks/main.yml
@@ -25,9 +25,9 @@
 # Installation script bin/installDeps.sh (2)
 - name: Create symbolic link to EtherPad src
 file:
-src: /var/local/etherpad/etherpad-lite/src
-dest: /var/local/etherpad/etherpad-lite/node_modules/ep_etherpad-lite
-state: link
+src: /var/local/etherpad/etherpad-lite/src
+dest: /var/local/etherpad/etherpad-lite/node_modules/ep_etherpad-lite
+state: link
 become: true
 become_user: etherpad
 
@@ -38,6 +38,9 @@
 path: /var/local/etherpad/etherpad-lite/node_modules/ep_etherpad-lite
 become: true
 become_user: etherpad
+register: npm_result
+retries: 3
+until: npm_result is succeeded
 
 # Configuration
 - name: Configure EtherPad
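Review bot: `changed_when: npm_build_result` on the compile task is always true, because a registered result is a non-empty dict, so the task reports "changed" on every run and the condition adds nothing; `changed_when: false` is the honest choice unless tsc's output gives a real change signal. The dependency task now goes through the `npm` module, which runs `npm install` rather than the removed `npm ci`, so installed versions can drift from package-lock.json and the lockfile can be rewritten, as the added comment anticipates. If the Ansible release in use has the module's `ci: true` option, use it; otherwise keep `command: npm ci` with `args: creates:` pointing at node_modules for idempotence. The task list continues outside the hunk.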
diff --git a/roles/matrix-appservice-discord/tasks/main.yml b/roles/matrix-appservice-discord/tasks/main.yml
index a43642b..4461fe3 100644
--- a/roles/matrix-appservice-discord/tasks/main.yml
+++ b/roles/matrix-appservice-discord/tasks/main.yml
@@ -21,6 +21,9 @@
 path: /var/local/matrix-appservice-discord/matrix-appservice-discord
 become: true
 become_user: matrix-appservice-discord
+register: npm_result
+retries: 3
+until: npm_result is succeeded
 
 # Typescript into javascript
 - name: Compile matrix-appservice-discord
From 5dfd8eacc546a09322ac6928b1c3218b039e7c31 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Tue, 12 Mar 2019 17:04:06 +0100
Subject: [PATCH 028/297] Replace 'yes' by 'true'
---
roles/basesecurity/tasks/main.yml | 2 +-
roles/codimd/tasks/1_user_group.yml | 4 ++--
roles/etherpad/tasks/1_user_group.yml | 4 ++--
roles/ldap-replica/tasks/main.yml | 2 +-
roles/matrix-appservice-discord/tasks/1_user_group.yml | 4 ++--
roles/matrix-appservice-irc/tasks/1_user_group.yml | 4 ++--
6 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/roles/basesecurity/tasks/main.yml b/roles/basesecurity/tasks/main.yml
index 6b0f596..d21ad5e 100644
--- a/roles/basesecurity/tasks/main.yml
+++ b/roles/basesecurity/tasks/main.yml
@@ -22,4 +22,4 @@
 - /usr/bin/chfn # With re2o
 - /bin/mount # Only root should mount
 - /bin/umount # Only root should umount
-ignore_errors: yes # Sometimes file won't exist
+ignore_errors: true # Sometimes file won't exist
diff --git a/roles/codimd/tasks/1_user_group.yml b/roles/codimd/tasks/1_user_group.yml
index 4d79ee0..8acc968 100644
--- a/roles/codimd/tasks/1_user_group.yml
+++ b/roles/codimd/tasks/1_user_group.yml
@@ -3,7 +3,7 @@
 - name: Create CodiMD system group
 group:
 name: codimd
-system: yes
+system: true
 state: present
 
 # Security #2
@@ -13,7 +13,7 @@
 group: codimd
 home: /var/local/codimd
 comment: CodiMD
-system: yes
+system: true
 state: present
 
 # Security #3
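Review bot: `ignore_errors: true` on the basesecurity hardening task (roles/basesecurity/tasks/main.yml hunk) still masks every failure, not only the missing-file case the inline comment describes, so a permission change that fails on an existing binary such as `/bin/mount` goes unnoticed while the play reports success. Tolerate only the intended case: gather the paths with a `stat` task and loop over those with `item.stat.exists`, or register the result and use a `failed_when` that excludes the not-found message. The task header and module arguments are outside the hunk, so the exact expression depends on the module in use.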
diff --git a/roles/etherpad/tasks/1_user_group.yml b/roles/etherpad/tasks/1_user_group.yml
index 8c8110c..01c74ff 100644
--- a/roles/etherpad/tasks/1_user_group.yml
+++ b/roles/etherpad/tasks/1_user_group.yml
@@ -3,7 +3,7 @@
 - name: Create EtherPad system group
 group:
 name: etherpad
-system: yes
+system: true
 state: present
 
 # Security #2
@@ -13,7 +13,7 @@
 group: etherpad
 home: /var/local/etherpad
 comment: EtherPad
-system: yes
+system: true
 state: present
 
 # Security #3
diff --git a/roles/ldap-replica/tasks/main.yml b/roles/ldap-replica/tasks/main.yml
index 4ad968e..45f99c5 100644
--- a/roles/ldap-replica/tasks/main.yml
+++ b/roles/ldap-replica/tasks/main.yml
@@ -51,7 +51,7 @@
 path: "{{ item }}"
 owner: openldap
 group: openldap
-recurse: yes
+recurse: true
 with_items:
 - '/var/lib/ldap'
 - '/etc/ldap/slapd.d'
diff --git a/roles/matrix-appservice-discord/tasks/1_user_group.yml b/roles/matrix-appservice-discord/tasks/1_user_group.yml
index 2fe23be..42cac54 100644
--- a/roles/matrix-appservice-discord/tasks/1_user_group.yml
+++ b/roles/matrix-appservice-discord/tasks/1_user_group.yml
@@ -3,7 +3,7 @@
 - name: Create matrix-appservice-discord system group
 group:
 name: matrix-appservice-discord
-system: yes
+system: true
 state: present
 
 # Security #2
@@ -13,7 +13,7 @@
 group: matrix-appservice-discord
 home: /var/local/matrix-appservice-discord
 comment: Matrix Appservice Discord
-system: yes
+system: true
 state: present
 
 # Security #3
diff --git a/roles/matrix-appservice-irc/tasks/1_user_group.yml b/roles/matrix-appservice-irc/tasks/1_user_group.yml
index 1c5d507..4c28899 100644
--- a/roles/matrix-appservice-irc/tasks/1_user_group.yml
+++ b/roles/matrix-appservice-irc/tasks/1_user_group.yml
@@ -3,7 +3,7 @@
 - name: Create matrix-appservice-irc system group
 group:
 name: matrix-appservice-irc
-system: yes
+system: true
 state: present
 
 # Security #2
@@ -13,7 +13,7 @@
 group: matrix-appservice-irc
 home: /var/local/matrix-appservice-irc
 comment: Matrix Appservice IRC
-system: yes
+system: true
 state: present
 
 # Security #3
From bc1459bc514218f7db59279e1564a5928356420d Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Tue, 12 Mar 2019 17:22:39 +0100
Subject: [PATCH 029/297] Fix various yamllint warnings
---
matrix.yml | 3 ++-
roles/codimd/tasks/0_apt_dependencies.yml | 24 +++++++++++++++++++----
roles/etherpad/tasks/main.yml | 8 +++-----
roles/matrix-mxisd/tasks/main.yml | 2 +-
4 files changed, 26 insertions(+), 11 deletions(-)
diff --git a/matrix.yml b/matrix.yml
index 797215b..56e2a51 100644
--- a/matrix.yml
+++ b/matrix.yml
@@ -2,7 +2,8 @@
 # Install Matrix Synapse on corresponding containers
 - hosts: synapse.adm.auro.re
 vars:
-mxisd_version: 1.3.1
+mxisd_releases: https://github.com/kamax-matrix/mxisd/releases
+mxisd_deb: "{{ mxisd_releases }}/download/v1.3.1/mxisd_1.3.1_all.deb"
 roles:
 - debian-backports
 - matrix-synapse
diff --git a/roles/codimd/tasks/0_apt_dependencies.yml b/roles/codimd/tasks/0_apt_dependencies.yml
index 3e30b80..2f40e50 100644
--- a/roles/codimd/tasks/0_apt_dependencies.yml
+++ b/roles/codimd/tasks/0_apt_dependencies.yml
@@ -9,10 +9,26 @@
 dest: /etc/apt/preferences.d/nodejs
 mode: 0644
 
-# TODO
-# apt-transport-https
-# curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
-# echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
+# For HTTPS apt
+- name: Install HTTPS apt
+apt:
+name: apt-transport-https
+update_cache: true
+register: apt_result
+retries: 3
+until: apt_result is succeeded
+
+- name: Configure the apt key
+apt_key:
+url: https://dl.yarnpkg.com/debian/pubkey.gpg
+id: 1646B01B86E50310
+register: apt_key_result
+retries: 3
+until: apt_key_result is succeeded
+
+- name: Configure Yarn repository
+apt_repository:
+repo: "deb https://dl.yarnpkg.com/debian/ stable main"
 
 # Install CodiMD dependencies
 - name: Install required packages
diff --git a/roles/etherpad/tasks/main.yml b/roles/etherpad/tasks/main.yml
index 1e36ffe..9ccadc2 100644
--- a/roles/etherpad/tasks/main.yml
+++ b/roles/etherpad/tasks/main.yml
@@ -69,10 +69,8 @@
 service:
 name: etherpad-lite
 state: started
-enabled: True
-
-# La configuration de la clé `dbSettings` n'est pas encore automatisé !
+enabled: true
 
 # TODO-list
-# * Configure admin user, logs
-# Plugins : https://framacloud.org/fr/cultiver-son-jardin/etherpad.html#concernant-framapad
+# La configuration de la clé `dbSettings` n'est pas encore automatisé !
+# * Configure logs
diff --git a/roles/matrix-mxisd/tasks/main.yml b/roles/matrix-mxisd/tasks/main.yml
index fae2a84..422243f 100644
--- a/roles/matrix-mxisd/tasks/main.yml
+++ b/roles/matrix-mxisd/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: Install mxisd
 apt:
-deb: https://github.com/kamax-matrix/mxisd/releases/download/v{{ mxisd_version }}/mxisd_{{ mxisd_version }}_all.deb
+deb: "{{ mxisd_deb }}"
 register: apt_result
 retries: 3
 until: apt_result is succeeded
From 1a447b3807a3a48374930345cb63e2ee717745ca Mon Sep 17 00:00:00 2001
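Review bot: The `apt_key` task imports the Yarn signing key into the global apt keyring, so that key is trusted for every configured repository rather than only `deb https://dl.yarnpkg.com/debian/ stable main`; this is the standard apt-key weakness and the reason apt-key is deprecated. Download the key to its own file under /usr/share/keyrings/ with `get_url` and reference it from the repository line with `[signed-by=...]`, which scopes its trust to that one repository; if the target's apt predates armored-keyring support, dearmor the file once after download. The `id:` given next to `url:` mainly drives idempotence and its verification semantics vary across Ansible versions, so it should not be relied on as an integrity check. The task list continues outside the hunk.
```yaml
- name: Download the Yarn signing key
  get_url:
    url: https://dl.yarnpkg.com/debian/pubkey.gpg
    dest: /usr/share/keyrings/yarn-archive-keyring.asc  # constructed path, adjust to taste
    mode: "0644"
  register: yarn_key_result
  retries: 3
  until: yarn_key_result is succeeded

- name: Configure Yarn repository
  apt_repository:
    repo: "deb [signed-by=/usr/share/keyrings/yarn-archive-keyring.asc] https://dl.yarnpkg.com/debian/ stable main"
# … unchanged: apt-transport-https task and the following package install …
```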
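Review bot: `deb: "{{ mxisd_deb }}"` installs a package fetched straight from GitHub releases with nothing beyond TLS protecting its integrity, and the variable introduced in the matrix.yml hunk of this commit (`mxisd_deb`) carries no checksum either. Fetching the .deb with `get_url` and a pinned `checksum: "sha256:<MXISD_DEB_SHA256>"`, then pointing `apt: deb:` at the local file, makes the install fail closed if the artifact ever changes under the same URL. The version string is now also repeated twice inside `mxisd_deb` (the `v1.3.1` path segment and the `mxisd_1.3.1_all.deb` file name), so a single `mxisd_version` variable feeding both would prevent the two from drifting apart; the rest of the role's task list is outside the hunk.
```yaml
- name: Download mxisd package
  get_url:
    url: "{{ mxisd_deb }}"
    dest: /root/mxisd_1.3.1_all.deb  # constructed path; root-owned, not a shared tmp dir
    checksum: "sha256:<MXISD_DEB_SHA256>"  # placeholder; take from the release page
  register: mxisd_download
  retries: 3
  until: mxisd_download is succeeded

- name: Install mxisd
  apt:
    deb: /root/mxisd_1.3.1_all.deb
  # … unchanged: register/retries/until …
```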
From: Alexandre Iooss
Date: Tue, 12 Mar 2019 17:56:12 +0100
Subject: [PATCH 030/297] Add matrix-appservice-webhooks and move nodejs tasks
---
codimd.yml | 1 +
etherpad.yml | 1 +
group_vars/all/vars.yml | 4 +
group_vars/all/vault.yml | 216 +++++++++---------
matrix.yml | 2 +
roles/codimd/tasks/0_apt_dependencies.yml | 17 +-
roles/etherpad/tasks/0_apt_dependencies.yml | 24 --
roles/etherpad/tasks/main.yml | 10 +-
.../matrix-appservice-discord/tasks/main.yml | 3 -
.../tasks/0_apt_dependencies.yml | 21 --
roles/matrix-appservice-irc/tasks/main.yml | 3 -
.../handlers/main.yml | 5 +
.../tasks/1_user_group.yml | 26 +++
.../matrix-appservice-webhooks/tasks/main.yml | 50 ++++
.../templates/apt/nodejs.j2 | 5 +
.../templates/config.yaml.j2 | 39 ++++
.../matrix-appservice-webhooks.service.j2 | 17 ++
.../tasks/main.yml} | 3 +-
roles/nodejs/templates/apt/nodejs.j2 | 5 +
19 files changed, 276 insertions(+), 176 deletions(-)
delete mode 100644 roles/etherpad/tasks/0_apt_dependencies.yml
delete mode 100644 roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml
create mode 100644 roles/matrix-appservice-webhooks/handlers/main.yml
create mode 100644 roles/matrix-appservice-webhooks/tasks/1_user_group.yml
create mode 100644 roles/matrix-appservice-webhooks/tasks/main.yml
create mode 100644 roles/matrix-appservice-webhooks/templates/apt/nodejs.j2
create mode 100644 roles/matrix-appservice-webhooks/templates/config.yaml.j2
create mode 100644 roles/matrix-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2
rename roles/{matrix-appservice-discord/tasks/0_apt_dependencies.yml => nodejs/tasks/main.yml} (88%)
create mode 100644 roles/nodejs/templates/apt/nodejs.j2
diff --git a/codimd.yml b/codimd.yml
index ac330c8..fe9d788 100644
--- a/codimd.yml
+++ b/codimd.yml
@@ -3,4 +3,5 @@
 - hosts: codimd.adm.auro.re
 roles:
 - debian-backports
+- nodejs
 - codimd
diff --git a/etherpad.yml b/etherpad.yml
index 65f1f26..c60fd49 100644
--- a/etherpad.yml
+++ b/etherpad.yml
@@ -3,4 +3,5 @@
 - hosts: pad.adm.auro.re
 roles:
 - debian-backports
+- nodejs
 - etherpad
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index c57ea13..8bb2690 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -30,3 +30,7 @@ ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
 
 # Monitoring
 monitoring_mail: 'monitoring.aurore@lists.crans.org'
+
+# Matrix
+matrix_webhooks_secret: "{{ vault_matrix_webhooks_secret }}"
+
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 2b8e8ab..bcc5e18 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,106 +1,112 @@ $ANSIBLE_VAULT;1.1;AES256 -38616339383037366465353638383665643938633061323863386539323861633135363964303364 -6335326537383039316566623031306136633364336337320a343434623066313535363430303866 -61613635663336376530333463363037316230323339393463393465313366643438316565306564 -3263613463653764330a363330623331323762306330336465633538353637373838396231643762 -35353137306132653861343736323934326161663436653737333462333938393330393861363764 -38333837353564396563623039636438663662626330323632383234333662613835633138326161 -33626537633863393864373937306332386131626562323762616439643830626339633833313638 -65363930353162323635356430313030303734386339393730383135323937623939393233663335 -39316564396463643134636363326262343538666234333837373164646434643232623666636162 -61616637396561323166313131393163353166353764396564373330326262346666373034663465 -35326563306538653562333864383662336338656566313432633831313363663131393930336234 -61336230643539303532656437616638323266623434393863623661366237386537386232383332 -38643433626466343633626665386633663964306566643436363839363462326632393863616230 -62386662386363613737613839386436383734623461386363313832636661636334633132363433 -30383135646465353232623936366337663130376232343231376565313563303534313462336462 -39353861663230623536613735663865373238303832306636323532393734303538383837336237 -36613732623539616237663962666263393138303064646335623336343432323266663335363061 -36306361653035653334343031303663373334613365393635616362343461616535343964306666 -36663030373133346663663839373363663163653961323533356361373533643636626339356332 -34663063326363646638646330626666633564373763326636363764653831336134393131653864 -62353163613534386364323430346435316339363338666563366262336536373162346265353165 -66363834306536383465376339323462303265373263333065623837656133623035366366396335 -34313566326565333930386336353333396237633333613336666566393465616563393563633335 
-33313232646466313333633564653535343564626566353863613964303732616436626535656135 -39313632346530636639333435643034666138633831313864316266376330336334333263356132 -30613865336164353433383232316637663131653231393235343262666636623461653332323664 -63323637396132666333633863393131363935626435313366646563366366356265346130373162 -66306261303539323763336130616165323863646466643336316437663266303730313433343932 -39643639376531303839636632333063323837306638373863663132386533353735343234666139 -33633462346438356338613830313533306263383263383036363566323437356235386636333432 -31383462626338346339353536653437623731643036363366666437316362356266396634383865 -65663332383837373334393863386531663831643366613131663666303436306336313935643065 -61336661313562326465393936643130393465346636363234386436616165613436393436623664 -33396165376363316334613737613261396633306233643337393936393465313763343439646136 -38643135346234653234316536363964303331303932656134323165333239623362333931323334 -62323634373764663464343031626432653131306664336130396265363964663866663538376239 -33653430366265623733376536613632646662646632653132336537383336303335623966396131 -62303136613934656664386162373433323962336134663435373730366632666135663030653133 -38613632623765616465383266356238313333336434376238396339343031323465343833323665 -61666366326363303832663164363838353739653534313235336530396330346466656432386636 -36613239613239613835633265363064316134346464616338333532376132373637356665346230 -38343461613335663061393037643466383664323263336364356364363262346236326161653362 -63653963303139616430333738373038333661333562376130363061366338346430303231363138 -66373866303331333035316533373336376466346630326166373734353834306237383462356430 -33633332366636613534313933323065633736656432656236653930623663616133336435313337 -36623031663333386362306138343231363130626131323735316562363730656230376132303439 -36323932666362613237666164653037353631353730346466303764326162366266376130316166 
-32363739373437333731643936366334376463383664373139363465666538666331636535626462 -32323834616338376264393461626665393635336638383333653466336332316364363330333738 -61303161303564383563653039653263343161336362373563616237373865653965343639343465 -35363536613233313534633665373264303139393731626339646466663431363361373938623334 -38613766643861326538663563656662383665376137393333616566646136336339306333653066 -34373864353230343032386236386165616462316562363062613330636264303632396339646632 -37316630303536316436356138626533653865366137666131363064643964333838633266366365 -64663661333764616635383263376662616239323930643261613161313265633236623834376263 -31623565633964376632346533373037333166346332313266316138613665353530336562643739 -32393161396338353630363838643130323431343339376431373165313238383064616335323064 -36313366633161303635383062656538343538363039343931623736623766343762343563646134 -33626264643639333364343131636163646361626130646237326435373731613237663736393439 -37376639333930396337333938373866383133613730613162356364323265373431633836653838 -34323532613437313064383035313030306636346435396666653933626232313638656531366234 -34313837623136656361393230653637633535333063333662363137323962353232386366656264 -30303164363531343261626262653962383664313131333535313038343461303464326464373337 -34646537353031386265313066313136613533663335306636346237613264313061666233376131 -62346537666362373539626334376630633539343932623133653431393731356266623730353036 -64626133623638303132356639663538363537623739386166333337333431363939666362663137 -62303664306663376136353235613031623435393065376635353032666136396332613861376630 -65633061623466313838383664613839663033333736396536333863636435306263666466313265 -62633539623037616535333164316538616439333838633730313066366232616566646435376530 -66316164323737396230373339333936313532343266303765356530633534643439626236313136 -65373833633461393734353737363566353634353764333961643033393932353236633336393436 
-61333537666263666238303736316462356138396232373839343434643730643766333535643565 -38333163353634633637393766346261613931663134363230353633336533643339353832653632 -64343438353266343937373138643635616331336164316166343536643434616665326331353161 -39303732663037653634303263386134366536333830363366663639383033323832653364393766 -30333438313361613764633239373036336230353333343262613761323930656265313031323065 -39666562393565326139373061313061396265386239343462346535623766313364343136343038 -39373462663434633731636662653966383233396163643137373530303134633465643130383265 -61376538626365396236643139336366643966306131393635623438393932313164623766353233 -61643732303837366139356236353937303036343232363537623231303661653035383831343830 -64663763383563303461633335313663643161336435343735333536393661663235636665383662 -37393139333361323136366564383132633830386335376137396563343937306431653665316161 -38323137643437383636373033326236613936396564626466386432393733633361623032326135 -61346166393964313637356330653339646365326365326130386537343535353038643538393336 -66366335316538393333613631346365393038623261303536363732383637643430346632343139 -61643265333466323666633834333462613161653165663432613934353036343937343939303033 -35636134343761666534656636383632363562633634383364323039613431666239346136616231 -37383838316338666462376133613632663633663935643563346333356464663434393734366433 -37376539366139396536323535316539643261636533303065326164643132313439313632306664 -33386136393734613739396336396635353439393531393363326137363562646363333762386135 -32376162373766393763343634326434323034336533336166666635636135393066353238626161 -37376132306339626263313663376638633337656162333431313439643930303332666138643962 -37313331616563643638343464653535653038613136313637336534636537343763376634626538 -64633133656237346461346330333061636663336262646264326237373736366337663331323764 -65353931373266336232366434356631383338386537616535656664323334363963666631363331 
-37653666316236613931386161346439663935656466396137643765626632643263323163623138 -34326363373633303365353530383633623936313436616635353733643837656233613635383966 -37356665626530626532356632323338623062386332616332643061623031366366613433383734 -33623732636637363237336439373432616332643638303131363332393230663565323139303163 -36643134363861383834656539626166386164326236336266633435626163383437366338353930 -33373932333832373237343532623537363931366636346132616162343839303965386337316164 -61656233616633323933306165643666306661366632613933383932616664613663663234653431 -30306163346630653239323966396638643162303766363131646430303366303435343866353639 -66373465393764396335346131346331353561643434633364656530626238326333333731383361 -35653232373235383633616634643966636336333461663237653764626534346336 +30643064346235376335653933633134616531356562383833323336316264643335336437376462 +3364343634313734653033343663306565306564623939340a636266646265633634646531323363 +35653136343933303034356333376539353561626638616234636333653764616433393866616536 +3935366266396632340a323866323438653935356265663835393366343833363639313933333464 +32373862303166643331363463656265656531646135653238333566386236316163393738366133 +33653332306664643336323864356364646138616130653861333637373436303433376633366661 +65373636383862306134353738323564393262376561306134303361633161323239303563643934 +63333530653561343862613033343435333336306135373136623139343634616232346364356464 +39363838343538633130363831303064303334353261346239366635363763386262633063303434 +34366531316338326233323634383730623838643535623939306535306634333438653434366662 +35663463306239383835643034343735336131363339666366356138613731333836386266383763 +31666535326630303536376364336432613736353134376230323631326130343262316630373934 +63353166376630336431626530643733623561343335396336616235616532386434626634653631 +35613930393536613633633463393434616131303763613033656262386663663839343662626535 
+36373236323733663334306134313433393366653066373464386134303265323564343262336562 +39393738656337316239623466643933663938663433313866626665613263356534386535633837 +61643036666161653434613061653539636137653235663064323766613061333563626563396439 +39323137373162393237356135333632333163613961373533633432333233346463303034366336 +62396363393163363639313763616533333965396162313662626161343362393363313632643031 +35383433343764333238366265313363623561666162633739643232323962316165636436353766 +65666132393366613561363462393966366637613062346337303139666439323861653233353533 +37643138306463613933626162613865383038306133646365616337323164353362626638653765 +38653035323164663130326435356532333864363237333738656636623130383533663130363764 +63313439373336346334336431633263333138326561353366323239343466383039343938386436 +36333634613936393530396536353239316532346361396631393063343439373762306634653336 +36663137613164383061333232646534363632656362616335373066306236636239363663316665 +39313036666337616164633931323465613863316438366361303536633635653862333465316366 +34663662633233353361306537393061373630616262653432653631323638386230666437346664 +37646564623035356536356630376166376365326666323936616139656466343833386238313462 +35623239643765633766623934653963356166323065343266303431353966353063363137613632 +31656338373430326331346538613130363161623035306165666238613565333131376364323839 +61306466666130616334313466643031633664353666346637346161326331383637336339646434 +61643835386466633038663961303339646532643036343532393332636438366234383932376431 +30376165353834616564633062396461393636663464613038383363306264666334616264343361 +33346538386332633333343461623262336133306239646635303332613934306565663633616634 +61383665656531343332353263303534323435383136646235343135373739323563326662316633 +66343733396163353939643939653237393931386361623364653466623935333232666662313865 +32373761346534316334346137653565326633326466316566666362366338353165343761396136 
+30346536386266363033323838313138633234346666343739316562356332323632643432333763 +65393032353861303937386437646537623830333866343564313863653033396637626466343463 +32343861623563653566623233363638636634646265643465373161326339346563623765326264 +37366137623734633662366263356135313164343634306232353530313034356333633239383432 +64646564343435303536343263323266663163666466653231363963393537356531313466653731 +37306664303737346431623937343062376562353630383535396533643437353631336438353162 +34373436613962643634333464303033323331666166383932306361643763393333616532623138 +66323366353836306436353437336338386161613336316465663339333461383464376562323530 +64373738656536313530346433663336306536333062653138663035653130376236613333346166 +38643561353030373633336533303666666465373938666633366361333938353332396363393832 +30633761646364393737653165396335353631376137653238386639633664313363333631366365 +30623730353462663530646434326561383265343534636138333065373439636463353539303436 +30353632303433373436383735383332616233363763326566343233613436303233363332363662 +65393062373335666265343830373730646639323730383238616531623934653931646164373765 +30333331336635313935656562383066323834636136303461326433626163363232653037626361 +34356532356263636131363233323336353434383562303166376162306338373461336134653861 +34316330356336303162303963303763643735656139616533616234643233646365386536616335 +30613662333437343233636364663562386363313034343061343137653062626338383432643230 +35323130373561343666326331333561323562623231303066353464653665356165643337323562 +32386139303034333764666662613436623933353964316536363430346631653630643832306634 +35653636326635353839316238643232353465616635633939323837353833386164323861653965 +64636437646166666538386231623338356261346563323831653965613965366633313662303165 +37333066356635623063333637633864303964303635666164316230353239303335623834376632 +38336231336234343433373734313866316332633831396132313164626265643263636262643934 
+61313963373638336264653066613531656461386665316635313662343239353565336239306362 +31633738653439386162626235656434363534653735323732636565353862623165613436623961 +34346261383434373231393738353165303465313134303365393261306139613438383138326334 +63623636333132356363366635333834653037353863646633636436383432663663623238643437 +30306433323161316434326332643931346663393935643263333636623037653462626632376634 +36363166393835636163643466383365653731383335656462376533363333363065336137363730 +38386466363636356366383637646265333038663033663763646633613738366666393839346238 +30393961343064653261646337373434626363303534333338613536306336323265393935373363 +34383965353264643266303434316432656531346363353731623834373637343062623538346137 +36346632636666623663396339633830623238366232613862633365663738396434366161653564 +36343066386331303364623865346532613262663161366237363739633565653739626432363330 +39313562623236663130366231396236666139363333383332616333333164396331323465336233 +32626139656132383063376266613335643565303762663962373039393135393961343333303964 +37323563653732373839313361383136313535643738663636306631396432313563323933616561 +30646431656163373938326634373363376565316133616636376338316136343462613963313463 +65653932636431633738613961346566393566636664396137666366313130313666383063373230 +62643531373737626630303837353066376566333165336137323633346239386531353331363462 +64366532373032373339623232383531323761316336343434653035623331366665613261373462 +39336137336134363465613666616531336535323432353430386335616163363333376666306365 +62303339613264333537386262653531623162366635633561663733636530623963353437373134 +39663534363064343162316665666338316134396138396534643934643561386561353730636437 +33303865366261393161353732306338343337376631623531346337396237323662653536313861 +66346561383937616136376234363636663239616666306232613038646433373838653133346164 +36636663393066313434373131646335303730303266313261646531656261396534623964643834 
+38613230353034316666643932343837333134656465306239383134366237396438366533643566 +61366236353538316431366165353734326130363239373631656661323966303530373338653539 +38393531326335613831313937303537623933613233313439366330303134643836303466353061 +30353030633936326238353630386663626132636363663638643732643331666664333962323562 +30633837366161356661643963353163636663616339663230353738646463653761393862313861 +63363834623765393461656239613737613231666337333332663262356233633536326531336337 +66626231636634396632343466323433396233636639393136333538386330313837626135306537 +65653130366433303036396530303835643266316333383761643166373838623037356539653166 +63396561616462366461316338323662366232383963376161626132343236643766623431303066 +31386231356361336632663266336661613938313634313038353431343463343433616238356563 +35643739373831383337336136626637313565633365643037363039353134343536333938333239 +37343463313632376333653266303162633838363933373164366563333538333561663539313331 +37666634343138356539366431386361623130613865333439373464336135613036333731633066 +34316234656430343633366361323830303232623565653736316539346662663537336263663331 +66636639333030623061616533356136306239323764373238353734613064616434353666323538 +33363934333930366432363434366365306431623438326534656266303837613034336130623066 +30666632333332623934306338653765386163396535393636376266396663633033663939353765 +35616237306566346230343933633464653537343039623132643538643634333238393961383335 +30323831643263613530373135666437383337636236373563313232393431323332353136633565 +33356236386537363039643861323131323738643864306133636266373731666631646262333032 +33376662336635663464323866626636343032663632326631613866396434623332303833326238 +34386230303233353966373362303365653636623632376331326466623532396661313264666463 +38333766313365376533663262366134373730363163343365326433626636363663363466313733 +39353164343463643462663635383266646161663235336264636463633231633935366663343237 
+613361633163336661313532636238353634 diff --git a/matrix.yml b/matrix.yml index 56e2a51..32af6fe 100644 --- a/matrix.yml +++ b/matrix.yml @@ -6,10 +6,12 @@ mxisd_deb: "{{ mxisd_releases }}/download/v1.3.1/mxisd_1.3.1_all.deb" roles: - debian-backports + - nodejs - matrix-synapse - matrix-mxisd - matrix-appservice-discord - matrix-appservice-irc + - matrix-appservice-webhooks # Install Matrix Riot on corresponding containers - hosts: riot.adm.auro.re diff --git a/roles/codimd/tasks/0_apt_dependencies.yml b/roles/codimd/tasks/0_apt_dependencies.yml index 2f40e50..0fcacfb 100644 --- a/roles/codimd/tasks/0_apt_dependencies.yml +++ b/roles/codimd/tasks/0_apt_dependencies.yml @@ -1,14 +1,4 @@ --- -# For NodeJS package -- name: Configure NodeJS pin - when: - - ansible_distribution == 'Debian' - - ansible_distribution_release == 'stretch' - template: - src: apt/nodejs.j2 - dest: /etc/apt/preferences.d/nodejs - mode: 0644 - # For HTTPS apt - name: Install HTTPS apt apt: @@ -33,12 +23,7 @@ # Install CodiMD dependencies - name: Install required packages apt: - name: - - git - - nodejs - - npm - - build-essential - - yarn + name: yarn update_cache: true register: apt_result retries: 3 diff --git a/roles/etherpad/tasks/0_apt_dependencies.yml b/roles/etherpad/tasks/0_apt_dependencies.yml deleted file mode 100644 index e36321b..0000000 --- a/roles/etherpad/tasks/0_apt_dependencies.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -# For NodeJS package -- name: Configure NodeJS pin - when: - - ansible_distribution == 'Debian' - - ansible_distribution_release == 'stretch' - template: - src: apt/nodejs.j2 - dest: /etc/apt/preferences.d/nodejs - mode: 0644 - -# Install EtherPad dependencies -- name: Install required packages - apt: - name: - - build-essential - - curl - - git - - nodejs - - npm - update_cache: true - register: apt_result - retries: 3 - until: apt_result is succeeded diff --git a/roles/etherpad/tasks/main.yml b/roles/etherpad/tasks/main.yml index 9ccadc2..ab5e3b1 100644 
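Review bot: The `Install required packages` hunk of roles/codimd/tasks/0_apt_dependencies.yml shrinks the list to `name: yarn`, so git, nodejs, npm and build-essential now have to come from the new `nodejs` role, but the only playbook this diff updates to include that role is matrix.yml. If the CodiMD playbook is not also changed to list `nodejs` before `codimd`, a fresh host reaches the yarn and clone steps without node or git installed. Declaring the dependency in the role itself, `dependencies: [nodejs]` in roles/codimd/meta/main.yml, removes the reliance on playbook ordering. The same question applies to the etherpad and matrix-appservice-irc roles, whose 0_apt_dependencies.yml files are deleted in this commit.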
--- a/roles/etherpad/tasks/main.yml +++ b/roles/etherpad/tasks/main.yml @@ -1,6 +1,12 @@ --- -# Install APT dependencies -- include_tasks: 0_apt_dependencies.yml +# Install EtherPad dependencies +- name: Install required packages + apt: + name: curl + update_cache: true + register: apt_result + retries: 3 + until: apt_result is succeeded # Create EtherPad user and group - include_tasks: 1_user_group.yml diff --git a/roles/matrix-appservice-discord/tasks/main.yml b/roles/matrix-appservice-discord/tasks/main.yml index 4461fe3..f043ae3 100644 --- a/roles/matrix-appservice-discord/tasks/main.yml +++ b/roles/matrix-appservice-discord/tasks/main.yml @@ -1,7 +1,4 @@ --- -# Install APT dependencies -- include_tasks: 0_apt_dependencies.yml - # Create CodiMD user and group - include_tasks: 1_user_group.yml diff --git a/roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml b/roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml deleted file mode 100644 index d61dd10..0000000 --- a/roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -- name: Configure NodeJS pin - when: - - ansible_distribution == 'Debian' - - ansible_distribution_release == 'stretch' - template: - src: apt/nodejs.j2 - dest: /etc/apt/preferences.d/nodejs - mode: 0644 - -- name: Install required packages - apt: - name: - - git - - nodejs - - npm - - build-essential - update_cache: true - register: apt_result - retries: 3 - until: apt_result is succeeded diff --git a/roles/matrix-appservice-irc/tasks/main.yml b/roles/matrix-appservice-irc/tasks/main.yml index 4025fc7..54c8394 100644 --- a/roles/matrix-appservice-irc/tasks/main.yml +++ b/roles/matrix-appservice-irc/tasks/main.yml @@ -1,7 +1,4 @@ --- -# Install APT dependencies -- include_tasks: 0_apt_dependencies.yml - # Create matrix-appservice-irc user and group - include_tasks: 1_user_group.yml 
diff --git a/roles/matrix-appservice-webhooks/handlers/main.yml b/roles/matrix-appservice-webhooks/handlers/main.yml new file mode 100644 index 0000000..46a7fd8 --- /dev/null +++ b/roles/matrix-appservice-webhooks/handlers/main.yml @@ -0,0 +1,5 @@ +--- +# Reload systemd daemons when a service file changes +- name: Reload systemd daemons + systemd: + daemon_reload: true diff --git a/roles/matrix-appservice-webhooks/tasks/1_user_group.yml b/roles/matrix-appservice-webhooks/tasks/1_user_group.yml new file mode 100644 index 0000000..642cf9f --- /dev/null +++ b/roles/matrix-appservice-webhooks/tasks/1_user_group.yml @@ -0,0 +1,26 @@ +--- +# Security #1 +- name: Create matrix-appservice-webhooks system group + group: + name: matrix-appservice-webhooks + system: true + state: present + +# Security #2 +- name: Create matrix-appservice-webhooks user + user: + name: matrix-appservice-webhooks + group: matrix-appservice-webhooks + home: /var/local/matrix-appservice-webhooks + comment: Matrix Appservice WebHooks + system: true + state: present + +# Security #3 +- name: Secure matrix-appservice-webhooks home directory + file: + path: /var/local/matrix-appservice-webhooks + state: directory + owner: matrix-appservice-webhooks + group: matrix-appservice-webhooks + mode: 0750 diff --git a/roles/matrix-appservice-webhooks/tasks/main.yml b/roles/matrix-appservice-webhooks/tasks/main.yml new file mode 100644 index 0000000..cab48fb --- /dev/null +++ b/roles/matrix-appservice-webhooks/tasks/main.yml 
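Review bot: The `Create matrix-appservice-webhooks user` task in 1_user_group.yml leaves the service account with whatever login shell `useradd` defaults to, because no `shell:` is set. An account that is only ever used through `become_user` and the unit's `User=` should not be able to open an interactive session; add `shell: /usr/sbin/nologin` to the `user:` arguments. The `system: true` flags and the 0750 home directory are otherwise what a practitioner would expect here.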
@@ -0,0 +1,50 @@ +--- +# Create matrix-appservice-webhooks user and group +- include_tasks: 1_user_group.yml + +- name: Clone matrix-appservice-webhooks project + git: + repo: https://github.com/matrix-org/matrix-appservice-webhooks.git + dest: /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks + version: master + become: true + become_user: matrix-appservice-webhooks + +# Setup dependencies +- name: Install matrix-appservice-webhooks dependencies + npm: + path: /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks + production: true + become: true + become_user: matrix-appservice-webhooks + register: npm_result + retries: 3 + until: npm_result is succeeded + +# Configure +- name: Configure matrix-appservice-webhooks + template: + src: config.yaml.j2 + dest: /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks/config/config.yaml + owner: matrix-appservice-webhooks + group: matrix-appservice-webhooks + mode: 0600 + +# Service file +- name: Install matrix-appservice-webhooks systemd unit + template: + src: 'systemd/matrix-appservice-webhooks.service.j2' + dest: '/etc/systemd/system/matrix-appservice-webhooks.service' + owner: root + group: root + mode: 0644 + notify: Reload systemd daemons + +# TODO: See https://github.com/turt2live/matrix-appservice-webhooks + +# Run +#- name: Ensure that matrix-appservice-webhooks is started +# service: +# name: matrix-appservice-webhooks +# state: started +# enabled: true diff --git a/roles/matrix-appservice-webhooks/templates/apt/nodejs.j2 b/roles/matrix-appservice-webhooks/templates/apt/nodejs.j2 new file mode 100644 index 0000000..65e5110 --- /dev/null +++ b/roles/matrix-appservice-webhooks/templates/apt/nodejs.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +Package: node* libuv1* +Pin: release a=stretch-backports +Pin-Priority: 600 
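Review bot: The `Clone matrix-appservice-webhooks project` task checks out `version: master`, and the following `npm` task runs package lifecycle scripts as the service user on whatever that branch points to at deploy time, so each run pulls unreviewed upstream code onto the host. Pin `version:` to a release tag or a full commit SHA and bump it deliberately, e.g. `version: "<tag-or-sha>"`. The `templates/apt/nodejs.j2` file added to this role does not appear to be referenced by any task in the role (the apt pin is applied by the new `nodejs` role), so it looks like a leftover copy that can be dropped.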
diff --git a/roles/matrix-appservice-webhooks/templates/config.yaml.j2 b/roles/matrix-appservice-webhooks/templates/config.yaml.j2 new file mode 100644 index 0000000..59a3139 --- /dev/null +++ b/roles/matrix-appservice-webhooks/templates/config.yaml.j2 @@ -0,0 +1,39 @@ +# {{ ansible_managed }} + +# Configuration specific to the application service. All fields (unless otherwise marked) are required. +homeserver: + # The domain for the client-server API calls. + url: "http://auro.re" + + # The domain part for user IDs on this home server. Usually, but not always, this is the same as the + # home server's URL. + domain: "auro.re" + +# Configuration specific to the bridge. All fields (unless otherwise marked) are required. +webhookBot: + # The localpart to use for the bot. May require re-registering the application service. + localpart: "_webhook" + + # Appearance options for the Matrix bot + appearance: + displayName: "Webhook Bridge" + avatarUrl: "http://i.imgur.com/IDOBtEJ.png" # webhook icon + +# Provisioning API options +provisioning: + # Your secret for the API. Required for all provisioning API requests. + secret: '{{ matrix_webhooks_secret }}' + +# Configuration related to the web portion of the bridge. Handles the inbound webhooks +web: + hookUrlBase: 'http://localhost:9000/' + +logging: + file: logs/webhook.log + console: true + consoleLevel: info + fileLevel: verbose + writeFiles: true + rotate: + size: 52428800 # bytes, default is 50mb + count: 5 diff --git a/roles/matrix-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 b/roles/matrix-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 new file mode 100644 index 0000000..50614c2 --- /dev/null +++ b/roles/matrix-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 
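Review bot: `secret: '{{ matrix_webhooks_secret }}'` in config.yaml.j2 renders the vault value inside single quotes, so a secret containing `'` produces invalid YAML and one with leading or trailing whitespace is silently altered, with the only symptom being the provisioning API rejecting every request. Render it with the JSON filter instead, `secret: {{ matrix_webhooks_secret | to_json }}`, which escapes the value correctly whatever it contains. The remaining fields are non-secret, though `avatarUrl` pointing at a plain-http imgur URL is a minor choice worth revisiting.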
@@ -0,0 +1,17 @@ +# {{ ansible_managed }} + +[Unit] +Description=A bridge between Matrix and WebHooks +After=syslog.target network-online.target mysql.service postgresql.service +Conflicts=shutdown.target + +[Service] +Type=simple +User=matrix-appservice-webhooks +Group=matrix-appservice-webhooks +WorkingDirectory=/var/local/matrix-appservice-webhooks/matrix-appservice-webhooks +ExecStart=/usr/bin/nodejs /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks/app.js -c config.yaml -f my_registration_file.yaml -p 9999 +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml b/roles/nodejs/tasks/main.yml similarity index 88% rename from roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml rename to roles/nodejs/tasks/main.yml index d61dd10..af8fe52 100644 --- a/roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml +++ b/roles/nodejs/tasks/main.yml @@ -11,10 +11,9 @@ - name: Install required packages apt: name: - - git - nodejs - npm - - build-essential + - build-essential # To build npm packages update_cache: true register: apt_result retries: 3 diff --git a/roles/nodejs/templates/apt/nodejs.j2 b/roles/nodejs/templates/apt/nodejs.j2 new file mode 100644 index 0000000..65e5110 --- /dev/null +++ b/roles/nodejs/templates/apt/nodejs.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +Package: node* libuv1* +Pin: release a=stretch-backports +Pin-Priority: 600 From c9761e53dd8bb6563b05f0ee12551b334f2617c1 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Tue, 12 Mar 2019 18:33:32 +0100 Subject: [PATCH 031/297] Connect to Synapse --- roles/matrix-appservice-webhooks/tasks/main.yml | 8 ++++++-- .../systemd/matrix-appservice-webhooks.service.j2 | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/roles/matrix-appservice-webhooks/tasks/main.yml b/roles/matrix-appservice-webhooks/tasks/main.yml index cab48fb..a96c75b 100644 
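Review bot: The `[Service]` section of matrix-appservice-webhooks.service.j2 runs the bridge as a dedicated user but applies no sandboxing, so a compromise of the Node process (which handles inbound HTTP webhooks per the config template) keeps a writable view of the whole filesystem and can regain privileges through setuid binaries. Add `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` under `[Service]`; the unit only needs to write under its WorkingDirectory (the config sets `logging.file: logs/webhook.log`), which `ProtectSystem=full` leaves writable. `After=mysql.service postgresql.service` can probably go as well, since nothing in the visible config uses a database — confirm against the upstream README.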
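Review bot: The `Install required packages` hunk of roles/nodejs/tasks/main.yml drops `- git` from the list at the same time as this commit removes it from the codimd, etherpad and matrix-appservice-irc package lists, yet those roles (and the new webhooks role) still clone with Ansible's `git` module, which needs the git binary on the target. Unless a role outside this diff (baseconfig, for instance) installs it, the clone tasks fail on a freshly provisioned host. Either keep `- git` here or add it back to each role that clones.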
--- a/roles/matrix-appservice-webhooks/tasks/main.yml +++ b/roles/matrix-appservice-webhooks/tasks/main.yml @@ -4,7 +4,7 @@ - name: Clone matrix-appservice-webhooks project git: - repo: https://github.com/matrix-org/matrix-appservice-webhooks.git + repo: https://github.com/turt2live/matrix-appservice-webhooks.git dest: /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks version: master become: true @@ -40,7 +40,11 @@ mode: 0644 notify: Reload systemd daemons -# TODO: See https://github.com/turt2live/matrix-appservice-webhooks +# TODO +# node index.js -r -u "http://localhost:9000" -c config/config.yaml +# cp /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks/appservice-registration-webhooks.yaml /etc/matrix-synapse/appservice-registration-webhooks.yaml +# chown matrix-synapse:nogroup /etc/matrix-synapse/appservice-registration-webhooks.yaml 440 +# /etc/matrix-synapse/conf.d/app_service_config_files.yaml # Run #- name: Ensure that matrix-appservice-webhooks is started diff --git a/roles/matrix-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 b/roles/matrix-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 index 50614c2..9d8c6b6 100644 --- a/roles/matrix-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 +++ b/roles/matrix-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 @@ -10,7 +10,7 @@ Type=simple User=matrix-appservice-webhooks Group=matrix-appservice-webhooks WorkingDirectory=/var/local/matrix-appservice-webhooks/matrix-appservice-webhooks -ExecStart=/usr/bin/nodejs /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks/app.js -c config.yaml -f my_registration_file.yaml -p 9999 +ExecStart=/usr/bin/nodejs index.js -p 9000 -c config/config.yaml -f appservice-registration-webhooks.yaml Restart=always [Install] From 0cc36a107c31b97f003a2d6bc89c9f460200938e Mon Sep 17 00:00:00 2001 
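Review bot: The new `# TODO` block in tasks/main.yml leaves registration as manual shell commands, and the last of them, `chown matrix-synapse:nogroup <file> 440`, is not a valid invocation (chown takes no mode, so `440` would be treated as another path), which means whoever follows the comment gets the wrong result. The registration file is the sensitive artefact here — it presumably carries the appservice tokens that let the bridge act on the homeserver — so it deserves a real task: `copy`/`template` it into /etc/matrix-synapse/ with `owner: matrix-synapse`, `mode: 0440`, and notify a Synapse restart. Switching the clone to the turt2live fork while keeping `version: master` also means the deployed code is whatever that personal repository's branch holds on the day; pin a tag or SHA.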
From: Alexandre Iooss Date: Tue, 12 Mar 2019 19:58:55 +0100 Subject: [PATCH 032/297] Fix CI --- group_vars/all/vars.yml | 1 - roles/matrix-appservice-webhooks/tasks/main.yml | 3 ++- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 8bb2690..4be3759 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -33,4 +33,3 @@ monitoring_mail: 'monitoring.aurore@lists.crans.org' # Matrix matrix_webhooks_secret: "{{ vault_matrix_webhooks_secret }}" - diff --git a/roles/matrix-appservice-webhooks/tasks/main.yml b/roles/matrix-appservice-webhooks/tasks/main.yml index a96c75b..7cf9e02 100644 --- a/roles/matrix-appservice-webhooks/tasks/main.yml +++ b/roles/matrix-appservice-webhooks/tasks/main.yml @@ -42,7 +42,8 @@ # TODO # node index.js -r -u "http://localhost:9000" -c config/config.yaml -# cp /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks/appservice-registration-webhooks.yaml /etc/matrix-synapse/appservice-registration-webhooks.yaml +# cp /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks/appservice-registration-webhooks.yaml +# > /etc/matrix-synapse/appservice-registration-webhooks.yaml # chown matrix-synapse:nogroup /etc/matrix-synapse/appservice-registration-webhooks.yaml 440 # /etc/matrix-synapse/conf.d/app_service_config_files.yaml From a8fa5d69ff6f181ef59aa7777e5f055389a714d3 Mon Sep 17 00:00:00 2001 
From: Alexandre Iooss Date: Thu, 14 Mar 2019 10:53:44 +0100 Subject: [PATCH 033/297] Add proxy snippets and use nginx-light --- roles/nginx-reverse-proxy/tasks/main.yml | 25 ++++++++++++---- .../{ => nginx}/nginx-sites-available-main.j2 | 19 ++++++++---- .../{ => nginx}/nginx-sites-available.j2 | 13 ++++++--- .../nginx/snippets/proxy-common-ssl.conf.j2 | 29 +++++++++++++++++++ .../nginx/snippets/proxy-common.conf.j2 | 12 ++++++++ 5 files changed, 82 insertions(+), 16 deletions(-) rename roles/nginx-reverse-proxy/templates/{ => nginx}/nginx-sites-available-main.j2 (86%) rename roles/nginx-reverse-proxy/templates/{ => nginx}/nginx-sites-available.j2 (82%) create mode 100644 roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 create mode 100644 roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2 diff --git a/roles/nginx-reverse-proxy/tasks/main.yml b/roles/nginx-reverse-proxy/tasks/main.yml index 7f7483d..c646a23 100644 --- a/roles/nginx-reverse-proxy/tasks/main.yml +++ b/roles/nginx-reverse-proxy/tasks/main.yml @@ -1,18 +1,31 @@ --- # nginx is the proxy server +# nginx-light contains less modules +# but also reduces the surface of attack - name: Install NGINX server apt: - name: nginx + name: nginx-light update_cache: true register: apt_result retries: 3 until: apt_result is succeeded +# Install proxy snippets +- name: Configure NGINX proxy snippets + template: + src: "nginx/snippets/{{ item }}.j2" + dest: "/etc/nginx/snippets/{{ item }}" + mode: 0644 + loop: + - proxy-common.conf + - proxy-common-ssl.conf + notify: Reload NGINX service + # Install sites - name: Configure NGINX sites template: - src: nginx-sites-available.j2 - dest: /etc/nginx/sites-available/{{ item.name }} + src: nginx/nginx-sites-available.j2 + dest: "/etc/nginx/sites-available/{{ item.name }}" mode: 0644 loop: "{{ reversed_proxy_subdomains }}" notify: Reload NGINX service 
@@ -27,8 +40,8 @@ # Activate sites - name: Activate sites file: - src: /etc/nginx/sites-available/{{ item.name }} - dest: /etc/nginx/sites-enabled/{{ item.name }} + src: "/etc/nginx/sites-available/{{ item.name }}" + dest: "/etc/nginx/sites-enabled/{{ item.name }}" state: link loop: "{{ reversed_proxy_subdomains }}" notify: Reload NGINX service @@ -36,7 +49,7 @@ # Install main site - name: Configure NGINX main site template: - src: nginx-sites-available-main.j2 + src: nginx/nginx-sites-available-main.j2 dest: /etc/nginx/sites-available/main mode: 0644 notify: Reload NGINX service diff --git a/roles/nginx-reverse-proxy/templates/nginx-sites-available-main.j2 b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2 similarity index 86% rename from roles/nginx-reverse-proxy/templates/nginx-sites-available-main.j2 rename to roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2 index 43f678f..1df30fd 100644 --- a/roles/nginx-reverse-proxy/templates/nginx-sites-available-main.j2 +++ b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2 @@ -1,16 +1,21 @@ # {{ ansible_managed }} server { - server_name auro.re; + # Common proxy snippet include "snippets/proxy-common.conf"; - location / { - return 302 https://$host$request_uri; - } + # Set witch server name we define + server_name auro.re; + + # Permanentely moved to HTTPS + return 301 https://$host$request_uri; } server { + # Common proxy snippet include "snippets/proxy-common-ssl.conf"; + + # Set witch server name we define server_name auro.re; # Separate log files @@ -48,8 +53,10 @@ server { } server { - listen 8448 ssl default_server; - listen [::]:8448 ssl default_server; + listen 8448 ssl; + listen [::]:8448 ssl; + + # Set witch server name we define server_name auro.re; # Separate log files 
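Review bot: The `listen 8448 ssl` block in nginx-sites-available-main.j2 keeps its own listen directives instead of including `snippets/proxy-common-ssl.conf` the way the 443 block now does, so the TLS settings centralised in that snippet only reach federation traffic if the 8448 block repeats them; the rest of that block is outside the hunk, so this may already be the case. If it is not, the snippet cannot simply be included because it also declares the 443 listeners — split the `listen` lines out of the snippet, or add an `ssl_*`-only snippet that both blocks include.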
diff --git a/roles/nginx-reverse-proxy/templates/nginx-sites-available.j2 b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available.j2 similarity index 82% rename from roles/nginx-reverse-proxy/templates/nginx-sites-available.j2 rename to roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available.j2 index 0ddd2df..a733f23 100644 --- a/roles/nginx-reverse-proxy/templates/nginx-sites-available.j2 +++ b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available.j2 @@ -1,16 +1,21 @@ # {{ ansible_managed }} server { - server_name {{ item.from }}; + # Common proxy snippet include "snippets/proxy-common.conf"; - location / { - return 302 https://$host$request_uri; - } + # Set witch server name we define + server_name {{ item.from }}; + + # Permanentely moved to HTTPS + return 301 https://$host$request_uri; } server { + # Common proxy snippet include "snippets/proxy-common-ssl.conf"; + + # Set witch server name we define server_name {{ item.from }}; # Separate log files diff --git a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 new file mode 100644 index 0000000..1385eb0 --- /dev/null +++ b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 
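Review bot: The new `return 301 https://$host$request_uri;` in nginx-sites-available.j2 builds the redirect target from the client-supplied Host header. With `server_name {{ item.from }}` on the block this is normally harmless, but nginx routes unmatched hosts to the first or default server, and any block that ends up in that position becomes an open redirect to an attacker-chosen host. Using the configured name, `return 301 https://{{ item.from }}$request_uri;`, removes the dependency on the request. The main site template in this commit has the same pattern and should be changed alongside.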
@@ -0,0 +1,29 @@ +# {{ ansible_managed }} + +# Listen for IPv4 and IPv6 with HTTP2 +listen [::]:443 ssl http2; +listen 443 ssl http2; + +# Hide NGINX version +server_tokens off; + +# Reverse Proxy Adm +set_real_ip_from 10.128.0.0/16; +real_ip_header P-Real-Ip; + +# SSL +ssl on; +ssl_session_timeout 5m; +ssl_ciphers "HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!DES:!3DES"; +ssl_prefer_server_ciphers off; +ssl_session_cache shared:SSL:10m; + +# In buster we will be able to use TLSv1.3 +ssl_protocols TLSv1.2; + +# Executer "cd /etc/ssl/certs; openssl dhparam -out dhparam.pem 4096" avant d'activer +ssl_dhparam /etc/ssl/certs/dhparam.pem; + +# Enable OCSP Stapling, point to certificate chain +ssl_stapling on; +ssl_stapling_verify on; diff --git a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2 b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2 new file mode 100644 index 0000000..b479c14 --- /dev/null +++ b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2 @@ -0,0 +1,12 @@ +# {{ ansible_managed }} + +# Listen for IPv4 and IPv6 with HTTP2 +listen 80 http2; +listen [::]:80 http2; + +# Hide NGINX version +server_tokens off; + +# Reverse Proxy Adm +set_real_ip_from 10.128.0.0/16; +real_ip_header P-Real-Ip; From af07bb7c0afad053ebca1654d4e4e585319a46f5 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Thu, 14 Mar 2019 11:53:55 +0100 Subject: [PATCH 034/297] Better SSL conf --- .../templates/nginx/snippets/proxy-common-ssl.conf.j2 | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 index 1385eb0..3c670a1 100644 --- a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 +++ b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 
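Review bot: `real_ip_header P-Real-Ip;` in proxy-common-ssl.conf.j2 names a header no standard proxy sets; the conventional one is `X-Real-IP` (or `X-Forwarded-For` with `real_ip_recursive on`). If the admin-side proxy sends `X-Real-IP`, this directive never fires and every access log, rate limit and fail2ban rule on this host sees a 10.128.x.x address instead of the client, so confirm which header the front proxy actually emits and match it. Separately, `ssl_stapling_verify on` without a `resolver` (and typically `ssl_trusted_certificate`) makes nginx log a warning at startup and serve no OCSP response at all; add `resolver <ip> valid=300s;` next to it. The same real-IP directives are duplicated in proxy-common.conf.j2 and should be changed together.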
@@ -14,10 +14,13 @@ real_ip_header P-Real-Ip; # SSL ssl on; ssl_session_timeout 5m; -ssl_ciphers "HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!DES:!3DES"; -ssl_prefer_server_ciphers off; +ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256-GCM-SHA256:!AES256-GCM-SHA128:!aNULL:!MD5"; +ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; +# Use more secure ECDH curve +ssl_ecdh_curve secp521r1:secp384r1; + # In buster we will be able to use TLSv1.3 ssl_protocols TLSv1.2; From fb11981e8a932e1133f286755d036cf552f965dd Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Thu, 14 Mar 2019 12:25:27 +0100 Subject: [PATCH 035/297] Follow Mozilla guidelines --- .../nginx/snippets/proxy-common-ssl.conf.j2 | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 index 3c670a1..50f4977 100644 --- a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 +++ b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 
@@ -11,22 +11,22 @@ server_tokens off; set_real_ip_from 10.128.0.0/16; real_ip_header P-Real-Ip; -# SSL +# SSL based on https://mozilla.github.io/server-side-tls/ssl-config-generator/ ssl on; -ssl_session_timeout 5m; -ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256-GCM-SHA256:!AES256-GCM-SHA128:!aNULL:!MD5"; +ssl_session_timeout 1d; +ssl_session_cache shared:SSL:50m; +ssl_session_tickets off; +ssl_protocols TLSv1.2; +ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"; ssl_prefer_server_ciphers on; -ssl_session_cache shared:SSL:10m; +add_header Strict-Transport-Security max-age=15768000; + +# OCSP Stapling, +ssl_stapling on; +ssl_stapling_verify on; # Use more secure ECDH curve ssl_ecdh_curve secp521r1:secp384r1; -# In buster we will be able to use TLSv1.3 -ssl_protocols TLSv1.2; - # Executer "cd /etc/ssl/certs; openssl dhparam -out dhparam.pem 4096" avant d'activer ssl_dhparam /etc/ssl/certs/dhparam.pem; - -# Enable OCSP Stapling, point to certificate chain -ssl_stapling on; -ssl_stapling_verify on; From 221be360851101a1e0c0096335d7475335938ccd Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Thu, 14 Mar 2019 15:45:19 +0100 Subject: [PATCH 036/297] Fail2ban by default --- roles/basesecurity/handlers/main.yml | 10 +++++++ roles/basesecurity/tasks/main.yml | 28 +++++++++++++++++-- .../templates/fail2ban/jail.d/local.conf.j2 | 9 ++++++ 3 files changed, 45 insertions(+), 2 deletions(-) create mode 100644 roles/basesecurity/handlers/main.yml create mode 100644 roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2 diff --git a/roles/basesecurity/handlers/main.yml b/roles/basesecurity/handlers/main.yml new file mode 100644 index 0000000..4891585 --- /dev/null 
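Review bot: `add_header Strict-Transport-Security max-age=15768000;` in proxy-common-ssl.conf.j2 is only attached to 2xx/3xx responses, and nginx drops every inherited add_header as soon as a server or location block declares its own (for example a vhost that sets CSP), so HSTS silently disappears exactly where it matters. Write `add_header Strict-Transport-Security "max-age=15768000" always;` and note that any vhost adding its own headers has to repeat it. `ssl on;` is deprecated now that `listen ... ssl` carries the flag and can simply be removed. The `ssl_ecdh_curve secp521r1:secp384r1;` line kept from the previous commit leaves out X25519 and prime256v1, which does not look like what the referenced Mozilla generator emits — worth checking that it was intentional.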
+++ b/roles/basesecurity/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: Restart sshd service + service: + name: sshd + state: restarted + +- name: Restart fail2ban service + service: + name: fail2ban + state: restarted diff --git a/roles/basesecurity/tasks/main.yml b/roles/basesecurity/tasks/main.yml index d21ad5e..501bf4a 100644 --- a/roles/basesecurity/tasks/main.yml +++ b/roles/basesecurity/tasks/main.yml @@ -1,8 +1,8 @@ --- - name: Configure sysctl template: - src: 'sysctl.d/local.conf.j2' - dest: '/etc/sysctl.d/local.conf' + src: sysctl.d/local.conf.j2 + dest: /etc/sysctl.d/local.conf mode: 0644 # Use this command to list setuid or setgid executables @@ -23,3 +23,27 @@ - /bin/mount # Only root should mount - /bin/umount # Only root should umount ignore_errors: true # Sometimes file won't exist + +# Only SSH keys to log on root +- name: Prohibit root SSH with password + lineinfile: + dest: /etc/ssh/sshd_config + regexp: '^PermitRootLogin' + insertafter: '^#PermitRootLogin' + line: 'PermitRootLogin prohibit-password' + notify: Restart sshd service + +# See banned client with `fail2ban-client status sshd` +- name: Install fail2ban + apt: + name: fail2ban + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Configure fail2ban + template: + src: fail2ban/jail.d/local.conf.j2 + dest: /etc/fail2ban/jail.d/local.conf + mode: 0644 + notify: Restart fail2ban service diff --git a/roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2 b/roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2 new file mode 100644 index 0000000..cddbecd --- /dev/null +++ b/roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2 @@ -0,0 +1,9 @@ +# {{ ansible_managed }} + +# Ban a host for 10mn +# if it has failed 5 times during the last 10mn +[sshd] +enabled = true +bantime = 600 +findtime = 600 +maxretry = 5 From a3b7cf6270b5fb2fca0f8183bb77041b226d5180 Mon Sep 17 00:00:00 2001 
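Review bot: The `Prohibit root SSH with password` task relies on `insertafter: '^#PermitRootLogin'`, and lineinfile falls back to appending at end of file when that pattern is absent; in sshd_config an appended line lands inside any trailing `Match` block and then applies only to that block, which is an easy way to believe root password logins are off when they are not. Debian's stock file carries the commented line, so this only bites on already-edited hosts, but `insertbefore: BOF` is safer than the EOF fallback. The fail2ban jail is a reasonable baseline; with `bantime = 600` and `findtime = 600` it only slows a patient brute force (four attempts per ten minutes is never banned), so consider a longer bantime or, better, `PasswordAuthentication no` once all admins use keys.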
From: Alexandre Iooss Date: Sat, 16 Mar 2019 21:10:00 +0100 Subject: [PATCH 037/297] Hotfix HTTP --- .../templates/nginx/snippets/proxy-common.conf.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2 b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2 index b479c14..6ac4acb 100644 --- a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2 +++ b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2 @@ -1,8 +1,8 @@ # {{ ansible_managed }} -# Listen for IPv4 and IPv6 with HTTP2 -listen 80 http2; -listen [::]:80 http2; +# Listen for IPv4 and IPv6 +listen 80; +listen [::]:80; # Hide NGINX version server_tokens off; From 724db5f8c82e665bcc6c8350a1709841b1b9dca0 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 16 Mar 2019 22:06:50 +0100 Subject: [PATCH 038/297] Configure SSH and add debsums --- roles/basesecurity/tasks/main.yml | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/roles/basesecurity/tasks/main.yml b/roles/basesecurity/tasks/main.yml index 501bf4a..4fc922e 100644 --- a/roles/basesecurity/tasks/main.yml +++ b/roles/basesecurity/tasks/main.yml @@ -28,9 +28,14 @@ - name: Prohibit root SSH with password lineinfile: dest: /etc/ssh/sshd_config - regexp: '^PermitRootLogin' - insertafter: '^#PermitRootLogin' - line: 'PermitRootLogin prohibit-password' + regexp: '^{{ item.0 }}' + insertafter: '^#{{ item.0 }}' + line: '{{ item.0 }} {{ item.1 }}' + loop: + - ["PermitRootLogin", "prohibit-password"] + - ["AllowAgentForwarding", "no"] + - ["X11Forwarding", "no"] + - ["TCPKeepAlive", "no"] notify: Restart sshd service # See banned client with `fail2ban-client status sshd` 
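Review bot: The looped `Prohibit root SSH with password` task still writes /etc/ssh/sshd_config without a `validate:` and then restarts sshd through the handler, so a typo in any of the four `line:` values (or a directive unknown to the target's OpenSSH) takes the daemon down and locks the operator out of every host in the run. Add `validate: '/usr/sbin/sshd -t -f %s'` to the `lineinfile:` arguments; sshd then checks the candidate file before it replaces the real one and the task fails instead of the service. The task name no longer describes what it does now that it sets four directives — `Harden sshd configuration` would be more accurate.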
@@ -47,3 +52,11 @@ dest: /etc/fail2ban/jail.d/local.conf mode: 0644 notify: Restart fail2ban service + +# See altered packages and configurations with `debsums -ca` +- name: Install debsums + apt: + name: debsums + register: apt_result + retries: 3 + until: apt_result is succeeded From 3198a50c933d3b546614cf939fd693b4fb76dae5 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 17 Mar 2019 10:42:43 +0100 Subject: [PATCH 039/297] Changed URL to make the Webhooks appservice work --- roles/matrix-appservice-webhooks/templates/config.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-appservice-webhooks/templates/config.yaml.j2 b/roles/matrix-appservice-webhooks/templates/config.yaml.j2 index 59a3139..8be6b99 100644 --- a/roles/matrix-appservice-webhooks/templates/config.yaml.j2 +++ b/roles/matrix-appservice-webhooks/templates/config.yaml.j2 @@ -3,7 +3,7 @@ # Configuration specific to the application service. All fields (unless otherwise marked) are required. homeserver: # The domain for the client-server API calls. - url: "http://auro.re" + url: "http://localhost:8008" # The domain part for user IDs on this home server. Usually, but not always, this is the same as the # home server's URL. @@ -26,7 +26,7 @@ provisioning: # Configuration related to the web portion of the bridge. Handles the inbound webhooks web: - hookUrlBase: 'http://localhost:9000/' + hookUrlBase: 'http://synapse.adm.auro.re:9000/' logging: file: logs/webhook.log From 9c5f021fd6a2df05856428fcd2a4ed19f445f490 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 18 Mar 2019 18:49:35 +0100 Subject: [PATCH 040/297] Add Pacaterie to inventory --- hosts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts b/hosts index 29a038a..d3934c3 100644 --- a/hosts +++ b/hosts 
@@ -38,9 +38,9 @@ re2o-test.adm.auro.re #ldap-replica-fleming2.adm.auro.re [pacaterie-pve] -#merlin.adm.auro.re -#leodagan.adm.auro.re -#mordred.adm.auro.re +merlin.adm.auro.re +leodagan.adm.auro.re +mordred.adm.auro.re # everything at ovh [ovh:children] From bd229fb11ed90f45e2ad1019aedc411d0bbb5c13 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 23 Mar 2019 12:52:25 +0100 Subject: [PATCH 041/297] Update matrix-appservice-discord config --- roles/matrix-appservice-discord/templates/apt/nodejs.j2 | 5 ----- roles/matrix-appservice-discord/templates/config.yaml.j2 | 2 +- 2 files changed, 1 insertion(+), 6 deletions(-) delete mode 100644 roles/matrix-appservice-discord/templates/apt/nodejs.j2 diff --git a/roles/matrix-appservice-discord/templates/apt/nodejs.j2 b/roles/matrix-appservice-discord/templates/apt/nodejs.j2 deleted file mode 100644 index 65e5110..0000000 --- a/roles/matrix-appservice-discord/templates/apt/nodejs.j2 +++ /dev/null @@ -1,5 +0,0 @@ -# {{ ansible_managed }} - -Package: node* libuv1* -Pin: release a=stretch-backports -Pin-Priority: 600 diff --git a/roles/matrix-appservice-discord/templates/config.yaml.j2 b/roles/matrix-appservice-discord/templates/config.yaml.j2 index 64e17dd..9974565 100644 --- a/roles/matrix-appservice-discord/templates/config.yaml.j2 +++ b/roles/matrix-appservice-discord/templates/config.yaml.j2 @@ -54,7 +54,7 @@ database: room: # Set the default visibility of alias rooms, defaults to "public". # One of: "public", "private" - defaultVisibility: "public" + defaultVisibility: "private" channel: # Pattern of the name given to bridged rooms. # Can use :guild for the guild name and :name for the channel name. From 01ad50ef951da0175623a52bfa13b9ca30814646 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 23 Mar 2019 13:00:18 +0100 Subject: [PATCH 042/297] Whitelist proxy --- roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2 | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2 b/roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2 index cddbecd..844ace1 100644 --- a/roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2 +++ b/roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2 @@ -7,3 +7,6 @@ enabled = true bantime = 600 findtime = 600 maxretry = 5 + +# Whitelist bastion +ignoreip = 10.128.0.254 From 489bb5ddcf953f54942cf334ccb5da94a0234f4b Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 23 Mar 2019 13:49:53 +0100 Subject: [PATCH 043/297] sudo group by location --- group_vars/pacaterie/sudo_location_group.yml | 3 +++ roles/ldap-client/tasks/1_group_security.yml | 10 +++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 group_vars/pacaterie/sudo_location_group.yml diff --git a/group_vars/pacaterie/sudo_location_group.yml b/group_vars/pacaterie/sudo_location_group.yml new file mode 100644 index 0000000..6244736 --- /dev/null +++ b/group_vars/pacaterie/sudo_location_group.yml @@ -0,0 +1,3 @@ +--- +# Users in that group will be able to `sudo` +sudo_group_location: 'sudopacaterie' diff --git a/roles/ldap-client/tasks/1_group_security.yml b/roles/ldap-client/tasks/1_group_security.yml index 13e3261..9e01f03 100644 --- a/roles/ldap-client/tasks/1_group_security.yml +++ b/roles/ldap-client/tasks/1_group_security.yml @@ -16,8 +16,16 @@ until: package_result is succeeded # Set sudo group -- name: Configure sudoers +- name: Configure sudoers sudo group lineinfile: dest: /etc/sudoers regexp: "^%{{ sudo_group }}" line: "%{{ sudo_group }} ALL=(ALL:ALL) ALL" + +# Set sudo location group +- name: Configure sudoers sudo location group + lineinfile: + dest: /etc/sudoers + regexp: "^%{{ sudo_group_location }}" + line: "%{{ sudo_group_location }} ALL=(ALL:ALL) ALL" + when: sudo_group_location is defined From 8463f1cf9634654c4eb00e2b93da9c18a546b435 Mon Sep 17 00:00:00 2001 
From: Hadrien Patte Date: Sat, 23 Mar 2019 19:10:56 +0100 Subject: [PATCH 044/297] Feat: use ini_file module Signed-off-by: Hadrien Patte --- roles/baseconfig/tasks/apt-listchanges.yml | 25 +++++++++++----- roles/basesecurity/tasks/main.yml | 30 ++++++++++++++++--- .../templates/fail2ban/jail.d/local.conf.j2 | 12 -------- 3 files changed, 43 insertions(+), 24 deletions(-) delete mode 100644 roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2 diff --git a/roles/baseconfig/tasks/apt-listchanges.yml b/roles/baseconfig/tasks/apt-listchanges.yml index ddfebb7..ec68e1f 100644 --- a/roles/baseconfig/tasks/apt-listchanges.yml +++ b/roles/baseconfig/tasks/apt-listchanges.yml @@ -12,11 +12,20 @@ # Send email when there is something new - name: Configure apt-listchanges - lineinfile: - dest: /etc/apt/listchanges.conf - regexp: "^{{ item.key }}=" - line: "{{ item.value }}" - with_dict: - confirm: 'confirm=true' - email_address: "email_address={{ monitoring_mail }}" - which: 'which=both' + ini_file: + path: /etc/apt/listchanges.conf + no_extra_spaces: true + section: apt + option: "{{ item.option }}" + value: "{{ item.value }}" + state: present + loop: + - option: confirm + value: "true" + + - option: email_address + value: "{{ monitoring_mail }}" + + - option: which + value: both +... diff --git a/roles/basesecurity/tasks/main.yml b/roles/basesecurity/tasks/main.yml index 4fc922e..a08b869 100644 --- a/roles/basesecurity/tasks/main.yml +++ b/roles/basesecurity/tasks/main.yml 
@@ -47,11 +47,33 @@ until: apt_result is succeeded - name: Configure fail2ban - template: - src: fail2ban/jail.d/local.conf.j2 - dest: /etc/fail2ban/jail.d/local.conf - mode: 0644 + ini_file: + path: /etc/fail2ban/jail.d/local.conf + section: "{{ item.section }}" + option: "{{ item.option }}" + value: "{{ item.value }}" + state: present notify: Restart fail2ban service + loop: + - section: DEFAULT + option: ignoreip + value: 10.128.0.254 # Whitelist bastion + + - section: sshd + option: enabled + value: "true" + + - section: sshd + option: bantime + value: 600 + + - section: sshd + option: findtime + value: 600 + + - section: sshd + option: maxretry + value: 5 # See altered packages and configurations with `debsums -ca` - name: Install debsums diff --git a/roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2 b/roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2 deleted file mode 100644 index 844ace1..0000000 --- a/roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2 +++ /dev/null @@ -1,12 +0,0 @@ -# {{ ansible_managed }} - -# Ban a host for 10mn -# if it has failed 5 times during the last 10mn -[sshd] -enabled = true -bantime = 600 -findtime = 600 -maxretry = 5 - -# Whitelist bastion -ignoreip = 10.128.0.254 From 5551fb5c16186b9acee3a9455c44b44dfa02e387 Mon Sep 17 00:00:00 2001 From: Hadrien Patte Date: Sat, 23 Mar 2019 19:13:02 +0100 Subject: [PATCH 045/297] Fix: remove unnecessary quotes 
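Review bot: The replacement `ini_file` task drops the `mode: 0644` that the removed `template` task set, so when /etc/fail2ban/jail.d/local.conf is first created its permissions follow the remote umask instead of being pinned by the role; add `mode: 0644` alongside `path:` to keep the previous guarantee. The values are otherwise handled safely: `enabled` is quoted as `"true"` so it reaches fail2ban as the string it expects, and the integer `bantime`/`findtime`/`maxretry` values are written as-is by `ini_file`. Moving `ignoreip` to `DEFAULT` is also fine since the bastion whitelist then applies to any jail added later, not only `[sshd]`.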
Signed-off-by: Hadrien Patte --- roles/baseconfig/tasks/main.yml | 8 ++++---- roles/codimd/tasks/0_apt_dependencies.yml | 2 +- roles/codimd/tasks/main.yml | 4 ++-- roles/ldap-client/handlers/main.yml | 2 +- roles/ldap-client/tasks/1_group_security.yml | 8 ++++---- roles/ldap-client/tasks/2_userland_scripts.yml | 2 +- roles/ldap-replica/tasks/main.yml | 6 +++--- roles/matrix-appservice-discord/tasks/main.yml | 4 ++-- roles/matrix-appservice-irc/tasks/main.yml | 4 ++-- roles/matrix-appservice-webhooks/tasks/main.yml | 4 ++-- roles/matrix-riot/tasks/main.yml | 2 +- roles/nginx-reverse-proxy/tasks/main.yml | 10 +++++----- 12 files changed, 28 insertions(+), 28 deletions(-) diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml index 447b046..9cc21b1 100644 --- a/roles/baseconfig/tasks/main.yml +++ b/roles/baseconfig/tasks/main.yml @@ -23,8 +23,8 @@ # Pimp my server - name: Customize motd copy: - src: 'update-motd.d/00-logo' - dest: '/etc/update-motd.d/00-logo' + src: update-motd.d/00-logo + dest: /etc/update-motd.d/00-logo mode: 0755 # Configure APT mirrors on Debian Stretch @@ -33,8 +33,8 @@ - ansible_distribution == 'Debian' - ansible_distribution_release == 'stretch' template: - src: 'apt/sources.list.j2' - dest: '/etc/apt/sources.list' + src: apt/sources.list.j2 + dest: /etc/apt/sources.list mode: 0644 # Patriotisme diff --git a/roles/codimd/tasks/0_apt_dependencies.yml b/roles/codimd/tasks/0_apt_dependencies.yml index 0fcacfb..76646e6 100644 --- a/roles/codimd/tasks/0_apt_dependencies.yml +++ b/roles/codimd/tasks/0_apt_dependencies.yml @@ -18,7 +18,7 @@ - name: Configure Yarn repository apt_repository: - repo: "deb https://dl.yarnpkg.com/debian/ stable main" + repo: deb https://dl.yarnpkg.com/debian/ stable main # Install CodiMD dependencies - name: Install required packages diff --git a/roles/codimd/tasks/main.yml b/roles/codimd/tasks/main.yml index f3b349f..f176b95 100644 --- a/roles/codimd/tasks/main.yml +++ b/roles/codimd/tasks/main.yml 
@@ -47,8 +47,8 @@ # Service file - name: Install CodiMD systemd unit template: - src: 'systemd/codimd.service.j2' - dest: '/etc/systemd/system/codimd.service' + src: systemd/codimd.service.j2 + dest: /etc/systemd/system/codimd.service owner: root group: root mode: 0644 diff --git a/roles/ldap-client/handlers/main.yml b/roles/ldap-client/handlers/main.yml index b233281..f0f3111 100644 --- a/roles/ldap-client/handlers/main.yml +++ b/roles/ldap-client/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: Reconfigure libnss-ldapd package - command: 'dpkg-reconfigure libnss-ldapd -f noninteractive' + command: dpkg-reconfigure libnss-ldapd -f noninteractive - name: Restart nslcd service service: diff --git a/roles/ldap-client/tasks/1_group_security.yml b/roles/ldap-client/tasks/1_group_security.yml index 9e01f03..d9bf2cb 100644 --- a/roles/ldap-client/tasks/1_group_security.yml +++ b/roles/ldap-client/tasks/1_group_security.yml @@ -3,8 +3,8 @@ - name: Filter SSH on groups lineinfile: dest: /etc/ssh/sshd_config - regexp: '^AllowGroups' - line: "AllowGroups root sudoldap aurore ssh" + regexp: ^AllowGroups + line: AllowGroups root sudoldap aurore ssh # To gain root access with ldap rights - name: Install SUDO package @@ -19,13 +19,13 @@ - name: Configure sudoers sudo group lineinfile: dest: /etc/sudoers - regexp: "^%{{ sudo_group }}" + regexp: ^%{{ sudo_group }} line: "%{{ sudo_group }} ALL=(ALL:ALL) ALL" # Set sudo location group - name: Configure sudoers sudo location group lineinfile: dest: /etc/sudoers - regexp: "^%{{ sudo_group_location }}" + regexp: ^%{{ sudo_group_location }} line: "%{{ sudo_group_location }} ALL=(ALL:ALL) ALL" when: sudo_group_location is defined diff --git a/roles/ldap-client/tasks/2_userland_scripts.yml b/roles/ldap-client/tasks/2_userland_scripts.yml index 34d0098..4799765 100644 --- a/roles/ldap-client/tasks/2_userland_scripts.yml +++ b/roles/ldap-client/tasks/2_userland_scripts.yml 
@@ -3,7 +3,7 @@ - name: Copy passwd and chsh scripts template: src: "{{ item }}.j2" - dest: "/usr/local/bin/{{ item }}" + dest: /usr/local/bin/{{ item }} mode: 0755 with_items: - chsh diff --git a/roles/ldap-replica/tasks/main.yml b/roles/ldap-replica/tasks/main.yml index 45f99c5..bb31e09 100644 --- a/roles/ldap-replica/tasks/main.yml +++ b/roles/ldap-replica/tasks/main.yml @@ -43,7 +43,7 @@ # Install schema as root # We can't do a `become_user` here - name: Install LDAP schema - command: 'slapadd -n 0 -l /etc/ldap/schema.ldiff -F /etc/ldap/slapd.d' + command: slapadd -n 0 -l /etc/ldap/schema.ldiff -F /etc/ldap/slapd.d # then fix permissions - name: Fix permissions @@ -53,8 +53,8 @@ group: openldap recurse: true with_items: - - '/var/lib/ldap' - - '/etc/ldap/slapd.d' + - /var/lib/ldap + - /etc/ldap/slapd.d # Save the day - name: Start LDAP server diff --git a/roles/matrix-appservice-discord/tasks/main.yml b/roles/matrix-appservice-discord/tasks/main.yml index f043ae3..d4f4cb5 100644 --- a/roles/matrix-appservice-discord/tasks/main.yml +++ b/roles/matrix-appservice-discord/tasks/main.yml @@ -44,8 +44,8 @@ # Service file - name: Install matrix-appservice-discord systemd unit template: - src: 'systemd/matrix-appservice-discord.service.j2' - dest: '/etc/systemd/system/matrix-appservice-discord.service' + src: systemd/matrix-appservice-discord.service.j2 + dest: /etc/systemd/system/matrix-appservice-discord.service owner: root group: root mode: 0644 diff --git a/roles/matrix-appservice-irc/tasks/main.yml b/roles/matrix-appservice-irc/tasks/main.yml index 54c8394..5db1c1b 100644 --- a/roles/matrix-appservice-irc/tasks/main.yml +++ b/roles/matrix-appservice-irc/tasks/main.yml 
@@ -33,8 +33,8 @@ # Service file - name: Install matrix-appservice-irc systemd unit template: - src: 'systemd/matrix-appservice-irc.service.j2' - dest: '/etc/systemd/system/matrix-appservice-irc.service' + src: systemd/matrix-appservice-irc.service.j2 + dest: /etc/systemd/system/matrix-appservice-irc.service owner: root group: root mode: 0644 diff --git a/roles/matrix-appservice-webhooks/tasks/main.yml b/roles/matrix-appservice-webhooks/tasks/main.yml index 7cf9e02..a0b9e43 100644 --- a/roles/matrix-appservice-webhooks/tasks/main.yml +++ b/roles/matrix-appservice-webhooks/tasks/main.yml @@ -33,8 +33,8 @@ # Service file - name: Install matrix-appservice-webhooks systemd unit template: - src: 'systemd/matrix-appservice-webhooks.service.j2' - dest: '/etc/systemd/system/matrix-appservice-webhooks.service' + src: systemd/matrix-appservice-webhooks.service.j2 + dest: /etc/systemd/system/matrix-appservice-webhooks.service owner: root group: root mode: 0644 diff --git a/roles/matrix-riot/tasks/main.yml b/roles/matrix-riot/tasks/main.yml index 04be56f..8b83ef1 100644 --- a/roles/matrix-riot/tasks/main.yml +++ b/roles/matrix-riot/tasks/main.yml @@ -11,7 +11,7 @@ # Add the repository into source list - name: Configure riot repository apt_repository: - repo: "deb https://riot.im/packages/debian/ {{ ansible_distribution_release }} main" + repo: deb https://riot.im/packages/debian/ {{ ansible_distribution_release }} main # Add the key - name: Configure the apt key diff --git a/roles/nginx-reverse-proxy/tasks/main.yml b/roles/nginx-reverse-proxy/tasks/main.yml index c646a23..a570a9f 100644 --- a/roles/nginx-reverse-proxy/tasks/main.yml +++ b/roles/nginx-reverse-proxy/tasks/main.yml @@ -13,8 +13,8 @@ # Install proxy snippets - name: Configure NGINX proxy snippets template: - src: "nginx/snippets/{{ item }}.j2" - dest: "/etc/nginx/snippets/{{ item }}" + src: nginx/snippets/{{ item }}.j2 + dest: /etc/nginx/snippets/{{ item }} mode: 0644 loop: - proxy-common.conf 
@@ -25,7 +25,7 @@ - name: Configure NGINX sites template: src: nginx/nginx-sites-available.j2 - dest: "/etc/nginx/sites-available/{{ item.name }}" + dest: /etc/nginx/sites-available/{{ item.name }} mode: 0644 loop: "{{ reversed_proxy_subdomains }}" notify: Reload NGINX service @@ -40,8 +40,8 @@ # Activate sites - name: Activate sites file: - src: "/etc/nginx/sites-available/{{ item.name }}" - dest: "/etc/nginx/sites-enabled/{{ item.name }}" + src: /etc/nginx/sites-available/{{ item.name }} + dest: /etc/nginx/sites-enabled/{{ item.name }} state: link loop: "{{ reversed_proxy_subdomains }}" notify: Reload NGINX service From e4a60341c54f5dcafdae9644ab6f2fed981358ec Mon Sep 17 00:00:00 2001 From: Hadrien Patte Date: Sat, 23 Mar 2019 19:13:41 +0100 Subject: [PATCH 046/297] Feat: simplify one item lists Signed-off-by: Hadrien Patte --- roles/baseconfig/tasks/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml index 9cc21b1..59cd77b 100644 --- a/roles/baseconfig/tasks/main.yml +++ b/roles/baseconfig/tasks/main.yml @@ -50,8 +50,7 @@ question: locales/default_environment_locale value: fr_FR.UTF-8 vtype: select - notify: - - Reconfigure locales + notify: Reconfigure locales # Molly-Guard : prevent accidental shutdowns - include_tasks: molly-guard.yml From 737ca7b9965f7c44b3e032372a76d57844990e3a Mon Sep 17 00:00:00 2001 From: Hadrien Patte Date: Sat, 23 Mar 2019 19:25:04 +0100 Subject: [PATCH 047/297] Feat: add state 
Signed-off-by: Hadrien Patte --- roles/basesecurity/tasks/main.yml | 2 ++ roles/codimd/tasks/0_apt_dependencies.yml | 8 ++++++-- roles/dokuwiki/tasks/main.yml | 3 ++- roles/etherpad/tasks/main.yml | 3 ++- roles/ldap-client/tasks/0_install_ldap.yml | 3 ++- roles/ldap-client/tasks/1_group_security.yml | 3 +++ roles/matrix-mxisd/tasks/main.yml | 1 + roles/matrix-riot/tasks/main.yml | 9 +++++++-- roles/matrix-synapse/tasks/main.yml | 3 ++- roles/nginx-reverse-proxy/tasks/main.yml | 3 ++- roles/nodejs/tasks/main.yml | 3 ++- 11 files changed, 31 insertions(+), 10 deletions(-) diff --git a/roles/basesecurity/tasks/main.yml b/roles/basesecurity/tasks/main.yml index a08b869..6ff69e8 100644 --- a/roles/basesecurity/tasks/main.yml +++ b/roles/basesecurity/tasks/main.yml @@ -42,6 +42,7 @@ - name: Install fail2ban apt: name: fail2ban + state: present register: apt_result retries: 3 until: apt_result is succeeded @@ -79,6 +80,7 @@ - name: Install debsums apt: name: debsums + state: present register: apt_result retries: 3 until: apt_result is succeeded diff --git a/roles/codimd/tasks/0_apt_dependencies.yml b/roles/codimd/tasks/0_apt_dependencies.yml index 76646e6..c698390 100644 --- a/roles/codimd/tasks/0_apt_dependencies.yml +++ b/roles/codimd/tasks/0_apt_dependencies.yml @@ -2,8 +2,9 @@ # For HTTPS apt - name: Install HTTPS apt apt: - name: apt-transport-https update_cache: true + name: apt-transport-https + state: present register: apt_result retries: 3 until: apt_result is succeeded @@ -12,6 +13,7 @@ apt_key: url: https://dl.yarnpkg.com/debian/pubkey.gpg id: 1646B01B86E50310 + state: present register: apt_key_result retries: 3 until: apt_key_result is succeeded 
@@ -19,12 +21,14 @@ - name: Configure Yarn repository apt_repository: repo: deb https://dl.yarnpkg.com/debian/ stable main + state: present # Install CodiMD dependencies - name: Install required packages apt: - name: yarn update_cache: true + name: yarn + state: present register: apt_result retries: 3 until: apt_result is succeeded diff --git a/roles/dokuwiki/tasks/main.yml b/roles/dokuwiki/tasks/main.yml index 4e1722f..76321ba 100644 --- a/roles/dokuwiki/tasks/main.yml +++ b/roles/dokuwiki/tasks/main.yml @@ -22,8 +22,9 @@ # Install - name: Install DokuWiki apt: - name: dokuwiki update_cache: true + name: dokuwiki + state: present register: apt_result retries: 3 until: apt_result is succeeded diff --git a/roles/etherpad/tasks/main.yml b/roles/etherpad/tasks/main.yml index ab5e3b1..21667ec 100644 --- a/roles/etherpad/tasks/main.yml +++ b/roles/etherpad/tasks/main.yml @@ -2,8 +2,9 @@ # Install EtherPad dependencies - name: Install required packages apt: - name: curl update_cache: true + name: curl + state: present register: apt_result retries: 3 until: apt_result is succeeded diff --git a/roles/ldap-client/tasks/0_install_ldap.yml b/roles/ldap-client/tasks/0_install_ldap.yml index 5905d4a..31665cc 100644 --- a/roles/ldap-client/tasks/0_install_ldap.yml +++ b/roles/ldap-client/tasks/0_install_ldap.yml @@ -2,11 +2,12 @@ # Install LDAP client packages - name: Install LDAP client packages apt: + update_cache: true name: - nslcd - libnss-ldapd - libpam-ldapd - update_cache: true + state: present register: apt_result retries: 3 until: apt_result is succeeded diff --git a/roles/ldap-client/tasks/1_group_security.yml b/roles/ldap-client/tasks/1_group_security.yml index d9bf2cb..607dce7 100644 --- a/roles/ldap-client/tasks/1_group_security.yml +++ b/roles/ldap-client/tasks/1_group_security.yml 
@@ -5,6 +5,7 @@ dest: /etc/ssh/sshd_config regexp: ^AllowGroups line: AllowGroups root sudoldap aurore ssh + state: present # To gain root access with ldap rights - name: Install SUDO package @@ -21,6 +22,7 @@ dest: /etc/sudoers regexp: ^%{{ sudo_group }} line: "%{{ sudo_group }} ALL=(ALL:ALL) ALL" + state: present # Set sudo location group - name: Configure sudoers sudo location group @@ -28,4 +30,5 @@ dest: /etc/sudoers regexp: ^%{{ sudo_group_location }} line: "%{{ sudo_group_location }} ALL=(ALL:ALL) ALL" + state: present when: sudo_group_location is defined diff --git a/roles/matrix-mxisd/tasks/main.yml b/roles/matrix-mxisd/tasks/main.yml index 422243f..ad40117 100644 --- a/roles/matrix-mxisd/tasks/main.yml +++ b/roles/matrix-mxisd/tasks/main.yml @@ -2,6 +2,7 @@ - name: Install mxisd apt: deb: "{{ mxisd_deb }}" + state: present register: apt_result retries: 3 until: apt_result is succeeded diff --git a/roles/matrix-riot/tasks/main.yml b/roles/matrix-riot/tasks/main.yml index 8b83ef1..2214777 100644 --- a/roles/matrix-riot/tasks/main.yml +++ b/roles/matrix-riot/tasks/main.yml @@ -2,8 +2,9 @@ # Install HTTPS support for APT - name: Install apt-transport-https apt: - name: apt-transport-https update_cache: true + name: apt-transport-https + state: present register: apt_result retries: 3 until: apt_result is succeeded @@ -12,12 +13,14 @@ - name: Configure riot repository apt_repository: repo: deb https://riot.im/packages/debian/ {{ ansible_distribution_release }} main + state: present # Add the key - name: Configure the apt key apt_key: url: https://riot.im/packages/debian/repo-key.asc id: E019645248E8F4A1 + state: present register: apt_key_result retries: 3 until: apt_key_result is succeeded @@ -25,8 +28,9 @@ # Install riot - name: Install riot-web apt: - name: riot-web update_cache: true + name: riot-web + state: present register: apt_result retries: 3 until: apt_result is succeeded 
@@ -35,6 +39,7 @@ - name: Install nginx apt: name: nginx + state: present register: apt_result retries: 3 until: apt_result is succeeded diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml index 196611f..91b66c8 100644 --- a/roles/matrix-synapse/tasks/main.yml +++ b/roles/matrix-synapse/tasks/main.yml @@ -1,8 +1,9 @@ --- - name: Install matrix-synapse apt: - name: matrix-synapse update_cache: true + name: matrix-synapse + state: present default_release: stretch-backports register: apt_result retries: 3 diff --git a/roles/nginx-reverse-proxy/tasks/main.yml b/roles/nginx-reverse-proxy/tasks/main.yml index a570a9f..aac1af3 100644 --- a/roles/nginx-reverse-proxy/tasks/main.yml +++ b/roles/nginx-reverse-proxy/tasks/main.yml @@ -4,8 +4,9 @@ # but also reduces the surface of attack - name: Install NGINX server apt: - name: nginx-light update_cache: true + name: nginx-light + state: present register: apt_result retries: 3 until: apt_result is succeeded diff --git a/roles/nodejs/tasks/main.yml b/roles/nodejs/tasks/main.yml index af8fe52..0f17fa8 100644 --- a/roles/nodejs/tasks/main.yml +++ b/roles/nodejs/tasks/main.yml @@ -10,11 +10,12 @@ - name: Install required packages apt: + update_cache: true name: - nodejs - npm - build-essential # To build npm packages - update_cache: true + state: present register: apt_result retries: 3 until: apt_result is succeeded From 8a48110c2157af36e9023804b4c9f390d14e5000 Mon Sep 17 00:00:00 2001 From: Hadrien Patte Date: Sat, 23 Mar 2019 19:42:09 +0100 Subject: [PATCH 048/297] Feat: add validate for sudoers Signed-off-by: Hadrien Patte --- roles/ldap-client/tasks/1_group_security.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/ldap-client/tasks/1_group_security.yml b/roles/ldap-client/tasks/1_group_security.yml index 607dce7..8477ac4 100644 --- a/roles/ldap-client/tasks/1_group_security.yml +++ b/roles/ldap-client/tasks/1_group_security.yml 
@@ -23,6 +23,7 @@ regexp: ^%{{ sudo_group }} line: "%{{ sudo_group }} ALL=(ALL:ALL) ALL" state: present + validate: /usr/sbin/visudo -cf %s # Set sudo location group - name: Configure sudoers sudo location group @@ -31,4 +32,5 @@ regexp: ^%{{ sudo_group_location }} line: "%{{ sudo_group_location }} ALL=(ALL:ALL) ALL" state: present + validate: /usr/sbin/visudo -cf %s when: sudo_group_location is defined From c20d4fbf1886d9f83612fa1101dce5434f192b82 Mon Sep 17 00:00:00 2001 From: Hadrien Patte Date: Sat, 23 Mar 2019 19:47:59 +0100 Subject: [PATCH 049/297] Feat: expand YAML syntax Signed-off-by: Hadrien Patte --- roles/ldap-replica/tasks/main.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/roles/ldap-replica/tasks/main.yml b/roles/ldap-replica/tasks/main.yml index bb31e09..ce19bdb 100644 --- a/roles/ldap-replica/tasks/main.yml +++ b/roles/ldap-replica/tasks/main.yml @@ -28,14 +28,18 @@ # Cry a bit - name: Remove old data - file: path={{ item }} state=absent + file: + path: "{{ item }}" + state: absent with_items: - /etc/ldap/slapd.d - /var/lib/ldap # Cry a lot - name: Recreate structure - file: path={{ item }} state=directory + file: + path: "{{ item }}" + state: directory with_items: - /etc/ldap/slapd.d - /var/lib/ldap @@ -58,4 +62,6 @@ # Save the day - name: Start LDAP server - service: name=slapd state=started + service: + name: slapd + state: started From 66f7b1061a9ed5b0f3bbfcb847bc86444c73d35b Mon Sep 17 00:00:00 2001 From: Hadrien Patte Date: Sat, 23 Mar 2019 19:49:13 +0100 Subject: [PATCH 050/297] Feat: migrate from with_X to loop Signed-off-by: Hadrien Patte --- roles/baseconfig/tasks/main.yml | 10 +++++----- roles/ldap-client/tasks/0_install_ldap.yml | 14 +++++++------- roles/ldap-client/tasks/2_userland_scripts.yml | 2 +- roles/ldap-replica/tasks/main.yml | 6 +++--- 4 files changed, 16 insertions(+), 16 deletions(-) 
diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml index 59cd77b..c3d548e 100644 --- a/roles/baseconfig/tasks/main.yml +++ b/roles/baseconfig/tasks/main.yml @@ -61,8 +61,8 @@ # User skeleton - name: Configure user skeleton copy: - src: skel/{{ item.key }} - dest: /etc/skel/{{ item.value }} - with_dict: - dot_zshrc: .zshrc - dot_zshrc.local: .zshrc.local + src: skel/dot_{{ item.key }} + dest: /etc/skel/.{{ item.value }} + loop: + - zshrc + - zshrc.local diff --git a/roles/ldap-client/tasks/0_install_ldap.yml b/roles/ldap-client/tasks/0_install_ldap.yml index 31665cc..d21bbb9 100644 --- a/roles/ldap-client/tasks/0_install_ldap.yml +++ b/roles/ldap-client/tasks/0_install_ldap.yml @@ -32,11 +32,11 @@ - name: Configure NSS to use LDAP lineinfile: dest: /etc/nsswitch.conf - regexp: "^{{ item.key }}:" - line: "{{ item.value }}" - with_dict: - passwd: 'passwd: files ldap' - group: 'group: files ldap' - shadow: 'shadow: files ldap' - sudoers: 'sudoers: files ldap' + regexp: "^{{ item }}:" + line: "{{ item }}: files ldap" + loop: + - passwd + - group + - shadow + - sudoers notify: Restart nslcd service diff --git a/roles/ldap-client/tasks/2_userland_scripts.yml b/roles/ldap-client/tasks/2_userland_scripts.yml index 4799765..fa41780 100644 --- a/roles/ldap-client/tasks/2_userland_scripts.yml +++ b/roles/ldap-client/tasks/2_userland_scripts.yml @@ -5,7 +5,7 @@ src: "{{ item }}.j2" dest: /usr/local/bin/{{ item }} mode: 0755 - with_items: + loop: - chsh - passwd diff --git a/roles/ldap-replica/tasks/main.yml b/roles/ldap-replica/tasks/main.yml index ce19bdb..914ce4e 100644 --- a/roles/ldap-replica/tasks/main.yml +++ b/roles/ldap-replica/tasks/main.yml @@ -31,7 +31,7 @@ file: path: "{{ item }}" state: absent - with_items: + loop: - /etc/ldap/slapd.d - /var/lib/ldap @@ -40,7 +40,7 @@ file: path: "{{ item }}" state: directory - with_items: + loop: - /etc/ldap/slapd.d - /var/lib/ldap 
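Review bot: In the `Configure user skeleton` hunk of roles/baseconfig/tasks/main.yml the new `loop` yields plain strings (`zshrc`, `zshrc.local`), but `src` and `dest` still reference `item.key` and `item.value`, which only existed on the former `with_dict` entries; with Ansible's default undefined-variable handling the task errors on the first item, so the skeleton files are never installed. Use the item directly: `src: skel/dot_{{ item }}` and `dest: /etc/skel/.{{ item }}`. The other three hunks in this commit (nsswitch.conf, userland scripts, ldap-replica) already switch to `{{ item }}` and need no change.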
@@ -56,7 +56,7 @@ owner: openldap group: openldap recurse: true - with_items: + loop: - /var/lib/ldap - /etc/ldap/slapd.d From bbc04d971faf6559846462ab25700c930fa3c7b9 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 24 Mar 2019 12:10:35 +0100 Subject: [PATCH 051/297] Working appservice Discord --- group_vars/all/vars.yml | 2 + group_vars/all/vault.yml | 226 +++++++++--------- .../templates/config.yaml.j2 | 16 +- .../matrix-appservice-discord.service.j2 | 2 +- .../nginx/nginx-sites-available-main.j2 | 10 +- 5 files changed, 135 insertions(+), 121 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 4be3759..20336a0 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -33,3 +33,5 @@ monitoring_mail: 'monitoring.aurore@lists.crans.org' # Matrix matrix_webhooks_secret: "{{ vault_matrix_webhooks_secret }}" +matrix_discord_client_id: "559305991494303747" +matrix_discord_bot_token: "{{ vault_matrix_discord_bot_token }}" diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index bcc5e18..116e51c 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml 
@@ -1,112 +1,116 @@ $ANSIBLE_VAULT;1.1;AES256 -30643064346235376335653933633134616531356562383833323336316264643335336437376462 -3364343634313734653033343663306565306564623939340a636266646265633634646531323363 -35653136343933303034356333376539353561626638616234636333653764616433393866616536 -3935366266396632340a323866323438653935356265663835393366343833363639313933333464 -32373862303166643331363463656265656531646135653238333566386236316163393738366133 -33653332306664643336323864356364646138616130653861333637373436303433376633366661 -65373636383862306134353738323564393262376561306134303361633161323239303563643934 -63333530653561343862613033343435333336306135373136623139343634616232346364356464 -39363838343538633130363831303064303334353261346239366635363763386262633063303434 -34366531316338326233323634383730623838643535623939306535306634333438653434366662 -35663463306239383835643034343735336131363339666366356138613731333836386266383763 -31666535326630303536376364336432613736353134376230323631326130343262316630373934 -63353166376630336431626530643733623561343335396336616235616532386434626634653631 -35613930393536613633633463393434616131303763613033656262386663663839343662626535 -36373236323733663334306134313433393366653066373464386134303265323564343262336562 -39393738656337316239623466643933663938663433313866626665613263356534386535633837 -61643036666161653434613061653539636137653235663064323766613061333563626563396439 -39323137373162393237356135333632333163613961373533633432333233346463303034366336 -62396363393163363639313763616533333965396162313662626161343362393363313632643031 -35383433343764333238366265313363623561666162633739643232323962316165636436353766 -65666132393366613561363462393966366637613062346337303139666439323861653233353533 -37643138306463613933626162613865383038306133646365616337323164353362626638653765 -38653035323164663130326435356532333864363237333738656636623130383533663130363764 
-63313439373336346334336431633263333138326561353366323239343466383039343938386436 -36333634613936393530396536353239316532346361396631393063343439373762306634653336 -36663137613164383061333232646534363632656362616335373066306236636239363663316665 -39313036666337616164633931323465613863316438366361303536633635653862333465316366 -34663662633233353361306537393061373630616262653432653631323638386230666437346664 -37646564623035356536356630376166376365326666323936616139656466343833386238313462 -35623239643765633766623934653963356166323065343266303431353966353063363137613632 -31656338373430326331346538613130363161623035306165666238613565333131376364323839 -61306466666130616334313466643031633664353666346637346161326331383637336339646434 -61643835386466633038663961303339646532643036343532393332636438366234383932376431 -30376165353834616564633062396461393636663464613038383363306264666334616264343361 -33346538386332633333343461623262336133306239646635303332613934306565663633616634 -61383665656531343332353263303534323435383136646235343135373739323563326662316633 -66343733396163353939643939653237393931386361623364653466623935333232666662313865 -32373761346534316334346137653565326633326466316566666362366338353165343761396136 -30346536386266363033323838313138633234346666343739316562356332323632643432333763 -65393032353861303937386437646537623830333866343564313863653033396637626466343463 -32343861623563653566623233363638636634646265643465373161326339346563623765326264 -37366137623734633662366263356135313164343634306232353530313034356333633239383432 -64646564343435303536343263323266663163666466653231363963393537356531313466653731 -37306664303737346431623937343062376562353630383535396533643437353631336438353162 -34373436613962643634333464303033323331666166383932306361643763393333616532623138 -66323366353836306436353437336338386161613336316465663339333461383464376562323530 -64373738656536313530346433663336306536333062653138663035653130376236613333346166 
-38643561353030373633336533303666666465373938666633366361333938353332396363393832 -30633761646364393737653165396335353631376137653238386639633664313363333631366365 -30623730353462663530646434326561383265343534636138333065373439636463353539303436 -30353632303433373436383735383332616233363763326566343233613436303233363332363662 -65393062373335666265343830373730646639323730383238616531623934653931646164373765 -30333331336635313935656562383066323834636136303461326433626163363232653037626361 -34356532356263636131363233323336353434383562303166376162306338373461336134653861 -34316330356336303162303963303763643735656139616533616234643233646365386536616335 -30613662333437343233636364663562386363313034343061343137653062626338383432643230 -35323130373561343666326331333561323562623231303066353464653665356165643337323562 -32386139303034333764666662613436623933353964316536363430346631653630643832306634 -35653636326635353839316238643232353465616635633939323837353833386164323861653965 -64636437646166666538386231623338356261346563323831653965613965366633313662303165 -37333066356635623063333637633864303964303635666164316230353239303335623834376632 -38336231336234343433373734313866316332633831396132313164626265643263636262643934 -61313963373638336264653066613531656461386665316635313662343239353565336239306362 -31633738653439386162626235656434363534653735323732636565353862623165613436623961 -34346261383434373231393738353165303465313134303365393261306139613438383138326334 -63623636333132356363366635333834653037353863646633636436383432663663623238643437 -30306433323161316434326332643931346663393935643263333636623037653462626632376634 -36363166393835636163643466383365653731383335656462376533363333363065336137363730 -38386466363636356366383637646265333038663033663763646633613738366666393839346238 -30393961343064653261646337373434626363303534333338613536306336323265393935373363 -34383965353264643266303434316432656531346363353731623834373637343062623538346137 
-36346632636666623663396339633830623238366232613862633365663738396434366161653564 -36343066386331303364623865346532613262663161366237363739633565653739626432363330 -39313562623236663130366231396236666139363333383332616333333164396331323465336233 -32626139656132383063376266613335643565303762663962373039393135393961343333303964 -37323563653732373839313361383136313535643738663636306631396432313563323933616561 -30646431656163373938326634373363376565316133616636376338316136343462613963313463 -65653932636431633738613961346566393566636664396137666366313130313666383063373230 -62643531373737626630303837353066376566333165336137323633346239386531353331363462 -64366532373032373339623232383531323761316336343434653035623331366665613261373462 -39336137336134363465613666616531336535323432353430386335616163363333376666306365 -62303339613264333537386262653531623162366635633561663733636530623963353437373134 -39663534363064343162316665666338316134396138396534643934643561386561353730636437 -33303865366261393161353732306338343337376631623531346337396237323662653536313861 -66346561383937616136376234363636663239616666306232613038646433373838653133346164 -36636663393066313434373131646335303730303266313261646531656261396534623964643834 -38613230353034316666643932343837333134656465306239383134366237396438366533643566 -61366236353538316431366165353734326130363239373631656661323966303530373338653539 -38393531326335613831313937303537623933613233313439366330303134643836303466353061 -30353030633936326238353630386663626132636363663638643732643331666664333962323562 -30633837366161356661643963353163636663616339663230353738646463653761393862313861 -63363834623765393461656239613737613231666337333332663262356233633536326531336337 -66626231636634396632343466323433396233636639393136333538386330313837626135306537 -65653130366433303036396530303835643266316333383761643166373838623037356539653166 -63396561616462366461316338323662366232383963376161626132343236643766623431303066 
-31386231356361336632663266336661613938313634313038353431343463343433616238356563 -35643739373831383337336136626637313565633365643037363039353134343536333938333239 -37343463313632376333653266303162633838363933373164366563333538333561663539313331 -37666634343138356539366431386361623130613865333439373464336135613036333731633066 -34316234656430343633366361323830303232623565653736316539346662663537336263663331 -66636639333030623061616533356136306239323764373238353734613064616434353666323538 -33363934333930366432363434366365306431623438326534656266303837613034336130623066 -30666632333332623934306338653765386163396535393636376266396663633033663939353765 -35616237306566346230343933633464653537343039623132643538643634333238393961383335 -30323831643263613530373135666437383337636236373563313232393431323332353136633565 -33356236386537363039643861323131323738643864306133636266373731666631646262333032 -33376662336635663464323866626636343032663632326631613866396434623332303833326238 -34386230303233353966373362303365653636623632376331326466623532396661313264666463 -38333766313365376533663262366134373730363163343365326433626636363663363466313733 -39353164343463643462663635383266646161663235336264636463633231633935366663343237 -613361633163336661313532636238353634 +65623637663363313664336437353136643563306565616336366530636530316161356665336233 +3534346635396434386363386466383463666164343065310a343739663162646432303131316564 +33633833323534623039336131383262663236396465663162666566316465613832623131363430 +3930353730636363650a626132323139636130343065633933303435616163353666313233343930 +34616636633465313034666539303837373839363437393639363837613266363733366334323063 +64306335633537613831623433306532393664353662613433356531626339343664306366613636 +36393533626662353630616335396337333562303666616165613464376431646633653335623330 +39356637303630316262343638313565663335363832616463323163316665333766313338613137 
+64623936616239303535636533333130333733666466643634356336633064663734383664386666 +35636637306434306166633063326265373437636532376335356365343839646438643263346361 +66343261653031636431333131303930346536346662613463393233306535646165336563633639 +35363633386366316534373936626139666665353937373638663162636638323235613434303239 +34393065346334303865613737306332356436643862373234376333313164303830353061393131 +65646438323335633838626438643834663839613630333131326664313263666238646531616334 +31326530303262366231653139613461653039306530356134336366383431326466373833633865 +65303664343035636464383462613265336535646266393339363363373131623832616562396565 +35636261393038656338306461643364363462376135376535326138356561303464346235656334 +65373432336536393464336436363031363037373039666237626666613331396630336437653837 +62373536376234333962303465633065376431353832313661643864353938643062303464666364 +36393239643166623764643939626336643564316364343732303232626265303238353031363636 +34366639643834393666346161306630383131633236366337316231633666336662393364383061 +36346331636662616333323739663736303663323566323864626135386363313231363864313432 +31633437376437633630343837393537613037623537356531306435663739346137376639333666 +66633366316338333365376466376334623133653132323064343764303363346663616438656633 +31636132663239343032616330373735373962633662616237643131383932303531623132376263 +63366665343834326639386465643465623330323832656237386335633938636164313963626635 +38636562343463383233393938353932303932333265303162366533643166306636326366373233 +66373839623631616162613439663565333633353864323833653335653834343461363063613432 +34633864633232303566613235336563616136353031653634333432346566633139396332386165 +63333264366539356636636537366630623034363563373436646639316461653861666334316662 +34393931363533363436323966656435353266373839616466333034643335343838333063323032 +35303261636133663738643939666631623139383638363261643961306138353563393439313635 
+61653436653135343866353538336263363735393038383862316639356462383535663633393461 +30316362306363326235633235343837316661646630613962376464313932336462313435643134 +39373765656462323935363732653365663737643665353039323362613461356362373262316163 +62343334343536376461613633343037653733326164636636316631353830663362383766653538 +38333535343865666131646264323138363036333066316532623438313363303537326131633865 +34626166346665326461656132396237393736313132336263316161343336386431356433393931 +61356636346539613264366465616439356531336166633930633130333361653566333538356436 +38653561386365333262623932616136343836383532383764333537306130326562386662623631 +32313464323234663131613364353631313639306464353162393766303839383030333831656534 +32636362656234336134656235666335656138643330383033313435663035383835666236333564 +66386539333833323165386136336661363033353461336164623734633061386461313935663531 +39326230383233316131616362376133313137656431373463373232356363363964323038356233 +63316132313032333438643664663762333064646337363033366262313433623364623739366131 +32363031656539303261373431666566363266396663373665346639653066303966396266316631 +31363331336464393063373662663065353131303438663433383238663966316264356134633636 +62363433333737366162386265363766623438646337633137653436626130613566626236633837 +65623563363537663261373932326131376236656534616330663131643264333930386331623438 +31376263393662643938633862396665353363613539363039633966313161616338353666653130 +63663761373165363463323831336239616562646432346630393764633362643434626564653433 +39383634376238613833326131373438323937383138656531346435633562396437623163646566 +34643237383331376630333862613164343465373266613338633931636662626364613964613639 +32316365396639313635306261616439386162613366636362633763626135313462326662363834 +34636261353935343436316263623530393362343164373737356539663066336232303530643131 +33303136363431363232636238396233333236663933396639643233376562396234376639356564 
+66346338386562646431373232356363303035366365383661356132643963376134323935386333 +39363162343938353135383530646662613139616639393230343363653661306431383633393035 +66303832306465373632343530333737393432623366353639616434346532653337346361363339 +35643937656337316566313534343762393338353830356266386165633262393964386635636430 +32346630383639623433623930323832643132613565376135363161663966646433343335323863 +35376631313864313362346637383932663633346565626231316533356561313637326336373931 +32336461313036356166613166303066303230383166303463373533346130336663386535376635 +37383239356139646335643662636234313666623062633163373931363761326130313537653665 +39393561626165323431386537656665326334373735346562326666623865303432623966366539 +39386431633363323735356230653465633433353937343566653331323334613032333831656432 +31336165633532383066663465306535643637306536646362306235366364643536663134643465 +66383965656133663161393138313963383436373630633761613839383136393865323438333833 +39366166663834633737316666303661653132336563343334373333386261353030343562346536 +31333662663834366466373834646430393964613866336162393162313135373335303533326265 +36373766653865313566643030326633363136323639366238366634626632333836323764363235 +31316531626335333932643164323066303233343233303063316532313236303639323432366463 +64386537666162636134303161366266383639396134333165663231623965386137343662333861 +36343331346361663331646161323331656164363737386336393136343532626661303965333763 +31663731646462356338363664303937316138666337313036643836626631343430363234326430 +39626363633962633138306135636238373230613030323238353264633239383933333666643866 +38656135613035616366346431323934396237623237656561313739616163366138393437333439 +37313732323934636236316533393064316433643232653338633665376565633933623861666335 +61636363613539376337383835623834383164336163393465623861653336313934373539613933 +66306435396163336233363934653263353662396534636537613062393462643932326561313364 
+64353232653731636639303938626435656535333935353865386238333464313333646132643039 +33326336643863393835643738323739636139366635343366663335623432333564663661613962 +38336133636532343431353430333466656638316563613764656438316532393234663235396434 +35346133396263653364393038613936373835396430663861333036353639326636616362333030 +65663832353061336665376432353436626332333931303666636464666564336437313434646333 +65303533653832386236633239306263343064393935616238616435346634333063623765336366 +34373161303536666132626531663162633636393436363062613539613337353232363934303735 +34353830616137383237373465313034383663336234303361343432613064663662363438666164 +30636464616262383234396364306638386433643539303066376135633466336135343565383662 +39303166646330393931343066323662633233353637373464626263666337613139393961653761 +64303231353535656438363363393735363066363738316163373331353334313438363564633535 +63323539383637353935653334383637613433353166333630383366616661613366346233666466 +38643332326639633335626365653736646163653063306362356430323031383137366564376165 +66303963323761653364363564653637653032613739396130646166363539363463666130626631 +34613165303261323133303336613837383862663362343533343839313362323334303238633238 +31306664343032383365393035346331646636663663623263643863636233356235323332656339 +39356636386134396561323865363536613764633861323238336531326331616239386530663464 +33336131653936636434636563653538616536316335643636376134343131613665636532326566 +39363436336638393963343637393133613831636364653363613737316636626133333238646362 +36313264353335666461353135376435346161376138623639663337626337376236346230333330 +62353563343335656632393938363363363936643765383063363935383266353037353562363833 +64633661353564333064616264653130646133303662373630396638373833333763306638653661 +34393430353236303465636335383733656162343139613765663732353837313365323466386664 +35323464626663333866376138396132333039313962356439303838373835653837643364363339 
+62303062663931646232643234666132363239373035633262623135633531636330373065333435 +36393163393638613663353133666632353639653064353139363134383764666530623834326531 +32653931316539666539656565313462396535346439393534313139393735633437333935396466 +35316165363839396562613130623964626531373337343166656630666638363039376162396336 +30373730353231663534316333336538366661363332316531653334383635356133393266666232 +35366337653131376131396232323332623063626135333630346564343663326532616263333262 +66613436396337353636643866353562366231333933353465306461376138333564656562646261 +66303263356565656431353064343361396131323134323234316230363761373362663234633735 +35663365376264343763333731393363336231366534393933333536356437653837303832646339 +66376262616634376438613864323665356539376139396130376661613930393131363465313063 +333664323830636666653933303034333630 diff --git a/roles/matrix-appservice-discord/templates/config.yaml.j2 b/roles/matrix-appservice-discord/templates/config.yaml.j2 index 9974565..7971fb0 100644 --- a/roles/matrix-appservice-discord/templates/config.yaml.j2 +++ b/roles/matrix-appservice-discord/templates/config.yaml.j2 @@ -5,7 +5,7 @@ bridge: domain: "auro.re" # This should be your publically facing URL because Discord may use it to # fetch media from the media store. - homeserverUrl: "https://auro.re" + homeserverUrl: "http://auro.re" # Interval at which to process users in the 'presence queue'. If you have # 5 users, one user will be processed every 500 milliseconds according to the # value below. This has a minimum value of 250. 
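Review bot: `homeserverUrl` is downgraded from `https://auro.re` to `http://auro.re` in roles/matrix-appservice-discord/templates/config.yaml.j2, and the comment directly above the key says Discord uses this URL to fetch media, so every media link handed to Discord now points at cleartext HTTP on the public hostname. Presumably this pairs with the new plain-HTTP `/_matrix` location added to the nginx template in this commit, but that choice is not recorded anywhere. If the bridge itself needs a non-TLS path to Synapse, that belongs on an internal hostname rather than the public one, and the public URL should stay `https://auro.re`. At minimum add a comment explaining the scheme so it is not "fixed" back blindly, e.g. `# NOTE: plain http on purpose — see the nginx /_matrix location`.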
@@ -21,14 +21,14 @@ bridge: disableDeletionForwarding: false # Enable users to bridge rooms using !discord commands. See # https://t2bot.io/discord for instructions. - enableSelfServiceBridging: false + enableSelfServiceBridging: true # Disable sending of read receipts for Matrix events which have been # successfully bridged to Discord. disableReadReceipts: false # Authentication configuration for the discord bot. auth: - clientID: "12345" - botToken: "foobar" + clientID: "{{ matrix_discord_client_id }}" + botToken: "{{ matrix_discord_bot_token }}" logging: # What level should the logger output to the console at. console: "warn" #silly, verbose, info, http, warn, error, silent @@ -58,7 +58,7 @@ room: channel: # Pattern of the name given to bridged rooms. # Can use :guild for the guild name and :name for the channel name. - namePattern: "[Discord] :guild :name" + namePattern: ":name :guild" # Changes made to rooms when a channel is deleted. deleteOptions: # Prefix the room name with a string. @@ -68,11 +68,11 @@ channel: # Disable people from talking in the room by raising the event PL to 50 disableMessaging: false # Remove the discord alias from the room. - unsetRoomAlias: true + unsetRoomAlias: false # Remove the room from the directory. - unlistFromDirectory: true + unlistFromDirectory: false # Set the room to be unavaliable for joining without an invite. - setInviteOnly: true + setInviteOnly: false # Make all the discord users leave the room. ghostsLeave: true limits: diff --git a/roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 index afc1b4b..be11020 100644 --- a/roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 +++ b/roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 
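Review bot: `enableSelfServiceBridging: true` in the `@@ -21,14` hunk lets any Matrix user on the homeserver create Discord bridges with `!discord` commands, and the `deleteOptions` hunk further down now keeps rooms of deleted channels aliased, listed and joinable, so who can create a bridge and how long it lingers is decided by users rather than admins. If that is intended, say so next to the key: `# Self-service bridging is on: any local user can bridge a Discord channel`. The `clientID`/`botToken` lines now come from variables instead of literals, which is the right direction provided the rendered config.yaml is readable only by the service user; that task is not visible in this hunk.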
@@ -11,7 +11,7 @@ User=matrix-appservice-discord Group=matrix-appservice-discord WorkingDirectory=/var/local/matrix-appservice-discord/matrix-appservice-discord Environment="NODE_ENV=production" -ExecStart=/usr/bin/nodejs /var/local/matrix-appservice-discord/matrix-appservice-discord/app.js +ExecStart=/usr/bin/nodejs ./build/src/discordas.js -p 9005 -c config.yaml Restart=always [Install] diff --git a/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2 b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2 index 1df30fd..ddb8bc3 100644 --- a/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2 +++ b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2 @@ -8,7 +8,15 @@ server { server_name auro.re; # Permanentely moved to HTTPS - return 301 https://$host$request_uri; + location / { + return 301 https://$host$request_uri; + } + + # For Matrix Synapse Discord Appservice Media + location /_matrix { + proxy_pass http://synapse.adm.auro.re:8008; + proxy_set_header X-Forwarded-For $remote_addr; + } } server { From 11e084a1044346bbdb278a6ee5e82a822e3211ab Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 24 Mar 2019 17:05:24 +0100 Subject: [PATCH 052/297] Switch discord appservice to develop --- roles/matrix-appservice-discord/tasks/main.yml | 2 +- roles/matrix-appservice-discord/templates/config.yaml.j2 | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/matrix-appservice-discord/tasks/main.yml b/roles/matrix-appservice-discord/tasks/main.yml index f043ae3..4f26a71 100644 --- a/roles/matrix-appservice-discord/tasks/main.yml +++ b/roles/matrix-appservice-discord/tasks/main.yml @@ -7,7 +7,7 @@ git: repo: https://github.com/Half-Shot/matrix-appservice-discord.git dest: /var/local/matrix-appservice-discord/matrix-appservice-discord - version: v0.4.0 + version: 14cf2829510e8b7b99b3238e2deaddf296ab4b76 become: true become_user: matrix-appservice-discord 
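Review bot: The new `location /_matrix` block in roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2 proxies the entire Matrix API namespace over plain HTTP on the port-80 server, while its own comment says it exists only for Discord appservice media. That leaves client-server endpoints such as login reachable in cleartext for any client pointed at `http://auro.re`, undoing the HTTPS redirect the hunk keeps for `/`. Narrowing the match to the media prefix matches the stated purpose: `location /_matrix/media/ {`. Only `X-Forwarded-For` is set; whether Synapse also needs `proxy_set_header Host $host;` and an `x_forwarded` listener setting depends on its configuration, which is outside this diff.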
diff --git a/roles/matrix-appservice-discord/templates/config.yaml.j2 b/roles/matrix-appservice-discord/templates/config.yaml.j2 index 7971fb0..028cb99 100644 --- a/roles/matrix-appservice-discord/templates/config.yaml.j2 +++ b/roles/matrix-appservice-discord/templates/config.yaml.j2 @@ -25,6 +25,8 @@ bridge: # Disable sending of read receipts for Matrix events which have been # successfully bridged to Discord. disableReadReceipts: false + # Disable Join Leave echos from matrix + disableJoinLeaveNotifications: true # Authentication configuration for the discord bot. auth: clientID: "{{ matrix_discord_client_id }}" @@ -54,7 +56,7 @@ database: room: # Set the default visibility of alias rooms, defaults to "public". # One of: "public", "private" - defaultVisibility: "private" + defaultVisibility: "public" channel: # Pattern of the name given to bridged rooms. # Can use :guild for the guild name and :name for the channel name. From 7950191a534b24e25ab6b61d463d26c5f9a3d089 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 25 Mar 2019 10:55:51 +0100 Subject: [PATCH 053/297] Fix PVE unable to mount vfat at boot --- roles/basesecurity/templates/sysctl.d/local.conf.j2 | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/basesecurity/templates/sysctl.d/local.conf.j2 b/roles/basesecurity/templates/sysctl.d/local.conf.j2 index 86ef034..663a4e9 100644 --- a/roles/basesecurity/templates/sysctl.d/local.conf.j2 +++ b/roles/basesecurity/templates/sysctl.d/local.conf.j2 @@ -11,7 +11,3 @@ kernel.kptr_restrict = 1 # Restrict dmesg access # This can leak specific harware failures to exploit kernel.dmesg_restrict = 1 - -# Do not load kernel modules after boot -# Some modules have security issues and are used in exploits -kernel.modules_disabled = 1 From ee4f144b4a3a56f854edab29c83440cb6f8f6301 Mon Sep 17 00:00:00 2001 
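Review bot: `defaultVisibility: "public"` in roles/matrix-appservice-discord/templates/config.yaml.j2 lists every bridged Discord channel room in the public room directory, and the previous commit on this page turned on `enableSelfServiceBridging`, so user-created bridges now become publicly discoverable by default. If that openness is intended, document it next to the key: `# Bridged rooms are listed publicly on purpose (self-service bridging is enabled)`; otherwise keep `"private"` and publish selected rooms explicitly.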
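Review bot: Dropping `kernel.modules_disabled = 1` from roles/basesecurity/templates/sysctl.d/local.conf.j2 removes a hardening control from every host the role manages, although the commit subject only names the PVE vfat mount at boot. The cause is presumably ordering — the sysctl is applied before the filesystem module gets loaded — so loading the needed module early (for example via a file under `/etc/modules-load.d/`) or guarding the line with a Jinja condition for the PVE hosts would keep the lockdown elsewhere. At minimum leave a comment in the template recording why the setting is gone, e.g. `# kernel.modules_disabled intentionally unset: PVE loads vfat after sysctl at boot`.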
From: Alexandre Iooss Date: Tue, 26 Mar 2019 08:30:02 +0100 Subject: [PATCH 054/297] Default configuration for Riot --- roles/matrix-riot/tasks/main.yml | 15 +++++++++++---- .../templates/{nginx-riot.j2 => nginx/riot.j2} | 0 2 files changed, 11 insertions(+), 4 deletions(-) rename roles/matrix-riot/templates/{nginx-riot.j2 => nginx/riot.j2} (100%) diff --git a/roles/matrix-riot/tasks/main.yml b/roles/matrix-riot/tasks/main.yml index 04be56f..4f72ef8 100644 --- a/roles/matrix-riot/tasks/main.yml +++ b/roles/matrix-riot/tasks/main.yml @@ -22,7 +22,6 @@ retries: 3 until: apt_key_result is succeeded -# Install riot - name: Install riot-web apt: name: riot-web @@ -31,7 +30,16 @@ retries: 3 until: apt_result is succeeded -# Install nginx +- name: Configure riot-web + lineinfile: + path: /opt/Riot/resources/webapp/config.json + regexp: '^\s*\"{{ item[0] }}' + line: " \"{{ item[0] }}\": \"{{ item[1] }}\"," + loop: + - ['default_hs_url', 'https://auro.re'] + - ['default_is_url', 'https://auro.re'] + - ['brand', 'Riot Aurore'] + - name: Install nginx apt: name: nginx @@ -39,10 +47,9 @@ retries: 3 until: apt_result is succeeded -# Configure nginx - name: Configure nginx template: - src: nginx-riot.j2 + src: nginx/riot.j2 dest: /etc/nginx/sites-available/riot mode: 0644 notify: Reload NGINX service diff --git a/roles/matrix-riot/templates/nginx-riot.j2 b/roles/matrix-riot/templates/nginx/riot.j2 similarity index 100% rename from roles/matrix-riot/templates/nginx-riot.j2 rename to roles/matrix-riot/templates/nginx/riot.j2 From d4d6baed1afba5acf7ef483a93f1088f929c7da9 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Tue, 26 Mar 2019 09:17:46 +0100 Subject: [PATCH 055/297] Fix so everything is working fine today --- roles/baseconfig/tasks/main.yml | 4 ++-- roles/basesecurity/tasks/main.yml | 2 +- roles/ldap-client/tasks/0_install_ldap.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) 
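Review bot: The new `Configure riot-web` task in roles/matrix-riot/tasks/main.yml edits /opt/Riot/resources/webapp/config.json with `lineinfile`, a line-oriented tool applied to a JSON document: when a key is not already present the line is appended after the closing brace, and the hard-coded trailing comma in `line:` is wrong whenever the key ends up as the last member, so either case leaves a file that is no longer valid JSON. Since the path sits under the package's install tree, the edit is also presumably overwritten by the next riot-web upgrade. Rendering the whole config.json from a template, or building a dict (say a `riot_config` variable) and writing it with `copy` and `content: "{{ riot_config | to_nice_json }}"`, keeps the file valid and idempotent.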
diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml index c3d548e..e0b9dbb 100644 --- a/roles/baseconfig/tasks/main.yml +++ b/roles/baseconfig/tasks/main.yml @@ -61,8 +61,8 @@ # User skeleton - name: Configure user skeleton copy: - src: skel/dot_{{ item.key }} - dest: /etc/skel/.{{ item.value }} + src: "skel/dot_{{ item }}" + dest: "/etc/skel/.{{ item }}" loop: - zshrc - zshrc.local diff --git a/roles/basesecurity/tasks/main.yml b/roles/basesecurity/tasks/main.yml index 6ff69e8..be168f4 100644 --- a/roles/basesecurity/tasks/main.yml +++ b/roles/basesecurity/tasks/main.yml @@ -56,7 +56,7 @@ state: present notify: Restart fail2ban service loop: - - section: DEFAULT + - section: sshd option: ignoreip value: 10.128.0.254 # Whitelist bastion diff --git a/roles/ldap-client/tasks/0_install_ldap.yml b/roles/ldap-client/tasks/0_install_ldap.yml index d21bbb9..21dd6f6 100644 --- a/roles/ldap-client/tasks/0_install_ldap.yml +++ b/roles/ldap-client/tasks/0_install_ldap.yml @@ -33,7 +33,7 @@ lineinfile: dest: /etc/nsswitch.conf regexp: "^{{ item }}:" - line: "{{ item }}: files ldap" + line: "{{ item }}: files ldap" loop: - passwd - group From 5ccb94e621b3b0a01e84b602438fac43bd8637d3 Mon Sep 17 00:00:00 2001 
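Review bot: Moving `ignoreip` from the `DEFAULT` section to `sshd` in roles/basesecurity/tasks/main.yml narrows the bastion whitelist to the sshd jail only; any other jail enabled on these hosts can now ban 10.128.0.254. If that narrowing is the intent, the inline comment should say so, e.g. `value: 10.128.0.254  # Whitelist bastion for the sshd jail only`; if it was done only to make fail2ban accept the file, `DEFAULT` is the usual place for a global `ignoreip` and the actual failure is worth capturing in the commit message. The ldap-client hunk on this line changes only whitespace inside `line:`, which this rendering cannot show.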
From: Alexandre Iooss Date: Fri, 29 Mar 2019 19:25:11 +0100 Subject: [PATCH 056/297] Simplify Matrix appservices --- .../defaults/main.yml | 15 +++++ .../tasks/1_user_group.yml | 26 --------- .../matrix-appservice-discord/tasks/main.yml | 58 +++++++++++-------- .../tasks/service_user.yml | 19 ++++++ roles/matrix-appservice-irc/defaults/main.yml | 15 +++++ .../tasks/1_user_group.yml | 26 --------- roles/matrix-appservice-irc/tasks/main.yml | 42 +++++++++----- .../tasks/service_user.yml | 19 ++++++ .../defaults/main.yml | 15 +++++ .../tasks/1_user_group.yml | 26 --------- .../matrix-appservice-webhooks/tasks/main.yml | 57 +++++++++--------- .../tasks/service_user.yml | 19 ++++++ 12 files changed, 192 insertions(+), 145 deletions(-) create mode 100644 roles/matrix-appservice-discord/defaults/main.yml delete mode 100644 roles/matrix-appservice-discord/tasks/1_user_group.yml create mode 100644 roles/matrix-appservice-discord/tasks/service_user.yml create mode 100644 roles/matrix-appservice-irc/defaults/main.yml delete mode 100644 roles/matrix-appservice-irc/tasks/1_user_group.yml create mode 100644 roles/matrix-appservice-irc/tasks/service_user.yml create mode 100644 roles/matrix-appservice-webhooks/defaults/main.yml delete mode 100644 roles/matrix-appservice-webhooks/tasks/1_user_group.yml create mode 100644 roles/matrix-appservice-webhooks/tasks/service_user.yml diff --git a/roles/matrix-appservice-discord/defaults/main.yml b/roles/matrix-appservice-discord/defaults/main.yml new file mode 100644 index 0000000..d282592 --- /dev/null +++ b/roles/matrix-appservice-discord/defaults/main.yml 
@@ -0,0 +1,15 @@ +--- +# appservice_name is the name of the project on GitHub +appservice_name: matrix-appservice-discord + +# URL to clone +appservice_repo: https://github.com/Half-Shot/matrix-appservice-discord.git + +# name of the service user +# It means that you will have to `sudo -u THISUSER zsh` to debug +appservice_user: "{{ appservice_name }}" +appservice_homedir: "/var/local/{{ appservice_name }}" + +# appservice_path is where the project is cloned +# It can't be the home directory because of user hidden files. +appservice_path: "{{ appservice_homedir }}/{{ appservice_name }}" diff --git a/roles/matrix-appservice-discord/tasks/1_user_group.yml b/roles/matrix-appservice-discord/tasks/1_user_group.yml deleted file mode 100644 index 42cac54..0000000 --- a/roles/matrix-appservice-discord/tasks/1_user_group.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# Security #1 -- name: Create matrix-appservice-discord system group - group: - name: matrix-appservice-discord - system: true - state: present - -# Security #2 -- name: Create matrix-appservice-discord user - user: - name: matrix-appservice-discord - group: matrix-appservice-discord - home: /var/local/matrix-appservice-discord - comment: Matrix Appservice Discord - system: true - state: present - -# Security #3 -- name: Secure matrix-appservice-discord home directory - file: - path: /var/local/matrix-appservice-discord - state: directory - owner: matrix-appservice-discord - group: matrix-appservice-discord - mode: 0750 diff --git a/roles/matrix-appservice-discord/tasks/main.yml b/roles/matrix-appservice-discord/tasks/main.yml index a1330b0..0ee9eb7 100644 --- a/roles/matrix-appservice-discord/tasks/main.yml +++ b/roles/matrix-appservice-discord/tasks/main.yml 
@@ -1,23 +1,23 @@ --- -# Create CodiMD user and group -- include_tasks: 1_user_group.yml +# Create service user +- include_tasks: service_user.yml -# Download CodiMD -- name: Clone matrix-appservice-discord project +- name: "Clone {{ appservice_name }} project" git: - repo: https://github.com/Half-Shot/matrix-appservice-discord.git - dest: /var/local/matrix-appservice-discord/matrix-appservice-discord + repo: "{{ appservice_repo }}" + dest: "{{ appservice_path }}" version: 14cf2829510e8b7b99b3238e2deaddf296ab4b76 become: true - become_user: matrix-appservice-discord + become_user: "{{ appservice_user }}" # Setup dependencies # May create issues with package-lock.json not in gitignore -- name: Install matrix-appservice-discord dependencies +- name: "Install {{ appservice_name }} dependencies" npm: - path: /var/local/matrix-appservice-discord/matrix-appservice-discord + path: "{{ appservice_path }}" + production: true become: true - become_user: matrix-appservice-discord + become_user: "{{ appservice_user }}" register: npm_result retries: 3 until: npm_result is succeeded 
@@ -26,34 +26,44 @@ - name: Compile matrix-appservice-discord command: ./node_modules/.bin/tsc args: - chdir: /var/local/matrix-appservice-discord/matrix-appservice-discord + chdir: "{{ appservice_path }}" register: npm_build_result changed_when: npm_build_result become: true - become_user: matrix-appservice-discord + become_user: "{{ appservice_user }}" -# Configure -- name: Configure matrix-appservice-discord +- name: "Configure {{ appservice_name }}" template: src: config.yaml.j2 - dest: /var/local/matrix-appservice-discord/matrix-appservice-discord/config.yaml - owner: matrix-appservice-discord - group: matrix-appservice-discord + dest: "{{ appservice_path }}/config.yaml" + owner: "{{ appservice_user }}" + group: nogroup mode: 0600 # Service file -- name: Install matrix-appservice-discord systemd unit +- name: "Install {{ appservice_name }} systemd unit" template: src: systemd/matrix-appservice-discord.service.j2 - dest: /etc/systemd/system/matrix-appservice-discord.service + dest: "/etc/systemd/system/{{ appservice_name }}.service" owner: root group: root mode: 0644 notify: Reload systemd daemons +# TODO generate registration + +- name: Copy appservice registration file + copy: + src: "{{ appservice_path }}/discord-registration.yaml" + dest: "/etc/matrix-synapse/{{ appservice_name }}-registration.yaml" + owner: matrix-synapse + group: nogroup + mode: 0600 + remote_src: yes + # Run -#- name: Ensure that matrix-appservice-discord is started -# service: -# name: matrix-appservice-discord -# state: started -# enabled: true +- name: "Ensure that {{ appservice_name }} is started" + service: + name: "{{ appservice_name }}" + state: started + enabled: true diff --git a/roles/matrix-appservice-discord/tasks/service_user.yml b/roles/matrix-appservice-discord/tasks/service_user.yml new file mode 100644 index 0000000..4d73739 --- /dev/null +++ b/roles/matrix-appservice-discord/tasks/service_user.yml 
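Review bot: The new `Copy appservice registration file` task reads `{{ appservice_path }}/discord-registration.yaml` from the directory the unprivileged service user owns and, running as root, writes it into `/etc/matrix-synapse/`; the `# TODO generate registration` comment above it confirms nothing in the role creates that file, so a fresh host fails at this task, and where the file does exist the registration that synapse will trust is taken as-is from a user-writable location. Guard it with a `stat` on the source and a `when:` on the result, or better generate the registration from the role so the source is controlled, keeping the `matrix-synapse`/`0600` ownership that is already right. `remote_src: yes` is also the only `yes` boolean in a file that writes `true` everywhere else; write `remote_src: true` so yamllint's truthy rule and a YAML 1.2 reader agree with what Ansible does. The webhooks role's copy task at the end of this commit shares both points. Separately, `changed_when: npm_build_result` on the compile task is always true for a registered result, so that task reports changed on every run.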
@@ -0,0 +1,19 @@ +--- +# Having a custom group is useless so use nogroup +- name: "Create {{ appservice_user }} user" + user: + name: "{{ appservice_user }}" + group: nogroup + home: "{{ appservice_homedir }}" + system: true + shell: /bin/false + state: present + +# Only service user should be able to go there +- name: "Secure {{ appservice_user }} home directory" + file: + path: "{{ appservice_homedir }}" + state: directory + owner: "{{ appservice_user }}" + group: nogroup + mode: 0700 diff --git a/roles/matrix-appservice-irc/defaults/main.yml b/roles/matrix-appservice-irc/defaults/main.yml new file mode 100644 index 0000000..517275e --- /dev/null +++ b/roles/matrix-appservice-irc/defaults/main.yml @@ -0,0 +1,15 @@ +--- +# appservice_name is the name of the project on GitHub +appservice_name: matrix-appservice-irc + +# URL to clone +appservice_repo: https://github.com/matrix-org/matrix-appservice-irc.git + +# name of the service user +# It means that you will have to `sudo -u THISUSER zsh` to debug +appservice_user: "{{ appservice_name }}" +appservice_homedir: "/var/local/{{ appservice_name }}" + +# appservice_path is where the project is cloned +# It can't be the home directory because of user hidden files. +appservice_path: "{{ appservice_homedir }}/{{ appservice_name }}" diff --git a/roles/matrix-appservice-irc/tasks/1_user_group.yml b/roles/matrix-appservice-irc/tasks/1_user_group.yml deleted file mode 100644 index 4c28899..0000000 --- a/roles/matrix-appservice-irc/tasks/1_user_group.yml +++ /dev/null 
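Review bot: `mode: 0700` in the `Secure ... home directory` task is an unquoted octal literal: a YAML 1.1 loader reads it as the integer 448 and a YAML 1.2 loader as 700, and Ansible only recovers the intended permission because of the leading zero, so any tool that reformats the file and drops that zero changes the mode silently. Write `mode: "0700"`, and the `0600`/`0644` values in the tasks files the same way; the file modules accept the quoted form. The identical service_user.yml is added for the irc and webhooks roles later in this commit, so the same change applies there.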
@@ -1,26 +0,0 @@ ---- -# Security #1 -- name: Create matrix-appservice-irc system group - group: - name: matrix-appservice-irc - system: true - state: present - -# Security #2 -- name: Create matrix-appservice-irc user - user: - name: matrix-appservice-irc - group: matrix-appservice-irc - home: /var/local/matrix-appservice-irc - comment: Matrix Appservice IRC - system: true - state: present - -# Security #3 -- name: Secure matrix-appservice-irc home directory - file: - path: /var/local/matrix-appservice-irc - state: directory - owner: matrix-appservice-irc - group: matrix-appservice-irc - mode: 0750 diff --git a/roles/matrix-appservice-irc/tasks/main.yml b/roles/matrix-appservice-irc/tasks/main.yml index 5db1c1b..971ca21 100644 --- a/roles/matrix-appservice-irc/tasks/main.yml +++ b/roles/matrix-appservice-irc/tasks/main.yml 
@@ -1,45 +1,55 @@ --- -# Create matrix-appservice-irc user and group -- include_tasks: 1_user_group.yml +# Create service user +- include_tasks: service_user.yml -- name: Clone matrix-appservice-irc project +- name: "Clone {{ appservice_name }} project" git: - repo: https://github.com/matrix-org/matrix-appservice-irc.git - dest: /var/local/matrix-appservice-irc/matrix-appservice-irc + repo: "{{ appservice_repo }}" + dest: "{{ appservice_path }}" version: 0.11.2 become: true - become_user: matrix-appservice-irc + become_user: "{{ appservice_user }}" # Setup dependencies -- name: Install matrix-appservice-irc dependencies +- name: "Install {{ appservice_name }} dependencies" npm: - path: /var/local/matrix-appservice-irc/matrix-appservice-irc + path: "{{ appservice_path }}" production: true become: true - become_user: matrix-appservice-irc + become_user: "{{ appservice_user }}" register: npm_result retries: 3 until: npm_result is succeeded -# Configure -- name: Configure matrix-appservice-irc +- name: "Configure {{ appservice_name }}" template: src: config.yaml.j2 - dest: /var/local/matrix-appservice-irc/matrix-appservice-irc/config.yaml - owner: matrix-appservice-irc - group: matrix-appservice-irc + dest: "{{ appservice_path }}/config.yaml" + owner: "{{ appservice_user }}" + group: nogroup mode: 0600 # Service file -- name: Install matrix-appservice-irc systemd unit +- name: "Install {{ appservice_name }} systemd unit" template: src: systemd/matrix-appservice-irc.service.j2 - dest: /etc/systemd/system/matrix-appservice-irc.service + dest: "/etc/systemd/system/{{ appservice_name }}.service" owner: root group: root mode: 0644 notify: Reload systemd daemons +# TODO generate registration + +#- name: Copy appservice registration file +# copy: +# src: "{{ appservice_path }}/discord-registration.yaml" +# dest: "/etc/matrix-synapse/{{ appservice_name }}-registration.yaml" +# owner: matrix-synapse +# group: nogroup +# mode: 0600 +# remote_src: yes + # Run #- name: Ensure that 
matrix-appservice-irc is started # service: diff --git a/roles/matrix-appservice-irc/tasks/service_user.yml b/roles/matrix-appservice-irc/tasks/service_user.yml new file mode 100644 index 0000000..4d73739 --- /dev/null +++ b/roles/matrix-appservice-irc/tasks/service_user.yml @@ -0,0 +1,19 @@ +--- +# Having a custom group is useless so use nogroup +- name: "Create {{ appservice_user }} user" + user: + name: "{{ appservice_user }}" + group: nogroup + home: "{{ appservice_homedir }}" + system: true + shell: /bin/false + state: present + +# Only service user should be able to go there +- name: "Secure {{ appservice_user }} home directory" + file: + path: "{{ appservice_homedir }}" + state: directory + owner: "{{ appservice_user }}" + group: nogroup + mode: 0700 diff --git a/roles/matrix-appservice-webhooks/defaults/main.yml b/roles/matrix-appservice-webhooks/defaults/main.yml new file mode 100644 index 0000000..ba9de6d --- /dev/null +++ b/roles/matrix-appservice-webhooks/defaults/main.yml @@ -0,0 +1,15 @@ +--- +# appservice_name is the name of the project on GitHub +appservice_name: matrix-appservice-webhooks + +# URL to clone +appservice_repo: https://github.com/turt2live/matrix-appservice-webhooks.git + +# name of the service user +# It means that you will have to `sudo -u THISUSER zsh` to debug +appservice_user: "{{ appservice_name }}" +appservice_homedir: "/var/local/{{ appservice_name }}" + +# appservice_path is where the project is cloned +# It can't be the home directory because of user hidden files. +appservice_path: "{{ appservice_homedir }}/{{ appservice_name }}" diff --git a/roles/matrix-appservice-webhooks/tasks/1_user_group.yml b/roles/matrix-appservice-webhooks/tasks/1_user_group.yml deleted file mode 100644 index 642cf9f..0000000 --- a/roles/matrix-appservice-webhooks/tasks/1_user_group.yml +++ /dev/null 
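Review bot: The commented-out copy task still names `discord-registration.yaml` as its source, a leftover from the discord role; nothing in the irc role produces a file of that name, and the later rename commit carries the same filename into this file unchanged. Together with the `Ensure that ... is started` task also being left commented, the role clones, builds and installs the unit for the IRC bridge but never registers it with synapse or starts it; if that is intentional for now, a comment stating that the registration file is placed by hand would save the next reader from guessing. When the copy task is enabled, its `src:` has to be the IRC bridge's own registration filename, not the discord one.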
@@ -1,26 +0,0 @@ ---- -# Security #1 -- name: Create matrix-appservice-webhooks system group - group: - name: matrix-appservice-webhooks - system: true - state: present - -# Security #2 -- name: Create matrix-appservice-webhooks user - user: - name: matrix-appservice-webhooks - group: matrix-appservice-webhooks - home: /var/local/matrix-appservice-webhooks - comment: Matrix Appservice WebHooks - system: true - state: present - -# Security #3 -- name: Secure matrix-appservice-webhooks home directory - file: - path: /var/local/matrix-appservice-webhooks - state: directory - owner: matrix-appservice-webhooks - group: matrix-appservice-webhooks - mode: 0750 diff --git a/roles/matrix-appservice-webhooks/tasks/main.yml b/roles/matrix-appservice-webhooks/tasks/main.yml index a0b9e43..9780b60 100644 --- a/roles/matrix-appservice-webhooks/tasks/main.yml +++ b/roles/matrix-appservice-webhooks/tasks/main.yml 
@@ -1,55 +1,58 @@ --- -# Create matrix-appservice-webhooks user and group -- include_tasks: 1_user_group.yml +# Create service user +- include_tasks: service_user.yml -- name: Clone matrix-appservice-webhooks project +- name: "Clone {{ appservice_name }} project" git: - repo: https://github.com/turt2live/matrix-appservice-webhooks.git - dest: /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks + repo: "{{ appservice_repo }}" + dest: "{{ appservice_path }}" version: master become: true - become_user: matrix-appservice-webhooks + become_user: "{{ appservice_user }}" # Setup dependencies -- name: Install matrix-appservice-webhooks dependencies +- name: "Install {{ appservice_name }} dependencies" npm: - path: /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks + path: "{{ appservice_path }}" production: true become: true - become_user: matrix-appservice-webhooks + become_user: "{{ appservice_user }}" register: npm_result retries: 3 until: npm_result is succeeded -# Configure -- name: Configure matrix-appservice-webhooks +- name: "Configure {{ appservice_name }}" template: src: config.yaml.j2 - dest: /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks/config/config.yaml - owner: matrix-appservice-webhooks - group: matrix-appservice-webhooks + dest: "{{ appservice_path }}/config/config.yaml" + owner: "{{ appservice_user }}" + group: nogroup mode: 0600 # Service file -- name: Install matrix-appservice-webhooks systemd unit +- name: "Install {{ appservice_name }} systemd unit" template: src: systemd/matrix-appservice-webhooks.service.j2 - dest: /etc/systemd/system/matrix-appservice-webhooks.service + dest: "/etc/systemd/system/{{ appservice_name }}.service" owner: root group: root mode: 0644 notify: Reload systemd daemons -# TODO -# node index.js -r -u "http://localhost:9000" -c config/config.yaml -# cp /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks/appservice-registration-webhooks.yaml -# > 
/etc/matrix-synapse/appservice-registration-webhooks.yaml -# chown matrix-synapse:nogroup /etc/matrix-synapse/appservice-registration-webhooks.yaml 440 -# /etc/matrix-synapse/conf.d/app_service_config_files.yaml +# TODO generate registration + +- name: Copy appservice registration file + copy: + src: "{{ appservice_path }}/appservice-registration-webhooks.yaml" + dest: "/etc/matrix-synapse/{{ appservice_name }}-registration.yaml" + owner: matrix-synapse + group: nogroup + mode: 0600 + remote_src: yes # Run -#- name: Ensure that matrix-appservice-webhooks is started -# service: -# name: matrix-appservice-webhooks -# state: started -# enabled: true +- name: "Ensure that {{ appservice_name }} is started" + service: + name: "{{ appservice_name }}" + state: started + enabled: true diff --git a/roles/matrix-appservice-webhooks/tasks/service_user.yml b/roles/matrix-appservice-webhooks/tasks/service_user.yml new file mode 100644 index 0000000..4d73739 --- /dev/null +++ b/roles/matrix-appservice-webhooks/tasks/service_user.yml @@ -0,0 +1,19 @@ +--- +# Having a custom group is useless so use nogroup +- name: "Create {{ appservice_user }} user" + user: + name: "{{ appservice_user }}" + group: nogroup + home: "{{ appservice_homedir }}" + system: true + shell: /bin/false + state: present + +# Only service user should be able to go there +- name: "Secure {{ appservice_user }} home directory" + file: + path: "{{ appservice_homedir }}" + state: directory + owner: "{{ appservice_user }}" + group: nogroup + mode: 0700 From 48d521fb00cd5a4f6982e14b75972c4acaf8d958 Mon Sep 17 00:00:00 2001 
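Review bot: The clone task checks out `version: master`, so every run of this role may pull a different, unreviewed revision of matrix-appservice-webhooks from upstream, unlike the discord role (pinned to a commit) and the irc role (pinned to `0.11.2`); the line is unchanged context, so this predates the commit, but it is what turns a third-party repository into a moving dependency. Pin it to a tag or commit, e.g. `version: <pinned-tag-or-commit>`. The removed TODO block also mentioned `/etc/matrix-synapse/conf.d/app_service_config_files.yaml`, while the new copy task only drops the registration into `/etc/matrix-synapse/`; nothing on the new side adds the file to synapse's `app_service_config_files`, so synapse will not load the bridge after this role runs unless that is handled elsewhere. The copy task itself shares the missing-source and `remote_src: yes` points raised on the discord role.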
From: Alexandre Iooss Date: Sat, 30 Mar 2019 13:26:20 +0100 Subject: [PATCH 057/297] Use generic service model for matrix appservices --- .../defaults/main.yml | 14 +++---- .../matrix-appservice-discord/tasks/main.yml | 38 +++++++++---------- .../tasks/service_user.yml | 12 +++--- ...scord.service.j2 => appservice.service.j2} | 6 +-- roles/matrix-appservice-irc/defaults/main.yml | 14 +++---- roles/matrix-appservice-irc/tasks/main.yml | 34 ++++++++--------- .../tasks/service_user.yml | 12 +++--- .../templates/apt/nodejs.j2 | 5 --- .../templates/systemd/appservice.service.j2 | 17 +++++++++ .../systemd/matrix-appservice-irc.service.j2 | 17 --------- .../defaults/main.yml | 14 +++---- .../matrix-appservice-webhooks/tasks/main.yml | 34 ++++++++--------- .../tasks/service_user.yml | 12 +++--- .../templates/apt/nodejs.j2 | 5 --- ...hooks.service.j2 => appservice.service.j2} | 6 +-- 15 files changed, 115 insertions(+), 125 deletions(-) rename roles/matrix-appservice-discord/templates/systemd/{matrix-appservice-discord.service.j2 => appservice.service.j2} (71%) delete mode 100644 roles/matrix-appservice-irc/templates/apt/nodejs.j2 create mode 100644 roles/matrix-appservice-irc/templates/systemd/appservice.service.j2 delete mode 100644 roles/matrix-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 delete mode 100644 roles/matrix-appservice-webhooks/templates/apt/nodejs.j2 rename roles/matrix-appservice-webhooks/templates/systemd/{matrix-appservice-webhooks.service.j2 => appservice.service.j2} (71%) diff --git a/roles/matrix-appservice-discord/defaults/main.yml b/roles/matrix-appservice-discord/defaults/main.yml index d282592..6ad40a4 100644 --- a/roles/matrix-appservice-discord/defaults/main.yml +++ b/roles/matrix-appservice-discord/defaults/main.yml 
@@ -1,15 +1,15 @@ --- -# appservice_name is the name of the project on GitHub -appservice_name: matrix-appservice-discord +# service_name is the name of the project on GitHub +service_name: matrix-appservice-discord # URL to clone -appservice_repo: https://github.com/Half-Shot/matrix-appservice-discord.git +service_repo: https://github.com/Half-Shot/matrix-appservice-discord.git # name of the service user # It means that you will have to `sudo -u THISUSER zsh` to debug -appservice_user: "{{ appservice_name }}" -appservice_homedir: "/var/local/{{ appservice_name }}" +service_user: "{{ service_name }}" +service_homedir: "/var/local/{{ service_name }}" -# appservice_path is where the project is cloned +# service_path is where the project is cloned # It can't be the home directory because of user hidden files. -appservice_path: "{{ appservice_homedir }}/{{ appservice_name }}" +service_path: "{{ service_homedir }}/{{ service_name }}" diff --git a/roles/matrix-appservice-discord/tasks/main.yml b/roles/matrix-appservice-discord/tasks/main.yml index 0ee9eb7..b7cb95b 100644 --- a/roles/matrix-appservice-discord/tasks/main.yml +++ b/roles/matrix-appservice-discord/tasks/main.yml 
@@ -2,22 +2,22 @@ # Create service user - include_tasks: service_user.yml -- name: "Clone {{ appservice_name }} project" +- name: "Clone {{ service_name }} project" git: - repo: "{{ appservice_repo }}" - dest: "{{ appservice_path }}" + repo: "{{ service_repo }}" + dest: "{{ service_path }}" version: 14cf2829510e8b7b99b3238e2deaddf296ab4b76 become: true - become_user: "{{ appservice_user }}" + become_user: "{{ service_user }}" # Setup dependencies # May create issues with package-lock.json not in gitignore -- name: "Install {{ appservice_name }} dependencies" +- name: "Install {{ service_name }} dependencies" npm: - path: "{{ appservice_path }}" + path: "{{ service_path }}" production: true become: true - become_user: "{{ appservice_user }}" + become_user: "{{ service_user }}" register: npm_result retries: 3 until: npm_result is succeeded @@ -26,25 +26,25 @@ - name: Compile matrix-appservice-discord command: ./node_modules/.bin/tsc args: - chdir: "{{ appservice_path }}" + chdir: "{{ service_path }}" register: npm_build_result changed_when: npm_build_result become: true - become_user: "{{ appservice_user }}" + become_user: "{{ service_user }}" -- name: "Configure {{ appservice_name }}" +- name: "Configure {{ service_name }}" template: src: config.yaml.j2 - dest: "{{ appservice_path }}/config.yaml" - owner: "{{ appservice_user }}" + dest: "{{ service_path }}/config.yaml" + owner: "{{ service_user }}" group: nogroup mode: 0600 # Service file -- name: "Install {{ appservice_name }} systemd unit" +- name: "Install {{ service_name }} systemd unit" template: - src: systemd/matrix-appservice-discord.service.j2 - dest: "/etc/systemd/system/{{ appservice_name }}.service" + src: systemd/appservice.service.j2 + dest: "/etc/systemd/system/{{ service_name }}.service" owner: root group: root mode: 0644 
@@ -54,16 +54,16 @@ - name: Copy appservice registration file copy: - src: "{{ appservice_path }}/discord-registration.yaml" - dest: "/etc/matrix-synapse/{{ appservice_name }}-registration.yaml" + src: "{{ service_path }}/discord-registration.yaml" + dest: "/etc/matrix-synapse/{{ service_name }}-registration.yaml" owner: matrix-synapse group: nogroup mode: 0600 remote_src: yes # Run -- name: "Ensure that {{ appservice_name }} is started" +- name: "Ensure that {{ service_name }} is started" service: - name: "{{ appservice_name }}" + name: "{{ service_name }}" state: started enabled: true diff --git a/roles/matrix-appservice-discord/tasks/service_user.yml b/roles/matrix-appservice-discord/tasks/service_user.yml index 4d73739..0818676 100644 --- a/roles/matrix-appservice-discord/tasks/service_user.yml +++ b/roles/matrix-appservice-discord/tasks/service_user.yml @@ -1,19 +1,19 @@ --- # Having a custom group is useless so use nogroup -- name: "Create {{ appservice_user }} user" +- name: "Create {{ service_user }} user" user: - name: "{{ appservice_user }}" + name: "{{ service_user }}" group: nogroup - home: "{{ appservice_homedir }}" + home: "{{ service_homedir }}" system: true shell: /bin/false state: present # Only service user should be able to go there -- name: "Secure {{ appservice_user }} home directory" +- name: "Secure {{ service_user }} home directory" file: - path: "{{ appservice_homedir }}" + path: "{{ service_homedir }}" state: directory - owner: "{{ appservice_user }}" + owner: "{{ service_user }}" group: nogroup mode: 0700 diff --git a/roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-appservice-discord/templates/systemd/appservice.service.j2 similarity index 71% rename from roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 rename to roles/matrix-appservice-discord/templates/systemd/appservice.service.j2 index be11020..29ebdb6 100644 
--- a/roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 +++ b/roles/matrix-appservice-discord/templates/systemd/appservice.service.j2 @@ -7,12 +7,12 @@ Conflicts=shutdown.target [Service] Type=simple -User=matrix-appservice-discord -Group=matrix-appservice-discord -WorkingDirectory=/var/local/matrix-appservice-discord/matrix-appservice-discord +User={{ service_user }} +WorkingDirectory={{ service_path }} Environment="NODE_ENV=production" ExecStart=/usr/bin/nodejs ./build/src/discordas.js -p 9005 -c config.yaml Restart=always +RestartSec=3 [Install] WantedBy=multi-user.target diff --git a/roles/matrix-appservice-irc/defaults/main.yml b/roles/matrix-appservice-irc/defaults/main.yml index 517275e..845dbab 100644 --- a/roles/matrix-appservice-irc/defaults/main.yml +++ b/roles/matrix-appservice-irc/defaults/main.yml @@ -1,15 +1,15 @@ --- -# appservice_name is the name of the project on GitHub -appservice_name: matrix-appservice-irc +# service_name is the name of the project on GitHub +service_name: matrix-appservice-irc # URL to clone -appservice_repo: https://github.com/matrix-org/matrix-appservice-irc.git +service_repo: https://github.com/matrix-org/matrix-appservice-irc.git # name of the service user # It means that you will have to `sudo -u THISUSER zsh` to debug -appservice_user: "{{ appservice_name }}" -appservice_homedir: "/var/local/{{ appservice_name }}" +service_user: "{{ service_name }}" +service_homedir: "/var/local/{{ service_name }}" -# appservice_path is where the project is cloned +# service_path is where the project is cloned # It can't be the home directory because of user hidden files. -appservice_path: "{{ appservice_homedir }}/{{ appservice_name }}" +service_path: "{{ service_homedir }}/{{ service_name }}" diff --git a/roles/matrix-appservice-irc/tasks/main.yml b/roles/matrix-appservice-irc/tasks/main.yml index 971ca21..7c77af0 100644 --- a/roles/matrix-appservice-irc/tasks/main.yml 
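Review bot: With `Group=` dropped and `User={{ service_user }}` in place, the unit now relies entirely on the service account for isolation and sets no systemd sandboxing for a network-facing Node process; add `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` under `[Service]`. `full` rather than `strict` keeps the bridge able to write under its own `{{ service_path }}` in /var/local while /usr, /boot and /etc become read-only to it. The same applies to the new irc unit template and the webhooks unit later in this commit.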
+++ b/roles/matrix-appservice-irc/tasks/main.yml @@ -2,38 +2,38 @@ # Create service user - include_tasks: service_user.yml -- name: "Clone {{ appservice_name }} project" +- name: "Clone {{ service_name }} project" git: - repo: "{{ appservice_repo }}" - dest: "{{ appservice_path }}" + repo: "{{ service_repo }}" + dest: "{{ service_path }}" version: 0.11.2 become: true - become_user: "{{ appservice_user }}" + become_user: "{{ service_user }}" # Setup dependencies -- name: "Install {{ appservice_name }} dependencies" +- name: "Install {{ service_name }} dependencies" npm: - path: "{{ appservice_path }}" + path: "{{ service_path }}" production: true become: true - become_user: "{{ appservice_user }}" + become_user: "{{ service_user }}" register: npm_result retries: 3 until: npm_result is succeeded -- name: "Configure {{ appservice_name }}" +- name: "Configure {{ service_name }}" template: src: config.yaml.j2 - dest: "{{ appservice_path }}/config.yaml" - owner: "{{ appservice_user }}" + dest: "{{ service_path }}/config.yaml" + owner: "{{ service_user }}" group: nogroup mode: 0600 # Service file -- name: "Install {{ appservice_name }} systemd unit" +- name: "Install {{ service_name }} systemd unit" template: - src: systemd/matrix-appservice-irc.service.j2 - dest: "/etc/systemd/system/{{ appservice_name }}.service" + src: systemd/appservice.service.j2 + dest: "/etc/systemd/system/{{ service_name }}.service" owner: root group: root mode: 0644 
@@ -43,16 +43,16 @@ #- name: Copy appservice registration file # copy: -# src: "{{ appservice_path }}/discord-registration.yaml" -# dest: "/etc/matrix-synapse/{{ appservice_name }}-registration.yaml" +# src: "{{ service_path }}/discord-registration.yaml" +# dest: "/etc/matrix-synapse/{{ service_name }}-registration.yaml" # owner: matrix-synapse # group: nogroup # mode: 0600 # remote_src: yes # Run -#- name: Ensure that matrix-appservice-irc is started +#- name: "Ensure that {{ service_name }} is started" # service: -# name: matrix-appservice-irc +# name: "{{ service_name }}" # state: started # enabled: true diff --git a/roles/matrix-appservice-irc/tasks/service_user.yml b/roles/matrix-appservice-irc/tasks/service_user.yml index 4d73739..0818676 100644 --- a/roles/matrix-appservice-irc/tasks/service_user.yml +++ b/roles/matrix-appservice-irc/tasks/service_user.yml @@ -1,19 +1,19 @@ --- # Having a custom group is useless so use nogroup -- name: "Create {{ appservice_user }} user" +- name: "Create {{ service_user }} user" user: - name: "{{ appservice_user }}" + name: "{{ service_user }}" group: nogroup - home: "{{ appservice_homedir }}" + home: "{{ service_homedir }}" system: true shell: /bin/false state: present # Only service user should be able to go there -- name: "Secure {{ appservice_user }} home directory" +- name: "Secure {{ service_user }} home directory" file: - path: "{{ appservice_homedir }}" + path: "{{ service_homedir }}" state: directory - owner: "{{ appservice_user }}" + owner: "{{ service_user }}" group: nogroup mode: 0700 diff --git a/roles/matrix-appservice-irc/templates/apt/nodejs.j2 b/roles/matrix-appservice-irc/templates/apt/nodejs.j2 deleted file mode 100644 index 65e5110..0000000 --- a/roles/matrix-appservice-irc/templates/apt/nodejs.j2 +++ /dev/null @@ -1,5 +0,0 @@ -# {{ ansible_managed }} - -Package: node* libuv1* -Pin: release a=stretch-backports -Pin-Priority: 600 
diff --git a/roles/matrix-appservice-irc/templates/systemd/appservice.service.j2 b/roles/matrix-appservice-irc/templates/systemd/appservice.service.j2 new file mode 100644 index 0000000..0680720 --- /dev/null +++ b/roles/matrix-appservice-irc/templates/systemd/appservice.service.j2 @@ -0,0 +1,17 @@ +# {{ ansible_managed }} + +[Unit] +Description=A bridge between Matrix and IRC +After=syslog.target network-online.target mysql.service postgresql.service +Conflicts=shutdown.target + +[Service] +Type=simple +User={{ service_user }} +WorkingDirectory={{ service_path }} +ExecStart=/usr/bin/nodejs ./app.js -c config.yaml -f my_registration_file.yaml -p 9999 +Restart=always +RestartSec=3 + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 deleted file mode 100644 index 1f25539..0000000 --- a/roles/matrix-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 +++ /dev/null @@ -1,17 +0,0 @@ -# {{ ansible_managed }} - -[Unit] -Description=A bridge between Matrix and IRC -After=syslog.target network-online.target mysql.service postgresql.service -Conflicts=shutdown.target - -[Service] -Type=simple -User=matrix-appservice-irc -Group=matrix-appservice-irc -WorkingDirectory=/var/local/matrix-appservice-irc/matrix-appservice-irc -ExecStart=/usr/bin/nodejs /var/local/matrix-appservice-irc/matrix-appservice-irc/app.js -c config.yaml -f my_registration_file.yaml -p 9999 -Restart=always - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-appservice-webhooks/defaults/main.yml b/roles/matrix-appservice-webhooks/defaults/main.yml index ba9de6d..e4425c8 100644 --- a/roles/matrix-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-appservice-webhooks/defaults/main.yml 
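Review bot: `ExecStart` passes `-f my_registration_file.yaml`, which reads as a placeholder: nothing in the irc role writes a file of that name into `{{ service_path }}` (its tasks file only has a commented-out copy pointing at a discord-named file), so with `Restart=always` and `RestartSec=3` the bridge would fail to find its registration and be restarted every three seconds. Either make the filename a new role variable the tasks also use (say `service_registration_file`, rendered as `-f {{ service_registration_file }}`), or document above `ExecStart` that the file is created by hand. `-p 9999` is likewise hard-coded here, and the registration file presumably has to name the same port; a variable would keep the two from drifting.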
@@ -1,15 +1,15 @@ --- -# appservice_name is the name of the project on GitHub -appservice_name: matrix-appservice-webhooks +# service_name is the name of the project on GitHub +service_name: matrix-appservice-webhooks # URL to clone -appservice_repo: https://github.com/turt2live/matrix-appservice-webhooks.git +service_repo: https://github.com/turt2live/matrix-appservice-webhooks.git # name of the service user # It means that you will have to `sudo -u THISUSER zsh` to debug -appservice_user: "{{ appservice_name }}" -appservice_homedir: "/var/local/{{ appservice_name }}" +service_user: "{{ service_name }}" +service_homedir: "/var/local/{{ service_name }}" -# appservice_path is where the project is cloned +# service_path is where the project is cloned # It can't be the home directory because of user hidden files. -appservice_path: "{{ appservice_homedir }}/{{ appservice_name }}" +service_path: "{{ service_homedir }}/{{ service_name }}" diff --git a/roles/matrix-appservice-webhooks/tasks/main.yml b/roles/matrix-appservice-webhooks/tasks/main.yml index 9780b60..e8ef646 100644 --- a/roles/matrix-appservice-webhooks/tasks/main.yml +++ b/roles/matrix-appservice-webhooks/tasks/main.yml 
@@ -2,38 +2,38 @@ # Create service user - include_tasks: service_user.yml -- name: "Clone {{ appservice_name }} project" +- name: "Clone {{ service_name }} project" git: - repo: "{{ appservice_repo }}" - dest: "{{ appservice_path }}" + repo: "{{ service_repo }}" + dest: "{{ service_path }}" version: master become: true - become_user: "{{ appservice_user }}" + become_user: "{{ service_user }}" # Setup dependencies -- name: "Install {{ appservice_name }} dependencies" +- name: "Install {{ service_name }} dependencies" npm: - path: "{{ appservice_path }}" + path: "{{ service_path }}" production: true become: true - become_user: "{{ appservice_user }}" + become_user: "{{ service_user }}" register: npm_result retries: 3 until: npm_result is succeeded -- name: "Configure {{ appservice_name }}" +- name: "Configure {{ service_name }}" template: src: config.yaml.j2 - dest: "{{ appservice_path }}/config/config.yaml" - owner: "{{ appservice_user }}" + dest: "{{ service_path }}/config/config.yaml" + owner: "{{ service_user }}" group: nogroup mode: 0600 # Service file -- name: "Install {{ appservice_name }} systemd unit" +- name: "Install {{ service_name }} systemd unit" template: - src: systemd/matrix-appservice-webhooks.service.j2 - dest: "/etc/systemd/system/{{ appservice_name }}.service" + src: systemd/appservice.service.j2 + dest: "/etc/systemd/system/{{ service_name }}.service" owner: root group: root mode: 0644 
@@ -43,16 +43,16 @@ - name: Copy appservice registration file copy: - src: "{{ appservice_path }}/appservice-registration-webhooks.yaml" - dest: "/etc/matrix-synapse/{{ appservice_name }}-registration.yaml" + src: "{{ service_path }}/appservice-registration-webhooks.yaml" + dest: "/etc/matrix-synapse/{{ service_name }}-registration.yaml" owner: matrix-synapse group: nogroup mode: 0600 remote_src: yes # Run -- name: "Ensure that {{ appservice_name }} is started" +- name: "Ensure that {{ service_name }} is started" service: - name: "{{ appservice_name }}" + name: "{{ service_name }}" state: started enabled: true diff --git a/roles/matrix-appservice-webhooks/tasks/service_user.yml b/roles/matrix-appservice-webhooks/tasks/service_user.yml index 4d73739..0818676 100644 --- a/roles/matrix-appservice-webhooks/tasks/service_user.yml +++ b/roles/matrix-appservice-webhooks/tasks/service_user.yml @@ -1,19 +1,19 @@ --- # Having a custom group is useless so use nogroup -- name: "Create {{ appservice_user }} user" +- name: "Create {{ service_user }} user" user: - name: "{{ appservice_user }}" + name: "{{ service_user }}" group: nogroup - home: "{{ appservice_homedir }}" + home: "{{ service_homedir }}" system: true shell: /bin/false state: present # Only service user should be able to go there -- name: "Secure {{ appservice_user }} home directory" +- name: "Secure {{ service_user }} home directory" file: - path: "{{ appservice_homedir }}" + path: "{{ service_homedir }}" state: directory - owner: "{{ appservice_user }}" + owner: "{{ service_user }}" group: nogroup mode: 0700 diff --git a/roles/matrix-appservice-webhooks/templates/apt/nodejs.j2 b/roles/matrix-appservice-webhooks/templates/apt/nodejs.j2 deleted file mode 100644 index 65e5110..0000000 --- a/roles/matrix-appservice-webhooks/templates/apt/nodejs.j2 +++ /dev/null @@ -1,5 +0,0 @@ -# {{ ansible_managed }} - -Package: node* libuv1* -Pin: release a=stretch-backports -Pin-Priority: 600 
diff --git a/roles/matrix-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 b/roles/matrix-appservice-webhooks/templates/systemd/appservice.service.j2 similarity index 71% rename from roles/matrix-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 rename to roles/matrix-appservice-webhooks/templates/systemd/appservice.service.j2 index 9d8c6b6..48239a8 100644 --- a/roles/matrix-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 +++ b/roles/matrix-appservice-webhooks/templates/systemd/appservice.service.j2 @@ -7,11 +7,11 @@ Conflicts=shutdown.target [Service] Type=simple -User=matrix-appservice-webhooks -Group=matrix-appservice-webhooks -WorkingDirectory=/var/local/matrix-appservice-webhooks/matrix-appservice-webhooks +User={{ service_user }} +WorkingDirectory={{ service_path }} ExecStart=/usr/bin/nodejs index.js -p 9000 -c config/config.yaml -f appservice-registration-webhooks.yaml Restart=always +RestartSec=3 [Install] WantedBy=multi-user.target From 88b9356f7d92056b14d778aef5888a89e680c07e Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 30 Mar 2019 13:34:25 +0100 Subject: [PATCH 058/297] Make CodiMD role more generic --- roles/codimd/defaults/main.yml | 15 +++++++ roles/codimd/tasks/1_user_group.yml | 26 ----------- roles/codimd/tasks/main.yml | 44 +++++++++---------- roles/codimd/tasks/service_user.yml | 19 ++++++++ .../templates/systemd/codimd.service.j2 | 8 ++-- 5 files changed, 59 insertions(+), 53 deletions(-) create mode 100644 roles/codimd/defaults/main.yml delete mode 100644 roles/codimd/tasks/1_user_group.yml create mode 100644 roles/codimd/tasks/service_user.yml diff --git a/roles/codimd/defaults/main.yml b/roles/codimd/defaults/main.yml new file mode 100644 index 0000000..b90bf62 --- /dev/null +++ b/roles/codimd/defaults/main.yml 
@@ -0,0 +1,15 @@ +--- +# service_name is the name of the project on GitHub +service_name: codimd + +# URL to clone +service_repo: https://github.com/hackmdio/codimd.git + +# name of the service user +# It means that you will have to `sudo -u THISUSER zsh` to debug +service_user: "{{ service_name }}" +service_homedir: "/var/local/{{ service_name }}" + +# service_path is where the project is cloned +# It can't be the home directory because of user hidden files. +service_path: "{{ service_homedir }}/{{ service_name }}" diff --git a/roles/codimd/tasks/1_user_group.yml b/roles/codimd/tasks/1_user_group.yml deleted file mode 100644 index 8acc968..0000000 --- a/roles/codimd/tasks/1_user_group.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# Security #1 -- name: Create CodiMD system group - group: - name: codimd - system: true - state: present - -# Security #2 -- name: Create CodiMD user - user: - name: codimd - group: codimd - home: /var/local/codimd - comment: CodiMD - system: true - state: present - -# Security #3 -- name: Secure CodiMD home directory - file: - path: /var/local/codimd - state: directory - owner: codimd - group: codimd - mode: 0750 diff --git a/roles/codimd/tasks/main.yml b/roles/codimd/tasks/main.yml index f176b95..f304fad 100644 --- a/roles/codimd/tasks/main.yml +++ b/roles/codimd/tasks/main.yml 
@@ -2,26 +2,25 @@ # Install APT dependencies - include_tasks: 0_apt_dependencies.yml -# Create CodiMD user and group -- include_tasks: 1_user_group.yml +# Create service user +- include_tasks: service_user.yml -# Download CodiMD -- name: Clone CodiMD project +- name: "Clone {{ service_name }} project" git: - repo: https://github.com/hackmdio/codimd.git - dest: /var/local/codimd/codimd + repo: "{{ service_repo }}" + dest: "{{ service_path }}" version: 1.3.0 become: true - become_user: codimd + become_user: "{{ service_user }}" notify: Build front-end for CodiMD -# Setup dependencies and configs -- name: Install CodiMD dependencies +# Setup dependencies +- name: "Install {{ service_name }} dependencies" yarn: - path: /var/local/codimd/codimd + path: "{{ service_path }}" production: true become: true - become_user: codimd + become_user: "{{ service_user }}" register: yarn_result retries: 3 until: yarn_result is succeeded @@ -30,33 +29,32 @@ - name: Connect CodiMD to PostgreSQL db template: src: sequelizerc.j2 - dest: /var/local/codimd/codimd/.sequelizerc - owner: codimd - group: codimd + dest: "{{ service_path }}/.sequelizerc" + owner: "{{ service_user }}" + group: nogroup mode: 0600 -# Configure -- name: Configure CodiMD +- name: "Configure {{ service_name }}" template: src: config.json.j2 - dest: /var/local/codimd/codimd/config.json - owner: codimd - group: codimd + dest: "{{ service_path }}/config.json" + owner: "{{ service_user }}" + group: nogroup mode: 0600 # Service file -- name: Install CodiMD systemd unit +- name: "Install {{ service_name }} systemd unit" template: src: systemd/codimd.service.j2 - dest: /etc/systemd/system/codimd.service + dest: "/etc/systemd/system/{{ service_name }}.service" owner: root group: root mode: 0644 notify: Reload systemd daemons # Run -- name: Ensure that CodiMD is started +- name: "Ensure that {{ service_name }} is started" service: - name: codimd + name: "{{ service_name }}" state: started enabled: true 
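Review bot: The clone now takes its source from `{{ service_repo }}` while the adjacent context line `version: 1.3.0` pins a git tag; tags can be moved upstream, and this checkout is then built and installed by `yarn` as the service user, so pinning a commit SHA (the `git` module's `version` accepts one) gives a reproducible, tamper-evident checkout. The unit task still hard-codes `src: systemd/codimd.service.j2` while its `name` and `dest` use `{{ service_name }}` — fine for this role, but a comment such as `# template stays codimd-specific; only dest is generic` stops the next reader from "fixing" it. The `mode: 0600` / `mode: 0644` context lines remain unquoted octal; quoting them (`mode: "0600"`) removes the dependence on YAML 1.1 integer parsing.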
diff --git a/roles/codimd/tasks/service_user.yml b/roles/codimd/tasks/service_user.yml new file mode 100644 index 0000000..0818676 --- /dev/null +++ b/roles/codimd/tasks/service_user.yml @@ -0,0 +1,19 @@ +--- +# Having a custom group is useless so use nogroup +- name: "Create {{ service_user }} user" + user: + name: "{{ service_user }}" + group: nogroup + home: "{{ service_homedir }}" + system: true + shell: /bin/false + state: present + +# Only service user should be able to go there +- name: "Secure {{ service_user }} home directory" + file: + path: "{{ service_homedir }}" + state: directory + owner: "{{ service_user }}" + group: nogroup + mode: 0700 diff --git a/roles/codimd/templates/systemd/codimd.service.j2 b/roles/codimd/templates/systemd/codimd.service.j2 index 8468dfd..4b80a5b 100644 --- a/roles/codimd/templates/systemd/codimd.service.j2 +++ b/roles/codimd/templates/systemd/codimd.service.j2 @@ -7,12 +7,12 @@ Conflicts=shutdown.target [Service] Type=simple -User=codimd -Group=codimd -WorkingDirectory=/var/local/codimd/codimd +User={{ service_user }} +WorkingDirectory={{ service_path }} Environment="NODE_ENV=production" -ExecStart=/usr/bin/nodejs /var/local/codimd/codimd/app.js +ExecStart=/usr/bin/nodejs ./app.js Restart=always +RestartSec=3 [Install] WantedBy=multi-user.target From 2158c5c6b9cb85f619ce2529547a903e87753ba3 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 1 Apr 2019 17:57:13 +0200 Subject: [PATCH 059/297] Pass Matrix Webhook through reverse proxy --- .../nginx/nginx-sites-available-main.j2 | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2 b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2 index ddb8bc3..f4ebf9a 100644 --- a/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2 +++ b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2 
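Review bot: This new service_user.yml is byte-identical to roles/matrix-appservice-webhooks/tasks/service_user.yml (both resolve to blob 0818676), and the re2o-service role later on this page adds a third copy. A shared role, or `include_role` with `tasks_from: service_user.yml`, would keep the account hardening these files carry (`shell: /bin/false`, `system: true`, home `mode: 0700`, primary group nogroup) from drifting between roles when one copy is edited. At minimum a comment at the top naming the canonical copy would help.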
@@ -82,3 +82,26 @@ server { proxy_set_header X-Forwarded-For $remote_addr; } } + +server { + listen 9442 ssl; + listen [::]:9442 ssl; + + # Set witch server name we define + server_name auro.re; + + # Separate log files + access_log /var/log/nginx/main.access.log; + error_log /var/log/nginx/main.error.log; + + # Use LetsEncrypt SSL + ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem; + + # For Matrix Appservice Webhooks + location / { + proxy_pass http://synapse.adm.auro.re:9000; + proxy_set_header X-Forwarded-For $remote_addr; + } +} From 84694900e45a22eab23999422b41b26050b88de4 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 1 Apr 2019 17:57:43 +0200 Subject: [PATCH 060/297] Annonce the right Webhook URL for Matrix --- roles/matrix-appservice-webhooks/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-appservice-webhooks/templates/config.yaml.j2 b/roles/matrix-appservice-webhooks/templates/config.yaml.j2 index 8be6b99..9355aff 100644 --- a/roles/matrix-appservice-webhooks/templates/config.yaml.j2 +++ b/roles/matrix-appservice-webhooks/templates/config.yaml.j2 @@ -26,7 +26,7 @@ provisioning: # Configuration related to the web portion of the bridge. Handles the inbound webhooks web: - hookUrlBase: 'http://synapse.adm.auro.re:9000/' + hookUrlBase: 'https://auro.re:9442/' logging: file: logs/webhook.log From 1b3a6f7bf8a42ba92b854d79d93d7b2cabac62cc Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 1 Apr 2019 18:53:37 +0200 Subject: [PATCH 061/297] Configure IRC Matrix appservice --- roles/matrix-appservice-irc/tasks/main.yml | 27 ++++++++++--------- .../templates/config.yaml.j2 | 26 +++++------------- .../templates/systemd/appservice.service.j2 | 2 +- 3 files changed, 22 insertions(+), 33 deletions(-) 
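Review bot: The new server block terminates TLS on 9442 and forwards every path to `http://synapse.adm.auro.re:9000` without passing the client-facing host or scheme, so the backend sees `Host: synapse.adm.auro.re:9000` and cannot tell it was reached over HTTPS; add `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;` beside the existing X-Forwarded-For line (the following commit hard-codes `hookUrlBase` instead, which works but is exactly the information these headers would carry). The block sets no `ssl_protocols` or `ssl_ciphers` of its own, so it inherits whatever the http{} context defines, which is not visible here — confirm the global settings exclude TLS 1.0/1.1. The upstream hop is plaintext on a port that is now reachable from the Internet through this proxy; that is acceptable only if the adm network is trusted end to end, which the hostname suggests but the diff cannot show.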
diff --git a/roles/matrix-appservice-irc/tasks/main.yml b/roles/matrix-appservice-irc/tasks/main.yml index 7c77af0..881aaee 100644 --- a/roles/matrix-appservice-irc/tasks/main.yml +++ b/roles/matrix-appservice-irc/tasks/main.yml @@ -40,19 +40,20 @@ notify: Reload systemd daemons # TODO generate registration +# node app.js -r -f irc-registration.yaml -u "http://localhost:9999" -c config.yaml -l ircbot -#- name: Copy appservice registration file -# copy: -# src: "{{ service_path }}/discord-registration.yaml" -# dest: "/etc/matrix-synapse/{{ service_name }}-registration.yaml" -# owner: matrix-synapse -# group: nogroup -# mode: 0600 -# remote_src: yes +- name: Copy appservice registration file + copy: + src: "{{ service_path }}/irc-registration.yaml" + dest: "/etc/matrix-synapse/{{ service_name }}-registration.yaml" + owner: matrix-synapse + group: nogroup + mode: 0600 + remote_src: yes # Run -#- name: "Ensure that {{ service_name }} is started" -# service: -# name: "{{ service_name }}" -# state: started -# enabled: true +- name: "Ensure that {{ service_name }} is started" + service: + name: "{{ service_name }}" + state: started + enabled: true diff --git a/roles/matrix-appservice-irc/templates/config.yaml.j2 b/roles/matrix-appservice-irc/templates/config.yaml.j2 index 72d1a84..5112d96 100644 --- a/roles/matrix-appservice-irc/templates/config.yaml.j2 +++ b/roles/matrix-appservice-irc/templates/config.yaml.j2 
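Review bot: The now-active copy task assumes `{{ service_path }}/irc-registration.yaml` already exists, but the registration is still produced by hand (the `# TODO generate registration` command above it), so a fresh host fails at this task with a generic copy error. Generating it idempotently with a `command` guarded by `creates`, run as the service user, removes the manual step; the rewrite is sketched below. Nothing in the hunk wires the copied file into synapse's `app_service_config_files` or reloads synapse; if that lives in the matrix-synapse role, a comment here saying so would help.
```yaml
# Generate the appservice registration once, as the service user
- name: Generate appservice registration file
  command: >
    /usr/bin/nodejs app.js -r -f irc-registration.yaml
    -u "http://localhost:9999" -c config.yaml -l ircbot
  args:
    chdir: "{{ service_path }}"
    creates: "{{ service_path }}/irc-registration.yaml"
  become: true
  become_user: "{{ service_user }}"

# … unchanged: copy registration file, ensure service is started …
```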
@@ -3,13 +3,13 @@ homeserver: # The URL to the home server for client-server API calls, also used to form the # media URLs as displayed in bridged IRC channels: - url: "https://auro.re" + url: "http://auro.re" # # The URL of the homeserver hosting media files. This is only used to transform # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By # default, this is the homeserver URL, specified above. # - # media_url: "http://media.repo:8008" + media_url: "https://auro.re" # Drop Matrix messages which are older than this number of seconds, according to # the event's origin_server_ts. @@ -62,7 +62,7 @@ ircService: # Whether to use SSL or not. Default: false. ssl: true # Whether or not IRC server is using a self-signed cert or not providing CA Chain - sslselfsign: false + sslselfsign: true # Should the connection attempt to identify via SASL (if a server or user password is given) # If false, this will use PASS instead. If SASL fails, we do not fallback to PASS. sasl: false @@ -127,7 +127,7 @@ ircService: # it can service bridge-specific queries from the IRC-side e.g. so # real IRC clients have a way to change their Matrix display name. # See https://github.com/matrix-org/matrix-appservice-irc/issues/55 - enabled: true + enabled: false # The nickname to give the AS bot. nick: "AuroreBot" # The password to give to NickServ or IRC Server for this nick. Optional. @@ -165,7 +165,7 @@ ircService: createAlias: true # Should the AS publish the new Matrix room to the public room list so # anyone can see it? Default: true. - published: false + published: true # What should the join_rule be for the new Matrix room? If 'public', # anyone can join the room. If 'invite', only users with an invite can # join the room. Note that if an IRC channel has +k or +i set on it, 
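Review bot: `url` drops from `https://auro.re` to `http://auro.re`, so the bridge's client-server calls — which carry the appservice token on every request — travel in clear text unless auro.re resolves to a local or admin-only path from this host; if the goal is to skip TLS for the co-located homeserver, point `url` at the homeserver's own plaintext listener rather than the public name, otherwise keep https. `sslselfsign: true` in the second hunk disables certificate validation towards the IRC server (the surrounding comment says it exists for self-signed certificates or a missing CA chain), trading MITM protection for convenience; if the IRC server's certificate really is self-signed, add a comment naming that server so the exception is auditable, and prefer supplying its CA chain if the bridge supports it. `published: true` puts every newly bridged room in the public directory; a one-line comment on why that is wanted would help.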
@@ -217,7 +217,7 @@ ircService: ircToMatrix: # Get a snapshot of all real IRC users on a channel (via NAMES) and # join their virtual matrix clients to the room. - initial: false + initial: true # Make virtual matrix clients join and leave rooms as their real IRC # counterparts join/part channels. Default: false. incremental: true @@ -225,24 +225,12 @@ ircService: matrixToIrc: # Get a snapshot of all real Matrix users in the room and join all of # them to the mapped IRC channel on startup. Default: false. - initial: false + initial: true # Make virtual IRC clients join and leave channels as their real Matrix # counterparts join/leave rooms. Make sure your 'maxClients' value is # high enough! Default: false. incremental: true - # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect. - rooms: - - # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect. - channels: - - mappings: - # 1:many mappings from IRC channels to room IDs on this IRC server. - # The matrix room must already exist. Your matrix client should expose - # the room ID in a "settings" page for the room. - # "#thepub": ["!kieouiJuedJoxtVdaG:localhost"] - # Configuration for virtual matrix users. The following variables are # exposed: # $NICK => The IRC nick diff --git a/roles/matrix-appservice-irc/templates/systemd/appservice.service.j2 b/roles/matrix-appservice-irc/templates/systemd/appservice.service.j2 index 0680720..c686551 100644 --- a/roles/matrix-appservice-irc/templates/systemd/appservice.service.j2 +++ b/roles/matrix-appservice-irc/templates/systemd/appservice.service.j2 @@ -9,7 +9,7 @@ Conflicts=shutdown.target Type=simple User={{ service_user }} WorkingDirectory={{ service_path }} -ExecStart=/usr/bin/nodejs ./app.js -c config.yaml -f my_registration_file.yaml -p 9999 +ExecStart=/usr/bin/nodejs ./app.js -c config.yaml -f irc-registration.yaml -p 9999 Restart=always RestartSec=3 From 55cf8b801d9d9a88c0a7743c863411216be23c59 Mon Sep 17 00:00:00 2001 
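Review bot: Both `initial: true` switches turn on start-up membership snapshots; for `matrixToIrc` that means one virtual IRC client per real Matrix user in every bridged room at every (re)start, which the config's own comment ties to `maxClients` — that value is outside the hunk, so confirm it is sized for the room population. Combined with `Restart=always` and `RestartSec=3` in the unit hunk, a crash loop would re-run this join burst against the IRC server every few seconds. A comment above each flipped default stating the reason would keep the next reader from reverting it.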
From: Alexandre Iooss Date: Sat, 6 Apr 2019 15:19:52 +0200 Subject: [PATCH 062/297] Remove useless systemd handler --- roles/codimd/handlers/main.yml | 5 ----- roles/codimd/tasks/main.yml | 4 ++-- roles/etherpad/handlers/main.yml | 5 ----- roles/etherpad/tasks/main.yml | 4 ++-- roles/matrix-appservice-discord/handlers/main.yml | 5 ----- roles/matrix-appservice-discord/tasks/main.yml | 4 ++-- roles/matrix-appservice-irc/handlers/main.yml | 5 ----- roles/matrix-appservice-irc/tasks/main.yml | 4 ++-- roles/matrix-appservice-webhooks/handlers/main.yml | 5 ----- roles/matrix-appservice-webhooks/tasks/main.yml | 4 ++-- 10 files changed, 10 insertions(+), 35 deletions(-) delete mode 100644 roles/etherpad/handlers/main.yml delete mode 100644 roles/matrix-appservice-discord/handlers/main.yml delete mode 100644 roles/matrix-appservice-irc/handlers/main.yml delete mode 100644 roles/matrix-appservice-webhooks/handlers/main.yml diff --git a/roles/codimd/handlers/main.yml b/roles/codimd/handlers/main.yml index 08525df..76f5f7b 100644 --- a/roles/codimd/handlers/main.yml +++ b/roles/codimd/handlers/main.yml @@ -7,8 +7,3 @@ chdir: /var/local/codimd/codimd become: true become_user: codimd - -# Reload systemd daemons when a service file changes -- name: Reload systemd daemons - systemd: - daemon_reload: true diff --git a/roles/codimd/tasks/main.yml b/roles/codimd/tasks/main.yml index f304fad..54bb712 100644 --- a/roles/codimd/tasks/main.yml +++ b/roles/codimd/tasks/main.yml @@ -50,11 +50,11 @@ owner: root group: root mode: 0644 - notify: Reload systemd daemons # Run - name: "Ensure that {{ service_name }} is started" - service: + systemd: name: "{{ service_name }}" state: started enabled: true + daemon_reload: true diff --git a/roles/etherpad/handlers/main.yml b/roles/etherpad/handlers/main.yml deleted file mode 100644 index 46a7fd8..0000000 --- a/roles/etherpad/handlers/main.yml +++ /dev/null 
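Review bot: handlers/main.yml still has `chdir: /var/local/codimd/codimd` and `become_user: codimd` (context lines) while tasks/main.yml was made generic in commit 058, so overriding `service_user` or `service_homedir` makes the front-end build run in the wrong directory or as a non-existent user; change them to `chdir: "{{ service_path }}"` and `become_user: "{{ service_user }}"`. Replacing the handler with `daemon_reload: true` reloads systemd on every run rather than only when the unit changed, which is harmless, but neither the old handler nor the new task restarts an already-running service after its unit file changes — a `notify` to a restart handler on the template task would cover that. The same handler-to-`daemon_reload` change is repeated for etherpad, discord, irc and webhooks in the following hunks.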
@@ -1,5 +0,0 @@ ---- -# Reload systemd daemons when a service file changes -- name: Reload systemd daemons - systemd: - daemon_reload: true diff --git a/roles/etherpad/tasks/main.yml b/roles/etherpad/tasks/main.yml index 21667ec..454b4bd 100644 --- a/roles/etherpad/tasks/main.yml +++ b/roles/etherpad/tasks/main.yml @@ -69,14 +69,14 @@ owner: root group: root mode: 0644 - notify: Reload systemd daemons # Run - name: Ensure that EtherPad is started - service: + systemd: name: etherpad-lite state: started enabled: true + daemon_reload: true # TODO-list # La configuration de la clé `dbSettings` n'est pas encore automatisé ! diff --git a/roles/matrix-appservice-discord/handlers/main.yml b/roles/matrix-appservice-discord/handlers/main.yml deleted file mode 100644 index 46a7fd8..0000000 --- a/roles/matrix-appservice-discord/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# Reload systemd daemons when a service file changes -- name: Reload systemd daemons - systemd: - daemon_reload: true diff --git a/roles/matrix-appservice-discord/tasks/main.yml b/roles/matrix-appservice-discord/tasks/main.yml index b7cb95b..0a04b8c 100644 --- a/roles/matrix-appservice-discord/tasks/main.yml +++ b/roles/matrix-appservice-discord/tasks/main.yml @@ -48,7 +48,6 @@ owner: root group: root mode: 0644 - notify: Reload systemd daemons # TODO generate registration @@ -63,7 +62,8 @@ # Run - name: "Ensure that {{ service_name }} is started" - service: + systemd: name: "{{ service_name }}" state: started enabled: true + daemon_reload: true diff --git a/roles/matrix-appservice-irc/handlers/main.yml b/roles/matrix-appservice-irc/handlers/main.yml deleted file mode 100644 index 46a7fd8..0000000 --- a/roles/matrix-appservice-irc/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# Reload systemd daemons when a service file changes -- name: Reload systemd daemons - systemd: - daemon_reload: true 
diff --git a/roles/matrix-appservice-irc/tasks/main.yml b/roles/matrix-appservice-irc/tasks/main.yml index 881aaee..5c455d7 100644 --- a/roles/matrix-appservice-irc/tasks/main.yml +++ b/roles/matrix-appservice-irc/tasks/main.yml @@ -37,7 +37,6 @@ owner: root group: root mode: 0644 - notify: Reload systemd daemons # TODO generate registration # node app.js -r -f irc-registration.yaml -u "http://localhost:9999" -c config.yaml -l ircbot @@ -53,7 +52,8 @@ # Run - name: "Ensure that {{ service_name }} is started" - service: + systemd: name: "{{ service_name }}" state: started enabled: true + daemon_reload: true diff --git a/roles/matrix-appservice-webhooks/handlers/main.yml b/roles/matrix-appservice-webhooks/handlers/main.yml deleted file mode 100644 index 46a7fd8..0000000 --- a/roles/matrix-appservice-webhooks/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# Reload systemd daemons when a service file changes -- name: Reload systemd daemons - systemd: - daemon_reload: true diff --git a/roles/matrix-appservice-webhooks/tasks/main.yml b/roles/matrix-appservice-webhooks/tasks/main.yml index e8ef646..75ec367 100644 --- a/roles/matrix-appservice-webhooks/tasks/main.yml +++ b/roles/matrix-appservice-webhooks/tasks/main.yml @@ -37,7 +37,6 @@ owner: root group: root mode: 0644 - notify: Reload systemd daemons # TODO generate registration @@ -52,7 +51,8 @@ # Run - name: "Ensure that {{ service_name }} is started" - service: + systemd: name: "{{ service_name }}" state: started enabled: true + daemon_reload: true From 104cc3d09e8b92cfab6a69d1ef06d168675d2df1 Mon Sep 17 00:00:00 2001 
From: Alexandre Iooss Date: Sun, 7 Apr 2019 16:59:19 +0200 Subject: [PATCH 063/297] Move new PVE --- group_vars/edc/sudo_location_group.yml | 3 +++ group_vars/fleming/sudo_location_group.yml | 3 +++ group_vars/georgesand/sudo_location_group.yml | 3 +++ hosts | 18 ++++++++++++++++-- 4 files changed, 25 insertions(+), 2 deletions(-) create mode 100644 group_vars/edc/sudo_location_group.yml create mode 100644 group_vars/fleming/sudo_location_group.yml create mode 100644 group_vars/georgesand/sudo_location_group.yml diff --git a/group_vars/edc/sudo_location_group.yml b/group_vars/edc/sudo_location_group.yml new file mode 100644 index 0000000..a7aec2e --- /dev/null +++ b/group_vars/edc/sudo_location_group.yml @@ -0,0 +1,3 @@ +--- +# Users in that group will be able to `sudo` +sudo_group_location: 'sudoedc' diff --git a/group_vars/fleming/sudo_location_group.yml b/group_vars/fleming/sudo_location_group.yml new file mode 100644 index 0000000..664d024 --- /dev/null +++ b/group_vars/fleming/sudo_location_group.yml @@ -0,0 +1,3 @@ +--- +# Users in that group will be able to `sudo` +sudo_group_location: 'sudofleming' diff --git a/group_vars/georgesand/sudo_location_group.yml b/group_vars/georgesand/sudo_location_group.yml new file mode 100644 index 0000000..4ca3c9d --- /dev/null +++ b/group_vars/georgesand/sudo_location_group.yml @@ -0,0 +1,3 @@ +--- +# Users in that group will be able to `sudo` +sudo_group_location: 'sudogeorgesand' diff --git a/hosts b/hosts index d3934c3..b918522 100644 --- a/hosts +++ b/hosts @@ -38,10 +38,14 @@ re2o-test.adm.auro.re #ldap-replica-fleming2.adm.auro.re [pacaterie-pve] -merlin.adm.auro.re -leodagan.adm.auro.re mordred.adm.auro.re +[edc-pve] +leodagan.adm.auro.re + +[georgesand-pve] +merlin.adm.auro.re + # everything at ovh [ovh:children] ovh-pve 
@@ -61,6 +65,14 @@ fleming-vm-ldap-replica [pacaterie:children] pacaterie-pve +# everything at edc +[edc:children] +edc-pve + +# everything at georgesand +[georgesand:children] +georgesand-pve + # every LXC container [container:children] ovh-container @@ -75,6 +87,8 @@ fleming-vm-ldap-replica ovh-pve fleming-pve pacaterie-pve +edc-pve +georgesand-pve # every LDAP replica [ldap-replica:children] From 110389ae7ce05225e7fd99c5d0a897dda41f02f9 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 7 Apr 2019 17:00:29 +0200 Subject: [PATCH 064/297] Parallelism --- ansible.cfg | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ansible.cfg b/ansible.cfg index 560f008..457c3d2 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -14,6 +14,9 @@ retry_files_enabled = False # Do not use cows (with cowsay) nocows = 1 +# Do more parallelism +forks = 15 + [privilege_escalation] # Use sudo to get priviledge access From 0c8763c702bdab87493fd00ee80807baf1a61238 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Fri, 3 May 2019 13:06:26 +0200 Subject: [PATCH 065/297] Create VM with Proxmox API --- proxmox.yml | 39 +++++++++++++++++++++++++++++++++ roles/proxmox-vm/tasks/main.yml | 17 ++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 proxmox.yml create mode 100644 roles/proxmox-vm/tasks/main.yml diff --git a/proxmox.yml b/proxmox.yml new file mode 100644 index 0000000..670db43 --- /dev/null +++ b/proxmox.yml 
@@ -0,0 +1,39 @@ +--- +# This is a special playbook to create a new VM ! +- hosts: pad.adm.auro.re # Host with python-proxmoxer and python-requests + become: false # We do not need root as we use Proxmox API + + vars: + vm_definitions: + - name: ldap-replica-pacaterie + virtu: mordred + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-buster-DI-rc1-amd64-netinst.iso + - name: dhcp-pacaterie + virtu: mordred + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-buster-DI-rc1-amd64-netinst.iso + - name: dns-pacaterie + virtu: mordred + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-buster-DI-rc1-amd64-netinst.iso + - name: prometheus-pacaterie + virtu: mordred + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-buster-DI-rc1-amd64-netinst.iso + + vars_prompt: + - name: "password" + prompt: "Enter LDAP password for your user" + private: yes + + roles: + - proxmox-vm diff --git a/roles/proxmox-vm/tasks/main.yml b/roles/proxmox-vm/tasks/main.yml new file mode 100644 index 0000000..be94272 --- /dev/null +++ b/roles/proxmox-vm/tasks/main.yml @@ -0,0 +1,17 @@ +--- +- name: Define a virtual machine in Proxmox + proxmox_kvm: + api_user: "{{ ansible_user_id }}@pam" + api_password: "{{ password }}" + api_host: "{{ item.virtu }}.adm.auro.re" + name: "{{ item.name }}" + node: "{{ item.virtu }}" + scsihw: virtio-scsi-pci + scsi: '{"scsi0":"{{ item.virtu }}:{{ item.disksize }},format=raw"}' + sata: '{"sata0":"local:iso/{{ item.installiso }},media=cdrom"}' + net: '{"net0":"virtio,bridge=vmbr2"}' # Adm only by default + cores: "{{ item.cores }}" + memory: "{{ item.memory }}" + balloon: "{{ item.memory // 2 }}" + bios: seabios # Ansible module doesn't support UEFI boot disk + loop: "{{ vm_definitions }}" From d761c51c6f7de19ad8cfb6676bde35b905527397 Mon Sep 17 00:00:00 2001 
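Review bot: `proxmox_kvm` defaults `validate_certs` to false, so the LDAP password prompted in proxmox.yml is sent to `{{ item.virtu }}.adm.auro.re` without the API certificate being checked; add `validate_certs: true` (and trust the PVE CA on the controlling host) so a spoofed API endpoint on the adm network cannot capture it. The looped task also lacks `no_log: true`; the module may mask `api_password` itself, but the flag guards against it surfacing in failure output or at higher verbosity. `bios: seabios  # Ansible module doesn't support UEFI boot disk` is a useful comment — extend it with the module or Ansible version this was checked against so it can be revisited.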
From: Alexandre Iooss Date: Fri, 3 May 2019 13:11:39 +0200 Subject: [PATCH 066/297] Fix identation --- proxmox.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/proxmox.yml b/proxmox.yml index 670db43..f2cf5c2 100644 --- a/proxmox.yml +++ b/proxmox.yml @@ -31,9 +31,9 @@ installiso: debian-buster-DI-rc1-amd64-netinst.iso vars_prompt: - - name: "password" - prompt: "Enter LDAP password for your user" - private: yes + - name: "password" + prompt: "Enter LDAP password for your user" + private: yes roles: - proxmox-vm From 32744ca6b65c20c05933c32dff197cd090155e9e Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Fri, 3 May 2019 14:46:24 +0200 Subject: [PATCH 067/297] Add new pacaterie vms --- hosts | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/hosts b/hosts index b918522..db1abc6 100644 --- a/hosts +++ b/hosts @@ -33,13 +33,19 @@ re2o-test.adm.auro.re #freya.adm.auro.re #odin.adm.auro.re -[fleming-vm-ldap-replica] +[fleming-vm] #ldap-replica-fleming1.adm.auro.re #ldap-replica-fleming2.adm.auro.re [pacaterie-pve] mordred.adm.auro.re +[pacaterie-vm] +ldap-replica-pacaterie.adm.auro.re +dhcp-pacaterie.adm.auro.re +dns-pacaterie.adm.auro.re +prometheus-pacaterie.adm.auro.re + [edc-pve] leodagan.adm.auro.re @@ -59,11 +65,12 @@ ovh-testing-vm # everything at fleming [fleming:children] fleming-pve -fleming-vm-ldap-replica +fleming-vm # everything at pacaterie [pacaterie:children] pacaterie-pve +pacaterie-vm # everything at edc [edc:children] @@ -80,7 +87,8 @@ ovh-container # every virtual machine [vm:children] ovh-vm -fleming-vm-ldap-replica +fleming-vm +pacaterie-vm # every PVE [pve:children] @@ -89,7 +97,3 @@ fleming-pve pacaterie-pve edc-pve georgesand-pve - -# every LDAP replica -[ldap-replica:children] -fleming-vm-ldap-replica From 1bcd9741f937a8172c8bf0e864431bc028ea9415 Mon Sep 17 00:00:00 2001 
From: Alexandre Iooss Date: Fri, 3 May 2019 14:46:58 +0200 Subject: [PATCH 068/297] Python 3 by default --- group_vars/all/vars.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 20336a0..45601b8 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -1,4 +1,7 @@ --- +# Use Python 3 +ansible_python_interpreter: /usr/bin/python3 + # LDAP binding # You can hash LDAP passwords with `slappasswd` tool ldap_base: 'dc=auro,dc=re' From 5e738f40a79bda3a6aa52ae5fd1b66e2df84b700 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Fri, 3 May 2019 15:52:50 +0200 Subject: [PATCH 069/297] Uniformize motd --- roles/baseconfig/files/update-motd.d/00-logo | 3 +-- roles/baseconfig/files/update-motd.d/10-uname | 3 +++ roles/baseconfig/tasks/main.yml | 12 ++++++++++-- 3 files changed, 14 insertions(+), 4 deletions(-) create mode 100755 roles/baseconfig/files/update-motd.d/10-uname diff --git a/roles/baseconfig/files/update-motd.d/00-logo b/roles/baseconfig/files/update-motd.d/00-logo index 0a78ea0..025257f 100755 --- a/roles/baseconfig/files/update-motd.d/00-logo +++ b/roles/baseconfig/files/update-motd.d/00-logo @@ -1,6 +1,5 @@ #!/bin/sh -# /etc/update-motd.d/00-logo -# Deployed with Aurore Ansible ! +# {{ ansible_managed }} # Pretty uptime upSeconds="$(/usr/bin/cut -d. -f1 /proc/uptime)" diff --git a/roles/baseconfig/files/update-motd.d/10-uname b/roles/baseconfig/files/update-motd.d/10-uname new file mode 100755 index 0000000..4586095 --- /dev/null +++ b/roles/baseconfig/files/update-motd.d/10-uname @@ -0,0 +1,3 @@ +#!/bin/sh +# {{ ansible_managed }} +uname -snrvm diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml index 18ebf0e..9784ac1 100644 --- a/roles/baseconfig/tasks/main.yml +++ b/roles/baseconfig/tasks/main.yml 
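Review bot: `# {{ ansible_managed }}` is added to files under `roles/baseconfig/files/`, but the task in the next hunk deploys them with `copy`, which does not render Jinja, so `/etc/update-motd.d/00-logo` and `10-uname` will carry the literal text `{{ ansible_managed }}` rather than the managed banner. Either switch that task to `template:` (moving the files to `templates/` with a `.j2` suffix, as the re2o-service role does later on this page) or drop the placeholder. As committed, the header is less informative than the `# /etc/update-motd.d/00-logo` line it replaces.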
@@ -23,9 +23,17 @@ # Pimp my server - name: Customize motd copy: - src: update-motd.d/00-logo - dest: /etc/update-motd.d/00-logo + src: "update-motd.d/{{ item }}" + dest: "/etc/update-motd.d/{{ item }}" mode: 0755 + loop: + - 00-logo + - 10-uname + +- name: Remove Debian warranty motd + file: + path: /etc/motd + state: absent # Configure APT mirrors on Debian Stretch - name: Configure APT mirrors From aab2daf5b7b46df7efae575f67cc50759ee25244 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Fri, 3 May 2019 22:42:12 +0200 Subject: [PATCH 070/297] Fix Riot depo key --- roles/matrix-riot/tasks/main.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/matrix-riot/tasks/main.yml b/roles/matrix-riot/tasks/main.yml index e7b4068..f2b7a75 100644 --- a/roles/matrix-riot/tasks/main.yml +++ b/roles/matrix-riot/tasks/main.yml @@ -9,22 +9,22 @@ retries: 3 until: apt_result is succeeded +# Add the key +- name: Configure the apt key + apt_key: + url: https://riot.im/packages/debian/repo-key.asc + id: D7B0B66941D01538 + state: present + register: apt_key_result + retries: 3 + until: apt_key_result is succeeded + # Add the repository into source list - name: Configure riot repository apt_repository: repo: deb https://riot.im/packages/debian/ {{ ansible_distribution_release }} main state: present -# Add the key -- name: Configure the apt key - apt_key: - url: https://riot.im/packages/debian/repo-key.asc - id: E019645248E8F4A1 - state: present - register: apt_key_result - retries: 3 - until: apt_key_result is succeeded - - name: Install riot-web apt: update_cache: true From 81ca7a177d18d8688f2d68d3de41f0c4b98f3326 Mon Sep 17 00:00:00 2001 
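Review bot: `id: D7B0B66941D01538` is a 16-hex-digit long key ID; `apt_key` accepts the full 40-hex-character fingerprint in `id`, which is the stronger check when the key is fetched over `url`, so prefer the fingerprint taken from the vendor's published key. Moving the key task ahead of `apt_repository` is the right fix for the ordering problem; a comment such as `# Key must be present before the repository is added or apt update fails` would record why the order matters. The unchanged `repo:` line embeds `{{ ansible_distribution_release }}` unquoted mid-string, which only works because the expression does not start the value.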
From: Alexandre Iooss Date: Fri, 3 May 2019 22:42:55 +0200 Subject: [PATCH 071/297] Initial DHCP re2o service --- dhcp.yml | 8 +++++++ roles/re2o-service/defaults/main.yml | 3 +++ roles/re2o-service/tasks/main.yml | 24 +++++++++++++++++++ roles/re2o-service/tasks/service_user.yml | 19 +++++++++++++++ .../templates/update-motd.d/05-service.j2 | 3 +++ .../update-motd.d/06-service-user.j2 | 3 +++ 6 files changed, 60 insertions(+) create mode 100644 dhcp.yml create mode 100644 roles/re2o-service/defaults/main.yml create mode 100644 roles/re2o-service/tasks/main.yml create mode 100644 roles/re2o-service/tasks/service_user.yml create mode 100755 roles/re2o-service/templates/update-motd.d/05-service.j2 create mode 100755 roles/re2o-service/templates/update-motd.d/06-service-user.j2 diff --git a/dhcp.yml b/dhcp.yml new file mode 100644 index 0000000..4c2ef3e --- /dev/null +++ b/dhcp.yml @@ -0,0 +1,8 @@ +--- +# Deploy DHCP +- hosts: dhcp-pacaterie.adm.auro.re + vars: + service_repo: https://gitlab.federez.net/re2o/dhcp.git + service_name: dhcp + roles: + - re2o-service diff --git a/roles/re2o-service/defaults/main.yml b/roles/re2o-service/defaults/main.yml new file mode 100644 index 0000000..343c392 --- /dev/null +++ b/roles/re2o-service/defaults/main.yml @@ -0,0 +1,3 @@ +--- +service_user: re2o-services +service_homedir: /var/local/re2o-services diff --git a/roles/re2o-service/tasks/main.yml b/roles/re2o-service/tasks/main.yml new file mode 100644 index 0000000..7333883 --- /dev/null +++ b/roles/re2o-service/tasks/main.yml 
@@ -0,0 +1,24 @@ +--- +# Create service user +- include_tasks: service_user.yml + +- name: "Clone re2o {{ service_name }} project" + git: + repo: "{{ service_repo }}" + dest: "{{ service_homedir }}/{{ service_name }}" + version: master + become: true + become_user: "{{ service_user }}" + +- name: Indicate in motd service location + template: + src: update-motd.d/05-service.j2 + dest: "/etc/update-motd.d/05-re2o-{{ service_name }}" + mode: 0755 + +- name: Indicate in motd service user + template: + src: update-motd.d/06-service-user.j2 + dest: "/etc/update-motd.d/06-service-user" + mode: 0755 + diff --git a/roles/re2o-service/tasks/service_user.yml b/roles/re2o-service/tasks/service_user.yml new file mode 100644 index 0000000..0818676 --- /dev/null +++ b/roles/re2o-service/tasks/service_user.yml @@ -0,0 +1,19 @@ +--- +# Having a custom group is useless so use nogroup +- name: "Create {{ service_user }} user" + user: + name: "{{ service_user }}" + group: nogroup + home: "{{ service_homedir }}" + system: true + shell: /bin/false + state: present + +# Only service user should be able to go there +- name: "Secure {{ service_user }} home directory" + file: + path: "{{ service_homedir }}" + state: directory + owner: "{{ service_user }}" + group: nogroup + mode: 0700 diff --git a/roles/re2o-service/templates/update-motd.d/05-service.j2 b/roles/re2o-service/templates/update-motd.d/05-service.j2 new file mode 100755 index 0000000..a7b8468 --- /dev/null +++ b/roles/re2o-service/templates/update-motd.d/05-service.j2 @@ -0,0 +1,3 @@ +#!/bin/sh +# {{ ansible_managed }} +echo "✨ Le service re2o {{ service_name }} est dans {{ service_homedir }}/{{ service_name }}." diff --git a/roles/re2o-service/templates/update-motd.d/06-service-user.j2 b/roles/re2o-service/templates/update-motd.d/06-service-user.j2 new file mode 100755 index 0000000..5def259 --- /dev/null +++ b/roles/re2o-service/templates/update-motd.d/06-service-user.j2 
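Review bot: `version: master` checks out whatever the upstream branch head is at run time, so each run may deploy different code for a service that will hand out network configuration; pin a tag or commit SHA (the `git` module's `version` accepts either) and bump it deliberately, or at minimum make it a role variable with a comment explaining the choice. The clone runs as `{{ service_user }}` into a `0700` home, which is good. `dest: "/etc/update-motd.d/06-service-user"` is fixed while its sibling uses `{{ service_name }}` — presumably intended because the user is shared across re2o services, but a comment would make that explicit.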
@@ -0,0 +1,3 @@ +#!/bin/sh +# {{ ansible_managed }} +echo " Pour y accéder, vous devez impersonifier {{ service_user }}." From 41eb131e69f7c71d658ef6cc39d3e5022edfbbaa Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Fri, 3 May 2019 22:50:48 +0200 Subject: [PATCH 072/297] Fix true values being yes --- proxmox.yml | 2 +- roles/matrix-appservice-discord/tasks/main.yml | 2 +- roles/matrix-appservice-irc/tasks/main.yml | 5 +++-- roles/matrix-appservice-webhooks/tasks/main.yml | 2 +- roles/re2o-service/tasks/main.yml | 1 - 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/proxmox.yml b/proxmox.yml index f2cf5c2..3354147 100644 --- a/proxmox.yml +++ b/proxmox.yml @@ -33,7 +33,7 @@ vars_prompt: - name: "password" prompt: "Enter LDAP password for your user" - private: yes + private: true roles: - proxmox-vm diff --git a/roles/matrix-appservice-discord/tasks/main.yml b/roles/matrix-appservice-discord/tasks/main.yml index 0a04b8c..01fc45b 100644 --- a/roles/matrix-appservice-discord/tasks/main.yml +++ b/roles/matrix-appservice-discord/tasks/main.yml @@ -58,7 +58,7 @@ owner: matrix-synapse group: nogroup mode: 0600 - remote_src: yes + remote_src: true # Run - name: "Ensure that {{ service_name }} is started" diff --git a/roles/matrix-appservice-irc/tasks/main.yml b/roles/matrix-appservice-irc/tasks/main.yml index 5c455d7..36d931c 100644 --- a/roles/matrix-appservice-irc/tasks/main.yml +++ b/roles/matrix-appservice-irc/tasks/main.yml @@ -39,7 +39,8 @@ mode: 0644 # TODO generate registration -# node app.js -r -f irc-registration.yaml -u "http://localhost:9999" -c config.yaml -l ircbot +# node app.js -r -f irc-registration.yaml \ +# -u "http://localhost:9999" -c config.yaml -l ircbot - name: Copy appservice registration file copy: @@ -48,7 +49,7 @@ owner: matrix-synapse group: nogroup mode: 0600 - remote_src: yes + remote_src: true # Run - name: "Ensure that {{ service_name }} is started" 
diff --git a/roles/matrix-appservice-webhooks/tasks/main.yml b/roles/matrix-appservice-webhooks/tasks/main.yml index 75ec367..0afa419 100644 --- a/roles/matrix-appservice-webhooks/tasks/main.yml +++ b/roles/matrix-appservice-webhooks/tasks/main.yml @@ -47,7 +47,7 @@ owner: matrix-synapse group: nogroup mode: 0600 - remote_src: yes + remote_src: true # Run - name: "Ensure that {{ service_name }} is started" diff --git a/roles/re2o-service/tasks/main.yml b/roles/re2o-service/tasks/main.yml index 7333883..5653856 100644 --- a/roles/re2o-service/tasks/main.yml +++ b/roles/re2o-service/tasks/main.yml @@ -21,4 +21,3 @@ src: update-motd.d/06-service-user.j2 dest: "/etc/update-motd.d/06-service-user" mode: 0755 - From 5939d434fd8b48084e7fb60a0a537beae22c4598 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 4 May 2019 10:54:51 +0200 Subject: [PATCH 073/297] Beginning of isc-dhcp-server config --- dhcp.yml | 3 ++ roles/isc-dhcp-server/tasks/main.yml | 21 ++++++++++++ .../templates/dhcp/dhcpd.conf.j2 | 33 +++++++++++++++++++ 3 files changed, 57 insertions(+) create mode 100644 roles/isc-dhcp-server/tasks/main.yml create mode 100644 roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 diff --git a/dhcp.yml b/dhcp.yml index 4c2ef3e..4f463c9 100644 --- a/dhcp.yml +++ b/dhcp.yml @@ -4,5 +4,8 @@ vars: service_repo: https://gitlab.federez.net/re2o/dhcp.git service_name: dhcp + dhcp: + authoritative: true roles: - re2o-service + - isc-dhcp-server diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc-dhcp-server/tasks/main.yml new file mode 100644 index 0000000..0004081 --- /dev/null +++ b/roles/isc-dhcp-server/tasks/main.yml 
@@ -0,0 +1,21 @@
+---
+- name: Install isc-dhcp-server
+ apt:
+ update_cache: true
+ name: isc-dhcp-server
+ state: present
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Configure isc-dhcp-server
+ template:
+ src: dhcp/dhcpd.conf.j2
+ dest: /etc/dhcp/dhcpd.conf
+ mode: 0600
+
+- name: Ensure that isc-dhcp-server is started
+ systemd:
+ name: isc-dhcp-server
+ state: started
+ enabled: true
diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
new file mode 100644
index 0000000..3b0da57
--- /dev/null
+++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
@@ -0,0 +1,33 @@
+# dhcpd.conf
+# {{ ansible_managed }}
+
+# option definitions common to all supported networks...
+#option domain-name "example.org";
+#option domain-name-servers ns1.example.org, ns2.example.org;
+
+# We have tagged network so use last 4 bytes for tag (1500 max)
+option interface-mtu 1496;
+
+default-lease-time 600;
+max-lease-time 7200;
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style none;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+{% if dhcp.authoritative %}
+authoritative;
+{% else %}
+#authoritative;
+{% endif %}
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+#log-facility local7;
+
+# Aurore topology
+# TODO
From 8b7d4207b86862fd63f69d24ea6917b2a9a8de07 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Sat, 4 May 2019 11:46:54 +0200
Subject: [PATCH 074/297] Autogenerate service config

---
dhcp.yml | 4 ++++ roles/re2o-service/tasks/main.yml | 19 +++++++++++++++++++ 2 files changed, 23 insertions(+)
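Review bot: The `Configure isc-dhcp-server` task writes /etc/dhcp/dhcpd.conf but has no `notify`, and the role adds no handler, so a changed template is only picked up the next time someone restarts the daemon by hand; `state: started` on the following task does not restart a running service. Adding `notify: Restart isc-dhcp-server` to the template task with a matching handler closes that gap, and `validate: dhcpd -t -cf %s` on the same task keeps a rendering mistake from replacing a working configuration with one the daemon refuses to load. In the dhcpd.conf.j2 hunk on this line, `{% if dhcp.authoritative %}` has no fallback, so a play that does not define the `dhcp` mapping fails at template time instead of taking the commented-out branch; `{% if dhcp.authoritative | default(false) %}` makes the intended default explicit.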
diff --git a/dhcp.yml b/dhcp.yml index 4f463c9..64bf0de 100644 --- a/dhcp.yml +++ b/dhcp.yml @@ -4,6 +4,10 @@ vars: service_repo: https://gitlab.federez.net/re2o/dhcp.git service_name: dhcp + service_config: + hostname: re2o-server.adm.auro.re + username: service-user + password: V28GJvhhY2OSE dhcp: authoritative: true roles: diff --git a/roles/re2o-service/tasks/main.yml b/roles/re2o-service/tasks/main.yml index 5653856..3646cdd 100644 --- a/roles/re2o-service/tasks/main.yml +++ b/roles/re2o-service/tasks/main.yml @@ -10,6 +10,25 @@ become: true become_user: "{{ service_user }}" +- name: Configure re2o {{ service_name }} project + ini_file: + path: "{{ service_homedir }}/config.ini" + section: Re2o + option: "{{ item.key }}" + value: "{{ item.value }}" + mode: 0600 + become: true + become_user: "{{ service_user }}" + loop: "{{ service_config|dict2items }}" + +- name: Link config file + file: + src: "{{ service_homedir }}/config.ini" + dest: "{{ service_homedir }}/{{ service_name }}/config.ini" + owner: "{{ service_user }}" + group: nogroup + state: link + - name: Indicate in motd service location template: src: update-motd.d/05-service.j2 From 61e99ed0b13ab5df78f59f112c0dfd67831c03c3 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 4 May 2019 12:08:48 +0200 Subject: [PATCH 075/297] Change serviceuser passwd --- dhcp.yml | 2 +- group_vars/all/vault.yml | 235 ++++++++++++++++++++------------------- 2 files changed, 121 insertions(+), 116 deletions(-) diff --git a/dhcp.yml b/dhcp.yml index 64bf0de..6c3b338 100644 --- a/dhcp.yml +++ b/dhcp.yml @@ -7,7 +7,7 @@ service_config: hostname: re2o-server.adm.auro.re username: service-user - password: V28GJvhhY2OSE + password: "{{ vault_serviceuser_passwd }}" dhcp: authoritative: true roles: diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 116e51c..55723c2 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml 
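Review bot: The `Configure re2o {{ service_name }} project` ini_file task loops over `service_config`, which the dhcp.yml hunk in the same patch populates with a `password` entry, so every run prints that credential in the per-item task result and in any log or CI capture of the play; `no_log: true` on the task keeps it out of the output. The plaintext value this patch commits to dhcp.yml is replaced with `"{{ vault_serviceuser_passwd }}"` in patch 075 on the same line, but the original string remains in the repository history and has to be treated as disclosed; the commit title "Change serviceuser passwd" suggests the credential was rotated, which is worth confirming rather than assuming. The ini_file task's `mode: 0600` is the right choice for a file carrying this secret and should be mentioned in a comment so it is not loosened later.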
@@ -1,116 +1,121 @@ $ANSIBLE_VAULT;1.1;AES256 -65623637663363313664336437353136643563306565616336366530636530316161356665336233 -3534346635396434386363386466383463666164343065310a343739663162646432303131316564 -33633833323534623039336131383262663236396465663162666566316465613832623131363430 -3930353730636363650a626132323139636130343065633933303435616163353666313233343930 -34616636633465313034666539303837373839363437393639363837613266363733366334323063 -64306335633537613831623433306532393664353662613433356531626339343664306366613636 -36393533626662353630616335396337333562303666616165613464376431646633653335623330 -39356637303630316262343638313565663335363832616463323163316665333766313338613137 -64623936616239303535636533333130333733666466643634356336633064663734383664386666 -35636637306434306166633063326265373437636532376335356365343839646438643263346361 -66343261653031636431333131303930346536346662613463393233306535646165336563633639 -35363633386366316534373936626139666665353937373638663162636638323235613434303239 -34393065346334303865613737306332356436643862373234376333313164303830353061393131 -65646438323335633838626438643834663839613630333131326664313263666238646531616334 -31326530303262366231653139613461653039306530356134336366383431326466373833633865 -65303664343035636464383462613265336535646266393339363363373131623832616562396565 -35636261393038656338306461643364363462376135376535326138356561303464346235656334 -65373432336536393464336436363031363037373039666237626666613331396630336437653837 -62373536376234333962303465633065376431353832313661643864353938643062303464666364 -36393239643166623764643939626336643564316364343732303232626265303238353031363636 -34366639643834393666346161306630383131633236366337316231633666336662393364383061 -36346331636662616333323739663736303663323566323864626135386363313231363864313432 -31633437376437633630343837393537613037623537356531306435663739346137376639333666 
-66633366316338333365376466376334623133653132323064343764303363346663616438656633 -31636132663239343032616330373735373962633662616237643131383932303531623132376263 -63366665343834326639386465643465623330323832656237386335633938636164313963626635 -38636562343463383233393938353932303932333265303162366533643166306636326366373233 -66373839623631616162613439663565333633353864323833653335653834343461363063613432 -34633864633232303566613235336563616136353031653634333432346566633139396332386165 -63333264366539356636636537366630623034363563373436646639316461653861666334316662 -34393931363533363436323966656435353266373839616466333034643335343838333063323032 -35303261636133663738643939666631623139383638363261643961306138353563393439313635 -61653436653135343866353538336263363735393038383862316639356462383535663633393461 -30316362306363326235633235343837316661646630613962376464313932336462313435643134 -39373765656462323935363732653365663737643665353039323362613461356362373262316163 -62343334343536376461613633343037653733326164636636316631353830663362383766653538 -38333535343865666131646264323138363036333066316532623438313363303537326131633865 -34626166346665326461656132396237393736313132336263316161343336386431356433393931 -61356636346539613264366465616439356531336166633930633130333361653566333538356436 -38653561386365333262623932616136343836383532383764333537306130326562386662623631 -32313464323234663131613364353631313639306464353162393766303839383030333831656534 -32636362656234336134656235666335656138643330383033313435663035383835666236333564 -66386539333833323165386136336661363033353461336164623734633061386461313935663531 -39326230383233316131616362376133313137656431373463373232356363363964323038356233 -63316132313032333438643664663762333064646337363033366262313433623364623739366131 -32363031656539303261373431666566363266396663373665346639653066303966396266316631 -31363331336464393063373662663065353131303438663433383238663966316264356134633636 
-62363433333737366162386265363766623438646337633137653436626130613566626236633837 -65623563363537663261373932326131376236656534616330663131643264333930386331623438 -31376263393662643938633862396665353363613539363039633966313161616338353666653130 -63663761373165363463323831336239616562646432346630393764633362643434626564653433 -39383634376238613833326131373438323937383138656531346435633562396437623163646566 -34643237383331376630333862613164343465373266613338633931636662626364613964613639 -32316365396639313635306261616439386162613366636362633763626135313462326662363834 -34636261353935343436316263623530393362343164373737356539663066336232303530643131 -33303136363431363232636238396233333236663933396639643233376562396234376639356564 -66346338386562646431373232356363303035366365383661356132643963376134323935386333 -39363162343938353135383530646662613139616639393230343363653661306431383633393035 -66303832306465373632343530333737393432623366353639616434346532653337346361363339 -35643937656337316566313534343762393338353830356266386165633262393964386635636430 -32346630383639623433623930323832643132613565376135363161663966646433343335323863 -35376631313864313362346637383932663633346565626231316533356561313637326336373931 -32336461313036356166613166303066303230383166303463373533346130336663386535376635 -37383239356139646335643662636234313666623062633163373931363761326130313537653665 -39393561626165323431386537656665326334373735346562326666623865303432623966366539 -39386431633363323735356230653465633433353937343566653331323334613032333831656432 -31336165633532383066663465306535643637306536646362306235366364643536663134643465 -66383965656133663161393138313963383436373630633761613839383136393865323438333833 -39366166663834633737316666303661653132336563343334373333386261353030343562346536 -31333662663834366466373834646430393964613866336162393162313135373335303533326265 -36373766653865313566643030326633363136323639366238366634626632333836323764363235 
-31316531626335333932643164323066303233343233303063316532313236303639323432366463 -64386537666162636134303161366266383639396134333165663231623965386137343662333861 -36343331346361663331646161323331656164363737386336393136343532626661303965333763 -31663731646462356338363664303937316138666337313036643836626631343430363234326430 -39626363633962633138306135636238373230613030323238353264633239383933333666643866 -38656135613035616366346431323934396237623237656561313739616163366138393437333439 -37313732323934636236316533393064316433643232653338633665376565633933623861666335 -61636363613539376337383835623834383164336163393465623861653336313934373539613933 -66306435396163336233363934653263353662396534636537613062393462643932326561313364 -64353232653731636639303938626435656535333935353865386238333464313333646132643039 -33326336643863393835643738323739636139366635343366663335623432333564663661613962 -38336133636532343431353430333466656638316563613764656438316532393234663235396434 -35346133396263653364393038613936373835396430663861333036353639326636616362333030 -65663832353061336665376432353436626332333931303666636464666564336437313434646333 -65303533653832386236633239306263343064393935616238616435346634333063623765336366 -34373161303536666132626531663162633636393436363062613539613337353232363934303735 -34353830616137383237373465313034383663336234303361343432613064663662363438666164 -30636464616262383234396364306638386433643539303066376135633466336135343565383662 -39303166646330393931343066323662633233353637373464626263666337613139393961653761 -64303231353535656438363363393735363066363738316163373331353334313438363564633535 -63323539383637353935653334383637613433353166333630383366616661613366346233666466 -38643332326639633335626365653736646163653063306362356430323031383137366564376165 -66303963323761653364363564653637653032613739396130646166363539363463666130626631 -34613165303261323133303336613837383862663362343533343839313362323334303238633238 
-31306664343032383365393035346331646636663663623263643863636233356235323332656339 -39356636386134396561323865363536613764633861323238336531326331616239386530663464 -33336131653936636434636563653538616536316335643636376134343131613665636532326566 -39363436336638393963343637393133613831636364653363613737316636626133333238646362 -36313264353335666461353135376435346161376138623639663337626337376236346230333330 -62353563343335656632393938363363363936643765383063363935383266353037353562363833 -64633661353564333064616264653130646133303662373630396638373833333763306638653661 -34393430353236303465636335383733656162343139613765663732353837313365323466386664 -35323464626663333866376138396132333039313962356439303838373835653837643364363339 -62303062663931646232643234666132363239373035633262623135633531636330373065333435 -36393163393638613663353133666632353639653064353139363134383764666530623834326531 -32653931316539666539656565313462396535346439393534313139393735633437333935396466 -35316165363839396562613130623964626531373337343166656630666638363039376162396336 -30373730353231663534316333336538366661363332316531653334383635356133393266666232 -35366337653131376131396232323332623063626135333630346564343663326532616263333262 -66613436396337353636643866353562366231333933353465306461376138333564656562646261 -66303263356565656431353064343361396131323134323234316230363761373362663234633735 -35663365376264343763333731393363336231366534393933333536356437653837303832646339 -66376262616634376438613864323665356539376139396130376661613930393131363465313063 -333664323830636666653933303034333630 +38643063333866653931396630643166643964356265363939356638346266333030356538336533 +6364383530613232326566646335663632323937306364300a636337353338333138326534626139 +66386265383261643538353765663965623035663962663061613534623931376434623237383736 +3065323934373065380a633738363137326239333362656266396537623838356663663231353535 
+65636633356433636666383133303233643736636134343365313461363866383361623830663831 +61633662626437376537613737363032626638666236313331623631656338306666656537313637 +30303464373331336264356166373531393662363861313034626161633539373134626330363565 +36383735363664386231356261613839396630373831646533393933636638343765633731306464 +30393139626530393165613865396464366165363335333337383064623664646461393462313234 +36343763306334646666376236663136626238326466383731613865316566356462353662313238 +32353166313665316536396233376666653936643439373664303762303832343833616439376164 +35373634316264376639323563643633623466653238656464613938303332663030356138303339 +33636339323339636362643562643238313131343234326438643464333333313130646366343931 +66393735383034346235636337383566336634633331396331666437643738626362663935653933 +66363234363138633362663433653033636666323464376334303864343935333466326432343339 +31393333383033663064343230653434376538343861323639343135353837373438613935323262 +63643164663966346134623861663033626238623331626534613134363166353263366534383232 +33613665333434356264353230623038663232336363646332376533663365316235393436303631 +62623330343132333861663063383733623064303962333833656435376262353063373737623134 +35306361373465393036383764353735303333376130373736303239616462393638653261356366 +66613030653330663763303833656130616639643530623439646133623565626639353762613739 +38613235643034316131666364633535356638653364386635376464356530393637383434616162 +32353937313132626437313338386236663638653830306262333061313064316365336233373264 +64643230613333623037663365306365356334303737623264626635643762616231316133316631 +37633361373737376134623630313834383033663335336338663936326133343233643963656237 +31666339366339333234326233613533636566643639333063306530663239373634636131646534 +66646566393935653533656365346663376532656336373563333535313830633764646434376332 +33616338336362323563393935623938313330386566316531653162653234643633316236396536 
+34396166346230346637303635653233626264383061303766343737356131616331363161646330 +30666236643232386539333333363332396238643635656536303130646433323664383262643465 +30323139643335336438643864366239386166393965386137396364633230306666376366626632 +31353762316637626566333830326539663562396531383436303336323261653638663337323833 +39313363306338346435343835386230306465623137633836323662663938653334353936313830 +37366534383265323466656565633831393766353637316464626362643362383639373634633961 +61323032396530636433346463643837643463653565323735653062343164333538376266323930 +62303138333035323233663765306335633037376664626439666365333565303566613834383861 +33623339313962643530313538366362306466633037643532626631393733333338653633383566 +34366466336535663138633464376138386165356665396661633265386562366333356163633563 +63383735663936346339373836373765383536343337656133346132363465373538646134313639 +65623934353365613334623532373334653530353563396338323136623333656235613762376531 +61613562643733323933363263373239663031666364313430353061666530656135666262333462 +38343032343263336237653161383334313664666637663164343935656161353539356162653031 +32656362393732646235366232313937616130323030613934323563363736383331373032303061 +36656231663365643865346634663638306437396562653661303162333361636633383034363136 +65663233623230356265656232373963636263353939303531383235666535316533666439306162 +37646564363566366536323766353935333535306338316437636165316233383231656535626565 +34336633316464323665393365313963636138336661386332313830383039396461383664393833 +61623630626265303861623363663435323164386466316338306331363438643765313234613763 +63333335383033306336663835333536343832613438636331646532373962643434303266336666 +64346662353133313931316631666363353439323935356165336637353366386639616233653630 +64393662326266343366353365303263396436313563646230363963343461343535633437613866 +36313739656335383763366636373330393764333963396237633463663062616130653261363465 
+36303965306266366435333663333037633738623431653339323733623765646265613963313235 +63346136303630643563346431306438376535376537396438613463646233333131616261386436 +61643265323636316563363765366534313638656566303339303431396433393663653735373132 +34646432663135623137316532663065303339626633613231353061616261323861663165366136 +39626466393161363166306237323633366130333930653665313937306461363263386637366435 +37666363633463343636656465323939306363646431643130613935633935346132623161613231 +32303362383036306431303036636265636436303066303662633035313332396666643932393364 +31633631653264636539316138666237366630333039393366306233356639323639326333326430 +61393837343863616339336566363339366163363837393238613961373864353564313335326561 +39336236636538373133643063393933636166306361373631323465633638353130343466336534 +35303031666462336635653438633136653461313731336362303438343132303666396634383635 +36656266653365303566326332623963396431623465616161396332633833356565623931626632 +62346132353064333232336162393366623365323635373238643561343236653435363166393166 +32376537383031646333366664346138333531613463386135616364646161363132633065336435 +61653861633737373162346339396130333735393266396661316637306161393536353163623138 +63306362386364363333373633343264653966313763323433366634646264643963626636396637 +38636435326564366536366138373437383962653737383764303066383162383262306661396539 +64366662616166653539623462323538366365396133313639383139636435633638646166373236 +61383262366438383764313262323938363263386334316663363630323133626634616466636363 +33326130326363383739363132393739353735393135316437393036653830333439623265393436 +33373333323564623137313037633165393235366462353932623834333133373932343235623834 +34393137373035663462343063663265646636633334356533646161376534656265646163316533 +37383938373234373861353635616138346639653866353136353166383764393966653738376265 +63366530626562613836393839343536643362613936643339373633313732353663343932386564 
+61616166313366313133613866376637306461636362376437663165616436616136626132383461 +30653666393833333933336561663233373131656437313633373964323934313633623235323061 +66363332646630363436386631636137366237356539633663376263656535343438613437316432 +63636436396363323034393262383936623166326462373961616262363438646161353462353334 +66616131343636366161643037613561346661383133383332633661393031343936396333633061 +34626138366632336665383438303033326435326466383634316531303565646365616531663730 +61633137306532643862643963636564626163323331303861316463666639383031663031383866 +62623064616430666366636666373361663638366639623862613930303263336561613566626665 +39313036643233643937623739343731663739343461656134383833643364313238303938373363 +36396134306530303739353636636137303038633635373438306330376536316565356361343766 +61336136653434316262373131663062636161326264663738373363656538303666646266373035 +36366337663661643934363136383266323734613835393837363363376365633237663562373664 +61643865613861666362353539656637316537363963633064383137313536353037336639613262 +33313333643065366534386630633064343638663531636431613539333534656435343163666132 +30306132653836613133393633383432623833633635363535386164353235333861356138336339 +62656535386437393462323261393662376635386131633463653565363038343366626637336430 +33643932653462353231663962316639336263396230616461643538363063363139396364383231 +64333837326662313639386135393133613237613036653837303231333865373131356134656636 +30353139343363373134303933343039656665323833633339663964346132356535313632343563 +36383366636438376362326638653838613830333836636539323734383337393662316234373435 +33616537653333626637613865666461636361373565336536316462383861326132346563313435 +38613366653764303965376335646234316138353964386361356436393064363037636365383639 +35633834636464653464626231323639323361663961366230383336346331386430663133323632 +34343462356461396164666131633433643236623261316139643735336434623234306638326235 
+63366234303662633962633232336165313265633232373265643264636238363537383837623963 +31333863326539616434613233343361316334353062653364353335383961613065323930303939 +36313730363335626165626233373265333337363931316462646230643436323764656231663361 +33613363643838323830653561383334313539336234386534646461643931366664623235636136 +35653239616135633962613965306361316464643438653163323339373138336266343935656663 +62393765633337616639306666636633623665346330626163353164376234346164633830366561 +62396138306564343735356538656337393565316336633064333935353135656135633263663466 +63383135323338313334366563633038356262333964353864386662393236666165316461613430 +37366463653662643334303261323530396138383662656431376561356665346639643039383864 +38356537643133633436316231633437653532356333653239303434323339636563646334386662 +65366536323536353537376436646534633061396232376333616532643934376332313635356232 +35303236393635666333663039316234643831353136353061333139366432363531303630626334 +33616334643636336232356562343631376634386633343530336539373137353766643166393231 +35623237663433613835653261363761336238303934616165643364303839333932616562396139 +64343962353162366231303131643965616164623334396637373535373063633763373636306162 +31316231396663313930633936623164336137666466303733393939373937373633323534393438 +65656366653165636363383061653163303564306137626365326633393066376463303765663535 +30323163633231376531323832333938396335636164613962343533326664386132616636663033 +35663837383131613461653433643664366439343531393665333631346162623362626631646433 +61613339303032323261 From 8dc40ecb1e59accb3c0fe704179b50bef41a5ef5 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 4 May 2019 18:43:20 +0200 Subject: [PATCH 076/297] Specify git branch --- dhcp.yml | 1 + roles/re2o-service/tasks/main.yml | 2 +- roles/re2o-service/tasks/service_user.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/dhcp.yml b/dhcp.yml index 6c3b338..8434f06 100644 --- a/dhcp.yml 
+++ b/dhcp.yml @@ -4,6 +4,7 @@ vars: service_repo: https://gitlab.federez.net/re2o/dhcp.git service_name: dhcp + service_version: master service_config: hostname: re2o-server.adm.auro.re username: service-user diff --git a/roles/re2o-service/tasks/main.yml b/roles/re2o-service/tasks/main.yml index 3646cdd..3028ce8 100644 --- a/roles/re2o-service/tasks/main.yml +++ b/roles/re2o-service/tasks/main.yml @@ -6,7 +6,7 @@ git: repo: "{{ service_repo }}" dest: "{{ service_homedir }}/{{ service_name }}" - version: master + version: "{{ service_version }}" become: true become_user: "{{ service_user }}" diff --git a/roles/re2o-service/tasks/service_user.yml b/roles/re2o-service/tasks/service_user.yml index 0818676..389b72e 100644 --- a/roles/re2o-service/tasks/service_user.yml +++ b/roles/re2o-service/tasks/service_user.yml @@ -16,4 +16,4 @@ state: directory owner: "{{ service_user }}" group: nogroup - mode: 0700 + mode: 0755 From d5a7ce8bb49958b7a4f003ed842a8b75f7467803 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 4 May 2019 18:43:58 +0200 Subject: [PATCH 077/297] Add a radius at pacaterie --- hosts | 1 + proxmox.yml | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/hosts b/hosts index db1abc6..ebf3386 100644 --- a/hosts +++ b/hosts @@ -45,6 +45,7 @@ ldap-replica-pacaterie.adm.auro.re dhcp-pacaterie.adm.auro.re dns-pacaterie.adm.auro.re prometheus-pacaterie.adm.auro.re +radius-pacaterie.adm.auro.re [edc-pve] leodagan.adm.auro.re diff --git a/proxmox.yml b/proxmox.yml index 3354147..47edd29 100644 --- a/proxmox.yml +++ b/proxmox.yml @@ -29,6 +29,12 @@ memory: 1024 # M disksize: 16 # G installiso: debian-buster-DI-rc1-amd64-netinst.iso + - name: radius-pacaterie + virtu: mordred + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-buster-DI-rc1-amd64-netinst.iso vars_prompt: - name: "password" From 681c79b2f5bc6b349e1d150391472785123935b4 Mon Sep 17 00:00:00 2001 
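Review bot: The service_user.yml hunk widens `mode` on `{{ service_homedir }}` from `0700` to `0755`, which lets every local account traverse and list the directory holding the cloned service checkout and `config.ini`, while the task name "Secure {{ service_user }} home directory" and the comment "Only service user should be able to go there" (both outside the hunk) still promise the opposite, and the commit title "Specify git branch" does not mention the permission change. `config.ini` itself keeps `0600` from the ini_file task, so the secret is not exposed by this change alone; what becomes visible is the tree layout and the checked-out code. If other accounts genuinely need access, say who and why where the mode is set, e.g. `# 0755: checkout must be readable by <which accounts> — config.ini stays 0600`, and update the comment above the task; otherwise `0750` with a group for the readers is a narrower option than world access.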
From: Alexandre Iooss
Date: Sat, 4 May 2019 18:56:27 +0200
Subject: [PATCH 078/297] DNS playbook

---
dns.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+)
create mode 100644 dns.yml
diff --git a/dns.yml b/dns.yml
new file mode 100644
index 0000000..601993a
--- /dev/null
+++ b/dns.yml
@@ -0,0 +1,13 @@
+---
+# Deploy DNS
+- hosts: serge.adm.auro.re
+ vars:
+ service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
+ service_name: dns
+ service_version: crans
+ service_config:
+ hostname: re2o-server.adm.auro.re
+ username: service-user
+ password: "{{ vault_serviceuser_passwd }}"
+ roles:
+ - re2o-service
From c1c995e38d118747be700693b741ac803093d007 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Sun, 5 May 2019 14:07:04 +0200
Subject: [PATCH 079/297] Prometheus role

---
monitoring.yml | 22 +++++++ .../prometheus-alertmanager/handlers/main.yml | 5 ++ roles/prometheus-alertmanager/tasks/main.yml | 14 +++++ .../templates/prometheus/alertmanager.yml.j2 | 58 +++++++++++++++++++ roles/prometheus-node/tasks/main.yml | 8 +++ roles/prometheus/handlers/main.yml | 5 ++ roles/prometheus/tasks/main.yml | 26 +++++++++ .../templates/prometheus/alert.rules.yml.j2 | 25 ++++++++ .../templates/prometheus/prometheus.yml.j2 | 32 ++++++++++ 9 files changed, 195 insertions(+)
create mode 100644 monitoring.yml
create mode 100644 roles/prometheus-alertmanager/handlers/main.yml
create mode 100644 roles/prometheus-alertmanager/tasks/main.yml
create mode 100644 roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2
create mode 100644 roles/prometheus-node/tasks/main.yml
create mode 100644 roles/prometheus/handlers/main.yml
create mode 100644 roles/prometheus/tasks/main.yml
create mode 100644 roles/prometheus/templates/prometheus/alert.rules.yml.j2
create mode 100644 roles/prometheus/templates/prometheus/prometheus.yml.j2
diff --git a/monitoring.yml b/monitoring.yml
new file mode 100644
index 0000000..f148c9c
--- /dev/null
+++ b/monitoring.yml
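Review bot: dns.yml repeats the `service_config` mapping (`hostname`, `username`, `password`) verbatim from dhcp.yml, so the re2o API endpoint and the credential reference are now maintained in two playbooks that have to be kept in step by hand. Moving those three keys into a shared vars file and leaving only `service_repo`, `service_name` and `service_version` per play would remove the duplication; if the two services are meant to use distinct API accounts later, a one-line comment saying so would pre-empt the question.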
@@ -0,0 +1,22 @@
+---
+# Deploy Prometheus
+- hosts: prometheus-pacaterie.adm.auro.re
+ vars:
+ # Prometheus targets.json
+ prometheus_targets:
+ - labels:
+ job: node
+ targets: # TODO {{ ansible_play_batch }}
+ - prometheus-pacaterie.adm.auro.re:9100
+ - labels:
+ job: prometheus
+ targets:
+ - localhost:9090
+ roles:
+ - prometheus
+ - prometheus-alertmanager
+
+# Monitor all hosts
+- hosts: all
+ roles:
+ - prometheus-node
diff --git a/roles/prometheus-alertmanager/handlers/main.yml b/roles/prometheus-alertmanager/handlers/main.yml
new file mode 100644
index 0000000..3ddbf93
--- /dev/null
+++ b/roles/prometheus-alertmanager/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart Prometheus Alertmanager
+ service:
+ name: prometheus-alertmanager
+ state: restarted
diff --git a/roles/prometheus-alertmanager/tasks/main.yml b/roles/prometheus-alertmanager/tasks/main.yml
new file mode 100644
index 0000000..b65a295
--- /dev/null
+++ b/roles/prometheus-alertmanager/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Install Prometheus Alertmanager
+ apt:
+ update_cache: true
+ name: prometheus-alertmanager
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Configure Prometheus Alertmanager
+ template:
+ src: prometheus/alertmanager.yml.j2
+ dest: /etc/prometheus/alertmanager.yml
+ notify: Restart Prometheus Alertmanager
diff --git a/roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2 b/roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2
new file mode 100644
index 0000000..209e4d1
--- /dev/null
+++ b/roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2
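Review bot: The second play in monitoring.yml installs prometheus-node-exporter on `all` hosts, while `prometheus_targets` in the first play lists only `prometheus-pacaterie.adm.auro.re:9100`, so every other host ends up running an exporter that nothing scrapes; the `# TODO {{ ansible_play_batch }}` comment acknowledges this but leaves the gap open. The exporter presumably binds its default port on every interface (confirm for the packaged version in use), so an unscraped exporter is exposure with no monitoring benefit: either build the target list from the inventory in the first play, or have the prometheus-node role restrict the listen address or firewall the port to the scraping host. In the prometheus-alertmanager tasks hunk on this line, the template task sets no `owner`/`group`/`mode` on /etc/prometheus/alertmanager.yml; the template's commented `smtp_auth_password` shows a credential may land in that file later, so fixing `mode: 0640` with the group the daemon runs as now avoids a silently world-readable secret then.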
@@ -0,0 +1,58 @@
+# {{ ansible_managed }}
+
+global:
+ # The smarthost and SMTP sender used for mail notifications.
+ smtp_smarthost: 'proxy.auro.re:25'
+ smtp_from: 'prometheus@auro.re'
+ #smtp_auth_username: 'alertmanager'
+ #smtp_auth_password: 'password'
+ smtp_require_tls: false
+
+# The directory from which notification templates are read.
+templates:
+- '/etc/prometheus/alertmanager_templates/*.tmpl'
+
+# The root route on which each incoming alert enters.
+route:
+ # The labels by which incoming alerts are grouped together. For example,
+ # multiple alerts coming in for cluster=A and alertname=LatencyHigh would
+ # be batched into a single group.
+ group_by: ['alertname', 'cluster', 'service']
+
+ # When a new group of alerts is created by an incoming alert, wait at
+ # least 'group_wait' to send the initial notification.
+ # This way ensures that you get multiple alerts for the same group that start
+ # firing shortly after another are batched together on the first
+ # notification.
+ group_wait: 30s
+
+ # When the first notification was sent, wait 'group_interval' to send a batch
+ # of new alerts that started firing for that group.
+ group_interval: 5m
+
+ # If an alert has successfully been sent, wait 'repeat_interval' to
+ # resend them.
+ repeat_interval: 3h
+
+ # A default receiver
+ receiver: team-monitoring-mails
+
+
+# Inhibition rules allow to mute a set of alerts given that another alert is
+# firing.
+# We use this to mute any warning-level notifications if the same alert is
+# already critical.
+inhibit_rules:
+- source_match:
+ severity: 'critical'
+ target_match:
+ severity: 'warning'
+ # Apply inhibition if the alertname is the same.
+ equal: ['alertname', 'cluster', 'service']
+
+
+receivers:
+- name: 'team-monitoring-mails'
+ email_configs:
+ - to: 'monitoring.aurore@lists.crans.org'
+
diff --git a/roles/prometheus-node/tasks/main.yml b/roles/prometheus-node/tasks/main.yml
new file mode 100644
index 0000000..15c12b3
--- /dev/null
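Review bot: `smtp_require_tls: false` in the `global` block turns off Alertmanager's STARTTLS requirement towards `proxy.auro.re:25`, so alert mails (hostnames, job names, alert text) travel in clear; if that relay supports STARTTLS the line should be `smtp_require_tls: true`, and if it does not, a comment next to it should record why plaintext to this particular host is acceptable. The commented `#smtp_auth_username` / `#smtp_auth_password: 'password'` lines are the upstream sample placeholders and should be deleted rather than shipped, because the next person to enable them will write a real secret into a Jinja template in git instead of a vault variable. `group_by` and `equal` also list `cluster` and `service`, labels that none of the rules or target labels added in this patch set, so `['alertname']` would express what actually happens.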
+++ b/roles/prometheus-node/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Install Prometheus node-exporter
+ apt:
+ update_cache: true
+ name: prometheus-node-exporter
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
diff --git a/roles/prometheus/handlers/main.yml b/roles/prometheus/handlers/main.yml
new file mode 100644
index 0000000..4214def
--- /dev/null
+++ b/roles/prometheus/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart Prometheus
+ service:
+ name: prometheus
+ state: restarted
diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml
new file mode 100644
index 0000000..3f70542
--- /dev/null
+++ b/roles/prometheus/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- name: Install Prometheus
+ apt:
+ update_cache: true
+ name: prometheus
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Configure Prometheus
+ template:
+ src: prometheus/prometheus.yml.j2
+ dest: /etc/prometheus/prometheus.yml
+ notify: Restart Prometheus
+
+- name: Configure Prometheus alert rules
+ template:
+ src: prometheus/alert.rules.yml.j2
+ dest: /etc/prometheus/alert.rules.yml
+ notify: Restart Prometheus
+
+# We don't need to restart Prometheus when updating nodes
+- name: Configure Prometheus nodes
+ copy:
+ content: "{{ prometheus_targets | to_nice_json }}"
+ dest: /etc/prometheus/targets.json
diff --git a/roles/prometheus/templates/prometheus/alert.rules.yml.j2 b/roles/prometheus/templates/prometheus/alert.rules.yml.j2
new file mode 100644
index 0000000..9e603a4
--- /dev/null
+++ b/roles/prometheus/templates/prometheus/alert.rules.yml.j2
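Review bot: Both `template` tasks in roles/prometheus/tasks/main.yml notify `Restart Prometheus`, so every rule edit produces a full restart and a scrape gap, whereas Prometheus re-reads both its config and its rule files on SIGHUP; if the Debian unit exposes that as `ExecReload` (presumably it does — confirm on the target), a `Reload Prometheus` handler with `state: reloaded` is the cheaper default and keeps `restarted` for the cases that really need it. The `# We don't need to restart Prometheus when updating nodes` comment on the `copy` task is accurate for `file_sd_configs` and worth keeping.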
@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+{# As this is also Jinja2 it will conflict without a raw block #}
+{% raw %}
+groups:
+- name: example
+ rules:
+
+ # Alert for any instance that is unreachable for >5 minutes.
+ - alert: InstanceDown
+ expr: up == 0
+ for: 5m
+ labels:
+ severity: page
+ annotations:
+ summary: "Instance {{ $labels.instance }} down"
+ description: "{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes."
+
+ # Alert for any instance that has a median request latency >1s.
+ - alert: APIHighRequestLatency
+ expr: api_http_request_latencies_second{quantile="0.5"} > 1
+ for: 10m
+ annotations:
+ summary: "High request latency on {{ $labels.instance }}"
+ description: "{{ $labels.instance }} has a median request latency above 1s (current value: {{ $value }}s)"
+{% endraw %}
diff --git a/roles/prometheus/templates/prometheus/prometheus.yml.j2 b/roles/prometheus/templates/prometheus/prometheus.yml.j2
new file mode 100644
index 0000000..76573fa
--- /dev/null
+++ b/roles/prometheus/templates/prometheus/prometheus.yml.j2
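Review bot: The `severity: page` label on `InstanceDown` does not match the Alertmanager inhibit rule added in the same patch, which keys on `severity: 'critical'` / `'warning'`, so the inhibition can never apply; pick one vocabulary, e.g. `severity: critical`, and use it in both files. `APIHighRequestLatency` queries `api_http_request_latencies_second`, the metric from the upstream documentation example, which none of the `node` / `prometheus` jobs configured in monitoring.yml expose, so the rule can never fire and should be dropped or replaced by a node-exporter based one; `- name: example` is the same sample leftover. The `{% raw %}` guard around the Go-template `{{ $labels.* }}` references is correct and the comment explaining it is useful.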
@@ -0,0 +1,32 @@ +# {{ ansible_managed }} + +global: + # scrape_interval is set to the global default (60s) + # evaluation_interval is set to the global default (60s) + # scrape_timeout is set to the global default (10s). + + # Attach these labels to any time series or alerts when communicating with + # external systems (federation, remote storage, Alertmanager). + external_labels: + monitor: 'example' + +# Alertmanager configuration +alerting: + alertmanagers: + - static_configs: + - targets: ['localhost:9093'] + +# Load rules once and periodically evaluate them according to the global 'evaluation_interval'. +rule_files: + - "alert.rules.yml" + +# A scrape configuration containing exactly one endpoint to scrape: +# Here it's Prometheus itself. +scrape_configs: + - job_name: dummy + # This reload dynamically the list of targets + # You don't need to restart Prometheus when updating targets.json + file_sd_configs: + - files: + - '/etc/prometheus/targets.json' + From 95f24b69afae92dc7b657a9657034601b16cd30d Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 5 May 2019 14:26:38 +0200 Subject: [PATCH 080/297] Monitor all pacaterie --- monitoring.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/monitoring.yml b/monitoring.yml index f148c9c..2010d53 100644 --- a/monitoring.yml +++ b/monitoring.yml @@ -6,8 +6,13 @@ prometheus_targets: - labels: job: node - targets: # TODO {{ ansible_play_batch }} + targets: + - mordred.adm.auro.re:9100 + - ldap-replica-pacaterie.adm.auro.re:9100 + - dhcp-pacaterie.adm.auro.re:9100 + - dns-pacaterie.adm.auro.re:9100 - prometheus-pacaterie.adm.auro.re:9100 + - radius-pacaterie.adm.auro.re:9100 - labels: job: prometheus targets: @@ -17,6 +22,6 @@ - prometheus-alertmanager # Monitor all hosts -- hosts: all +- hosts: pacaterie roles: - prometheus-node From c53d62712f2145eac814cf053f2c5186d2f158e1 Mon Sep 17 00:00:00 2001 
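Review bot: `external_labels: monitor: 'example'` is the placeholder from the upstream sample config; it is attached to every series and alert this server sends to Alertmanager or to any future federation peer, so give it a meaningful value (site or cluster name) or drop the key. The Alertmanager is addressed as `localhost:9093`, but nothing in either role binds Alertmanager or Prometheus to localhost or to the adm address; if the Debian defaults listen on all interfaces (presumably — confirm), their unauthenticated HTTP endpoints are reachable from every network the host sits on, which the later node-exporter `--web.listen-address` change in this series does not cover, so the same restriction should be applied to both daemons. The `file_sd_configs` comment about targets.json being reloaded without a restart is accurate.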
From: Alexandre Iooss Date: Sun, 5 May 2019 16:17:52 +0200 Subject: [PATCH 081/297] Make prometheus node exporter listen only on adm --- roles/prometheus-node/handlers/main.yml | 5 +++++ roles/prometheus-node/tasks/main.yml | 7 +++++++ 2 files changed, 12 insertions(+) create mode 100644 roles/prometheus-node/handlers/main.yml diff --git a/roles/prometheus-node/handlers/main.yml b/roles/prometheus-node/handlers/main.yml new file mode 100644 index 0000000..b4b64a4 --- /dev/null +++ b/roles/prometheus-node/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart prometheus-node-exporter + service: + name: prometheus-node-exporter + state: restarted diff --git a/roles/prometheus-node/tasks/main.yml b/roles/prometheus-node/tasks/main.yml index 15c12b3..92149b7 100644 --- a/roles/prometheus-node/tasks/main.yml +++ b/roles/prometheus-node/tasks/main.yml @@ -6,3 +6,10 @@ register: apt_result retries: 3 until: apt_result is succeeded + +- name: Make Prometheus node-exporter listen on adm only + lineinfile: + path: /etc/default/prometheus-node-exporter + regexp: '^ARGS=' + line: "ARGS=\"--web.listen-address={{ ansible_fqdn }}:9100\"" + notify: Restart prometheus-node-exporter From b6573e68ae4facef6171fc8193ce54ab4be6c760 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 5 May 2019 16:24:04 +0200 Subject: [PATCH 082/297] Exclude Stretch from node config --- roles/prometheus-node/tasks/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/prometheus-node/tasks/main.yml b/roles/prometheus-node/tasks/main.yml index 92149b7..994166e 100644 --- a/roles/prometheus-node/tasks/main.yml +++ b/roles/prometheus-node/tasks/main.yml @@ -7,7 +7,10 @@ retries: 3 until: apt_result is succeeded +# Doesn't work on Debian Stretch - name: Make Prometheus node-exporter listen on adm only + when: + - ansible_distribution_release != 'stretch' lineinfile: path: /etc/default/prometheus-node-exporter regexp: '^ARGS=' 
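Review bot: The `line:` in `Make Prometheus node-exporter listen on adm only` uses `{{ ansible_fqdn }}` as the bind address, so the task only does what its name says if that FQDN resolves, on the host itself, to the adm interface address; if it resolves elsewhere (for instance to a loopback entry in /etc/hosts) the exporter binds to that address instead and the scrape from prometheus-pacaterie fails without any task error. Binding to the adm interface's IPv4 fact, or to a `prometheus_node_listen_address` role variable defaulting to it, would make the intent explicit and checkable. The follow-up hunk that adds `when: ansible_distribution_release != 'stretch'` leaves stretch hosts' exporters on all interfaces; the `# Doesn't work on Debian Stretch` comment should say what fails there and that port 9100 stays exposed on those hosts, so the gap is visible when someone adds firewall rules later.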
From 3a6a891aad7ce40df420e752af1cbdef3c4b9263 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Tue, 7 May 2019 18:51:22 +0200 Subject: [PATCH 083/297] Add unifi-pacaterie --- hosts | 1 + proxmox.yml | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/hosts b/hosts index ebf3386..738e0a4 100644 --- a/hosts +++ b/hosts @@ -46,6 +46,7 @@ dhcp-pacaterie.adm.auro.re dns-pacaterie.adm.auro.re prometheus-pacaterie.adm.auro.re radius-pacaterie.adm.auro.re +unifi-pacaterie.adm.auro.re [edc-pve] leodagan.adm.auro.re diff --git a/proxmox.yml b/proxmox.yml index 47edd29..2adece7 100644 --- a/proxmox.yml +++ b/proxmox.yml @@ -35,6 +35,12 @@ memory: 1024 # M disksize: 16 # G installiso: debian-buster-DI-rc1-amd64-netinst.iso + - name: unifi-pacaterie + virtu: mordred + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-9.9.0-amd64-netinst.iso vars_prompt: - name: "password" From 72a60a988b263eb70be8602e61d81d92a1799540 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Tue, 7 May 2019 18:52:07 +0200 Subject: [PATCH 084/297] Unifi playbook --- roles/unifi-controller/tasks/main.yml | 41 +++++++++++++++++++++++++++ unifi.yml | 5 ++++ 2 files changed, 46 insertions(+) create mode 100644 roles/unifi-controller/tasks/main.yml create mode 100644 unifi.yml diff --git a/roles/unifi-controller/tasks/main.yml b/roles/unifi-controller/tasks/main.yml new file mode 100644 index 0000000..0ff14dd --- /dev/null +++ b/roles/unifi-controller/tasks/main.yml 
@@ -0,0 +1,41 @@ +--- +# Install HTTPS support for APT +- name: Install apt-transport-https + apt: + update_cache: true + name: + - apt-transport-https + - gpg + - dirmngr + state: present + register: apt_result + retries: 3 + until: apt_result is succeeded + +# Add the key +- name: Configure the apt key + apt_key: + keyserver: keyserver.ubuntu.com + id: 06E85760C0A52C50 + state: present + register: apt_key_result + retries: 3 + until: apt_key_result is succeeded + loop: + +# Add the repository into source list +- name: Configure unifi repository + apt_repository: + repo: "{{ item }}" + state: present + loop: + - deb http://www.ui.com/downloads/unifi/debian stable ubiquiti + +- name: Install unifi + apt: + update_cache: true + name: unifi + state: present + register: apt_result + retries: 3 + until: apt_result is succeeded diff --git a/unifi.yml b/unifi.yml new file mode 100644 index 0000000..3eb9c7d --- /dev/null +++ b/unifi.yml @@ -0,0 +1,5 @@ +--- +# Deploy Unifi Controller +- hosts: unifi-pacaterie.adm.auro.re + roles: + - unifi-controller From 81b24357ca2533449db9d88464f1e80017666c04 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Thu, 23 May 2019 07:00:27 +0200 Subject: [PATCH 085/297] Add passbolt and vpn-ovh --- hosts | 4 +++- proxmox.yml | 13 +++++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/hosts b/hosts index 738e0a4..52c050e 100644 --- a/hosts +++ b/hosts @@ -6,7 +6,7 @@ # > Then we regroup everything in global geographic and type groups. [ovh-pve] -horus ansible_host=10.128.0.1 +horus.adm.auro.re [ovh-container] riot.adm.auro.re @@ -25,6 +25,8 @@ re2o-server.adm.auro.re re2o-ldap.adm.auro.re re2o-db.adm.auro.re serge.adm.auro.re +passbolt.adm.auro.re +vpn-ovh.adm.auro.re [ovh-testing-vm] re2o-test.adm.auro.re diff --git a/proxmox.yml b/proxmox.yml index 2adece7..9617e0f 100644 --- a/proxmox.yml +++ b/proxmox.yml 
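Review bot: The `Configure the apt key` task ends with a bare `loop:` with no items, a leftover that is at best ignored and on some Ansible versions rejected as invalid loop data; remove the line. The key is also fetched by 16-hex-digit ID from `keyserver.ubuntu.com` and then used to trust a repository served over plain `http://www.ui.com`, so the only integrity check on the unifi package is that key lookup; the docker role added later in this series shows the stronger form, an `https` `url:` for the key plus the full 40-character fingerprint in `id:`. Putting the full Ubiquiti fingerprint from their documentation into `id:` here would make the check explicit instead of relying on a short ID match.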
@@ -41,6 +41,19 @@ memory: 1024 # M disksize: 16 # G installiso: debian-9.9.0-amd64-netinst.iso + - name: passbolt + virtu: horus + cores: 2 # 2 mimimum, 10 maximum + memory: 512 # M + disksize: 8 # G + installiso: debian-buster-DI-rc1-amd64-netinst.iso + - name: vpn-ovh + virtu: horus + cores: 2 # 2 mimimum, 10 maximum + memory: 512 # M + disksize: 8 # G + installiso: debian-9.9.0-amd64-netinst.iso + vars_prompt: - name: "password" From a986ecd36ad8e5ad2d70749829e03c8e139fcbbf Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Thu, 23 May 2019 07:28:44 +0200 Subject: [PATCH 086/297] Passbolt playbook --- passbolt.yml | 5 +++++ roles/passbolt/defaults/main.yml | 10 +++++++++ roles/passbolt/tasks/main.yml | 35 ++++++++++++++++++++++++++++++++ 3 files changed, 50 insertions(+) create mode 100644 passbolt.yml create mode 100644 roles/passbolt/defaults/main.yml create mode 100644 roles/passbolt/tasks/main.yml diff --git a/passbolt.yml b/passbolt.yml new file mode 100644 index 0000000..32f7216 --- /dev/null +++ b/passbolt.yml @@ -0,0 +1,5 @@ +--- +# Deploy Passbolt +- hosts: passbolt.adm.auro.re + roles: + - passbolt diff --git a/roles/passbolt/defaults/main.yml b/roles/passbolt/defaults/main.yml new file mode 100644 index 0000000..d499d24 --- /dev/null +++ b/roles/passbolt/defaults/main.yml @@ -0,0 +1,10 @@ +--- +# URL to clone +passbolt_repo: https://github.com/passbolt/passbolt_api.git +passbolt_version: v2.10.0 + +# Install target +passbolt_path: /var/www/passbolt + +# User used to run passbolt +passbolt_user: www-data diff --git a/roles/passbolt/tasks/main.yml b/roles/passbolt/tasks/main.yml new file mode 100644 index 0000000..e8db586 --- /dev/null +++ b/roles/passbolt/tasks/main.yml 
@@ -0,0 +1,35 @@ +--- +# See https://help.passbolt.com/hosting/install/ce/from-source.html + +- name: Clone passbolt project + git: + repo: "{{ passbolt_repo }}" + dest: "{{ passbolt_path }}" + version: "{{ passbolt_version }}" + become: true + become_user: "{{ passbolt_user }}" + +- name: Install passbolt dependencies + apt: + name: + - composer + - php-intl + - php-gnupg + - php-gd + state: present + update_cache: yes + register: apt_result + retries: 3 + until: apt_result is succeeded + +# Setup dependencies +- name: Install passbolt PHP dependencies + composer: + command: install + working_dir: "{{ passbolt_path }}" + no_dev: true + become: true + become_user: "{{ passbolt_user }}" + register: composer_result + retries: 3 + until: composer_result is succeeded From 2e0679a973eeb7eaabbb9e375a3be5c59fc41326 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 26 May 2019 12:52:41 +0200 Subject: [PATCH 087/297] [passbolt] Add some dep --- roles/passbolt/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/passbolt/tasks/main.yml b/roles/passbolt/tasks/main.yml index e8db586..6b08a12 100644 --- a/roles/passbolt/tasks/main.yml +++ b/roles/passbolt/tasks/main.yml @@ -13,9 +13,13 @@ apt: name: - composer + - php-fpm - php-intl - php-gnupg - php-gd + - php-mysql + - nginx + - mariadb-server state: present update_cache: yes register: apt_result From 1ed6228728e80a140805fb05389454f4ab61ca1c Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 26 May 2019 13:03:09 +0200 Subject: [PATCH 088/297] Simplify help message on server login --- roles/re2o-service/tasks/main.yml | 6 ------ roles/re2o-service/templates/update-motd.d/05-service.j2 | 2 +- .../re2o-service/templates/update-motd.d/06-service-user.j2 | 3 --- 3 files changed, 1 insertion(+), 10 deletions(-) delete mode 100755 roles/re2o-service/templates/update-motd.d/06-service-user.j2 
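Review bot: `Clone passbolt project` and `Install passbolt PHP dependencies` run as `{{ passbolt_user }}`, which defaults to `www-data` in the same patch, so the whole checkout under `/var/www/passbolt` including vendor/ ends up writable by the PHP-FPM worker user and an application bug then lets the web process modify its own code. Clone and run composer as a dedicated non-web user (or root) and give `www-data` read access plus write access only to the directories passbolt documents as runtime-writable. Nothing in this hunk creates `{{ passbolt_path }}` or its parent with the right ownership before the `git` task, so the first run presumably fails unless `/var/www` is already writable by that user — confirm. `update_cache: yes` should be `update_cache: true` to match the rest of the repository and yamllint's truthy rule.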
diff --git a/roles/re2o-service/tasks/main.yml b/roles/re2o-service/tasks/main.yml index 3028ce8..332c371 100644 --- a/roles/re2o-service/tasks/main.yml +++ b/roles/re2o-service/tasks/main.yml @@ -34,9 +34,3 @@ src: update-motd.d/05-service.j2 dest: "/etc/update-motd.d/05-re2o-{{ service_name }}" mode: 0755 - -- name: Indicate in motd service user - template: - src: update-motd.d/06-service-user.j2 - dest: "/etc/update-motd.d/06-service-user" - mode: 0755 diff --git a/roles/re2o-service/templates/update-motd.d/05-service.j2 b/roles/re2o-service/templates/update-motd.d/05-service.j2 index a7b8468..4ed8a74 100755 --- a/roles/re2o-service/templates/update-motd.d/05-service.j2 +++ b/roles/re2o-service/templates/update-motd.d/05-service.j2 @@ -1,3 +1,3 @@ #!/bin/sh # {{ ansible_managed }} -echo "✨ Le service re2o {{ service_name }} est dans {{ service_homedir }}/{{ service_name }}." +echo "✨ Le service re2o {{ service_name }} est dans {{ service_homedir }}/{{ service_name }}" diff --git a/roles/re2o-service/templates/update-motd.d/06-service-user.j2 b/roles/re2o-service/templates/update-motd.d/06-service-user.j2 deleted file mode 100755 index 5def259..0000000 --- a/roles/re2o-service/templates/update-motd.d/06-service-user.j2 +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -# {{ ansible_managed }} -echo " Pour y accéder, vous devez impersonifier {{ service_user }}." From 9018c69da36cdd8b713e32431315c09bfc032240 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 22 Jul 2019 09:12:55 +0200 Subject: [PATCH 089/297] Fix matrix v1 --- roles/matrix-synapse/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml index 91b66c8..f6f2a45 100644 --- a/roles/matrix-synapse/tasks/main.yml +++ b/roles/matrix-synapse/tasks/main.yml 
@@ -2,7 +2,7 @@ - name: Install matrix-synapse apt: update_cache: true - name: matrix-synapse + name: matrix-synapse-py3 state: present default_release: stretch-backports register: apt_result @@ -28,6 +28,6 @@ - name: Install rest auth provider copy: src: rest_auth_provider.py - dest: /usr/local/lib/python3.5/dist-packages/rest_auth_provider.py + dest: /opt/venvs/matrix-synapse/lib/python3.5/site-packages/rest_auth_provider.py mode: 0755 notify: Restart matrix-synapse service From 66d870ce3623b71fc97e95a8f989ee11ba8d4995 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 22 Jul 2019 10:32:01 +0200 Subject: [PATCH 090/297] Add docker role --- hosts | 1 + roles/docker/tasks/main.yml | 45 +++++++++++++++++++++++++++++++++++++ services_web.yml | 5 +++++ 3 files changed, 51 insertions(+) create mode 100644 roles/docker/tasks/main.yml create mode 100644 services_web.yml diff --git a/hosts b/hosts index 52c050e..4c21064 100644 --- a/hosts +++ b/hosts @@ -27,6 +27,7 @@ re2o-db.adm.auro.re serge.adm.auro.re passbolt.adm.auro.re vpn-ovh.adm.auro.re +docker-ovh.adm.auro.re [ovh-testing-vm] re2o-test.adm.auro.re diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml new file mode 100644 index 0000000..3de3d97 --- /dev/null +++ b/roles/docker/tasks/main.yml 
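Review bot: `dest: /opt/venvs/matrix-synapse/lib/python3.5/site-packages/rest_auth_provider.py` copies a hand-managed module into the Debian package's private virtualenv, where the next `matrix-synapse-py3` upgrade or a Python minor bump that moves the `python3.5` directory can silently drop or shadow it; since this module is the authentication provider, the task deserves a comment saying so, a variable for the venv path, and a follow-up check that the file is still present after package upgrades. `mode: 0755` is more than a Python module needs; `mode: 0644` avoids a root-owned executable inside the venv.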
@@ -0,0 +1,45 @@
+---
+# Install HTTPS support for APT
+- name: Install apt-transport-https
+ apt:
+ update_cache: true
+ name:
+ - apt-transport-https
+ - ca-certificates
+ - curl
+ - gnupg2
+ - software-properties-common
+ state: present
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+# Add the key
+- name: Configure the apt key
+ apt_key:
+ url: https://download.docker.com/linux/debian/gpg
+ id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+ state: present
+ register: apt_key_result
+ retries: 3
+ until: apt_key_result is succeeded
+
+# Add the repository into source list
+- name: Configure unifi repository
+ apt_repository:
+ repo: "{{ item }}"
+ state: present
+ loop:
+ - deb https://download.docker.com/linux/debian buster stable
+
+- name: Install docker
+ apt:
+ update_cache: true
+ name:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ state: present
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
diff --git a/services_web.yml b/services_web.yml
new file mode 100644
index 0000000..024a3c4
--- /dev/null
+++ b/services_web.yml
@@ -0,0 +1,5 @@
+---
+# Deploy Docker hosts
+- hosts: docker-ovh.adm.auro.re
+ roles:
+ - docker
From 9a3565016668229ec940b748ee0b4c2b1f82a9dd Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Mon, 22 Jul 2019 10:32:34 +0200
Subject: [PATCH 091/297] Move Riot web to docker
---
 matrix.yml | 5 --
 roles/matrix-riot/handlers/main.yml | 6 --
 roles/matrix-riot/tasks/main.yml | 75 -----------------------
 roles/matrix-riot/templates/nginx/riot.j2 | 20 ------
 4 files changed, 106 deletions(-)
 delete mode 100644 roles/matrix-riot/handlers/main.yml
 delete mode 100644 roles/matrix-riot/tasks/main.yml
 delete mode 100644 roles/matrix-riot/templates/nginx/riot.j2
diff --git a/matrix.yml b/matrix.yml
index 32af6fe..11e63e8 100644
--- a/matrix.yml
+++ b/matrix.yml
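Review bot: `- name: Configure unifi repository` is copied from the unifi role and mislabels the Docker repository task; rename it to `- name: Configure docker repository`. The repo line hard-codes `buster` while the VMs in this inventory are provisioned from both buster and stretch ISOs (see the proxmox.yml hunks earlier in the series), so on a stretch host this pulls buster builds onto the wrong release; `deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable`, as the removed riot role did, keeps the suite matched to the host. The key fetch over `https` with the full fingerprint in `id:` is the right pattern.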
@@ -13,11 +13,6 @@ - matrix-appservice-irc - matrix-appservice-webhooks -# Install Matrix Riot on corresponding containers -- hosts: riot.adm.auro.re - roles: - - matrix-riot - # Install Matrix services - hosts: matrix-services.adm.auro.re roles: diff --git a/roles/matrix-riot/handlers/main.yml b/roles/matrix-riot/handlers/main.yml deleted file mode 100644 index 4307d64..0000000 --- a/roles/matrix-riot/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# Reload the NGINX service -- name: Reload NGINX service - service: - name: nginx - state: reloaded diff --git a/roles/matrix-riot/tasks/main.yml b/roles/matrix-riot/tasks/main.yml deleted file mode 100644 index f2b7a75..0000000 --- a/roles/matrix-riot/tasks/main.yml +++ /dev/null 
@@ -1,75 +0,0 @@ ---- -# Install HTTPS support for APT -- name: Install apt-transport-https - apt: - update_cache: true - name: apt-transport-https - state: present - register: apt_result - retries: 3 - until: apt_result is succeeded - -# Add the key -- name: Configure the apt key - apt_key: - url: https://riot.im/packages/debian/repo-key.asc - id: D7B0B66941D01538 - state: present - register: apt_key_result - retries: 3 - until: apt_key_result is succeeded - -# Add the repository into source list -- name: Configure riot repository - apt_repository: - repo: deb https://riot.im/packages/debian/ {{ ansible_distribution_release }} main - state: present - -- name: Install riot-web - apt: - update_cache: true - name: riot-web - state: present - register: apt_result - retries: 3 - until: apt_result is succeeded - -- name: Configure riot-web - lineinfile: - path: /opt/Riot/resources/webapp/config.json - regexp: '^\s*\"{{ item[0] }}' - line: " \"{{ item[0] }}\": \"{{ item[1] }}\"," - loop: - - ['default_hs_url', 'https://auro.re'] - - ['default_is_url', 'https://auro.re'] - - ['brand', 'Riot Aurore'] - -- name: Install nginx - apt: - name: nginx - state: present - register: apt_result - retries: 3 - until: apt_result is succeeded - -- name: Configure nginx - template: - src: nginx/riot.j2 - dest: /etc/nginx/sites-available/riot - mode: 0644 - notify: Reload NGINX service - -# Desactive useless nginx sites -- name: Deactivate the default NGINX site - file: - path: /etc/nginx/sites-enabled/default - state: absent - notify: Reload NGINX service - -# Activate sites -- name: Activate sites - file: - src: /etc/nginx/sites-available/riot - dest: /etc/nginx/sites-enabled/riot - state: link - notify: Reload NGINX service diff --git a/roles/matrix-riot/templates/nginx/riot.j2 b/roles/matrix-riot/templates/nginx/riot.j2 deleted file mode 100644 index c5d128c..0000000 --- a/roles/matrix-riot/templates/nginx/riot.j2 +++ /dev/null 
@@ -1,20 +0,0 @@ -# {{ ansible_managed }} - -server { - listen 80; - listen [::]:80; - - root /opt/Riot/resources/webapp/; - index index.html; - - access_log /var/log/nginx/riot-access.log; - error_log /var/log/nginx/riot-errors.log; - - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Frame-Options "SAMEORIGIN" always; - - location / { - try_files $uri $uri/ =404; - } -} From a45ca1a8909c6fab5018efb195a7fe1b51e6f60a Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 22 Jul 2019 19:14:43 +0200 Subject: [PATCH 092/297] Move CodiMD to Docker --- group_vars/all/vars.yml | 2 - hosts | 2 - nginx-reverse-proxy.yml | 34 ----------- passbolt.yml | 5 -- roles/codimd/defaults/main.yml | 15 ----- roles/codimd/handlers/main.yml | 9 --- roles/codimd/tasks/0_apt_dependencies.yml | 34 ----------- roles/codimd/tasks/main.yml | 60 ------------------- roles/codimd/tasks/service_user.yml | 19 ------ roles/codimd/templates/apt/nodejs.j2 | 5 -- roles/codimd/templates/config.json.j2 | 39 ------------ roles/codimd/templates/sequelizerc.j2 | 8 --- .../templates/systemd/codimd.service.j2 | 18 ------ services_web.yml | 42 +++++++++++++ 14 files changed, 42 insertions(+), 250 deletions(-) delete mode 100644 nginx-reverse-proxy.yml delete mode 100644 passbolt.yml delete mode 100644 roles/codimd/defaults/main.yml delete mode 100644 roles/codimd/handlers/main.yml delete mode 100644 roles/codimd/tasks/0_apt_dependencies.yml delete mode 100644 roles/codimd/tasks/main.yml delete mode 100644 roles/codimd/tasks/service_user.yml delete mode 100644 roles/codimd/templates/apt/nodejs.j2 delete mode 100644 roles/codimd/templates/config.json.j2 delete mode 100644 roles/codimd/templates/sequelizerc.j2 delete mode 100644 roles/codimd/templates/systemd/codimd.service.j2 diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 45601b8..d466fcd 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml 
@@ -10,8 +10,6 @@ ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}" ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}" ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}" ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}" -ldap_codimd_bind_dn: "cn=codimd,ou=service-users,{{ ldap_base }}" -ldap_codimd_password: "{{ vault_ldap_codimd_password }}" ldap_matrix_bind_dn: "cn=matrix,ou=service-users,{{ ldap_base }}" ldap_matrix_password: "{{ vault_ldap_matrix_password }}" ldap_replica_password: "{{ vault_ldap_replica_password }}" diff --git a/hosts b/hosts index 4c21064..55337e4 100644 --- a/hosts +++ b/hosts @@ -9,9 +9,7 @@ horus.adm.auro.re [ovh-container] -riot.adm.auro.re synapse.adm.auro.re -codimd.adm.auro.re services-bdd.adm.auro.re phabricator.adm.auro.re wiki.adm.auro.re diff --git a/nginx-reverse-proxy.yml b/nginx-reverse-proxy.yml deleted file mode 100644 index 426e66b..0000000 --- a/nginx-reverse-proxy.yml +++ /dev/null @@ -1,34 +0,0 @@ ---- -# Install NGINX with reverse proxy conf -- hosts: proxy.adm.auro.re - vars: - reversed_proxy_subdomains: - - name: re2o - from: re2o.auro.re - to: re2o-server.adm.auro.re - - name: intranet - from: intranet.auro.re - to: re2o-server.adm.auro.re - - name: pad - from: pad.auro.re - to: pad.adm.auro.re:9001 - - name: phabricator - from: phabricator.auro.re - to: phabricator.adm.auro.re - - name: wiki - from: wiki.auro.re - to: wiki.adm.auro.re - - name: www - from: www.auro.re - to: www.adm.auro.re - - name: re2o-test - from: re2o-test.auro.re - to: re2o-test.adm.auro.re - - name: riot - from: riot.auro.re - to: riot.adm.auro.re - - name: codimd - from: codimd.auro.re - to: codimd.adm.auro.re:8080 - roles: - - nginx-reverse-proxy diff --git a/passbolt.yml b/passbolt.yml deleted file mode 100644 index 32f7216..0000000 --- a/passbolt.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# Deploy Passbolt -- hosts: passbolt.adm.auro.re - roles: - - passbolt 
diff --git a/roles/codimd/defaults/main.yml b/roles/codimd/defaults/main.yml deleted file mode 100644 index b90bf62..0000000 --- a/roles/codimd/defaults/main.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -# service_name is the name of the project on GitHub -service_name: codimd - -# URL to clone -service_repo: https://github.com/hackmdio/codimd.git - -# name of the service user -# It means that you will have to `sudo -u THISUSER zsh` to debug -service_user: "{{ service_name }}" -service_homedir: "/var/local/{{ service_name }}" - -# service_path is where the project is cloned -# It can't be the home directory because of user hidden files. -service_path: "{{ service_homedir }}/{{ service_name }}" diff --git a/roles/codimd/handlers/main.yml b/roles/codimd/handlers/main.yml deleted file mode 100644 index 76f5f7b..0000000 --- a/roles/codimd/handlers/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -# Build front-end bundle -# This can take very long and requires > 2GB of RAM -- name: Build front-end for CodiMD - command: yarn run build - args: - chdir: /var/local/codimd/codimd - become: true - become_user: codimd diff --git a/roles/codimd/tasks/0_apt_dependencies.yml b/roles/codimd/tasks/0_apt_dependencies.yml deleted file mode 100644 index c698390..0000000 --- a/roles/codimd/tasks/0_apt_dependencies.yml +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -# For HTTPS apt -- name: Install HTTPS apt - apt: - update_cache: true - name: apt-transport-https - state: present - register: apt_result - retries: 3 - until: apt_result is succeeded - -- name: Configure the apt key - apt_key: - url: https://dl.yarnpkg.com/debian/pubkey.gpg - id: 1646B01B86E50310 - state: present - register: apt_key_result - retries: 3 - until: apt_key_result is succeeded - -- name: Configure Yarn repository - apt_repository: - repo: deb https://dl.yarnpkg.com/debian/ stable main - state: present - -# Install CodiMD dependencies -- name: Install required packages - apt: - update_cache: true - name: yarn - state: present - register: apt_result - retries: 3 - until: apt_result is succeeded diff --git a/roles/codimd/tasks/main.yml b/roles/codimd/tasks/main.yml deleted file mode 100644 index 54bb712..0000000 --- a/roles/codimd/tasks/main.yml +++ /dev/null 
@@ -1,60 +0,0 @@ ---- -# Install APT dependencies -- include_tasks: 0_apt_dependencies.yml - -# Create service user -- include_tasks: service_user.yml - -- name: "Clone {{ service_name }} project" - git: - repo: "{{ service_repo }}" - dest: "{{ service_path }}" - version: 1.3.0 - become: true - become_user: "{{ service_user }}" - notify: Build front-end for CodiMD - -# Setup dependencies -- name: "Install {{ service_name }} dependencies" - yarn: - path: "{{ service_path }}" - production: true - become: true - become_user: "{{ service_user }}" - register: yarn_result - retries: 3 - until: yarn_result is succeeded - -# Connection to database -- name: Connect CodiMD to PostgreSQL db - template: - src: sequelizerc.j2 - dest: "{{ service_path }}/.sequelizerc" - owner: "{{ service_user }}" - group: nogroup - mode: 0600 - -- name: "Configure {{ service_name }}" - template: - src: config.json.j2 - dest: "{{ service_path }}/config.json" - owner: "{{ service_user }}" - group: nogroup - mode: 0600 - -# Service file -- name: "Install {{ service_name }} systemd unit" - template: - src: systemd/codimd.service.j2 - dest: "/etc/systemd/system/{{ service_name }}.service" - owner: root - group: root - mode: 0644 - -# Run -- name: "Ensure that {{ service_name }} is started" - systemd: - name: "{{ service_name }}" - state: started - enabled: true - daemon_reload: true diff --git a/roles/codimd/tasks/service_user.yml b/roles/codimd/tasks/service_user.yml deleted file mode 100644 index 0818676..0000000 --- a/roles/codimd/tasks/service_user.yml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -# Having a custom group is useless so use nogroup -- name: "Create {{ service_user }} user" - user: - name: "{{ service_user }}" - group: nogroup - home: "{{ service_homedir }}" - system: true - shell: /bin/false - state: present - -# Only service user should be able to go there -- name: "Secure {{ service_user }} home directory" - file: - path: "{{ service_homedir }}" - state: directory - owner: "{{ service_user }}" - group: nogroup - mode: 0700 diff --git a/roles/codimd/templates/apt/nodejs.j2 b/roles/codimd/templates/apt/nodejs.j2 deleted file mode 100644 index 65e5110..0000000 --- a/roles/codimd/templates/apt/nodejs.j2 +++ /dev/null @@ -1,5 +0,0 @@ -# {{ ansible_managed }} - -Package: node* libuv1* -Pin: release a=stretch-backports -Pin-Priority: 600 diff --git a/roles/codimd/templates/config.json.j2 b/roles/codimd/templates/config.json.j2 deleted file mode 100644 index fc02978..0000000 --- a/roles/codimd/templates/config.json.j2 +++ /dev/null @@ -1,39 +0,0 @@ -{ - "production": { - "domain": "codimd.auro.re", - "debug": false, - "port": 8080, - "useSSL": false, - "protocolUseSSL": true, - "useCDN": false, - "csp": { - "enable": true, - "directives": { - }, - "upgradeInsecureRequests": "auto", - "addDefaults": true - }, - "db": { - "username": "codimd", - "password": "{{ postgresql_codimd_passwd }}", - "database": "codimd", - "host": "{{ postgresql_services_url }}", - "port": "5432", - "dialect": "postgres" - }, - "email": false, - "ldap": { - "url": "{{ ldap_master_uri }}", - "bindDn": "{{ ldap_codimd_bind_dn }}", - "bindCredentials": "{{ ldap_codimd_password }}", - "searchBase": "cn=Utilisateurs,dc=auro,dc=re", - "searchFilter": "(uid={% raw %}{{username}}{% endraw %})", - "searchAttributes": ["uid", "givenName", "mail"], - "usernameField": "uid", - "useridField": "uid", - "providerName": "Compte Aurore" - }, - "allowFreeURL": true - } -} - 
diff --git a/roles/codimd/templates/sequelizerc.j2 b/roles/codimd/templates/sequelizerc.j2 deleted file mode 100644 index e497bf6..0000000 --- a/roles/codimd/templates/sequelizerc.j2 +++ /dev/null @@ -1,8 +0,0 @@ -var path = require('path'); - -module.exports = { - 'config': path.resolve('config.json'), - 'migrations-path': path.resolve('lib', 'migrations'), - 'models-path': path.resolve('lib', 'models'), - 'url': 'postgres://codimd:{{ postgresql_codimd_passwd }}@{{ postgresql_services_url }}:5432/codimd' -} diff --git a/roles/codimd/templates/systemd/codimd.service.j2 b/roles/codimd/templates/systemd/codimd.service.j2 deleted file mode 100644 index 4b80a5b..0000000 --- a/roles/codimd/templates/systemd/codimd.service.j2 +++ /dev/null @@ -1,18 +0,0 @@ -# {{ ansible_managed }} - -[Unit] -Description=CodiMD -After=syslog.target network-online.target mysql.service postgresql.service -Conflicts=shutdown.target - -[Service] -Type=simple -User={{ service_user }} -WorkingDirectory={{ service_path }} -Environment="NODE_ENV=production" -ExecStart=/usr/bin/nodejs ./app.js -Restart=always -RestartSec=3 - -[Install] -WantedBy=multi-user.target diff --git a/services_web.yml b/services_web.yml index 024a3c4..ee9e4d1 100644 --- a/services_web.yml +++ b/services_web.yml 
@@ -3,3 +3,45 @@ - hosts: docker-ovh.adm.auro.re roles: - docker + +# Deploy Passbolt +- hosts: passbolt.adm.auro.re + roles: + - passbolt + +# Install NGINX with reverse proxy conf +- hosts: proxy.adm.auro.re + vars: + reversed_proxy_subdomains: + - name: re2o + from: re2o.auro.re + to: re2o-server.adm.auro.re + - name: intranet + from: intranet.auro.re + to: re2o-server.adm.auro.re + - name: pad + from: pad.auro.re + to: pad.adm.auro.re:9001 + - name: phabricator + from: phabricator.auro.re + to: phabricator.adm.auro.re + - name: wiki + from: wiki.auro.re + to: wiki.adm.auro.re + - name: www + from: www.auro.re + to: www.adm.auro.re + - name: re2o-test + from: re2o-test.auro.re + to: re2o-test.adm.auro.re + - name: riot + from: riot.auro.re + to: docker-ovh.adm.auro.re:8080 + - name: codimd + from: codimd.auro.re + to: docker-ovh.adm.auro.re:8081 + - name: grafana + from: grafana.auro.re + to: docker-ovh.adm.auro.re:8082 + roles: + - nginx-reverse-proxy From 4a3851acc871005ac18b039bb1fcf06de62e2605 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 22 Jul 2019 19:17:38 +0200 Subject: [PATCH 093/297] Clean up playbooks --- ansible.cfg | 13 ++++++++----- codimd.yml | 7 ------- dhcp.yml | 16 ---------------- dns.yml | 13 ------------- dokuwiki.yml | 6 ------ etherpad.yml | 7 ------- services_web.yml | 13 +++++++++++++ unifi.yml | 5 ----- 8 files changed, 21 insertions(+), 59 deletions(-) delete mode 100644 codimd.yml delete mode 100644 dhcp.yml delete mode 100644 dns.yml delete mode 100644 dokuwiki.yml delete mode 100644 etherpad.yml delete mode 100644 unifi.yml diff --git a/ansible.cfg b/ansible.cfg index 457c3d2..dc984aa 100644 --- a/ansible.cfg +++ b/ansible.cfg 
@@ -2,14 +2,14 @@ [defaults] -# Use Aurore inventory +# Do not create .retry files +retry_files_enabled = False + +# Use inventory inventory = ./hosts # Custom header in templates -ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host} - -# Do not create retry files -retry_files_enabled = False +ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S by {uid} # Do not use cows (with cowsay) nocows = 1 @@ -17,6 +17,9 @@ nocows = 1 # Do more parallelism forks = 15 +# Some SSH connection will take time +timeout = 60 + [privilege_escalation] # Use sudo to get priviledge access diff --git a/codimd.yml b/codimd.yml deleted file mode 100644 index fe9d788..0000000 --- a/codimd.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# Install CodiMD on CodiMD containers -- hosts: codimd.adm.auro.re - roles: - - debian-backports - - nodejs - - codimd diff --git a/dhcp.yml b/dhcp.yml deleted file mode 100644 index 8434f06..0000000 --- a/dhcp.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -# Deploy DHCP -- hosts: dhcp-pacaterie.adm.auro.re - vars: - service_repo: https://gitlab.federez.net/re2o/dhcp.git - service_name: dhcp - service_version: master - service_config: - hostname: re2o-server.adm.auro.re - username: service-user - password: "{{ vault_serviceuser_passwd }}" - dhcp: - authoritative: true - roles: - - re2o-service - - isc-dhcp-server diff --git a/dns.yml b/dns.yml deleted file mode 100644 index 601993a..0000000 --- a/dns.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -# Deploy DNS -- hosts: serge.adm.auro.re - vars: - service_repo: https://gitlab.crans.org/nounous/re2o-dns.git - service_name: dns - service_version: crans - service_config: - hostname: re2o-server.adm.auro.re - username: service-user - password: "{{ vault_serviceuser_passwd }}" - roles: - - re2o-service diff --git a/dokuwiki.yml b/dokuwiki.yml deleted file mode 100644 index a27d148..0000000 --- a/dokuwiki.yml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -# Install DokuWiki on the wiki TEST container -# When it will be operational, horus-wikitest will replace horus-wiki -- hosts: horus-wikitest - roles: - - dokuwiki diff --git a/etherpad.yml b/etherpad.yml deleted file mode 100644 index c60fd49..0000000 --- a/etherpad.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# Install EtherPad on EtherPad containers -- hosts: pad.adm.auro.re - roles: - - debian-backports - - nodejs - - etherpad diff --git a/services_web.yml b/services_web.yml index ee9e4d1..a8d508d 100644 --- a/services_web.yml +++ b/services_web.yml @@ -9,6 +9,19 @@ roles: - passbolt +# Install EtherPad on EtherPad containers +- hosts: pad.adm.auro.re + roles: + - debian-backports + - nodejs + - etherpad + +# Install DokuWiki on the wiki TEST container +# When it will be operational, horus-wikitest will replace horus-wiki +- hosts: horus-wikitest + roles: + - dokuwiki + # Install NGINX with reverse proxy conf - hosts: proxy.adm.auro.re vars: diff --git a/unifi.yml b/unifi.yml deleted file mode 100644 index 3eb9c7d..0000000 --- a/unifi.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# Deploy Unifi Controller -- hosts: unifi-pacaterie.adm.auro.re - roles: - - unifi-controller From e86cb23660f81c4ab6f268a037523b3a495cb26e Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 22 Jul 2019 19:17:54 +0200 Subject: [PATCH 094/297] network playbook --- network.yml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 network.yml diff --git a/network.yml b/network.yml new file mode 100644 index 0000000..c4b967f --- /dev/null +++ b/network.yml 
@@ -0,0 +1,34 @@
+---
+# Deploy DHCP
+- hosts: dhcp-pacaterie.adm.auro.re
+ vars:
+ service_repo: https://gitlab.federez.net/re2o/dhcp.git
+ service_name: dhcp
+ service_version: master
+ service_config:
+ hostname: re2o-server.adm.auro.re
+ username: service-user
+ password: "{{ vault_serviceuser_passwd }}"
+ dhcp:
+ authoritative: true
+ roles:
+ - re2o-service
+ - isc-dhcp-server
+
+# Deploy DNS
+- hosts: serge.adm.auro.re
+ vars:
+ service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
+ service_name: dns
+ service_version: crans
+ service_config:
+ hostname: re2o-server.adm.auro.re
+ username: service-user
+ password: "{{ vault_serviceuser_passwd }}"
+ roles:
+ - re2o-service
+
+# Deploy Unifi Controller
+- hosts: unifi-pacaterie.adm.auro.re
+ roles:
+ - unifi-controller
From 694501dfa3b712c4d5f6edfe0d0386bdfc2150de Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Mon, 22 Jul 2019 20:56:43 +0200
Subject: [PATCH 095/297] Merge crans monitoring
---
monitoring.yml | 17 +-- .../templates/prometheus/alertmanager.yml.j2 | 9 +- roles/prometheus-node/tasks/main.yml | 10 +- roles/prometheus/handlers/main.yml | 5 + roles/prometheus/tasks/main.yml | 30 ++++- .../templates/prometheus/alert.rules.yml.j2 | 59 ++++++++-- .../templates/prometheus/django.rules.yml.j2 | 106 ++++++++++++++++++ .../templates/prometheus/prometheus.yml.j2 | 2 +- .../templates/update-motd.d/05-service.j2 | 4 + 9 files changed, 208 insertions(+), 34 deletions(-) create mode 100644 roles/prometheus/templates/prometheus/django.rules.yml.j2 create mode 100755 roles/prometheus/templates/update-motd.d/05-service.j2
diff --git a/monitoring.yml b/monitoring.yml
index 2010d53..049d418 100644
--- a/monitoring.yml
+++ b/monitoring.yml
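Review bot: `service_version: master` in the DHCP play and `service_version: crans` in the DNS play track moving branches of the re2o service repositories, so a re-run of this playbook can deploy code that nobody reviewed in this repository; a tag or commit id would make each deployment reproducible (the codimd role deleted earlier on this page pinned `version: 1.3.0`). The `password` values come from a vault variable, which is the right place for them. How `service_version` is consumed is defined in the `re2o-service` role, which is not on this page, so whether it accepts a commit id needs confirming there.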
@@ -4,19 +4,10 @@ vars: # Prometheus targets.json prometheus_targets: - - labels: - job: node - targets: - - mordred.adm.auro.re:9100 - - ldap-replica-pacaterie.adm.auro.re:9100 - - dhcp-pacaterie.adm.auro.re:9100 - - dns-pacaterie.adm.auro.re:9100 - - prometheus-pacaterie.adm.auro.re:9100 - - radius-pacaterie.adm.auro.re:9100 - - labels: - job: prometheus - targets: - - localhost:9090 + - labels: {job: node} + targets: "{{ groups['pacaterie'] | map('replace', '.org', '.org:9100') | list | sort }}" + - labels: {job: prometheus} + targets: ['localhost:9090'] roles: - prometheus - prometheus-alertmanager diff --git a/roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2 b/roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2 index 209e4d1..85a31c0 100644 --- a/roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2 +++ b/roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2 @@ -17,22 +17,23 @@ route: # The labels by which incoming alerts are grouped together. For example, # multiple alerts coming in for cluster=A and alertname=LatencyHigh would # be batched into a single group. - group_by: ['alertname', 'cluster', 'service'] + #group_by: ['alertname', 'cluster', 'service'] + group_by: [] # do not group for text chat # When a new group of alerts is created by an incoming alert, wait at # least 'group_wait' to send the initial notification. # This way ensures that you get multiple alerts for the same group that start # firing shortly after another are batched together on the first # notification. - group_wait: 30s + group_wait: 1m # When the first notification was sent, wait 'group_interval' to send a batch # of new alerts that started firing for that group. - group_interval: 5m + group_interval: 1m # If an alert has successfully been sent, wait 'repeat_interval' to # resend them. - repeat_interval: 3h + repeat_interval: 12h # A default receiver receiver: team-monitoring-mails 
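Review bot: The new `targets` expression rewrites `.org` to `.org:9100`, but every host in the `pacaterie` group ends in `.adm.auro.re` (see the removed lines of this hunk and the inventory later on this page), so the `replace` filter matches nothing and all node targets lose their port, presumably leaving Prometheus to scrape the scheme's default port instead of node-exporter. Appending the port unconditionally avoids depending on the domain suffix: `targets: "{{ groups['pacaterie'] | map('regex_replace', '$', ':9100') | list | sort }}"`. The removed static list also covered `mordred.adm.auro.re` and `ldap-replica-pacaterie.adm.auro.re`; whether the `pacaterie` group reproduces exactly that set is worth checking against the inventory.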
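Review bot: `group_by: []` does not do what the inline comment `# do not group for text chat` says: with no grouping labels every alert shares the same empty group key, so all firing alerts are batched into one notification rather than sent individually. Alertmanager's documented way to disable grouping is the special value `group_by: ['...']`, which exists from Alertmanager 0.16 and should be confirmed against the packaged version. If a single group is actually what is wanted for the chat receiver, the comment should say so instead.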
diff --git a/roles/prometheus-node/tasks/main.yml b/roles/prometheus-node/tasks/main.yml index 994166e..96ec332 100644 --- a/roles/prometheus-node/tasks/main.yml +++ b/roles/prometheus-node/tasks/main.yml @@ -7,12 +7,18 @@ retries: 3 until: apt_result is succeeded +- name: Activate prometheus-node-exporter service + systemd: + name: prometheus-node-exporter + enabled: yes + state: started + # Doesn't work on Debian Stretch - name: Make Prometheus node-exporter listen on adm only when: - - ansible_distribution_release != 'stretch' + - ansible_lsb.codename == 'buster' lineinfile: path: /etc/default/prometheus-node-exporter regexp: '^ARGS=' - line: "ARGS=\"--web.listen-address={{ ansible_fqdn }}:9100\"" + line: "ARGS=\"--web.listen-address={{ ansible_hostname }}.adm.auro.re:9100\"" notify: Restart prometheus-node-exporter diff --git a/roles/prometheus/handlers/main.yml b/roles/prometheus/handlers/main.yml index 4214def..670847b 100644 --- a/roles/prometheus/handlers/main.yml +++ b/roles/prometheus/handlers/main.yml @@ -3,3 +3,8 @@ service: name: prometheus state: restarted + +- name: Restart prometheus-snmp-exporter + service: + name: prometheus-snmp-exporter + state: restarted diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index 3f70542..68be2f9 100644 --- a/roles/prometheus/tasks/main.yml +++ b/roles/prometheus/tasks/main.yml @@ -2,7 +2,9 @@ - name: Install Prometheus apt: update_cache: true - name: prometheus + name: + - prometheus + - prometheus-snmp-exporter register: apt_result retries: 3 until: apt_result is succeeded 
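Review bot: The new condition `ansible_lsb.codename == 'buster'` depends on the `lsb-release` package being present on the target; when it is missing, `ansible_lsb` is gathered as an empty dict and the `.codename` lookup raises an undefined-attribute error, so the task fails instead of being skipped on Stretch. `ansible_distribution_release == 'buster'`, the fact the removed line relied on, is always available and carries the same information. `enabled: yes` here, and again in the `Activate prometheus service` task of the prometheus hunk that follows, is the YAML 1.1 truthy spelling; `enabled: true` is what yamllint's `truthy` rule expects and the CI on this page runs yamllint.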
@@ -15,12 +17,34 @@ - name: Configure Prometheus alert rules template: - src: prometheus/alert.rules.yml.j2 - dest: /etc/prometheus/alert.rules.yml + src: "prometheus/{{ item }}.j2" + dest: "/etc/prometheus/{{ item }}" notify: Restart Prometheus + loop: + - alert.rules.yml + - django.rules.yml + +- name: Make Prometheus snmp-exporter listen on localhost only + lineinfile: + path: /etc/default/prometheus-snmp-exporter + regexp: '^ARGS=' + line: "ARGS=\"--web.listen-address=127.0.0.1:9116\"" + notify: Restart prometheus-snmp-exporter # We don't need to restart Prometheus when updating nodes - name: Configure Prometheus nodes copy: content: "{{ prometheus_targets | to_nice_json }}" dest: /etc/prometheus/targets.json + +- name: Activate prometheus service + systemd: + name: prometheus + enabled: yes + state: started + +- name: Indicate role in motd + template: + src: update-motd.d/05-service.j2 + dest: /etc/update-motd.d/05-prometheus + mode: 0755 diff --git a/roles/prometheus/templates/prometheus/alert.rules.yml.j2 b/roles/prometheus/templates/prometheus/alert.rules.yml.j2 index 9e603a4..0729cc7 100644 --- a/roles/prometheus/templates/prometheus/alert.rules.yml.j2 +++ b/roles/prometheus/templates/prometheus/alert.rules.yml.j2 
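Review bot: The looped `template` task writes `alert.rules.yml` and `django.rules.yml` and then restarts Prometheus with no check that the rendered files parse, so a typo in either rule file leaves the alerting pipeline down until someone reads the restart failure; adding `validate: promtool check rules %s` to the task makes the render fail and keeps the previous file in place (this assumes `promtool` is installed alongside `prometheus`, which the Debian package provides — worth confirming). `mode: 0755` on the motd task, and the same line in the unifi-controller hunk at the end of this page, is an unquoted octal that YAML 1.1 loaders read as 493 and YAML 1.2 loaders read as decimal 755; `mode: "0755"` is unambiguous on both.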
@@ -1,25 +1,62 @@ # {{ ansible_managed }} {# As this is also Jinja2 it will conflict without a raw block #} +{# Depending of Prometheus Node exporter version, rules can change depending of version #} {% raw %} groups: -- name: example +- name: alert.rules rules: - # Alert for any instance that is unreachable for >5 minutes. + # Alert for any instance that is unreachable for >3 minutes. - alert: InstanceDown expr: up == 0 + for: 3m + labels: + severity: critical + annotations: + summary: "{{ $labels.instance }} est invisible depuis plus de 3 minutes !" + + # Alert for out of memory + - alert: OutOfMemory + expr: ((node_memory_MemFree_bytes or node_memory_MemFree) + (node_memory_Cached_bytes or node_memory_Cached) + (node_memory_Buffers_bytes or node_memory_Buffers)) / (node_memory_MemTotal_bytes or node_memory_MemTotal) * 100 < 10 for: 5m labels: - severity: page + severity: warning annotations: - summary: "Instance {{ $labels.instance }} down" - description: "{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes." + summary: "Mémoire libre de {{ $labels.instance }} à {{ $value }}%." - # Alert for any instance that has a median request latency >1s. - - alert: APIHighRequestLatency - expr: api_http_request_latencies_second{quantile="0.5"} > 1 - for: 10m + # Alert for out of disk space + - alert: OutOfDiskSpace + expr: (node_filesystem_free_bytes{fstype="ext4"} or node_filesystem_free{fstype="ext4"}) / (node_filesystem_size_bytes{fstype="ext4"} or node_filesystem_size{fstype="ext4"}) * 100 < 10 + for: 5m + labels: + severity: warning annotations: - summary: "High request latency on {{ $labels.instance }}" - description: "{{ $labels.instance }} has a median request latency above 1s (current value: {{ $value }}s)" + summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.instance }} à {{ $value }}%." 
+ + # Alert for out of inode space on disk + - alert: OutOfInodes + expr: node_filesystem_files_free{fstype="ext4"} / node_filesystem_files{fstype="ext4"} * 100 < 10 + for: 5m + labels: + severity: warning + annotations: + summary: "Presque plus d'inodes disponibles ({{ $value }}% restant) dans {{ $labels.mountpoint }} sur {{ $labels.instance }}." + + # Alert for high CPU usage + - alert: CpuUsage + expr: ((100 - avg by (instance) (irate(node_cpu{mode="idle"}[5m])) * 100) or (100 - avg by (instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100)) > 75 + for: 5m + labels: + severity: warning + annotations: + summary: "CPU sur {{ $labels.instance }} à {{ $value }}%." + + # Check systemd unit (> buster) + - alert: SystemdServiceFailed + expr: node_systemd_unit_state{state="failed"} == 1 + for: 10m + labels: + severity: warning + annotations: + summary: "{{ $labels.name }} a échoué sur {{ $labels.instance }}" {% endraw %} diff --git a/roles/prometheus/templates/prometheus/django.rules.yml.j2 b/roles/prometheus/templates/prometheus/django.rules.yml.j2 new file mode 100644 index 0000000..fddd398 --- /dev/null +++ b/roles/prometheus/templates/prometheus/django.rules.yml.j2 
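Review bot: `OutOfDiskSpace` divides `node_filesystem_free_bytes`, which counts the blocks reserved for root, so the alert fires later than its 10 % threshold suggests (on a default ext4 volume, roughly when only about 5 % is still usable by non-root processes); `node_filesystem_avail_bytes` (old name `node_filesystem_avail`) is the figure that matches what services actually see. Both this rule and `OutOfInodes` are restricted to `fstype="ext4"`, so any other filesystem on these hosts is silently unmonitored — if that is deliberate it deserves a comment next to the expression. The header comment `# Depending of Prometheus Node exporter version, rules can change depending of version` would read better as `# Metric names differ between node-exporter versions; most rules OR the old and new name`.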
@@ -0,0 +1,106 @@ +# {{ ansible_managed }} +{# As this is also Jinja2 it will conflict without a raw block #} +{% raw %} +groups: +- name: django.rules + rules: + - record: job:django_http_requests_before_middlewares_total:sum_rate30s + expr: sum(rate(django_http_requests_before_middlewares_total[30s])) BY (job) + - record: job:django_http_requests_unknown_latency_total:sum_rate30s + expr: sum(rate(django_http_requests_unknown_latency_total[30s])) BY (job) + - record: job:django_http_ajax_requests_total:sum_rate30s + expr: sum(rate(django_http_ajax_requests_total[30s])) BY (job) + - record: job:django_http_responses_before_middlewares_total:sum_rate30s + expr: sum(rate(django_http_responses_before_middlewares_total[30s])) BY (job) + - record: job:django_http_requests_unknown_latency_including_middlewares_total:sum_rate30s + expr: sum(rate(django_http_requests_unknown_latency_including_middlewares_total[30s])) + BY (job) + - record: job:django_http_requests_body_total_bytes:sum_rate30s + expr: sum(rate(django_http_requests_body_total_bytes[30s])) BY (job) + - record: job:django_http_responses_streaming_total:sum_rate30s + expr: sum(rate(django_http_responses_streaming_total[30s])) BY (job) + - record: job:django_http_responses_body_total_bytes:sum_rate30s + expr: sum(rate(django_http_responses_body_total_bytes[30s])) BY (job) + - record: job:django_http_requests_total:sum_rate30s + expr: sum(rate(django_http_requests_total_by_method[30s])) BY (job) + - record: job:django_http_requests_total_by_method:sum_rate30s + expr: sum(rate(django_http_requests_total_by_method[30s])) BY (job, method) + - record: job:django_http_requests_total_by_transport:sum_rate30s + expr: sum(rate(django_http_requests_total_by_transport[30s])) BY (job, transport) + - record: job:django_http_requests_total_by_view:sum_rate30s + expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) BY (job, + view) + - record: 
job:django_http_requests_total_by_view_transport_method:sum_rate30s + expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) BY (job, + view, transport, method) + - record: job:django_http_responses_total_by_templatename:sum_rate30s + expr: sum(rate(django_http_responses_total_by_templatename[30s])) BY (job, templatename) + - record: job:django_http_responses_total_by_status:sum_rate30s + expr: sum(rate(django_http_responses_total_by_status[30s])) BY (job, status) + - record: job:django_http_responses_total_by_charset:sum_rate30s + expr: sum(rate(django_http_responses_total_by_charset[30s])) BY (job, charset) + - record: job:django_http_exceptions_total_by_type:sum_rate30s + expr: sum(rate(django_http_exceptions_total_by_type[30s])) BY (job, type) + - record: job:django_http_exceptions_total_by_view:sum_rate30s + expr: sum(rate(django_http_exceptions_total_by_view[30s])) BY (job, view) + - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s + expr: histogram_quantile(0.5, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) + BY (job, le)) + labels: + quantile: "50" + - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s + expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) + BY (job, le)) + labels: + quantile: "95" + - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s + expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) + BY (job, le)) + labels: + quantile: "99" + - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s + expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) + BY (job, le)) + labels: + quantile: "99.9" + - record: job:django_http_requests_latency_seconds:quantile_rate30s + expr: 
histogram_quantile(0.5, sum(rate(django_http_requests_latency_seconds_bucket[30s])) + BY (job, le)) + labels: + quantile: "50" + - record: job:django_http_requests_latency_seconds:quantile_rate30s + expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_seconds_bucket[30s])) + BY (job, le)) + labels: + quantile: "95" + - record: job:django_http_requests_latency_seconds:quantile_rate30s + expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_seconds_bucket[30s])) + BY (job, le)) + labels: + quantile: "99" + - record: job:django_http_requests_latency_seconds:quantile_rate30s + expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_seconds_bucket[30s])) + BY (job, le)) + labels: + quantile: "99.9" + - record: job:django_model_inserts_total:sum_rate1m + expr: sum(rate(django_model_inserts_total[1m])) BY (job, model) + - record: job:django_model_updates_total:sum_rate1m + expr: sum(rate(django_model_updates_total[1m])) BY (job, model) + - record: job:django_model_deletes_total:sum_rate1m + expr: sum(rate(django_model_deletes_total[1m])) BY (job, model) + - record: job:django_db_new_connections_total:sum_rate30s + expr: sum(rate(django_db_new_connections_total[30s])) BY (alias, vendor) + - record: job:django_db_new_connection_errors_total:sum_rate30s + expr: sum(rate(django_db_new_connection_errors_total[30s])) BY (alias, vendor) + - record: job:django_db_execute_total:sum_rate30s + expr: sum(rate(django_db_execute_total[30s])) BY (alias, vendor) + - record: job:django_db_execute_many_total:sum_rate30s + expr: sum(rate(django_db_execute_many_total[30s])) BY (alias, vendor) + - record: job:django_db_errors_total:sum_rate30s + expr: sum(rate(django_db_errors_total[30s])) BY (alias, vendor, type) + - record: job:django_migrations_applied_total:max + expr: max(django_migrations_applied_total) BY (job, connection) + - record: job:django_migrations_unapplied_total:max + expr: max(django_migrations_unapplied_total) BY (job, 
connection) +{% endraw %} diff --git a/roles/prometheus/templates/prometheus/prometheus.yml.j2 b/roles/prometheus/templates/prometheus/prometheus.yml.j2 index 76573fa..8b8fecb 100644 --- a/roles/prometheus/templates/prometheus/prometheus.yml.j2 +++ b/roles/prometheus/templates/prometheus/prometheus.yml.j2 @@ -19,6 +19,7 @@ alerting: # Load rules once and periodically evaluate them according to the global 'evaluation_interval'. rule_files: - "alert.rules.yml" + - "django.rules.yml" # A scrape configuration containing exactly one endpoint to scrape: # Here it's Prometheus itself. @@ -29,4 +30,3 @@ scrape_configs: file_sd_configs: - files: - '/etc/prometheus/targets.json' - diff --git a/roles/prometheus/templates/update-motd.d/05-service.j2 b/roles/prometheus/templates/update-motd.d/05-service.j2 new file mode 100755 index 0000000..f027dc4 --- /dev/null +++ b/roles/prometheus/templates/update-motd.d/05-service.j2 @@ -0,0 +1,4 @@ +#!/bin/sh +# {{ ansible_managed }} +echo "> prometheus a été déployé sur cette machine." +echo " Voir /etc/prometheus/" From 7f07556cfa6b523e2aa116f3fea76f43b8e8ed28 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 22 Jul 2019 20:57:16 +0200 Subject: [PATCH 096/297] Merge LDAP into base playbook --- base.yml | 11 +++++++++++ ldap.yml | 11 ----------- 2 files changed, 11 insertions(+), 11 deletions(-) delete mode 100644 ldap.yml diff --git a/base.yml b/base.yml index e10f9d7..208401e 100644 --- a/base.yml +++ b/base.yml @@ -4,3 +4,14 @@ roles: - baseconfig - basesecurity + +# Plug LDAP on all servers +- hosts: all + roles: + - ldap-client + +# Clone LDAP on local geographic location +# DON'T DO THIS AS IT RECREATES THE REPLICA +# - hosts: ldap-replica +# roles: +# - ldap-replica diff --git a/ldap.yml b/ldap.yml deleted file mode 100644 index 59d33f3..0000000 --- a/ldap.yml +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -# Plug LDAP on all servers -- hosts: all - roles: - - ldap-client - -# Clone LDAP on local geographic location -# DON'T DO THIS AS IT RECREATES THE REPLICA -# - hosts: ldap-replica -# roles: -# - ldap-replica From a2e9ab7d3f716367755e5f7d788f80a45fc84797 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 22 Jul 2019 20:57:32 +0200 Subject: [PATCH 097/297] Merge crans Ansible conf --- README.md | 121 ++++++++++++++++++++++++++++++++++++++-------------- ansible.cfg | 2 +- 2 files changed, 91 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index 56689f6..a1abc50 100644 --- a/README.md +++ b/README.md 
@@ -1,56 +1,115 @@ -# Playbook et rôles Ansible d'Aurore +# Recettes Ansible d'Aurore -Ces politiques de déployement nécessite Ansible 2.7 ou plus récent. -Le paquet dans Debian Buster est suffisamment à jour, sinon vous pouvez l'obtenir de la façon suivante : +Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore. +Pour les utiliser, vérifiez que vous avez au moins Ansible 2.7. -```bash -pip3 install --user ansible -``` +## Ansible 101 -## Exécution d'un playbook +Si vous n'avez jamais touché à Ansible avant, voilà une rapide introduction. -Pour appliquer le playbook `base.yml` : -```bash -ansible-playbook --ask-vault-pass base.yml -``` +**Inventory** : c'est le fichier `hosts` d'inventaire. +Il contient la définition de chaque machine et le regroupement. -Il est souhaitable de faire un test avant avec `--check` si on a des doutes ! +Quand on regroupe avec un `:children` en réalité on groupe des groupes. -## FAQ +Chaque machine est annoncée avec son hostname. Il faut pouvoir SSH sur cette machine +avec ce hostname, car c'est ce qu'Ansible fera. -### Mettre sa clé SSH sur une machine +**Playbook** : c'est une politique de déploiement. +Il contient les associations des rôles avec les machines. + +L'idée au Crans est de regrouper par thème. Exemple, le playbook `monitoring.yml` +va contenir toutes les définitions machines-rôles qui touchent au monitoring. +Cela permet de déployer manuellement tout le monitoring sans toucher au reste. + +**Rôle** : un playbook donne des rôles à des machines. Ces rôles sont tous dans +le dossier `roles/`. Un rôle installe un service précis sur un serveur. + +Il est préférable d'être atomique sur les rôles plutôt d'en coder un énorme +qui sera difficilement maintenable. + +*Exemples de rôle* : activer les backports pour ma version de Debian, installer NodeJS, +déployer un serveur prometheus, déployer une node prometheus… + +**Tâche** : un rôle est composé de tâches. Une tâche effectue une et une seule +action. 
Elle est associée à un module Ansible. + +*Exemples de tâche* : installer un paquet avec le module `apt`, ajouter une ligne dans +un fichier avec le module `lineinfile`, copier une template avec le module `template`… + +Une tâche peut avoir des paramètres supplémentaires pour la réessayer quand elle plante, +récupérer son résultat dans une varible, mettre une boucle dessus, mettre des conditions… + +N'oubliez pas d'aller lire l'excellent documentation de RedHat sur tous les modules +d'Ansible ! + +### Gestion des groupes de machines + +Pour la liste complète, je vous invite à lire le fichier `hosts`. + + * pour tester les versions de Debian, + + ```YAML + ansible_lsb.codename == 'stretch' + ``` + + * pour tester si c'est un CPU Intel x86_64, + + ```YAML + ansible_processor[0].find('Intel') != -1 + and ansible_architecture == 'x86_64' + ``` + +Pour les fonctions (`proxy-server`, `dhcp-dynamique`…) il a été choisi +de ne pas faire de groupe particulier mais plutôt de sélectionner/enlever +les machines pertinentes directement dans les playbooks. + +### Lister tout ce que sait Ansible sur un hôte + +Lors du lancement d'Ansible, il collecte un ensemble de faits sur les serveurs +qui peuvent ensuite être utilisés dans des variables. +Pour lister tous les faits qu'Ansible collecte nativement d'un serveur +on peut exécuter le module `setup` manuellement. ``` -ssh-copy-id -i ~/.ssh/id_rsa_aurore.pub virtu.fede-aurore.net +ansible proxy.adm.auro.re -m setup --ask-vault-pass ``` -### Automatiquement ajouter fingerprint ECDSA (dangereux !) +## Exécution d'Ansible -Il faut changer la variable d'environnement suivante : -`ANSIBLE_HOST_KEY_CHECKING=0`. +### Configurer la connexion au vlan adm -### Configurer la connexion au bastion +Envoyer son agent SSH peut être dangereux +([source](https://heipei.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)). -Envoyer son agent SSH peut être dangereux ([source](https://heipei.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)). 
- -On va utiliser plutôt ProxyJump. +On va utiliser plutôt `ProxyJump`. Dans la configuration SSH : ``` -# Use a key to log on all Aurore servers -# and use a bastion +# Use a key to log on all Crans servers +# and use a proxy server Host 10.128.0.* *.adm.auro.re - IdentityFile ~/.ssh/id_rsa_aurore - ProxyJump proxy.auro.re + IdentityFile ~/.ssh/id_rsa + ProxyJump auro.re ``` Il faut savoir que depuis Ansible 2.5, des connexions persistantes sont créées vers les serveurs puis détruites à la fin de l'exécution. -Il faut donc éviter de lancer une connexion SSH persistante pendant l'exécution -d'Ansible. -### Lister tout ce que sait Ansible sur un hôte +Il faut sa clé SSH configurée sur le serveur que l'on déploit. +```bash +ssh-copy-id proxy.adm.auro.re +``` +### Lancer Ansible + +Pour tester le playbook `base.yml` : +```bash +ansible-playbook --ask-vault-pass base.yml --check ``` -ansible -i hosts ldap-replica-fleming1.adm.auro.re -m setup --ask-vault-pass -``` + +Vous pouvez ensuite enlever `--check` si vous voulez appliquer les changements ! + +Si vous avez des soucis de fingerprint ECDSA, vous pouvez ignorer une +première fois (dangereux !) : `ANSIBLE_HOST_KEY_CHECKING=0 ansible-playbook...`. + diff --git a/ansible.cfg b/ansible.cfg index dc984aa..8d528bd 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,4 +1,4 @@ -# Aurore Ansible configuration +# Ansible configuration [defaults] From 7161d59157d54477fe7c487ad135af93554d536c Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 22 Jul 2019 20:57:44 +0200 Subject: [PATCH 098/297] Update inventory to Ansible 2.8 --- hosts | 62 +++++++++++++++++++++++++++++------------------------------ 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/hosts b/hosts index 55337e4..e640cb1 100644 --- a/hosts +++ b/hosts 
@@ -5,10 +5,10 @@ # > So all containers at OVH are in ovh-container. # > Then we regroup everything in global geographic and type groups. -[ovh-pve] +[ovh_pve] horus.adm.auro.re -[ovh-container] +[ovh_container] synapse.adm.auro.re services-bdd.adm.auro.re phabricator.adm.auro.re @@ -18,7 +18,7 @@ pad.adm.auro.re proxy.adm.auro.re matrix-services.adm.auro.re -[ovh-vm] +[ovh_vm] re2o-server.adm.auro.re re2o-ldap.adm.auro.re re2o-db.adm.auro.re @@ -27,21 +27,21 @@ passbolt.adm.auro.re vpn-ovh.adm.auro.re docker-ovh.adm.auro.re -[ovh-testing-vm] +[ovh_testing_vm] re2o-test.adm.auro.re -[fleming-pve] +[fleming_pve] #freya.adm.auro.re #odin.adm.auro.re -[fleming-vm] +[fleming_vm] #ldap-replica-fleming1.adm.auro.re #ldap-replica-fleming2.adm.auro.re -[pacaterie-pve] +[pacaterie_pve] mordred.adm.auro.re -[pacaterie-vm] +[pacaterie_vm] ldap-replica-pacaterie.adm.auro.re dhcp-pacaterie.adm.auro.re dns-pacaterie.adm.auro.re 
@@ -49,54 +49,54 @@ prometheus-pacaterie.adm.auro.re radius-pacaterie.adm.auro.re unifi-pacaterie.adm.auro.re -[edc-pve] +[edc_pve] leodagan.adm.auro.re -[georgesand-pve] +[georgesand_pve] merlin.adm.auro.re # everything at ovh [ovh:children] -ovh-pve -ovh-container -ovh-vm +ovh_pve +ovh_container +ovh_vm -# everything at ovh-testing -[ovh-testing:children] -ovh-testing-vm +# everything at ovh_testing +[ovh_testing:children] +ovh_testing_vm # everything at fleming [fleming:children] -fleming-pve -fleming-vm +fleming_pve +fleming_vm # everything at pacaterie [pacaterie:children] -pacaterie-pve -pacaterie-vm +pacaterie_pve +pacaterie_vm # everything at edc [edc:children] -edc-pve +edc_pve # everything at georgesand [georgesand:children] -georgesand-pve +georgesand_pve # every LXC container [container:children] -ovh-container +ovh_container # every virtual machine [vm:children] -ovh-vm -fleming-vm -pacaterie-vm +ovh_vm +fleming_vm +pacaterie_vm # every PVE [pve:children] -ovh-pve -fleming-pve -pacaterie-pve -edc-pve -georgesand-pve +ovh_pve +fleming_pve +pacaterie_pve +edc_pve +georgesand_pve From 2e753db873b0358725eb8344cd25bde4fc3c36c6 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 22 Jul 2019 21:00:05 +0200 Subject: [PATCH 099/297] Indicate unifi role --- roles/unifi-controller/tasks/main.yml | 6 ++++++ .../unifi-controller/templates/update-motd.d/05-service.j2 | 3 +++ 2 files changed, 9 insertions(+) create mode 100755 roles/unifi-controller/templates/update-motd.d/05-service.j2 diff --git a/roles/unifi-controller/tasks/main.yml b/roles/unifi-controller/tasks/main.yml index 0ff14dd..7f886f2 100644 --- a/roles/unifi-controller/tasks/main.yml +++ b/roles/unifi-controller/tasks/main.yml @@ -39,3 +39,9 @@ register: apt_result retries: 3 until: apt_result is succeeded + +- name: Indicate role in motd + template: + src: update-motd.d/05-service.j2 + dest: /etc/update-motd.d/05-unifi-controller + mode: 0755 
diff --git a/roles/unifi-controller/templates/update-motd.d/05-service.j2 b/roles/unifi-controller/templates/update-motd.d/05-service.j2 new file mode 100755 index 0000000..b768773 --- /dev/null +++ b/roles/unifi-controller/templates/update-motd.d/05-service.j2 @@ -0,0 +1,3 @@ +#!/bin/sh +# {{ ansible_managed }} +echo "> Le contrôleur Unifi a été déployé sur cette machine." From 24331ca25b9192bb548b0636596aea19a7fbc84f Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 22 Jul 2019 21:04:58 +0200 Subject: [PATCH 100/297] Fix CI --- base.yml | 4 ++-- roles/passbolt/tasks/main.yml | 2 +- roles/prometheus-node/tasks/main.yml | 2 +- roles/prometheus/tasks/main.yml | 2 +- services_web.yml | 8 ++++---- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/base.yml b/base.yml index 208401e..dc3c2dc 100644 --- a/base.yml +++ b/base.yml @@ -2,8 +2,8 @@ # Put a common configuration on all servers - hosts: all roles: - - baseconfig - - basesecurity + - baseconfig + - basesecurity # Plug LDAP on all servers - hosts: all diff --git a/roles/passbolt/tasks/main.yml b/roles/passbolt/tasks/main.yml index 6b08a12..0c10a53 100644 --- a/roles/passbolt/tasks/main.yml +++ b/roles/passbolt/tasks/main.yml @@ -21,7 +21,7 @@ - nginx - mariadb-server state: present - update_cache: yes + update_cache: true register: apt_result retries: 3 until: apt_result is succeeded diff --git a/roles/prometheus-node/tasks/main.yml b/roles/prometheus-node/tasks/main.yml index 96ec332..5d6f56f 100644 --- a/roles/prometheus-node/tasks/main.yml +++ b/roles/prometheus-node/tasks/main.yml @@ -10,7 +10,7 @@ - name: Activate prometheus-node-exporter service systemd: name: prometheus-node-exporter - enabled: yes + enabled: true state: started # Doesn't work on Debian Stretch diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index 68be2f9..6e730af 100644 --- a/roles/prometheus/tasks/main.yml +++ b/roles/prometheus/tasks/main.yml 
@@ -40,7 +40,7 @@ - name: Activate prometheus service systemd: name: prometheus - enabled: yes + enabled: true state: started - name: Indicate role in motd diff --git a/services_web.yml b/services_web.yml index a8d508d..ae0f50d 100644 --- a/services_web.yml +++ b/services_web.yml @@ -12,15 +12,15 @@ # Install EtherPad on EtherPad containers - hosts: pad.adm.auro.re roles: - - debian-backports - - nodejs - - etherpad + - debian-backports + - nodejs + - etherpad # Install DokuWiki on the wiki TEST container # When it will be operational, horus-wikitest will replace horus-wiki - hosts: horus-wikitest roles: - - dokuwiki + - dokuwiki # Install NGINX with reverse proxy conf - hosts: proxy.adm.auro.re From e0b69be43a2a0b98c720cf16e887d3009d4e4408 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Thu, 25 Jul 2019 11:05:21 +0200 Subject: [PATCH 101/297] Add privatebin to proxy --- services_web.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/services_web.yml b/services_web.yml index ae0f50d..6063837 100644 --- a/services_web.yml +++ b/services_web.yml @@ -56,5 +56,8 @@ - name: grafana from: grafana.auro.re to: docker-ovh.adm.auro.re:8082 + - name: privatebin + from: privatebin.auro.re + to: docker-ovh.adm.auro.re:8083 roles: - nginx-reverse-proxy From 5ee11728614f5f9d4b9882e6ac4cd8c039d84a70 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Thu, 25 Jul 2019 11:28:17 +0200 Subject: [PATCH 102/297] Fix monitoring --- monitoring.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/monitoring.yml b/monitoring.yml index 049d418..5681331 100644 --- a/monitoring.yml +++ b/monitoring.yml @@ -5,7 +5,7 @@ # Prometheus targets.json prometheus_targets: - labels: {job: node} - targets: "{{ groups['pacaterie'] | map('replace', '.org', '.org:9100') | list | sort }}" + targets: "{{ groups['pacaterie'] | map('replace', '.re', '.re:9100') | list | sort }}" - labels: {job: prometheus} targets: ['localhost:9090'] roles: 
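Review bot: `map('replace', '.re', '.re:9100')` appends the exporter port by plain substring replacement, so it rewrites every occurrence of `.re` in a hostname, not only the trailing TLD; any inventory name that happens to contain `.re` elsewhere would get a second `:9100` inserted mid-string and the target would be unreachable. Anchoring the substitution removes the dependency on how the domain is spelled: `targets: "{{ groups['pacaterie'] | map('regex_replace', '$', ':9100') | list | sort }}"`. The same construction is introduced again for the fleming play in the monitoring.yml hunk of PATCH 105 (`@@ -1,5 +1,17 @@`), so both places should change together.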
From b48800757808bbb2d03cfd1e4114419c15143e5d Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Thu, 25 Jul 2019 19:10:50 +0200 Subject: [PATCH 103/297] [docker] Install docker-compose --- roles/docker/tasks/main.yml | 15 ++++++++++++++- .../docker/templates/update-motd.d/05-service.j2 | 3 +++ 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100755 roles/docker/templates/update-motd.d/05-service.j2 diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 3de3d97..66eed8c 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -25,7 +25,7 @@ until: apt_key_result is succeeded # Add the repository into source list -- name: Configure unifi repository +- name: Configure docker repository apt_repository: repo: "{{ item }}" state: present @@ -43,3 +43,16 @@ register: apt_result retries: 3 until: apt_result is succeeded + +# Compose need to be updated to use new Docker features +- name: Install Docker Compose + get_url: + url: https://github.com/docker/compose/releases/download/1.24.1/docker-compose-Linux-x86_64 + dest: /usr/local/bin/docker-compose + mode: "0755" + +- name: Indicate role in motd + template: + src: update-motd.d/05-service.j2 + dest: /etc/update-motd.d/05-docker + mode: 0755 diff --git a/roles/docker/templates/update-motd.d/05-service.j2 b/roles/docker/templates/update-motd.d/05-service.j2 new file mode 100755 index 0000000..ce5faaa --- /dev/null +++ b/roles/docker/templates/update-motd.d/05-service.j2 @@ -0,0 +1,3 @@ +#!/bin/sh +# {{ ansible_managed }} +echo "> Les recettes Docker-compose se trouvent dans /var/local/ansible-docker" From 044e8af3aa520ae20083ff002e898e359ebd4f39 Mon Sep 17 00:00:00 2001 
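Review bot: The `Install Docker Compose` task downloads an executable from GitHub releases and drops it world-executable into `/usr/local/bin` without verifying what was fetched; `get_url` supports `checksum:`, and pinning the published digest turns a tampered, truncated or wrong-version download into a task failure instead of a silently installed binary, e.g. `checksum: sha256:<RELEASE_SHA256_PLACEHOLDER>` copied from the checksum file shipped with the 1.24.1 release. Pinning the version in the URL is good; the checksum just has to be bumped alongside it. Within this same hunk the mode is written once as `mode: "0755"` and once as `mode: 0755`; use the quoted form for both so a YAML parser never hands the file module an integer.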
From: Alexandre Iooss Date: Fri, 26 Jul 2019 08:50:07 +0200 Subject: [PATCH 104/297] Move EtherPad to Docker --- hosts | 1 - proxmox.yml | 2 +- roles/etherpad/tasks/1_user_group.yml | 26 ------ roles/etherpad/tasks/main.yml | 83 ------------------- roles/etherpad/templates/apt/nodejs.j2 | 5 -- .../systemd/etherpad-lite.service.j2 | 17 ---- services_web.yml | 16 ++-- 7 files changed, 7 insertions(+), 143 deletions(-) delete mode 100644 roles/etherpad/tasks/1_user_group.yml delete mode 100644 roles/etherpad/tasks/main.yml delete mode 100644 roles/etherpad/templates/apt/nodejs.j2 delete mode 100644 roles/etherpad/templates/systemd/etherpad-lite.service.j2 diff --git a/hosts b/hosts index e640cb1..cff737b 100644 --- a/hosts +++ b/hosts @@ -14,7 +14,6 @@ services-bdd.adm.auro.re phabricator.adm.auro.re wiki.adm.auro.re www.adm.auro.re -pad.adm.auro.re proxy.adm.auro.re matrix-services.adm.auro.re diff --git a/proxmox.yml b/proxmox.yml index 9617e0f..ca122ba 100644 --- a/proxmox.yml +++ b/proxmox.yml @@ -1,6 +1,6 @@ --- # This is a special playbook to create a new VM ! -- hosts: pad.adm.auro.re # Host with python-proxmoxer and python-requests +- hosts: proxy.adm.auro.re # Host with python-proxmoxer and python-requests become: false # We do not need root as we use Proxmox API vars: diff --git a/roles/etherpad/tasks/1_user_group.yml b/roles/etherpad/tasks/1_user_group.yml deleted file mode 100644 index 01c74ff..0000000 --- a/roles/etherpad/tasks/1_user_group.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# Security #1 -- name: Create EtherPad system group - group: - name: etherpad - system: true - state: present - -# Security #2 -- name: Create EtherPad user - user: - name: etherpad - group: etherpad - home: /var/local/etherpad - comment: EtherPad - system: true - state: present - -# Security #3 -- name: Secure Etherpad home directory - file: - path: /var/local/etherpad - state: directory - owner: etherpad - group: etherpad - mode: 0750 
diff --git a/roles/etherpad/tasks/main.yml b/roles/etherpad/tasks/main.yml deleted file mode 100644 index 454b4bd..0000000 --- a/roles/etherpad/tasks/main.yml +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -# Install EtherPad dependencies -- name: Install required packages - apt: - update_cache: true - name: curl - state: present - register: apt_result - retries: 3 - until: apt_result is succeeded - -# Create EtherPad user and group -- include_tasks: 1_user_group.yml - -# Download EtherPad -- name: Clone EtherPad project - git: - repo: https://github.com/ether/etherpad-lite.git - dest: /var/local/etherpad/etherpad-lite - version: 1.7.5 - become: true - become_user: etherpad - -# Installation script bin/installDeps.sh (1) -- name: Create node_modules directory - file: - path: /var/local/etherpad/etherpad-lite/node_modules - state: directory - become: true - become_user: etherpad - -# Installation script bin/installDeps.sh (2) -- name: Create symbolic link to EtherPad src - file: - src: /var/local/etherpad/etherpad-lite/src - dest: /var/local/etherpad/etherpad-lite/node_modules/ep_etherpad-lite - state: link - become: true - become_user: etherpad - -# Installation script bin/installDeps.sh (3) -# TODO --no-save -- name: Install Etherpad dependencies - npm: - path: /var/local/etherpad/etherpad-lite/node_modules/ep_etherpad-lite - become: true - become_user: etherpad - register: npm_result - retries: 3 - until: npm_result is succeeded - -# Configuration -- name: Configure EtherPad - lineinfile: - dest: /var/local/etherpad/etherpad-lite/settings.json - regexp: '^\s*"{{ item.key }}"' - line: "{{ item.value }}" - with_dict: - title: " \"title\": \"Etherpad Aurore\"," - dbType: " \"dbType\" : \"postgres\"," - defaultPadText: " \"defaultPadText\" : \"Bienvenue sur l'EtherPad d'Aurore !\\n\\nCe pad est public.\\n\"," - lang: " \"lang\": \"fr-fr\"" - -# Service file -- name: Install EtherPad systemd unit - template: - src: systemd/etherpad-lite.service.j2 - dest: /etc/systemd/system/etherpad-lite.service - owner: root - group: root - mode: 0644 - -# Run -- name: Ensure that EtherPad is started - systemd: - name: etherpad-lite - state: started - enabled: 
true - daemon_reload: true - -# TODO-list -# La configuration de la clé `dbSettings` n'est pas encore automatisé ! -# * Configure logs diff --git a/roles/etherpad/templates/apt/nodejs.j2 b/roles/etherpad/templates/apt/nodejs.j2 deleted file mode 100644 index 65e5110..0000000 --- a/roles/etherpad/templates/apt/nodejs.j2 +++ /dev/null @@ -1,5 +0,0 @@ -# {{ ansible_managed }} - -Package: node* libuv1* -Pin: release a=stretch-backports -Pin-Priority: 600 diff --git a/roles/etherpad/templates/systemd/etherpad-lite.service.j2 b/roles/etherpad/templates/systemd/etherpad-lite.service.j2 deleted file mode 100644 index fcaf95d..0000000 --- a/roles/etherpad/templates/systemd/etherpad-lite.service.j2 +++ /dev/null @@ -1,17 +0,0 @@ -# {{ ansible_managed }} - -[Unit] -Description=Etherpad-lite, the collaborative editor. -After=syslog.target network-online.target mysql.service postgresql.service -Conflicts=shutdown.target - -[Service] -Type=simple -User=etherpad -Group=etherpad -WorkingDirectory=/var/local/etherpad/etherpad-lite -ExecStart=/usr/bin/nodejs /var/local/etherpad/etherpad-lite/node_modules/ep_etherpad-lite/node/server.js -Restart=always - -[Install] -WantedBy=multi-user.target diff --git a/services_web.yml b/services_web.yml index 6063837..e6e135f 100644 --- a/services_web.yml +++ b/services_web.yml @@ -9,13 +9,6 @@ roles: - passbolt -# Install EtherPad on EtherPad containers -- hosts: pad.adm.auro.re - roles: - - debian-backports - - nodejs - - etherpad - # Install DokuWiki on the wiki TEST container # When it will be operational, horus-wikitest will replace horus-wiki - hosts: horus-wikitest @@ -32,9 +25,6 @@ - name: intranet from: intranet.auro.re to: re2o-server.adm.auro.re - - name: pad - from: pad.auro.re - to: pad.adm.auro.re:9001 - name: phabricator from: phabricator.auro.re to: phabricator.adm.auro.re 
@@ -59,5 +49,11 @@ - name: privatebin from: privatebin.auro.re to: docker-ovh.adm.auro.re:8083 + - name: pad + from: pad.auro.re + to: docker-ovh.adm.auro.re:8084 + - name: cas + from: cas.auro.re + to: docker-ovh.adm.auro.re:8085 roles: - nginx-reverse-proxy From 2be40222fcdebbc9d629d6a4a157848a67d86305 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Fri, 26 Jul 2019 22:47:10 +0200 Subject: [PATCH 105/297] Add fleming conf --- hosts | 5 +++-- monitoring.yml | 14 +++++++++++- network.yml | 13 +++++++++++ proxmox.yml | 58 +++++++++++++++++++++++++++++++++++--------------- 4 files changed, 70 insertions(+), 20 deletions(-) diff --git a/hosts b/hosts index cff737b..d3e769d 100644 --- a/hosts +++ b/hosts @@ -25,16 +25,17 @@ serge.adm.auro.re passbolt.adm.auro.re vpn-ovh.adm.auro.re docker-ovh.adm.auro.re +switchs-manager.adm.auro.re [ovh_testing_vm] re2o-test.adm.auro.re [fleming_pve] -#freya.adm.auro.re +freya.adm.auro.re #odin.adm.auro.re [fleming_vm] -#ldap-replica-fleming1.adm.auro.re +ldap-replica-fleming1.adm.auro.re #ldap-replica-fleming2.adm.auro.re [pacaterie_pve] diff --git a/monitoring.yml b/monitoring.yml index 5681331..d962547 100644 --- a/monitoring.yml +++ b/monitoring.yml @@ -1,5 +1,17 @@ --- # Deploy Prometheus +- hosts: prometheus-fleming.adm.auro.re + vars: + # Prometheus targets.json + prometheus_targets: + - labels: {job: node} + targets: "{{ groups['fleming'] | map('replace', '.re', '.re:9100') | list | sort }}" + - labels: {job: prometheus} + targets: ['localhost:9090'] + roles: + - prometheus + - prometheus-alertmanager + - hosts: prometheus-pacaterie.adm.auro.re vars: # Prometheus targets.json @@ -13,6 +25,6 @@ - prometheus-alertmanager # Monitor all hosts -- hosts: pacaterie +- hosts: fleming,pacaterie roles: - prometheus-node diff --git a/network.yml b/network.yml index c4b967f..eaa0705 100644 --- a/network.yml +++ b/network.yml 
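Review bot: The new `cas` entry fronts an authentication service, and like the other entries its `to:` value is a bare `host:port` with no scheme. How the nginx-reverse-proxy role talks to the upstream is not visible here, but if it proxies over plain HTTP, CAS credentials and tickets cross the adm network in cleartext between the proxy and docker-ovh; that is a different risk profile from the pad or privatebin backends in the same list. Worth either terminating TLS on the CAS container and pointing the proxy at it, or recording the accepted trade-off next to the entry: `# plain HTTP upstream on the adm VLAN — accepted for now`.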
@@ -32,3 +32,16 @@ - hosts: unifi-pacaterie.adm.auro.re roles: - unifi-controller + +# Deploy Re2o switch service +- hosts: switchs-manager.adm.auro.re + vars: + service_repo: https://gitlab.federez.net/re2o/switchs.git + service_name: switchs + service_version: master + service_config: + hostname: re2o-server.adm.auro.re + username: service-user + password: "{{ vault_serviceuser_passwd }}" + roles: + - re2o-service diff --git a/proxmox.yml b/proxmox.yml index ca122ba..9e22c7e 100644 --- a/proxmox.yml +++ b/proxmox.yml 
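Review bot: `service_version: master` deploys whatever the branch head is at run time, so two runs of the playbook can install different code on switchs-manager, and anyone who can push to that repository effectively chooses what runs there with the `service-user` credentials. Pin to a tag or commit the role is known to work with, e.g. `service_version: <TAG_OR_COMMIT_PLACEHOLDER>`, and bump it deliberately. Taking the password from `vault_serviceuser_passwd` rather than inline is the right pattern and should stay as is.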
@@ -10,50 +10,74 @@ cores: 2 # 2 mimimum, 10 maximum memory: 1024 # M disksize: 16 # G - installiso: debian-buster-DI-rc1-amd64-netinst.iso + installiso: debian-10.0.0-amd64-netinst.iso - name: dhcp-pacaterie virtu: mordred cores: 2 # 2 mimimum, 10 maximum memory: 1024 # M disksize: 16 # G - installiso: debian-buster-DI-rc1-amd64-netinst.iso + installiso: debian-10.0.0-amd64-netinst.iso - name: dns-pacaterie virtu: mordred cores: 2 # 2 mimimum, 10 maximum memory: 1024 # M disksize: 16 # G - installiso: debian-buster-DI-rc1-amd64-netinst.iso + installiso: debian-10.0.0-amd64-netinst.iso - name: prometheus-pacaterie virtu: mordred cores: 2 # 2 mimimum, 10 maximum memory: 1024 # M disksize: 16 # G - installiso: debian-buster-DI-rc1-amd64-netinst.iso + installiso: debian-10.0.0-amd64-netinst.iso - name: radius-pacaterie virtu: mordred cores: 2 # 2 mimimum, 10 maximum memory: 1024 # M disksize: 16 # G - installiso: debian-buster-DI-rc1-amd64-netinst.iso + installiso: debian-10.0.0-amd64-netinst.iso - name: unifi-pacaterie virtu: mordred cores: 2 # 2 mimimum, 10 maximum memory: 1024 # M disksize: 16 # G installiso: debian-9.9.0-amd64-netinst.iso - - name: passbolt - virtu: horus - cores: 2 # 2 mimimum, 10 maximum - memory: 512 # M - disksize: 8 # G - installiso: debian-buster-DI-rc1-amd64-netinst.iso - - name: vpn-ovh - virtu: horus - cores: 2 # 2 mimimum, 10 maximum - memory: 512 # M - disksize: 8 # G - installiso: debian-9.9.0-amd64-netinst.iso + - name: ldap-replica-fleming1 + virtu: freya + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dhcp-fleming + virtu: freya + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dns-fleming + virtu: freya + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: prometheus-fleming + virtu: freya + cores: 2 
# 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: radius-fleming + virtu: freya + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: unifi-fleming + virtu: freya + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-9.9.0-amd64-netinst.iso vars_prompt: - name: "password" From 281a2dcadf69f93837e9e0f716ae6220bee550fc Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 27 Jul 2019 21:31:33 +0200 Subject: [PATCH 106/297] Add fleming network infra --- hosts | 5 +++++ network.yml | 4 ++-- proxmox.yml | 3 +++ 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/hosts b/hosts index d3e769d..3c93b45 100644 --- a/hosts +++ b/hosts @@ -37,6 +37,11 @@ freya.adm.auro.re [fleming_vm] ldap-replica-fleming1.adm.auro.re #ldap-replica-fleming2.adm.auro.re +dhcp-fleming.adm.auro.re +dns-fleming.adm.auro.re +prometheus-fleming.adm.auro.re +radius-fleming.adm.auro.re +unifi-fleming.adm.auro.re [pacaterie_pve] mordred.adm.auro.re diff --git a/network.yml b/network.yml index eaa0705..cdff053 100644 --- a/network.yml +++ b/network.yml @@ -1,6 +1,6 @@ --- # Deploy DHCP -- hosts: dhcp-pacaterie.adm.auro.re +- hosts: dhcp-fleming.adm.auro.re,dhcp-pacaterie.adm.auro.re vars: service_repo: https://gitlab.federez.net/re2o/dhcp.git service_name: dhcp @@ -29,7 +29,7 @@ - re2o-service # Deploy Unifi Controller -- hosts: unifi-pacaterie.adm.auro.re +- hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re roles: - unifi-controller diff --git a/proxmox.yml b/proxmox.yml index 9e22c7e..15914d4 100644 --- a/proxmox.yml +++ b/proxmox.yml @@ -5,6 +5,8 @@ vars: vm_definitions: + + # Réseau Pacaterie - name: ldap-replica-pacaterie virtu: mordred cores: 2 # 2 mimimum, 10 maximum 
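Review bot: `unifi-fleming` is created from `debian-9.9.0-amd64-netinst.iso` while every other new Fleming VM in this hunk uses `debian-10.0.0-amd64-netinst.iso`; the existing `unifi-pacaterie` entry has the same exception, which suggests a deliberate constraint for the Unifi controller, but nothing in the file says so. A short comment on the two entries would keep the next person from "fixing" it, e.g. `installiso: debian-9.9.0-amd64-netinst.iso  # Stretch on purpose — confirm Unifi controller requirement`. The inline comment `# 2 mimimum, 10 maximum` is also copied with its typo (`minimum`) into every new entry.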
@@ -42,6 +44,7 @@ disksize: 16 # G installiso: debian-9.9.0-amd64-netinst.iso + # Réseau Fleming - name: ldap-replica-fleming1 virtu: freya cores: 2 # 2 mimimum, 10 maximum From e15ea7854a86441ea981485e36c2e750c7d3ddd6 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Thu, 29 Aug 2019 07:02:15 +0200 Subject: [PATCH 107/297] Base config sync with crans --- roles/baseconfig/tasks/main.yml | 33 +++++++++++++++----------- roles/baseconfig/tasks/molly-guard.yml | 18 -------------- 2 files changed, 19 insertions(+), 32 deletions(-) delete mode 100644 roles/baseconfig/tasks/molly-guard.yml diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml index 9784ac1..5249244 100644 --- a/roles/baseconfig/tasks/main.yml +++ b/roles/baseconfig/tasks/main.yml @@ -4,17 +4,25 @@ when: ansible_os_family == "Debian" apt: name: - - bash-completion # for bash users - - zsh # alternative shell - - sudo # to gain root access - - git # code versioning - - nano # basic text editor - - vim # like nano but more powerful and complex - - htop # better than top - - less # i like cats - - tree # create a graphical tree of files - - acl # for Ansible become support - - screen # Vulcain asked for this + - sudo + - molly-guard # prevent reboot + - ntp # network time sync + - apt # better than apt-get + - nano # for vulcain + - vim # better than nano + - emacs-nox # for maman + - htop # better than top + - zsh # to be able to ssh @erdnaxe + - fish # to motivate @edpibu + - oidentd # postgresql identification + - aptitude # nice to have for Ansible + - acl # advanced ACL + - iotop # monitor i/o + - tree # create a graphical tree of files + - bash-completion # because bash + - git # code versioning + - less # i like cats + - screen # Vulcain asked for this update_cache: true register: apt_result retries: 3 
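Review bot: `- molly-guard  # prevent reboot` is added to the package list while the `@@ -60,9 +68,6 @@` hunk and the deleted molly-guard.yml drop the `ALWAYS_QUERY_HOSTNAME=true` setting in `/etc/molly-guard/rc`. If I recall the package default correctly, molly-guard then only intercepts shutdown/reboot when it detects an SSH session via `SSH_CONNECTION`, so a `reboot` typed inside `screen` (which this same list installs) or from a console is no longer queried — the protection the comment promises is narrower than before. Either keep a `lineinfile` task setting `ALWAYS_QUERY_HOSTNAME=true` in this role, or make the comment honest: `- molly-guard  # prevent accidental reboot over SSH (rc not configured)`.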
@@ -60,9 +68,6 @@ vtype: select notify: Reconfigure locales -# Molly-Guard : prevent accidental shutdowns -- include_tasks: molly-guard.yml - # APT-List Changes : send email with changelog - include_tasks: apt-listchanges.yml diff --git a/roles/baseconfig/tasks/molly-guard.yml b/roles/baseconfig/tasks/molly-guard.yml deleted file mode 100644 index b444b73..0000000 --- a/roles/baseconfig/tasks/molly-guard.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -# Install molly-guard -- name: Install molly-guard - when: ansible_os_family == "Debian" - apt: - name: molly-guard - state: present - update_cache: true - register: apt_result - retries: 3 - until: apt_result is succeeded - -# Always ask for hostname -- name: Configure molly-guard - lineinfile: - dest: /etc/molly-guard/rc - regexp: '^#*\s*ALWAYS_QUERY_HOSTNAME.*$' - line: 'ALWAYS_QUERY_HOSTNAME=true' From 743e902e85abbf98a12488491b878bc23a0f2ad1 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Thu, 29 Aug 2019 07:03:05 +0200 Subject: [PATCH 108/297] Refractor ldap --- .../tasks/{0_install_ldap.yml => install_ldap.yml} | 10 +--------- roles/ldap-client/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 10 deletions(-) rename roles/ldap-client/tasks/{0_install_ldap.yml => install_ldap.yml} (77%) diff --git a/roles/ldap-client/tasks/0_install_ldap.yml b/roles/ldap-client/tasks/install_ldap.yml similarity index 77% rename from roles/ldap-client/tasks/0_install_ldap.yml rename to roles/ldap-client/tasks/install_ldap.yml index 21dd6f6..5e8dae3 100644 --- a/roles/ldap-client/tasks/0_install_ldap.yml +++ b/roles/ldap-client/tasks/install_ldap.yml 
@@ -7,19 +7,12 @@ - nslcd - libnss-ldapd - libpam-ldapd + - nscd # local cache state: present register: apt_result retries: 3 until: apt_result is succeeded -# Reduce LDAP load -# For the moment it is broken on Stretch when using PHP7.3 -# - name: Install LDAP cache package -# apt: -# name: nscd -# state: present -# update_cache: true - # Configure /etc/nslcd.conf - name: Configure nslcd LDAP credentials template: @@ -38,5 +31,4 @@ - passwd - group - shadow - - sudoers notify: Restart nslcd service diff --git a/roles/ldap-client/tasks/main.yml b/roles/ldap-client/tasks/main.yml index c367dd6..8599950 100644 --- a/roles/ldap-client/tasks/main.yml +++ b/roles/ldap-client/tasks/main.yml @@ -1,6 +1,6 @@ --- # Install and configure main LDAP tools -- include_tasks: 0_install_ldap.yml +- include_tasks: install_ldap.yml # Filter who can access server and sudo on groups - include_tasks: 1_group_security.yml From 6cc0a6a6b72e3d2ea872d83421543f69cd534c30 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Thu, 29 Aug 2019 07:03:54 +0200 Subject: [PATCH 109/297] Remove appservice Discord --- matrix.yml | 1 - .../defaults/main.yml | 15 ---- .../matrix-appservice-discord/tasks/main.yml | 69 --------------- .../tasks/service_user.yml | 19 ---- .../templates/config.yaml.j2 | 87 ------------------- .../templates/systemd/appservice.service.j2 | 18 ---- 6 files changed, 209 deletions(-) delete mode 100644 roles/matrix-appservice-discord/defaults/main.yml delete mode 100644 roles/matrix-appservice-discord/tasks/main.yml delete mode 100644 roles/matrix-appservice-discord/tasks/service_user.yml delete mode 100644 roles/matrix-appservice-discord/templates/config.yaml.j2 delete mode 100644 roles/matrix-appservice-discord/templates/systemd/appservice.service.j2 diff --git a/matrix.yml b/matrix.yml index 11e63e8..939486e 100644 --- a/matrix.yml +++ b/matrix.yml 
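Review bot: `- nscd  # local cache` replaces a commented-out block that recorded nscd as broken on Stretch with PHP7.3, and nothing in the hunk says whether that problem went away or the hosts simply moved on; a one-line reason would spare the next reader from rediscovering it. Caching also has an access-control side effect worth stating: passwd/group answers served from nscd keep applying until the cache entry expires, so disabling an LDAP account or removing someone from a group is not immediate on these hosts. Suggested: `- nscd  # local cache; LDAP account/group changes apply after cache TTL`.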
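Review bot: The second hunk (`@@ -38,5 +31,4 @@`) removes `- sudoers` from the loop that ends with `notify: Restart nslcd service`; the task it belongs to starts outside the hunk, but if that loop lists the NSS databases resolved through LDAP (passwd, group and shadow remain), dropping `sudoers` means sudo rules stored in LDAP stop being consulted and only local `/etc/sudoers` applies. That is an access-control change the commit title (`Refractor ldap`) does not announce. If it is intentional, record it on the task, e.g. `# sudoers no longer resolved via LDAP; sudo rights are granted by 1_group_security.yml` — hedged, since that include is only named in the main.yml hunk and its contents are not visible here.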
@@ -9,7 +9,6 @@ - nodejs - matrix-synapse - matrix-mxisd - - matrix-appservice-discord - matrix-appservice-irc - matrix-appservice-webhooks diff --git a/roles/matrix-appservice-discord/defaults/main.yml b/roles/matrix-appservice-discord/defaults/main.yml deleted file mode 100644 index 6ad40a4..0000000 --- a/roles/matrix-appservice-discord/defaults/main.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -# service_name is the name of the project on GitHub -service_name: matrix-appservice-discord - -# URL to clone -service_repo: https://github.com/Half-Shot/matrix-appservice-discord.git - -# name of the service user -# It means that you will have to `sudo -u THISUSER zsh` to debug -service_user: "{{ service_name }}" -service_homedir: "/var/local/{{ service_name }}" - -# service_path is where the project is cloned -# It can't be the home directory because of user hidden files. -service_path: "{{ service_homedir }}/{{ service_name }}" diff --git a/roles/matrix-appservice-discord/tasks/main.yml b/roles/matrix-appservice-discord/tasks/main.yml deleted file mode 100644 index 01fc45b..0000000 --- a/roles/matrix-appservice-discord/tasks/main.yml +++ /dev/null 
@@ -1,69 +0,0 @@ ---- -# Create service user -- include_tasks: service_user.yml - -- name: "Clone {{ service_name }} project" - git: - repo: "{{ service_repo }}" - dest: "{{ service_path }}" - version: 14cf2829510e8b7b99b3238e2deaddf296ab4b76 - become: true - become_user: "{{ service_user }}" - -# Setup dependencies -# May create issues with package-lock.json not in gitignore -- name: "Install {{ service_name }} dependencies" - npm: - path: "{{ service_path }}" - production: true - become: true - become_user: "{{ service_user }}" - register: npm_result - retries: 3 - until: npm_result is succeeded - -# Typescript into javascript -- name: Compile matrix-appservice-discord - command: ./node_modules/.bin/tsc - args: - chdir: "{{ service_path }}" - register: npm_build_result - changed_when: npm_build_result - become: true - become_user: "{{ service_user }}" - -- name: "Configure {{ service_name }}" - template: - src: config.yaml.j2 - dest: "{{ service_path }}/config.yaml" - owner: "{{ service_user }}" - group: nogroup - mode: 0600 - -# Service file -- name: "Install {{ service_name }} systemd unit" - template: - src: systemd/appservice.service.j2 - dest: "/etc/systemd/system/{{ service_name }}.service" - owner: root - group: root - mode: 0644 - -# TODO generate registration - -- name: Copy appservice registration file - copy: - src: "{{ service_path }}/discord-registration.yaml" - dest: "/etc/matrix-synapse/{{ service_name }}-registration.yaml" - owner: matrix-synapse - group: nogroup - mode: 0600 - remote_src: true - -# Run -- name: "Ensure that {{ service_name }} is started" - systemd: - name: "{{ service_name }}" - state: started - enabled: true - daemon_reload: true diff --git a/roles/matrix-appservice-discord/tasks/service_user.yml b/roles/matrix-appservice-discord/tasks/service_user.yml deleted file mode 100644 index 0818676..0000000 --- a/roles/matrix-appservice-discord/tasks/service_user.yml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -# Having a custom group is useless so use nogroup -- name: "Create {{ service_user }} user" - user: - name: "{{ service_user }}" - group: nogroup - home: "{{ service_homedir }}" - system: true - shell: /bin/false - state: present - -# Only service user should be able to go there -- name: "Secure {{ service_user }} home directory" - file: - path: "{{ service_homedir }}" - state: directory - owner: "{{ service_user }}" - group: nogroup - mode: 0700 diff --git a/roles/matrix-appservice-discord/templates/config.yaml.j2 b/roles/matrix-appservice-discord/templates/config.yaml.j2 deleted file mode 100644 index 028cb99..0000000 --- a/roles/matrix-appservice-discord/templates/config.yaml.j2 +++ /dev/null 
@@ -1,87 +0,0 @@ -# {{ ansible_managed }} - -bridge: - # Domain part of the bridge, e.g. matrix.org - domain: "auro.re" - # This should be your publically facing URL because Discord may use it to - # fetch media from the media store. - homeserverUrl: "http://auro.re" - # Interval at which to process users in the 'presence queue'. If you have - # 5 users, one user will be processed every 500 milliseconds according to the - # value below. This has a minimum value of 250. - # WARNING: This has a high chance of spamming the homeserver with presence - # updates since it will send one each time somebody changes state or is online. - presenceInterval: 500 - # Disable setting presence for 'ghost users' which means Discord users on Matrix - # will not be shown as away or online. - disablePresence: false - # Disable sending typing notifications when somebody on Discord types. - disableTypingNotifications: false - # Disable deleting messages on Discord if a message is redacted on Matrix. - disableDeletionForwarding: false - # Enable users to bridge rooms using !discord commands. See - # https://t2bot.io/discord for instructions. - enableSelfServiceBridging: true - # Disable sending of read receipts for Matrix events which have been - # successfully bridged to Discord. - disableReadReceipts: false - # Disable Join Leave echos from matrix - disableJoinLeaveNotifications: true -# Authentication configuration for the discord bot. -auth: - clientID: "{{ matrix_discord_client_id }}" - botToken: "{{ matrix_discord_bot_token }}" -logging: - # What level should the logger output to the console at. 
- console: "warn" #silly, verbose, info, http, warn, error, silent - lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format - files: - - file: "warn.log" # Will capture warnings - level: "warn" - - file: "botlogs.log" # Will capture logs from DiscordBot - level: "info" - enable: - - "DiscordBot" -database: - userStorePath: "user-store.db" - roomStorePath: "room-store.db" - # You may either use SQLite or Postgresql for the bridge database, which contains - # important mappings for events and user puppeting configurations. - # Use the filename option for SQLite, or connString for Postgresql. - # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite - # WARNING: You will almost certainly be fine with sqlite unless your bridge - # is in heavy demand and you suffer from IO slowness. - filename: "discord.db" - # connString: "postgresql://user:password@localhost/database_name" -room: - # Set the default visibility of alias rooms, defaults to "public". - # One of: "public", "private" - defaultVisibility: "public" -channel: - # Pattern of the name given to bridged rooms. - # Can use :guild for the guild name and :name for the channel name. - namePattern: ":name :guild" - # Changes made to rooms when a channel is deleted. - deleteOptions: - # Prefix the room name with a string. - #namePrefix: "[Deleted]" - # Prefix the room topic with a string. - #topicPrefix: "This room has been deleted" - # Disable people from talking in the room by raising the event PL to 50 - disableMessaging: false - # Remove the discord alias from the room. - unsetRoomAlias: false - # Remove the room from the directory. - unlistFromDirectory: false - # Set the room to be unavaliable for joining without an invite. - setInviteOnly: false - # Make all the discord users leave the room. - ghostsLeave: true -limits: - # Delay in milliseconds between discord users joining a room. 
- roomGhostJoinDelay: 6000 - # Delay in milliseconds before sending messages to discord to avoid echos. - # (Copies of a sent message may arrive from discord before we've - # fininished handling it, causing us to echo it back to the room) - discordSendDelay: 750 - diff --git a/roles/matrix-appservice-discord/templates/systemd/appservice.service.j2 b/roles/matrix-appservice-discord/templates/systemd/appservice.service.j2 deleted file mode 100644 index 29ebdb6..0000000 --- a/roles/matrix-appservice-discord/templates/systemd/appservice.service.j2 +++ /dev/null @@ -1,18 +0,0 @@ -# {{ ansible_managed }} - -[Unit] -Description=A bridge between Matrix and Discord -After=syslog.target network-online.target mysql.service postgresql.service -Conflicts=shutdown.target - -[Service] -Type=simple -User={{ service_user }} -WorkingDirectory={{ service_path }} -Environment="NODE_ENV=production" -ExecStart=/usr/bin/nodejs ./build/src/discordas.js -p 9005 -c config.yaml -Restart=always -RestartSec=3 - -[Install] -WantedBy=multi-user.target From e91d47ea8d3cc92646e40e1be05110779e7fefd0 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Thu, 29 Aug 2019 07:04:37 +0200 Subject: [PATCH 110/297] Update matrix conf --- roles/matrix-synapse/tasks/main.yml | 2 +- .../templates/matrix-synapse/conf.d/listeners.yaml.j2 | 9 ++------- roles/re2o-service/tasks/main.yml | 2 ++ 3 files changed, 5 insertions(+), 8 deletions(-) diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml index f6f2a45..4ac864e 100644 --- a/roles/matrix-synapse/tasks/main.yml +++ b/roles/matrix-synapse/tasks/main.yml @@ -28,6 +28,6 @@ - name: Install rest auth provider copy: src: rest_auth_provider.py - dest: /opt/venvs/matrix-synapse/lib/python3.5/site-packages/rest_auth_provider.py + dest: /opt/venvs/matrix-synapse/lib/python3.7/site-packages/rest_auth_provider.py mode: 0755 notify: Restart matrix-synapse service 
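Review bot: The `copy` task for `rest_auth_provider.py` still installs a pure-Python module into `site-packages` with `mode: 0755` and no `owner`/`group`, so the file is marked executable for no reason and its ownership depends on whoever runs the play; `mode: "0644"` with explicit `owner: root` and `group: root` (quoted so the octal is not reinterpreted by the YAML loader) is the safer default for a library file. Bumping the hard-coded `lib/python3.5` directory to `lib/python3.7` keeps the interpreter version baked into the path, so the next venv upgrade will silently copy the provider into a directory Synapse no longer imports from; resolving the directory at run time (for example registering the output of the venv's `python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])'`) would remove that trap. The task list continues outside the hunk.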
diff --git a/roles/matrix-synapse/templates/matrix-synapse/conf.d/listeners.yaml.j2 b/roles/matrix-synapse/templates/matrix-synapse/conf.d/listeners.yaml.j2 index a5523a0..0c3693e 100644 --- a/roles/matrix-synapse/templates/matrix-synapse/conf.d/listeners.yaml.j2 +++ b/roles/matrix-synapse/templates/matrix-synapse/conf.d/listeners.yaml.j2 @@ -3,15 +3,10 @@ listeners: - port: 8008 tls: false - bind_addresses: - - '::' - - '0.0.0.0' + bind_addresses: ['::', '0.0.0.0'] type: http - x_forwarded: true resources: - - names: [client] - compress: true - - names: [federation] + - names: [client, federation] compress: false diff --git a/roles/re2o-service/tasks/main.yml b/roles/re2o-service/tasks/main.yml index 332c371..473a4d7 100644 --- a/roles/re2o-service/tasks/main.yml +++ b/roles/re2o-service/tasks/main.yml @@ -2,6 +2,8 @@ # Create service user - include_tasks: service_user.yml +# python3-iso8601 python3-jinja2 + - name: "Clone re2o {{ service_name }} project" git: repo: "{{ service_repo }}" From 6c1d904791779f9d840ccc4c8afd67016341464e Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 1 Sep 2019 11:18:23 +0200 Subject: [PATCH 111/297] Vault in passbolt --- group_vars/all/vault.yml | 240 +++++++++++++++++++-------------------- 1 file changed, 120 insertions(+), 120 deletions(-) diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 55723c2..8f0765f 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml 
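Review bot: Removing `x_forwarded: true` from the port 8008 listener makes Synapse take the TCP peer address as the client address, so per-IP rate limits, login/registration throttling and the IPs written to its logs all collapse onto whatever proxy sits in front; this repository ships an `nginx-reverse-proxy` role, so that listener is very likely proxied and the option should stay (`x_forwarded: true` directly under `type: http`). The listener is also plain HTTP (`tls: false`) bound to `['::', '0.0.0.0']`, which is only acceptable if a host firewall or the network restricts 8008 to the proxy; binding to `127.0.0.1`/`::1` or the proxy-facing address makes that assumption explicit instead of relying on it. A short comment above `- port: 8008` stating that TLS is terminated by the reverse proxy would document the intent for the next reader.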
@@ -1,121 +1,121 @@ $ANSIBLE_VAULT;1.1;AES256 -38643063333866653931396630643166643964356265363939356638346266333030356538336533 -6364383530613232326566646335663632323937306364300a636337353338333138326534626139 -66386265383261643538353765663965623035663962663061613534623931376434623237383736 -3065323934373065380a633738363137326239333362656266396537623838356663663231353535 -65636633356433636666383133303233643736636134343365313461363866383361623830663831 -61633662626437376537613737363032626638666236313331623631656338306666656537313637 -30303464373331336264356166373531393662363861313034626161633539373134626330363565 -36383735363664386231356261613839396630373831646533393933636638343765633731306464 -30393139626530393165613865396464366165363335333337383064623664646461393462313234 -36343763306334646666376236663136626238326466383731613865316566356462353662313238 -32353166313665316536396233376666653936643439373664303762303832343833616439376164 -35373634316264376639323563643633623466653238656464613938303332663030356138303339 -33636339323339636362643562643238313131343234326438643464333333313130646366343931 -66393735383034346235636337383566336634633331396331666437643738626362663935653933 -66363234363138633362663433653033636666323464376334303864343935333466326432343339 -31393333383033663064343230653434376538343861323639343135353837373438613935323262 -63643164663966346134623861663033626238623331626534613134363166353263366534383232 -33613665333434356264353230623038663232336363646332376533663365316235393436303631 -62623330343132333861663063383733623064303962333833656435376262353063373737623134 -35306361373465393036383764353735303333376130373736303239616462393638653261356366 -66613030653330663763303833656130616639643530623439646133623565626639353762613739 -38613235643034316131666364633535356638653364386635376464356530393637383434616162 -32353937313132626437313338386236663638653830306262333061313064316365336233373264 
-64643230613333623037663365306365356334303737623264626635643762616231316133316631 -37633361373737376134623630313834383033663335336338663936326133343233643963656237 -31666339366339333234326233613533636566643639333063306530663239373634636131646534 -66646566393935653533656365346663376532656336373563333535313830633764646434376332 -33616338336362323563393935623938313330386566316531653162653234643633316236396536 -34396166346230346637303635653233626264383061303766343737356131616331363161646330 -30666236643232386539333333363332396238643635656536303130646433323664383262643465 -30323139643335336438643864366239386166393965386137396364633230306666376366626632 -31353762316637626566333830326539663562396531383436303336323261653638663337323833 -39313363306338346435343835386230306465623137633836323662663938653334353936313830 -37366534383265323466656565633831393766353637316464626362643362383639373634633961 -61323032396530636433346463643837643463653565323735653062343164333538376266323930 -62303138333035323233663765306335633037376664626439666365333565303566613834383861 -33623339313962643530313538366362306466633037643532626631393733333338653633383566 -34366466336535663138633464376138386165356665396661633265386562366333356163633563 -63383735663936346339373836373765383536343337656133346132363465373538646134313639 -65623934353365613334623532373334653530353563396338323136623333656235613762376531 -61613562643733323933363263373239663031666364313430353061666530656135666262333462 -38343032343263336237653161383334313664666637663164343935656161353539356162653031 -32656362393732646235366232313937616130323030613934323563363736383331373032303061 -36656231663365643865346634663638306437396562653661303162333361636633383034363136 -65663233623230356265656232373963636263353939303531383235666535316533666439306162 -37646564363566366536323766353935333535306338316437636165316233383231656535626565 -34336633316464323665393365313963636138336661386332313830383039396461383664393833 
-61623630626265303861623363663435323164386466316338306331363438643765313234613763 -63333335383033306336663835333536343832613438636331646532373962643434303266336666 -64346662353133313931316631666363353439323935356165336637353366386639616233653630 -64393662326266343366353365303263396436313563646230363963343461343535633437613866 -36313739656335383763366636373330393764333963396237633463663062616130653261363465 -36303965306266366435333663333037633738623431653339323733623765646265613963313235 -63346136303630643563346431306438376535376537396438613463646233333131616261386436 -61643265323636316563363765366534313638656566303339303431396433393663653735373132 -34646432663135623137316532663065303339626633613231353061616261323861663165366136 -39626466393161363166306237323633366130333930653665313937306461363263386637366435 -37666363633463343636656465323939306363646431643130613935633935346132623161613231 -32303362383036306431303036636265636436303066303662633035313332396666643932393364 -31633631653264636539316138666237366630333039393366306233356639323639326333326430 -61393837343863616339336566363339366163363837393238613961373864353564313335326561 -39336236636538373133643063393933636166306361373631323465633638353130343466336534 -35303031666462336635653438633136653461313731336362303438343132303666396634383635 -36656266653365303566326332623963396431623465616161396332633833356565623931626632 -62346132353064333232336162393366623365323635373238643561343236653435363166393166 -32376537383031646333366664346138333531613463386135616364646161363132633065336435 -61653861633737373162346339396130333735393266396661316637306161393536353163623138 -63306362386364363333373633343264653966313763323433366634646264643963626636396637 -38636435326564366536366138373437383962653737383764303066383162383262306661396539 -64366662616166653539623462323538366365396133313639383139636435633638646166373236 -61383262366438383764313262323938363263386334316663363630323133626634616466636363 
-33326130326363383739363132393739353735393135316437393036653830333439623265393436 -33373333323564623137313037633165393235366462353932623834333133373932343235623834 -34393137373035663462343063663265646636633334356533646161376534656265646163316533 -37383938373234373861353635616138346639653866353136353166383764393966653738376265 -63366530626562613836393839343536643362613936643339373633313732353663343932386564 -61616166313366313133613866376637306461636362376437663165616436616136626132383461 -30653666393833333933336561663233373131656437313633373964323934313633623235323061 -66363332646630363436386631636137366237356539633663376263656535343438613437316432 -63636436396363323034393262383936623166326462373961616262363438646161353462353334 -66616131343636366161643037613561346661383133383332633661393031343936396333633061 -34626138366632336665383438303033326435326466383634316531303565646365616531663730 -61633137306532643862643963636564626163323331303861316463666639383031663031383866 -62623064616430666366636666373361663638366639623862613930303263336561613566626665 -39313036643233643937623739343731663739343461656134383833643364313238303938373363 -36396134306530303739353636636137303038633635373438306330376536316565356361343766 -61336136653434316262373131663062636161326264663738373363656538303666646266373035 -36366337663661643934363136383266323734613835393837363363376365633237663562373664 -61643865613861666362353539656637316537363963633064383137313536353037336639613262 -33313333643065366534386630633064343638663531636431613539333534656435343163666132 -30306132653836613133393633383432623833633635363535386164353235333861356138336339 -62656535386437393462323261393662376635386131633463653565363038343366626637336430 -33643932653462353231663962316639336263396230616461643538363063363139396364383231 -64333837326662313639386135393133613237613036653837303231333865373131356134656636 -30353139343363373134303933343039656665323833633339663964346132356535313632343563 
-36383366636438376362326638653838613830333836636539323734383337393662316234373435 -33616537653333626637613865666461636361373565336536316462383861326132346563313435 -38613366653764303965376335646234316138353964386361356436393064363037636365383639 -35633834636464653464626231323639323361663961366230383336346331386430663133323632 -34343462356461396164666131633433643236623261316139643735336434623234306638326235 -63366234303662633962633232336165313265633232373265643264636238363537383837623963 -31333863326539616434613233343361316334353062653364353335383961613065323930303939 -36313730363335626165626233373265333337363931316462646230643436323764656231663361 -33613363643838323830653561383334313539336234386534646461643931366664623235636136 -35653239616135633962613965306361316464643438653163323339373138336266343935656663 -62393765633337616639306666636633623665346330626163353164376234346164633830366561 -62396138306564343735356538656337393565316336633064333935353135656135633263663466 -63383135323338313334366563633038356262333964353864386662393236666165316461613430 -37366463653662643334303261323530396138383662656431376561356665346639643039383864 -38356537643133633436316231633437653532356333653239303434323339636563646334386662 -65366536323536353537376436646534633061396232376333616532643934376332313635356232 -35303236393635666333663039316234643831353136353061333139366432363531303630626334 -33616334643636336232356562343631376634386633343530336539373137353766643166393231 -35623237663433613835653261363761336238303934616165643364303839333932616562396139 -64343962353162366231303131643965616164623334396637373535373063633763373636306162 -31316231396663313930633936623164336137666466303733393939373937373633323534393438 -65656366653165636363383061653163303564306137626365326633393066376463303765663535 -30323163633231376531323832333938396335636164613962343533326664386132616636663033 -35663837383131613461653433643664366439343531393665333631346162623362626631646433 -61613339303032323261 
+63383763633231303965383737313737656433616465303432663764393065613739663934646462 +6433653264666237643634303032653438323363646433370a333663623139343464376432313337 +66633139313363356562393431353961613032616234323834633539396639643035353131373065 +3566623037356638610a323961303461636661323864656564333637353331633139333437373065 +64393764646332306535613863626634383063366132343936336365376237626637643032353031 +34343137366236326535393665386634323164633765613238383166393961623133313738336464 +32613039643531636663636334303636326333316664383636333030386136656331396237363931 +35306563613961393634336165396466373063363362623734386435383663363438336631666461 +65323434373836316363353964666462646139316465656434396537373364326565306231663164 +66666561366135316132386262646165303738356564333736336539623939393238313135643137 +38653234663331646435383361393638616464663530666663643036316665396665663861373039 +65316138396662363664626363383632383562393730623366393165633832626635663661353537 +64653931366135316662303339353434373837666262383836653536326230303336613439353339 +34393638373763663035356236633866396237396139613561626664636430336336396233363730 +64316632633364356337623239383536363163623137653134383761393433656431393264333161 +37633562396133353664613933363134313432653737633166396532343963613937383363663962 +38613964646336333239373562633233366436393833306536636637373362653661393831376437 +36393332386239356634633434613566323232346561333063323763346634656537343665383966 +39363962336266373033356165356466386166653864663632613431333134363437653464636630 +66636261363466393566326433363337323865333131643337336462633033386262663031396164 +33666634643034326537653463346564616462356535393237386432336237393365373131636636 +63633934333863313032623363353763313938376431313532343462303361353139383962336261 +39336266393239353839386530613066643566383136303334353366366561633934653962333133 +63646239336261386239623034383863303839383031666232636339383739626434636332653834 
+39663630663331663237373731656530386138666330376664623065653262636665646238646564 +30663631643236306662373336376262663136666637323964343464623563656336333761336537 +38623633393465323761363438353032323138313830613966393038393137336362303861376130 +34316164316537373266316166366332623630363130633366656531386361346235316335313837 +30386430366165343437653239303862306539393062333066326337353037643038333162303931 +64333164323635393139663031306231343437306233636262643433653763366665623966626432 +34326562346139383538656531643966633363336439333130666330623061383234326461646439 +38343838373431326366646436306463643563373836326534343461313265346336316630356534 +66393834633361313330623134616631343035643231373562363863363066373166646566633735 +63343535366634346233306138373936303132333861306534323930386636626366393638376235 +38616238303763366561373337636466616535363837393237396437636435653564353339613137 +61303963313461336633623563653463323462636563663765336230623231613936353435636638 +37333535646436373430633336336238316666623336396663643933633966633639343861306532 +31646537393532353135643833383830333635653531333737383237313331383362386536313534 +63666334306562656332613132353337373263353836363362363861633736616537346539383932 +66303864396366363731353430303566366339313137393934323566633933373938316261313734 +35323835343038653130366133393566656361356333396332313431356530653430393937323237 +35393535633438616433343035353766393162353031343637646230393562613535336234326530 +38636133326537613533653130396536343638663738343438626432653636323562313164363434 +36363066373264626331623161386339616430623366353137656534303935653631643334313264 +66666138653033323333323239333036613433646631636535393061623132626163653736366636 +65666632613334383233353565626631346463393037343866373464613762326663666438313865 +38323733373836376531316138383965393236356463656164373835383032306163336232306236 +36376563323063393931356633323434643265306163393839653866316433656636666632363065 
+39393231633834633233373464383634613338333335303239623863646437333133623033306634 +61363764626462313733666239383333383934313530353964333166336564666133326338326634 +33373739323538383761313162346436363261373437306361343431373163366639303263303565 +63363932623638643062643337643634316230613665643634643333643436643061333538383831 +32356636366562373164363339393331336436653434633963636134613664626664346432303638 +66643464613166643032376437333338626531613666366238663631373266373862356236306434 +63363464376165346232356538396538353135303038626630623566646336653531396264316232 +35613734663766303734626436663161393231643365313032373565383338376533656635333462 +64636130306463656436646633346362666138623336356634313863316561636561356635643434 +35316164623533613133393861313865336338626530663131366563616137643961366539636332 +34386431326539636565396432666565373132616130613839386164393963643039303132623036 +33643763383531356438333232643165346336646535356133646161323234353236623734613564 +62623638616438366631656536343334636561643432356234386231313332656234313761613362 +65386538353630623631623731383065623762613661393838666233656437383634313931626536 +37613464383764633763383465643734356530353834656139326366663065363135663266663866 +34326261353164613731626365386562663364613033396564326633346462666566376139313934 +64306135393862626663613332316161623965323364613762336630353561336562323939323039 +38616636306432393032323865663932383362646663666564666337343432333038343736656232 +35663938386665663263646634363833343264656136373237383164656163366261613639343063 +30383632626561313833336432626239353464313834383532373864636130663232313830356261 +37333538646430356536393062386636653862616432663636336634323435383039343661343230 +64353739336665353630376431303061343333343433663662343138326230333561333537363735 +36636136353138383864373335386139643134366364373761623835633763616631396331383738 +32393131643762646532313733353465666339626366323034663637656434313033663633343863 
+63363861373434376637623337623732373265656237616364326266363430653035643835323233 +34363461323131346264646234616131396431623734666163363135323834376534343937393838 +38626665373934346638363832626133316238373064653334653236316233353561396238383461 +63396333663736636436663935383932303633323231316534623664633332613166316334326430 +30343561653766636634363764643262363130353331363931666539376134326232646661376633 +34623936346637633530613538626166303362323365343935623466326630646537633034636164 +33326436643137343238656531386464326239643661616465366638346163616663383034333732 +61333365643739333464356233343238326339346334633764373765313832646131313862336237 +62663163393632656637646338316565643165353965366664343339356135666130393835633031 +31363738306639376233356134313637613438653465383131623733643039353361313465343966 +36636430613932386238633165353662616165393332313966623635633365376266346261623562 +66653038633237653061656136643939316562663961626633623361643739343863333464396164 +32633661653337616230366235386131653034363533323836373636346231373335396536623765 +30346430616335363738353035343738353330343930646330653161633330383238623636613765 +61616266663533663665343230353734636464333162313434663263343739303833316630306432 +36386131313431633564633830356266383762313038633237303034646661633536316438316664 +61346462366635613938616333613033356335316333363464663734313436663739323462383263 +62376437656634386432656133363261373765333531646433303936386562616433323261396130 +32333934313733643665613137666237666561376136306632313861613535623032626261396563 +32326566366437363839656564333862316339303262323164653331626563316565353362303135 +65373264656236653266656462353034366466616139333239323039386163616365346562393637 +65646466336337313734386434343561613935343065646464666162643731616362653234326431 +65366437376437666531383263393434303633616666643832323865663962663639643264326364 +35313465303464636632373139313435626464616136353839373135343934653363363564353061 
+64363166303761396131336464383532396339623065323736313661646366336438356634383865 +66333263383130363835386662343730346632626335653566353933363366323938346165646464 +36363731643561316231306330373431313431643835346236313765393134313263653637353530 +66613566383635356132343537373838343564393964613537633165323037363734303963626534 +37323430383631396631666162393435663336656235333065353731383031386233646266343636 +38363639633365363231656263376438643331663164613262386265333234613733666166366364 +64626365313731336431633532366265353938363861313731323361313131376562623234666233 +66613761363336303062363466393035613536623263663366336132383062663732376163306333 +36303337616363346565663736353937353735383338363838343561393833393837373836633430 +39366531663335386233333735613363313866636332336538376166353237376138616566323535 +31383336306563303631653162353030613631333662623065636131303565303337633631613639 +38316639363033363364393063376635376431356132386361333138343139383066643436663264 +62383666313236383737393632653764663836303736393838353532633735653730663064313035 +30656265313430303765646536623534646338323539366465653564656562643864386462643965 +63343334613038353734616335663064656433616265346437303338636539346235323964323633 +39376663306464636364306639616136613861363364623236626233336561393065303035653539 +39643661323331346362343861323739303264333237356233323534383534373338613637373832 +30343964626236643538616439643837306432656534623235623731373538616431616335376637 +65663234643132386666376431616337633435663061303734363236363066373230366337393136 +33393734353866313563386537363831646166326134613561663133666430356364613761643337 +31363433303765343731333163313865386265363163303138393262313466666333313236323430 +35643135383464656431316438653638333264633432313133656432636634393035623762343134 +37393036663938613732616435333666643963343566343930323037363862363530373439626464 +30616264363235326665 From a03c775dbdbfd160bfcc7c2a4e5616a6034cf92a Mon Sep 17 00:00:00 2001 
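Review bot: The whole ciphertext of `group_vars/all/vault.yml` is replaced, which from the title "Vault in passbolt" looks like a re-key after moving the vault password into a password manager; the previous ciphertext nevertheless stays in git history and remains decryptable with the old vault password. If that password is being retired because it was shared or exposed, the values inside have to be rotated at their consumers (service accounts, bot tokens, database passwords) and not merely re-encrypted, and the commit message should say whether that happened. A one-line note in the message such as `re-keyed vault; old password retired, secrets unchanged` (or `rotated`) would let a later auditor tell the two cases apart.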
From: fpoutre Date: Sun, 1 Sep 2019 13:27:58 +0200 Subject: [PATCH 112/297] =?UTF-8?q?ajout=20des=20vm=20de=20DS=20et=20d'EdC?= =?UTF-8?q?,=20ajout=20de=20qqes=20h=C3=B4tes?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- hosts | 9 +++++-- proxmox.yml | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 83 insertions(+), 2 deletions(-) diff --git a/hosts b/hosts index 3c93b45..8aa1bbb 100644 --- a/hosts +++ b/hosts @@ -42,6 +42,7 @@ dns-fleming.adm.auro.re prometheus-fleming.adm.auro.re radius-fleming.adm.auro.re unifi-fleming.adm.auro.re +10.128.1.240 [pacaterie_pve] mordred.adm.auro.re @@ -55,10 +56,13 @@ radius-pacaterie.adm.auro.re unifi-pacaterie.adm.auro.re [edc_pve] -leodagan.adm.auro.re +10.128.4.1 + +[edc_vm] +10.128.4.240 [georgesand_pve] -merlin.adm.auro.re +10.128.5.2 # everything at ovh [ovh:children] @@ -83,6 +87,7 @@ pacaterie_vm # everything at edc [edc:children] edc_pve +edc_vm # everything at georgesand [georgesand:children] diff --git a/proxmox.yml b/proxmox.yml index 15914d4..f0ed543 100644 --- a/proxmox.yml +++ b/proxmox.yml 
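Review bot: Replacing `leodagan.adm.auro.re` and `merlin.adm.auro.re` with bare addresses `10.128.4.1` and `10.128.5.2` (and adding `10.128.1.240`, `10.128.4.240`) changes `inventory_hostname` for those machines, so any `host_vars/<fqdn>` files, `known_hosts` entries and role conditions keyed on the name silently stop applying to them. If the new sites simply have no DNS yet, keep the name and pin the address on the same line, e.g. `leodagan.adm.auro.re ansible_host=10.128.4.1`, so variables and host-key checks stay attached to a stable identifier. If the addresses are meant to be temporary, a comment such as `# TODO: replace with the adm.auro.re name once DNS resolves it` above each one would make that explicit.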
@@ -82,6 +82,82 @@ disksize: 16 # G installiso: debian-9.9.0-amd64-netinst.iso + # Réseau EdC + - name: ldap-replica-edc1 + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dhcp-edc + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dns-edc + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: prometheus-edc + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: radius-edc + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: unifi-edc + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-9.9.0-amd64-netinst.iso + + # Réseau George Sand + - name: ldap-replica-gs1 + virtu: perceval + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dhcp-gs + virtu: perceval + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dns-gs + virtu: perceval + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: prometheus-gs + virtu: perceval + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: radius-fleming + virtu: freya + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: unifi-gs + virtu: freya + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: 
debian-9.9.0-amd64-netinst.iso + vars_prompt: - name: "password" prompt: "Enter LDAP password for your user" From 203815c429b732cb2d9ed82d82de048f37524d10 Mon Sep 17 00:00:00 2001 From: fpoutre Date: Sun, 1 Sep 2019 21:53:51 +0200 Subject: [PATCH 113/297] modified hosts and network playbook --- hosts | 82 ++++++++++++++++++++++++++++++----------------------- network.yml | 2 +- proxmox.yml | 6 ++-- 3 files changed, 50 insertions(+), 40 deletions(-) diff --git a/hosts b/hosts index 8aa1bbb..0ed4896 100644 --- a/hosts +++ b/hosts 
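Review bot: The "Réseau George Sand" block defines a second `radius-fleming` entry on `virtu: freya`, which reuses the name already used for the Fleming site and targets the Fleming hypervisor rather than `perceval`; this reads as a copy-paste slip for `radius-gs` on `perceval` and should be corrected before the VM is created under the wrong name. The two `unifi-*` VMs are also pinned to `debian-9.9.0-amd64-netinst.iso` while every other new VM in the hunk uses `debian-10.0.0-amd64-netinst.iso`; if that is deliberate, a comment above each such as `# kept on Debian 9 on purpose: <reason>` would stop the next editor from "fixing" it, and if not, they should move to the same image as the rest. The VM list begins before this hunk (`@@ -82,6 +82,82 @@`), so earlier entries are not visible here.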
@@ -6,63 +6,72 @@ # > Then we regroup everything in global geographic and type groups. [ovh_pve] -horus.adm.auro.re +#horus.adm.auro.re [ovh_container] -synapse.adm.auro.re -services-bdd.adm.auro.re -phabricator.adm.auro.re -wiki.adm.auro.re -www.adm.auro.re -proxy.adm.auro.re -matrix-services.adm.auro.re +#synapse.adm.auro.re +#services-bdd.adm.auro.re +#phabricator.adm.auro.re +#wiki.adm.auro.re +#www.adm.auro.re +#proxy.adm.auro.re +#matrix-services.adm.auro.re [ovh_vm] -re2o-server.adm.auro.re -re2o-ldap.adm.auro.re -re2o-db.adm.auro.re -serge.adm.auro.re -passbolt.adm.auro.re -vpn-ovh.adm.auro.re -docker-ovh.adm.auro.re -switchs-manager.adm.auro.re +#re2o-server.adm.auro.re +#re2o-ldap.adm.auro.re +#re2o-db.adm.auro.re +#serge.adm.auro.re +#passbolt.adm.auro.re +#vpn-ovh.adm.auro.re +#docker-ovh.adm.auro.re +#switchs-manager.adm.auro.re [ovh_testing_vm] -re2o-test.adm.auro.re +#re2o-test.adm.auro.re [fleming_pve] -freya.adm.auro.re -#odin.adm.auro.re +#freya.adm.auro.re [fleming_vm] -ldap-replica-fleming1.adm.auro.re +#ldap-replica-fleming1.adm.auro.re #ldap-replica-fleming2.adm.auro.re -dhcp-fleming.adm.auro.re -dns-fleming.adm.auro.re -prometheus-fleming.adm.auro.re -radius-fleming.adm.auro.re -unifi-fleming.adm.auro.re -10.128.1.240 +#dhcp-fleming.adm.auro.re +#dns-fleming.adm.auro.re +#prometheus-fleming.adm.auro.re +#radius-fleming.adm.auro.re +#unifi-fleming.adm.auro.re +#routeur-fleming.adm.auro.re [pacaterie_pve] -mordred.adm.auro.re +#mordred.adm.auro.re [pacaterie_vm] -ldap-replica-pacaterie.adm.auro.re -dhcp-pacaterie.adm.auro.re -dns-pacaterie.adm.auro.re -prometheus-pacaterie.adm.auro.re -radius-pacaterie.adm.auro.re -unifi-pacaterie.adm.auro.re +#ldap-replica-pacaterie.adm.auro.re +#dhcp-pacaterie.adm.auro.re +#dns-pacaterie.adm.auro.re +#prometheus-pacaterie.adm.auro.re +#radius-pacaterie.adm.auro.re +#unifi-pacaterie.adm.auro.re +#routeur-pacaterie.adm.auro.re [edc_pve] -10.128.4.1 +#chapalux.adm.auro.re [edc_vm] -10.128.4.240 
+#routeur-edc.adm.auro.re +#dns-edc.adm.auro.re +#dhcp-edc.adm.auro.re [georgesand_pve] -10.128.5.2 +#perceval.adm.auro.re + +[georgesand_vm] +#routeur-gs.adm.auro.re +#unifi-gs.adm.auro.re +#radius-gs.adm.auro.re +dns-gs.adm.auro.re +dhcp-gs.adm.auro.re # everything at ovh [ovh:children] @@ -92,6 +101,7 @@ edc_vm # everything at georgesand [georgesand:children] georgesand_pve +georgesand_vm # every LXC container [container:children] diff --git a/network.yml b/network.yml index cdff053..9137778 100644 --- a/network.yml +++ b/network.yml @@ -1,6 +1,6 @@ --- # Deploy DHCP -- hosts: dhcp-fleming.adm.auro.re,dhcp-pacaterie.adm.auro.re +- hosts: dhcp-fleming.adm.auro.re,dhcp-pacaterie.adm.auro.re,dhcp-gs.adm.auro.re vars: service_repo: https://gitlab.federez.net/re2o/dhcp.git service_name: dhcp diff --git a/proxmox.yml b/proxmox.yml index f0ed543..fb51466 100644 --- a/proxmox.yml +++ b/proxmox.yml @@ -145,14 +145,14 @@ memory: 1024 # M disksize: 16 # G installiso: debian-10.0.0-amd64-netinst.iso - - name: radius-fleming - virtu: freya + - name: radius-gs + virtu: perceval cores: 2 # 2 mimimum, 10 maximum memory: 1024 # M disksize: 16 # G installiso: debian-10.0.0-amd64-netinst.iso - name: unifi-gs - virtu: freya + virtu: perceval cores: 2 # 2 mimimum, 10 maximum memory: 1024 # M disksize: 16 # G From 5b3ac2a21ad960d68556bbc8b0f3f3d38c2dafc6 Mon Sep 17 00:00:00 2001 
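Review bot: This hunk comments out almost every host in the inventory, leaving only `dns-gs.adm.auro.re` and `dhcp-gs.adm.auro.re` active, so any play or expression that targets `ovh`, `fleming`, `pacaterie` or `edc` now silently resolves to an empty host list instead of failing. If the intent is to work only on the George Sand hosts during bring-up, keep the inventory intact and scope the run with `--limit georgesand` (or a separate inventory file) so the committed inventory still describes what exists; if these hosts are really gone, delete the lines rather than comment them. Inside `[georgesand_vm]`, `radius-gs.adm.auro.re` stays commented out although the `proxmox.yml` hunk in this same commit defines the `radius-gs` VM on `perceval`, which looks like an oversight.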
From: Alexandre Iooss Date: Fri, 1 Nov 2019 14:16:32 +0100 Subject: [PATCH 114/297] Merge crans version --- .gitignore | 1 + README.md | 8 +- hosts | 98 +++--- monitoring.yml | 14 +- roles/ldap-client/tasks/install_ldap.yml | 2 +- .../templates/prometheus/alertmanager.yml.j2 | 27 +- roles/prometheus-node/tasks/main.yml | 23 +- roles/prometheus/tasks/main.yml | 15 + .../templates/prometheus/alert.rules.yml.j2 | 8 +- .../templates/prometheus/prometheus.yml.j2 | 45 ++- .../templates/prometheus/snmp.yml.j2 | 297 ++++++++++++++++++ 11 files changed, 460 insertions(+), 78 deletions(-) create mode 100644 roles/prometheus/templates/prometheus/snmp.yml.j2 diff --git a/.gitignore b/.gitignore index a8b42eb..fa7c034 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ *.retry +__pycache__ diff --git a/README.md b/README.md index a1abc50..4f5f92a 100644 --- a/README.md +++ b/README.md @@ -86,16 +86,12 @@ On va utiliser plutôt `ProxyJump`. Dans la configuration SSH : ``` -# Use a key to log on all Crans servers -# and use a proxy server +# Use a proxy jump server to log on all Aurore inventory Host 10.128.0.* *.adm.auro.re IdentityFile ~/.ssh/id_rsa ProxyJump auro.re ``` -Il faut savoir que depuis Ansible 2.5, des connexions persistantes sont créées -vers les serveurs puis détruites à la fin de l'exécution. - Il faut sa clé SSH configurée sur le serveur que l'on déploit. ```bash ssh-copy-id proxy.adm.auro.re @@ -103,6 +99,8 @@ ssh-copy-id proxy.adm.auro.re ### Lancer Ansible +Il faut `python3-netaddr` sur sa machine. + Pour tester le playbook `base.yml` : ```bash ansible-playbook --ask-vault-pass base.yml --check diff --git a/hosts b/hosts index 3c93b45..7d039c7 100644 --- a/hosts +++ b/hosts @@ -2,10 +2,9 @@ # How to name your server ? # > We name servers according to location, then type. -# > So all containers at OVH are in ovh-container. # > Then we regroup everything in global geographic and type groups. -[ovh_pve] +[ovh_physical] horus.adm.auro.re [ovh_container] 
@@ -27,49 +26,52 @@ vpn-ovh.adm.auro.re docker-ovh.adm.auro.re switchs-manager.adm.auro.re -[ovh_testing_vm] -re2o-test.adm.auro.re - -[fleming_pve] +[fleming_physical] freya.adm.auro.re -#odin.adm.auro.re +marki.adm.auro.re [fleming_vm] -ldap-replica-fleming1.adm.auro.re +#ldap-replica-fleming1.adm.auro.re #ldap-replica-fleming2.adm.auro.re -dhcp-fleming.adm.auro.re -dns-fleming.adm.auro.re -prometheus-fleming.adm.auro.re -radius-fleming.adm.auro.re -unifi-fleming.adm.auro.re +#dhcp-fleming.adm.auro.re +#dns-fleming.adm.auro.re +#prometheus-fleming.adm.auro.re +#radius-fleming.adm.auro.re +#unifi-fleming.adm.auro.re -[pacaterie_pve] +[pacaterie_physical] mordred.adm.auro.re +titan.adm.auro.re [pacaterie_vm] -ldap-replica-pacaterie.adm.auro.re -dhcp-pacaterie.adm.auro.re -dns-pacaterie.adm.auro.re -prometheus-pacaterie.adm.auro.re -radius-pacaterie.adm.auro.re -unifi-pacaterie.adm.auro.re +#ldap-replica-pacaterie.adm.auro.re +#dhcp-pacaterie.adm.auro.re +#dns-pacaterie.adm.auro.re +#prometheus-pacaterie.adm.auro.re +#radius-pacaterie.adm.auro.re +#unifi-pacaterie.adm.auro.re -[edc_pve] -leodagan.adm.auro.re +[edc_physical] +chapalux.adm.auro.re -[georgesand_pve] -merlin.adm.auro.re +[edc_vm] + +[georgesand_physical] +perceval.adm.auro.re + +[georgesand_vm] + + +##################### +# Geographic groups # +##################### # everything at ovh [ovh:children] -ovh_pve +ovh_physical ovh_container ovh_vm -# everything at ovh_testing -[ovh_testing:children] -ovh_testing_vm - # everything at fleming [fleming:children] fleming_pve @@ -77,16 +79,22 @@ fleming_vm # everything at pacaterie [pacaterie:children] -pacaterie_pve +pacaterie_physical pacaterie_vm # everything at edc [edc:children] -edc_pve +edc_physical +edc_vm # everything at georgesand [georgesand:children] -georgesand_pve +georgesand_physical +georgesand_vm + +##################### +# Type groups # +##################### # every LXC container [container:children] 
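Review bot: `[fleming_pve]` is renamed to `[fleming_physical]` in this hunk, but the `[fleming:children]` block visible as context at the end of this hunk and the start of `@@ -77,16 +79,22 @@` still lists `fleming_pve`, while the sibling groups were updated to `pacaterie_physical`, `edc_physical` and `georgesand_physical`. Ansible's INI inventory plugin treats a children section naming an undefined group as an error, so the inventory most likely fails to load as written; change the line to `fleming_physical`. The same stale `fleming_pve` reference survives in the `[fleming:children]` hunk (`@@ -76,21 +262,25 @@`) of the later commit "Proxmox playbook and unifi ap".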
@@ -97,11 +105,23 @@ ovh_container ovh_vm fleming_vm pacaterie_vm +edc_vm +georgesand_vm -# every PVE -[pve:children] -ovh_pve -fleming_pve -pacaterie_pve -edc_pve -georgesand_pve +# every physical +[physical:children] +ovh_physical +fleming_physical +pacaterie_physical +edc_physical +georgesand_physical + +# every server (except access points) +[server:children] +container +physical +vm + +[all:vars] +# Force remote to use Python 3 +ansible_python_interpreter=/usr/bin/python3 diff --git a/monitoring.yml b/monitoring.yml index d962547..1e3a57c 100644 --- a/monitoring.yml +++ b/monitoring.yml @@ -4,10 +4,9 @@ vars: # Prometheus targets.json prometheus_targets: - - labels: {job: node} - targets: "{{ groups['fleming'] | map('replace', '.re', '.re:9100') | list | sort }}" - - labels: {job: prometheus} - targets: ['localhost:9090'] + - targets: "{{ groups['server'] | list | sort }}" + prometheus_unifi_snmp_targets: + - targets: [] roles: - prometheus - prometheus-alertmanager @@ -16,10 +15,9 @@ vars: # Prometheus targets.json prometheus_targets: - - labels: {job: node} - targets: "{{ groups['pacaterie'] | map('replace', '.re', '.re:9100') | list | sort }}" - - labels: {job: prometheus} - targets: ['localhost:9090'] + - targets: "{{ groups['server'] | list | sort }}" + prometheus_unifi_snmp_targets: + - targets: [] roles: - prometheus - prometheus-alertmanager diff --git a/roles/ldap-client/tasks/install_ldap.yml b/roles/ldap-client/tasks/install_ldap.yml index 5e8dae3..2f81e11 100644 --- a/roles/ldap-client/tasks/install_ldap.yml +++ b/roles/ldap-client/tasks/install_ldap.yml @@ -26,7 +26,7 @@ lineinfile: dest: /etc/nsswitch.conf regexp: "^{{ item }}:" - line: "{{ item }}: files ldap" + line: "{{ item }}: files ldap" loop: - passwd - group diff --git a/roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2 b/roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2 index 85a31c0..d25fbd6 100644 
--- a/roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2 +++ b/roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2 @@ -1,12 +1,16 @@ # {{ ansible_managed }} +# See https://prometheus.io/docs/alerting/configuration/ for documentation. global: # The smarthost and SMTP sender used for mail notifications. - smtp_smarthost: 'proxy.auro.re:25' - smtp_from: 'prometheus@auro.re' + smtp_smarthost: 'localhost:25' + smtp_from: 'alertmanager@example.org' #smtp_auth_username: 'alertmanager' #smtp_auth_password: 'password' - smtp_require_tls: false + # The auth token for Hipchat. + hipchat_auth_token: '1234556789' + # Alternative host for Hipchat. + hipchat_api_url: 'https://hipchat.foobar.org/' # The directory from which notification templates are read. templates: @@ -17,26 +21,25 @@ route: # The labels by which incoming alerts are grouped together. For example, # multiple alerts coming in for cluster=A and alertname=LatencyHigh would # be batched into a single group. - #group_by: ['alertname', 'cluster', 'service'] - group_by: [] # do not group for text chat + group_by: ['instance'] # group per instance # When a new group of alerts is created by an incoming alert, wait at # least 'group_wait' to send the initial notification. # This way ensures that you get multiple alerts for the same group that start # firing shortly after another are batched together on the first # notification. - group_wait: 1m + group_wait: 30s # When the first notification was sent, wait 'group_interval' to send a batch # of new alerts that started firing for that group. - group_interval: 1m + group_interval: 5m # If an alert has successfully been sent, wait 'repeat_interval' to # resend them. repeat_interval: 12h # A default receiver - receiver: team-monitoring-mails + receiver: webhook # Inhibition rules allow to mute a set of alerts given that another alert is 
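Review bot: `hipchat_auth_token: '1234556789'` and `hipchat_api_url: 'https://hipchat.foobar.org/'` are copied from the upstream example configuration and no receiver in this template uses Hipchat, so the rendered file now ships a credential-shaped literal for an integration that does not exist; drop both lines, and if Hipchat is ever wired in, take the token from a vault-encrypted variable rather than the template. The same copy replaces the site values `proxy.auro.re:25` / `prometheus@auro.re` with `localhost:25` / `alertmanager@example.org` and drops `smtp_require_tls: false`; Alertmanager defaults `smtp_require_tls` to true, so any `email_configs` added back later will need a STARTTLS-capable MTA on localhost or that line restored. If leaving the SMTP block as a non-functional template is intentional, say so in a comment under `global:`.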
@@ -53,7 +56,7 @@ inhibit_rules: receivers: -- name: 'team-monitoring-mails' - email_configs: - - to: 'monitoring.aurore@lists.crans.org' - +- name: 'webhook' + webhook_configs: + - url: 'http://URL A METTRE ICI VERS WEBHOOK DISCORD TODO/' + send_resolved: true diff --git a/roles/prometheus-node/tasks/main.yml b/roles/prometheus-node/tasks/main.yml index 5d6f56f..7ca6350 100644 --- a/roles/prometheus-node/tasks/main.yml +++ b/roles/prometheus-node/tasks/main.yml @@ -3,9 +3,25 @@ apt: update_cache: true name: prometheus-node-exporter + install_recommends: false # Do not install smartmontools register: apt_result retries: 3 until: apt_result is succeeded + when: + - ansible_lsb.codename == 'buster' + +# Prometheus 2 node is in stretch-backports +- name: Install Prometheus node-exporter (stretch-backports) + apt: + update_cache: true + name: prometheus-node-exporter + install_recommends: false + default_release: stretch-backports + register: apt_result + retries: 3 + until: apt_result is succeeded + when: + - ansible_lsb.codename == 'stretch' - name: Activate prometheus-node-exporter service systemd: @@ -13,12 +29,11 @@ enabled: true state: started -# Doesn't work on Debian Stretch +# Doesn't work on Debian Stretch with the old prometheus package - name: Make Prometheus node-exporter listen on adm only - when: - - ansible_lsb.codename == 'buster' lineinfile: path: /etc/default/prometheus-node-exporter regexp: '^ARGS=' - line: "ARGS=\"--web.listen-address={{ ansible_hostname }}.adm.auro.re:9100\"" + line: | + ARGS="--web.listen-address={{ ansible_hostname }}.adm.auro.re:9100" notify: Restart prometheus-node-exporter diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index 6e730af..62dde31 100644 --- a/roles/prometheus/tasks/main.yml +++ b/roles/prometheus/tasks/main.yml 
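Review bot: `url: 'http://URL A METTRE ICI VERS WEBHOOK DISCORD TODO/'` is a placeholder that gets rendered into the live Alertmanager configuration on every deploy, and since `webhook` is now the default receiver, every alert is routed to a non-existent endpoint until someone edits the template. A chat webhook URL is itself a bearer secret (anyone holding it can post as the integration), so it belongs in a vault-encrypted variable referenced as `url: "{{ alertmanager_webhook_url }}"` rather than in the committed template. The removed `email_configs` receiver was the only one with a real destination; keeping it as a fallback route until the webhook exists would preserve alert delivery.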
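Review bot: In `@@ -13,12 +29,11 @@` the `lineinfile` value is changed to a `|` block scalar, which keeps a trailing newline in `line`; whether `lineinfile` tolerates that depends on the Ansible version and the `regexp` path taken, and it differs from the quoted form it replaces, so `line: >-` (same single line, no trailing newline) is the unambiguous choice. In `@@ -3,9 +3,25 @@` both `when: ansible_lsb.codename == ...` conditions rely on `lsb-release` being installed on the target — `ansible_lsb` is an empty dict otherwise and the attribute lookup fails — whereas `ansible_distribution_release` is always populated and would make the buster/stretch split robust. Both tasks also `register: apt_result`; a short comment that only one of them ever runs would save the next reader from worrying about the shared name.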
@@ -31,12 +31,27 @@ line: "ARGS=\"--web.listen-address=127.0.0.1:9116\"" notify: Restart prometheus-snmp-exporter +# This file store SNMP OIDs +- name: Configure Prometheus snmp-exporter + template: + src: "prometheus/snmp.yml.j2" + dest: "/etc/prometheus/snmp.yml" + mode: 0600 + owner: prometheus + notify: Restart prometheus-snmp-exporter + # We don't need to restart Prometheus when updating nodes - name: Configure Prometheus nodes copy: content: "{{ prometheus_targets | to_nice_json }}" dest: /etc/prometheus/targets.json +# We don't need to restart Prometheus when updating nodes +- name: Configure Prometheus Ubiquity Unifi SNMP devices + copy: + content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}" + dest: /etc/prometheus/targets_unifi_snmp.json + - name: Activate prometheus service systemd: name: prometheus diff --git a/roles/prometheus/templates/prometheus/alert.rules.yml.j2 b/roles/prometheus/templates/prometheus/alert.rules.yml.j2 index 0729cc7..2a10358 100644 --- a/roles/prometheus/templates/prometheus/alert.rules.yml.j2 +++ b/roles/prometheus/templates/prometheus/alert.rules.yml.j2 @@ -17,7 +17,7 @@ groups: # Alert for out of memory - alert: OutOfMemory - expr: ((node_memory_MemFree_bytes or node_memory_MemFree) + (node_memory_Cached_bytes or node_memory_Cached) + (node_memory_Buffers_bytes or node_memory_Buffers)) / (node_memory_MemTotal_bytes or node_memory_MemTotal) * 100 < 10 + expr: (node_memory_MemFree_bytes + node_memory_Cached_bytes + node_memory_Buffers_bytes) / node_memory_MemTotal_bytes * 100 < 10 for: 5m labels: severity: warning @@ -26,7 +26,7 @@ groups: # Alert for out of disk space - alert: OutOfDiskSpace - expr: (node_filesystem_free_bytes{fstype="ext4"} or node_filesystem_free{fstype="ext4"}) / (node_filesystem_size_bytes{fstype="ext4"} or node_filesystem_size{fstype="ext4"}) * 100 < 10 + expr: node_filesystem_free_bytes{fstype="ext4"} / node_filesystem_size_bytes{fstype="ext4"} * 100 < 10 for: 5m labels: severity: warning 
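Review bot: The new `Configure Prometheus snmp-exporter` task renders `snmp.yml.j2`, which per the file added in this commit carries the SNMPv3 password, so `mode: 0600` with `owner: prometheus` is the right restriction; write the mode as the string `"0600"` rather than a bare octal literal so YAML and ansible-lint read it unambiguously. Because the rendered file contains a credential, consider `diff: false` (or `no_log: true`) on this task so that a `--check --diff` run, which the README recommends, does not print the password to the console or CI logs. The two `copy` tasks for `targets.json` / `targets_unifi_snmp.json` only hold hostnames, so no such restriction is needed there.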
@@ -44,8 +44,8 @@ groups: # Alert for high CPU usage - alert: CpuUsage - expr: ((100 - avg by (instance) (irate(node_cpu{mode="idle"}[5m])) * 100) or (100 - avg by (instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100)) > 75 - for: 5m + expr: (100 - avg by (instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) > 75 + for: 10m labels: severity: warning annotations: diff --git a/roles/prometheus/templates/prometheus/prometheus.yml.j2 b/roles/prometheus/templates/prometheus/prometheus.yml.j2 index 8b8fecb..19c64ef 100644 --- a/roles/prometheus/templates/prometheus/prometheus.yml.j2 +++ b/roles/prometheus/templates/prometheus/prometheus.yml.j2 @@ -11,6 +11,7 @@ global: monitor: 'example' # Alertmanager configuration +# Use prometheus alertmanager installed on the same machine alerting: alertmanagers: - static_configs: 
@@ -18,15 +19,49 @@ alerting: # Load rules once and periodically evaluate them according to the global 'evaluation_interval'. rule_files: - - "alert.rules.yml" - - "django.rules.yml" + - "alert.rules.yml" # Monitoring alerts, this is the file you may be searching! + - "django.rules.yml" # Custom rules specific for Django project monitoring # A scrape configuration containing exactly one endpoint to scrape: # Here it's Prometheus itself. scrape_configs: - - job_name: dummy - # This reload dynamically the list of targets - # You don't need to restart Prometheus when updating targets.json + # The .json in file_sd_configs is dynamically reloaded + + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + + - job_name: servers file_sd_configs: - files: - '/etc/prometheus/targets.json' + relabel_configs: + # Do not put :9100 in instance name, rather here + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - source_labels: [__param_target] + target_label: __address__ + replacement: '$1:9100' + + - job_name: unifi_snmp + file_sd_configs: + - files: + - '/etc/prometheus/targets_unifi_snmp.json' + metrics_path: /snmp + params: + module: [ubiquiti_unifi] + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - target_label: __address__ + replacement: 127.0.0.1:9116 + + - job_name: django + scheme: https + static_configs: + - targets: [] diff --git a/roles/prometheus/templates/prometheus/snmp.yml.j2 b/roles/prometheus/templates/prometheus/snmp.yml.j2 new file mode 100644 index 0000000..84dcb65 --- /dev/null +++ b/roles/prometheus/templates/prometheus/snmp.yml.j2 
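Review bot: In the `servers` job the `relabel_configs` copy `__address__` into `__param_target` before rebuilding `__address__` as `$1:9100`, so every node-exporter scrape also carries a `?target=<host>` query parameter that node-exporter ignores; the `__param_target` hop is only needed by the `unifi_snmp` job that proxies through snmp-exporter. The same result with two rules is `- source_labels: [__address__]` / `target_label: instance` followed by `- source_labels: [__address__]` / `target_label: __address__` / `replacement: '$1:9100'`. The `django` job declares `scheme: https` with `targets: []`; a comment saying what is expected to fill it (and whether a `tls_config` will be needed) would help the next maintainer.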
@@ -0,0 +1,297 @@ +# {{ ansible_managed }} +# TODOlist : +# - Faire fonctionner le monitoring des switchs défini ici +# * Configurer tous les switchs avec un compte SNMPv3 +# * Mettre l'inventaire des switchs dans Ansible +# - Optimiser les règles pour les bornes Unifi, +# on pourrait indexer avec les SSID + +procurve_switch: + walk: + - 1.3.6.1.2.1.31.1.1.1.10 + - 1.3.6.1.2.1.31.1.1.1.6 + get: + - 1.3.6.1.2.1.1.3.0 + - 1.3.6.1.2.1.1.5.0 + - 1.3.6.1.2.1.1.6.0 + metrics: + - name: sysUpTime + oid: 1.3.6.1.2.1.1.3 + type: gauge + help: The time (in hundredths of a second) since the network management portion + of the system was last re-initialized. - 1.3.6.1.2.1.1.3 + - name: sysName + oid: 1.3.6.1.2.1.1.5 + type: DisplayString + help: An administratively-assigned name for this managed node - 1.3.6.1.2.1.1.5 + - name: sysLocation + oid: 1.3.6.1.2.1.1.6 + type: DisplayString + help: The physical location of this node (e.g., 'telephone closet, 3rd floor') + - 1.3.6.1.2.1.1.6 + - name: ifHCOutOctets + oid: 1.3.6.1.2.1.31.1.1.1.10 + type: counter + help: The total number of octets transmitted out of the interface, including framing + characters - 1.3.6.1.2.1.31.1.1.1.10 + indexes: + - labelname: ifIndex + type: gauge + - name: ifHCInOctets + oid: 1.3.6.1.2.1.31.1.1.1.6 + type: counter + help: The total number of octets received on the interface, including framing + characters - 1.3.6.1.2.1.31.1.1.1.6 + indexes: + - labelname: ifIndex + type: gauge + version: 3 + auth: + username: prometheus + +ubiquiti_unifi: + walk: + - 1.3.6.1.4.1.41112.1.6 + get: + - 1.3.6.1.2.1.1.5.0 + - 1.3.6.1.2.1.1.6.0 + metrics: +# Pour faire une WifiMap un jour, on peut entrer la location dans la conf des bornes +# - name: sysLocation +# oid: 1.3.6.1.2.1.1.6 +# type: DisplayString +# help: The physical location of this node (e.g., 'telephone closet, 3rd floor') +# - 1.3.6.1.2.1.1.6 + - name: unifiVapIndex + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.1 + type: gauge + help: ' - 
1.3.6.1.4.1.41112.1.6.1.2.1.1' + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapChannel + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.4 + type: gauge + help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.4' + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapEssId + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.6 + type: DisplayString + help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.6' + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapName + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.7 + type: DisplayString + help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.7' + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapNumStations + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.8 + type: gauge + help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.8' + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapRadio + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.9 + type: DisplayString + help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.9' + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapRxBytes + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.10 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.10' + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapRxCrypts + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.11 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.11' + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapRxDropped + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.12 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.12' + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapRxErrors + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.13 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.13' + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapRxFrags + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.14 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.14' + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapRxPackets + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.15 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.15' + 
indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapTxBytes + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.16 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.16' + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapTxDropped + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.17 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.17' + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapTxErrors + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.18 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.18' + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapTxPackets + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.19 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.19' + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapTxRetries + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.20 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.20' + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapTxPower + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.21 + type: gauge + help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.21' + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapUp + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.22 + type: gauge + help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.22' + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiVapUsage + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.23 + type: DisplayString + help: guest or regular user - 1.3.6.1.4.1.41112.1.6.1.2.1.23 + indexes: + - labelname: unifiVapIndex + type: gauge + - name: unifiIfIndex + oid: 1.3.6.1.4.1.41112.1.6.2.1.1.1 + type: gauge + help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.1' + indexes: + - labelname: unifiIfIndex + type: gauge + - name: unifiIfName + oid: 1.3.6.1.4.1.41112.1.6.2.1.1.5 + type: DisplayString + help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.5' + indexes: + - labelname: unifiIfIndex + type: gauge + - name: unifiIfRxBytes + oid: 1.3.6.1.4.1.41112.1.6.2.1.1.6 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.6' + indexes: + - labelname: 
unifiIfIndex + type: gauge + - name: unifiIfRxDropped + oid: 1.3.6.1.4.1.41112.1.6.2.1.1.7 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.7' + indexes: + - labelname: unifiIfIndex + type: gauge + - name: unifiIfRxError + oid: 1.3.6.1.4.1.41112.1.6.2.1.1.8 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.8' + indexes: + - labelname: unifiIfIndex + type: gauge + - name: unifiIfRxMulticast + oid: 1.3.6.1.4.1.41112.1.6.2.1.1.9 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.9' + indexes: + - labelname: unifiIfIndex + type: gauge + - name: unifiIfRxPackets + oid: 1.3.6.1.4.1.41112.1.6.2.1.1.10 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.10' + indexes: + - labelname: unifiIfIndex + type: gauge + - name: unifiIfTxBytes + oid: 1.3.6.1.4.1.41112.1.6.2.1.1.12 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.12' + indexes: + - labelname: unifiIfIndex + type: gauge + - name: unifiIfTxDropped + oid: 1.3.6.1.4.1.41112.1.6.2.1.1.13 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.13' + indexes: + - labelname: unifiIfIndex + type: gauge + - name: unifiIfTxError + oid: 1.3.6.1.4.1.41112.1.6.2.1.1.14 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.14' + indexes: + - labelname: unifiIfIndex + type: gauge + - name: unifiIfTxPackets + oid: 1.3.6.1.4.1.41112.1.6.2.1.1.15 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.15' + indexes: + - labelname: unifiIfIndex + type: gauge + - name: unifiApSystemModel + oid: 1.3.6.1.4.1.41112.1.6.3.3 + type: DisplayString + help: ' - 1.3.6.1.4.1.41112.1.6.3.3' + - name: unifiApSystemUptime + oid: 1.3.6.1.4.1.41112.1.6.3.5 + type: counter + help: ' - 1.3.6.1.4.1.41112.1.6.3.5' + version: 3 + auth: + security_level: authPriv + username: snmp_prometheus + password: {{ snmp_unifi_password }} + auth_protocol: SHA + priv_protocol: AES + priv_password: {{ snmp_unifi_password }} From 6dec3ed0d1df44f451814b30db938d75375ba9ce Mon Sep 17 00:00:00 2001 
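Review bot: `password: {{ snmp_unifi_password }}` and `priv_password: {{ snmp_unifi_password }}` at the end of the `ubiquiti_unifi` module are unquoted Jinja expansions, so a secret containing `#`, `: `, a leading `*`/`&`/`[`, or anything that looks like a number or boolean is parsed by snmp_exporter as a comment, mapping or non-string and silently breaks SNMPv3 authentication; write them as `password: "{{ snmp_unifi_password }}"` and `priv_password: "{{ snmp_unifi_password }}"` (`{{ snmp_unifi_password | to_json }}` would additionally escape embedded quotes). The same variable serves as both the authentication and the privacy key; a separate `snmp_unifi_priv_password` would mean disclosure of one does not hand over the other. The `procurve_switch` module sets `version: 3` with only `auth: username: prometheus`, and without `security_level` and credentials snmp_exporter defaults to `noAuthNoPriv`; that matches the TODO list at the top of the file, but a comment next to that `auth:` block stating it is incomplete would stop it being mistaken for a finished configuration.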
From: Alexandre Iooss Date: Fri, 1 Nov 2019 15:17:59 +0100 Subject: [PATCH 115/297] Proxmox playbook and unifi ap --- hosts | 227 +++++++++++++++++++++++--- monitoring.yml | 37 ++++- proxmox.yml | 273 ++++++++++++++++++++++---------- roles/proxmox-vm/tasks/main.yml | 17 -- 4 files changed, 432 insertions(+), 122 deletions(-) delete mode 100644 roles/proxmox-vm/tasks/main.yml diff --git a/hosts b/hosts index 7d039c7..27def90 100644 --- a/hosts +++ b/hosts 
@@ -31,36 +31,222 @@ freya.adm.auro.re marki.adm.auro.re [fleming_vm] -#ldap-replica-fleming1.adm.auro.re -#ldap-replica-fleming2.adm.auro.re -#dhcp-fleming.adm.auro.re -#dns-fleming.adm.auro.re -#prometheus-fleming.adm.auro.re -#radius-fleming.adm.auro.re -#unifi-fleming.adm.auro.re +ldap-replica-fleming.adm.auro.re +dhcp-fleming.adm.auro.re +dns-fleming.adm.auro.re +prometheus-fleming.adm.auro.re +radius-fleming.adm.auro.re +unifi-fleming.adm.auro.re +routeur-fleming.adm.auro.re + +[fleming_unifi] +fa-0-1.borne.auro.re +fa-1-1.borne.auro.re +fa-2-1.borne.auro.re +fa-2-2.borne.auro.re +fa-3-1.borne.auro.re +fa-4-1.borne.auro.re +fb-0-1.borne.auro.re +fb-1-1.borne.auro.re +fb-1-2.borne.auro.re +fb-2-1.borne.auro.re +fb-2-2.borne.auro.re +fb-3-1.borne.auro.re +fb-3-2.borne.auro.re +fb-4-1.borne.auro.re +fb-4-2.borne.auro.re +fc-0-1.borne.auro.re +fc-1-1.borne.auro.re +fc-2-1.borne.auro.re +fc-3-1.borne.auro.re +fc-4-1.borne.auro.re +fd-0-1.borne.auro.re +fd-1-1.borne.auro.re +fd-2-1.borne.auro.re +fd-3-1.borne.auro.re +fd-4-1.borne.auro.re +fe-0-1.borne.auro.re +fe-1-1.borne.auro.re +fe-1-2.borne.auro.re +fe-2-1.borne.auro.re +fe-2-2.borne.auro.re +fe-3-1.borne.auro.re +fe-3-2.borne.auro.re +fe-4-1.borne.auro.re +fe-4-2.borne.auro.re +ff-0-1.borne.auro.re +ff-0-f.borne.auro.re +ff-1-1.borne.auro.re +ff-1-2.borne.auro.re +ff-2-1.borne.auro.re +ff-2-2.borne.auro.re +ff-3-1.borne.auro.re +ff-3-2.borne.auro.re +ff-4-1.borne.auro.re +ff-4-2.borne.auro.re +fg-0-1.borne.auro.re +fg-1-1.borne.auro.re +fg-1-2.borne.auro.re +fg-2-1.borne.auro.re +fg-2-2.borne.auro.re +fg-3-1.borne.auro.re +fg-3-2.borne.auro.re +fg-4-1.borne.auro.re +fg-4-2.borne.auro.re +fh-0-1.borne.auro.re +fh-1-1.borne.auro.re +fh-1-2.borne.auro.re +fh-2-1.borne.auro.re +fh-2-2.borne.auro.re +fh-3-1.borne.auro.re +fh-3-2.borne.auro.re +fh-4-1.borne.auro.re +fh-4-2.borne.auro.re +fi-0-1.borne.auro.re +fi-1-1.borne.auro.re +fi-1-2.borne.auro.re +fi-2-1.borne.auro.re +fi-2-2.borne.auro.re 
+fi-3-1.borne.auro.re +fi-3-2.borne.auro.re +fi-4-1.borne.auro.re +fi-4-2.borne.auro.re +fj-0-1.borne.auro.re +fj-1-1.borne.auro.re +fj-1-2.borne.auro.re +fj-2-1.borne.auro.re +fj-2-2.borne.auro.re +fj-3-1.borne.auro.re +fj-3-2.borne.auro.re +fj-4-1.borne.auro.re +fj-4-2.borne.auro.re +fk-0-1.borne.auro.re +fk-1-1.borne.auro.re +fk-1-2.borne.auro.re +fk-2-1.borne.auro.re +fk-2-2.borne.auro.re +fk-3-1.borne.auro.re +fk-3-2.borne.auro.re +fk-4-1.borne.auro.re +fk-4-2.borne.auro.re +fl-0-1.borne.auro.re +fl-1-1.borne.auro.re +fl-1-2.borne.auro.re +fl-2-1.borne.auro.re +fl-2-2.borne.auro.re +fl-3-1.borne.auro.re +fl-3-2.borne.auro.re +fl-4-1.borne.auro.re +fl-4-2.borne.auro.re [pacaterie_physical] mordred.adm.auro.re titan.adm.auro.re [pacaterie_vm] -#ldap-replica-pacaterie.adm.auro.re -#dhcp-pacaterie.adm.auro.re -#dns-pacaterie.adm.auro.re -#prometheus-pacaterie.adm.auro.re -#radius-pacaterie.adm.auro.re -#unifi-pacaterie.adm.auro.re +ldap-replica-pacaterie.adm.auro.re +dhcp-pacaterie.adm.auro.re +dns-pacaterie.adm.auro.re +prometheus-pacaterie.adm.auro.re +radius-pacaterie.adm.auro.re +unifi-pacaterie.adm.auro.re +routeur-pacaterie.adm.auro.re + +[pacaterie_unifi] +pc-1-1.borne.auro.re +pn-0-1.borne.auro.re +pn-0-2.borne.auro.re +pn-0-3.borne.auro.re +pn-1-1.borne.auro.re +pn-1-2.borne.auro.re +pn-1-3.borne.auro.re +pn-2-1.borne.auro.re +pn-2-2.borne.auro.re +pn-2-3.borne.auro.re +pn-3-1.borne.auro.re +pn-3-2.borne.auro.re +pn-3-3.borne.auro.re +pn-4-1.borne.auro.re +pn-4-2.borne.auro.re +pn-4-3.borne.auro.re +ps-0-1.borne.auro.re +ps-0-2.borne.auro.re +ps-0-3.borne.auro.re +ps-1-1.borne.auro.re +ps-1-2.borne.auro.re +ps-1-3.borne.auro.re +ps-2-1.borne.auro.re +ps-2-2.borne.auro.re +ps-2-3.borne.auro.re +ps-3-1.borne.auro.re +ps-3-2.borne.auro.re +ps-4-1.borne.auro.re +ps-4-2.borne.auro.re +ps-4-3.borne.auro.re [edc_physical] chapalux.adm.auro.re [edc_vm] +ldap-replica-edc.adm.auro.re +dhcp-edc.adm.auro.re +dns-edc.adm.auro.re +prometheus-edc.adm.auro.re 
+radius-edc.adm.auro.re +unifi-edc.adm.auro.re +routeur-edc.adm.auro.re + +[edc_unifi] +ep-0-1.borne.auro.re [georgesand_physical] perceval.adm.auro.re [georgesand_vm] +ldap-replica-georgesand.adm.auro.re +dhcp-georgesand.adm.auro.re +dns-georgesand.adm.auro.re +prometheus-georgesand.adm.auro.re +radius-georgesand.adm.auro.re +unifi-georgesand.adm.auro.re +routeur-georgesand.adm.auro.re +[georgesand_unifi] +ga-0-1.borne.auro.re +ga-1-1.borne.auro.re +ga-2-1.borne.auro.re +ga-3-1.borne.auro.re +ga-4-1.borne.auro.re +ga-5-1.borne.auro.re +ga-5-2.borne.auro.re +gb-1-1.borne.auro.re +gb-2-1.borne.auro.re +gb-3-1.borne.auro.re +gb-4-1.borne.auro.re +gb-5-1.borne.auro.re +gc-1-1.borne.auro.re +gc-2-1.borne.auro.re +gc-3-1.borne.auro.re +gc-4-1.borne.auro.re +gc-5-1.borne.auro.re +gd-1-1.borne.auro.re +gd-2-1.borne.auro.re +gd-3-1.borne.auro.re +gd-4-1.borne.auro.re +gd-5-1.borne.auro.re +gd-garage-1.borne.auro.re +ge-0-1.borne.auro.re +ge-1-1.borne.auro.re +ge-2-1.borne.auro.re +ge-3-1.borne.auro.re +ge-4-1.borne.auro.re +ge-5-1.borne.auro.re +gf-0-1.borne.auro.re +gf-1-1.borne.auro.re +gf-2-1.borne.auro.re +gf-3-1.borne.auro.re +gf-4-1.borne.auro.re +gf-5-1.borne.auro.re ##################### # Geographic groups # @@ -76,21 +262,25 @@ ovh_vm [fleming:children] fleming_pve fleming_vm +fleming_unifi # everything at pacaterie [pacaterie:children] pacaterie_physical pacaterie_vm +pacaterie_unifi # everything at edc [edc:children] edc_physical edc_vm +edc_unifi # everything at georgesand [georgesand:children] georgesand_physical georgesand_vm +georgesand_unifi ##################### # Type groups # @@ -116,11 +306,12 @@ pacaterie_physical edc_physical georgesand_physical -# every server (except access points) -[server:children] -container -physical -vm +# every unifi access point +[unifi:children] +fleming_unifi +pacaterie_unifi +edc_unifi +georgesand_unifi [all:vars] # Force remote to use Python 3 diff --git a/monitoring.yml b/monitoring.yml index 1e3a57c..f58cca1 100644 
--- a/monitoring.yml +++ b/monitoring.yml @@ -1,12 +1,12 @@ --- -# Deploy Prometheus - hosts: prometheus-fleming.adm.auro.re vars: # Prometheus targets.json prometheus_targets: - - targets: "{{ groups['server'] | list | sort }}" + - targets: | + {{ groups['fleming_physical'] + groups['fleming_vm'] | list | sort }} prometheus_unifi_snmp_targets: - - targets: [] + - targets: "{{ groups['fleming_unifi'] | list | sort }}" roles: - prometheus - prometheus-alertmanager @@ -15,14 +15,39 @@ vars: # Prometheus targets.json prometheus_targets: - - targets: "{{ groups['server'] | list | sort }}" + - targets: | + {{ groups['pacaterie_physical'] + groups['pacaterie_vm'] | list | sort }} prometheus_unifi_snmp_targets: - - targets: [] + - targets: "{{ groups['pacaterie_unifi'] | list | sort }}" + roles: + - prometheus + - prometheus-alertmanager + +- hosts: prometheus-edc.adm.auro.re + vars: + # Prometheus targets.json + prometheus_targets: + - targets: | + {{ groups['edc_physical'] + groups['edc_vm'] | list | sort }} + prometheus_unifi_snmp_targets: + - targets: "{{ groups['edc_unifi'] | list | sort }}" + roles: + - prometheus + - prometheus-alertmanager + +- hosts: prometheus-georgesand.adm.auro.re + vars: + # Prometheus targets.json + prometheus_targets: + - targets: | + {{ groups['georgesand_physical'] + groups['georgesand_vm'] | list | sort }} + prometheus_unifi_snmp_targets: + - targets: "{{ groups['georgesand_unifi'] | list | sort }}" roles: - prometheus - prometheus-alertmanager # Monitor all hosts -- hosts: fleming,pacaterie +- hosts: all,!unifi,!ovh roles: - prometheus-node diff --git a/proxmox.yml b/proxmox.yml index 15914d4..a0fef88 100644 --- a/proxmox.yml +++ b/proxmox.yml 
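Review bot: In each `prometheus_targets` entry the expression `groups['fleming_physical'] + groups['fleming_vm'] | list | sort` (and its pacaterie, edc and georgesand twins) applies the filters to the right-hand operand only, because Jinja's `|` binds tighter than `+`, so the physical hosts are prepended unsorted to the sorted VM list. Parenthesise and use the conventional quoted form instead of a `|` block scalar, which also leaves a trailing newline in the value: `- targets: "{{ (groups['fleming_physical'] + groups['fleming_vm']) | sort }}"`, applied to all four plays. The last play's `hosts: all,!unifi,!ovh` silently drops the OVH machines from node monitoring; a one-line comment saying why would keep someone from re-adding them by accident.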
@@ -3,89 +3,200 @@ - hosts: proxy.adm.auro.re # Host with python-proxmoxer and python-requests become: false # We do not need root as we use Proxmox API - vars: - vm_definitions: - - # Réseau Pacaterie - - name: ldap-replica-pacaterie - virtu: mordred - cores: 2 # 2 mimimum, 10 maximum - memory: 1024 # M - disksize: 16 # G - installiso: debian-10.0.0-amd64-netinst.iso - - name: dhcp-pacaterie - virtu: mordred - cores: 2 # 2 mimimum, 10 maximum - memory: 1024 # M - disksize: 16 # G - installiso: debian-10.0.0-amd64-netinst.iso - - name: dns-pacaterie - virtu: mordred - cores: 2 # 2 mimimum, 10 maximum - memory: 1024 # M - disksize: 16 # G - installiso: debian-10.0.0-amd64-netinst.iso - - name: prometheus-pacaterie - virtu: mordred - cores: 2 # 2 mimimum, 10 maximum - memory: 1024 # M - disksize: 16 # G - installiso: debian-10.0.0-amd64-netinst.iso - - name: radius-pacaterie - virtu: mordred - cores: 2 # 2 mimimum, 10 maximum - memory: 1024 # M - disksize: 16 # G - installiso: debian-10.0.0-amd64-netinst.iso - - name: unifi-pacaterie - virtu: mordred - cores: 2 # 2 mimimum, 10 maximum - memory: 1024 # M - disksize: 16 # G - installiso: debian-9.9.0-amd64-netinst.iso - - # Réseau Fleming - - name: ldap-replica-fleming1 - virtu: freya - cores: 2 # 2 mimimum, 10 maximum - memory: 1024 # M - disksize: 16 # G - installiso: debian-10.0.0-amd64-netinst.iso - - name: dhcp-fleming - virtu: freya - cores: 2 # 2 mimimum, 10 maximum - memory: 1024 # M - disksize: 16 # G - installiso: debian-10.0.0-amd64-netinst.iso - - name: dns-fleming - virtu: freya - cores: 2 # 2 mimimum, 10 maximum - memory: 1024 # M - disksize: 16 # G - installiso: debian-10.0.0-amd64-netinst.iso - - name: prometheus-fleming - virtu: freya - cores: 2 # 2 mimimum, 10 maximum - memory: 1024 # M - disksize: 16 # G - installiso: debian-10.0.0-amd64-netinst.iso - - name: radius-fleming - virtu: freya - cores: 2 # 2 mimimum, 10 maximum - memory: 1024 # M - disksize: 16 # G - installiso: 
debian-10.0.0-amd64-netinst.iso - - name: unifi-fleming - virtu: freya - cores: 2 # 2 mimimum, 10 maximum - memory: 1024 # M - disksize: 16 # G - installiso: debian-9.9.0-amd64-netinst.iso - vars_prompt: - name: "password" prompt: "Enter LDAP password for your user" private: true - roles: - - proxmox-vm + tasks: + - name: Define a virtual machine in Proxmox + proxmox_kvm: + api_user: "{{ ansible_user_id }}@pam" + api_password: "{{ password }}" + api_host: "{{ item.virtu }}.adm.auro.re" + name: "{{ item.name }}" + node: "{{ item.virtu }}" + scsihw: virtio-scsi-pci + scsi: '{"scsi0":"{{ item.virtu }}:{{ item.disksize }},format=raw"}' + sata: '{"sata0":"local:iso/{{ item.installiso }},media=cdrom"}' + net: '{"net0":"virtio,bridge=vmbr2"}' # Adm only by default + cores: "{{ item.cores }}" + memory: "{{ item.memory }}" + balloon: "{{ item.memory // 2 }}" + bios: seabios # Ansible module doesn't support UEFI boot disk + loop: + # Réseau Fleming + - name: ldap-replica-fleming + virtu: freya + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dhcp-fleming + virtu: freya + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dns-fleming + virtu: freya + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: prometheus-fleming + virtu: freya + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: radius-fleming + virtu: freya + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: unifi-fleming + virtu: freya + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-9.9.0-amd64-netinst.iso + - name: routeur-fleming + virtu: freya + cores: 2 # 2 mimimum, 10 maximum + memory: 
1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + + # Réseau Pacaterie + - name: ldap-replica-pacaterie + virtu: mordred + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dhcp-pacaterie + virtu: mordred + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dns-pacaterie + virtu: mordred + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: prometheus-pacaterie + virtu: mordred + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: radius-pacaterie + virtu: mordred + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: unifi-pacaterie + virtu: mordred + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-9.9.0-amd64-netinst.iso + - name: routeur-pacaterie + virtu: mordred + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + + # Réseau EDC + - name: ldap-replica-edc + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dhcp-edc + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dns-edc + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: prometheus-edc + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: radius-edc + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + 
disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: unifi-edc + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-9.9.0-amd64-netinst.iso + - name: routeur-edc + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + + # Réseau George Sand + - name: ldap-replica-georgesand + virtu: perceval + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dhcp-georgesand + virtu: perceval + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dns-georgesand + virtu: perceval + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: prometheus-georgesand + virtu: perceval + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: radius-georgesand + virtu: perceval + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: unifi-georgesand + virtu: perceval + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-9.9.0-amd64-netinst.iso + - name: routeur-georgesand + virtu: perceval + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso diff --git a/roles/proxmox-vm/tasks/main.yml b/roles/proxmox-vm/tasks/main.yml deleted file mode 100644 index be94272..0000000 --- a/roles/proxmox-vm/tasks/main.yml +++ /dev/null 
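Review bot: With the module inlined and a 28-item `loop`, every iteration prints the whole item mapping in the play output; add `loop_control:` with `label: "{{ item.name }}"` under the task so output stays readable. Every item is the same six-line block except for `name` and `virtu`, so a play-level var holding the common `cores`/`memory`/`disksize`/`installiso` values with per-item override would shrink the list and make a future resize a one-line change. The `# 2 mimimum, 10 maximum` comment is misspelled in every item (`minimum`). A comment above `vars_prompt` noting that the one prompted `password` is reused against every node named in `virtu` would spare the next reader a guess.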
@@ -1,17 +0,0 @@ ---- -- name: Define a virtual machine in Proxmox - proxmox_kvm: - api_user: "{{ ansible_user_id }}@pam" - api_password: "{{ password }}" - api_host: "{{ item.virtu }}.adm.auro.re" - name: "{{ item.name }}" - node: "{{ item.virtu }}" - scsihw: virtio-scsi-pci - scsi: '{"scsi0":"{{ item.virtu }}:{{ item.disksize }},format=raw"}' - sata: '{"sata0":"local:iso/{{ item.installiso }},media=cdrom"}' - net: '{"net0":"virtio,bridge=vmbr2"}' # Adm only by default - cores: "{{ item.cores }}" - memory: "{{ item.memory }}" - balloon: "{{ item.memory // 2 }}" - bios: seabios # Ansible module doesn't support UEFI boot disk - loop: "{{ vm_definitions }}" From ccbd7d3770661425f9966dd608f1b125e800a819 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Fri, 1 Nov 2019 15:38:35 +0100 Subject: [PATCH 116/297] Failover VMs --- base.yml | 4 +- hosts | 24 ++++++ monitoring.yml | 20 +++-- proxmox.yml | 74 +++++++++++++++++++ .../prometheus-alertmanager/handlers/main.yml | 5 -- roles/prometheus-alertmanager/tasks/main.yml | 14 ---- .../templates/prometheus/alertmanager.yml.j2 | 62 ---------------- .../templates/prometheus/prometheus.yml.j2 | 2 +- 8 files changed, 113 insertions(+), 92 deletions(-) delete mode 100644 roles/prometheus-alertmanager/handlers/main.yml delete mode 100644 roles/prometheus-alertmanager/tasks/main.yml delete mode 100644 roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2 diff --git a/base.yml b/base.yml index dc3c2dc..cb83112 100644 --- a/base.yml +++ b/base.yml @@ -1,12 +1,12 @@ --- # Put a common configuration on all servers -- hosts: all +- hosts: all,!unifi roles: - baseconfig - basesecurity # Plug LDAP on all servers -- hosts: all +- hosts: all,!unifi roles: - ldap-client diff --git a/hosts b/hosts index 27def90..d65e07f 100644 --- a/hosts +++ b/hosts 
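Review bot: `all,!unifi` hard-codes in each play the host set that the deleted `[server:children]` group used to name once in the inventory, and monitoring.yml now carries a different variant (`all,!unifi,!ovh`). A positive group such as `[servers:children]` listing the `*_physical` and `*_vm` groups (name constructed here) would keep the definition in `hosts` and turn the next device type into a one-line inventory change instead of a sweep of every playbook. Both plays in this file use the same pattern.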
@@ -32,12 +32,18 @@ marki.adm.auro.re [fleming_vm] ldap-replica-fleming.adm.auro.re +ldap-replica-fleming-fo.adm.auro.re dhcp-fleming.adm.auro.re +dhcp-fleming-fo.adm.auro.re dns-fleming.adm.auro.re +dns-fleming-fo.adm.auro.re prometheus-fleming.adm.auro.re +prometheus-fleming-fo.adm.auro.re radius-fleming.adm.auro.re +radius-fleming-fo.adm.auro.re unifi-fleming.adm.auro.re routeur-fleming.adm.auro.re +routeur-fleming-fo.adm.auro.re [fleming_unifi] fa-0-1.borne.auro.re @@ -145,12 +151,18 @@ titan.adm.auro.re [pacaterie_vm] ldap-replica-pacaterie.adm.auro.re +ldap-replica-pacaterie-fo.adm.auro.re dhcp-pacaterie.adm.auro.re +dhcp-pacaterie-fo.adm.auro.re dns-pacaterie.adm.auro.re +dns-pacaterie-fo.adm.auro.re prometheus-pacaterie.adm.auro.re +prometheus-pacaterie-fo.adm.auro.re radius-pacaterie.adm.auro.re +radius-pacaterie-fo.adm.auro.re unifi-pacaterie.adm.auro.re routeur-pacaterie.adm.auro.re +routeur-pacaterie-fo.adm.auro.re [pacaterie_unifi] pc-1-1.borne.auro.re @@ -189,12 +201,18 @@ chapalux.adm.auro.re [edc_vm] ldap-replica-edc.adm.auro.re +ldap-replica-edc-fo.adm.auro.re dhcp-edc.adm.auro.re +dhcp-edc-fo.adm.auro.re dns-edc.adm.auro.re +dns-edc-fo.adm.auro.re prometheus-edc.adm.auro.re +prometheus-edc-fo.adm.auro.re radius-edc.adm.auro.re +radius-edc-fo.adm.auro.re unifi-edc.adm.auro.re routeur-edc.adm.auro.re +routeur-edc-fo.adm.auro.re [edc_unifi] ep-0-1.borne.auro.re @@ -204,12 +222,18 @@ perceval.adm.auro.re [georgesand_vm] ldap-replica-georgesand.adm.auro.re +ldap-replica-georgesand-fo.adm.auro.re dhcp-georgesand.adm.auro.re +dhcp-georgesand-fo.adm.auro.re dns-georgesand.adm.auro.re +dns-georgesand-fo.adm.auro.re prometheus-georgesand.adm.auro.re +prometheus-georgesand-fo.adm.auro.re radius-georgesand.adm.auro.re +radius-georgesand-fo.adm.auro.re unifi-georgesand.adm.auro.re routeur-georgesand.adm.auro.re +routeur-georgesand-fo.adm.auro.re [georgesand_unifi] ga-0-1.borne.auro.re diff --git a/monitoring.yml b/monitoring.yml index f58cca1..2f26803 100644 
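Review bot: The `-fo` hosts are added for all four sites, but the proxmox.yml hunks in this commit only define failover VMs for fleming (on `marki`) and pacaterie (on `titan`); `ldap-replica-edc-fo`, `prometheus-georgesand-fo` and the other edc/georgesand `-fo` entries have no VM definition, while monitoring.yml already targets `prometheus-edc-fo` and `prometheus-georgesand-fo`. Unless those VMs are created by other means, every `all,!unifi` play will report them unreachable; either add them to proxmox.yml or keep the edc/georgesand entries out of the inventory until they exist. The same applies to the third and fourth hunks in this file.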
--- a/monitoring.yml +++ b/monitoring.yml @@ -1,6 +1,8 @@ --- -- hosts: prometheus-fleming.adm.auro.re +- hosts: prometheus-fleming.adm.auro.re,prometheus-fleming-fo.adm.auro.re vars: + prometheus_alertmanager: docker-ovh.adm.auro.re:9093 + # Prometheus targets.json prometheus_targets: - targets: | @@ -9,10 +11,11 @@ - targets: "{{ groups['fleming_unifi'] | list | sort }}" roles: - prometheus - - prometheus-alertmanager -- hosts: prometheus-pacaterie.adm.auro.re +- hosts: prometheus-pacaterie.adm.auro.re,prometheus-pacaterie-fo.adm.auro.re vars: + prometheus_alertmanager: docker-ovh.adm.auro.re:9093 + # Prometheus targets.json prometheus_targets: - targets: | @@ -21,10 +24,11 @@ - targets: "{{ groups['pacaterie_unifi'] | list | sort }}" roles: - prometheus - - prometheus-alertmanager -- hosts: prometheus-edc.adm.auro.re +- hosts: prometheus-edc.adm.auro.re,prometheus-edc-fo.adm.auro.re vars: + prometheus_alertmanager: docker-ovh.adm.auro.re:9093 + # Prometheus targets.json prometheus_targets: - targets: | @@ -33,10 +37,11 @@ - targets: "{{ groups['edc_unifi'] | list | sort }}" roles: - prometheus - - prometheus-alertmanager -- hosts: prometheus-georgesand.adm.auro.re +- hosts: prometheus-georgesand.adm.auro.re,prometheus-georgesand-fo.adm.auro.re vars: + prometheus_alertmanager: docker-ovh.adm.auro.re:9093 + # Prometheus targets.json prometheus_targets: - targets: | @@ -45,7 +50,6 @@ - targets: "{{ groups['georgesand_unifi'] | list | sort }}" roles: - prometheus - - prometheus-alertmanager # Monitor all hosts - hosts: all,!unifi,!ovh diff --git a/proxmox.yml b/proxmox.yml index a0fef88..8aa56fb 100644 --- a/proxmox.yml +++ b/proxmox.yml 
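Review bot: `prometheus_alertmanager: docker-ovh.adm.auro.re:9093` is repeated verbatim in four plays; one definition in group_vars (or a role default) keeps the Alertmanager endpoint in a single place, which matters now that the local `prometheus-alertmanager` role is deleted and every site depends on that one host. Each play now targets a primary and a `-fo` Prometheus scraping the same targets and sending to the same Alertmanager; Alertmanager deduplicates only alerts with identical label sets, so whether the pair produces double notifications depends on the `external_labels` in prometheus.yml.j2, which the hunk of that file does not show. A comment above the variable stating whether duplicated alerts from the pair are expected would help the next reader.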
@@ -69,6 +69,43 @@ disksize: 16 # G installiso: debian-10.0.0-amd64-netinst.iso + - name: ldap-replica-fleming-fo + virtu: marki + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dhcp-fleming-fo + virtu: marki + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dns-fleming-fo + virtu: marki + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: prometheus-fleming-fo + virtu: marki + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: radius-fleming-fo + virtu: marki + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: routeur-fleming-fo + virtu: marki + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + # Réseau Pacaterie - name: ldap-replica-pacaterie virtu: mordred 
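Review bot: The failover items are appended directly after `routeur-fleming` with nothing marking where the primary block ends, so the only cue that `virtu` switches from `freya` to `marki` is the `-fo` suffix. A banner comment above `- name: ldap-replica-fleming-fo`, in the style of the existing `# Réseau …` lines, e.g. `# Réseau Fleming (failover VMs, hosted on marki)`, would document the intent; the pacaterie block on `titan` in the next hunk needs the same.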
@@ -113,6 +150,43 @@ disksize: 16 # G installiso: debian-10.0.0-amd64-netinst.iso + - name: ldap-replica-pacaterie-fo + virtu: titan + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dhcp-pacaterie-fo + virtu: titan + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dns-pacaterie-fo + virtu: titan + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: prometheus-pacaterie-fo + virtu: titan + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: radius-pacaterie-fo + virtu: titan + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: routeur-pacaterie-fo + virtu: titan + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + # Réseau EDC - name: ldap-replica-edc virtu: chapalux diff --git a/roles/prometheus-alertmanager/handlers/main.yml b/roles/prometheus-alertmanager/handlers/main.yml deleted file mode 100644 index 3ddbf93..0000000 --- a/roles/prometheus-alertmanager/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Restart Prometheus Alertmanager - service: - name: prometheus-alertmanager - state: restarted diff --git a/roles/prometheus-alertmanager/tasks/main.yml b/roles/prometheus-alertmanager/tasks/main.yml deleted file mode 100644 index b65a295..0000000 --- a/roles/prometheus-alertmanager/tasks/main.yml +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -- name: Install Prometheus Alertmanager - apt: - update_cache: true - name: prometheus-alertmanager - register: apt_result - retries: 3 - until: apt_result is succeeded - -- name: Configure Prometheus Alertmanager - template: - src: prometheus/alertmanager.yml.j2 - dest: /etc/prometheus/alertmanager.yml - notify: Restart Prometheus Alertmanager diff --git a/roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2 b/roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2 deleted file mode 100644 index d25fbd6..0000000 --- a/roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2 +++ /dev/null 
@@ -1,62 +0,0 @@ -# {{ ansible_managed }} -# See https://prometheus.io/docs/alerting/configuration/ for documentation. - -global: - # The smarthost and SMTP sender used for mail notifications. - smtp_smarthost: 'localhost:25' - smtp_from: 'alertmanager@example.org' - #smtp_auth_username: 'alertmanager' - #smtp_auth_password: 'password' - # The auth token for Hipchat. - hipchat_auth_token: '1234556789' - # Alternative host for Hipchat. - hipchat_api_url: 'https://hipchat.foobar.org/' - -# The directory from which notification templates are read. -templates: -- '/etc/prometheus/alertmanager_templates/*.tmpl' - -# The root route on which each incoming alert enters. -route: - # The labels by which incoming alerts are grouped together. For example, - # multiple alerts coming in for cluster=A and alertname=LatencyHigh would - # be batched into a single group. - group_by: ['instance'] # group per instance - - # When a new group of alerts is created by an incoming alert, wait at - # least 'group_wait' to send the initial notification. - # This way ensures that you get multiple alerts for the same group that start - # firing shortly after another are batched together on the first - # notification. - group_wait: 30s - - # When the first notification was sent, wait 'group_interval' to send a batch - # of new alerts that started firing for that group. - group_interval: 5m - - # If an alert has successfully been sent, wait 'repeat_interval' to - # resend them. - repeat_interval: 12h - - # A default receiver - receiver: webhook - - -# Inhibition rules allow to mute a set of alerts given that another alert is -# firing. -# We use this to mute any warning-level notifications if the same alert is -# already critical. -inhibit_rules: -- source_match: - severity: 'critical' - target_match: - severity: 'warning' - # Apply inhibition if the alertname is the same. 
- equal: ['alertname', 'cluster', 'service'] - - -receivers: -- name: 'webhook' - webhook_configs: - - url: 'http://URL A METTRE ICI VERS WEBHOOK DISCORD TODO/' - send_resolved: true diff --git a/roles/prometheus/templates/prometheus/prometheus.yml.j2 b/roles/prometheus/templates/prometheus/prometheus.yml.j2 index 19c64ef..31df6bd 100644 --- a/roles/prometheus/templates/prometheus/prometheus.yml.j2 +++ b/roles/prometheus/templates/prometheus/prometheus.yml.j2 @@ -15,7 +15,7 @@ global: alerting: alertmanagers: - static_configs: - - targets: ['localhost:9093'] + - targets: ['{{ prometheus_alertmanager }}'] # Load rules once and periodically evaluate them according to the global 'evaluation_interval'. rule_files: From 07e71659efdcc4157cd30b6fa13d4b05b685002c Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Fri, 1 Nov 2019 19:02:21 +0100 Subject: [PATCH 117/297] Monitor Unifi AP --- group_vars/all/vault.yml | 243 ++++++++++++++++++++------------------- hosts | 42 +++---- monitoring.yml | 4 + 3 files changed, 148 insertions(+), 141 deletions(-) diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 8f0765f..4d728f7 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml 
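Review bot: `{{ prometheus_alertmanager }}` has no default, so any play that applies the `prometheus` role without setting the variable now fails at template time, where the old literal `localhost:9093` always rendered; the four plays in monitoring.yml set it, but nothing stops a future play from omitting it. Either add `prometheus_alertmanager` to the role's defaults or guard the template: `- targets: ['{{ prometheus_alertmanager | default("localhost:9093") }}']`. A one-line comment above the `alerting:` block naming where the variable is expected to come from would also help.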
@@ -1,121 +1,124 @@ $ANSIBLE_VAULT;1.1;AES256 -63383763633231303965383737313737656433616465303432663764393065613739663934646462 -6433653264666237643634303032653438323363646433370a333663623139343464376432313337 -66633139313363356562393431353961613032616234323834633539396639643035353131373065 -3566623037356638610a323961303461636661323864656564333637353331633139333437373065 -64393764646332306535613863626634383063366132343936336365376237626637643032353031 -34343137366236326535393665386634323164633765613238383166393961623133313738336464 -32613039643531636663636334303636326333316664383636333030386136656331396237363931 -35306563613961393634336165396466373063363362623734386435383663363438336631666461 -65323434373836316363353964666462646139316465656434396537373364326565306231663164 -66666561366135316132386262646165303738356564333736336539623939393238313135643137 -38653234663331646435383361393638616464663530666663643036316665396665663861373039 -65316138396662363664626363383632383562393730623366393165633832626635663661353537 -64653931366135316662303339353434373837666262383836653536326230303336613439353339 -34393638373763663035356236633866396237396139613561626664636430336336396233363730 -64316632633364356337623239383536363163623137653134383761393433656431393264333161 -37633562396133353664613933363134313432653737633166396532343963613937383363663962 -38613964646336333239373562633233366436393833306536636637373362653661393831376437 -36393332386239356634633434613566323232346561333063323763346634656537343665383966 -39363962336266373033356165356466386166653864663632613431333134363437653464636630 -66636261363466393566326433363337323865333131643337336462633033386262663031396164 -33666634643034326537653463346564616462356535393237386432336237393365373131636636 -63633934333863313032623363353763313938376431313532343462303361353139383962336261 -39336266393239353839386530613066643566383136303334353366366561633934653962333133 
-63646239336261386239623034383863303839383031666232636339383739626434636332653834 -39663630663331663237373731656530386138666330376664623065653262636665646238646564 -30663631643236306662373336376262663136666637323964343464623563656336333761336537 -38623633393465323761363438353032323138313830613966393038393137336362303861376130 -34316164316537373266316166366332623630363130633366656531386361346235316335313837 -30386430366165343437653239303862306539393062333066326337353037643038333162303931 -64333164323635393139663031306231343437306233636262643433653763366665623966626432 -34326562346139383538656531643966633363336439333130666330623061383234326461646439 -38343838373431326366646436306463643563373836326534343461313265346336316630356534 -66393834633361313330623134616631343035643231373562363863363066373166646566633735 -63343535366634346233306138373936303132333861306534323930386636626366393638376235 -38616238303763366561373337636466616535363837393237396437636435653564353339613137 -61303963313461336633623563653463323462636563663765336230623231613936353435636638 -37333535646436373430633336336238316666623336396663643933633966633639343861306532 -31646537393532353135643833383830333635653531333737383237313331383362386536313534 -63666334306562656332613132353337373263353836363362363861633736616537346539383932 -66303864396366363731353430303566366339313137393934323566633933373938316261313734 -35323835343038653130366133393566656361356333396332313431356530653430393937323237 -35393535633438616433343035353766393162353031343637646230393562613535336234326530 -38636133326537613533653130396536343638663738343438626432653636323562313164363434 -36363066373264626331623161386339616430623366353137656534303935653631643334313264 -66666138653033323333323239333036613433646631636535393061623132626163653736366636 -65666632613334383233353565626631346463393037343866373464613762326663666438313865 -38323733373836376531316138383965393236356463656164373835383032306163336232306236 
-36376563323063393931356633323434643265306163393839653866316433656636666632363065 -39393231633834633233373464383634613338333335303239623863646437333133623033306634 -61363764626462313733666239383333383934313530353964333166336564666133326338326634 -33373739323538383761313162346436363261373437306361343431373163366639303263303565 -63363932623638643062643337643634316230613665643634643333643436643061333538383831 -32356636366562373164363339393331336436653434633963636134613664626664346432303638 -66643464613166643032376437333338626531613666366238663631373266373862356236306434 -63363464376165346232356538396538353135303038626630623566646336653531396264316232 -35613734663766303734626436663161393231643365313032373565383338376533656635333462 -64636130306463656436646633346362666138623336356634313863316561636561356635643434 -35316164623533613133393861313865336338626530663131366563616137643961366539636332 -34386431326539636565396432666565373132616130613839386164393963643039303132623036 -33643763383531356438333232643165346336646535356133646161323234353236623734613564 -62623638616438366631656536343334636561643432356234386231313332656234313761613362 -65386538353630623631623731383065623762613661393838666233656437383634313931626536 -37613464383764633763383465643734356530353834656139326366663065363135663266663866 -34326261353164613731626365386562663364613033396564326633346462666566376139313934 -64306135393862626663613332316161623965323364613762336630353561336562323939323039 -38616636306432393032323865663932383362646663666564666337343432333038343736656232 -35663938386665663263646634363833343264656136373237383164656163366261613639343063 -30383632626561313833336432626239353464313834383532373864636130663232313830356261 -37333538646430356536393062386636653862616432663636336634323435383039343661343230 -64353739336665353630376431303061343333343433663662343138326230333561333537363735 -36636136353138383864373335386139643134366364373761623835633763616631396331383738 
-32393131643762646532313733353465666339626366323034663637656434313033663633343863 -63363861373434376637623337623732373265656237616364326266363430653035643835323233 -34363461323131346264646234616131396431623734666163363135323834376534343937393838 -38626665373934346638363832626133316238373064653334653236316233353561396238383461 -63396333663736636436663935383932303633323231316534623664633332613166316334326430 -30343561653766636634363764643262363130353331363931666539376134326232646661376633 -34623936346637633530613538626166303362323365343935623466326630646537633034636164 -33326436643137343238656531386464326239643661616465366638346163616663383034333732 -61333365643739333464356233343238326339346334633764373765313832646131313862336237 -62663163393632656637646338316565643165353965366664343339356135666130393835633031 -31363738306639376233356134313637613438653465383131623733643039353361313465343966 -36636430613932386238633165353662616165393332313966623635633365376266346261623562 -66653038633237653061656136643939316562663961626633623361643739343863333464396164 -32633661653337616230366235386131653034363533323836373636346231373335396536623765 -30346430616335363738353035343738353330343930646330653161633330383238623636613765 -61616266663533663665343230353734636464333162313434663263343739303833316630306432 -36386131313431633564633830356266383762313038633237303034646661633536316438316664 -61346462366635613938616333613033356335316333363464663734313436663739323462383263 -62376437656634386432656133363261373765333531646433303936386562616433323261396130 -32333934313733643665613137666237666561376136306632313861613535623032626261396563 -32326566366437363839656564333862316339303262323164653331626563316565353362303135 -65373264656236653266656462353034366466616139333239323039386163616365346562393637 -65646466336337313734386434343561613935343065646464666162643731616362653234326431 -65366437376437666531383263393434303633616666643832323865663962663639643264326364 
-35313465303464636632373139313435626464616136353839373135343934653363363564353061 -64363166303761396131336464383532396339623065323736313661646366336438356634383865 -66333263383130363835386662343730346632626335653566353933363366323938346165646464 -36363731643561316231306330373431313431643835346236313765393134313263653637353530 -66613566383635356132343537373838343564393964613537633165323037363734303963626534 -37323430383631396631666162393435663336656235333065353731383031386233646266343636 -38363639633365363231656263376438643331663164613262386265333234613733666166366364 -64626365313731336431633532366265353938363861313731323361313131376562623234666233 -66613761363336303062363466393035613536623263663366336132383062663732376163306333 -36303337616363346565663736353937353735383338363838343561393833393837373836633430 -39366531663335386233333735613363313866636332336538376166353237376138616566323535 -31383336306563303631653162353030613631333662623065636131303565303337633631613639 -38316639363033363364393063376635376431356132386361333138343139383066643436663264 -62383666313236383737393632653764663836303736393838353532633735653730663064313035 -30656265313430303765646536623534646338323539366465653564656562643864386462643965 -63343334613038353734616335663064656433616265346437303338636539346235323964323633 -39376663306464636364306639616136613861363364623236626233336561393065303035653539 -39643661323331346362343861323739303264333237356233323534383534373338613637373832 -30343964626236643538616439643837306432656534623235623731373538616431616335376637 -65663234643132386666376431616337633435663061303734363236363066373230366337393136 -33393734353866313563386537363831646166326134613561663133666430356364613761643337 -31363433303765343731333163313865386265363163303138393262313466666333313236323430 -35643135383464656431316438653638333264633432313133656432636634393035623762343134 -37393036663938613732616435333666643963343566343930323037363862363530373439626464 -30616264363235326665 
+62336464303865306137613162653332366434323836343734363565306537666430353664663335 +6135646632336436383038666436313536306236336535620a666366353761356232333366643339 +38323938366431343563666134663533626431366661333864623461663435313636303732366564 +3038343434366662660a323330643133376264616166653963643434666436666638363830376536 +37383065633161666139613930383062346464303030636561656230646537383663623665663339 +64633931303536383033643535366164363661363062313333643939383736663634616436336230 +37313863353731373064643436653535383736396665666565666365636232626639323339636633 +31346130373762343237333335383935393238663265303864343333613865386637316562313534 +65623064393864653635313130646432623964663065373139646461623836333538616238626234 +66373839363636313765366235363231306262636561636163623839643032613839343338613538 +32386236343135376633636436363439653530653330333930316530363132653765623737316138 +31363938636165333639646233323763383162623933316231646638376535643434656338643561 +33336164336365323736373835613335623238373637663936386364313966376163326539633766 +33376638393134643831653066653930643530333861383565346132323739383066656439373262 +64303466393862303535333031386365666164373136356562393137393039306632646262623533 +62656133336230353833623363636663353937616262393337656230623361386637643232306233 +39646439626265653463326164396537666664326364373734303337306263303164343034633331 +34393166386264656133396432356539653166616134636536313062643662656364366135653237 +38326463656637343163373835633732616634653039646633366637346231393063643030396165 +38646463363262656631623438323838396631656362306438313132633866306639626133336337 +61623161636630666532346166383135393336343265323536666535343237323364366137386337 +64636339653663356439633731313966363035656433633463363331323636376337313137643932 +34343438363030653939376566313265393330323561373131663562333138623139353136356166 +39343962356563666663613532363434663037373434613337393635656230633230653031373437 
+61653238353438373062363133623065633465363938333438626666393463333965323130393939 +36653930336564306162616537313031616238333830386332386136366534656338333934333664 +31633266386530643431643036353966313866333763633233363737303034393364323961643464 +66386230386435613436316133613134646532616633353830396565373562303230653531363537 +30396135373631343938366439373466656538613562623361623164333235643137656432396234 +65306236653139656138393032363732323239353965326538323365656261373834343434616137 +35656235623566663931303533643331623636643636623461386635623337393933666663663136 +31306537333730336636636632333432363336313766303966326663356635396264663231303839 +39333136653531333466333830313065636564323133393731633064633232656631343461393232 +32636530303730396532336664653532646132386432656463323235626531633163643165333938 +31383938333362323631376535383336366635343032353336303138313433316133663863633061 +30386638386539643262623364626139613035363531393865373237343935633630303538303361 +39643662623438306565653539316364343530303165633262653839363031633632633637313964 +36613934653835353739346637623635666130343166306561396266636335363137366631623263 +33343036653139313734613238333261653762353239366239383535636532346365646565613663 +34663563623362616631323266323237323839633834303264663163313866333761633461333731 +35303434333838323432653064633066613237346339653336643466326338353262396261346131 +34383530643638636332626337346636306232393261633637303965383534616662353435653136 +31383636636436353636333635373631386364656534613666323062373763626232393232303364 +62363439356232303337303165386630336130313235393037353063343236396433333263356437 +61656538613361613761633134626462353561663037313733386634343935316237303939636130 +35613662346332646432613431353062323766663765306236363362343163616238346266363434 +61393566616166663833306431616335353962323835386263623932393733313436376562313463 +34656633393931633131386432313531396266356234623262306661643736393637343237396636 
+63353436633435306138613330636637666435333339396230376231616534373662376535366235 +65613366663261386165656134653737363035633130663966663630613235383161613035343636 +62313833623734383366643433363966623465386333343939303732623234383766343839633532 +30326133323564323237316530613964616538376537353434316539393739616437346639643835 +39663532363963393562383764303565306639666632336236616130343239353332633262373138 +35383663613461343138653762383337373739623637306365353362623038313266306631613132 +36366435363165666463343330326466623932653337663735326137323034656534653536636230 +38623631366464393337383261313065373561616463666164626161363863616139666365303431 +32306361666432653231663065383734393035323465353434326563366365363463313436613561 +36383165346664636165643239653131646334393638333365656662346432373033343132373437 +65363930623332336137393539313136663035666335386231666431383839306135303832633835 +65633266346238343935666534626261333635663233626230393361663137666530623466363230 +64613431616164393133396131333131356339343336373066313931646263353563623436383837 +31343961393431653336633037643862303932326637333339393430383961326664643537353436 +65633833653064623034613637656666353939323464303238393638393264343062373538326266 +33356561353261343037306239333938363861643133376538366230343162363762653864366362 +62666334376330303765383465623835663064346164363436326234613733366365393939323831 +61613834346363303136333264306465313565303830663436636661333733376632633864666233 +38633131306664316537346264663966613535393438313136323338333762613035323563616664 +39663334306261363136313132646362383766313561626237646334333935343466636465656132 +30353533666531613062393661303131346235323766643132653039393839616563316165313637 +36646234633465366535663765303830396231636662633634383538306362613666356666333163 +35373533633762653639333439633665333033626362366261663566633864343737363762663962 +34326432626162353639383164636261613031346439623736316261636139353939613030363661 
+34346232383464656266383532666661356133623835613431373631396231343430396363343838 +39616365303730393631656233336635653132626161656538393931666239636538393961633035 +62336464633565636564636235626639386232393535343738363965633763393737313732396238 +34626131336463343333326336633163303862366164363132323339393035323132343833303436 +35653566333334343332303731326339633330636437653839366264363566376139316261383731 +39323231346138373032333762396530383139623532336466353833613731393032303664636132 +64306533356438336634643961306164336463643062343137393036396430323464666235343637 +37386338353930663166663234646535663366666132663561383731623937663433383239326231 +37306434303137643431383938353434666632373132656431663563303864376339373430653839 +61333032343666386430386639326632383637366637363961656463353835353664393164613333 +30383061656633376239633838303637316432633637633638643162633861396263646363626632 +65353935626362363332336262313834356461393933636432666532623433346663656666376563 +39666434343836366133316234333039313239306135303935323735336236396365383564386663 +39626239396630363435316138363230336265613162323831323362376362643639363935626237 +39663265666533626430663135303932386365626565636665373030373963373465613964653331 +63333637366464376239363262313338663331306634323732333636653464396165376639613863 +35343133393265363335353263313664613864343765633061383233323839653030313366613237 +66376134396362663332333038303333313064393161333066623739363138316435643439656638 +32366130326133653462623437633439386338333630626334656437653530633565393565643936 +37363233396263633339353331633633356661363961663762306364323765303261343063363130 +62616566623665623435636333333935613734373233376335313139633062353230613739663665 +34333930353164396261303433653966336435333463313837613464643961393737366638326538 +61376233633431346331366532336366626530626666373932383932643235343433353764616161 +30396136363838626136363430383537343439636261636636373236353565353932626364663834 
+64363963393739373166343365303036353035336333323665373633623863363861383832633539 +36636136383133353839326362333065613232343235366365663733623838643033393862326236 +33373665313339643737646138663233346365663061386266383336633134306562313664326238 +35306565343039313063663634393762383836393034333639306533333534656165636436666466 +33303235376132393164626532636563653939613635396139366133383337666237646330306264 +32633738653663386235373061356661353236613838366663373233373034363337366339353836 +39353931623039646662313966383061343631373362616264346564383239303865633830323034 +39633564393537346334633637333030356134353464616333323330643731336139653630356137 +33383938383135373138616564366236653536386366636436656563346663663964343664336536 +31386362333762353237663334323464663335633838353038636164656135633562643036343833 +37623435623437393363613639326166386666646464376131666432346164386265303366333165 +34333339323635663430643931616335646532303330646532643339316435643636643262363032 +31363333636631373036383465623138316537343135383763613138393130383733343333363334 +31636461346432346434633431663036343564313837343034633762356236623332656166373634 +35323365363333633837346434653339373531653135643132613062613366613263356536666237 +38313231396239316665666230653035633763633766326364376231366634383434633731393564 +39346436363239633738626631636339613165333439316566646464356632326131383337306430 +35363135376562373064646638373238623335623165316231323531336132346137356166313638 +66656535336666313162666434336130383162393764653931633763626630316532383330393563 +38646236313737303364656230653664623334643033373364616334343534346235666137336136 +32306630373865376631366363633434313135313063626161303635646137383561373634356430 +35626238346263313566653434326236666435396238386533383964633131353534636135326362 +35383464653336306438656430343436366236313466356531326132316263363463353730363930 +63653435343764363939303762353132333366353832303531343637323235313437316530336638 
+65343033353363326336633735623538663930663838613533393132303161633033386432643931 +65656361343462663435376337353633336437303736613463633162366131623363626166636134 +353533336133303463356663323736326332 diff --git a/hosts b/hosts index d65e07f..990c862 100644 --- a/hosts +++ b/hosts @@ -32,35 +32,35 @@ marki.adm.auro.re [fleming_vm] ldap-replica-fleming.adm.auro.re -ldap-replica-fleming-fo.adm.auro.re +#ldap-replica-fleming-fo.adm.auro.re dhcp-fleming.adm.auro.re -dhcp-fleming-fo.adm.auro.re +#dhcp-fleming-fo.adm.auro.re dns-fleming.adm.auro.re -dns-fleming-fo.adm.auro.re +#dns-fleming-fo.adm.auro.re prometheus-fleming.adm.auro.re -prometheus-fleming-fo.adm.auro.re +#prometheus-fleming-fo.adm.auro.re radius-fleming.adm.auro.re -radius-fleming-fo.adm.auro.re +#radius-fleming-fo.adm.auro.re unifi-fleming.adm.auro.re routeur-fleming.adm.auro.re -routeur-fleming-fo.adm.auro.re +#routeur-fleming-fo.adm.auro.re [fleming_unifi] fa-0-1.borne.auro.re fa-1-1.borne.auro.re fa-2-1.borne.auro.re -fa-2-2.borne.auro.re +#fa-2-2.borne.auro.re fa-3-1.borne.auro.re fa-4-1.borne.auro.re fb-0-1.borne.auro.re fb-1-1.borne.auro.re -fb-1-2.borne.auro.re +#fb-1-2.borne.auro.re fb-2-1.borne.auro.re -fb-2-2.borne.auro.re +#fb-2-2.borne.auro.re fb-3-1.borne.auro.re -fb-3-2.borne.auro.re +#fb-3-2.borne.auro.re fb-4-1.borne.auro.re -fb-4-2.borne.auro.re +#fb-4-2.borne.auro.re fc-0-1.borne.auro.re fc-1-1.borne.auro.re fc-2-1.borne.auro.re @@ -70,7 +70,7 @@ fd-0-1.borne.auro.re fd-1-1.borne.auro.re fd-2-1.borne.auro.re fd-3-1.borne.auro.re -fd-4-1.borne.auro.re +#fd-4-1.borne.auro.re fe-0-1.borne.auro.re fe-1-1.borne.auro.re fe-1-2.borne.auro.re 
@@ -92,13 +92,13 @@ ff-4-1.borne.auro.re ff-4-2.borne.auro.re fg-0-1.borne.auro.re fg-1-1.borne.auro.re -fg-1-2.borne.auro.re +#fg-1-2.borne.auro.re fg-2-1.borne.auro.re fg-2-2.borne.auro.re fg-3-1.borne.auro.re fg-3-2.borne.auro.re fg-4-1.borne.auro.re -fg-4-2.borne.auro.re +#fg-4-2.borne.auro.re fh-0-1.borne.auro.re fh-1-1.borne.auro.re fh-1-2.borne.auro.re @@ -151,18 +151,18 @@ titan.adm.auro.re [pacaterie_vm] ldap-replica-pacaterie.adm.auro.re -ldap-replica-pacaterie-fo.adm.auro.re +#ldap-replica-pacaterie-fo.adm.auro.re dhcp-pacaterie.adm.auro.re -dhcp-pacaterie-fo.adm.auro.re +#dhcp-pacaterie-fo.adm.auro.re dns-pacaterie.adm.auro.re -dns-pacaterie-fo.adm.auro.re +#dns-pacaterie-fo.adm.auro.re prometheus-pacaterie.adm.auro.re -prometheus-pacaterie-fo.adm.auro.re +#prometheus-pacaterie-fo.adm.auro.re radius-pacaterie.adm.auro.re -radius-pacaterie-fo.adm.auro.re +#radius-pacaterie-fo.adm.auro.re unifi-pacaterie.adm.auro.re routeur-pacaterie.adm.auro.re -routeur-pacaterie-fo.adm.auro.re +#routeur-pacaterie-fo.adm.auro.re [pacaterie_unifi] pc-1-1.borne.auro.re @@ -284,7 +284,7 @@ ovh_vm # everything at fleming [fleming:children] -fleming_pve +fleming_physical fleming_vm fleming_unifi diff --git a/monitoring.yml b/monitoring.yml index 2f26803..76e063b 100644 --- a/monitoring.yml +++ b/monitoring.yml @@ -2,6 +2,7 @@ - hosts: prometheus-fleming.adm.auro.re,prometheus-fleming-fo.adm.auro.re vars: prometheus_alertmanager: docker-ovh.adm.auro.re:9093 + snmp_unifi_password: "{{ vault_snmp_unifi_password }}" # Prometheus targets.json prometheus_targets: @@ -15,6 +16,7 @@ - hosts: prometheus-pacaterie.adm.auro.re,prometheus-pacaterie-fo.adm.auro.re vars: prometheus_alertmanager: docker-ovh.adm.auro.re:9093 + snmp_unifi_password: "{{ vault_snmp_unifi_password }}" # Prometheus targets.json prometheus_targets: 
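Review bot: `[fleming:children]` now lists `fleming_physical`, but no `[fleming_physical]` group is defined in any visible inventory hunk; the INI inventory plugin raises an error when a `:children` entry names an undefined group, so the whole inventory stops loading unless that group exists outside this diff. Either define `[fleming_physical]` with the hosts that currently sit in `[fleming_pve]`, or keep `fleming_pve` on that line. The earlier hunks of this section also comment out every `-fo` host (`prometheus-fleming-fo.adm.auro.re`, `prometheus-pacaterie-fo.adm.auro.re`, …) while `monitoring.yml` in the same commit keeps those names in its `hosts:` patterns, so those plays will warn about an unmatched host on every run.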
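Review bot: Each play's `hosts:` pattern still names the `-fo` host (`prometheus-fleming-fo.adm.auro.re` here, and likewise in the pacaterie, edc and georgesand plays in the following hunks) while the `hosts` file in this same commit comments the fleming and pacaterie `-fo` entries out; a comma pattern with one unknown member makes Ansible print a "Could not match supplied host pattern" warning and run only on the remaining host, so this is noise rather than a failure, but the patterns should be trimmed or the hosts restored. The `snmp_unifi_password: "{{ vault_snmp_unifi_password }}"` indirection through the vault is the right shape; since the same line is repeated verbatim in four plays, a single definition in `group_vars` would stop one copy drifting from the others.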
@@ -28,6 +30,7 @@ - hosts: prometheus-edc.adm.auro.re,prometheus-edc-fo.adm.auro.re vars: prometheus_alertmanager: docker-ovh.adm.auro.re:9093 + snmp_unifi_password: "{{ vault_snmp_unifi_password }}" # Prometheus targets.json prometheus_targets: @@ -41,6 +44,7 @@ - hosts: prometheus-georgesand.adm.auro.re,prometheus-georgesand-fo.adm.auro.re vars: prometheus_alertmanager: docker-ovh.adm.auro.re:9093 + snmp_unifi_password: "{{ vault_snmp_unifi_password }}" # Prometheus targets.json prometheus_targets: From 639fbbcd28f77bd86fc19bc781cf31281c59ba3d Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 2 Dec 2019 20:33:29 +0100 Subject: [PATCH 118/297] =?UTF-8?q?test=20s=C3=A9minaire?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- network.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network.yml b/network.yml index cdff053..1a353f5 100644 --- a/network.yml +++ b/network.yml @@ -10,7 +10,7 @@ username: service-user password: "{{ vault_serviceuser_passwd }}" dhcp: - authoritative: true + authoritative: yes roles: - re2o-service - isc-dhcp-server From b60ca7111acd9d9d1bc8c8920f942a9e421ea9cd Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Thu, 5 Dec 2019 14:07:08 +0100 Subject: [PATCH 119/297] Mini useful script --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 4f5f92a..ab2d34c 100644 --- a/README.md +++ b/README.md @@ -111,3 +111,11 @@ Vous pouvez ensuite enlever `--check` si vous voulez appliquer les changements ! Si vous avez des soucis de fingerprint ECDSA, vous pouvez ignorer une première fois (dangereux !) : `ANSIBLE_HOST_KEY_CHECKING=0 ansible-playbook...`. +### Ajouter tous les empruntes de serveur + +```bash +#!/bin/bash +for ip in `cat hosts|grep .adm.auro.re`; do + ssh-copy-id -i ~/.ssh/id_rsa.pub $ip +done +``` From 5061a029e05673e8e846b4a289b90a455f571de7 Mon Sep 17 00:00:00 2001 
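Review bot: `authoritative: yes` reintroduces a YAML 1.1 truthy literal where `true` had been used; PyYAML (what Ansible loads with) still reads it as a boolean, but yamllint's default `truthy` rule rejects `yes`, so the `yamllint -c .yamllint.yml .` job added to CI earlier in this series will fail on this line unless the project's `.yamllint.yml` disables that rule. `authoritative: true` is both lint-clean and unambiguous for whatever template in the isc-dhcp-server role consumes it. Given the commit title ("test séminaire"), this looks like a throwaway test change rather than something to merge.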
From: Alexandre Iooss Date: Thu, 5 Dec 2019 14:07:48 +0100 Subject: [PATCH 120/297] Do not ask why, it was not there --- roles/baseconfig/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml index 5249244..bf88ae2 100644 --- a/roles/baseconfig/tasks/main.yml +++ b/roles/baseconfig/tasks/main.yml @@ -23,6 +23,7 @@ - git # code versioning - less # i like cats - screen # Vulcain asked for this + - lsb-release update_cache: true register: apt_result retries: 3 From a44c7064d2159d299fb48bebb0bc1fd6db1aa0b7 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Thu, 5 Dec 2019 14:08:08 +0100 Subject: [PATCH 121/297] Add more logic --- hosts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts b/hosts index 990c862..25d42b3 100644 --- a/hosts +++ b/hosts @@ -31,7 +31,7 @@ freya.adm.auro.re marki.adm.auro.re [fleming_vm] -ldap-replica-fleming.adm.auro.re +ldap-replica-fleming1.adm.auro.re #ldap-replica-fleming-fo.adm.auro.re dhcp-fleming.adm.auro.re #dhcp-fleming-fo.adm.auro.re From d9f2d06c44981da39122efb2aaef6b1e6057f106 Mon Sep 17 00:00:00 2001 From: fpoutre Date: Sat, 15 Feb 2020 21:33:57 +0100 Subject: [PATCH 122/297] added aurore's hosts --- ansible.cfg | 1 + hosts | 51 ++++++++++++++++---- hosts.save | 131 ++++++++++++++++++++++++++++++++++++++++++++++++++++ network.yml | 32 ++++++------- 4 files changed, 191 insertions(+), 24 deletions(-) create mode 100644 hosts.save diff --git a/ansible.cfg b/ansible.cfg index 8d528bd..960e6df 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -33,3 +33,4 @@ become_ask_pass = True # TO know what changed always = yes +scp_if_ssh = True diff --git a/hosts b/hosts index 0ed4896..eb4e03a 100644 --- a/hosts +++ b/hosts 
@@ -5,6 +5,12 @@ # > So all containers at OVH are in ovh-container. # > Then we regroup everything in global geographic and type groups. +[aurore_pve] +merlin.adm.auro.re + +[aurore_vm] +#radius-aurore.adm.auro.re + [ovh_pve] #horus.adm.auro.re @@ -26,6 +32,7 @@ #vpn-ovh.adm.auro.re #docker-ovh.adm.auro.re #switchs-manager.adm.auro.re +#radius-aurore.adm.auro.re [ovh_testing_vm] #re2o-test.adm.auro.re @@ -37,11 +44,15 @@ #ldap-replica-fleming1.adm.auro.re #ldap-replica-fleming2.adm.auro.re #dhcp-fleming.adm.auro.re +#dhcp-fleming-backup.adm.auro.re #dns-fleming.adm.auro.re +#dns-fleming-backup.adm.auro.re #prometheus-fleming.adm.auro.re #radius-fleming.adm.auro.re +#radius-fleming-backup.adm.auro.re #unifi-fleming.adm.auro.re #routeur-fleming.adm.auro.re +#routeur-fleming-backup.adm.auro.re [pacaterie_pve] #mordred.adm.auro.re @@ -49,11 +60,15 @@ [pacaterie_vm] #ldap-replica-pacaterie.adm.auro.re #dhcp-pacaterie.adm.auro.re +#dhcp-pacaterie-backup.adm.auro.re #dns-pacaterie.adm.auro.re +#dns-pacaterie-backup.adm.auro.re #prometheus-pacaterie.adm.auro.re #radius-pacaterie.adm.auro.re +#radius-pacaterie-backup.adm.auro.re #unifi-pacaterie.adm.auro.re #routeur-pacaterie.adm.auro.re +#routeur-pacaterie-backup.adm.auro.re [edc_pve] #chapalux.adm.auro.re @@ -62,16 +77,19 @@ #routeur-edc.adm.auro.re #dns-edc.adm.auro.re #dhcp-edc.adm.auro.re +#unifi-edc.adm.auro.re +#radius-edc.adm.auro.re +#routeur-aurore.adm.auro.re -[georgesand_pve] +[gs_pve] #perceval.adm.auro.re -[georgesand_vm] +[gs_vm] #routeur-gs.adm.auro.re #unifi-gs.adm.auro.re #radius-gs.adm.auro.re -dns-gs.adm.auro.re -dhcp-gs.adm.auro.re +#dns-gs.adm.auro.re +#dhcp-gs.adm.auro.re # everything at ovh [ovh:children] @@ -99,9 +117,9 @@ edc_pve edc_vm # everything at georgesand -[georgesand:children] -georgesand_pve -georgesand_vm +[gs:children] +gs_pve +gs_vm # every LXC container [container:children] @@ -112,6 +130,7 @@ ovh_container ovh_vm fleming_vm pacaterie_vm +gs_vm # every PVE [pve:children] 
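Review bot: The new `[aurore_pve]` and `[aurore_vm]` groups are not wired into any `:children` group — `[vm:children]` at the end of this section gains `gs_vm` but not `aurore_vm`, and `[pve:children]` in the next hunk lists `ovh_pve … gs_pve` without `aurore_pve` — so plays and group_vars scoped to `pve`/`vm` will silently skip those machines once they are uncommented. `#radius-aurore.adm.auro.re` is also placed under both `[aurore_vm]` and `[ovh_vm]`, which contradicts the location-first naming rule in the file header and would give the host vars from two sites; pick one. Adding `aurore_vm` to `[vm:children]`, `aurore_pve` to `[pve:children]` and an `[aurore:children]` group alongside the other sites keeps the inventory consistent.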
@@ -119,4 +138,20 @@ ovh_pve fleming_pve pacaterie_pve edc_pve -georgesand_pve +gs_pve + +[dhcp] +#dhcp-fleming.adm.auro.re +#dhcp-fleming-backup.adm.auro.re +#dhcp-pacaterie.adm.auro.re +#dhcp-pacaterie-backup.adm.auro.re +#dhcp-edc.adm.auro.re +#dhcp-gs.adm.auro.re + +[dns] +#dns-fleming.adm.auro.re +#dns-fleming-backup.adm.auro.re +#dns-pacaterie.adm.auro.re +#dns-pacaterie-backup.adm.auro.re +#dns-edc.adm.auro.re +#dns-gs.adm.auro.re diff --git a/hosts.save b/hosts.save new file mode 100644 index 0000000..c806780 --- /dev/null +++ b/hosts.save 
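Review bot: The new `[dhcp]` and `[dns]` groups contain only commented-out members, while `network.yml` in this same commit switches its plays to `hosts: dhcp` and `hosts: dns`, so those plays match nothing and Ansible skips them with a "no hosts matched" warning rather than an error. If the intent is to stage the groups before the hosts exist, a one-line comment above each group saying so (`# members disabled until the dhcp VMs are rebuilt`) would stop the next person from "fixing" the playbook; otherwise the members should be uncommented here. Because these groups repeat host names already listed under the per-site `*_vm` groups, any later rename has to be made in two places — patch 125 hits exactly that with the ldap hosts.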
@@ -0,0 +1,131 @@ +# Aurore servers inventory + +# How to name your server ? +# > We name servers according to location, then type. +# > So all containers at OVH are in ovh-container. +# > Then we regroup everything in global geographic and type groups. + +[ovh_pve] +#horus.adm.auro.re + +[ovh_container] +#synapse.adm.auro.re +#services-bdd.adm.auro.re +#phabricator.adm.auro.re +#wiki.adm.auro.re +#www.adm.auro.re +#proxy.adm.auro.re +#matrix-services.adm.auro.re + +[ovh_vm] +#re2o-server.adm.auro.re +#re2o-ldap.adm.auro.re +#re2o-db.adm.auro.re +#serge.adm.auro.re +#passbolt.adm.auro.re +#vpn-ovh.adm.auro.re +#docker-ovh.adm.auro.re +#switchs-manager.adm.auro.re +#radius-aurore.adm.auro.re + +[ovh_testing_vm] +#re2o-test.adm.auro.re + +[fleming_pve] +#freya.adm.auro.re + +[fleming_vm] +#ldap-replica-fleming1.adm.auro.re +#ldap-replica-fleming2.adm.auro.re +#dhcp-fleming.adm.auro.re +#dhcp-fleming-backup.adm.auro.re +#dns-fleming.adm.auro.re +#dns-fleming-backup.adm.auro.re +#radius-fleming.adm.auro.re +#radius-fleming-backup.adm.auro.re +#routeur-fleming.adm.auro.re +#routeur-fleming-backup.adm.auro.re +#unifi-fleming.adm.auro.re +#prometheus + +[pacaterie_pve] +#mordred.adm.auro.re + +[pacaterie_vm] +#ldap-replica-pacaterie.adm.auro.re +#dhcp-pacaterie.adm.auro.re +#dns-pacaterie.adm.auro.re +#prometheus-pacaterie.adm.auro.re +#radius-pacaterie.adm.auro.re +#unifi-pacaterie.adm.auro.re +#routeur-pacaterie.adm.auro.re + +[edc_pve] +#chapalux.adm.auro.re + +[edc_vm] +#routeur-edc.adm.auro.re +#dns-edc.adm.auro.re +#dhcp-edc.adm.auro.re +#unifi-edc.adm.auro.re +#radius-edc.adm.auro.re +#routeur-aurore.adm.auro.re +#10.128.0.254 + +[georgesand_pve] +#perceval.adm.auro.re + +[georgesand_vm] +#routeur-gs.adm.auro.re +#unifi-gs.adm.auro.re +#radius-gs.adm.auro.re +#dns-gs.adm.auro.re +#dhcp-gs.adm.auro.re + +# everything at ovh +[ovh:children] +ovh_pve +ovh_container +ovh_vm + +# everything at ovh_testing +[ovh_testing:children] +ovh_testing_vm + +# everything at 
fleming +[fleming:children] +fleming_pve +fleming_vm + +# everything at pacaterie +[pacaterie:children] +pacaterie_pve +pacaterie_vm + +# everything at edc +[edc:children] +edc_pve +edc_vm + +# everything at georgesand +[georgesand:children] +georgesand_pve +georgesand_vm + +# every LXC container +[container:children] +ovh_container + +# every virtual machine +[vm:children] +ovh_vm +fleming_vm +pacaterie_vm + +# every PVE +[pve:children] +ovh_pve +fleming_pve +pacaterie_pve +edc_pve +georgesand_pve diff --git a/network.yml b/network.yml index 9137778..0b5e51b 100644 --- a/network.yml +++ b/network.yml @@ -1,6 +1,6 @@ --- # Deploy DHCP -- hosts: dhcp-fleming.adm.auro.re,dhcp-pacaterie.adm.auro.re,dhcp-gs.adm.auro.re +- hosts: dhcp vars: service_repo: https://gitlab.federez.net/re2o/dhcp.git service_name: dhcp @@ -16,7 +16,7 @@ - isc-dhcp-server # Deploy DNS -- hosts: serge.adm.auro.re +- hosts: dns vars: service_repo: https://gitlab.crans.org/nounous/re2o-dns.git service_name: dns @@ -29,19 +29,19 @@ - re2o-service # Deploy Unifi Controller -- hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re - roles: - - unifi-controller +#- hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re +# roles: +# - unifi-controller # Deploy Re2o switch service -- hosts: switchs-manager.adm.auro.re - vars: - service_repo: https://gitlab.federez.net/re2o/switchs.git - service_name: switchs - service_version: master - service_config: - hostname: re2o-server.adm.auro.re - username: service-user - password: "{{ vault_serviceuser_passwd }}" - roles: - - re2o-service +#- hosts: switchs-manager.adm.auro.re +# vars: +# service_repo: https://gitlab.federez.net/re2o/switchs.git +# service_name: switchs +# service_version: master +# service_config: +# hostname: re2o-server.adm.auro.re +# username: service-user +# password: "{{ vault_serviceuser_passwd }}" +# roles: +# - re2o-service From 08fcf49e626c4d0b03573fe1c8b101a7af053cc5 Mon Sep 17 00:00:00 2001 
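Review bot: `hosts.save` is a backup copy of the pre-rename inventory (it still carries `[georgesand_pve]`/`[georgesand_vm]` and lacks the new `aurore_*` groups), nothing in the tree reads it, and it is already out of sync with `hosts` in the same commit. Git history is the backup here — drop the file and add a `hosts.save*` pattern to `.gitignore`. Patch 125 adds `hosts.save.1` with the same problem.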
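Review bot: The unifi-controller and switchs plays are commented out line by line instead of being removed, leaving a block of dead YAML (including a commented `password: "{{ vault_serviceuser_passwd }}"`) that yamllint ignores but every reader has to skip over. If the plays are retired, delete them and let git history keep the text; if they are only paused, a one-line comment above each stating why and until when (`# Paused: switchs-manager is being rebuilt`) carries the intent that a bare `#` prefix does not.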
From: fpoutre Date: Thu, 20 Feb 2020 16:23:10 +0100 Subject: [PATCH 123/297] modified mainly hosts to match new servers and vms --- hosts | 141 ++++++++++++++++++++++++++++++---------------------------- 1 file changed, 72 insertions(+), 69 deletions(-) diff --git a/hosts b/hosts index eb4e03a..c88b606 100644 --- a/hosts +++ b/hosts 
@@ -9,87 +9,90 @@ merlin.adm.auro.re [aurore_vm] -#radius-aurore.adm.auro.re +radius-aurore.adm.auro.re [ovh_pve] -#horus.adm.auro.re +horus.adm.auro.re [ovh_container] -#synapse.adm.auro.re -#services-bdd.adm.auro.re -#phabricator.adm.auro.re -#wiki.adm.auro.re -#www.adm.auro.re -#proxy.adm.auro.re -#matrix-services.adm.auro.re +synapse.adm.auro.re +services-bdd.adm.auro.re +phabricator.adm.auro.re +wiki.adm.auro.re +www.adm.auro.re +proxy.adm.auro.re +matrix-services.adm.auro.re [ovh_vm] -#re2o-server.adm.auro.re -#re2o-ldap.adm.auro.re -#re2o-db.adm.auro.re -#serge.adm.auro.re -#passbolt.adm.auro.re -#vpn-ovh.adm.auro.re -#docker-ovh.adm.auro.re -#switchs-manager.adm.auro.re -#radius-aurore.adm.auro.re +re2o-server.adm.auro.re +re2o-ldap.adm.auro.re +re2o-db.adm.auro.re +serge.adm.auro.re +passbolt.adm.auro.re +vpn-ovh.adm.auro.re +docker-ovh.adm.auro.re +switchs-manager.adm.auro.re +radius-aurore.adm.auro.re [ovh_testing_vm] -#re2o-test.adm.auro.re +re2o-test.adm.auro.re [fleming_pve] -#freya.adm.auro.re +freya.adm.auro.re +marki.adm.auro.re [fleming_vm] -#ldap-replica-fleming1.adm.auro.re -#ldap-replica-fleming2.adm.auro.re -#dhcp-fleming.adm.auro.re -#dhcp-fleming-backup.adm.auro.re -#dns-fleming.adm.auro.re -#dns-fleming-backup.adm.auro.re -#prometheus-fleming.adm.auro.re -#radius-fleming.adm.auro.re -#radius-fleming-backup.adm.auro.re -#unifi-fleming.adm.auro.re -#routeur-fleming.adm.auro.re -#routeur-fleming-backup.adm.auro.re +ldap-replica-fleming1.adm.auro.re +ldap-replica-fleming2.adm.auro.re +dhcp-fleming.adm.auro.re +dhcp-fleming-backup.adm.auro.re +dns-fleming.adm.auro.re +dns-fleming-backup.adm.auro.re +prometheus-fleming.adm.auro.re +radius-fleming.adm.auro.re +radius-fleming-backup.adm.auro.re +unifi-fleming.adm.auro.re +routeur-fleming.adm.auro.re +routeur-fleming-backup.adm.auro.re [pacaterie_pve] -#mordred.adm.auro.re +mordred.adm.auro.re +titan.adm.auro.re [pacaterie_vm] -#ldap-replica-pacaterie.adm.auro.re -#dhcp-pacaterie.adm.auro.re 
-#dhcp-pacaterie-backup.adm.auro.re -#dns-pacaterie.adm.auro.re -#dns-pacaterie-backup.adm.auro.re -#prometheus-pacaterie.adm.auro.re -#radius-pacaterie.adm.auro.re -#radius-pacaterie-backup.adm.auro.re -#unifi-pacaterie.adm.auro.re -#routeur-pacaterie.adm.auro.re -#routeur-pacaterie-backup.adm.auro.re +ldap-replica-pacaterie.adm.auro.re +ldap-replica-pacaterie-backup.adm.auro.re +dhcp-pacaterie.adm.auro.re +dhcp-pacaterie-backup.adm.auro.re +dns-pacaterie.adm.auro.re +dns-pacaterie-backup.adm.auro.re +prometheus-pacaterie.adm.auro.re +radius-pacaterie.adm.auro.re +radius-pacaterie-backup.adm.auro.re +unifi-pacaterie.adm.auro.re +routeur-pacaterie.adm.auro.re +routeur-pacaterie-backup.adm.auro.re [edc_pve] -#chapalux.adm.auro.re +chapalux.adm.auro.re [edc_vm] -#routeur-edc.adm.auro.re -#dns-edc.adm.auro.re -#dhcp-edc.adm.auro.re -#unifi-edc.adm.auro.re -#radius-edc.adm.auro.re -#routeur-aurore.adm.auro.re +routeur-edc.adm.auro.re +dns-edc.adm.auro.re +dhcp-edc.adm.auro.re +unifi-edc.adm.auro.re +radius-edc.adm.auro.re +routeur-aurore.adm.auro.re [gs_pve] -#perceval.adm.auro.re +perceval.adm.auro.re [gs_vm] -#routeur-gs.adm.auro.re -#unifi-gs.adm.auro.re -#radius-gs.adm.auro.re -#dns-gs.adm.auro.re -#dhcp-gs.adm.auro.re +routeur-gs.adm.auro.re +unifi-gs.adm.auro.re +radius-gs.adm.auro.re +dns-gs.adm.auro.re +dhcp-gs.adm.auro.re # everything at ovh [ovh:children] 
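Review bot: Every host in the inventory is flipped from commented-out to active in one hunk (and patch 125 flips most of them back), which means `hosts` is being used as an on/off switch for what is reachable right now rather than as the record of what exists. Anyone running a playbook against `all` gets a different fleet depending on which toggle state happened to be committed last. Keeping every host listed and restricting runs with `--limit fleming` (or a separate staging inventory passed with `-i`) gives the same control without rewriting the file each time.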
@@ -141,17 +144,17 @@ edc_pve gs_pve [dhcp] -#dhcp-fleming.adm.auro.re -#dhcp-fleming-backup.adm.auro.re -#dhcp-pacaterie.adm.auro.re -#dhcp-pacaterie-backup.adm.auro.re -#dhcp-edc.adm.auro.re -#dhcp-gs.adm.auro.re +dhcp-fleming.adm.auro.re +dhcp-fleming-backup.adm.auro.re +dhcp-pacaterie.adm.auro.re +dhcp-pacaterie-backup.adm.auro.re +dhcp-edc.adm.auro.re +dhcp-gs.adm.auro.re [dns] -#dns-fleming.adm.auro.re -#dns-fleming-backup.adm.auro.re -#dns-pacaterie.adm.auro.re -#dns-pacaterie-backup.adm.auro.re -#dns-edc.adm.auro.re -#dns-gs.adm.auro.re +dns-fleming.adm.auro.re +dns-fleming-backup.adm.auro.re +dns-pacaterie.adm.auro.re +dns-pacaterie-backup.adm.auro.re +dns-edc.adm.auro.re +dns-gs.adm.auro.re From 73a22ba77ff9d2682a845ac99a84431770f75f04 Mon Sep 17 00:00:00 2001 From: fpoutre Date: Thu, 20 Feb 2020 16:51:56 +0100 Subject: [PATCH 124/297] added group ldap-replica to hosts --- hosts | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hosts b/hosts index c88b606..948c917 100644 --- a/hosts +++ b/hosts @@ -158,3 +158,9 @@ dns-pacaterie.adm.auro.re dns-pacaterie-backup.adm.auro.re dns-edc.adm.auro.re dns-gs.adm.auro.re + +[ldap-replica] +ldap-replica-fleming.adm.auro.re +ldap-replica-fleming-backup.adm.auro.re +ldap-replica-pacaterie.adm.auro.re +ldap-replica-pacaterie-backup.adm.auro.re From 3a399bd04cfd13d11c09e019d9edc8032701056f Mon Sep 17 00:00:00 2001 From: fpoutre Date: Thu, 20 Feb 2020 18:42:34 +0100 Subject: [PATCH 125/297] added ldap-replica support for ldap-clients of pacaterie and fleming --- base.yml | 6 +- copy_keys_to_aurore.sh | 4 + hosts | 98 ++++++------- hosts.save.1 | 165 ++++++++++++++++++++++ roles/ldap-client/templates/nslcd.conf.j2 | 9 +- 5 files changed, 229 insertions(+), 53 deletions(-) create mode 100755 copy_keys_to_aurore.sh create mode 100644 hosts.save.1 diff --git a/base.yml b/base.yml index dc3c2dc..bafc56b 100644 --- a/base.yml +++ b/base.yml 
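Review bot: `[ldap-replica]` lists `ldap-replica-fleming.adm.auro.re` and `ldap-replica-fleming-backup.adm.auro.re`, but `[fleming_vm]` as of patch 123 names those machines `ldap-replica-fleming1.adm.auro.re` and `ldap-replica-fleming2.adm.auro.re`; Ansible does not reconcile the two spellings, so the inventory now holds two phantom hosts that belong to no site group and receive no `fleming` group_vars. Either rename the `[fleming_vm]` entries in the same commit (patch 125 eventually does) or reuse the existing names here. The hyphen in the group name `ldap-replica` also triggers Ansible's invalid-group-character warning on recent releases, which is presumably why patch 125 renames it to `ldap_replica_*`.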
@@ -12,6 +12,6 @@ # Clone LDAP on local geographic location # DON'T DO THIS AS IT RECREATES THE REPLICA -# - hosts: ldap-replica -# roles: -# - ldap-replica +#- hosts: ldap-replica +# roles: +# - ldap-replica diff --git a/copy_keys_to_aurore.sh b/copy_keys_to_aurore.sh new file mode 100755 index 0000000..12cf2c6 --- /dev/null +++ b/copy_keys_to_aurore.sh @@ -0,0 +1,4 @@ +#!/bin/bash +for ip in `cat hosts|grep .adm.auro.re`; do + sshpass -v -p "6+Fwa9h2L>L6]C*y" ssh-copy-id -o StrictHostKeyChecking=no fpoutre@$ip +done diff --git a/hosts b/hosts index 948c917..bdffb4d 100644 --- a/hosts +++ b/hosts @@ -6,44 +6,44 @@ # > Then we regroup everything in global geographic and type groups. [aurore_pve] -merlin.adm.auro.re +#merlin.adm.auro.re [aurore_vm] -radius-aurore.adm.auro.re +#radius-aurore.adm.auro.re [ovh_pve] -horus.adm.auro.re +#horus.adm.auro.re [ovh_container] -synapse.adm.auro.re -services-bdd.adm.auro.re -phabricator.adm.auro.re -wiki.adm.auro.re -www.adm.auro.re -proxy.adm.auro.re -matrix-services.adm.auro.re +#synapse.adm.auro.re +#services-bdd.adm.auro.re +#phabricator.adm.auro.re +#wiki.adm.auro.re +#www.adm.auro.re +#proxy.adm.auro.re +#matrix-services.adm.auro.re [ovh_vm] -re2o-server.adm.auro.re -re2o-ldap.adm.auro.re -re2o-db.adm.auro.re -serge.adm.auro.re -passbolt.adm.auro.re -vpn-ovh.adm.auro.re -docker-ovh.adm.auro.re -switchs-manager.adm.auro.re -radius-aurore.adm.auro.re +#re2o-server.adm.auro.re +#re2o-ldap.adm.auro.re +#re2o-db.adm.auro.re +#serge.adm.auro.re +#passbolt.adm.auro.re +#vpn-ovh.adm.auro.re +#docker-ovh.adm.auro.re +#switchs-manager.adm.auro.re +#radius-aurore.adm.auro.re [ovh_testing_vm] -re2o-test.adm.auro.re +#re2o-test.adm.auro.re [fleming_pve] freya.adm.auro.re marki.adm.auro.re [fleming_vm] -ldap-replica-fleming1.adm.auro.re -ldap-replica-fleming2.adm.auro.re +ldap-replica-fleming.adm.auro.re +ldap-replica-fleming-backup.adm.auro.re dhcp-fleming.adm.auro.re dhcp-fleming-backup.adm.auro.re dns-fleming.adm.auro.re 
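Review bot: `copy_keys_to_aurore.sh` commits a personal SSH password in clear text on the `sshpass -p "…"` line, and its deletion in patch 126 does not remove it from git history — that credential should be treated as exposed and rotated on every host it was used against, whether or not the repository is private. Passing the secret via `-p` also shows it to every local user in the process list, and `-o StrictHostKeyChecking=no` disables host-key verification during the very step that distributes keys, so a host impersonating a `.adm.auro.re` name would be accepted silently. If a helper like this is wanted at all, read the password at runtime (`read -rs SSHPASS; export SSHPASS` with `sshpass -e`), use `-o StrictHostKeyChecking=accept-new`, and keep the script out of the repository. The `` for ip in `cat hosts|grep .adm.auro.re` `` loop also matches commented-out inventory lines, so it tries hosts that are deliberately disabled.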
@@ -74,25 +74,25 @@ routeur-pacaterie.adm.auro.re routeur-pacaterie-backup.adm.auro.re [edc_pve] -chapalux.adm.auro.re +#chapalux.adm.auro.re [edc_vm] -routeur-edc.adm.auro.re -dns-edc.adm.auro.re -dhcp-edc.adm.auro.re -unifi-edc.adm.auro.re -radius-edc.adm.auro.re -routeur-aurore.adm.auro.re +#routeur-edc.adm.auro.re +#dns-edc.adm.auro.re +#dhcp-edc.adm.auro.re +#unifi-edc.adm.auro.re +#radius-edc.adm.auro.re +#routeur-aurore.adm.auro.re [gs_pve] -perceval.adm.auro.re +#perceval.adm.auro.re [gs_vm] -routeur-gs.adm.auro.re -unifi-gs.adm.auro.re -radius-gs.adm.auro.re -dns-gs.adm.auro.re -dhcp-gs.adm.auro.re +#routeur-gs.adm.auro.re +#unifi-gs.adm.auro.re +#radius-gs.adm.auro.re +#dns-gs.adm.auro.re +#dhcp-gs.adm.auro.re # everything at ovh [ovh:children] @@ -144,23 +144,25 @@ edc_pve gs_pve [dhcp] -dhcp-fleming.adm.auro.re -dhcp-fleming-backup.adm.auro.re -dhcp-pacaterie.adm.auro.re -dhcp-pacaterie-backup.adm.auro.re -dhcp-edc.adm.auro.re -dhcp-gs.adm.auro.re +#dhcp-fleming.adm.auro.re +#dhcp-fleming-backup.adm.auro.re +#dhcp-pacaterie.adm.auro.re +#dhcp-pacaterie-backup.adm.auro.re +#dhcp-edc.adm.auro.re +#dhcp-gs.adm.auro.re [dns] -dns-fleming.adm.auro.re -dns-fleming-backup.adm.auro.re -dns-pacaterie.adm.auro.re -dns-pacaterie-backup.adm.auro.re -dns-edc.adm.auro.re -dns-gs.adm.auro.re +#dns-fleming.adm.auro.re +#dns-fleming-backup.adm.auro.re +#dns-pacaterie.adm.auro.re +#dns-pacaterie-backup.adm.auro.re +#dns-edc.adm.auro.re +#dns-gs.adm.auro.re -[ldap-replica] +[ldap_replica_fleming] ldap-replica-fleming.adm.auro.re ldap-replica-fleming-backup.adm.auro.re + +[ldap_replica_pacaterie] ldap-replica-pacaterie.adm.auro.re ldap-replica-pacaterie-backup.adm.auro.re diff --git a/hosts.save.1 b/hosts.save.1 new file mode 100644 index 0000000..db677b4 --- /dev/null +++ b/hosts.save.1 
@@ -0,0 +1,165 @@ +# Aurore servers inventory + +# How to name your server ? +# > We name servers according to location, then type. +# > So all containers at OVH are in ovh-container. +# > Then we regroup everything in global geographic and type groups. + +[aurore_pve] +merlin.adm.auro.re + +[aurore_vm] +radius-aurore.adm.auro.re + +[ovh_pve] +horus.adm.auro.re + +[ovh_container] +synapse.adm.auro.re +services-bdd.adm.auro.re +phabricator.adm.auro.re +wiki.adm.auro.re +www.adm.auro.re +proxy.adm.auro.re +matrix-services.adm.auro.re + +[ovh_vm] +re2o-server.adm.auro.re +re2o-ldap.adm.auro.re +re2o-db.adm.auro.re +serge.adm.auro.re +passbolt.adm.auro.re +vpn-ovh.adm.auro.re +docker-ovh.adm.auro.re +switchs-manager.adm.auro.re +radius-aurore.adm.auro.re + +[ovh_testing_vm] +re2o-test.adm.auro.re + +[fleming_pve] +freya.adm.auro.re +marki.adm.auro.re + +[fleming_vm] +ldap-replica-fleming.adm.auro.re +ldap-replica-fleming-backup.adm.auro.re +dhcp-fleming.adm.auro.re +dhcp-fleming-backup.adm.auro.re +dns-fleming.adm.auro.re +dns-fleming-backup.adm.auro.re +prometheus-fleming.adm.auro.re +radius-fleming.adm.auro.re +radius-fleming-backup.adm.auro.re +unifi-fleming.adm.auro.re +routeur-fleming.adm.auro.re +routeur-fleming-backup.adm.auro.re + +[pacaterie_pve] +mordred.adm.auro.re +titan.adm.auro.re + +[pacaterie_vm] +ldap-replica-pacaterie.adm.auro.re +ldap-replica-pacaterie-backup.adm.auro.re +dhcp-pacaterie.adm.auro.re +dhcp-pacaterie-backup.adm.auro.re +dns-pacaterie.adm.auro.re +dns-pacaterie-backup.adm.auro.re +prometheus-pacaterie.adm.auro.re +radius-pacaterie.adm.auro.re +radius-pacaterie-backup.adm.auro.re +unifi-pacaterie.adm.auro.re +routeur-pacaterie.adm.auro.re +routeur-pacaterie-backup.adm.auro.re + +[edc_pve] +chapalux.adm.auro.re + +[edc_vm] +routeur-edc.adm.auro.re +dns-edc.adm.auro.re +dhcp-edc.adm.auro.re +unifi-edc.adm.auro.re +radius-edc.adm.auro.re +routeur-aurore.adm.auro.re + +[gs_pve] +perceval.adm.auro.re + +[gs_vm] +routeur-gs.adm.auro.re 
+unifi-gs.adm.auro.re +radius-gs.adm.auro.re +dns-gs.adm.auro.re +dhcp-gs.adm.auro.re + +# everything at ovh +[ovh:children] +ovh_pve +ovh_container +ovh_vm + +# everything at ovh_testing +[ovh_testing:children] +ovh_testing_vm + +# everything at fleming +[fleming:children] +fleming_pve +fleming_vm + +# everything at pacaterie +[pacaterie:children] +pacaterie_pve +pacaterie_vm + +# everything at edc +[edc:children] +edc_pve +edc_vm + +# everything at georgesand +[gs:children] +gs_pve +gs_vm + +# every LXC container +[container:children] +ovh_container + +# every virtual machine +[vm:children] +ovh_vm +fleming_vm +pacaterie_vm +gs_vm + +# every PVE +[pve:children] +ovh_pve +fleming_pve +pacaterie_pve +edc_pve +gs_pve + +[dhcp] +dhcp-fleming.adm.auro.re +dhcp-fleming-backup.adm.auro.re +dhcp-pacaterie.adm.auro.re +dhcp-pacaterie-backup.adm.auro.re +dhcp-edc.adm.auro.re +dhcp-gs.adm.auro.re + +[dns] +dns-fleming.adm.auro.re +dns-fleming-backup.adm.auro.re +dns-pacaterie.adm.auro.re +dns-pacaterie-backup.adm.auro.re +dns-edc.adm.auro.re +dns-gs.adm.auro.re + +[ldap-replica] +ldap-replica-fleming.adm.auro.re +ldap-replica-fleming-backup.adm.auro.re +ldap-replica-pacaterie-backup.adm.auro.re diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2 index db05bdc..ab8d556 100644 --- a/roles/ldap-client/templates/nslcd.conf.j2 +++ b/roles/ldap-client/templates/nslcd.conf.j2 
@@ -5,11 +5,16 @@ uid nslcd gid nslcd # The location at which the LDAP server(s) should be reachable. -{% if ldap_local_replica_uri is defined %} -{% for uri in ldap_local_replica_uri %} +{% if 'fleming_vm' in group_names or 'fleming_pve' in group_names %} +{% for uri in groups['ldap_replica_fleming'] %} uri {{ uri }} {% endfor %} {% endif %} +{% if 'pacaterie_vm' in group_names or 'pacaterie_pve' in group_names %} +{% for uri in groups['ldap_replica_pacaterie'] %} +uri ldap://{{ uri }} +{% endfor %} +{% endif %} uri {{ ldap_master_uri }} # The search base that will be used for all queries. From c0692c9ea804f55223ffb7c587d692c3226153ba Mon Sep 17 00:00:00 2001 From: fpoutre Date: Thu, 20 Feb 2020 18:42:57 +0100 Subject: [PATCH 126/297] added ldap-replica support for ldap-clients of pacaterie and fleming --- copy_keys_to_aurore.sh | 4 ---- 1 file changed, 4 deletions(-) delete mode 100755 copy_keys_to_aurore.sh diff --git a/copy_keys_to_aurore.sh b/copy_keys_to_aurore.sh deleted file mode 100755 index 12cf2c6..0000000 --- a/copy_keys_to_aurore.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash -for ip in `cat hosts|grep .adm.auro.re`; do - sshpass -v -p "6+Fwa9h2L>L6]C*y" ssh-copy-id -o StrictHostKeyChecking=no fpoutre@$ip -done From b7b32dc4960879fe5730a3c49a04708816dab448 Mon Sep 17 00:00:00 2001 From: fpoutre Date: Thu, 20 Feb 2020 19:08:09 +0100 Subject: [PATCH 127/297] modified the master_ldap_uri to use a ndd --- group_vars/all/vars.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index d466fcd..d55fd60 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml 
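Review bot: The fleming branch emits `uri {{ uri }}` while the pacaterie branch directly below emits `uri ldap://{{ uri }}`; the groups hold bare hostnames, which is not the URI form nslcd's `uri` option expects, so fleming clients get an unusable entry — change it to `uri ldap://{{ uri }}` to match. The edc and gs branches added to this file in the later PATCH 128 hunk repeat the bare form. `groups['ldap_replica_fleming']` and `groups['ldap_replica_pacaterie']` hard-fail templating on any run whose inventory lacks those groups; the new `hosts` file in the preceding hunk defines only `[ldap-replica]`, so if that is the inventory in use here, guard the loops with `is defined` or add the groups first. Whether these plain `ldap://` URIs are upgraded with `ssl start_tls` is outside the hunk; since the nslcd bind credentials travel over them, it is worth confirming.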
@@ -6,7 +6,7 @@ ansible_python_interpreter: /usr/bin/python3 # You can hash LDAP passwords with `slappasswd` tool ldap_base: 'dc=auro,dc=re' ldap_master_ipv4: '10.128.0.11' -ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}" +ldap_master_uri: "ldap://re2o-ldap.adm.auro.re" ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}" ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}" ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}" From 23f1b7a4a1b8714e6094801165ec00b34747048b Mon Sep 17 00:00:00 2001 From: fpoutre Date: Sun, 22 Mar 2020 18:42:00 +0100 Subject: [PATCH 128/297] added support for edc and gs in ldap replica backup configuration --- hosts | 14 ++++++++++++++ roles/ldap-client/templates/nslcd.conf.j2 | 11 ++++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/hosts b/hosts index bdffb4d..25fcbb3 100644 --- a/hosts +++ b/hosts @@ -159,6 +159,12 @@ gs_pve #dns-edc.adm.auro.re #dns-gs.adm.auro.re +[ldap_replica] +ldap_replica_fleming +ldap_replica_pacaterie +ldap_replica_edc +ldap_replica_gs + [ldap_replica_fleming] ldap-replica-fleming.adm.auro.re ldap-replica-fleming-backup.adm.auro.re @@ -166,3 +172,11 @@ ldap-replica-fleming-backup.adm.auro.re [ldap_replica_pacaterie] ldap-replica-pacaterie.adm.auro.re ldap-replica-pacaterie-backup.adm.auro.re + +[ldap_replica_edc] +ldap-replica-edc.adm.auro.re +ldap-replica-edc-backup.adm.auro.re + +[ldap_replica_gs] +ldap-replica-gs.adm.auro.re +ldap-replica-gs-backup.adm.auro.re diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2 index ab8d556..bd256dc 100644 --- a/roles/ldap-client/templates/nslcd.conf.j2 +++ b/roles/ldap-client/templates/nslcd.conf.j2 
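Review bot: The new `ldap_master_uri` keeps the plain `ldap://` scheme, so the `ldap_nslcd_bind_dn`/`ldap_nslcd_passwd` credentials two lines below still bind in cleartext unless nslcd is given `ssl start_tls` somewhere outside this hunk; moving to a DNS name is what makes certificate hostname checking possible, so this is the moment to switch to `"ldaps://re2o-ldap.adm.auro.re"` or to confirm StartTLS with `tls_reqcert demand`. `ldap_master_ipv4` is no longer referenced by this line; if nothing else uses it, drop it so the two values cannot drift apart. In the `hosts` hunk sharing this line, `[ldap_replica]` lists four group names without `:children`, so Ansible treats `ldap_replica_fleming` and the others as hostnames; it should be `[ldap_replica:children]`.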
@@ -15,6 +15,16 @@ uri {{ uri }} uri ldap://{{ uri }} {% endfor %} {% endif %} +{% if 'edc_vm' in group_names or 'edc_pve' in group_names %} +{% for uri in groups['ldap_replica_edc'] %} +uri {{ uri }} +{% endfor %} +{% endif %} +{% if 'gs_vm' in group_names or 'gs_pve' in group_names %} +{% for uri in groups['ldap_replica_gs'] %} +uri {{ uri }} +{% endfor %} +{% endif %} uri {{ ldap_master_uri }} # The search base that will be used for all queries. @@ -40,4 +50,3 @@ tls_cacertfile /etc/ssl/certs/ca-certificates.crt # The search scope. #scope sub - From 0e61fcff908bdde04d1c19b1190eb104938dc1a9 Mon Sep 17 00:00:00 2001 From: fpoutre Date: Sun, 22 Mar 2020 18:43:57 +0100 Subject: [PATCH 129/297] added support for ldap-replicas in the base.yml for edc and gs --- hosts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts b/hosts index 25fcbb3..7caec9b 100644 --- a/hosts +++ b/hosts @@ -83,6 +83,8 @@ routeur-pacaterie-backup.adm.auro.re #unifi-edc.adm.auro.re #radius-edc.adm.auro.re #routeur-aurore.adm.auro.re +ldap-replica-edc.adm.auro.re +ldap-replica-edc-backup.adm.auro.re [gs_pve] #perceval.adm.auro.re @@ -93,6 +95,8 @@ routeur-pacaterie-backup.adm.auro.re #radius-gs.adm.auro.re #dns-gs.adm.auro.re #dhcp-gs.adm.auro.re +ldap-replica-gs.adm.auro.re +ldap-replica-gs-backup.adm.auro.re # everything at ovh [ovh:children] From 40e915a7e0af83b9e4aca78651de835d7b95d92e Mon Sep 17 00:00:00 2001 From: fpoutre Date: Sun, 22 Mar 2020 19:06:38 +0100 Subject: [PATCH 130/297] happy little mistakes --- hosts | 33 ++++++++++++----------- roles/ldap-client/templates/nslcd.conf.j2 | 6 ++--- 2 files changed, 20 insertions(+), 19 deletions(-) diff --git a/hosts b/hosts index 7caec9b..2e83677 100644 --- a/hosts +++ b/hosts 
@@ -74,29 +74,29 @@ routeur-pacaterie.adm.auro.re routeur-pacaterie-backup.adm.auro.re [edc_pve] -#chapalux.adm.auro.re +chapalux.adm.auro.re [edc_vm] -#routeur-edc.adm.auro.re -#dns-edc.adm.auro.re -#dhcp-edc.adm.auro.re -#unifi-edc.adm.auro.re -#radius-edc.adm.auro.re -#routeur-aurore.adm.auro.re +routeur-edc.adm.auro.re +dns-edc.adm.auro.re +dhcp-edc.adm.auro.re +unifi-edc.adm.auro.re +radius-edc.adm.auro.re +routeur-aurore.adm.auro.re ldap-replica-edc.adm.auro.re -ldap-replica-edc-backup.adm.auro.re +#ldap-replica-edc-backup.adm.auro.re [gs_pve] #perceval.adm.auro.re [gs_vm] -#routeur-gs.adm.auro.re -#unifi-gs.adm.auro.re -#radius-gs.adm.auro.re -#dns-gs.adm.auro.re -#dhcp-gs.adm.auro.re -ldap-replica-gs.adm.auro.re -ldap-replica-gs-backup.adm.auro.re +routeur-gs.adm.auro.re +unifi-gs.adm.auro.re +radius-gs.adm.auro.re +dns-gs.adm.auro.re +dhcp-gs.adm.auro.re +#ldap-replica-gs.adm.auro.re +#ldap-replica-gs-backup.adm.auro.re # everything at ovh [ovh:children] @@ -137,6 +137,7 @@ ovh_container ovh_vm fleming_vm pacaterie_vm +edc_vm gs_vm # every PVE @@ -163,7 +164,7 @@ gs_pve #dns-edc.adm.auro.re #dns-gs.adm.auro.re -[ldap_replica] +[ldap_replica:children] ldap_replica_fleming ldap_replica_pacaterie ldap_replica_edc diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2 index bd256dc..1cb7856 100644 --- a/roles/ldap-client/templates/nslcd.conf.j2 +++ b/roles/ldap-client/templates/nslcd.conf.j2 @@ -7,7 +7,7 @@ gid nslcd # The location at which the LDAP server(s) should be reachable. {% if 'fleming_vm' in group_names or 'fleming_pve' in group_names %} {% for uri in groups['ldap_replica_fleming'] %} -uri {{ uri }} +uri ldap://{{ uri }} {% endfor %} {% endif %} {% if 'pacaterie_vm' in group_names or 'pacaterie_pve' in group_names %} 
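Review bot: This hunk comments out `ldap-replica-edc-backup` in `[edc_vm]` and both gs replicas in `[gs_vm]`, but the `[ldap_replica_edc]` and `[ldap_replica_gs]` groups added in the PATCH 128 hunk still list those hosts, and nslcd.conf.j2 iterates exactly those groups — so edc and gs clients are handed `uri` lines for replicas that are not deployed and will try them before falling through to the next URI. Either comment the same hosts out of the `ldap_replica_*` groups as well, or derive those groups from the active host lists so there is one source of truth. The `[ldap_replica]` → `[ldap_replica:children]` fix further down is correct; without `:children` the four group names were being treated as hostnames.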
@@ -17,12 +17,12 @@ uri ldap://{{ uri }} {% endif %} {% if 'edc_vm' in group_names or 'edc_pve' in group_names %} {% for uri in groups['ldap_replica_edc'] %} -uri {{ uri }} +uri ldap://{{ uri }} {% endfor %} {% endif %} {% if 'gs_vm' in group_names or 'gs_pve' in group_names %} {% for uri in groups['ldap_replica_gs'] %} -uri {{ uri }} +uri ldap://{{ uri }} {% endfor %} {% endif %} uri {{ ldap_master_uri }} From e6b2f80b49812c9396585f1c46f0100dbd1f036a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sun, 5 Apr 2020 17:39:27 +0200 Subject: [PATCH 131/297] templatisation de la config dhcpd MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit non encore testé --- group_vars/fleming/dhcp.yml | 11 +++ group_vars/pacaterie/dhcp.yml | 7 ++ .../templates/dhcp/dhcpd.conf.j2 | 77 ++++++++++++++++--- 3 files changed, 85 insertions(+), 10 deletions(-) create mode 100644 group_vars/fleming/dhcp.yml create mode 100644 group_vars/pacaterie/dhcp.yml diff --git a/group_vars/fleming/dhcp.yml b/group_vars/fleming/dhcp.yml new file mode 100644 index 0000000..97456e9 --- /dev/null +++ b/group_vars/fleming/dhcp.yml @@ -0,0 +1,11 @@ +--- +apartment_block: fleming + +subnet_ids: + ap: 141 + users_wired: 10 + users_wifi: 11 + +failover: + own-address: 10.128.2.254 + peer-address: 10.128.2.154 diff --git a/group_vars/pacaterie/dhcp.yml b/group_vars/pacaterie/dhcp.yml new file mode 100644 index 0000000..043d26d --- /dev/null +++ b/group_vars/pacaterie/dhcp.yml @@ -0,0 +1,7 @@ +--- +apartment_block: pacaterie + +subnet_ids: + ap: 142 + users_wired: 20 + users_wifi: 21 diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 3b0da57..93527bd 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 
@@ -1,15 +1,16 @@ # dhcpd.conf -# {{ ansible_managed }} +{{ ansible_managed }} -# option definitions common to all supported networks... -#option domain-name "example.org"; -#option domain-name-servers ns1.example.org, ns2.example.org; +default-lease-time 86400; +max-lease-time 86400; -# We have tagged network so use last 4 bytes for tag (1500 max) -option interface-mtu 1496; +# Option definitions common to all supported networks. -default-lease-time 600; -max-lease-time 7200; +# The MTU theoretically could go as high as 1496 (4-byte VLAN tag). +option interface-mtu 1400; +# XXX: hardcoded DNS for now +option domain-name-servers 80.67.169.12, 1.1.1.1; +option root-path "/"; # The ddns-updates-style parameter controls whether or not the server will # attempt to do a DNS update when a lease is confirmed. We default to the 
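Review bot: The second line now renders `{{ ansible_managed }}` without a leading `#`, so the generated dhcpd.conf starts with a bare sentence that dhcpd's parser rejects; keep it as `# {{ ansible_managed }}`. The global `option domain-name-servers 80.67.169.12, 1.1.1.1;` marked `XXX: hardcoded` points every client at external resolvers even though the inventory carries per-building `dns-*` hosts — if that is deliberate, say so in the comment, otherwise the value belongs in group_vars next to `subnet_ids`. The comment on `interface-mtu` says 1496 is the theoretical maximum but the value is set to 1400 with no reason given; one sentence on why the margin is needed would stop the next person "fixing" it.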
@@ -29,5 +30,61 @@ authoritative; # have to hack syslog.conf to complete the redirection). #log-facility local7; -# Aurore topology -# TODO + +# Bornes WiFi +subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { + interface "ens19"; + option subnet-mask 255.255.0.0; + option broadcast-address 10.{{ subnet_ids.ap }}.255.255; + option routers 10.{{ subnet_ids.ap }}.0.250; + option domain-name-servers 80.67.169.12, 1.1.1.1; + option domain-name "borne.auro.re"; + option domain-search "borne.auro.re"; + include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list"; + + deny unknown-clients; +} + +# Users filaire +subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { + interface "ens20"; + option subnet-mask 255.255.0.0; + option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255; + option routers 10.{{ subnet_ids.users_wired }}.0.240; + option domain-name "fil.{{ apartment_block }}.auro.re"; + option domain-search "auro.re"; + include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list"; + + deny unknown-clients; +} + + +# Users WiFi +subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { + interface "ens21"; + option subnet-mask 255.255.0.0; + option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255; + option routers 10.{{ subnet_ids.users_wired }}.0.240; + option domain-name "wifi.{{ apartment_block }}.auro.re"; + option domain-search "auro.re"; + include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list"; + + pool { + range 10.{{ subnet_ids.users_wired }}.8.0 10.{{ subnet_ids.users_wired }}.10.255; + + {% if failover is defined %} + failover peer "dhcp-failover" { + primary; + split 128; + mclt 3600; + address {{ failover.own_address }}; + port 647; + peer address {{ failover.peer_address }}; + peer port 647; + max-response-delay 30; + max-unacked-updates 10; + load balance max seconds 3; + } + {% endif %} + } +} 
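Review bot: The "Users WiFi" block uses `subnet_ids.users_wired` for its subnet, broadcast, routers and range, so the wired /16 is declared a second time on `ens21` and the WiFi /16 (`users_wifi` in group_vars) is never served; every `users_wired` inside that block should be `users_wifi`. The failover stanza reads `failover.own_address`/`failover.peer_address` while group_vars/fleming/dhcp.yml in this same commit defines `own-address`/`peer-address`, so templating fails on fleming as soon as `failover` is defined. Note also that the AP and wired subnets carry `deny unknown-clients` but the WiFi subnet does not, so its `pool` range leases to any MAC absent from the included re2o list — presumably intended for onboarding, but worth a comment saying so.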
From 709e4614c2f104b1c549d91dc9b1ac1f8232036a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sun, 5 Apr 2020 19:04:03 +0200 Subject: [PATCH 132/297] =?UTF-8?q?suppression=20d'une=20d=C3=A9claration?= =?UTF-8?q?=20DNS=20redondante?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 93527bd..2236e6d 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 @@ -37,7 +37,6 @@ subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { option subnet-mask 255.255.0.0; option broadcast-address 10.{{ subnet_ids.ap }}.255.255; option routers 10.{{ subnet_ids.ap }}.0.250; - option domain-name-servers 80.67.169.12, 1.1.1.1; option domain-name "borne.auro.re"; option domain-search "borne.auro.re"; include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list"; From 6b369d5b28914dede16f398e612404f16bb660ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sun, 5 Apr 2020 19:51:03 +0200 Subject: [PATCH 133/297] fix ProxyJump in README --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index a1abc50..e64776c 100644 --- a/README.md +++ b/README.md @@ -89,8 +89,7 @@ Dans la configuration SSH : # Use a key to log on all Crans servers # and use a proxy server Host 10.128.0.* *.adm.auro.re - IdentityFile ~/.ssh/id_rsa - ProxyJump auro.re + ProxyJump passerelle.auro.re ``` Il faut savoir que depuis Ansible 2.5, des connexions persistantes sont créées From 2a0a2e2ac657e89faeb2cbb987f40c9302672981 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sun, 5 Apr 2020 19:48:56 +0200 Subject: [PATCH 134/297] dhcp: fix silly mix-ups --- base.yml | 6 ++++++ group_vars/fleming/dhcp.yml | 3 --- group_vars/pacaterie/dhcp.yml | 4 ++++ hosts | 4 ++-- .../isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 | 16 ++++++---------- 5 files changed, 18 insertions(+), 15 deletions(-) diff --git a/base.yml b/base.yml index bafc56b..a668ae5 100644 --- a/base.yml +++ b/base.yml @@ -10,6 +10,12 @@ roles: - ldap-client + +# Set up DHCP servers. +- hosts: dhcp + roles: + - isc-dhcp-server + # Clone LDAP on local geographic location # DON'T DO THIS AS IT RECREATES THE REPLICA #- hosts: ldap-replica diff --git a/group_vars/fleming/dhcp.yml b/group_vars/fleming/dhcp.yml index 97456e9..f0d1f8f 100644 --- a/group_vars/fleming/dhcp.yml +++ b/group_vars/fleming/dhcp.yml @@ -6,6 +6,3 @@ subnet_ids: users_wired: 10 users_wifi: 11 -failover: - own-address: 10.128.2.254 - peer-address: 10.128.2.154 diff --git a/group_vars/pacaterie/dhcp.yml b/group_vars/pacaterie/dhcp.yml index 043d26d..3fdf3c8 100644 --- a/group_vars/pacaterie/dhcp.yml +++ b/group_vars/pacaterie/dhcp.yml @@ -5,3 +5,7 @@ subnet_ids: ap: 142 users_wired: 20 users_wifi: 21 + +failover: + own_address: 10.128.2.254 + peer_address: 10.128.2.154 diff --git a/hosts b/hosts index 2e83677..d8defaf 100644 --- a/hosts +++ b/hosts @@ -149,9 +149,9 @@ edc_pve gs_pve [dhcp] -#dhcp-fleming.adm.auro.re +dhcp-fleming.adm.auro.re #dhcp-fleming-backup.adm.auro.re -#dhcp-pacaterie.adm.auro.re +dhcp-pacaterie.adm.auro.re #dhcp-pacaterie-backup.adm.auro.re #dhcp-edc.adm.auro.re #dhcp-gs.adm.auro.re diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 2236e6d..5ab2be5 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 
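Review bot: The `- hosts: dhcp` play added to base.yml runs `isc-dhcp-server` without the `re2o-service` role that network.yml's DHCP play pairs it with, so dhcpd.conf is rendered with `include` lines pointing at `/var/local/re2o-services/dhcp/generated/*.list` files that may not exist yet on a fresh host; keeping the DHCP play in one playbook avoids the two drifting. In group_vars/pacaterie/dhcp.yml the failover addresses `10.128.2.254`/`10.128.2.154` are the exact values removed from the fleming file — fine if pacaterie is the building they belong to, but a comment naming the two hosts they map to would make that checkable. The `[dhcp]` hunk activates `dhcp-pacaterie` while `dhcp-pacaterie-backup` stays commented, so the pacaterie primary will declare a failover peer that is not deployed; confirm that is the intended interim state.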
@@ -20,11 +20,7 @@ ddns-update-style none; # If this DHCP server is the official DHCP server for the local # network, the authoritative directive should be uncommented. -{% if dhcp.authoritative %} authoritative; -{% else %} -#authoritative; -{% endif %} # Use this to send dhcp log messages to a different log file (you also # have to hack syslog.conf to complete the redirection). @@ -59,19 +55,19 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { # Users WiFi -subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { +subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { interface "ens21"; option subnet-mask 255.255.0.0; - option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255; - option routers 10.{{ subnet_ids.users_wired }}.0.240; + option broadcast-address 10.{{ subnet_ids.users_wifi }}.255.255; + option routers 10.{{ subnet_ids.users_wifi }}.0.240; option domain-name "wifi.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list"; pool { - range 10.{{ subnet_ids.users_wired }}.8.0 10.{{ subnet_ids.users_wired }}.10.255; + range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wired }}.10.255; - {% if failover is defined %} +{% if failover is defined %} failover peer "dhcp-failover" { primary; split 128; @@ -84,6 +80,6 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { max-unacked-updates 10; load balance max seconds 3; } - {% endif %} +{% endif %} } } From 34b448faece84a67043d8bb9a21aee9f5dc2f4ed Mon Sep 17 00:00:00 2001 
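Review bot: In the `@@ -59` hunk the WiFi pool still ends its range with `subnet_ids.users_wired`: `range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wired }}.10.255;` spans two different /16s, which dhcpd rejects as not being on the declared subnet; it should read `range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wifi }}.10.255;`. Removing the `dhcp.authoritative` switch in the first hunk hard-codes `authoritative;`, which is right for the official servers but means any test deployment of this role will NAK clients of other servers on those VLANs — worth one comment line stating the assumption. The `{% if failover is defined %}` de-indent is fine; leading whitespace in dhcpd.conf is harmless.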
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 14:41:34 +0200 Subject: [PATCH 135/297] dhcp: implement failover peer configuration --- group_vars/dhcp/vars.yml | 4 ++ group_vars/pacaterie/dhcp.yml | 4 -- hosts | 4 +- .../templates/dhcp/dhcpd.conf.j2 | 40 ++++++++++++++----- 4 files changed, 37 insertions(+), 15 deletions(-) create mode 100644 group_vars/dhcp/vars.yml diff --git a/group_vars/dhcp/vars.yml b/group_vars/dhcp/vars.yml new file mode 100644 index 0000000..77933c1 --- /dev/null +++ b/group_vars/dhcp/vars.yml @@ -0,0 +1,4 @@ +--- +dhcp_failover: + primary_host: dhcp-{{ apartment_block }}.adm.auro.re + secondary_host: dhcp-{{ apartment_block }}-backup.adm.auro.re diff --git a/group_vars/pacaterie/dhcp.yml b/group_vars/pacaterie/dhcp.yml index 3fdf3c8..043d26d 100644 --- a/group_vars/pacaterie/dhcp.yml +++ b/group_vars/pacaterie/dhcp.yml @@ -5,7 +5,3 @@ subnet_ids: ap: 142 users_wired: 20 users_wifi: 21 - -failover: - own_address: 10.128.2.254 - peer_address: 10.128.2.154 diff --git a/hosts b/hosts index d8defaf..83a6c53 100644 --- a/hosts +++ b/hosts @@ -150,9 +150,9 @@ gs_pve [dhcp] dhcp-fleming.adm.auro.re -#dhcp-fleming-backup.adm.auro.re +dhcp-fleming-backup.adm.auro.re dhcp-pacaterie.adm.auro.re -#dhcp-pacaterie-backup.adm.auro.re +dhcp-pacaterie-backup.adm.auro.re #dhcp-edc.adm.auro.re #dhcp-gs.adm.auro.re diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 5ab2be5..da9f4d1 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 @@ -1,5 +1,5 @@ # dhcpd.conf -{{ ansible_managed }} +# {{ ansible_managed }} default-lease-time 86400; max-lease-time 86400; @@ -24,6 +24,7 @@ authoritative; # Use this to send dhcp log messages to a different log file (you also # have to hack syslog.conf to complete the redirection). +# XXX: This was enabled in one building and disabled in another. #log-facility local7; 
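Review bot: group_vars/dhcp/vars.yml defines `dhcp_failover` for every member of `[dhcp]` unconditionally, so a building that runs a single DHCP server (edc and gs have no `-backup` host active in the inventory hunk) will render a failover peer pointing at a host that does not exist; move the variable into the per-building `group_vars/<block>/dhcp.yml` files that actually have a pair, or guard on `groups['dhcp']` membership. The two templated values are unquoted plain scalars — `primary_host: "dhcp-{{ apartment_block }}.adm.auro.re"` is the safer form and matches how `password: "{{ ... }}"` is written elsewhere in the repo. A comment explaining that `inventory_hostname` is compared against these names in dhcpd.conf.j2 would also make clear why they must be the exact FQDNs used in `hosts`.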
@@ -65,21 +66,42 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list"; pool { - range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wired }}.10.255; + range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wifi }}.10.255; -{% if failover is defined %} - failover peer "dhcp-failover" { +{% if dhcp_failover is defined %} + failover peer "dhcp-failover"; +{% endif %} + } +} + +{% if dhcp_failover is defined %} +failover peer "dhcp-failover" { +{% if inventory_hostname == dhcp_failover.primary_host %} primary; - split 128; + + # MCLT = Maximum Client Lead Time. + # Must be specified on the primary, forbidden on the secondary. mclt 3600; - address {{ failover.own_address }}; + + # Address or DNS name on which this node listens for connections + # from its failover peer. + address {{ dhcp_failover.primary_host }}; + peer address {{ dhcp_failover.secondary_host }}; +{% endif %} +{% if inventory_hostname == dhcp_failover.secondary_host %} + secondary; + # Address and peer address are reversed on the secondary node. + address {{ dhcp_failover.secondary_host }}; + peer address {{ dhcp_failover.primary_host }}; +{% endif %} + + # The following options can be shared between primary and + # secondary failover peers. port 647; - peer address {{ failover.peer_address }}; peer port 647; + split 128; max-response-delay 30; max-unacked-updates 10; load balance max seconds 3; } {% endif %} - } -} From fc21a5fa3db470a30dccddfb83fa37e1a5e2367e Mon Sep 17 00:00:00 2001 From: F/Poutre Date: Mon, 6 Apr 2020 16:30:52 +0200 Subject: [PATCH 136/297] Update base.yml --- base.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/base.yml b/base.yml index a668ae5..bafc56b 100644 --- a/base.yml +++ b/base.yml 
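Review bot: The `failover peer "dhcp-failover";` reference inside the pool now precedes the `failover peer "dhcp-failover" { ... }` declaration, which is only emitted after the subnet block; dhcpd looks the peer up while parsing, so the declaration must come first — move it above the first `subnet` (the PATCH 141 hunk later does exactly this). `split 128;` sits in the shared section but is only valid on the primary; it belongs under `{% if inventory_hostname == dhcp_failover.primary_host %}`. A host that is in `[dhcp]` but matches neither `primary_host` nor `secondary_host` (a hostname typo, or a building without a `-backup` server) gets a peer block with no role at all, so an `assert` that `inventory_hostname in [dhcp_failover.primary_host, dhcp_failover.secondary_host]` before templating would turn that into a clear failure; the same applies to the extracted dhcp-failover.conf.j2 in the PATCH 142 hunk.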
@@ -10,12 +10,6 @@ roles: - ldap-client - -# Set up DHCP servers. -- hosts: dhcp - roles: - - isc-dhcp-server - # Clone LDAP on local geographic location # DON'T DO THIS AS IT RECREATES THE REPLICA #- hosts: ldap-replica From 7ed34f79bd1547d0fe6062bc5547c65b6f1b5d73 Mon Sep 17 00:00:00 2001 From: F/Poutre Date: Mon, 6 Apr 2020 16:31:32 +0200 Subject: [PATCH 137/297] Update network.yml --- network.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/network.yml b/network.yml index 0b5e51b..bcd31cc 100644 --- a/network.yml +++ b/network.yml @@ -1,4 +1,5 @@ --- +''' # Deploy DHCP - hosts: dhcp vars: @@ -14,6 +15,12 @@ roles: - re2o-service - isc-dhcp-server +''' + +# Set up DHCP servers. +- hosts: dhcp + roles: + - isc-dhcp-server # Deploy DNS - hosts: dns From 01439c2388609c67b0c91914339d2181148dd50d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 16:37:10 +0200 Subject: [PATCH 138/297] fix network.yml syntax --- network.yml | 32 +++++++++++++++----------------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/network.yml b/network.yml index bcd31cc..66dd260 100644 --- a/network.yml +++ b/network.yml @@ -1,21 +1,19 @@ --- -''' -# Deploy DHCP -- hosts: dhcp - vars: - service_repo: https://gitlab.federez.net/re2o/dhcp.git - service_name: dhcp - service_version: master - service_config: - hostname: re2o-server.adm.auro.re - username: service-user - password: "{{ vault_serviceuser_passwd }}" - dhcp: - authoritative: true - roles: - - re2o-service - - isc-dhcp-server -''' +## Deploy DHCP +#- hosts: dhcp +# vars: +# service_repo: https://gitlab.federez.net/re2o/dhcp.git +# service_name: dhcp +# service_version: master +# service_config: +# hostname: re2o-server.adm.auro.re +# username: service-user +# password: "{{ vault_serviceuser_passwd }}" +# dhcp: +# authoritative: true +# roles: +# - re2o-service +# - isc-dhcp-server # Set up DHCP servers. - hosts: dhcp 
From 89a0dc57abe8588a606705c85770f78ff13fd8f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 16:49:14 +0200 Subject: [PATCH 139/297] run corresponding re2o-service on DHCP servers --- network.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/network.yml b/network.yml index 66dd260..ffb109b 100644 --- a/network.yml +++ b/network.yml @@ -17,7 +17,16 @@ # Set up DHCP servers. - hosts: dhcp + vars: + service_repo: https://gitlab.federez.net/re2o/dhcp.git + service_name: dhcp + service_version: master + service_config: + hostname: re2o-server.adm.auro.re + username: service-user + password: "{{ vault_serviceuser_passwd }}" roles: + - re2o-service - isc-dhcp-server # Deploy DNS From e760f9ad91165098d53d68ab0ee2306853d1f7eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 16:53:59 +0200 Subject: [PATCH 140/297] re2o-service: fix hostname --- network.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network.yml b/network.yml index ffb109b..082df3d 100644 --- a/network.yml +++ b/network.yml @@ -22,7 +22,7 @@ service_name: dhcp service_version: master service_config: - hostname: re2o-server.adm.auro.re + hostname: re2o.adm.auro.re username: service-user password: "{{ vault_serviceuser_passwd }}" roles: From d323b78c168a655c3f126098be8fad79dbc1cb2a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 16:54:20 +0200 Subject: [PATCH 141/297] fix bogus dhcpd config - move failover peer declaration to beginning of file - set split only on primary - fix re2o-service hostname - add /etc/default/isc-dhcp-server --- network.yml | 2 +- roles/isc-dhcp-server/tasks/main.yml | 11 ++- .../templates/default/isc-dhcp-server.j2 | 18 +++++ .../templates/dhcp/dhcpd.conf.j2 | 67 ++++++++++--------- 4 files changed, 65 insertions(+), 33 deletions(-) create mode 100644 roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 
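Review bot: `service_version: master` in the new `vars` block checks out whatever the tip of `https://gitlab.federez.net/re2o/dhcp.git` happens to be on each run, and that code generates the `.list` files dhcpd includes; pin it to a tag or commit (`service_version: "<tag-or-sha>"`) so a push to that repository cannot silently change what the DHCP servers hand out. The block correctly keeps the service password behind `vault_serviceuser_passwd`, but `hostname:` is edited again in each of the next two commits (`re2o.adm.auro.re`, then `re2o.auro.re`), so a comment stating which endpoint the service user is meant to authenticate against, and whether it is reached over TLS, would help the next person.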
diff --git a/network.yml b/network.yml index 082df3d..f402921 100644 --- a/network.yml +++ b/network.yml @@ -22,7 +22,7 @@ service_name: dhcp service_version: master service_config: - hostname: re2o.adm.auro.re + hostname: re2o.auro.re username: service-user password: "{{ vault_serviceuser_passwd }}" roles: diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc-dhcp-server/tasks/main.yml index 0004081..c227e24 100644 --- a/roles/isc-dhcp-server/tasks/main.yml +++ b/roles/isc-dhcp-server/tasks/main.yml @@ -8,14 +8,21 @@ retries: 3 until: apt_result is succeeded + +- name: Configure /etc/default/isc-dhcp-server + template: + src: default/isc-dhcp-server.j2 + dest: /etc/default/isc-dhcp-server + mode: 0644 + - name: Configure isc-dhcp-server template: src: dhcp/dhcpd.conf.j2 dest: /etc/dhcp/dhcpd.conf mode: 0600 -- name: Ensure that isc-dhcp-server is started +- name: Ensure that isc-dhcp-server is started / reloaded systemd: name: isc-dhcp-server - state: started + state: restarted enabled: true diff --git a/roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 b/roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 new file mode 100644 index 0000000..83f7cae --- /dev/null +++ b/roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 @@ -0,0 +1,18 @@ +# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server) + +# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf). +#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf +#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf + +# Path to dhcpd's PID file (default: /var/run/dhcpd.pid). +#DHCPDv4_PID=/var/run/dhcpd.pid +#DHCPDv6_PID=/var/run/dhcpd6.pid + +# Additional options to start dhcpd with. +# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead +#OPTIONS="" + +# On what interfaces should the DHCP server (dhcpd) serve DHCP requests? +# Separate multiple interfaces with spaces, e.g. "eth0 eth1". +INTERFACESv4="ens19 ens20 ens21" +INTERFACESv6="" 
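Review bot: Changing the last task to `state: restarted` makes every play run bounce isc-dhcp-server even when nothing changed, which drops in-flight DHCP exchanges and breaks idempotence; keep `state: started` here and move the restart into a handler that the two `template` tasks `notify`. Quote the octal modes (`mode: "0644"`, `mode: "0600"`) — bare `0644` is parsed as an integer by YAML and ansible-lint flags it as risky. In the new isc-dhcp-server.j2, `INTERFACESv4="ens19 ens20 ens21"` duplicates the interface names hard-coded per subnet in dhcpd.conf.j2; rendering both from one variable would stop them drifting.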
diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index da9f4d1..1f2196e 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 @@ -28,6 +28,43 @@ authoritative; #log-facility local7; +# TODO: move this failover peer declaration to a separate file and include it. +{% if dhcp_failover is defined %} +failover peer "dhcp-failover" { +{% if inventory_hostname == dhcp_failover.primary_host %} + primary; + + # MCLT = Maximum Client Lead Time. + # Must be specified on the primary, forbidden on the secondary. + mclt 3600; + + # Address or DNS name on which this node listens for connections + # from its failover peer. + address {{ dhcp_failover.primary_host }}; + peer address {{ dhcp_failover.secondary_host }}; + + # Load balancing. + split 128; +{% endif %} +{% if inventory_hostname == dhcp_failover.secondary_host %} + secondary; + # Address and peer address are reversed on the secondary node. + address {{ dhcp_failover.secondary_host }}; + peer address {{ dhcp_failover.primary_host }}; +{% endif %} + + # The following options can be shared between primary and + # secondary failover peers. + port 647; + peer port 647; + max-response-delay 30; + max-unacked-updates 10; + load balance max seconds 3; + } +{% endif %} + + + # Bornes WiFi subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { interface "ens19"; 
@@ -74,34 +111,4 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { } } -{% if dhcp_failover is defined %} -failover peer "dhcp-failover" { -{% if inventory_hostname == dhcp_failover.primary_host %} - primary; - # MCLT = Maximum Client Lead Time. - # Must be specified on the primary, forbidden on the secondary. - mclt 3600; - - # Address or DNS name on which this node listens for connections - # from its failover peer. - address {{ dhcp_failover.primary_host }}; - peer address {{ dhcp_failover.secondary_host }}; -{% endif %} -{% if inventory_hostname == dhcp_failover.secondary_host %} - secondary; - # Address and peer address are reversed on the secondary node. - address {{ dhcp_failover.secondary_host }}; - peer address {{ dhcp_failover.primary_host }}; -{% endif %} - - # The following options can be shared between primary and - # secondary failover peers. - port 647; - peer port 647; - split 128; - max-response-delay 30; - max-unacked-updates 10; - load balance max seconds 3; - } -{% endif %} From 51fdb899404ce7585e3f53bb53f0d48231165abe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 17:28:04 +0200 Subject: [PATCH 142/297] extract dhcp-failover.conf into separate file --- roles/isc-dhcp-server/tasks/main.yml | 10 +++++- .../templates/dhcp/dhcp-failover.conf.j2 | 31 +++++++++++++++++ .../templates/dhcp/dhcpd.conf.j2 | 34 +------------------ 3 files changed, 41 insertions(+), 34 deletions(-) create mode 100644 roles/isc-dhcp-server/templates/dhcp/dhcp-failover.conf.j2 diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc-dhcp-server/tasks/main.yml index c227e24..171d782 100644 --- a/roles/isc-dhcp-server/tasks/main.yml +++ b/roles/isc-dhcp-server/tasks/main.yml 
@@ -15,7 +15,15 @@ dest: /etc/default/isc-dhcp-server mode: 0644 -- name: Configure isc-dhcp-server + +- name: Configure dhcp-failover.conf + template: + src: dhcp/dhcp-failover.conf.j2 + dest: /etc/dhcp/dhcp-failover.conf + mode: 0600 + when: dhcp_failover is defined + +- name: Configure dhcpd.conf template: src: dhcp/dhcpd.conf.j2 dest: /etc/dhcp/dhcpd.conf diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcp-failover.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcp-failover.conf.j2 new file mode 100644 index 0000000..6252343 --- /dev/null +++ b/roles/isc-dhcp-server/templates/dhcp/dhcp-failover.conf.j2 @@ -0,0 +1,31 @@ +failover peer "dhcp-failover" { +{% if inventory_hostname == dhcp_failover.primary_host %} + primary; + + # MCLT = Maximum Client Lead Time. + # Must be specified on the primary, forbidden on the secondary. + mclt 3600; + + # Address or DNS name on which this node listens for connections + # from its failover peer. + address {{ dhcp_failover.primary_host }}; + peer address {{ dhcp_failover.secondary_host }}; + + # Load balancing. + split 128; +{% endif %} +{% if inventory_hostname == dhcp_failover.secondary_host %} + secondary; + # Address and peer address are reversed on the secondary node. + address {{ dhcp_failover.secondary_host }}; + peer address {{ dhcp_failover.primary_host }}; +{% endif %} + + # The following options can be shared between primary and + # secondary failover peers. + port 647; + peer port 647; + max-response-delay 30; + max-unacked-updates 10; + load balance max seconds 3; +} diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 1f2196e..01b0a8d 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 
@@ -30,40 +30,8 @@ authoritative; # TODO: move this failover peer declaration to a separate file and include it. {% if dhcp_failover is defined %} -failover peer "dhcp-failover" { -{% if inventory_hostname == dhcp_failover.primary_host %} - primary; - - # MCLT = Maximum Client Lead Time. - # Must be specified on the primary, forbidden on the secondary. - mclt 3600; - - # Address or DNS name on which this node listens for connections - # from its failover peer. - address {{ dhcp_failover.primary_host }}; - peer address {{ dhcp_failover.secondary_host }}; - - # Load balancing. - split 128; +include "/etc/dhcp/dhcp-failover.conf"; {% endif %} -{% if inventory_hostname == dhcp_failover.secondary_host %} - secondary; - # Address and peer address are reversed on the secondary node. - address {{ dhcp_failover.secondary_host }}; - peer address {{ dhcp_failover.primary_host }}; -{% endif %} - - # The following options can be shared between primary and - # secondary failover peers. - port 647; - peer port 647; - max-response-delay 30; - max-unacked-updates 10; - load balance max seconds 3; - } -{% endif %} - - # Bornes WiFi subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { From 7347829494ee0e4d1d80dd09db3321fbb9928ee6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 17:42:54 +0200 Subject: [PATCH 143/297] tackle logs --- roles/isc-dhcp-server/tasks/main.yml | 14 +++++++++++++- roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 | 5 +---- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc-dhcp-server/tasks/main.yml index 171d782..269843e 100644 --- a/roles/isc-dhcp-server/tasks/main.yml +++ b/roles/isc-dhcp-server/tasks/main.yml 
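Review bot: The `# TODO: move this failover peer declaration to a separate file and include it.` line survives the very hunk that does that, so it now sits above a bare `include`; replace it with a comment describing the new arrangement, e.g. `# Failover peer definition, rendered from dhcp-failover.conf.j2 only when dhcp_failover is defined.` The `{% if dhcp_failover is defined %}` guard here and the `when: dhcp_failover is defined` on the template task in the same commit must stay in sync, otherwise dhcpd would include a file that was never written — a one-line comment on either side pointing at the other makes that dependency visible.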
@@ -8,6 +8,19 @@ retries: 3 until: apt_result is succeeded +- name: Ensure dhcp log directory exists + file: + path: /var/log/dhcp + owner: root + group: root + mode: u=rwx,g=rx,a=rx + state: directory + +- name: Ensute rsyslog knows where to send dhcp logs + lineinfile: + path: /etc/rsyslog.conf + regexp: '^local7[.][*]' + line: "local7.* /var/log/dhcp/dhcpd.log" - name: Configure /etc/default/isc-dhcp-server template: @@ -15,7 +28,6 @@ dest: /etc/default/isc-dhcp-server mode: 0644 - - name: Configure dhcp-failover.conf template: src: dhcp/dhcp-failover.conf.j2 diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 01b0a8d..9b166c2 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 @@ -22,10 +22,7 @@ ddns-update-style none; # network, the authoritative directive should be uncommented. authoritative; -# Use this to send dhcp log messages to a different log file (you also -# have to hack syslog.conf to complete the redirection). -# XXX: This was enabled in one building and disabled in another. -#log-facility local7; +log-facility local7; # TODO: move this failover peer declaration to a separate file and include it. From 6cce62850dbbf336413c02ce7bf2830fa556ea5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 17:58:02 +0200 Subject: [PATCH 144/297] dhcp: configure log rotation --- roles/isc-dhcp-server/tasks/main.yml | 16 +++++++++++++--- .../templates/logrotate.d/dhcp.j2 | 11 +++++++++++ 2 files changed, 24 insertions(+), 3 deletions(-) create mode 100644 roles/isc-dhcp-server/templates/logrotate.d/dhcp.j2 diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc-dhcp-server/tasks/main.yml index 269843e..2916941 100644 --- a/roles/isc-dhcp-server/tasks/main.yml +++ b/roles/isc-dhcp-server/tasks/main.yml 
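Review bot: `mode: u=rwx,g=rx,a=rx` on the /var/log/dhcp task does not give 0755: symbolic `a=` applies to user, group and other, so the last clause resets all three classes to r-x and the result is 0555 (root still writes thanks to DAC override, which hides the mistake). Since dhcpd.log will hold client MAC addresses and hostnames, a restrictive directory such as `mode: "0750"` with `group: adm` (matching the root:adm 0640 files Debian's rsyslog creates by default, if that default is in place here) is a better fix than correcting it to `o=rx`. Separately, the appended `local7.*` rule is not followed by `& stop`, so presumably the same lines keep landing in /var/log/syslog as well — worth a comment either way.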
@@ -16,11 +16,21 @@ mode: u=rwx,g=rx,a=rx state: directory -- name: Ensute rsyslog knows where to send dhcp logs +- name: Ensure rsyslog knows where to send dhcp logs lineinfile: path: /etc/rsyslog.conf - regexp: '^local7[.][*]' - line: "local7.* /var/log/dhcp/dhcpd.log" + line: "local7.* /var/log/dhcp/dhcpd.log" + +- name: Configure dhcp log rotation + template: + src: logrotate.d/dhcp.j2 + dest: /etc/logrotate.d/dhcp + mode: 0644 + +- name: restart rsyslog + systemd: + name: rsyslog + state: restarted - name: Configure /etc/default/isc-dhcp-server template: diff --git a/roles/isc-dhcp-server/templates/logrotate.d/dhcp.j2 b/roles/isc-dhcp-server/templates/logrotate.d/dhcp.j2 new file mode 100644 index 0000000..9823aed --- /dev/null +++ b/roles/isc-dhcp-server/templates/logrotate.d/dhcp.j2 @@ -0,0 +1,11 @@ +/var/log/dhcp/dhcpd.log { + # common options + daily + rotate 365 + missingok + compress + delaycompress + notifempty + + copytruncate +} From 8579b99b2ee239b122b58eab9c715a6a55b79ab9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 19:03:10 +0200 Subject: [PATCH 145/297] dhcp: cron.d entry + let main.py restart the server --- roles/isc-dhcp-server/tasks/main.yml | 19 +++++++++++++------ .../templates/cron.d/re2o-services | 4 ++++ 2 files changed, 17 insertions(+), 6 deletions(-) create mode 100644 roles/isc-dhcp-server/templates/cron.d/re2o-services diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc-dhcp-server/tasks/main.yml index 2916941..4d6ef54 100644 --- a/roles/isc-dhcp-server/tasks/main.yml +++ b/roles/isc-dhcp-server/tasks/main.yml 
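Review bot: `- name: restart rsyslog` is a plain task, so rsyslog is restarted on every run of the role whether or not the lineinfile or logrotate tasks changed anything; it should be a handler in roles/isc-dhcp-server/handlers/main.yml with `notify: restart rsyslog` on the two tasks that edit its configuration. With `copytruncate` rsyslog keeps the old file open and lines written between the copy and the truncate are lost; Debian ships `/usr/lib/rsyslog/rsyslog-rotate` for a `postrotate` script, which avoids that window. `rotate 365` also means a year of client MAC/hostname history on disk — confirm that matches the retention policy and state it in a comment above `rotate 365`.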
@@ -27,6 +27,19 @@ dest: /etc/logrotate.d/dhcp mode: 0644 +- name: set up cron to reload dhcp re2o service + cron: + # Do not change this name or idempotence *might* be lost. + name: dhcp-re2o-service + cron_file: re2o-services + minute: "*" + hour: "*" + day: "*" + weekday: "*" + month: "*" + user: root + job: "/usr/bin/python3 /var/local/re2o-services/dhcp/main.py" + - name: restart rsyslog systemd: name: rsyslog @@ -50,9 +63,3 @@ src: dhcp/dhcpd.conf.j2 dest: /etc/dhcp/dhcpd.conf mode: 0600 - -- name: Ensure that isc-dhcp-server is started / reloaded - systemd: - name: isc-dhcp-server - state: restarted - enabled: true diff --git a/roles/isc-dhcp-server/templates/cron.d/re2o-services b/roles/isc-dhcp-server/templates/cron.d/re2o-services new file mode 100644 index 0000000..abc05dd --- /dev/null +++ b/roles/isc-dhcp-server/templates/cron.d/re2o-services @@ -0,0 +1,4 @@ +# Régénération des services re2o + +# Régénération du dhcp +* * * * * root /usr/bin/python3 /var/local/re2o-services/dhcp/main.py From 8fee0857c139e7ced6e51e5179464d860759a69f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 19:03:38 +0200 Subject: [PATCH 146/297] re2o-service: force clone git repository --- roles/re2o-service/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/re2o-service/tasks/main.yml b/roles/re2o-service/tasks/main.yml index 473a4d7..74ac8fd 100644 --- a/roles/re2o-service/tasks/main.yml +++ b/roles/re2o-service/tasks/main.yml @@ -9,6 +9,7 @@ repo: "{{ service_repo }}" dest: "{{ service_homedir }}/{{ service_name }}" version: "{{ service_version }}" + force: true become: true become_user: "{{ service_user }}" From 9b043d95d379d62305590a3cd00be46b85647a67 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 19:06:53 +0200 Subject: [PATCH 147/297] dhcp: don't touch pacaterie yet --- hosts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
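Review bot: The new cron entry runs `/usr/bin/python3 /var/local/re2o-services/dhcp/main.py` as root every minute, while the re2o-service role in this same series clones that code as `{{ service_user }}` with `force: true` from a remote repository, so — assuming `service_homedir` resolves to /var/local/re2o-services — anyone who can write to that checkout or to the upstream repo gets root on the DHCP server within a minute. Running the job as the service user and granting it only `systemctl reload isc-dhcp-server` through a narrow sudoers rule (or a root-owned wrapper) keeps the config-generation step unprivileged. Note also that `templates/cron.d/re2o-services` is not referenced by any task here — the `cron` module writes /etc/cron.d/re2o-services itself — and that removing the `enabled: true` task leaves service enablement to the package's defaults.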
diff --git a/hosts b/hosts index 83a6c53..c5561a3 100644 --- a/hosts +++ b/hosts @@ -151,8 +151,8 @@ gs_pve [dhcp] dhcp-fleming.adm.auro.re dhcp-fleming-backup.adm.auro.re -dhcp-pacaterie.adm.auro.re -dhcp-pacaterie-backup.adm.auro.re +#dhcp-pacaterie.adm.auro.re +#dhcp-pacaterie-backup.adm.auro.re #dhcp-edc.adm.auro.re #dhcp-gs.adm.auro.re From b3712ed3354cef44c015b38c16aa6d2d7897ce77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 13 Apr 2020 16:35:09 +0200 Subject: [PATCH 148/297] unbound: initial deployment --- group_vars/edc/ldap_local_replica.yml | 4 + group_vars/fleming/{dhcp.yml => main.yml} | 0 group_vars/pacaterie/{dhcp.yml => main.yml} | 0 hosts | 6 +- network.yml | 47 +++++------ roles/unbound/tasks/main.yml | 25 ++++++ roles/unbound/templates/recursive.conf.j2 | 89 +++++++++++++++++++++ roles/unbound/templates/unbound.conf.j2 | 10 +++ 8 files changed, 152 insertions(+), 29 deletions(-) create mode 100644 group_vars/edc/ldap_local_replica.yml rename group_vars/fleming/{dhcp.yml => main.yml} (100%) rename group_vars/pacaterie/{dhcp.yml => main.yml} (100%) create mode 100644 roles/unbound/tasks/main.yml create mode 100644 roles/unbound/templates/recursive.conf.j2 create mode 100644 roles/unbound/templates/unbound.conf.j2 diff --git a/group_vars/edc/ldap_local_replica.yml b/group_vars/edc/ldap_local_replica.yml new file mode 100644 index 0000000..bad6801 --- /dev/null +++ b/group_vars/edc/ldap_local_replica.yml @@ -0,0 +1,4 @@ +--- +ldap_local_replica_uri: + - 'ldap://ldap-replica-edc.adm.auro.re' + diff --git a/group_vars/fleming/dhcp.yml b/group_vars/fleming/main.yml similarity index 100% rename from group_vars/fleming/dhcp.yml rename to group_vars/fleming/main.yml diff --git a/group_vars/pacaterie/dhcp.yml b/group_vars/pacaterie/main.yml similarity index 100% rename from group_vars/pacaterie/dhcp.yml rename to group_vars/pacaterie/main.yml diff --git a/hosts b/hosts index c5561a3..8bdbb48 100644 --- a/hosts +++ b/hosts 
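Review bot: `ldap://ldap-replica-edc.adm.auro.re` selects plaintext LDAP on port 389, and nothing in this file asks for StartTLS, so unless the ldap-client role (not visible here) forces it, binds and lookups cross the adm network in the clear. If the replica serves TLS, `ldaps://ldap-replica-edc.adm.auro.re` is the one-line fix; otherwise a comment on the line naming which side enforces StartTLS would save the next reader the check.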
@@ -149,15 +149,15 @@ edc_pve gs_pve [dhcp] -dhcp-fleming.adm.auro.re +#dhcp-fleming.adm.auro.re dhcp-fleming-backup.adm.auro.re #dhcp-pacaterie.adm.auro.re #dhcp-pacaterie-backup.adm.auro.re #dhcp-edc.adm.auro.re #dhcp-gs.adm.auro.re -[dns] -#dns-fleming.adm.auro.re +[recursive_dns] +dns-fleming.adm.auro.re #dns-fleming-backup.adm.auro.re #dns-pacaterie.adm.auro.re #dns-pacaterie-backup.adm.auro.re diff --git a/network.yml b/network.yml index f402921..70c5641 100644 --- a/network.yml +++ b/network.yml @@ -1,20 +1,4 @@ --- -## Deploy DHCP -#- hosts: dhcp -# vars: -# service_repo: https://gitlab.federez.net/re2o/dhcp.git -# service_name: dhcp -# service_version: master -# service_config: -# hostname: re2o-server.adm.auro.re -# username: service-user -# password: "{{ vault_serviceuser_passwd }}" -# dhcp: -# authoritative: true -# roles: -# - re2o-service -# - isc-dhcp-server - # Set up DHCP servers. - hosts: dhcp vars: @@ -29,18 +13,29 @@ - re2o-service - isc-dhcp-server -# Deploy DNS -- hosts: dns + + +# Deploy unbound DNS server (recursive). +- hosts: recursive_dns vars: - service_repo: https://gitlab.crans.org/nounous/re2o-dns.git - service_name: dns - service_version: crans - service_config: - hostname: re2o-server.adm.auro.re - username: service-user - password: "{{ vault_serviceuser_passwd }}" + - dns_host_suffix: 253 roles: - - re2o-service + - unbound + + +# WIP: Deploy authoritative DNS servers +# - hosts: authoritative_dns +# vars: +# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git +# service_name: dns +# service_version: crans +# service_config: +# hostname: re2o-server.adm.auro.re +# username: service-user +# password: "{{ vault_serviceuser_passwd }}" +# roles: +# - re2o-service + # Deploy Unifi Controller #- hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml new file mode 100644 index 0000000..6358173 --- /dev/null +++ b/roles/unbound/tasks/main.yml 
@@ -0,0 +1,25 @@
+---
+
+- name: install unbound
+ apt:
+ update_cache: true
+ name: unbound
+ state: present
+
+- name: setup main unbound config file
+ template:
+ src: unbound.conf.j2
+ dest: /etc/unbound/unbound.conf
+ mode: 0644
+
+- name: setup recursive DNS server config
+ template:
+ src: recursive.conf.j2
+ dest: /etc/unbound/unbound.conf.d/recursive.conf
+ mode: 0644
+
+
+- name: restart unbound after editing config
+ systemd:
+ state: restarted
+ name: unbound
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
new file mode 100644
index 0000000..1660ccb
--- /dev/null
+++ b/roles/unbound/templates/recursive.conf.j2
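Review bot: `- name: restart unbound after editing config` is an unconditional task, so unbound is restarted — and its cache dropped — on every run even when neither template changed; make it a handler and `notify` it from the two template tasks. Adding `validate: 'unbound-checkconf %s'` to the recursive.conf task would reject a broken fragment before the restart (the file starts with `server:`, so unbound-checkconf can, as far as I know, check it on its own). The `apt` task also lacks the `register`/`retries`/`until` pattern the other roles in this repository use for remote package installs.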
@@ -0,0 +1,89 @@ +server: + verbosity: 1 + use-syslog: yes + logfile: "/var/log/unbound.log" + log-time-ascii: yes + + # IP addresses on which to listen. + interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }} + interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }} + interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }} + + + # By default, anything other than localhost is refused. + # Whitelist some subnets: + access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow + access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow + access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow + + do-ip4: yes + # FIXME: IPv6 deployment... someday... + do-ip6: no + + do-udp: yes + do-tcp: yes + + num-threads: {{ ansible_processor_vcpus }} + + # power of 2 close to num-threads + # TODO: compute this dynamically w/ Ansible + msg-cache-slabs: 16 + rrset-cache-slabs: 16 + infra-cache-slabs: 16 + key-cache-slabs: 16 + + # Read the root hints from this file + # FIXME: missing file. + # root-hints: "/var/lib/unbound/root.hints" + + harden-referral-path: yes + use-caps-for-id: yes + hide-identity: yes + hide-version: yes + harden-glue: yes + harden-dnssec-stripped: yes + + # the time to live (TTL) value lower bound, in seconds. Default 0. + # If more than an hour could easily give trouble due to stale data. + # WARNING : against protocol rule but efficient against stupidly too low TTLs + + cache-min-ttl: 3600 + + # the time to live (TTL) value cap for RRsets and messages in the + # cache. Items are not cached for longer. In seconds. + cache-max-ttl: 86400 + + prefetch: yes + + # If nonzero, unwanted replies are not only reported in statistics, but also + # a running total is kept per thread. If it reaches the threshold, a warning + # is printed and a defensive action is taken, the cache is cleared to flush + # potential poison out of it. A suggested value is 10000000, the default is + # 0 (turned off). We think 10K is a good value. 
+ unwanted-reply-threshold: 10000 + + # Should additional section of secure message also be kept clean of unsecure + # data. Useful to shield the users of this validator from potential bogus + # data in the additional section. All unsigned data in the additional section + # is removed from secure messages. + val-clean-additional: yes + + # Log validation failures + val-log-level: 2 + + + private-address: 10.0.0.0/8 + + # Optimise + # https://unbound.net/documentation/howto_optimise.html + + # Faster UDP with multithreading (only on Linux). + so-reuseport: yes + + # Taille du cache + rrset-cache-size: 100m + msg-cache-size: 50m + + # gestion DNSSEC + harden-below-nxdomain: yes + harden-dnssec-stripped: yes diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2 new file mode 100644 index 0000000..b2d7672 --- /dev/null +++ b/roles/unbound/templates/unbound.conf.j2 @@ -0,0 +1,10 @@ +# Unbound configuration file for Debian. +# +# See the unbound.conf(5) man page. +# +# See /usr/share/doc/unbound/examples/unbound.conf for a commented +# reference config file. +# +# The following line includes additional configuration files from the +# /etc/unbound/unbound.conf.d directory. +include: "/etc/unbound/unbound.conf.d/*.conf" From f05e92dc5ef67a7679201b0a0bf887c0ffb5d4f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 13 Apr 2020 18:24:45 +0200 Subject: [PATCH 149/297] unbound: remove unchecked configuration keys --- roles/unbound/templates/recursive.conf.j2 | 78 ++--------------------- 1 file changed, 6 insertions(+), 72 deletions(-) diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index 1660ccb..f650b6c 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 
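Review bot: `private-address: 10.0.0.0/8` without a matching `private-domain` tells unbound to strip any 10.x address from every answer (rebind protection), so an auro.re name that resolves to one of the 10.x addresses this playbook hands out will come back empty or be marked bogus for clients; add `private-domain: "auro.re"` next to it, or drop `private-address` entirely if rebind protection is not wanted. `harden-dnssec-stripped: yes` appears twice in the block, which is harmless but confusing. `cache-min-ttl: 3600` deliberately violates the protocol, as its own comment says — a note on who must be told when a record change has to propagate within the hour would make the trade-off visible.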
@@ -1,9 +1,11 @@
 server:
- verbosity: 1
- use-syslog: yes
- logfile: "/var/log/unbound.log"
+ # Timestamps use UTC ASCII instead of UNIX epoch.
 log-time-ascii: yes
-
+
+ do-ip4: yes
+ # FIXME: IPv6 deployment... someday...
+ do-ip6: no
+
 # IP addresses on which to listen.
 interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
 interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
@@ -16,74 +18,6 @@ server: access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow - do-ip4: yes - # FIXME: IPv6 deployment... someday... - do-ip6: no - - do-udp: yes - do-tcp: yes - num-threads: {{ ansible_processor_vcpus }} - - # power of 2 close to num-threads - # TODO: compute this dynamically w/ Ansible - msg-cache-slabs: 16 - rrset-cache-slabs: 16 - infra-cache-slabs: 16 - key-cache-slabs: 16 - - # Read the root hints from this file - # FIXME: missing file. - # root-hints: "/var/lib/unbound/root.hints" - - harden-referral-path: yes - use-caps-for-id: yes - hide-identity: yes - hide-version: yes - harden-glue: yes - harden-dnssec-stripped: yes - - # the time to live (TTL) value lower bound, in seconds. Default 0. - # If more than an hour could easily give trouble due to stale data. - # WARNING : against protocol rule but efficient against stupidly too low TTLs - - cache-min-ttl: 3600 - - # the time to live (TTL) value cap for RRsets and messages in the - # cache. Items are not cached for longer. In seconds. - cache-max-ttl: 86400 - - prefetch: yes - - # If nonzero, unwanted replies are not only reported in statistics, but also - # a running total is kept per thread. If it reaches the threshold, a warning - # is printed and a defensive action is taken, the cache is cleared to flush - # potential poison out of it. A suggested value is 10000000, the default is - # 0 (turned off). We think 10K is a good value. - unwanted-reply-threshold: 10000 - - # Should additional section of secure message also be kept clean of unsecure - # data. Useful to shield the users of this validator from potential bogus - # data in the additional section. All unsigned data in the additional section - # is removed from secure messages. 
- val-clean-additional: yes - - # Log validation failures - val-log-level: 2 - private-address: 10.0.0.0/8 - - # Optimise - # https://unbound.net/documentation/howto_optimise.html - - # Faster UDP with multithreading (only on Linux). - so-reuseport: yes - - # Taille du cache - rrset-cache-size: 100m - msg-cache-size: 50m - - # gestion DNSSEC - harden-below-nxdomain: yes - harden-dnssec-stripped: yes From 7275ebda47f48df7af5d3f553e6c2034bc281dcb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 15:39:32 +0200 Subject: [PATCH 150/297] dhcp: ask clients to use our DNS servers --- group_vars/all/vars.yml | 14 ++++++++++++++ network.yml | 2 -- roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 | 14 ++++++++------ 3 files changed, 22 insertions(+), 8 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index d55fd60..0cb89fc 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -36,3 +36,17 @@ monitoring_mail: 'monitoring.aurore@lists.crans.org' matrix_webhooks_secret: "{{ vault_matrix_webhooks_secret }}" matrix_discord_client_id: "559305991494303747" matrix_discord_bot_token: "{{ vault_matrix_discord_bot_token }}" + +### +# DNS +### + +# Dernier octet (en décimal) de l'addresse des serveurs DNS récursifs de chaque +# résidence. +dns_host_suffix: 253 + +upstream_dns_servers: + - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) + - "1.1.1.1" # Cloudflare + + diff --git a/network.yml b/network.yml index 70c5641..9e8980c 100644 --- a/network.yml +++ b/network.yml @@ -17,8 +17,6 @@ # Deploy unbound DNS server (recursive). - hosts: recursive_dns - vars: - - dns_host_suffix: 253 roles: - unbound diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 9b166c2..47da1d9 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 
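Review bot: Several of the keys removed here are off by default in the unbound versions I am familiar with, so this is a hardening regression rather than only a cleanup: `hide-identity`, `hide-version`, `use-caps-for-id`, `harden-referral-path` and `unwanted-reply-threshold` all revert to disabled, whereas `harden-glue`, `harden-dnssec-stripped` and `val-clean-additional` default to yes and lose nothing. Restoring at least `hide-identity: yes`, `hide-version: yes` and `use-caps-for-id: yes` (the cheap anti-spoofing measure) costs nothing operationally. If a key was dropped because it caused a problem, a comment saying which one would stop someone re-adding it.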
@@ -1,4 +1,3 @@ -# dhcpd.conf # {{ ansible_managed }} default-lease-time 86400; @@ -8,8 +7,6 @@ max-lease-time 86400; # The MTU theoretically could go as high as 1496 (4-byte VLAN tag). option interface-mtu 1400; -# XXX: hardcoded DNS for now -option domain-name-servers 80.67.169.12, 1.1.1.1; option root-path "/"; # The ddns-updates-style parameter controls whether or not the server will @@ -24,8 +21,6 @@ authoritative; log-facility local7; - -# TODO: move this failover peer declaration to a separate file and include it. {% if dhcp_failover is defined %} include "/etc/dhcp/dhcp-failover.conf"; {% endif %} @@ -38,6 +33,8 @@ subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { option routers 10.{{ subnet_ids.ap }}.0.250; option domain-name "borne.auro.re"; option domain-search "borne.auro.re"; + + option domain-name-servers 10.{{ subnet_ids.ap }}.0.253, {{ upstream_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list"; deny unknown-clients; @@ -51,6 +48,9 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { option routers 10.{{ subnet_ids.users_wired }}.0.240; option domain-name "fil.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; + + option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.253, {{ upstream_dns_servers|join(', ') }}; + include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list"; deny unknown-clients; @@ -65,6 +65,9 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { option routers 10.{{ subnet_ids.users_wifi }}.0.240; option domain-name "wifi.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; + + option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.253, {{ upstream_dns_servers|join(', ') }}; + include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list"; pool { @@ -76,4 +79,3 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { } } - 
From 1777d0e154f09e754710c583cdf7437d3c8f8430 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 15:42:31 +0200 Subject: [PATCH 151/297] unbound: log to /var/log/unbound.log, errors only --- roles/unbound/templates/recursive.conf.j2 | 7 +++++++ roles/unbound/templates/unbound.conf.j2 | 2 ++ 2 files changed, 9 insertions(+) diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index f650b6c..f5f7f69 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 @@ -1,7 +1,14 @@ +# {{ ansible_managed }} + server: # Timestamps use UTC ASCII instead of UNIX epoch. log-time-ascii: yes + logfile: /var/log/unbound.log + + # Only log errors. + verbosity: 0 + do-ip4: yes # FIXME: IPv6 deployment... someday... do-ip6: no diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2 index b2d7672..ee9a1cf 100644 --- a/roles/unbound/templates/unbound.conf.j2 +++ b/roles/unbound/templates/unbound.conf.j2 @@ -1,3 +1,5 @@ +# {{ ansible_managed }} +# # Unbound configuration file for Debian. # # See the unbound.conf(5) man page. From bfc7d542df8d82ed922371cfc80c3bd9d051f2d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 15:43:39 +0200 Subject: [PATCH 152/297] hosts: add all DNS VMs from fleming and pacaterie --- hosts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts b/hosts index 8bdbb48..e731c4c 100644 --- a/hosts +++ b/hosts @@ -158,9 +158,9 @@ dhcp-fleming-backup.adm.auro.re [recursive_dns] dns-fleming.adm.auro.re -#dns-fleming-backup.adm.auro.re -#dns-pacaterie.adm.auro.re -#dns-pacaterie-backup.adm.auro.re +dns-fleming-backup.adm.auro.re +dns-pacaterie.adm.auro.re +dns-pacaterie-backup.adm.auro.re #dns-edc.adm.auro.re #dns-gs.adm.auro.re From 22166bc69bef0f0ba9eb5c8623ba6e178053a4dd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 16:23:57 +0200 Subject: [PATCH 153/297] unbound: log to journalctl --- group_vars/all/vars.yml | 2 +- hosts | 2 +- roles/unbound/tasks/main.yml | 1 - roles/unbound/templates/recursive.conf.j2 | 6 ++++-- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 0cb89fc..153e4f5 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -49,4 +49,4 @@ upstream_dns_servers: - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) - "1.1.1.1" # Cloudflare - +unbound_log_file: "/var/log/unbound.log" diff --git a/hosts b/hosts index e731c4c..0fc686d 100644 --- a/hosts +++ b/hosts @@ -150,7 +150,7 @@ gs_pve [dhcp] #dhcp-fleming.adm.auro.re -dhcp-fleming-backup.adm.auro.re +#dhcp-fleming-backup.adm.auro.re #dhcp-pacaterie.adm.auro.re #dhcp-pacaterie-backup.adm.auro.re #dhcp-edc.adm.auro.re diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 6358173..4dfaa59 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -18,7 +18,6 @@ dest: /etc/unbound/unbound.conf.d/recursive.conf mode: 0644 - - name: restart unbound after editing config systemd: state: restarted diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index f5f7f69..ebfd445 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 @@ -4,11 +4,13 @@ server: # Timestamps use UTC ASCII instead of UNIX epoch. log-time-ascii: yes - logfile: /var/log/unbound.log - # Only log errors. verbosity: 0 + # "" sends logs to stderr, journalctl will pick things up. + logfile: "" + + do-ip4: yes # FIXME: IPv6 deployment... someday... do-ip6: no From b57fa6e356b529568151f6b1a70dbd2928e4eb67 Mon Sep 17 00:00:00 2001 
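Review bot: The comment `# "" sends logs to stderr, journalctl will pick things up.` explains the mechanism imprecisely: with unbound's default `use-syslog: yes` (which this template never overrides) messages go through syslog regardless of `logfile`, which is presumably also why the previous commit's `/var/log/unbound.log` did not behave as hoped; suggest `# use-syslog defaults to yes, so messages reach journald via syslog; logfile is left empty on purpose.` The `unbound_log_file` variable added to group_vars/all/vars.yml in the same commit is not referenced by the template, so it is dead as of this change.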
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 16:51:37 +0200 Subject: [PATCH 154/297] dhcp: use backup DNS servers too --- roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 47da1d9..4c352ea 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 @@ -34,7 +34,7 @@ subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { option domain-name "borne.auro.re"; option domain-search "borne.auro.re"; - option domain-name-servers 10.{{ subnet_ids.ap }}.0.253, {{ upstream_dns_servers|join(', ') }}; + option domain-name-servers 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_backup }}, {{ upstream_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list"; deny unknown-clients; @@ -49,7 +49,7 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { option domain-name "fil.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; - option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.253, {{ upstream_dns_servers|join(', ') }}; + option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ upstream_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list"; 
@@ -66,7 +66,7 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { option domain-name "wifi.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; - option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.253, {{ upstream_dns_servers|join(', ') }}; + option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ upstream_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list"; From a0651d770378f02dcfd1776b522a96f5de7958ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 16:52:13 +0200 Subject: [PATCH 155/297] unbound: bind to the right addresses on backup hosts --- group_vars/all/vars.yml | 4 ++-- hosts | 13 +++++++++++-- roles/unbound/tasks/main.yml | 10 ++++++++++ 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 153e4f5..5c438a9 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -43,10 +43,10 @@ matrix_discord_bot_token: "{{ vault_matrix_discord_bot_token }}" # Dernier octet (en décimal) de l'addresse des serveurs DNS récursifs de chaque # résidence. -dns_host_suffix: 253 +dns_host_suffix_main: 253 +dns_host_suffix_backup: 153 upstream_dns_servers: - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) - "1.1.1.1" # Cloudflare -unbound_log_file: "/var/log/unbound.log" diff --git a/hosts b/hosts index 0fc686d..9ec7bef 100644 --- a/hosts +++ b/hosts @@ -156,11 +156,20 @@ gs_pve #dhcp-edc.adm.auro.re #dhcp-gs.adm.auro.re -[recursive_dns] +[recursive_dns:children] +rdns_main +rdns_backup + +[rdns_main] dns-fleming.adm.auro.re -dns-fleming-backup.adm.auro.re dns-pacaterie.adm.auro.re + +[rdns_backup] +dns-fleming-backup.adm.auro.re dns-pacaterie-backup.adm.auro.re + + +# FIXME: #dns-edc.adm.auro.re #dns-gs.adm.auro.re 
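Review bot: `dns_host_suffix_main` and `dns_host_suffix_backup` are used in all three `option domain-name-servers` lines but only defined in the following commit's group_vars change, so this commit does not render dhcpd.conf on its own and bisecting through it will fail; the variable definitions belong in the same commit. A short comment above the first use, e.g. `# .{{ dns_host_suffix_main }} / .{{ dns_host_suffix_backup }}: main and backup unbound of this residence`, would also save readers a trip to group_vars.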
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 4dfaa59..18f99ce 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -1,5 +1,15 @@ --- +# This is used to let unbound bind to the right IP addresses. +- set_fact: + dns_host_suffix: "{{ dns_host_suffix_main }}" + when: "'rdns_main' in group_names" + +- set_fact: + dns_host_suffix: "{{ dns_host_suffix_backup }}" + when: "'rdns_backup' in group_names" + + - name: install unbound apt: update_cache: true From 12022389c4523e875fb571790d420a8e9103bcf2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 16:57:18 +0200 Subject: [PATCH 156/297] hosts: enable dhcp deployment on fleming --- hosts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts b/hosts index 9ec7bef..f1ac5fd 100644 --- a/hosts +++ b/hosts @@ -149,8 +149,8 @@ edc_pve gs_pve [dhcp] -#dhcp-fleming.adm.auro.re -#dhcp-fleming-backup.adm.auro.re +dhcp-fleming.adm.auro.re +dhcp-fleming-backup.adm.auro.re #dhcp-pacaterie.adm.auro.re #dhcp-pacaterie-backup.adm.auro.re #dhcp-edc.adm.auro.re From 662452065fd0168c7afad42a49f991970507707d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 17:06:38 +0200 Subject: [PATCH 157/297] dhcp: remove Cloudflare from backup DNS and rename variable, since these are not technically upstream DNS servers (unbound will ask the root servers, not these) --- group_vars/all/vars.yml | 3 +-- roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 | 6 +++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 5c438a9..be601da 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml 
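Review bot: The two `set_fact` tasks pick `dns_host_suffix` by group membership, so a host listed in both `rdns_main` and `rdns_backup` silently gets the backup suffix (the second task wins) and a host in neither leaves the variable undefined until the template task fails with a less obvious error. A guard before them makes the inventory invariant explicit: `- assert:` / `    that: "('rdns_main' in group_names) != ('rdns_backup' in group_names)"` / `    fail_msg: host must be in exactly one of rdns_main, rdns_backup`.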
@@ -46,7 +46,6 @@ matrix_discord_bot_token: "{{ vault_matrix_discord_bot_token }}" dns_host_suffix_main: 253 dns_host_suffix_backup: 153 -upstream_dns_servers: +backup_dns_servers: - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) - - "1.1.1.1" # Cloudflare diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 4c352ea..f0a35fe 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 @@ -34,7 +34,7 @@ subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { option domain-name "borne.auro.re"; option domain-search "borne.auro.re"; - option domain-name-servers 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_backup }}, {{ upstream_dns_servers|join(', ') }}; + option domain-name-servers 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list"; deny unknown-clients; @@ -49,7 +49,7 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { option domain-name "fil.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; - option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ upstream_dns_servers|join(', ') }}; + option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list"; 
@@ -66,7 +66,7 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { option domain-name "wifi.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; - option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ upstream_dns_servers|join(', ') }}; + option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list"; From ded5f38aecfa6732c37f31c0bf8b9b40076afce5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 17:36:25 +0200 Subject: [PATCH 158/297] unbound: name set_fact tasks --- roles/unbound/tasks/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 18f99ce..44a4358 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -1,11 +1,13 @@ --- # This is used to let unbound bind to the right IP addresses. -- set_fact: +- name: set dns_host_suffix (main) + set_fact: dns_host_suffix: "{{ dns_host_suffix_main }}" when: "'rdns_main' in group_names" -- set_fact: +- name: set dns_host_suffix (backup) + set_fact: dns_host_suffix: "{{ dns_host_suffix_backup }}" when: "'rdns_backup' in group_names" From bac131791b80f6caf6da5293f361e975d9ee2087 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Tue, 28 Apr 2020 20:13:56 +0200 Subject: [PATCH 159/297] unbound: bump verbosity up to 3 Some users are having issues resolving *.auro.re domains from our network, and the bug does not show itself reliably. Increased verbosity should help us pinpoint its source. --- roles/unbound/templates/recursive.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
index ebfd445..2b4a442 100644
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
@@ -5,7 +5,7 @@ server:
     log-time-ascii: yes
 
     # Only log errors.
-    verbosity: 0
+    verbosity: 3
 
     # "" sends logs to stderr, journalctl will pick things up.
     logfile: ""
From b4482b6d3b6fb3ece1453599e7a811e95ada6e11 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Tue, 28 Apr 2020 20:21:47 +0200
Subject: [PATCH 160/297] unbound: configure unbound-control

---
 roles/unbound/tasks/main.yml | 23 +++++++++++++++++++
 .../unbound/templates/unbound-control.conf.j2 | 23 +++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 roles/unbound/templates/unbound-control.conf.j2

diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
index 44a4358..6b116cd 100644
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
@@ -17,6 +17,29 @@
     update_cache: true
     name: unbound
     state: present
+  register: unbound_install
+
+- name: check if unbound-control certificate exists
+  stat:
+    path: /etc/unbound/unbound_control.pem
+  register: ubc_control_pem
+
+
+- name: check if unbound server certificate exists
+  stat:
+    path: /etc/unbound/unbound_server.pem
+  register: ubc_server_pem
+
+- name: run unbound-control-setup if a certificate is missing
+  command: unbound-control-setup
+  become: yes
+  when: ubc_control_pem.stat.exists == False or ubc_server_pem.stat.exists == False
+
+- name: add unbound-control configuration
+  template:
+    src: unbound-control.conf.j2
+    dest: /etc/unbound/unbound.conf.d/unbound-control.conf
+    mode: 0644
 
 - name: setup main unbound config file
   template:
diff --git a/roles/unbound/templates/unbound-control.conf.j2 b/roles/unbound/templates/unbound-control.conf.j2
new file mode 100644
index 0000000..edaa6c2
--- /dev/null
+++ b/roles/unbound/templates/unbound-control.conf.j2
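Review bot: The comment `# Only log errors.` directly above `verbosity: 3` is now wrong: level 3 in unbound emits per-query detail, which is also why the log volume later needs its own rotation. Update it with the value it describes, e.g. `# Temporarily raised to 3 (per-query detail) to chase the *.auro.re resolution bug; reset to 0 once done.` Per-query logs include client addresses and the names people look up, so the raised level is worth time-boxing rather than leaving open-ended.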
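Review bot: `when: ubc_control_pem.stat.exists == False or ubc_server_pem.stat.exists == False` compares against a Python literal, which the ansible-lint job already in the CI pipeline flags; `when: not ubc_control_pem.stat.exists or not ubc_server_pem.stat.exists` says the same and passes. `become: yes` should be `become: true` for the same reason, and `mode: 0644` depends on the YAML 1.1 octal reading (integer 420) — `mode: "0644"` is the form that survives every parser and linter. `register: unbound_install` is never read in this hunk and can be dropped unless a later task needs it.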
@@ -0,0 +1,23 @@
+remote-control:
+    # Enable remote control with unbound-control(8) here.
+    # set up the keys and certificates with unbound-control-setup.
+    control-enable: yes
+
+    # what interfaces are listened to for remote control.
+    # give 0.0.0.0 and ::0 to listen to all interfaces.
+    control-interface: 127.0.0.1
+
+    # port number for remote control operations.
+    control-port: 8953
+
+    # unbound server key file.
+    server-key-file: "/etc/unbound/unbound_server.key"
+
+    # unbound server certificate file.
+    server-cert-file: "/etc/unbound/unbound_server.pem"
+
+    # unbound-control key file.
+    control-key-file: "/etc/unbound/unbound_control.key"
+
+    # unbound-control certificate file.
+    control-cert-file: "/etc/unbound/unbound_control.pem"
From 3695a3d771ad19b4350041ae836d6e4cae606933 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Tue, 28 Apr 2020 23:14:43 +0200
Subject: [PATCH 161/297] unbound: attempt to fix spurious blacklisting

---
 roles/unbound/templates/recursive.conf.j2 | 24 +++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
index 2b4a442..a65bd43 100644
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
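Review bot: The template contains no Jinja expressions, so an admin reading /etc/unbound/unbound.conf.d/unbound-control.conf on the host gets no hint that it is Ansible-managed; a first line such as `# Managed by Ansible (roles/unbound): remote-control for unbound-control(8), loopback only.` prevents hand edits from being silently overwritten. The four key/certificate paths assume `unbound-control-setup` writes into /etc/unbound, which is presumably the packaged default but is not pinned anywhere — the task in the previous hunk calls it without `-d`, so `unbound-control-setup -d /etc/unbound` would keep the generator and this file in step.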
@@ -30,3 +30,27 @@ server:
     num-threads: {{ ansible_processor_vcpus }}
 
     private-address: 10.0.0.0/8
+
+    # XXX
+    # We've been having issues with bogus DNSSEC responses, and unintended
+    # blacklisting of nameservers because of that.
+    # The following is intended as a stopgap solution.
+    #
+    # unbound had issues with auro.re's DS records, apparently;
+    # it kept receiving an error, which subsequently caused a blacklisting
+    # of relevant servers and an inability to resolve auro.re and its
+    # subdomains.
+    #
+    # auro.re does not have DNSSEC anyway, so we can treat it as insecure.
+    domain-insecure: "auro.re"
+
+
+    # The host cache TTL affects blacklisting of supposedly bogus hosts.
+    # The default was 900 (15 minutes).
+    infra-host-ttl: 60
+
+    harden-dnssec-stripped: no
+    disable-dnssec-lame-check: yes
+
+
+
From b94c62d7107003ffd55b0b60257a66f29d2ae92e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sat, 2 May 2020 16:37:21 +0200
Subject: [PATCH 162/297] unbound-control: no certificates for local use

---
 roles/unbound/tasks/main.yml | 16 ----------------
 roles/unbound/templates/unbound-control.conf.j2 | 14 +++----------
 2 files changed, 3 insertions(+), 27 deletions(-)

diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
index 6b116cd..7374281 100644
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
@@ -19,22 +19,6 @@
     state: present
   register: unbound_install
 
-- name: check if unbound-control certificate exists
-  stat:
-    path: /etc/unbound/unbound_control.pem
-  register: ubc_control_pem
-
-
-- name: check if unbound server certificate exists
-  stat:
-    path: /etc/unbound/unbound_server.pem
-  register: ubc_server_pem
-
-- name: run unbound-control-setup if a certificate is missing
-  command: unbound-control-setup
-  become: yes
-  when: ubc_control_pem.stat.exists == False or ubc_server_pem.stat.exists == False
-
 - name: add unbound-control configuration
   template:
     src: unbound-control.conf.j2
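Review bot: `harden-dnssec-stripped: no` and `disable-dnssec-lame-check: yes` relax DNSSEC handling for every zone this resolver serves, not only `auro.re`, whereas `domain-insecure: "auro.re"` is already the targeted exception for the zone that actually misbehaves; the two global knobs accept answers whose DNSSEC records were stripped and skip the lame-server check for all upstream traffic. If they are needed while the root cause is hunted, the `# XXX` block should state the exit condition so they are not forgotten, e.g. `# TODO: revert harden-dnssec-stripped / disable-dnssec-lame-check once the root cause is found; they weaken validation for ALL zones.` The extra blank lines after `domain-insecure` and after `disable-dnssec-lame-check` are noise worth dropping.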
diff --git a/roles/unbound/templates/unbound-control.conf.j2 b/roles/unbound/templates/unbound-control.conf.j2
index edaa6c2..a3ba77a 100644
--- a/roles/unbound/templates/unbound-control.conf.j2
+++ b/roles/unbound/templates/unbound-control.conf.j2
@@ -10,14 +10,6 @@ remote-control:
     # port number for remote control operations.
     control-port: 8953
 
-    # unbound server key file.
-    server-key-file: "/etc/unbound/unbound_server.key"
-
-    # unbound server certificate file.
-    server-cert-file: "/etc/unbound/unbound_server.pem"
-
-    # unbound-control key file.
-    control-key-file: "/etc/unbound/unbound_control.key"
-
-    # unbound-control certificate file.
-    control-cert-file: "/etc/unbound/unbound_control.pem"
+    # Disable the use of certificates for unbound-control.
+    # It's only listening locally, there's no need for the added complexity.
+    control-use-cert: "no"
From 1dca5d2259a1f5e19e79b12868fea7c77f635364 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sat, 2 May 2020 16:43:44 +0200
Subject: [PATCH 163/297] unbound: use handlers

Only restart unbound if the configuration was actually updated.
---
 roles/unbound/handlers/main.yml | 4 ++++
 roles/unbound/tasks/main.yml | 8 +++-----
 2 files changed, 7 insertions(+), 5 deletions(-)
 create mode 100644 roles/unbound/handlers/main.yml

diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml
new file mode 100644
index 0000000..c2efa8f
--- /dev/null
+++ b/roles/unbound/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart unbound
+  systemd:
+    state: restarted
+    name: unbound
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
index 7374281..cabae99 100644
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
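Review bot: With `control-use-cert: "no"` the only thing between a local process and full control of the resolver (cache flushes, local-data changes, verbosity changes) is the ability to open a TCP connection to 127.0.0.1:8953, which any local user can do; the removed key files were what restricted that to whoever could read them. On a single-purpose DNS VM that trade may be acceptable, but the comment should say so rather than only "added complexity". The stronger equivalent for local-only use is a unix socket, `control-interface: /run/unbound.ctl`, which is gated by filesystem permissions and for which unbound ignores the certificate setting anyway; the comment would then read `# Local unix socket: access is controlled by file permissions, TLS is not used.`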
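Review bot: The new `roles/unbound/handlers/main.yml` starts directly with `- name: restart unbound` and has no `---` document start, which the yamllint job in the CI pipeline reports under its `document-start` rule if the project's .yamllint.yml keeps the default; the other YAML files on this page begin with `---`. Add `---` as the first line so the handlers file lints like the rest of the role.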
@@ -24,20 +24,18 @@
     src: unbound-control.conf.j2
     dest: /etc/unbound/unbound.conf.d/unbound-control.conf
     mode: 0644
+  notify: restart unbound
 
 - name: setup main unbound config file
   template:
     src: unbound.conf.j2
     dest: /etc/unbound/unbound.conf
     mode: 0644
+  notify: restart unbound
 
 - name: setup recursive DNS server config
   template:
     src: recursive.conf.j2
     dest: /etc/unbound/unbound.conf.d/recursive.conf
     mode: 0644
-
-- name: restart unbound after editing config
-  systemd:
-    state: restarted
-    name: unbound
+  notify: restart unbound
From c54e8f5d675a23e26a454dc9e95abf439350cfbb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sat, 2 May 2020 16:49:33 +0200
Subject: [PATCH 164/297] unbound: smarter logging

- stop using journald, write to /var/log/unbound/
- set up frequent log rotation for the huge log files we are producing
---
 roles/unbound/handlers/main.yml | 3 +++
 roles/unbound/tasks/main.yml | 21 +++++++++++++++++++
 roles/unbound/templates/recursive.conf.j2 | 3 +--
 .../unbound/templates/unbound-apparmor-config | 1 +
 roles/unbound/templates/unbound-logrotate.j2 | 13 ++++++++++++
 5 files changed, 39 insertions(+), 2 deletions(-)
 create mode 100644 roles/unbound/templates/unbound-apparmor-config
 create mode 100644 roles/unbound/templates/unbound-logrotate.j2

diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml
index c2efa8f..a619b94 100644
--- a/roles/unbound/handlers/main.yml
+++ b/roles/unbound/handlers/main.yml
@@ -2,3 +2,6 @@
   systemd:
     state: restarted
     name: unbound
+
+- name: read unbound apparmor config
+  command: apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
index cabae99..ff45ec1 100644
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
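Review bot: Handler order matters here: Ansible runs notified handlers in the order they are listed in this file, so `restart unbound` (first) fires before `read unbound apparmor config` (second). On the first run that both switches `logfile` to /var/log/unbound/unbound.log and installs the AppArmor addition, unbound is restarted while the old profile is still loaded and is presumably denied the new log file — that denial is exactly what the added `rw,` rule exists to lift. Listing the AppArmor handler above the restart handler, or placing `- meta: flush_handlers` right after the AppArmor task in tasks/main.yml, fixes the ordering. `command: apparmor_parser -r …` will also report `changed` on every invocation; a `changed_when` keeps the run output honest.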
@@ -33,6 +33,27 @@
     mode: 0644
   notify: restart unbound
 
+- name: ensure unbound log directory exists
+  file:
+    path: /var/log/unbound
+    state: directory
+    mode: '0755'
+    owner: unbound
+    group: unbound
+
+- name: ask apparmor to allow unbound to write to log file
+  template:
+    src: unbound-apparmor-config
+    dest: /etc/apparmor.d/local/usr.sbin.unbound
+    mode: '0644'
+  notify: read unbound apparmor config
+
+- name: setup unbound log rotation
+  template:
+    src: unbound-logrotate.j2
+    dest: /etc/logrotate.d/unbound
+    mode: 0644
+
 - name: setup recursive DNS server config
   template:
     src: recursive.conf.j2
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
index a65bd43..b24613f 100644
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
@@ -8,8 +8,7 @@ server:
     verbosity: 3
 
     # "" sends logs to stderr, journalctl will pick things up.
-    logfile: ""
-
+    logfile: "/var/log/unbound/unbound.log"
     do-ip4: yes
 
     # FIXME: IPv6 deployment... someday...
diff --git a/roles/unbound/templates/unbound-apparmor-config b/roles/unbound/templates/unbound-apparmor-config
new file mode 100644
index 0000000..f40ee05
--- /dev/null
+++ b/roles/unbound/templates/unbound-apparmor-config
@@ -0,0 +1 @@
+/var/log/unbound/unbound.log rw,
diff --git a/roles/unbound/templates/unbound-logrotate.j2 b/roles/unbound/templates/unbound-logrotate.j2
new file mode 100644
index 0000000..d57e83e
--- /dev/null
+++ b/roles/unbound/templates/unbound-logrotate.j2
@@ -0,0 +1,13 @@
+/var/log/unbound/*.log {
+    daily
+    rotate 30
+    missingok
+    notifempty
+    compress
+    delaycompress
+    sharedscripts
+    create 644
+    postrotate
+        /usr/local/sbin/unbound-control log_reopen
+    endscript
+}
From aae7e0120a00e7523ee28aef49c0fede76effa7c Mon Sep 17 00:00:00 2001
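Review bot: `mode` is written three ways inside this one hunk — `'0755'`, `'0644'` and the bare `0644` on the logrotate task — and the bare form relies on the YAML 1.1 octal reading (integer 420), which Ansible accepts but ansible-lint flags; use the quoted form for all three. The AppArmor snippet is dropped into `/etc/apparmor.d/local/usr.sbin.unbound`, which only takes effect if the distribution's `usr.sbin.unbound` profile includes its `local/` file — presumably true for the packaged profile, but the assumption deserves a line on the task: `# The packaged usr.sbin.unbound profile includes local/usr.sbin.unbound; this only adds the log path.`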
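Review bot: `/usr/local/sbin/unbound-control log_reopen` hardcodes a /usr/local path, whereas the `apt`-installed unbound this role relies on presumably ships the binary under /usr/sbin — verify on a host. If the path is wrong the postrotate script fails on every rotation, logrotate reports an error daily, and unbound keeps writing into the renamed file until it is restarted; `unbound-control log_reopen` without a path (logrotate runs as root with a sane PATH) avoids the guess. The `daily` / `rotate 30` cadence is sized for the verbosity-3 logs, so a comment such as `# daily rotation because of verbosity 3; retune when verbosity drops` tells the next person why it was chosen.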
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sat, 2 May 2020 18:06:58 +0200
Subject: [PATCH 165/297] unbound: drop verbosity but log SERVFAILs

TODO: less frequent log rotation because of decreased log volume
---
 roles/unbound/templates/recursive.conf.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
index b24613f..0ba6f5b 100644
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
@@ -5,9 +5,9 @@ server:
     log-time-ascii: yes
 
     # Only log errors.
-    verbosity: 3
+    verbosity: 0
+    log-servfail: yes
 
-    # "" sends logs to stderr, journalctl will pick things up.
     logfile: "/var/log/unbound/unbound.log"
 
     do-ip4: yes
From a77b2c4f0f3d095a536ea2304da4078f7c5c63d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sat, 2 May 2020 18:44:17 +0200
Subject: [PATCH 166/297] unbound: fix MTU settings

That was the root cause of all our DNSSEC issues. Now that this was fixed, we're not having these anymore, so the relaxed checks can be restored back to their original state.
---
 group_vars/all/vars.yml | 2 ++
 .../templates/dhcp/dhcpd.conf.j2 | 3 +--
 roles/unbound/templates/recursive.conf.j2 | 25 +++++++------------
 3 files changed, 12 insertions(+), 18 deletions(-)

diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index be601da..6a0b66b 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -49,3 +49,5 @@ dns_host_suffix_backup: 153
 
 backup_dns_servers:
   - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
+
+mtu: 1400
diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
index f0a35fe..dc642ae 100644
--- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
+++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
@@ -5,8 +5,7 @@ max-lease-time 86400; # Option definitions common to all supported networks. -# The MTU theoretically could go as high as 1496 (4-byte VLAN tag). -option interface-mtu 1400; +option interface-mtu {{ mtu }}; option root-path "/"; # The ddns-updates-style parameter controls whether or not the server will diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index 0ba6f5b..62c93be 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 @@ -30,26 +30,19 @@ server: private-address: 10.0.0.0/8 - # XXX - # We've been having issues with bogus DNSSEC responses, and unintended - # blacklisting of nameservers because of that. - # The following is intended as a stopgap solution. - # - # unbound had issues with auro.re's DS records, apparently; - # it kept receiving an error, which subsequently caused a blacklisting - # of relevant servers and an inability to resolve auro.re and its - # subdomains. - # - # auro.re does not have DNSSEC anyway, so we can treat it as insecure. - domain-insecure: "auro.re" - - # The host cache TTL affects blacklisting of supposedly bogus hosts. # The default was 900 (15 minutes). infra-host-ttl: 60 - harden-dnssec-stripped: no - disable-dnssec-lame-check: yes + # The following is vital, we were having issues + # with DNSSEC that turned out to be due to UDP responses that were too + # large. + # EDNS reassembly buffer to advertise to UDP peers (the actual buffer + # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts) + edns-buffer-size: {{ mtu }} + # Maximum UDP response size (not applied to TCP response). + # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. + max-udp-size: {{ mtu }} From 29991141f51b3c316c13599190ec34aafc7caf09 Mon Sep 17 00:00:00 2001 
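Review bot: `edns-buffer-size: {{ mtu }}` advertises a UDP payload size equal to the link MTU, but the IP and UDP headers (28 bytes on IPv4, 48 on IPv6) sit outside that payload, so a 1400-byte EDNS answer still becomes a 1428-byte datagram that does not fit the 1400-byte link and gets fragmented — the failure mode this commit is fixing. Derive the value from the MTU instead of equating it, `edns-buffer-size: {{ mtu - 48 }}` and `max-udp-size: {{ mtu - 48 }}`, or introduce a dedicated `dns_udp_size` in group_vars (1232 is the common conservative choice). The copied comment `# 1472 can solve fragmentation (timeouts)` assumes a 1500-byte MTU and is misleading next to a 1400-byte link. `infra-host-ttl: 60` also survives although the message says the relaxed settings were restored; if that is deliberate, its comment should say it is being kept on purpose.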
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sun, 3 May 2020 11:17:10 +0200
Subject: [PATCH 167/297] misc: add script to copy SSH keys

This one has the advantage of actually working :) I had to blacklist some hosts because they would either outright refuse connections or would refuse my LDAP credentials.
---
 .gitignore | 1 +
 copy-keys.sh | 17 +++++++++++++++++
 ssh-blacklist.txt | 4 ++++
 3 files changed, 22 insertions(+)
 create mode 100755 copy-keys.sh
 create mode 100644 ssh-blacklist.txt

diff --git a/.gitignore b/.gitignore
index a8b42eb..fc586ce 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 *.retry
+ldap-password.txt
diff --git a/copy-keys.sh b/copy-keys.sh
new file mode 100755
index 0000000..e5343fd
--- /dev/null
+++ b/copy-keys.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+
+# Grab valid unique hostnames from the Ansible inventory.
+HOSTS=$(grep -ve '^[#\[]' hosts \
+| grep -ve '^$' \
+| grep -F adm.auro.re \
+| grep -vf ssh-blacklist.txt \
+| sort -u)
+
+for host in $HOSTS; do
+    echo "Handling host $host"
+
+    # sshpass can be used for non-interactive password authentication.
+    # place your password in ldap-password.txt.
+    sshpass -f ldap-password.txt ssh-copy-id "$host"
+done
diff --git a/ssh-blacklist.txt b/ssh-blacklist.txt
new file mode 100644
index 0000000..248f525
--- /dev/null
+++ b/ssh-blacklist.txt
@@ -0,0 +1,4 @@
+ldap-replica-edc-backup.adm.auro.re
+ldap-replica-fleming-backup.adm.auro.re
+ldap-replica-gs.adm.auro.re
+ldap-replica-gs-backup.adm.auro.re
From 3b72e2fe2d19fcd3a7bf5f0eaf8a0aefbfca0587 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Sun, 3 May 2020 17:26:10 +0200
Subject: [PATCH 168/297] Remove SSH blacklist

---
 copy-keys.sh | 2 --
 ssh-blacklist.txt | 4 ----
 2 files changed, 6 deletions(-)
 delete mode 100644 ssh-blacklist.txt

diff --git a/copy-keys.sh b/copy-keys.sh
index e5343fd..95fc428 100755
--- a/copy-keys.sh
+++ b/copy-keys.sh
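Review bot: `set -e` does not cover the pipeline that builds `HOSTS` (only the last command's status counts), yet it does make a single failing `ssh-copy-id` abort the whole loop, so one unreachable host leaves every later host without the key and no record of which ones failed. Use `set -euo pipefail` and let the loop carry on, e.g. `sshpass -f ldap-password.txt ssh-copy-id "$host" || echo "failed: $host" >&2`. Keeping the LDAP password in a plaintext file inside the working tree is the script's main exposure: the file is git-ignored, but it is readable by anything running as that user and by backups; a `read -rs` prompt avoids storing it at all.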
@@ -3,9 +3,7 @@ set -e
 
 # Grab valid unique hostnames from the Ansible inventory.
 HOSTS=$(grep -ve '^[#\[]' hosts \
-| grep -ve '^$' \
 | grep -F adm.auro.re \
-| grep -vf ssh-blacklist.txt \
 | sort -u)
 
 for host in $HOSTS; do
diff --git a/ssh-blacklist.txt b/ssh-blacklist.txt
deleted file mode 100644
index 248f525..0000000
--- a/ssh-blacklist.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-ldap-replica-edc-backup.adm.auro.re
-ldap-replica-fleming-backup.adm.auro.re
-ldap-replica-gs.adm.auro.re
-ldap-replica-gs-backup.adm.auro.re
From dc2db3d6a38ddaec3f28cc46b8f365f1bd5fe539 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Sun, 3 May 2020 18:40:26 +0200
Subject: [PATCH 169/297] Decomment hosts

---
 copy-keys.sh | 9 ++-
 hosts | 43 +++++++-------
 hosts.save | 131 ----------------------------------
 hosts.save.1 | 165 ---------------------------------------------------
 4 files changed, 29 insertions(+), 319 deletions(-)
 delete mode 100644 hosts.save
 delete mode 100644 hosts.save.1

diff --git a/copy-keys.sh b/copy-keys.sh
index 95fc428..6aa1bb6 100755
--- a/copy-keys.sh
+++ b/copy-keys.sh
@@ -6,10 +6,15 @@ HOSTS=$(grep -ve '^[#\[]' hosts \
 | grep -F adm.auro.re \
 | sort -u)
 
+# Ask password
+read -s -p "Hello adventurer, what is your LDAP password? " passwd
+echo
+
 for host in $HOSTS; do
-    echo "Handling host $host"
+    echo "[+] Handling host $host"
 
     # sshpass can be used for non-interactive password authentication.
     # place your password in ldap-password.txt.
-    sshpass -f ldap-password.txt ssh-copy-id "$host"
+    SSHPASS=${passwd} sshpass -v -e ssh-copy-id -i ~/.ssh/id_rsa "$host"
 done
+
diff --git a/hosts b/hosts
index 8718a1d..9ab7012 100644
--- a/hosts
+++ b/hosts
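Review bot: The two comment lines kept above the `sshpass` call still say `# place your password in ldap-password.txt.`, but the password now comes from the `read` prompt and reaches sshpass through `SSHPASS` (`-e`); the comment should become `# Password is read interactively above and passed via the SSHPASS environment variable (sshpass -e).`, and the `ldap-password.txt` entry in .gitignore is now dead. `read -s -p` should be `read -rs -p` so a backslash in the password is not interpreted. `sshpass -v` prints its prompt-matching steps to stderr for every host, which is noisy in a loop; drop `-v` once the script is trusted. The extra blank line appended after `done` is stray.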
@@ -5,33 +5,33 @@ # > Then we regroup everything in global geographic and type groups. [aurore_pve] -#merlin.adm.auro.re +merlin.adm.auro.re [aurore_vm] -#radius-aurore.adm.auro.re +radius-aurore.adm.auro.re [ovh_pve] -#horus.adm.auro.re +horus.adm.auro.re [ovh_container] -#synapse.adm.auro.re -#services-bdd.adm.auro.re -#phabricator.adm.auro.re -#wiki.adm.auro.re -#www.adm.auro.re -#proxy.adm.auro.re -#matrix-services.adm.auro.re +synapse.adm.auro.re +services-bdd.adm.auro.re +phabricator.adm.auro.re +wiki.adm.auro.re +www.adm.auro.re +proxy.adm.auro.re +matrix-services.adm.auro.re [ovh_vm] -#re2o-server.adm.auro.re -#re2o-ldap.adm.auro.re -#re2o-db.adm.auro.re -#serge.adm.auro.re -#passbolt.adm.auro.re -#vpn-ovh.adm.auro.re -#docker-ovh.adm.auro.re -#switchs-manager.adm.auro.re -#radius-aurore.adm.auro.re +re2o-server.adm.auro.re +re2o-ldap.adm.auro.re +re2o-db.adm.auro.re +serge.adm.auro.re +passbolt.adm.auro.re +vpn-ovh.adm.auro.re +docker-ovh.adm.auro.re +switchs-manager.adm.auro.re +radius-aurore.adm.auro.re [ovh_testing_vm] #re2o-test.adm.auro.re @@ -88,7 +88,7 @@ ldap-replica-edc.adm.auro.re #ldap-replica-edc-backup.adm.auro.re [gs_pve] -#perceval.adm.auro.re +perceval.adm.auro.re [gs_vm] routeur-gs.adm.auro.re @@ -96,6 +96,7 @@ unifi-gs.adm.auro.re radius-gs.adm.auro.re dns-gs.adm.auro.re dhcp-gs.adm.auro.re +prometheus-gs.adm.auro.re #ldap-replica-gs.adm.auro.re #ldap-replica-gs-backup.adm.auro.re @@ -188,7 +189,7 @@ ldap-replica-pacaterie-backup.adm.auro.re [ldap_replica_edc] ldap-replica-edc.adm.auro.re -ldap-replica-edc-backup.adm.auro.re +#ldap-replica-edc-backup.adm.auro.re [ldap_replica_gs] ldap-replica-gs.adm.auro.re diff --git a/hosts.save b/hosts.save deleted file mode 100644 index c806780..0000000 --- a/hosts.save +++ /dev/null 
@@ -1,131 +0,0 @@ -# Aurore servers inventory - -# How to name your server ? -# > We name servers according to location, then type. -# > So all containers at OVH are in ovh-container. -# > Then we regroup everything in global geographic and type groups. - -[ovh_pve] -#horus.adm.auro.re - -[ovh_container] -#synapse.adm.auro.re -#services-bdd.adm.auro.re -#phabricator.adm.auro.re -#wiki.adm.auro.re -#www.adm.auro.re -#proxy.adm.auro.re -#matrix-services.adm.auro.re - -[ovh_vm] -#re2o-server.adm.auro.re -#re2o-ldap.adm.auro.re -#re2o-db.adm.auro.re -#serge.adm.auro.re -#passbolt.adm.auro.re -#vpn-ovh.adm.auro.re -#docker-ovh.adm.auro.re -#switchs-manager.adm.auro.re -#radius-aurore.adm.auro.re - -[ovh_testing_vm] -#re2o-test.adm.auro.re - -[fleming_pve] -#freya.adm.auro.re - -[fleming_vm] -#ldap-replica-fleming1.adm.auro.re -#ldap-replica-fleming2.adm.auro.re -#dhcp-fleming.adm.auro.re -#dhcp-fleming-backup.adm.auro.re -#dns-fleming.adm.auro.re -#dns-fleming-backup.adm.auro.re -#radius-fleming.adm.auro.re -#radius-fleming-backup.adm.auro.re -#routeur-fleming.adm.auro.re -#routeur-fleming-backup.adm.auro.re -#unifi-fleming.adm.auro.re -#prometheus - -[pacaterie_pve] -#mordred.adm.auro.re - -[pacaterie_vm] -#ldap-replica-pacaterie.adm.auro.re -#dhcp-pacaterie.adm.auro.re -#dns-pacaterie.adm.auro.re -#prometheus-pacaterie.adm.auro.re -#radius-pacaterie.adm.auro.re -#unifi-pacaterie.adm.auro.re -#routeur-pacaterie.adm.auro.re - -[edc_pve] -#chapalux.adm.auro.re - -[edc_vm] -#routeur-edc.adm.auro.re -#dns-edc.adm.auro.re -#dhcp-edc.adm.auro.re -#unifi-edc.adm.auro.re -#radius-edc.adm.auro.re -#routeur-aurore.adm.auro.re -#10.128.0.254 - -[georgesand_pve] -#perceval.adm.auro.re - -[georgesand_vm] -#routeur-gs.adm.auro.re -#unifi-gs.adm.auro.re -#radius-gs.adm.auro.re -#dns-gs.adm.auro.re -#dhcp-gs.adm.auro.re - -# everything at ovh -[ovh:children] -ovh_pve -ovh_container -ovh_vm - -# everything at ovh_testing -[ovh_testing:children] -ovh_testing_vm - -# everything at 
fleming -[fleming:children] -fleming_pve -fleming_vm - -# everything at pacaterie -[pacaterie:children] -pacaterie_pve -pacaterie_vm - -# everything at edc -[edc:children] -edc_pve -edc_vm - -# everything at georgesand -[georgesand:children] -georgesand_pve -georgesand_vm - -# every LXC container -[container:children] -ovh_container - -# every virtual machine -[vm:children] -ovh_vm -fleming_vm -pacaterie_vm - -# every PVE -[pve:children] -ovh_pve -fleming_pve -pacaterie_pve -edc_pve -georgesand_pve diff --git a/hosts.save.1 b/hosts.save.1 deleted file mode 100644 index db677b4..0000000 --- a/hosts.save.1 +++ /dev/null 
@@ -1,165 +0,0 @@ -# Aurore servers inventory - -# How to name your server ? -# > We name servers according to location, then type. -# > So all containers at OVH are in ovh-container. -# > Then we regroup everything in global geographic and type groups. - -[aurore_pve] -merlin.adm.auro.re - -[aurore_vm] -radius-aurore.adm.auro.re - -[ovh_pve] -horus.adm.auro.re - -[ovh_container] -synapse.adm.auro.re -services-bdd.adm.auro.re -phabricator.adm.auro.re -wiki.adm.auro.re -www.adm.auro.re -proxy.adm.auro.re -matrix-services.adm.auro.re - -[ovh_vm] -re2o-server.adm.auro.re -re2o-ldap.adm.auro.re -re2o-db.adm.auro.re -serge.adm.auro.re -passbolt.adm.auro.re -vpn-ovh.adm.auro.re -docker-ovh.adm.auro.re -switchs-manager.adm.auro.re -radius-aurore.adm.auro.re - -[ovh_testing_vm] -re2o-test.adm.auro.re - -[fleming_pve] -freya.adm.auro.re -marki.adm.auro.re - -[fleming_vm] -ldap-replica-fleming.adm.auro.re -ldap-replica-fleming-backup.adm.auro.re -dhcp-fleming.adm.auro.re -dhcp-fleming-backup.adm.auro.re -dns-fleming.adm.auro.re -dns-fleming-backup.adm.auro.re -prometheus-fleming.adm.auro.re -radius-fleming.adm.auro.re -radius-fleming-backup.adm.auro.re -unifi-fleming.adm.auro.re -routeur-fleming.adm.auro.re -routeur-fleming-backup.adm.auro.re - -[pacaterie_pve] -mordred.adm.auro.re -titan.adm.auro.re - -[pacaterie_vm] -ldap-replica-pacaterie.adm.auro.re -ldap-replica-pacaterie-backup.adm.auro.re -dhcp-pacaterie.adm.auro.re -dhcp-pacaterie-backup.adm.auro.re -dns-pacaterie.adm.auro.re -dns-pacaterie-backup.adm.auro.re -prometheus-pacaterie.adm.auro.re -radius-pacaterie.adm.auro.re -radius-pacaterie-backup.adm.auro.re -unifi-pacaterie.adm.auro.re -routeur-pacaterie.adm.auro.re -routeur-pacaterie-backup.adm.auro.re - -[edc_pve] -chapalux.adm.auro.re - -[edc_vm] -routeur-edc.adm.auro.re -dns-edc.adm.auro.re -dhcp-edc.adm.auro.re -unifi-edc.adm.auro.re -radius-edc.adm.auro.re -routeur-aurore.adm.auro.re - -[gs_pve] -perceval.adm.auro.re - -[gs_vm] -routeur-gs.adm.auro.re 
-unifi-gs.adm.auro.re -radius-gs.adm.auro.re -dns-gs.adm.auro.re -dhcp-gs.adm.auro.re - -# everything at ovh -[ovh:children] -ovh_pve -ovh_container -ovh_vm - -# everything at ovh_testing -[ovh_testing:children] -ovh_testing_vm - -# everything at fleming -[fleming:children] -fleming_pve -fleming_vm - -# everything at pacaterie -[pacaterie:children] -pacaterie_pve -pacaterie_vm - -# everything at edc -[edc:children] -edc_pve -edc_vm - -# everything at georgesand -[gs:children] -gs_pve -gs_vm - -# every LXC container -[container:children] -ovh_container - -# every virtual machine -[vm:children] -ovh_vm -fleming_vm -pacaterie_vm -gs_vm - -# every PVE -[pve:children] -ovh_pve -fleming_pve -pacaterie_pve -edc_pve -gs_pve - -[dhcp] -dhcp-fleming.adm.auro.re -dhcp-fleming-backup.adm.auro.re -dhcp-pacaterie.adm.auro.re -dhcp-pacaterie-backup.adm.auro.re -dhcp-edc.adm.auro.re -dhcp-gs.adm.auro.re - -[dns] -dns-fleming.adm.auro.re -dns-fleming-backup.adm.auro.re -dns-pacaterie.adm.auro.re -dns-pacaterie-backup.adm.auro.re -dns-edc.adm.auro.re -dns-gs.adm.auro.re - -[ldap-replica] -ldap-replica-fleming.adm.auro.re -ldap-replica-fleming-backup.adm.auro.re -ldap-replica-pacaterie-backup.adm.auro.re From 36343d90fdc8d747d9740cdfd911aff010d12676 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 3 May 2020 18:45:07 +0200 Subject: [PATCH 170/297] BangShebang! --- base.yml | 1 + matrix.yml | 1 + monitoring.yml | 1 + network.yml | 1 + proxmox.yml | 1 + services_web.yml | 1 + upgrade.yml | 1 + 7 files changed, 7 insertions(+) mode change 100644 => 100755 base.yml mode change 100644 => 100755 matrix.yml mode change 100644 => 100755 monitoring.yml mode change 100644 => 100755 network.yml mode change 100644 => 100755 proxmox.yml mode change 100644 => 100755 services_web.yml mode change 100644 => 100755 upgrade.yml diff --git a/base.yml b/base.yml old mode 100644 new mode 100755 index 191d80d..fc2a037 --- a/base.yml +++ b/base.yml 
@@ -1,3 +1,4 @@ +#!/usr/bin/env ansible-playbook --- # Put a common configuration on all servers - hosts: all,!unifi diff --git a/matrix.yml b/matrix.yml old mode 100644 new mode 100755 index 939486e..634f063 --- a/matrix.yml +++ b/matrix.yml @@ -1,3 +1,4 @@ +#!/usr/bin/env ansible-playbook --- # Install Matrix Synapse on corresponding containers - hosts: synapse.adm.auro.re diff --git a/monitoring.yml b/monitoring.yml old mode 100644 new mode 100755 index 76e063b..616e380 --- a/monitoring.yml +++ b/monitoring.yml @@ -1,3 +1,4 @@ +#!/usr/bin/env ansible-playbook --- - hosts: prometheus-fleming.adm.auro.re,prometheus-fleming-fo.adm.auro.re vars: diff --git a/network.yml b/network.yml old mode 100644 new mode 100755 index 9e8980c..a83b2d9 --- a/network.yml +++ b/network.yml @@ -1,3 +1,4 @@ +#!/usr/bin/env ansible-playbook --- # Set up DHCP servers. - hosts: dhcp diff --git a/proxmox.yml b/proxmox.yml old mode 100644 new mode 100755 index 98af1cc..15b62ca --- a/proxmox.yml +++ b/proxmox.yml @@ -1,3 +1,4 @@ +#!/usr/bin/env ansible-playbook --- # This is a special playbook to create a new VM ! - hosts: proxy.adm.auro.re # Host with python-proxmoxer and python-requests diff --git a/services_web.yml b/services_web.yml old mode 100644 new mode 100755 index e6e135f..10f961a --- a/services_web.yml +++ b/services_web.yml @@ -1,3 +1,4 @@ +#!/usr/bin/env ansible-playbook --- # Deploy Docker hosts - hosts: docker-ovh.adm.auro.re diff --git a/upgrade.yml b/upgrade.yml old mode 100644 new mode 100755 index 7b28ebe..72cf409 --- a/upgrade.yml +++ b/upgrade.yml @@ -1,3 +1,4 @@ +#!/usr/bin/env ansible-playbook --- # This is a special playbook to upgrade all selected servers ! # Please always use with --limit myserver.adm.auro.re From ef88d0a42bd9f9720a52b40fcfe708073503fd98 Mon Sep 17 00:00:00 2001 
From: Alexandre Iooss Date: Sun, 3 May 2020 20:50:29 +0200 Subject: [PATCH 171/297] Some clean up in hosts --- hosts | 55 +++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 45 insertions(+), 10 deletions(-) diff --git a/hosts b/hosts index 9ab7012..d188cb5 100644 --- a/hosts +++ b/hosts @@ -1,8 +1,12 @@ # Aurore servers inventory # How to name your server ? -# > We name servers according to location, then type. -# > Then we regroup everything in global geographic and type groups. +# > We name servers according to location, then type, then function. +# > Then we regroup everything in global geographic, type and function groups. + + +############################################################################### +# Aurore : main services [aurore_pve] merlin.adm.auro.re @@ -10,6 +14,10 @@ merlin.adm.auro.re [aurore_vm] radius-aurore.adm.auro.re + +############################################################################### +# OVH + [ovh_pve] horus.adm.auro.re @@ -36,6 +44,10 @@ radius-aurore.adm.auro.re [ovh_testing_vm] #re2o-test.adm.auro.re + +############################################################################### +# Les Jardins de Fleming + [fleming_pve] freya.adm.auro.re marki.adm.auro.re @@ -55,6 +67,10 @@ unifi-fleming.adm.auro.re routeur-fleming.adm.auro.re routeur-fleming-backup.adm.auro.re + +############################################################################### +# Pacaterie + [pacaterie_physical] mordred.adm.auro.re titan.adm.auro.re @@ -74,6 +90,10 @@ unifi-pacaterie.adm.auro.re routeur-pacaterie.adm.auro.re routeur-pacaterie-backup.adm.auro.re + +############################################################################### +# Emilie du Chatelet + [edc_pve] chapalux.adm.auro.re 
@@ -87,18 +107,26 @@ routeur-aurore.adm.auro.re ldap-replica-edc.adm.auro.re #ldap-replica-edc-backup.adm.auro.re + +############################################################################### +# George Sand + [gs_pve] perceval.adm.auro.re [gs_vm] +dhcp-gs.adm.auro.re +dns-gs.adm.auro.re routeur-gs.adm.auro.re unifi-gs.adm.auro.re radius-gs.adm.auro.re -dns-gs.adm.auro.re -dhcp-gs.adm.auro.re prometheus-gs.adm.auro.re -#ldap-replica-gs.adm.auro.re -#ldap-replica-gs-backup.adm.auro.re +#inexistant : ldap-replica-gs.adm.auro.re +#inexistant : ldap-replica-gs-backup.adm.auro.re + + +############################################################################### +# Groups by location # everything at ovh [ovh:children] @@ -128,6 +156,10 @@ edc_vm gs_pve gs_vm + +############################################################################### +# Groups by type + # every LXC container [container:children] ovh_container @@ -148,6 +180,10 @@ pacaterie_pve edc_pve gs_pve + +############################################################################### +# Groups by service + [dhcp] dhcp-fleming.adm.auro.re dhcp-fleming-backup.adm.auro.re @@ -156,10 +192,6 @@ dhcp-fleming-backup.adm.auro.re #dhcp-edc.adm.auro.re #dhcp-gs.adm.auro.re -[recursive_dns:children] -rdns_main -rdns_backup - [rdns_main] dns-fleming.adm.auro.re dns-pacaterie.adm.auro.re @@ -168,6 +200,9 @@ dns-pacaterie.adm.auro.re dns-fleming-backup.adm.auro.re dns-pacaterie-backup.adm.auro.re +[recursive_dns:children] +rdns_main +rdns_backup # FIXME: #dns-edc.adm.auro.re From 9c1f18668228fa85feb5c4caa983c86f2a74d574 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 4 May 2020 18:48:00 +0200 Subject: [PATCH 172/297] hosts: s/physical/pve/g, add new backup hosts --- hosts | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/hosts b/hosts index d188cb5..670a8c8 100644 --- a/hosts +++ b/hosts 
@@ -13,6 +13,8 @@ merlin.adm.auro.re [aurore_vm] radius-aurore.adm.auro.re +dhcp-aurore.adm.auro.re +dns-aurore.adm.auro.re ############################################################################### @@ -71,7 +73,7 @@ routeur-fleming-backup.adm.auro.re ############################################################################### # Pacaterie -[pacaterie_physical] +[pacaterie_pve] mordred.adm.auro.re titan.adm.auro.re @@ -100,12 +102,14 @@ chapalux.adm.auro.re [edc_vm] routeur-edc.adm.auro.re dns-edc.adm.auro.re +dns-edc-backup.adm.auro.re dhcp-edc.adm.auro.re unifi-edc.adm.auro.re radius-edc.adm.auro.re +radius-edc-backup.adm.auro.re routeur-aurore.adm.auro.re ldap-replica-edc.adm.auro.re -#ldap-replica-edc-backup.adm.auro.re +ldap-replica-edc-backup.adm.auro.re ############################################################################### @@ -130,21 +134,21 @@ prometheus-gs.adm.auro.re # everything at ovh [ovh:children] -ovh_physical +ovh_pve ovh_container ovh_vm # everything at fleming [fleming:children] -fleming_physical +fleming_pve fleming_vm -fleming_unifi +#fleming_unifi # everything at pacaterie [pacaterie:children] -pacaterie_physical +pacaterie_pve pacaterie_vm -pacaterie_unifi +#pacaterie_unifi # everything at edc [edc:children] @@ -224,7 +228,7 @@ ldap-replica-pacaterie-backup.adm.auro.re [ldap_replica_edc] ldap-replica-edc.adm.auro.re -#ldap-replica-edc-backup.adm.auro.re +ldap-replica-edc-backup.adm.auro.re [ldap_replica_gs] ldap-replica-gs.adm.auro.re From 7e9c4352a0ef77b410ae4f0bb9a978f6f975ad57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 4 May 2020 18:49:51 +0200 Subject: [PATCH 173/297] base: group name is ldap_replica It's an underscore, not a hyphen --- base.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base.yml b/base.yml index fc2a037..935f60e 100755 --- a/base.yml +++ b/base.yml 
@@ -13,6 +13,6 @@ # Clone LDAP on local geographic location # DON'T DO THIS AS IT RECREATES THE REPLICA -#- hosts: ldap-replica +#- hosts: ldap_replica # roles: # - ldap-replica From 7c7abb6be59b918c69bbdd18d618b6361fe94866 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 7 May 2020 12:53:59 +0200 Subject: [PATCH 174/297] baseconfig: set up /etc/resolv.conf --- roles/baseconfig/tasks/main.yml | 6 ++++++ roles/baseconfig/templates/resolv.conf | 4 ++++ 2 files changed, 10 insertions(+) create mode 100644 roles/baseconfig/templates/resolv.conf diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml index bf88ae2..e4d2db1 100644 --- a/roles/baseconfig/tasks/main.yml +++ b/roles/baseconfig/tasks/main.yml @@ -80,3 +80,9 @@ loop: - zshrc - zshrc.local + +- name: Configure resolvconf + template: + src: resolv.conf + dest: /etc/resolv.conf + mode: 0644 diff --git a/roles/baseconfig/templates/resolv.conf b/roles/baseconfig/templates/resolv.conf new file mode 100644 index 0000000..d1b19b5 --- /dev/null +++ b/roles/baseconfig/templates/resolv.conf @@ -0,0 +1,4 @@ +domain auro.re +search auro.re. +nameserver 10.128.0.253 +nameserver 80.67.169.12 From 0db7713bbf167594dec83994e0903eb112cc6162 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 7 May 2020 12:55:19 +0200 Subject: [PATCH 175/297] hosts: add dhcp-edc-backup --- hosts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hosts b/hosts index 670a8c8..1471933 100644 --- a/hosts +++ b/hosts @@ -104,6 +104,7 @@ routeur-edc.adm.auro.re dns-edc.adm.auro.re dns-edc-backup.adm.auro.re dhcp-edc.adm.auro.re +dhcp-edc-backup.adm.auro.re unifi-edc.adm.auro.re radius-edc.adm.auro.re radius-edc-backup.adm.auro.re 
@@ -193,7 +194,8 @@ dhcp-fleming.adm.auro.re dhcp-fleming-backup.adm.auro.re #dhcp-pacaterie.adm.auro.re #dhcp-pacaterie-backup.adm.auro.re -#dhcp-edc.adm.auro.re +#dhcp-edc.adm.auro.re # WARNING: wrong interface names!!! +dhcp-edc-backup.adm.auro.re #dhcp-gs.adm.auro.re [rdns_main] From 3f5e0d0035a381248a2aec15cda2e402693d6c53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 7 May 2020 13:03:44 +0200 Subject: [PATCH 176/297] edc: add group vars required for dhcp deployment --- group_vars/edc/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 group_vars/edc/main.yml diff --git a/group_vars/edc/main.yml b/group_vars/edc/main.yml new file mode 100644 index 0000000..48f10cd --- /dev/null +++ b/group_vars/edc/main.yml @@ -0,0 +1,8 @@ +--- +apartment_block: edc + +subnet_ids: + ap: 144 + users_wired: 40 + users_wifi: 41 + From 24a6063a91942e372ba15b213c0089aea539f60a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 7 May 2020 14:51:02 +0200 Subject: [PATCH 177/297] baseconfig: fix resolv.conf --- roles/baseconfig/templates/resolv.conf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/baseconfig/templates/resolv.conf b/roles/baseconfig/templates/resolv.conf index d1b19b5..c94128f 100644 --- a/roles/baseconfig/templates/resolv.conf +++ b/roles/baseconfig/templates/resolv.conf @@ -1,4 +1,3 @@ -domain auro.re -search auro.re. +domain adm.auro.re nameserver 10.128.0.253 nameserver 80.67.169.12 From 4f224ee8174c5f726bfa4ff249d7cd5e948b12f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 7 May 2020 14:55:12 +0200 Subject: [PATCH 178/297] re2o-service: install Python dependencies --- roles/re2o-service/tasks/main.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/roles/re2o-service/tasks/main.yml b/roles/re2o-service/tasks/main.yml index 74ac8fd..5b7d039 100644 --- a/roles/re2o-service/tasks/main.yml 
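Review bot: The task named `Configure resolvconf` writes `/etc/resolv.conf` directly with `template`, which only sticks if nothing else on the host owns that file; on Debian hosts where the `resolvconf` package, `systemd-resolved` or the DHCP client manages it (often as a symlink) the rendered file is either replaced or overwritten at the next renewal. Record the assumption above the task, e.g. `# Static resolv.conf: assumes no resolvconf/systemd-resolved/dhclient hook rewrites it`, or rename the task to `Configure /etc/resolv.conf` so it does not suggest the resolvconf package is involved. In the template, `80.67.169.12` is an external resolver listed after `10.128.0.253`, so once the internal resolver times out, lookups for `adm.auro.re` names and the search-domain expansions go to a third party; if that fallback is intentional, a one-line comment in the template saying so would help the next reader.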
+++ b/roles/re2o-service/tasks/main.yml @@ -2,7 +2,15 @@ # Create service user - include_tasks: service_user.yml -# python3-iso8601 python3-jinja2 +- name: Install Python dependencies + apt: + name: + - python3-iso8601 + - python3-jinja2 + update_cache: true + register: apt_result + retries: 3 + until: apt_result is succeeded - name: "Clone re2o {{ service_name }} project" git: From 3d742c391c7ba88582ee0783dc9f8a76cbfb4ac0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 7 May 2020 17:06:48 +0200 Subject: [PATCH 179/297] hosts: add routeur-edc-backup --- hosts | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts b/hosts index 1471933..8ee54c7 100644 --- a/hosts +++ b/hosts @@ -101,6 +101,7 @@ chapalux.adm.auro.re [edc_vm] routeur-edc.adm.auro.re +routeur-edc-backup.adm.auro.re dns-edc.adm.auro.re dns-edc-backup.adm.auro.re dhcp-edc.adm.auro.re From e4d428d1dc57ab4e517204f18af5cacbad278b76 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 7 May 2020 18:49:31 +0200 Subject: [PATCH 180/297] unbound: change task order Seems to be necessary to restart unbound manually for some reason?... --- roles/unbound/tasks/main.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index ff45ec1..3baed92 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -19,6 +19,15 @@ state: present register: unbound_install +- name: ensure unbound log directory exists + file: + path: /var/log/unbound + state: directory + mode: '0755' + owner: unbound + group: unbound + notify: restart unbound + - name: add unbound-control configuration template: src: unbound-control.conf.j2 
@@ -33,13 +42,6 @@ mode: 0644 notify: restart unbound -- name: ensure unbound log directory exists - file: - path: /var/log/unbound - state: directory - mode: '0755' - owner: unbound - group: unbound - name: ask apparmor to allow unbound to write to log file template: From 268c4d2419d03c6f1fa2c894787242360e15f3c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 7 May 2020 18:51:45 +0200 Subject: [PATCH 181/297] hosts: manage recursive DNS on EDC --- hosts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts b/hosts index 8ee54c7..3e436e1 100644 --- a/hosts +++ b/hosts @@ -202,10 +202,12 @@ dhcp-edc-backup.adm.auro.re [rdns_main] dns-fleming.adm.auro.re dns-pacaterie.adm.auro.re +dns-edc.adm.auro.re [rdns_backup] dns-fleming-backup.adm.auro.re dns-pacaterie-backup.adm.auro.re +dns-edc-backup.adm.auro.re [recursive_dns:children] rdns_main From c77ae7f4c397c9ba791f59d3a3d417eb46cfc9e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 7 May 2020 19:24:02 +0200 Subject: [PATCH 182/297] aurore-firewall: initial setup group_vars: add apartment_block_id var dhcp: move vars to role --- group_vars/edc/main.yml | 1 + group_vars/fleming/main.yml | 1 + group_vars/georgesand/main.yml | 3 + group_vars/pacaterie/main.yml | 1 + network.yml | 5 +- roles/aurore-firewall/tasks/main.yml | 18 ++++++ .../templates/firewall_config.py | 64 +++++++++++++++++++ .../isc-dhcp-server/vars/main.yml | 0 8 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 group_vars/georgesand/main.yml create mode 100644 roles/aurore-firewall/tasks/main.yml create mode 100644 roles/aurore-firewall/templates/firewall_config.py rename group_vars/dhcp/vars.yml => roles/isc-dhcp-server/vars/main.yml (100%) diff --git a/group_vars/edc/main.yml b/group_vars/edc/main.yml index 48f10cd..d6cc8d4 100644 --- a/group_vars/edc/main.yml +++ b/group_vars/edc/main.yml 
@@ -1,5 +1,6 @@ --- apartment_block: edc +apartment_block_id: 4 subnet_ids: ap: 144 diff --git a/group_vars/fleming/main.yml b/group_vars/fleming/main.yml index f0d1f8f..93abe36 100644 --- a/group_vars/fleming/main.yml +++ b/group_vars/fleming/main.yml @@ -1,5 +1,6 @@ --- apartment_block: fleming +apartment_block_id: 1 subnet_ids: ap: 141 diff --git a/group_vars/georgesand/main.yml b/group_vars/georgesand/main.yml new file mode 100644 index 0000000..0d233a5 --- /dev/null +++ b/group_vars/georgesand/main.yml @@ -0,0 +1,3 @@ +--- +apartment_block: gs +apartment_block_id: 5 diff --git a/group_vars/pacaterie/main.yml b/group_vars/pacaterie/main.yml index 043d26d..e51113e 100644 --- a/group_vars/pacaterie/main.yml +++ b/group_vars/pacaterie/main.yml @@ -1,5 +1,6 @@ --- apartment_block: pacaterie +apartment_block_id: 2 subnet_ids: ap: 142 diff --git a/network.yml b/network.yml index a83b2d9..e8abe02 100755 --- a/network.yml +++ b/network.yml @@ -15,12 +15,15 @@ - isc-dhcp-server - # Deploy unbound DNS server (recursive). - hosts: recursive_dns roles: - unbound +- hosts: routeur-*.adm.auro.re + roles: + - aurore-firewall + # WIP: Deploy authoritative DNS servers # - hosts: authoritative_dns diff --git a/roles/aurore-firewall/tasks/main.yml b/roles/aurore-firewall/tasks/main.yml new file mode 100644 index 0000000..a6bb7e7 --- /dev/null +++ b/roles/aurore-firewall/tasks/main.yml @@ -0,0 +1,18 @@ +--- +- name: Configure aurore-firewall + template: + src: firewall_config.py + dest: /var/local/re2o-services/aurore-firewall/firewall_config.py + mode: 0644 + +- name: Install corresponding re2o service + import_role: + name: re2o-service + vars: + service_repo: https://gitlab.federez.net/re2o/aurore-firewall.git + service_name: aurore-firewall + service_version: master + service_config: + hostname: re2o.auro.re + username: service-user + password: "{{ vault_serviceuser_passwd }}" 
diff --git a/roles/aurore-firewall/templates/firewall_config.py b/roles/aurore-firewall/templates/firewall_config.py new file mode 100644 index 0000000..d782cdb --- /dev/null +++ b/roles/aurore-firewall/templates/firewall_config.py 
@@ -0,0 +1,64 @@
+# -*- mode: python; coding: utf-8 -*-
+#
+# {{ ansible_managed }}
+#
+# Re2o est un logiciel d'administration développé initiallement au rezometz. Il
+# se veut agnostique au réseau considéré, de manière à être installable en
+# quelques clics.
+#
+# Copyright © 2017 Gabriel Détraz
+# Copyright © 2017 Goulven Kermarec
+# Copyright © 2017 Augustin Lemesle
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+### Give me a role
+
+role = ['''routeur{{ apartment_block_id }}{{ 'backup' if "backup" in inventory_hostname else '' }}''']
+
+
+### Specify each interface role
+
+interfaces_type = {
+ 'routable' : ['ens20', 'ens21'],
+ 'sortie' : ['ens19'],
+ 'admin' : ['ens18']
+}
+
+
+### Specify nat settings: name, interfaces with range, and global range for nat
+### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST
+### contain /16 range
+
+nat = [
+ {
+ 'name' : 'Wifi',
+ 'interfaces_ip_to_nat' : {
+ 'ens19' : '45.66.109.0/24',
+ },
+ 'ip_sources' : '10.{{ subnet_ids.users_wifi }}.0.0/16',
+ 'extra_nat' : {}
+ },
+ {
+ 'name' : 'Filaire',
+ 'interfaces_ip_to_nat' : {
+ 'ens19' : '45.66.108.0/24',
+ },
+ 'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',
+ 'extra_nat' : {
+ '10.129.{{ apartment_block_id }}.240' : '45.66.108.25{{ apartment_block_id }}'
+ }
+ }
+]
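Review bot: The warning comment above `nat` names a key that does not exist: it says `"interface_ip_to_nat'` (mismatched quotes, singular) while both entries use `'interfaces_ip_to_nat'`, so a reader checking the /24 constraint against the wrong name finds nothing. Suggest `### WARNING: 'interfaces_ip_to_nat' MUST contain /24 ranges, and 'ip_sources' MUST contain /16 ranges`. The `role` line also hides a Jinja conditional inside a Python triple-quoted string; a short comment stating that it renders to `routeur<id>` or `routeur<id>backup` depending on `inventory_hostname` would save the next maintainer from parsing it.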
diff --git a/group_vars/dhcp/vars.yml b/roles/isc-dhcp-server/vars/main.yml similarity index 100% rename from group_vars/dhcp/vars.yml rename to roles/isc-dhcp-server/vars/main.yml From 5ee7bb3069b82870a7077efc4b4d66ec15700f7e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 7 May 2020 19:41:31 +0200 Subject: [PATCH 183/297] ansible.cfg: unset scp_if_ssh --- ansible.cfg | 1 - 1 file changed, 1 deletion(-) diff --git a/ansible.cfg b/ansible.cfg index 960e6df..8d528bd 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -33,4 +33,3 @@ become_ask_pass = True # TO know what changed always = yes -scp_if_ssh = True From 1a10729b674e65af986fa4ecda936e13cee53469 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 7 May 2020 19:43:03 +0200 Subject: [PATCH 184/297] hosts: manage dhcp-edc --- hosts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts b/hosts index 3e436e1..6e81281 100644 --- a/hosts +++ b/hosts @@ -195,7 +195,7 @@ dhcp-fleming.adm.auro.re dhcp-fleming-backup.adm.auro.re #dhcp-pacaterie.adm.auro.re #dhcp-pacaterie-backup.adm.auro.re -#dhcp-edc.adm.auro.re # WARNING: wrong interface names!!! +dhcp-edc.adm.auro.re dhcp-edc-backup.adm.auro.re #dhcp-gs.adm.auro.re From 44be43e528f3162c93e587e7a845162481e27cd5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 7 May 2020 19:57:00 +0200 Subject: [PATCH 185/297] aurore-firewall: add config after cloning --- roles/aurore-firewall/tasks/main.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/roles/aurore-firewall/tasks/main.yml b/roles/aurore-firewall/tasks/main.yml index a6bb7e7..44d10d1 100644 --- a/roles/aurore-firewall/tasks/main.yml +++ b/roles/aurore-firewall/tasks/main.yml 
@@ -1,11 +1,5 @@ --- -- name: Configure aurore-firewall - template: - src: firewall_config.py - dest: /var/local/re2o-services/aurore-firewall/firewall_config.py - mode: 0644 - -- name: Install corresponding re2o service +- name: Install aurore-firewall (re2o-service) import_role: name: re2o-service vars: @@ -16,3 +10,10 @@ hostname: re2o.auro.re username: service-user password: "{{ vault_serviceuser_passwd }}" + + +- name: Configure aurore-firewall + template: + src: firewall_config.py + dest: /var/local/re2o-services/aurore-firewall/firewall_config.py + mode: 0644 From 8ba2de1698226349a6597a4e250a81c2524c9986 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 7 May 2020 20:01:44 +0200 Subject: [PATCH 186/297] aurore-firewall: fix repo address + branch --- roles/aurore-firewall/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/aurore-firewall/tasks/main.yml b/roles/aurore-firewall/tasks/main.yml index 44d10d1..691cb71 100644 --- a/roles/aurore-firewall/tasks/main.yml +++ b/roles/aurore-firewall/tasks/main.yml @@ -3,9 +3,9 @@ import_role: name: re2o-service vars: - service_repo: https://gitlab.federez.net/re2o/aurore-firewall.git + service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git service_name: aurore-firewall - service_version: master + service_version: aurore service_config: hostname: re2o.auro.re username: service-user From fea73a13aa31a2ce8e6d8b825e58e7032a1b203a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 7 May 2020 20:23:30 +0200 Subject: [PATCH 187/297] aurore-firewall: correct backup router ip --- roles/aurore-firewall/templates/firewall_config.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aurore-firewall/templates/firewall_config.py b/roles/aurore-firewall/templates/firewall_config.py index d782cdb..052c6d2 100644 --- a/roles/aurore-firewall/templates/firewall_config.py 
+++ b/roles/aurore-firewall/templates/firewall_config.py @@ -58,7 +58,7 @@ nat = [ }, 'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16', 'extra_nat' : { - '10.129.{{ apartment_block_id }}.240' : '45.66.108.25{{ apartment_block_id }}' + '10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{ apartment_block_id }}' } } ] From e45bdcbba8916941cd96e1a1d2d235a47eef6957 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 7 May 2020 20:27:36 +0200 Subject: [PATCH 188/297] network.yml: ensure safety without --limit --- network.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network.yml b/network.yml index e8abe02..9c5dbb0 100755 --- a/network.yml +++ b/network.yml @@ -20,7 +20,7 @@ roles: - unbound -- hosts: routeur-*.adm.auro.re +- hosts: routeur-edc-backup.adm.auro.re # temporaire roles: - aurore-firewall From 26524eccc5506c2028c0df9aa37a7306d6e64400 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 7 May 2020 20:33:25 +0200 Subject: [PATCH 189/297] ansible-list: allow lack of idempotence --- .ansible-lint | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .ansible-lint diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000..d03cb8f --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,2 @@ +skip_list: + - '301' From e58ee1c4b5cfbaf77aab3711820d2317fd0c2cc7 Mon Sep 17 00:00:00 2001 
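Review bot: Adding `301` to `skip_list` turns off the "commands should not change things" check for every `command`/`shell` task in the repository, including ones written later, rather than for the tasks this commit has in mind. ansible-lint 4 accepts a per-task exemption, so the narrower fix is `# noqa 301` at the end of the offending task's module line, or better a `changed_when:`/`creates:` that makes the task honest about idempotence, after which this file is not needed. If the global skip is kept, a comment above it naming the tasks that justify it would stop the list from growing silently.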
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Fri, 8 May 2020 15:54:54 +0200 Subject: [PATCH 190/297] keepalived: initial config --- network.yml | 6 +- roles/aurore-firewall/tasks/main.yml | 19 ------ roles/router/handlers/main.yml | 9 +++ roles/router/tasks/main.yml | 49 ++++++++++++++++ roles/router/templates/cron.d/re2o-services | 3 + .../templates/firewall_config.py | 7 ++- roles/router/templates/keepalived.conf | 58 +++++++++++++++++++ 7 files changed, 128 insertions(+), 23 deletions(-) delete mode 100644 roles/aurore-firewall/tasks/main.yml create mode 100644 roles/router/handlers/main.yml create mode 100644 roles/router/tasks/main.yml create mode 100644 roles/router/templates/cron.d/re2o-services rename roles/{aurore-firewall => router}/templates/firewall_config.py (89%) create mode 100644 roles/router/templates/keepalived.conf diff --git a/network.yml b/network.yml index 9c5dbb0..d61db7f 100755 --- a/network.yml +++ b/network.yml @@ -20,9 +20,11 @@ roles: - unbound -- hosts: routeur-edc-backup.adm.auro.re # temporaire + +# Déploiement du service re2o aurore-firewall et keepalived +- hosts: routeur-edc*.adm.auro.re roles: - - aurore-firewall + - router # WIP: Deploy authoritative DNS servers diff --git a/roles/aurore-firewall/tasks/main.yml b/roles/aurore-firewall/tasks/main.yml deleted file mode 100644 index 691cb71..0000000 --- a/roles/aurore-firewall/tasks/main.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: Install aurore-firewall (re2o-service) - import_role: - name: re2o-service - vars: - service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git - service_name: aurore-firewall - service_version: aurore - service_config: - hostname: re2o.auro.re - username: service-user - password: "{{ vault_serviceuser_passwd }}" - - -- name: Configure aurore-firewall - template: - src: firewall_config.py - dest: /var/local/re2o-services/aurore-firewall/firewall_config.py - mode: 0644 
diff --git a/roles/router/handlers/main.yml b/roles/router/handlers/main.yml
new file mode 100644
index 0000000..11ba484
--- /dev/null
+++ b/roles/router/handlers/main.yml
@@ -0,0 +1,9 @@
+- name: restart keepalived
+ systemd:
+ state: restarted
+ name: keepalived
+
+- name: run aurore-firewall
+ command: python3 main.py --force
+ args:
+ chdir: /var/local/re2o-services/aurore-firewall/
diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml
new file mode 100644
index 0000000..6073afe
--- /dev/null
+++ b/roles/router/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+
+- name: Enable IPv4 packet forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: yes
+
+- name: Install aurore-firewall (re2o-service)
+ import_role:
+ name: re2o-service
+ vars:
+ service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git
+ service_name: aurore-firewall
+ service_version: aurore
+ service_config:
+ hostname: re2o.auro.re
+ username: service-user
+ password: "{{ vault_serviceuser_passwd }}"
+ notify: run aurore-firewall
+
+- name: Configure aurore-firewall
+ template:
+ src: firewall_config.py
+ dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
+ mode: 0644
+ notify: run aurore-firewall
+
+- name: Install keepalived
+ apt:
+ name: keepalived
+ update_cache: true
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Configure keepalived
+ template:
+ src: keepalived.conf
+ dest: /etc/keepalived/keepalived.conf
+ mode: 0644
+ notify: restart keepalived
+
+
+- name: Configure cron
+ template:
+ src: cron.d/re2o-services
+ dest: /etc/cron.d/re2o-services
+ mode: 0644
diff --git a/roles/router/templates/cron.d/re2o-services b/roles/router/templates/cron.d/re2o-services
new file mode 100644
index 0000000..e732887
--- /dev/null
+++ b/roles/router/templates/cron.d/re2o-services
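Review bot: The `restart keepalived` handler uses `state: restarted`, so every change to `keepalived.conf` on the current MASTER drops its VIPs and forces a failover to the backup before the new configuration is even read. keepalived re-reads its configuration on SIGHUP and the packaged unit normally carries an `ExecReload` for it, so `state: reloaded` avoids the outage; worth confirming on one backup router before switching. Minor: this handler file has no `---` document start, unlike the task file added next to it.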
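Review bot: `service_version: aurore` in the `Install aurore-firewall` task is a branch name, not a release, so whatever sits at the tip of that branch on gitlab.federez.net when the play runs becomes the firewall generator that the `run aurore-firewall` handler and the cron entry from `Configure cron` execute as root; a force-push or a compromised upstream account changes the rule set on every router without any change in this repository. Pin it to a tag or a full commit hash and bump it deliberately, e.g. `service_version: <commit-sha>  # aurore branch, reviewed <date>` (placeholders). Whether the re2o-service role's git task updates an existing checkout on every run is not visible here, so the exposure is at least each fresh deploy and possibly each play. Minor: `sysctl_set: yes` is the only truthy spelling in the file; the rest uses `true`.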
@@ -0,0 +1,3 @@ +# Régénération du firewall +*/5 * * * * root /usr/bin/python3 /var/local/re2o-services/aurore-firewall/main.py +@reboot root /usr/bin/python3 /var/local/re2o-services/aurore-firewall/main.py --force diff --git a/roles/aurore-firewall/templates/firewall_config.py b/roles/router/templates/firewall_config.py similarity index 89% rename from roles/aurore-firewall/templates/firewall_config.py rename to roles/router/templates/firewall_config.py index 052c6d2..d78707d 100644 --- a/roles/aurore-firewall/templates/firewall_config.py +++ b/roles/router/templates/firewall_config.py @@ -26,7 +26,8 @@ ### Give me a role -role = ['''routeur{{ apartment_block_id }}{{ 'backup' if "backup" in inventory_hostname else '' }}'''] +# routeur4 = routeur IPv4 +role = ['routeur4'] ### Specify each interface role @@ -58,7 +59,9 @@ nat = [ }, 'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16', 'extra_nat' : { - '10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{ apartment_block_id }}' + '10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{ + apartment_block_id }}', + '10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}' } } ] diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf new file mode 100644 index 0000000..3f15878 --- /dev/null +++ b/roles/router/templates/keepalived.conf 
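Review bot: The `*/5` entry and the `run aurore-firewall` handler both run `main.py` as root with nothing preventing two instances from overlapping (a slow run spilling past the next tick, or a cron tick landing during a playbook), and if main.py rewrites the rule set non-atomically the result is a partially applied firewall. Unless main.py takes its own lock, wrap the cron invocation, e.g. `*/5 * * * * root flock -n /run/lock/aurore-firewall.lock /usr/bin/python3 /var/local/re2o-services/aurore-firewall/main.py` (lock path is a suggestion), and do the same in the handler. Only the `@reboot` line passes `--force`; a comment saying what `--force` skips or overrides would make the difference between the two entries deliberate rather than accidental.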
@@ -0,0 +1,58 @@
+# {{ ansible_managed }}
+global_defs {
+ notification_email {
+ monitoring.aurore@lists.crans.org
+ }
+ notification_email_from routeur-edc-backup@auro.re
+ smtp_server smtp.crans.org
+}
+
+
+vrrp_instance VI_ROUT_{{ apartment_block }} {
+ {% if 'backup' in inventory_hostname %}
+ state BACKUP
+ priority 100
+ {% else %}
+ state MASTER
+ priority 150
+ {% endif %}
+
+
+ # Interface used for VRRP communication.
+ interface ens18
+
+ # Shared by MASTER and BACKUP
+ virtual_router_id {{ apartment_block_id }}
+
+ # Timeout in seconds before failover kicks in.
+ advert_int 2
+
+
+ # Used to authenticate VRRP communication between master and backup.
+ authentication {
+ auth_type PASS
+ auth_pass pLOP # temporary password; DO NOT USE
+ }
+
+ smtp_alert
+
+ virtual_ipaddress {
+ # Routing subnet
+ 10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global
+
+ # Public subnet: wired
+ 45.66.108.25{{ apartment_block_id }}/24 brd 45.66.108.255 dev ens19 scope global
+ # Public subnet: wifi
+ 45.66.109.25{{ apartment_block_id }}/24 brd 45.66.109.255 dev ens19 scope global
+
+ # Wired
+ 10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global
+ # Wifi
+ 10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
+ }
+
+ virtual_routes {
+ # 10.129.0.1 is Yggdrasil
+ src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19
+ }
+}
From 4372b219761c37b83a12333bffde0d46c2e09112 Mon Sep 17 00:00:00 2001
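Review bot: `auth_pass pLOP` commits a VRRP password to the repository, and the inline comment already admits it is a placeholder; every router rendered from this template will share it until someone remembers. Move it to a vaulted variable the way the re2o service password already is (`auth_pass {{ vault_keepalived_auth_pass }}`, name to taste), and keep in mind that VRRPv2 `PASS` authentication only uses the first 8 characters and travels in clear on `ens18`, so treat it as a guard against misconfigured peers rather than a security boundary for the admin VLAN. `notification_email_from routeur-edc-backup@auro.re` is fixed to the backup hostname even when rendered on the MASTER, so failover mails from the master are mislabelled; `{{ inventory_hostname }}@auro.re` or a dedicated sender keeps them distinguishable.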
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Fri, 8 May 2020 16:36:07 +0200 Subject: [PATCH 191/297] dhcp: allow different router IP suffix This variable is only needed because we're in the process of deploying keepalived. For now it's only at EDC. --- group_vars/edc/main.yml | 1 + group_vars/fleming/main.yml | 1 + group_vars/georgesand/main.yml | 2 ++ group_vars/pacaterie/main.yml | 2 ++ roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 | 4 ++-- 5 files changed, 8 insertions(+), 2 deletions(-) diff --git a/group_vars/edc/main.yml b/group_vars/edc/main.yml index d6cc8d4..54f11bc 100644 --- a/group_vars/edc/main.yml +++ b/group_vars/edc/main.yml @@ -7,3 +7,4 @@ subnet_ids: users_wired: 40 users_wifi: 41 +router_ip_suffix: 254 diff --git a/group_vars/fleming/main.yml b/group_vars/fleming/main.yml index 93abe36..5552c57 100644 --- a/group_vars/fleming/main.yml +++ b/group_vars/fleming/main.yml @@ -7,3 +7,4 @@ subnet_ids: users_wired: 10 users_wifi: 11 +router_ip_suffix: 240 diff --git a/group_vars/georgesand/main.yml b/group_vars/georgesand/main.yml index 0d233a5..0161c8a 100644 --- a/group_vars/georgesand/main.yml +++ b/group_vars/georgesand/main.yml @@ -1,3 +1,5 @@ --- apartment_block: gs apartment_block_id: 5 + +router_ip_suffix: 240 diff --git a/group_vars/pacaterie/main.yml b/group_vars/pacaterie/main.yml index e51113e..bb0face 100644 --- a/group_vars/pacaterie/main.yml +++ b/group_vars/pacaterie/main.yml @@ -6,3 +6,5 @@ subnet_ids: ap: 142 users_wired: 20 users_wifi: 21 + +router_ip_suffix: 240 diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index dc642ae..bad8558 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 
@@ -44,7 +44,7 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { interface "ens20"; option subnet-mask 255.255.0.0; option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255; - option routers 10.{{ subnet_ids.users_wired }}.0.240; + option routers 10.{{ subnet_ids.users_wired }}.0.{{ router_ip_suffix }}; option domain-name "fil.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; @@ -61,7 +61,7 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { interface "ens21"; option subnet-mask 255.255.0.0; option broadcast-address 10.{{ subnet_ids.users_wifi }}.255.255; - option routers 10.{{ subnet_ids.users_wifi }}.0.240; + option routers 10.{{ subnet_ids.users_wifi }}.0.{{ router_ip_suffix }}; option domain-name "wifi.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; From 223578eefab5d00dd29d6ebff80ee18f83109c26 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Fri, 8 May 2020 16:43:49 +0200 Subject: [PATCH 192/297] keepalived: no ansible_managed Used to restart keepalived needlessly --- roles/router/templates/firewall_config.py | 2 -- roles/router/templates/keepalived.conf | 1 - 2 files changed, 3 deletions(-) diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py index d78707d..bd013d3 100644 --- a/roles/router/templates/firewall_config.py +++ b/roles/router/templates/firewall_config.py @@ -1,7 +1,5 @@ # -*- mode: python; coding: utf-8 -*- # -# {{ ansible_managed }} -# # Re2o est un logiciel d'administration développé initiallement au rezometz. Il # se veut agnostique au réseau considéré, de manière à être installable en # quelques clics. diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf index 3f15878..ad4a64a 100644 --- a/roles/router/templates/keepalived.conf +++ b/roles/router/templates/keepalived.conf 
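Review bot: Dropping `{{ ansible_managed }}` from the header of `firewall_config.py` (and of `keepalived.conf` in the next hunk) removes the only in-file marker telling an operator on the router that the file is regenerated by Ansible. The spurious restarts described in the commit message come from the content of `ansible_managed`, presumably a timestamped value set in `ansible.cfg`, not from the marker itself; a static `ansible_managed = Ansible managed: {file} on {host}` under `[defaults]` keeps the header stable across runs so the handler fires only on real changes. If the marker is to stay out, a plain `# Managed by Ansible (roles/router), do not edit by hand` comment costs nothing and keeps the warning.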
@@ -1,4 +1,3 @@ -# {{ ansible_managed }} global_defs { notification_email { monitoring.aurore@lists.crans.org From a4d0f051b6a753ae943b66ef6e6eadc83a805570 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Fri, 8 May 2020 16:44:08 +0200 Subject: [PATCH 193/297] dhcp: restart server on config update --- roles/isc-dhcp-server/handlers/main.yml | 4 ++++ roles/isc-dhcp-server/tasks/main.yml | 4 ++++ roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 | 2 -- 3 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 roles/isc-dhcp-server/handlers/main.yml diff --git a/roles/isc-dhcp-server/handlers/main.yml b/roles/isc-dhcp-server/handlers/main.yml new file mode 100644 index 0000000..2df3eac --- /dev/null +++ b/roles/isc-dhcp-server/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart dhcpd + systemd: + state: restarted + name: isc-dhcp-server diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc-dhcp-server/tasks/main.yml index 4d6ef54..13ba3b7 100644 --- a/roles/isc-dhcp-server/tasks/main.yml +++ b/roles/isc-dhcp-server/tasks/main.yml @@ -7,6 +7,7 @@ register: apt_result retries: 3 until: apt_result is succeeded + notify: restart dhcpd - name: Ensure dhcp log directory exists file: @@ -50,6 +51,7 @@ src: default/isc-dhcp-server.j2 dest: /etc/default/isc-dhcp-server mode: 0644 + notify: restart dhcpd - name: Configure dhcp-failover.conf template: @@ -57,9 +59,11 @@ dest: /etc/dhcp/dhcp-failover.conf mode: 0600 when: dhcp_failover is defined + notify: restart dhcpd - name: Configure dhcpd.conf template: src: dhcp/dhcpd.conf.j2 dest: /etc/dhcp/dhcpd.conf mode: 0600 + notify: restart dhcpd diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index bad8558..f4150e7 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 
@@ -1,5 +1,3 @@ -# {{ ansible_managed }} - default-lease-time 86400; max-lease-time 86400; From 3f26e7d4b45f4ca2e51729c8211d5170cbd4f7f3 Mon Sep 17 00:00:00 2001 From: Pierre Date: Fri, 8 May 2020 18:39:05 +0200 Subject: [PATCH 194/297] routeur de la pacaterie en ...254 au lieu de ...240 pour keepalived --- group_vars/pacaterie/main.yml | 2 +- hosts | 4 ++-- network.yml | 14 +++++++------- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/group_vars/pacaterie/main.yml b/group_vars/pacaterie/main.yml index bb0face..4a4ca3f 100644 --- a/group_vars/pacaterie/main.yml +++ b/group_vars/pacaterie/main.yml @@ -7,4 +7,4 @@ subnet_ids: users_wired: 20 users_wifi: 21 -router_ip_suffix: 240 +router_ip_suffix: 254 diff --git a/hosts b/hosts index 6e81281..75a504d 100644 --- a/hosts +++ b/hosts @@ -193,8 +193,8 @@ gs_pve [dhcp] dhcp-fleming.adm.auro.re dhcp-fleming-backup.adm.auro.re -#dhcp-pacaterie.adm.auro.re -#dhcp-pacaterie-backup.adm.auro.re +dhcp-pacaterie.adm.auro.re +dhcp-pacaterie-backup.adm.auro.re dhcp-edc.adm.auro.re dhcp-edc-backup.adm.auro.re #dhcp-gs.adm.auro.re diff --git a/network.yml b/network.yml index d61db7f..9613461 100755 --- a/network.yml +++ b/network.yml @@ -1,7 +1,7 @@ #!/usr/bin/env ansible-playbook --- # Set up DHCP servers. -- hosts: dhcp +- hosts: dhcp-pacaterie*.adm.auro.re vars: service_repo: https://gitlab.federez.net/re2o/dhcp.git service_name: dhcp @@ -16,15 +16,15 @@ # Deploy unbound DNS server (recursive). -- hosts: recursive_dns - roles: - - unbound +#- hosts: recursive_dns +# roles: +# - unbound # Déploiement du service re2o aurore-firewall et keepalived -- hosts: routeur-edc*.adm.auro.re - roles: - - router +#- hosts: routeur-pacaterie.adm.auro.re +# roles: +# - router # WIP: Deploy authoritative DNS servers From dea4dda28500f9af70c404d102fbed45c986a661 Mon Sep 17 00:00:00 2001 
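Review bot: Narrowing the DHCP play to `dhcp-pacaterie*.adm.auro.re` and commenting out the unbound and router plays turns a one-off rollout into the playbook's committed state, so a plain run of `network.yml` no longer manages the fleming/edc DHCP servers, the resolvers or the routers, and nothing in the file says this is temporary. Passing `--limit 'dhcp-pacaterie*'` (or a tag) on the command line would keep the playbook complete. If the file edit is intentional, a comment such as `# TEMP: limited to pacaterie while the keepalived VIP moves to .254` would at least flag it for whoever runs it next.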
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 9 May 2020 10:15:28 +0200 Subject: [PATCH 195/297] hosts: remove dhcp and recursive_dns groups Use patterns instead for now. --- hosts | 27 --------------------------- network.yml | 14 +++++++------- roles/unbound/tasks/main.yml | 4 ++-- 3 files changed, 9 insertions(+), 36 deletions(-) diff --git a/hosts b/hosts index 75a504d..eb71e7f 100644 --- a/hosts +++ b/hosts @@ -190,33 +190,6 @@ gs_pve ############################################################################### # Groups by service -[dhcp] -dhcp-fleming.adm.auro.re -dhcp-fleming-backup.adm.auro.re -dhcp-pacaterie.adm.auro.re -dhcp-pacaterie-backup.adm.auro.re -dhcp-edc.adm.auro.re -dhcp-edc-backup.adm.auro.re -#dhcp-gs.adm.auro.re - -[rdns_main] -dns-fleming.adm.auro.re -dns-pacaterie.adm.auro.re -dns-edc.adm.auro.re - -[rdns_backup] -dns-fleming-backup.adm.auro.re -dns-pacaterie-backup.adm.auro.re -dns-edc-backup.adm.auro.re - -[recursive_dns:children] -rdns_main -rdns_backup - -# FIXME: -#dns-edc.adm.auro.re -#dns-gs.adm.auro.re - [ldap_replica:children] ldap_replica_fleming ldap_replica_pacaterie diff --git a/network.yml b/network.yml index 9613461..f3e72af 100755 --- a/network.yml +++ b/network.yml @@ -1,7 +1,7 @@ #!/usr/bin/env ansible-playbook --- # Set up DHCP servers. -- hosts: dhcp-pacaterie*.adm.auro.re +- hosts: dhcp-*.adm.auro.re, !dhcp-aurore*.adm.auro.re,!dhcp-gs*.adm.auro.re vars: service_repo: https://gitlab.federez.net/re2o/dhcp.git service_name: dhcp @@ -16,15 +16,15 @@ # Deploy unbound DNS server (recursive). -#- hosts: recursive_dns -# roles: -# - unbound +- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re,!dns-gs*.adm.auro.re + roles: + - unbound # Déploiement du service re2o aurore-firewall et keepalived -#- hosts: routeur-pacaterie.adm.auro.re -# roles: -# - router +- hosts: ~routeur-(pacaterie|edc).*\.adm\.auro\.re + roles: + - router # WIP: Deploy authoritative DNS servers 
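Review bot: The host patterns in the DHCP play mix `, ` and `,` as separators (`dhcp-*.adm.auro.re, !dhcp-aurore*.adm.auro.re,!dhcp-gs*.adm.auro.re`); Ansible tolerates the whitespace, but one form should be used, matching the unbound play below it. The router play's regex `~routeur-(pacaterie|edc).*\.adm\.auro\.re` also matches any host whose name merely starts with `routeur-edc`, backup or otherwise — worth confirming that is intended, or tightening it to `~routeur-(pacaterie|edc)\.adm\.auro\.re` if only the two primaries are meant.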
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 3baed92..d20db0c 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -4,12 +4,12 @@ - name: set dns_host_suffix (main) set_fact: dns_host_suffix: "{{ dns_host_suffix_main }}" - when: "'rdns_main' in group_names" + when: "'backup' not in inventory_hostname" - name: set dns_host_suffix (backup) set_fact: dns_host_suffix: "{{ dns_host_suffix_backup }}" - when: "'rdns_backup' in group_names" + when: "'backup' in inventory_hostname" - name: install unbound From eae3a3ff44bd3eced388154d741b85cded1c43f2 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 9 May 2020 12:21:36 +0200 Subject: [PATCH 196/297] Deploy docker-worker1-aurore and proxy-backup --- hosts | 2 ++ services_web.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/hosts b/hosts index eb71e7f..b688b50 100644 --- a/hosts +++ b/hosts @@ -15,6 +15,8 @@ merlin.adm.auro.re radius-aurore.adm.auro.re dhcp-aurore.adm.auro.re dns-aurore.adm.auro.re +docker-worker1-aurore.adm.auro.re +proxy-backup.adm.auro.re ############################################################################### diff --git a/services_web.yml b/services_web.yml index 10f961a..047e00e 100755 --- a/services_web.yml +++ b/services_web.yml @@ -1,7 +1,7 @@ #!/usr/bin/env ansible-playbook --- # Deploy Docker hosts -- hosts: docker-ovh.adm.auro.re +- hosts: docker-ovh.adm.auro.re,docker-worker1-aurore.adm.auro.re roles: - docker From 544498c81a808999099d8bbac340ff16cb398369 Mon Sep 17 00:00:00 2001 
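Review bot: `when: "'backup' in inventory_hostname"` (and its negation two tasks above) selects the backup `dns_host_suffix` by plain substring, so any future resolver whose name happens to contain `backup` elsewhere, or a renamed host, silently gets the wrong suffix, and the two conditions are only complementary because they test the same string. A host-level variable in the inventory would make the role explicit; failing that, a tighter test such as `when: inventory_hostname is search('-backup[.]')` at least pins the naming convention the role relies on. The replaced group-based checks were at least declared in `hosts`; a comment on the task naming the convention would help here.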
From: Alexandre Iooss Date: Sat, 9 May 2020 12:52:17 +0200 Subject: [PATCH 197/297] New reverse proxy role --- roles/nginx-reverse-proxy/handlers/main.yml | 6 - roles/nginx-reverse-proxy/tasks/main.yml | 64 ----------- .../nginx/nginx-sites-available-main.j2 | 107 ------------------ .../templates/nginx/nginx-sites-available.j2 | 40 ------- .../nginx/snippets/proxy-common-ssl.conf.j2 | 32 ------ .../nginx/snippets/proxy-common.conf.j2 | 12 -- roles/nginx-reverseproxy/handlers/main.yml | 5 + roles/nginx-reverseproxy/tasks/main.yml | 53 +++++++++ .../templates/letsencrypt/dhparam.j2 | 8 ++ .../nginx/sites-available/redirect.j2 | 67 +++++++++++ .../nginx/sites-available/reverseproxy.j2 | 56 +++++++++ .../reverseproxy_redirect_dname.j2 | 37 ++++++ .../nginx/snippets/options-proxypass.conf.j2 | 19 ++++ .../nginx/snippets/options-ssl.conf.j2 | 17 +++ .../templates/update-motd.d/05-service.j2 | 3 + .../templates/www/html/50x.html.j2 | 63 +++++++++++ 16 files changed, 328 insertions(+), 261 deletions(-) delete mode 100644 roles/nginx-reverse-proxy/handlers/main.yml delete mode 100644 roles/nginx-reverse-proxy/tasks/main.yml delete mode 100644 roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2 delete mode 100644 roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available.j2 delete mode 100644 roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 delete mode 100644 roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2 create mode 100644 roles/nginx-reverseproxy/handlers/main.yml create mode 100644 roles/nginx-reverseproxy/tasks/main.yml create mode 100644 roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 create mode 100644 roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 create mode 100644 roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 create mode 100644 roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 create mode 100644 
roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 create mode 100644 roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 create mode 100755 roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 create mode 100644 roles/nginx-reverseproxy/templates/www/html/50x.html.j2 diff --git a/roles/nginx-reverse-proxy/handlers/main.yml b/roles/nginx-reverse-proxy/handlers/main.yml deleted file mode 100644 index aa28cf0..0000000 --- a/roles/nginx-reverse-proxy/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# Reload NGINX when a site changes -- name: Reload NGINX service - service: - name: nginx - state: reloaded diff --git a/roles/nginx-reverse-proxy/tasks/main.yml b/roles/nginx-reverse-proxy/tasks/main.yml deleted file mode 100644 index aac1af3..0000000 --- a/roles/nginx-reverse-proxy/tasks/main.yml +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -# nginx is the proxy server -# nginx-light contains less modules -# but also reduces the surface of attack -- name: Install NGINX server - apt: - update_cache: true - name: nginx-light - state: present - register: apt_result - retries: 3 - until: apt_result is succeeded - -# Install proxy snippets -- name: Configure NGINX proxy snippets - template: - src: nginx/snippets/{{ item }}.j2 - dest: /etc/nginx/snippets/{{ item }} - mode: 0644 - loop: - - proxy-common.conf - - proxy-common-ssl.conf - notify: Reload NGINX service - -# Install sites -- name: Configure NGINX sites - template: - src: nginx/nginx-sites-available.j2 - dest: /etc/nginx/sites-available/{{ item.name }} - mode: 0644 - loop: "{{ reversed_proxy_subdomains }}" - notify: Reload NGINX service - -# Desactive useless nginx sites -- name: Deactivate the default NGINX site - file: - path: /etc/nginx/sites-enabled/default - state: absent - notify: Reload NGINX service - -# Activate sites -- name: Activate sites - file: - src: /etc/nginx/sites-available/{{ item.name }} - dest: /etc/nginx/sites-enabled/{{ item.name }} - state: link - loop: "{{ reversed_proxy_subdomains }}" - notify: Reload NGINX service - -# Install main site -- name: Configure NGINX main site - template: - src: nginx/nginx-sites-available-main.j2 - dest: /etc/nginx/sites-available/main - mode: 0644 - notify: Reload NGINX service - -# Activate main site -- name: Activate main site - file: - src: /etc/nginx/sites-available/main - dest: /etc/nginx/sites-enabled/main - state: link - notify: Reload NGINX service diff --git a/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2 b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2 deleted file mode 100644 index f4ebf9a..0000000 --- a/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2 +++ /dev/null 
@@ -1,107 +0,0 @@ -# {{ ansible_managed }} - -server { - # Common proxy snippet - include "snippets/proxy-common.conf"; - - # Set witch server name we define - server_name auro.re; - - # Permanentely moved to HTTPS - location / { - return 301 https://$host$request_uri; - } - - # For Matrix Synapse Discord Appservice Media - location /_matrix { - proxy_pass http://synapse.adm.auro.re:8008; - proxy_set_header X-Forwarded-For $remote_addr; - } -} - -server { - # Common proxy snippet - include "snippets/proxy-common-ssl.conf"; - - # Set witch server name we define - server_name auro.re; - - # Separate log files - access_log /var/log/nginx/main.access.log; - error_log /var/log/nginx/main.error.log; - - # Use LetsEncrypt SSL - ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem; - - location / { - proxy_redirect off; - proxy_pass http://www.adm.auro.re; - proxy_set_header Host auro.re; - proxy_set_header P-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - - # "A man is not dead while his name is still spoken." 
-- Going Postal - add_header X-Clacks-Overhead "GNU Terry Pratchett"; - } - - # For Matrix identity server - location /_matrix/identity { - proxy_pass http://synapse.adm.auro.re:8090/_matrix/identity; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - } - - # For Matrix Synapse - location /_matrix { - proxy_pass http://synapse.adm.auro.re:8008; - proxy_set_header X-Forwarded-For $remote_addr; - } -} - -server { - listen 8448 ssl; - listen [::]:8448 ssl; - - # Set witch server name we define - server_name auro.re; - - # Separate log files - access_log /var/log/nginx/main.access.log; - error_log /var/log/nginx/main.error.log; - - # Use LetsEncrypt SSL - ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem; - - # For Matrix Synapse federation - location / { - proxy_pass http://synapse.adm.auro.re:8008; - proxy_set_header X-Forwarded-For $remote_addr; - } -} - -server { - listen 9442 ssl; - listen [::]:9442 ssl; - - # Set witch server name we define - server_name auro.re; - - # Separate log files - access_log /var/log/nginx/main.access.log; - error_log /var/log/nginx/main.error.log; - - # Use LetsEncrypt SSL - ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem; - - # For Matrix Appservice Webhooks - location / { - proxy_pass http://synapse.adm.auro.re:9000; - proxy_set_header X-Forwarded-For $remote_addr; - } -} diff --git a/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available.j2 b/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available.j2 deleted file mode 100644 index a733f23..0000000 --- a/roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available.j2 +++ /dev/null 
@@ -1,40 +0,0 @@ -# {{ ansible_managed }} - -server { - # Common proxy snippet - include "snippets/proxy-common.conf"; - - # Set witch server name we define - server_name {{ item.from }}; - - # Permanentely moved to HTTPS - return 301 https://$host$request_uri; -} - -server { - # Common proxy snippet - include "snippets/proxy-common-ssl.conf"; - - # Set witch server name we define - server_name {{ item.from }}; - - # Separate log files - access_log /var/log/nginx/{{ item.name }}.access.log; - error_log /var/log/nginx/{{ item.name }}.error.log; - - # Use LetsEncrypt SSL - ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem; - - location / { - proxy_redirect off; - proxy_pass http://{{ item.to }}; - proxy_set_header Host {{ item.from }}; - proxy_set_header P-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - - # "A man is not dead while his name is still spoken." -- Going Postal - add_header X-Clacks-Overhead "GNU Terry Pratchett"; - } -} diff --git a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 deleted file mode 100644 index 50f4977..0000000 --- a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 +++ /dev/null 
@@ -1,32 +0,0 @@ -# {{ ansible_managed }} - -# Listen for IPv4 and IPv6 with HTTP2 -listen [::]:443 ssl http2; -listen 443 ssl http2; - -# Hide NGINX version -server_tokens off; - -# Reverse Proxy Adm -set_real_ip_from 10.128.0.0/16; -real_ip_header P-Real-Ip; - -# SSL based on https://mozilla.github.io/server-side-tls/ssl-config-generator/ -ssl on; -ssl_session_timeout 1d; -ssl_session_cache shared:SSL:50m; -ssl_session_tickets off; -ssl_protocols TLSv1.2; -ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"; -ssl_prefer_server_ciphers on; -add_header Strict-Transport-Security max-age=15768000; - -# OCSP Stapling, -ssl_stapling on; -ssl_stapling_verify on; - -# Use more secure ECDH curve -ssl_ecdh_curve secp521r1:secp384r1; - -# Executer "cd /etc/ssl/certs; openssl dhparam -out dhparam.pem 4096" avant d'activer -ssl_dhparam /etc/ssl/certs/dhparam.pem; diff --git a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2 b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2 deleted file mode 100644 index 6ac4acb..0000000 --- a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2 +++ /dev/null @@ -1,12 +0,0 @@ -# {{ ansible_managed }} - -# Listen for IPv4 and IPv6 -listen 80; -listen [::]:80; - -# Hide NGINX version -server_tokens off; - -# Reverse Proxy Adm -set_real_ip_from 10.128.0.0/16; -real_ip_header P-Real-Ip; diff --git a/roles/nginx-reverseproxy/handlers/main.yml b/roles/nginx-reverseproxy/handlers/main.yml new file mode 100644 index 0000000..6dfcdd7 --- /dev/null +++ b/roles/nginx-reverseproxy/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Reload nginx + systemd: + name: nginx + state: reloaded 
diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml new file mode 100644 index 0000000..b1e3945 --- /dev/null +++ b/roles/nginx-reverseproxy/tasks/main.yml @@ -0,0 +1,53 @@ +--- +- name: Install NGINX + apt: + update_cache: true + name: nginx + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Copy snippets + template: + src: "nginx/snippets/{{ item }}.j2" + dest: "/etc/nginx/snippets/{{ item }}" + loop: + - options-ssl.conf + - options-proxypass.conf + +- name: Copy dhparam + template: + src: letsencrypt/dhparam.j2 + dest: /etc/letsencrypt/dhparam + +- name: Copy reverse proxy sites + template: + src: "nginx/sites-available/{{ item }}.j2" + dest: "/etc/nginx/sites-available/{{ item }}" + loop: + - reverseproxy + - reverseproxy_redirect_dname + - redirect + notify: Reload nginx + +- name: Activate sites + file: + src: "/etc/nginx/sites-available/{{ item }}" + dest: "/etc/nginx/sites-enabled/{{ item }}" + state: link + loop: + - reverseproxy + - reverseproxy_redirect_dname + - redirect + notify: Reload nginx + +- name: Copy 50x error page + template: + src: www/html/50x.html.j2 + dest: /var/www/html/50x.html + +- name: Indicate role in motd + template: + src: update-motd.d/05-service.j2 + dest: /etc/update-motd.d/05-nginx + mode: 0755 diff --git a/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 b/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 new file mode 100644 index 0000000..9b182b7 --- /dev/null +++ b/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 
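Review bot: `Copy snippets` and `Copy dhparam` have no `notify`, so a change to `options-ssl.conf` (certificate paths, protocols, ciphers) or to the DH parameters is written to disk but not applied until some later site change happens to reload nginx. The role being replaced also removed `/etc/nginx/sites-enabled/default` (visible in the deleted tasks above); the new role does not, so Debian's default vhost stays enabled and answers on port 80 for any Host that no `server_name` matches. None of the template tasks set `mode:`, unlike the deleted role's `0644`, which is worth keeping explicit. The changed tasks:
```yaml
- name: Copy snippets
  # … unchanged: template/loop …
  notify: Reload nginx

- name: Copy dhparam
  # … unchanged: template …
  notify: Reload nginx

# … unchanged: Copy reverse proxy sites, Activate sites …

- name: Deactivate the default NGINX site
  file:
    path: /etc/nginx/sites-enabled/default
    state: absent
  notify: Reload nginx
```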
@@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- diff --git a/roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 new file mode 100644 index 0000000..9cdb545 --- /dev/null +++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 
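Review bot: `dhparam.j2` ships a fixed 2048-bit DH group with no indication of where it came from; the base64 prefix looks like the RFC 7919 `ffdhe2048` group published in Mozilla's TLS guidance, which is a sound choice precisely because it is a public, well-vetted group, but a reader of the rendered file cannot tell it apart from one generated ad hoc. A Jinja comment at the top of the template, e.g. `{# RFC 7919 ffdhe2048 group (Mozilla server-side TLS); do not swap for a locally generated group without noting why #}`, documents this without appearing in `/etc/letsencrypt/dhparam`, since Jinja strips it at render time.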
@@ -0,0 +1,67 @@ +{{ ansible_header | comment }} + +{% for site in nginx.redirect_sites %} +# Redirect http://{{ site.from }} to http://{{ site.to }} +server { + listen 80; + listen [::]:80; + + server_name {{ site.from }}; + + location / { + return 302 http://{{ site.to }}$request_uri; + } +} + +# Redirect https://{{ site.from }} to https://{{ site.to }} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ site.from }}; + + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; + + location / { + return 302 https://{{ site.to }}$request_uri; + } +} + +{% endfor %} + +{# Also redirect for DNAMEs #} +{% for dname in nginx.redirect_dnames %} +{% for site in nginx.redirect_sites %} +{% set from = site.from | regex_replace('crans.org', dname) %} +{% if from != site.from %} +# Redirect http://{{ from }} to http://{{ site.to }} +server { + listen 80; + listen [::]:80; + + server_name {{ from }}; + + location / { + return 302 http://{{ site.to }}$request_uri; + } +} + +# Redirect https://{{ from }} to https://{{ site.to }} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ from }}; + + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; + + location / { + return 302 https://{{ site.to }}$request_uri; + } +} + +{% endif %} +{% endfor %} +{% endfor %} diff --git a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 new file mode 100644 index 0000000..0898da0 --- /dev/null +++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 
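Review bot: The DNAME loop at the bottom of `redirect.j2` rewrites `site.from` with `regex_replace('crans.org', dname)`, but every site in this play is under `auro.re` (the sibling `reverseproxy_redirect_dname.j2` uses `'auro.re'` for the same purpose), so `from` always equals `site.from`, the `{% if from != site.from %}` guard is never true and no redirect server block is ever generated for `aurores.net` / `fede-aurore.net`. Change it to `{% set from = site.from | regex_replace('auro.re', dname) %}`; both templates would further benefit from an anchored pattern so that the unescaped `.` cannot match unrelated characters.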
@@ -0,0 +1,56 @@ +{{ ansible_header | comment }} + +# Automatic Connection header for WebSocket support +# See http://nginx.org/en/docs/http/websocket.html +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +{% for site in nginx.reverseproxy_sites %} +# Redirect http://{{ site.from }} to https://{{ site.from }} +server { + listen 80; + listen [::]:80; + + server_name {{ site.from }}; + + location / { + return 302 https://$host$request_uri; + } +} + +# Reverse proxify https://{{ site.from }} to http://{{ site.to }} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ site.from }}; + + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; + + # Log into separate log files + access_log /var/log/nginx/{{ site.from }}.log; + error_log /var/log/nginx/{{ site.from }}_error.log; + + # Keep the TCP connection open a bit for faster browsing + keepalive_timeout 70; + + # Custom error page + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /var/www/html; + } + + set_real_ip_from 10.231.136.0/24; + set_real_ip_from 2a0c:700:0:2::/64; + real_ip_header P-Real-Ip; + + location / { + proxy_pass http://{{ site.to }}; + include "/etc/nginx/snippets/options-proxypass.conf"; + } +} + +{% endfor %} diff --git a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 new file mode 100644 index 0000000..988b6d1 --- /dev/null +++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 
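Review bot: `set_real_ip_from 10.231.136.0/24`, `set_real_ip_from 2a0c:700:0:2::/64` and `real_ip_header P-Real-Ip` tell nginx to replace the client address with the `P-Real-Ip` header whenever the peer is in those ranges; the snippet this role replaces trusted `10.128.0.0/16`, which is also where this play's backends live, so the new ranges look carried over from another deployment. Confirm which upstream proxy (if any) actually sends `P-Real-Ip` from those networks, and drop the three directives if this host is the edge — otherwise the access logs and anything the backends derive from the client address reflect a header rather than the connection. The HTTP→HTTPS redirect also changed from the old template's `301` to `302`; for a permanent scheme redirect `return 301 https://$host$request_uri;` is the conventional choice and lets browsers cache it.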
@@ -0,0 +1,37 @@ +{{ ansible_header | comment }} + +{% for dname in nginx.redirect_dnames %} +{% for site in nginx.reverseproxy_sites %} +{% set from = site.from | regex_replace('auro.re', dname) %} +{% set to = site.from %} +{% if from != site.from %} +# Redirect http://{{ from }} to http://{{ to }} +server { + listen 80; + listen [::]:80; + + server_name {{ from }}; + + location / { + return 302 http://{{ to }}$request_uri; + } +} + +# Redirect https://{{ from }} to https://{{ to }} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ from }}; + + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; + + location / { + return 302 https://{{ to }}$request_uri; + } +} + +{% endif %} +{% endfor %} +{% endfor %} diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 new file mode 100644 index 0000000..0b864a6 --- /dev/null +++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 @@ -0,0 +1,19 @@ +{{ ansible_header | comment }} + +proxy_redirect off; +proxy_set_header Host $host; + +# Pass the real client IP +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +# Tell proxified server that we are HTTPS, fix Wordpress +proxy_set_header X-Forwarded-Proto https; + +# WebSocket support +proxy_http_version 1.1; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header Connection $connection_upgrade; + +# For Owncloud WebDav +client_max_body_size 10G; diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 new file mode 100644 index 0000000..1a9273a --- /dev/null +++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 
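Review bot: `client_max_body_size 10G;` in `options-proxypass.conf` is included from every `location /` in `reverseproxy.j2`, so all proxied services — re2o, phabricator, wiki, CAS — accept 10 GiB request bodies although the comment says it is there for ownCloud WebDAV. Keeping nginx's default in the snippet and setting the limit per site (for example `client_max_body_size {{ site.max_body_size | default('1m') }};` in the site block, with the value given in `reverseproxy_sites`) confines the large limit to the services that need it.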
@@ -0,0 +1,17 @@ +{{ ansible_header | comment }} + +ssl_certificate {{ nginx.ssl.cert }}; +ssl_certificate_key {{ nginx.ssl.cert_key }}; +ssl_session_timeout 1d; +ssl_session_cache shared:MozSSL:10m; +ssl_session_tickets off; +ssl_dhparam /etc/letsencrypt/dhparam; +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; +ssl_prefer_server_ciphers off; + +# Enable OCSP Stapling, point to certificate chain +ssl_stapling on; +ssl_stapling_verify on; +ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + diff --git a/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 b/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 new file mode 100755 index 0000000..82373d0 --- /dev/null +++ b/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 @@ -0,0 +1,3 @@ +#!/usr/bin/tail +14 +{{ ansible_header | comment }} +> NGINX a été déployé sur cette machine. Voir /etc/nginx/. diff --git a/roles/nginx-reverseproxy/templates/www/html/50x.html.j2 b/roles/nginx-reverseproxy/templates/www/html/50x.html.j2 new file mode 100644 index 0000000..e5c8733 --- /dev/null +++ b/roles/nginx-reverseproxy/templates/www/html/50x.html.j2 @@ -0,0 +1,63 @@ + + + + + 502 + + + + +
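Review bot: `options-ssl.conf` drops two hardening directives that the deleted `proxy-common-ssl.conf` carried: the HSTS header (`add_header Strict-Transport-Security max-age=15768000;`) and `server_tokens off;`, so after this commit the sites no longer tell browsers to stay on HTTPS and nginx advertises its version again. Both fit this snippet, since it is included from every 443 server block: `add_header Strict-Transport-Security "max-age=63072000" always;` and `server_tokens off;`. Note that nginx's `add_header` is not inherited into a `location` that sets its own `add_header`, so any site-level headers added later need the HSTS line repeated. The file also ends with a whitespace-only line.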

502

+

Whoops, le service prend trop de temps à répondre…

+

Essayez de rafraîchir la page. Si le problème persiste, pensez + à contacter l'équipe technique d'Aurore.

+ + + From 9c226c680cf3930cd5f65ef7ecde444464ea78c4 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 9 May 2020 12:54:38 +0200 Subject: [PATCH 198/297] Certbot wildcard role --- roles/certbot/tasks/main.yml | 34 ++++++++ .../letsencrypt/conf.d/certname.ini.j2 | 25 ++++++ .../templates/letsencrypt/rfc2136.ini.j2 | 7 ++ services_web.yml | 86 +++++++++---------- 4 files changed, 106 insertions(+), 46 deletions(-) create mode 100644 roles/certbot/tasks/main.yml create mode 100644 roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 create mode 100644 roles/certbot/templates/letsencrypt/rfc2136.ini.j2 diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml new file mode 100644 index 0000000..66cae27 --- /dev/null +++ b/roles/certbot/tasks/main.yml @@ -0,0 +1,34 @@ +--- +- name: Install certbot and RFC2136 plugin + apt: + update_cache: true + name: + - certbot + - python3-certbot-dns-rfc2136 + state: present + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Lookup DNS masters IPv4 + set_fact: + dns_masters_ipv4: "{{ certbot.dns_masters_ipv4 }}" + cacheable: true + +- name: Add DNS credentials + template: + src: letsencrypt/rfc2136.ini.j2 + dest: /etc/letsencrypt/rfc2136.ini + mode: 0600 + owner: root + +- name: Create /etc/letsencrypt/conf.d + file: + path: /etc/letsencrypt/conf.d + state: directory + +- name: Add Certbot configuration + template: + src: "letsencrypt/conf.d/certname.ini.j2" + dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" + mode: 0644 diff --git a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 new file mode 100644 index 0000000..837a60a --- /dev/null +++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 
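Review bot: The role writes the certbot configuration and TSIG credentials but no task ever runs certbot, and the comment in `certname.ini.j2` says to invoke it by hand; in `services_web.yml` the `nginx-reverseproxy` role runs right after this one and points `ssl_certificate` at `/etc/letsencrypt/live/auro.re/fullchain.pem`, so on a freshly provisioned proxy the nginx reload would presumably fail until someone logs in and issues the certificate. A `command` task guarded by `creates:` makes the first issuance idempotent; it needs `non-interactive = True` and `agree-tos = True` in the ini for an unattended run. `cacheable: true` on the `dns_masters_ipv4` set_fact also persists that value in the fact cache across plays, which seems unneeded for a value read once by the next task.
```yaml
# … unchanged: Add Certbot configuration …

- name: Obtain certificate if not yet issued
  command: "certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly"
  args:
    creates: "/etc/letsencrypt/live/{{ certbot.certname }}/fullchain.pem"
```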
@@ -0,0 +1,25 @@ +{{ ansible_header | comment(decoration='# ') }} + +# Pour appliquer cette conf et générer la conf de renewal : +# certbot --config wildcard.ini certonly + +# Use a 4096 bit RSA key instead of 2048 +rsa-key-size = 4096 + +# Always use the staging/testing server +# server = https://acme-staging.api.letsencrypt.org/directory + +# Uncomment and update to register with the specified e-mail address +email = {{ certbot.mail }} + +# Uncomment to use a text interface instead of ncurses +text = True + +# Use DNS-01 challenge +authenticator = dns-rfc2136 +dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini +dns-rfc2136-propagation-seconds = 30 + +# Wildcard the domain +cert-name = {{ certbot.certname }} +domains = {{ certbot.domains }} diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 new file mode 100644 index 0000000..a41a547 --- /dev/null +++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 @@ -0,0 +1,7 @@ +{{ ansible_header | comment(decoration='# ') }} + +dns_rfc2136_server = {{ dns_masters_ipv4 | first }} +dns_rfc2136_port = 53 +dns_rfc2136_name = {{ certbot.dns_rfc2136_name }} +dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }} +dns_rfc2136_algorithm = HMAC-SHA512 diff --git a/services_web.yml b/services_web.yml index 047e00e..2d75448 100755 --- a/services_web.yml +++ b/services_web.yml 
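Review bot: The usage comment in `certname.ini.j2` says `certbot --config wildcard.ini certonly`, but the task installs the file as `/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini`, so the documented command does not match the deployed path; `# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly` keeps the two in step. The `# Uncomment and update ...` and `# Uncomment to use a text interface` comments are leftovers from the upstream example — the lines below them are already active — and read as if those settings were disabled.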
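Review bot: `dns_rfc2136_server = {{ dns_masters_ipv4 | first }}` receives a plain string, not a list: `services_web.yml` sets `dns_masters_ipv4: 92.222.211.196` and the role's `set_fact` copies it unchanged, so Jinja's `first` returns the first character and the rendered line is `dns_rfc2136_server = 9`, leaving certbot unable to reach the DNS master for the challenge update. Either declare the variable as a list (`dns_masters_ipv4: ["92.222.211.196"]`) or drop the `| first`; if both forms must be accepted, `{{ [dns_masters_ipv4] | flatten | first }}` handles either.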
@@ -10,51 +10,45 @@ roles: - passbolt -# Install DokuWiki on the wiki TEST container -# When it will be operational, horus-wikitest will replace horus-wiki -- hosts: horus-wikitest - roles: - - dokuwiki - -# Install NGINX with reverse proxy conf -- hosts: proxy.adm.auro.re +# Deploy reverse proxy +- hosts: proxy*.adm.auro.re vars: - reversed_proxy_subdomains: - - name: re2o - from: re2o.auro.re - to: re2o-server.adm.auro.re - - name: intranet - from: intranet.auro.re - to: re2o-server.adm.auro.re - - name: phabricator - from: phabricator.auro.re - to: phabricator.adm.auro.re - - name: wiki - from: wiki.auro.re - to: wiki.adm.auro.re - - name: www - from: www.auro.re - to: www.adm.auro.re - - name: re2o-test - from: re2o-test.auro.re - to: re2o-test.adm.auro.re - - name: riot - from: riot.auro.re - to: docker-ovh.adm.auro.re:8080 - - name: codimd - from: codimd.auro.re - to: docker-ovh.adm.auro.re:8081 - - name: grafana - from: grafana.auro.re - to: docker-ovh.adm.auro.re:8082 - - name: privatebin - from: privatebin.auro.re - to: docker-ovh.adm.auro.re:8083 - - name: pad - from: pad.auro.re - to: docker-ovh.adm.auro.re:8084 - - name: cas - from: cas.auro.re - to: docker-ovh.adm.auro.re:8085 + certbot: + dns_rfc2136_name: certbot_challenge. 
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" + mail: tech.aurore@lists.crans.org + certname: auro.re + domains: "auro.re, *.auro.re, aurores.net, *.aurores.net, fede-aurore.net, *.fede-aurore.net" + dns_masters_ipv4: 92.222.211.196 + nginx: + ssl: + cert: /etc/letsencrypt/live/auro.re/fullchain.pem + cert_key: /etc/letsencrypt/live/auro.re/privkey.pem + trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem + + redirect_dnames: + - aurores.net + - fede-aurore.net + + reverseproxy_sites: + - {from: re2o.auro.re, to: 10.128.0.10} + - {from: intranet.auro.re, to: 10.128.0.10} + + - {from: phabricator.auro.re, to: 10.128.0.50} + - {from: wiki.auro.re, to: 10.128.0.51} + - {from: www.auro.re, to: 10.128.0.52} + + - {from: re2o-test.auro.re, to: 10.128.0.100} + + - {from: riot.auro.re, to: "10.128.0.150:8080"} + - {from: codimd.auro.re, to: "10.128.0.150:8081"} + - {from: grafana.auro.re, to: "10.128.0.150:8082"} + - {from: privatebin.auro.re, to: "10.128.0.150:8083"} + - {from: pad.auro.re, to: "10.128.0.150:8084"} + - {from: cas.auro.re, to: "10.128.0.150:8085"} + + redirect_sites: + - {from: auro.re, to: www.auro.re} roles: - - nginx-reverse-proxy + - certbot + - nginx-reverseproxy From a99261238164755ac197949f3d2872545015ef74 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 9 May 2020 13:03:31 +0200 Subject: [PATCH 199/297] Add certbot challenge DNS-01 key --- group_vars/all/vault.yml | 253 ++++++++++++++++++++------------------- 1 file changed, 130 insertions(+), 123 deletions(-) diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 4d728f7..3a0384d 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml 
@@ -1,124 +1,131 @@ $ANSIBLE_VAULT;1.1;AES256 -62336464303865306137613162653332366434323836343734363565306537666430353664663335 -6135646632336436383038666436313536306236336535620a666366353761356232333366643339 -38323938366431343563666134663533626431366661333864623461663435313636303732366564 -3038343434366662660a323330643133376264616166653963643434666436666638363830376536 -37383065633161666139613930383062346464303030636561656230646537383663623665663339 -64633931303536383033643535366164363661363062313333643939383736663634616436336230 -37313863353731373064643436653535383736396665666565666365636232626639323339636633 -31346130373762343237333335383935393238663265303864343333613865386637316562313534 -65623064393864653635313130646432623964663065373139646461623836333538616238626234 -66373839363636313765366235363231306262636561636163623839643032613839343338613538 -32386236343135376633636436363439653530653330333930316530363132653765623737316138 -31363938636165333639646233323763383162623933316231646638376535643434656338643561 -33336164336365323736373835613335623238373637663936386364313966376163326539633766 -33376638393134643831653066653930643530333861383565346132323739383066656439373262 -64303466393862303535333031386365666164373136356562393137393039306632646262623533 -62656133336230353833623363636663353937616262393337656230623361386637643232306233 -39646439626265653463326164396537666664326364373734303337306263303164343034633331 -34393166386264656133396432356539653166616134636536313062643662656364366135653237 -38326463656637343163373835633732616634653039646633366637346231393063643030396165 -38646463363262656631623438323838396631656362306438313132633866306639626133336337 -61623161636630666532346166383135393336343265323536666535343237323364366137386337 -64636339653663356439633731313966363035656433633463363331323636376337313137643932 -34343438363030653939376566313265393330323561373131663562333138623139353136356166 
-39343962356563666663613532363434663037373434613337393635656230633230653031373437 -61653238353438373062363133623065633465363938333438626666393463333965323130393939 -36653930336564306162616537313031616238333830386332386136366534656338333934333664 -31633266386530643431643036353966313866333763633233363737303034393364323961643464 -66386230386435613436316133613134646532616633353830396565373562303230653531363537 -30396135373631343938366439373466656538613562623361623164333235643137656432396234 -65306236653139656138393032363732323239353965326538323365656261373834343434616137 -35656235623566663931303533643331623636643636623461386635623337393933666663663136 -31306537333730336636636632333432363336313766303966326663356635396264663231303839 -39333136653531333466333830313065636564323133393731633064633232656631343461393232 -32636530303730396532336664653532646132386432656463323235626531633163643165333938 -31383938333362323631376535383336366635343032353336303138313433316133663863633061 -30386638386539643262623364626139613035363531393865373237343935633630303538303361 -39643662623438306565653539316364343530303165633262653839363031633632633637313964 -36613934653835353739346637623635666130343166306561396266636335363137366631623263 -33343036653139313734613238333261653762353239366239383535636532346365646565613663 -34663563623362616631323266323237323839633834303264663163313866333761633461333731 -35303434333838323432653064633066613237346339653336643466326338353262396261346131 -34383530643638636332626337346636306232393261633637303965383534616662353435653136 -31383636636436353636333635373631386364656534613666323062373763626232393232303364 -62363439356232303337303165386630336130313235393037353063343236396433333263356437 -61656538613361613761633134626462353561663037313733386634343935316237303939636130 -35613662346332646432613431353062323766663765306236363362343163616238346266363434 -61393566616166663833306431616335353962323835386263623932393733313436376562313463 
-34656633393931633131386432313531396266356234623262306661643736393637343237396636 -63353436633435306138613330636637666435333339396230376231616534373662376535366235 -65613366663261386165656134653737363035633130663966663630613235383161613035343636 -62313833623734383366643433363966623465386333343939303732623234383766343839633532 -30326133323564323237316530613964616538376537353434316539393739616437346639643835 -39663532363963393562383764303565306639666632336236616130343239353332633262373138 -35383663613461343138653762383337373739623637306365353362623038313266306631613132 -36366435363165666463343330326466623932653337663735326137323034656534653536636230 -38623631366464393337383261313065373561616463666164626161363863616139666365303431 -32306361666432653231663065383734393035323465353434326563366365363463313436613561 -36383165346664636165643239653131646334393638333365656662346432373033343132373437 -65363930623332336137393539313136663035666335386231666431383839306135303832633835 -65633266346238343935666534626261333635663233626230393361663137666530623466363230 -64613431616164393133396131333131356339343336373066313931646263353563623436383837 -31343961393431653336633037643862303932326637333339393430383961326664643537353436 -65633833653064623034613637656666353939323464303238393638393264343062373538326266 -33356561353261343037306239333938363861643133376538366230343162363762653864366362 -62666334376330303765383465623835663064346164363436326234613733366365393939323831 -61613834346363303136333264306465313565303830663436636661333733376632633864666233 -38633131306664316537346264663966613535393438313136323338333762613035323563616664 -39663334306261363136313132646362383766313561626237646334333935343466636465656132 -30353533666531613062393661303131346235323766643132653039393839616563316165313637 -36646234633465366535663765303830396231636662633634383538306362613666356666333163 -35373533633762653639333439633665333033626362366261663566633864343737363762663962 
-34326432626162353639383164636261613031346439623736316261636139353939613030363661 -34346232383464656266383532666661356133623835613431373631396231343430396363343838 -39616365303730393631656233336635653132626161656538393931666239636538393961633035 -62336464633565636564636235626639386232393535343738363965633763393737313732396238 -34626131336463343333326336633163303862366164363132323339393035323132343833303436 -35653566333334343332303731326339633330636437653839366264363566376139316261383731 -39323231346138373032333762396530383139623532336466353833613731393032303664636132 -64306533356438336634643961306164336463643062343137393036396430323464666235343637 -37386338353930663166663234646535663366666132663561383731623937663433383239326231 -37306434303137643431383938353434666632373132656431663563303864376339373430653839 -61333032343666386430386639326632383637366637363961656463353835353664393164613333 -30383061656633376239633838303637316432633637633638643162633861396263646363626632 -65353935626362363332336262313834356461393933636432666532623433346663656666376563 -39666434343836366133316234333039313239306135303935323735336236396365383564386663 -39626239396630363435316138363230336265613162323831323362376362643639363935626237 -39663265666533626430663135303932386365626565636665373030373963373465613964653331 -63333637366464376239363262313338663331306634323732333636653464396165376639613863 -35343133393265363335353263313664613864343765633061383233323839653030313366613237 -66376134396362663332333038303333313064393161333066623739363138316435643439656638 -32366130326133653462623437633439386338333630626334656437653530633565393565643936 -37363233396263633339353331633633356661363961663762306364323765303261343063363130 -62616566623665623435636333333935613734373233376335313139633062353230613739663665 -34333930353164396261303433653966336435333463313837613464643961393737366638326538 -61376233633431346331366532336366626530626666373932383932643235343433353764616161 
-30396136363838626136363430383537343439636261636636373236353565353932626364663834 -64363963393739373166343365303036353035336333323665373633623863363861383832633539 -36636136383133353839326362333065613232343235366365663733623838643033393862326236 -33373665313339643737646138663233346365663061386266383336633134306562313664326238 -35306565343039313063663634393762383836393034333639306533333534656165636436666466 -33303235376132393164626532636563653939613635396139366133383337666237646330306264 -32633738653663386235373061356661353236613838366663373233373034363337366339353836 -39353931623039646662313966383061343631373362616264346564383239303865633830323034 -39633564393537346334633637333030356134353464616333323330643731336139653630356137 -33383938383135373138616564366236653536386366636436656563346663663964343664336536 -31386362333762353237663334323464663335633838353038636164656135633562643036343833 -37623435623437393363613639326166386666646464376131666432346164386265303366333165 -34333339323635663430643931616335646532303330646532643339316435643636643262363032 -31363333636631373036383465623138316537343135383763613138393130383733343333363334 -31636461346432346434633431663036343564313837343034633762356236623332656166373634 -35323365363333633837346434653339373531653135643132613062613366613263356536666237 -38313231396239316665666230653035633763633766326364376231366634383434633731393564 -39346436363239633738626631636339613165333439316566646464356632326131383337306430 -35363135376562373064646638373238623335623165316231323531336132346137356166313638 -66656535336666313162666434336130383162393764653931633763626630316532383330393563 -38646236313737303364656230653664623334643033373364616334343534346235666137336136 -32306630373865376631366363633434313135313063626161303635646137383561373634356430 -35626238346263313566653434326236666435396238386533383964633131353534636135326362 -35383464653336306438656430343436366236313466356531326132316263363463353730363930 
-63653435343764363939303762353132333366353832303531343637323235313437316530336638 -65343033353363326336633735623538663930663838613533393132303161633033386432643931 -65656361343462663435376337353633336437303736613463633162366131623363626166636134 -353533336133303463356663323736326332 +62643234636139616164363265623661393962383934663430373065643835383031613064303530 +6533656530383930313836353935613664333034396261300a613962326430396232343934313266 +63323562633736396139376535633666353534343037396465343635363566666533343061376566 +6436383361303830650a383834323864323863373237303931636332623835633632353864396564 +62633234313833633936626261326334316664623239343762613133623534353730343161333439 +34656438643530393330343363623330383034373966383037333931366431656136613365656339 +62663237653538623366653333366363306331616363313035316134376164303565613332393732 +62373239353236393461393636323134393662313037633564643932333963373562396564306661 +65656639333336326331653861656531383039346631373665376562366339336532623837363038 +66326635346634343536643861343766303464346639643838623331623066393031643462346238 +33336465386338633665633437303831333238626234356434336535313266643637383863653137 +37333432353138366338316333643634643337313135646638356262636435356638336162393234 +33643630336534303132333332643938616334363761353163633063636561623066663666623065 +65626338323762656262663939336362613265376362626633633732356135663136616365666534 +31323836396232613233326665666434396532663864623262623639663235333262633637326463 +63316539616539666665333231656630313734386432616531323266393031343734363730306663 +37663666343032383338373462333136626361333535663663643261623063323933366334343235 +35356230653863306135316335346631666639383063316662656464643932323665356131666239 +32396463613866336565323430333062323432333932623462663765393262656266623238363530 +62343736633436376136663363623065386233623830346338333933356461383631623939666561 
+61336435356535633731383963323731633132366333373263323539363763376633663835633730 +35306332303532326464353562306266383233623264313863653063303831636133313639656135 +65303731613734343434386262363336376561383637323434626334646533636539356233356131 +36356434343264623836333962376138363931666636393665356435643366633331353634383165 +33303738363463333836623531313836643464363131653038316530643165343739343636653136 +64373737656633343431366337346533373163643234303861653234656565636261633430303230 +36376466343265306365653937623830376334316664306135363330623431666537616538636562 +65643763643230666263306464346635613866616662633134383836356535326237663862633764 +61336235333866663236313637626661653939373338393765393762363934623962346564623865 +33663939623565366137393030313835376435393939633236373566313439663164616138666434 +32653330656163356438633965393338376461333139663239623338613461333738616337343836 +32616235306334333065643831383666336236346665343835356632383231643238666431383463 +64396132313465653065653237303432653165366464643232323733613164636132623661363439 +31613030333036366362623563306539376137653065383635353361653565356232623730393436 +61346163336464646530343566353161653032313038653933366537633461313438396466333030 +37313531313066613134353965323861396262383038616265303537383364383261653534323031 +30643537323635373762366463303339376661313930393732616232386535313665393231643061 +34623064346332663963366438303162363265626132666563616562633666353161656165383265 +61653538313630363337396461373635633432326566613235633761393230383937373937316333 +31363538343930343733353135326664326666653239353565653839336564313364336466363839 +30313538333533303765333532303436393935393834386563343239356330643464623036383264 +33386537303865353334613466376636313934353562323436396137303432393833656534643061 +31303435363830376639353461616633393464353833653231626162643563303532643036336563 +38616535383036643732326562653735653063393361613033346630633264303034353932326265 
+39666163633637366662323561393163353538626638653164646331356363653730353163383663 +66656566623361663465326634633537353532343430613362393734393265646539363836323734 +65326364363564633031653030623838386137376131373663383837323038383238663137633865 +66666633626164366437353935323961343766383264326639336465626566323166343665323365 +62323734653162643836303339373161623530396630396432623266393766383833343964626233 +64666163336530393937393361613464363032363533353864633038643935643535306661323636 +64646163396266653234343463653833386235396336623737616432613636336537623034313734 +36613637663261343864393964396435303464393965613133656233633132316662306532376636 +33303334613031663337393163336463373132376135363639343462386132356562663435633036 +62313536653966323431643330643866356666316638656666666330623763323466303639623733 +66373835393931393735616434393031323962663831313032383631666235363664386532373531 +63626662333937613739336437353937316536313437643234373230396538663238613233623534 +39653563336562643365366231663338353032366662306339343461386335346634326234643135 +38383334333937353236636234376163663336383262343561376639633365613966653665343363 +62313434346131656366393739353039306162366531633938623034613934386566386461326130 +35616635323933336237323265633135356434326462613034386530316134366662623465336133 +31373831303862363965376266656161393637383236396265653237303437346335313537643139 +64343862663964626639646630636635643535363232643039636633656565333630626136316638 +39666166366638623235336638333838633963353362633964653334656164333034643437616532 +64613963326236643764623734363233383865613038373436643432333131336164376264613833 +34316332393637383238323730646639613439353136393563303331656561663835653164326333 +38373266623466636461636434343261636362623338663831626133313166396261363331663231 +33623534303662323839363965316436393034663865353230613236323164663339326130383037 +31333165393666393739636462383061353637303961333833636666383030353265373333613236 
+35616164653565303537663639386638326163323364346266623530343433346563326637356130 +30353231326633386262326333363731303639316633366631623235636461666366306137613531 +61386238646265363962643931303161633635633066613164656265383264306662616339316361 +33393835333230663164343565383566396633346532346366333334386262343030376631346639 +30623461633539656462353433666532306432393134663835626330313939393463303136323932 +34656134663033343231343431333762653866626431343262396362653566663335653762316333 +31646264316163616136643635313134616139646436343066633862353334353832366632643563 +62366537336562316363363762323234353437623762356665366338373765353462373464316333 +33303834393933396662316437663863373534653763363133653366613063643766323437353166 +66323164306366323766643061613638306661636236306461346466386232626131393966366133 +32303865633432643836613865623436373361343039306437353839383264336666663466393066 +35396434326262303334643533386534323034643530376632333435626639623939336439356335 +30363739373339646664613837653961333162643661306664663862663436613366663431363130 +32666562343237303932616563643361643235393630376232623164353537376330383161316530 +34623936363663373163323061326337373965373438333461386562373339363538633234663838 +65393964313630316238633961353532383938613063656661333535396130656233383363313164 +33643266366662366265313334663731363661656166303562643635663666663231623238326232 +65333934346335613333303163316531653731646133383164393530366232633064333636663162 +33306466663534386533643132366433343632386263643631336432393263303038326535653836 +30303538656534626233323437623264646164613134343736353737383835646237396235646166 +31336236306632356263353331356164393931343432633131366331373732386230343130393631 +38623663303232396564336236313163343538613463313938393362623164336663396364663565 +31613866313465326236346664376630383933303032666363346630336432636236666137333235 +38326433346566616465356531666537313662623530373637386134306465383336393432383536 
+38306432356639613765393738643830396631666463636334363134346638653532316231643166 +61343432386236626266616438396235343965366636396163646432373737393561346430633662 +38333664393732616231636163303462613033646530333661373166653666316461313965333732 +31653537316637633831646137636461636336363763316433306430333064646662623330323035 +34303135396666646333333039363937636664336331633465343737663261336237316335326630 +32333038303537306134613033663135343032643530363631663736626634663734343461646330 +32336334323037303761336663386433643130353737363432363564353730643261323331643037 +63343063646461626335646239616332396464613964373838653339336462653738373636366139 +63666335396265333535653861613033656235623162663965336465646131643039313661666133 +64316164313834623664633231333931333133383465353934306637323564373630373734643636 +65346463343439393230653462353430656361633331316135303433623730306164373834663664 +36613766623162633165613339343739643239633263613064366334376431363933336433363461 +30663436366562396464336661616633396362333630383839386561363736663736376262366330 +38303864363734383431383266323934393236346664663864653830313935633030316265626436 +33613432346332393532303332383866663961653236643739333839633134663237366231386162 +32656337333866653737626432396231373465343362323261353535633266623039366432643665 +64353734313864336461366432653832636164623537663435333361393834396364313039643134 +33663561313662313238656230366338306562656538643437633630353931646136356532623638 +64636663386637313061366564303436316436363237636236336535363561346435333361613061 +30393766346362346631343464633230646235646430323833396561303035396136633662323466 +39303164383234323734326530613733376230666330383365326233353062316535323764396462 +62643865383165356630356265663832383666373936313931333030656433316165323338653933 +38666637633064383461323832326466643433636163663735666538386336356463363831623265 +30353435393532653338613265376535323162633431363561393064633665396134393765656138 
+63386565666133353462613235356137393933363938343562303037646434633262336163323062 +63313139643363373933323764663165666134636334346637376664383234386633333235646638 +33656539363138323536313635616263333635306435353231316664393937366631353937313030 +62363639383762646138653165383438343038393264646161616430663533613934383062623938 +31663666313536633064626366323665376661393531353666313464386332656562643262643661 +32343532623533313337323938353265646137353630643962366230326262323035326466353866 +64313939643935316433396233306136663864303030653536356335303933613561306139346262 +65376338393762653335643935363234373835373736666164393064386364303664633130353436 +66646536373333386133643432366266346366663263303534366361383839396431343563303866 +61656665653533353539396465343166336134333136613862333631353261346431633132373162 +61653366393663343234386465383064323031333430316266626230643866653064303636323636 +33656563323363353965653832363834323235323635373232373863326431386532326337333664 +33383361343738386530386165633933316130633836333934346532383532613964303237303536 +6631613735336162333231333662653234396437366331653036 From ba3aec348f834f1283f0b7889f1d3c7b9c4da97c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 9 May 2020 16:07:04 +0200 Subject: [PATCH 200/297] keepalived: deploy to fleming w/ proper password --- group_vars/all/vars.yml | 2 + group_vars/all/vault.yml | 268 +++++++++++++------------ group_vars/edc/main.yml | 1 + group_vars/fleming/main.yml | 2 +- network.yml | 2 +- roles/router/templates/keepalived.conf | 2 +- 6 files changed, 144 insertions(+), 133 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 6a0b66b..3b18f8e 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -51,3 +51,5 @@ backup_dns_servers: mtu: 1400 + +keepalived_password: "{{ vault_keepalived_password[apartment_block] }}" diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 3a0384d..8767c07 100644 
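Review bot: `keepalived_password` indexes the vault mapping with `apartment_block` and has no fallback, so a host whose group does not set `apartment_block`, or whose value is not a key of `vault_keepalived_password`, fails only at the moment the router template is rendered. Because the variable lives in `group_vars/all` it is presumably evaluated lazily, so hosts that never render keepalived configuration are unaffected, but that contract is not written down. A comment above the line, `# Per-block VRRP password: every router group must set apartment_block to a key of vault_keepalived_password`, would make the dependency explicit to whoever adds the next group.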
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,131 +1,139 @@ $ANSIBLE_VAULT;1.1;AES256 -62643234636139616164363265623661393962383934663430373065643835383031613064303530 -6533656530383930313836353935613664333034396261300a613962326430396232343934313266 -63323562633736396139376535633666353534343037396465343635363566666533343061376566 -6436383361303830650a383834323864323863373237303931636332623835633632353864396564 -62633234313833633936626261326334316664623239343762613133623534353730343161333439 -34656438643530393330343363623330383034373966383037333931366431656136613365656339 -62663237653538623366653333366363306331616363313035316134376164303565613332393732 -62373239353236393461393636323134393662313037633564643932333963373562396564306661 -65656639333336326331653861656531383039346631373665376562366339336532623837363038 -66326635346634343536643861343766303464346639643838623331623066393031643462346238 -33336465386338633665633437303831333238626234356434336535313266643637383863653137 -37333432353138366338316333643634643337313135646638356262636435356638336162393234 -33643630336534303132333332643938616334363761353163633063636561623066663666623065 -65626338323762656262663939336362613265376362626633633732356135663136616365666534 -31323836396232613233326665666434396532663864623262623639663235333262633637326463 -63316539616539666665333231656630313734386432616531323266393031343734363730306663 -37663666343032383338373462333136626361333535663663643261623063323933366334343235 -35356230653863306135316335346631666639383063316662656464643932323665356131666239 -32396463613866336565323430333062323432333932623462663765393262656266623238363530 -62343736633436376136663363623065386233623830346338333933356461383631623939666561 -61336435356535633731383963323731633132366333373263323539363763376633663835633730 -35306332303532326464353562306266383233623264313863653063303831636133313639656135 -65303731613734343434386262363336376561383637323434626334646533636539356233356131 
-36356434343264623836333962376138363931666636393665356435643366633331353634383165 -33303738363463333836623531313836643464363131653038316530643165343739343636653136 -64373737656633343431366337346533373163643234303861653234656565636261633430303230 -36376466343265306365653937623830376334316664306135363330623431666537616538636562 -65643763643230666263306464346635613866616662633134383836356535326237663862633764 -61336235333866663236313637626661653939373338393765393762363934623962346564623865 -33663939623565366137393030313835376435393939633236373566313439663164616138666434 -32653330656163356438633965393338376461333139663239623338613461333738616337343836 -32616235306334333065643831383666336236346665343835356632383231643238666431383463 -64396132313465653065653237303432653165366464643232323733613164636132623661363439 -31613030333036366362623563306539376137653065383635353361653565356232623730393436 -61346163336464646530343566353161653032313038653933366537633461313438396466333030 -37313531313066613134353965323861396262383038616265303537383364383261653534323031 -30643537323635373762366463303339376661313930393732616232386535313665393231643061 -34623064346332663963366438303162363265626132666563616562633666353161656165383265 -61653538313630363337396461373635633432326566613235633761393230383937373937316333 -31363538343930343733353135326664326666653239353565653839336564313364336466363839 -30313538333533303765333532303436393935393834386563343239356330643464623036383264 -33386537303865353334613466376636313934353562323436396137303432393833656534643061 -31303435363830376639353461616633393464353833653231626162643563303532643036336563 -38616535383036643732326562653735653063393361613033346630633264303034353932326265 -39666163633637366662323561393163353538626638653164646331356363653730353163383663 -66656566623361663465326634633537353532343430613362393734393265646539363836323734 -65326364363564633031653030623838386137376131373663383837323038383238663137633865 
-66666633626164366437353935323961343766383264326639336465626566323166343665323365 -62323734653162643836303339373161623530396630396432623266393766383833343964626233 -64666163336530393937393361613464363032363533353864633038643935643535306661323636 -64646163396266653234343463653833386235396336623737616432613636336537623034313734 -36613637663261343864393964396435303464393965613133656233633132316662306532376636 -33303334613031663337393163336463373132376135363639343462386132356562663435633036 -62313536653966323431643330643866356666316638656666666330623763323466303639623733 -66373835393931393735616434393031323962663831313032383631666235363664386532373531 -63626662333937613739336437353937316536313437643234373230396538663238613233623534 -39653563336562643365366231663338353032366662306339343461386335346634326234643135 -38383334333937353236636234376163663336383262343561376639633365613966653665343363 -62313434346131656366393739353039306162366531633938623034613934386566386461326130 -35616635323933336237323265633135356434326462613034386530316134366662623465336133 -31373831303862363965376266656161393637383236396265653237303437346335313537643139 -64343862663964626639646630636635643535363232643039636633656565333630626136316638 -39666166366638623235336638333838633963353362633964653334656164333034643437616532 -64613963326236643764623734363233383865613038373436643432333131336164376264613833 -34316332393637383238323730646639613439353136393563303331656561663835653164326333 -38373266623466636461636434343261636362623338663831626133313166396261363331663231 -33623534303662323839363965316436393034663865353230613236323164663339326130383037 -31333165393666393739636462383061353637303961333833636666383030353265373333613236 -35616164653565303537663639386638326163323364346266623530343433346563326637356130 -30353231326633386262326333363731303639316633366631623235636461666366306137613531 -61386238646265363962643931303161633635633066613164656265383264306662616339316361 
-33393835333230663164343565383566396633346532346366333334386262343030376631346639 -30623461633539656462353433666532306432393134663835626330313939393463303136323932 -34656134663033343231343431333762653866626431343262396362653566663335653762316333 -31646264316163616136643635313134616139646436343066633862353334353832366632643563 -62366537336562316363363762323234353437623762356665366338373765353462373464316333 -33303834393933396662316437663863373534653763363133653366613063643766323437353166 -66323164306366323766643061613638306661636236306461346466386232626131393966366133 -32303865633432643836613865623436373361343039306437353839383264336666663466393066 -35396434326262303334643533386534323034643530376632333435626639623939336439356335 -30363739373339646664613837653961333162643661306664663862663436613366663431363130 -32666562343237303932616563643361643235393630376232623164353537376330383161316530 -34623936363663373163323061326337373965373438333461386562373339363538633234663838 -65393964313630316238633961353532383938613063656661333535396130656233383363313164 -33643266366662366265313334663731363661656166303562643635663666663231623238326232 -65333934346335613333303163316531653731646133383164393530366232633064333636663162 -33306466663534386533643132366433343632386263643631336432393263303038326535653836 -30303538656534626233323437623264646164613134343736353737383835646237396235646166 -31336236306632356263353331356164393931343432633131366331373732386230343130393631 -38623663303232396564336236313163343538613463313938393362623164336663396364663565 -31613866313465326236346664376630383933303032666363346630336432636236666137333235 -38326433346566616465356531666537313662623530373637386134306465383336393432383536 -38306432356639613765393738643830396631666463636334363134346638653532316231643166 -61343432386236626266616438396235343965366636396163646432373737393561346430633662 -38333664393732616231636163303462613033646530333661373166653666316461313965333732 
-31653537316637633831646137636461636336363763316433306430333064646662623330323035 -34303135396666646333333039363937636664336331633465343737663261336237316335326630 -32333038303537306134613033663135343032643530363631663736626634663734343461646330 -32336334323037303761336663386433643130353737363432363564353730643261323331643037 -63343063646461626335646239616332396464613964373838653339336462653738373636366139 -63666335396265333535653861613033656235623162663965336465646131643039313661666133 -64316164313834623664633231333931333133383465353934306637323564373630373734643636 -65346463343439393230653462353430656361633331316135303433623730306164373834663664 -36613766623162633165613339343739643239633263613064366334376431363933336433363461 -30663436366562396464336661616633396362333630383839386561363736663736376262366330 -38303864363734383431383266323934393236346664663864653830313935633030316265626436 -33613432346332393532303332383866663961653236643739333839633134663237366231386162 -32656337333866653737626432396231373465343362323261353535633266623039366432643665 -64353734313864336461366432653832636164623537663435333361393834396364313039643134 -33663561313662313238656230366338306562656538643437633630353931646136356532623638 -64636663386637313061366564303436316436363237636236336535363561346435333361613061 -30393766346362346631343464633230646235646430323833396561303035396136633662323466 -39303164383234323734326530613733376230666330383365326233353062316535323764396462 -62643865383165356630356265663832383666373936313931333030656433316165323338653933 -38666637633064383461323832326466643433636163663735666538386336356463363831623265 -30353435393532653338613265376535323162633431363561393064633665396134393765656138 -63386565666133353462613235356137393933363938343562303037646434633262336163323062 -63313139643363373933323764663165666134636334346637376664383234386633333235646638 -33656539363138323536313635616263333635306435353231316664393937366631353937313030 
-62363639383762646138653165383438343038393264646161616430663533613934383062623938 -31663666313536633064626366323665376661393531353666313464386332656562643262643661 -32343532623533313337323938353265646137353630643962366230326262323035326466353866 -64313939643935316433396233306136663864303030653536356335303933613561306139346262 -65376338393762653335643935363234373835373736666164393064386364303664633130353436 -66646536373333386133643432366266346366663263303534366361383839396431343563303866 -61656665653533353539396465343166336134333136613862333631353261346431633132373162 -61653366393663343234386465383064323031333430316266626230643866653064303636323636 -33656563323363353965653832363834323235323635373232373863326431386532326337333664 -33383361343738386530386165633933316130633836333934346532383532613964303237303536 -6631613735336162333231333662653234396437366331653036 +37633237643762656366393132393038636634373839633762363931353431633834663235356136 +6534646138363864353633323363313032333262383630370a303839306464396439666133383961 +32333933633933373932313535663464393066303836396136393433623966373565396636356633 +6265323735376234310a383263346434333333366262363538383265626363663338326133396634 +61386365363663313061303038313862363363356261326366356363316236643236386566333962 +66663864613866313932666362396235373965343833326531653931643061386662393162363763 +35363439636630366337343638393964636235303934666333313330656663353163663561353263 +35653631323835613463366339306663343933393138663032363265336361613162633538346566 +66643436363130366630396539303463366537323465656663333138373039313434313063663633 +34343438363663376530623334353832373564316364613039306133643335386534656565646663 +35303330623137343430613331326530333531303362343433633534316565306462623663653439 +32623834386663623232363237373461366165303039353362656431633463623830643734396236 +30303731343632313066376631373065323730623839333535636662326136356537333837653335 
+30633530633733356335393661343265646637393564653535643265626335613134323430356565 +65643933363137646638393530316463396339333461633063633765343938333966313835656137 +36346366386333643631353630343533343839376263366631346566306563366431666434356236 +37376536666638336230303630393364363936616666366561336262393833366538653132363361 +63333161343839383163313566653832386134663430623338636230663736333064306636643138 +63656533343634643737633234373134656665663964333464373264633763346664376139333530 +31633639346538353439623964653661633863373733353837356231373832643831313138643263 +66316461363666363635636361343835346533393431643132653537323535343163363639396335 +38373762613961336530313963653437643032343032626536633638646137646439346362336564 +61353463306238643062623532616539646239313761356434653965343165376134326437623539 +33313164656262386436653537366436333563613731323262323932323839623338303236363935 +35396265656161663339653538383735616264633931326633636264323434623030626434626361 +65393766383434353463636534353332636338353332306237363338373566383636306366613838 +33363639316330346237663031616330366130306231663634353266373735343434626136353730 +61366166333761323535323435336461646461366632353233303639656639313434393133616564 +35616436393863356266303138373765323037663764383731373362373234353866383139613264 +37303138666337303461313065353866313864353834383336613031623866313338376533656265 +33393138363536613930396631666439336535636336633837623739326166363139343434353662 +66613761396266363030333537626637633365653339356534616266353338633163326633333262 +36323962653863663738613536663838613037356662643866363033383963363465663830353361 +61356464656562373036303834336639643937363134396437356130326634336230323562666136 +35616532626235363737633938363362373430643935333133386539326530333061396463333234 +65356663323463303136643035666138636366363961356165653930396534663038613435383731 +31306638303837646464333164353832626637313537653430313465303061353266373563663261 
+63393031336362313935393963303431366666366535333238326334373563343634646238373164 +30333132656230326436306131313264653639343531313333303535346433356533383664666239 +61666666373135306536356439643531343031623134303335383132383330646437663135376232 +35623366323630323762633730303330353839356332653435363962383738346636633632346235 +37343336386361653033626638393939383763323065663135653530613461653438653762626466 +35383139363435393863333032393963303638303936616534373639646564363930653539643937 +35653566353262303266303966313062306438653665353464653465373761343135656433666132 +32623438336330306363623666336133656563653837363766316465386138373234656631333338 +62663866363632643236656530656266653033396438636431653361646538623336626563316638 +30323532356634356538653534643535306135393037323632666538393734653063653234396638 +39623363323233333738336364383663653461356362363334343365343432643531376633323061 +65623530376438646564633236393738333635396230666234363062663839366263373431666637 +30616261313830383962633034376136336432623333663164396335613932656135613830653366 +33633464356366653837386432613037376532373264633737363263613835376536633530663735 +63336636613937623435303830663231353364313435363366666332623339303934643830363835 +38363666633435323732646265343630646531326333653838366531663037383665636632333539 +38613235656566326666363566356130616335643361623262353934646630326430373733386132 +64366165306664383337353837653363313661616463346132333536613232313761666235643663 +36383764336435316138383161353666383530633039373935613665316130353665393334666633 +66363339393266376364306137303335376231396264643231396361366663383335623737636263 +34333464396434343263383938376433393963646337363665623364343065323638666663353462 +31633134326566303930383831366364616365663363666564666532393561303231383063353665 +32333862313531316135363034653137636265653530373761366239366136346236353238323331 +38393834666139666331343166623261393264373330326264636363346564313333316564396530 
+37656635666239323439373239396635366661326139623031626130643834663834383765303630 +65646661653030613237663137643639366337313261356231323536346632633961613333336236 +35343033616536306430383533656232343635666234653331373638306264353733663064626137 +63396235653830326438623131316663376266373738383130383536383637343035386532373739 +33323333663164613437323637323333643864353630623361363631386166353737313835643937 +30336234363639666635633931383238646532313864326439656662636432646563316563313337 +33313432333636343161306139323565653434333663613639373834316432643438373936636461 +38616263313335333339346239613464373336616337323766643337633936653031346462353932 +64303865363164663533343464663838313364316664346539623961656630333464633236333135 +33643966343234666138363930363436373433643730616134653361363738316662373136303562 +63646662643132353236643161626331343636623164376532353734363861663865666262376232 +32323533383435386464376134643066653533366430626662343238633432326363393061643466 +38343265626366656638386634636637346366316430636530646334303938653062376236366462 +61346436303032363933366137663863353638363564643231353030303264336132653332623164 +65316165316435326631313763616530656265333735613039343939333134663234633732316265 +36303133303639383738636365393935323562343135633232366637303935663166303335643539 +37353030323466633834363137353233663433623831336161323365376330323839666263306135 +30313762663537393936626361623031623961313932656666313062303462613331643463313863 +61333834313633356233306565366136643832626639663138353865316134653462663331653431 +32336237353663303231346137366239366362313863386131363139346661363331336235336132 +36393636353362616263663830363239643261303334626138353233666338633062646239396363 +34643763663031613365303561376462646262386534386536666532343361366136623132393035 +35383561653864326230316436393334306133353937633363313365336564393234633334383232 +36626133626130326663646162363238316461373034646634346135353337343737393936373438 
+33373931383638376632626633626666396536386237376331646131633566613464663762663933 +36313964393461323839366562313537373533366561396130313731623831313638303664333634 +39313364663432313130376163306166363162623163636437633934346662383337396164363239 +37643536363531653236396539306663303265373537376334656635303162383239303262316431 +33313433663038306666383738313630366235323936656562376338366332653366363665623936 +39356237303563623634666335616436376638373464333338643666376563353033356562366566 +38303333306430386539306664666234633433383935396635396534646465336438616431653438 +62616465343161376464663065343930646435643137376331323637363566613736333664643936 +65323363323565343761613865316432643537323661633732326230626435646363613635313161 +31303836336234663834633137343533653438386362623236333864663563646365653036626561 +32333261383435363763656238303438363035656538383037643339353131636162303762363039 +37363864653665313861663235353963383938353065306561313536646562396430636363623132 +36646562663436343331656236383031363764336638323263646562663634343932303431376465 +34336636613836386238373764343030363163366232356536313966643938316533353338323464 +61353033396334633536373834613735396665383861313064626239336439376166633066636664 +37306235386632343835666264653165656164373031653337333533656531353936396339613066 +63366131356131313736613762626235656565373537646566313438393833643234666238383330 +66313038386566356632613833623734616233343732333431316666376636386262666336323936 +38636134353261666666623466313330303834646362336134656163313766376432636437623237 +32376264363361613163306439623965363763356161363030363262386565386438646564613533 +33356331333137663935326338313336653233303235353339363164666639623234613165616166 +35656235356634653638646134356230646236656264333134656138323662623363363565343035 +30326563313566346335393738623237316431326538363434353436356139653965663762613437 +39346232333938303065393561303134626333393666306134326636353430353736383739643539 
+63373063316633383765663236366235353035656639326638346661313136613530666461633764 +33646262393733316263633064396139656661343634326336653932373335306331303938633935 +31623661633231633265656166363662396133666231623230393761313966353932326135396134 +34663636353535623963666463386431376166633130343834393934323461303934363066386565 +37386563396335363430383135656437316635623764386631333665646563373735666333613633 +32303430663066336334383533643434326566343861323932326131313032316636643135363166 +66386361623266616536363365663131326537333762373538653238646334303138333636326530 +32643833333331633435646331363764633835666537356665663130656138613661383762323630 +39366531333964656633313130373733373631313936663961386162333564343866616238383863 +63326134336534346233316134643136393564363431373563323233393938653063383131303561 +39383733306566646563363137373662653935623366666363383837373031613036306637313330 +31366434303432373432646333326462336133343762393730346534633934363565323766363234 +66653836663832316632613436313030393161303031363932353562623437336335393463643335 +63636435323034373637323235663665346166346235356662626465383538616166653138653933 +65633065613938623234363362336332376366336236313731656462643531366634663664333939 +39313730313365363332613532623762303330386632303136383961616438616237386432653234 +32636463303235323930306463316234343262393363383430373961646264643930386131623930 +64613430303236393830666531303430653638363838396464373863383766386365653435366564 +35626462613533323735323537373236666233663935343763623465393039386664333561623363 +66383866326331613136303864333339393134613563613664633039316535636531363339396439 +38653732336139313235333932383337313838653934663563613966633634313538653262393130 +35383866326463636634393062376633316363613338656663323336616538383938646166323333 +39643739663232363631653637306266653939363835366637613261613837313664643731373063 +64613561366663386566656230306139386265633238383230613966376265383136663039356365 
+30383963373663323430633036616164306639306134306632656137663065666364626435613034 +63623534326562336262393036336432653566306234663762633232383365353936646236383430 +62303331343635616131623065353465396534653439303535623165373461343464643734643565 +36356133306434346461616462343139616533386266653932613762303835636663326265323863 +3561656265306635653232343032396139336135373232616637 diff --git a/group_vars/edc/main.yml b/group_vars/edc/main.yml index 54f11bc..fce0f8a 100644 --- a/group_vars/edc/main.yml +++ b/group_vars/edc/main.yml @@ -8,3 +8,4 @@ subnet_ids: users_wifi: 41 router_ip_suffix: 254 + diff --git a/group_vars/fleming/main.yml b/group_vars/fleming/main.yml index 5552c57..1913a87 100644 --- a/group_vars/fleming/main.yml +++ b/group_vars/fleming/main.yml @@ -7,4 +7,4 @@ subnet_ids: users_wired: 10 users_wifi: 11 -router_ip_suffix: 240 +router_ip_suffix: 254 diff --git a/network.yml b/network.yml index f3e72af..188cf90 100755 --- a/network.yml +++ b/network.yml @@ -22,7 +22,7 @@ # Déploiement du service re2o aurore-firewall et keepalived -- hosts: ~routeur-(pacaterie|edc).*\.adm\.auro\.re +- hosts: ~routeur-(pacaterie|edc|fleming).*\.adm\.auro\.re roles: - router diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf index ad4a64a..6e51fd9 100644 --- a/roles/router/templates/keepalived.conf +++ b/roles/router/templates/keepalived.conf @@ -30,7 +30,7 @@ vrrp_instance VI_ROUT_{{ apartment_block }} { # Used to authenticate VRRP communication between master and backup. authentication { auth_type PASS - auth_pass pLOP # temporary password; DO NOT USE + auth_pass {{ keepalived_password }} } smtp_alert From 87b2e4f8cfc8734077770e85caba1f454869489e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 9 May 2020 16:15:56 +0200 Subject: [PATCH 201/297] pacaterie: raise MTU to 1500 --- group_vars/edc/main.yml | 1 - group_vars/pacaterie/main.yml | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-) 
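Review bot: `auth_pass {{ keepalived_password }}` is only meaningful for its first eight characters, because keepalived truncates the VRRP PASS secret to 8 bytes, so the per-block value behind `vault_keepalived_password[apartment_block]` should be chosen and compared at that length or two routers whose vault values differ only after the eighth character will still pair. PASS authentication also travels in cleartext inside the VRRP advertisement, so it protects against misconfiguration rather than against a peer on the same segment; the real isolation is which interface the instance is bound to. A comment above the directive, `# keepalived uses only the first 8 characters of auth_pass`, would stop the next editor from picking a longer secret and assuming all of it is used. The `vrrp_instance` block continues outside the hunk.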
diff --git a/group_vars/edc/main.yml b/group_vars/edc/main.yml index fce0f8a..54f11bc 100644 --- a/group_vars/edc/main.yml +++ b/group_vars/edc/main.yml @@ -8,4 +8,3 @@ subnet_ids: users_wifi: 41 router_ip_suffix: 254 - diff --git a/group_vars/pacaterie/main.yml b/group_vars/pacaterie/main.yml index 4a4ca3f..7d6e30c 100644 --- a/group_vars/pacaterie/main.yml +++ b/group_vars/pacaterie/main.yml @@ -8,3 +8,5 @@ subnet_ids: users_wifi: 21 router_ip_suffix: 254 + +mtu: 1500 From 6d00e2733b606554b3c894e8bf1a0de8897066ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 11 May 2020 20:18:23 +0200 Subject: [PATCH 202/297] unbound: fix log rotation Was too frequent, now that we only log SERVFAILs. Rotate according to file size. Fix unbound-control binary path. --- roles/unbound/templates/unbound-logrotate.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/unbound/templates/unbound-logrotate.j2 b/roles/unbound/templates/unbound-logrotate.j2 index d57e83e..35fe72f 100644 --- a/roles/unbound/templates/unbound-logrotate.j2 +++ b/roles/unbound/templates/unbound-logrotate.j2 @@ -1,6 +1,6 @@ /var/log/unbound/*.log { - daily - rotate 30 + size 1G + rotate 4 missingok notifempty compress @@ -8,6 +8,6 @@ sharedscripts create 644 postrotate - /usr/local/sbin/unbound-control log_reopen + /usr/sbin/unbound-control log_reopen endscript } From 835554613187f32b6721089db38b063f09027585 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 14 May 2020 17:50:06 +0200 Subject: [PATCH 203/297] edc: raise DHCP-announced MTU to 1500 --- group_vars/edc/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/edc/main.yml b/group_vars/edc/main.yml index 54f11bc..88e6c2b 100644 --- a/group_vars/edc/main.yml +++ b/group_vars/edc/main.yml @@ -8,3 +8,5 @@ subnet_ids: users_wifi: 41 router_ip_suffix: 254 + +mtu: 1500 From 266b0dde6f13277bb55e3faba627dc6ec0b8b0d9 Mon Sep 17 00:00:00 2001 
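Review bot: `size 1G` is only evaluated when logrotate itself runs, normally once a day from cron or the systemd timer, so on a busy resolver the live file can grow well past 1G between runs and the new rule bounds retained history but not the current log. If the intent is to cap both age and size, keep `daily` and replace `size 1G` with `maxsize 1G`, which rotates on whichever threshold is reached first. A comment on that line, `# rotate daily, or sooner once the file exceeds 1G`, would record the intent for the next reader.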
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 16 May 2020 21:43:23 +0200 Subject: [PATCH 204/297] radius: initial setup --- group_vars/all/vars.yml | 15 +- group_vars/all/vault.yml | 298 ++++++++------- network.yml | 6 + roles/radius/tasks/main.yml | 80 ++++ roles/radius/templates/clients.conf.j2 | 18 + .../templates/freeradius-python3.postinst.j2 | 14 + roles/radius/templates/proxy.conf.j2 | 53 +++ roles/radius/templates/settings_local.py.j2 | 116 ++++++ .../radius/templates/sites-enabled/default.j2 | 239 ++++++++++++ .../templates/sites-enabled/inner-tunnel.j2 | 345 ++++++++++++++++++ 10 files changed, 1045 insertions(+), 139 deletions(-) create mode 100644 roles/radius/tasks/main.yml create mode 100644 roles/radius/templates/clients.conf.j2 create mode 100644 roles/radius/templates/freeradius-python3.postinst.j2 create mode 100644 roles/radius/templates/proxy.conf.j2 create mode 100644 roles/radius/templates/settings_local.py.j2 create mode 100644 roles/radius/templates/sites-enabled/default.j2 create mode 100644 roles/radius/templates/sites-enabled/inner-tunnel.j2 diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 3b18f8e..42f9a7b 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -13,6 +13,7 @@ ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}" ldap_matrix_bind_dn: "cn=matrix,ou=service-users,{{ ldap_base }}" ldap_matrix_password: "{{ vault_ldap_matrix_password }}" ldap_replica_password: "{{ vault_ldap_replica_password }}" +ldap_admin_password: "{{ vault_ldap_admin_password }}" ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}" # Databases 
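Review bot: `ldap_admin_password` is defined in group_vars/all, as are the re2o and RADIUS secrets added in the next hunk, so every host in the inventory can resolve the LDAP admin credential, the re2o secret key and database password, and the RADIUS shared secrets even though only the radius and re2o hosts consume them; Ansible templates variables lazily, so nothing fails elsewhere, but any task or template run on any host can read them. Moving these to group_vars for the groups that actually use them keeps the secrets off hosts that have no need for them. The `[apartment_block]` lookup in `vault_radius_secrets.wired` presumably raises an undefined-variable error when a consuming host lacks `apartment_block`; a short comment, `# per-block secret: requires apartment_block to be set on the host`, would make that dependency visible.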
@@ -49,7 +50,19 @@ dns_host_suffix_backup: 153 backup_dns_servers: - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) - +# Misc mtu: 1400 + +# Keepalived keepalived_password: "{{ vault_keepalived_password[apartment_block] }}" + + +# Re2o config +re2o_secret_key: "{{ vault_re2o_secret_key }}" +re2o_db_password: "{{ vault_re2o_db_password }}" +re2o_aes_key: "{{ vault_re2o_aes_key }}" + +# Radius +radius_secret_wifi: "{{ vault_radius_secrets.wifi }}" +radius_secret_wired: "{{ vault_radius_secrets.wired[apartment_block] }}" diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 8767c07..39aea61 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml 
@@ -1,139 +1,161 @@ $ANSIBLE_VAULT;1.1;AES256 -37633237643762656366393132393038636634373839633762363931353431633834663235356136 -6534646138363864353633323363313032333262383630370a303839306464396439666133383961 -32333933633933373932313535663464393066303836396136393433623966373565396636356633 -6265323735376234310a383263346434333333366262363538383265626363663338326133396634 -61386365363663313061303038313862363363356261326366356363316236643236386566333962 -66663864613866313932666362396235373965343833326531653931643061386662393162363763 -35363439636630366337343638393964636235303934666333313330656663353163663561353263 -35653631323835613463366339306663343933393138663032363265336361613162633538346566 -66643436363130366630396539303463366537323465656663333138373039313434313063663633 -34343438363663376530623334353832373564316364613039306133643335386534656565646663 -35303330623137343430613331326530333531303362343433633534316565306462623663653439 -32623834386663623232363237373461366165303039353362656431633463623830643734396236 -30303731343632313066376631373065323730623839333535636662326136356537333837653335 -30633530633733356335393661343265646637393564653535643265626335613134323430356565 -65643933363137646638393530316463396339333461633063633765343938333966313835656137 -36346366386333643631353630343533343839376263366631346566306563366431666434356236 -37376536666638336230303630393364363936616666366561336262393833366538653132363361 -63333161343839383163313566653832386134663430623338636230663736333064306636643138 -63656533343634643737633234373134656665663964333464373264633763346664376139333530 -31633639346538353439623964653661633863373733353837356231373832643831313138643263 -66316461363666363635636361343835346533393431643132653537323535343163363639396335 -38373762613961336530313963653437643032343032626536633638646137646439346362336564 -61353463306238643062623532616539646239313761356434653965343165376134326437623539 
-33313164656262386436653537366436333563613731323262323932323839623338303236363935 -35396265656161663339653538383735616264633931326633636264323434623030626434626361 -65393766383434353463636534353332636338353332306237363338373566383636306366613838 -33363639316330346237663031616330366130306231663634353266373735343434626136353730 -61366166333761323535323435336461646461366632353233303639656639313434393133616564 -35616436393863356266303138373765323037663764383731373362373234353866383139613264 -37303138666337303461313065353866313864353834383336613031623866313338376533656265 -33393138363536613930396631666439336535636336633837623739326166363139343434353662 -66613761396266363030333537626637633365653339356534616266353338633163326633333262 -36323962653863663738613536663838613037356662643866363033383963363465663830353361 -61356464656562373036303834336639643937363134396437356130326634336230323562666136 -35616532626235363737633938363362373430643935333133386539326530333061396463333234 -65356663323463303136643035666138636366363961356165653930396534663038613435383731 -31306638303837646464333164353832626637313537653430313465303061353266373563663261 -63393031336362313935393963303431366666366535333238326334373563343634646238373164 -30333132656230326436306131313264653639343531313333303535346433356533383664666239 -61666666373135306536356439643531343031623134303335383132383330646437663135376232 -35623366323630323762633730303330353839356332653435363962383738346636633632346235 -37343336386361653033626638393939383763323065663135653530613461653438653762626466 -35383139363435393863333032393963303638303936616534373639646564363930653539643937 -35653566353262303266303966313062306438653665353464653465373761343135656433666132 -32623438336330306363623666336133656563653837363766316465386138373234656631333338 -62663866363632643236656530656266653033396438636431653361646538623336626563316638 -30323532356634356538653534643535306135393037323632666538393734653063653234396638 
-39623363323233333738336364383663653461356362363334343365343432643531376633323061 -65623530376438646564633236393738333635396230666234363062663839366263373431666637 -30616261313830383962633034376136336432623333663164396335613932656135613830653366 -33633464356366653837386432613037376532373264633737363263613835376536633530663735 -63336636613937623435303830663231353364313435363366666332623339303934643830363835 -38363666633435323732646265343630646531326333653838366531663037383665636632333539 -38613235656566326666363566356130616335643361623262353934646630326430373733386132 -64366165306664383337353837653363313661616463346132333536613232313761666235643663 -36383764336435316138383161353666383530633039373935613665316130353665393334666633 -66363339393266376364306137303335376231396264643231396361366663383335623737636263 -34333464396434343263383938376433393963646337363665623364343065323638666663353462 -31633134326566303930383831366364616365663363666564666532393561303231383063353665 -32333862313531316135363034653137636265653530373761366239366136346236353238323331 -38393834666139666331343166623261393264373330326264636363346564313333316564396530 -37656635666239323439373239396635366661326139623031626130643834663834383765303630 -65646661653030613237663137643639366337313261356231323536346632633961613333336236 -35343033616536306430383533656232343635666234653331373638306264353733663064626137 -63396235653830326438623131316663376266373738383130383536383637343035386532373739 -33323333663164613437323637323333643864353630623361363631386166353737313835643937 -30336234363639666635633931383238646532313864326439656662636432646563316563313337 -33313432333636343161306139323565653434333663613639373834316432643438373936636461 -38616263313335333339346239613464373336616337323766643337633936653031346462353932 -64303865363164663533343464663838313364316664346539623961656630333464633236333135 -33643966343234666138363930363436373433643730616134653361363738316662373136303562 
-63646662643132353236643161626331343636623164376532353734363861663865666262376232 -32323533383435386464376134643066653533366430626662343238633432326363393061643466 -38343265626366656638386634636637346366316430636530646334303938653062376236366462 -61346436303032363933366137663863353638363564643231353030303264336132653332623164 -65316165316435326631313763616530656265333735613039343939333134663234633732316265 -36303133303639383738636365393935323562343135633232366637303935663166303335643539 -37353030323466633834363137353233663433623831336161323365376330323839666263306135 -30313762663537393936626361623031623961313932656666313062303462613331643463313863 -61333834313633356233306565366136643832626639663138353865316134653462663331653431 -32336237353663303231346137366239366362313863386131363139346661363331336235336132 -36393636353362616263663830363239643261303334626138353233666338633062646239396363 -34643763663031613365303561376462646262386534386536666532343361366136623132393035 -35383561653864326230316436393334306133353937633363313365336564393234633334383232 -36626133626130326663646162363238316461373034646634346135353337343737393936373438 -33373931383638376632626633626666396536386237376331646131633566613464663762663933 -36313964393461323839366562313537373533366561396130313731623831313638303664333634 -39313364663432313130376163306166363162623163636437633934346662383337396164363239 -37643536363531653236396539306663303265373537376334656635303162383239303262316431 -33313433663038306666383738313630366235323936656562376338366332653366363665623936 -39356237303563623634666335616436376638373464333338643666376563353033356562366566 -38303333306430386539306664666234633433383935396635396534646465336438616431653438 -62616465343161376464663065343930646435643137376331323637363566613736333664643936 -65323363323565343761613865316432643537323661633732326230626435646363613635313161 -31303836336234663834633137343533653438386362623236333864663563646365653036626561 
-32333261383435363763656238303438363035656538383037643339353131636162303762363039 -37363864653665313861663235353963383938353065306561313536646562396430636363623132 -36646562663436343331656236383031363764336638323263646562663634343932303431376465 -34336636613836386238373764343030363163366232356536313966643938316533353338323464 -61353033396334633536373834613735396665383861313064626239336439376166633066636664 -37306235386632343835666264653165656164373031653337333533656531353936396339613066 -63366131356131313736613762626235656565373537646566313438393833643234666238383330 -66313038386566356632613833623734616233343732333431316666376636386262666336323936 -38636134353261666666623466313330303834646362336134656163313766376432636437623237 -32376264363361613163306439623965363763356161363030363262386565386438646564613533 -33356331333137663935326338313336653233303235353339363164666639623234613165616166 -35656235356634653638646134356230646236656264333134656138323662623363363565343035 -30326563313566346335393738623237316431326538363434353436356139653965663762613437 -39346232333938303065393561303134626333393666306134326636353430353736383739643539 -63373063316633383765663236366235353035656639326638346661313136613530666461633764 -33646262393733316263633064396139656661343634326336653932373335306331303938633935 -31623661633231633265656166363662396133666231623230393761313966353932326135396134 -34663636353535623963666463386431376166633130343834393934323461303934363066386565 -37386563396335363430383135656437316635623764386631333665646563373735666333613633 -32303430663066336334383533643434326566343861323932326131313032316636643135363166 -66386361623266616536363365663131326537333762373538653238646334303138333636326530 -32643833333331633435646331363764633835666537356665663130656138613661383762323630 -39366531333964656633313130373733373631313936663961386162333564343866616238383863 -63326134336534346233316134643136393564363431373563323233393938653063383131303561 
-39383733306566646563363137373662653935623366666363383837373031613036306637313330 -31366434303432373432646333326462336133343762393730346534633934363565323766363234 -66653836663832316632613436313030393161303031363932353562623437336335393463643335 -63636435323034373637323235663665346166346235356662626465383538616166653138653933 -65633065613938623234363362336332376366336236313731656462643531366634663664333939 -39313730313365363332613532623762303330386632303136383961616438616237386432653234 -32636463303235323930306463316234343262393363383430373961646264643930386131623930 -64613430303236393830666531303430653638363838396464373863383766386365653435366564 -35626462613533323735323537373236666233663935343763623465393039386664333561623363 -66383866326331613136303864333339393134613563613664633039316535636531363339396439 -38653732336139313235333932383337313838653934663563613966633634313538653262393130 -35383866326463636634393062376633316363613338656663323336616538383938646166323333 -39643739663232363631653637306266653939363835366637613261613837313664643731373063 -64613561366663386566656230306139386265633238383230613966376265383136663039356365 -30383963373663323430633036616164306639306134306632656137663065666364626435613034 -63623534326562336262393036336432653566306234663762633232383365353936646236383430 -62303331343635616131623065353465396534653439303535623165373461343464643734643565 -36356133306434346461616462343139616533386266653932613762303835636663326265323863 -3561656265306635653232343032396139336135373232616637 +33396439643732346636636465616537313231333032616436323166633235663131343961373834 +6365316236333532313361323063373130643031386131610a343036393035633431656434323466 +30333836636565323163613631386663313934633264373734366438626636313137393233623835 +3930643831626164330a396233393834623635363864656466393236313837663739303065353437 +38356539306333663062656439333938306433343632633861363430346631386238353462393334 
+61366263383062353136363632323330336637616538333866386534656662646639383335653931 +33393166656166343166356334623266373533653938313064393533363331636365343161373665 +62336466386536356637383663333661303135663835623432306231373034373435353562636265 +31326561626665376566633066346366613364333135366363623030613131353833336135306464 +66306133373634393431313866343464616633393165353830373436666136396633396131363763 +39306162666437346138373132323132376237346137643861363235646134616132653235326362 +32626135613530643766333930613164663935356332626232616330373237633835313231373066 +66323431366332663965393239623337646666613566363132383232643235363237316437653261 +63653361663038653764633266356433323234323132336232636337303763323736316662386638 +34326233376465303561643830646635353965623331633934393639313236373236343836366532 +30613964343835353130386533623262633261373831616635643861373133333237663666646334 +64636139323038353265333336626233346266353637343232383930376330643831633030643664 +61356231653135363664363063383331666137336433613966343839623161393135643738333537 +61363164623539353634353932363762336165643961333931316338343036336435356533616433 +30396335643634333366383233623034373164303564643639323030333461323965306638653063 +31383161336531376231626332343436353635663466396134313530383563306566626566643964 +35323465623562346439363036623139303932663539396662356336666362666463616432633162 +31393231323963356538336436653032323462623462366130323963636136666131646636333532 +32613136373162383037646137663230343536336161666132383964666239303663356430303361 +66653963326135643963393931356231666666376466326135353261356265653230633935376235 +32356330383163623132386363623239643531313163373539646166383964663661393663633465 +39346666353062643964316532313363336562373035306635383138666336616239633932383437 +63396138376138636561336539333564393033393466633066303138616136316638373138356161 +39666632666339373836343363653530633130643733386339633536636135373365643363373032 
+64633837656235363137633364313662363134306330376537326634353731346463643832396534 +64386361326635663032663464343432626237643365333330613466656163313930343266616139 +36393036353864316661343066653237333737643038396538666139643034396636643765366163 +30646366343636343364336639653436383038353637623131373738306566623033633863333634 +61363861306463353130393130613232643134313765363033646330666662353961343664316438 +36396339376366393236326432663434366634333935386662373538306236343938333563376263 +65346637346433366637336532656337393730303934653835313839656535353731333737656162 +65356531663737663164336338333336613230623836363435326132643131326534393634326261 +32663564646536663338623035653138373835306530316536316664663039383032366465303363 +38626138386164366332613933363434363132383336626430356331376239373031633262366532 +62646435653932636264323164636465366138636631313538346530306163373466393866383266 +30643739316336373462326138313666643263333463373764323832383230366465376539623937 +62363536333238363735306563333731663862653932393565663034636238643434633161626632 +33326164366336343734653234363930616634643933306264656138396631646135343437303462 +39343237663262303933393865346165353934356662376136633636343636626634343666343134 +37346166373963356638666338353438323831613538313961643339663230626565306261376665 +32613438303964656161653535313436643662393032396532303738653662343762323538366133 +32323036393530316630316261323731393865323433383961316664623435363130646239666132 +31623935663637373763356562613964636338343666393833386634356465333866643831393531 +38343261663636333336366539306366636137346131316161383661666431353235313536646538 +39663866376336633739356337633461613261316435393063653633336636333738656631313032 +62323130396164636431343961643237646533396639373863396333653936663964623337363063 +32366162343635333132636239363039326565383262633163336436613430323039356439613964 +39376563353663373637313035393839646633343963356433316333323732613035303432646338 
+62306639316139306531393236656265383836653436646136326666336137623936366630346332 +33303465623537653461363437373036343439656134333930393862306339653161633365333335 +63643937393761363463333637623039643265366462356632343263393434326435346634613736 +38323561613134363330636562336264633465363762393736333934353237633162393238353961 +65303634333331333537356134616539653462363035316330303338663430303536643230313133 +64653739656233616131653731343733616661626662636139393039633636666132346230333966 +34353831383036313663396339326237323038633231306230663563643562363030613332633362 +38383463393961373635356539633839646337666132393034343264333739346432326333383432 +32663030663739666237333435643734333663383238636130636135666561343961613861323666 +33623637366232316430643331643863666261636266383030653263383766353861306631343934 +62663761663366353763623966313035343330316563623238626537396439373235663862626565 +35356234383534653231396632306137373037643531303434393433353134326532313332326538 +66343236396636356231353234346438613866353763303136366137616338326532353039306639 +34613234356664333339363134646532666631623132663462316562326266316365623738623663 +32363562376234313038616530373335363935313135636466336237356632336537623538346433 +33643563343936623836356238613139623730343236663464626262323330653362616238356137 +64343563653863326638643834623665393333313262353732626638373634643633613836623164 +63396136643066616133346131313833303064343534353963386638363462316435646637623232 +32633332356263383533626635316231393865336636353430383365333131316633666164306138 +33363330303464386563353436646562623337656633333963333431353837313362653931613033 +37383330643730616432333538356430626462303730343430336465623938613732383138646330 +39363161323665643333383461333730323734613134386461636339653431323033663434643364 +38383762306139313465613461323436306137336463383439633230353266333137656330633237 +62306230363031353361333462393136396234663231356434393438326533363434376537376266 
+66323364313934616232393931616234666166616532663865316538346536326266326133613635 +62373839343639313861316539643461663161386435323161613436353433616230633734316239 +35373332353539666636303934396661663831313935616262323639633561636433663135626633 +61313730356664316262353832336334616330393431346363373265626661336332313135666639 +31646134613635643765353833633231623034316163663031376366353430373230666466633536 +34393132313738336163363035663435666262633161373336343932383366633765646366313132 +66623933343362636633376339303363383165373336313134613330386530616335363263643166 +32333162633035376562303332633732636530616432326234636236323434366164656437666464 +63666536663261373565366437326636333232623934363033653837626230323934666138626462 +66663639316630326662336263343365303630366234383530646139363936653866373162323435 +35333139353831643232666533333065386130666137653931336638623137616639653533656562 +32386431373865393561353537396632653239623839306234643938643261383730346431376234 +32643030353537333665363232383562646662656131346433653065613763613532313461636663 +37363565633864626136646663363334633239376537353066373466306431366132633931346464 +66653164356134323834366364643637343833396666373039383861663435343238353462396438 +33386131393839346663653433633333653564663665343265363831343937396436646262653738 +33633761343362343762376239333963306264326333366437636661616233383737636234346538 +35383861646332656664353339386331646236663036383033663262353336323634323365623661 +36376561643864303832386634623032356563306138333532623434633166646130313239343539 +66663566366636323835633661636331383066303131626132306332323430333333323734626433 +66303839346261386364316530373736373362323339376462363130643964666638383935346330 +33313830343965353338643139663834373863336636383730323662363836653536366433666166 +61623265656431303661346664646135373438386335303437333734613761663031353235623062 +36656432666266333161346238356532373464353835336561366138653031623264616563353836 
+61353731396361343939616437313532303766333962363536666139663064626636306239313962 +65306336333739346435353636303534366635303362363631383264306435383662323930393230 +30623134356439613436643861343036363366336332623665306239623234386435346337323930 +61343061393961663133333764333362346137636132636532396135643839633863386638346330 +34653131656332376538613039333066366232663432353666633334613331393863333236656662 +34646630616263356363613162646533623336623164643561333934343565373936326135323230 +38366335336562653861643732653930623461616366343239303862313339383031346630656538 +65363865623666306436303165373734646464303637333939666262363163343230376161373734 +37636433663139616261386534386466633862373739636262386631333334336238333862636335 +33386530393762626161303331633735363039373636346432626236336635323232313661623234 +66366637316439393465373066383864336638326533346438343162336161663436323031643235 +65633735613538666133353962646134353430633037663761353464313230336332323035386539 +39323363633863383861356162333137643433653135323433366636383966363137376339383131 +63356230333434643738383938396535313561356236656532376435623933343236636136353666 +37376434393664386438626661663431396430343431633435343436636665366138623632613665 +35373433613065666436313266373332313731633534386161383437386432353138636265346563 +39643862623936623636326664636365313765653666393433386631373162623332653139313133 +61376534313835666165313762653061633236353832633161313533376630636131666465313338 +39356530346332623633343536333130346230363233386435346239353535316561623331613533 +34623235336563613939333739643331343832353631333436653361623934626234343464613232 +36303263363530396334373438653166343661346531363764353233366464666263646161653432 +64313236653735323664323965366563316166623362393032396262636339306562643964653932 +36643534346235383066326331313338333366343335393038633137663836313831313632386464 +36626136666665623262373762643233653036383839666130623866313236393265306534343562 
+38346261353663383730346666626131313766643233323865626437643633326438303735353663 +31373665343363666236326661336534333534363666396665396437656266386331303563323666 +37326336663562353835313062646538323735336466626461333836366435313835636462356163 +64636437346562343463643338353730303932623732396232396133366130626539663738313361 +62373133396233366636653032306637303735373838346432653637303663616631323162373361 +36623565306364343330376538336534323964633034383765616666636438316466663662623263 +65666636666236353630633037393038373338373536336165623264306135656635383464353938 +32343131316330616139663864383938386437333662323463626636383964623264343737363738 +38613232663539656266343561653465356431393765643062336236653664626133353234383163 +35346235343935386130376135363535316539313164613732643631623439653962313839386637 +32613532666265346633336435346464656666346335656235373962633965626264343035633961 +66666231383164313239373033373361343038373436346537353536303338613035366330393039 +31613638353037616338376630356630306230376564306532343838323236316137356130386665 +62353166633038643032393530373461386465663935666430386238656637633265356362393237 +63356464373734623561643863386431643266313139353033663162386361626133303064663563 +64623537323734666665393537343963613036383331363262663933313365613866316366663730 +62613466303836383861323563356362333333653564303938366235626362623965336438313932 +38383164303232323166643533393738663536336666656433313537316264643930303634333637 +30636231326462376562646636363136393761383665626663303133313336613766613366626436 +64333466353461356631326433366634653338303362363230613863623735363934623133666430 +64376637336635613838396235633164343933333237323133313632656464343039323763353663 +37343133646633663762656331396362346635343463646236656330346363633533316531636566 +37303662393034386263643563363564363663356635636236396638656136306664366363616165 +62333366626433336461623032353831346662643934346430636535306439363839356132316466 
+36393164633030386538653135323461663632646266653663613366353339363437663537373931 +63393135646539353162376635663833653462653964356135623138653137343431643339316239 +64653734353631646661373833353436636134383038623539666662666439343039663230643133 +31303262396164383439613063306462666662346464663235343637363565393238663138613862 +63313064376336363637663832343134333236323466323662666334356232323537663734623466 +32323766616663356435613737396639366635636663346535653534666431323966623463333039 +64353365353031653136383561353439383266323365353361653530313933383130646539326337 +32383266346433613264643939396364656633313766383333336132393936666433346263386264 +38613034396430323235366564636365346563383935626330626130326236623361326161396363 +65323635323361623864643864346633343239626438306131303039393362363764646432366332 +34333931623535633439 diff --git a/network.yml b/network.yml index 188cf90..300c0d2 100755 --- a/network.yml +++ b/network.yml @@ -27,6 +27,12 @@ - router +# Radius (backup only for now) +- hosts: radius-edc-backup.adm.auro.re + roles: + - radius + + # WIP: Deploy authoritative DNS servers # - hosts: authoritative_dns # vars: diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml new file mode 100644 index 0000000..1622e1a --- /dev/null +++ b/roles/radius/tasks/main.yml 
@@ -0,0 +1,80 @@
+- name: Add backports repositories
+ apt_repository:
+ repo: "{{ item }} http://deb.debian.org/debian buster-backports main contrib non-free"
+ loop:
+ - "deb"
+ - "deb-src"
+
+- name: Ensure /var/www exists
+ file:
+ name: "/var/www"
+ state: directory
+
+- name: Clone re2o repo
+ git:
+ repo: "https://gitlab.federez.net/re2o/re2o.git"
+ dest: "/var/www/re2o"
+ version: "master_freeradius_python3"
+ force: true
+
+- name: Template local settings
+ template:
+ src: settings_local.py.j2
+ dest: "/var/www/re2o/re2o/settings_local.py"
+
+
+
+# What follows is a hideous abomination.
+# Blame freeradius-python3 on backports.
+
+- name: try to install freeradius-python3 (this will fail on post-install)
+ apt:
+ name: freeradius-python3
+ ignore_errors: yes
+ no_log: yes
+
+- name: fix freeradius-python3 postinstall script
+ template:
+ src: freeradius-python3.postinst.j2
+ dest: /var/lib/dpkg/info/freeradius-python3.postinst
+
+- name: Setup radius symlinks
+ file:
+ src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
+ dest: "/etc/freeradius/3.0/{{ item.filename }}"
+ state: link
+ force: yes
+ loop:
+ - local_prefix: ""
+ filename: auth.py
+ - local_prefix: freeradius3/
+ filename: radiusd.conf
+ - local_prefix: freeradius3/
+ filename: mods-enabled/python
+ - local_prefix: freeradius3/
+ filename: mods-enabled/eap
+
+- name: Configure radius clients.conf
+ template:
+ src: "{{ item }}.j2"
+ dest: "/etc/freeradius/3.0/{{ item }}"
+ loop:
+ - clients.conf
+ - sites-enabled/default
+ - sites-enabled/inner-tunnel
+
+- name: reinstall broken backpage
+ apt:
+ name: freeradius-python3
+ force: yes
+
+- name: Install radius requirements (except freeradius-python3)
+ shell:
+ cmd: "{{ item }}"
+ chdir: /var/www/re2o/
+ loop:
+ - "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
+ - "pip3 install -r pip_requirements.txt"
+
+
+# End of hideousness (hopefully).
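Review bot: The `Template local settings` task writes SECRET_KEY, the database password and the LDAP admin password into `/var/www/re2o/re2o/settings_local.py` with no `owner`, `group` or `mode`, so the file is created with the remote's default umask (normally world-readable); add `mode: "0640"` plus `owner`/`group` set to the account FreeRADIUS runs as (`freerad` on Debian) so only the radius process can read it. The `Clone re2o repo` task follows the moving branch `master_freeradius_python3` with `force: true`, so any push to that branch on gitlab.federez.net is deployed to the RADIUS server at the next run; pinning `version:` to a commit hash keeps what runs there reviewable. The `ignore_errors: yes`, `no_log: yes` and `force: yes` values should be spelled `true`, the canonical YAML boolean (`yes` is a YAML 1.1-only form that lint rules flag), and `no_log: yes` on the first apt task also hides the error when it fails for some reason other than the expected post-install failure. The `Install radius requirements` shell task runs `apt-get`/`pip3` through a pipeline that reports changed on every run; a comment saying it is deliberately non-idempotent, or a `changed_when`, would save the next reader from treating it as a bug.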
diff --git a/roles/radius/templates/clients.conf.j2 b/roles/radius/templates/clients.conf.j2
new file mode 100644
index 0000000..6909978
--- /dev/null
+++ b/roles/radius/templates/clients.conf.j2
@@ -0,0 +1,18 @@
+client radius-filaire {
+ ipaddr = 10.130.{{ apartment_block_id }}.0
+ netmask = 24
+ secret = {{ radius_secret_wired }}
+ require_message_authenticator = no
+ nastype = other
+ virtual_server = radius-filaire
+}
+
+
+client aurore-wifi {
+ ipaddr = 10.{{ subnet_ids.ap }}.0.0
+ netmask = 16
+ secret = {{ radius_secret_wifi }}
+ require_message_authenticator = no
+ nastype = other
+ virtual_server = radius-wifi
+}
diff --git a/roles/radius/templates/freeradius-python3.postinst.j2 b/roles/radius/templates/freeradius-python3.postinst.j2
new file mode 100644
index 0000000..058ec38
--- /dev/null
+++ b/roles/radius/templates/freeradius-python3.postinst.j2
@@ -0,0 +1,14 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ configure)
+ invoke-rc.d freeradius restart
+ ;;
+esac
+
+
+
+exit 0
diff --git a/roles/radius/templates/proxy.conf.j2 b/roles/radius/templates/proxy.conf.j2
new file mode 100644
index 0000000..0d74b84
--- /dev/null
+++ b/roles/radius/templates/proxy.conf.j2
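Review bot: Both client stanzas set `require_message_authenticator = no`, so the server accepts Access-Requests that carry no Message-Authenticator, the one attribute that proves a request was built with the shared secret; combined with `netmask = 16` on `aurore-wifi` and `netmask = 24` on `radius-filaire`, any host in those ranges that can reach the listener can submit non-EAP requests without demonstrating knowledge of the secret. Set `require_message_authenticator = yes` for each NAS that sends the attribute (EAP-capable access points do), and narrow `netmask` to the addresses the NAS devices actually use or add one `client` stanza per device. A comment naming which equipment each stanza covers would also help, since `nastype = other` says nothing about it.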
@@ -0,0 +1,53 @@
+# -*- mode: conf-unix; coding: utf-8 -*-
+proxy server {
+ default_fallback = no
+}
+
+
+realm LOCAL {
+
+}
+
+realm NULL {
+
+}
+
+#Proxy FedeRez #####
+
+realm AUROREFEDEREZ {
+ auth_pool = aurore_central_radius_servers
+# nostrip
+}
+
+home_server radius_aurore_v4 {
+ type = auth
+ ipaddr = 10.128.0.251
+ port = 1812
+ secret = aaVVvNUYD/MgE
+ require_message_authenticator =yes
+ response_window = 20
+ zombie_period = 40
+ revive_interval = 120
+ status_check = status-server
+ check_interval = 30
+ num_answers_to_alive = 3
+}
+
+#home_server _v6 {
+# type = auth
+# ipaddr =
+# port = 1812
+# secret =
+# require_message_authenticator =yes
+# response_window = 20
+# zombie_period = 40
+# revive_interval = 120
+# status_check = status-server
+# check_interval = 30
+# num_answers_to_alive = 3
+#}
+
+home_server_pool aurore_central_radius_servers {
+ type = fail-over
+ home_server = radius_aurore_v4
+}
diff --git a/roles/radius/templates/settings_local.py.j2 b/roles/radius/templates/settings_local.py.j2
new file mode 100644
index 0000000..1a6308e
--- /dev/null
+++ b/roles/radius/templates/settings_local.py.j2
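Review bot: `secret = aaVVvNUYD/MgE` in the `home_server radius_aurore_v4` stanza commits a RADIUS shared secret to the repository in clear, whereas clients.conf.j2 in the same role reads its secrets from vault-backed variables; replace it with a templated value such as `secret = {{ radius_secret_aurore }}` and treat the literal as compromised, since it stays in git history even after the later change on this page (patch 205) moves it to the vault and changes it. As committed the file is also never deployed: `proxy.conf` is missing from the `Configure radius clients.conf` loop in roles/radius/tasks/main.yml, so `/etc/freeradius/3.0/proxy.conf` keeps whatever the package installed. Minor: `require_message_authenticator =yes` lacks the space after `=` that every other key in the stanza uses.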
@@ -0,0 +1,116 @@ +# coding: utf-8 +# Re2o est un logiciel d'administration développé initiallement au rezometz. Il +# se veut agnostique au réseau considéré, de manière à être installable en +# quelques clics. +# +# Copyright © 2017 Gabriel Détraz +# Copyright © 2017 Goulven Kermarec +# Copyright © 2017 Augustin Lemesle +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +"""re2o.settings_locale +The file with all the available options for a locale configuration of re2o +""" + +from __future__ import unicode_literals + +# A secret key used by the server. +SECRET_KEY = "{{ re2o_secret_key }}" + +# The password to access the project database +DB_PASSWORD = "{{ re2o_db_password }}" + +# AES key for secret key encryption. +# The length must be a multiple of 16 +AES_KEY = "{{ re2o_aes_key }}" + +# Should the server run in debug mode ? +# SECURITY WARNING: don't run with debug turned on in production! +DEBUG = False + +# A list of admins of the services. Receive mails when an error occurs +ADMINS = [('AURORE', 'monitoring.aurore@lists.crans.org'), ('Gabriel Detraz', 'detraz@crans.org')] + +# The list of hostname the server will respond to. 
+ALLOWED_HOSTS = ['radius-pacaterie.adm.auro.re'] + +# The time zone the server is runned in +TIME_ZONE = 'Europe/Paris' + +# The storage systems parameters to use +DATABASES = { + 'default': { # The DB + 'ENGINE': 'django.db.backends.postgresql_psycopg2', + 'NAME': 're2o', + 'USER': 're2o', + 'PASSWORD': DB_PASSWORD, + 'HOST': 're2o-db.adm.auro.re', + 'TEST': { + 'CHARSET': 'utf8', + 'COLLATION': 'utf8_general_ci' + } + }, + 'ldap': { # The LDAP + 'ENGINE': 'ldapdb.backends.ldap', + 'NAME': 'ldap://10.128.0.11/', + 'USER': 'cn=admin,dc=auro,dc=re', + 'TLS': False, + 'PASSWORD': '{{ ldap_admin_password }}', + } +} + +# Security settings for secure https +# Activate once https is correctly configured +SECURE_CONTENT_TYPE_NOSNIFF = False +SECURE_BROWSER_XSS_FILTER = False +SESSION_COOKIE_SECURE = False +CSRF_COOKIE_SECURE = False +CSRF_COOKIE_HTTPONLY = False +X_FRAME_OPTIONS = 'DENY' +SESSION_COOKIE_AGE = 60 * 60 * 3 + +# The path where your organization logo is stored +LOGO_PATH = "static_files/logo.png" + +# The mail configuration for Re2o to send mails +SERVER_EMAIL = 'no-reply@auro.re' # The mail address to use +EMAIL_HOST = 'localhost' # The host to use +EMAIL_PORT = 25 # The port to use + +# Settings of the LDAP structure +LDAP = { + 'base_user_dn': 'cn=Utilisateurs,dc=auro,dc=re', + 'base_userservice_dn': 'ou=service-users,dc=auro,dc=re', + 'base_usergroup_dn': 'ou=posix,ou=groups,dc=auro,dc=re', + 'base_userservicegroup_dn': 'ou=services,ou=groups,dc=auro,dc=re', + 'user_gid': 100, + } + +# A range of UID to use. Used in linux environement +UID_RANGES = { + 'users': [21001, 30000], + 'service-users': [20000, 21000], +} + +# A range of GID to use. Used in linux environement +GID_RANGES = { + 'posix': [501, 600], +} + +# Some optionnal Re2o Apps +OPTIONNAL_APPS_RE2O = () + +# Some Django apps you want to add in you local project +OPTIONNAL_APPS = OPTIONNAL_APPS_RE2O + () 
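Review bot: The `'ldap'` database entry binds as `cn=admin,dc=auro,dc=re` over plain `ldap://10.128.0.11/` with `'TLS': False`, so the directory administrator password travels in clear on every lookup the RADIUS backend performs; set `'TLS': True` (or use an `ldaps://` URL) and, if the backend only needs to read user entries here — not visible from this hunk — bind with a read-only service DN instead of the admin account. `ALLOWED_HOSTS = ['radius-pacaterie.adm.auro.re']` is hard-coded while the play added to network.yml in this series targets `radius-edc-backup.adm.auro.re`; templating it as `ALLOWED_HOSTS = ['{{ inventory_hostname }}']` keeps the two from drifting. The `SECURE_*` and `*_COOKIE_SECURE = False` block is marked by the author as pending HTTPS; a dated TODO with an owner would keep it from being forgotten on a host that does serve HTTP later.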
diff --git a/roles/radius/templates/sites-enabled/default.j2 b/roles/radius/templates/sites-enabled/default.j2
new file mode 100644
index 0000000..a406559
--- /dev/null
+++ b/roles/radius/templates/sites-enabled/default.j2
@@ -0,0 +1,239 @@ +###################################################################### +# +# As of 2.0.0, FreeRADIUS supports virtual hosts using the +# "server" section, and configuration directives. +# +# Virtual hosts should be put into the "sites-available" +# directory. Soft links should be created in the "sites-enabled" +# directory to these files. This is done in a normal installation. +# +# If you are using 802.1X (EAP) authentication, please see also +# the "inner-tunnel" virtual server. You will likely have to edit +# that, too, for authentication to work. +# +# $Id: 083407596aa5074d665adac9606e7de655b634aa $ +# +###################################################################### +# +# Read "man radiusd" before editing this file. See the section +# titled DEBUGGING. It outlines a method where you can quickly +# obtain the configuration you want, without running into +# trouble. See also "man unlang", which documents the format +# of this file. +# +# This configuration is designed to work in the widest possible +# set of circumstances, with the widest possible number of +# authentication methods. This means that in general, you should +# need to make very few changes to this file. +# +# The best way to configure the server for your local system +# is to CAREFULLY edit this file. Most attempts to make large +# edits to this file will BREAK THE SERVER. Any edits should +# be small, and tested by running the server with "radiusd -X". +# Once the edits have been verified to work, save a copy of these +# configuration files somewhere. (e.g. as a "tar" file). Then, +# make more edits, and test, as above. +# +# There are many "commented out" references to modules such +# as ldap, sql, etc. These references serve as place-holders. +# If you need the functionality of that module, then configure +# it in radiusd.conf, and un-comment the references to it in +# this file. 
In most cases, those small changes will result +# in the server being able to connect to the DB, and to +# authenticate users. +# +###################################################################### + +server default { +listen { + type = auth + ipaddr = * + port = 0 + + limit { + max_connections = 16 + lifetime = 0 + idle_timeout = 30 + } +} + +listen { + ipaddr = * + port = 0 + type = acct + + limit { + } +} + +# IPv6 versions of the above - read their full config to understand options +listen { + type = auth + ipv6addr = :: # any. ::1 == localhost + port = 0 + limit { + max_connections = 16 + lifetime = 0 + idle_timeout = 30 + } +} + +listen { + ipv6addr = :: + port = 0 + type = acct + + limit { + } +} +} + +server radius-wifi { +authorize { + rewrite_calling_station_id + + if (User-Name =~ /^(.*)@(.*)/){ + if (User-Name !~ /^(.*)@(.*)auro(.*)/){ + update control{ + Proxy-To-Realm := 'AUROREFEDEREZ' + } + } + + if ("%{request:User-Name}" =~ /^(.*)@(.*)auro(.*)/){ + update request{ + Stripped-User-Name := "%{1}" + } + } + } + + filter_username + + preprocess + + suffix + + eap { + ok = return + } + + expiration + logintime + + pap + +} + +authenticate { + Auth-Type PAP { + pap + } + + Auth-Type CHAP { + chap + } + + Auth-Type MS-CHAP { + mschap + } + + mschap + + digest + + eap +} + + +preacct { + preprocess + + acct_unique + + suffix + files +} + +accounting { + + detail + + unix + exec + +} + +session { +} + +post-auth { + update { + &reply: += &session-state: + } + + exec + + + remove_reply_message_if_eap + + Post-Auth-Type REJECT { + -sql + attr_filter.access_reject + + eap + + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} +} + + + +server radius-filaire{ + authorize{ + + re2o + expiration + logintime + pap + } + authenticate{ + Auth-Type PAP{ + pap + } + Auth-Type CHAP{ + chap + } + Auth-Type MS-CHAP{ + mschap + } + digest + eap + + } + preacct{ + preprocess + acct_unique + suffix + files + } + accounting{ + } + session{ + } 
+ post-auth{
+ re2o
+ exec
+ }
+ pre-proxy{
+ }
+ post-proxy{
+ eap
+ }
+}
diff --git a/roles/radius/templates/sites-enabled/inner-tunnel.j2 b/roles/radius/templates/sites-enabled/inner-tunnel.j2
new file mode 100644
index 0000000..ee6e929
--- /dev/null
+++ b/roles/radius/templates/sites-enabled/inner-tunnel.j2
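Review bot: The realm test in the `radius-wifi` authorize section, `if (User-Name !~ /^(.*)@(.*)auro(.*)/)`, treats any User-Name whose realm merely contains the substring `auro` as local, so an outer identity like `user@auro.example.org` (constructed) is stripped and looked up locally instead of being proxied, while everything else goes to AUROREFEDEREZ. Anchor the pattern to the realm(s) actually served, e.g. `if (User-Name !~ /^(.*)@auro\.re$/)` if `auro.re` is the only local realm, and use the same anchored form in the `Stripped-User-Name` update just below it and in the matching `/^(.*)@auro(.*)/` test at the top of inner-tunnel.j2's authorize section. The `server default` block listens on `ipaddr = *` for auth and acct but defines no authorize/authenticate sections; since every client in clients.conf.j2 routes to a named `virtual_server`, a one-line comment saying the default server intentionally rejects anything that lands on it would spare the next reader a search.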
@@ -0,0 +1,345 @@ +# -*- text -*- +###################################################################### +# +# This is a virtual server that handles *only* inner tunnel +# requests for EAP-TTLS and PEAP types. +# +# $Id: 2c6f9611bfc7b4b782aeb9764e47e832690739c4 $ +# +###################################################################### + +server inner-tunnel { + +# +# This next section is here to allow testing of the "inner-tunnel" +# authentication methods, independently from the "default" server. +# It is listening on "localhost", so that it can only be used from +# the same machine. +# +# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123 +# +# If it works, you have configured the inner tunnel correctly. To check +# if PEAP will work, use: +# +# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123 +# +# If that works, PEAP should work. If that command doesn't work, then +# +# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS. +# +# Do NOT do any PEAP tests. It won't help. Instead, concentrate +# on fixing the inner tunnel configuration. DO NOTHING ELSE. +# +listen { + ipaddr = 127.0.0.1 + port = 18120 + type = auth +} + + +# Authorization. First preprocess (hints and huntgroups files), +# then realms, and finally look in the "users" file. +# +# The order of the realm modules will determine the order that +# we try to find a matching realm. +# +# Make *sure* that 'preprocess' comes before any realm if you +# need to setup hints for the remote radius server +authorize { + if ("%{request:User-Name}" =~ /^(.*)@auro(.*)/){ + update request{ + Stripped-User-Name := "%{1}" + } + } + # + # Take a User-Name, and perform some checks on it, for spaces and other + # invalid characters. If the User-Name appears invalid, reject the + # request. + # + # See policy.d/filter for the definition of the filter_username policy. 
+ # + filter_username + + re2o + + # + # Do checks on outer / inner User-Name, so that users + # can't spoof us by using incompatible identities + # +# filter_inner_identity + + # + # The chap module will set 'Auth-Type := CHAP' if we are + # handling a CHAP request and Auth-Type has not already been set + chap + + # + # If the users are logging in with an MS-CHAP-Challenge + # attribute for authentication, the mschap module will find + # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' + # to the request, which will cause the server to then use + # the mschap module for authentication. + mschap + + # + # Pull crypt'd passwords from /etc/passwd or /etc/shadow, + # using the system API's to get the password. If you want + # to read /etc/passwd or /etc/shadow directly, see the + # passwd module, above. + # +# unix + + # + # Look for IPASS style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. +# IPASS + + # + # If you are using multiple kinds of realms, you probably + # want to set "ignore_null = yes" for all of them. + # Otherwise, when the first style of realm doesn't match, + # the other styles won't be checked. + # + # Note that proxying the inner tunnel authentication means + # that the user MAY use one identity in the outer session + # (e.g. "anonymous", and a different one here + # (e.g. "user@example.com"). The inner session will then be + # proxied elsewhere for authentication. If you are not + # careful, this means that the user can cause you to forward + # the authentication to another RADIUS server, and have the + # accounting logs *not* sent to the other server. This makes + # it difficult to bill people for their network activity. + # + suffix +# ntdomain + + # + # The "suffix" module takes care of stripping the domain + # (e.g. "@example.com") from the User-Name attribute, and the + # next few lines ensure that the request is not proxied. 
+ # + # If you want the inner tunnel request to be proxied, delete + # the next few lines. + # + update control { + &Proxy-To-Realm := LOCAL + } + + # + # This module takes care of EAP-MSCHAPv2 authentication. + # + # It also sets the EAP-Type attribute in the request + # attribute list to the EAP type from the packet. + # + # The example below uses module failover to avoid querying all + # of the following modules if the EAP module returns "ok". + # Therefore, your LDAP and/or SQL servers will not be queried + # for the many packets that go back and forth to set up TTLS + # or PEAP. The load on those servers will therefore be reduced. + # + eap { + ok = return + } + + # + # Read the 'users' file + #files + + # + # Look in an SQL database. The schema of the database + # is meant to mirror the "users" file. + # + # See "Authorization Queries" in sql.conf + #-sql + + # + # If you are using /etc/smbpasswd, and are also doing + # mschap authentication, the un-comment this line, and + # enable the "smbpasswd" module. +# smbpasswd + + # + # The ldap module reads passwords from the LDAP database. + #-ldap + + # + # Enforce daily limits on time spent logged in. +# daily + + expiration + logintime + + # + # If no other module has claimed responsibility for + # authentication, then try to use PAP. This allows the + # other modules listed above to add a "known good" password + # to the request, and to do nothing else. The PAP module + # will then see that password, and use it to do PAP + # authentication. + # + # This module should be listed last, so that the other modules + # get a chance to set Auth-Type for themselves. + # + pap +} + + +# Authentication. +# +# +# This section lists which modules are available for authentication. +# Note that it does NOT mean 'try each module in order'. It means +# that a module from the 'authorize' section adds a configuration +# attribute 'Auth-Type := FOO'. 
That authentication type is then +# used to pick the appropriate module from the list below. +# + +# In general, you SHOULD NOT set the Auth-Type attribute. The server +# will figure it out on its own, and will do the right thing. The +# most common side effect of erroneously setting the Auth-Type +# attribute is that one authentication method will work, but the +# others will not. +# +# The common reasons to set the Auth-Type attribute by hand +# is to either forcibly reject the user, or forcibly accept him. +# +authenticate { + # + # PAP authentication, when a back-end database listed + # in the 'authorize' section supplies a password. The + # password can be clear-text, or encrypted. + Auth-Type PAP { + pap + } + + # + # Most people want CHAP authentication + # A back-end database listed in the 'authorize' section + # MUST supply a CLEAR TEXT password. Encrypted passwords + # won't work. + Auth-Type CHAP { + chap + } + + # + # MSCHAP authentication. + Auth-Type MS-CHAP { + mschap + } + + # + # For old names, too. + # + mschap + + # + # Allow EAP authentication. + eap +} + +###################################################################### +# +# There are no accounting requests inside of EAP-TTLS or PEAP +# tunnels. +# +###################################################################### + + +# Session database, used for checking Simultaneous-Use. Either the radutmp +# or rlm_sql module can handle this. +# The rlm_sql module is *much* faster +session { + radutmp + + # + # See "Simultaneous Use Checking Queries" in sql.conf +# sql +} + + +# Post-Authentication +# Once we KNOW that the user has been authenticated, there are +# additional steps we can take. +# +# Note that the last packet of the inner-tunnel authentication +# MAY NOT BE the last packet of the outer session. So updating +# the outer reply MIGHT work, and sometimes MIGHT NOT. The +# exact functionality depends on both the inner and outer +# authentication methods. 
+# +# If you need to send a reply attribute in the outer session, +# the ONLY safe way is to set "use_tunneled_reply = yes", and +# then update the inner-tunnel reply. +post-auth { + re2o + + Post-Auth-Type REJECT { + # log failed authentications in SQL, too. + -sql + attr_filter.access_reject + + # + # Let the outer session know which module failed, and why. + # + update outer.session-state { + &Module-Failure-Message := &request:Module-Failure-Message + } + } +} + +# +# When the server decides to proxy a request to a home server, +# the proxied request is first passed through the pre-proxy +# stage. This stage can re-write the request, or decide to +# cancel the proxy. +# +# Only a few modules currently have this method. +# +pre-proxy { + # Uncomment the following line if you want to change attributes + # as defined in the preproxy_users file. +# files + + # Uncomment the following line if you want to filter requests + # sent to remote servers based on the rules defined in the + # 'attrs.pre-proxy' file. +# attr_filter.pre-proxy + + # If you want to have a log of packets proxied to a home + # server, un-comment the following line, and the + # 'detail pre_proxy_log' section, above. +# pre_proxy_log +} + +# +# When the server receives a reply to a request it proxied +# to a home server, the request may be massaged here, in the +# post-proxy stage. +# +post-proxy { + + # If you want to have a log of replies from a home server, + # un-comment the following line, and the 'detail post_proxy_log' + # section, above. +# post_proxy_log + + # Uncomment the following line if you want to filter replies from + # remote proxies based on the rules defined in the 'attrs' file. +# attr_filter.post-proxy + + # + # If you are proxying LEAP, you MUST configure the EAP + # module, and you MUST list it here, in the post-proxy + # stage. + # + # You MUST also use the 'nostrip' option in the 'realm' + # configuration. 
Otherwise, the User-Name attribute + # in the proxied request will not match the user name + # hidden inside of the EAP packet, and the end server will + # reject the EAP request. + # + eap +} + +} # inner-tunnel server block From e2fa1964af51db7ee635f45c0a77a1bab6cb4323 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 21 May 2020 14:19:28 +0200 Subject: [PATCH 205/297] radius: change proxy.conf password, use vault and also actually template it... it wasn't being uploaded. --- group_vars/all/vars.yml | 1 + group_vars/all/vault.yml | 321 ++++++++++++++------------- roles/radius/tasks/main.yml | 1 + roles/radius/templates/proxy.conf.j2 | 2 +- 4 files changed, 164 insertions(+), 161 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 42f9a7b..eb846b4 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -64,5 +64,6 @@ re2o_db_password: "{{ vault_re2o_db_password }}" re2o_aes_key: "{{ vault_re2o_aes_key }}" # Radius +radius_secret_aurore: "{{ vault_radius_secrets.aurore }}" radius_secret_wifi: "{{ vault_radius_secrets.wifi }}" radius_secret_wired: "{{ vault_radius_secrets.wired[apartment_block] }}" diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 39aea61..1443e22 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml 
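Review bot: The `listen { ipaddr = 127.0.0.1 port = 18120 type = auth }` block kept from the stock inner-tunnel configuration has no matching client in clients.conf.j2, whose only stanzas are the wired and wifi NAS ranges, so unless a client for 127.0.0.1 is defined outside this role the `radtest ... 127.0.0.1:18120 0 testing123` procedure in the comments above it cannot work as deployed and the listener is an unreachable socket on the host. Either drop the block, or, if loopback testing is wanted, add a `client localhost` stanza with a vault-backed secret and update the comment so it no longer documents `testing123`. The inner-tunnel server block ends at `} # inner-tunnel server block` within this hunk.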
@@ -1,161 +1,162 @@ $ANSIBLE_VAULT;1.1;AES256 -33396439643732346636636465616537313231333032616436323166633235663131343961373834 -6365316236333532313361323063373130643031386131610a343036393035633431656434323466 -30333836636565323163613631386663313934633264373734366438626636313137393233623835 -3930643831626164330a396233393834623635363864656466393236313837663739303065353437 -38356539306333663062656439333938306433343632633861363430346631386238353462393334 -61366263383062353136363632323330336637616538333866386534656662646639383335653931 -33393166656166343166356334623266373533653938313064393533363331636365343161373665 -62336466386536356637383663333661303135663835623432306231373034373435353562636265 -31326561626665376566633066346366613364333135366363623030613131353833336135306464 -66306133373634393431313866343464616633393165353830373436666136396633396131363763 -39306162666437346138373132323132376237346137643861363235646134616132653235326362 -32626135613530643766333930613164663935356332626232616330373237633835313231373066 -66323431366332663965393239623337646666613566363132383232643235363237316437653261 -63653361663038653764633266356433323234323132336232636337303763323736316662386638 -34326233376465303561643830646635353965623331633934393639313236373236343836366532 -30613964343835353130386533623262633261373831616635643861373133333237663666646334 -64636139323038353265333336626233346266353637343232383930376330643831633030643664 -61356231653135363664363063383331666137336433613966343839623161393135643738333537 -61363164623539353634353932363762336165643961333931316338343036336435356533616433 -30396335643634333366383233623034373164303564643639323030333461323965306638653063 -31383161336531376231626332343436353635663466396134313530383563306566626566643964 -35323465623562346439363036623139303932663539396662356336666362666463616432633162 -31393231323963356538336436653032323462623462366130323963636136666131646636333532 
-32613136373162383037646137663230343536336161666132383964666239303663356430303361 -66653963326135643963393931356231666666376466326135353261356265653230633935376235 -32356330383163623132386363623239643531313163373539646166383964663661393663633465 -39346666353062643964316532313363336562373035306635383138666336616239633932383437 -63396138376138636561336539333564393033393466633066303138616136316638373138356161 -39666632666339373836343363653530633130643733386339633536636135373365643363373032 -64633837656235363137633364313662363134306330376537326634353731346463643832396534 -64386361326635663032663464343432626237643365333330613466656163313930343266616139 -36393036353864316661343066653237333737643038396538666139643034396636643765366163 -30646366343636343364336639653436383038353637623131373738306566623033633863333634 -61363861306463353130393130613232643134313765363033646330666662353961343664316438 -36396339376366393236326432663434366634333935386662373538306236343938333563376263 -65346637346433366637336532656337393730303934653835313839656535353731333737656162 -65356531663737663164336338333336613230623836363435326132643131326534393634326261 -32663564646536663338623035653138373835306530316536316664663039383032366465303363 -38626138386164366332613933363434363132383336626430356331376239373031633262366532 -62646435653932636264323164636465366138636631313538346530306163373466393866383266 -30643739316336373462326138313666643263333463373764323832383230366465376539623937 -62363536333238363735306563333731663862653932393565663034636238643434633161626632 -33326164366336343734653234363930616634643933306264656138396631646135343437303462 -39343237663262303933393865346165353934356662376136633636343636626634343666343134 -37346166373963356638666338353438323831613538313961643339663230626565306261376665 -32613438303964656161653535313436643662393032396532303738653662343762323538366133 -32323036393530316630316261323731393865323433383961316664623435363130646239666132 
-31623935663637373763356562613964636338343666393833386634356465333866643831393531 -38343261663636333336366539306366636137346131316161383661666431353235313536646538 -39663866376336633739356337633461613261316435393063653633336636333738656631313032 -62323130396164636431343961643237646533396639373863396333653936663964623337363063 -32366162343635333132636239363039326565383262633163336436613430323039356439613964 -39376563353663373637313035393839646633343963356433316333323732613035303432646338 -62306639316139306531393236656265383836653436646136326666336137623936366630346332 -33303465623537653461363437373036343439656134333930393862306339653161633365333335 -63643937393761363463333637623039643265366462356632343263393434326435346634613736 -38323561613134363330636562336264633465363762393736333934353237633162393238353961 -65303634333331333537356134616539653462363035316330303338663430303536643230313133 -64653739656233616131653731343733616661626662636139393039633636666132346230333966 -34353831383036313663396339326237323038633231306230663563643562363030613332633362 -38383463393961373635356539633839646337666132393034343264333739346432326333383432 -32663030663739666237333435643734333663383238636130636135666561343961613861323666 -33623637366232316430643331643863666261636266383030653263383766353861306631343934 -62663761663366353763623966313035343330316563623238626537396439373235663862626565 -35356234383534653231396632306137373037643531303434393433353134326532313332326538 -66343236396636356231353234346438613866353763303136366137616338326532353039306639 -34613234356664333339363134646532666631623132663462316562326266316365623738623663 -32363562376234313038616530373335363935313135636466336237356632336537623538346433 -33643563343936623836356238613139623730343236663464626262323330653362616238356137 -64343563653863326638643834623665393333313262353732626638373634643633613836623164 -63396136643066616133346131313833303064343534353963386638363462316435646637623232 
-32633332356263383533626635316231393865336636353430383365333131316633666164306138 -33363330303464386563353436646562623337656633333963333431353837313362653931613033 -37383330643730616432333538356430626462303730343430336465623938613732383138646330 -39363161323665643333383461333730323734613134386461636339653431323033663434643364 -38383762306139313465613461323436306137336463383439633230353266333137656330633237 -62306230363031353361333462393136396234663231356434393438326533363434376537376266 -66323364313934616232393931616234666166616532663865316538346536326266326133613635 -62373839343639313861316539643461663161386435323161613436353433616230633734316239 -35373332353539666636303934396661663831313935616262323639633561636433663135626633 -61313730356664316262353832336334616330393431346363373265626661336332313135666639 -31646134613635643765353833633231623034316163663031376366353430373230666466633536 -34393132313738336163363035663435666262633161373336343932383366633765646366313132 -66623933343362636633376339303363383165373336313134613330386530616335363263643166 -32333162633035376562303332633732636530616432326234636236323434366164656437666464 -63666536663261373565366437326636333232623934363033653837626230323934666138626462 -66663639316630326662336263343365303630366234383530646139363936653866373162323435 -35333139353831643232666533333065386130666137653931336638623137616639653533656562 -32386431373865393561353537396632653239623839306234643938643261383730346431376234 -32643030353537333665363232383562646662656131346433653065613763613532313461636663 -37363565633864626136646663363334633239376537353066373466306431366132633931346464 -66653164356134323834366364643637343833396666373039383861663435343238353462396438 -33386131393839346663653433633333653564663665343265363831343937396436646262653738 -33633761343362343762376239333963306264326333366437636661616233383737636234346538 -35383861646332656664353339386331646236663036383033663262353336323634323365623661 
-36376561643864303832386634623032356563306138333532623434633166646130313239343539 -66663566366636323835633661636331383066303131626132306332323430333333323734626433 -66303839346261386364316530373736373362323339376462363130643964666638383935346330 -33313830343965353338643139663834373863336636383730323662363836653536366433666166 -61623265656431303661346664646135373438386335303437333734613761663031353235623062 -36656432666266333161346238356532373464353835336561366138653031623264616563353836 -61353731396361343939616437313532303766333962363536666139663064626636306239313962 -65306336333739346435353636303534366635303362363631383264306435383662323930393230 -30623134356439613436643861343036363366336332623665306239623234386435346337323930 -61343061393961663133333764333362346137636132636532396135643839633863386638346330 -34653131656332376538613039333066366232663432353666633334613331393863333236656662 -34646630616263356363613162646533623336623164643561333934343565373936326135323230 -38366335336562653861643732653930623461616366343239303862313339383031346630656538 -65363865623666306436303165373734646464303637333939666262363163343230376161373734 -37636433663139616261386534386466633862373739636262386631333334336238333862636335 -33386530393762626161303331633735363039373636346432626236336635323232313661623234 -66366637316439393465373066383864336638326533346438343162336161663436323031643235 -65633735613538666133353962646134353430633037663761353464313230336332323035386539 -39323363633863383861356162333137643433653135323433366636383966363137376339383131 -63356230333434643738383938396535313561356236656532376435623933343236636136353666 -37376434393664386438626661663431396430343431633435343436636665366138623632613665 -35373433613065666436313266373332313731633534386161383437386432353138636265346563 -39643862623936623636326664636365313765653666393433386631373162623332653139313133 -61376534313835666165313762653061633236353832633161313533376630636131666465313338 
-39356530346332623633343536333130346230363233386435346239353535316561623331613533 -34623235336563613939333739643331343832353631333436653361623934626234343464613232 -36303263363530396334373438653166343661346531363764353233366464666263646161653432 -64313236653735323664323965366563316166623362393032396262636339306562643964653932 -36643534346235383066326331313338333366343335393038633137663836313831313632386464 -36626136666665623262373762643233653036383839666130623866313236393265306534343562 -38346261353663383730346666626131313766643233323865626437643633326438303735353663 -31373665343363666236326661336534333534363666396665396437656266386331303563323666 -37326336663562353835313062646538323735336466626461333836366435313835636462356163 -64636437346562343463643338353730303932623732396232396133366130626539663738313361 -62373133396233366636653032306637303735373838346432653637303663616631323162373361 -36623565306364343330376538336534323964633034383765616666636438316466663662623263 -65666636666236353630633037393038373338373536336165623264306135656635383464353938 -32343131316330616139663864383938386437333662323463626636383964623264343737363738 -38613232663539656266343561653465356431393765643062336236653664626133353234383163 -35346235343935386130376135363535316539313164613732643631623439653962313839386637 -32613532666265346633336435346464656666346335656235373962633965626264343035633961 -66666231383164313239373033373361343038373436346537353536303338613035366330393039 -31613638353037616338376630356630306230376564306532343838323236316137356130386665 -62353166633038643032393530373461386465663935666430386238656637633265356362393237 -63356464373734623561643863386431643266313139353033663162386361626133303064663563 -64623537323734666665393537343963613036383331363262663933313365613866316366663730 -62613466303836383861323563356362333333653564303938366235626362623965336438313932 -38383164303232323166643533393738663536336666656433313537316264643930303634333637 
-30636231326462376562646636363136393761383665626663303133313336613766613366626436 -64333466353461356631326433366634653338303362363230613863623735363934623133666430 -64376637336635613838396235633164343933333237323133313632656464343039323763353663 -37343133646633663762656331396362346635343463646236656330346363633533316531636566 -37303662393034386263643563363564363663356635636236396638656136306664366363616165 -62333366626433336461623032353831346662643934346430636535306439363839356132316466 -36393164633030386538653135323461663632646266653663613366353339363437663537373931 -63393135646539353162376635663833653462653964356135623138653137343431643339316239 -64653734353631646661373833353436636134383038623539666662666439343039663230643133 -31303262396164383439613063306462666662346464663235343637363565393238663138613862 -63313064376336363637663832343134333236323466323662666334356232323537663734623466 -32323766616663356435613737396639366635636663346535653534666431323966623463333039 -64353365353031653136383561353439383266323365353361653530313933383130646539326337 -32383266346433613264643939396364656633313766383333336132393936666433346263386264 -38613034396430323235366564636365346563383935626330626130326236623361326161396363 -65323635323361623864643864346633343239626438306131303039393362363764646432366332 -34333931623535633439 +61336339613837303864333338376131306234356334366237613038323565363539656161643663 +3630396462363834616166383634323735386461653430330a353861386131386130613733663465 +66363639336164303137326133373364643539663032303237633831333764376534366464313030 +6161663162613636660a393262663061656235333836356331366638313263333364306262636631 +62393434336561313630343366626136393933383966613463353135643334666432366433383038 +39306538616266656536373435363963336463366635653433666566343162623065323738336339 +38346632383039663666623137393431313931656538326136356433386261303638616165626336 +63326134336330646236336631306266306532366435323830333233363565366134373236623263 
+62653836386362613166643762633865303239666662313138363866373335333566353033613732 +38663634313962373264393763303733616236346230393665633366316538666334333537306536 +61643061356633646133616138396163346538633065313935666639623531303861303663666466 +63346531666362386363383534303436376338653034633565383361386430386636336664626431 +62613263306132633336363562323030613832373363646464303263616264353431386664626137 +36633434343536346333383530343965313262353639363266656562633132343036656137383938 +63333165333835636634336336343732383865306634393939343332396565643661313666656239 +61633635623236383764646664356539383834303437636338633138343465656337643962616365 +37633032303161616664333264336331626531613031363066323137313539373637646533623663 +66313662356438666566313364653933316335376438313939313430643865643432356139353231 +31356236663234383564383162633431376436396331613838613039343762336562343562653738 +33383163653535373538646237623865356462626665613136316365623036396536373633363536 +30613932656534313966633664303661336366336561656434373438373361643532623335643234 +61353466323636663463643262616635653639633463373235636432616561623662393838636335 +30646164633962353138396164303666633366363364373039393339383063316238393332623139 +62333166393831636232373738643962613063396530633132366536663839333136656338336464 +37633039626138666261343863363232633936323234386362373463353737343330656430643966 +30633037613033383134653133653232373236353535663033323634633564656636316636383537 +65373663393235323561386232613634663962653564373634333034373530353264333037663431 +32326438613436333935346335313364363361383732323362383437626234663533396235333935 +31333132366534373832636637333664346365393236353366363937306138333961393939626138 +33333036653839623138373832613233326262633836363562346261323639383536353433613764 +63323434663437653236383334346634633765636339646665653638333938303665643132643735 +63393838363732646339343937323732653939656466313637383738626131396261303838326565 
+34393934333738323137646264666633386661343637613462393864613134383538653966383732 +64383738653833306266663431623162643333616537656136373439373462626266383663303031 +63666265373664653334373266616437653764623765616539343139373934356133613338376239 +63393735613066636432663466353865666661316232393361306438623036643438346130383937 +36373762316263643764303638383633373161383862373630386465643462396432656134313764 +61666534636565366136653438666339346539303238613135613261333431336361346138333161 +33393130333765326361336239373365366332626566396639643966313434666561626262646664 +37386534316136613061343333656630303839356366623835656239306562646436656131366366 +36346635393235663630633331646231313737363535643663333162616135316566396530303030 +33346331303935326631646563663833663266323937383134396162353131396231323837656631 +66373864316332646433316131633435386133373239333261616136613632613162346366643366 +30363030393736343438643866343363366331393031633638333731393732646132393165383361 +31303637386535366535386332666133316564366463313465313637393663623662373431646234 +62663461353961626237343663356664623731376432343538656332613866323135373637313831 +34396132343961656266656430663838643464353362393732623739393938353764323065303464 +66656435303333616432313232333431326535613635396536663835626361643733363461653831 +33313634656632633831313866306233363633316330313037313035366537373034326231383463 +34633062353635396261353438633564623564346536356131353166353835336135316662343262 +34386333353731313335333339323936643862386264363565373737383364623366663265353339 +62663730623430303535333138653636323864383039653361383435383062336537633865356466 +64303532303338383365326635353363363161613962336166663764353562666236336133353538 +35343733343338346666366139363261313662633866306263666331313336336330326537636538 +37326330393732636163333161643831356533393238303039643663663766613634376336303062 +66316138396433356365623437323932663632393831613835366632653138656530336236383063 
+31376433343664643863396537663730663335656262306663303961333832343366343835616362 +34393032363862636639656338656462636436343238616663616634393365353432623361323763 +66323937643936636537323866353461653232653136663631313231613731353231313130353565 +31373336643261336535663739316366626634323635616537666131653534333164353836336531 +36613763353135346630323138643039383634393234656330306664346136346238343762646639 +38383466356332383063613565383765313931356235363330366138333064383938316538373933 +32353836663535613339636130303832323231633832353366393166373235306538656364633666 +62386134643738363830613130353565666337343861653538366530373966626330343032393531 +64373162626336353631306661623837353036663364383930303633613561373432303366323463 +37633963633835363565643131343962656463376163336366383531303164303263663034303530 +30616337373466663939333666313761313334626335376236363436376563626534626666383230 +35373537633135346138323231316565633862666432626430386231653532663132333532373837 +38316161316565346663323138623538356130303564306638623461323765366634633161356234 +39313862336532326161346436363865353833663663376566303865616264303035323864633739 +30383435653961303861646365356462376261663634383433383137363734616337643836333730 +37643737626339646434386638326439663264373362333165623637306664396330303164363366 +66353234386137343136363764633463666137653438393131393436613563313934313736303165 +33633638373561623933623033333036346339346533373435336262346164656162303561366638 +30383035623338653430343731353766653164616139616638636563643630313735333463376662 +62666661623438333936323762616433373236396439636563646237313535343866333064393432 +64336139623933323265333633616131396661656264396262646662303633346262356662633535 +31333038666163316132613365386662396330366630313562663561313962366261323131623939 +33626634303663353466306631653439633430383138643534386430623238326332303232623965 +61653165323132303335353338353366323462633763623062616335663831653266323463353364 
+61303339336162663235303837643432383333343466333365333535633763396664353636613165 +38306536656665333731376339383061383232346437643564346134396265633362616161306339 +63333264656235393639386435353631333438376166646662656631353838326338656438326231 +65326563363431653266623034393435383061333533316235363236393131333231366665343964 +65376438653165633265646233343131373133313939666163313735336564333038333765623766 +38633061303731623832353638396566373238393535383631396566343035656137353461613838 +65363239303664613132363466383336313038653962343939616363323339333866343036613238 +34656537663765346430623332656266323035343435616361343537306263363466373665306361 +39663066633833306330336334306437323430643764306266626634633139396231353638633665 +66336364633536323931343930623832306331393533626539306361333961306663353266303631 +30326633326332353861383735656362306334646238656137656533323835633937313439356538 +38653130656465656531623635343565663739306665313932356562313131373934393435623932 +38663737306135306332373730613466386631353463633261663532393933663034633634343934 +34353437393934663866323236346236383664343963383239636332643639623131376466656363 +32336363616661303535633037303334343861616263616334626430396334633934303162633839 +65613163303037653963353535343132323431326262643862393365356437316566393130383866 +32666133333166656566373532373064373138333335313563633963393938383363396464396532 +61303037326665316634363536653537393933666532396339366531636362306537626638623634 +32383363663134623133626332343132333335356133646134656330376339306538633165353634 +65663731313832613264633430393531633765353233363766386137306364303138373339633438 +62323837653531393738636531303130653530656632393535393739363565666162376436376138 +65656131656165626636386435346132623030626664656437633261383037396332323534653664 +31306137313162356638653064363236336434626134313966613335653633623338356230323133 +61653437663537376561633235646361633233316662313331303962303161393937346565333366 
+31326362303735353937313734363738636439323338646531383235626137393334306363393031 +32383861643734396132626231333537656431656165316261376237333734623635623837623366 +61346566663433366364326561313663333732303737346533363536313365353863333632386232 +63363639656230373639336636333464336136343839353835616565313165336537613666613233 +33313130373838633736306237326666383736616663343838323137663632626630313334623063 +34313737613334343331613864343062663130633963386466626233386332633233663762306237 +35316635396439333934363836353134363538643430363066616636343634643230383630626138 +65623931383631396465353163636161376337346335303738326433363835346162643732393464 +32346462383432636530636166633466393239316631663834653562353436636637393136663933 +36326538646331333436316262373037343065656662623563313465643832626539326261333738 +62353063373461373835333662626465303030366535303332336362663166633736316237313535 +32336533333536626461383737643161373738616539396339336165333162333830633661363162 +38626365616633363431303333613237343538393734653533663831613336346164343734313435 +62366264323738383038393938663366613533666438393261636336363266393736636634323436 +37643262316663663938353338343338373162356337313566376134313464643336326138313838 +36366136306163306265663836663235623231306334633734633736306239316334616132303531 +39663562373762653634666438333861626563353366396231356232663737396436633934363734 +33353738656430383066373463313336623231613530313830633965356361323138396139353664 +38393339613064303365343766663536643061393864313466343966356666633231353765376364 +37636439356164646633313231346365376566663930386563633062633234303163333131663332 +38653431303264636266326665633465303635373762363663303164636330356636616137626633 +30366466626164333332613933396362666135623137636537653838646664643235626233303531 +64373833646434653530613935336434323737313061333930316563653331643938623438626632 +34386236633462616231353063353330346663323535333335383465366135653064343535616233 
+31613236303238663331613739623261366231613661653033626562376664336161303134646535 +36393461626237666466353862303564306333356635303035346237653062663238323030313866 +37613530346335623031316165666137626631653965333236396162323966356633306630633934 +66323465643834396635363131343735643365363163646132373537383233663830643330643666 +38316461313830326433643566366566343966376362373661373839353933353231653539393534 +61373437663937616237353064653934333330306230373034376631633963316236626232643136 +36633865343363373530646566313636326130323136346235636430346561333030393361623161 +38636531626632633632616139613861363332383030396338356461623865323262663763303564 +33643661353230336430383930643433613938646133316636666463626363396264643638363762 +30343135643530356633373330353565373264383665333237663331373035613336653135333133 +37386439303763616138313661333335626532633731373939633966323332646364383665333331 +35623133303865346464313761396462613435613262383339663735386639393536646634323935 +34646661613839386639313733333036623439666536396463336663393737383130383962366336 +37656431653533333338633162663938646432306163376438396134376565353531353832663439 +34366435326364356464366633356332656231623164646361653737333331653636353136626465 +63353233396234386630643864333364373562643333343036386639333036326362383264313431 +62636362663631376666383034303337393562613135376537376335343939343630343766356362 +63326435646163663737633133313735316663386337363830646261396333636431363938623062 +63363338373334343634366139363866343731626561626565663339643164633731396363353435 +32663634366532343939366130363233373634323664313765636235383638613061323034663364 +65646665653732326530383962313762313035353866636362363835613261643331666135336365 +35353161663966643564383935386331633730386134343837613164623537393462313130636235 +66653539396639623264303733636232343131373339303034633337333930393061306139373638 +30363139386238636436316239366537663662363432366132346361666436353337663830363037 
+38643365366339343961383234313830623138316235383464346439396166363739623937653166
+31323639383838323362323663316265333162393664346262323562646232613134626335366231
+63366230623733643336373132383633356530653766653834663430383538366366363966393237
+64633436653332646336343037303665306465323162643863336235623435666131636661616635
+34336562393961383737393632623035633362383763666138343533363166363731323832343534
+31343038666533343130396264613836396434323363396434653938353131336262373936353333
+65373265306132623235316439373936353834376639386364383763643438373039393263383538
+30366532313335306332306261333434613733383430356633626338643537373030336434383231
+39656162643264316239646339643835343934323639623334303931613938363531
diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml
index 1622e1a..9820e4b 100644
--- a/roles/radius/tasks/main.yml
+++ b/roles/radius/tasks/main.yml
@@ -62,6 +62,7 @@
 - clients.conf
 - sites-enabled/default
 - sites-enabled/inner-tunnel
+ - proxy.conf
 - name: reinstall broken backpage
 apt:
diff --git a/roles/radius/templates/proxy.conf.j2 b/roles/radius/templates/proxy.conf.j2
index 0d74b84..36a7acc 100644
--- a/roles/radius/templates/proxy.conf.j2
+++ b/roles/radius/templates/proxy.conf.j2
@@ -23,7 +23,7 @@ home_server radius_aurore_v4 {
 type = auth
 ipaddr = 10.128.0.251
 port = 1812
- secret = aaVVvNUYD/MgE
+ secret = {{ radius_secret_aurore }}
 require_message_authenticator =yes
 response_window = 20
 zombie_period = 40 From 99070ed5efaf7c865ad47bc780a8354094164536 Mon Sep 17 00:00:00 2001
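Review bot: The task that renders this template list starts outside the hunk, so it is not visible whether the rendered proxy.conf receives restrictive permissions; now that the file carries `radius_secret_aurore`, the templating task should set the FreeRADIUS owner/group and `mode: "0640"` (or whatever the other listed config files already use), because a `template` task with no `mode` typically leaves the file readable by every local user. If the loop task already does this for clients.conf, the only thing to confirm is that it applies equally to the new `proxy.conf` item. The blank line between `- proxy.conf` and the `reinstall broken backpage` task appears to have been lost in the collapsed hunk, so the exact end of the list cannot be checked here.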
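Review bot: `secret = {{ radius_secret_aurore }}` inserts the vaulted value as a bare word, so a secret containing whitespace, `#` or a quote would be truncated or break proxy.conf parsing at FreeRADIUS start-up; FreeRADIUS accepts a quoted value here, so `secret = "{{ radius_secret_aurore }}"` is safer as long as the stored secret contains no `"` or backslash, and a one-line comment in the template stating that constraint would help whoever rotates it next. The removed literal secret remains in git history; the commit subject says the password was changed, so this only matters if the vault value was copied rather than rotated. The enclosing `home_server radius_aurore_v4 {` block extends beyond the hunk on both sides.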
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 21 May 2020 18:06:37 +0200 Subject: [PATCH 206/297] radius: step 2 of deployment (WIP)
--- README.md | 13 + group_vars/all/vars.yml | 3 + group_vars/all/vault.yml | 326 +++++++++--------- network.yml | 2 +- roles/radius/tasks/main.yml | 134 ++++++- .../radius/templates/freeradius-logrotate.j2 | 50 +++ roles/re2o-service/tasks/main.yml | 4 +- roles/router/tasks/main.yml | 2 +- 8 files changed, 363 insertions(+), 171 deletions(-) create mode 100644 roles/radius/templates/freeradius-logrotate.j2
diff --git a/README.md b/README.md
index 6b7d611..d52b7aa 100644
--- a/README.md
+++ b/README.md
@@ -118,3 +118,16 @@ for ip in `cat hosts|grep .adm.auro.re`; do
 ssh-copy-id -i ~/.ssh/id_rsa.pub $ip
 done
 ```
+
+
+### Passage à Ansible 2.10 (release: 30 juillet)
+
+```bash
+ansible-galaxy collection install community.general
+ansible-galaxy collection install ansible.posix
+```
+
+Erreur avec sudo ?
+Workaround: `$ export ANSIBLE_BECOME_PASS=''`
+(notez l'espace au début pour ne pas log la commande dans votre historique
+shell)
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index eb846b4..3b0c131 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -67,3 +67,6 @@ re2o_aes_key: "{{ vault_re2o_aes_key }}"
 radius_secret_aurore: "{{ vault_radius_secrets.aurore }}"
 radius_secret_wifi: "{{ vault_radius_secrets.wifi }}"
 radius_secret_wired: "{{ vault_radius_secrets.wired[apartment_block] }}"
+
+radius_pg_replication_password: "{{ vault_re2o_db_user_passwords.replication }}"
+radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}"
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 1443e22..ff1c922 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
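Review bot: The two new `radius_pg_*` variables sit under the `# Radius` heading with no comment saying what they are for, and they read from a second vault mapping (`vault_re2o_db_user_passwords`) next to the existing `vault_re2o_db_password`, which makes the origin of re2o database credentials harder to follow. A one-line comment above them, e.g. `# PostgreSQL role passwords for the radius role (vaulted): replication and re2o read-only`, would document the intent. Whether those keys exist in the vault cannot be verified here because vault.yml is re-encrypted as a whole, and the consumers are presumably in roles/radius/tasks/main.yml, which this commit changes outside the visible portion.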
@@ -1,162 +1,166 @@ $ANSIBLE_VAULT;1.1;AES256 -61336339613837303864333338376131306234356334366237613038323565363539656161643663 -3630396462363834616166383634323735386461653430330a353861386131386130613733663465 -66363639336164303137326133373364643539663032303237633831333764376534366464313030 -6161663162613636660a393262663061656235333836356331366638313263333364306262636631 -62393434336561313630343366626136393933383966613463353135643334666432366433383038 -39306538616266656536373435363963336463366635653433666566343162623065323738336339 -38346632383039663666623137393431313931656538326136356433386261303638616165626336 -63326134336330646236336631306266306532366435323830333233363565366134373236623263 -62653836386362613166643762633865303239666662313138363866373335333566353033613732 -38663634313962373264393763303733616236346230393665633366316538666334333537306536 -61643061356633646133616138396163346538633065313935666639623531303861303663666466 -63346531666362386363383534303436376338653034633565383361386430386636336664626431 -62613263306132633336363562323030613832373363646464303263616264353431386664626137 -36633434343536346333383530343965313262353639363266656562633132343036656137383938 -63333165333835636634336336343732383865306634393939343332396565643661313666656239 -61633635623236383764646664356539383834303437636338633138343465656337643962616365 -37633032303161616664333264336331626531613031363066323137313539373637646533623663 -66313662356438666566313364653933316335376438313939313430643865643432356139353231 -31356236663234383564383162633431376436396331613838613039343762336562343562653738 -33383163653535373538646237623865356462626665613136316365623036396536373633363536 -30613932656534313966633664303661336366336561656434373438373361643532623335643234 -61353466323636663463643262616635653639633463373235636432616561623662393838636335 -30646164633962353138396164303666633366363364373039393339383063316238393332623139 
-62333166393831636232373738643962613063396530633132366536663839333136656338336464 -37633039626138666261343863363232633936323234386362373463353737343330656430643966 -30633037613033383134653133653232373236353535663033323634633564656636316636383537 -65373663393235323561386232613634663962653564373634333034373530353264333037663431 -32326438613436333935346335313364363361383732323362383437626234663533396235333935 -31333132366534373832636637333664346365393236353366363937306138333961393939626138 -33333036653839623138373832613233326262633836363562346261323639383536353433613764 -63323434663437653236383334346634633765636339646665653638333938303665643132643735 -63393838363732646339343937323732653939656466313637383738626131396261303838326565 -34393934333738323137646264666633386661343637613462393864613134383538653966383732 -64383738653833306266663431623162643333616537656136373439373462626266383663303031 -63666265373664653334373266616437653764623765616539343139373934356133613338376239 -63393735613066636432663466353865666661316232393361306438623036643438346130383937 -36373762316263643764303638383633373161383862373630386465643462396432656134313764 -61666534636565366136653438666339346539303238613135613261333431336361346138333161 -33393130333765326361336239373365366332626566396639643966313434666561626262646664 -37386534316136613061343333656630303839356366623835656239306562646436656131366366 -36346635393235663630633331646231313737363535643663333162616135316566396530303030 -33346331303935326631646563663833663266323937383134396162353131396231323837656631 -66373864316332646433316131633435386133373239333261616136613632613162346366643366 -30363030393736343438643866343363366331393031633638333731393732646132393165383361 -31303637386535366535386332666133316564366463313465313637393663623662373431646234 -62663461353961626237343663356664623731376432343538656332613866323135373637313831 -34396132343961656266656430663838643464353362393732623739393938353764323065303464 
-66656435303333616432313232333431326535613635396536663835626361643733363461653831 -33313634656632633831313866306233363633316330313037313035366537373034326231383463 -34633062353635396261353438633564623564346536356131353166353835336135316662343262 -34386333353731313335333339323936643862386264363565373737383364623366663265353339 -62663730623430303535333138653636323864383039653361383435383062336537633865356466 -64303532303338383365326635353363363161613962336166663764353562666236336133353538 -35343733343338346666366139363261313662633866306263666331313336336330326537636538 -37326330393732636163333161643831356533393238303039643663663766613634376336303062 -66316138396433356365623437323932663632393831613835366632653138656530336236383063 -31376433343664643863396537663730663335656262306663303961333832343366343835616362 -34393032363862636639656338656462636436343238616663616634393365353432623361323763 -66323937643936636537323866353461653232653136663631313231613731353231313130353565 -31373336643261336535663739316366626634323635616537666131653534333164353836336531 -36613763353135346630323138643039383634393234656330306664346136346238343762646639 -38383466356332383063613565383765313931356235363330366138333064383938316538373933 -32353836663535613339636130303832323231633832353366393166373235306538656364633666 -62386134643738363830613130353565666337343861653538366530373966626330343032393531 -64373162626336353631306661623837353036663364383930303633613561373432303366323463 -37633963633835363565643131343962656463376163336366383531303164303263663034303530 -30616337373466663939333666313761313334626335376236363436376563626534626666383230 -35373537633135346138323231316565633862666432626430386231653532663132333532373837 -38316161316565346663323138623538356130303564306638623461323765366634633161356234 -39313862336532326161346436363865353833663663376566303865616264303035323864633739 -30383435653961303861646365356462376261663634383433383137363734616337643836333730 
-37643737626339646434386638326439663264373362333165623637306664396330303164363366 -66353234386137343136363764633463666137653438393131393436613563313934313736303165 -33633638373561623933623033333036346339346533373435336262346164656162303561366638 -30383035623338653430343731353766653164616139616638636563643630313735333463376662 -62666661623438333936323762616433373236396439636563646237313535343866333064393432 -64336139623933323265333633616131396661656264396262646662303633346262356662633535 -31333038666163316132613365386662396330366630313562663561313962366261323131623939 -33626634303663353466306631653439633430383138643534386430623238326332303232623965 -61653165323132303335353338353366323462633763623062616335663831653266323463353364 -61303339336162663235303837643432383333343466333365333535633763396664353636613165 -38306536656665333731376339383061383232346437643564346134396265633362616161306339 -63333264656235393639386435353631333438376166646662656631353838326338656438326231 -65326563363431653266623034393435383061333533316235363236393131333231366665343964 -65376438653165633265646233343131373133313939666163313735336564333038333765623766 -38633061303731623832353638396566373238393535383631396566343035656137353461613838 -65363239303664613132363466383336313038653962343939616363323339333866343036613238 -34656537663765346430623332656266323035343435616361343537306263363466373665306361 -39663066633833306330336334306437323430643764306266626634633139396231353638633665 -66336364633536323931343930623832306331393533626539306361333961306663353266303631 -30326633326332353861383735656362306334646238656137656533323835633937313439356538 -38653130656465656531623635343565663739306665313932356562313131373934393435623932 -38663737306135306332373730613466386631353463633261663532393933663034633634343934 -34353437393934663866323236346236383664343963383239636332643639623131376466656363 -32336363616661303535633037303334343861616263616334626430396334633934303162633839 
-65613163303037653963353535343132323431326262643862393365356437316566393130383866 -32666133333166656566373532373064373138333335313563633963393938383363396464396532 -61303037326665316634363536653537393933666532396339366531636362306537626638623634 -32383363663134623133626332343132333335356133646134656330376339306538633165353634 -65663731313832613264633430393531633765353233363766386137306364303138373339633438 -62323837653531393738636531303130653530656632393535393739363565666162376436376138 -65656131656165626636386435346132623030626664656437633261383037396332323534653664 -31306137313162356638653064363236336434626134313966613335653633623338356230323133 -61653437663537376561633235646361633233316662313331303962303161393937346565333366 -31326362303735353937313734363738636439323338646531383235626137393334306363393031 -32383861643734396132626231333537656431656165316261376237333734623635623837623366 -61346566663433366364326561313663333732303737346533363536313365353863333632386232 -63363639656230373639336636333464336136343839353835616565313165336537613666613233 -33313130373838633736306237326666383736616663343838323137663632626630313334623063 -34313737613334343331613864343062663130633963386466626233386332633233663762306237 -35316635396439333934363836353134363538643430363066616636343634643230383630626138 -65623931383631396465353163636161376337346335303738326433363835346162643732393464 -32346462383432636530636166633466393239316631663834653562353436636637393136663933 -36326538646331333436316262373037343065656662623563313465643832626539326261333738 -62353063373461373835333662626465303030366535303332336362663166633736316237313535 -32336533333536626461383737643161373738616539396339336165333162333830633661363162 -38626365616633363431303333613237343538393734653533663831613336346164343734313435 -62366264323738383038393938663366613533666438393261636336363266393736636634323436 -37643262316663663938353338343338373162356337313566376134313464643336326138313838 
-36366136306163306265663836663235623231306334633734633736306239316334616132303531 -39663562373762653634666438333861626563353366396231356232663737396436633934363734 -33353738656430383066373463313336623231613530313830633965356361323138396139353664 -38393339613064303365343766663536643061393864313466343966356666633231353765376364 -37636439356164646633313231346365376566663930386563633062633234303163333131663332 -38653431303264636266326665633465303635373762363663303164636330356636616137626633 -30366466626164333332613933396362666135623137636537653838646664643235626233303531 -64373833646434653530613935336434323737313061333930316563653331643938623438626632 -34386236633462616231353063353330346663323535333335383465366135653064343535616233 -31613236303238663331613739623261366231613661653033626562376664336161303134646535 -36393461626237666466353862303564306333356635303035346237653062663238323030313866 -37613530346335623031316165666137626631653965333236396162323966356633306630633934 -66323465643834396635363131343735643365363163646132373537383233663830643330643666 -38316461313830326433643566366566343966376362373661373839353933353231653539393534 -61373437663937616237353064653934333330306230373034376631633963316236626232643136 -36633865343363373530646566313636326130323136346235636430346561333030393361623161 -38636531626632633632616139613861363332383030396338356461623865323262663763303564 -33643661353230336430383930643433613938646133316636666463626363396264643638363762 -30343135643530356633373330353565373264383665333237663331373035613336653135333133 -37386439303763616138313661333335626532633731373939633966323332646364383665333331 -35623133303865346464313761396462613435613262383339663735386639393536646634323935 -34646661613839386639313733333036623439666536396463336663393737383130383962366336 -37656431653533333338633162663938646432306163376438396134376565353531353832663439 -34366435326364356464366633356332656231623164646361653737333331653636353136626465 
-63353233396234386630643864333364373562643333343036386639333036326362383264313431 -62636362663631376666383034303337393562613135376537376335343939343630343766356362 -63326435646163663737633133313735316663386337363830646261396333636431363938623062 -63363338373334343634366139363866343731626561626565663339643164633731396363353435 -32663634366532343939366130363233373634323664313765636235383638613061323034663364 -65646665653732326530383962313762313035353866636362363835613261643331666135336365 -35353161663966643564383935386331633730386134343837613164623537393462313130636235 -66653539396639623264303733636232343131373339303034633337333930393061306139373638 -30363139386238636436316239366537663662363432366132346361666436353337663830363037 -38643365366339343961383234313830623138316235383464346439396166363739623937653166 -31323639383838323362323663316265333162393664346262323562646232613134626335366231 -63366230623733643336373132383633356530653766653834663430383538366366363966393237 -64633436653332646336343037303665306465323162643863336235623435666131636661616635 -34336562393961383737393632623035633362383763666138343533363166363731323832343534 -31343038666533343130396264613836396434323363396434653938353131336262373936353333 -65373265306132623235316439373936353834376639386364383763643438373039393263383538 -30366532313335306332306261333434613733383430356633626338643537373030336434383231 -39656162643264316239646339643835343934323639623334303931613938363531 +62663038646261303939313365653235313039653639333833663661336439363961633861346332 +6236636666353436383264333661303737653131333031360a633432616130616665623732633332 +31346339633935366164316539393134343864376265333336393863356438313638393563656635 +3765386136656566350a663032663462646337616365313966373735663062323766653935336638 +64396235383663633066643039613630383266663430356639366635333334653035653932386238 +39323937646437306435656464653833383139656138393861653836653435316265623764393739 
+61626636646335633238333337393163653465333136626238373931363561663034633035623335 +66653531623235633535363363373333356366636438643666636133336166313839373836333436 +36333831306261376363663633306432656361326133663732633161636633323439343830613863 +32333036373463343138656639303762396237396365613665643231393837616531626261663439 +36363165313033366365383134303333316336363264663966393637393933363931353766363264 +64383363316361663939396463373938396562313434626235653532666237613035313734343764 +33303339653038656632316538653337653330326261653037626165323533363335306635613133 +61346234613266646538636465323231623830363264336465626436373434613339646236326335 +33633036663663303633326136613838653662653165643832666365656561313064313138643061 +37653664343666386138306164626263313634366232633033396238323737373230346261376436 +65643433613465333230356366383333653665653361663262326530653930303637303565333936 +39613130356165363731343037303630376438613533396235313161333366303235373561386261 +64656562373031323031363933663966663362303534643965616162616436393037346563393864 +66663438616139323137663466383338323833393030366162353430613233323366356537356335 +62636137393338326136353532386130366362346366316538386139663832386534643664306561 +62646362306265333532666364303364373334613139386438306439643235346630363631396661 +61643265666337303437633535353833353866633234343262353330383232373932623134623164 +31353566313861376334613665343838626432303130383537613235316261633664613865376430 +30386265353461626232626339316232333561346139346165623531353732313033636530363634 +35626334633734623132626534393134306366356535623739303364383865306135393338653862 +33303435323864376335356162343634383361363066386335636337363138353337613061666165 +36363439393130323234666630303239613735633633306534376135363832613331633766623433 +32633761663361643164613036333266653037363361646538636162343535306463643461643663 +36353062303636616563393535656163316364623832393863393738383532366234326139643635 
+35626339663238613566616163336565383963393734663131396438353633363936393965633363 +33366131636563623537656634613439643732373532333238626364373631303534376134306237 +31643163306663353164616234303061366163623434393137373432316565386133363865633036 +37396334383364393238666331386663386433613134316231636431653464623639346266323363 +37333033663738313061303339626539343632303235363032346362393462313866363363623366 +34353432383630663765643138613936653538376464333737626437353939393637333038356161 +66353663363730613633616431636237363961306661343638656164666165656338313465663463 +31313037353665396338663233386266346231333366373464623163353036363832336463633731 +39373665666231396136393462633163333738633362633464646263643237646663633730616163 +38653632333638396138656531653438643731636530313034656237313830366336383037343162 +66313835303432616437613931643165643763636333363163643864613531313339353765313864 +61643234326633316564326135633036656234336131353166643236643362343565646264346635 +38313063613238316432363830383334636261643537303338343362376131373661316634633936 +62646237326638343338613163373562643232366231626166616338326532396465366461343732 +34663366653837666339633931303735326437396562306534613366336137373361323563346333 +64363730633033316630613832356633613637646362653039393462636530363532633930323934 +63376136313339393530323538633831356432353338393365363432363639373064383761336362 +62346261343135643430666662643762656361613736356537616636613337363462366530313833 +63656439303162373830643231313432613166663036616564613966333562363063376565363132 +62323562353665343837393966646366396538656562646264653265383737386265626265656635 +37613331623763363638383331626364353666396330306666366633363264333166393038393537 +38326263313534643763313064386437653835373831356531653633336636383336323438346531 +62303162306362396464653663363162343734613538653163343533383431346661363230323264 +30393661306661336266396361616637373334343535656564363962386262336234346133306233 
+62366261666238363238336536636564303635363131643235636537656233303862363132316138 +30373631326635653437616464326436666462393564343834313464663230303538393937343066 +61346439626337663230393962623261333638373534623935396265633364373334383434613664 +63646338326239333365646335666232316265653338373836373435343966653464393163323464 +66616466653130343566336432313465313664313938636535343330633331383435346265386463 +37363864663561363334633864303534393434363237383032353636373261303566633461666138 +39333234313838663837616664353634666435323134663436366665326262333863356337313363 +32313839666232616133636363326661316133396533386639316166353831663361393130396438 +38396161633031333736353636366130613439376163626664386366656335636235303537323462 +38316233373664666531326566323738613635393035336139663164313333323464396439623264 +38383738373866303462336533633238303731633531613338653132393436626137323066363861 +61653333383637623638643533633039303734666466666566353638393564643361643630613638 +30633964346337613235366230393337653337633837303032613465623339373838336432623236 +34316365653964313235373337323534316330396363303365313037383064323430656534613033 +36623366373335613766336339633535396364356130306365366634306463336630323365653932 +36666664393739303631353438353466383332633662346364313466303839356632316537306139 +61363037633933343131643365343565396532326631643738336635333430306365383563666462 +38616439363131366637333533326162663030313535643664643130613535666135653263313031 +37316465343839613231656135383734663163343232303930376131323239353838393464336163 +36616233396266663637383439313239383834353465666634363739323565633934353734666135 +37393231323066313161616331343537663462356339323136363463383833316637663931633931 +38336331646365303461663362663839306566396666323834376562326134663765393161373866 +38396232663036343362326364303230353762376562306230653966633132393837633464323761 +35653339373861303763333131636464373031386333633036663635313234663639356238376665 
+32626265653637626663336531383964636232376334666365373330353337386333653665323263 +38636233393837626131663161643532623836306339303464346166376431616435323363333864 +32383161656331306539363130653633313561326230653234396464326333613431383537376464 +65393862386532363465343266393231306566316464366537316631653764356638336138663331 +63656361383165303463326536383039616438646362303632643334613336323266616136613435 +64373533313266363861363938306565363734353135393734303231313539386239323538316164 +37376139333839343135613465376335663466383663623131346437356639373335396666323265 +62376561353436653832636639383265663961343661346365616536653737343132396333393966 +33376465396666316230616635313463386439623862373332656161333739656236386131636436 +66336439613537326439333862353032316238343736386236343932636165663766313765333665 +37303630383339323464663061333663346438656663383737643862333761373834613435353830 +38303937613136323666643266393032376137376438616261326563383862356436616230613331 +65316234616334353365353930326536623836313833643236636437323735363832383638373162 +37636466636339326163613164306365356334616437643565306339303262633539363234363261 +39346433656635373635343731393039633261643332313735373930633030613938383530373935 +63656633623931616530306661353261386462393365646536393733323731616462653465356161 +34626134653532653265393839346438613639643264666236393532643764643066333462353936 +39373431656363303831626230353037353139323834633266353663386635306335346166633065 +64386366333531363530393531326438633937373238303730383261616163663962383263633561 +38613764303439643361373832356266363539326162643462653661366666353234353631383761 +38623433393766633965323062303964663331353863663063396365313631643464656138656131 +34393362313366313737633032663763336462373134316439663635363563346332333335363937 +36613837363430663961396439313462326435323639616363303638313566373266373830633261 +34393434616438636231303331666331396162383332646139636362373630363731396134373930 
+36383030333061353532653338383735623634623232316333663133393934666339343763366231 +31323738626637353230356633336165303466333666616534653330303634643532353264373236 +32613833623935383162346263633330356633613565626539326662333035376533373962306237 +34333936336264656533373062366332623937333031396237616331383039356539343036613735 +35323061393233343662616231313235383635326237383435363031306137343465386438623635 +39303331613862643533313363333036383866646534346331313133333339616665633236393031 +63323737633065323465653964393162663337633238643764346362623437653739333438666237 +32366230353736323866343436363335653761663931613239333131646565376430376162326164 +65343136313434303332373464363339363564306564353061643432653566653562643633653439 +66356339313934663534613161316137653638613862613439313762353035653861626230336461 +65663733616339313830316266633738333662623466336333333065623533393734353064363332 +31326165343834376265396634623739356334383762353135333863373437353936333034313562 +64626238393339636538633233313364303837356531356237373930393864663733646539626639 +66383966653333626264663732326635326232393334646464303364643531333831366638666263 +30636433353439343463656636326565393733616339623635326362303739356331316334303732 +62323964643961326465323964383763663337643961366634306439343337616361393661613938 +38376338363834366339663630363464633665336364326133323631326561623935316134366237 +65636137326164346238363630633337626231633836623235323636623033323031383031653466 +34333431386338626265356538366335396531333839343461633164383831326337663236653166 +64383834326362633238653537643362663561323337316339633038383731643538326466636364 +31383530396565393464313130336565653963306563306531636639373236306165383365663036 +37303162663261633236376666393533616661643530333731333637356431326438333665303334 +64613363653635643336323462353733346330643030653434643165346165303332646165346665 +63646663366165313064636433303034613366356437383438353734353565366638353930383530 
+62323537356136306635623630623239346464353064666538373565366162316466303261623866 +65303663313231343864656434306239663564356465636632316466346236383862393966613534 +39343631303732393764316436366264326133336537383131626261343265333034383037633165 +64313933653665396535616266633933613061393838386262336135303166663464363134323764 +31386261373937373765613935323964386232653135353038653766396531363663383039393431 +38623465316231313162383666383239306263303035613465313463396133613939666664613237 +30343265383163646531623837303662343463323431343337656331643664633639626635313232 +62386333656538326634663935646330386662376136373362616630303431346235313364613661 +35383533613432343238653536333736303537333063366262313136343032323061636239313261 +30616164373265663636646162366235363733386431623766636331396431316664303837383362 +64346631643033623731623863393037623865306531336338393166313561353436396561646464 +62653534303735623830663432316636303533353866336234613166616664643738363862623665 +38313661313266663163363936636631303437356634316337663936613935333834626631643335 +33356632396438333530316236333639303562646539663533613637613338663661376161336164 +66316232336365306330616434623837356438373435323136363363623737373837623264363765 +39373862633865333566643134626139316231323331363930626462373331653433613932316632 +64616630356631643862623436303533323665313965396532363537313263313463643662323230 +31393662633663323964363262643563396435323038626261366631323465613366633562393938 +39653661356432366466616166643034653835643263383961323161373764656334303031356264 +35366165666234343031646463303038323261653765366332326137356564306637663633376333 +61633361313765666638336135326632613434323131346464646632303064396335653334613732 +66616136393638313038313365393838366163656264326466666636656162323135613761376336 +31333533383632376339383761393537333339623735393133373463613965343631626530313661 +30623637356436323636363537363730376462643133343039303932663763336435616561346461 
+66383431353530393039613437323334366238333464336261656434616666633863663061353665 +33303166653364303538653938393465356330386665313639383232666261653638333065346362 +38663037303339306439373166666637663965613839666334383237663133663831373139653166 +65663931353066633262396662393234366361363361333034303836343939663030363732323536 +32376565316639353434343163653066646162643130393332373766336564613139316263386631 +65343563326261333962363536323438666536373861386365396366646439653564393263653332 +32663434653339363939616231383933613331393539333264633739383239336464633437643631 +32303961366333646130653036366661373062613832373362306439363338313737343232313264 +65333138333561353031326266633564326331643532363563613131383235653663376464636365 +38386465353431386331626633306162386334313331353634313631393066613233656431656235 +33316534663934346636316134616664623633376266633535386264383961383665666262346439 +32343133316332636338363732646630656637623565363836656432366538663261666663323864 +36626430383765353437653030356566396263363238333635386237353535663238356132646464 +65326266616533666231333336353430303663666630643435613763376534666663653434373061 +64633863343439323932616231333030633038366135393761396134343665363238 diff --git a/network.yml b/network.yml index 300c0d2..4958116 100755 --- a/network.yml +++ b/network.yml @@ -28,7 +28,7 @@ # Radius (backup only for now) -- hosts: radius-edc-backup.adm.auro.re +- hosts: ~radius-(edc|fleming)-backup\.adm\.auro\.re roles: - radius diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml index 9820e4b..574a3ef 100644 --- a/roles/radius/tasks/main.yml +++ b/roles/radius/tasks/main.yml @@ -5,6 +5,7 @@ - "deb" - "deb-src" + - name: Ensure /var/www exists file: name: "/var/www" @@ -17,7 +18,7 @@ version: "master_freeradius_python3" force: true -- name: Template local settings +- name: Template local re2o settings template: src: settings_local.py.j2 dest: "/var/www/re2o/re2o/settings_local.py" 
@@ -30,6 +31,8 @@ - name: try to install freeradius-python3 (this will fail on post-install) apt: name: freeradius-python3 + default_release: buster-backports + update_cache: yes ignore_errors: yes no_log: yes @@ -38,6 +41,12 @@ src: freeradius-python3.postinst.j2 dest: /var/lib/dpkg/info/freeradius-python3.postinst +- name: reinstall broken backpage + apt: + name: freeradius-python3 + default_release: buster-backports + force: yes + - name: Setup radius symlinks file: src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}" @@ -54,7 +63,7 @@ - local_prefix: freeradius3/ filename: mods-enabled/eap -- name: Configure radius clients.conf +- name: Configure freeradius template: src: "{{ item }}.j2" dest: "/etc/freeradius/3.0/{{ item }}" @@ -64,10 +73,6 @@ - sites-enabled/inner-tunnel - proxy.conf -- name: reinstall broken backpage - apt: - name: freeradius-python3 - force: yes - name: Install radius requirements (except freeradius-python3) shell: 
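Review bot: `force: yes` on the `reinstall broken backpage` task turns off apt's package authentication (the apt module documents `force` as the `--force-yes` equivalent, which implies `allow_unauthenticated`), so a `freeradius-python3` build from `buster-backports` would be installed even with a missing or bad signature. If the goal is only to re-run the patched postinst, a narrower step (re-running the configure phase, or `state: present` without `force`) avoids that; if unauthenticated installs are genuinely required, a comment on the task should say why. As a point of style, the new booleans here and in the `@@ -30,6 +31,8 @@` hunk (`update_cache: yes`, `force: yes`) are YAML 1.1 truthy spellings; `true` is the canonical form and the one yamllint's `truthy` rule expects.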
@@ -79,3 +84,120 @@ # End of hideousness (hopefully). + +- name: Configure log rotation + template: + src: "freeradius-logrotate.j2" + dest: "/etc/logrotate.d/freeradius" + + + +# Database setup + + +- name: Install postgresql + apt: + name: + - postgresql + - postgresql-client + +- name: Install postgresql ansible module requirement(s) + pip: + name: psycopg2 + +- name: Create read-only user + community.general.postgresql_user: + name: re2o_ro + password: "{{ radius_pg_re2o_ro_password }}" + become_user: postgres + +- name: Create replication user + community.general.postgresql_user: + name: replication + password: "{{ radius_pg_replication_password }}" + become_user: postgres + +- name: Create local DB + community.general.postgresql_db: + name: re2o + owner: replication + state: present + encoding: "UTF8" + lc_collate: 'fr_FR.UTF-8' + lc_ctype: 'fr_FR.UTF-8' + become_user: postgres + + +- name: Dump radius re2o PostgreSQL database schema from master + community.general.postgresql_db: + name: re2o + state: dump + target: /tmp/re2o-schema.sql + target_opts: '-s' + login_host: 10.128.0.12 + login_user: replication + login_password: "{{ radius_pg_replication_password }}" + + +- name: Restore DB + tags: + - restore + community.general.postgresql_db: + name: re2o + state: restore + target: /tmp/re2o-schema.sql + target_opts: "-s" + login_host: localhost + login_user: replication + login_password: "{{ radius_pg_replication_password }}" + + +- name: Grant select permissions on all tables to read-only user + tags: + - perms + community.general.postgresql_privs: + database: re2o + privs: SELECT + objs: ALL_IN_SCHEMA + schema: public + roles: re2o_ro + become_user: postgres + +- name: Grant usage permission on schema to read-only user + tags: + - perms + community.general.postgresql_privs: + database: re2o + privs: USAGE + objs: public + type: schema + roles: re2o_ro + become_user: postgres + +- name: Set default privileges in schema + tags: + - perms + 
community.general.postgresql_privs: + database: re2o + privs: SELECT + schema: public + objs: TABLES + type: default_privs + roles: re2o_ro + become_user: postgres + + +- name: Set up subscription to main database + tags: + - sub + community.general.postgresql_subscription: + name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}" + connparams: + host: re2o-db.adm.auro.re + user: replication + password: "{{ radius_pg_replication_password }}" + dbname: re2o + db: re2o + publications: + - re2o_pub + become_user: postgres diff --git a/roles/radius/templates/freeradius-logrotate.j2 b/roles/radius/templates/freeradius-logrotate.j2 new file mode 100644 index 0000000..91d5df4 --- /dev/null +++ b/roles/radius/templates/freeradius-logrotate.j2 @@ -0,0 +1,50 @@ +# The main server log +/var/log/freeradius/radius.log { + # common options + daily + rotate 365 + missingok + compress + delaycompress + notifempty + + copytruncate +} + +# (in order) +# Session monitoring utilities +# Session database modules +# SQL log files +/var/log/freeradius/checkrad.log /var/log/freeradius/radwatch.log +/var/log/freeradius/radutmp /var/log/freeradius/radwtmp +/var/log/freeradius/sqllog.sql +{ + # common options + daily + rotate 365 + missingok + compress + delaycompress + notifempty + + nocreate +} + +# There are different detail-rotating strategies you can use. One is +# to write to a single detail file per IP and use the rotate config +# below. Another is to write to a daily detail file per IP with: +# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail +# (or similar) in radiusd.conf, without rotation. If you go with the +# second technique, you will need another cron job that removes old +# detail files. You do not need to comment out the below for method #2. +/var/log/freeradius/radacct/*/detail { + # common options + daily + rotate 365 + missingok + compress + delaycompress + notifempty + + nocreate +} 
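Review bot: `Set default privileges in schema` runs as `postgres` without `target_roles`, and ALTER DEFAULT PRIVILEGES only covers objects later created by the role it is issued for, whereas the schema is restored here by `replication` — so tables that appear after the one-shot `ALL_IN_SCHEMA` grant will likely not be readable by `re2o_ro`; `target_roles: replication` on that task (or performing the restore as `postgres`) closes the gap. The dump task connects to the hard-coded `login_host: 10.128.0.12` while the subscription uses `re2o-db.adm.auro.re`; one variable for the master address keeps the two from drifting apart. The schema dump is written to the fixed path `/tmp/re2o-schema.sql` and never removed; a path obtained from the `tempfile` module plus a cleanup task keeps it out of the shared, predictable `/tmp`.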
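Review bot: The second and third stanzas use `nocreate` and have no `postrotate`, so after the rename nothing tells the daemon to reopen the file, unlike the `copytruncate` first stanza; if FreeRADIUS does not reopen these files on its own, a `postrotate` hook (or `copytruncate` here as well) is needed, and a comment should state which assumption holds. `rotate 365` keeps a year of authentication and accounting records that carry user identifiers and MAC addresses; that retention period should be a deliberate, documented choice rather than an inherited default. The file contains no Jinja expressions, so the `.j2` suffix and `template:` buy nothing over `copy:` unless `rotate` is meant to become a variable.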
diff --git a/roles/re2o-service/tasks/main.yml b/roles/re2o-service/tasks/main.yml index 5b7d039..68e963c 100644 --- a/roles/re2o-service/tasks/main.yml +++ b/roles/re2o-service/tasks/main.yml @@ -21,8 +21,8 @@ become: true become_user: "{{ service_user }}" -- name: Configure re2o {{ service_name }} project - ini_file: +- name: "Configure re2o {{ service_name }} project" + community.general.ini_file: path: "{{ service_homedir }}/config.ini" section: Re2o option: "{{ item.key }}" diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml index 6073afe..dd7f865 100644 --- a/roles/router/tasks/main.yml +++ b/roles/router/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Enable IPv4 packet forwarding - sysctl: + ansible.posix.sysctl: name: net.ipv4.ip_forward value: '1' sysctl_set: yes From 8ce63d14b6e7d46ed6b31d7cd1a32a1e102f406b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 21 May 2020 18:08:20 +0200 Subject: [PATCH 207/297] radius: fix settings_local.py --- roles/radius/tasks/main.yml | 8 +++--- roles/radius/templates/local_routers.py.j2 | 28 +++++++++++++++++++++ roles/radius/templates/settings_local.py.j2 | 19 +++++++++++--- 3 files changed, 49 insertions(+), 6 deletions(-) create mode 100644 roles/radius/templates/local_routers.py.j2 diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml index 574a3ef..dfdeac8 100644 --- a/roles/radius/tasks/main.yml +++ b/roles/radius/tasks/main.yml @@ -20,9 +20,11 @@ - name: Template local re2o settings template: - src: settings_local.py.j2 - dest: "/var/www/re2o/re2o/settings_local.py" - + src: "{{ item }}.j2" + dest: "/var/www/re2o/re2o/{{ item }}" + loop: + - settings_local.py + - local_routers.py # What follows is a hideous abomination. diff --git a/roles/radius/templates/local_routers.py.j2 b/roles/radius/templates/local_routers.py.j2 new file mode 100644 index 0000000..ce42020 --- /dev/null +++ b/roles/radius/templates/local_routers.py.j2 
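Review bot: The loop now renders `settings_local.py`, which holds the `re2o` and `re2o_ro` database passwords, into `/var/www/re2o/re2o/` with no `owner`, `group` or `mode` on the template task, so the file gets the module's default permissions inside a web-served tree. Add explicit ownership and `mode: "0640"`, with owner and group set to the account the FreeRADIUS python module runs as, so the credentials are readable only by the service.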
@@ -0,0 +1,28 @@ +class DbRouter(object): + """ + A router to control all database operations on models in the + auth application. + """ + def db_for_read(self, model, **hints): + """ + Attempts to read remote models go to local database. + """ + return 'default' + + def db_for_write(self, model, **hints): + """ + Attempts to write remote models go to the remote database. + """ + return 'master' + + def allow_relation(self, obj1, obj2, **hints): + """ + Allow relations involving the remote database + """ + return True + + def allow_migrate(self, db, app_label, model_name=None, **hints): + """ + Allow migrations on the remote database + """ + return True diff --git a/roles/radius/templates/settings_local.py.j2 b/roles/radius/templates/settings_local.py.j2 index 1a6308e..01d9043 100644 --- a/roles/radius/templates/settings_local.py.j2 +++ b/roles/radius/templates/settings_local.py.j2 @@ -44,14 +44,14 @@ DEBUG = False ADMINS = [('AURORE', 'monitoring.aurore@lists.crans.org'), ('Gabriel Detraz', 'detraz@crans.org')] # The list of hostname the server will respond to. -ALLOWED_HOSTS = ['radius-pacaterie.adm.auro.re'] +ALLOWED_HOSTS = ['{{ inventory_hostname }}'] # The time zone the server is runned in TIME_ZONE = 'Europe/Paris' # The storage systems parameters to use DATABASES = { - 'default': { # The DB + 'master': { 'ENGINE': 'django.db.backends.postgresql_psycopg2', 'NAME': 're2o', 'USER': 're2o', @@ -62,7 +62,18 @@ DATABASES = { 'COLLATION': 'utf8_general_ci' } }, - 'ldap': { # The LDAP + 'default': { + 'ENGINE': 'django.db.backends.postgresql_psycopg2', + 'NAME': 're2o', + 'USER': 're2o_ro', + 'PASSWORD': "{{ radius_pg_re2o_ro_password }}", + 'HOST': 'localhost', + 'TEST': { + 'CHARSET': 'utf8', + 'COLLATION': 'utf8_general_ci' + } + }, + 'ldap': { 'ENGINE': 'ldapdb.backends.ldap', 'NAME': 'ldap://10.128.0.11/', 'USER': 'cn=admin,dc=auro,dc=re', 
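Review bot: `allow_migrate` returns `True` for every alias, so `manage.py migrate` on a radius host will try to apply schema changes to `default`, which in the companion settings is the local replica reached as the `re2o_ro` role that the subscription tasks grant only `SELECT` privileges; at best that fails on permissions, at worst it leaves the subscriber's schema diverging from the publisher, since logical replication does not carry DDL. Returning `db == 'master'` (or `db != 'default'` if the `ldap` alias must keep migrating) limits migrations to the writable database. The docstrings also describe the opposite of what the code does — `db_for_read` says "remote models go to local database" while `db_for_write` says "go to the remote database" — and would read better as `Route all reads to the local read-only replica.` and `Route all writes to the master database.`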
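Review bot: The new `default` alias connects as `re2o_ro`, which the subscription tasks grant only `SELECT` default privileges, yet Django sends every write that the router does not redirect — its own `django_migrations` bookkeeping when `migrate` is run without `--database`, and anything using `using='default'` explicitly — to this alias, so such writes will surface as permission errors at runtime rather than being routed to `master`; a comment such as `# read-only logical replica: all writes must go through DbRouter to 'master'` on the alias would make that contract explicit. The copied `TEST` block also names the MySQL collation `utf8_general_ci`, which the PostgreSQL backend will likely reject if a test database is ever created from these settings.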
@@ -114,3 +125,5 @@ OPTIONNAL_APPS_RE2O = () # Some Django apps you want to add in you local project OPTIONNAL_APPS = OPTIONNAL_APPS_RE2O + () + +LOCAL_ROUTERS = ["re2o.local_routers.DbRouter"] From fe62055cdd625ec5bab692be0b1a8c57584d629e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 21 May 2020 19:25:30 +0200 Subject: [PATCH 208/297] radius: enable service, fix details --- network.yml | 2 +- roles/radius/tasks/main.yml | 13 ++++++++++--- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/network.yml b/network.yml index 4958116..d16893d 100755 --- a/network.yml +++ b/network.yml @@ -28,7 +28,7 @@ # Radius (backup only for now) -- hosts: ~radius-(edc|fleming)-backup\.adm\.auro\.re +- hosts: ~radius-(edc|fleming|pacaterie).* roles: - radius diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml index dfdeac8..9172c79 100644 --- a/roles/radius/tasks/main.yml +++ b/roles/radius/tasks/main.yml @@ -36,18 +36,18 @@ default_release: buster-backports update_cache: yes ignore_errors: yes - no_log: yes - name: fix freeradius-python3 postinstall script template: src: freeradius-python3.postinst.j2 dest: /var/lib/dpkg/info/freeradius-python3.postinst -- name: reinstall broken backpage +- name: reinstall broken package (this might fail too, for different reasons) apt: name: freeradius-python3 default_release: buster-backports force: yes + ignore_errors: yes - name: Setup radius symlinks file: @@ -93,7 +93,6 @@ dest: "/etc/logrotate.d/freeradius" - # Database setup @@ -203,3 +202,11 @@ publications: - re2o_pub become_user: postgres + + +- name: Restart freeradius, ensure enabled + systemd: + name: freeradius + enabled: yes + state: restarted + daemon_reload: yes From 63b4425a27ade122ed98f3a0f78945a57035fc20 Mon Sep 17 00:00:00 2001 
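Review bot: The host pattern `~radius-(edc|fleming|pacaterie).*` is no longer limited to `-backup` hosts, yet the comment above it still reads `# Radius (backup only for now)`, and the `.*` tail means any inventory name beginning with those prefixes — including primary radius servers — now receives the role. If that broadening is intended, update the comment, e.g. `# Radius (all edc/fleming/pacaterie radius hosts)`; if not, keep the anchored form `~radius-(edc|fleming|pacaterie)-backup\.adm\.auro\.re`. The same stale comment is carried into the later network.yml hunk of "gs: fix vars" that adds `gs` to the alternation.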
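Review bot: Adding `ignore_errors: yes` to the `reinstall broken package` task masks every failure of an `apt` call that already runs with `force: yes`, which disables apt's package authentication checks, so a bad download or an unsigned package would neither stop the play nor be visible beyond a red line in the output. Prefer `register: reinstall_result` with a `failed_when:` condition that matches only the expected postinst failure, so that unexpected errors still abort the play. The earlier task in this hunk already tolerates failures the same way, so a short comment naming the known-broken postinst scenario above both would help the next maintainer decide when the workaround can be removed.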
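Review bot: `state: restarted` in a regular task restarts freeradius on every play run, even when nothing changed, which interrupts the service on each deploy. Use `state: started` here and move the restart into a handler (`notify: Restart freeradius`) triggered by the config, symlink and template tasks, so a restart happens only when one of them reports changed. The tasks that would need the `notify` live outside this hunk.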
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 21 May 2020 19:45:35 +0200 Subject: [PATCH 209/297] gs: fix vars --- group_vars/all/vault.yml | 332 +++++++++--------- group_vars/{georgesand => gs}/main.yml | 5 + .../sudo_location_group.yml | 0 network.yml | 2 +- 4 files changed, 173 insertions(+), 166 deletions(-) rename group_vars/{georgesand => gs}/main.yml (54%) rename group_vars/{georgesand => gs}/sudo_location_group.yml (100%) diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index ff1c922..093dc63 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml 
@@ -1,166 +1,168 @@ $ANSIBLE_VAULT;1.1;AES256 -62663038646261303939313365653235313039653639333833663661336439363961633861346332 -6236636666353436383264333661303737653131333031360a633432616130616665623732633332 -31346339633935366164316539393134343864376265333336393863356438313638393563656635 -3765386136656566350a663032663462646337616365313966373735663062323766653935336638 -64396235383663633066643039613630383266663430356639366635333334653035653932386238 -39323937646437306435656464653833383139656138393861653836653435316265623764393739 -61626636646335633238333337393163653465333136626238373931363561663034633035623335 -66653531623235633535363363373333356366636438643666636133336166313839373836333436 -36333831306261376363663633306432656361326133663732633161636633323439343830613863 -32333036373463343138656639303762396237396365613665643231393837616531626261663439 -36363165313033366365383134303333316336363264663966393637393933363931353766363264 -64383363316361663939396463373938396562313434626235653532666237613035313734343764 -33303339653038656632316538653337653330326261653037626165323533363335306635613133 -61346234613266646538636465323231623830363264336465626436373434613339646236326335 -33633036663663303633326136613838653662653165643832666365656561313064313138643061 -37653664343666386138306164626263313634366232633033396238323737373230346261376436 -65643433613465333230356366383333653665653361663262326530653930303637303565333936 -39613130356165363731343037303630376438613533396235313161333366303235373561386261 -64656562373031323031363933663966663362303534643965616162616436393037346563393864 -66663438616139323137663466383338323833393030366162353430613233323366356537356335 -62636137393338326136353532386130366362346366316538386139663832386534643664306561 -62646362306265333532666364303364373334613139386438306439643235346630363631396661 -61643265666337303437633535353833353866633234343262353330383232373932623134623164 
-31353566313861376334613665343838626432303130383537613235316261633664613865376430 -30386265353461626232626339316232333561346139346165623531353732313033636530363634 -35626334633734623132626534393134306366356535623739303364383865306135393338653862 -33303435323864376335356162343634383361363066386335636337363138353337613061666165 -36363439393130323234666630303239613735633633306534376135363832613331633766623433 -32633761663361643164613036333266653037363361646538636162343535306463643461643663 -36353062303636616563393535656163316364623832393863393738383532366234326139643635 -35626339663238613566616163336565383963393734663131396438353633363936393965633363 -33366131636563623537656634613439643732373532333238626364373631303534376134306237 -31643163306663353164616234303061366163623434393137373432316565386133363865633036 -37396334383364393238666331386663386433613134316231636431653464623639346266323363 -37333033663738313061303339626539343632303235363032346362393462313866363363623366 -34353432383630663765643138613936653538376464333737626437353939393637333038356161 -66353663363730613633616431636237363961306661343638656164666165656338313465663463 -31313037353665396338663233386266346231333366373464623163353036363832336463633731 -39373665666231396136393462633163333738633362633464646263643237646663633730616163 -38653632333638396138656531653438643731636530313034656237313830366336383037343162 -66313835303432616437613931643165643763636333363163643864613531313339353765313864 -61643234326633316564326135633036656234336131353166643236643362343565646264346635 -38313063613238316432363830383334636261643537303338343362376131373661316634633936 -62646237326638343338613163373562643232366231626166616338326532396465366461343732 -34663366653837666339633931303735326437396562306534613366336137373361323563346333 -64363730633033316630613832356633613637646362653039393462636530363532633930323934 -63376136313339393530323538633831356432353338393365363432363639373064383761336362 
-62346261343135643430666662643762656361613736356537616636613337363462366530313833 -63656439303162373830643231313432613166663036616564613966333562363063376565363132 -62323562353665343837393966646366396538656562646264653265383737386265626265656635 -37613331623763363638383331626364353666396330306666366633363264333166393038393537 -38326263313534643763313064386437653835373831356531653633336636383336323438346531 -62303162306362396464653663363162343734613538653163343533383431346661363230323264 -30393661306661336266396361616637373334343535656564363962386262336234346133306233 -62366261666238363238336536636564303635363131643235636537656233303862363132316138 -30373631326635653437616464326436666462393564343834313464663230303538393937343066 -61346439626337663230393962623261333638373534623935396265633364373334383434613664 -63646338326239333365646335666232316265653338373836373435343966653464393163323464 -66616466653130343566336432313465313664313938636535343330633331383435346265386463 -37363864663561363334633864303534393434363237383032353636373261303566633461666138 -39333234313838663837616664353634666435323134663436366665326262333863356337313363 -32313839666232616133636363326661316133396533386639316166353831663361393130396438 -38396161633031333736353636366130613439376163626664386366656335636235303537323462 -38316233373664666531326566323738613635393035336139663164313333323464396439623264 -38383738373866303462336533633238303731633531613338653132393436626137323066363861 -61653333383637623638643533633039303734666466666566353638393564643361643630613638 -30633964346337613235366230393337653337633837303032613465623339373838336432623236 -34316365653964313235373337323534316330396363303365313037383064323430656534613033 -36623366373335613766336339633535396364356130306365366634306463336630323365653932 -36666664393739303631353438353466383332633662346364313466303839356632316537306139 -61363037633933343131643365343565396532326631643738336635333430306365383563666462 
-38616439363131366637333533326162663030313535643664643130613535666135653263313031 -37316465343839613231656135383734663163343232303930376131323239353838393464336163 -36616233396266663637383439313239383834353465666634363739323565633934353734666135 -37393231323066313161616331343537663462356339323136363463383833316637663931633931 -38336331646365303461663362663839306566396666323834376562326134663765393161373866 -38396232663036343362326364303230353762376562306230653966633132393837633464323761 -35653339373861303763333131636464373031386333633036663635313234663639356238376665 -32626265653637626663336531383964636232376334666365373330353337386333653665323263 -38636233393837626131663161643532623836306339303464346166376431616435323363333864 -32383161656331306539363130653633313561326230653234396464326333613431383537376464 -65393862386532363465343266393231306566316464366537316631653764356638336138663331 -63656361383165303463326536383039616438646362303632643334613336323266616136613435 -64373533313266363861363938306565363734353135393734303231313539386239323538316164 -37376139333839343135613465376335663466383663623131346437356639373335396666323265 -62376561353436653832636639383265663961343661346365616536653737343132396333393966 -33376465396666316230616635313463386439623862373332656161333739656236386131636436 -66336439613537326439333862353032316238343736386236343932636165663766313765333665 -37303630383339323464663061333663346438656663383737643862333761373834613435353830 -38303937613136323666643266393032376137376438616261326563383862356436616230613331 -65316234616334353365353930326536623836313833643236636437323735363832383638373162 -37636466636339326163613164306365356334616437643565306339303262633539363234363261 -39346433656635373635343731393039633261643332313735373930633030613938383530373935 -63656633623931616530306661353261386462393365646536393733323731616462653465356161 -34626134653532653265393839346438613639643264666236393532643764643066333462353936 
-39373431656363303831626230353037353139323834633266353663386635306335346166633065 -64386366333531363530393531326438633937373238303730383261616163663962383263633561 -38613764303439643361373832356266363539326162643462653661366666353234353631383761 -38623433393766633965323062303964663331353863663063396365313631643464656138656131 -34393362313366313737633032663763336462373134316439663635363563346332333335363937 -36613837363430663961396439313462326435323639616363303638313566373266373830633261 -34393434616438636231303331666331396162383332646139636362373630363731396134373930 -36383030333061353532653338383735623634623232316333663133393934666339343763366231 -31323738626637353230356633336165303466333666616534653330303634643532353264373236 -32613833623935383162346263633330356633613565626539326662333035376533373962306237 -34333936336264656533373062366332623937333031396237616331383039356539343036613735 -35323061393233343662616231313235383635326237383435363031306137343465386438623635 -39303331613862643533313363333036383866646534346331313133333339616665633236393031 -63323737633065323465653964393162663337633238643764346362623437653739333438666237 -32366230353736323866343436363335653761663931613239333131646565376430376162326164 -65343136313434303332373464363339363564306564353061643432653566653562643633653439 -66356339313934663534613161316137653638613862613439313762353035653861626230336461 -65663733616339313830316266633738333662623466336333333065623533393734353064363332 -31326165343834376265396634623739356334383762353135333863373437353936333034313562 -64626238393339636538633233313364303837356531356237373930393864663733646539626639 -66383966653333626264663732326635326232393334646464303364643531333831366638666263 -30636433353439343463656636326565393733616339623635326362303739356331316334303732 -62323964643961326465323964383763663337643961366634306439343337616361393661613938 -38376338363834366339663630363464633665336364326133323631326561623935316134366237 
-65636137326164346238363630633337626231633836623235323636623033323031383031653466 -34333431386338626265356538366335396531333839343461633164383831326337663236653166 -64383834326362633238653537643362663561323337316339633038383731643538326466636364 -31383530396565393464313130336565653963306563306531636639373236306165383365663036 -37303162663261633236376666393533616661643530333731333637356431326438333665303334 -64613363653635643336323462353733346330643030653434643165346165303332646165346665 -63646663366165313064636433303034613366356437383438353734353565366638353930383530 -62323537356136306635623630623239346464353064666538373565366162316466303261623866 -65303663313231343864656434306239663564356465636632316466346236383862393966613534 -39343631303732393764316436366264326133336537383131626261343265333034383037633165 -64313933653665396535616266633933613061393838386262336135303166663464363134323764 -31386261373937373765613935323964386232653135353038653766396531363663383039393431 -38623465316231313162383666383239306263303035613465313463396133613939666664613237 -30343265383163646531623837303662343463323431343337656331643664633639626635313232 -62386333656538326634663935646330386662376136373362616630303431346235313364613661 -35383533613432343238653536333736303537333063366262313136343032323061636239313261 -30616164373265663636646162366235363733386431623766636331396431316664303837383362 -64346631643033623731623863393037623865306531336338393166313561353436396561646464 -62653534303735623830663432316636303533353866336234613166616664643738363862623665 -38313661313266663163363936636631303437356634316337663936613935333834626631643335 -33356632396438333530316236333639303562646539663533613637613338663661376161336164 -66316232336365306330616434623837356438373435323136363363623737373837623264363765 -39373862633865333566643134626139316231323331363930626462373331653433613932316632 -64616630356631643862623436303533323665313965396532363537313263313463643662323230 
-31393662633663323964363262643563396435323038626261366631323465613366633562393938 -39653661356432366466616166643034653835643263383961323161373764656334303031356264 -35366165666234343031646463303038323261653765366332326137356564306637663633376333 -61633361313765666638336135326632613434323131346464646632303064396335653334613732 -66616136393638313038313365393838366163656264326466666636656162323135613761376336 -31333533383632376339383761393537333339623735393133373463613965343631626530313661 -30623637356436323636363537363730376462643133343039303932663763336435616561346461 -66383431353530393039613437323334366238333464336261656434616666633863663061353665 -33303166653364303538653938393465356330386665313639383232666261653638333065346362 -38663037303339306439373166666637663965613839666334383237663133663831373139653166 -65663931353066633262396662393234366361363361333034303836343939663030363732323536 -32376565316639353434343163653066646162643130393332373766336564613139316263386631 -65343563326261333962363536323438666536373861386365396366646439653564393263653332 -32663434653339363939616231383933613331393539333264633739383239336464633437643631 -32303961366333646130653036366661373062613832373362306439363338313737343232313264 -65333138333561353031326266633564326331643532363563613131383235653663376464636365 -38386465353431386331626633306162386334313331353634313631393066613233656431656235 -33316534663934346636316134616664623633376266633535386264383961383665666262346439 -32343133316332636338363732646630656637623565363836656432366538663261666663323864 -36626430383765353437653030356566396263363238333635386237353535663238356132646464 -65326266616533666231333336353430303663666630643435613763376534666663653434373061 -64633863343439323932616231333030633038366135393761396134343665363238 +30303466313332386663653437633162366435303931386433386437393133326338653433383838 +6536366261346666303239313536353263616235363761640a306262643931333035653162333839 
+31343430386661623938333332393336313564353435633961323532623037333535333966643539 +6138306433636235390a353464616630376261613839643263613063386437313766666165613336 +37353431623631363662346134386466346163616432353361356632313861323130633338353264 +65353230643532343036353736623065383635333662363263663063363163656633646235613336 +36323466353530303434363037623964303931643462323437313733366636303766633262303465 +64333066313562313733356365636530316533633532636632626637626462636133666133353338 +37333866333337353162386139376463313030346636336231626166663231626130343738633166 +65343833316632643532393531363037313936656364356630616137373734356631333464396464 +66643237393039633461363433386432373935626631313465656539656538663931313866343863 +37626261373737666630623966333436336163636338336439653363356632656463346662333234 +64663936323634373733333262646531333437393562376232633266343738643266353633663437 +61656166363763333933323961666637653464396533356635643835643566633938363762313065 +63396566313830393935653339666262346463626266373734356532306461633961333930336261 +61383762643464396131653838376337353462396533336231353230306431373162306437633266 +32626365363031646233663632353730366234366539326137623331386263396435386433396232 +61633664636164373734623138306563643263363839313434643036396437653832343334613365 +66643433393831646338363830653739316234356632666365306364653262613836653933636636 +61623038303063376137633531386531386634313536323466623636313334393661636634373638 +63383139343061643634346166303037636531396636366165306266346131326532306537663963 +30666532376462306435383735643439313739343039613533653231353338393439376638646565 +38323162343435643033336532353636663831313433626534653334343939623864656138653035 +62383566396663653037623866633934363863646538306562636531373762613863343937383531 +63303932363739306131643331323032626466636535613966663631646436353830356439393361 +32353764383239386437303363323337666339663966653332303230653236616339353930336137 
+66646533366666663632383530373663653335303161623664633932356636343664393865336137 +63313766313831346661656134353736666463336561343162326263376239373934373163393035 +64303630663537623435356136336237386666313331666138366530356130306139323538353833 +63633230333432636433393635383061656265376535313038316461363561363733316231386234 +33366262343866323936623266353061613931396663386638306466343636626133393561636536 +63653833393633346463643737346334646338383835646364633235393037643462653662353039 +37323436633231303464386530303434636130336561653833666536303166373030353633656238 +66663562393164303563653935333438336231613064393765653030373064663462363030356561 +64303934663362633436636633613538353664633361353566623663643961663432386530376538 +66643735383038366436323865383563353132626331336339393666333164396631376562396636 +39316435343261656266643232643931356566333336303666623331316236346265383230333835 +30636165316461393936633566346438616464333031343163636462326630653061353332353565 +37323032333633653463383338333265386434306666333930326664363863663636366666643438 +36346662326562366163303665376234336633646435313834616335313363363332653962316662 +64376463356430613266626535353563326530626330356235346537656633313964383932356465 +34336664353861363436306361336337323565376238373439626130393866663134396135643136 +32346333386266636437333631363330663065613036303437353631303131373430386234316538 +36373934373064366664653139336265646361363631333863383731363737323230613931353333 +31666436653361333931316463643730366636303932333730623939323533613532396238306238 +62353066646435663365336635393030346233333138333766613661613039393161333234613066 +39663537353562313035363036343064323263623537646632393362613839383836643166366635 +31656662663665383238656634363062393133343033343933353938326633343061313732346562 +39376561633939616538303833383235663338636164613336333036353334313332666531366230 +32373135336136343934356264656664653730313963363733313833306361613139643434646430 
+64343235366437363931623731353239623764343931633330343737626163623632353864646639 +61636430373637316635323533373162633536393439393338623331303662333962613532323133 +33343336626462626132376235303165643164313761313136376631653731356535363465666661 +33363737363338366534333835363837393565653562623436333835653936663834376664333864 +36643333353263303533623531373732616365333030643735363533366463333035363136616139 +37386532373336663264643433633432653631313262333735353265373161353463303362353630 +38666363336539633564306132376565616463643662343136623461363230356564386335643732 +39653132646431636436383437366166373465336435356638643865346265643335383864363037 +63303633616233333233343962343037363465623635653831656539363662373035663163383238 +39643833356331323764386264373062306435383132656236313734643564396432396363363366 +65663630336539353261323739633765653036356632303739373239323334356133373133383631 +31343462323032393434326133343135653938353534666339356334636134363937363835646630 +38326561623264616439386264646635373063353966373936346634316239323464313531353035 +36656533333232313261316334323534336538626430363363353363363631386362363864616661 +34656462373230633364663963313662343334633235643034663231626362646163333563386638 +31363831363137353862613337323036626338653634653664303262656333663538633566646137 +31333264383535323336613262643636323733336461313339643665356134376161323262363331 +39353237653931316662393538383463373636653834333334303137643037353436303131353466 +62393037363565616564393732326334633035353337616638366537633238353465346234643134 +37303961343837636638303761313536663862333864663733663266623931353863323466636461 +37353764353034383833383533626430376537376233346539663966323061386135663463323665 +33333038363138663264326432313432666632333234376366663963356534623137333831353632 +31623038653034666236333934646539653361343839333533636563303636303434336434363932 +31376639336130353666363361633535323932376535626230376632613734653633323334633464 
+33616532336363346632356662396631633133616337663161646531386632353433613864386331 +36356337346539313963396238346333323266366332353863653363396335383935343436656263 +63613634643461333434623062333232623135626665623731366536346532613063653566386133 +31336239663964643662373964643665616134653235666164656236306565623638623330353630 +64396139343463383732336536623561363639366663636163643236336635323538323336666137 +38373334393837393563333331336638376162303532393066343839343633616162326665313738 +62643731626666336634303639376337366666306238663235636265303833646231616239316665 +37336132303462306462386334306132353930643461303664666563613261643633636635363731 +66633638313230363136343632626464336335643833613162383930346439313637646139623631 +36376661346265333334666535323063656430306463613938366632306366363631663232663433 +38313663663937336435643338623837653731333961356264663965373234353938623232353065 +64633039316663343139666338363662393362643966613466316664323437396532356465616639 +61326364663565643537633633316163646362613063653562646165326435353632396566626530 +62343732356437613334363361373237643839323431366238316434376562326334343431353466 +61396636396636326466386131653133316437306263303630363830306366666636323937653533 +61616634616161333035303132353664393333316263313863656463393736356533636535623035 +35363734393465326263383862613062613235663538386166333235653765306663383332653338 +62323031303932626331633162393062643833383631333265303431653836336563313561303533 +33643236663930653766303930646132383064663031373466633732376438323238383035626232 +35356533613133326239353537383866306338616538643839343162623932613439623538643130 +33363130366463356434623265326664353064656233373536353235663936363266623562663362 +35613436333363376438643331353536666134303561613239626634656135303862323432303761 +32326438313162633262653163643534393934353337393262333461313166373339333532373635 +39326535303239386135326138666133363531353865663934326332356161356364313561613364 
+61363133336165646462373932643135653438626130643364626531346339656237373935386563 +39313830396631366466363066653464316165306261306461343636656562653234313933316331 +37323335653538663537646332616665303138346138363134393631336566326562346265343138 +35316666333336663231373963383265633832656462313961376430613338616238613562323931 +33353931666538383134373230353830633136376134326131386435353834366335666566396634 +63363930366631313661363538616261363532373332613966363030363662356132373261343637 +34303038653531383134326231333562643639666638653631633436323234643931653734333338 +30343938323534353063643664663536353733343430616336383161643633616337383734366162 +38363838633334343232353737303239643733646166323263363039353939633136616362393662 +65653765353566616430373632383137386331313966393731393861353763323633643163663065 +37613266326361656666653662303131343036383133646435656362623439313733323638623633 +63366236326634643133656131363061353632386438336435313062653961363563653065346265 +64613762393830616336346362373232623234303330613034326236636163616364303366313163 +36613930616663643438373238336661663962616330383635653564353366383234653735656231 +65393866653535616230376464653030346334343865303439636236656432396433663534333434 +31336332303535386237333336636436396235653265323361393935323937393336336232303531 +64303732303365333962356464663134303237326133333464616638303131306138626132633962 +36353866313635373230316262326263623531316135663631363838633362316664626438313461 +38613862376435383961376436643630653436343461336165656331393764646161376164666462 +37633030383361393864643063353232366161353934343461393366356538373261333663656638 +36663830633266663938333736366234376564646539356462393930643062666538306632393237 +61356632633561386565613730613131343261386662656333313363336432383637386133346261 +30396666646434666466626236666365323039313037636466636331373137366663623339643261 +35643937666362316538613830346138363437376664633233666230663131353437666435613466 
+30346131373462356232613761356564363264646338313537366637396230313634653430323061 +39386435666631373339666236623661633631623635313366383139636361356231393462613437 +34373862646130636261663831376332316133396262316437633739383437646435633236333661 +30336366306564393538623431396665626537313130656334636234313464376564613434633831 +33633737613130643334376131356330646634333834303062613736393534313065623834346562 +35393564383962636133346461313131363864373334653264633561326136323361313936653734 +31383130663239333063623837373139633031363331663535633832653831303264336265666463 +39353434383866666439633936353462303231663936633862303961386630636535656331373535 +35366263646665623236656463653063383233306262396461363639303563383736323038663164 +36363161346262306362366236656433353337316437373631363832303437633933386538366430 +33313366616161646264333235623864626238646263636461393037373234333437363534363532 +32386363656664303138623134396338316638346531366538636239303638626462396132373437 +31653131313335306239393431353533633362303966353938623237356131386237616366346638 +66623434313831366333323265653131323233373862383530633538623965393765323034323934 +34326131303562646433343961626139356263396462626534336639623534663465613338636337 +66363137313033373765626136616131363832653063616131666538666263646133613562383830 +39336630636666386364666262623235386134353063323331376238616133336666306161383830 +36353131316263633933356336653166313334363365383562373233356461383533326661663331 +39353665363365333835383034393136353466323438633933363062393134613365633532613131 +38626530353431636363626131333633626139616465643963306262333639356431313362363332 +38386661343731393437393566613961383463646434653038323063396666653461663932376366 +39663738323537363630363666323062623339633266303862376435393762303363366162313565 +34616464613065383639633865373764363230306437303236616261333766363738343131623765 +61373962343236333361396635363562343565386266383063633331366131306262643130653037 
+66383562326438383562656535373835353335316639663166343163623365613263343364383435 +32336162356561313737333665383732643565393030643132333934373339643535383033313263 +37333365386663353437636236303339633631613266343238636638613634336233353462653335 +32316538646339663435363962626537373632303631653339306633336266623264396665376165 +61623963366336306230333937636466383035383262356664323361326234343561336338616237 +30373461343465646366373564363838326266326566356166333935356261633066613438613331 +31363232653831636634643765323036663266643862363431373465313465316630313261353538 +31356233363435323937393439333838373462313033336338356666343432656162626461643238 +66386464316262303433363231376535363437653562326264313135643737383462656365666361 +64366234633535333434373163333164643666653638386639616436373739353431313730346461 +64366665336561313830393036616239376234343239383833376138323261633831303735303330 +61643462353839633934326639663839386565353736356535383836626231323430366136626535 +65366332383438343235623034636234613566653137386163626634653065626163376139313938 +33646366626234663934666235393661663435336334333362626633353730633538346231643034 +32303964363134336163356537663535306235363664623938323339643663336365373035393235 +36313731376534356166333266383163663264646634396334303166343637626233333162326536 +38343430396136663231343834373535336632666532313037373336383233306634306566396230 +35653264643339613634343538336439356539346462663336316361663435376332323330373461 +34313537646234383536633239363734356564336334633434383333393733323466336231666362 +65353562623565656462316462643466386432303063363461373836316236616433646334666561 +323965343133626434643938396633643338 diff --git a/group_vars/georgesand/main.yml b/group_vars/gs/main.yml similarity index 54% rename from group_vars/georgesand/main.yml rename to group_vars/gs/main.yml index 0161c8a..10a85ab 100644 --- a/group_vars/georgesand/main.yml +++ b/group_vars/gs/main.yml 
@@ -2,4 +2,9 @@ apartment_block: gs apartment_block_id: 5 +subnet_ids: + ap: 145 + users_wired: 50 + users_wifi: 51 + router_ip_suffix: 240 diff --git a/group_vars/georgesand/sudo_location_group.yml b/group_vars/gs/sudo_location_group.yml similarity index 100% rename from group_vars/georgesand/sudo_location_group.yml rename to group_vars/gs/sudo_location_group.yml diff --git a/network.yml b/network.yml index d16893d..4b4a9dc 100755 --- a/network.yml +++ b/network.yml @@ -28,7 +28,7 @@ # Radius (backup only for now) -- hosts: ~radius-(edc|fleming|pacaterie).* +- hosts: ~radius-(edc|fleming|pacaterie|gs).* roles: - radius From 4866ce915c6b468c8693c501876f704a70f96a5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 21 May 2020 19:46:39 +0200 Subject: [PATCH 210/297] clean up README for ansible(devel) --- README.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index d52b7aa..00897a4 100644 --- a/README.md +++ b/README.md @@ -122,12 +122,19 @@ done ### Passage à Ansible 2.10 (release: 30 juillet) +Installez la version de développement d'ansible pour faire fonctionner les +playbooks de ce repo, ainsi que les collections suivantes : + ```bash ansible-galaxy collection install community.general ansible-galaxy collection install ansible.posix ``` -Erreur avec sudo ? -Workaround: `$ export ANSIBLE_BECOME_PASS=''` -(notez l'espace au début pour ne pas log la commande dans votre historique -shell) + +Si vous n'arrivez pas à entrer votre _become password_ (bug dans ansible?), un +workaround est le suivant : + +`$ export ANSIBLE_BECOME_PASS=''` + +Notez l'espace au début pour ne pas log la commande dans votre historique +shell. From a6b15c0e10249f1ddbe2d7a246b4b45496e797d2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 21 May 2020 20:06:47 +0200 Subject: [PATCH 211/297] vars: use apartment block id for subnets --- group_vars/all/vars.yml | 9 +++++++++ group_vars/edc/main.yml | 5 ----- group_vars/fleming/main.yml | 5 ----- group_vars/gs/main.yml | 5 ----- group_vars/pacaterie/main.yml | 5 ----- 5 files changed, 9 insertions(+), 20 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 3b0c131..572a607 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -53,6 +53,11 @@ backup_dns_servers: # Misc mtu: 1400 +subnet_ids: + ap: "14{{ apartment_block_id }}" + users_wired: "{{ apartment_block_id }}0" + users_wifi: "{{ apartment_block_id }}1" + # Keepalived keepalived_password: "{{ vault_keepalived_password[apartment_block] }}" @@ -70,3 +75,7 @@ radius_secret_wired: "{{ vault_radius_secrets.wired[apartment_block] }}" radius_pg_replication_password: "{{ vault_re2o_db_user_passwords.replication }}" radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}" + + + + diff --git a/group_vars/edc/main.yml b/group_vars/edc/main.yml index 88e6c2b..942e068 100644 --- a/group_vars/edc/main.yml +++ b/group_vars/edc/main.yml @@ -2,11 +2,6 @@ apartment_block: edc apartment_block_id: 4 -subnet_ids: - ap: 144 - users_wired: 40 - users_wifi: 41 - router_ip_suffix: 254 mtu: 1500 diff --git a/group_vars/fleming/main.yml b/group_vars/fleming/main.yml index 1913a87..c01bc59 100644 --- a/group_vars/fleming/main.yml +++ b/group_vars/fleming/main.yml @@ -2,9 +2,4 @@ apartment_block: fleming apartment_block_id: 1 -subnet_ids: - ap: 141 - users_wired: 10 - users_wifi: 11 - router_ip_suffix: 254 diff --git a/group_vars/gs/main.yml b/group_vars/gs/main.yml index 10a85ab..0161c8a 100644 --- a/group_vars/gs/main.yml +++ b/group_vars/gs/main.yml @@ -2,9 +2,4 @@ apartment_block: gs apartment_block_id: 5 -subnet_ids: - ap: 145 - users_wired: 50 - users_wifi: 51 - router_ip_suffix: 240 
diff --git a/group_vars/pacaterie/main.yml b/group_vars/pacaterie/main.yml index 7d6e30c..8ddb5ff 100644 --- a/group_vars/pacaterie/main.yml +++ b/group_vars/pacaterie/main.yml @@ -2,11 +2,6 @@ apartment_block: pacaterie apartment_block_id: 2 -subnet_ids: - ap: 142 - users_wired: 20 - users_wifi: 21 - router_ip_suffix: 254 mtu: 1500 From 337906c6c0ff413a6062dcca402544246f510a63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Jul 2020 18:40:54 +0200 Subject: [PATCH 212/297] add gs dhcp, dns, routing and add thor to inventory --- .gitignore | 1 + group_vars/all/vars.yml | 3 +-- group_vars/gs/main.yml | 4 +++- hosts | 19 +++++++++++++++++++ network.yml | 6 +++--- .../templates/dhcp/dhcpd.conf.j2 | 8 ++++---- 6 files changed, 31 insertions(+), 10 deletions(-) diff --git a/.gitignore b/.gitignore index fc586ce..ea2eabf 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ *.retry +tmp ldap-password.txt diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 572a607..c3f0502 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -77,5 +77,4 @@ radius_pg_replication_password: "{{ vault_re2o_db_user_passwords.replication }}" radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}" - - +apartment_block_dhcp: "{{ apartment_block }}" diff --git a/group_vars/gs/main.yml b/group_vars/gs/main.yml index 0161c8a..25c3139 100644 --- a/group_vars/gs/main.yml +++ b/group_vars/gs/main.yml @@ -1,5 +1,7 @@ --- apartment_block: gs +apartment_block_dhcp: sand + apartment_block_id: 5 -router_ip_suffix: 240 +router_ip_suffix: 254 diff --git a/hosts b/hosts index b688b50..bbc392f 100644 --- a/hosts +++ b/hosts 
@@ -121,17 +121,31 @@ ldap-replica-edc-backup.adm.auro.re [gs_pve] perceval.adm.auro.re +lancelot.adm.auro.re +odin.adm.auro.re [gs_vm] dhcp-gs.adm.auro.re +dhcp-gs-backup.adm.auro.re dns-gs.adm.auro.re +dns-gs-backup.adm.auro.re routeur-gs.adm.auro.re +routeur-gs-backup.adm.auro.re unifi-gs.adm.auro.re radius-gs.adm.auro.re +radius-gs-backup.adm.auro.re prometheus-gs.adm.auro.re #inexistant : ldap-replica-gs.adm.auro.re #inexistant : ldap-replica-gs-backup.adm.auro.re +############################################################################### +# Les Rives +[rives_pve] +thor.adm.auro.re + + + + ############################################################################### # Groups by location @@ -164,6 +178,10 @@ edc_vm gs_pve gs_vm +# everything at Les Rives +[rives:children] +rives_pve + ############################################################################### # Groups by type @@ -187,6 +205,7 @@ fleming_pve pacaterie_pve edc_pve gs_pve +rives_pve ############################################################################### diff --git a/network.yml b/network.yml index 4b4a9dc..bca43c0 100755 --- a/network.yml +++ b/network.yml @@ -1,7 +1,7 @@ #!/usr/bin/env ansible-playbook --- # Set up DHCP servers. -- hosts: dhcp-*.adm.auro.re, !dhcp-aurore*.adm.auro.re,!dhcp-gs*.adm.auro.re +- hosts: dhcp-*.adm.auro.re, !dhcp-aurore*.adm.auro.re vars: service_repo: https://gitlab.federez.net/re2o/dhcp.git service_name: dhcp @@ -16,13 +16,13 @@ # Deploy unbound DNS server (recursive). -- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re,!dns-gs*.adm.auro.re +- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re roles: - unbound # Déploiement du service re2o aurore-firewall et keepalived -- hosts: ~routeur-(pacaterie|edc|fleming).*\.adm\.auro\.re +- hosts: ~routeur-(pacaterie|edc|fleming|gs).*\.adm\.auro\.re roles: - router 
diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index f4150e7..cde8d25 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 @@ -43,12 +43,12 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { option subnet-mask 255.255.0.0; option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255; option routers 10.{{ subnet_ids.users_wired }}.0.{{ router_ip_suffix }}; - option domain-name "fil.{{ apartment_block }}.auro.re"; + option domain-name "fil.{{ apartment_block_dhcp }}.auro.re"; option domain-search "auro.re"; option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; - include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list"; + include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block_dhcp }}.auro.re.list"; deny unknown-clients; } @@ -60,12 +60,12 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { option subnet-mask 255.255.0.0; option broadcast-address 10.{{ subnet_ids.users_wifi }}.255.255; option routers 10.{{ subnet_ids.users_wifi }}.0.{{ router_ip_suffix }}; - option domain-name "wifi.{{ apartment_block }}.auro.re"; + option domain-name "wifi.{{ apartment_block_dhcp }}.auro.re"; option domain-search "auro.re"; option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; - include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list"; + include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block_dhcp }}.auro.re.list"; pool { range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wifi }}.10.255; 
From f7617c4478b28ce131290b526be8cd72a4bc6965 Mon Sep 17 00:00:00 2001 From: fpoutre Date: Mon, 6 Jul 2020 18:52:46 +0200 Subject: [PATCH 213/297] added ldap-replica-gs to hosts --- hosts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts b/hosts index bbc392f..dee3e1e 100644 --- a/hosts +++ b/hosts @@ -135,7 +135,7 @@ unifi-gs.adm.auro.re radius-gs.adm.auro.re radius-gs-backup.adm.auro.re prometheus-gs.adm.auro.re -#inexistant : ldap-replica-gs.adm.auro.re +ldap-replica-gs.adm.auro.re #inexistant : ldap-replica-gs-backup.adm.auro.re ############################################################################### From 511734a978eb8abb87efe85f82fa2ecd56567285 Mon Sep 17 00:00:00 2001 From: TinyLinux Date: Mon, 6 Jul 2020 22:06:16 +0200 Subject: [PATCH 214/297] Add ldap-replica-gs-backup to hosts --- hosts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts b/hosts index dee3e1e..1f41aab 100644 --- a/hosts +++ b/hosts @@ -136,7 +136,7 @@ radius-gs.adm.auro.re radius-gs-backup.adm.auro.re prometheus-gs.adm.auro.re ldap-replica-gs.adm.auro.re -#inexistant : ldap-replica-gs-backup.adm.auro.re +ldap-replica-gs-backup.adm.auro.re ############################################################################### # Les Rives From 354a5e7d632fd6df6c0b4091b1d4e1f902895879 Mon Sep 17 00:00:00 2001 From: fpoutre Date: Mon, 6 Jul 2020 22:27:53 +0200 Subject: [PATCH 215/297] created a dedicated ldap_replica role --- base.yml | 5 ----- ldap_replica.yml | 7 +++++++ 2 files changed, 7 insertions(+), 5 deletions(-) create mode 100755 ldap_replica.yml diff --git a/base.yml b/base.yml index 935f60e..2e26b95 100755 --- a/base.yml +++ b/base.yml @@ -11,8 +11,3 @@ roles: - ldap-client -# Clone LDAP on local geographic location -# DON'T DO THIS AS IT RECREATES THE REPLICA -#- hosts: ldap_replica -# roles: -# - ldap-replica diff --git a/ldap_replica.yml b/ldap_replica.yml new file mode 100755 index 0000000..1686293 --- /dev/null +++ b/ldap_replica.yml 
@@ -0,0 +1,7 @@ +#!/usr/bin/env ansible-playbook +--- +# Clone LDAP on local geographic location +# DON'T DO THIS AS IT RECREATES THE REPLICA +- hosts: ldap_replica + roles: + - ldap-replica From c7c6e50dd931fba6e82f5e9b11ff26d7f1876c0f Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Wed, 22 Jul 2020 10:04:25 +0200 Subject: [PATCH 216/297] Remove matrix mxisd --- matrix.yml | 1 - roles/matrix-mxisd/handlers/main.yml | 6 -- roles/matrix-mxisd/tasks/main.yml | 16 ---- .../templates/mxisd/mxisd.yaml.j2 | 89 ------------------- roles/matrix-synapse/tasks/main.yml | 11 +-- .../conf.d/password_providers.yaml.j2 | 14 ++- 6 files changed, 14 insertions(+), 123 deletions(-) delete mode 100644 roles/matrix-mxisd/handlers/main.yml delete mode 100644 roles/matrix-mxisd/tasks/main.yml delete mode 100644 roles/matrix-mxisd/templates/mxisd/mxisd.yaml.j2 diff --git a/matrix.yml b/matrix.yml index 634f063..b25fc0d 100755 --- a/matrix.yml +++ b/matrix.yml @@ -9,7 +9,6 @@ - debian-backports - nodejs - matrix-synapse - - matrix-mxisd - matrix-appservice-irc - matrix-appservice-webhooks diff --git a/roles/matrix-mxisd/handlers/main.yml b/roles/matrix-mxisd/handlers/main.yml deleted file mode 100644 index 73933ed..0000000 --- a/roles/matrix-mxisd/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# Restart mxisd when configuration changes -- name: Restart mxisd service - service: - name: mxisd - state: restarted diff --git a/roles/matrix-mxisd/tasks/main.yml b/roles/matrix-mxisd/tasks/main.yml deleted file mode 100644 index ad40117..0000000 --- a/roles/matrix-mxisd/tasks/main.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -- name: Install mxisd - apt: - deb: "{{ mxisd_deb }}" - state: present - register: apt_result - retries: 3 - until: apt_result is succeeded - -- name: Configure mxisd - template: - src: mxisd/mxisd.yaml.j2 - dest: /etc/mxisd/mxisd.yaml - mode: 0600 - owner: mxisd - notify: Restart mxisd service 
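Review bot: The new `ldap_replica.yml` is an executable playbook (shebang plus mode 100755) whose own header comment says running it recreates the replica, so a stray `./ldap_replica.yml` against the `ldap_replica` group is a destructive action with no gate beyond that comment. Make the play ask for an explicit confirmation and stop otherwise: a `vars_prompt` entry with `private: false` and a `fail` task in `pre_tasks` do this without touching the role. The roles list stays as it is.
```yaml
- hosts: ldap_replica
  vars_prompt:
    - name: confirm_recreate
      prompt: "This RECREATES the LDAP replica on the targeted hosts. Type 'yes' to continue"
      private: false
  pre_tasks:
    - name: Abort unless explicitly confirmed
      fail:
        msg: "ldap_replica.yml aborted: confirmation not given"
      when: confirm_recreate != 'yes'
  roles:
    - ldap-replica
```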
diff --git a/roles/matrix-mxisd/templates/mxisd/mxisd.yaml.j2 b/roles/matrix-mxisd/templates/mxisd/mxisd.yaml.j2 deleted file mode 100644 index be427c1..0000000 --- a/roles/matrix-mxisd/templates/mxisd/mxisd.yaml.j2 +++ /dev/null 
@@ -1,89 +0,0 @@ -# {{ ansible_managed }} - -####################### -# Matrix config items # -####################### -# Matrix domain, same as 'server_name' in synapse configuration. -matrix: - domain: 'auro.re' - - -################ -# Signing keys # -################ -# Absolute path for the Identity Server signing keys database. -# /!\ THIS MUST **NOT** BE YOUR HOMESERVER KEYS FILE /!\ -# If this path does not exist, it will be auto-generated. -key: - path: '/var/lib/mxisd/keys' - - -# Path to the SQLite DB file for mxisd internal storage -# /!\ THIS MUST **NOT** BE YOUR HOMESERVER DATABASE /!\ -storage: - provider: - sqlite: - database: '/var/lib/mxisd/store.db' - - -################### -# Identity Stores # -################### -ldap: - enabled: true - connection: - host: '{{ ldap_master_ipv4 }}' - port: 389 - bindDn: '{{ ldap_matrix_bind_dn }}' - bindPassword: '{{ ldap_matrix_password }}' - baseDNs: - - '{{ ldap_user_tree }}' - attribute: - uid: - type: 'uid' - value: 'uid' - name: 'uid' - - -################################################# -# Notifications for invites/addition to profile # -################################################# -# This is mandatory to deal with anything e-mail related. -# -# For an introduction to sessions, invites and 3PIDs in general, -# see https://github.com/kamax-matrix/mxisd/blob/master/docs/threepids/session/session.md#3pid-sessions -# -# If you would like to change the content of the notifications, -# see https://github.com/kamax-matrix/mxisd/blob/master/docs/threepids/notification/template-generator.md -# -#### E-mail connector -threepid: - medium: - email: - identity: - # The e-mail to send as. - from: "matrix@auro.re" - - connectors: - smtp: - # SMTP host - host: "smtp.crans.org" - - # SMTP port - port: 587 - - # STARTLS mode for the connection. - # SSL/TLS is currently not supported. 
See https://github.com/kamax-matrix/mxisd/issues/125 - # - # Possible values: - # 0 Disable any kind of TLS entirely - # 1 Enable STARTLS if supported by server (default) - # 2 Force STARTLS and fail if not available - # - tls: 1 - - # Login for SMTP - login: "matrix@auro.re" - - # Password for the account - password: "" diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml index 4ac864e..f5339b9 100644 --- a/roles/matrix-synapse/tasks/main.yml +++ b/roles/matrix-synapse/tasks/main.yml @@ -2,7 +2,9 @@ - name: Install matrix-synapse apt: update_cache: true - name: matrix-synapse-py3 + name: + - matrix-synapse-py3 + - matrix-synapse-ldap3 state: present default_release: stretch-backports register: apt_result @@ -24,10 +26,3 @@ - server_name.yaml - trusted_third_party_id_servers.yaml notify: Restart matrix-synapse service - -- name: Install rest auth provider - copy: - src: rest_auth_provider.py - dest: /opt/venvs/matrix-synapse/lib/python3.7/site-packages/rest_auth_provider.py - mode: 0755 - notify: Restart matrix-synapse service diff --git a/roles/matrix-synapse/templates/matrix-synapse/conf.d/password_providers.yaml.j2 b/roles/matrix-synapse/templates/matrix-synapse/conf.d/password_providers.yaml.j2 index 8281be3..4f84014 100644 --- a/roles/matrix-synapse/templates/matrix-synapse/conf.d/password_providers.yaml.j2 +++ b/roles/matrix-synapse/templates/matrix-synapse/conf.d/password_providers.yaml.j2 @@ -1,5 +1,13 @@ # {{ ansible_managed }} password_providers: - - module: "rest_auth_provider.RestAuthProvider" - config: - endpoint: "http://127.0.0.1:8090" + - module: "ldap_auth_provider.LdapAuthProvider" + config: + enabled: true + uri: "ldap://{{ ldap_master_ipv4 }}:389" + base: "{{ ldap_user_tree }}" + attributes: + uid: "uid" + mail: "mail" + name: "uid" + bind_dn: "{{ ldap_matrix_bind_dn }}" + bind_password: "{{ ldap_matrix_password }}" From a32116131d2f4f5adc1a066b645b073ac5cb30ce Mon Sep 17 00:00:00 2001 
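Review bot: The new LDAP provider block points at `ldap://{{ ldap_master_ipv4 }}:389` with `bind_dn`/`bind_password` and no `start_tls`, so the service bind credential and each user's password are sent to the LDAP master in cleartext at every login; the `rest_auth_provider` it replaces only talked to `127.0.0.1:8090`, so this widens exposure to whatever network sits between synapse and the master. matrix-synapse-ldap3 accepts `start_tls: true` under `config:` (or an `ldaps://` URI) — add `start_tls: true` if the master offers StartTLS, and otherwise record in a comment why plaintext LDAP on that path is accepted. Whether `ldap_master_ipv4` is only reachable over an isolated admin network is not visible from this hunk.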
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 12:02:37 +0200 Subject: [PATCH 217/297] raise MTU at fleming already been deployed for a while, forgot to push --- group_vars/fleming/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/fleming/main.yml b/group_vars/fleming/main.yml index c01bc59..94f9cc8 100644 --- a/group_vars/fleming/main.yml +++ b/group_vars/fleming/main.yml @@ -3,3 +3,5 @@ apartment_block: fleming apartment_block_id: 1 router_ip_suffix: 254 + +mtu: 1500 From a4841e6947f38943f686c4c0efd3175f6b8989c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 12:56:23 +0200 Subject: [PATCH 218/297] add radvd role, deploy in routers --- network.yml | 1 + roles/radvd/handlers/main.yml | 4 ++ roles/radvd/tasks/main.yml | 20 +++++++++ roles/radvd/templates/radvd.conf.j2 | 67 +++++++++++++++++++++++++++++ 4 files changed, 92 insertions(+) create mode 100644 roles/radvd/handlers/main.yml create mode 100644 roles/radvd/tasks/main.yml create mode 100644 roles/radvd/templates/radvd.conf.j2 diff --git a/network.yml b/network.yml index bca43c0..fec4170 100755 --- a/network.yml +++ b/network.yml @@ -25,6 +25,7 @@ - hosts: ~routeur-(pacaterie|edc|fleming|gs).*\.adm\.auro\.re roles: - router + - radvd # Radius (backup only for now) diff --git a/roles/radvd/handlers/main.yml b/roles/radvd/handlers/main.yml new file mode 100644 index 0000000..0bc0b9d --- /dev/null +++ b/roles/radvd/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart radvd + systemd: + state: restarted + name: radvd diff --git a/roles/radvd/tasks/main.yml b/roles/radvd/tasks/main.yml new file mode 100644 index 0000000..7b68b76 --- /dev/null +++ b/roles/radvd/tasks/main.yml 
@@ -0,0 +1,20 @@
+---
+
+
+# Warning: radvd installation seems to fail if the configuration
+# file doesn't already exist when the package is installed,
+# so the order is important.
+- name: Configure radvd
+ template:
+ src: radvd.conf.j2
+ dest: /etc/radvd.conf
+ mode: 0644
+ notify: restart radvd
+
+- name: Install radvd
+ apt:
+ update_cache: true
+ name: radvd
+ state: present
+ notify: restart radvd
+
diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2
new file mode 100644
index 0000000..e2f91e2
--- /dev/null
+++ b/roles/radvd/templates/radvd.conf.j2
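Review bot: `mode: 0644` on the `Configure radvd` template task is an unquoted octal literal: a YAML 1.1 loader reads it as the integer 420, which Ansible tolerates, but under a YAML 1.2 loader the same text becomes decimal 644 and Ansible would apply the wrong permission bits, which is why ansible-lint flags it — write `mode: "0644"`. The file also ends with a trailing blank line, and the sibling `roles/radvd/handlers/main.yml` created in this commit lacks the `---` document start that this file and the other role files use. Templating before installing is deliberate per the header comment, so both tasks notifying `restart radvd` reads fine.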
@@ -0,0 +1,67 @@ +# -*- mode: conf-unix; coding: utf-8 -*- + +## +# Bornes Wi-Fi +## + +interface ens19 { # XXX - FIX THE INTERFACE NAME + AdvSendAdvert on; + AdvLinkMTU {{ mtu }}; + AdvDefaultPreference high; + MaxRtrAdvInterval 30; + + + prefix 2a09:6840:{{ subnet_ids.ap }}::/64 { + AdvRouterAddr on; + }; + + # La zone DNS + DNSSL borne.auro.re {}; + + # Les DNS récursifs + RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {}; + RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {}; +}; + + + + +## +# Utilisateurs filaire +## +interface ens20 { # XXX + AdvSendAdvert on; + AdvLinkMTU {{ mtu }}; + AdvDefaultPreference high; + MaxRtrAdvInterval 30; + + prefix 2a09:6840:{{ subnet_ids.users_wired }}::/64 { + AdvRouterAddr on; + }; + + DNSSL fil.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround. + + RDNSS 2a09:6840:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_main }} {}; + RDNSS 2a09:6840:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_backup }} {}; +}; + + +## +# Utilisateurs wifi +## +interface ens20 { # XXX: interface name + AdvSendAdvert on; + AdvLinkMTU {{ mtu }}; + AdvDefaultPreference high; + MaxRtrAdvInterval 30; + + prefix 2a09:6840:{{ subnet_ids.users_wifi }}::/64 { + AdvRouterAddr on; + }; + + DNSSL wifi.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround. + + RDNSS 2a09:6840:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_main }} {}; + RDNSS 2a09:6840:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_backup }} {}; +}; + From f09b0906c6a73ed7c6f68fd21ec829160eb9326b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 14:20:08 +0200 Subject: [PATCH 219/297] radvd: fix wifi interface, comment out APs for now --- roles/radvd/templates/radvd.conf.j2 | 46 ++++++++++++++++------------- 1 file changed, 25 insertions(+), 21 deletions(-) 
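Review bot: The wired and wifi stanzas both declare `interface ens20`, so as committed the template renders two competing configurations for one interface and the wifi prefix/RDNSS set is not advertised on its own link; the `# XXX: interface name` marker shows this is known, but every router picks up the broken file (my reading of radvd — `radvd -c` on the rendered file would confirm). Each stanza should name its own interface, and the three `# XXX` markers on the interface lines would be more useful as one comment stating which VLAN maps to which `ensN` on the `routeur-*` hosts. The AP stanza advertises RDNSS addresses on a prefix that, per the matching unbound config, the resolvers may not listen on yet, so it is worth a `# not deployed` note until that interface exists.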
diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2 index e2f91e2..f773514 100644 --- a/roles/radvd/templates/radvd.conf.j2 +++ b/roles/radvd/templates/radvd.conf.j2 @@ -4,32 +4,33 @@ # Bornes Wi-Fi ## -interface ens19 { # XXX - FIX THE INTERFACE NAME - AdvSendAdvert on; - AdvLinkMTU {{ mtu }}; - AdvDefaultPreference high; - MaxRtrAdvInterval 30; - - - prefix 2a09:6840:{{ subnet_ids.ap }}::/64 { - AdvRouterAddr on; - }; - - # La zone DNS - DNSSL borne.auro.re {}; - - # Les DNS récursifs - RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {}; - RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {}; -}; - +# Not deployed yet! +# Need to add an interface for this VLAN on "routeur-*" hosts. +# interface ens19 { # XXX - FIX THE INTERFACE NAME +# AdvSendAdvert on; +# AdvLinkMTU {{ mtu }}; +# AdvDefaultPreference high; +# MaxRtrAdvInterval 30; +# +# +# prefix 2a09:6840:{{ subnet_ids.ap }}::/64 { +# AdvRouterAddr on; +# }; +# +# # La zone DNS +# DNSSL borne.auro.re {}; +# +# # Les DNS récursifs +# RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {}; +# RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {}; +# }; ## # Utilisateurs filaire ## -interface ens20 { # XXX +interface ens20 { AdvSendAdvert on; AdvLinkMTU {{ mtu }}; AdvDefaultPreference high; @@ -49,7 +50,7 @@ interface ens20 { # XXX ## # Utilisateurs wifi ## -interface ens20 { # XXX: interface name +interface ens21 { AdvSendAdvert on; AdvLinkMTU {{ mtu }}; AdvDefaultPreference high; @@ -65,3 +66,6 @@ interface ens20 { # XXX: interface name RDNSS 2a09:6840:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_backup }} {}; }; + + +# For public IPs: will use DHCPv6, deployed on routeur-aurore alone. From 468bb9abded364757acf44e56c8d2879ececd777 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 14:22:30 +0200 Subject: [PATCH 220/297] add radvd comment --- network.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/network.yml b/network.yml index fec4170..43f2297 100755 --- a/network.yml +++ b/network.yml @@ -22,6 +22,8 @@ # Déploiement du service re2o aurore-firewall et keepalived +# radvd: IPv6 SLAAC (/64 subnets, private IPs). +# Must NOT be on routeur-aurore-*, or will with DHCPv6! - hosts: ~routeur-(pacaterie|edc|fleming|gs).*\.adm\.auro\.re roles: - router From d54da8d2b91d1da97150ee7eef67b7728d6bf262 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 14:31:49 +0200 Subject: [PATCH 221/297] add ipv6_base_prefix variable --- group_vars/all/vars.yml | 6 ++++++ roles/radvd/templates/radvd.conf.j2 | 18 +++++++++--------- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index c3f0502..cc30765 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -78,3 +78,9 @@ radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}" apartment_block_dhcp: "{{ apartment_block }}" + + + +# Careful, this is not byte-aligned, just nibble-aligned (RIPE gave us a /28). +# However, we ALWAYS keep the trailing 0 to have byte alignment. +ipv6_base_prefix: "2a09:6840" diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2 index f773514..bf301a9 100644 --- a/roles/radvd/templates/radvd.conf.j2 +++ b/roles/radvd/templates/radvd.conf.j2 @@ -14,7 +14,7 @@ # MaxRtrAdvInterval 30; # # -# prefix 2a09:6840:{{ subnet_ids.ap }}::/64 { +# prefix {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::/64 { # AdvRouterAddr on; # }; # 
@@ -22,8 +22,8 @@ # DNSSL borne.auro.re {}; # # # Les DNS récursifs -# RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {}; -# RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {}; +# RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {}; +# RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {}; # }; @@ -36,14 +36,14 @@ interface ens20 { AdvDefaultPreference high; MaxRtrAdvInterval 30; - prefix 2a09:6840:{{ subnet_ids.users_wired }}::/64 { + prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 { AdvRouterAddr on; }; DNSSL fil.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround. - RDNSS 2a09:6840:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_main }} {}; - RDNSS 2a09:6840:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_backup }} {}; + RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_main }} {}; + RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_backup }} {}; }; @@ -56,14 +56,14 @@ interface ens21 { AdvDefaultPreference high; MaxRtrAdvInterval 30; - prefix 2a09:6840:{{ subnet_ids.users_wifi }}::/64 { + prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64 { AdvRouterAddr on; }; DNSSL wifi.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround. - RDNSS 2a09:6840:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_main }} {}; - RDNSS 2a09:6840:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_backup }} {}; + RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_main }} {}; + RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_backup }} {}; }; From 713c93ac44256336358105276c4df633137ff3e2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 14:32:02 +0200 Subject: [PATCH 222/297] update unbound role for IPv6 --- roles/unbound/templates/recursive.conf.j2 | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index 62c93be..47ad938 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 @@ -11,20 +11,32 @@ server: logfile: "/var/log/unbound/unbound.log" do-ip4: yes - # FIXME: IPv6 deployment... someday... - do-ip6: no + do-ip6: yes # IP addresses on which to listen. + # + # Note: dns_host_suffix is dynamically set in this role's tasks, + # and changes depending on whether we're handling the main or backup + # recursive DNS node. + + # IPv4 interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }} + + # IPv6 + interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }} + interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }} + interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }} + # By default, anything other than localhost is refused. # Whitelist some subnets: access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow + access-control: {{ ipv6_base_prefix }}::/32 # Fuck it... :) num-threads: {{ ansible_processor_vcpus }} From 194c19fbf33efe1769f7710622569231bb16ae7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 15:34:49 +0200 Subject: [PATCH 223/297] fix wrong hardcoded email for keepalived monitoring --- roles/router/templates/keepalived.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
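Review bot: The new `access-control: {{ ipv6_base_prefix }}::/32` line has no action keyword, unlike the three IPv4 lines above it that end in `allow`, so unbound should reject the rendered config (the directive form is `access-control: <netblock> <action>`). Even with `allow` added it is far broader than the IPv4 rules: a `/32` covers the entire `2a09:6840` allocation rather than this block's three `/64`s, so any host in the whole prefix could use this resolver as an open recursor. Mirror the IPv4 scoping: `access-control: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::/64 allow`, `access-control: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 allow`, `access-control: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64 allow`.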
diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf index 6e51fd9..1bb305e 100644 --- a/roles/router/templates/keepalived.conf +++ b/roles/router/templates/keepalived.conf @@ -2,7 +2,7 @@ global_defs { notification_email { monitoring.aurore@lists.crans.org } - notification_email_from routeur-edc-backup@auro.re + notification_email_from routeur-{{ apartment_block }}{% if 'backup' in inventory_hostname %}-backup{% endif %}@auro.re smtp_server smtp.crans.org } From 56808e4e60392acbf80c2ae51d29505f06a1c412 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 15:46:41 +0200 Subject: [PATCH 224/297] wip: begin updating 'router' role for IPv6 pending: update virtual routes --- roles/router/tasks/main.yml | 6 ++++++ roles/router/templates/firewall_config.py | 2 +- roles/router/templates/keepalived.conf | 13 ++++++++++--- 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml index dd7f865..06595a2 100644 --- a/roles/router/tasks/main.yml +++ b/roles/router/tasks/main.yml @@ -6,6 +6,12 @@ value: '1' sysctl_set: yes +- name: Enable IPv6 packet forwarding + ansible.posix.sysctl: + name: net.ipv6.ip_forward + value: '1' + sysctl_set: yes + - name: Install aurore-firewall (re2o-service) import_role: name: re2o-service diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py index bd013d3..1a3579c 100644 --- a/roles/router/templates/firewall_config.py +++ b/roles/router/templates/firewall_config.py @@ -25,7 +25,7 @@ ### Give me a role # routeur4 = routeur IPv4 -role = ['routeur4'] +role = ['routeur4', 'routeur6'] ### Specify each interface role diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf index 1bb305e..875c132 100644 --- a/roles/router/templates/keepalived.conf +++ b/roles/router/templates/keepalived.conf 
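Review bot: `net.ipv6.ip_forward` in the new `Enable IPv6 packet forwarding` task is not a Linux sysctl — IPv6 forwarding lives under `net.ipv6.conf.<if>.forwarding` — so the `ansible.posix.sysctl` task should fail on a missing key before the role reaches the firewall step. Use `name: net.ipv6.conf.all.forwarding` (and `net.ipv6.conf.default.forwarding` so later-added interfaces inherit it). Note that with forwarding enabled the kernel ignores Router Advertisements on those interfaces unless `accept_ra` is 2, which only matters if these routers rely on RAs from upstream.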
@@ -26,7 +26,6 @@ vrrp_instance VI_ROUT_{{ apartment_block }} { # Timeout in seconds before failover kicks in. advert_int 2 - # Used to authenticate VRRP communication between master and backup. authentication { auth_type PASS @@ -38,18 +37,26 @@ vrrp_instance VI_ROUT_{{ apartment_block }} { virtual_ipaddress { # Routing subnet 10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global + {{ ipv6_base_prefix }}:129:0::{{ apartment_block_id }}:254/64 dev ens19 scope global - # Public subnet: wired + + # NATed subnet: wired 45.66.108.25{{ apartment_block_id }}/24 brd 45.66.108.255 dev ens19 scope global - # Public subnet: wifi + + # NATed subnet: wifi 45.66.109.25{{ apartment_block_id }}/24 brd 45.66.109.255 dev ens19 scope global # Wired 10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global + {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:254/64 dev ens20 scope global + # Wifi 10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global + {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:254/64 dev ens21 scope global } + + # FIXME: update for IPv6 virtual_routes { # 10.129.0.1 is Yggdrasil src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19 From 2e6306b61e9e71b8ef9f1e87570e5b60c845234f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 16:05:41 +0200 Subject: [PATCH 225/297] radvd: advertise keepalived VIP --- roles/radvd/templates/radvd.conf.j2 | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2 index bf301a9..ab63ea8 100644 --- a/roles/radvd/templates/radvd.conf.j2 +++ b/roles/radvd/templates/radvd.conf.j2 
@@ -12,8 +12,11 @@ # AdvLinkMTU {{ mtu }}; # AdvDefaultPreference high; # MaxRtrAdvInterval 30; -# -# +# +# AdvRASrcAddress { +# {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:250; # Unifi controller +# }; +# # prefix {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::/64 { # AdvRouterAddr on; # }; @@ -26,7 +29,6 @@ # RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {}; # }; - ## # Utilisateurs filaire ## @@ -36,6 +38,10 @@ interface ens20 { AdvDefaultPreference high; MaxRtrAdvInterval 30; + AdvRASrcAddress { + {{{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ router_ip_suffix }}; + }; + prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 { AdvRouterAddr on; }; @@ -56,6 +62,10 @@ interface ens21 { AdvDefaultPreference high; MaxRtrAdvInterval 30; + AdvRASrcAddress { + {{{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ router_ip_suffix }}; + }; + prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64 { AdvRouterAddr on; }; From 361fd54414d34d677b2862da98cf02a2feeb2c15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 16:07:27 +0200 Subject: [PATCH 226/297] keepalived: add IPv6 virtual route --- roles/router/templates/keepalived.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf index 875c132..a07ec07 100644 --- a/roles/router/templates/keepalived.conf +++ b/roles/router/templates/keepalived.conf @@ -60,5 +60,9 @@ vrrp_instance VI_ROUT_{{ apartment_block }} { virtual_routes { # 10.129.0.1 is Yggdrasil src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19 + + # For IPv6, the master router is routeur-aurore, NOT yggdrasil, + # because yggdrasil doesn't support BGPv6 announcements. + src {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254 to ::/0 via {{ ipv6_base_prefix }}:129::0:1 dev ens19 } } 
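Review bot: The two `AdvRASrcAddress` lines added to the ens20 and ens21 stanzas begin with `{{{`, a triple brace, so Jinja2 reads `{ ipv6_base_prefix }` as a malformed dict literal and the template fails to render — `{{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ router_ip_suffix }};` (and the `users_wifi` equivalent) is evidently what was intended. Patch 227 replaces both lines with `fe80::1`, which makes the point moot for the series, but this commit on its own breaks the radvd role. `router_ip_suffix` is not defined anywhere visible on this page; if it is not set in group_vars, rendering would still fail with the braces fixed.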
From 3a8112bf0d70d7ce64bb7cbfccb4c76473f7bda1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 17:48:39 +0200 Subject: [PATCH 227/297] roll out (private) IPv6 on George Sand --- group_vars/all/vars.yml | 4 +- roles/radvd/tasks/main.yml | 2 + roles/radvd/templates/radvd.conf.j2 | 4 +- roles/router/tasks/main.yml | 2 +- roles/router/templates/firewall_config.py | 4 +- roles/router/templates/keepalived.conf | 61 +++++++++++++++++++---- roles/unbound/templates/recursive.conf.j2 | 2 +- 7 files changed, 61 insertions(+), 18 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index cc30765..2b53213 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -50,8 +50,8 @@ dns_host_suffix_backup: 153 backup_dns_servers: - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) -# Misc -mtu: 1400 +# Finally raised! +mtu: 1500 subnet_ids: ap: "14{{ apartment_block_id }}" diff --git a/roles/radvd/tasks/main.yml b/roles/radvd/tasks/main.yml index 7b68b76..75c72c1 100644 --- a/roles/radvd/tasks/main.yml +++ b/roles/radvd/tasks/main.yml @@ -10,6 +10,8 @@ dest: /etc/radvd.conf mode: 0644 notify: restart radvd + tags: + - radconf - name: Install radvd apt: diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2 index ab63ea8..94720f5 100644 --- a/roles/radvd/templates/radvd.conf.j2 +++ b/roles/radvd/templates/radvd.conf.j2 @@ -39,7 +39,7 @@ interface ens20 { MaxRtrAdvInterval 30; AdvRASrcAddress { - {{{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ router_ip_suffix }}; + fe80::1; }; prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 { @@ -63,7 +63,7 @@ interface ens21 { MaxRtrAdvInterval 30; AdvRASrcAddress { - {{{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ router_ip_suffix }}; + fe80::1; }; prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64 { 
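Review bot: `AdvRASrcAddress { fe80::1; }` is only valid while fe80::1 is actually configured on ens20/ens21, and in this commit that address is a keepalived VIP that exists only on the current MASTER (see the IPv6 `vrrp_instance` added to keepalived.conf in the same patch). radvd on the BACKUP router is rendered from the same template, so it is worth confirming how radvd behaves there when the source address is absent, and whether keepalived needs a `notify_master`/`notify_backup` hook that restarts radvd on failover so advertisements resume from the new holder of fe80::1. The literal `fe80::1` now appears here and three times in keepalived.conf; a shared variable (constructed name `ipv6_link_local_vip`) with the comment `# link-local VIP shared by keepalived and radvd` would keep the two templates in step.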
diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml index 06595a2..d09a2c8 100644 --- a/roles/router/tasks/main.yml +++ b/roles/router/tasks/main.yml @@ -8,7 +8,7 @@ - name: Enable IPv6 packet forwarding ansible.posix.sysctl: - name: net.ipv6.ip_forward + name: net.ipv6.conf.all.forwarding value: '1' sysctl_set: yes diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py index 1a3579c..4f6b755 100644 --- a/roles/router/templates/firewall_config.py +++ b/roles/router/templates/firewall_config.py @@ -24,8 +24,8 @@ ### Give me a role -# routeur4 = routeur IPv4 -role = ['routeur4', 'routeur6'] +# previously: routeur4 = routeur IPv4 +role = ['routeur'] ### Specify each interface role diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf index a07ec07..cd217f3 100644 --- a/roles/router/templates/keepalived.conf +++ b/roles/router/templates/keepalived.conf @@ -7,7 +7,7 @@ global_defs { } -vrrp_instance VI_ROUT_{{ apartment_block }} { +vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 { {% if 'backup' in inventory_hostname %} state BACKUP priority 100 @@ -21,7 +21,7 @@ vrrp_instance VI_ROUT_{{ apartment_block }} { interface ens18 # Shared by MASTER and BACKUP - virtual_router_id {{ apartment_block_id }} + virtual_router_id 4{{ apartment_block_id }} # Timeout in seconds before failover kicks in. advert_int 2 @@ -37,7 +37,6 @@ vrrp_instance VI_ROUT_{{ apartment_block }} { virtual_ipaddress { # Routing subnet 10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global - {{ ipv6_base_prefix }}:129:0::{{ apartment_block_id }}:254/64 dev ens19 scope global # NATed subnet: wired 
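Review bot: `net.ipv6.conf.all.forwarding` is the right key, but enabling IPv6 forwarding makes the kernel stop accepting Router Advertisements on every interface unless that interface's `accept_ra` is set to 2, so if any router interface currently learns its default route from an RA that route disappears after this change; whether that applies here is not visible in the hunk. A comment such as `# forwarding=1 disables accept_ra; uplinks relying on RAs need accept_ra=2` would record the trade-off. The unchanged `sysctl_set: yes` below should become `sysctl_set: true` for consistency with the `true`/`false` booleans used elsewhere in the repository.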
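Review bot: Changing `virtual_router_id` from `{{ apartment_block_id }}` to `4{{ apartment_block_id }}` alters the VRID of a pair that is already in service, and a rollout that reloads the MASTER and the BACKUP at different moments leaves them on different VRIDs for that window, during which both hold the VIPs as MASTER; either keep the old VRID for the IPv4 instance or reload keepalived on both hosts in quick succession. VRIDs must also stay within 1–255, which holds only while `apartment_block_id` is a single digit — the `45.66.108.25{{ apartment_block_id }}` addresses in this template already imply that, but `virtual_router_id {{ 40 + apartment_block_id | int }}` with the comment `# 4x = IPv4 instance, 6x = IPv6 instance; block ids must stay single-digit` would make the scheme and its limit explicit. The same applies to the `6{{ apartment_block_id }}` in the IPv6 instance of the next hunk.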
@@ -48,21 +47,63 @@ vrrp_instance VI_ROUT_{{ apartment_block }} { # Wired 10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global - {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:254/64 dev ens20 scope global # Wifi 10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global - {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:254/64 dev ens21 scope global } - # FIXME: update for IPv6 virtual_routes { # 10.129.0.1 is Yggdrasil src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19 - - # For IPv6, the master router is routeur-aurore, NOT yggdrasil, - # because yggdrasil doesn't support BGPv6 announcements. - src {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254 to ::/0 via {{ ipv6_base_prefix }}:129::0:1 dev ens19 } } + +vrrp_instance VI_ROUT_{{ apartment_block }}_IPv6 { + {% if 'backup' in inventory_hostname %} + state BACKUP + priority 100 + {% else %} + state MASTER + priority 150 + {% endif %} + + + # Interface used for VRRP communication. + interface ens18 + + # Shared by MASTER and BACKUP + virtual_router_id 6{{ apartment_block_id }} + + # Timeout in seconds before failover kicks in. + advert_int 2 + + # Used to authenticate VRRP communication between master and backup. + authentication { + auth_type PASS + auth_pass {{ keepalived_password }} + } + + smtp_alert + + virtual_ipaddress { + # Routing subnet + fe80::1/64 dev ens19 scope global + {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254/64 dev ens19 scope global + + # Wired + fe80::1/64 dev ens20 scope global + + # Wifi + fe80::1/64 dev ens21 scope global + } + + + virtual_routes { + # For IPv6, the master router is routeur-aurore, NOT yggdrasil, + # because yggdrasil doesn't support BGPv6 announcements. + src {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254 to ::/0 via {{ ipv6_base_prefix }}:129::0:254 dev ens19 + } +} + + 
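Review bot: The new `VI_ROUT_{{ apartment_block }}_IPv6` instance copies the `authentication { auth_type PASS ... }` block, but as far as I recall keepalived runs IPv6 instances with VRRPv3, which has no authentication field, so the block is at best logged as unsupported and ignored; dropping it avoids suggesting a protection that is not applied, and the effective control for both instances is that ens18 is an isolated VRRP segment, since `PASS` authentication on the IPv4 instance travels in cleartext anyway. `fe80::1/64 dev ens19 scope global` (and the ens20/ens21 copies) gives a link-local address global scope; `scope link` is the conventional scope for fe80::/10 and is worth checking against what keepalived actually installs. Cosmetically the hunk leaves double blank lines after `{% endif %}`, before `virtual_routes` and at end of file, and the IPv4 and IPv6 instances are now near-identical blocks that a Jinja `{% for %}` over the two families, or a macro, could fold together.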
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index 47ad938..efdebe1 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 @@ -36,7 +36,7 @@ server: access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow - access-control: {{ ipv6_base_prefix }}::/32 # Fuck it... :) + access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :) num-threads: {{ ansible_processor_vcpus }} From 8360e212cc038515027756f7d6658f01aea8e94c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sun, 2 Aug 2020 12:14:57 +0200 Subject: [PATCH 228/297] enable SSH pipelining (THE SPEED!) --- ansible.cfg | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ansible.cfg b/ansible.cfg index 8d528bd..e2d6a32 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -33,3 +33,6 @@ become_ask_pass = True # TO know what changed always = yes + +[ssh_connection] +pipelining = True From de36a3bb9538fc9f0e114b5eb465f7e35a9c0a78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sun, 2 Aug 2020 12:15:15 +0200 Subject: [PATCH 229/297] announce IPv6 recursive resolver (untested) --- roles/baseconfig/templates/resolv.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/baseconfig/templates/resolv.conf b/roles/baseconfig/templates/resolv.conf index c94128f..935eeeb 100644 --- a/roles/baseconfig/templates/resolv.conf +++ b/roles/baseconfig/templates/resolv.conf @@ -1,3 +1,4 @@ domain adm.auro.re nameserver 10.128.0.253 +nameserver 2a09:6840:128::253 nameserver 80.67.169.12 From e7620914356f5ae41ce9fba6133a519f7a692571 Mon Sep 17 00:00:00 2001 
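Review bot: Adding the missing `allow` makes the line parse, but it opens recursion to the whole `{{ ipv6_base_prefix }}::/32` while the IPv4 lines above allow one /16 per role (`ap`, `users_wired`, `users_wifi`); a resolver open to the entire site prefix can be used as a reflector by any host able to source an address inside that /32, so mirroring the IPv4 granularity with per-subnet entries such as `access-control: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 allow` keeps the policy consistent. The trailing `# Fuck it... :)` should give the actual reason the broad range was chosen, e.g. `# whole site prefix for now; tighten to per-subnet /64s once all IPv6 subnets are assigned`.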
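Review bot: `pipelining = True` only works when `requiretty` is not enforced in sudoers on the managed hosts, otherwise every `become` task fails with a tty error; the hunk shows `become_ask_pass = True` but nothing about the sudoers state of the fleet. A comment on the new section, `# requires sudoers without 'Defaults requiretty' on every managed host`, would save the next person a confusing failure, and the baseconfig role is the natural place to assert that setting if it is not already managed there.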
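Review bot: The new `nameserver 2a09:6840:128::253` hard-codes a prefix while the other templates in this series derive IPv6 addresses from `{{ ipv6_base_prefix }}` (radvd, unbound, keepalived); if `ipv6_base_prefix` expands to `2a09:6840`, the line should read `nameserver {{ ipv6_base_prefix }}:128::253` so a prefix change cannot leave this template behind. The subject marks the change as untested: resolvers try the list in order, so whenever `10.128.0.253` does not answer, a non-responding IPv6 resolver adds a full timeout before the external `80.67.169.12` is tried, which is worth verifying from a dual-stack and an IPv4-only host before rollout.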
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sun, 2 Aug 2020 12:15:27 +0200 Subject: [PATCH 230/297] explain fe80::1 keepalived/radvd magic --- roles/radvd/templates/radvd.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2 index 94720f5..dc5f1a2 100644 --- a/roles/radvd/templates/radvd.conf.j2 +++ b/roles/radvd/templates/radvd.conf.j2 @@ -39,7 +39,7 @@ interface ens20 { MaxRtrAdvInterval 30; AdvRASrcAddress { - fe80::1; + fe80::1; # link-local virtual IP used with keepalived }; prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 { From 30e503458ef2e7e63b092d622928fd006c061c42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 6 Aug 2020 09:57:54 +0200 Subject: [PATCH 231/297] add ability to nuke radius DBs --- nuke-radius-dbs.yml | 7 +++++++ roles/radius/tasks/main.yml | 26 ++++++++++++++++++++++++-- 2 files changed, 31 insertions(+), 2 deletions(-) create mode 100755 nuke-radius-dbs.yml diff --git a/nuke-radius-dbs.yml b/nuke-radius-dbs.yml new file mode 100755 index 0000000..b23f08f --- /dev/null +++ b/nuke-radius-dbs.yml @@ -0,0 +1,7 @@ +#!/usr/bin/env ansible-playbook +--- +- hosts: ~radius-(edc|fleming|pacaterie|gs).* + roles: + - radius + vars: + nuke_radius: true diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml index 9172c79..ba3024e 100644 --- a/roles/radius/tasks/main.yml +++ b/roles/radius/tasks/main.yml @@ -15,7 +15,7 @@ git: repo: "https://gitlab.federez.net/re2o/re2o.git" dest: "/var/www/re2o" - version: "master_freeradius_python3" + version: "dev" force: true - name: Template local re2o settings 
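Review bot: `nuke-radius-dbs.yml` targets every host matching `~radius-(edc|fleming|pacaterie|gs).*` and drops their `re2o` databases with no confirmation step, and its executable bit plus the `#!/usr/bin/env ansible-playbook` shebang mean a stray `./nuke-radius-dbs.yml` destroys all RADIUS replicas at once. Adding `serial: 1` so replicas are rebuilt one at a time, and a `vars_prompt` or an `assert` on a required extra-var before the roles run, would make an accidental invocation recoverable. A header comment stating what the play destroys and that the radius role re-creates the database afterwards (its "Create local DB" task follows the nuking tasks) would also help.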
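Review bot: `version: "dev"` together with `force: true` checks out the tip of a moving branch on every run, so the code deployed to the RADIUS hosts changes whenever upstream pushes to `dev` and two runs of the role are not reproducible; pinning `version` to a commit hash or tag, bumped deliberately, keeps deployments reproducible and reviewable. If tracking the branch is intentional during the migration, a comment such as `# TODO: pin to a tagged re2o release once the freeradius/python3 work is released` would mark it as temporary.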
@@ -118,6 +118,29 @@ password: "{{ radius_pg_replication_password }}" become_user: postgres + +- name: Nuking - Stop freeradius + systemd: + name: freeradius + state: stopped + when: nuke_radius|bool + +- name: Nuking - Remove old subscription if it exists + community.general.postgresql_subscription: + name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}" + db: re2o + state: absent + become_user: postgres + when: nuke_radius|bool + ignore_errors: yes + +- name: Nuking - Destroy old local DB if it exists + community.general.postgresql_db: + name: re2o + state: absent + become_user: postgres + when: nuke_radius|bool + - name: Create local DB community.general.postgresql_db: name: re2o @@ -128,7 +151,6 @@ lc_ctype: 'fr_FR.UTF-8' become_user: postgres - - name: Dump radius re2o PostgreSQL database schema from master community.general.postgresql_db: name: re2o From af3c3dc132ed4889a3c54604fcf4b8572f51b560 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 8 Aug 2020 11:19:16 +0200 Subject: [PATCH 232/297] enable radvd service --- roles/radvd/handlers/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/radvd/handlers/main.yml b/roles/radvd/handlers/main.yml index 0bc0b9d..f2ce52c 100644 --- a/roles/radvd/handlers/main.yml +++ b/roles/radvd/handlers/main.yml @@ -2,3 +2,4 @@ systemd: state: restarted name: radvd + enabled: yes From b199c45d97d0e1757ac754c62701b1aaad47a0b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 8 Aug 2020 11:32:06 +0200 Subject: [PATCH 233/297] fix broken radius role Would crash if called from anything other than the nuke radius DBs playbook --- roles/radius/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml index ba3024e..e7943f0 100644 --- a/roles/radius/tasks/main.yml +++ b/roles/radius/tasks/main.yml 
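Review bot: The three new tasks are gated on `nuke_radius|bool`, which raises an undefined-variable error whenever the role runs without that variable, i.e. from any playbook other than nuke-radius-dbs.yml; patch 233 later fixes this with `|default(false)`, but as committed this breaks the role for its normal callers. `ignore_errors: yes` on the subscription removal also hides every failure, including a refused connection to postgres or a bad password; `register: sub_removal` plus `failed_when: sub_removal.failed and 'does not exist' not in (sub_removal.msg | default(''))` would tolerate only the missing-subscription case (the exact message text needs checking against the module, and `state: absent` may already be idempotent, in which case the `ignore_errors` can simply go). Grouping the three tasks in one `block:` with a single `when:` would avoid repeating the guard; the enclosing task list continues outside the hunk.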
@@ -123,7 +123,7 @@ systemd: name: freeradius state: stopped - when: nuke_radius|bool + when: nuke_radius|default(false) - name: Nuking - Remove old subscription if it exists community.general.postgresql_subscription: @@ -131,7 +131,7 @@ db: re2o state: absent become_user: postgres - when: nuke_radius|bool + when: nuke_radius|default(false) ignore_errors: yes - name: Nuking - Destroy old local DB if it exists @@ -139,7 +139,7 @@ name: re2o state: absent become_user: postgres - when: nuke_radius|bool + when: nuke_radius|default(false) - name: Create local DB community.general.postgresql_db: From 12b0bc91dc403efaf112d3029550657830823078 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 8 Aug 2020 11:32:34 +0200 Subject: [PATCH 234/297] radvd: cosmetic changes --- roles/radvd/templates/radvd.conf.j2 | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2 index dc5f1a2..300f50b 100644 --- a/roles/radvd/templates/radvd.conf.j2 +++ b/roles/radvd/templates/radvd.conf.j2 @@ -4,19 +4,18 @@ # Bornes Wi-Fi ## -# Not deployed yet! -# Need to add an interface for this VLAN on "routeur-*" hosts. - -# interface ens19 { # XXX - FIX THE INTERFACE NAME +# # Need to add an interface for this VLAN on "routeur-*" hosts. +# +# interface ens19 { # AdvSendAdvert on; # AdvLinkMTU {{ mtu }}; # AdvDefaultPreference high; # MaxRtrAdvInterval 30; -# +# # AdvRASrcAddress { # {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:250; # Unifi controller # }; -# +# # prefix {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::/64 { # AdvRouterAddr on; # }; From 646ebd3ba9c01b0c1706e7901ea071dbb53071de Mon Sep 17 00:00:00 2001 
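Review bot: `when: nuke_radius|default(false)` is repeated in three tasks; since `nuke_radius` is likely to arrive as an extra-var string (`-e nuke_radius=true`), `when: nuke_radius | default(false) | bool` evaluates the value explicitly instead of relying on Ansible's string-to-boolean coercion. Wrapping the three tasks in a single `block:` carrying that one `when:` removes the duplication; the enclosing task list continues outside the hunks.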
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 8 Aug 2020 17:10:01 +0200 Subject: [PATCH 235/297] router: ansibilize routeur-aurore{,backup} --- group_vars/all/vault.yml | 336 +++++++++--------- group_vars/aurore/main.yml | 4 + hosts | 8 +- network.yml | 5 + roles/router/handlers/main.yml | 1 + roles/router/tasks/main.yml | 39 +- .../templates/firewall_config_aurore.py | 49 +++ roles/router/templates/interfaces-aurore | 84 +++++ roles/router/templates/keepalived-aurore.conf | 121 +++++++ 9 files changed, 477 insertions(+), 170 deletions(-) create mode 100644 group_vars/aurore/main.yml create mode 100644 roles/router/templates/firewall_config_aurore.py create mode 100644 roles/router/templates/interfaces-aurore create mode 100644 roles/router/templates/keepalived-aurore.conf diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 093dc63..c9330fd 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml 
@@ -1,168 +1,170 @@ $ANSIBLE_VAULT;1.1;AES256 -30303466313332386663653437633162366435303931386433386437393133326338653433383838 -6536366261346666303239313536353263616235363761640a306262643931333035653162333839 -31343430386661623938333332393336313564353435633961323532623037333535333966643539 -6138306433636235390a353464616630376261613839643263613063386437313766666165613336 -37353431623631363662346134386466346163616432353361356632313861323130633338353264 -65353230643532343036353736623065383635333662363263663063363163656633646235613336 -36323466353530303434363037623964303931643462323437313733366636303766633262303465 -64333066313562313733356365636530316533633532636632626637626462636133666133353338 -37333866333337353162386139376463313030346636336231626166663231626130343738633166 -65343833316632643532393531363037313936656364356630616137373734356631333464396464 -66643237393039633461363433386432373935626631313465656539656538663931313866343863 -37626261373737666630623966333436336163636338336439653363356632656463346662333234 -64663936323634373733333262646531333437393562376232633266343738643266353633663437 -61656166363763333933323961666637653464396533356635643835643566633938363762313065 -63396566313830393935653339666262346463626266373734356532306461633961333930336261 -61383762643464396131653838376337353462396533336231353230306431373162306437633266 -32626365363031646233663632353730366234366539326137623331386263396435386433396232 -61633664636164373734623138306563643263363839313434643036396437653832343334613365 -66643433393831646338363830653739316234356632666365306364653262613836653933636636 -61623038303063376137633531386531386634313536323466623636313334393661636634373638 -63383139343061643634346166303037636531396636366165306266346131326532306537663963 -30666532376462306435383735643439313739343039613533653231353338393439376638646565 -38323162343435643033336532353636663831313433626534653334343939623864656138653035 
-62383566396663653037623866633934363863646538306562636531373762613863343937383531 -63303932363739306131643331323032626466636535613966663631646436353830356439393361 -32353764383239386437303363323337666339663966653332303230653236616339353930336137 -66646533366666663632383530373663653335303161623664633932356636343664393865336137 -63313766313831346661656134353736666463336561343162326263376239373934373163393035 -64303630663537623435356136336237386666313331666138366530356130306139323538353833 -63633230333432636433393635383061656265376535313038316461363561363733316231386234 -33366262343866323936623266353061613931396663386638306466343636626133393561636536 -63653833393633346463643737346334646338383835646364633235393037643462653662353039 -37323436633231303464386530303434636130336561653833666536303166373030353633656238 -66663562393164303563653935333438336231613064393765653030373064663462363030356561 -64303934663362633436636633613538353664633361353566623663643961663432386530376538 -66643735383038366436323865383563353132626331336339393666333164396631376562396636 -39316435343261656266643232643931356566333336303666623331316236346265383230333835 -30636165316461393936633566346438616464333031343163636462326630653061353332353565 -37323032333633653463383338333265386434306666333930326664363863663636366666643438 -36346662326562366163303665376234336633646435313834616335313363363332653962316662 -64376463356430613266626535353563326530626330356235346537656633313964383932356465 -34336664353861363436306361336337323565376238373439626130393866663134396135643136 -32346333386266636437333631363330663065613036303437353631303131373430386234316538 -36373934373064366664653139336265646361363631333863383731363737323230613931353333 -31666436653361333931316463643730366636303932333730623939323533613532396238306238 -62353066646435663365336635393030346233333138333766613661613039393161333234613066 -39663537353562313035363036343064323263623537646632393362613839383836643166366635 
-31656662663665383238656634363062393133343033343933353938326633343061313732346562 -39376561633939616538303833383235663338636164613336333036353334313332666531366230 -32373135336136343934356264656664653730313963363733313833306361613139643434646430 -64343235366437363931623731353239623764343931633330343737626163623632353864646639 -61636430373637316635323533373162633536393439393338623331303662333962613532323133 -33343336626462626132376235303165643164313761313136376631653731356535363465666661 -33363737363338366534333835363837393565653562623436333835653936663834376664333864 -36643333353263303533623531373732616365333030643735363533366463333035363136616139 -37386532373336663264643433633432653631313262333735353265373161353463303362353630 -38666363336539633564306132376565616463643662343136623461363230356564386335643732 -39653132646431636436383437366166373465336435356638643865346265643335383864363037 -63303633616233333233343962343037363465623635653831656539363662373035663163383238 -39643833356331323764386264373062306435383132656236313734643564396432396363363366 -65663630336539353261323739633765653036356632303739373239323334356133373133383631 -31343462323032393434326133343135653938353534666339356334636134363937363835646630 -38326561623264616439386264646635373063353966373936346634316239323464313531353035 -36656533333232313261316334323534336538626430363363353363363631386362363864616661 -34656462373230633364663963313662343334633235643034663231626362646163333563386638 -31363831363137353862613337323036626338653634653664303262656333663538633566646137 -31333264383535323336613262643636323733336461313339643665356134376161323262363331 -39353237653931316662393538383463373636653834333334303137643037353436303131353466 -62393037363565616564393732326334633035353337616638366537633238353465346234643134 -37303961343837636638303761313536663862333864663733663266623931353863323466636461 -37353764353034383833383533626430376537376233346539663966323061386135663463323665 
-33333038363138663264326432313432666632333234376366663963356534623137333831353632 -31623038653034666236333934646539653361343839333533636563303636303434336434363932 -31376639336130353666363361633535323932376535626230376632613734653633323334633464 -33616532336363346632356662396631633133616337663161646531386632353433613864386331 -36356337346539313963396238346333323266366332353863653363396335383935343436656263 -63613634643461333434623062333232623135626665623731366536346532613063653566386133 -31336239663964643662373964643665616134653235666164656236306565623638623330353630 -64396139343463383732336536623561363639366663636163643236336635323538323336666137 -38373334393837393563333331336638376162303532393066343839343633616162326665313738 -62643731626666336634303639376337366666306238663235636265303833646231616239316665 -37336132303462306462386334306132353930643461303664666563613261643633636635363731 -66633638313230363136343632626464336335643833613162383930346439313637646139623631 -36376661346265333334666535323063656430306463613938366632306366363631663232663433 -38313663663937336435643338623837653731333961356264663965373234353938623232353065 -64633039316663343139666338363662393362643966613466316664323437396532356465616639 -61326364663565643537633633316163646362613063653562646165326435353632396566626530 -62343732356437613334363361373237643839323431366238316434376562326334343431353466 -61396636396636326466386131653133316437306263303630363830306366666636323937653533 -61616634616161333035303132353664393333316263313863656463393736356533636535623035 -35363734393465326263383862613062613235663538386166333235653765306663383332653338 -62323031303932626331633162393062643833383631333265303431653836336563313561303533 -33643236663930653766303930646132383064663031373466633732376438323238383035626232 -35356533613133326239353537383866306338616538643839343162623932613439623538643130 -33363130366463356434623265326664353064656233373536353235663936363266623562663362 
-35613436333363376438643331353536666134303561613239626634656135303862323432303761 -32326438313162633262653163643534393934353337393262333461313166373339333532373635 -39326535303239386135326138666133363531353865663934326332356161356364313561613364 -61363133336165646462373932643135653438626130643364626531346339656237373935386563 -39313830396631366466363066653464316165306261306461343636656562653234313933316331 -37323335653538663537646332616665303138346138363134393631336566326562346265343138 -35316666333336663231373963383265633832656462313961376430613338616238613562323931 -33353931666538383134373230353830633136376134326131386435353834366335666566396634 -63363930366631313661363538616261363532373332613966363030363662356132373261343637 -34303038653531383134326231333562643639666638653631633436323234643931653734333338 -30343938323534353063643664663536353733343430616336383161643633616337383734366162 -38363838633334343232353737303239643733646166323263363039353939633136616362393662 -65653765353566616430373632383137386331313966393731393861353763323633643163663065 -37613266326361656666653662303131343036383133646435656362623439313733323638623633 -63366236326634643133656131363061353632386438336435313062653961363563653065346265 -64613762393830616336346362373232623234303330613034326236636163616364303366313163 -36613930616663643438373238336661663962616330383635653564353366383234653735656231 -65393866653535616230376464653030346334343865303439636236656432396433663534333434 -31336332303535386237333336636436396235653265323361393935323937393336336232303531 -64303732303365333962356464663134303237326133333464616638303131306138626132633962 -36353866313635373230316262326263623531316135663631363838633362316664626438313461 -38613862376435383961376436643630653436343461336165656331393764646161376164666462 -37633030383361393864643063353232366161353934343461393366356538373261333663656638 -36663830633266663938333736366234376564646539356462393930643062666538306632393237 
-61356632633561386565613730613131343261386662656333313363336432383637386133346261 -30396666646434666466626236666365323039313037636466636331373137366663623339643261 -35643937666362316538613830346138363437376664633233666230663131353437666435613466 -30346131373462356232613761356564363264646338313537366637396230313634653430323061 -39386435666631373339666236623661633631623635313366383139636361356231393462613437 -34373862646130636261663831376332316133396262316437633739383437646435633236333661 -30336366306564393538623431396665626537313130656334636234313464376564613434633831 -33633737613130643334376131356330646634333834303062613736393534313065623834346562 -35393564383962636133346461313131363864373334653264633561326136323361313936653734 -31383130663239333063623837373139633031363331663535633832653831303264336265666463 -39353434383866666439633936353462303231663936633862303961386630636535656331373535 -35366263646665623236656463653063383233306262396461363639303563383736323038663164 -36363161346262306362366236656433353337316437373631363832303437633933386538366430 -33313366616161646264333235623864626238646263636461393037373234333437363534363532 -32386363656664303138623134396338316638346531366538636239303638626462396132373437 -31653131313335306239393431353533633362303966353938623237356131386237616366346638 -66623434313831366333323265653131323233373862383530633538623965393765323034323934 -34326131303562646433343961626139356263396462626534336639623534663465613338636337 -66363137313033373765626136616131363832653063616131666538666263646133613562383830 -39336630636666386364666262623235386134353063323331376238616133336666306161383830 -36353131316263633933356336653166313334363365383562373233356461383533326661663331 -39353665363365333835383034393136353466323438633933363062393134613365633532613131 -38626530353431636363626131333633626139616465643963306262333639356431313362363332 -38386661343731393437393566613961383463646434653038323063396666653461663932376366 
-39663738323537363630363666323062623339633266303862376435393762303363366162313565 -34616464613065383639633865373764363230306437303236616261333766363738343131623765 -61373962343236333361396635363562343565386266383063633331366131306262643130653037 -66383562326438383562656535373835353335316639663166343163623365613263343364383435 -32336162356561313737333665383732643565393030643132333934373339643535383033313263 -37333365386663353437636236303339633631613266343238636638613634336233353462653335 -32316538646339663435363962626537373632303631653339306633336266623264396665376165 -61623963366336306230333937636466383035383262356664323361326234343561336338616237 -30373461343465646366373564363838326266326566356166333935356261633066613438613331 -31363232653831636634643765323036663266643862363431373465313465316630313261353538 -31356233363435323937393439333838373462313033336338356666343432656162626461643238 -66386464316262303433363231376535363437653562326264313135643737383462656365666361 -64366234633535333434373163333164643666653638386639616436373739353431313730346461 -64366665336561313830393036616239376234343239383833376138323261633831303735303330 -61643462353839633934326639663839386565353736356535383836626231323430366136626535 -65366332383438343235623034636234613566653137386163626634653065626163376139313938 -33646366626234663934666235393661663435336334333362626633353730633538346231643034 -32303964363134336163356537663535306235363664623938323339643663336365373035393235 -36313731376534356166333266383163663264646634396334303166343637626233333162326536 -38343430396136663231343834373535336632666532313037373336383233306634306566396230 -35653264643339613634343538336439356539346462663336316361663435376332323330373461 -34313537646234383536633239363734356564336334633434383333393733323466336231666362 -65353562623565656462316462643466386432303063363461373836316236616433646334666561 -323965343133626434643938396633643338 
+61623264646363313062633131306234666436616566383936616431653033303531333738666639 +6137653535623535333435383862306361376564396562370a366166373232343137363662356463 +34383636393830386465323534373534336462333937316530666139633835356635356562353134 +3234333736333831390a663033313531363838303566666530373432346536306137393561393734 +32613234373363333233333630666464386437333337623434356161303834656662366661343363 +62326164363764323365643166636664343032613835656663363636383963663138633837646466 +33373838343439663830626432353332666138356564383864616632353063376634393032613231 +38336233396263316563363332316131323439363664646237383731363930613563343763653537 +66383137353633653931616564616365366564626431626439383661666535663430353463346232 +31613536343566373437353738323133646439373465376632656530393033373037383864663937 +66623563393138653437353437373138386365653433313166353231653530613935333038653830 +61306239356433346438663239646162633838623036653439376362336636633862383266633239 +33363666383934633665303537396663363339323761356439636331656163363436333865306338 +63656166343835646262393634613865623936633566356531366663326431353836363238656631 +31333862346266653933663236626234663865373936623334323433643661343634653334316662 +36313262626230356531393661303834653263666138613435333538373330633432366338363131 +33336566633030346136613566353366653333666661336463336333333634643433393333353061 +65653236653362636564653932306131346532343738333361646563623865373538636662643932 +37373961313935373964376336333337396135623764376563623431326266633434336665303864 +34383836333762336665313635366166316339396437656330636432353064343836616362326432 +34353532626362636661363631666335316564636237646336323666636661336532313266616264 +37353637626636613161396430623139323662303862393439643235653833386166363332616438 +62653439363861626437663736313436386138363466333566333335323265333930366337386537 +63353931353165666337666330636363386463616463376336323834343666393331653863633430 
+64626636373363626335303234306662323335363130623763333835373438373733353136306463 +31646363663463623635363537636338376131623766386339623763376532343733613061343736 +31653764383737646132353537633631643265336539316332636465353638346163613036653038 +64653238363661303032666330623334376130383365386334313137376339623164313538643637 +32323539346664663237306630346365646364663231633162393265376433313633336661326137 +35366662386235616531323264326632353635646337303830663364643336653039643865313036 +36343634613563353965643330306134393664336238653361616631623837313764653835333464 +31303835653265343466303363623331376631383064643336306166386632353566633231303031 +64646338333961373237323563633462363236626134366430323334373864633731323838383562 +65356137323234653932373438306335383666386433386563343136343934623936653565663135 +61353366393735663064383234343435633738623233643535393337326531356131643131646562 +34623862626430343464663230323561313736646135323339656562323332306265323765626130 +31333531626236393165663236393464303338623937646331663563636336316166303462396562 +66643638383432333035373431393463343831643731636133343538346431613236663266643639 +39346332303537393031353231626433393165386437343361663335646165623165336337643237 +30643466666462373937346162383032386361383439613332653162613765326237643038613665 +38633134653934346464346233323563623139386235343766386661643861313638643936636439 +34393039626163336636323862643237363633373339353263303035386636393232613536633038 +32656335396564623133373439333065633638373032323161383436363966386535393135623931 +62313838353034343033653130633666336433656565373836336331363339636330663836343835 +64656461376235323133316135396464353239316438386466323964326139316564313938333363 +66636337613362633639623265336434313938366666626434393532373534303865376632313830 +32353861306165383133633132623939386338343364623132386135316361336238616432383662 +31663763306431623932323930373637363633346139663539666236363032386535363932393264 
+63306437616635343263643162393462653835643038373961336531313635663732343062613164 +63316463376239383634373461343533393730613235633765356166313131613230326562303863 +38626365383035363130326365353366316635323832333630343934346632643566373062313963 +38356165646438383936336431326566386564306636386432643537666434613434343235323666 +32366432393663333632383333333837646237643730383438336364376235353463656238393431 +34656561613566383761386233366637343230613634333062636239626639343132353837656363 +63373264646631336664303662386531386635303861333662313633613933353063363832623462 +35656536616333333861383930623237363062363335636231383033316465323339396530353166 +61613935366233326532366135623939353135323336346630303933633731316461626463643936 +64393430386430343362346334633036316464656561356132376365323463316631336530346663 +65373432666436323364316633623734353464393036383065643832653838323730643163393033 +37383639343061616563623365383564336132356162373937346338356562313262366261646434 +65656631326334336230333862303766633363653863666330373530343132336262653763336331 +31303535393231373833633631323265383435666665353461306638633031376339613230343966 +31306134383164333763656262636537343563386336393734626139646136643635313038663830 +65376366656465653165663762313738303438346136646638633962646466626339653566343530 +33353061643730663138383662663233383864626631626238306266653734306161383431653530 +38353262386439663331633465313262386630363465646661643366336438356163393564653565 +65346637346533323338383233313434346361383139666363336435633535326434373438366533 +64303737336631643735376130653031303533646464313562623036643762653937613735316162 +61396336376534393738323830333864383533343834616432373731633431316662656137363030 +36313566633863383162643432396235306661393563303138386339343462636566323135313631 +32336365393662633932383665623561373164353963646464323163303039333035366562363634 +34643731343931656239326165323962613630636132353334643866393933653631393134326635 
+61353538633337343935396566396437663137326161323032336665356531373433643231326164 +38663463633863643636336337316162666339343630373366396634666363306137323161626561 +33336332383330383761623636366464353163386633356132656364373962316437626664333439 +38393137356364383535383231613431343261613036666238323431663532663333336563306239 +31313931623665623661323433346138383430366433623738356366373337383263316435393330 +30356131333132343333623732383263353330346635613833626562613536376232386663663265 +39636239663139393761303363313862333834336265616330353933333935616637646639326461 +34323231616662306366616665346239313839616435393738303833653138353135353161393830 +34653163386161653536666330353431356133623639653539316166313661343136643565393735 +33343966613534653034333261383136323135613032613063653363303437633832653834393063 +63623738333361636638646234363665616563633534626638613938613933343638386165346537 +61316261663039633462333637636561656166663430353037336530663036353564353530323663 +61386164636461363831303231353733646431313334323761633835373832333663306336633836 +63363838613434303066333732333237343264363238313962393230633165396135643431626664 +35316663333439326437343331303639616365633938393039633362303135393230313261376531 +62343533383034363331343661333036646530366665336431303561653138626262336239303864 +30643131356538316434313665353466383539383034623830363264343736396130623265306564 +30666535393839306333616134323333326535336564313735323864346139393762336265623137 +33653734393464353833333939363766656436393639626161383666613263643064323933663834 +63663761356233633134646561353631396364343761386631323764643631663564653265303330 +38333466666634383666326132356132303363666136666132373161383863653434333633386238 +36333361383663396238643433383338646461386363396563643133303166356538666435646639 +65353034373263316139363464343434326362366531666233323366383331353131383634396538 +65313631363564303133396462353934623939663739343431346465386430353030363235343032 
+33653065643334663737643961396530316336633562323733626261376462303366313462353464 +38666235366365633833336630316564643132633839313465636164393439626635653739346166 +61343765653037656533313663333139663364666239626263393261353732363639623966623961 +62643266313734363064333063633030383865653665313832623535636666623364333635643238 +64623233393962313032343938666363333533653331303334643032636561303030633066636634 +35363864613430356264633936663833373739643562343631623336316263373939353563393634 +35376466376161383563646430363432626639363436633365323137346338306161636230323934 +38383238646366343766333032633038663037386339333038636136343732613838306130303539 +61303963333035366330646636336530396331333739306666396333333839613536343337323230 +31326461623731653461376132356165343130333235336130323361616333333762623131393265 +36636335313539613565326537373565313036306465326631326332373364313565333834373232 +36346166373433313033363533346565316535666538363538303134616365326336613461633931 +39333633383939623633386263346637386465326139363336663738393538393039376338366461 +64336138643166663362376339366537653463386265316434346532663633643765663339333062 +34303739366634383330356161333031313465323235666437363136643964623431336133633031 +62373462623531373665653137383833643332366562396134386536666666356139663631323965 +33633266353062363339613139666534393737393765383830643731616366316164626335373564 +38613533356661626163646138316163343938666366353964623131383063353534326637323162 +66633139633861623765316631323933363662383234616238336333383135326166656530376331 +30613534613636333533356666333864326438646462383862616338323864336136323566393231 +64323339386363623063373237346362366665666662306266323338653561396535323766316233 +30383036326331323563663533333166366130326262393732343135643463643064313364393530 +39326332346635343333376636316363393230336563333261616263343833386334376636623233 +65396330613837636139636132303530316236666132646266383466306663313038343833373734 
+35376339666664393533666134353330626163306432363634653364343934343336306264646439 +66383138626232343639623033383565626232323830626362313733666663633037343737623333 +34653665666262303236616534343436333334393837326661383932623430303038623538313463 +38373233373730633937306638333966653433626666373565623866646665643231323065383230 +38353961396438373236393038626237346162653966383364626366666335656465346336323830 +63343937363732326239396664663963633733643036396164343038613136373037383664646130 +36386564333734643336303661336230363865323936343732646564336136653732363334316135 +38383935396161653132396661373636353761616661616635303465653266623337303534353038 +61333937393534336533363933383461303539303964353164376134653134356439356462376161 +62356333363238376139356231373835386139363637336566356132363932313639643334396334 +36326630663532313536393139386336303833653833323532653230613166376233633739623738 +35336138343434343064616335373836363032376537386439323165336365626230316435623766 +33653434633766323864343031346565323936373133396436623036353563653236393230653065 +63616336316339393034643063376137663565396137356461303061626336343437316462653437 +64383765376439616232663936616564366136666139343663336634366530303561303163373339 +66616233613532636138613836636666323237646566356538376566626639356436376230306130 +64623430613962333537366235616631323833626163383138393662623539643864346436346561 +64326636396235613534666534306639363864303539623563333934353766306130356564333538 +65386338616639663338636337303038316633383866346362633636653162353433366131333866 +38643037646531643633333334626163353833623833616338373863373533316561313361616462 +36323533343932376633653138363162646362313332353065633561666664663436376230376432 +31373461613033306434313136373532303666306130353064326436373961633534656462643866 +65623238396163646336343461303137366135306263313035663461653465346638383835666362 +30306431396136616334666631646662386533343238323962353837306139316335386234366333 
+63343564386630356566363234636466303162643438653561323263336464633964616162616366 +30376532313739306339336366306262663230366337313662313036303436666563326236333961 +61373231653433613861633363333633626366643133633933333363636635656530643464653834 +61306633333032316531396165366462386230336330376239653436313836643435316533613331 +66623261396262316133326233316361656634333936353531623964313235333739376137633961 +31656631643966393164323463373832363538653235333165333061653163333436633335633632 +31613930333061653331303863303233376431306361613230383763623231636330343566323237 +65306430366133393332386631356135663134306264633536636134623230386635313231343661 +31383638616565363364373561613162393133363538626332363964663139336466336538333139 +61613939653866333037393564383464663331306439643163343464373766313139656264316163 +35383461663231613539613462336162353635333030323663333139653337663932633035666336 +65376264306639316137383730626561396365316661396564623335313865313263646536613233 +39313365333736363861666363383537376666346533383865636535343764326635343061366535 +33323336303861393862623832353936383537363238623932643035323863303865383233633432 +39366637656264656463393664336565366465333766643437623164636565346364623730633234 +66663432383765643161356533633564626463383237373330663836346232636635373330363161 +36303039393035396364666366373664623031363836646233616565346634356130646639313432 +33323736373133383666613565356133343266343432633737313030663466636135326364623639 +33633337383762333634613637383731613031353834663262313230303166376361373931623836 +33663232633661373663376163303131373363313036666262613866633237373261393130626364 +63343535396462316536356334356463323466656633373439656161356162386666386461336163 +33373233616539653634663136623630626137663832313361313663306438643737393262653862 +38313233396334353433313162316434653162653739663935396539326330383439366364343532 +38336266353964656163346537333166366431626239356465313634623035373861333663633862 +3164 
diff --git a/group_vars/aurore/main.yml b/group_vars/aurore/main.yml new file mode 100644 index 0000000..7cf0189 --- /dev/null +++ b/group_vars/aurore/main.yml @@ -0,0 +1,4 @@ +--- +apartment_block: aurore +apartment_block_id: 0 +router_ip_suffix: 254 diff --git a/hosts b/hosts index 1f41aab..277bcc0 100644 --- a/hosts +++ b/hosts @@ -12,6 +12,8 @@ merlin.adm.auro.re [aurore_vm] +routeur-aurore.adm.auro.re +routeur-aurore-backup.adm.auro.re radius-aurore.adm.auro.re dhcp-aurore.adm.auro.re dns-aurore.adm.auro.re @@ -111,7 +113,6 @@ dhcp-edc-backup.adm.auro.re unifi-edc.adm.auro.re radius-edc.adm.auro.re radius-edc-backup.adm.auro.re -routeur-aurore.adm.auro.re ldap-replica-edc.adm.auro.re ldap-replica-edc-backup.adm.auro.re @@ -150,6 +151,11 @@ thor.adm.auro.re ############################################################################### # Groups by location +# -aurore services +[aurore:children] +aurore_vm + + # everything at ovh [ovh:children] ovh_pve diff --git a/network.yml b/network.yml index 43f2297..25e0920 100755 --- a/network.yml +++ b/network.yml @@ -29,6 +29,11 @@ - router - radvd +# No radvd here +- hosts: ~routeur-aurore.*\.adm\.auro\.re + roles: + - router + # Radius (backup only for now) - hosts: ~radius-(edc|fleming|pacaterie|gs).* diff --git a/roles/router/handlers/main.yml b/roles/router/handlers/main.yml index 11ba484..b095c21 100644 --- a/roles/router/handlers/main.yml +++ b/roles/router/handlers/main.yml @@ -2,6 +2,7 @@ systemd: state: restarted name: keepalived + enabled: yes - name: run aurore-firewall command: python3 main.py --force diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml index d09a2c8..a686a6e 100644 --- a/roles/router/tasks/main.yml +++ b/roles/router/tasks/main.yml 
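Review bot: `enabled: yes` in the `restart keepalived` handler is a YAML 1.1 truthy literal; write `enabled: true` so the value does not depend on the loader's YAML version and yamllint's truthy rule and ansible-lint stay quiet. Enabling the unit from a restart handler also means it only happens when keepalived.conf changes, so a host that already had the final config before this commit would presumably keep the unit disabled until the next config change; an explicit `systemd: { name: keepalived, enabled: true }` task next to the install step would make the desired state unconditional. The handler's `- name:` line is outside this hunk.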
@@ -1,5 +1,16 @@ --- +# XXX: YES, this is ugly as fuck. +- name: set IP suffix (main) + set_fact: + router_hard_ip_suffix: 240 + when: "'backup' not in ansible_hostname" + +- name: set IP suffix (backup) + set_fact: + router_hard_ip_suffix: 140 + when: "'backup' in ansible_hostname" + - name: Enable IPv4 packet forwarding ansible.posix.sysctl: name: net.ipv4.ip_forward @@ -12,6 +23,13 @@ value: '1' sysctl_set: yes +- name: Configure /etc/network/interfaces for routeur-aurore* + template: + src: interfaces-aurore + dest: /etc/network/interfaces + mode: 0644 + when: "'routeur-aurore' in ansible_hostname" + - name: Install aurore-firewall (re2o-service) import_role: name: re2o-service @@ -25,12 +43,21 @@ password: "{{ vault_serviceuser_passwd }}" notify: run aurore-firewall -- name: Configure aurore-firewall +- name: Configure aurore-firewall for local router template: src: firewall_config.py dest: /var/local/re2o-services/aurore-firewall/firewall_config.py mode: 0644 notify: run aurore-firewall + when: "'routeur-aurore' not in ansible_hostname" + +- name: Configure aurore-firewall for routeur-aurore* + template: + src: firewall_config_aurore.py + dest: /var/local/re2o-services/aurore-firewall/firewall_config.py + mode: 0644 + notify: run aurore-firewall + when: "'routeur-aurore' in ansible_hostname" - name: Install keepalived apt: @@ -40,13 +67,21 @@ retries: 3 until: apt_result is succeeded -- name: Configure keepalived +- name: configure keepalived for local router template: src: keepalived.conf dest: /etc/keepalived/keepalived.conf mode: 0644 notify: restart keepalived + when: "'routeur-aurore' not in ansible_hostname" +- name: configure keepalived for routeur-aurore* + template: + src: keepalived-aurore.conf + dest: /etc/keepalived/keepalived.conf + mode: 0644 + notify: restart keepalived + when: "'routeur-aurore' in ansible_hostname" - name: Configure cron template: 
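Review bot: `configure keepalived for routeur-aurore*` renders keepalived-aurore.conf with `mode: 0644`, and that template (added in the same commit) embeds `{{ keepalived_password }}` as `auth_pass`, so the VRRP password ends up world-readable in /etc/keepalived/keepalived.conf; the pre-existing `configure keepalived for local router` task has the same problem. keepalived reads the file as root, so use `mode: "0600"` on both tasks (quoted, so the octal is not retyped by the parser). The two `set_fact` tasks that pick `router_hard_ip_suffix` can be a single task, `router_hard_ip_suffix: "{{ 140 if 'backup' in ansible_hostname else 240 }}"`, which also removes the need for the XXX comment. The `Configure cron` task at the end of the last hunk continues outside the hunk.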
diff --git a/roles/router/templates/firewall_config_aurore.py b/roles/router/templates/firewall_config_aurore.py new file mode 100644 index 0000000..c41fd92 --- /dev/null +++ b/roles/router/templates/firewall_config_aurore.py @@ -0,0 +1,49 @@ +# -*- mode: python; coding: utf-8 -*- +# Re2o est un logiciel d'administration développé initiallement au rezometz. Il +# se veut agnostique au réseau considéré, de manière à être installable en +# quelques clics. +# +# Copyright © 2017 Gabriel Détraz +# Copyright © 2017 Goulven Kermarec +# Copyright © 2017 Augustin Lemesle +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +### Give me a role + +role = ['routeur'] + +### Specify each interface role + +interfaces_type = { + 'routable' : ['ens21', 'ens22'], + 'sortie' : ['ens18', 'ens1'], + 'admin' : ['ens19', 'ens20', 'ens23'] +} + +### Specify nat settings: name, interfaces with range, and global range for nat +### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST +### contain /16 range + +nat = [ + { + 'name' : 'AdminVlans', + 'extra_nat' : { + '10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}', + '10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}', + '10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}' + } + } +] 
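Review bot: The WARNING comment above `nat` describes keys `interface_ip_to_nat` and `ip_sources` with /24 and /16 constraints, but the `AdminVlans` entry only defines `extra_nat`, mapping one /32 and two /16 prefixes, so the comment no longer describes what this file configures. Replace it with a comment stating the actual intent, e.g. `### extra_nat: source prefix -> SNAT address. Admin (10.128/16), switches (10.130/16) and the routing VIP (10.129.0.254/32) leave through this router's VLAN 111 address.` Whether aurore-firewall accepts a /32 key in `extra_nat` cannot be seen from this file and is worth confirming against the consumer. `ens1` is listed under `sortie` while the companion interfaces-aurore template only configures it as `inet6 manual`, which is presumably deliberate (IPv6-only uplink) and deserves a one-line comment here.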
diff --git a/roles/router/templates/interfaces-aurore b/roles/router/templates/interfaces-aurore new file mode 100644 index 0000000..440392f --- /dev/null +++ b/roles/router/templates/interfaces-aurore 
@@ -0,0 +1,84 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +source /etc/network/interfaces.d/* + +# The loopback network interface +auto lo +iface lo inet loopback + +# VLAN 129: routage +auto ens18 +iface ens18 inet static + address 10.129.0.{{ router_hard_ip_suffix }}/16 + gateway 10.129.0.1 + +iface ens18 inet6 static + address 2a09:6840:129::0:{{ router_hard_ip_suffix }}/64 + + post-up ip route add 2a09:6840:10::/64 via 2a09:6840:129::1:254 dev ens18 + post-up ip route add 2a09:6840:11::/64 via 2a09:6840:129::1:254 dev ens18 + + post-up ip route add 2a09:6840:20::/64 via 2a09:6840:129::2:254 dev ens18 + post-up ip route add 2a09:6840:21::/64 via 2a09:6840:129::2:254 dev ens18 + + post-up ip route add 2a09:6840:40::/64 via 2a09:6840:129::4:254 dev ens18 + post-up ip route add 2a09:6840:41::/64 via 2a09:6840:129::4:254 dev ens18 + + post-up ip route add 2a09:6840:50::/64 via 2a09:6840:129::5:254 dev ens18 + post-up ip route add 2a09:6840:51::/64 via 2a09:6840:129::5:254 dev ens18 + + +# The primary network interface +allow-hotplug ens19 +iface ens19 inet static + address 10.128.0.{{ router_hard_ip_suffix }}/16 + gateway 10.128.0.254 + dns-search adm.auro.re + +iface ens19 inet6 static + address 2a09:6840:128::0:{{ router_hard_ip_suffix }}/64 + + # Ensures internet connectivity when running as keepalived backup. + gateway 2a09:6840:128::0:254 + +# VlAN 130: switches +auto ens20 +iface ens20 inet static + address 10.130.0.{{ router_hard_ip_suffix }}/16 + +iface ens20 inet6 static + address 2a09:6840:130::0:{{ router_hard_ip_suffix }}/64 + +# VLAN 111: IPs publiques serveurs +auto ens21 +iface ens21 inet static + address 45.66.111.{{ router_hard_ip_suffix }}/24 + + # Nécessaire pour contacter re2o et bootstrap le firewall. + # Ces directives sont _aussi_ set par aurore-firewall ! 
+ up iptables -t nat -A POSTROUTING -s 10.129.0.{{ router_hard_ip_suffix }}/32 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }} + up iptables -t nat -A POSTROUTING -s 10.128.0.0/16 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }} + up iptables -t nat -A POSTROUTING -s 10.130.0.0/16 -j SNAT --to-source 45.66.111.{{ router_hard_ip_suffix }} + +iface ens21 inet6 static + address 2a09:6840:111::{{ router_hard_ip_suffix }}/48 + +# VLAN 110: IP publiques adhérents +auto ens22 +iface ens22 inet static + address 45.66.110.{{ router_hard_ip_suffix }}/24 + +iface ens22 inet6 static + address 2a09:6840:110::{{ router_hard_ip_suffix }}/48 + +# VLAN 131: onduleurs et PDU +auto ens23 +iface ens23 inet static + address 10.131.0.{{ router_hard_ip_suffix }}/16 + +iface ens23 inet6 static + address 2a09:6840:131::0:{{ router_hard_ip_suffix }}/64 + +auto ens1 +iface ens1 inet6 manual diff --git a/roles/router/templates/keepalived-aurore.conf b/roles/router/templates/keepalived-aurore.conf new file mode 100644 index 0000000..6687229 --- /dev/null +++ b/roles/router/templates/keepalived-aurore.conf 
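Review bot: ens18 and ens19 both declare an IPv4 `gateway` (10.129.0.1 and 10.128.0.254) without a `metric`, so ifupdown will try to install two default routes; the second `ip route add default` normally fails with EEXIST, and which one survives depends on interface bring-up order, with the ens19 candidate pointing at the admin VIP that this very router owns when it is keepalived master. Keep a single IPv4 default (the keepalived `virtual_routes` entry already installs `0.0.0.0/0 via 10.129.0.1` on the master) or give the ens19 route an explicit `metric` so it only wins when the primary is absent. The three `up iptables -t nat -A POSTROUTING ...` lines on ens21 have no `down` counterpart, so every ifdown/ifup cycle appends duplicate SNAT rules; pair each with `down iptables -t nat -D POSTROUTING ...` or make the `up` line idempotent with `iptables -t nat -C ... || iptables -t nat -A ...`. Until aurore-firewall has run, forwarding is enabled with only these SNAT rules and no FORWARD filtering — presumably acceptable for the bootstrap window the comment describes, but say so explicitly in that comment.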
@@ -0,0 +1,121 @@ +global_defs { + notification_email { + monitoring.aurore@lists.crans.org + } + notification_email_from routeur-aurore{% if 'backup' in inventory_hostname %}-backup{% endif %}@auro.re + smtp_server smtp.crans.org +} + + +vrrp_instance VI_ROUT_aurore_IPv4 { + {% if 'backup' in inventory_hostname %} + state BACKUP + priority 100 + {% else %} + state MASTER + priority 150 + {% endif %} + + + # Interface used for VRRP communication. + interface ens19 + + # Shared by MASTER and BACKUP + virtual_router_id 40 + + # Timeout in seconds before failover kicks in. + advert_int 2 + + # Used to authenticate VRRP communication between master and backup. + authentication { + auth_type PASS + auth_pass {{ keepalived_password }} + } + + smtp_alert + + virtual_ipaddress { + # Routing + 10.129.0.254/16 brd 10.129.255.255 dev ens18 scope global + + # Adm + 10.128.0.254/16 brd 10.129.255.255 dev ens19 scope global + + # Switches + 10.130.0.254/16 brd 10.130.255.255 dev ens20 scope global + + # IPs publiques serveurs + 45.66.111.254/24 brd 45.66.111.255 dev ens21 scope global + + # IPs publiques adhérents + 45.66.110.254/24 brd 45.66.110.255 dev ens22 scope global + + # VLAN 131: Onduleurs et PDUs + 10.131.0.254/16 brd 10.131.255.255 dev ens23 scope global + } + + + virtual_routes { + # IPv4 gateway: yggdrasil + src 10.129.0.254 to 0.0.0.0/0 via 10.129.0.1 dev ens18 + } +} + +vrrp_instance VI_ROUT_aurore_IPv6 { + {% if 'backup' in inventory_hostname %} + state BACKUP + priority 100 + {% else %} + state MASTER + priority 150 + {% endif %} + + + # Interface used for VRRP communication. + interface ens19 + + # Shared by MASTER and BACKUP + virtual_router_id 60 + + # Timeout in seconds before failover kicks in. + advert_int 2 + + # Used to authenticate VRRP communication between master and backup. 
+ authentication { + auth_type PASS + auth_pass {{ keepalived_password }} + } + + smtp_alert + + virtual_ipaddress { + # Hello zayo + 2001:1b48:2:103::d7:2/126 dev ens1 scope global + + # Routing + 2a09:6840:129::254/64 dev ens18 scope global + + # Adm + 2a09:6840:128::254/64 dev ens19 scope global + + # Switches + 2a09:6840:130::254/64 dev ens20 scope global + + # IPs publiques serveurs + 2a09:6840:111::254/64 dev ens21 scope global + + # IPs publiques adhérents + 2a09:6840:110::254/64 dev ens22 scope global + + # VLAN 131: Onduleurs et PDUs + 2a09:6840:131::254/64 dev ens23 scope global + } + + + virtual_routes { + # For IPv6, the master router is routeur-aurore, NOT yggdrasil, + # because yggdrasil doesn't support BGPv6 announcements. + src 2001:1b48:2:103::d7:2/126 to ::/0 via 2001:1b48:2:103::d7:1 dev ens1 + } +} + From 5c4619138973e366ede21b54d018ea525da06b9d Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Fri, 4 Sep 2020 09:56:02 +0200 Subject: [PATCH 236/297] Register camelot and gitea, make camelot accessible for everyone --- hosts | 2 ++ roles/ldap-client/tasks/1_group_security.yml | 1 + 2 files changed, 3 insertions(+) diff --git a/hosts b/hosts index 277bcc0..d7eaa31 100644 --- a/hosts +++ b/hosts @@ -19,6 +19,8 @@ dhcp-aurore.adm.auro.re dns-aurore.adm.auro.re docker-worker1-aurore.adm.auro.re proxy-backup.adm.auro.re +camelot.adm.auro.re +gitea.adm.auro.re ############################################################################### diff --git a/roles/ldap-client/tasks/1_group_security.yml b/roles/ldap-client/tasks/1_group_security.yml index 8477ac4..06664e6 100644 --- a/roles/ldap-client/tasks/1_group_security.yml +++ b/roles/ldap-client/tasks/1_group_security.yml @@ -1,6 +1,7 @@ --- # Filter SSH on groups - name: Filter SSH on groups + when: ansible_facts['hostname'] != "camelot" # Camelot is accessible for everyone lineinfile: dest: /etc/ssh/sshd_config regexp: ^AllowGroups 
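Review bot: The Adm VIP in the IPv4 instance is written as `10.128.0.254/16 brd 10.129.255.255 dev ens19`, which is the broadcast of 10.129.0.0/16 copied from the Routing line above it; for 10.128.0.0/16 it must be `brd 10.128.255.255`, otherwise the VIP is installed with a broadcast address outside its own subnet. `auth_type PASS` sends the VRRP password in clear text on ens19 and keepalived uses only the first eight characters of `auth_pass`, and upstream keepalived documents VRRP authentication as deprecated, so a comment should state that the protection here comes from the admin VLAN being trusted rather than from the password. The IPv4 and IPv6 instances are not joined by a `vrrp_sync_group`, so they can fail over independently and leave the v4 and v6 gateways on different routers; if that is not intended, add `vrrp_sync_group VG_aurore { group { VI_ROUT_aurore_IPv4 VI_ROUT_aurore_IPv6 } }`.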
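Review bot: `when: ansible_facts['hostname'] != "camelot"` only skips managing `AllowGroups` on camelot; it does not remove an `AllowGroups` line that already exists in /etc/ssh/sshd_config there, so the comment "accessible for everyone" holds only if that line was never written on the host. If the intent is to open SSH to all LDAP users, manage that state explicitly — a companion `lineinfile` with `regexp: ^AllowGroups` and `state: absent` for that host, or better an inventory variable such as `ssh_allow_all_users: true` in host_vars instead of a hard-coded hostname — and document the exception at the top of the file. The `when:` sits between `name:` and the module call; placing it after the `lineinfile:` block matches the layout used in roles/router/tasks/main.yml in this series. The lineinfile task continues past the end of the hunk.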
From 276a780c6545d883200aea43e9fcb485c22918da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Tue, 8 Sep 2020 22:32:49 +0200 Subject: [PATCH 237/297] hosts: add viviane and nextcloud --- hosts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hosts b/hosts index d7eaa31..c8f971e 100644 --- a/hosts +++ b/hosts @@ -8,6 +8,8 @@ ############################################################################### # Aurore : main services +viviane.adm.auro.re + [aurore_pve] merlin.adm.auro.re @@ -21,7 +23,7 @@ docker-worker1-aurore.adm.auro.re proxy-backup.adm.auro.re camelot.adm.auro.re gitea.adm.auro.re - +nextcloud.adm.auro.re ############################################################################### # OVH From 53842e4c2f617eb127890dda00558e5a023113eb Mon Sep 17 00:00:00 2001 From: chirac Date: Wed, 9 Sep 2020 23:16:35 +0200 Subject: [PATCH 238/297] Add ipv6 Radius AURORE address --- roles/radius/templates/proxy.conf.j2 | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/roles/radius/templates/proxy.conf.j2 b/roles/radius/templates/proxy.conf.j2 index 36a7acc..737d4c2 100644 --- a/roles/radius/templates/proxy.conf.j2 +++ b/roles/radius/templates/proxy.conf.j2 
@@ -33,21 +33,22 @@ home_server radius_aurore_v4 { num_answers_to_alive = 3 } -#home_server _v6 { -# type = auth -# ipaddr = -# port = 1812 -# secret = -# require_message_authenticator =yes -# response_window = 20 -# zombie_period = 40 -# revive_interval = 120 -# status_check = status-server -# check_interval = 30 -# num_answers_to_alive = 3 -#} +home_server radius_aurore_v6 { + type = auth + ipaddr = 2a09:6840:128::251 + port = 1812 + secret = {{ radius_secret_aurore }} + require_message_authenticator =yes + response_window = 20 + zombie_period = 40 + revive_interval = 120 + status_check = status-server + check_interval = 30 + num_answers_to_alive = 3 +} home_server_pool aurore_central_radius_servers { type = fail-over home_server = radius_aurore_v4 + home_server = radius_aurore_v6 } From 26743b464d45639bd04eca96c279005819a98bb6 Mon Sep 17 00:00:00 2001 From: chirac Date: Wed, 9 Sep 2020 23:17:15 +0200 Subject: [PATCH 239/297] Add Radius-aurore.adm.auro.re to ansible managed radius servers --- group_vars/all/vars.yml | 1 + group_vars/all/vault.yml | 338 +++++++++--------- network.yml | 2 +- nuke-radius-dbs.yml | 2 +- roles/radius/tasks/main.yml | 26 +- .../radius/templates/clients-federez.conf.j2 | 22 ++ roles/radius/templates/proxy-federez.conf.j2 | 87 +++++ 7 files changed, 305 insertions(+), 173 deletions(-) create mode 100644 roles/radius/templates/clients-federez.conf.j2 create mode 100644 roles/radius/templates/proxy-federez.conf.j2 diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 2b53213..b2ae5d8 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml 
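Review bot: `require_message_authenticator =yes` is missing the space after `=`; FreeRADIUS tolerates it, but write `require_message_authenticator = yes` like the other keys in the block. `home_server_pool aurore_central_radius_servers` now does `fail-over` between an IPv4 and an IPv6 home server that share `radius_secret_aurore`; if 2a09:6840:128::251 is the same machine as radius_aurore_v4 (its ipaddr is outside this hunk), the pool gains only an address-family fallback rather than a second server, which is worth stating in a comment above the pool so nobody mistakes it for redundancy.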
@@ -72,6 +72,7 @@ re2o_aes_key: "{{ vault_re2o_aes_key }}" radius_secret_aurore: "{{ vault_radius_secrets.aurore }}" radius_secret_wifi: "{{ vault_radius_secrets.wifi }}" radius_secret_wired: "{{ vault_radius_secrets.wired[apartment_block] }}" +radius_secret_federez: "{{ vault_radius_secrets.federez }}" radius_pg_replication_password: "{{ vault_re2o_db_user_passwords.replication }}" radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}" diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index c9330fd..52a14ab 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml 
@@ -1,170 +1,170 @@ $ANSIBLE_VAULT;1.1;AES256 -61623264646363313062633131306234666436616566383936616431653033303531333738666639 -6137653535623535333435383862306361376564396562370a366166373232343137363662356463 -34383636393830386465323534373534336462333937316530666139633835356635356562353134 -3234333736333831390a663033313531363838303566666530373432346536306137393561393734 -32613234373363333233333630666464386437333337623434356161303834656662366661343363 -62326164363764323365643166636664343032613835656663363636383963663138633837646466 -33373838343439663830626432353332666138356564383864616632353063376634393032613231 -38336233396263316563363332316131323439363664646237383731363930613563343763653537 -66383137353633653931616564616365366564626431626439383661666535663430353463346232 -31613536343566373437353738323133646439373465376632656530393033373037383864663937 -66623563393138653437353437373138386365653433313166353231653530613935333038653830 -61306239356433346438663239646162633838623036653439376362336636633862383266633239 -33363666383934633665303537396663363339323761356439636331656163363436333865306338 -63656166343835646262393634613865623936633566356531366663326431353836363238656631 -31333862346266653933663236626234663865373936623334323433643661343634653334316662 -36313262626230356531393661303834653263666138613435333538373330633432366338363131 -33336566633030346136613566353366653333666661336463336333333634643433393333353061 -65653236653362636564653932306131346532343738333361646563623865373538636662643932 -37373961313935373964376336333337396135623764376563623431326266633434336665303864 -34383836333762336665313635366166316339396437656330636432353064343836616362326432 -34353532626362636661363631666335316564636237646336323666636661336532313266616264 -37353637626636613161396430623139323662303862393439643235653833386166363332616438 -62653439363861626437663736313436386138363466333566333335323265333930366337386537 
-63353931353165666337666330636363386463616463376336323834343666393331653863633430 -64626636373363626335303234306662323335363130623763333835373438373733353136306463 -31646363663463623635363537636338376131623766386339623763376532343733613061343736 -31653764383737646132353537633631643265336539316332636465353638346163613036653038 -64653238363661303032666330623334376130383365386334313137376339623164313538643637 -32323539346664663237306630346365646364663231633162393265376433313633336661326137 -35366662386235616531323264326632353635646337303830663364643336653039643865313036 -36343634613563353965643330306134393664336238653361616631623837313764653835333464 -31303835653265343466303363623331376631383064643336306166386632353566633231303031 -64646338333961373237323563633462363236626134366430323334373864633731323838383562 -65356137323234653932373438306335383666386433386563343136343934623936653565663135 -61353366393735663064383234343435633738623233643535393337326531356131643131646562 -34623862626430343464663230323561313736646135323339656562323332306265323765626130 -31333531626236393165663236393464303338623937646331663563636336316166303462396562 -66643638383432333035373431393463343831643731636133343538346431613236663266643639 -39346332303537393031353231626433393165386437343361663335646165623165336337643237 -30643466666462373937346162383032386361383439613332653162613765326237643038613665 -38633134653934346464346233323563623139386235343766386661643861313638643936636439 -34393039626163336636323862643237363633373339353263303035386636393232613536633038 -32656335396564623133373439333065633638373032323161383436363966386535393135623931 -62313838353034343033653130633666336433656565373836336331363339636330663836343835 -64656461376235323133316135396464353239316438386466323964326139316564313938333363 -66636337613362633639623265336434313938366666626434393532373534303865376632313830 -32353861306165383133633132623939386338343364623132386135316361336238616432383662 
-31663763306431623932323930373637363633346139663539666236363032386535363932393264 -63306437616635343263643162393462653835643038373961336531313635663732343062613164 -63316463376239383634373461343533393730613235633765356166313131613230326562303863 -38626365383035363130326365353366316635323832333630343934346632643566373062313963 -38356165646438383936336431326566386564306636386432643537666434613434343235323666 -32366432393663333632383333333837646237643730383438336364376235353463656238393431 -34656561613566383761386233366637343230613634333062636239626639343132353837656363 -63373264646631336664303662386531386635303861333662313633613933353063363832623462 -35656536616333333861383930623237363062363335636231383033316465323339396530353166 -61613935366233326532366135623939353135323336346630303933633731316461626463643936 -64393430386430343362346334633036316464656561356132376365323463316631336530346663 -65373432666436323364316633623734353464393036383065643832653838323730643163393033 -37383639343061616563623365383564336132356162373937346338356562313262366261646434 -65656631326334336230333862303766633363653863666330373530343132336262653763336331 -31303535393231373833633631323265383435666665353461306638633031376339613230343966 -31306134383164333763656262636537343563386336393734626139646136643635313038663830 -65376366656465653165663762313738303438346136646638633962646466626339653566343530 -33353061643730663138383662663233383864626631626238306266653734306161383431653530 -38353262386439663331633465313262386630363465646661643366336438356163393564653565 -65346637346533323338383233313434346361383139666363336435633535326434373438366533 -64303737336631643735376130653031303533646464313562623036643762653937613735316162 -61396336376534393738323830333864383533343834616432373731633431316662656137363030 -36313566633863383162643432396235306661393563303138386339343462636566323135313631 -32336365393662633932383665623561373164353963646464323163303039333035366562363634 
-34643731343931656239326165323962613630636132353334643866393933653631393134326635 -61353538633337343935396566396437663137326161323032336665356531373433643231326164 -38663463633863643636336337316162666339343630373366396634666363306137323161626561 -33336332383330383761623636366464353163386633356132656364373962316437626664333439 -38393137356364383535383231613431343261613036666238323431663532663333336563306239 -31313931623665623661323433346138383430366433623738356366373337383263316435393330 -30356131333132343333623732383263353330346635613833626562613536376232386663663265 -39636239663139393761303363313862333834336265616330353933333935616637646639326461 -34323231616662306366616665346239313839616435393738303833653138353135353161393830 -34653163386161653536666330353431356133623639653539316166313661343136643565393735 -33343966613534653034333261383136323135613032613063653363303437633832653834393063 -63623738333361636638646234363665616563633534626638613938613933343638386165346537 -61316261663039633462333637636561656166663430353037336530663036353564353530323663 -61386164636461363831303231353733646431313334323761633835373832333663306336633836 -63363838613434303066333732333237343264363238313962393230633165396135643431626664 -35316663333439326437343331303639616365633938393039633362303135393230313261376531 -62343533383034363331343661333036646530366665336431303561653138626262336239303864 -30643131356538316434313665353466383539383034623830363264343736396130623265306564 -30666535393839306333616134323333326535336564313735323864346139393762336265623137 -33653734393464353833333939363766656436393639626161383666613263643064323933663834 -63663761356233633134646561353631396364343761386631323764643631663564653265303330 -38333466666634383666326132356132303363666136666132373161383863653434333633386238 -36333361383663396238643433383338646461386363396563643133303166356538666435646639 -65353034373263316139363464343434326362366531666233323366383331353131383634396538 
-65313631363564303133396462353934623939663739343431346465386430353030363235343032 -33653065643334663737643961396530316336633562323733626261376462303366313462353464 -38666235366365633833336630316564643132633839313465636164393439626635653739346166 -61343765653037656533313663333139663364666239626263393261353732363639623966623961 -62643266313734363064333063633030383865653665313832623535636666623364333635643238 -64623233393962313032343938666363333533653331303334643032636561303030633066636634 -35363864613430356264633936663833373739643562343631623336316263373939353563393634 -35376466376161383563646430363432626639363436633365323137346338306161636230323934 -38383238646366343766333032633038663037386339333038636136343732613838306130303539 -61303963333035366330646636336530396331333739306666396333333839613536343337323230 -31326461623731653461376132356165343130333235336130323361616333333762623131393265 -36636335313539613565326537373565313036306465326631326332373364313565333834373232 -36346166373433313033363533346565316535666538363538303134616365326336613461633931 -39333633383939623633386263346637386465326139363336663738393538393039376338366461 -64336138643166663362376339366537653463386265316434346532663633643765663339333062 -34303739366634383330356161333031313465323235666437363136643964623431336133633031 -62373462623531373665653137383833643332366562396134386536666666356139663631323965 -33633266353062363339613139666534393737393765383830643731616366316164626335373564 -38613533356661626163646138316163343938666366353964623131383063353534326637323162 -66633139633861623765316631323933363662383234616238336333383135326166656530376331 -30613534613636333533356666333864326438646462383862616338323864336136323566393231 -64323339386363623063373237346362366665666662306266323338653561396535323766316233 -30383036326331323563663533333166366130326262393732343135643463643064313364393530 -39326332346635343333376636316363393230336563333261616263343833386334376636623233 
-65396330613837636139636132303530316236666132646266383466306663313038343833373734 -35376339666664393533666134353330626163306432363634653364343934343336306264646439 -66383138626232343639623033383565626232323830626362313733666663633037343737623333 -34653665666262303236616534343436333334393837326661383932623430303038623538313463 -38373233373730633937306638333966653433626666373565623866646665643231323065383230 -38353961396438373236393038626237346162653966383364626366666335656465346336323830 -63343937363732326239396664663963633733643036396164343038613136373037383664646130 -36386564333734643336303661336230363865323936343732646564336136653732363334316135 -38383935396161653132396661373636353761616661616635303465653266623337303534353038 -61333937393534336533363933383461303539303964353164376134653134356439356462376161 -62356333363238376139356231373835386139363637336566356132363932313639643334396334 -36326630663532313536393139386336303833653833323532653230613166376233633739623738 -35336138343434343064616335373836363032376537386439323165336365626230316435623766 -33653434633766323864343031346565323936373133396436623036353563653236393230653065 -63616336316339393034643063376137663565396137356461303061626336343437316462653437 -64383765376439616232663936616564366136666139343663336634366530303561303163373339 -66616233613532636138613836636666323237646566356538376566626639356436376230306130 -64623430613962333537366235616631323833626163383138393662623539643864346436346561 -64326636396235613534666534306639363864303539623563333934353766306130356564333538 -65386338616639663338636337303038316633383866346362633636653162353433366131333866 -38643037646531643633333334626163353833623833616338373863373533316561313361616462 -36323533343932376633653138363162646362313332353065633561666664663436376230376432 -31373461613033306434313136373532303666306130353064326436373961633534656462643866 -65623238396163646336343461303137366135306263313035663461653465346638383835666362 
-30306431396136616334666631646662386533343238323962353837306139316335386234366333 -63343564386630356566363234636466303162643438653561323263336464633964616162616366 -30376532313739306339336366306262663230366337313662313036303436666563326236333961 -61373231653433613861633363333633626366643133633933333363636635656530643464653834 -61306633333032316531396165366462386230336330376239653436313836643435316533613331 -66623261396262316133326233316361656634333936353531623964313235333739376137633961 -31656631643966393164323463373832363538653235333165333061653163333436633335633632 -31613930333061653331303863303233376431306361613230383763623231636330343566323237 -65306430366133393332386631356135663134306264633536636134623230386635313231343661 -31383638616565363364373561613162393133363538626332363964663139336466336538333139 -61613939653866333037393564383464663331306439643163343464373766313139656264316163 -35383461663231613539613462336162353635333030323663333139653337663932633035666336 -65376264306639316137383730626561396365316661396564623335313865313263646536613233 -39313365333736363861666363383537376666346533383865636535343764326635343061366535 -33323336303861393862623832353936383537363238623932643035323863303865383233633432 -39366637656264656463393664336565366465333766643437623164636565346364623730633234 -66663432383765643161356533633564626463383237373330663836346232636635373330363161 -36303039393035396364666366373664623031363836646233616565346634356130646639313432 -33323736373133383666613565356133343266343432633737313030663466636135326364623639 -33633337383762333634613637383731613031353834663262313230303166376361373931623836 -33663232633661373663376163303131373363313036666262613866633237373261393130626364 -63343535396462316536356334356463323466656633373439656161356162386666386461336163 -33373233616539653634663136623630626137663832313361313663306438643737393262653862 -38313233396334353433313162316434653162653739663935396539326330383439366364343532 
-38336266353964656163346537333166366431626239356465313634623035373861333663633862 -3164 +61333538366635353537346231363235653162356330396434383631656465616330363136306563 +3861333166386536633437386335613461646466346239360a643139303037613937373631313661 +62613337366365393964376630323261373331373533663539666663373937383263343939633635 +3062316564303439310a636231303565366438346665646238383533373736373631666162636537 +66336335353033643634636133313333666230363362366166653663343964306231616433643165 +61356563346162666536613338323266373362373537653364653762346466333862393865666638 +30303134353936323065636233616235623537353830663061343937623261326632326563653539 +62656261316231373665663639636362306339323637393032326337303136653530616236623263 +38363734376566333861653637386564643832623564386335633162376532383937333261306664 +63623538373534353963323137323131343434346464333532346234336464326564353462313436 +39303166623731323961323330633164643564306631316130313735633263353564313037613530 +64623138316532633064623532313366316565633533373562336461303033353363646536663334 +35376234333466326139303931373031653638623733383737666338366339646464363430616464 +32396533346333326633306564353364356563373130373661646332313132346538623066353261 +65633563386237633264386336313738616435666239363038396562386530316266643364643865 +63656539303534373734383865396637356565376537336437383134303462643762383138633535 +37663661343633656161343132626233643239346464613933613563643437313537643934343135 +35636538383438356338303162366164346163326536616238643739666533613363633562643831 +37666564383239663433643737346532623239373830356661306466373861626262396332613234 +38616166373666663032303136336431303536346466326337353864383330346337626563303665 +66326134363636623166313039613365626161396662313165653662623530326331646566623331 +39383063313530643731386237396539656435373363656235323332343563336561663338663863 +34313236353664343233326630646234393134653166333064643361663164616336653766303336 
+38646565393462356364316436643632613538613932313039666533356262356135633832376462 +34356538303439383334336638373361396638373363613633633036376262636533353030633739 +66663564323130346663373430323362383636646262376464313565323266613464646638626536 +65316166653033323963663366646163346666623432313039356262373164343038356334393264 +32666136356566313438616264626163363464636336316539353137353938653235356665656333 +32343431383663663035663763636564363137396639363466616538666461306365353238313032 +63313834666334633432393162306131633764663838373930383362623266656661316439383436 +30343864656366303335666464623662656332623466383761633832323463363836336634323161 +63313534373536623765373436306135353334333031376136613938636464353534376139363161 +66643530313032333831306366393231363239643932613736346364393233316437373534643339 +66333032373430663239383933383838633039326438323162653236333333336162613730623266 +33396166373233623931396430666639333165396364333063666633383764373364643931646437 +62303263626662386666646462633738386565346534313334633235383364656666326632323761 +66373239383232633739353836636438623863346530626262363030353438386439613031346132 +62653565313739636162326261303038303365663332396539386430303631346633656335303366 +36383630656438326530353634346531386466643763326131343862623133346566616364386331 +37613038343265386338323234626162313763623764373364613439373266323039363539353039 +66653635316364633736633561353730343636396566373164363166346437383463643133326539 +65313436666337366634636236663866346461343261656435336239393232316538303866386531 +39383562663932313135636535626234626266656661306564333530353532623630656564663831 +63653666373765653365393933646137303734383066633136376366303365663633363863333130 +36386634353839613038666331376534633463353935356532623635666336396638373439316139 +33653233396136343838306434373061343936656137316231303464663133303961353333303261 +63373361336638316233656434653165633030623661353237383233346134646561363931653262 
+32623830366333386433653332636333646139666233663863353731333162313837663539626466 +35353533386135663335323162333731646562393066643938383830333336323164373836643464 +66363234323739643033366566633537643566316439333633386233663165663064323864333037 +31336365303633383639343233373838626238656337333865646164666462383364643434393436 +38666436393734616262633565303238383636366233383935623936346461633339326431396636 +64623639396265613637303965373231323161316430656461326437356332633465656434643139 +61633466323363303032373563633434366430366434366234373633373639316365623336653164 +64326462656632376439343733326463653166343936643439386334653363343830616638636365 +35623562653938663430333931396134333035386562303430373536316432376364663663626338 +31356130633332336562343364363766363461396632373033393961333438663835383261373863 +64663636363234396164323138653439633532316530386133633162613464356161303765373835 +34366462306534396632653161313138386261373637613865333036653262346431323863313465 +62623137376636383465386539656530303164313765616361656266363231343066616239666462 +65653839326562386563396138653033313934336337303038306432336238303838313833383562 +32656565383861343562396531373737626165616233666636326234653038643137366134366534 +34383364346461636537643936326230636530316431663161373331333463393566383065313361 +63636564663761643737656335376537336164633538616536376330663763636439373231316231 +61396263326134373630623830313233373934336366393934376262356438316537646463643861 +35383761326438363264666363646533303236633536326333326162653162303239303437303664 +30396430663366306334663364323035646438306362396339303566356531646130303233353036 +35356437363132333965316661323761373332333939646131346639313138393462633765343064 +65646335343730616164363433386565386164313564393261336362303966393930613833636361 +33636532656439643235613566356336373232343432383430383166393362303863306332323930 +65343530393262313065356337393136326162396234646139333036353865323030336262663637 
+31633063663866316237316563333130393863666662663663303066396130616262616535613837 +63313139376631316432623863333535666139376531386138653166363365663532323464393539 +32616662306330653533326235383635616164626165306633313266346130336532633234353634 +61346466613264346633313539336463303362613532643163393263323939303561316331646163 +37353233636461376631333535616233653061376139326232323533303438363935373635326338 +65646561363433316465616430303261326634343339396466316137623330386334396466353431 +38363630303933323134336362376139643732633964616236353539376331323034396366306162 +66316261306566313433306661373333323639303836393137306438343830356162313763373064 +62396537363164306162323535336338363132626662316235333639373533386561643034616262 +62363436643963663432333536373139616565326463633235353966636330363432633438633435 +63366438333937653461346134393837316264323766393664363466646164623563643039303861 +36333330656539366534616532393233303231313635623631363930653062346439613339383639 +34316264313130663531376230633637323962653933633335333536613464373262356632616663 +37346130663438616535366633613465396462616332626664616134653065643934356134306138 +62343035303438666461343239373435363435363230343564353565396666613734633931663733 +63633932396337313962396131626364323836356538393536303364626230613365343233343731 +62653764633831646234656532336139643263343833316437336565313031346638313766633836 +62633636663630613531646161643965353235323335636535633364313038613031316666666539 +39383465333464646639666666333661623565663362346238363737666162353338363431333830 +62616336613333383137643163643730646131353734633462623866373436626430646235376437 +65396134643863336264333863643862393532353962633238373861656332636439346365646235 +32303237323635613632646266313134656361353962663862363163356436373631343166343963 +64643836306561386664663832656564383239376466646362333863666335313337336338346365 +65386230303639656561376130336139386464363866346434646538636563303136346664633562 
+30336161386464386330626539393839326332303336663233663666333331626332333131376666 +66326161643631616430623662383032373334633437613165316664613634623364303130636332 +31316639666663643333646436343265353365623434623538643264313961623663636430336566 +66326435323936316666613138633037393231316661663132393332656366366337613234393739 +35656437353466316135663364333461643235333635646566666331653666323834323166353931 +64653137366439393935633739306232616533643131393565623862623032333532373862643564 +61396636616637353831396536313634393330623836343134313164656166363435336137343934 +66313833626263323437663939663036633566613939653037356664646630663263376362336364 +64343831336430656532363331393938663534336237323838356337393362613235386333393635 +39656432356433366130326261363834323937356566643364313037303436646437326233343663 +33656163336163333036636337633636613337356363653932326365386466656139646665636434 +36343437646562643932623938316563343963323732353236383237343934373438643762333739 +32393762636434396237346334303661623835323664306637303761303464623165633331386636 +35373538373834393833626663643363346565643134616163613462376432663430643835303666 +39343738323461346239626638346438303939633836636163633139386463643365323134323830 +32386133363431303839386365636532353564346134306361626562303165363737346532323366 +32656530353364303331626463613361336635376564373730306363366133363038613962303638 +32383464383630303437393233623431316463303138383235353137316631343664633362393932 +62633337356265363962633537323233396433636232313261616664316634343337343830383366 +62313963663562343133633263303933393561346365396133396166373762366338666665353066 +35306461323361643735393935343333646637336335313738373532323034363637393933636534 +30313836363261636439663638643766373833313565313563383965323365316461323139666464 +39383461393737623833366238356136306439623262643431353232363639633932316134343432 +61643632623731653862366664663334613862643961313330613765343666623938343531393930 
+36366335393863626335666234316334303939366636323534386633623031373337353563303766 +36636562333638666466376336663236633738326261626263653139646465616134333632343362 +31306530343131346533643862333736343034653732323161356635653966303362633465363030 +63616433663538383031323161643963336462646662366362386331353433663465363263373761 +66666630646366646563396363346362313737343364373933303763316532326135393631346136 +62303866616563313035313362613462363931333539613464396334386636323364303431633935 +66653662633463613838613234316563653964613738353034396136643865373931333339376138 +66623465313261626362353930336630303063623038306366643265333137383237653262616335 +64646634663866623539383638333565663664313535323765643564313536653064353438346330 +63623032666432666666383535396166366661303335386630323734616163636163316232363031 +38663464633837653861626332616132383332626163666130626139323239633863663161313665 +61663962663332313464383730316163656361396664393965383636366665386132303234393464 +35346130653165656264396563363533306632373032313333366132363066323333313966633766 +66353534643435663531656339646138336365636665353165326439666261613131353937396338 +31613662316333393862373864393832616335306636396531313134636135333365396137346262 +63366330626362336263616435616434623131326136616566396462343763373937623764663965 +63356363363063313764646637666466353236303233323530306237363664366265386133333634 +66643365666336646535653163643563363932636534313836343832626166666365313765646137 +34636535653436346235613161363933643864643932336365653533633731663137313465323330 +64333763626631636432636565386461396238633339623664653162366564303563336539393462 +65386539643836626338353561396164643935333563663831643861383934636430613335343139 +33326133346237386362633534356238616631356263653532613061633430643831613838653637 +37366432393364343735656563616531366662383630313537326165663066313165333639623836 +37383264656334393432303234306333373135643961616562393732326436666635346333653737 
+63633531336465663036616334393562363163343633633737313161396165643030313065626163 +65363464353564653434386161646165613064656465373832386634303266636336393232303738 +37373332343464366536666662323931666363323561613637393064343562653962633765643861 +34343965373534356234356633646630363735333362643237383065386263666539653330613862 +37643766353133383266636461356563356663363931313136373738626631666136643336306337 +36633966663966653638326230623265393837393763396566626466343064336634316162306236 +66343563393166316462373063333764393939656433663131633636396265363533323239313830 +38396661646464613064356238663739306361313232313964663065303039303363356533326463 +32316139356564643435313739333838346534323933326164663762636666613366613539333939 +30663338386339653333396261643035643465323563396334643535383266306530366261613536 +66356663636239346466373065333136663363636161323539653263336531613636643364353463 +36323437616361313765303261623864383330333131336663383633396632373431366434343135 +35643763336434363331656436333036623631306365623335653036333364356134366332396532 +37666632396161326530646136613232616538396232333239613134646463363030623133626335 +37383033653232653963366262303831653530363431626531313236326636363736343964653364 +32633963663332376564376230623262333565666336613331303661666139306636326235363961 +61373338303935366436383964333031353033316135663461623436633264376230373932303130 +62333637633438356337623362376364646332343431613966306261376465643462626530643764 +62396661353365656661306439346464363730343766366238356330303030363538633032613331 +64323632376363356535623464393665636237656235336238373966613031663565656539643066 +34626139383064316365396636376638643133653965373138393339396263303833313433343432 +39663864666532633866623466613332636563353337323532343863393538633739363363333038 +36393962633638613437616634323835613366393530663432313062396637636334323764383239 +64393132393138396234336534306232393436373264383264633734306365623661313462383533 
+31316232666635326539383763303239616564386131303232313266363730636337626465643266 +64396364653963353838303233353936313636356235343561373830363961376334 diff --git a/network.yml b/network.yml index 25e0920..fe69d7f 100755 --- a/network.yml +++ b/network.yml @@ -36,7 +36,7 @@ # Radius (backup only for now) -- hosts: ~radius-(edc|fleming|pacaterie|gs).* +- hosts: radius-*.adm.auro.re roles: - radius diff --git a/nuke-radius-dbs.yml b/nuke-radius-dbs.yml index b23f08f..4af58c2 100755 --- a/nuke-radius-dbs.yml +++ b/nuke-radius-dbs.yml @@ -1,6 +1,6 @@ #!/usr/bin/env ansible-playbook --- -- hosts: ~radius-(edc|fleming|pacaterie|gs).* +- hosts: radius-*.adm.auro.re roles: - radius vars: diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml index e7943f0..1d419a2 100644 --- a/roles/radius/tasks/main.yml +++ b/roles/radius/tasks/main.yml @@ -70,11 +70,33 @@ src: "{{ item }}.j2" dest: "/etc/freeradius/3.0/{{ item }}" loop: - - clients.conf - sites-enabled/default - sites-enabled/inner-tunnel - - proxy.conf +- name: Install Basic Clients/Proxy Files freeradius + template: + src: "{{ item }}.j2" + dest: "/etc/freeradius/3.0/{{ item }}" + loop: + - clients.conf + - proxy.conf + when: "'aurore_vm' not in group_names" + +- name: Install Clients FedeRez Radius-Aurore + template: + src: proxy-federez.conf.j2 + dest: /etc/freeradius/3.0/proxy.conf + mode: 0640 + owner: freerad + when: "'aurore_vm' in group_names" + +- name: Install Proxy FedeRez Radius-Aurore + template: + src: clients-federez.conf.j2 + dest: /etc/freeradius/3.0/clients.conf + mode: 0640 + owner: freerad + when: "'aurore_vm' in group_names" - name: Install radius requirements (except freeradius-python3) shell: diff --git a/roles/radius/templates/clients-federez.conf.j2 b/roles/radius/templates/clients-federez.conf.j2 new file mode 100644 index 0000000..2a71e05 --- /dev/null +++ b/roles/radius/templates/clients-federez.conf.j2 
@@ -0,0 +1,22 @@
+client radius-aurore {
+ ipaddr = 10.128.0.0
+ netmask = 16
+ secret = {{ radius_secret_aurore }}
+ require_message_authenticator = no
+ nastype = other
+ virtual_server = radius-wifi
+}
+
+# Parangon (federez)
+client parangon {
+ ipaddr = 185.230.78.47
+ secret = {{ radius_secret_federez }}
+ virtual_server = radius-wifi
+}
+
+# Dodecagon (federez)
+client dodecagon {
+ ipaddr = 195.154.165.76
+ secret = {{ radius_secret_federez }}
+ virtual_server = radius-wifi
+}
diff --git a/roles/radius/templates/proxy-federez.conf.j2 b/roles/radius/templates/proxy-federez.conf.j2
new file mode 100644
index 0000000..d3b9efe
--- /dev/null
+++ b/roles/radius/templates/proxy-federez.conf.j2
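Review bot: The `radius-aurore` client block admits requests from the whole `10.128.0.0/16` with `require_message_authenticator = no`, so any sender in that range holding `radius_secret_aurore` is trusted on the shared secret alone; narrow `ipaddr`/`netmask` to the actual radius-aurore address if it is fixed, and set `require_message_authenticator = yes` if the aurore proxy sends the attribute. The `parangon` and `dodecagon` blocks leave that setting at its default, which is worth a comment stating whether the FedeRez peers support it. A `# {{ ansible_managed }}` first line, as used in `dhcpd-aurore.conf.j2` later on this page, would mark the rendered file as generated.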
@@ -0,0 +1,87 @@
+# -*- mode: conf-unix; coding: utf-8 -*-
+proxy server {
+ default_fallback = no
+}
+
+
+realm LOCAL {
+
+}
+
+realm NULL {
+
+}
+
+#Proxy FedeRez #####
+
+realm AUROREFEDEREZ {
+ auth_pool = federez_radius_servers
+# nostrip
+}
+
+home_server parangon_v4 {
+ type = auth
+ ipaddr = 185.230.78.47
+ port = 1812
+ secret = {{ radius_secret_federez }}
+ require_message_authenticator =yes
+ response_window = 20
+ zombie_period = 40
+ revive_interval = 120
+ status_check = status-server
+ check_interval = 30
+ num_answers_to_alive = 3
+}
+
+home_server parangon_v6 {
+ type = auth
+ ipaddr = 2a0c:700:0:23:67:e5ff:fee9:5
+ port = 1812
+ secret = {{ radius_secret_federez }}
+ require_message_authenticator =yes
+ response_window = 20
+ zombie_period = 40
+ revive_interval = 120
+ status_check = status-server
+ check_interval = 30
+ num_answers_to_alive = 3
+}
+
+home_server dodecagon_v4 {
+ type = auth
+ ipaddr = 195.154.165.76
+ port = 1812
+ secret = {{ radius_secret_federez }}
+ require_message_authenticator =yes
+ response_window = 20
+ zombie_period = 40
+ revive_interval = 120
+ status_check = status-server
+ check_interval = 30
+ num_answers_to_alive = 3
+}
+
+home_server dodecagon_v6 {
+ type = auth
+ ipaddr = 2001:bc8:273e::1
+ port = 1812
+ secret = {{ radius_secret_federez }}
+ require_message_authenticator =yes
+ response_window = 20
+ zombie_period = 40
+ revive_interval = 120
+ status_check = status-server
+ check_interval = 30
+ num_answers_to_alive = 3
+}
+
+home_server_pool federez_radius_servers {
+ type = fail-over
+ home_server = parangon_v4
+ home_server = dodecagon_v4
+ home_server = dodecagon_v6
+ home_server = parangon_v6
+}
+
+
+
From 9b07fc9001be5c5e631727f8e08c748ad1bdf5bd Mon Sep 17 00:00:00 2001
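Review bot: `require_message_authenticator =yes` is written without a space after `=` in all four `home_server` blocks, the section comment reads `#Proxy FedeRez #####`, and the file ends with three blank lines; normalising to `require_message_authenticator = yes`, `# Proxy FedeRez`, and a single trailing newline keeps the file consistent with `clients-federez.conf.j2`. The four blocks repeat the same `response_window`/`zombie_period`/`revive_interval`/`check_interval` values without explanation; a comment above the first, such as `# Status-Server probing every check_interval seconds; the window/zombie/revive values are shared by all FedeRez home servers`, would document the intent. The commented-out `# nostrip` under `realm AUROREFEDEREZ` should either be removed or explained.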
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Fri, 11 Sep 2020 15:05:57 +0200 Subject: [PATCH 240/297] dhcp: manage dhcp-aurore --- group_vars/all/vars.yml | 5 +- group_vars/aurore/main.yml | 1 + network.yml | 11 +--- roles/isc-dhcp-server/handlers/main.yml | 10 ++++ roles/isc-dhcp-server/tasks/main.yml | 51 ++++++++++++++++--- .../templates/default/isc-dhcp-server.j2 | 6 +++ .../templates/dhcp/dhcpd-aurore.conf.j2 | 36 +++++++++++++ 7 files changed, 101 insertions(+), 19 deletions(-) create mode 100644 roles/isc-dhcp-server/templates/dhcp/dhcpd-aurore.conf.j2 diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index b2ae5d8..6c1d978 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -78,10 +78,13 @@ radius_pg_replication_password: "{{ vault_re2o_db_user_passwords.replication }}" radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}" +# DHCP +dhcp_failover_enabled: true apartment_block_dhcp: "{{ apartment_block }}" - # Careful, this is not byte-aligned, just nibble-aligned (RIPE gave us a /28). # However, we ALWAYS keep the trailing 0 to have byte alignment. ipv6_base_prefix: "2a09:6840" + +is_aurore_host: "{{ 'aurore_vm' in group_names }}" diff --git a/group_vars/aurore/main.yml b/group_vars/aurore/main.yml index 7cf0189..4111f79 100644 --- a/group_vars/aurore/main.yml +++ b/group_vars/aurore/main.yml @@ -2,3 +2,4 @@ apartment_block: aurore apartment_block_id: 0 router_ip_suffix: 254 +dhcp_failover_enabled: false diff --git a/network.yml b/network.yml index fe69d7f..a65c87b 100755 --- a/network.yml +++ b/network.yml 
@@ -1,17 +1,8 @@ #!/usr/bin/env ansible-playbook --- # Set up DHCP servers. -- hosts: dhcp-*.adm.auro.re, !dhcp-aurore*.adm.auro.re - vars: - service_repo: https://gitlab.federez.net/re2o/dhcp.git - service_name: dhcp - service_version: master - service_config: - hostname: re2o.auro.re - username: service-user - password: "{{ vault_serviceuser_passwd }}" +- hosts: dhcp-*.adm.auro.re roles: - - re2o-service - isc-dhcp-server diff --git a/roles/isc-dhcp-server/handlers/main.yml b/roles/isc-dhcp-server/handlers/main.yml index 2df3eac..840463c 100644 --- a/roles/isc-dhcp-server/handlers/main.yml +++ b/roles/isc-dhcp-server/handlers/main.yml @@ -1,4 +1,14 @@ +- name: force run dhcp re2o-service + shell: /var/local/re2o-services/dhcp/main.py --force + become_user: re2o-services + - name: restart dhcpd systemd: state: restarted name: isc-dhcp-server + +- name: restart rsyslog + systemd: + name: rsyslog + state: restarted + diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc-dhcp-server/tasks/main.yml index 13ba3b7..877c3e5 100644 --- a/roles/isc-dhcp-server/tasks/main.yml +++ b/roles/isc-dhcp-server/tasks/main.yml @@ -1,4 +1,24 @@ --- +- name: Install dhcp (re2o-service) + import_role: + name: re2o-service + vars: + service_repo: https://gitlab.federez.net/re2o/dhcp.git + service_name: dhcp + service_version: master + service_config: + hostname: re2o.auro.re + username: service-user + password: "{{ vault_serviceuser_passwd }}" + +- name: Ensure appropriate permissions on dhcp re2o service + file: + path: /var/local/re2o-services/dhcp/ + state: directory + owner: re2o-services + group: nogroup + recurse: yes + - name: Install isc-dhcp-server apt: update_cache: true @@ -21,6 +41,7 @@ lineinfile: path: /etc/rsyslog.conf line: "local7.* /var/log/dhcp/dhcpd.log" + notify: restart rsyslog - name: Configure dhcp log rotation template: 
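Review bot: The new `force run dhcp re2o-service` handler sets `become_user: re2o-services` without `become: true`, so unless privilege escalation is enabled at play or config level the script runs as the connecting user; add `become: true` next to `become_user`. `command:` is sufficient here since no shell features are used. The same body is repeated as an unconditional task in the `@@ -58,12 +74,31 @@` hunk of `roles/isc-dhcp-server/tasks/main.yml` on the next line, where the same `become` remark applies. The handler file also lacks a leading `---` and gains a trailing blank line.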
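Review bot: `recurse: yes` in `Ensure appropriate permissions on dhcp re2o service` should be `recurse: true`, matching the `true` booleans used elsewhere in this file. That task hands ownership of the whole checkout, including the `main.py` that cron runs as `re2o-services` after the next line's hunk, to the service account; if only the `generated/` output needs to be writable, scoping `path:` to that directory keeps the code read-only for the service, but confirm that against what the re2o-service role expects.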
@@ -38,14 +59,9 @@ day: "*" weekday: "*" month: "*" - user: root + user: re2o-services job: "/usr/bin/python3 /var/local/re2o-services/dhcp/main.py" -- name: restart rsyslog - systemd: - name: rsyslog - state: restarted - - name: Configure /etc/default/isc-dhcp-server template: src: default/isc-dhcp-server.j2 @@ -58,12 +74,31 @@ src: dhcp/dhcp-failover.conf.j2 dest: /etc/dhcp/dhcp-failover.conf mode: 0600 - when: dhcp_failover is defined + when: dhcp_failover_enabled notify: restart dhcpd -- name: Configure dhcpd.conf +- name: Configure dhcpd.conf (regular service) template: src: dhcp/dhcpd.conf.j2 dest: /etc/dhcp/dhcpd.conf mode: 0600 notify: restart dhcpd + when: not is_aurore_host + +- name: Configure dhcpd.conf (aurore service) + template: + src: dhcp/dhcpd-aurore.conf.j2 + dest: /etc/dhcp/dhcpd.conf + mode: 0600 + notify: restart dhcpd + when: is_aurore_host + +- name: force run dhcp re2o-service + shell: /var/local/re2o-services/dhcp/main.py --force + become_user: re2o-services + +- name: Ensure dhcpd is running + service: + name: isc-dhcp-server + state: started + enabled: true diff --git a/roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 b/roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 index 83f7cae..c7f6a53 100644 --- a/roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 +++ b/roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 @@ -14,5 +14,11 @@ # On what interfaces should the DHCP server (dhcpd) serve DHCP requests? # Separate multiple interfaces with spaces, e.g. "eth0 eth1". + +{% if is_aurore_host %} +INTERFACESv4="ens19" +INTERFACESv6="" +{% else %} INTERFACESv4="ens19 ens20 ens21" INTERFACESv6="" +{% endif %} diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd-aurore.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd-aurore.conf.j2 new file mode 100644 index 0000000..d2e6b54 --- /dev/null +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd-aurore.conf.j2 
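Review bot: The `force run dhcp re2o-service` task in the `@@ -58,12 +74,31 @@` hunk runs on every play and always reports changed because `shell` has no `changed_when`; since a handler of the same name is added in the handlers hunk on the previous line, either notify that handler from the tasks that need a regenerated list or add `changed_when: false` and use `command:` instead of `shell:`. The switch from `when: dhcp_failover is defined` to `when: dhcp_failover_enabled` is consistent with the default added to `group_vars/all/vars.yml` in this commit. The cron change to `user: re2o-services` in the first hunk presumes the script's output directory is writable by that user, which the permissions task in the previous line's hunk arranges.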
@@ -0,0 +1,36 @@ +# {{ ansible_managed }} + +default-lease-time 86400; +max-lease-time 86400; + +# The MTU theoretically could go as high as 1496 (4-byte VLAN tag). +option interface-mtu {{ mtu }}; +option root-path "/"; + +# The ddns-updates-style parameter controls whether or not the server will +# attempt to do a DNS update when a lease is confirmed. We default to the +# behavior of the version 2 packages ('none', since DHCP v2 didn't +# have support for DDNS.) +ddns-update-style none; + +# If this DHCP server is the official DHCP server for the local +# network, the authoritative directive should be uncommented. +authoritative; + +# Use this to send dhcp log messages to a different log file (you also +# have to hack syslog.conf to complete the redirection). +log-facility local7; + +# Aurore topology +subnet 45.66.110.0 netmask 255.255.255.0 { + interface "ens19"; + option subnet-mask 255.255.255.0; + option broadcast-address 45.66.110.255; + option routers 45.66.110.{{ router_ip_suffix }}; + option domain-name-servers 45.66.110.{{ dns_host_suffix_main }}, {{ backup_dns_servers|join(', ') }}; + option domain-name "adh.auro.re"; + option domain-search "adh.auro.re"; + include "/var/local/re2o-services/dhcp/generated/dhcp.adh.auro.re.list"; + + deny unknown-clients; +} From f05a6507f0599b13802b028916b7c6f7ce0cd640 Mon Sep 17 00:00:00 2001 From: chirac Date: Sat, 12 Sep 2020 12:13:36 +0200 Subject: [PATCH 241/297] Add pendragon + re2o-* vm -> aurore_vm --- hosts | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/hosts b/hosts index c8f971e..b22488d 100644 --- a/hosts +++ b/hosts @@ -24,6 +24,10 @@ proxy-backup.adm.auro.re camelot.adm.auro.re gitea.adm.auro.re nextcloud.adm.auro.re +re2o-server.adm.auro.re +re2o-ldap.adm.auro.re +re2o-db.adm.auro.re +pendragon.adm.auro.re ############################################################################### # OVH 
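Review bot: The `include` of `/var/local/re2o-services/dhcp/generated/dhcp.adh.auro.re.list` pulls dhcpd configuration from a tree the role chowns recursively to `re2o-services` (tasks hunk on the previous lines), so that account effectively controls part of dhcpd's parsed config; a comment above the `include` such as `# Generated by the re2o dhcp service; parsed as dhcpd configuration, so only that service account may write it` would make the trust boundary explicit. `deny unknown-clients;` appropriately limits leases to re2o-registered hosts. The same `include` is carried into `aurore-subnets.conf.j2` in a later commit on this page, where the same note applies. `option root-path "/"` is unexplained and looks like a leftover; document or drop it.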
@@ -41,15 +45,12 @@ proxy.adm.auro.re matrix-services.adm.auro.re [ovh_vm] -re2o-server.adm.auro.re -re2o-ldap.adm.auro.re -re2o-db.adm.auro.re serge.adm.auro.re passbolt.adm.auro.re vpn-ovh.adm.auro.re docker-ovh.adm.auro.re switchs-manager.adm.auro.re -radius-aurore.adm.auro.re + [ovh_testing_vm] #re2o-test.adm.auro.re From c07bf24062f2ef0f73f3e351715d1cca65f2c3f7 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Sat, 12 Sep 2020 14:50:13 +0200 Subject: [PATCH 242/297] Add dhcp-aurore-backup --- hosts | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts b/hosts index b22488d..60ea156 100644 --- a/hosts +++ b/hosts @@ -18,6 +18,7 @@ routeur-aurore.adm.auro.re routeur-aurore-backup.adm.auro.re radius-aurore.adm.auro.re dhcp-aurore.adm.auro.re +dhcp-aurore-backup.adm.auro.re dns-aurore.adm.auro.re docker-worker1-aurore.adm.auro.re proxy-backup.adm.auro.re From 6dd6168d2ad755b206aa20638420046749615379 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 12 Sep 2020 16:03:33 +0200 Subject: [PATCH 243/297] dhcp: upgrade role for dhcp-aurore-backup --- group_vars/aurore/main.yml | 3 + roles/isc-dhcp-server/tasks/main.yml | 15 +++-- .../templates/dhcp/aurore-subnets.conf.j2 | 12 ++++ .../templates/dhcp/dhcpd-aurore.conf.j2 | 36 ------------ .../templates/dhcp/dhcpd.conf.j2 | 57 +------------------ .../templates/dhcp/regular-subnets.conf.j2 | 53 +++++++++++++++++ 6 files changed, 81 insertions(+), 95 deletions(-) create mode 100644 roles/isc-dhcp-server/templates/dhcp/aurore-subnets.conf.j2 delete mode 100644 roles/isc-dhcp-server/templates/dhcp/dhcpd-aurore.conf.j2 create mode 100644 roles/isc-dhcp-server/templates/dhcp/regular-subnets.conf.j2 diff --git a/group_vars/aurore/main.yml b/group_vars/aurore/main.yml index 4111f79..e49d40d 100644 --- a/group_vars/aurore/main.yml +++ b/group_vars/aurore/main.yml 
@@ -2,4 +2,7 @@ apartment_block: aurore apartment_block_id: 0 router_ip_suffix: 254 + +# We have two -aurore DHCP servers, but no failover peer functionality is needed +# because they only give out IPs assigned by re2o. dhcp_failover_enabled: false diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc-dhcp-server/tasks/main.yml index 877c3e5..2d54921 100644 --- a/roles/isc-dhcp-server/tasks/main.yml +++ b/roles/isc-dhcp-server/tasks/main.yml @@ -77,18 +77,25 @@ when: dhcp_failover_enabled notify: restart dhcpd -- name: Configure dhcpd.conf (regular service) +- name: Configure dhcpd.conf template: src: dhcp/dhcpd.conf.j2 dest: /etc/dhcp/dhcpd.conf mode: 0600 notify: restart dhcpd + +- name: Configure subnets.conf (regular service) + template: + src: dhcp/regular-subnets.conf.j2 + dest: /etc/dhcp/subnets.conf + mode: 0600 + notify: restart dhcpd when: not is_aurore_host -- name: Configure dhcpd.conf (aurore service) +- name: Configure subnets.conf (aurore service) template: - src: dhcp/dhcpd-aurore.conf.j2 - dest: /etc/dhcp/dhcpd.conf + src: dhcp/aurore-subnets.conf.j2 + dest: /etc/dhcp/subnets.conf mode: 0600 notify: restart dhcpd when: is_aurore_host diff --git a/roles/isc-dhcp-server/templates/dhcp/aurore-subnets.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/aurore-subnets.conf.j2 new file mode 100644 index 0000000..1a0e09e --- /dev/null +++ b/roles/isc-dhcp-server/templates/dhcp/aurore-subnets.conf.j2 @@ -0,0 +1,12 @@ +subnet 45.66.110.0 netmask 255.255.255.0 { + interface "ens19"; + option subnet-mask 255.255.255.0; + option broadcast-address 45.66.110.255; + option routers 45.66.110.{{ router_ip_suffix }}; + option domain-name-servers 45.66.110.{{ dns_host_suffix_main }}, {{ backup_dns_servers|join(', ') }}; + option domain-name "adh.auro.re"; + option domain-search "adh.auro.re"; + include "/var/local/re2o-services/dhcp/generated/dhcp.adh.auro.re.list"; + + deny unknown-clients; +} 
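Review bot: `mode: 0600` in the two new `Configure subnets.conf` tasks (copied from the `Configure dhcpd.conf` task above them) is an unquoted number that the YAML loader turns into octal 384 before Ansible sees it; it happens to round-trip to 0600 here, but a mode written without the leading zero would silently become a different permission, and ansible-lint flags the form. Quote it in both new tasks: `mode: "0600"`. The task list of roles/isc-dhcp-server/tasks/main.yml continues outside the hunk.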
diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd-aurore.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd-aurore.conf.j2 deleted file mode 100644 index d2e6b54..0000000 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd-aurore.conf.j2 +++ /dev/null @@ -1,36 +0,0 @@ -# {{ ansible_managed }} - -default-lease-time 86400; -max-lease-time 86400; - -# The MTU theoretically could go as high as 1496 (4-byte VLAN tag). -option interface-mtu {{ mtu }}; -option root-path "/"; - -# The ddns-updates-style parameter controls whether or not the server will -# attempt to do a DNS update when a lease is confirmed. We default to the -# behavior of the version 2 packages ('none', since DHCP v2 didn't -# have support for DDNS.) -ddns-update-style none; - -# If this DHCP server is the official DHCP server for the local -# network, the authoritative directive should be uncommented. -authoritative; - -# Use this to send dhcp log messages to a different log file (you also -# have to hack syslog.conf to complete the redirection). -log-facility local7; - -# Aurore topology -subnet 45.66.110.0 netmask 255.255.255.0 { - interface "ens19"; - option subnet-mask 255.255.255.0; - option broadcast-address 45.66.110.255; - option routers 45.66.110.{{ router_ip_suffix }}; - option domain-name-servers 45.66.110.{{ dns_host_suffix_main }}, {{ backup_dns_servers|join(', ') }}; - option domain-name "adh.auro.re"; - option domain-search "adh.auro.re"; - include "/var/local/re2o-services/dhcp/generated/dhcp.adh.auro.re.list"; - - deny unknown-clients; -} diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index cde8d25..84c86fd 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 
@@ -18,61 +18,8 @@ authoritative; log-facility local7; -{% if dhcp_failover is defined %} +{% if dhcp_failover_enabled %} include "/etc/dhcp/dhcp-failover.conf"; {% endif %} -# Bornes WiFi -subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { - interface "ens19"; - option subnet-mask 255.255.0.0; - option broadcast-address 10.{{ subnet_ids.ap }}.255.255; - option routers 10.{{ subnet_ids.ap }}.0.250; - option domain-name "borne.auro.re"; - option domain-search "borne.auro.re"; - - option domain-name-servers 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; - include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list"; - - deny unknown-clients; -} - -# Users filaire -subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { - interface "ens20"; - option subnet-mask 255.255.0.0; - option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255; - option routers 10.{{ subnet_ids.users_wired }}.0.{{ router_ip_suffix }}; - option domain-name "fil.{{ apartment_block_dhcp }}.auro.re"; - option domain-search "auro.re"; - - option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; - - include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block_dhcp }}.auro.re.list"; - - deny unknown-clients; -} - - -# Users WiFi -subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { - interface "ens21"; - option subnet-mask 255.255.0.0; - option broadcast-address 10.{{ subnet_ids.users_wifi }}.255.255; - option routers 10.{{ subnet_ids.users_wifi }}.0.{{ router_ip_suffix }}; - option domain-name "wifi.{{ apartment_block_dhcp }}.auro.re"; - option domain-search "auro.re"; - - option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ 
dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; - - include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block_dhcp }}.auro.re.list"; - - pool { - range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wifi }}.10.255; - -{% if dhcp_failover is defined %} - failover peer "dhcp-failover"; -{% endif %} - } -} - +include "/etc/dhcp/subnets.conf"; diff --git a/roles/isc-dhcp-server/templates/dhcp/regular-subnets.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/regular-subnets.conf.j2 new file mode 100644 index 0000000..c18eed2 --- /dev/null +++ b/roles/isc-dhcp-server/templates/dhcp/regular-subnets.conf.j2 
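Review bot: The failover include is now gated on `{% if dhcp_failover_enabled %}`, but the new regular-subnets.conf.j2 (next hunk) still emits `failover peer "dhcp-failover";` inside the users_wifi pool under `{% if dhcp_failover is defined %}`; when the two variables disagree, dhcpd should reject the config (a peer referenced but never declared) or silently run the pool without failover even though dhcp-failover.conf was included. Use the same condition in regular-subnets.conf.j2: `{% if dhcp_failover_enabled %}`. Whether `dhcp_failover_enabled` is defined for every non-aurore host is not visible here; if it is not, rendering dhcpd.conf.j2 fails on an undefined variable. Both templates start before their hunks.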
@@ -0,0 +1,53 @@ +# Bornes WiFi +subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { + interface "ens19"; + option subnet-mask 255.255.0.0; + option broadcast-address 10.{{ subnet_ids.ap }}.255.255; + option routers 10.{{ subnet_ids.ap }}.0.250; + option domain-name "borne.auro.re"; + option domain-search "borne.auro.re"; + + option domain-name-servers 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; + include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list"; + + deny unknown-clients; +} + +# Users filaire +subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { + interface "ens20"; + option subnet-mask 255.255.0.0; + option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255; + option routers 10.{{ subnet_ids.users_wired }}.0.{{ router_ip_suffix }}; + option domain-name "fil.{{ apartment_block_dhcp }}.auro.re"; + option domain-search "auro.re"; + + option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; + + include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block_dhcp }}.auro.re.list"; + + deny unknown-clients; +} + + +# Users WiFi +subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { + interface "ens21"; + option subnet-mask 255.255.0.0; + option broadcast-address 10.{{ subnet_ids.users_wifi }}.255.255; + option routers 10.{{ subnet_ids.users_wifi }}.0.{{ router_ip_suffix }}; + option domain-name "wifi.{{ apartment_block_dhcp }}.auro.re"; + option domain-search "auro.re"; + + option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; + + include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block_dhcp }}.auro.re.list"; + + pool 
{ + range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wifi }}.10.255; + +{% if dhcp_failover is defined %} + failover peer "dhcp-failover"; +{% endif %} + } +} From 91157d80c15290cac532de57d6346b28f7c7cad0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sun, 13 Sep 2020 17:54:46 +0200 Subject: [PATCH 244/297] dhcp: run re2o service as root in cron / directly --- roles/isc-dhcp-server/tasks/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc-dhcp-server/tasks/main.yml index 2d54921..93b347e 100644 --- a/roles/isc-dhcp-server/tasks/main.yml +++ b/roles/isc-dhcp-server/tasks/main.yml @@ -59,7 +59,7 @@ day: "*" weekday: "*" month: "*" - user: re2o-services + user: root job: "/usr/bin/python3 /var/local/re2o-services/dhcp/main.py" - name: Configure /etc/default/isc-dhcp-server @@ -102,7 +102,6 @@ - name: force run dhcp re2o-service shell: /var/local/re2o-services/dhcp/main.py --force - become_user: re2o-services - name: Ensure dhcpd is running service: From b7978f4ec32d93320e4b938671d5d9131c5f34c9 Mon Sep 17 00:00:00 2001 From: chirac Date: Tue, 15 Sep 2020 19:37:59 +0200 Subject: [PATCH 245/297] Add services-bdd-local --- hosts | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts b/hosts index 60ea156..0c9a074 100644 --- a/hosts +++ b/hosts @@ -29,6 +29,7 @@ re2o-server.adm.auro.re re2o-ldap.adm.auro.re re2o-db.adm.auro.re pendragon.adm.auro.re +services-bdd-local.adm.auro.re ############################################################################### # OVH From 57df3002a31979f6f464fd3b6e8258e23d4f8baa Mon Sep 17 00:00:00 2001 From: chirac Date: Wed, 16 Sep 2020 21:02:05 +0200 Subject: [PATCH 246/297] Fix proxy-backup -> proxy-local --- hosts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts b/hosts index 0c9a074..6c2061a 100644 --- a/hosts +++ b/hosts 
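Review bot: `user: root` in the cron task, together with dropping `become_user: re2o-services` from the `force run dhcp re2o-service` task in the second hunk, makes `/var/local/re2o-services/dhcp/main.py` execute as root every minute, so whoever can modify that tree — its ownership is not visible here, but the previous setup suggests the `re2o-services` account — can run code as root. If root was only needed so dhcpd can read the generated `.list` files, granting that one permission (group ownership or a mode on the generated directory) keeps the dedicated user; otherwise the reason belongs in a comment next to the cron task, e.g. `# Runs as root because: <reason>; TODO confirm the service tree is root-owned`. The second hunk's `shell:` uses no shell syntax and can be `command: /var/local/re2o-services/dhcp/main.py --force`. The cron task starts outside the first hunk.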
@@ -21,7 +21,7 @@ dhcp-aurore.adm.auro.re dhcp-aurore-backup.adm.auro.re dns-aurore.adm.auro.re docker-worker1-aurore.adm.auro.re -proxy-backup.adm.auro.re +proxy-local.adm.auro.re camelot.adm.auro.re gitea.adm.auro.re nextcloud.adm.auro.re @@ -31,6 +31,7 @@ re2o-db.adm.auro.re pendragon.adm.auro.re services-bdd-local.adm.auro.re + ############################################################################### # OVH From dac049f1251af8cff79c932f80e75b52b04901b6 Mon Sep 17 00:00:00 2001 From: chirac Date: Wed, 16 Sep 2020 21:02:44 +0200 Subject: [PATCH 247/297] =?UTF-8?q?Tous=20les=20cron=20dhcp=20sont=20d?= =?UTF-8?q?=C3=A9cal=C3=A9s=20de=202=20minutes?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/isc-dhcp-server/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc-dhcp-server/tasks/main.yml index 93b347e..e198163 100644 --- a/roles/isc-dhcp-server/tasks/main.yml +++ b/roles/isc-dhcp-server/tasks/main.yml @@ -54,7 +54,7 @@ # Do not change this name or idempotence *might* be lost. name: dhcp-re2o-service cron_file: re2o-services - minute: "*" + minute: "*/2" hour: "*" day: "*" weekday: "*" From 773f39cede164046033edf9ea54bd50603fd37d8 Mon Sep 17 00:00:00 2001 From: chirac Date: Wed, 16 Sep 2020 21:04:10 +0200 Subject: [PATCH 248/297] Fichier inutile --- roles/isc-dhcp-server/templates/cron.d/re2o-services | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 roles/isc-dhcp-server/templates/cron.d/re2o-services diff --git a/roles/isc-dhcp-server/templates/cron.d/re2o-services b/roles/isc-dhcp-server/templates/cron.d/re2o-services deleted file mode 100644 index abc05dd..0000000 --- a/roles/isc-dhcp-server/templates/cron.d/re2o-services +++ /dev/null @@ -1,4 +0,0 @@ -# Régénération des services re2o - -# Régénération du dhcp -* * * * * root /usr/bin/python3 /var/local/re2o-services/dhcp/main.py 
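Review bot: `minute: "*/2"` makes every DHCP host run the re2o generator on the same even minutes, which halves the frequency but does not shift anything; if the subject's "décalés de 2 minutes" means the servers should not fire simultaneously, the offset has to differ per host, e.g. `minute: "1-59/2"` on the backup host via a host variable. A one-line comment above the task stating which of the two was intended would avoid the next reader guessing. The cron task starts outside the hunk.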
From bba144ef146309f4472a9eea2c3de6dc302091dc Mon Sep 17 00:00:00 2001 From: Gabriel Detraz Date: Sat, 19 Sep 2020 14:01:30 +0200 Subject: [PATCH 249/297] =?UTF-8?q?Inverse=20les=20op=C3=A9rations=20de=20?= =?UTF-8?q?lecture/ecriture=20par=20defaut=20->=20rw?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ce fix corrige le problème des opérations d'écritures dans la bdd master remote, qui marchaient mal, désormais les lignes de logs historiques sont correctement écrites. Il semblerait que django avait du mal à savoir que ces opérations reversion sont bien des opérations d'écriture. --- roles/radius/templates/local_routers.py.j2 | 4 ++-- roles/radius/templates/settings_local.py.j2 | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/radius/templates/local_routers.py.j2 b/roles/radius/templates/local_routers.py.j2 index ce42020..0367f2c 100644 --- a/roles/radius/templates/local_routers.py.j2 +++ b/roles/radius/templates/local_routers.py.j2 @@ -7,13 +7,13 @@ class DbRouter(object): """ Attempts to read remote models go to local database. """ - return 'default' + return 'local' def db_for_write(self, model, **hints): """ Attempts to write remote models go to the remote database. """ - return 'master' + return 'default' def allow_relation(self, obj1, obj2, **hints): """ diff --git a/roles/radius/templates/settings_local.py.j2 b/roles/radius/templates/settings_local.py.j2 index 01d9043..0e47e36 100644 --- a/roles/radius/templates/settings_local.py.j2 +++ b/roles/radius/templates/settings_local.py.j2 @@ -51,7 +51,7 @@ TIME_ZONE = 'Europe/Paris' # The storage systems parameters to use DATABASES = { - 'master': { + 'default': { 'ENGINE': 'django.db.backends.postgresql_psycopg2', 'NAME': 're2o', 'USER': 're2o', @@ -62,7 +62,7 @@ DATABASES = { 'COLLATION': 'utf8_general_ci' } }, - 'default': { + 'local': { 'ENGINE': 'django.db.backends.postgresql_psycopg2', 'NAME': 're2o', 'USER': 're2o_ro', 
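Review bot: With `db_for_write` now returning `'default'`, Django's implicit fallback database — used by migrations, management commands and any query that neither passes through this router nor sets `using` — becomes the remote read-write master defined in the settings hunk below, while the read-only replica is reachable only as `'local'`. `allow_migrate` lies outside this hunk; confirm it answers False for everything on this host so a stray `migrate` cannot touch the master's schema. The docstring should also say which database `'default'` now is, e.g. `"""Writes go to 'default', the remote read-write master (see DATABASES in settings_local)."""`.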
From ba2baa3020e0fac433ed03d5c6b46891b4776eae Mon Sep 17 00:00:00 2001 From: chirac Date: Sun, 27 Sep 2020 13:55:56 +0200 Subject: [PATCH 250/297] Return routes now handled by keepalived --- roles/router/templates/keepalived-aurore.conf | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/router/templates/keepalived-aurore.conf b/roles/router/templates/keepalived-aurore.conf index 6687229..cd22a5b 100644 --- a/roles/router/templates/keepalived-aurore.conf +++ b/roles/router/templates/keepalived-aurore.conf @@ -116,6 +116,16 @@ vrrp_instance VI_ROUT_aurore_IPv6 { # For IPv6, the master router is routeur-aurore, NOT yggdrasil, # because yggdrasil doesn't support BGPv6 announcements. src 2001:1b48:2:103::d7:2/126 to ::/0 via 2001:1b48:2:103::d7:1 dev ens1 + + # Routes return for ipv6 connectivity + 2a09:6840:10::/64 via 2a09:6840:129::1:254 dev ens18 + 2a09:6840:11::/64 via 2a09:6840:129::1:254 dev ens18 + 2a09:6840:20::/64 via 2a09:6840:129::2:254 dev ens18 + 2a09:6840:21::/64 via 2a09:6840:129::2:254 dev ens18 + 2a09:6840:40::/64 via 2a09:6840:129::4:254 dev ens18 + 2a09:6840:41::/64 via 2a09:6840:129::4:254 dev ens18 + 2a09:6840:50::/64 via 2a09:6840:129::5:254 dev ens18 + 2a09:6840:51::/64 via 2a09:6840:129::5:254 dev ens18 } } From 8adf6b810504ba73f2b21d632317b439a81cd5e3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 28 Sep 2020 18:15:03 +0200 Subject: [PATCH 251/297] add ipv6-edge-router role --- network.yml | 2 +- roles/ipv6-edge-router/frr-apt-key.asc | 186 +++++++++++++++++++ roles/ipv6-edge-router/handlers/main.yml | 5 + roles/ipv6-edge-router/tasks/main.yml | 38 ++++ roles/ipv6-edge-router/templates/daemons.j2 | 67 +++++++ roles/ipv6-edge-router/templates/frr.conf.j2 | 24 +++ roles/router/templates/interfaces-aurore | 18 +- 7 files changed, 331 insertions(+), 9 deletions(-) create mode 100644 roles/ipv6-edge-router/frr-apt-key.asc create mode 100644 roles/ipv6-edge-router/handlers/main.yml create mode 100644 roles/ipv6-edge-router/tasks/main.yml create mode 100644 roles/ipv6-edge-router/templates/daemons.j2 create mode 100644 roles/ipv6-edge-router/templates/frr.conf.j2 diff --git a/network.yml b/network.yml index a65c87b..aa42e72 100755 --- a/network.yml +++ b/network.yml @@ -24,7 +24,7 @@ - hosts: ~routeur-aurore.*\.adm\.auro\.re roles: - router - + - ipv6-edge-router # Radius (backup only for now) - hosts: radius-*.adm.auro.re diff --git a/roles/ipv6-edge-router/frr-apt-key.asc b/roles/ipv6-edge-router/frr-apt-key.asc new file mode 100644 index 0000000..3c311f8 --- /dev/null +++ b/roles/ipv6-edge-router/frr-apt-key.asc 
@@ -0,0 +1,186 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFvRo7oBEADH/lEeQBaRW4Lpmzhpn7W53hhMUefgj1bJ7ISpMC3qOlgSIeof +sQjZ5Hr0RHxz5bRVRtcOhPhKRvL0wCmTpROvKBVyrOHDn4AAh+D7bqhzrEZezJwu +on2fBRA5prT97r99WKpIPjyqeKHWY3GsbkKMYAcFMGNwYZudEm9bqFaZ9F1CX96i +VHTArZiZZgPPycOW6fZzrdPDa5/07WA4tJ4PXnMFEd3bLpRDW/t46XqBeNOitBcN +TrRY7LY/rLnfAUfTWlQVm1wb5gl1E0e4LDlaAysqZCVDriAUwNzk9aRnLQw14h18 +af3sIi649fQ/uv/JwQ9hc1os/gu23N4wKSwSvQGYo3V6oqbxkhIQ5TR0MgXIxfF9 +LoSFgnrXvUpUc+V4qXJJV+hLbTEoAKrHaON0f7BQHAiTsKB1R7FLVCMFIRtuZ1RD +iUCL9jFFXmAikHsTUFE2EOCW7+kqRSQ5ICu3IqMbXXA1dHz4tN2ji5LPZ4OKh/1O +zZQCBev4IZ3KWibFZwNxDwWFSoFQeuNKnVujsfR31SuFRWmASqZGGpN/Jr+zVNsb +iUXUBrnSj8PXYs1zSLrfVVlaga6EI29o5ozUweZDvn5VnRycHaTVjVEmYynnf0ss +axkRKDgP4e0czNTbH9Rze+AL/Xfc5F0CVQ3jGZQwLgspqpj2UNicZhTzQwARAQAB +tCtEYXZpZCBMYW1wYXJ0ZXIgPGVxdWlub3gtZGViaWFuQGRpYWMyNC5uZXQ+iQJO +BBMBCAA4FiEEPZlorJrnvhFpKI3bH9WDmJX1f9oFAlvRo7oCGwEFCwkIBwIGFQgJ +CgsCBBYCAwECHgECF4AACgkQH9WDmJX1f9pNHg//VS3bICTNEjjmXRtHdsKyRs2s +Nl6BefYDuOPy6NWIra9oLZzo1G15Zt8wH1LLHIBND1d8QILa1739coQhfNJeeuyp +sYclgSoX85UqpLeHE0Ws/o1vjNmAlQX7qDR5q1iOxUfxLjyXAR7qaqOCBR0uGjxP +ZCI88ctu0bt9iI2rzmKwgyORDWwvKOmHovHxB8stPwdToyQK/eij94CVlf086pOz +eIrEjC54jE4pq7nae8w7RsWs5OmgBkrZoXIuLBfHa1ynbUjhE3okPiZDnZr9bPTH +FpJ4DnsQGhZGjFIiNVi5zbV+MxjavkfbshpzE1TK9EhNf1DdI8A+XzpiTfA5ifDL +sm/KnA9Z+4T2EswthB6YV1lcnacSGOrEI1CQUTHPSFwZc1WUDkX5aqwib8fCT6U7 +oEngVBwN+guj5l2ba50pt1bct86c8Rv0cnaeKt6boe9sLeHbAur/R7Smdp0yIwAa +pq52eSQvrxkV2sKlvOrBLX0v4hOut4LQKzresM0smjARYamh3ksj7oAaHJx1+RMZ +AK7i2AjcMR4BvALTerVd2oM4SNghSFubJTVoMUarzeM3XQ6mFGbdwsqo6ziPlr2r +vtX7syFclRXaeJw4VAQqXlBqbpZevld7A9/3G9CyuRSoQxgPv9p6fx3aE7R65O9U +YsBsMtj2oxhKnkNjoky5AQ0EW9Gj4AEIALrNBXS0J+LAtQjWfJUwp9KsXCYx/1fL +YDENUdkbwfCTDHPZFgZf0jvPFuQkvFl7SnoyjwbnDlFCn2kYeZJ1vS3ZidUwZbcE +QCrARSKBzovsHDdafQwuUi21GAGuBOmIUSY5RihozjLgZ/5h2/vbqmCucfoYsctb +tl3jpT8HTo6DJ4oQWSsHF5e4G8U5DCpCINbJnpqtfIFbm3yYGHm9Yzny4E2aMnzG +lHErxxAoYufGLh6Hfs1JeJSsWL07334NZMU/zgzUs9dBbhbJ0/QBnRVuU+YHje+x 
+9Ir+szHjKwHo29K6g3BV2BTjWpoW7IQG2d6baN1VgWepwpLnbzAG5wMAEQEAAYkD +bAQYAQgAIBYhBD2ZaKya574RaSiN2x/Vg5iV9X/aBQJb0aPgAhsCAUAJEB/Vg5iV +9X/awHQgBBkBCAAdFiEEN1UvZYKIwg4j4yPMVBjykdDUoaoFAlvRo+AACgkQVBjy +kdDUoarcggf/S3Vd9BqByRkCyuPLwgKWLt3KsIuKOKG9+lzoAy2VsKOomistO3g0 +itefSRUOGgSArVG/rarR0Dzva3LI7sFF9vS4XKlARSPJV0rY13buSR/LnagqmWUf +mQJTnh+MSWS6P37Burw0DqWioPd7VJQ67BfdrGUUeP8bChIPByo+ssi1qu2MFmLj +toYiLSYW0gRSKtn8+oz5hk1lzuQBBTZ14ykqwZH9L1kCo+3Q7O7e1dztJ6NX6jEm +QeHwLq27RqoUG15HR7CQvupa5CLbJ0Vja2tSkUnYb/ph8z7H9rkHz4qjKQWI1QoC +jLkiyrdDeWqVWfpwGhoAryBlWKn51T9j6NecEAC5WojJF6xqYFiiT/V7ekmMKZ0l +PA/IwW12U+ZP2EFVbqXjwBj3Mqx4NshNdRiWsl24ulIuNpmi6I3MJzx/1sfafGHl +mq7n2zv0Cky37M28tYoDOt5fzSLYn9cgo/OzhS3D05ARbHP+ofcXDz+So+mj8wQb +uW2sh9ToaiYOMzGqyMR0DFO6++FdIYzphN0sPyJBdfGeePNajV6+xhdS4zktWEGq +QaF2XukTGxodJ3J3poeCarfK9ubmkemLRJ1Q+ynlx5KNzvt4Ut1pEO+OXkYOxGfI +8gUuj3BXICVP3UVpB7RaqW5obz8zqQkskRqIBBrLoX+Dl+l4sID20BmW028xurkf +ef3lNfLGTat4RleypLrcVZ4CMvAM/KOLInrXEoFqIKLiwnlAp6RK3mRL1IURyOtO +WENn6w0DuD3yyQVglQfNft6TqaMjVxFjh2fDgWvISMe7x4Jp+EWljwBnpi+TtnG/ +P99J2sGb9Hwu6gC45mQ1Ufoe+suYuehSxAWNz00GzBS9XU1xRs00xLCjPNPhSjHO +MqmGdm3cSeFdcmp7JRM05RtDOeBYAZuDV/HZNQu4XG2gHUv1xbuIqwKqN4vRMrI2 +8fWRdN2sPNlULTjeeMpxy01lfwilvVkXRJKyCPCx9MWZfJ0qbFeEC/cDOonx34lK +mBW0B2Otoah+Em6d5bkBDQRb0aQLAQgAxXl4JTeK5v3xU8CxMG8IRLVrfT2XTWN+ +RvfnIoPPpvs1M9XXNnw2jVKaMJq/s9gKxpl3QaqcxR+zf+7L49ooAUoFodPg2Fbg +HoNLZYukSLyPyL4LgE/X1ZQpx78m51Yn+vzej0Va/dqa77W90GlDM4CIE/ikFFpn +oPO3c1SaqJv+bk3XNoP2l35ttsk3Y9if3r2LJRyn/ovVXZgQD+Ulb+klYugOBiKl +ezuq/v2tnySQJ7ouXuWyoQrcuTUS05GbFdhlbr4xJHE2HLxmqn1aSV7TQb8Uk9zQ +0SmSTinnlSlAgoDeq1veDLeMnYo6No2V2IOcXOLv9hOa3sNV+FnsaQARAQABiQI2 +BBgBCAAgFiEEPZlorJrnvhFpKI3bH9WDmJX1f9oFAlvRpAsCGwwACgkQH9WDmJX1 +f9p6+Q/+N97F+PW383hTi84JMyiQsX0mJrvDjt5hkkdN+7u0tUNL0l3AACQ7b85/ +ofJsGnfh8kYlB2nCP+gaNQU03qqbcyMLHsuwB+ULG0izbREb7aK02RBluFpIbgdV +rFrgrUkLiSsuQLdReQYRTP1tU0peosBPxhhb1alAGhkPebWx+MLlbtiyg/j4pu8+ +oFirrJ5WEltamGt8OSbdLGNS22PuwxV8VDo/Xbi57P1VBglCpgG1nWDEN8+i5nHh 
+8OKWZmvRhih1F89BR7U14OET+EENrZd8YRF2KOvOAM0eR1aIK/AilbINVZV0girt +B/rYFhwi9i7Fyo3gEtPRRZpzcQ7V0VZiBlpEAbjgqwe1XDVNJYquM7E4S2jBidR6 +XJaYQImiwzMcyFopZZgD0F46xSI3O8zZp21g7Dq4pv6wRXGU+L639u+X5INDtJ7s +kykwrYzmeGg/Mp0Mseiqq7iIJXrbP4dL1+Ck9alSGCe0p5vd3CIeBR3pFeSDG6yI +2DiRzDfzbkIuUdIOAjXWjIl+XWfsFc/Znnux3UcAGec4Nhe3JvKEy5keDpXZGSaZ +JaFJ3WJl8uQfJjO8n8M+P2lxmrpaErqkMk0+SC3DcSSZFEDigD6flMvfdVnOqdLa +R1K6skDZkO+PQYqSydf9erO6+YgEjJB0/uCMXgHDVsmO3uKLOTg= +=IWDv +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFyFXCQBEADengbfRCSixqjsBj7hnRsjDMihbgfolZe4asVd/JNh4xWqs5+z +Q+vZUNwluJa6hYrgFW66xPfQeAbo11pS9r2RNkemLWi+8gf2vUwGlp8ZPXb/hYsR +7URWJo+4GvfqH5RiTdLlJbPQnLSlCAMhwaAl1ko+p2zY/ImiAL+yaO8YYYN4sG31 ++67gG3t7AnbH+QjeoEU8heg+fYBiQXSmJ3nTvmYB0lgY/Cybh2Fge90JIZWoeWGp +fX1zhpCoJGXIW2GyOFQRMYQCbKqtrmicDkgQTocItDfUSwGBr4EFHM+mO0DwfZ8R +Lq+hzkLdAyJwWGNmiHbk8zFIBnktenmgslkoawvNOkGIz7mL0wqkkw6FYCojSnuj +ndlYg/XAKrr5RpSDwxwvzWhjyuA+0g2nXBFKWQ/SVZH5niXHTgXBjKfbXjF85eOu +bVx+82T7KV+aSAr7d0vAbSQO/XK6YrcXTJXZZbjIo/1eauT/FPQCBAejgOAle9wq +aN04IE5+XPnRkqe5jodDyf3c8hHRL0xWthtj0kupV/7VWNKBLlMESPVfSKN9kjkR +aTO6dH8jM0K1QWo5/mzEHNv4O2j8kyHDKJdRi+8bJSRKpToFmaLSe5gSA8vp/Fwg +rY/eLT/5GQ0XOkqtonLYkHbLu9m8H8IrYRgCBVuLCa3cEbYc0mktmm3ExQARAQAB +tDVGUlJvdXRpbmcgRGViaWFuIFJlcG9zaXRvcnkgPGRldkBsaXN0cy5mcnJvdXRp +bmcub3JnPokCTgQTAQgAOBYhBEpWx3OLs/gVlagF0qgydpkI8T7RBQJchVwkAhsB +BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEKgydpkI8T7Rj20P/3Or3Vi/k6jj +qb9hQKJgmX0taDG+FF1+X1WgmYOdW01jGK5jj1k3nKYQf4VGzR+eyUBTN54IpFsm +aW5DwKoMLcaMQ7OAbl+AtpW700Q5hAtz4aWB5Stl7wyjVl600INES5DOuIuEmqB5 +60uUePNqF/+XKUgDgbQFc3E/Tb+c+Z7ADIhbIYPLUcSwJtRLhbnPGjt+pTLmPCO1 +i/NPRjzwzFgyHJaHqlGFNUUFfqHqGWXLxlO0A9m+r1gOiAevV3ZTzC2izkjOhJHT +5XWFW7pS9jD78XgSN310glGYmWHZ0hxDgNR4V0oxOZCma1TDjfWVnUfK5pkm/78i +qRHc8tjt+tor47iOsml4J95Qr5Qxvf+iDgThXcYMAVDRULITmiqZqA1pkheCBugl +vQ7tvdjXf61ZxOZnDaqtLAHaSB/EynHaBaCzI2obQDHSgC1AU74f9SSN0j4HD01V +McFh9H0YZeR0eo4I16HHYUcExQNWJGfeuAC1XBGiNixHXy4c1PdxPFGPDnFtH3sX 
+2I5X4sKRVhZEbhRe111B93OFdkvWXmSyK6afu6qJBqB52zEe7F6UcNLP7ZnzafJV +bTCSZeF3Nzt58byiO5jt7nj1wKxv9HpQVy2P7V0CXJB4EK42tGhejjEOY8FevWKF +0OHX9RWKktlKAsLYFNPbHGPSo/ULj+sFuQINBFyI47kBEADLx3nZ+mFReBN4/E4C +Gl+B8bKPJ+gaFSdcw8GWV2NFMlJvOqg7Fa4djrqGaOA2YomnNpddS62jAUNdlgDJ +qRlZVK+Mqctdqgz7Gsuj4l7G/XjnUpQzPaEjxMXzCdFbP19lHa6GvyTgf1TewaNv +uLBe+oaObdgiAXCUyS3RUtLc9L7KU2+BlnX2JKeQK5K7sRromFfPc27qN+hsWgpy +xPvWYMGMHA0RjRwXOitjszXVZGUEPxwhX1kFOuFKnIcKG2jSbX/KLtcV1DNZro8s +Q9hb2UZWZxrwVIIh8FTL8esf0zM64HLo1sZ6yUaVzzeETuWZFMMKaF1dn+KtmKkL +KjgplRzJSE4QDP+48F6l9RCnrpIg33/rfN/M5Lbx5g2fhfT84+wQD6cKHypYfFng +GJbmpUCgITcxGFmpetCTpYkxsVMzikudFe2YSJ7TO0aVBgiHfBoXU9g5AXuDYVKi +8ZpaWcRSu4O0H58Kh/hk/8yiVa8e1nTMjsZuXMle8N52rF2G7vrMhva7uccgbbY+ +ZlOtWpZ7MJzIn/vKeWxXNDcvG7CVHn4BiSLXRcrNgw/I4UjhqpeRdx0l+j36HdDN +0yaSZu6uP9SnsB5wkm1jN3uoNMFAdvpIqoaK9+2b5xKxLsNtE/R3anX9TlfFmeom +k0JxrTsNqpRxBw5GylM96Bd9BQARAQABiQRsBBgBCAAgFiEESlbHc4uz+BWVqAXS +qDJ2mQjxPtEFAlyI47kCGwICQAkQqDJ2mQjxPtHBdCAEGQEIAB0WIQSnzWQmxSYW +E+lH68yjyrYexHux0AUCXIjjuQAKCRCjyrYexHux0J+TD/40x0L8vzP+k29NEreT +N+k6889rCWMKAwmKWpgUN39nv9hZbSOFWDQs5Ttp+Rc+v7L5Pj4avJPzGnQieTMw +7wKOu8ZUisBVzYfYsxlXlKsOLZrVlQpFJhWNFOBq0axYlP6vrslXkMPk+IPz8/FV +USVByUHNNlIPmJU0WOIoLt+0YkqN1c1UCui/H6Z6IFpFIG8WLpgAtyKvqu8kdnEw +JEqpp4dO/ainnF8fL8VuV1+cdbxRO0IsOJBqQ+M8LFI2ANJscW+l6sg9RX2ZSExQ +Bm6dtPnsfP483SwH62PbaMP4lQ+Zpjl6ngoxv+S0RIDoW5Zl3zGe721NiLmz6Llz +0Ghe3Jgnf1JHOlR893Hi8UkvvTbBLkR4fbvmbgHvhcNWCL2hGCsxDV002hI4OlYp +px1gJ/HoU7lrrKQCzwTTxfQ1JiTMa+eiwY8xQGEfqUY83pWkx3wGUBa+W3GNlxD9 ++pZIzmxtD4uylA9lwnw/GXV4RauDuHMwWuqAGtDEr9Y8nYHuxl5/KdYOCf98sOzv +XU8btnxuGHrWb5OgRD21NeHa4zwYXIuYOQtYai6IboKdH70l8b3VX+xtu9Fwf/V4 +5EsipWedfA2S3CtKjP6Pv5C6NAVoAnXinqr1VAXMJT5PvXmx1mLP7Xms8o7O7xda +rsERKxVtt+JjArArk/gpFXImPLArD/42ZChEpJgbjabTrd6saI4BOsKSARX36Cxe +cjJuWNvddpsb9WgYXbXCSK5hOybFYLlbRmdFmz1VzVy5au+Bsbmy+jKqzgAM1sui +wE6WyVIOdN3hTZ9W20Fb4pa6MWd8dpWBwi7g40oRvaoPpspcimpa6OCNktij9zrZ +/hN49JYbLjA7V+rE+zWWz2m3Ecwn2A5LZdKbrI06uKFltTRUhMZ3HhwhKrNui/iN 
+YpwDn662jJaTxJ8x/WQJP6ILKVi3wk0eGFBSapEUv+D51y1v0dRh/QOO98RnLQ/p +T/4y7BPxEWLLNr53rPHOjd2ClhDNZ8+dFzYrOCs+1f+mpWf7yF9wHBs2hOhSZAMx +34HshZVLGBtdfD/cb1MA5MnBdfJHHFjL6EiJOP30YKJsTEGgqpAyMtyZt5/MKEfj +r0OV/La7s38fpcPlZplF2/eqgxt7WiQu5I6BUXJcSlGTe97Rq5Ba/tSHzUnK1FNr +v/hfBSgtxmX2qT5ojMu+UiKtvJDeUAGFLAJcaaEv92frhLWHcXXpayUuk/wdU9Qg +y8F+yFtYGY2lj0h9WCeKbYUAm1p7skW5v2nsMw6I3QOPFzQBzm1rFQ1vFJMaqFFC +qvHJALsI0SmaI7ruXYrm7CNv6qJKo3URYGq27Tm9lhut8iWKsa1/NWW5LZxzt2mO +egKcOCfAMg== +=Lt8H +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFyVPosBEADMyAbmmfo6x7e/dly+yQk1BuWUDbvMHFX9coCSItNxVvvIVzYJ +Bw9pp4kJsTeqTI1cNQcCCjaeWbWevINCD5yFGN25xNPz2s1lgHCpJQzs/1qMKuE8 +vrHkEpJZTrdPSl8J8VdjQDCIh0NrLss1VzoPpFbm7lIkuN/6tl87hsyUyedd/0bY +KkNVZfOW4UAjJFWQakofhTVifHqozb6wu+SYtPFnP/yBJdsYwrKlyyhR8hIIjyAK +sxpKz6Dym6tHoDNLIcPy1Q3uNUaYdN2pXXRqzLTIKq7M7RhgY1W7QO7VFtkaG74j +tmjbJYsX6nBGSlGE5cmlSz8N+D+uR/0NPMvgKOwI38joIT5/Sii/jgZUuX4Mz9Zk +7Rh/C+P906dJpjbCbEPYSxVnZC4fHJZ0ezSEgrFKZ4QGoViNJEcc6jwNkgTM7jdz +0e/xMKu4Ed30jLO7TvnwmcGWF/m2DZIgIMu9rhNHUaKeGRKo+Daf/x1naRbht/a/ +uSyukGJA5koipy8XxmJorx7MdIa9ekYPJaHM3eOcE1fxn7IcOwoqn0piB4lllq2r +akLif195eFIcdI/cRfCX2fgQxBbgAAolUCqguJfus7cQCkn9Fr0cDgq7c0s0dQEw +0kofqGUq6/fpdqxadRdPlYXS3BIvrWA99zOVCzxaccvKaMZxaKauc/rKbQARAQAB +tDNKYWZhciBBbC1HaGFyYWliZWggKGxhdW5jaHBhZCkgPHRvLmphZmFyQGdtYWls +LmNvbT6JAk4EEwEKADgWIQSpD8NtlClAl5jpwth03u1DqxlNvwUCXJU+iwIbAwUL +CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRB03u1DqxlNv7w7D/90u8bETWZmzRZ7 +sRBfyN30YhXgvEJQCSKFgH1H5BS9H2W+VYQ8nmXpoVpsU5wLVosJ55WpO9oF7+6R ++wO2r3lo+vkqFzscYLfNd/KTo6r7kl7VTTN9bBCMgl7eFtmqSO90o5UCrNBHk2Ax +fTBJX9TLGa4SLPhiTlz51XdyYls3yG/3yQ6de6K+jPjrQsP2VbBSHP9OA+MKRTr6 +ONDTyJJ7TEAuoX7W1NLMQYS0kdA1jjGvTKeyHkb8QqFDTM7RyRdczKBEwOXSi7DW +8v3Ink+7CgKGGLnOo3lXlm7q516Z9JMJ5BJtFkTx6Bo9iSAK4jSBiC5Zlta6CtP7 +lLwq/eOut/y9VoDXsdVkQl3UdTrB5b/4MZHL4Z6ykN1dv56XzjdnIl/nM7azwrTW +N9tBDhjrYvKvscSI2l8TGdAseb4ftovHwIBFjNIlI6TYVEUR93ZEGPZCmuYeVSJe 
+MWStJuLDa+bbbr2/OLvHsjyWB0/5LJNsHHfMCKLZTP8jeNVcHAJi7P+iNPPLp57C +N2NEmyuJwgxFN/5cHlZzkg0QQgSaTm/tsft0jFJh4s0kO6L5NZ9ACP2JC9wfaBmt +QFwdl+Tc5/Jf6pTnnMzeHuSiVWvG4jB3EVr47dWD7p5ekP+O0cG0Rnm2rf66M+fo +z88Ga0gduOhxfdRn1qT3smK3hgyv2bkCDQRclT6LARAA8xTr8yu7ab6f4NAeMnTL +4mjjYoYVXBMd4qT/cdtkSFoCdOl+MwcEZmDrq1HzT5CVXo9hPEcI7iuyXiejoMhB +GFfvdY0Pcg5yMoUL57kE3XBoz9C8TEal1loSfTJ4IRou2VpY2sruaKgxO7PvmyQM +D8mk4Sgyewn6VkcQx4dGwQrN2VU8mwFqp4GnEm7DgVJKqFRD43hCFoncNYaSOc52 +vf/EEU6VYxPWi01nZoRiNp8tXt+dYk5yb6fEhDsH9YYk51bgiiiGNoQw/zC1w2ek +zPqJH/Y0BzoODbJ59vqc2jCuzGII4tFkijYbBTcCk1b7/yvQgwLdBpOTrrHcNolh +plr7zHcB8TOc3aYrJ8TkwgP80uK85vlAIzB9AkZ/9Gn2K08b5eVC9cvMm0idwFkg +0fHY+v2aDesA4lv1UtTsQVmrqnx1zaCjwH9tu73GTGXX40guYpbatPu3HDog/QkV +fykVI5B2+vMixFCzudMKg80K+H7QI3uc1efqEmMRKjQU2rKXTNo/lASWjQMNfbWt +JvEsLuLPc909OFhBfoX6GR7pmbKn3MCrTpLVeUkmp0EjcqYaDZXHnzKZQjjNjOKm +6J69G3Ro6Abs7tRpnqOLTLZ5DKWBYidc3/fp/BF+CpeHdZlstLUazQ56ti9GshPf +W4+6TRg2gt1leeXRU18jQz0AEQEAAYkCNgQYAQoAIBYhBKkPw22UKUCXmOnC2HTe +7UOrGU2/BQJclT6LAhsMAAoJEHTe7UOrGU2/kToP/il4dvWMMJS4pgXuDPcwTaYc +e8T9a8Uf0B2BOOKJgLZk2kvI21bwHnGxXc3zuUHCzZ81Y89/IpX+s37J+frvLbqd +xOfE39+5plK9BDn7G9UsTzg7mXuGWpMQA6Mvki4LslY/qCfUqzVeFPNZquH4Emxr +z1u0SldhaqctrkKwW1teTTmqbCtGrRpb0v8x42TBw+WvBJopelpgtdy3TnRbKk86 +NkiiPFVRnfC0RjyMlLxa095t5s8irrqjnAAKMvwKiuzt97CQ/U68WbsOYLyv42PT +ClfbbFJw6ghTZ7SRxiGwUVz7EwQ31MsiffmyJKRca81yqSQfrPS4MkEXChZBt8wF +C1IhG9I9zbHKt9saXWPYCbL8Zs2x3c1md62dl4mrH/VwLV9T+7PaJCM8qrFtkWlu +cYntgBhLW1KY9dWkCtZ7ML70n8FyIyHMD35mZb3lw+c1dBusuwGwZLSksH9ucOQz +Zh3+rlZ8PkYXXosKTkp9qBDVoSgNU5AH8F+K/Uw1uVm+JqqFP/ieQQydS8wAVYAv +ax/ZP+wTHhLvmHUoI70K51osk+sLcFh+h9L6sK+kq9i2mrJs/d2Sk6jau96RJCFe +pHI+29yZoK5ZpOkvFAFvbNXMFd2sn5O60y9LAvr9u2QRNlTvmQ7B1o2/US62SoD4 +HGxIKIAggOUujclydhvu +=+/L/ +-----END PGP PUBLIC KEY BLOCK----- diff --git a/roles/ipv6-edge-router/handlers/main.yml b/roles/ipv6-edge-router/handlers/main.yml new file mode 100644 index 0000000..604d632 --- /dev/null +++ b/roles/ipv6-edge-router/handlers/main.yml 
@@ -0,0 +1,5 @@
+---
+- name: restart frr
+ service:
+ name: frr
+ state: restarted
diff --git a/roles/ipv6-edge-router/tasks/main.yml b/roles/ipv6-edge-router/tasks/main.yml
new file mode 100644
index 0000000..40c945d
--- /dev/null
+++ b/roles/ipv6-edge-router/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+
+- name: install GPG
+ apt:
+ name: gnupg
+
+- name: Add FRR repo key
+ apt_key:
+ data: "{{ lookup('file', 'frr-apt-key.asc') }}"
+ state: present
+
+- name: Add FRR apt repository
+ apt_repository:
+ repo: deb https://deb.frrouting.org/frr buster frr-stable
+ state: present
+ notify: restart frr
+
+- name: Install frr
+ apt:
+ name: frr
+
+- name: setup frr daemons
+ template:
+ src: daemons.j2
+ dest: /etc/frr/daemons
+ notify: restart frr
+
+- name: setup frr.conf
+ template:
+ src: frr.conf.j2
+ dest: /etc/frr/frr.conf
+ notify: restart frr
+
+- name: enable+start frr
+ service:
+ name: frr
+ state: started
+ enabled: yes
diff --git a/roles/ipv6-edge-router/templates/daemons.j2 b/roles/ipv6-edge-router/templates/daemons.j2
new file mode 100644
index 0000000..9cef233
--- /dev/null
+++ b/roles/ipv6-edge-router/templates/daemons.j2
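Review bot: `apt_key` with `data:` imports every key in frr-apt-key.asc (three public-key blocks in the previous hunk) into apt's system-wide trusted keyring, so any of those keys can then sign packages for every configured repository, not only deb.frrouting.org. Write the key to a file under /usr/share/keyrings and bind it to the repository with `signed-by` instead; apt on buster accepts an ASCII-armored file there, and `content:` keeps the existing lookup so the key file need not move. The `notify: restart frr` on the repository task is unrelated to the service's configuration and can go, and `enabled: yes` should be the canonical `enabled: true`.
```yaml
- name: Install FRR repo keyring (trusted only for this repo via signed-by)
  copy:
    content: "{{ lookup('file', 'frr-apt-key.asc') }}"
    dest: /usr/share/keyrings/frr-archive-keyring.asc
    mode: "0644"

- name: Add FRR apt repository
  apt_repository:
    repo: deb [signed-by=/usr/share/keyrings/frr-archive-keyring.asc] https://deb.frrouting.org/frr buster frr-stable
    state: present

# … unchanged: Install frr, setup frr daemons, setup frr.conf, enable+start frr …
```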
@@ -0,0 +1,67 @@ +# This file tells the frr package which daemons to start. +# +# Sample configurations for these daemons can be found in +# /usr/share/doc/frr/examples/. +# +# ATTENTION: +# +# When activation a daemon at the first time, a config file, even if it is +# empty, has to be present *and* be owned by the user and group "frr", else +# the daemon will not be started by /etc/init.d/frr. The permissions should +# be u=rw,g=r,o=. +# When using "vtysh" such a config file is also needed. It should be owned by +# group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too. +# +# The watchfrr and zebra daemons are always started. +# +{% if 'backup' in inventory_hostname %} +bgpd=no +{% else %} +bgpd=yes +{% endif %} +ospfd=no +ospf6d=no +ripd=no +ripngd=no +isisd=no +pimd=no +ldpd=no +nhrpd=no +eigrpd=no +babeld=no +sharpd=no +pbrd=no +bfdd=no + +# +# If this option is set the /etc/init.d/frr script automatically loads +# the config via "vtysh -b" when the servers are started. +# Check /etc/pam.d/frr if you intend to use "vtysh"! +# +vtysh_enable=yes +zebra_options=" -A 127.0.0.1 -s 90000000" +bgpd_options=" -A 127.0.0.1" +ospfd_options=" -A 127.0.0.1" +ospf6d_options=" -A ::1" +ripd_options=" -A 127.0.0.1" +ripngd_options=" -A ::1" +isisd_options=" -A 127.0.0.1" +pimd_options=" -A 127.0.0.1" +ldpd_options=" -A 127.0.0.1" +nhrpd_options=" -A 127.0.0.1" +eigrpd_options=" -A 127.0.0.1" +babeld_options=" -A 127.0.0.1" +sharpd_options=" -A 127.0.0.1" +pbrd_options=" -A 127.0.0.1" +staticd_options="-A 127.0.0.1" +bfdd_options=" -A 127.0.0.1" + +# The list of daemons to watch is automatically generated by the init script. +#watchfrr_options="" + +# for debugging purposes, you can specify a "wrap" command to start instead +# of starting the daemon directly, e.g. to use valgrind on ospfd: +# ospfd_wrap="/usr/bin/valgrind" +# or you can use "all_wrap" for all daemons, e.g. 
to use perf record:
+# all_wrap="/usr/bin/perf record --call-graph -"
+# the normal daemon command is added to this at the end.
diff --git a/roles/ipv6-edge-router/templates/frr.conf.j2 b/roles/ipv6-edge-router/templates/frr.conf.j2
new file mode 100644
index 0000000..1f06f2f
--- /dev/null
+++ b/roles/ipv6-edge-router/templates/frr.conf.j2
@@ -0,0 +1,24 @@
+log syslog informational
+log stdout
+
+hostname routeur-aurore
+password Tux
+enable password Tux
+
+interface lo
+line vty
+
+
+# Aurore AS.
+router bgp 43619
+ #no synchronization
+ bgp router-id 45.66.111.254
+
+ # Remote-AS: Zayo.
+ neighbor 2001:1b48:2:103::d7:1 remote-as 8218
+ address-family ipv6
+ network 2a09:6840::/29
+ neighbor 2001:1b48:2:103::d7:1 activate
+ exit-address-family
+!
+
diff --git a/roles/router/templates/interfaces-aurore b/roles/router/templates/interfaces-aurore
index 440392f..401e5aa 100644
--- a/roles/router/templates/interfaces-aurore
+++ b/roles/router/templates/interfaces-aurore
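Review bot: `password Tux` and `enable password Tux` commit a trivial VTY password to the repository, and `hostname routeur-aurore` plus `bgp router-id 45.66.111.254` are fixed even though daemons.j2 in the same commit distinguishes a backup host by `inventory_hostname`, so the backup would render as the same router. Exposure is limited by the `-A 127.0.0.1` in daemons.j2, but the secret stays in git history; take it from a vaulted variable (`password {{ frr_vty_password }}`, a constructed name) or drop both `password` lines and rely on `frrvty` group membership for vtysh, and use `hostname {{ inventory_hostname }}`. Whether the backup needs its own router-id is not stated, but it should at least not duplicate the primary's.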
@@ -16,17 +16,19 @@ iface ens18 inet static iface ens18 inet6 static address 2a09:6840:129::0:{{ router_hard_ip_suffix }}/64 - post-up ip route add 2a09:6840:10::/64 via 2a09:6840:129::1:254 dev ens18 - post-up ip route add 2a09:6840:11::/64 via 2a09:6840:129::1:254 dev ens18 + # Now managed by keepalived. + # + # post-up ip route add 2a09:6840:10::/64 via 2a09:6840:129::1:254 dev ens18 + # post-up ip route add 2a09:6840:11::/64 via 2a09:6840:129::1:254 dev ens18 - post-up ip route add 2a09:6840:20::/64 via 2a09:6840:129::2:254 dev ens18 - post-up ip route add 2a09:6840:21::/64 via 2a09:6840:129::2:254 dev ens18 + # post-up ip route add 2a09:6840:20::/64 via 2a09:6840:129::2:254 dev ens18 + # post-up ip route add 2a09:6840:21::/64 via 2a09:6840:129::2:254 dev ens18 - post-up ip route add 2a09:6840:40::/64 via 2a09:6840:129::4:254 dev ens18 - post-up ip route add 2a09:6840:41::/64 via 2a09:6840:129::4:254 dev ens18 + # post-up ip route add 2a09:6840:40::/64 via 2a09:6840:129::4:254 dev ens18 + # post-up ip route add 2a09:6840:41::/64 via 2a09:6840:129::4:254 dev ens18 - post-up ip route add 2a09:6840:50::/64 via 2a09:6840:129::5:254 dev ens18 - post-up ip route add 2a09:6840:51::/64 via 2a09:6840:129::5:254 dev ens18 + # post-up ip route add 2a09:6840:50::/64 via 2a09:6840:129::5:254 dev ens18 + # post-up ip route add 2a09:6840:51::/64 via 2a09:6840:129::5:254 dev ens18 # The primary network interface From 0d7bfbd8725cb65ed5b23daa8ea944305d9b5bba Mon Sep 17 00:00:00 2001 From: chirac Date: Sat, 17 Oct 2020 19:48:17 +0200 Subject: [PATCH 252/297] Create group for non pve physical server --- hosts | 6 +++++- roles/ldap-client/templates/nslcd.conf.j2 | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/hosts b/hosts index 6c2061a..7f11a74 100644 --- a/hosts +++ b/hosts 
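Review bot: The eight `post-up ip route add …` lines are kept as commented-out text under `# Now managed by keepalived.`; git already retains the old routes and the one-line comment records why they left, so deleting the dead lines would stop the stanza reading as if the routes were only half-disabled and makes a later "is this still applied?" check trivial. If they are kept as a reference, one line such as `# Routes 2a09:6840:{10,11,20,21,40,41,50,51}::/64 are now pushed by keepalived` carries the same information in a fraction of the space. The `iface ens18 inet6 static` stanza starts before the hunk.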
@@ -30,6 +30,7 @@ re2o-ldap.adm.auro.re re2o-db.adm.auro.re pendragon.adm.auro.re services-bdd-local.adm.auro.re +backup.adm.auro.re ############################################################################### @@ -108,8 +109,12 @@ routeur-pacaterie-backup.adm.auro.re ############################################################################### # Emilie du Chatelet +[edc_server] +perceval.adm.auro.re + [edc_pve] chapalux.adm.auro.re +escalope.adm.auro.re [edc_vm] routeur-edc.adm.auro.re @@ -129,7 +134,6 @@ ldap-replica-edc-backup.adm.auro.re # George Sand [gs_pve] -perceval.adm.auro.re lancelot.adm.auro.re odin.adm.auro.re diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2 index 1cb7856..00a3f2e 100644 --- a/roles/ldap-client/templates/nslcd.conf.j2 +++ b/roles/ldap-client/templates/nslcd.conf.j2 @@ -15,7 +15,7 @@ uri ldap://{{ uri }} uri ldap://{{ uri }} {% endfor %} {% endif %} -{% if 'edc_vm' in group_names or 'edc_pve' in group_names %} +{% if 'edc_vm' in group_names or 'edc_pve' in group_names or 'edc_server' in group_names %} {% for uri in groups['ldap_replica_edc'] %} uri ldap://{{ uri }} {% endfor %} From 68f7fd5b596849297306985b1bdd443cc50f4446 Mon Sep 17 00:00:00 2001 From: chirac Date: Sat, 17 Oct 2020 19:48:34 +0200 Subject: [PATCH 253/297] Isc-dhcp-server config for banni/accueil vlans --- group_vars/all/vars.yml | 3 +- .../templates/default/isc-dhcp-server.j2 | 2 +- .../templates/dhcp/regular-subnets.conf.j2 | 41 +++++++++++++++++++ 3 files changed, 44 insertions(+), 2 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 6c1d978..7a84123 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml 
@@ -57,7 +57,8 @@ subnet_ids: ap: "14{{ apartment_block_id }}" users_wired: "{{ apartment_block_id }}0" users_wifi: "{{ apartment_block_id }}1" - + users_banni: "{{ apartment_block_id }}2" + users_accueil: "{{ apartment_block_id }}3" # Keepalived keepalived_password: "{{ vault_keepalived_password[apartment_block] }}" diff --git a/roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 b/roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 index c7f6a53..6a7c7f7 100644 --- a/roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 +++ b/roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 @@ -19,6 +19,6 @@ INTERFACESv4="ens19" INTERFACESv6="" {% else %} -INTERFACESv4="ens19 ens20 ens21" +INTERFACESv4="ens19 ens20 ens21 ens22 ens23" INTERFACESv6="" {% endif %} diff --git a/roles/isc-dhcp-server/templates/dhcp/regular-subnets.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/regular-subnets.conf.j2 index c18eed2..43f49fa 100644 --- a/roles/isc-dhcp-server/templates/dhcp/regular-subnets.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/regular-subnets.conf.j2 
@@ -51,3 +51,44 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 {
 {% endif %}
 }
 }
+
+# Banni
+subnet 10.{{ subnet_ids.users_banni }}.0.0 netmask 255.255.0.0 {
+ interface "ens22";
+ option subnet-mask 255.255.0.0;
+ option broadcast-address 10.{{ subnet_ids.users_banni }}.255.255;
+ option routers 10.{{ subnet_ids.users_banni }}.0.{{ router_ip_suffix }};
+ option domain-name "banni.{{ apartment_block_dhcp }}.auro.re";
+ option domain-search "auro.re";
+
+ option domain-name-servers 10.{{ subnet_ids.users_banni }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_banni }}.0.{{ dns_host_suffix_backup }};
+
+ pool {
+ range 10.{{ subnet_ids.users_banni }}.1.0 10.{{ subnet_ids.users_banni }}.2.255;
+
+{% if dhcp_failover is defined %}
+ failover peer "dhcp-failover";
+{% endif %}
+ }
+}
+
+
+# Accueil
+subnet 10.{{ subnet_ids.users_accueil }}.0.0 netmask 255.255.0.0 {
+ interface "ens23";
+ option subnet-mask 255.255.0.0;
+ option broadcast-address 10.{{ subnet_ids.users_accueil }}.255.255;
+ option routers 10.{{ subnet_ids.users_accueil }}.0.{{ router_ip_suffix }};
+ option domain-name "accueil.{{ apartment_block_dhcp }}.auro.re";
+ option domain-search "auro.re";
+
+ option domain-name-servers 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix_backup }};
+
+ pool {
+ range 10.{{ subnet_ids.users_accueil }}.1.0 10.{{ subnet_ids.users_accueil }}.2.255;
+
+{% if dhcp_failover is defined %}
+ failover peer "dhcp-failover";
+{% endif %}
+ }
+}
From 3d64f22c39ac8b7829106c4ca44afe71783e90b0 Mon Sep 17 00:00:00 2001
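Review bot: The `# Banni` and `# Accueil` stanzas are verbatim copies of each other, differing only in the subnet id, the interface name and the domain label, so every future tweak (a DNS option, the failover block) has to be repeated per network, and the interface names must also be kept in step by hand with the `INTERFACESv4` list in isc-dhcp-server.j2 on the line above. A single Jinja loop over (label, subnet id, interface) tuples keeps the two new networks in one place and makes adding the next VLAN a one-line change; sketched below for the two added stanzas only. The enclosing template starts before the hunk.
```jinja
{# … unchanged: wired and wifi subnets … #}
{% for label, net_id, iface in [('banni', subnet_ids.users_banni, 'ens22'),
                                ('accueil', subnet_ids.users_accueil, 'ens23')] %}
# {{ label | capitalize }}
subnet 10.{{ net_id }}.0.0 netmask 255.255.0.0 {
    interface "{{ iface }}";
    option subnet-mask 255.255.0.0;
    option broadcast-address 10.{{ net_id }}.255.255;
    option routers 10.{{ net_id }}.0.{{ router_ip_suffix }};
    option domain-name "{{ label }}.{{ apartment_block_dhcp }}.auro.re";
    option domain-search "auro.re";

    option domain-name-servers 10.{{ net_id }}.0.{{ dns_host_suffix_main }}, 10.{{ net_id }}.0.{{ dns_host_suffix_backup }};

    pool {
        range 10.{{ net_id }}.1.0 10.{{ net_id }}.2.255;
{% if dhcp_failover is defined %}
        failover peer "dhcp-failover";
{% endif %}
    }
}
{% endfor %}
```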
From: Jeltz Date: Sat, 24 Oct 2020 19:12:35 +0200 Subject: [PATCH 254/297] Modification du keepalive d'OpenSSHd. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Les serveurs OpenSSH détectent désormais la déconnexion du client et peuvent terminer la session.
---
 roles/basesecurity/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/basesecurity/tasks/main.yml b/roles/basesecurity/tasks/main.yml
index be168f4..2db6b5b 100644
--- a/roles/basesecurity/tasks/main.yml
+++ b/roles/basesecurity/tasks/main.yml
@@ -35,7 +35,7 @@
 - ["PermitRootLogin", "prohibit-password"]
 - ["AllowAgentForwarding", "no"]
 - ["X11Forwarding", "no"]
- - ["TCPKeepAlive", "no"]
+ - ["TCPKeepAlive", "yes"]
 notify: Restart sshd service
 # See banned client with `fail2ban-client status sshd`
From 16477042e8bb8d9232b2aa66290d01c876ad5f65 Mon Sep 17 00:00:00 2001
From: chirac Date: Mon, 2 Nov 2020 12:22:34 +0100 Subject: [PATCH 255/297] Remove ldap-replica-backup
---
 hosts | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/hosts b/hosts
index 7f11a74..eb1a0fb 100644
--- a/hosts
+++ b/hosts
@@ -20,7 +20,6 @@ radius-aurore.adm.auro.re
 dhcp-aurore.adm.auro.re
 dhcp-aurore-backup.adm.auro.re
 dns-aurore.adm.auro.re
-docker-worker1-aurore.adm.auro.re
 proxy-local.adm.auro.re
 camelot.adm.auro.re
 gitea.adm.auro.re
@@ -31,6 +30,8 @@ re2o-db.adm.auro.re
 pendragon.adm.auro.re
 services-bdd-local.adm.auro.re
 backup.adm.auro.re
+services-web.adm.auro.re
+mail.adm.auro.re
 ###############################################################################
@@ -69,7 +70,6 @@ marki.adm.auro.re
 [fleming_vm]
 ldap-replica-fleming.adm.auro.re
-ldap-replica-fleming-backup.adm.auro.re
 dhcp-fleming.adm.auro.re
 dhcp-fleming-backup.adm.auro.re
 dns-fleming.adm.auro.re
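Review bot: `- ["TCPKeepAlive", "yes"]` on its own does not deliver what the commit message promises: TCP keepalives travel outside the encrypted channel and sshd_config(5) documents them as spoofable, so a session whose client has actually gone away can be kept open by anyone able to answer for the client's address. The SSH-level mechanism that detects a dead client inside the encrypted channel is the `ClientAliveInterval`/`ClientAliveCountMax` pair, e.g. `- ["ClientAliveInterval", "300"]` and `- ["ClientAliveCountMax", "3"]` added to this same list. Keeping `TCPKeepAlive yes` alongside them is harmless (it is also OpenSSH's default), but it should not be the only timeout. The list item belongs to a task that starts before the hunk.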
@@ -92,7 +92,6 @@ titan.adm.auro.re [pacaterie_vm] ldap-replica-pacaterie.adm.auro.re -ldap-replica-pacaterie-backup.adm.auro.re dhcp-pacaterie.adm.auro.re dhcp-pacaterie-backup.adm.auro.re dns-pacaterie.adm.auro.re @@ -127,7 +126,6 @@ unifi-edc.adm.auro.re radius-edc.adm.auro.re radius-edc-backup.adm.auro.re ldap-replica-edc.adm.auro.re -ldap-replica-edc-backup.adm.auro.re ############################################################################### @@ -149,7 +147,6 @@ radius-gs.adm.auro.re radius-gs-backup.adm.auro.re prometheus-gs.adm.auro.re ldap-replica-gs.adm.auro.re -ldap-replica-gs-backup.adm.auro.re ############################################################################### # Les Rives @@ -237,16 +234,12 @@ ldap_replica_gs [ldap_replica_fleming] ldap-replica-fleming.adm.auro.re -ldap-replica-fleming-backup.adm.auro.re [ldap_replica_pacaterie] ldap-replica-pacaterie.adm.auro.re -ldap-replica-pacaterie-backup.adm.auro.re [ldap_replica_edc] ldap-replica-edc.adm.auro.re -ldap-replica-edc-backup.adm.auro.re [ldap_replica_gs] ldap-replica-gs.adm.auro.re -ldap-replica-gs-backup.adm.auro.re From 4a43c0f0db973437aafaeb974aa026acd957f5e8 Mon Sep 17 00:00:00 2001 From: chirac Date: Mon, 2 Nov 2020 17:25:26 +0100 Subject: [PATCH 256/297] Update re2o ip --- group_vars/all/vars.yml | 2 +- roles/radius/tasks/main.yml | 2 +- roles/radius/templates/settings_local.py.j2 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 7a84123..90615a1 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -5,7 +5,7 @@ ansible_python_interpreter: /usr/bin/python3 # LDAP binding # You can hash LDAP passwords with `slappasswd` tool ldap_base: 'dc=auro,dc=re' -ldap_master_ipv4: '10.128.0.11' +ldap_master_ipv4: '10.128.0.21' ldap_master_uri: "ldap://re2o-ldap.adm.auro.re" ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}" ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}" 
diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml
index 1d419a2..672bc6d 100644
--- a/roles/radius/tasks/main.yml
+++ b/roles/radius/tasks/main.yml
@@ -179,7 +179,7 @@
 state: dump
 target: /tmp/re2o-schema.sql
 target_opts: '-s'
- login_host: 10.128.0.12
+ login_host: 10.128.0.22
 login_user: replication
 login_password: "{{ radius_pg_replication_password }}"
diff --git a/roles/radius/templates/settings_local.py.j2 b/roles/radius/templates/settings_local.py.j2
index 0e47e36..fb1ac29 100644
--- a/roles/radius/templates/settings_local.py.j2
+++ b/roles/radius/templates/settings_local.py.j2
@@ -75,7 +75,7 @@ DATABASES = {
 },
 'ldap': {
 'ENGINE': 'ldapdb.backends.ldap',
- 'NAME': 'ldap://10.128.0.11/',
+ 'NAME': 'ldap://10.128.0.21/',
 'USER': 'cn=admin,dc=auro,dc=re',
 'TLS': False,
 'PASSWORD': '{{ ldap_admin_password }}',
From a213e18d9ccde7fcee345bbe48e1c55e7b2b45e6 Mon Sep 17 00:00:00 2001
From: chirac Date: Mon, 2 Nov 2020 17:25:38 +0100 Subject: [PATCH 257/297] Update Ldap priority
---
 roles/ldap-client/tasks/install_ldap.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/ldap-client/tasks/install_ldap.yml b/roles/ldap-client/tasks/install_ldap.yml
index 2f81e11..3afc484 100644
--- a/roles/ldap-client/tasks/install_ldap.yml
+++ b/roles/ldap-client/tasks/install_ldap.yml
@@ -26,7 +26,7 @@
 lineinfile:
 dest: /etc/nsswitch.conf
 regexp: "^{{ item }}:"
- line: "{{ item }}: files ldap"
+ line: "{{ item }}: files ldap systemd"
 loop:
 - passwd
 - group
From 518560b392b391f2b0a91a0e840233f966f565e5 Mon Sep 17 00:00:00 2001
From: chirac Date: Tue, 3 Nov 2020 14:21:26 +0100 Subject: [PATCH 258/297] Add new ldap replica at ovh
---
 hosts | 6 +++++-
 roles/ldap-client/templates/nslcd.conf.j2 | 5 +++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/hosts b/hosts
index eb1a0fb..68e744a 100644
--- a/hosts
+++ b/hosts
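Review bot: `'NAME': 'ldap://10.128.0.21/'` hard-codes the LDAP master address that `group_vars/all/vars.yml` already defines as `ldap_master_ipv4` (updated to the same value in this commit on the line above); rendering `'NAME': 'ldap://{{ ldap_master_ipv4 }}/',` makes the next move a one-place change and stops the two from drifting apart. The `login_host: 10.128.0.22` literal in the radius task hunk above deserves the same treatment with a variable of its own. The context lines also show this ldapdb backend binding as `cn=admin` with `'TLS': False`; that is pre-existing, but it means the RADIUS host holds the directory's administrative credential and sends it in clear, which is worth a follow-up (a dedicated read-only service DN, as the nslcd bind already uses, and TLS). The `DATABASES` dict starts before the hunk.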
@@ -55,7 +55,7 @@ passbolt.adm.auro.re vpn-ovh.adm.auro.re docker-ovh.adm.auro.re switchs-manager.adm.auro.re - +ldap-replica-ovh.adm.auro.re [ovh_testing_vm] #re2o-test.adm.auro.re @@ -231,6 +231,7 @@ ldap_replica_fleming ldap_replica_pacaterie ldap_replica_edc ldap_replica_gs +ldap_replica_ovh [ldap_replica_fleming] ldap-replica-fleming.adm.auro.re @@ -243,3 +244,6 @@ ldap-replica-edc.adm.auro.re [ldap_replica_gs] ldap-replica-gs.adm.auro.re + +[ldap_replica_ovh] +ldap-replica-ovh.adm.auro.re diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2 index 00a3f2e..e1e362b 100644 --- a/roles/ldap-client/templates/nslcd.conf.j2 +++ b/roles/ldap-client/templates/nslcd.conf.j2 @@ -25,6 +25,11 @@ uri ldap://{{ uri }} uri ldap://{{ uri }} {% endfor %} {% endif %} +{% if 'ovh_vm' in group_names or 'ovh_container' in group_names or 'ovh_pve' in group_names %} +{% for uri in groups['ldap_replica_ovh'] %} +uri ldap://{{ uri }} +{% endfor %} +{% endif %} uri {{ ldap_master_uri }} # The search base that will be used for all queries. From 2a6c005190cbb335aafa45de8687f39b7aacf6c1 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Tue, 3 Nov 2020 23:19:19 +0100 Subject: [PATCH 259/297] Replace ansible_header by ansible_managed --- roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 | 2 +- roles/certbot/templates/letsencrypt/rfc2136.ini.j2 | 2 +- .../templates/nginx/sites-available/redirect.j2 | 2 +- .../templates/nginx/sites-available/reverseproxy.j2 | 2 +- .../nginx/sites-available/reverseproxy_redirect_dname.j2 | 2 +- .../templates/nginx/snippets/options-proxypass.conf.j2 | 2 +- .../templates/nginx/snippets/options-ssl.conf.j2 | 2 +- roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 index 837a60a..b063634 100644 
--- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 +++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 @@ -1,4 +1,4 @@ -{{ ansible_header | comment(decoration='# ') }} +# {{ ansible_managed }} # Pour appliquer cette conf et générer la conf de renewal : # certbot --config wildcard.ini certonly diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 index a41a547..342195d 100644 --- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 +++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 @@ -1,4 +1,4 @@ -{{ ansible_header | comment(decoration='# ') }} +# {{ ansible_managed }} dns_rfc2136_server = {{ dns_masters_ipv4 | first }} dns_rfc2136_port = 53 diff --git a/roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 index 9cdb545..28e9b7d 100644 --- a/roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 @@ -1,4 +1,4 @@ -{{ ansible_header | comment }} +# {{ ansible_managed }} {% for site in nginx.redirect_sites %} # Redirect http://{{ site.from }} to http://{{ site.to }} diff --git a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 index 0898da0..d29d13c 100644 --- a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 @@ -1,4 +1,4 @@ -{{ ansible_header | comment }} +# {{ ansible_managed }} # Automatic Connection header for WebSocket support # See http://nginx.org/en/docs/http/websocket.html diff --git a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 index 988b6d1..bac615d 100644 
--- a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 @@ -1,4 +1,4 @@ -{{ ansible_header | comment }} +# {{ ansible_managed }} {% for dname in nginx.redirect_dnames %} {% for site in nginx.reverseproxy_sites %} diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 index 0b864a6..9515d81 100644 --- a/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 @@ -1,4 +1,4 @@ -{{ ansible_header | comment }} +# {{ ansible_managed }} proxy_redirect off; proxy_set_header Host $host; diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 index 1a9273a..fee51c6 100644 --- a/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 @@ -1,4 +1,4 @@ -{{ ansible_header | comment }} +# {{ ansible_managed }} ssl_certificate {{ nginx.ssl.cert }}; ssl_certificate_key {{ nginx.ssl.cert_key }}; diff --git a/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 b/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 index 82373d0..fd749ad 100755 --- a/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 +++ b/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 @@ -1,3 +1,3 @@ #!/usr/bin/tail +14 -{{ ansible_header | comment }} +{{ ansible_managed }} > NGINX a été déployé sur cette machine. Voir /etc/nginx/. From 3c405db661317c7b4021863faca993527d312908 Mon Sep 17 00:00:00 2001 
From: Yohann D'ANELLO Date: Tue, 3 Nov 2020 23:29:53 +0100 Subject: [PATCH 260/297] Add Drone --- hosts | 1 + roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 | 2 +- services_web.yml | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/hosts b/hosts index 68e744a..a44c837 100644 --- a/hosts +++ b/hosts @@ -23,6 +23,7 @@ dns-aurore.adm.auro.re proxy-local.adm.auro.re camelot.adm.auro.re gitea.adm.auro.re +drone.adm.auro.re nextcloud.adm.auro.re re2o-server.adm.auro.re re2o-ldap.adm.auro.re diff --git a/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 b/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 index fd749ad..fdff0b8 100755 --- a/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 +++ b/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 @@ -1,3 +1,3 @@ #!/usr/bin/tail +14 -{{ ansible_managed }} +# {{ ansible_managed }} > NGINX a été déployé sur cette machine. Voir /etc/nginx/. diff --git a/services_web.yml b/services_web.yml index 2d75448..cb0a583 100755 --- a/services_web.yml +++ b/services_web.yml @@ -38,6 +38,8 @@ - {from: wiki.auro.re, to: 10.128.0.51} - {from: www.auro.re, to: 10.128.0.52} + - {from: drone.auro.re, to: "10.128.0.60:8000"} + - {from: re2o-test.auro.re, to: 10.128.0.100} - {from: riot.auro.re, to: "10.128.0.150:8080"} From b87fe7d063d7a4fdc74008d912c76ba9369445a7 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 01:44:49 +0100 Subject: [PATCH 261/297] Deploy docker for Gitea and Drone --- services_web.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services_web.yml b/services_web.yml index cb0a583..86ff78c 100755 --- a/services_web.yml +++ b/services_web.yml @@ -1,7 +1,7 @@ #!/usr/bin/env ansible-playbook --- # Deploy Docker hosts -- hosts: docker-ovh.adm.auro.re,docker-worker1-aurore.adm.auro.re +- hosts: docker-ovh.adm.auro.re,docker-worker1-aurore.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re roles: - docker 
@@ -38,7 +38,7 @@ - {from: wiki.auro.re, to: 10.128.0.51} - {from: www.auro.re, to: 10.128.0.52} - - {from: drone.auro.re, to: "10.128.0.60:8000"} + - {from: drone.auro.re, to: "10.128.0.64:8000"} - {from: re2o-test.auro.re, to: 10.128.0.100} From 0daaf14f62400324e803bb8e12416b48fcd2be29 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 17:02:27 +0100 Subject: [PATCH 262/297] dns masters ipv4 is a list (warning: RP is broken) --- services_web.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/services_web.yml b/services_web.yml index 86ff78c..f368d9f 100755 --- a/services_web.yml +++ b/services_web.yml @@ -19,7 +19,8 @@ mail: tech.aurore@lists.crans.org certname: auro.re domains: "auro.re, *.auro.re, aurores.net, *.aurores.net, fede-aurore.net, *.fede-aurore.net" - dns_masters_ipv4: 92.222.211.196 + dns_masters_ipv4: + - "92.222.211.196" nginx: ssl: cert: /etc/letsencrypt/live/auro.re/fullchain.pem From d60b75109a3be05500b675b0088ddefd67376f7e Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 18:50:10 +0100 Subject: [PATCH 263/297] Upgrade python, ansiblelint and yamllint --- .gitlab-ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index e11bdbf..44b8430 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,5 +1,5 @@ --- -image: python:3.6 +image: python:3.9 stages: - lint @@ -7,12 +7,12 @@ stages: yamllint: stage: lint script: - - pip install yamllint==1.15.0 + - pip install yamllint==1.25.0 - yamllint -c .yamllint.yml . ansible-lint: stage: lint script: - - pip install ansible-lint==4.0.0 + - pip install ansible-lint==4.3.7 - ansible-lint *.yml ... From 9b8dee098e3ecd2b72eb93cee57f84bd3ad2a0b8 Mon Sep 17 00:00:00 2001 
From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 19:31:50 +0100 Subject: [PATCH 264/297] Always set file permissions --- roles/baseconfig/tasks/apt-listchanges.yml | 1 + roles/baseconfig/tasks/main.yml | 1 + roles/basesecurity/tasks/main.yml | 1 + roles/certbot/tasks/main.yml | 1 + roles/ipv6-edge-router/tasks/main.yml | 4 +++- roles/ldap-replica/tasks/main.yml | 1 + roles/nginx-reverseproxy/tasks/main.yml | 5 +++++ roles/prometheus/tasks/main.yml | 4 ++++ roles/radius/tasks/main.yml | 10 +++++++--- 9 files changed, 24 insertions(+), 4 deletions(-) diff --git a/roles/baseconfig/tasks/apt-listchanges.yml b/roles/baseconfig/tasks/apt-listchanges.yml index ec68e1f..b4d6214 100644 --- a/roles/baseconfig/tasks/apt-listchanges.yml +++ b/roles/baseconfig/tasks/apt-listchanges.yml @@ -19,6 +19,7 @@ option: "{{ item.option }}" value: "{{ item.value }}" state: present + mode: 0644 loop: - option: confirm value: "true" diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml index e4d2db1..d73cf07 100644 --- a/roles/baseconfig/tasks/main.yml +++ b/roles/baseconfig/tasks/main.yml @@ -77,6 +77,7 @@ copy: src: "skel/dot_{{ item }}" dest: "/etc/skel/.{{ item }}" + mode: 0644 loop: - zshrc - zshrc.local diff --git a/roles/basesecurity/tasks/main.yml b/roles/basesecurity/tasks/main.yml index 2db6b5b..a0c15b6 100644 --- a/roles/basesecurity/tasks/main.yml +++ b/roles/basesecurity/tasks/main.yml @@ -54,6 +54,7 @@ option: "{{ item.option }}" value: "{{ item.value }}" state: present + mode: 0644 notify: Restart fail2ban service loop: - section: sshd diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index 66cae27..d6314ac 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -26,6 +26,7 @@ file: path: /etc/letsencrypt/conf.d state: directory + mode: 0755 - name: Add Certbot configuration template: diff --git a/roles/ipv6-edge-router/tasks/main.yml b/roles/ipv6-edge-router/tasks/main.yml index 40c945d..5978303 100644 
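Review bot: In the certbot hunk only the `/etc/letsencrypt/conf.d` directory receives `mode: 0755`, while the `Add Certbot configuration` template task right after it (outside the hunk; the diffstat shows a single insertion for that file) still gets no mode at all; the rfc2136 credentials file normally carries the TSIG secret alongside the `dns_rfc2136_server` line visible earlier in this series, so that task should set a restrictive `mode: "0600"` rather than inherit whatever `template` leaves behind. On style, every new `mode:` in this commit (here and in the hunks on the following lines) is a bare octal literal that only parses correctly thanks to the leading zero; Ansible's own guidance is to quote them, `mode: "0644"`, so a YAML 1.2 parser or an edit that drops the zero cannot silently turn it into a different permission. Each task list starts before its hunk.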
--- a/roles/ipv6-edge-router/tasks/main.yml
+++ b/roles/ipv6-edge-router/tasks/main.yml
@@ -18,17 +18,19 @@
 - name: Install frr
 apt:
 name: frr
-
+
 - name: setup frr daemons
 template:
 src: daemons.j2
 dest: /etc/frr/daemons
+ mode: 0644
 notify: restart frr
 - name: setup frr.conf
 template:
 src: frr.conf.j2
 dest: /etc/frr/frr.conf
+ mode: 0644
 notify: restart frr
 - name: enable+start frr
diff --git a/roles/ldap-replica/tasks/main.yml b/roles/ldap-replica/tasks/main.yml
index 914ce4e..cb79bd4 100644
--- a/roles/ldap-replica/tasks/main.yml
+++ b/roles/ldap-replica/tasks/main.yml
@@ -40,6 +40,7 @@
 file:
 path: "{{ item }}"
 state: directory
+ mode: 0755
 loop:
 - /etc/ldap/slapd.d
 - /var/lib/ldap
diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml
index b1e3945..4ccaa2a 100644
--- a/roles/nginx-reverseproxy/tasks/main.yml
+++ b/roles/nginx-reverseproxy/tasks/main.yml
@@ -11,6 +11,7 @@
 template:
 src: "nginx/snippets/{{ item }}.j2"
 dest: "/etc/nginx/snippets/{{ item }}"
+ mode: 0644
 loop:
 - options-ssl.conf
 - options-proxypass.conf
@@ -19,11 +20,13 @@
 template:
 src: letsencrypt/dhparam.j2
 dest: /etc/letsencrypt/dhparam
+ mode: 0644
 - name: Copy reverse proxy sites
 template:
 src: "nginx/sites-available/{{ item }}.j2"
 dest: "/etc/nginx/sites-available/{{ item }}"
+ mode: 0644
 loop:
 - reverseproxy
 - reverseproxy_redirect_dname
@@ -35,6 +38,7 @@
 src: "/etc/nginx/sites-available/{{ item }}"
 dest: "/etc/nginx/sites-enabled/{{ item }}"
 state: link
+ mode: 0644
 loop:
 - reverseproxy
 - reverseproxy_redirect_dname
@@ -45,6 +49,7 @@
 template:
 src: www/html/50x.html.j2
 dest: /var/www/html/50x.html
+ mode: 0644
 - name: Indicate role in motd
 template:
diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml
index 62dde31..211aee3 100644
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
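Review bot: `mode: 0644` on `/etc/frr/frr.conf` makes the rendered router config world-readable, and the template it comes from (frr.conf.j2 earlier in this series) carries `password` and `enable password` lines; the `setup frr.conf` task should use `mode: "0640"` together with `owner: frr` and `group: frr`. The same triple belongs on the `setup frr daemons` task above it: the daemons file's own header states that daemon config must be owned by user and group `frr` with `u=rw,g=r,o=` or `/etc/init.d/frr` will not start the daemon, so a root-owned 0644 file satisfies the lint rule while possibly breaking the service. The task list starts before the hunk.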
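Review bot: `mode: 0644` on the `state: link` task in the nginx hunk `@@ -35,6 +38,7 @@` does nothing useful: Linux ignores permission bits on symlinks themselves, and — as far as I recall the file module's default `follow` behaviour — the mode would be applied to the target in sites-available, which the `Copy reverse proxy sites` task in the hunk just above already sets to 0644. Dropping the line from the link task avoids a misleading setting; if the permissions lint rule that motivated this commit still complains, exempting that one task is preferable to a no-op mode. The task list starts before the hunk.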
@@ -13,12 +13,14 @@
 template:
 src: prometheus/prometheus.yml.j2
 dest: /etc/prometheus/prometheus.yml
+ mode: 0644
 notify: Restart Prometheus
 - name: Configure Prometheus alert rules
 template:
 src: "prometheus/{{ item }}.j2"
 dest: "/etc/prometheus/{{ item }}"
+ mode: 0644
 notify: Restart Prometheus
 loop:
 - alert.rules.yml
@@ -45,12 +47,14 @@
 copy:
 content: "{{ prometheus_targets | to_nice_json }}"
 dest: /etc/prometheus/targets.json
+ mode: 0644
 # We don't need to restart Prometheus when updating nodes
 - name: Configure Prometheus Ubiquity Unifi SNMP devices
 copy:
 content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}"
 dest: /etc/prometheus/targets_unifi_snmp.json
+ mode: 0644
 - name: Activate prometheus service
 systemd:
diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml
index 672bc6d..b840b39 100644
--- a/roles/radius/tasks/main.yml
+++ b/roles/radius/tasks/main.yml
@@ -5,11 +5,11 @@
 - "deb"
 - "deb-src"
-
 - name: Ensure /var/www exists
 file:
 name: "/var/www"
- state: directory
+ state: directory
+ mode: 0755
 - name: Clone re2o repo
 git:
@@ -22,11 +22,11 @@
 template:
 src: "{{ item }}.j2"
 dest: "/var/www/re2o/re2o/{{ item }}"
+ mode: 0644
 loop:
 - settings_local.py
 - local_routers.py
-
 # What follows is a hideous abomination.
 # Blame freeradius-python3 on backports.
@@ -41,6 +41,7 @@
 template:
 src: freeradius-python3.postinst.j2
 dest: /var/lib/dpkg/info/freeradius-python3.postinst
+ mode: 0644
 - name: reinstall broken package (this might fail too, for different reasons)
 apt:
@@ -69,6 +70,7 @@
 template:
 src: "{{ item }}.j2"
 dest: "/etc/freeradius/3.0/{{ item }}"
+ mode: 0640
 loop:
 - sites-enabled/default
 - sites-enabled/inner-tunnel
@@ -77,6 +79,7 @@
 template:
 src: "{{ item }}.j2"
 dest: "/etc/freeradius/3.0/{{ item }}"
+ mode: 0640
 loop:
 - clients.conf
 - proxy.conf
@@ -113,6 +116,7 @@
 template:
 src: "freeradius-logrotate.j2"
 dest: "/etc/logrotate.d/freeradius"
+ mode: 0644
 # Database setup
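Review bot: `mode: 0644` on `/var/lib/dpkg/info/freeradius-python3.postinst` (radius hunk `@@ -41,6 +41,7 @@`) strips the execute bit from a dpkg maintainer script; dpkg executes these scripts directly (dpkg-deb itself refuses a postinst whose mode is outside 0555–0775), so the `reinstall broken package` task that follows will most likely fail with a permission error instead of the "different reasons" its name anticipates. The line should read `mode: "0755"`. The task is part of a list that starts before the hunk.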
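Review bot: `mode: 0640` on the FreeRADIUS templates (radius hunks `@@ -69,6 +70,7 @@` and `@@ -77,6 +79,7 @@`) is the right restriction for `clients.conf`, which carries the RADIUS shared secrets, but without `owner`/`group` it relies on the packaged files already being group-owned by the service user: a file `template` creates fresh ends up root:root 0640 and unreadable to the daemon. Pinning `owner: root` and `group: freerad` (the Debian FreeRADIUS group — confirm against the target) next to the mode makes the permission correct whether or not the file pre-existed, and `settings_local.py` in hunk `@@ -22,11 +22,11 @@`, which renders `ldap_admin_password` per the earlier template, arguably deserves 0640 rather than the 0644 it gets here. Each task list starts before its hunk.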
From 4c8e05e08f6367ad4b5f3ca4fe293b0e24d3c871 Mon Sep 17 00:00:00 2001 
From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 19:36:40 +0100 Subject: [PATCH 265/297] Use underscore instead of dashes --- base.yml | 3 +-- ldap_replica.yml | 2 +- matrix.yml | 10 +++++----- monitoring.yml | 2 +- network.yml | 4 ++-- nuke-radius-dbs.yml => nuke_radius_dbs.yml | 0 .../frr-apt-key.asc | 0 .../handlers/main.yml | 0 .../tasks/main.yml | 0 .../templates/daemons.j2 | 0 .../templates/frr.conf.j2 | 0 .../handlers/main.yml | 0 .../tasks/main.yml | 0 .../templates/default/isc-dhcp-server.j2 | 0 .../templates/dhcp/aurore-subnets.conf.j2 | 0 .../templates/dhcp/dhcp-failover.conf.j2 | 0 .../templates/dhcp/dhcpd.conf.j2 | 0 .../templates/dhcp/regular-subnets.conf.j2 | 0 .../templates/logrotate.d/dhcp.j2 | 0 .../{isc-dhcp-server => isc_dhcp_server}/vars/main.yml | 0 roles/{ldap-client => ldap_client}/handlers/main.yml | 0 .../tasks/1_group_security.yml | 0 .../tasks/2_userland_scripts.yml | 0 .../tasks/install_ldap.yml | 0 roles/{ldap-client => ldap_client}/tasks/main.yml | 0 roles/{ldap-client => ldap_client}/templates/chsh.j2 | 0 .../templates/nslcd.conf.j2 | 0 roles/{ldap-client => ldap_client}/templates/passwd.j2 | 0 roles/{ldap-replica => ldap_replica}/tasks/main.yml | 0 .../templates/schema.ldiff.j2 | 0 .../defaults/main.yml | 0 .../tasks/main.yml | 0 .../tasks/service_user.yml | 0 .../templates/config.yaml.j2 | 0 .../templates/systemd/appservice.service.j2 | 0 .../defaults/main.yml | 0 .../tasks/main.yml | 0 .../tasks/service_user.yml | 0 .../templates/config.yaml.j2 | 0 .../templates/systemd/appservice.service.j2 | 0 .../files/rest_auth_provider.py | 0 .../handlers/main.yml | 0 .../{matrix-synapse => matrix_synapse}/tasks/main.yml | 0 .../templates/matrix-synapse/conf.d/database.yaml.j2 | 0 .../conf.d/enable_group_creation.yaml.j2 | 0 .../templates/matrix-synapse/conf.d/listeners.yaml.j2 | 0 .../templates/matrix-synapse/conf.d/no_tls.yaml.j2 | 0 .../matrix-synapse/conf.d/password_providers.yaml.j2 | 0 .../matrix-synapse/conf.d/server_name.yaml.j2 | 0 
.../conf.d/trusted_third_party_id_servers.yaml.j2 | 0 .../handlers/main.yml | 0 .../tasks/main.yml | 0 .../templates/letsencrypt/dhparam.j2 | 0 .../templates/nginx/sites-available/redirect.j2 | 0 .../templates/nginx/sites-available/reverseproxy.j2 | 0 .../sites-available/reverseproxy_redirect_dname.j2 | 0 .../templates/nginx/snippets/options-proxypass.conf.j2 | 0 .../templates/nginx/snippets/options-ssl.conf.j2 | 0 .../templates/update-motd.d/05-service.j2 | 0 .../templates/www/html/50x.html.j2 | 0 .../handlers/main.yml | 0 .../tasks/main.yml | 0 roles/{re2o-service => re2o_service}/defaults/main.yml | 0 roles/{re2o-service => re2o_service}/tasks/main.yml | 0 .../tasks/service_user.yml | 0 .../templates/update-motd.d/05-service.j2 | 0 .../tasks/main.yml | 0 .../templates/update-motd.d/05-service.j2 | 0 services_web.yml | 2 +- 69 files changed, 11 insertions(+), 12 deletions(-) rename nuke-radius-dbs.yml => nuke_radius_dbs.yml (100%) rename roles/{ipv6-edge-router => ipv6_edge_router}/frr-apt-key.asc (100%) rename roles/{ipv6-edge-router => ipv6_edge_router}/handlers/main.yml (100%) rename roles/{ipv6-edge-router => ipv6_edge_router}/tasks/main.yml (100%) rename roles/{ipv6-edge-router => ipv6_edge_router}/templates/daemons.j2 (100%) rename roles/{ipv6-edge-router => ipv6_edge_router}/templates/frr.conf.j2 (100%) rename roles/{isc-dhcp-server => isc_dhcp_server}/handlers/main.yml (100%) rename roles/{isc-dhcp-server => isc_dhcp_server}/tasks/main.yml (100%) rename roles/{isc-dhcp-server => isc_dhcp_server}/templates/default/isc-dhcp-server.j2 (100%) rename roles/{isc-dhcp-server => isc_dhcp_server}/templates/dhcp/aurore-subnets.conf.j2 (100%) rename roles/{isc-dhcp-server => isc_dhcp_server}/templates/dhcp/dhcp-failover.conf.j2 (100%) rename roles/{isc-dhcp-server => isc_dhcp_server}/templates/dhcp/dhcpd.conf.j2 (100%) rename roles/{isc-dhcp-server => isc_dhcp_server}/templates/dhcp/regular-subnets.conf.j2 (100%) rename roles/{isc-dhcp-server => 
isc_dhcp_server}/templates/logrotate.d/dhcp.j2 (100%) rename roles/{isc-dhcp-server => isc_dhcp_server}/vars/main.yml (100%) rename roles/{ldap-client => ldap_client}/handlers/main.yml (100%) rename roles/{ldap-client => ldap_client}/tasks/1_group_security.yml (100%) rename roles/{ldap-client => ldap_client}/tasks/2_userland_scripts.yml (100%) rename roles/{ldap-client => ldap_client}/tasks/install_ldap.yml (100%) rename roles/{ldap-client => ldap_client}/tasks/main.yml (100%) rename roles/{ldap-client => ldap_client}/templates/chsh.j2 (100%) rename roles/{ldap-client => ldap_client}/templates/nslcd.conf.j2 (100%) rename roles/{ldap-client => ldap_client}/templates/passwd.j2 (100%) rename roles/{ldap-replica => ldap_replica}/tasks/main.yml (100%) rename roles/{ldap-replica => ldap_replica}/templates/schema.ldiff.j2 (100%) rename roles/{matrix-appservice-irc => matrix_appservice_irc}/defaults/main.yml (100%) rename roles/{matrix-appservice-irc => matrix_appservice_irc}/tasks/main.yml (100%) rename roles/{matrix-appservice-irc => matrix_appservice_irc}/tasks/service_user.yml (100%) rename roles/{matrix-appservice-irc => matrix_appservice_irc}/templates/config.yaml.j2 (100%) rename roles/{matrix-appservice-irc => matrix_appservice_irc}/templates/systemd/appservice.service.j2 (100%) rename roles/{matrix-appservice-webhooks => matrix_appservice_webhooks}/defaults/main.yml (100%) rename roles/{matrix-appservice-webhooks => matrix_appservice_webhooks}/tasks/main.yml (100%) rename roles/{matrix-appservice-webhooks => matrix_appservice_webhooks}/tasks/service_user.yml (100%) rename roles/{matrix-appservice-webhooks => matrix_appservice_webhooks}/templates/config.yaml.j2 (100%) rename roles/{matrix-appservice-webhooks => matrix_appservice_webhooks}/templates/systemd/appservice.service.j2 (100%) rename roles/{matrix-synapse => matrix_synapse}/files/rest_auth_provider.py (100%) rename roles/{matrix-synapse => matrix_synapse}/handlers/main.yml (100%) rename 
roles/{matrix-synapse => matrix_synapse}/tasks/main.yml (100%) rename roles/{matrix-synapse => matrix_synapse}/templates/matrix-synapse/conf.d/database.yaml.j2 (100%) rename roles/{matrix-synapse => matrix_synapse}/templates/matrix-synapse/conf.d/enable_group_creation.yaml.j2 (100%) rename roles/{matrix-synapse => matrix_synapse}/templates/matrix-synapse/conf.d/listeners.yaml.j2 (100%) rename roles/{matrix-synapse => matrix_synapse}/templates/matrix-synapse/conf.d/no_tls.yaml.j2 (100%) rename roles/{matrix-synapse => matrix_synapse}/templates/matrix-synapse/conf.d/password_providers.yaml.j2 (100%) rename roles/{matrix-synapse => matrix_synapse}/templates/matrix-synapse/conf.d/server_name.yaml.j2 (100%) rename roles/{matrix-synapse => matrix_synapse}/templates/matrix-synapse/conf.d/trusted_third_party_id_servers.yaml.j2 (100%) rename roles/{nginx-reverseproxy => nginx_reverseproxy}/handlers/main.yml (100%) rename roles/{nginx-reverseproxy => nginx_reverseproxy}/tasks/main.yml (100%) rename roles/{nginx-reverseproxy => nginx_reverseproxy}/templates/letsencrypt/dhparam.j2 (100%) rename roles/{nginx-reverseproxy => nginx_reverseproxy}/templates/nginx/sites-available/redirect.j2 (100%) rename roles/{nginx-reverseproxy => nginx_reverseproxy}/templates/nginx/sites-available/reverseproxy.j2 (100%) rename roles/{nginx-reverseproxy => nginx_reverseproxy}/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 (100%) rename roles/{nginx-reverseproxy => nginx_reverseproxy}/templates/nginx/snippets/options-proxypass.conf.j2 (100%) rename roles/{nginx-reverseproxy => nginx_reverseproxy}/templates/nginx/snippets/options-ssl.conf.j2 (100%) rename roles/{nginx-reverseproxy => nginx_reverseproxy}/templates/update-motd.d/05-service.j2 (100%) rename roles/{nginx-reverseproxy => nginx_reverseproxy}/templates/www/html/50x.html.j2 (100%) rename roles/{prometheus-node => prometheus_node}/handlers/main.yml (100%) rename roles/{prometheus-node => prometheus_node}/tasks/main.yml 
(100%) rename roles/{re2o-service => re2o_service}/defaults/main.yml (100%) rename roles/{re2o-service => re2o_service}/tasks/main.yml (100%) rename roles/{re2o-service => re2o_service}/tasks/service_user.yml (100%) rename roles/{re2o-service => re2o_service}/templates/update-motd.d/05-service.j2 (100%) rename roles/{unifi-controller => unifi_controller}/tasks/main.yml (100%) rename roles/{unifi-controller => unifi_controller}/templates/update-motd.d/05-service.j2 (100%) diff --git a/base.yml b/base.yml index 2e26b95..5aee2d2 100755 --- a/base.yml +++ b/base.yml @@ -9,5 +9,4 @@ # Plug LDAP on all servers - hosts: all,!unifi roles: - - ldap-client - + - ldap_client diff --git a/ldap_replica.yml b/ldap_replica.yml index 1686293..b921957 100755 --- a/ldap_replica.yml +++ b/ldap_replica.yml @@ -4,4 +4,4 @@ # DON'T DO THIS AS IT RECREATES THE REPLICA - hosts: ldap_replica roles: - - ldap-replica + - ldap_replica diff --git a/matrix.yml b/matrix.yml index b25fc0d..be54c53 100755 --- a/matrix.yml +++ b/matrix.yml @@ -6,13 +6,13 @@ mxisd_releases: https://github.com/kamax-matrix/mxisd/releases mxisd_deb: "{{ mxisd_releases }}/download/v1.3.1/mxisd_1.3.1_all.deb" roles: - - debian-backports + - debian_backports - nodejs - - matrix-synapse - - matrix-appservice-irc - - matrix-appservice-webhooks + - matrix_synapse + - matrix_appservice_irc + - matrix_appservice_webhooks # Install Matrix services - hosts: matrix-services.adm.auro.re roles: - - debian-backports + - debian_backports diff --git a/monitoring.yml b/monitoring.yml index 616e380..c0c58c8 100755 --- a/monitoring.yml +++ b/monitoring.yml @@ -59,4 +59,4 @@ # Monitor all hosts - hosts: all,!unifi,!ovh roles: - - prometheus-node + - prometheus_node diff --git a/network.yml b/network.yml index aa42e72..6d0af03 100755 --- a/network.yml +++ b/network.yml @@ -3,7 +3,7 @@ # Set up DHCP servers. - hosts: dhcp-*.adm.auro.re roles: - - isc-dhcp-server + - isc_dhcp_server # Deploy unbound DNS server (recursive). 
@@ -24,7 +24,7 @@ - hosts: ~routeur-aurore.*\.adm\.auro\.re roles: - router - - ipv6-edge-router + - ipv6_edge_router # Radius (backup only for now) - hosts: radius-*.adm.auro.re diff --git a/nuke-radius-dbs.yml b/nuke_radius_dbs.yml similarity index 100% rename from nuke-radius-dbs.yml rename to nuke_radius_dbs.yml diff --git a/roles/ipv6-edge-router/frr-apt-key.asc b/roles/ipv6_edge_router/frr-apt-key.asc similarity index 100% rename from roles/ipv6-edge-router/frr-apt-key.asc rename to roles/ipv6_edge_router/frr-apt-key.asc diff --git a/roles/ipv6-edge-router/handlers/main.yml b/roles/ipv6_edge_router/handlers/main.yml similarity index 100% rename from roles/ipv6-edge-router/handlers/main.yml rename to roles/ipv6_edge_router/handlers/main.yml diff --git a/roles/ipv6-edge-router/tasks/main.yml b/roles/ipv6_edge_router/tasks/main.yml similarity index 100% rename from roles/ipv6-edge-router/tasks/main.yml rename to roles/ipv6_edge_router/tasks/main.yml diff --git a/roles/ipv6-edge-router/templates/daemons.j2 b/roles/ipv6_edge_router/templates/daemons.j2 similarity index 100% rename from roles/ipv6-edge-router/templates/daemons.j2 rename to roles/ipv6_edge_router/templates/daemons.j2 diff --git a/roles/ipv6-edge-router/templates/frr.conf.j2 b/roles/ipv6_edge_router/templates/frr.conf.j2 similarity index 100% rename from roles/ipv6-edge-router/templates/frr.conf.j2 rename to roles/ipv6_edge_router/templates/frr.conf.j2 diff --git a/roles/isc-dhcp-server/handlers/main.yml b/roles/isc_dhcp_server/handlers/main.yml similarity index 100% rename from roles/isc-dhcp-server/handlers/main.yml rename to roles/isc_dhcp_server/handlers/main.yml diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc_dhcp_server/tasks/main.yml similarity index 100% rename from roles/isc-dhcp-server/tasks/main.yml rename to roles/isc_dhcp_server/tasks/main.yml 
diff --git a/roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 b/roles/isc_dhcp_server/templates/default/isc-dhcp-server.j2
similarity index 100%
rename from roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2
rename to roles/isc_dhcp_server/templates/default/isc-dhcp-server.j2
diff --git a/roles/isc-dhcp-server/templates/dhcp/aurore-subnets.conf.j2 b/roles/isc_dhcp_server/templates/dhcp/aurore-subnets.conf.j2
similarity index 100%
rename from roles/isc-dhcp-server/templates/dhcp/aurore-subnets.conf.j2
rename to roles/isc_dhcp_server/templates/dhcp/aurore-subnets.conf.j2
diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcp-failover.conf.j2 b/roles/isc_dhcp_server/templates/dhcp/dhcp-failover.conf.j2
similarity index 100%
rename from roles/isc-dhcp-server/templates/dhcp/dhcp-failover.conf.j2
rename to roles/isc_dhcp_server/templates/dhcp/dhcp-failover.conf.j2
diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc_dhcp_server/templates/dhcp/dhcpd.conf.j2
similarity index 100%
rename from roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
rename to roles/isc_dhcp_server/templates/dhcp/dhcpd.conf.j2
diff --git a/roles/isc-dhcp-server/templates/dhcp/regular-subnets.conf.j2 b/roles/isc_dhcp_server/templates/dhcp/regular-subnets.conf.j2
similarity index 100%
rename from roles/isc-dhcp-server/templates/dhcp/regular-subnets.conf.j2
rename to roles/isc_dhcp_server/templates/dhcp/regular-subnets.conf.j2
diff --git a/roles/isc-dhcp-server/templates/logrotate.d/dhcp.j2 b/roles/isc_dhcp_server/templates/logrotate.d/dhcp.j2
similarity index 100%
rename from roles/isc-dhcp-server/templates/logrotate.d/dhcp.j2
rename to roles/isc_dhcp_server/templates/logrotate.d/dhcp.j2
diff --git a/roles/isc-dhcp-server/vars/main.yml b/roles/isc_dhcp_server/vars/main.yml
similarity index 100%
rename from roles/isc-dhcp-server/vars/main.yml
rename to roles/isc_dhcp_server/vars/main.yml
diff --git a/roles/ldap-client/handlers/main.yml b/roles/ldap_client/handlers/main.yml
similarity index 100%
rename from roles/ldap-client/handlers/main.yml
rename to roles/ldap_client/handlers/main.yml
diff --git a/roles/ldap-client/tasks/1_group_security.yml b/roles/ldap_client/tasks/1_group_security.yml
similarity index 100%
rename from roles/ldap-client/tasks/1_group_security.yml
rename to roles/ldap_client/tasks/1_group_security.yml
diff --git a/roles/ldap-client/tasks/2_userland_scripts.yml b/roles/ldap_client/tasks/2_userland_scripts.yml
similarity index 100%
rename from roles/ldap-client/tasks/2_userland_scripts.yml
rename to roles/ldap_client/tasks/2_userland_scripts.yml
diff --git a/roles/ldap-client/tasks/install_ldap.yml b/roles/ldap_client/tasks/install_ldap.yml
similarity index 100%
rename from roles/ldap-client/tasks/install_ldap.yml
rename to roles/ldap_client/tasks/install_ldap.yml
diff --git a/roles/ldap-client/tasks/main.yml b/roles/ldap_client/tasks/main.yml
similarity index 100%
rename from roles/ldap-client/tasks/main.yml
rename to roles/ldap_client/tasks/main.yml
diff --git a/roles/ldap-client/templates/chsh.j2 b/roles/ldap_client/templates/chsh.j2
similarity index 100%
rename from roles/ldap-client/templates/chsh.j2
rename to roles/ldap_client/templates/chsh.j2
diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap_client/templates/nslcd.conf.j2
similarity index 100%
rename from roles/ldap-client/templates/nslcd.conf.j2
rename to roles/ldap_client/templates/nslcd.conf.j2
diff --git a/roles/ldap-client/templates/passwd.j2 b/roles/ldap_client/templates/passwd.j2
similarity index 100%
rename from roles/ldap-client/templates/passwd.j2
rename to roles/ldap_client/templates/passwd.j2
diff --git a/roles/ldap-replica/tasks/main.yml b/roles/ldap_replica/tasks/main.yml
similarity index 100%
rename from roles/ldap-replica/tasks/main.yml
rename to roles/ldap_replica/tasks/main.yml
diff --git a/roles/ldap-replica/templates/schema.ldiff.j2 b/roles/ldap_replica/templates/schema.ldiff.j2
similarity index 100%
rename from roles/ldap-replica/templates/schema.ldiff.j2
rename to roles/ldap_replica/templates/schema.ldiff.j2
diff --git a/roles/matrix-appservice-irc/defaults/main.yml b/roles/matrix_appservice_irc/defaults/main.yml
similarity index 100%
rename from roles/matrix-appservice-irc/defaults/main.yml
rename to roles/matrix_appservice_irc/defaults/main.yml
diff --git a/roles/matrix-appservice-irc/tasks/main.yml b/roles/matrix_appservice_irc/tasks/main.yml
similarity index 100%
rename from roles/matrix-appservice-irc/tasks/main.yml
rename to roles/matrix_appservice_irc/tasks/main.yml
diff --git a/roles/matrix-appservice-irc/tasks/service_user.yml b/roles/matrix_appservice_irc/tasks/service_user.yml
similarity index 100%
rename from roles/matrix-appservice-irc/tasks/service_user.yml
rename to roles/matrix_appservice_irc/tasks/service_user.yml
diff --git a/roles/matrix-appservice-irc/templates/config.yaml.j2 b/roles/matrix_appservice_irc/templates/config.yaml.j2
similarity index 100%
rename from roles/matrix-appservice-irc/templates/config.yaml.j2
rename to roles/matrix_appservice_irc/templates/config.yaml.j2
diff --git a/roles/matrix-appservice-irc/templates/systemd/appservice.service.j2 b/roles/matrix_appservice_irc/templates/systemd/appservice.service.j2
similarity index 100%
rename from roles/matrix-appservice-irc/templates/systemd/appservice.service.j2
rename to roles/matrix_appservice_irc/templates/systemd/appservice.service.j2
diff --git a/roles/matrix-appservice-webhooks/defaults/main.yml b/roles/matrix_appservice_webhooks/defaults/main.yml
similarity index 100%
rename from roles/matrix-appservice-webhooks/defaults/main.yml
rename to roles/matrix_appservice_webhooks/defaults/main.yml
diff --git a/roles/matrix-appservice-webhooks/tasks/main.yml b/roles/matrix_appservice_webhooks/tasks/main.yml
similarity index 100%
rename from roles/matrix-appservice-webhooks/tasks/main.yml
rename to roles/matrix_appservice_webhooks/tasks/main.yml
diff --git a/roles/matrix-appservice-webhooks/tasks/service_user.yml b/roles/matrix_appservice_webhooks/tasks/service_user.yml
similarity index 100%
rename from roles/matrix-appservice-webhooks/tasks/service_user.yml
rename to roles/matrix_appservice_webhooks/tasks/service_user.yml
diff --git a/roles/matrix-appservice-webhooks/templates/config.yaml.j2 b/roles/matrix_appservice_webhooks/templates/config.yaml.j2
similarity index 100%
rename from roles/matrix-appservice-webhooks/templates/config.yaml.j2
rename to roles/matrix_appservice_webhooks/templates/config.yaml.j2
diff --git a/roles/matrix-appservice-webhooks/templates/systemd/appservice.service.j2 b/roles/matrix_appservice_webhooks/templates/systemd/appservice.service.j2
similarity index 100%
rename from roles/matrix-appservice-webhooks/templates/systemd/appservice.service.j2
rename to roles/matrix_appservice_webhooks/templates/systemd/appservice.service.j2
diff --git a/roles/matrix-synapse/files/rest_auth_provider.py b/roles/matrix_synapse/files/rest_auth_provider.py
similarity index 100%
rename from roles/matrix-synapse/files/rest_auth_provider.py
rename to roles/matrix_synapse/files/rest_auth_provider.py
diff --git a/roles/matrix-synapse/handlers/main.yml b/roles/matrix_synapse/handlers/main.yml
similarity index 100%
rename from roles/matrix-synapse/handlers/main.yml
rename to roles/matrix_synapse/handlers/main.yml
diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix_synapse/tasks/main.yml
similarity index 100%
rename from roles/matrix-synapse/tasks/main.yml
rename to roles/matrix_synapse/tasks/main.yml
diff --git a/roles/matrix-synapse/templates/matrix-synapse/conf.d/database.yaml.j2 b/roles/matrix_synapse/templates/matrix-synapse/conf.d/database.yaml.j2
similarity index 100%
rename from roles/matrix-synapse/templates/matrix-synapse/conf.d/database.yaml.j2
rename to roles/matrix_synapse/templates/matrix-synapse/conf.d/database.yaml.j2
diff --git a/roles/matrix-synapse/templates/matrix-synapse/conf.d/enable_group_creation.yaml.j2 b/roles/matrix_synapse/templates/matrix-synapse/conf.d/enable_group_creation.yaml.j2
similarity index 100%
rename from roles/matrix-synapse/templates/matrix-synapse/conf.d/enable_group_creation.yaml.j2
rename to roles/matrix_synapse/templates/matrix-synapse/conf.d/enable_group_creation.yaml.j2
diff --git a/roles/matrix-synapse/templates/matrix-synapse/conf.d/listeners.yaml.j2 b/roles/matrix_synapse/templates/matrix-synapse/conf.d/listeners.yaml.j2
similarity index 100%
rename from roles/matrix-synapse/templates/matrix-synapse/conf.d/listeners.yaml.j2
rename to roles/matrix_synapse/templates/matrix-synapse/conf.d/listeners.yaml.j2
diff --git a/roles/matrix-synapse/templates/matrix-synapse/conf.d/no_tls.yaml.j2 b/roles/matrix_synapse/templates/matrix-synapse/conf.d/no_tls.yaml.j2
similarity index 100%
rename from roles/matrix-synapse/templates/matrix-synapse/conf.d/no_tls.yaml.j2
rename to roles/matrix_synapse/templates/matrix-synapse/conf.d/no_tls.yaml.j2
diff --git a/roles/matrix-synapse/templates/matrix-synapse/conf.d/password_providers.yaml.j2 b/roles/matrix_synapse/templates/matrix-synapse/conf.d/password_providers.yaml.j2
similarity index 100%
rename from roles/matrix-synapse/templates/matrix-synapse/conf.d/password_providers.yaml.j2
rename to roles/matrix_synapse/templates/matrix-synapse/conf.d/password_providers.yaml.j2
diff --git a/roles/matrix-synapse/templates/matrix-synapse/conf.d/server_name.yaml.j2 b/roles/matrix_synapse/templates/matrix-synapse/conf.d/server_name.yaml.j2
similarity index 100%
rename from roles/matrix-synapse/templates/matrix-synapse/conf.d/server_name.yaml.j2
rename to roles/matrix_synapse/templates/matrix-synapse/conf.d/server_name.yaml.j2
diff --git a/roles/matrix-synapse/templates/matrix-synapse/conf.d/trusted_third_party_id_servers.yaml.j2 b/roles/matrix_synapse/templates/matrix-synapse/conf.d/trusted_third_party_id_servers.yaml.j2
similarity index 100%
rename from roles/matrix-synapse/templates/matrix-synapse/conf.d/trusted_third_party_id_servers.yaml.j2
rename to roles/matrix_synapse/templates/matrix-synapse/conf.d/trusted_third_party_id_servers.yaml.j2
diff --git a/roles/nginx-reverseproxy/handlers/main.yml b/roles/nginx_reverseproxy/handlers/main.yml
similarity index 100%
rename from roles/nginx-reverseproxy/handlers/main.yml
rename to roles/nginx_reverseproxy/handlers/main.yml
diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx_reverseproxy/tasks/main.yml
similarity index 100%
rename from roles/nginx-reverseproxy/tasks/main.yml
rename to roles/nginx_reverseproxy/tasks/main.yml
diff --git a/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 b/roles/nginx_reverseproxy/templates/letsencrypt/dhparam.j2
similarity index 100%
rename from roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2
rename to roles/nginx_reverseproxy/templates/letsencrypt/dhparam.j2
diff --git a/roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 b/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2
similarity index 100%
rename from roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2
rename to roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2
diff --git a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2
similarity index 100%
rename from roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
rename to roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2
diff --git a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 b/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
similarity index 100%
rename from roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
rename to roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 b/roles/nginx_reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2
similarity index 100%
rename from roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2
rename to roles/nginx_reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2
diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 b/roles/nginx_reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
similarity index 100%
rename from roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
rename to roles/nginx_reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
diff --git a/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 b/roles/nginx_reverseproxy/templates/update-motd.d/05-service.j2
similarity index 100%
rename from roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2
rename to roles/nginx_reverseproxy/templates/update-motd.d/05-service.j2
diff --git a/roles/nginx-reverseproxy/templates/www/html/50x.html.j2 b/roles/nginx_reverseproxy/templates/www/html/50x.html.j2
similarity index 100%
rename from roles/nginx-reverseproxy/templates/www/html/50x.html.j2
rename to roles/nginx_reverseproxy/templates/www/html/50x.html.j2
diff --git a/roles/prometheus-node/handlers/main.yml b/roles/prometheus_node/handlers/main.yml
similarity index 100%
rename from roles/prometheus-node/handlers/main.yml
rename to roles/prometheus_node/handlers/main.yml
diff --git a/roles/prometheus-node/tasks/main.yml b/roles/prometheus_node/tasks/main.yml
similarity index 100%
rename from roles/prometheus-node/tasks/main.yml
rename to roles/prometheus_node/tasks/main.yml
diff --git a/roles/re2o-service/defaults/main.yml b/roles/re2o_service/defaults/main.yml
similarity index 100%
rename from roles/re2o-service/defaults/main.yml
rename to roles/re2o_service/defaults/main.yml
diff --git a/roles/re2o-service/tasks/main.yml b/roles/re2o_service/tasks/main.yml
similarity index 100%
rename from roles/re2o-service/tasks/main.yml
rename to roles/re2o_service/tasks/main.yml
diff --git a/roles/re2o-service/tasks/service_user.yml b/roles/re2o_service/tasks/service_user.yml
similarity index 100%
rename from roles/re2o-service/tasks/service_user.yml
rename to roles/re2o_service/tasks/service_user.yml
diff --git a/roles/re2o-service/templates/update-motd.d/05-service.j2 b/roles/re2o_service/templates/update-motd.d/05-service.j2
similarity index 100%
rename from roles/re2o-service/templates/update-motd.d/05-service.j2
rename to roles/re2o_service/templates/update-motd.d/05-service.j2
diff --git a/roles/unifi-controller/tasks/main.yml b/roles/unifi_controller/tasks/main.yml
similarity index 100%
rename from roles/unifi-controller/tasks/main.yml
rename to roles/unifi_controller/tasks/main.yml
diff --git a/roles/unifi-controller/templates/update-motd.d/05-service.j2 b/roles/unifi_controller/templates/update-motd.d/05-service.j2 similarity index 100% rename from roles/unifi-controller/templates/update-motd.d/05-service.j2 rename to roles/unifi_controller/templates/update-motd.d/05-service.j2 diff --git a/services_web.yml b/services_web.yml index f368d9f..5fc935e 100755 --- a/services_web.yml +++ b/services_web.yml @@ -54,4 +54,4 @@ - {from: auro.re, to: www.auro.re} roles: - certbot - - nginx-reverseproxy + - nginx_reverseproxy From 0f9169284f9696e54976843c129030f3af8834f7 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 19:49:49 +0100 Subject: [PATCH 266/297] Use command instead of shell --- roles/isc_dhcp_server/handlers/main.yml | 2 +- roles/isc_dhcp_server/tasks/main.yml | 3 ++- roles/radius/tasks/main.yml | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/isc_dhcp_server/handlers/main.yml b/roles/isc_dhcp_server/handlers/main.yml index 840463c..7df6d92 100644 --- a/roles/isc_dhcp_server/handlers/main.yml +++ b/roles/isc_dhcp_server/handlers/main.yml @@ -1,5 +1,5 @@ - name: force run dhcp re2o-service - shell: /var/local/re2o-services/dhcp/main.py --force + command: /var/local/re2o-services/dhcp/main.py --force become_user: re2o-services - name: restart dhcpd diff --git a/roles/isc_dhcp_server/tasks/main.yml b/roles/isc_dhcp_server/tasks/main.yml index e198163..3a0fe8a 100644 --- a/roles/isc_dhcp_server/tasks/main.yml +++ b/roles/isc_dhcp_server/tasks/main.yml @@ -18,6 +18,7 @@ owner: re2o-services group: nogroup recurse: yes + mode: u=rwX,g=rX,o=rX - name: Install isc-dhcp-server apt: @@ -101,7 +102,7 @@ when: is_aurore_host - name: force run dhcp re2o-service - shell: /var/local/re2o-services/dhcp/main.py --force + command: /var/local/re2o-services/dhcp/main.py --force - name: Ensure dhcpd is running service: 
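Review bot: `mode: u=rwX,g=rX,o=rX` at hunk @@ -18,6 +18,7 @@ of roles/isc_dhcp_server/tasks/main.yml is applied together with `recurse: yes` on the line above it, so every file under the directory becomes world-readable, not only the directory itself; the `path:` it applies to is above the hunk. If that tree is the re2o-services checkout and holds the service's configuration with its credentials, `o=rX` exposes them to every local account on the host. A tighter value such as `mode: u=rwX,g=rX,o=` still satisfies the permissions lint rule while keeping the tree private to its owner (`group: nogroup` grants nothing useful either way); if world-readability is intended, a comment saying why would help the next reader.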
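Review bot: The forced re2o-service run at hunk @@ -101,7 +102,7 @@ of roles/isc_dhcp_server/tasks/main.yml is now `command: /var/local/re2o-services/dhcp/main.py --force` but, unlike the handler of the same name in roles/isc_dhcp_server/handlers/main.yml in this commit, carries no `become_user: re2o-services`; whether it then runs as root depends on the play's `become` setting, which is outside the hunk. If it does, files the script writes land root-owned inside the tree that hunk @@ -18 just set to `owner: re2o-services`, and later unprivileged runs may fail to replace them. Adding `become_user: re2o-services` makes the task and the handler behave the same; `command` also reports changed on every run, so a `changed_when:` for this task is still missing.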
diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml index b840b39..a5875b3 100644 --- a/roles/radius/tasks/main.yml +++ b/roles/radius/tasks/main.yml @@ -102,7 +102,7 @@ when: "'aurore_vm' in group_names" - name: Install radius requirements (except freeradius-python3) - shell: + command: cmd: "{{ item }}" chdir: /var/www/re2o/ loop: From 9505e87113a9637c118ac33b9e9a8d9cf28ecb00 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 19:58:54 +0100 Subject: [PATCH 267/297] Use true instead of yes --- group_vars/all/vault.yml | 1 + group_vars/edc/ldap_local_replica.yml | 1 - roles/ipv6_edge_router/tasks/main.yml | 3 +-- roles/isc_dhcp_server/handlers/main.yml | 2 +- roles/isc_dhcp_server/tasks/main.yml | 2 +- roles/radius/tasks/main.yml | 17 +++++++++-------- roles/radvd/handlers/main.yml | 3 ++- roles/radvd/tasks/main.yml | 3 --- roles/router/handlers/main.yml | 3 ++- roles/router/tasks/main.yml | 4 ++-- roles/unbound/handlers/main.yml | 1 + 11 files changed, 20 insertions(+), 20 deletions(-) diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 52a14ab..8fa4cbb 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml @@ -1,3 +1,4 @@ +--- $ANSIBLE_VAULT;1.1;AES256 61333538366635353537346231363235653162356330396434383631656465616330363136306563 3861333166386536633437386335613461646466346239360a643139303037613937373631313661 diff --git a/group_vars/edc/ldap_local_replica.yml b/group_vars/edc/ldap_local_replica.yml index bad6801..63cfeb4 100644 --- a/group_vars/edc/ldap_local_replica.yml +++ b/group_vars/edc/ldap_local_replica.yml @@ -1,4 +1,3 @@ --- ldap_local_replica_uri: - 'ldap://ldap-replica-edc.adm.auro.re' - diff --git a/roles/ipv6_edge_router/tasks/main.yml b/roles/ipv6_edge_router/tasks/main.yml index 5978303..8ec1353 100644 --- a/roles/ipv6_edge_router/tasks/main.yml +++ b/roles/ipv6_edge_router/tasks/main.yml @@ -1,5 +1,4 @@ --- - - name: install GPG apt: name: gnupg 
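Review bot: Changing `shell:` to `command:` for `cmd: "{{ item }}"` at hunk @@ -102,7 +102,7 @@ of roles/radius/tasks/main.yml alters how the loop items execute: `command` runs the string without a shell, so an item that relied on pipes, redirects, `&&` or `$VAR` expansion now receives those characters as literal arguments or fails outright. The `loop:` items are below the hunk, so each one needs checking that it is a plain program plus arguments; an item that genuinely needs shell features has to stay under `shell:` with a lint `# noqa` marker explaining why. Since these are install commands run from `chdir: /var/www/re2o/`, a `creates:` argument or a `changed_when:` would also stop the task from reporting changed on every run.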
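Review bot: The `---` added in front of `$ANSIBLE_VAULT;1.1;AES256` in group_vars/all/vault.yml breaks vault handling: Ansible recognises a vault-encrypted file by that header being the very first bytes of the file, so with a document marker ahead of it the file is no longer decrypted and is parsed as ordinary YAML, where the header and the hex lines are read as one plain scalar rather than the mapping group vars require. The later diffstat entry `group_vars/all/vault.yml | 1 -` in patch 276 looks like the revert of exactly this line. Leave encrypted files byte-for-byte as `ansible-vault` writes them and exclude them from the linter instead, e.g. an `ignore:` entry for `group_vars/all/vault.yml` in `.yamllint.yml`.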
@@ -37,4 +36,4 @@ service: name: frr state: started - enabled: yes + enabled: true diff --git a/roles/isc_dhcp_server/handlers/main.yml b/roles/isc_dhcp_server/handlers/main.yml index 7df6d92..fd4dd48 100644 --- a/roles/isc_dhcp_server/handlers/main.yml +++ b/roles/isc_dhcp_server/handlers/main.yml @@ -1,3 +1,4 @@ +--- - name: force run dhcp re2o-service command: /var/local/re2o-services/dhcp/main.py --force become_user: re2o-services @@ -11,4 +12,3 @@ systemd: name: rsyslog state: restarted - diff --git a/roles/isc_dhcp_server/tasks/main.yml b/roles/isc_dhcp_server/tasks/main.yml index 3a0fe8a..f3ffe54 100644 --- a/roles/isc_dhcp_server/tasks/main.yml +++ b/roles/isc_dhcp_server/tasks/main.yml @@ -17,7 +17,7 @@ state: directory owner: re2o-services group: nogroup - recurse: yes + recurse: true mode: u=rwX,g=rX,o=rX - name: Install isc-dhcp-server diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml index a5875b3..71389d0 100644 --- a/roles/radius/tasks/main.yml +++ b/roles/radius/tasks/main.yml @@ -1,3 +1,4 @@ +--- - name: Add backports repositories apt_repository: repo: "{{ item }} http://deb.debian.org/debian buster-backports main contrib non-free" @@ -34,8 +35,8 @@ apt: name: freeradius-python3 default_release: buster-backports - update_cache: yes - ignore_errors: yes + update_cache: true + ignore_errors: true - name: fix freeradius-python3 postinstall script template: @@ -47,15 +48,15 @@ apt: name: freeradius-python3 default_release: buster-backports - force: yes - ignore_errors: yes + force: true + ignore_errors: true - name: Setup radius symlinks file: src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}" dest: "/etc/freeradius/3.0/{{ item.filename }}" state: link - force: yes + force: true loop: - local_prefix: "" filename: auth.py 
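Review bot: `force: true` on the second `freeradius-python3` install at hunk @@ -47,15 +48,15 @@ of roles/radius/tasks/main.yml is not a harmless boolean restyle to carry forward: for the `apt` module `force` maps to apt-get's `--force-yes`, which implies `allow_unauthenticated` and installs the package even when the archive signature fails to verify. The `file:` task lower in the same hunk also uses `force: true`, where it merely replaces an existing symlink, so the two should not be read as equivalent; the `- name:` line of the apt task is above the hunk. If this reinstall exists only to re-run the package's configure step after the postinstall fix, `force` is probably unnecessary; if it really is needed, a comment stating why an unauthenticated install is accepted belongs next to it. The `ignore_errors: true` on both install tasks (this hunk and @@ -34,8 +35,8 @@) additionally hides a failed install from the play's result.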
@@ -158,7 +159,7 @@ state: absent become_user: postgres when: nuke_radius|default(false) - ignore_errors: yes + ignore_errors: true - name: Nuking - Destroy old local DB if it exists community.general.postgresql_db: @@ -255,6 +256,6 @@ - name: Restart freeradius, ensure enabled systemd: name: freeradius - enabled: yes + enabled: true state: restarted - daemon_reload: yes + daemon_reload: true diff --git a/roles/radvd/handlers/main.yml b/roles/radvd/handlers/main.yml index f2ce52c..6ed4ca7 100644 --- a/roles/radvd/handlers/main.yml +++ b/roles/radvd/handlers/main.yml @@ -1,5 +1,6 @@ +--- - name: restart radvd systemd: state: restarted name: radvd - enabled: yes + enabled: true diff --git a/roles/radvd/tasks/main.yml b/roles/radvd/tasks/main.yml index 75c72c1..47b1f9d 100644 --- a/roles/radvd/tasks/main.yml +++ b/roles/radvd/tasks/main.yml @@ -1,6 +1,4 @@ --- - - # Warning: radvd installation seems to fail if the configuration # file doesn't already exist when the package is installed, # so the order is important. @@ -19,4 +17,3 @@ name: radvd state: present notify: restart radvd - diff --git a/roles/router/handlers/main.yml b/roles/router/handlers/main.yml index b095c21..0583512 100644 --- a/roles/router/handlers/main.yml +++ b/roles/router/handlers/main.yml @@ -1,8 +1,9 @@ +--- - name: restart keepalived systemd: state: restarted name: keepalived - enabled: yes + enabled: true - name: run aurore-firewall command: python3 main.py --force diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml index a686a6e..317261e 100644 --- a/roles/router/tasks/main.yml +++ b/roles/router/tasks/main.yml @@ -15,13 +15,13 @@ ansible.posix.sysctl: name: net.ipv4.ip_forward value: '1' - sysctl_set: yes + sysctl_set: true - name: Enable IPv6 packet forwarding ansible.posix.sysctl: name: net.ipv6.conf.all.forwarding value: '1' - sysctl_set: yes + sysctl_set: true - name: Configure /etc/network/interfaces for routeur-aurore* template: 
diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml index a619b94..c9d2d42 100644 --- a/roles/unbound/handlers/main.yml +++ b/roles/unbound/handlers/main.yml @@ -1,3 +1,4 @@ +--- - name: restart unbound systemd: state: restarted From 3aa43cd19847ea0f7f2e06daf0ae8866882b21ee Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 20:06:45 +0100 Subject: [PATCH 268/297] Enlarge max line length, some URLs didn't fit --- .yamllint.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.yamllint.yml b/.yamllint.yml index bcc5101..3a7ea3d 100644 --- a/.yamllint.yml +++ b/.yamllint.yml @@ -3,5 +3,6 @@ extends: default rules: line-length: + max: 120 level: warning ... From c11b3bc20f75e9e870b972e1625c2325bf2e01bf Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 20:08:51 +0100 Subject: [PATCH 269/297] Comments must start by a space --- group_vars/all/vars.yml | 2 +- network.yml | 28 ++++++++++++++-------------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 90615a1..599e834 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -48,7 +48,7 @@ dns_host_suffix_main: 253 dns_host_suffix_backup: 153 backup_dns_servers: - - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) + - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) # Finally raised! mtu: 1500 diff --git a/network.yml b/network.yml index 6d0af03..a491c79 100755 --- a/network.yml +++ b/network.yml 
@@ -47,19 +47,19 @@ # Deploy Unifi Controller -#- hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re -# roles: -# - unifi-controller +# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re +# roles: +# - unifi-controller # Deploy Re2o switch service -#- hosts: switchs-manager.adm.auro.re -# vars: -# service_repo: https://gitlab.federez.net/re2o/switchs.git -# service_name: switchs -# service_version: master -# service_config: -# hostname: re2o-server.adm.auro.re -# username: service-user -# password: "{{ vault_serviceuser_passwd }}" -# roles: -# - re2o-service +# - hosts: switchs-manager.adm.auro.re +# vars: +# service_repo: https://gitlab.federez.net/re2o/switchs.git +# service_name: switchs +# service_version: master +# service_config: +# hostname: re2o-server.adm.auro.re +# username: service-user +# password: "{{ vault_serviceuser_passwd }}" +# roles: +# - re2o-service From 26a84ab001828a35367ed61c2ac35f5f962c3b17 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 20:10:47 +0100 Subject: [PATCH 270/297] A comma must be followed by at most one space --- services_web.yml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/services_web.yml b/services_web.yml index 5fc935e..1d6f9ef 100755 --- a/services_web.yml +++ b/services_web.yml 
@@ -32,26 +32,26 @@ - fede-aurore.net reverseproxy_sites: - - {from: re2o.auro.re, to: 10.128.0.10} - - {from: intranet.auro.re, to: 10.128.0.10} + - {from: re2o.auro.re, to: 10.128.0.10} + - {from: intranet.auro.re, to: 10.128.0.10} - - {from: phabricator.auro.re, to: 10.128.0.50} - - {from: wiki.auro.re, to: 10.128.0.51} - - {from: www.auro.re, to: 10.128.0.52} + - {from: phabricator.auro.re, to: 10.128.0.50} + - {from: wiki.auro.re, to: 10.128.0.51} + - {from: www.auro.re, to: 10.128.0.52} - - {from: drone.auro.re, to: "10.128.0.64:8000"} + - {from: drone.auro.re, to: "10.128.0.64:8000"} - - {from: re2o-test.auro.re, to: 10.128.0.100} + - {from: re2o-test.auro.re, to: 10.128.0.100} - - {from: riot.auro.re, to: "10.128.0.150:8080"} - - {from: codimd.auro.re, to: "10.128.0.150:8081"} - - {from: grafana.auro.re, to: "10.128.0.150:8082"} - - {from: privatebin.auro.re, to: "10.128.0.150:8083"} - - {from: pad.auro.re, to: "10.128.0.150:8084"} - - {from: cas.auro.re, to: "10.128.0.150:8085"} + - {from: riot.auro.re, to: "10.128.0.150:8080"} + - {from: codimd.auro.re, to: "10.128.0.150:8081"} + - {from: grafana.auro.re, to: "10.128.0.150:8082"} + - {from: privatebin.auro.re, to: "10.128.0.150:8083"} + - {from: pad.auro.re, to: "10.128.0.150:8084"} + - {from: cas.auro.re, to: "10.128.0.150:8085"} redirect_sites: - - {from: auro.re, to: www.auro.re} + - {from: auro.re, to: www.auro.re} roles: - certbot - nginx_reverseproxy From 26427665f3632ee154c4677e5e0247e785932878 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 20:11:31 +0100 Subject: [PATCH 271/297] Fix indentation --- roles/radius/tasks/main.yml | 2 +- roles/router/tasks/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml index 71389d0..22cbf40 100644 --- a/roles/radius/tasks/main.yml +++ b/roles/radius/tasks/main.yml 
@@ -249,7 +249,7 @@ dbname: re2o db: re2o publications: - - re2o_pub + - re2o_pub become_user: postgres diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml index 317261e..2014572 100644 --- a/roles/router/tasks/main.yml +++ b/roles/router/tasks/main.yml @@ -3,12 +3,12 @@ # XXX: YES, this is ugly as fuck. - name: set IP suffix (main) set_fact: - router_hard_ip_suffix: 240 + router_hard_ip_suffix: 240 when: "'backup' not in ansible_hostname" - name: set IP suffix (backup) set_fact: - router_hard_ip_suffix: 140 + router_hard_ip_suffix: 140 when: "'backup' in ansible_hostname" - name: Enable IPv4 packet forwarding From 1332a8f514cb8f34eecbb273fc78ce82ba0b00ee Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 20:13:32 +0100 Subject: [PATCH 272/297] Use Alpine Linux to reduce test image size --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 44b8430..6d28f6f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,5 +1,5 @@ --- -image: python:3.9 +image: python:3.9-alpine stages: - lint From 2eea740a666e8ed338315283de4df2c39cad177a Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 20:15:24 +0100 Subject: [PATCH 273/297] Prepare transition to Gitea, set up Drone CI --- .drone.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .drone.yml diff --git a/.drone.yml b/.drone.yml new file mode 100644 index 0000000..d9eadcd --- /dev/null +++ b/.drone.yml @@ -0,0 +1,18 @@ +--- +kind: pipeline +type: docker +name: check + +steps: + - name: yamllint + image: python:3.9-alpine + commands: + - pip install yamllint==1.25.0 + - yamllint -c .yamllint.yml . + + - name: ansible-lint + image: python:3.9-alpine + commands: + - pip install ansible-lint==4.3.7 + - ansible-lint *.yml +... From 0e0da24cb1b3ca73717abdb0f11fde1100d0f984 Mon Sep 17 00:00:00 2001 
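Review bot: Both lint steps of the new .drone.yml pull `python:3.9-alpine` by mutable tag and `pip install` pins by version only, so the job runs whatever the registry and PyPI serve under those names at run time; the `image: python:3.9-alpine` change to .gitlab-ci.yml in this same span has the same property. Pinning the image by digest (`image: python:3.9-alpine@sha256:<DIGEST-PLACEHOLDER>`) and installing the two linters from a requirements file with `--require-hashes` makes the job reproducible and keeps a substituted package from executing inside CI. The version pins themselves are the right start and should stay.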
From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 20:17:37 +0100 Subject: [PATCH 274/297] Prepare transition to Gitea, set up Drone CI --- .drone.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.drone.yml b/.drone.yml index d9eadcd..55a921d 100644 --- a/.drone.yml +++ b/.drone.yml @@ -13,6 +13,6 @@ steps: - name: ansible-lint image: python:3.9-alpine commands: - - pip install ansible-lint==4.3.7 - - ansible-lint *.yml + - pip install ansible-lint==4.3.7 + - ansible-lint *.yml ... From ae1510ccbb59579112a5158892452bf44c454807 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 20:18:36 +0100 Subject: [PATCH 275/297] Add missing dependencies in the CI --- .drone.yml | 1 + .gitlab-ci.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.drone.yml b/.drone.yml index 55a921d..416e400 100644 --- a/.drone.yml +++ b/.drone.yml @@ -13,6 +13,7 @@ steps: - name: ansible-lint image: python:3.9-alpine commands: + - apk add --no-cache gcc libc-dev libffi-dev openssl-dev - pip install ansible-lint==4.3.7 - ansible-lint *.yml ... diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6d28f6f..c62f35b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -13,6 +13,7 @@ yamllint: ansible-lint: stage: lint script: + - apk add gcc libc-dev libffi-dev openssl-dev - pip install ansible-lint==4.3.7 - ansible-lint *.yml ... From f9b7e052b91f53a152df7e73a36f80cde02c89be Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 22:38:54 +0100 Subject: [PATCH 276/297] Store reverse proxy data in proxy host vars --- group_vars/all/vault.yml | 1 - host_vars/proxy-local.adm.auro.re.yml | 42 ++++++++++++++ host_vars/proxy.adm.auro.re.yml | 58 +++++++++++++++++++ .../letsencrypt/conf.d/certname.ini.j2 | 4 +- services_web.yml | 40 ------------- 5 files changed, 102 insertions(+), 43 deletions(-) create mode 100644 host_vars/proxy-local.adm.auro.re.yml create mode 100644 host_vars/proxy.adm.auro.re.yml 
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 8fa4cbb..52a14ab 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml @@ -1,4 +1,3 @@ ---- $ANSIBLE_VAULT;1.1;AES256 61333538366635353537346231363235653162356330396434383631656465616330363136306563 3861333166386536633437386335613461646466346239360a643139303037613937373631313661 diff --git a/host_vars/proxy-local.adm.auro.re.yml b/host_vars/proxy-local.adm.auro.re.yml new file mode 100644 index 0000000..1c05d6a --- /dev/null +++ b/host_vars/proxy-local.adm.auro.re.yml @@ -0,0 +1,42 @@ +--- +certbot: + domains: + - bbb.auro.re + - drone.auro.re + - gitea.auro.re + - intranet.auro.re + - nextcloud.auro.re + - re2o.auro.re + - re2o-server.auro.re + - re2o-test.auro.re + + dns_rfc2136_name: certbot_challenge. + dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" + mail: tech.aurore@lists.crans.org + certname: auro.re + dns_masters_ipv4: + - "92.222.211.196" + +nginx: + ssl: + cert: /etc/letsencrypt/live/auro.re/fullchain.pem + cert_key: /etc/letsencrypt/live/auro.re/privkey.pem + trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem + + redirect_dnames: + - aurores.net + - fede-aurore.net + + redirect_sites: {} + + reverseproxy_sites: + - from: re2o.auro.re + to: 10.128.0.10 + - from: intranet.auro.re + to: 10.128.0.10 + + - from: drone.auro.re + to: "10.128.0.64:8000" + + - from: re2o-test.auro.re + to: 10.128.0.100 diff --git a/host_vars/proxy.adm.auro.re.yml b/host_vars/proxy.adm.auro.re.yml new file mode 100644 index 0000000..00da9b1 --- /dev/null +++ b/host_vars/proxy.adm.auro.re.yml 
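Review bot: `redirect_sites: {}` in the new host_vars/proxy-local.adm.auro.re.yml declares an empty mapping, while the sibling host_vars/proxy.adm.auro.re.yml in the next hunk gives `redirect_sites` as a sequence of `from`/`to` items; the empty value should be the same type, `redirect_sites: []`. Iterating an empty dict in a Jinja loop yields nothing, so this presumably works today, but a template, schema or lint rule that expects a list will break on it. The later `redirect_tcp: {}` added to proxy.adm.auro.re.yml (patch 279 on this page) has the same mismatch against the list form used in proxy-local.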
@@ -0,0 +1,58 @@ +--- +certbot: + domains: + - auro.re + - cas.auro.re + - codimd.auro.re + - grafana.auro.re + - pad.auro.re + - passbolt.auro.re + - phabricator.auro.re + - privatebin.auro.re + - riot.auro.re + - sharelatex.auro.re + - wiki.auro.re + - www.auro.re + dns_rfc2136_name: certbot_challenge. + dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" + mail: tech.aurore@lists.crans.org + certname: auro.re + dns_masters_ipv4: + - "92.222.211.196" + +nginx: + ssl: + cert: /etc/letsencrypt/live/auro.re/fullchain.pem + cert_key: /etc/letsencrypt/live/auro.re/privkey.pem + trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem + + redirect_dnames: + - aurores.net + - fede-aurore.net + + redirect_sites: + - from: auro.re + to: www.auro.re + + reverseproxy_sites: + - from: phabricator.auro.re + to: 10.128.0.50 + + - from: wiki.auro.re + to: 10.128.0.51 + + - from: www.auro.re + to: 10.128.0.52 + + - from: riot.auro.re + to: "10.128.0.150:8080" + - from: codimd.auro.re + to: "10.128.0.150:8081" + - from: grafana.auro.re + to: "10.128.0.150:8082" + - from: privatebin.auro.re + to: "10.128.0.150:8083" + - from: pad.auro.re + to: "10.128.0.150:8084" + - from: cas.auro.re + to: "10.128.0.150:8085" diff --git a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 index b063634..6683792 100644 --- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 +++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 @@ -1,7 +1,7 @@ # {{ ansible_managed }} # Pour appliquer cette conf et générer la conf de renewal : -# certbot --config wildcard.ini certonly +# certbot --config /etc/letsencrypt/conf.d/aurore.ini certonly # Use a 4096 bit RSA key instead of 2048 rsa-key-size = 4096 @@ -22,4 +22,4 @@ dns-rfc2136-propagation-seconds = 30 # Wildcard the domain cert-name = {{ certbot.certname }} -domains = {{ certbot.domains }} +domains = {{ ", ".join(certbot.domains) }} 
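Review bot: `domains = {{ ", ".join(certbot.domains) }}` reaches for a Python string method inside Jinja where the filter form `domains = {{ certbot.domains | join(', ') }}` is the Ansible idiom and states the intent directly. The change itself is needed: `certbot.domains` is now a YAML list in both new host_vars files, and rendering the list object as before would have put a Python-style repr into the ini file instead of a comma-separated string.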
diff --git a/services_web.yml b/services_web.yml index 1d6f9ef..c62329a 100755 --- a/services_web.yml +++ b/services_web.yml @@ -12,46 +12,6 @@ # Deploy reverse proxy - hosts: proxy*.adm.auro.re - vars: - certbot: - dns_rfc2136_name: certbot_challenge. - dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" - mail: tech.aurore@lists.crans.org - certname: auro.re - domains: "auro.re, *.auro.re, aurores.net, *.aurores.net, fede-aurore.net, *.fede-aurore.net" - dns_masters_ipv4: - - "92.222.211.196" - nginx: - ssl: - cert: /etc/letsencrypt/live/auro.re/fullchain.pem - cert_key: /etc/letsencrypt/live/auro.re/privkey.pem - trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem - - redirect_dnames: - - aurores.net - - fede-aurore.net - - reverseproxy_sites: - - {from: re2o.auro.re, to: 10.128.0.10} - - {from: intranet.auro.re, to: 10.128.0.10} - - - {from: phabricator.auro.re, to: 10.128.0.50} - - {from: wiki.auro.re, to: 10.128.0.51} - - {from: www.auro.re, to: 10.128.0.52} - - - {from: drone.auro.re, to: "10.128.0.64:8000"} - - - {from: re2o-test.auro.re, to: 10.128.0.100} - - - {from: riot.auro.re, to: "10.128.0.150:8080"} - - {from: codimd.auro.re, to: "10.128.0.150:8081"} - - {from: grafana.auro.re, to: "10.128.0.150:8082"} - - {from: privatebin.auro.re, to: "10.128.0.150:8083"} - - {from: pad.auro.re, to: "10.128.0.150:8084"} - - {from: cas.auro.re, to: "10.128.0.150:8085"} - - redirect_sites: - - {from: auro.re, to: www.auro.re} roles: - certbot - nginx_reverseproxy From ac7696c81f08b7b0964bbf018199237c9ccb0235 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 23:07:51 +0100 Subject: [PATCH 277/297] User cerbot-nginx to create certificates --- roles/certbot/tasks/main.yml | 39 +++++++++++-------- .../letsencrypt/conf.d/certname.ini.j2 | 8 ++-- .../templates/letsencrypt/rfc2136.ini.j2 | 7 ---- 3 files changed, 26 insertions(+), 28 deletions(-) delete mode 100644 roles/certbot/templates/letsencrypt/rfc2136.ini.j2 
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index d6314ac..0f61e91 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -1,26 +1,18 @@ --- -- name: Install certbot and RFC2136 plugin +- name: Install certbot and nginx plugin apt: update_cache: true name: - certbot - - python3-certbot-dns-rfc2136 - state: present - register: apt_result + - python3-certbot-nginx + register: pkg_result retries: 3 - until: apt_result is succeeded + until: pkg_result is succeeded -- name: Lookup DNS masters IPv4 - set_fact: - dns_masters_ipv4: "{{ certbot.dns_masters_ipv4 }}" - cacheable: true - -- name: Add DNS credentials - template: - src: letsencrypt/rfc2136.ini.j2 - dest: /etc/letsencrypt/rfc2136.ini - mode: 0600 - owner: root +- name: Check if certificate already exists. + stat: + path: "/etc/letsencrypt/live/{{ certbot.certname }}/cert.pem" + register: letsencrypt_cert - name: Create /etc/letsencrypt/conf.d file: @@ -33,3 +25,18 @@ src: "letsencrypt/conf.d/certname.ini.j2" dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" mode: 0644 + +- name: Stop services to allow certbot to generate a cert. + service: + name: nginx + state: stopped + +- name: Generate new certificate if one doesn't exist. + shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" + when: letsencrypt_cert.stat.exists == False + +- name: Restart services to allow certbot to generate a cert. + service: + name: nginx + state: started + diff --git a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 index 6683792..c23d930 100644 --- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 +++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 
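Review bot: `Stop services to allow certbot to generate a cert.` stops nginx on every run with no `when`, so each play takes the proxy down and brings it back even when no certificate is requested; only the certbot task below it is gated on `letsencrypt_cert.stat.exists`. The stop also looks like a leftover of a standalone-authenticator flow: the config deployed by this same commit sets `authenticator = nginx`, and that plugin answers the challenge through the running nginx, so I would expect stopping it to hurt rather than help — worth confirming on a test host before relying on it. Two smaller points in the same hunk: `shell:` runs a fixed command with no shell features, so `command:` suffices (the CI ansible-lint job flags this), and `when: letsencrypt_cert.stat.exists == False` should be `when: not letsencrypt_cert.stat.exists`.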
@@ -1,7 +1,7 @@ # {{ ansible_managed }} # Pour appliquer cette conf et générer la conf de renewal : -# certbot --config /etc/letsencrypt/conf.d/aurore.ini certonly +# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly # Use a 4096 bit RSA key instead of 2048 rsa-key-size = 4096 @@ -15,10 +15,8 @@ email = {{ certbot.mail }} # Uncomment to use a text interface instead of ncurses text = True -# Use DNS-01 challenge -authenticator = dns-rfc2136 -dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini -dns-rfc2136-propagation-seconds = 30 +# Use nginx challenge +authenticator = nginx # Wildcard the domain cert-name = {{ certbot.certname }} diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 deleted file mode 100644 index 342195d..0000000 --- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 +++ /dev/null @@ -1,7 +0,0 @@ -# {{ ansible_managed }} - -dns_rfc2136_server = {{ dns_masters_ipv4 | first }} -dns_rfc2136_port = 53 -dns_rfc2136_name = {{ certbot.dns_rfc2136_name }} -dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }} -dns_rfc2136_algorithm = HMAC-SHA512 From 9de65d25746e55d613797f081d6f452dbfe70c35 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 23:26:49 +0100 Subject: [PATCH 278/297] Register missing services in reverse proxy config --- host_vars/proxy-local.adm.auro.re.yml | 15 ++++++++++++--- host_vars/proxy.adm.auro.re.yml | 3 +++ 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/host_vars/proxy-local.adm.auro.re.yml b/host_vars/proxy-local.adm.auro.re.yml index 1c05d6a..c858c5a 100644 --- a/host_vars/proxy-local.adm.auro.re.yml +++ b/host_vars/proxy-local.adm.auro.re.yml 
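Review bot: `# Wildcard the domain` above `cert-name` is stale after this hunk: it switches to `authenticator = nginx`, which satisfies the HTTP-01 challenge through nginx, and wildcard names can only be issued through DNS-01, the mechanism this commit removes together with rfc2136.ini.j2. The new host_vars accordingly list explicit hostnames, so the comment should describe what the section does now, e.g. `# One certificate (cert-name) covering every hostname listed in certbot.domains`. Adding a note that wildcard entries in `domains` require DNS-01 would spare the next person a confusing failure from the nginx plugin.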
@@ -31,12 +31,21 @@ nginx: reverseproxy_sites: - from: re2o.auro.re - to: 10.128.0.10 + to: 10.128.0.20 - from: intranet.auro.re - to: 10.128.0.10 + to: 10.128.0.20 + + - from: bbb.auro.re + to: 10.128.0.54 + + - from: nextcloud.auro.re + to: "10.128.0.58:8080" + + - from: gitea.auro.re + to: "10.128.0.60:3000" - from: drone.auro.re to: "10.128.0.64:8000" - from: re2o-test.auro.re - to: 10.128.0.100 + to: 10.128.0.80 diff --git a/host_vars/proxy.adm.auro.re.yml b/host_vars/proxy.adm.auro.re.yml index 00da9b1..8323cc0 100644 --- a/host_vars/proxy.adm.auro.re.yml +++ b/host_vars/proxy.adm.auro.re.yml @@ -44,6 +44,9 @@ nginx: - from: www.auro.re to: 10.128.0.52 + - from: passbolt.auro.re + to: 10.128.0.53 + - from: riot.auro.re to: "10.128.0.150:8080" - from: codimd.auro.re From 03d48a2d8213f1f64465bedbac1852a01689c227 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 23:49:35 +0100 Subject: [PATCH 279/297] Add possibility to configure port forwarding, like SSH for Gitea --- host_vars/proxy-local.adm.auro.re.yml | 5 +++++ host_vars/proxy.adm.auro.re.yml | 2 ++ roles/nginx_reverseproxy/tasks/main.yml | 15 +++++++++++++++ .../nginx/modules-available/60-forward.conf.j2 | 14 ++++++++++++++ 4 files changed, 36 insertions(+) create mode 100644 roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2 diff --git a/host_vars/proxy-local.adm.auro.re.yml b/host_vars/proxy-local.adm.auro.re.yml index c858c5a..b92c1ac 100644 --- a/host_vars/proxy-local.adm.auro.re.yml +++ b/host_vars/proxy-local.adm.auro.re.yml @@ -27,6 +27,11 @@ nginx: - aurores.net - fede-aurore.net + redirect_tcp: + - name: Gitea + port: 2222 + destination: "10.128.0.60:2222" + redirect_sites: {} reverseproxy_sites: diff --git a/host_vars/proxy.adm.auro.re.yml b/host_vars/proxy.adm.auro.re.yml index 8323cc0..f4b710e 100644 --- a/host_vars/proxy.adm.auro.re.yml +++ b/host_vars/proxy.adm.auro.re.yml 
@@ -30,6 +30,8 @@ nginx: - aurores.net - fede-aurore.net + redirect_tcp: {} + redirect_sites: - from: auro.re to: www.auro.re diff --git a/roles/nginx_reverseproxy/tasks/main.yml b/roles/nginx_reverseproxy/tasks/main.yml index 4ccaa2a..497048d 100644 --- a/roles/nginx_reverseproxy/tasks/main.yml +++ b/roles/nginx_reverseproxy/tasks/main.yml @@ -45,6 +45,21 @@ - redirect notify: Reload nginx +- name: Copy forward modules + template: + src: "nginx/modules-available/60-forward.conf.j2" + dest: "/etc/nginx/modules-available/60-forward.conf" + mode: 0644 + notify: Reload nginx + +- name: Activate modules + file: + src: "/etc/nginx/modules-available/60-forward.conf" + dest: "/etc/nginx/modules-enabled/60-forward.conf" + state: link + mode: 0644 + notify: Reload nginx + - name: Copy 50x error page template: src: www/html/50x.html.j2 diff --git a/roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2 b/roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2 new file mode 100644 index 0000000..9a86a5d --- /dev/null +++ b/roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2 @@ -0,0 +1,14 @@ +# {{ ansible_managed }} + +{% for site in nginx.redirect_tcp %} +# Forward port {{ site.port }} to {{ site.name }} +stream { + server { + listen {{ site.port }}; + listen [::]:{{ site.port }}; + + proxy_pass {{ site.destination }}; + } +} + +{% endfor %} From b1f56938e68080d670e285deda5278370ed04058 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 23:51:10 +0100 Subject: [PATCH 280/297] Remove inexistant docker host --- services_web.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services_web.yml b/services_web.yml index c62329a..0fa16fa 100755 --- a/services_web.yml +++ b/services_web.yml 
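Review bot: The new 60-forward.conf.j2 emits one `stream { … }` block per entry of `nginx.redirect_tcp`, but nginx accepts a single `stream` context in the main configuration and rejects a second one as a duplicate directive, so the first host that forwards two ports will fail the config test and the `Reload nginx` handler will not apply. The loop should live inside one `stream {}`, and the file should render empty when the list is, so hosts with `redirect_tcp: {}` do not declare a stream context at all. In the tasks hunk of the same commit, `mode: 0644` on the `state: link` task is ineffective for a symlink (and unquoted octal is what ansible-lint's risky-octal rule complains about), so drop it there and write `mode: "0644"` on the template task.
```jinja
# {{ ansible_managed }}

{% if nginx.redirect_tcp %}
# nginx allows exactly one stream{} context, so every forward shares it
stream {
{% for site in nginx.redirect_tcp %}
    # Forward port {{ site.port }} to {{ site.name }}
    server {
        listen {{ site.port }};
        listen [::]:{{ site.port }};

        proxy_pass {{ site.destination }};
    }
{% endfor %}
}
{% endif %}
```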
@@ -1,7 +1,7 @@ #!/usr/bin/env ansible-playbook --- # Deploy Docker hosts -- hosts: docker-ovh.adm.auro.re,docker-worker1-aurore.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re +- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re roles: - docker From 24ab53675a2f099685fdeca4b31c507417c560fa Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 23:58:27 +0100 Subject: [PATCH 281/297] Automatically renew certificates if a new domain was added --- roles/certbot/tasks/main.yml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index 0f61e91..f29d557 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -9,11 +9,6 @@ retries: 3 until: pkg_result is succeeded -- name: Check if certificate already exists. - stat: - path: "/etc/letsencrypt/live/{{ certbot.certname }}/cert.pem" - register: letsencrypt_cert - - name: Create /etc/letsencrypt/conf.d file: path: /etc/letsencrypt/conf.d @@ -25,18 +20,20 @@ src: "letsencrypt/conf.d/certname.ini.j2" dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" mode: 0644 + register: certbot_config - name: Stop services to allow certbot to generate a cert. service: name: nginx state: stopped + when: certbot_config.changed -- name: Generate new certificate if one doesn't exist. +- name: Generate new certificate if the configuration changed shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" - when: letsencrypt_cert.stat.exists == False + when: certbot_config.changed - name: Restart services to allow certbot to generate a cert. service: name: nginx state: started - + when: certbot_config.changed From 7e48cbc3be80efe546fbf423c2ed7191acdda0d1 Mon Sep 17 00:00:00 2001 
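Review bot: Gating `Generate new certificate if the configuration changed` on `certbot_config.changed` alone means a failed certbot run is never retried: the template is unchanged on the next play, so the condition stays false until someone edits the config, and a host that already had the ini deployed before this commit never gets a certificate at all. The removed `stat` on `/etc/letsencrypt/live/{{ certbot.certname }}/cert.pem` covered exactly that case; keeping it and using `when: certbot_config is changed or not letsencrypt_cert.stat.exists` on the three gated tasks restores it, or the gate can go entirely if the call becomes `certbot certonly --non-interactive --keep-until-expiring ...`, which should exit successfully without re-issuing when the existing lineage already matches. `certbot_config.changed` also reads better in the test form `certbot_config is changed`, and `shell:` can still be `command:` here.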
From: Yohann D'ANELLO Date: Thu, 5 Nov 2020 00:23:29 +0100 Subject: [PATCH 282/297] Remove obsolete certbot configuration --- host_vars/proxy-local.adm.auro.re.yml | 4 ---- host_vars/proxy.adm.auro.re.yml | 4 ---- 2 files changed, 8 deletions(-) diff --git a/host_vars/proxy-local.adm.auro.re.yml b/host_vars/proxy-local.adm.auro.re.yml index b92c1ac..fc86d7f 100644 --- a/host_vars/proxy-local.adm.auro.re.yml +++ b/host_vars/proxy-local.adm.auro.re.yml @@ -10,12 +10,8 @@ certbot: - re2o-server.auro.re - re2o-test.auro.re - dns_rfc2136_name: certbot_challenge. - dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" mail: tech.aurore@lists.crans.org certname: auro.re - dns_masters_ipv4: - - "92.222.211.196" nginx: ssl: diff --git a/host_vars/proxy.adm.auro.re.yml b/host_vars/proxy.adm.auro.re.yml index f4b710e..32663d1 100644 --- a/host_vars/proxy.adm.auro.re.yml +++ b/host_vars/proxy.adm.auro.re.yml @@ -13,12 +13,8 @@ certbot: - sharelatex.auro.re - wiki.auro.re - www.auro.re - dns_rfc2136_name: certbot_challenge. - dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" mail: tech.aurore@lists.crans.org certname: auro.re - dns_masters_ipv4: - - "92.222.211.196" nginx: ssl: From 2cd029d6a514f79b604016f0ce7eaebdc92d9fff Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Fri, 6 Nov 2020 01:00:21 +0100 Subject: [PATCH 283/297] Redirect HTTP requests that are directly made to the IP address to auro.re --- host_vars/proxy-local.adm.auro.re.yml | 4 +++- host_vars/proxy.adm.auro.re.yml | 6 ++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/host_vars/proxy-local.adm.auro.re.yml b/host_vars/proxy-local.adm.auro.re.yml index fc86d7f..903b389 100644 --- a/host_vars/proxy-local.adm.auro.re.yml +++ b/host_vars/proxy-local.adm.auro.re.yml @@ -28,7 +28,9 @@ nginx: port: 2222 destination: "10.128.0.60:2222" - redirect_sites: {} + redirect_sites: + - from: 45.66.111.61 + to: auro.re reverseproxy_sites: - from: re2o.auro.re 
diff --git a/host_vars/proxy.adm.auro.re.yml b/host_vars/proxy.adm.auro.re.yml index 32663d1..c49b40e 100644 --- a/host_vars/proxy.adm.auro.re.yml +++ b/host_vars/proxy.adm.auro.re.yml @@ -29,8 +29,10 @@ nginx: redirect_tcp: {} redirect_sites: - - from: auro.re - to: www.auro.re + - from: www.auro.re + to: auro.re + - from: 92.222.211.195 + to: auro.re reverseproxy_sites: - from: phabricator.auro.re From c46a08858d654764bb4d60bd884272e1fd33e049 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Fri, 6 Nov 2020 01:09:04 +0100 Subject: [PATCH 284/297] Rename proxy -> proxy-ovh, proxy-local -> proxy --- .../{proxy.adm.auro.re.yml => proxy-ovh.adm.auro.re.yml} | 0 host_vars/{proxy-local.adm.auro.re.yml => proxy.adm.auro.re} | 0 hosts | 4 ++-- 3 files changed, 2 insertions(+), 2 deletions(-) rename host_vars/{proxy.adm.auro.re.yml => proxy-ovh.adm.auro.re.yml} (100%) rename host_vars/{proxy-local.adm.auro.re.yml => proxy.adm.auro.re} (100%) diff --git a/host_vars/proxy.adm.auro.re.yml b/host_vars/proxy-ovh.adm.auro.re.yml similarity index 100% rename from host_vars/proxy.adm.auro.re.yml rename to host_vars/proxy-ovh.adm.auro.re.yml diff --git a/host_vars/proxy-local.adm.auro.re.yml b/host_vars/proxy.adm.auro.re similarity index 100% rename from host_vars/proxy-local.adm.auro.re.yml rename to host_vars/proxy.adm.auro.re diff --git a/hosts b/hosts index a44c837..e64513a 100644 --- a/hosts +++ b/hosts @@ -20,7 +20,7 @@ radius-aurore.adm.auro.re dhcp-aurore.adm.auro.re dhcp-aurore-backup.adm.auro.re dns-aurore.adm.auro.re -proxy-local.adm.auro.re +proxy.adm.auro.re camelot.adm.auro.re gitea.adm.auro.re drone.adm.auro.re @@ -47,7 +47,7 @@ services-bdd.adm.auro.re phabricator.adm.auro.re wiki.adm.auro.re www.adm.auro.re -proxy.adm.auro.re +proxy-ovh.adm.auro.re matrix-services.adm.auro.re [ovh_vm] From 5b56f9cfc9888ba4b7ad41fbd39581e9babea755 Mon Sep 17 00:00:00 2001 
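Review bot: After this hunk `www.auro.re` is both a redirect source (to `auro.re`) and, further down the same file, a reverse-proxy entry to `10.128.0.52` that the file's creation earlier on this page added and no later hunk removes; if the nginx template emits one server block per entry, two blocks will carry `server_name www.auro.re` and nginx will silently use whichever it reads first. The commit message only describes the IP-address redirect, so the reversal of the `auro.re`/`www.auro.re` direction looks like it needs either the reverse-proxy entry for `www.auro.re` removed or a `reverseproxy_sites` entry for `auro.re` added — none is visible for `auro.re` itself.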
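Review bot: The rename `host_vars/proxy-local.adm.auro.re.yml => host_vars/proxy.adm.auro.re` drops the `.yml` extension, while the sibling keeps it as `proxy-ovh.adm.auro.re.yml`. Ansible still loads an extensionless file named exactly after the host, so the vars should keep applying, but yamllint only considers `*.yaml`/`*.yml` by default, so the CI job added earlier in this series silently stops linting this file; rename it to `host_vars/proxy.adm.auro.re.yml`.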
From: chirac Date: Sun, 8 Nov 2020 18:13:21 +0100 Subject: [PATCH 285/297] Revert "Use command instead of shell" This reverts commit 0f9169284f9696e54976843c129030f3af8834f7. --- roles/isc_dhcp_server/handlers/main.yml | 2 +- roles/isc_dhcp_server/tasks/main.yml | 5 ++--- roles/radius/tasks/main.yml | 2 +- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/roles/isc_dhcp_server/handlers/main.yml b/roles/isc_dhcp_server/handlers/main.yml index fd4dd48..05b48c6 100644 --- a/roles/isc_dhcp_server/handlers/main.yml +++ b/roles/isc_dhcp_server/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: force run dhcp re2o-service - command: /var/local/re2o-services/dhcp/main.py --force + shell: /var/local/re2o-services/dhcp/main.py --force become_user: re2o-services - name: restart dhcpd diff --git a/roles/isc_dhcp_server/tasks/main.yml b/roles/isc_dhcp_server/tasks/main.yml index f3ffe54..e198163 100644 --- a/roles/isc_dhcp_server/tasks/main.yml +++ b/roles/isc_dhcp_server/tasks/main.yml @@ -17,8 +17,7 @@ state: directory owner: re2o-services group: nogroup - recurse: true - mode: u=rwX,g=rX,o=rX + recurse: yes - name: Install isc-dhcp-server apt: @@ -102,7 +101,7 @@ when: is_aurore_host - name: force run dhcp re2o-service - command: /var/local/re2o-services/dhcp/main.py --force + shell: /var/local/re2o-services/dhcp/main.py --force - name: Ensure dhcpd is running service: diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml index 22cbf40..4d9a748 100644 --- a/roles/radius/tasks/main.yml +++ b/roles/radius/tasks/main.yml @@ -103,7 +103,7 @@ when: "'aurore_vm' in group_names" - name: Install radius requirements (except freeradius-python3) - command: + shell: cmd: "{{ item }}" chdir: /var/www/re2o/ loop: From 8bf080dbf77cee98bd97a281eb1258ffb3d194b7 Mon Sep 17 00:00:00 2001 From: chirac Date: Sun, 8 Nov 2020 18:50:38 +0100 Subject: [PATCH 286/297] Fix radius permission bug --- roles/radius/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) 
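Review bot: The revert puts `shell:` back on `/var/local/re2o-services/dhcp/main.py --force` in both the handler and the task, and those invocations use no pipes, redirects or expansions, so `command:` still runs them and is what the ansible-lint job in CI asks for; the same applies to the `shell:`/`cmd:` form on the radius loop unless one of its `{{ item }}` values genuinely needs a shell. It also restores `recurse: yes`, which yamllint's truthy rule rejects in favour of `recurse: true`, and drops the explicit `mode: u=rwX,g=rX,o=rX` on the re2o-services directory, leaving its permissions to whatever the target already has. If a specific task broke under the original commit, reverting only that task would keep the lint-clean parts.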
diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml index 4d9a748..941f7c9 100644 --- a/roles/radius/tasks/main.yml +++ b/roles/radius/tasks/main.yml @@ -72,6 +72,7 @@ src: "{{ item }}.j2" dest: "/etc/freeradius/3.0/{{ item }}" mode: 0640 + owner: freerad loop: - sites-enabled/default - sites-enabled/inner-tunnel @@ -81,6 +82,7 @@ src: "{{ item }}.j2" dest: "/etc/freeradius/3.0/{{ item }}" mode: 0640 + owner: freerad loop: - clients.conf - proxy.conf From 88ffd2297fbcaa76004a0b23e9c41da9f5b23e07 Mon Sep 17 00:00:00 2001 From: Paul Ziolkowski Date: Sun, 8 Nov 2020 18:52:03 +0100 Subject: [PATCH 287/297] Add residence les rives --- group_vars/all/vault.yml | 342 ++++++++++++----------- group_vars/rives/main.yml | 7 + group_vars/rives/sudo_location_group.yml | 3 + hosts | 9 +- 4 files changed, 190 insertions(+), 171 deletions(-) create mode 100644 group_vars/rives/main.yml create mode 100644 group_vars/rives/sudo_location_group.yml diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 52a14ab..b813ba3 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml 
@@ -1,170 +1,174 @@ $ANSIBLE_VAULT;1.1;AES256 -61333538366635353537346231363235653162356330396434383631656465616330363136306563 -3861333166386536633437386335613461646466346239360a643139303037613937373631313661 -62613337366365393964376630323261373331373533663539666663373937383263343939633635 -3062316564303439310a636231303565366438346665646238383533373736373631666162636537 -66336335353033643634636133313333666230363362366166653663343964306231616433643165 -61356563346162666536613338323266373362373537653364653762346466333862393865666638 -30303134353936323065636233616235623537353830663061343937623261326632326563653539 -62656261316231373665663639636362306339323637393032326337303136653530616236623263 -38363734376566333861653637386564643832623564386335633162376532383937333261306664 -63623538373534353963323137323131343434346464333532346234336464326564353462313436 -39303166623731323961323330633164643564306631316130313735633263353564313037613530 -64623138316532633064623532313366316565633533373562336461303033353363646536663334 -35376234333466326139303931373031653638623733383737666338366339646464363430616464 -32396533346333326633306564353364356563373130373661646332313132346538623066353261 -65633563386237633264386336313738616435666239363038396562386530316266643364643865 -63656539303534373734383865396637356565376537336437383134303462643762383138633535 -37663661343633656161343132626233643239346464613933613563643437313537643934343135 -35636538383438356338303162366164346163326536616238643739666533613363633562643831 -37666564383239663433643737346532623239373830356661306466373861626262396332613234 -38616166373666663032303136336431303536346466326337353864383330346337626563303665 -66326134363636623166313039613365626161396662313165653662623530326331646566623331 -39383063313530643731386237396539656435373363656235323332343563336561663338663863 -34313236353664343233326630646234393134653166333064643361663164616336653766303336 
-38646565393462356364316436643632613538613932313039666533356262356135633832376462 -34356538303439383334336638373361396638373363613633633036376262636533353030633739 -66663564323130346663373430323362383636646262376464313565323266613464646638626536 -65316166653033323963663366646163346666623432313039356262373164343038356334393264 -32666136356566313438616264626163363464636336316539353137353938653235356665656333 -32343431383663663035663763636564363137396639363466616538666461306365353238313032 -63313834666334633432393162306131633764663838373930383362623266656661316439383436 -30343864656366303335666464623662656332623466383761633832323463363836336634323161 -63313534373536623765373436306135353334333031376136613938636464353534376139363161 -66643530313032333831306366393231363239643932613736346364393233316437373534643339 -66333032373430663239383933383838633039326438323162653236333333336162613730623266 -33396166373233623931396430666639333165396364333063666633383764373364643931646437 -62303263626662386666646462633738386565346534313334633235383364656666326632323761 -66373239383232633739353836636438623863346530626262363030353438386439613031346132 -62653565313739636162326261303038303365663332396539386430303631346633656335303366 -36383630656438326530353634346531386466643763326131343862623133346566616364386331 -37613038343265386338323234626162313763623764373364613439373266323039363539353039 -66653635316364633736633561353730343636396566373164363166346437383463643133326539 -65313436666337366634636236663866346461343261656435336239393232316538303866386531 -39383562663932313135636535626234626266656661306564333530353532623630656564663831 -63653666373765653365393933646137303734383066633136376366303365663633363863333130 -36386634353839613038666331376534633463353935356532623635666336396638373439316139 -33653233396136343838306434373061343936656137316231303464663133303961353333303261 -63373361336638316233656434653165633030623661353237383233346134646561363931653262 
-32623830366333386433653332636333646139666233663863353731333162313837663539626466 -35353533386135663335323162333731646562393066643938383830333336323164373836643464 -66363234323739643033366566633537643566316439333633386233663165663064323864333037 -31336365303633383639343233373838626238656337333865646164666462383364643434393436 -38666436393734616262633565303238383636366233383935623936346461633339326431396636 -64623639396265613637303965373231323161316430656461326437356332633465656434643139 -61633466323363303032373563633434366430366434366234373633373639316365623336653164 -64326462656632376439343733326463653166343936643439386334653363343830616638636365 -35623562653938663430333931396134333035386562303430373536316432376364663663626338 -31356130633332336562343364363766363461396632373033393961333438663835383261373863 -64663636363234396164323138653439633532316530386133633162613464356161303765373835 -34366462306534396632653161313138386261373637613865333036653262346431323863313465 -62623137376636383465386539656530303164313765616361656266363231343066616239666462 -65653839326562386563396138653033313934336337303038306432336238303838313833383562 -32656565383861343562396531373737626165616233666636326234653038643137366134366534 -34383364346461636537643936326230636530316431663161373331333463393566383065313361 -63636564663761643737656335376537336164633538616536376330663763636439373231316231 -61396263326134373630623830313233373934336366393934376262356438316537646463643861 -35383761326438363264666363646533303236633536326333326162653162303239303437303664 -30396430663366306334663364323035646438306362396339303566356531646130303233353036 -35356437363132333965316661323761373332333939646131346639313138393462633765343064 -65646335343730616164363433386565386164313564393261336362303966393930613833636361 -33636532656439643235613566356336373232343432383430383166393362303863306332323930 -65343530393262313065356337393136326162396234646139333036353865323030336262663637 
-31633063663866316237316563333130393863666662663663303066396130616262616535613837 -63313139376631316432623863333535666139376531386138653166363365663532323464393539 -32616662306330653533326235383635616164626165306633313266346130336532633234353634 -61346466613264346633313539336463303362613532643163393263323939303561316331646163 -37353233636461376631333535616233653061376139326232323533303438363935373635326338 -65646561363433316465616430303261326634343339396466316137623330386334396466353431 -38363630303933323134336362376139643732633964616236353539376331323034396366306162 -66316261306566313433306661373333323639303836393137306438343830356162313763373064 -62396537363164306162323535336338363132626662316235333639373533386561643034616262 -62363436643963663432333536373139616565326463633235353966636330363432633438633435 -63366438333937653461346134393837316264323766393664363466646164623563643039303861 -36333330656539366534616532393233303231313635623631363930653062346439613339383639 -34316264313130663531376230633637323962653933633335333536613464373262356632616663 -37346130663438616535366633613465396462616332626664616134653065643934356134306138 -62343035303438666461343239373435363435363230343564353565396666613734633931663733 -63633932396337313962396131626364323836356538393536303364626230613365343233343731 -62653764633831646234656532336139643263343833316437336565313031346638313766633836 -62633636663630613531646161643965353235323335636535633364313038613031316666666539 -39383465333464646639666666333661623565663362346238363737666162353338363431333830 -62616336613333383137643163643730646131353734633462623866373436626430646235376437 -65396134643863336264333863643862393532353962633238373861656332636439346365646235 -32303237323635613632646266313134656361353962663862363163356436373631343166343963 -64643836306561386664663832656564383239376466646362333863666335313337336338346365 -65386230303639656561376130336139386464363866346434646538636563303136346664633562 
-30336161386464386330626539393839326332303336663233663666333331626332333131376666 -66326161643631616430623662383032373334633437613165316664613634623364303130636332 -31316639666663643333646436343265353365623434623538643264313961623663636430336566 -66326435323936316666613138633037393231316661663132393332656366366337613234393739 -35656437353466316135663364333461643235333635646566666331653666323834323166353931 -64653137366439393935633739306232616533643131393565623862623032333532373862643564 -61396636616637353831396536313634393330623836343134313164656166363435336137343934 -66313833626263323437663939663036633566613939653037356664646630663263376362336364 -64343831336430656532363331393938663534336237323838356337393362613235386333393635 -39656432356433366130326261363834323937356566643364313037303436646437326233343663 -33656163336163333036636337633636613337356363653932326365386466656139646665636434 -36343437646562643932623938316563343963323732353236383237343934373438643762333739 -32393762636434396237346334303661623835323664306637303761303464623165633331386636 -35373538373834393833626663643363346565643134616163613462376432663430643835303666 -39343738323461346239626638346438303939633836636163633139386463643365323134323830 -32386133363431303839386365636532353564346134306361626562303165363737346532323366 -32656530353364303331626463613361336635376564373730306363366133363038613962303638 -32383464383630303437393233623431316463303138383235353137316631343664633362393932 -62633337356265363962633537323233396433636232313261616664316634343337343830383366 -62313963663562343133633263303933393561346365396133396166373762366338666665353066 -35306461323361643735393935343333646637336335313738373532323034363637393933636534 -30313836363261636439663638643766373833313565313563383965323365316461323139666464 -39383461393737623833366238356136306439623262643431353232363639633932316134343432 -61643632623731653862366664663334613862643961313330613765343666623938343531393930 
-36366335393863626335666234316334303939366636323534386633623031373337353563303766 -36636562333638666466376336663236633738326261626263653139646465616134333632343362 -31306530343131346533643862333736343034653732323161356635653966303362633465363030 -63616433663538383031323161643963336462646662366362386331353433663465363263373761 -66666630646366646563396363346362313737343364373933303763316532326135393631346136 -62303866616563313035313362613462363931333539613464396334386636323364303431633935 -66653662633463613838613234316563653964613738353034396136643865373931333339376138 -66623465313261626362353930336630303063623038306366643265333137383237653262616335 -64646634663866623539383638333565663664313535323765643564313536653064353438346330 -63623032666432666666383535396166366661303335386630323734616163636163316232363031 -38663464633837653861626332616132383332626163666130626139323239633863663161313665 -61663962663332313464383730316163656361396664393965383636366665386132303234393464 -35346130653165656264396563363533306632373032313333366132363066323333313966633766 -66353534643435663531656339646138336365636665353165326439666261613131353937396338 -31613662316333393862373864393832616335306636396531313134636135333365396137346262 -63366330626362336263616435616434623131326136616566396462343763373937623764663965 -63356363363063313764646637666466353236303233323530306237363664366265386133333634 -66643365666336646535653163643563363932636534313836343832626166666365313765646137 -34636535653436346235613161363933643864643932336365653533633731663137313465323330 -64333763626631636432636565386461396238633339623664653162366564303563336539393462 -65386539643836626338353561396164643935333563663831643861383934636430613335343139 -33326133346237386362633534356238616631356263653532613061633430643831613838653637 -37366432393364343735656563616531366662383630313537326165663066313165333639623836 -37383264656334393432303234306333373135643961616562393732326436666635346333653737 
-63633531336465663036616334393562363163343633633737313161396165643030313065626163 -65363464353564653434386161646165613064656465373832386634303266636336393232303738 -37373332343464366536666662323931666363323561613637393064343562653962633765643861 -34343965373534356234356633646630363735333362643237383065386263666539653330613862 -37643766353133383266636461356563356663363931313136373738626631666136643336306337 -36633966663966653638326230623265393837393763396566626466343064336634316162306236 -66343563393166316462373063333764393939656433663131633636396265363533323239313830 -38396661646464613064356238663739306361313232313964663065303039303363356533326463 -32316139356564643435313739333838346534323933326164663762636666613366613539333939 -30663338386339653333396261643035643465323563396334643535383266306530366261613536 -66356663636239346466373065333136663363636161323539653263336531613636643364353463 -36323437616361313765303261623864383330333131336663383633396632373431366434343135 -35643763336434363331656436333036623631306365623335653036333364356134366332396532 -37666632396161326530646136613232616538396232333239613134646463363030623133626335 -37383033653232653963366262303831653530363431626531313236326636363736343964653364 -32633963663332376564376230623262333565666336613331303661666139306636326235363961 -61373338303935366436383964333031353033316135663461623436633264376230373932303130 -62333637633438356337623362376364646332343431613966306261376465643462626530643764 -62396661353365656661306439346464363730343766366238356330303030363538633032613331 -64323632376363356535623464393665636237656235336238373966613031663565656539643066 -34626139383064316365396636376638643133653965373138393339396263303833313433343432 -39663864666532633866623466613332636563353337323532343863393538633739363363333038 -36393962633638613437616634323835613366393530663432313062396637636334323764383239 -64393132393138396234336534306232393436373264383264633734306365623661313462383533 
-31316232666635326539383763303239616564386131303232313266363730636337626465643266 -64396364653963353838303233353936313636356235343561373830363961376334 +34336231623938346631313932323131336439623837626366646338396137633436646365386639 +6332383765386235396331373836366230663563376665380a616436373136633933376435653230 +64333963663436393265666434653164643164616134353665306462326666623530383838343135 +3531343533656332350a343432336636316131386132306238653736633966363235623833343638 +38643061383963396466346536343061653034333037393664356661376565643765306462626231 +39326233363962373839303464333833306532343834306232653731326135653934643836323639 +36343937626536346331613263663865346634666534646266623061303639626636393230616261 +32336366356439353738633234326138656464656630303362623664616634306230623538373965 +32346439306337623737616666353830626630373562366436653131393532313035303836326430 +64613235646366616533313065396663366434363832333535336631323366336437396664303834 +30336466313064636565326564356435306136396363373464326534303366323262303732626661 +38326663313332633530353739346538343434316133343066313530366637376135323564306537 +65626261303231656432333364333965663065346436626631666466643934623064333163626339 +32633565303734303862326365336339346133393431636266303530626564326361653230626536 +32313231373037633134623761663832393666353732613965613436323939343233613433343538 +37326438383130303861316663396333376662386337353964633930353536653437653061356635 +35646232343535313130646237643835376162623639333961323964353830653366626438346237 +36343663346332656537363434396633336161373730663364306239306432343930643230656465 +37633537616232656661313764626232303535383563353861396431643735326162383866626231 +61383165613332666537656137636430323332326335323763303537386662646263353539613964 +37323966306364306436653033393931663239383435613836356164633135306233356364313036 +39356661613434633930633066646437636535313565356366303732613731333062643231313035 
+65333461396131663764626665393562623030343561313136363964393664376136303839333664 +65313465623331333538393734373264313562643232666130303930333662616465656432363039 +66616530336666343861336434633063343561323931323931346132376263376565313366306639 +64646465303432333136353661323936633965666364356633653861363139616562653834313861 +63306133613066373462383236613939316130623937643939323134343936356638376335323836 +39383334656236633037633230313138326238303863623231353465346661663162623138353461 +33343738613137366364633730346261366564646161373837613865393233663431636361663962 +38313230363737306265636435353533666262333666383639343364633464396566333433333538 +39643934646537653234336361613664333434623739353831316531313666396638333136343638 +33653034366362363562633462303165626333306664326366353334363964663936616430643662 +30616334326638323133366632663237356238353934323361376237613632396134663536336364 +39363439326335363437373939353564646663616464663763353931323233316135656634343137 +34396130386134386331643534353461663963323435656337653032376565313635623231343135 +34303130316239303065386134663332393938636332363665643832326439653733633231346537 +63383634333034323434376237663932613638363835393837613632663265616363303233653539 +61333765313463616665613136303533343230303735626437343635303934613365326166333966 +66613538393466666630363333643730653239393435616634303430396635383631613439623433 +36646431393865666162373232343335356366366633633264326639643434396234313863333163 +63396534623931633833656565396635333133376165613031663831633564663061656131303564 +61303132666264636139313738643161313134643733633366376538366135663135333333333564 +64366262353837363061653663616265393264373230346330636465336439623063636639356136 +65383638643961326661396336373163643832366561363764626461623662333436373136616437 +30316537653432356133616338353165633462643634323563306366343965326635363863316232 +61633135643861333635383464383937306236626632366235363433313335663431366531356337 
+37303465323638383930336138356665343966336137356137656564303733373565366162343330 +38326366653733376138356339313564616165626235356363343430353239616339656239323964 +31643734653263653461333135386261646265323134633334376262323330396634643764323635 +30336262323035613338333166353364333836623865393132613338393237363734616330366463 +64646163303337323531636532383438356237306337656439663565643032633462316366663164 +33613039326337353531303831313136653539353261373930613030383134653261363833653439 +31343662623035393238646263633066653362323434306137633339393330376462356139333362 +35363436356530363134663064653031376561343732346262383333353733363136396262643135 +31326566303535343833326562376464643632363434323839366366626134303830323563633237 +37313964353033316163303738636632346137353437333463303135323631383132623133663130 +32373163393861366137303138363134653534613236636439623731393837306130626638343134 +39313532386338343662333134353761653162663665396664366239633536613132313735373334 +37613161383633653861376433633632333163653439633938386137313632396137616337373465 +65383238396439666537313833663364333731613434333739393161363437306665363834653761 +34303464386633633163353636643964393233383232623765373239376633393139326630653765 +62646439646534376234323661383063656463313437323231333165626163626262626562376338 +62646362346261313738323830613037663035666361386139666432613230346334323063326239 +65303065343061613736343663363630336333623439383032313137616131623933323636306331 +34636130626338303039356137353532346562363531623936316162336663306437386532363236 +36333661316161613237343032623764396435346632363963643438316430666539393566353939 +33333234313839636537366465356364303438313830663261373563346538626432313139303030 +33333066626463663663643833323764643737386162663766356665643064313263376434353038 +37643630643737663566653562353261333734636262626437393239383063613661643166626630 +31313564346239396561326162333534376264616435313762623032636432363832383630343964 
+30343663643935633465393465626131633931623930653962303830333065363435383237653566 +65646632376330306437663334313932653230653562356338663366616463303466366263366137 +64633934626339633235386630396561376130373763313137386531356637633863393035306634 +65353432323235363135633832373032623837376333346131303162303464616234313062316563 +64646634633963663032613533636665333335656539323238623362306363313835626632306236 +30663637356463363530316434316639326639633539333335633330333834643035353932313638 +64356565653065666131373538356462306633343161376537323762313666373235353236313963 +65613561633266306632616538616461626532666435663038646138386430376164663766363138 +35316262393065653739323035666531333330326235386133383834383865356635666537333533 +31376138353231313262646334386566376264323066373934666363313431643738383064666437 +36656437313039656666373530346534393735353163646635663839326366643333393665626464 +36616637303631653661373433653865323634363065303433386534363064356564636465366265 +31333064383233636538393032376234663663353162343530376631356533653231303730396465 +33366162376464633633313664303939306330613865663431653037303061633130626635653638 +66626264363333376463386666313663333964333137333231303361616533393236373861656534 +32326335306566623332396638383133353434363565316432353963353062313662326361336537 +34396632656234333263663831326566353434316234613365316132363730643665373761666562 +31393565653663653731633333633730326265376135666162656132623238333765333363653130 +61353632313532616266363139336162336565356365316531336364623930636430353831623233 +61616131313438306633333066613764313161333934316139633738623164623564646365663566 +66356464376133363137313036623930373362306166623838373131313330393837396261656561 +66396233313530643164353264656563383632363139333262626532376562613630643437666266 +66656335656634613138316138643666623430363833663035616138336461303035633731636262 +36393939333765346239666433323032323361343934656463396365333366623337316663396263 
+36616431626633663963636135643833666234613830366434636532373031343263316436306162 +39356365376561643665323866656465313434623138326238353662653735613565623264333336 +61393763363862613766653064636130323732663466366133666361636339356464313037353462 +63633936653235656538383433393065393162643034393538666433616131343462346235393164 +39353663373338626665663563663162633430343330373430376336326432346233663365376533 +32656465343538643137326366653232343530363834383831386634366262303333636261353863 +32633437343432653936643766363338636535613532323362656435613363393238626466303861 +38633861333638613466306338613932353964393365356637306261626535323732316362623731 +33313963623439613939333639346461663338373334396165636231666266613065323731373964 +64313133383435333935376531313432663766633133633863356563663535333263636237386136 +61653963633166383135333436646465383536373039383538326366636634313061613730653962 +37623962643866396637336231363038373465393637356463656566666661313130313863383233 +37343636346535363832626365396262303862393535336565393635663637323730373564336634 +37363036323733306535336366373630356531353737303165376530656433626634343365626239 +64346136363030663862313431653761666432393933366665346361626361623039326434633835 +32666538653037613361343536383634643762356234366433663639653461303933306434333864 +37386436393465323139306161333738383265323436376536656264356230303163326134323864 +63396331666431666464656161633466333764653631623131646566303366333030653834333335 +31323365353239366232643863386365633861376235643034303563613363663661616564363663 +63326562613365653539383336383339646164623864323830653434623365393432666466323134 +33626330373361393734656632393232363866613863373135636537613934343065306265623964 +34643765636165393336356630353663343065333431656164363638646233663762346536343362 +65653364343537383336373933313464663464653465383830363631316336303464313731356230 +34336130323766386465373162346535396565346630353734303937396130656132376331326563 
+36386339383338346533646331666262396432336434646333653664326635386238333763626637 +31363464306465666339316436323265623437636533643431363161323139653065323534636533 +64386334353439373133313937343234373963353331646233346432646430636530663336316134 +66303337313034396232643531643262343036313762633165353665653938313665386363353865 +66333166303636626565613136653365313763303263313239333033353638616566656134396131 +38356434343931303134303362313363343634613361353538636634336332373132356165326163 +30386130326239366532363962316435663862393836326439623862366166376234343439306465 +36346639623939353232366333643963646336383833386565643435393734653936313638663930 +32323065343737663564333961373034393261613862333431663562353964666561643831316432 +35313832356639333937333266306166656538643065386639346337306134613536356137316331 +38376434666332366531393639303561663934353130333161636530383932653236313530616531 +61656664626663373164343863333039356362343034326131376666623264663732303734366363 +30306430353732616131346637626332656434393163313661356465393263393235396662623962 +62643538623331646265643561623366383937313136383939366164613235666234663137653432 +34316138643139336331356663333632656539653632626136613431393736613630353237356164 +33623632643335663163656236633134343464353837346237316162346634633336663564656531 +39373730346130363963376463326238366235613539613466653139306237343164336462353236 +39323361636333353661633863663162633563343937366461346338363061623730633537626562 +30353938383664333861366431343033313961376436363065373430353736343563313531386663 +37313534303564333237616331396437376436383833373936376664666366373235613533663239 +64653863613531356666646233393533646131333961343730663461346235633961306263343831 +64386332653330323937643266373437633465363933653833343930616134626566363339366362 +36356163333730656233653431326430326566386264343330666131393166323537623137396237 +65386234653231666631366533383762643830333261363532666138386263643662633932626335 
+66303363613035643931393933303035323566373634663037313338616132373162366334373962 +33666463613435396331326565353433336361303562326562663035313639333232333430373266 +65383235356132353838636565636436356361653831356430663935613766613237366564316566 +37396130393363386566306162346466326165353863636633306335383265306139396339383866 +34326335323962633032386162623033353036643437313832323166363764653339343638343964 +66626662326234306362656162336538353131366337643761643930306163333661653062663832 +61303963623433313565633235306132366663336662616232613339366363373934613631623431 +34323736383366333032343364373533363761323338346163323836653235653136646162306166 +65333734623663346233343961396566313838653036396430396134393839326535363237363638 +38333232333863396334366561303136333863356666656335633630616531363766343535616533 +35656166303837653365303436623431613931336331356531666665346562613263363666626238 +62626236323863383366643162356462306163653032626130333863656337623136646439316337 +33306432663134383038646133346131333732633932383239643733643138303434646565663266 +34616265383733343963323538656138656331396438616133393063356638633965323363653066 +65353837333363613762333839313631373137363064383830353565333832356162323862393030 +35373038613133643466636537626437393837633865363566343565626633376262373766613738 +39343334336238363131373762646564653839623531323066356430326263376534373664363331 +64373735383933303638303661333964333464306338613363326261623438336530636262373766 +35346339643939666162386232666236326131366366303432393838326239313730323431376231 +39363032616666393431326533643865643937363937356431623763363037373333653266376561 +63323462363063343234373534663063353865363037383932386231313338343239653131633561 +34623439396232633265616438623562666333303932396366663330326565363736633461333463 +66346537323061306662323062393061353565393165363532306439343262343632616465363364 +30376331346430313536313963333136663833323064633631653935326366633862336163316538 
+33383434336666303434363236396662366664393637656462363331356631613332353766636663 +62323264336235306532343065323834313730353237616463373766303439663533336366363565 +35646461636263646633343634323735383235376330616334373937646165623639363663353361 +65613034353736633332663333616564356265323731613537393430633137333337643663323137 +31623732663331653935316337306433333633353565343265666333363864346562363961333439 +30656136636661396335623566386362333861616663393738626632633537613564636261383138 +3233 diff --git a/group_vars/rives/main.yml b/group_vars/rives/main.yml new file mode 100644 index 0000000..034b19c --- /dev/null +++ b/group_vars/rives/main.yml @@ -0,0 +1,7 @@ +--- +apartment_block: rives +apartment_block_id: 3 + +router_ip_suffix: 254 + +mtu: 1500 diff --git a/group_vars/rives/sudo_location_group.yml b/group_vars/rives/sudo_location_group.yml new file mode 100644 index 0000000..081a6bf --- /dev/null +++ b/group_vars/rives/sudo_location_group.yml @@ -0,0 +1,3 @@ +--- +# Users in that group will be able to `sudo` +sudo_group_location: 'sudorives' diff --git a/hosts b/hosts index e64513a..208271e 100644 --- a/hosts +++ b/hosts @@ -154,8 +154,11 @@ ldap-replica-gs.adm.auro.re [rives_pve] thor.adm.auro.re - - +[rives_vm] +dhcp-rives-backup.adm.auro.re +unifi-rives.adm.auro.re +dns-rives-backup.adm.auro.re +radius-rives-backup.adm.auro.re ############################################################################### @@ -197,6 +200,7 @@ gs_vm # everything at Les Rives [rives:children] rives_pve +rives_vm ############################################################################### @@ -213,6 +217,7 @@ fleming_vm pacaterie_vm edc_vm gs_vm +rives_vm # every PVE [pve:children] From b232d6b40b0a46e68ece7fe62ffce448efa2820b Mon Sep 17 00:00:00 2001 
From: Paul Ziolkowski
Date: Mon, 9 Nov 2020 18:10:29 +0100
Subject: [PATCH 288/297] Renommage re2o_service en re2o-service
---
 roles/{re2o_service => re2o-service}/defaults/main.yml | 0
 roles/{re2o_service => re2o-service}/tasks/main.yml | 0
 roles/{re2o_service => re2o-service}/tasks/service_user.yml | 0
 .../templates/update-motd.d/05-service.j2 | 0
 4 files changed, 0 insertions(+), 0 deletions(-)
 rename roles/{re2o_service => re2o-service}/defaults/main.yml (100%)
 rename roles/{re2o_service => re2o-service}/tasks/main.yml (100%)
 rename roles/{re2o_service => re2o-service}/tasks/service_user.yml (100%)
 rename roles/{re2o_service => re2o-service}/templates/update-motd.d/05-service.j2 (100%)
diff --git a/roles/re2o_service/defaults/main.yml b/roles/re2o-service/defaults/main.yml
similarity index 100%
rename from roles/re2o_service/defaults/main.yml
rename to roles/re2o-service/defaults/main.yml
diff --git a/roles/re2o_service/tasks/main.yml b/roles/re2o-service/tasks/main.yml
similarity index 100%
rename from roles/re2o_service/tasks/main.yml
rename to roles/re2o-service/tasks/main.yml
diff --git a/roles/re2o_service/tasks/service_user.yml b/roles/re2o-service/tasks/service_user.yml
similarity index 100%
rename from roles/re2o_service/tasks/service_user.yml
rename to roles/re2o-service/tasks/service_user.yml
diff --git a/roles/re2o_service/templates/update-motd.d/05-service.j2 b/roles/re2o-service/templates/update-motd.d/05-service.j2
similarity index 100%
rename from roles/re2o_service/templates/update-motd.d/05-service.j2
rename to roles/re2o-service/templates/update-motd.d/05-service.j2
From d6590ea1a8c9bb6375d668e8e1dc4ea4f52a68a3 Mon Sep 17 00:00:00 2001
From: Paul Ziolkowski
Date: Mon, 9 Nov 2020 18:15:29 +0100
Subject: [PATCH 289/297] Add rives
---
 network.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/network.yml b/network.yml
index a491c79..e64d8ff 100755
--- a/network.yml
+++ b/network.yml
@@ -15,7 +15,7 @@
 # Déploiement du service re2o aurore-firewall et keepalived
 # radvd: IPv6 SLAAC (/64 subnets, private IPs).
 # Must NOT be on routeur-aurore-*, or will with DHCPv6!
-- hosts: ~routeur-(pacaterie|edc|fleming|gs).*\.adm\.auro\.re
+- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
 roles:
 - router
 - radvd
From 37e3fe2231730e1cae1992e348ccea079c9c576d Mon Sep 17 00:00:00 2001
From: Paul Ziolkowski
Date: Mon, 9 Nov 2020 18:53:36 +0100
Subject: [PATCH 290/297] Add ldap replica rives
---
 hosts | 11 +++++++----
 roles/ldap_client/templates/nslcd.conf.j2 | 5 +++++
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/hosts b/hosts
index 208271e..05f2108 100644
--- a/hosts
+++ b/hosts
@@ -159,10 +159,8 @@ dhcp-rives-backup.adm.auro.re
 unifi-rives.adm.auro.re
 dns-rives-backup.adm.auro.re
 radius-rives-backup.adm.auro.re
-
-
-###############################################################################
-# Groups by location
+routeur-rives-backup.adm.auro.re
+ldap-replica-rives.adm.auro.re
 
 # -aurore services
 [aurore:children]
@@ -238,6 +236,7 @@ ldap_replica_pacaterie
 ldap_replica_edc
 ldap_replica_gs
 ldap_replica_ovh
+ldap_replica_rives
 
 [ldap_replica_fleming]
 ldap-replica-fleming.adm.auro.re
@@ -253,3 +252,7 @@ ldap-replica-gs.adm.auro.re
 
 [ldap_replica_ovh]
 ldap-replica-ovh.adm.auro.re
+
+[ldap_replica_rives]
+ldap-replica-rives.adm.auro.re
+
diff --git a/roles/ldap_client/templates/nslcd.conf.j2 b/roles/ldap_client/templates/nslcd.conf.j2
index e1e362b..e5b8841 100644
--- a/roles/ldap_client/templates/nslcd.conf.j2
+++ b/roles/ldap_client/templates/nslcd.conf.j2
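Review bot: The extended pattern `~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re` is, as far as I recall, applied by Ansible as a start-anchored match only, so the `.*` also selects names such as `routeur-rives-backup.adm.auro.re` (added to the inventory in the next commit) and anything carrying a suffix after `.re`. If backup routers are meant to receive the `router` and `radvd` roles that is fine; otherwise anchor the end with `$` and narrow `.*` to the suffixes you actually run. Every new site also has to be appended to this alternation by hand, which is easy to forget since the same site list lives in `hosts`.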
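Review bot: The first hosts hunk removes `###############################################################################` and `# Groups by location` together with the two blank lines, which drops the banner that separated the per-site host lists from the group definitions and looks unrelated to adding `routeur-rives-backup.adm.auro.re` and `ldap-replica-rives.adm.auro.re`; keep those two banner lines after the new hosts so `# -aurore services` is not left as an unlabelled first entry of that section. The last hunk also appears to add a trailing blank line after `ldap-replica-rives.adm.auro.re` at end of file (`+` on its own), which is not needed.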
@@ -10,6 +10,11 @@ gid nslcd
 uri ldap://{{ uri }}
 {% endfor %}
 {% endif %}
+{% if 'rives_vm' in group_names or 'rives_pve' in group_names %}
+{% for uri in groups['ldap_replica_rives'] %}
+uri ldap://{{ uri }}
+{% endfor %}
+{% endif %}
 {% if 'pacaterie_vm' in group_names or 'pacaterie_pve' in group_names %}
 {% for uri in groups['ldap_replica_pacaterie'] %}
 uri ldap://{{ uri }}
From 33b96f2176060e7463eab80c6cc53feedd7c8fb4 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Tue, 10 Nov 2020 01:23:34 +0100
Subject: [PATCH 291/297] Add ghostream
---
 hosts | 1 +
 services_web.yml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/hosts b/hosts
index 05f2108..d054f64 100644
--- a/hosts
+++ b/hosts
@@ -25,6 +25,7 @@ camelot.adm.auro.re
 gitea.adm.auro.re
 drone.adm.auro.re
 nextcloud.adm.auro.re
+stream.adm.auro.re
 re2o-server.adm.auro.re
 re2o-ldap.adm.auro.re
 re2o-db.adm.auro.re
diff --git a/services_web.yml b/services_web.yml
index 0fa16fa..1582304 100755
--- a/services_web.yml
+++ b/services_web.yml
@@ -1,7 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Deploy Docker hosts
-- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re
+- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,stream.adm.auro.re
 roles:
 - docker
 
From f27eee1c359da8c701b0ef6fafb94e89bdfd5c30 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Tue, 15 Dec 2020 16:59:36 +0100
Subject: [PATCH 292/297] Add litl
---
 host_vars/proxy.adm.auro.re | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/host_vars/proxy.adm.auro.re b/host_vars/proxy.adm.auro.re
index 903b389..3622264 100644
--- a/host_vars/proxy.adm.auro.re
+++ b/host_vars/proxy.adm.auro.re
@@ -5,8 +5,10 @@ certbot:
 - drone.auro.re
 - gitea.auro.re
 - intranet.auro.re
+ - litl.auro.re
 - nextcloud.auro.re
 - re2o.auro.re
+ - vote.auro.re
 - re2o-server.auro.re
 - re2o-test.auro.re
 
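Review bot: The added block is another verbatim copy of the `{% if '<site>_vm' in group_names or '<site>_pve' in group_names %}` / `{% for uri in groups['ldap_replica_<site>'] %}` stanza with only the site name changed, which is exactly how the rives replica was missing until now; one loop over a list of site names would make the next site a one-token change instead of five new lines. The new `uri ldap://{{ uri }}` entries are plain LDAP like the existing ones; whether the template turns on `ssl start_tls` further down, or the replicas are only reachable over the admin network, is not visible in this hunk, so confirm that before relying on these URIs for NSS/PAM lookups. The template continues outside the hunk.
```jinja
{# ldap_replica_sites is a constructed name: define it once in group_vars #}
{% for site in ldap_replica_sites %}
{% if site ~ '_vm' in group_names or site ~ '_pve' in group_names %}
{% for uri in groups['ldap_replica_' ~ site] %}
uri ldap://{{ uri }}
{% endfor %}
{% endif %}
{% endfor %}
```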
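Review bot: `- hosts:` is a comma-joined string of FQDNs that grows by one hostname per service, and the same edit is repeated in the `Register WikiJS` hunk of this file further down; an inventory group in `hosts` (e.g. `[docker]`, name to choose) listing these machines would let the play read `- hosts: docker` and keep the host list in one place next to the `stream.adm.auro.re` entry the inventory hunk above adds. The shebang and `---` context lines show this file is run directly, so the play list continues outside the hunk.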
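Review bot: `vote.auro.re` is added to the certbot name list but, unlike `litl.auro.re`, gets no `- from: vote.auro.re` entry in the nginx hunk that follows; if no vhost for that name exists elsewhere in this file, whether issuance for that SAN still succeeds depends on the certbot authenticator in use, which is not visible here, so either confirm it is served or leave it out of the list until it is. Minor: the new upstream `to: 10.128.0.35` is unquoted while the neighbouring `to: "10.128.0.64:8000"` is quoted; both parse as strings, so pick one style for the file. The `certbot:` mapping starts outside the hunk.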
@@ -50,5 +52,8 @@ nginx: - from: drone.auro.re to: "10.128.0.64:8000" + - from: litl.auro.re + to: 10.128.0.35 + - from: re2o-test.auro.re to: 10.128.0.80 From 24fb0dbe6946b24949b7df855035951717b4cec2 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Tue, 15 Dec 2020 17:00:15 +0100 Subject: [PATCH 293/297] Missing yml extension to reverse proxy config file --- host_vars/{proxy.adm.auro.re => proxy.adm.auro.re.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename host_vars/{proxy.adm.auro.re => proxy.adm.auro.re.yml} (100%) diff --git a/host_vars/proxy.adm.auro.re b/host_vars/proxy.adm.auro.re.yml similarity index 100% rename from host_vars/proxy.adm.auro.re rename to host_vars/proxy.adm.auro.re.yml From 20bdf234957d0bd31a34a881602beeca3dd55355 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Thu, 24 Dec 2020 01:46:16 +0100 Subject: [PATCH 294/297] Register WikiJS Signed-off-by: Yohann D'ANELLO --- host_vars/proxy.adm.auro.re.yml | 4 ++++ hosts | 1 + services_web.yml | 2 +- 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/host_vars/proxy.adm.auro.re.yml b/host_vars/proxy.adm.auro.re.yml index 3622264..b8fb2c3 100644 --- a/host_vars/proxy.adm.auro.re.yml +++ b/host_vars/proxy.adm.auro.re.yml @@ -11,6 +11,7 @@ certbot: - vote.auro.re - re2o-server.auro.re - re2o-test.auro.re + - wikijs.auro.re mail: tech.aurore@lists.crans.org certname: auro.re @@ -57,3 +58,6 @@ nginx: - from: re2o-test.auro.re to: 10.128.0.80 + + - from: wikijs.auro.re + to: "10.128.0.66:3000" diff --git a/hosts b/hosts index d054f64..7920433 100644 --- a/hosts +++ b/hosts @@ -34,6 +34,7 @@ services-bdd-local.adm.auro.re backup.adm.auro.re services-web.adm.auro.re mail.adm.auro.re +wikijs.adm.auro.re ############################################################################### diff --git a/services_web.yml b/services_web.yml index 1582304..6bc6a6d 100755 --- a/services_web.yml +++ b/services_web.yml 
@@ -1,7 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Deploy Docker hosts
-- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,stream.adm.auro.re
+- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,stream.adm.auro.re,wikijs.adm.auro.re
 roles:
 - docker
 
From 21f19dc655a58c701c2bb19b5073105e88016ad8 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Thu, 31 Dec 2020 16:39:27 +0100
Subject: [PATCH 295/297] Add status.auro.re
Signed-off-by: Yohann D'ANELLO
---
 host_vars/proxy-ovh.adm.auro.re.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/host_vars/proxy-ovh.adm.auro.re.yml b/host_vars/proxy-ovh.adm.auro.re.yml
index c49b40e..3b427e8 100644
--- a/host_vars/proxy-ovh.adm.auro.re.yml
+++ b/host_vars/proxy-ovh.adm.auro.re.yml
@@ -11,6 +11,7 @@ certbot:
 - privatebin.auro.re
 - riot.auro.re
 - sharelatex.auro.re
+ - status.auro.re
 - wiki.auro.re
 - www.auro.re
 mail: tech.aurore@lists.crans.org
@@ -59,3 +60,5 @@ nginx:
 to: "10.128.0.150:8084"
 - from: cas.auro.re
 to: "10.128.0.150:8085"
+ - from: status.auro.re
+ to: "10.128.0.150:8086"
From 50fa96f31a7638835ad612aa34319d90e99ff9a1 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Sun, 17 Jan 2021 12:01:22 +0100
Subject: [PATCH 296/297] Sort APT packages
Signed-off-by: Yohann D'ANELLO
---
 roles/baseconfig/tasks/main.yml | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml
index d73cf07..7e850e5 100644
--- a/roles/baseconfig/tasks/main.yml
+++ b/roles/baseconfig/tasks/main.yml
@@ -4,26 +4,26 @@
 when: ansible_os_family == "Debian"
 apt:
 name:
- - sudo
- - molly-guard # prevent reboot
- - ntp # network time sync
- - apt # better than apt-get
- - nano # for vulcain
- - vim # better than nano
- - emacs-nox # for maman
- - htop # better than top
- - zsh # to be able to ssh @erdnaxe
- - fish # to motivate @edpibu
- - oidentd # postgresql identification
- - aptitude # nice to have for Ansible
 - acl # advanced ACL
- - iotop # monitor i/o
- - tree # create a graphical tree of files
+ - apt # better than apt-get
+ - aptitude # nice to have for Ansible
 - bash-completion # because bash
+ - emacs-nox # for maman
+ - fish # to motivate @edpibu
 - git # code versioning
 - less # i like cats
- - screen # Vulcain asked for this
 - lsb-release
+ - htop # better than top
+ - iotop # monitor i/o
+ - oidentd # postgresql identification
+ - molly-guard # prevent reboot
+ - nano # for vulcain
+ - ntp # network time sync
+ - screen # Vulcain asked for this
+ - sudo
+ - tree # create a graphical tree of files
+ - vim # better than nano
+ - zsh # to be able to ssh @erdnaxe
 update_cache: true
 register: apt_result
 retries: 3
From 2472ce5db0e40fa4df067a05af44d489b80a9868 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Sun, 17 Jan 2021 12:02:53 +0100
Subject: [PATCH 297/297] Install curl and net-tools by default
Signed-off-by: Yohann D'ANELLO
---
 roles/baseconfig/tasks/main.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml
index 7e850e5..eb62226 100644
--- a/roles/baseconfig/tasks/main.yml
+++ b/roles/baseconfig/tasks/main.yml
@@ -8,6 +8,7 @@
 - apt # better than apt-get
 - aptitude # nice to have for Ansible
 - bash-completion # because bash
+ - curl # Better that wget
 - emacs-nox # for maman
 - fish # to motivate @edpibu
 - git # code versioning
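Review bot: The package list is still not alphabetical after this commit: `lsb-release` is followed by `htop` and `iotop`, and `oidentd` sits ahead of `molly-guard`, `nano` and `ntp`. Moving `- htop # better than top` and `- iotop # monitor i/o` up between `- git` and `- less`, and `- oidentd # postgresql identification` down between `- ntp` and `- screen`, gives the order the commit title promises; neither yamllint nor ansible-lint will flag this, so it is worth fixing by hand once. Installation is unaffected either way, since apt receives the list as one set. The enclosing `apt:` task and its `- name:` line start outside the hunk.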
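Review bot: The inline comment on the added line has a typo: `- curl # Better that wget` should read `- curl # better than wget`, lowercase to match the neighbouring `# better than apt-get` and `# better than nano`. The enclosing `apt:` task starts outside the hunk.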
@@ -18,6 +19,7 @@
 - oidentd # postgresql identification
 - molly-guard # prevent reboot
 - nano # for vulcain
+ - net-tools
 - ntp # network time sync
 - screen # Vulcain asked for this
 - sudo
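Review bot: `- net-tools` is added without the why-comment every other entry in this list carries, and it is the legacy ifconfig/netstat/route suite that Debian has superseded with iproute2 (`ip`, `ss`); if it is wanted only for interactive convenience, say so, e.g. `- net-tools # legacy ifconfig/netstat, use iproute2 in scripts`, so nobody later builds automation on it. It is also placed after `nano` rather than in the `n` run before `ntp`, which is the position the previous "Sort APT packages" commit aimed for. The enclosing `apt:` task starts outside the hunk.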