aurore/ansible
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: aurore:master
Branches Tags
aurore:master
aurore:use_python3
aurore:mail_server
..
compare: aurore:use_python3
Branches Tags
aurore:master
aurore:use_python3
aurore:mail_server

1 commit
master ... use_python

Author SHA1 Message Date
Alexandre Iooss
c8c7fcbcfd Use Python 3 2019-03-10 13:22:32 +01:00
181 changed files with 1092 additions and 6734 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.ansible-lint
View file

@ -1,2 +0,0 @@
skip_list:
- '301'

19
.drone.yml
View file

@ -1,19 +0,0 @@
---
kind: pipeline
type: docker
name: check
steps:
- name: yamllint
image: python:3.9-alpine
commands:
- pip install yamllint==1.25.0
- yamllint -c .yamllint.yml .
- name: ansible-lint
image: python:3.9-alpine
commands:
- apk add --no-cache gcc libc-dev libffi-dev openssl-dev
- pip install ansible-lint==4.3.7
- ansible-lint *.yml
...

2
.gitignore vendored
View file

@ -1,3 +1 @@
*.retry *.retry
tmp
ldap-password.txt

17
.gitlab-ci.yml
View file

@ -1,19 +1,6 @@
--- ---
image: python:3.9-alpine image: quay.io/ansible/molecule:2.19
stages:
- lint
yamllint: yamllint:
stage: lint script: yamllint -c .yamllint.yml .
script:
- pip install yamllint==1.25.0
- yamllint -c .yamllint.yml .
ansible-lint:
stage: lint
script:
- apk add gcc libc-dev libffi-dev openssl-dev
- pip install ansible-lint==4.3.7
- ansible-lint *.yml
... ...

1
.yamllint.yml
View file

@ -3,6 +3,5 @@ extends: default
rules: rules:
line-length: line-length:
max: 120
level: warning level: warning
... ...

159
README.md
View file

@ -1,140 +1,49 @@
# Recettes Ansible d'Aurore # Playbook et rôles Ansible d'Aurore
Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore. ## Exécution d'un playbook
Pour les utiliser, vérifiez que vous avez au moins Ansible 2.7.
## Ansible 101 Pour appliquer le playbook `base.yml` :
```bash
Si vous n'avez jamais touché à Ansible avant, voilà une rapide introduction. ansible-playbook --ask-vault-pass base.yml
**Inventory** : c'est le fichier `hosts` d'inventaire.
Il contient la définition de chaque machine et le regroupement.
Quand on regroupe avec un `:children` en réalité on groupe des groupes.
Chaque machine est annoncée avec son hostname. Il faut pouvoir SSH sur cette machine
avec ce hostname, car c'est ce qu'Ansible fera.
**Playbook** : c'est une politique de déploiement.
Il contient les associations des rôles avec les machines.
L'idée au Crans est de regrouper par thème. Exemple, le playbook `monitoring.yml`
va contenir toutes les définitions machines-rôles qui touchent au monitoring.
Cela permet de déployer manuellement tout le monitoring sans toucher au reste.
**Rôle** : un playbook donne des rôles à des machines. Ces rôles sont tous dans
le dossier `roles/`. Un rôle installe un service précis sur un serveur.
Il est préférable d'être atomique sur les rôles plutôt d'en coder un énorme
qui sera difficilement maintenable.
*Exemples de rôle* : activer les backports pour ma version de Debian, installer NodeJS,
déployer un serveur prometheus, déployer une node prometheus…
**Tâche** : un rôle est composé de tâches. Une tâche effectue une et une seule
action. Elle est associée à un module Ansible.
*Exemples de tâche* : installer un paquet avec le module `apt`, ajouter une ligne dans
un fichier avec le module `lineinfile`, copier une template avec le module `template`
Une tâche peut avoir des paramètres supplémentaires pour la réessayer quand elle plante,
récupérer son résultat dans une varible, mettre une boucle dessus, mettre des conditions…
N'oubliez pas d'aller lire l'excellent documentation de RedHat sur tous les modules
d'Ansible !
### Gestion des groupes de machines
Pour la liste complète, je vous invite à lire le fichier `hosts`.
* pour tester les versions de Debian,
```YAML
ansible_lsb.codename == 'stretch'
```
* pour tester si c'est un CPU Intel x86_64,
```YAML
ansible_processor[0].find('Intel') != -1
and ansible_architecture == 'x86_64'
```
Pour les fonctions (`proxy-server`, `dhcp-dynamique`…) il a été choisi
de ne pas faire de groupe particulier mais plutôt de sélectionner/enlever
les machines pertinentes directement dans les playbooks.
### Lister tout ce que sait Ansible sur un hôte
Lors du lancement d'Ansible, il collecte un ensemble de faits sur les serveurs
qui peuvent ensuite être utilisés dans des variables.
Pour lister tous les faits qu'Ansible collecte nativement d'un serveur
on peut exécuter le module `setup` manuellement.
```
ansible proxy.adm.auro.re -m setup --ask-vault-pass
``` ```
## Exécution d'Ansible Il est souhaitable de faire un test avant avec `--check` si on a des doutes !
### Configurer la connexion au vlan adm ## FAQ
Envoyer son agent SSH peut être dangereux ### Mettre sa clé SSH sur une machine
([source](https://heipei.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)).
On va utiliser plutôt `ProxyJump`. ```
ssh-copy-id -i ~/.ssh/id_rsa_aurore.pub virtu.fede-aurore.net
```
### Automatiquement ajouter fingerprint ECDSA (dangereux !)
Il faut changer la variable d'environnement suivante :
`ANSIBLE_HOST_KEY_CHECKING=0`.
### Configurer la connexion au bastion
Envoyer son agent SSH peut être dangereux ([source](https://heipei.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)).
On va utiliser plutôt ProxyJump.
Dans la configuration SSH : Dans la configuration SSH :
``` ```
# Use a proxy jump server to log on all Aurore inventory # Use a key to log on all Aurore servers
# and use a bastion
Host 10.128.0.* *.adm.auro.re Host 10.128.0.* *.adm.auro.re
ProxyJump passerelle.auro.re IdentityFile ~/.ssh/id_rsa_aurore
ProxyJump proxy.auro.re
``` ```
Il faut sa clé SSH configurée sur le serveur que l'on déploit. Il faut savoir que depuis Ansible 2.5, des connexions persistantes sont créées
```bash vers les serveurs puis détruites à la fin de l'exécution.
ssh-copy-id proxy.adm.auro.re Il faut donc éviter de lancer une connexion SSH persistante pendant l'exécution
d'Ansible.
### Lister tout ce que sait Ansible sur un hôte
``` ```
ansible -i hosts ldap-replica-fleming1.adm.auro.re -m setup --ask-vault-pass
### Lancer Ansible
Il faut `python3-netaddr` sur sa machine.
Pour tester le playbook `base.yml` :
```bash
ansible-playbook --ask-vault-pass base.yml --check
``` ```
Vous pouvez ensuite enlever `--check` si vous voulez appliquer les changements !
Si vous avez des soucis de fingerprint ECDSA, vous pouvez ignorer une
première fois (dangereux !) : `ANSIBLE_HOST_KEY_CHECKING=0 ansible-playbook...`.
### Ajouter tous les empruntes de serveur
```bash
#!/bin/bash
for ip in `cat hosts|grep .adm.auro.re`; do
ssh-copy-id -i ~/.ssh/id_rsa.pub $ip
done
```
### Passage à Ansible 2.10 (release: 30 juillet)
Installez la version de développement d'ansible pour faire fonctionner les
playbooks de ce repo, ainsi que les collections suivantes :
```bash
ansible-galaxy collection install community.general
ansible-galaxy collection install ansible.posix
```
Si vous n'arrivez pas à entrer votre _become password_ (bug dans ansible?), un
workaround est le suivant :
`$ export ANSIBLE_BECOME_PASS='<votre mot de passe LDAP>'`
Notez l'espace au début pour ne pas log la commande dans votre historique
shell.

21
ansible.cfg
View file

@ -1,25 +1,19 @@
# Ansible configuration # Aurore Ansible configuration
[defaults] [defaults]
# Do not create .retry files # Use Aurore inventory
retry_files_enabled = False
# Use inventory
inventory = ./hosts inventory = ./hosts
# Custom header in templates # Custom header in templates
ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S by {uid} ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
# Do not create retry files
retry_files_enabled = False
# Do not use cows (with cowsay) # Do not use cows (with cowsay)
nocows = 1 nocows = 1
# Do more parallelism
forks = 15
# Some SSH connection will take time
timeout = 60
[privilege_escalation] [privilege_escalation]
# Use sudo to get priviledge access # Use sudo to get priviledge access
@ -33,6 +27,3 @@ become_ask_pass = True
# TO know what changed # TO know what changed
always = yes always = yes
[ssh_connection]
pipelining = True

9
base.yml Executable file → Normal file
View file

@ -1,12 +1,5 @@
#!/usr/bin/env ansible-playbook
--- ---
# Put a common configuration on all servers # Put a common configuration on all servers
- hosts: all,!unifi - hosts: all
roles: roles:
- baseconfig - baseconfig
- basesecurity
# Plug LDAP on all servers
- hosts: all,!unifi
roles:
- ldap_client

6
codimd.yml Normal file
View file

@ -0,0 +1,6 @@
---
# Install CodiMD on CodiMD containers
- hosts: codimd.adm.auro.re
roles:
- debian-backports
- codimd

20
copy-keys.sh
View file

@ -1,20 +0,0 @@
#!/bin/bash
set -e
# Grab valid unique hostnames from the Ansible inventory.
HOSTS=$(grep -ve '^[#\[]' hosts \
| grep -F adm.auro.re \
| sort -u)
# Ask password
read -s -p "Hello adventurer, what is your LDAP password? " passwd
echo
for host in $HOSTS; do
echo "[+] Handling host $host"
# sshpass can be used for non-interactive password authentication.
# place your password in ldap-password.txt.
SSHPASS=${passwd} sshpass -v -e ssh-copy-id -i ~/.ssh/id_rsa "$host"
done

6
dokuwiki.yml Normal file
View file

@ -0,0 +1,6 @@
---
# Install DokuWiki on the wiki TEST container
# When it will be operational, horus-wikitest will replace horus-wiki
- hosts: horus-wikitest
roles:
- dokuwiki

6
etherpad.yml Normal file
View file

@ -0,0 +1,6 @@
---
# Install EtherPad on EtherPad containers
- hosts: pad.adm.auro.re
roles:
- debian-backports
- etherpad

66
group_vars/all/vars.yml
View file

@ -1,19 +1,20 @@
--- ---
# Use Python 3 # Use Python 3
ansible_python_interpreter: /usr/bin/python3 ansible_python_interpreter: '/usr/bin/env python3'
# LDAP binding # LDAP binding
# You can hash LDAP passwords with `slappasswd` tool # You can hash LDAP passwords with `slappasswd` tool
ldap_base: 'dc=auro,dc=re' ldap_base: 'dc=auro,dc=re'
ldap_master_ipv4: '10.128.0.21' ldap_master_ipv4: '10.128.0.11'
ldap_master_uri: "ldap://re2o-ldap.adm.auro.re" ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}" ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}" ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}" ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
ldap_codimd_bind_dn: "cn=codimd,ou=service-users,{{ ldap_base }}"
ldap_codimd_password: "{{ vault_ldap_codimd_password }}"
ldap_matrix_bind_dn: "cn=matrix,ou=service-users,{{ ldap_base }}" ldap_matrix_bind_dn: "cn=matrix,ou=service-users,{{ ldap_base }}"
ldap_matrix_password: "{{ vault_ldap_matrix_password }}" ldap_matrix_password: "{{ vault_ldap_matrix_password }}"
ldap_replica_password: "{{ vault_ldap_replica_password }}" ldap_replica_password: "{{ vault_ldap_replica_password }}"
ldap_admin_password: "{{ vault_ldap_admin_password }}"
ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}" ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}"
# Databases # Databases
@ -32,60 +33,3 @@ ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
# Monitoring # Monitoring
monitoring_mail: 'monitoring.aurore@lists.crans.org' monitoring_mail: 'monitoring.aurore@lists.crans.org'
# Matrix
matrix_webhooks_secret: "{{ vault_matrix_webhooks_secret }}"
matrix_discord_client_id: "559305991494303747"
matrix_discord_bot_token: "{{ vault_matrix_discord_bot_token }}"
###
# DNS
###
# Dernier octet (en décimal) de l'addresse des serveurs DNS récursifs de chaque
# résidence.
dns_host_suffix_main: 253
dns_host_suffix_backup: 153
backup_dns_servers:
- "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
# Finally raised!
mtu: 1500
subnet_ids:
ap: "14{{ apartment_block_id }}"
users_wired: "{{ apartment_block_id }}0"
users_wifi: "{{ apartment_block_id }}1"
users_banni: "{{ apartment_block_id }}2"
users_accueil: "{{ apartment_block_id }}3"
# Keepalived
keepalived_password: "{{ vault_keepalived_password[apartment_block] }}"
# Re2o config
re2o_secret_key: "{{ vault_re2o_secret_key }}"
re2o_db_password: "{{ vault_re2o_db_password }}"
re2o_aes_key: "{{ vault_re2o_aes_key }}"
# Radius
radius_secret_aurore: "{{ vault_radius_secrets.aurore }}"
radius_secret_wifi: "{{ vault_radius_secrets.wifi }}"
radius_secret_wired: "{{ vault_radius_secrets.wired[apartment_block] }}"
radius_secret_federez: "{{ vault_radius_secrets.federez }}"
radius_pg_replication_password: "{{ vault_re2o_db_user_passwords.replication }}"
radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}"
# DHCP
dhcp_failover_enabled: true
apartment_block_dhcp: "{{ apartment_block }}"
# Careful, this is not byte-aligned, just nibble-aligned (RIPE gave us a /28).
# However, we ALWAYS keep the trailing 0 to have byte alignment.
ipv6_base_prefix: "2a09:6840"
is_aurore_host: "{{ 'aurore_vm' in group_names }}"

278
group_vars/all/vault.yml
View file

@ -1,174 +1,106 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
34336231623938346631313932323131336439623837626366646338396137633436646365386639 38616339383037366465353638383665643938633061323863386539323861633135363964303364
6332383765386235396331373836366230663563376665380a616436373136633933376435653230 6335326537383039316566623031306136633364336337320a343434623066313535363430303866
64333963663436393265666434653164643164616134353665306462326666623530383838343135 61613635663336376530333463363037316230323339393463393465313366643438316565306564
3531343533656332350a343432336636316131386132306238653736633966363235623833343638 3263613463653764330a363330623331323762306330336465633538353637373838396231643762
38643061383963396466346536343061653034333037393664356661376565643765306462626231 35353137306132653861343736323934326161663436653737333462333938393330393861363764
39326233363962373839303464333833306532343834306232653731326135653934643836323639 38333837353564396563623039636438663662626330323632383234333662613835633138326161
36343937626536346331613263663865346634666534646266623061303639626636393230616261 33626537633863393864373937306332386131626562323762616439643830626339633833313638
32336366356439353738633234326138656464656630303362623664616634306230623538373965 65363930353162323635356430313030303734386339393730383135323937623939393233663335
32346439306337623737616666353830626630373562366436653131393532313035303836326430 39316564396463643134636363326262343538666234333837373164646434643232623666636162
64613235646366616533313065396663366434363832333535336631323366336437396664303834 61616637396561323166313131393163353166353764396564373330326262346666373034663465
30336466313064636565326564356435306136396363373464326534303366323262303732626661 35326563306538653562333864383662336338656566313432633831313363663131393930336234
38326663313332633530353739346538343434316133343066313530366637376135323564306537 61336230643539303532656437616638323266623434393863623661366237386537386232383332
65626261303231656432333364333965663065346436626631666466643934623064333163626339 38643433626466343633626665386633663964306566643436363839363462326632393863616230
32633565303734303862326365336339346133393431636266303530626564326361653230626536 62386662386363613737613839386436383734623461386363313832636661636334633132363433
32313231373037633134623761663832393666353732613965613436323939343233613433343538 30383135646465353232623936366337663130376232343231376565313563303534313462336462
37326438383130303861316663396333376662386337353964633930353536653437653061356635 39353861663230623536613735663865373238303832306636323532393734303538383837336237
35646232343535313130646237643835376162623639333961323964353830653366626438346237 36613732623539616237663962666263393138303064646335623336343432323266663335363061
36343663346332656537363434396633336161373730663364306239306432343930643230656465 36306361653035653334343031303663373334613365393635616362343461616535343964306666
37633537616232656661313764626232303535383563353861396431643735326162383866626231 36663030373133346663663839373363663163653961323533356361373533643636626339356332
61383165613332666537656137636430323332326335323763303537386662646263353539613964 34663063326363646638646330626666633564373763326636363764653831336134393131653864
37323966306364306436653033393931663239383435613836356164633135306233356364313036 62353163613534386364323430346435316339363338666563366262336536373162346265353165
39356661613434633930633066646437636535313565356366303732613731333062643231313035 66363834306536383465376339323462303265373263333065623837656133623035366366396335
65333461396131663764626665393562623030343561313136363964393664376136303839333664 34313566326565333930386336353333396237633333613336666566393465616563393563633335
65313465623331333538393734373264313562643232666130303930333662616465656432363039 33313232646466313333633564653535343564626566353863613964303732616436626535656135
66616530336666343861336434633063343561323931323931346132376263376565313366306639 39313632346530636639333435643034666138633831313864316266376330336334333263356132
64646465303432333136353661323936633965666364356633653861363139616562653834313861 30613865336164353433383232316637663131653231393235343262666636623461653332323664
63306133613066373462383236613939316130623937643939323134343936356638376335323836 63323637396132666333633863393131363935626435313366646563366366356265346130373162
39383334656236633037633230313138326238303863623231353465346661663162623138353461 66306261303539323763336130616165323863646466643336316437663266303730313433343932
33343738613137366364633730346261366564646161373837613865393233663431636361663962 39643639376531303839636632333063323837306638373863663132386533353735343234666139
38313230363737306265636435353533666262333666383639343364633464396566333433333538 33633462346438356338613830313533306263383263383036363566323437356235386636333432
39643934646537653234336361613664333434623739353831316531313666396638333136343638 31383462626338346339353536653437623731643036363366666437316362356266396634383865
33653034366362363562633462303165626333306664326366353334363964663936616430643662 65663332383837373334393863386531663831643366613131663666303436306336313935643065
30616334326638323133366632663237356238353934323361376237613632396134663536336364 61336661313562326465393936643130393465346636363234386436616165613436393436623664
39363439326335363437373939353564646663616464663763353931323233316135656634343137 33396165376363316334613737613261396633306233643337393936393465313763343439646136
34396130386134386331643534353461663963323435656337653032376565313635623231343135 38643135346234653234316536363964303331303932656134323165333239623362333931323334
34303130316239303065386134663332393938636332363665643832326439653733633231346537 62323634373764663464343031626432653131306664336130396265363964663866663538376239
63383634333034323434376237663932613638363835393837613632663265616363303233653539 33653430366265623733376536613632646662646632653132336537383336303335623966396131
61333765313463616665613136303533343230303735626437343635303934613365326166333966 62303136613934656664386162373433323962336134663435373730366632666135663030653133
66613538393466666630363333643730653239393435616634303430396635383631613439623433 38613632623765616465383266356238313333336434376238396339343031323465343833323665
36646431393865666162373232343335356366366633633264326639643434396234313863333163 61666366326363303832663164363838353739653534313235336530396330346466656432386636
63396534623931633833656565396635333133376165613031663831633564663061656131303564 36613239613239613835633265363064316134346464616338333532376132373637356665346230
61303132666264636139313738643161313134643733633366376538366135663135333333333564 38343461613335663061393037643466383664323263336364356364363262346236326161653362
64366262353837363061653663616265393264373230346330636465336439623063636639356136 63653963303139616430333738373038333661333562376130363061366338346430303231363138
65383638643961326661396336373163643832366561363764626461623662333436373136616437 66373866303331333035316533373336376466346630326166373734353834306237383462356430
30316537653432356133616338353165633462643634323563306366343965326635363863316232 33633332366636613534313933323065633736656432656236653930623663616133336435313337
61633135643861333635383464383937306236626632366235363433313335663431366531356337 36623031663333386362306138343231363130626131323735316562363730656230376132303439
37303465323638383930336138356665343966336137356137656564303733373565366162343330 36323932666362613237666164653037353631353730346466303764326162366266376130316166
38326366653733376138356339313564616165626235356363343430353239616339656239323964 32363739373437333731643936366334376463383664373139363465666538666331636535626462
31643734653263653461333135386261646265323134633334376262323330396634643764323635 32323834616338376264393461626665393635336638383333653466336332316364363330333738
30336262323035613338333166353364333836623865393132613338393237363734616330366463 61303161303564383563653039653263343161336362373563616237373865653965343639343465
64646163303337323531636532383438356237306337656439663565643032633462316366663164 35363536613233313534633665373264303139393731626339646466663431363361373938623334
33613039326337353531303831313136653539353261373930613030383134653261363833653439 38613766643861326538663563656662383665376137393333616566646136336339306333653066
31343662623035393238646263633066653362323434306137633339393330376462356139333362 34373864353230343032386236386165616462316562363062613330636264303632396339646632
35363436356530363134663064653031376561343732346262383333353733363136396262643135 37316630303536316436356138626533653865366137666131363064643964333838633266366365
31326566303535343833326562376464643632363434323839366366626134303830323563633237 64663661333764616635383263376662616239323930643261613161313265633236623834376263
37313964353033316163303738636632346137353437333463303135323631383132623133663130 31623565633964376632346533373037333166346332313266316138613665353530336562643739
32373163393861366137303138363134653534613236636439623731393837306130626638343134 32393161396338353630363838643130323431343339376431373165313238383064616335323064
39313532386338343662333134353761653162663665396664366239633536613132313735373334 36313366633161303635383062656538343538363039343931623736623766343762343563646134
37613161383633653861376433633632333163653439633938386137313632396137616337373465 33626264643639333364343131636163646361626130646237326435373731613237663736393439
65383238396439666537313833663364333731613434333739393161363437306665363834653761 37376639333930396337333938373866383133613730613162356364323265373431633836653838
34303464386633633163353636643964393233383232623765373239376633393139326630653765 34323532613437313064383035313030306636346435396666653933626232313638656531366234
62646439646534376234323661383063656463313437323231333165626163626262626562376338 34313837623136656361393230653637633535333063333662363137323962353232386366656264
62646362346261313738323830613037663035666361386139666432613230346334323063326239 30303164363531343261626262653962383664313131333535313038343461303464326464373337
65303065343061613736343663363630336333623439383032313137616131623933323636306331 34646537353031386265313066313136613533663335306636346237613264313061666233376131
34636130626338303039356137353532346562363531623936316162336663306437386532363236 62346537666362373539626334376630633539343932623133653431393731356266623730353036
36333661316161613237343032623764396435346632363963643438316430666539393566353939 64626133623638303132356639663538363537623739386166333337333431363939666362663137
33333234313839636537366465356364303438313830663261373563346538626432313139303030 62303664306663376136353235613031623435393065376635353032666136396332613861376630
33333066626463663663643833323764643737386162663766356665643064313263376434353038 65633061623466313838383664613839663033333736396536333863636435306263666466313265
37643630643737663566653562353261333734636262626437393239383063613661643166626630 62633539623037616535333164316538616439333838633730313066366232616566646435376530
31313564346239396561326162333534376264616435313762623032636432363832383630343964 66316164323737396230373339333936313532343266303765356530633534643439626236313136
30343663643935633465393465626131633931623930653962303830333065363435383237653566 65373833633461393734353737363566353634353764333961643033393932353236633336393436
65646632376330306437663334313932653230653562356338663366616463303466366263366137 61333537666263666238303736316462356138396232373839343434643730643766333535643565
64633934626339633235386630396561376130373763313137386531356637633863393035306634 38333163353634633637393766346261613931663134363230353633336533643339353832653632
65353432323235363135633832373032623837376333346131303162303464616234313062316563 64343438353266343937373138643635616331336164316166343536643434616665326331353161
64646634633963663032613533636665333335656539323238623362306363313835626632306236 39303732663037653634303263386134366536333830363366663639383033323832653364393766
30663637356463363530316434316639326639633539333335633330333834643035353932313638 30333438313361613764633239373036336230353333343262613761323930656265313031323065
64356565653065666131373538356462306633343161376537323762313666373235353236313963 39666562393565326139373061313061396265386239343462346535623766313364343136343038
65613561633266306632616538616461626532666435663038646138386430376164663766363138 39373462663434633731636662653966383233396163643137373530303134633465643130383265
35316262393065653739323035666531333330326235386133383834383865356635666537333533 61376538626365396236643139336366643966306131393635623438393932313164623766353233
31376138353231313262646334386566376264323066373934666363313431643738383064666437 61643732303837366139356236353937303036343232363537623231303661653035383831343830
36656437313039656666373530346534393735353163646635663839326366643333393665626464 64663763383563303461633335313663643161336435343735333536393661663235636665383662
36616637303631653661373433653865323634363065303433386534363064356564636465366265 37393139333361323136366564383132633830386335376137396563343937306431653665316161
31333064383233636538393032376234663663353162343530376631356533653231303730396465 38323137643437383636373033326236613936396564626466386432393733633361623032326135
33366162376464633633313664303939306330613865663431653037303061633130626635653638 61346166393964313637356330653339646365326365326130386537343535353038643538393336
66626264363333376463386666313663333964333137333231303361616533393236373861656534 66366335316538393333613631346365393038623261303536363732383637643430346632343139
32326335306566623332396638383133353434363565316432353963353062313662326361336537 61643265333466323666633834333462613161653165663432613934353036343937343939303033
34396632656234333263663831326566353434316234613365316132363730643665373761666562 35636134343761666534656636383632363562633634383364323039613431666239346136616231
31393565653663653731633333633730326265376135666162656132623238333765333363653130 37383838316338666462376133613632663633663935643563346333356464663434393734366433
61353632313532616266363139336162336565356365316531336364623930636430353831623233 37376539366139396536323535316539643261636533303065326164643132313439313632306664
61616131313438306633333066613764313161333934316139633738623164623564646365663566 33386136393734613739396336396635353439393531393363326137363562646363333762386135
66356464376133363137313036623930373362306166623838373131313330393837396261656561 32376162373766393763343634326434323034336533336166666635636135393066353238626161
66396233313530643164353264656563383632363139333262626532376562613630643437666266 37376132306339626263313663376638633337656162333431313439643930303332666138643962
66656335656634613138316138643666623430363833663035616138336461303035633731636262 37313331616563643638343464653535653038613136313637336534636537343763376634626538
36393939333765346239666433323032323361343934656463396365333366623337316663396263 64633133656237346461346330333061636663336262646264326237373736366337663331323764
36616431626633663963636135643833666234613830366434636532373031343263316436306162 65353931373266336232366434356631383338386537616535656664323334363963666631363331
39356365376561643665323866656465313434623138326238353662653735613565623264333336 37653666316236613931386161346439663935656466396137643765626632643263323163623138
61393763363862613766653064636130323732663466366133666361636339356464313037353462 34326363373633303365353530383633623936313436616635353733643837656233613635383966
63633936653235656538383433393065393162643034393538666433616131343462346235393164 37356665626530626532356632323338623062386332616332643061623031366366613433383734
39353663373338626665663563663162633430343330373430376336326432346233663365376533 33623732636637363237336439373432616332643638303131363332393230663565323139303163
32656465343538643137326366653232343530363834383831386634366262303333636261353863 36643134363861383834656539626166386164326236336266633435626163383437366338353930
32633437343432653936643766363338636535613532323362656435613363393238626466303861 33373932333832373237343532623537363931366636346132616162343839303965386337316164
38633861333638613466306338613932353964393365356637306261626535323732316362623731 61656233616633323933306165643666306661366632613933383932616664613663663234653431
33313963623439613939333639346461663338373334396165636231666266613065323731373964 30306163346630653239323966396638643162303766363131646430303366303435343866353639
64313133383435333935376531313432663766633133633863356563663535333263636237386136 66373465393764396335346131346331353561643434633364656530626238326333333731383361
61653963633166383135333436646465383536373039383538326366636634313061613730653962 35653232373235383633616634643966636336333461663237653764626534346336
37623962643866396637336231363038373465393637356463656566666661313130313863383233
37343636346535363832626365396262303862393535336565393635663637323730373564336634
37363036323733306535336366373630356531353737303165376530656433626634343365626239
64346136363030663862313431653761666432393933366665346361626361623039326434633835
32666538653037613361343536383634643762356234366433663639653461303933306434333864
37386436393465323139306161333738383265323436376536656264356230303163326134323864
63396331666431666464656161633466333764653631623131646566303366333030653834333335
31323365353239366232643863386365633861376235643034303563613363663661616564363663
63326562613365653539383336383339646164623864323830653434623365393432666466323134
33626330373361393734656632393232363866613863373135636537613934343065306265623964
34643765636165393336356630353663343065333431656164363638646233663762346536343362
65653364343537383336373933313464663464653465383830363631316336303464313731356230
34336130323766386465373162346535396565346630353734303937396130656132376331326563
36386339383338346533646331666262396432336434646333653664326635386238333763626637
31363464306465666339316436323265623437636533643431363161323139653065323534636533
64386334353439373133313937343234373963353331646233346432646430636530663336316134
66303337313034396232643531643262343036313762633165353665653938313665386363353865
66333166303636626565613136653365313763303263313239333033353638616566656134396131
38356434343931303134303362313363343634613361353538636634336332373132356165326163
30386130326239366532363962316435663862393836326439623862366166376234343439306465
36346639623939353232366333643963646336383833386565643435393734653936313638663930
32323065343737663564333961373034393261613862333431663562353964666561643831316432
35313832356639333937333266306166656538643065386639346337306134613536356137316331
38376434666332366531393639303561663934353130333161636530383932653236313530616531
61656664626663373164343863333039356362343034326131376666623264663732303734366363
30306430353732616131346637626332656434393163313661356465393263393235396662623962
62643538623331646265643561623366383937313136383939366164613235666234663137653432
34316138643139336331356663333632656539653632626136613431393736613630353237356164
33623632643335663163656236633134343464353837346237316162346634633336663564656531
39373730346130363963376463326238366235613539613466653139306237343164336462353236
39323361636333353661633863663162633563343937366461346338363061623730633537626562
30353938383664333861366431343033313961376436363065373430353736343563313531386663
37313534303564333237616331396437376436383833373936376664666366373235613533663239
64653863613531356666646233393533646131333961343730663461346235633961306263343831
64386332653330323937643266373437633465363933653833343930616134626566363339366362
36356163333730656233653431326430326566386264343330666131393166323537623137396237
65386234653231666631366533383762643830333261363532666138386263643662633932626335
66303363613035643931393933303035323566373634663037313338616132373162366334373962
33666463613435396331326565353433336361303562326562663035313639333232333430373266
65383235356132353838636565636436356361653831356430663935613766613237366564316566
37396130393363386566306162346466326165353863636633306335383265306139396339383866
34326335323962633032386162623033353036643437313832323166363764653339343638343964
66626662326234306362656162336538353131366337643761643930306163333661653062663832
61303963623433313565633235306132366663336662616232613339366363373934613631623431
34323736383366333032343364373533363761323338346163323836653235653136646162306166
65333734623663346233343961396566313838653036396430396134393839326535363237363638
38333232333863396334366561303136333863356666656335633630616531363766343535616533
35656166303837653365303436623431613931336331356531666665346562613263363666626238
62626236323863383366643162356462306163653032626130333863656337623136646439316337
33306432663134383038646133346131333732633932383239643733643138303434646565663266
34616265383733343963323538656138656331396438616133393063356638633965323363653066
65353837333363613762333839313631373137363064383830353565333832356162323862393030
35373038613133643466636537626437393837633865363566343565626633376262373766613738
39343334336238363131373762646564653839623531323066356430326263376534373664363331
64373735383933303638303661333964333464306338613363326261623438336530636262373766
35346339643939666162386232666236326131366366303432393838326239313730323431376231
39363032616666393431326533643865643937363937356431623763363037373333653266376561
63323462363063343234373534663063353865363037383932386231313338343239653131633561
34623439396232633265616438623562666333303932396366663330326565363736633461333463
66346537323061306662323062393061353565393165363532306439343262343632616465363364
30376331346430313536313963333136663833323064633631653935326366633862336163316538
33383434336666303434363236396662366664393637656462363331356631613332353766636663
62323264336235306532343065323834313730353237616463373766303439663533336366363565
35646461636263646633343634323735383235376330616334373937646165623639363663353361
65613034353736633332663333616564356265323731613537393430633137333337643663323137
31623732663331653935316337306433333633353565343265666333363864346562363961333439
30656136636661396335623566386362333861616663393738626632633537613564636261383138
3233

8
group_vars/aurore/main.yml
View file

@ -1,8 +0,0 @@
---
apartment_block: aurore
apartment_block_id: 0
router_ip_suffix: 254
# We have two -aurore DHCP servers, but no failover peer functionality is needed
# because they only give out IPs assigned by re2o.
dhcp_failover_enabled: false

3
group_vars/edc/ldap_local_replica.yml
View file

@ -1,3 +0,0 @@
---
ldap_local_replica_uri:
- 'ldap://ldap-replica-edc.adm.auro.re'

7
group_vars/edc/main.yml
View file

@ -1,7 +0,0 @@
---
apartment_block: edc
apartment_block_id: 4
router_ip_suffix: 254
mtu: 1500

3
group_vars/edc/sudo_location_group.yml
View file

@ -1,3 +0,0 @@
---
# Users in that group will be able to `sudo`
sudo_group_location: 'sudoedc'

7
group_vars/fleming/main.yml
View file

@ -1,7 +0,0 @@
---
apartment_block: fleming
apartment_block_id: 1
router_ip_suffix: 254
mtu: 1500

3
group_vars/fleming/sudo_location_group.yml
View file

@ -1,3 +0,0 @@
---
# Users in that group will be able to `sudo`
sudo_group_location: 'sudofleming'

7
group_vars/gs/main.yml
View file

@ -1,7 +0,0 @@
---
apartment_block: gs
apartment_block_dhcp: sand
apartment_block_id: 5
router_ip_suffix: 254

3
group_vars/gs/sudo_location_group.yml
View file

@ -1,3 +0,0 @@
---
# Users in that group will be able to `sudo`
sudo_group_location: 'sudogeorgesand'

7
group_vars/pacaterie/main.yml
View file

@ -1,7 +0,0 @@
---
apartment_block: pacaterie
apartment_block_id: 2
router_ip_suffix: 254
mtu: 1500

3
group_vars/pacaterie/sudo_location_group.yml
View file

@ -1,3 +0,0 @@
---
# Users in that group will be able to `sudo`
sudo_group_location: 'sudopacaterie'

7
group_vars/rives/main.yml
View file

@ -1,7 +0,0 @@
---
apartment_block: rives
apartment_block_id: 3
router_ip_suffix: 254
mtu: 1500

3
group_vars/rives/sudo_location_group.yml
View file

@ -1,3 +0,0 @@
---
# Users in that group will be able to `sudo`
sudo_group_location: 'sudorives'

64
host_vars/proxy-ovh.adm.auro.re.yml
View file

@ -1,64 +0,0 @@
---
certbot:
domains:
- auro.re
- cas.auro.re
- codimd.auro.re
- grafana.auro.re
- pad.auro.re
- passbolt.auro.re
- phabricator.auro.re
- privatebin.auro.re
- riot.auro.re
- sharelatex.auro.re
- status.auro.re
- wiki.auro.re
- www.auro.re
mail: tech.aurore@lists.crans.org
certname: auro.re
nginx:
ssl:
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
redirect_dnames:
- aurores.net
- fede-aurore.net
redirect_tcp: {}
redirect_sites:
- from: www.auro.re
to: auro.re
- from: 92.222.211.195
to: auro.re
reverseproxy_sites:
- from: phabricator.auro.re
to: 10.128.0.50
- from: wiki.auro.re
to: 10.128.0.51
- from: www.auro.re
to: 10.128.0.52
- from: passbolt.auro.re
to: 10.128.0.53
- from: riot.auro.re
to: "10.128.0.150:8080"
- from: codimd.auro.re
to: "10.128.0.150:8081"
- from: grafana.auro.re
to: "10.128.0.150:8082"
- from: privatebin.auro.re
to: "10.128.0.150:8083"
- from: pad.auro.re
to: "10.128.0.150:8084"
- from: cas.auro.re
to: "10.128.0.150:8085"
- from: status.auro.re
to: "10.128.0.150:8086"

63
host_vars/proxy.adm.auro.re.yml
View file

@ -1,63 +0,0 @@
---
certbot:
domains:
- bbb.auro.re
- drone.auro.re
- gitea.auro.re
- intranet.auro.re
- litl.auro.re
- nextcloud.auro.re
- re2o.auro.re
- vote.auro.re
- re2o-server.auro.re
- re2o-test.auro.re
- wikijs.auro.re
mail: tech.aurore@lists.crans.org
certname: auro.re
nginx:
ssl:
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
redirect_dnames:
- aurores.net
- fede-aurore.net
redirect_tcp:
- name: Gitea
port: 2222
destination: "10.128.0.60:2222"
redirect_sites:
- from: 45.66.111.61
to: auro.re
reverseproxy_sites:
- from: re2o.auro.re
to: 10.128.0.20
- from: intranet.auro.re
to: 10.128.0.20
- from: bbb.auro.re
to: 10.128.0.54
- from: nextcloud.auro.re
to: "10.128.0.58:8080"
- from: gitea.auro.re
to: "10.128.0.60:3000"
- from: drone.auro.re
to: "10.128.0.64:8000"
- from: litl.auro.re
to: 10.128.0.35
- from: re2o-test.auro.re
to: 10.128.0.80
- from: wikijs.auro.re
to: "10.128.0.66:3000"

268
hosts
View file

@ -1,260 +1,70 @@
# Aurore servers inventory # Aurore servers inventory
# How to name your server ? # How to name your server ?
# > We name servers according to location, then type, then function. # > We name servers according to location, then type.
# > Then we regroup everything in global geographic, type and function groups. # > So all containers at OVH are in ovh-container.
# > Then we regroup everything in global geographic and type groups.
[ovh-pve]
horus ansible_host=10.128.0.1
############################################################################### [ovh-container]
# Aurore : main services riot.adm.auro.re
viviane.adm.auro.re
[aurore_pve]
merlin.adm.auro.re
[aurore_vm]
routeur-aurore.adm.auro.re
routeur-aurore-backup.adm.auro.re
radius-aurore.adm.auro.re
dhcp-aurore.adm.auro.re
dhcp-aurore-backup.adm.auro.re
dns-aurore.adm.auro.re
proxy.adm.auro.re
camelot.adm.auro.re
gitea.adm.auro.re
drone.adm.auro.re
nextcloud.adm.auro.re
stream.adm.auro.re
re2o-server.adm.auro.re
re2o-ldap.adm.auro.re
re2o-db.adm.auro.re
pendragon.adm.auro.re
services-bdd-local.adm.auro.re
backup.adm.auro.re
services-web.adm.auro.re
mail.adm.auro.re
wikijs.adm.auro.re
###############################################################################
# OVH
[ovh_pve]
horus.adm.auro.re
[ovh_container]
synapse.adm.auro.re synapse.adm.auro.re
codimd.adm.auro.re
services-bdd.adm.auro.re services-bdd.adm.auro.re
phabricator.adm.auro.re phabricator.adm.auro.re
wiki.adm.auro.re wiki.adm.auro.re
www.adm.auro.re www.adm.auro.re
proxy-ovh.adm.auro.re pad.adm.auro.re
matrix-services.adm.auro.re proxy.adm.auro.re
[ovh_vm] [ovh-vm]
re2o-server.adm.auro.re
re2o-ldap.adm.auro.re
re2o-db.adm.auro.re
serge.adm.auro.re serge.adm.auro.re
passbolt.adm.auro.re
vpn-ovh.adm.auro.re
docker-ovh.adm.auro.re
switchs-manager.adm.auro.re
ldap-replica-ovh.adm.auro.re
[ovh_testing_vm] [ovh-testing-vm]
#re2o-test.adm.auro.re re2o-test.adm.auro.re
[fleming-pve]
#freya.adm.auro.re
#odin.adm.auro.re
############################################################################### [fleming-vm-ldap-replica]
# Les Jardins de Fleming #ldap-replica-fleming1.adm.auro.re
#ldap-replica-fleming2.adm.auro.re
[fleming_pve]
freya.adm.auro.re
marki.adm.auro.re
[fleming_vm]
ldap-replica-fleming.adm.auro.re
dhcp-fleming.adm.auro.re
dhcp-fleming-backup.adm.auro.re
dns-fleming.adm.auro.re
dns-fleming-backup.adm.auro.re
prometheus-fleming.adm.auro.re
#prometheus-fleming-fo.adm.auro.re
radius-fleming.adm.auro.re
radius-fleming-backup.adm.auro.re
unifi-fleming.adm.auro.re
routeur-fleming.adm.auro.re
routeur-fleming-backup.adm.auro.re
###############################################################################
# Pacaterie
[pacaterie_pve]
mordred.adm.auro.re
titan.adm.auro.re
[pacaterie_vm]
ldap-replica-pacaterie.adm.auro.re
dhcp-pacaterie.adm.auro.re
dhcp-pacaterie-backup.adm.auro.re
dns-pacaterie.adm.auro.re
dns-pacaterie-backup.adm.auro.re
prometheus-pacaterie.adm.auro.re
#prometheus-pacaterie-fo.adm.auro.re
radius-pacaterie.adm.auro.re
radius-pacaterie-backup.adm.auro.re
unifi-pacaterie.adm.auro.re
routeur-pacaterie.adm.auro.re
routeur-pacaterie-backup.adm.auro.re
###############################################################################
# Emilie du Chatelet
[edc_server]
perceval.adm.auro.re
[edc_pve]
chapalux.adm.auro.re
escalope.adm.auro.re
[edc_vm]
routeur-edc.adm.auro.re
routeur-edc-backup.adm.auro.re
dns-edc.adm.auro.re
dns-edc-backup.adm.auro.re
dhcp-edc.adm.auro.re
dhcp-edc-backup.adm.auro.re
unifi-edc.adm.auro.re
radius-edc.adm.auro.re
radius-edc-backup.adm.auro.re
ldap-replica-edc.adm.auro.re
###############################################################################
# George Sand
[gs_pve]
lancelot.adm.auro.re
odin.adm.auro.re
[gs_vm]
dhcp-gs.adm.auro.re
dhcp-gs-backup.adm.auro.re
dns-gs.adm.auro.re
dns-gs-backup.adm.auro.re
routeur-gs.adm.auro.re
routeur-gs-backup.adm.auro.re
unifi-gs.adm.auro.re
radius-gs.adm.auro.re
radius-gs-backup.adm.auro.re
prometheus-gs.adm.auro.re
ldap-replica-gs.adm.auro.re
###############################################################################
# Les Rives
[rives_pve]
thor.adm.auro.re
[rives_vm]
dhcp-rives-backup.adm.auro.re
unifi-rives.adm.auro.re
dns-rives-backup.adm.auro.re
radius-rives-backup.adm.auro.re
routeur-rives-backup.adm.auro.re
ldap-replica-rives.adm.auro.re
# -aurore services
[aurore:children]
aurore_vm
# everything at ovh # everything at ovh
[ovh:children] [ovh:children]
ovh_pve ovh-pve
ovh_container ovh-container
ovh_vm ovh-vm
# everything at ovh-testing
[ovh-testing:children]
ovh-testing-vm
# everything at fleming # everything at fleming
[fleming:children] [fleming:children]
fleming_pve fleming-pve
fleming_vm fleming-vm-ldap-replica
#fleming_unifi
# everything at pacaterie
[pacaterie:children]
pacaterie_pve
pacaterie_vm
#pacaterie_unifi
# everything at edc
[edc:children]
edc_pve
edc_vm
# everything at georgesand
[gs:children]
gs_pve
gs_vm
# everything at Les Rives
[rives:children]
rives_pve
rives_vm
###############################################################################
# Groups by type
# every LXC container # every LXC container
[container:children] [container:children]
ovh_container ovh-container
# every virtual machine # every virtual machine
[vm:children] [vm:children]
ovh_vm ovh-vm
fleming_vm fleming-vm-ldap-replica
pacaterie_vm
edc_vm
gs_vm
rives_vm
# every PVE # every PVE
[pve:children] [pve:children]
ovh_pve ovh-pve
fleming_pve fleming-pve
pacaterie_pve
edc_pve
gs_pve
rives_pve
###############################################################################
# Groups by service
[ldap_replica:children]
ldap_replica_fleming
ldap_replica_pacaterie
ldap_replica_edc
ldap_replica_gs
ldap_replica_ovh
ldap_replica_rives
[ldap_replica_fleming]
ldap-replica-fleming.adm.auro.re
[ldap_replica_pacaterie]
ldap-replica-pacaterie.adm.auro.re
[ldap_replica_edc]
ldap-replica-edc.adm.auro.re
[ldap_replica_gs]
ldap-replica-gs.adm.auro.re
[ldap_replica_ovh]
ldap-replica-ovh.adm.auro.re
[ldap_replica_rives]
ldap-replica-rives.adm.auro.re
# every LDAP replica
[ldap-replica:children]
fleming-vm-ldap-replica

11
ldap.yml Normal file
View file

@ -0,0 +1,11 @@
---
# Plug LDAP on all servers
- hosts: all
roles:
- ldap-client
# Clone LDAP on local geographic location
# DON'T DO THIS AS IT RECREATES THE REPLICA
# - hosts: ldap-replica
# roles:
# - ldap-replica

7
ldap_replica.yml
View file

@ -1,7 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Clone LDAP on local geographic location
# DON'T DO THIS AS IT RECREATES THE REPLICA
- hosts: ldap_replica
roles:
- ldap_replica

19
matrix.yml Executable file → Normal file
View file

@ -1,18 +1,15 @@
#!/usr/bin/env ansible-playbook
--- ---
# Install Matrix Synapse on corresponding containers # Install Matrix Synapse on corresponding containers
- hosts: synapse.adm.auro.re - hosts: synapse.adm.auro.re
vars: vars:
mxisd_releases: https://github.com/kamax-matrix/mxisd/releases mxisd_version: 1.3.1
mxisd_deb: "{{ mxisd_releases }}/download/v1.3.1/mxisd_1.3.1_all.deb" synapse_rest_auth_url: https://raw.githubusercontent.com/kamax-matrix/matrix-synapse-rest-auth/master/rest_auth_provider.py
roles: roles:
- debian_backports - debian-backports
- nodejs - matrix-synapse
- matrix_synapse - matrix-mxisd
- matrix_appservice_irc
- matrix_appservice_webhooks
# Install Matrix services # Install Matrix Riot on corresponding containers
- hosts: matrix-services.adm.auro.re - hosts: riot.adm.auro.re
roles: roles:
- debian_backports - matrix-riot

62
monitoring.yml
View file

@ -1,62 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts: prometheus-fleming.adm.auro.re,prometheus-fleming-fo.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
# Prometheus targets.json
prometheus_targets:
- targets: |
{{ groups['fleming_physical'] + groups['fleming_vm'] | list | sort }}
prometheus_unifi_snmp_targets:
- targets: "{{ groups['fleming_unifi'] | list | sort }}"
roles:
- prometheus
- hosts: prometheus-pacaterie.adm.auro.re,prometheus-pacaterie-fo.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
# Prometheus targets.json
prometheus_targets:
- targets: |
{{ groups['pacaterie_physical'] + groups['pacaterie_vm'] | list | sort }}
prometheus_unifi_snmp_targets:
- targets: "{{ groups['pacaterie_unifi'] | list | sort }}"
roles:
- prometheus
- hosts: prometheus-edc.adm.auro.re,prometheus-edc-fo.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
# Prometheus targets.json
prometheus_targets:
- targets: |
{{ groups['edc_physical'] + groups['edc_vm'] | list | sort }}
prometheus_unifi_snmp_targets:
- targets: "{{ groups['edc_unifi'] | list | sort }}"
roles:
- prometheus
- hosts: prometheus-georgesand.adm.auro.re,prometheus-georgesand-fo.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
# Prometheus targets.json
prometheus_targets:
- targets: |
{{ groups['georgesand_physical'] + groups['georgesand_vm'] | list | sort }}
prometheus_unifi_snmp_targets:
- targets: "{{ groups['georgesand_unifi'] | list | sort }}"
roles:
- prometheus
# Monitor all hosts
- hosts: all,!unifi,!ovh
roles:
- prometheus_node

65
network.yml
View file

@ -1,65 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Set up DHCP servers.
- hosts: dhcp-*.adm.auro.re
roles:
- isc_dhcp_server
# Deploy unbound DNS server (recursive).
- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
roles:
- unbound
# Déploiement du service re2o aurore-firewall et keepalived
# radvd: IPv6 SLAAC (/64 subnets, private IPs).
# Must NOT be on routeur-aurore-*, or will with DHCPv6!
- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
roles:
- router
- radvd
# No radvd here
- hosts: ~routeur-aurore.*\.adm\.auro\.re
roles:
- router
- ipv6_edge_router
# Radius (backup only for now)
- hosts: radius-*.adm.auro.re
roles:
- radius
# WIP: Deploy authoritative DNS servers
# - hosts: authoritative_dns
# vars:
# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
# service_name: dns
# service_version: crans
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o-service
# Deploy Unifi Controller
# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
# roles:
# - unifi-controller
# Deploy Re2o switch service
# - hosts: switchs-manager.adm.auro.re
# vars:
# service_repo: https://gitlab.federez.net/re2o/switchs.git
# service_name: switchs
# service_version: master
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o-service

34
nginx-reverse-proxy.yml Normal file
View file

@ -0,0 +1,34 @@
---
# Install NGINX with reverse proxy conf
- hosts: proxy.adm.auro.re
vars:
reversed_proxy_subdomains:
- name: re2o
from: re2o.auro.re
to: re2o-server.adm.auro.re
- name: intranet
from: intranet.auro.re
to: re2o-server.adm.auro.re
- name: pad
from: pad.auro.re
to: pad.adm.auro.re:9001
- name: phabricator
from: phabricator.auro.re
to: phabricator.adm.auro.re
- name: wiki
from: wiki.auro.re
to: wiki.adm.auro.re
- name: www
from: www.auro.re
to: www.adm.auro.re
- name: re2o-test
from: re2o-test.auro.re
to: re2o-test.adm.auro.re
- name: riot
from: riot.auro.re
to: riot.adm.auro.re
- name: codimd
from: codimd.auro.re
to: codimd.adm.auro.re:8080
roles:
- nginx-reverse-proxy

7
nuke_radius_dbs.yml
View file

@ -1,7 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts: radius-*.adm.auro.re
roles:
- radius
vars:
nuke_radius: true

432
proxmox.yml
View file

@ -1,432 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# This is a special playbook to create a new VM !
- hosts: proxy.adm.auro.re # Host with python-proxmoxer and python-requests
become: false # We do not need root as we use Proxmox API
vars:
vm_definitions:
# Réseau Pacaterie
- name: ldap-replica-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
# Réseau Fleming
- name: ldap-replica-fleming1
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
# Réseau EdC
- name: ldap-replica-edc1
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
# Réseau George Sand
- name: ldap-replica-gs1
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-gs
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-gs
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-gs
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-gs
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-gs
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
vars_prompt:
- name: "password"
prompt: "Enter LDAP password for your user"
private: true
tasks:
- name: Define a virtual machine in Proxmox
proxmox_kvm:
api_user: "{{ ansible_user_id }}@pam"
api_password: "{{ password }}"
api_host: "{{ item.virtu }}.adm.auro.re"
name: "{{ item.name }}"
node: "{{ item.virtu }}"
scsihw: virtio-scsi-pci
scsi: '{"scsi0":"{{ item.virtu }}:{{ item.disksize }},format=raw"}'
sata: '{"sata0":"local:iso/{{ item.installiso }},media=cdrom"}'
net: '{"net0":"virtio,bridge=vmbr2"}' # Adm only by default
cores: "{{ item.cores }}"
memory: "{{ item.memory }}"
balloon: "{{ item.memory // 2 }}"
bios: seabios # Ansible module doesn't support UEFI boot disk
loop:
# Réseau Fleming
- name: ldap-replica-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
- name: routeur-fleming
virtu: freya
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: ldap-replica-fleming-fo
virtu: marki
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-fleming-fo
virtu: marki
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-fleming-fo
virtu: marki
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-fleming-fo
virtu: marki
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-fleming-fo
virtu: marki
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: routeur-fleming-fo
virtu: marki
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
# Réseau Pacaterie
- name: ldap-replica-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
- name: routeur-pacaterie
virtu: mordred
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: ldap-replica-pacaterie-fo
virtu: titan
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-pacaterie-fo
virtu: titan
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-pacaterie-fo
virtu: titan
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-pacaterie-fo
virtu: titan
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-pacaterie-fo
virtu: titan
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: routeur-pacaterie-fo
virtu: titan
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
# Réseau EDC
- name: ldap-replica-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
- name: routeur-edc
virtu: chapalux
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
# Réseau George Sand
- name: ldap-replica-georgesand
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dhcp-georgesand
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: dns-georgesand
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: prometheus-georgesand
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: radius-georgesand
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso
- name: unifi-georgesand
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-9.9.0-amd64-netinst.iso
- name: routeur-georgesand
virtu: perceval
cores: 2 # 2 mimimum, 10 maximum
memory: 1024 # M
disksize: 16 # G
installiso: debian-10.0.0-amd64-netinst.iso

3
roles/baseconfig/files/update-motd.d/00-logo
View file

@ -1,5 +1,6 @@
#!/bin/sh #!/bin/sh
# {{ ansible_managed }} # /etc/update-motd.d/00-logo
# Deployed with Aurore Ansible !
# Pretty uptime # Pretty uptime
upSeconds="$(/usr/bin/cut -d. -f1 /proc/uptime)" upSeconds="$(/usr/bin/cut -d. -f1 /proc/uptime)"

3
roles/baseconfig/files/update-motd.d/10-uname
View file

@ -1,3 +0,0 @@
#!/bin/sh
# {{ ansible_managed }}
uname -snrvm

29
roles/baseconfig/tasks/apt-listchanges.yml
View file

@ -6,27 +6,14 @@
name: apt-listchanges name: apt-listchanges
state: present state: present
update_cache: true update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
# Send email when there is something new # Send email when there is something new
- name: Configure apt-listchanges - name: Configure apt-listchanges
ini_file: lineinfile:
path: /etc/apt/listchanges.conf dest: /etc/apt/listchanges.conf
no_extra_spaces: true regexp: "^{{ item.key }}="
section: apt line: "{{ item.value }}"
option: "{{ item.option }}" with_dict:
value: "{{ item.value }}" confirm: 'confirm=true'
state: present email_address: "email_address={{ monitoring_mail }}"
mode: 0644 which: 'which=both'
loop:
- option: confirm
value: "true"
- option: email_address
value: "{{ monitoring_mail }}"
- option: which
value: both
...

80
roles/baseconfig/tasks/main.yml
View file

@ -3,48 +3,29 @@
- name: Install basic tools - name: Install basic tools
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
apt: apt:
name: name: "{{ packages }}"
- acl # advanced ACL state: present
- apt # better than apt-get
- aptitude # nice to have for Ansible
- bash-completion # because bash
- curl # Better that wget
- emacs-nox # for maman
- fish # to motivate @edpibu
- git # code versioning
- less # i like cats
- lsb-release
- htop # better than top
- iotop # monitor i/o
- oidentd # postgresql identification
- molly-guard # prevent reboot
- nano # for vulcain
- net-tools
- ntp # network time sync
- screen # Vulcain asked for this
- sudo
- tree # create a graphical tree of files
- vim # better than nano
- zsh # to be able to ssh @erdnaxe
update_cache: true update_cache: true
register: apt_result vars:
retries: 3 packages:
until: apt_result is succeeded - bash-completion # for bash users
- zsh # alternative shell
- sudo # to gain root access
- git # code versioning
- nano # basic text editor
- vim # like nano but more powerful and complex
- htop # better than top
- less # i like cats
- tree # create a graphical tree of files
- ipython # better Python shell
- acl # for Ansible become support
# Pimp my server # Pimp my server
- name: Customize motd - name: Customize motd
copy: copy:
src: "update-motd.d/{{ item }}" src: 'update-motd.d/00-logo'
dest: "/etc/update-motd.d/{{ item }}" dest: '/etc/update-motd.d/00-logo'
mode: 0755 mode: 0755
loop:
- 00-logo
- 10-uname
- name: Remove Debian warranty motd
file:
path: /etc/motd
state: absent
# Configure APT mirrors on Debian Stretch # Configure APT mirrors on Debian Stretch
- name: Configure APT mirrors - name: Configure APT mirrors
@ -52,8 +33,8 @@
- ansible_distribution == 'Debian' - ansible_distribution == 'Debian'
- ansible_distribution_release == 'stretch' - ansible_distribution_release == 'stretch'
template: template:
src: apt/sources.list.j2 src: 'apt/sources.list.j2'
dest: /etc/apt/sources.list dest: '/etc/apt/sources.list'
mode: 0644 mode: 0644
# Patriotisme # Patriotisme
@ -69,7 +50,11 @@
question: locales/default_environment_locale question: locales/default_environment_locale
value: fr_FR.UTF-8 value: fr_FR.UTF-8
vtype: select vtype: select
notify: Reconfigure locales notify:
- Reconfigure locales
# Molly-Guard : prevent accidental shutdowns
- include_tasks: molly-guard.yml
# APT-List Changes : send email with changelog # APT-List Changes : send email with changelog
- include_tasks: apt-listchanges.yml - include_tasks: apt-listchanges.yml
@ -77,15 +62,8 @@
# User skeleton # User skeleton
- name: Configure user skeleton - name: Configure user skeleton
copy: copy:
src: "skel/dot_{{ item }}" src: skel/{{ item.key }}
dest: "/etc/skel/.{{ item }}" dest: /etc/skel/{{ item.value }}
mode: 0644 with_dict:
loop: dot_zshrc: .zshrc
- zshrc dot_zshrc.local: .zshrc.local
- zshrc.local
- name: Configure resolvconf
template:
src: resolv.conf
dest: /etc/resolv.conf
mode: 0644

15
roles/baseconfig/tasks/molly-guard.yml Normal file
View file

@ -0,0 +1,15 @@
---
# Install molly-guard
- name: Install molly-guard
when: ansible_os_family == "Debian"
apt:
name: molly-guard
state: present
update_cache: true
# Always ask for hostname
- name: Configure molly-guard
lineinfile:
dest: /etc/molly-guard/rc
regexp: '^#*\s*ALWAYS_QUERY_HOSTNAME.*$'
line: 'ALWAYS_QUERY_HOSTNAME=true'

4
roles/baseconfig/templates/resolv.conf
View file

@ -1,4 +0,0 @@
domain adm.auro.re
nameserver 10.128.0.253
nameserver 2a09:6840:128::253
nameserver 80.67.169.12

10
roles/basesecurity/handlers/main.yml
View file

@ -1,10 +0,0 @@
---
- name: Restart sshd service
service:
name: sshd
state: restarted
- name: Restart fail2ban service
service:
name: fail2ban
state: restarted

87
roles/basesecurity/tasks/main.yml
View file

@ -1,87 +0,0 @@
---
- name: Configure sysctl
template:
src: sysctl.d/local.conf.j2
dest: /etc/sysctl.d/local.conf
mode: 0644
# Use this command to list setuid or setgid executables
# find / -type f -perm /6000 -ls 2>/dev/null
- name: Desactivate setuid/setgid on unused binaries
file:
path: "{{ item }}"
mode: u-s,g-s
loop:
- /usr/lib/openssh/sshkeysign # Not used
- /usr/bin/gpasswd # No group auth
- /usr/bin/passwd # Only root should change passwd
- /usr/bin/expiry # With re2o
- /usr/bin/newgrp # No group auth
- /usr/bin/chage # With re2o
- /usr/bin/chsh # With re2o
- /usr/bin/chfn # With re2o
- /bin/mount # Only root should mount
- /bin/umount # Only root should umount
ignore_errors: true # Sometimes file won't exist
# Only SSH keys to log on root
- name: Prohibit root SSH with password
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^{{ item.0 }}'
insertafter: '^#{{ item.0 }}'
line: '{{ item.0 }} {{ item.1 }}'
loop:
- ["PermitRootLogin", "prohibit-password"]
- ["AllowAgentForwarding", "no"]
- ["X11Forwarding", "no"]
- ["TCPKeepAlive", "yes"]
notify: Restart sshd service
# See banned client with `fail2ban-client status sshd`
- name: Install fail2ban
apt:
name: fail2ban
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure fail2ban
ini_file:
path: /etc/fail2ban/jail.d/local.conf
section: "{{ item.section }}"
option: "{{ item.option }}"
value: "{{ item.value }}"
state: present
mode: 0644
notify: Restart fail2ban service
loop:
- section: sshd
option: ignoreip
value: 10.128.0.254 # Whitelist bastion
- section: sshd
option: enabled
value: "true"
- section: sshd
option: bantime
value: 600
- section: sshd
option: findtime
value: 600
- section: sshd
option: maxretry
value: 5
# See altered packages and configurations with `debsums -ca`
- name: Install debsums
apt:
name: debsums
state: present
register: apt_result
retries: 3
until: apt_result is succeeded

13
roles/basesecurity/templates/sysctl.d/local.conf.j2
View file

@ -1,13 +0,0 @@
# {{ ansible_managed }}
# See https://www.ssi.gouv.fr/uploads/2016/01/linux_configuration-fr-v1.2.pdf
# Disable core dump of setuid executables
# So an user can't read privileged information in memory
fs.suid_dumpable = 0
# Obfuscate kernel memory addresses
kernel.kptr_restrict = 1
# Restrict dmesg access
# This can leak specific harware failures to exploit
kernel.dmesg_restrict = 1

39
roles/certbot/tasks/main.yml
View file

@ -1,39 +0,0 @@
---
- name: Install certbot and nginx plugin
apt:
update_cache: true
name:
- certbot
- python3-certbot-nginx
register: pkg_result
retries: 3
until: pkg_result is succeeded
- name: Create /etc/letsencrypt/conf.d
file:
path: /etc/letsencrypt/conf.d
state: directory
mode: 0755
- name: Add Certbot configuration
template:
src: "letsencrypt/conf.d/certname.ini.j2"
dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
mode: 0644
register: certbot_config
- name: Stop services to allow certbot to generate a cert.
service:
name: nginx
state: stopped
when: certbot_config.changed
- name: Generate new certificate if the configuration changed
shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
when: certbot_config.changed
- name: Restart services to allow certbot to generate a cert.
service:
name: nginx
state: started
when: certbot_config.changed

23
roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
View file

@ -1,23 +0,0 @@
# {{ ansible_managed }}
# Pour appliquer cette conf et générer la conf de renewal :
# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Always use the staging/testing server
# server = https://acme-staging.api.letsencrypt.org/directory
# Uncomment and update to register with the specified e-mail address
email = {{ certbot.mail }}
# Uncomment to use a text interface instead of ncurses
text = True
# Use nginx challenge
authenticator = nginx
# Wildcard the domain
cert-name = {{ certbot.certname }}
domains = {{ ", ".join(certbot.domains) }}

13
roles/codimd/handlers/main.yml Normal file
View file

@ -0,0 +1,13 @@
---
# Build front-end bundle
# This can take very long and requires > 2GB of RAM
- name: Build front-end for CodiMD
command: NODE_ENV="production" yarn run build
args:
chdir: /var/local/codimd/codimd
become: true
become_user: codimd
# Reload systemd daemons when a service file changes
- name: Reload systemd daemons
command: systemctl daemon-reload

28
roles/codimd/tasks/0_apt_dependencies.yml Normal file
View file

@ -0,0 +1,28 @@
---
# For NodeJS package
- name: Configure NodeJS pin
when:
- ansible_distribution == 'Debian'
- ansible_distribution_release == 'stretch'
template:
src: apt/nodejs.j2
dest: /etc/apt/preferences.d/nodejs
mode: 0644
# TODO
# apt-transport-https
# curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
# echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
# Install CodiMD dependencies
- name: Install required packages
apt:
name: "{{ item }}"
state: present
update_cache: true
with_items:
- git
- nodejs
- npm
- build-essential
- yarn

26
roles/codimd/tasks/1_user_group.yml Normal file
View file

@ -0,0 +1,26 @@
---
# Security #1
- name: Create CodiMD system group
group:
name: codimd
system: yes
state: present
# Security #2
- name: Create CodiMD user
user:
name: codimd
group: codimd
home: /var/local/codimd
comment: CodiMD
system: yes
state: present
# Security #3
- name: Secure CodiMD home directory
file:
path: /var/local/codimd
state: directory
owner: codimd
group: codimd
mode: 0750

59
roles/codimd/tasks/main.yml Normal file
View file

@ -0,0 +1,59 @@
---
# Install APT dependencies
- include_tasks: 0_apt_dependencies.yml
# Create CodiMD user and group
- include_tasks: 1_user_group.yml
# Download CodiMD
- name: Clone CodiMD project
git:
repo: https://github.com/hackmdio/codimd.git
dest: /var/local/codimd/codimd
version: 1.3.0
become: true
become_user: codimd
notify: Build front-end for CodiMD
# Setup dependencies and configs
- name: Install CodiMD depedencies
command: NODE_ENV="production" bin/setup
args:
chdir: /var/local/codimd/codimd
become: true
become_user: codimd
# Connection to database
- name: Connect CodiMD to PostgreSQL db
template:
src: sequelizerc.j2
dest: /var/local/codimd/codimd/.sequelizerc
owner: codimd
group: codimd
mode: 0600
# Configure
- name: Configure CodiMD
template:
src: config.json.j2
dest: /var/local/codimd/codimd/config.json
owner: codimd
group: codimd
mode: 0600
# Service file
- name: Install CodiMD systemd unit
template:
src: 'systemd/codimd.service.j2'
dest: '/etc/systemd/system/codimd.service'
owner: root
group: root
mode: 0644
notify: Reload systemd daemons
# Run
- name: Ensure that CodiMD is started
service:
name: codimd
state: started
enabled: true

0
roles/nodejs/templates/apt/nodejs.j2 → roles/codimd/templates/apt/nodejs.j2
View file

39
roles/codimd/templates/config.json.j2 Normal file
View file

@ -0,0 +1,39 @@
{
"production": {
"domain": "codimd.auro.re",
"debug": false,
"port": 8080,
"useSSL": false,
"protocolUseSSL": true,
"useCDN": false,
"csp": {
"enable": true,
"directives": {
},
"upgradeInsecureRequests": "auto",
"addDefaults": true
},
"db": {
"username": "codimd",
"password": "{{ postgresql_codimd_passwd }}",
"database": "codimd",
"host": "{{ postgresql_services_url }}",
"port": "5432",
"dialect": "postgres"
},
"email": false,
"ldap": {
"url": "{{ ldap_master_uri }}",
"bindDn": "{{ ldap_codimd_bind_dn }}",
"bindCredentials": "{{ ldap_codimd_password }}",
"searchBase": "cn=Utilisateurs,dc=auro,dc=re",
"searchFilter": "(uid={% raw %}{{username}}{% endraw %})",
"searchAttributes": ["uid", "givenName", "mail"],
"usernameField": "uid",
"useridField": "uid",
"providerName": "Compte Aurore"
},
"allowFreeURL": true
}
}

8
roles/codimd/templates/sequelizerc.j2 Normal file
View file

@ -0,0 +1,8 @@
var path = require('path');
module.exports = {
'config': path.resolve('config.json'),
'migrations-path': path.resolve('lib', 'migrations'),
'models-path': path.resolve('lib', 'models'),
'url': 'postgres://codimd:{{ postgresql_codimd_passwd }}@{{ postgresql_services_url }}:5432/codimd'
}

11
roles/matrix_appservice_irc/templates/systemd/appservice.service.j2 → roles/codimd/templates/systemd/codimd.service.j2
View file

@ -1,17 +1,18 @@
# {{ ansible_managed }} # {{ ansible_managed }}
[Unit] [Unit]
Description=A bridge between Matrix and IRC Description=CodiMD
After=syslog.target network-online.target mysql.service postgresql.service After=syslog.target network-online.target mysql.service postgresql.service
Conflicts=shutdown.target Conflicts=shutdown.target
[Service] [Service]
Type=simple Type=simple
User={{ service_user }} User=codimd
WorkingDirectory={{ service_path }} Group=codimd
ExecStart=/usr/bin/nodejs ./app.js -c config.yaml -f irc-registration.yaml -p 9999 WorkingDirectory=/var/local/codimd/codimd
Environment="NODE_ENV=production"
ExecStart=/usr/bin/nodejs /var/local/codimd/codimd/app.js
Restart=always Restart=always
RestartSec=3
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

58
roles/docker/tasks/main.yml
View file

@ -1,58 +0,0 @@
---
# Install HTTPS support for APT
- name: Install apt-transport-https
apt:
update_cache: true
name:
- apt-transport-https
- ca-certificates
- curl
- gnupg2
- software-properties-common
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
# Add the key
- name: Configure the apt key
apt_key:
url: https://download.docker.com/linux/debian/gpg
id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
state: present
register: apt_key_result
retries: 3
until: apt_key_result is succeeded
# Add the repository into source list
- name: Configure docker repository
apt_repository:
repo: "{{ item }}"
state: present
loop:
- deb https://download.docker.com/linux/debian buster stable
- name: Install docker
apt:
update_cache: true
name:
- docker-ce
- docker-ce-cli
- containerd.io
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
# Compose need to be updated to use new Docker features
- name: Install Docker Compose
get_url:
url: https://github.com/docker/compose/releases/download/1.24.1/docker-compose-Linux-x86_64
dest: /usr/local/bin/docker-compose
mode: "0755"
- name: Indicate role in motd
template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-docker
mode: 0755

3
roles/docker/templates/update-motd.d/05-service.j2
View file

@ -1,3 +0,0 @@
#!/bin/sh
# {{ ansible_managed }}
echo "> Les recettes Docker-compose se trouvent dans /var/local/ansible-docker"

6
roles/dokuwiki/tasks/main.yml
View file

@ -22,9 +22,5 @@
# Install # Install
- name: Install DokuWiki - name: Install DokuWiki
apt: apt:
update_cache: true
name: dokuwiki name: dokuwiki
state: present update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded

4
roles/etherpad/handlers/main.yml Normal file
View file

@ -0,0 +1,4 @@
---
# Reload systemd daemons when a service file changes
- name: Reload systemd daemons
command: systemctl daemon-reload

14
roles/nodejs/tasks/main.yml → roles/etherpad/tasks/0_apt_dependencies.yml
View file

@ -1,4 +1,5 @@
--- ---
# For NodeJS package
- name: Configure NodeJS pin - name: Configure NodeJS pin
when: when:
- ansible_distribution == 'Debian' - ansible_distribution == 'Debian'
@ -8,14 +9,15 @@
dest: /etc/apt/preferences.d/nodejs dest: /etc/apt/preferences.d/nodejs
mode: 0644 mode: 0644
# Install EtherPad dependencies
- name: Install required packages - name: Install required packages
apt: apt:
name: "{{ item }}"
state: present
update_cache: true update_cache: true
name: with_items:
- build-essential
- curl
- git
- nodejs - nodejs
- npm - npm
- build-essential # To build npm packages
state: present
register: apt_result
retries: 3
until: apt_result is succeeded

26
roles/etherpad/tasks/1_user_group.yml Normal file
View file

@ -0,0 +1,26 @@
---
# Security #1
- name: Create EtherPad system group
group:
name: etherpad
system: yes
state: present
# Security #2
- name: Create EtherPad user
user:
name: etherpad
group: etherpad
home: /var/local/etherpad
comment: EtherPad
system: yes
state: present
# Security #3
- name: Secure Etherpad home directory
file:
path: /var/local/etherpad
state: directory
owner: etherpad
group: etherpad
mode: 0750

59
roles/etherpad/tasks/main.yml Normal file
View file

@ -0,0 +1,59 @@
---
# Install APT dependencies
- include_tasks: 0_apt_dependencies.yml
# Create EtherPad user and group
- include_tasks: 1_user_group.yml
# Download EtherPad
- name: Clone EtherPad project
git:
repo: https://github.com/ether/etherpad-lite.git
dest: /var/local/etherpad/etherpad-lite
version: master
become: true
become_user: etherpad
# Installation script
# TODO: move this in a handler
- name: Install Etherpad dependencies
command: bin/installDeps.sh
args:
chdir: /var/local/etherpad/etherpad-lite
become: true
become_user: etherpad
# Configuration
- name: Configure EtherPad
lineinfile:
dest: /var/local/etherpad/etherpad-lite/settings.json
regexp: '^\s*"{{ item.key }}"'
line: "{{ item.value }}"
with_dict:
title: " \"title\": \"Etherpad Aurore\","
dbType: " \"dbType\" : \"postgres\","
defaultPadText: " \"defaultPadText\" : \"Bienvenue sur l'EtherPad d'Aurore !\\n\\nCe pad est synchronisé avec les autres utilisateur·rice·s présent·e·s sur cette page.\\n\","
lang: " \"lang\": \"fr-fr\""
# Service file
- name: Install EtherPad systemd unit
template:
src: systemd/etherpad-lite.service.j2
dest: /etc/systemd/system/etherpad-lite.service
owner: root
group: root
mode: 0644
notify: Reload systemd daemons
# Run
- name: Ensure that EtherPad is started
service:
name: etherpad-lite
state: started
enabled: True
# La configuration de la clé `dbSettings` n'est pas encore automatisé !
# TODO-list
# * Configure admin user, logs
# Plugins : https://framacloud.org/fr/cultiver-son-jardin/etherpad.html#concernant-framapad

5
roles/etherpad/templates/apt/nodejs.j2 Normal file
View file

@ -0,0 +1,5 @@
# {{ ansible_managed }}
Package: node* libuv1*
Pin: release a=stretch-backports
Pin-Priority: 600

17
roles/etherpad/templates/systemd/etherpad-lite.service.j2 Normal file
View file

@ -0,0 +1,17 @@
# {{ ansible_managed }}
[Unit]
Description=Etherpad-lite, the collaborative editor.
After=syslog.target network-online.target mysql.service postgresql.service
Conflicts=shutdown.target
[Service]
Type=simple
User=etherpad
Group=etherpad
WorkingDirectory=/var/local/etherpad/etherpad-lite
ExecStart=/usr/bin/nodejs /var/local/etherpad/etherpad-lite/node_modules/ep_etherpad-lite/node/server.js
Restart=always
[Install]
WantedBy=multi-user.target

186
roles/ipv6_edge_router/frr-apt-key.asc
View file

@ -1,186 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFvRo7oBEADH/lEeQBaRW4Lpmzhpn7W53hhMUefgj1bJ7ISpMC3qOlgSIeof
sQjZ5Hr0RHxz5bRVRtcOhPhKRvL0wCmTpROvKBVyrOHDn4AAh+D7bqhzrEZezJwu
on2fBRA5prT97r99WKpIPjyqeKHWY3GsbkKMYAcFMGNwYZudEm9bqFaZ9F1CX96i
VHTArZiZZgPPycOW6fZzrdPDa5/07WA4tJ4PXnMFEd3bLpRDW/t46XqBeNOitBcN
TrRY7LY/rLnfAUfTWlQVm1wb5gl1E0e4LDlaAysqZCVDriAUwNzk9aRnLQw14h18
af3sIi649fQ/uv/JwQ9hc1os/gu23N4wKSwSvQGYo3V6oqbxkhIQ5TR0MgXIxfF9
LoSFgnrXvUpUc+V4qXJJV+hLbTEoAKrHaON0f7BQHAiTsKB1R7FLVCMFIRtuZ1RD
iUCL9jFFXmAikHsTUFE2EOCW7+kqRSQ5ICu3IqMbXXA1dHz4tN2ji5LPZ4OKh/1O
zZQCBev4IZ3KWibFZwNxDwWFSoFQeuNKnVujsfR31SuFRWmASqZGGpN/Jr+zVNsb
iUXUBrnSj8PXYs1zSLrfVVlaga6EI29o5ozUweZDvn5VnRycHaTVjVEmYynnf0ss
axkRKDgP4e0czNTbH9Rze+AL/Xfc5F0CVQ3jGZQwLgspqpj2UNicZhTzQwARAQAB
tCtEYXZpZCBMYW1wYXJ0ZXIgPGVxdWlub3gtZGViaWFuQGRpYWMyNC5uZXQ+iQJO
BBMBCAA4FiEEPZlorJrnvhFpKI3bH9WDmJX1f9oFAlvRo7oCGwEFCwkIBwIGFQgJ
CgsCBBYCAwECHgECF4AACgkQH9WDmJX1f9pNHg//VS3bICTNEjjmXRtHdsKyRs2s
Nl6BefYDuOPy6NWIra9oLZzo1G15Zt8wH1LLHIBND1d8QILa1739coQhfNJeeuyp
sYclgSoX85UqpLeHE0Ws/o1vjNmAlQX7qDR5q1iOxUfxLjyXAR7qaqOCBR0uGjxP
ZCI88ctu0bt9iI2rzmKwgyORDWwvKOmHovHxB8stPwdToyQK/eij94CVlf086pOz
eIrEjC54jE4pq7nae8w7RsWs5OmgBkrZoXIuLBfHa1ynbUjhE3okPiZDnZr9bPTH
FpJ4DnsQGhZGjFIiNVi5zbV+MxjavkfbshpzE1TK9EhNf1DdI8A+XzpiTfA5ifDL
sm/KnA9Z+4T2EswthB6YV1lcnacSGOrEI1CQUTHPSFwZc1WUDkX5aqwib8fCT6U7
oEngVBwN+guj5l2ba50pt1bct86c8Rv0cnaeKt6boe9sLeHbAur/R7Smdp0yIwAa
pq52eSQvrxkV2sKlvOrBLX0v4hOut4LQKzresM0smjARYamh3ksj7oAaHJx1+RMZ
AK7i2AjcMR4BvALTerVd2oM4SNghSFubJTVoMUarzeM3XQ6mFGbdwsqo6ziPlr2r
vtX7syFclRXaeJw4VAQqXlBqbpZevld7A9/3G9CyuRSoQxgPv9p6fx3aE7R65O9U
YsBsMtj2oxhKnkNjoky5AQ0EW9Gj4AEIALrNBXS0J+LAtQjWfJUwp9KsXCYx/1fL
YDENUdkbwfCTDHPZFgZf0jvPFuQkvFl7SnoyjwbnDlFCn2kYeZJ1vS3ZidUwZbcE
QCrARSKBzovsHDdafQwuUi21GAGuBOmIUSY5RihozjLgZ/5h2/vbqmCucfoYsctb
tl3jpT8HTo6DJ4oQWSsHF5e4G8U5DCpCINbJnpqtfIFbm3yYGHm9Yzny4E2aMnzG
lHErxxAoYufGLh6Hfs1JeJSsWL07334NZMU/zgzUs9dBbhbJ0/QBnRVuU+YHje+x
9Ir+szHjKwHo29K6g3BV2BTjWpoW7IQG2d6baN1VgWepwpLnbzAG5wMAEQEAAYkD
bAQYAQgAIBYhBD2ZaKya574RaSiN2x/Vg5iV9X/aBQJb0aPgAhsCAUAJEB/Vg5iV
9X/awHQgBBkBCAAdFiEEN1UvZYKIwg4j4yPMVBjykdDUoaoFAlvRo+AACgkQVBjy
kdDUoarcggf/S3Vd9BqByRkCyuPLwgKWLt3KsIuKOKG9+lzoAy2VsKOomistO3g0
itefSRUOGgSArVG/rarR0Dzva3LI7sFF9vS4XKlARSPJV0rY13buSR/LnagqmWUf
mQJTnh+MSWS6P37Burw0DqWioPd7VJQ67BfdrGUUeP8bChIPByo+ssi1qu2MFmLj
toYiLSYW0gRSKtn8+oz5hk1lzuQBBTZ14ykqwZH9L1kCo+3Q7O7e1dztJ6NX6jEm
QeHwLq27RqoUG15HR7CQvupa5CLbJ0Vja2tSkUnYb/ph8z7H9rkHz4qjKQWI1QoC
jLkiyrdDeWqVWfpwGhoAryBlWKn51T9j6NecEAC5WojJF6xqYFiiT/V7ekmMKZ0l
PA/IwW12U+ZP2EFVbqXjwBj3Mqx4NshNdRiWsl24ulIuNpmi6I3MJzx/1sfafGHl
mq7n2zv0Cky37M28tYoDOt5fzSLYn9cgo/OzhS3D05ARbHP+ofcXDz+So+mj8wQb
uW2sh9ToaiYOMzGqyMR0DFO6++FdIYzphN0sPyJBdfGeePNajV6+xhdS4zktWEGq
QaF2XukTGxodJ3J3poeCarfK9ubmkemLRJ1Q+ynlx5KNzvt4Ut1pEO+OXkYOxGfI
8gUuj3BXICVP3UVpB7RaqW5obz8zqQkskRqIBBrLoX+Dl+l4sID20BmW028xurkf
ef3lNfLGTat4RleypLrcVZ4CMvAM/KOLInrXEoFqIKLiwnlAp6RK3mRL1IURyOtO
WENn6w0DuD3yyQVglQfNft6TqaMjVxFjh2fDgWvISMe7x4Jp+EWljwBnpi+TtnG/
P99J2sGb9Hwu6gC45mQ1Ufoe+suYuehSxAWNz00GzBS9XU1xRs00xLCjPNPhSjHO
MqmGdm3cSeFdcmp7JRM05RtDOeBYAZuDV/HZNQu4XG2gHUv1xbuIqwKqN4vRMrI2
8fWRdN2sPNlULTjeeMpxy01lfwilvVkXRJKyCPCx9MWZfJ0qbFeEC/cDOonx34lK
mBW0B2Otoah+Em6d5bkBDQRb0aQLAQgAxXl4JTeK5v3xU8CxMG8IRLVrfT2XTWN+
RvfnIoPPpvs1M9XXNnw2jVKaMJq/s9gKxpl3QaqcxR+zf+7L49ooAUoFodPg2Fbg
HoNLZYukSLyPyL4LgE/X1ZQpx78m51Yn+vzej0Va/dqa77W90GlDM4CIE/ikFFpn
oPO3c1SaqJv+bk3XNoP2l35ttsk3Y9if3r2LJRyn/ovVXZgQD+Ulb+klYugOBiKl
ezuq/v2tnySQJ7ouXuWyoQrcuTUS05GbFdhlbr4xJHE2HLxmqn1aSV7TQb8Uk9zQ
0SmSTinnlSlAgoDeq1veDLeMnYo6No2V2IOcXOLv9hOa3sNV+FnsaQARAQABiQI2
BBgBCAAgFiEEPZlorJrnvhFpKI3bH9WDmJX1f9oFAlvRpAsCGwwACgkQH9WDmJX1
f9p6+Q/+N97F+PW383hTi84JMyiQsX0mJrvDjt5hkkdN+7u0tUNL0l3AACQ7b85/
ofJsGnfh8kYlB2nCP+gaNQU03qqbcyMLHsuwB+ULG0izbREb7aK02RBluFpIbgdV
rFrgrUkLiSsuQLdReQYRTP1tU0peosBPxhhb1alAGhkPebWx+MLlbtiyg/j4pu8+
oFirrJ5WEltamGt8OSbdLGNS22PuwxV8VDo/Xbi57P1VBglCpgG1nWDEN8+i5nHh
8OKWZmvRhih1F89BR7U14OET+EENrZd8YRF2KOvOAM0eR1aIK/AilbINVZV0girt
B/rYFhwi9i7Fyo3gEtPRRZpzcQ7V0VZiBlpEAbjgqwe1XDVNJYquM7E4S2jBidR6
XJaYQImiwzMcyFopZZgD0F46xSI3O8zZp21g7Dq4pv6wRXGU+L639u+X5INDtJ7s
kykwrYzmeGg/Mp0Mseiqq7iIJXrbP4dL1+Ck9alSGCe0p5vd3CIeBR3pFeSDG6yI
2DiRzDfzbkIuUdIOAjXWjIl+XWfsFc/Znnux3UcAGec4Nhe3JvKEy5keDpXZGSaZ
JaFJ3WJl8uQfJjO8n8M+P2lxmrpaErqkMk0+SC3DcSSZFEDigD6flMvfdVnOqdLa
R1K6skDZkO+PQYqSydf9erO6+YgEjJB0/uCMXgHDVsmO3uKLOTg=
=IWDv
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFyFXCQBEADengbfRCSixqjsBj7hnRsjDMihbgfolZe4asVd/JNh4xWqs5+z
Q+vZUNwluJa6hYrgFW66xPfQeAbo11pS9r2RNkemLWi+8gf2vUwGlp8ZPXb/hYsR
7URWJo+4GvfqH5RiTdLlJbPQnLSlCAMhwaAl1ko+p2zY/ImiAL+yaO8YYYN4sG31
+67gG3t7AnbH+QjeoEU8heg+fYBiQXSmJ3nTvmYB0lgY/Cybh2Fge90JIZWoeWGp
fX1zhpCoJGXIW2GyOFQRMYQCbKqtrmicDkgQTocItDfUSwGBr4EFHM+mO0DwfZ8R
Lq+hzkLdAyJwWGNmiHbk8zFIBnktenmgslkoawvNOkGIz7mL0wqkkw6FYCojSnuj
ndlYg/XAKrr5RpSDwxwvzWhjyuA+0g2nXBFKWQ/SVZH5niXHTgXBjKfbXjF85eOu
bVx+82T7KV+aSAr7d0vAbSQO/XK6YrcXTJXZZbjIo/1eauT/FPQCBAejgOAle9wq
aN04IE5+XPnRkqe5jodDyf3c8hHRL0xWthtj0kupV/7VWNKBLlMESPVfSKN9kjkR
aTO6dH8jM0K1QWo5/mzEHNv4O2j8kyHDKJdRi+8bJSRKpToFmaLSe5gSA8vp/Fwg
rY/eLT/5GQ0XOkqtonLYkHbLu9m8H8IrYRgCBVuLCa3cEbYc0mktmm3ExQARAQAB
tDVGUlJvdXRpbmcgRGViaWFuIFJlcG9zaXRvcnkgPGRldkBsaXN0cy5mcnJvdXRp
bmcub3JnPokCTgQTAQgAOBYhBEpWx3OLs/gVlagF0qgydpkI8T7RBQJchVwkAhsB
BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEKgydpkI8T7Rj20P/3Or3Vi/k6jj
qb9hQKJgmX0taDG+FF1+X1WgmYOdW01jGK5jj1k3nKYQf4VGzR+eyUBTN54IpFsm
aW5DwKoMLcaMQ7OAbl+AtpW700Q5hAtz4aWB5Stl7wyjVl600INES5DOuIuEmqB5
60uUePNqF/+XKUgDgbQFc3E/Tb+c+Z7ADIhbIYPLUcSwJtRLhbnPGjt+pTLmPCO1
i/NPRjzwzFgyHJaHqlGFNUUFfqHqGWXLxlO0A9m+r1gOiAevV3ZTzC2izkjOhJHT
5XWFW7pS9jD78XgSN310glGYmWHZ0hxDgNR4V0oxOZCma1TDjfWVnUfK5pkm/78i
qRHc8tjt+tor47iOsml4J95Qr5Qxvf+iDgThXcYMAVDRULITmiqZqA1pkheCBugl
vQ7tvdjXf61ZxOZnDaqtLAHaSB/EynHaBaCzI2obQDHSgC1AU74f9SSN0j4HD01V
McFh9H0YZeR0eo4I16HHYUcExQNWJGfeuAC1XBGiNixHXy4c1PdxPFGPDnFtH3sX
2I5X4sKRVhZEbhRe111B93OFdkvWXmSyK6afu6qJBqB52zEe7F6UcNLP7ZnzafJV
bTCSZeF3Nzt58byiO5jt7nj1wKxv9HpQVy2P7V0CXJB4EK42tGhejjEOY8FevWKF
0OHX9RWKktlKAsLYFNPbHGPSo/ULj+sFuQINBFyI47kBEADLx3nZ+mFReBN4/E4C
Gl+B8bKPJ+gaFSdcw8GWV2NFMlJvOqg7Fa4djrqGaOA2YomnNpddS62jAUNdlgDJ
qRlZVK+Mqctdqgz7Gsuj4l7G/XjnUpQzPaEjxMXzCdFbP19lHa6GvyTgf1TewaNv
uLBe+oaObdgiAXCUyS3RUtLc9L7KU2+BlnX2JKeQK5K7sRromFfPc27qN+hsWgpy
xPvWYMGMHA0RjRwXOitjszXVZGUEPxwhX1kFOuFKnIcKG2jSbX/KLtcV1DNZro8s
Q9hb2UZWZxrwVIIh8FTL8esf0zM64HLo1sZ6yUaVzzeETuWZFMMKaF1dn+KtmKkL
KjgplRzJSE4QDP+48F6l9RCnrpIg33/rfN/M5Lbx5g2fhfT84+wQD6cKHypYfFng
GJbmpUCgITcxGFmpetCTpYkxsVMzikudFe2YSJ7TO0aVBgiHfBoXU9g5AXuDYVKi
8ZpaWcRSu4O0H58Kh/hk/8yiVa8e1nTMjsZuXMle8N52rF2G7vrMhva7uccgbbY+
ZlOtWpZ7MJzIn/vKeWxXNDcvG7CVHn4BiSLXRcrNgw/I4UjhqpeRdx0l+j36HdDN
0yaSZu6uP9SnsB5wkm1jN3uoNMFAdvpIqoaK9+2b5xKxLsNtE/R3anX9TlfFmeom
k0JxrTsNqpRxBw5GylM96Bd9BQARAQABiQRsBBgBCAAgFiEESlbHc4uz+BWVqAXS
qDJ2mQjxPtEFAlyI47kCGwICQAkQqDJ2mQjxPtHBdCAEGQEIAB0WIQSnzWQmxSYW
E+lH68yjyrYexHux0AUCXIjjuQAKCRCjyrYexHux0J+TD/40x0L8vzP+k29NEreT
N+k6889rCWMKAwmKWpgUN39nv9hZbSOFWDQs5Ttp+Rc+v7L5Pj4avJPzGnQieTMw
7wKOu8ZUisBVzYfYsxlXlKsOLZrVlQpFJhWNFOBq0axYlP6vrslXkMPk+IPz8/FV
USVByUHNNlIPmJU0WOIoLt+0YkqN1c1UCui/H6Z6IFpFIG8WLpgAtyKvqu8kdnEw
JEqpp4dO/ainnF8fL8VuV1+cdbxRO0IsOJBqQ+M8LFI2ANJscW+l6sg9RX2ZSExQ
Bm6dtPnsfP483SwH62PbaMP4lQ+Zpjl6ngoxv+S0RIDoW5Zl3zGe721NiLmz6Llz
0Ghe3Jgnf1JHOlR893Hi8UkvvTbBLkR4fbvmbgHvhcNWCL2hGCsxDV002hI4OlYp
px1gJ/HoU7lrrKQCzwTTxfQ1JiTMa+eiwY8xQGEfqUY83pWkx3wGUBa+W3GNlxD9
+pZIzmxtD4uylA9lwnw/GXV4RauDuHMwWuqAGtDEr9Y8nYHuxl5/KdYOCf98sOzv
XU8btnxuGHrWb5OgRD21NeHa4zwYXIuYOQtYai6IboKdH70l8b3VX+xtu9Fwf/V4
5EsipWedfA2S3CtKjP6Pv5C6NAVoAnXinqr1VAXMJT5PvXmx1mLP7Xms8o7O7xda
rsERKxVtt+JjArArk/gpFXImPLArD/42ZChEpJgbjabTrd6saI4BOsKSARX36Cxe
cjJuWNvddpsb9WgYXbXCSK5hOybFYLlbRmdFmz1VzVy5au+Bsbmy+jKqzgAM1sui
wE6WyVIOdN3hTZ9W20Fb4pa6MWd8dpWBwi7g40oRvaoPpspcimpa6OCNktij9zrZ
/hN49JYbLjA7V+rE+zWWz2m3Ecwn2A5LZdKbrI06uKFltTRUhMZ3HhwhKrNui/iN
YpwDn662jJaTxJ8x/WQJP6ILKVi3wk0eGFBSapEUv+D51y1v0dRh/QOO98RnLQ/p
T/4y7BPxEWLLNr53rPHOjd2ClhDNZ8+dFzYrOCs+1f+mpWf7yF9wHBs2hOhSZAMx
34HshZVLGBtdfD/cb1MA5MnBdfJHHFjL6EiJOP30YKJsTEGgqpAyMtyZt5/MKEfj
r0OV/La7s38fpcPlZplF2/eqgxt7WiQu5I6BUXJcSlGTe97Rq5Ba/tSHzUnK1FNr
v/hfBSgtxmX2qT5ojMu+UiKtvJDeUAGFLAJcaaEv92frhLWHcXXpayUuk/wdU9Qg
y8F+yFtYGY2lj0h9WCeKbYUAm1p7skW5v2nsMw6I3QOPFzQBzm1rFQ1vFJMaqFFC
qvHJALsI0SmaI7ruXYrm7CNv6qJKo3URYGq27Tm9lhut8iWKsa1/NWW5LZxzt2mO
egKcOCfAMg==
=Lt8H
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFyVPosBEADMyAbmmfo6x7e/dly+yQk1BuWUDbvMHFX9coCSItNxVvvIVzYJ
Bw9pp4kJsTeqTI1cNQcCCjaeWbWevINCD5yFGN25xNPz2s1lgHCpJQzs/1qMKuE8
vrHkEpJZTrdPSl8J8VdjQDCIh0NrLss1VzoPpFbm7lIkuN/6tl87hsyUyedd/0bY
KkNVZfOW4UAjJFWQakofhTVifHqozb6wu+SYtPFnP/yBJdsYwrKlyyhR8hIIjyAK
sxpKz6Dym6tHoDNLIcPy1Q3uNUaYdN2pXXRqzLTIKq7M7RhgY1W7QO7VFtkaG74j
tmjbJYsX6nBGSlGE5cmlSz8N+D+uR/0NPMvgKOwI38joIT5/Sii/jgZUuX4Mz9Zk
7Rh/C+P906dJpjbCbEPYSxVnZC4fHJZ0ezSEgrFKZ4QGoViNJEcc6jwNkgTM7jdz
0e/xMKu4Ed30jLO7TvnwmcGWF/m2DZIgIMu9rhNHUaKeGRKo+Daf/x1naRbht/a/
uSyukGJA5koipy8XxmJorx7MdIa9ekYPJaHM3eOcE1fxn7IcOwoqn0piB4lllq2r
akLif195eFIcdI/cRfCX2fgQxBbgAAolUCqguJfus7cQCkn9Fr0cDgq7c0s0dQEw
0kofqGUq6/fpdqxadRdPlYXS3BIvrWA99zOVCzxaccvKaMZxaKauc/rKbQARAQAB
tDNKYWZhciBBbC1HaGFyYWliZWggKGxhdW5jaHBhZCkgPHRvLmphZmFyQGdtYWls
LmNvbT6JAk4EEwEKADgWIQSpD8NtlClAl5jpwth03u1DqxlNvwUCXJU+iwIbAwUL
CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRB03u1DqxlNv7w7D/90u8bETWZmzRZ7
sRBfyN30YhXgvEJQCSKFgH1H5BS9H2W+VYQ8nmXpoVpsU5wLVosJ55WpO9oF7+6R
+wO2r3lo+vkqFzscYLfNd/KTo6r7kl7VTTN9bBCMgl7eFtmqSO90o5UCrNBHk2Ax
fTBJX9TLGa4SLPhiTlz51XdyYls3yG/3yQ6de6K+jPjrQsP2VbBSHP9OA+MKRTr6
ONDTyJJ7TEAuoX7W1NLMQYS0kdA1jjGvTKeyHkb8QqFDTM7RyRdczKBEwOXSi7DW
8v3Ink+7CgKGGLnOo3lXlm7q516Z9JMJ5BJtFkTx6Bo9iSAK4jSBiC5Zlta6CtP7
lLwq/eOut/y9VoDXsdVkQl3UdTrB5b/4MZHL4Z6ykN1dv56XzjdnIl/nM7azwrTW
N9tBDhjrYvKvscSI2l8TGdAseb4ftovHwIBFjNIlI6TYVEUR93ZEGPZCmuYeVSJe
MWStJuLDa+bbbr2/OLvHsjyWB0/5LJNsHHfMCKLZTP8jeNVcHAJi7P+iNPPLp57C
N2NEmyuJwgxFN/5cHlZzkg0QQgSaTm/tsft0jFJh4s0kO6L5NZ9ACP2JC9wfaBmt
QFwdl+Tc5/Jf6pTnnMzeHuSiVWvG4jB3EVr47dWD7p5ekP+O0cG0Rnm2rf66M+fo
z88Ga0gduOhxfdRn1qT3smK3hgyv2bkCDQRclT6LARAA8xTr8yu7ab6f4NAeMnTL
4mjjYoYVXBMd4qT/cdtkSFoCdOl+MwcEZmDrq1HzT5CVXo9hPEcI7iuyXiejoMhB
GFfvdY0Pcg5yMoUL57kE3XBoz9C8TEal1loSfTJ4IRou2VpY2sruaKgxO7PvmyQM
D8mk4Sgyewn6VkcQx4dGwQrN2VU8mwFqp4GnEm7DgVJKqFRD43hCFoncNYaSOc52
vf/EEU6VYxPWi01nZoRiNp8tXt+dYk5yb6fEhDsH9YYk51bgiiiGNoQw/zC1w2ek
zPqJH/Y0BzoODbJ59vqc2jCuzGII4tFkijYbBTcCk1b7/yvQgwLdBpOTrrHcNolh
plr7zHcB8TOc3aYrJ8TkwgP80uK85vlAIzB9AkZ/9Gn2K08b5eVC9cvMm0idwFkg
0fHY+v2aDesA4lv1UtTsQVmrqnx1zaCjwH9tu73GTGXX40guYpbatPu3HDog/QkV
fykVI5B2+vMixFCzudMKg80K+H7QI3uc1efqEmMRKjQU2rKXTNo/lASWjQMNfbWt
JvEsLuLPc909OFhBfoX6GR7pmbKn3MCrTpLVeUkmp0EjcqYaDZXHnzKZQjjNjOKm
6J69G3Ro6Abs7tRpnqOLTLZ5DKWBYidc3/fp/BF+CpeHdZlstLUazQ56ti9GshPf
W4+6TRg2gt1leeXRU18jQz0AEQEAAYkCNgQYAQoAIBYhBKkPw22UKUCXmOnC2HTe
7UOrGU2/BQJclT6LAhsMAAoJEHTe7UOrGU2/kToP/il4dvWMMJS4pgXuDPcwTaYc
e8T9a8Uf0B2BOOKJgLZk2kvI21bwHnGxXc3zuUHCzZ81Y89/IpX+s37J+frvLbqd
xOfE39+5plK9BDn7G9UsTzg7mXuGWpMQA6Mvki4LslY/qCfUqzVeFPNZquH4Emxr
z1u0SldhaqctrkKwW1teTTmqbCtGrRpb0v8x42TBw+WvBJopelpgtdy3TnRbKk86
NkiiPFVRnfC0RjyMlLxa095t5s8irrqjnAAKMvwKiuzt97CQ/U68WbsOYLyv42PT
ClfbbFJw6ghTZ7SRxiGwUVz7EwQ31MsiffmyJKRca81yqSQfrPS4MkEXChZBt8wF
C1IhG9I9zbHKt9saXWPYCbL8Zs2x3c1md62dl4mrH/VwLV9T+7PaJCM8qrFtkWlu
cYntgBhLW1KY9dWkCtZ7ML70n8FyIyHMD35mZb3lw+c1dBusuwGwZLSksH9ucOQz
Zh3+rlZ8PkYXXosKTkp9qBDVoSgNU5AH8F+K/Uw1uVm+JqqFP/ieQQydS8wAVYAv
ax/ZP+wTHhLvmHUoI70K51osk+sLcFh+h9L6sK+kq9i2mrJs/d2Sk6jau96RJCFe
pHI+29yZoK5ZpOkvFAFvbNXMFd2sn5O60y9LAvr9u2QRNlTvmQ7B1o2/US62SoD4
HGxIKIAggOUujclydhvu
=+/L/
-----END PGP PUBLIC KEY BLOCK-----

5
roles/ipv6_edge_router/handlers/main.yml
View file

@ -1,5 +0,0 @@
---
- name: restart frr
service:
name: frr
state: restarted

39
roles/ipv6_edge_router/tasks/main.yml
View file

@ -1,39 +0,0 @@
---
- name: install GPG
apt:
name: gnupg
- name: Add FRR repo key
apt_key:
data: "{{ lookup('file', 'frr-apt-key.asc') }}"
state: present
- name: Add FRR apt repository
apt_repository:
repo: deb https://deb.frrouting.org/frr buster frr-stable
state: present
notify: restart frr
- name: Install frr
apt:
name: frr
- name: setup frr daemons
template:
src: daemons.j2
dest: /etc/frr/daemons
mode: 0644
notify: restart frr
- name: setup frr.conf
template:
src: frr.conf.j2
dest: /etc/frr/frr.conf
mode: 0644
notify: restart frr
- name: enable+start frr
service:
name: frr
state: started
enabled: true

67
roles/ipv6_edge_router/templates/daemons.j2
View file

@ -1,67 +0,0 @@
# This file tells the frr package which daemons to start.
#
# Sample configurations for these daemons can be found in
# /usr/share/doc/frr/examples/.
#
# ATTENTION:
#
# When activation a daemon at the first time, a config file, even if it is
# empty, has to be present *and* be owned by the user and group "frr", else
# the daemon will not be started by /etc/init.d/frr. The permissions should
# be u=rw,g=r,o=.
# When using "vtysh" such a config file is also needed. It should be owned by
# group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too.
#
# The watchfrr and zebra daemons are always started.
#
{% if 'backup' in inventory_hostname %}
bgpd=no
{% else %}
bgpd=yes
{% endif %}
ospfd=no
ospf6d=no
ripd=no
ripngd=no
isisd=no
pimd=no
ldpd=no
nhrpd=no
eigrpd=no
babeld=no
sharpd=no
pbrd=no
bfdd=no
#
# If this option is set the /etc/init.d/frr script automatically loads
# the config via "vtysh -b" when the servers are started.
# Check /etc/pam.d/frr if you intend to use "vtysh"!
#
vtysh_enable=yes
zebra_options=" -A 127.0.0.1 -s 90000000"
bgpd_options=" -A 127.0.0.1"
ospfd_options=" -A 127.0.0.1"
ospf6d_options=" -A ::1"
ripd_options=" -A 127.0.0.1"
ripngd_options=" -A ::1"
isisd_options=" -A 127.0.0.1"
pimd_options=" -A 127.0.0.1"
ldpd_options=" -A 127.0.0.1"
nhrpd_options=" -A 127.0.0.1"
eigrpd_options=" -A 127.0.0.1"
babeld_options=" -A 127.0.0.1"
sharpd_options=" -A 127.0.0.1"
pbrd_options=" -A 127.0.0.1"
staticd_options="-A 127.0.0.1"
bfdd_options=" -A 127.0.0.1"
# The list of daemons to watch is automatically generated by the init script.
#watchfrr_options=""
# for debugging purposes, you can specify a "wrap" command to start instead
# of starting the daemon directly, e.g. to use valgrind on ospfd:
# ospfd_wrap="/usr/bin/valgrind"
# or you can use "all_wrap" for all daemons, e.g. to use perf record:
# all_wrap="/usr/bin/perf record --call-graph -"
# the normal daemon command is added to this at the end.

24
roles/ipv6_edge_router/templates/frr.conf.j2
View file

@ -1,24 +0,0 @@
log syslog informational
log stdout
hostname routeur-aurore
password Tux
enable password Tux
interface lo
line vty
# Aurore AS.
router bgp 43619
#no synchronization
bgp router-id 45.66.111.254
# Remote-AS: Zayo.
neighbor 2001:1b48:2:103::d7:1 remote-as 8218
address-family ipv6
network 2a09:6840::/29
neighbor 2001:1b48:2:103::d7:1 activate
exit-address-family
!

14
roles/isc_dhcp_server/handlers/main.yml
View file

@ -1,14 +0,0 @@
---
- name: force run dhcp re2o-service
shell: /var/local/re2o-services/dhcp/main.py --force
become_user: re2o-services
- name: restart dhcpd
systemd:
state: restarted
name: isc-dhcp-server
- name: restart rsyslog
systemd:
name: rsyslog
state: restarted

110
roles/isc_dhcp_server/tasks/main.yml
View file

@ -1,110 +0,0 @@
---
- name: Install dhcp (re2o-service)
import_role:
name: re2o-service
vars:
service_repo: https://gitlab.federez.net/re2o/dhcp.git
service_name: dhcp
service_version: master
service_config:
hostname: re2o.auro.re
username: service-user
password: "{{ vault_serviceuser_passwd }}"
- name: Ensure appropriate permissions on dhcp re2o service
file:
path: /var/local/re2o-services/dhcp/
state: directory
owner: re2o-services
group: nogroup
recurse: yes
- name: Install isc-dhcp-server
apt:
update_cache: true
name: isc-dhcp-server
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
notify: restart dhcpd
- name: Ensure dhcp log directory exists
file:
path: /var/log/dhcp
owner: root
group: root
mode: u=rwx,g=rx,a=rx
state: directory
- name: Ensure rsyslog knows where to send dhcp logs
lineinfile:
path: /etc/rsyslog.conf
line: "local7.* /var/log/dhcp/dhcpd.log"
notify: restart rsyslog
- name: Configure dhcp log rotation
template:
src: logrotate.d/dhcp.j2
dest: /etc/logrotate.d/dhcp
mode: 0644
- name: set up cron to reload dhcp re2o service
cron:
# Do not change this name or idempotence *might* be lost.
name: dhcp-re2o-service
cron_file: re2o-services
minute: "*/2"
hour: "*"
day: "*"
weekday: "*"
month: "*"
user: root
job: "/usr/bin/python3 /var/local/re2o-services/dhcp/main.py"
- name: Configure /etc/default/isc-dhcp-server
template:
src: default/isc-dhcp-server.j2
dest: /etc/default/isc-dhcp-server
mode: 0644
notify: restart dhcpd
- name: Configure dhcp-failover.conf
template:
src: dhcp/dhcp-failover.conf.j2
dest: /etc/dhcp/dhcp-failover.conf
mode: 0600
when: dhcp_failover_enabled
notify: restart dhcpd
- name: Configure dhcpd.conf
template:
src: dhcp/dhcpd.conf.j2
dest: /etc/dhcp/dhcpd.conf
mode: 0600
notify: restart dhcpd
- name: Configure subnets.conf (regular service)
template:
src: dhcp/regular-subnets.conf.j2
dest: /etc/dhcp/subnets.conf
mode: 0600
notify: restart dhcpd
when: not is_aurore_host
- name: Configure subnets.conf (aurore service)
template:
src: dhcp/aurore-subnets.conf.j2
dest: /etc/dhcp/subnets.conf
mode: 0600
notify: restart dhcpd
when: is_aurore_host
- name: force run dhcp re2o-service
shell: /var/local/re2o-services/dhcp/main.py --force
- name: Ensure dhcpd is running
service:
name: isc-dhcp-server
state: started
enabled: true

24
roles/isc_dhcp_server/templates/default/isc-dhcp-server.j2
View file

@ -1,24 +0,0 @@
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
{% if is_aurore_host %}
INTERFACESv4="ens19"
INTERFACESv6=""
{% else %}
INTERFACESv4="ens19 ens20 ens21 ens22 ens23"
INTERFACESv6=""
{% endif %}

12
roles/isc_dhcp_server/templates/dhcp/aurore-subnets.conf.j2
View file

@ -1,12 +0,0 @@
subnet 45.66.110.0 netmask 255.255.255.0 {
interface "ens19";
option subnet-mask 255.255.255.0;
option broadcast-address 45.66.110.255;
option routers 45.66.110.{{ router_ip_suffix }};
option domain-name-servers 45.66.110.{{ dns_host_suffix_main }}, {{ backup_dns_servers|join(', ') }};
option domain-name "adh.auro.re";
option domain-search "adh.auro.re";
include "/var/local/re2o-services/dhcp/generated/dhcp.adh.auro.re.list";
deny unknown-clients;
}

31
roles/isc_dhcp_server/templates/dhcp/dhcp-failover.conf.j2
View file

@ -1,31 +0,0 @@
failover peer "dhcp-failover" {
{% if inventory_hostname == dhcp_failover.primary_host %}
primary;
# MCLT = Maximum Client Lead Time.
# Must be specified on the primary, forbidden on the secondary.
mclt 3600;
# Address or DNS name on which this node listens for connections
# from its failover peer.
address {{ dhcp_failover.primary_host }};
peer address {{ dhcp_failover.secondary_host }};
# Load balancing.
split 128;
{% endif %}
{% if inventory_hostname == dhcp_failover.secondary_host %}
secondary;
# Address and peer address are reversed on the secondary node.
address {{ dhcp_failover.secondary_host }};
peer address {{ dhcp_failover.primary_host }};
{% endif %}
# The following options can be shared between primary and
# secondary failover peers.
port 647;
peer port 647;
max-response-delay 30;
max-unacked-updates 10;
load balance max seconds 3;
}

25
roles/isc_dhcp_server/templates/dhcp/dhcpd.conf.j2
View file

@ -1,25 +0,0 @@
default-lease-time 86400;
max-lease-time 86400;
# Option definitions common to all supported networks.
option interface-mtu {{ mtu }};
option root-path "/";
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
log-facility local7;
{% if dhcp_failover_enabled %}
include "/etc/dhcp/dhcp-failover.conf";
{% endif %}
include "/etc/dhcp/subnets.conf";

94
roles/isc_dhcp_server/templates/dhcp/regular-subnets.conf.j2
View file

@ -1,94 +0,0 @@
# Bornes WiFi
subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 {
interface "ens19";
option subnet-mask 255.255.0.0;
option broadcast-address 10.{{ subnet_ids.ap }}.255.255;
option routers 10.{{ subnet_ids.ap }}.0.250;
option domain-name "borne.auro.re";
option domain-search "borne.auro.re";
option domain-name-servers 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list";
deny unknown-clients;
}
# Users filaire
subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 {
interface "ens20";
option subnet-mask 255.255.0.0;
option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255;
option routers 10.{{ subnet_ids.users_wired }}.0.{{ router_ip_suffix }};
option domain-name "fil.{{ apartment_block_dhcp }}.auro.re";
option domain-search "auro.re";
option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block_dhcp }}.auro.re.list";
deny unknown-clients;
}
# Users WiFi
subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 {
interface "ens21";
option subnet-mask 255.255.0.0;
option broadcast-address 10.{{ subnet_ids.users_wifi }}.255.255;
option routers 10.{{ subnet_ids.users_wifi }}.0.{{ router_ip_suffix }};
option domain-name "wifi.{{ apartment_block_dhcp }}.auro.re";
option domain-search "auro.re";
option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block_dhcp }}.auro.re.list";
pool {
range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wifi }}.10.255;
{% if dhcp_failover is defined %}
failover peer "dhcp-failover";
{% endif %}
}
}
# Banni
subnet 10.{{ subnet_ids.users_banni }}.0.0 netmask 255.255.0.0 {
interface "ens22";
option subnet-mask 255.255.0.0;
option broadcast-address 10.{{ subnet_ids.users_banni }}.255.255;
option routers 10.{{ subnet_ids.users_banni }}.0.{{ router_ip_suffix }};
option domain-name "banni.{{ apartment_block_dhcp }}.auro.re";
option domain-search "auro.re";
option domain-name-servers 10.{{ subnet_ids.users_banni }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_banni }}.0.{{ dns_host_suffix_backup }};
pool {
range 10.{{ subnet_ids.users_banni }}.1.0 10.{{ subnet_ids.users_banni }}.2.255;
{% if dhcp_failover is defined %}
failover peer "dhcp-failover";
{% endif %}
}
}
# Accueil
subnet 10.{{ subnet_ids.users_accueil }}.0.0 netmask 255.255.0.0 {
interface "ens23";
option subnet-mask 255.255.0.0;
option broadcast-address 10.{{ subnet_ids.users_accueil }}.255.255;
option routers 10.{{ subnet_ids.users_accueil }}.0.{{ router_ip_suffix }};
option domain-name "accueil.{{ apartment_block_dhcp }}.auro.re";
option domain-search "auro.re";
option domain-name-servers 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix_backup }};
pool {
range 10.{{ subnet_ids.users_accueil }}.1.0 10.{{ subnet_ids.users_accueil }}.2.255;
{% if dhcp_failover is defined %}
failover peer "dhcp-failover";
{% endif %}
}
}

11
roles/isc_dhcp_server/templates/logrotate.d/dhcp.j2
View file

@ -1,11 +0,0 @@
/var/log/dhcp/dhcpd.log {
# common options
daily
rotate 365
missingok
compress
delaycompress
notifempty
copytruncate
}

4
roles/isc_dhcp_server/vars/main.yml
View file

@ -1,4 +0,0 @@
---
dhcp_failover:
primary_host: dhcp-{{ apartment_block }}.adm.auro.re
secondary_host: dhcp-{{ apartment_block }}-backup.adm.auro.re

2
roles/ldap_client/handlers/main.yml → roles/ldap-client/handlers/main.yml
View file

@ -1,6 +1,6 @@
--- ---
- name: Reconfigure libnss-ldapd package - name: Reconfigure libnss-ldapd package
command: dpkg-reconfigure libnss-ldapd -f noninteractive command: 'dpkg-reconfigure libnss-ldapd -f noninteractive'
- name: Restart nslcd service - name: Restart nslcd service
service: service:

40
roles/ldap-client/tasks/0_install_ldap.yml Normal file
View file

@ -0,0 +1,40 @@
---
# Install LDAP client packages
- name: Install LDAP client packages
apt:
name: "{{ item }}"
state: present
update_cache: true
with_items:
- nslcd
- libnss-ldapd
- libpam-ldapd
# Reduce LDAP load
# For the moment it is broken on Stretch when using PHP7.3
# - name: Install LDAP cache package
# apt:
# name: nscd
# state: present
# update_cache: true
# Configure /etc/nslcd.conf
- name: Configure nslcd LDAP credentials
template:
src: nslcd.conf.j2
dest: /etc/nslcd.conf
mode: 0600
notify: Restart nslcd service
# Configure /etc/nsswitch.conf
- name: Configure NSS to use LDAP
lineinfile:
dest: /etc/nsswitch.conf
regexp: "^{{ item.key }}:"
line: "{{ item.value }}"
with_dict:
passwd: 'passwd: files ldap'
group: 'group: files ldap'
shadow: 'shadow: files ldap'
sudoers: 'sudoers: files ldap'
notify: Restart nslcd service

20
roles/ldap-client/tasks/1_group_security.yml Normal file
View file

@ -0,0 +1,20 @@
---
# Filter SSH on groups
- name: Filter SSH on groups
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^AllowGroups'
line: "AllowGroups root sudoldap aurore ssh"
# To gain root access with ldap rights
- name: Install SUDO package
package:
name: sudo
state: present
# Set sudo group
- name: Configure sudoers
lineinfile:
dest: /etc/sudoers
regexp: "^%{{ sudo_group }}"
line: "%{{ sudo_group }} ALL=(ALL:ALL) ALL"

4
roles/ldap_client/tasks/2_userland_scripts.yml → roles/ldap-client/tasks/2_userland_scripts.yml
View file

@ -3,9 +3,9 @@
- name: Copy passwd and chsh scripts - name: Copy passwd and chsh scripts
template: template:
src: "{{ item }}.j2" src: "{{ item }}.j2"
dest: /usr/local/bin/{{ item }} dest: "/usr/local/bin/{{ item }}"
mode: 0755 mode: 0755
loop: with_items:
- chsh - chsh
- passwd - passwd

2
roles/ldap_client/tasks/main.yml → roles/ldap-client/tasks/main.yml
View file

@ -1,6 +1,6 @@
--- ---
# Install and configure main LDAP tools # Install and configure main LDAP tools
- include_tasks: install_ldap.yml - include_tasks: 0_install_ldap.yml
# Filter who can access server and sudo on groups # Filter who can access server and sudo on groups
- include_tasks: 1_group_security.yml - include_tasks: 1_group_security.yml

0
roles/ldap_client/templates/chsh.j2 → roles/ldap-client/templates/chsh.j2
View file

38
roles/ldap-client/templates/nslcd.conf.j2 Normal file
View file

@ -0,0 +1,38 @@
# {{ ansible_managed }}
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
{% if ldap_local_replica_uri is defined %}
{% for uri in ldap_local_replica_uri %}
uri {{ uri }}
{% endfor %}
{% endif %}
uri {{ ldap_master_uri }}
# The search base that will be used for all queries.
base {{ ldap_base }}
base passwd cn=Utilisateurs,{{ ldap_base }}
base shadow cn=Utilisateurs,{{ ldap_base }}
base group ou=posix,ou=groups,{{ ldap_base }}
# The LDAP protocol version to use.
ldap_version 3
# The DN to bind with for normal lookups.
binddn {{ ldap_nslcd_bind_dn }}
bindpw {{ ldap_nslcd_passwd }}
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope.
#scope sub

0
roles/ldap_client/templates/passwd.j2 → roles/ldap-client/templates/passwd.j2
View file

30
roles/ldap_replica/tasks/main.yml → roles/ldap-replica/tasks/main.yml
View file

@ -5,9 +5,6 @@
name: slapd name: slapd
state: present state: present
update_cache: true update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
# What is written after is really not a nice way to install a schema # What is written after is really not a nice way to install a schema
# because the LDAP is being flushed away always... # because the LDAP is being flushed away always...
@ -28,27 +25,22 @@
# Cry a bit # Cry a bit
- name: Remove old data - name: Remove old data
file: file: path={{ item }} state=absent
path: "{{ item }}" with_items:
state: absent
loop:
- /etc/ldap/slapd.d - /etc/ldap/slapd.d
- /var/lib/ldap - /var/lib/ldap
# Cry a lot # Cry a lot
- name: Recreate structure - name: Recreate structure
file: file: path={{ item }} state=directory
path: "{{ item }}" with_items:
state: directory
mode: 0755
loop:
- /etc/ldap/slapd.d - /etc/ldap/slapd.d
- /var/lib/ldap - /var/lib/ldap
# Install schema as root # Install schema as root
# We can't do a `become_user` here # We can't do a `become_user` here
- name: Install LDAP schema - name: Install LDAP schema
command: slapadd -n 0 -l /etc/ldap/schema.ldiff -F /etc/ldap/slapd.d command: 'slapadd -n 0 -l /etc/ldap/schema.ldiff -F /etc/ldap/slapd.d'
# then fix permissions # then fix permissions
- name: Fix permissions - name: Fix permissions
@ -56,13 +48,11 @@
path: "{{ item }}" path: "{{ item }}"
owner: openldap owner: openldap
group: openldap group: openldap
recurse: true recurse: yes
loop: with_items:
- /var/lib/ldap - '/var/lib/ldap'
- /etc/ldap/slapd.d - '/etc/ldap/slapd.d'
# Save the day # Save the day
- name: Start LDAP server - name: Start LDAP server
service: service: name=slapd state=started
name: slapd
state: started

0
roles/ldap_replica/templates/schema.ldiff.j2 → roles/ldap-replica/templates/schema.ldiff.j2
View file

37
roles/ldap_client/tasks/1_group_security.yml
View file

@ -1,37 +0,0 @@
---
# Filter SSH on groups
- name: Filter SSH on groups
when: ansible_facts['hostname'] != "camelot" # Camelot is accessible for everyone
lineinfile:
dest: /etc/ssh/sshd_config
regexp: ^AllowGroups
line: AllowGroups root sudoldap aurore ssh
state: present
# To gain root access with ldap rights
- name: Install SUDO package
package:
name: sudo
state: present
register: package_result
retries: 3
until: package_result is succeeded
# Set sudo group
- name: Configure sudoers sudo group
lineinfile:
dest: /etc/sudoers
regexp: ^%{{ sudo_group }}
line: "%{{ sudo_group }} ALL=(ALL:ALL) ALL"
state: present
validate: /usr/sbin/visudo -cf %s
# Set sudo location group
- name: Configure sudoers sudo location group
lineinfile:
dest: /etc/sudoers
regexp: ^%{{ sudo_group_location }}
line: "%{{ sudo_group_location }} ALL=(ALL:ALL) ALL"
state: present
validate: /usr/sbin/visudo -cf %s
when: sudo_group_location is defined

34
roles/ldap_client/tasks/install_ldap.yml
View file

@ -1,34 +0,0 @@
---
# Install LDAP client packages
- name: Install LDAP client packages
apt:
update_cache: true
name:
- nslcd
- libnss-ldapd
- libpam-ldapd
- nscd # local cache
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
# Configure /etc/nslcd.conf
- name: Configure nslcd LDAP credentials
template:
src: nslcd.conf.j2
dest: /etc/nslcd.conf
mode: 0600
notify: Restart nslcd service
# Configure /etc/nsswitch.conf
- name: Configure NSS to use LDAP
lineinfile:
dest: /etc/nsswitch.conf
regexp: "^{{ item }}:"
line: "{{ item }}: files ldap systemd"
loop:
- passwd
- group
- shadow
notify: Restart nslcd service

62
roles/ldap_client/templates/nslcd.conf.j2
View file

@ -1,62 +0,0 @@
# {{ ansible_managed }}
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
{% if 'fleming_vm' in group_names or 'fleming_pve' in group_names %}
{% for uri in groups['ldap_replica_fleming'] %}
uri ldap://{{ uri }}
{% endfor %}
{% endif %}
{% if 'rives_vm' in group_names or 'rives_pve' in group_names %}
{% for uri in groups['ldap_replica_rives'] %}
uri ldap://{{ uri }}
{% endfor %}
{% endif %}
{% if 'pacaterie_vm' in group_names or 'pacaterie_pve' in group_names %}
{% for uri in groups['ldap_replica_pacaterie'] %}
uri ldap://{{ uri }}
{% endfor %}
{% endif %}
{% if 'edc_vm' in group_names or 'edc_pve' in group_names or 'edc_server' in group_names %}
{% for uri in groups['ldap_replica_edc'] %}
uri ldap://{{ uri }}
{% endfor %}
{% endif %}
{% if 'gs_vm' in group_names or 'gs_pve' in group_names %}
{% for uri in groups['ldap_replica_gs'] %}
uri ldap://{{ uri }}
{% endfor %}
{% endif %}
{% if 'ovh_vm' in group_names or 'ovh_container' in group_names or 'ovh_pve' in group_names %}
{% for uri in groups['ldap_replica_ovh'] %}
uri ldap://{{ uri }}
{% endfor %}
{% endif %}
uri {{ ldap_master_uri }}
# The search base that will be used for all queries.
base {{ ldap_base }}
base passwd cn=Utilisateurs,{{ ldap_base }}
base shadow cn=Utilisateurs,{{ ldap_base }}
base group ou=posix,ou=groups,{{ ldap_base }}
# The LDAP protocol version to use.
ldap_version 3
# The DN to bind with for normal lookups.
binddn {{ ldap_nslcd_bind_dn }}
bindpw {{ ldap_nslcd_passwd }}
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope.
#scope sub

6
roles/matrix-mxisd/handlers/main.yml Normal file
View file

@ -0,0 +1,6 @@
---
# Restart mxisd when configuration changes
- name: Restart mxisd service
service:
name: mxisd
state: restarted

12
roles/matrix-mxisd/tasks/main.yml Normal file
View file

@ -0,0 +1,12 @@
---
- name: Install mxisd
apt:
deb: https://github.com/kamax-matrix/mxisd/releases/download/v{{ mxisd_version }}/mxisd_{{ mxisd_version }}_all.deb
- name: Configure mxisd
template:
src: mxisd/mxisd.yaml.j2
dest: /etc/mxisd/mxisd.yaml
mode: 0600
owner: mxisd
notify: Restart mxisd service

89
roles/matrix-mxisd/templates/mxisd/mxisd.yaml.j2 Normal file
View file

@ -0,0 +1,89 @@
# {{ ansible_managed }}
#######################
# Matrix config items #
#######################
# Matrix domain, same as 'server_name' in synapse configuration.
matrix:
domain: 'auro.re'
################
# Signing keys #
################
# Absolute path for the Identity Server signing keys database.
# /!\ THIS MUST **NOT** BE YOUR HOMESERVER KEYS FILE /!\
# If this path does not exist, it will be auto-generated.
key:
path: '/var/lib/mxisd/keys'
# Path to the SQLite DB file for mxisd internal storage
# /!\ THIS MUST **NOT** BE YOUR HOMESERVER DATABASE /!\
storage:
provider:
sqlite:
database: '/var/lib/mxisd/store.db'
###################
# Identity Stores #
###################
ldap:
enabled: true
connection:
host: '{{ ldap_master_ipv4 }}'
port: 389
bindDn: '{{ ldap_matrix_bind_dn }}'
bindPassword: '{{ ldap_matrix_password }}'
baseDNs:
- '{{ ldap_user_tree }}'
attribute:
uid:
type: 'uid'
value: 'uid'
name: 'uid'
#################################################
# Notifications for invites/addition to profile #
#################################################
# This is mandatory to deal with anything e-mail related.
#
# For an introduction to sessions, invites and 3PIDs in general,
# see https://github.com/kamax-matrix/mxisd/blob/master/docs/threepids/session/session.md#3pid-sessions
#
# If you would like to change the content of the notifications,
# see https://github.com/kamax-matrix/mxisd/blob/master/docs/threepids/notification/template-generator.md
#
#### E-mail connector
threepid:
medium:
email:
identity:
# The e-mail to send as.
from: "matrix@auro.re"
connectors:
smtp:
# SMTP host
host: "smtp.crans.org"
# SMTP port
port: 587
# STARTLS mode for the connection.
# SSL/TLS is currently not supported. See https://github.com/kamax-matrix/mxisd/issues/125
#
# Possible values:
# 0 Disable any kind of TLS entirely
# 1 Enable STARTLS if supported by server (default)
# 2 Force STARTLS and fail if not available
#
tls: 1
# Login for SMTP
login: "matrix@auro.re"
# Password for the account
password: ""

6
roles/matrix-riot/handlers/main.yml Normal file
View file

@ -0,0 +1,6 @@
---
# Reload the NGINX service
- name: Reload NGINX service
service:
name: nginx
state: reloaded

51
roles/matrix-riot/tasks/main.yml Normal file
View file

@ -0,0 +1,51 @@
---
# Install HTTPS support for APT
- name: Install apt-transport-https
apt:
name: apt-transport-https
update_cache: true
# Add the repository into source list
- name: Configure riot repository
apt_repository:
repo: "deb https://riot.im/packages/debian/ {{ ansible_distribution_release }} main"
# Add the key
- name: Configure the apt key
apt_key:
url: https://riot.im/packages/debian/repo-key.asc
id: E019645248E8F4A1
# Install riot
- name: Install riot-web
apt:
name: riot-web
update_cache: true
# Install nginx
- name: Install nginx
apt:
name: nginx
# Configure nginx
- name: Configure nginx
template:
src: nginx-riot.j2
dest: /etc/nginx/sites-available/riot
mode: 0644
notify: Reload NGINX service
# Desactive useless nginx sites
- name: Deactivate the default NGINX site
file:
path: /etc/nginx/sites-enabled/default
state: absent
notify: Reload NGINX service
# Activate sites
- name: Activate sites
file:
src: /etc/nginx/sites-available/riot
dest: /etc/nginx/sites-enabled/riot
state: link
notify: Reload NGINX service

20
roles/matrix-riot/templates/nginx-riot.j2 Normal file
View file

@ -0,0 +1,20 @@
# {{ ansible_managed }}
server {
listen 80;
listen [::]:80;
root /opt/Riot/resources/webapp/;
index index.html;
access_log /var/log/nginx/riot-access.log;
error_log /var/log/nginx/riot-errors.log;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "SAMEORIGIN" always;
location / {
try_files $uri $uri/ =404;
}
}

0
roles/matrix_synapse/handlers/main.yml → roles/matrix-synapse/handlers/main.yml
View file

15
roles/matrix_synapse/tasks/main.yml → roles/matrix-synapse/tasks/main.yml
View file

@ -1,15 +1,9 @@
--- ---
- name: Install matrix-synapse - name: Install matrix-synapse
apt: apt:
name: matrix-synapse
update_cache: true update_cache: true
name:
- matrix-synapse-py3
- matrix-synapse-ldap3
state: present
default_release: stretch-backports default_release: stretch-backports
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure matrix-synapse - name: Configure matrix-synapse
template: template:
@ -26,3 +20,10 @@
- server_name.yaml - server_name.yaml
- trusted_third_party_id_servers.yaml - trusted_third_party_id_servers.yaml
notify: Restart matrix-synapse service notify: Restart matrix-synapse service
- name: Install rest auth provider
get_url:
url: "{{ synapse_rest_auth_url }}"
dest: /usr/local/lib/python3.5/dist-packages/rest_auth_provider.py
mode: 0755
notify: Restart matrix-synapse service

Some files were not shown because too many files have changed in this diff Show more