Install curl and net-tools by default

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

.ansible-lint

@@ -0,0 +1,2 @@
+skip_list:
+  - '301'

.drone.yml

@@ -0,0 +1,19 @@
+---
+kind: pipeline
+type: docker
+name: check
+
+steps:
+  - name: yamllint
+    image: python:3.9-alpine
+    commands:
+      - pip install yamllint==1.25.0
+      - yamllint -c .yamllint.yml .
+
+  - name: ansible-lint
+    image: python:3.9-alpine
+    commands:
+      - apk add --no-cache gcc libc-dev libffi-dev openssl-dev
+      - pip install ansible-lint==4.3.7
+      - ansible-lint *.yml
+...

.gitignore

@@ -1 +1,3 @@
 *.retry
+tmp
+ldap-password.txt

.gitlab-ci.yml

@@ -1,6 +1,19 @@
 ---
-image: quay.io/ansible/molecule:2.19
+image: python:3.9-alpine
+
+stages:
+  - lint
 
 yamllint:
-  script: yamllint -c .yamllint.yml .
+  stage: lint
+  script:
+    - pip install yamllint==1.25.0
+    - yamllint -c .yamllint.yml .
+
+ansible-lint:
+  stage: lint
+  script:
+    - apk add gcc libc-dev libffi-dev openssl-dev
+    - pip install ansible-lint==4.3.7
+    - ansible-lint *.yml
 ...

.yamllint.yml

@@ -3,5 +3,6 @@ extends: default
 
 rules:
   line-length:
+    max: 120
     level: warning
 ...

README.md

@@ -1,49 +1,140 @@
-# Playbook et rôles Ansible d'Aurore
+# Recettes Ansible d'Aurore
 
-## Exécution d'un playbook
+Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore.
+Pour les utiliser, vérifiez que vous avez au moins Ansible 2.7.
 
-Pour appliquer le playbook `base.yml` :
+## Ansible 101
-```bash
+
-ansible-playbook --ask-vault-pass base.yml
+Si vous n'avez jamais touché à Ansible avant, voilà une rapide introduction.
+
+**Inventory** : c'est le fichier `hosts` d'inventaire.
+Il contient la définition de chaque machine et le regroupement.
+
+Quand on regroupe avec un `:children` en réalité on groupe des groupes.
+
+Chaque machine est annoncée avec son hostname. Il faut pouvoir SSH sur cette machine
+avec ce hostname, car c'est ce qu'Ansible fera.
+
+**Playbook** : c'est une politique de déploiement.
+Il contient les associations des rôles avec les machines.
+
+L'idée au Crans est de regrouper par thème. Exemple, le playbook `monitoring.yml`
+va contenir toutes les définitions machines-rôles qui touchent au monitoring.
+Cela permet de déployer manuellement tout le monitoring sans toucher au reste.
+
+**Rôle** : un playbook donne des rôles à des machines. Ces rôles sont tous dans
+le dossier `roles/`. Un rôle installe un service précis sur un serveur.
+
+Il est préférable d'être atomique sur les rôles plutôt d'en coder un énorme
+qui sera difficilement maintenable.
+
+*Exemples de rôle* : activer les backports pour ma version de Debian, installer NodeJS,
+déployer un serveur prometheus, déployer une node prometheus…
+
+**Tâche** : un rôle est composé de tâches. Une tâche effectue une et une seule
+action. Elle est associée à un module Ansible.
+
+*Exemples de tâche* : installer un paquet avec le module `apt`, ajouter une ligne dans
+un fichier avec le module `lineinfile`, copier une template avec le module `template`…
+
+Une tâche peut avoir des paramètres supplémentaires pour la réessayer quand elle plante,
+récupérer son résultat dans une varible, mettre une boucle dessus, mettre des conditions…
+
+N'oubliez pas d'aller lire l'excellent documentation de RedHat sur tous les modules
+d'Ansible !
+
+### Gestion des groupes de machines
+
+Pour la liste complète, je vous invite à lire le fichier `hosts`.
+
+  * pour tester les versions de Debian,
+
+    ```YAML
+    ansible_lsb.codename == 'stretch'
     ```
 
-Il est souhaitable de faire un test avant avec `--check` si on a des doutes !
+  * pour tester si c'est un CPU Intel x86_64,
 
-## FAQ
+    ```YAML
-
+    ansible_processor[0].find('Intel') != -1
-### Mettre sa clé SSH sur une machine
+    and ansible_architecture == 'x86_64'
-
-```
-ssh-copy-id -i ~/.ssh/id_rsa_aurore.pub virtu.fede-aurore.net
     ```
 
-### Automatiquement ajouter fingerprint ECDSA (dangereux !)
+Pour les fonctions (`proxy-server`, `dhcp-dynamique`…) il a été choisi
-
+de ne pas faire de groupe particulier mais plutôt de sélectionner/enlever
-Il faut changer la variable d'environnement suivante :
+les machines pertinentes directement dans les playbooks.
-`ANSIBLE_HOST_KEY_CHECKING=0`.
-
-### Configurer la connexion au bastion
-
-Envoyer son agent SSH peut être dangereux ([source](https://heipei.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)).
-
-On va utiliser plutôt ProxyJump.
-Dans la configuration SSH :
-
-```
-# Use a key to log on all Aurore servers
-# and use a bastion
-Host 10.128.0.* *.adm.auro.re
-    IdentityFile ~/.ssh/id_rsa_aurore
-    ProxyJump proxy.auro.re
-```
-
-Il faut savoir que depuis Ansible 2.5, des connexions persistantes sont créées
-vers les serveurs puis détruites à la fin de l'exécution.
-Il faut donc éviter de lancer une connexion SSH persistante pendant l'exécution
-d'Ansible.
 
 ### Lister tout ce que sait Ansible sur un hôte
 
+Lors du lancement d'Ansible, il collecte un ensemble de faits sur les serveurs
+qui peuvent ensuite être utilisés dans des variables.
+Pour lister tous les faits qu'Ansible collecte nativement d'un serveur
+on peut exécuter le module `setup` manuellement.
+
 ```
-ansible -i hosts ldap-replica-fleming1.adm.auro.re -m setup --ask-vault-pass
+ansible proxy.adm.auro.re -m setup --ask-vault-pass
 ```
+
+## Exécution d'Ansible
+
+### Configurer la connexion au vlan adm
+
+Envoyer son agent SSH peut être dangereux
+([source](https://heipei.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)).
+
+On va utiliser plutôt `ProxyJump`.
+Dans la configuration SSH :
+
+```
+# Use a proxy jump server to log on all Aurore inventory
+Host 10.128.0.* *.adm.auro.re
+    ProxyJump passerelle.auro.re
+```
+
+Il faut sa clé SSH configurée sur le serveur que l'on déploit.
+```bash
+ssh-copy-id proxy.adm.auro.re
+```
+
+### Lancer Ansible
+
+Il faut `python3-netaddr` sur sa machine.
+
+Pour tester le playbook `base.yml` :
+```bash
+ansible-playbook --ask-vault-pass base.yml --check
+```
+
+Vous pouvez ensuite enlever `--check` si vous voulez appliquer les changements !
+
+Si vous avez des soucis de fingerprint ECDSA, vous pouvez ignorer une
+première fois (dangereux !) : `ANSIBLE_HOST_KEY_CHECKING=0 ansible-playbook...`.
+
+### Ajouter tous les empruntes de serveur
+
+```bash
+#!/bin/bash
+for ip in `cat hosts|grep .adm.auro.re`; do
+    ssh-copy-id -i ~/.ssh/id_rsa.pub $ip
+done
+```
+
+
+### Passage à Ansible 2.10 (release: 30 juillet)
+
+Installez la version de développement d'ansible pour faire fonctionner les
+playbooks de ce repo, ainsi que les collections suivantes :
+
+```bash
+ansible-galaxy collection install community.general
+ansible-galaxy collection install ansible.posix
+```
+
+
+Si vous n'arrivez pas à entrer votre _become password_ (bug dans ansible?), un
+workaround est le suivant :
+
+`$  export ANSIBLE_BECOME_PASS='<votre mot de passe LDAP>'`
+
+Notez l'espace au début pour ne pas log la commande dans votre historique
+shell.

ansible.cfg

@@ -1,19 +1,25 @@
-# Aurore Ansible configuration
+# Ansible configuration
 
 [defaults]
 
-# Use Aurore inventory
+# Do not create .retry files
+retry_files_enabled = False
+
+# Use inventory
 inventory = ./hosts
 
 # Custom header in templates
-ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
+ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S by {uid}
-
-# Do not create retry files
-retry_files_enabled = False
 
 # Do not use cows (with cowsay)
 nocows = 1
 
+# Do more parallelism
+forks = 15
+
+# Some SSH connection will take time
+timeout = 60
+
 [privilege_escalation]
 
 # Use sudo to get priviledge access
@@ -27,3 +33,6 @@ become_ask_pass = True
 # TO know what changed
 always = yes
 
+
+[ssh_connection]
+pipelining = True

base.yml

@@ -1,5 +1,12 @@
+#!/usr/bin/env ansible-playbook
 ---
 # Put a common configuration on all servers
-- hosts: all
+- hosts: all,!unifi
   roles:
     - baseconfig
+    - basesecurity
+
+# Plug LDAP on all servers
+- hosts: all,!unifi
+  roles:
+    - ldap_client

codimd.yml

@@ -1,6 +0,0 @@
----
-# Install CodiMD on CodiMD containers
-- hosts: codimd.adm.auro.re
-  roles:
-    - debian-backports
-    - codimd

copy-keys.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+
+# Grab valid unique hostnames from the Ansible inventory.
+HOSTS=$(grep -ve '^[#\[]' hosts \
+| grep -F adm.auro.re \
+| sort -u)
+
+# Ask password
+read -s -p "Hello adventurer, what is your LDAP password? " passwd
+echo
+
+for host in $HOSTS; do
+  echo "[+] Handling host $host"
+
+  # sshpass can be used for non-interactive password authentication.
+  # place your password in ldap-password.txt.
+  SSHPASS=${passwd} sshpass -v -e ssh-copy-id -i ~/.ssh/id_rsa "$host"
+done
+

dokuwiki.yml

@@ -1,6 +0,0 @@
----
-# Install DokuWiki on the wiki TEST container
-# When it will be operational, horus-wikitest will replace horus-wiki
-- hosts: horus-wikitest
-  roles:
-   - dokuwiki

etherpad.yml

@@ -1,6 +0,0 @@
----
-# Install EtherPad on EtherPad containers
-- hosts: pad.adm.auro.re
-  roles:
-   - debian-backports
-   - etherpad

group_vars/all/vars.yml

@@ -1,17 +1,19 @@
 ---
+# Use Python 3
+ansible_python_interpreter: /usr/bin/python3
+
 # LDAP binding
 # You can hash LDAP passwords with `slappasswd` tool
 ldap_base: 'dc=auro,dc=re'
-ldap_master_ipv4: '10.128.0.11'
+ldap_master_ipv4: '10.128.0.21'
-ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
+ldap_master_uri: "ldap://re2o-ldap.adm.auro.re"
 ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
 ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
 ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
-ldap_codimd_bind_dn: "cn=codimd,ou=service-users,{{ ldap_base }}"
-ldap_codimd_password: "{{ vault_ldap_codimd_password }}"
 ldap_matrix_bind_dn: "cn=matrix,ou=service-users,{{ ldap_base }}"
 ldap_matrix_password: "{{ vault_ldap_matrix_password }}"
 ldap_replica_password: "{{ vault_ldap_replica_password }}"
+ldap_admin_password: "{{ vault_ldap_admin_password }}"
 ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}"
 
 # Databases
@@ -30,3 +32,60 @@ ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
 
 # Monitoring
 monitoring_mail: 'monitoring.aurore@lists.crans.org'
+
+# Matrix
+matrix_webhooks_secret: "{{ vault_matrix_webhooks_secret }}"
+matrix_discord_client_id: "559305991494303747"
+matrix_discord_bot_token: "{{ vault_matrix_discord_bot_token }}"
+
+###
+# DNS
+###
+
+# Dernier octet (en décimal) de l'addresse des serveurs DNS récursifs de chaque
+# résidence.
+dns_host_suffix_main: 253
+dns_host_suffix_backup: 153
+
+backup_dns_servers:
+  - "80.67.169.12"  # French Data Network (FDN) (ns0.fdn.fr)
+
+# Finally raised!
+mtu: 1500
+
+subnet_ids:
+  ap: "14{{ apartment_block_id }}"
+  users_wired: "{{ apartment_block_id }}0"
+  users_wifi: "{{ apartment_block_id }}1"
+  users_banni: "{{ apartment_block_id }}2"
+  users_accueil: "{{ apartment_block_id }}3"
+
+# Keepalived
+keepalived_password: "{{ vault_keepalived_password[apartment_block] }}"
+
+
+# Re2o config
+re2o_secret_key: "{{ vault_re2o_secret_key }}"
+re2o_db_password: "{{ vault_re2o_db_password }}"
+re2o_aes_key: "{{ vault_re2o_aes_key }}"
+
+# Radius
+radius_secret_aurore: "{{ vault_radius_secrets.aurore }}"
+radius_secret_wifi: "{{ vault_radius_secrets.wifi }}"
+radius_secret_wired: "{{ vault_radius_secrets.wired[apartment_block] }}"
+radius_secret_federez: "{{ vault_radius_secrets.federez }}"
+
+radius_pg_replication_password: "{{ vault_re2o_db_user_passwords.replication }}"
+radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}"
+
+
+# DHCP
+dhcp_failover_enabled: true
+apartment_block_dhcp: "{{ apartment_block }}"
+
+
+# Careful, this is not byte-aligned, just nibble-aligned (RIPE gave us a /28).
+# However, we ALWAYS keep the trailing 0 to have byte alignment.
+ipv6_base_prefix: "2a09:6840"
+
+is_aurore_host: "{{ 'aurore_vm' in group_names }}"

group_vars/all/vault.yml

@@ -1,106 +1,174 @@
 $ANSIBLE_VAULT;1.1;AES256
-38616339383037366465353638383665643938633061323863386539323861633135363964303364
+34336231623938346631313932323131336439623837626366646338396137633436646365386639
-6335326537383039316566623031306136633364336337320a343434623066313535363430303866
+6332383765386235396331373836366230663563376665380a616436373136633933376435653230
-61613635663336376530333463363037316230323339393463393465313366643438316565306564
+64333963663436393265666434653164643164616134353665306462326666623530383838343135
-3263613463653764330a363330623331323762306330336465633538353637373838396231643762
+3531343533656332350a343432336636316131386132306238653736633966363235623833343638
-35353137306132653861343736323934326161663436653737333462333938393330393861363764
+38643061383963396466346536343061653034333037393664356661376565643765306462626231
-38333837353564396563623039636438663662626330323632383234333662613835633138326161
+39326233363962373839303464333833306532343834306232653731326135653934643836323639
-33626537633863393864373937306332386131626562323762616439643830626339633833313638
+36343937626536346331613263663865346634666534646266623061303639626636393230616261
-65363930353162323635356430313030303734386339393730383135323937623939393233663335
+32336366356439353738633234326138656464656630303362623664616634306230623538373965
-39316564396463643134636363326262343538666234333837373164646434643232623666636162
+32346439306337623737616666353830626630373562366436653131393532313035303836326430
-61616637396561323166313131393163353166353764396564373330326262346666373034663465
+64613235646366616533313065396663366434363832333535336631323366336437396664303834
-35326563306538653562333864383662336338656566313432633831313363663131393930336234
+30336466313064636565326564356435306136396363373464326534303366323262303732626661
-61336230643539303532656437616638323266623434393863623661366237386537386232383332
+38326663313332633530353739346538343434316133343066313530366637376135323564306537
-38643433626466343633626665386633663964306566643436363839363462326632393863616230
+65626261303231656432333364333965663065346436626631666466643934623064333163626339
-62386662386363613737613839386436383734623461386363313832636661636334633132363433
+32633565303734303862326365336339346133393431636266303530626564326361653230626536
-30383135646465353232623936366337663130376232343231376565313563303534313462336462
+32313231373037633134623761663832393666353732613965613436323939343233613433343538
-39353861663230623536613735663865373238303832306636323532393734303538383837336237
+37326438383130303861316663396333376662386337353964633930353536653437653061356635
-36613732623539616237663962666263393138303064646335623336343432323266663335363061
+35646232343535313130646237643835376162623639333961323964353830653366626438346237
-36306361653035653334343031303663373334613365393635616362343461616535343964306666
+36343663346332656537363434396633336161373730663364306239306432343930643230656465
-36663030373133346663663839373363663163653961323533356361373533643636626339356332
+37633537616232656661313764626232303535383563353861396431643735326162383866626231
-34663063326363646638646330626666633564373763326636363764653831336134393131653864
+61383165613332666537656137636430323332326335323763303537386662646263353539613964
-62353163613534386364323430346435316339363338666563366262336536373162346265353165
+37323966306364306436653033393931663239383435613836356164633135306233356364313036
-66363834306536383465376339323462303265373263333065623837656133623035366366396335
+39356661613434633930633066646437636535313565356366303732613731333062643231313035
-34313566326565333930386336353333396237633333613336666566393465616563393563633335
+65333461396131663764626665393562623030343561313136363964393664376136303839333664
-33313232646466313333633564653535343564626566353863613964303732616436626535656135
+65313465623331333538393734373264313562643232666130303930333662616465656432363039
-39313632346530636639333435643034666138633831313864316266376330336334333263356132
+66616530336666343861336434633063343561323931323931346132376263376565313366306639
-30613865336164353433383232316637663131653231393235343262666636623461653332323664
+64646465303432333136353661323936633965666364356633653861363139616562653834313861
-63323637396132666333633863393131363935626435313366646563366366356265346130373162
+63306133613066373462383236613939316130623937643939323134343936356638376335323836
-66306261303539323763336130616165323863646466643336316437663266303730313433343932
+39383334656236633037633230313138326238303863623231353465346661663162623138353461
-39643639376531303839636632333063323837306638373863663132386533353735343234666139
+33343738613137366364633730346261366564646161373837613865393233663431636361663962
-33633462346438356338613830313533306263383263383036363566323437356235386636333432
+38313230363737306265636435353533666262333666383639343364633464396566333433333538
-31383462626338346339353536653437623731643036363366666437316362356266396634383865
+39643934646537653234336361613664333434623739353831316531313666396638333136343638
-65663332383837373334393863386531663831643366613131663666303436306336313935643065
+33653034366362363562633462303165626333306664326366353334363964663936616430643662
-61336661313562326465393936643130393465346636363234386436616165613436393436623664
+30616334326638323133366632663237356238353934323361376237613632396134663536336364
-33396165376363316334613737613261396633306233643337393936393465313763343439646136
+39363439326335363437373939353564646663616464663763353931323233316135656634343137
-38643135346234653234316536363964303331303932656134323165333239623362333931323334
+34396130386134386331643534353461663963323435656337653032376565313635623231343135
-62323634373764663464343031626432653131306664336130396265363964663866663538376239
+34303130316239303065386134663332393938636332363665643832326439653733633231346537
-33653430366265623733376536613632646662646632653132336537383336303335623966396131
+63383634333034323434376237663932613638363835393837613632663265616363303233653539
-62303136613934656664386162373433323962336134663435373730366632666135663030653133
+61333765313463616665613136303533343230303735626437343635303934613365326166333966
-38613632623765616465383266356238313333336434376238396339343031323465343833323665
+66613538393466666630363333643730653239393435616634303430396635383631613439623433
-61666366326363303832663164363838353739653534313235336530396330346466656432386636
+36646431393865666162373232343335356366366633633264326639643434396234313863333163
-36613239613239613835633265363064316134346464616338333532376132373637356665346230
+63396534623931633833656565396635333133376165613031663831633564663061656131303564
-38343461613335663061393037643466383664323263336364356364363262346236326161653362
+61303132666264636139313738643161313134643733633366376538366135663135333333333564
-63653963303139616430333738373038333661333562376130363061366338346430303231363138
+64366262353837363061653663616265393264373230346330636465336439623063636639356136
-66373866303331333035316533373336376466346630326166373734353834306237383462356430
+65383638643961326661396336373163643832366561363764626461623662333436373136616437
-33633332366636613534313933323065633736656432656236653930623663616133336435313337
+30316537653432356133616338353165633462643634323563306366343965326635363863316232
-36623031663333386362306138343231363130626131323735316562363730656230376132303439
+61633135643861333635383464383937306236626632366235363433313335663431366531356337
-36323932666362613237666164653037353631353730346466303764326162366266376130316166
+37303465323638383930336138356665343966336137356137656564303733373565366162343330
-32363739373437333731643936366334376463383664373139363465666538666331636535626462
+38326366653733376138356339313564616165626235356363343430353239616339656239323964
-32323834616338376264393461626665393635336638383333653466336332316364363330333738
+31643734653263653461333135386261646265323134633334376262323330396634643764323635
-61303161303564383563653039653263343161336362373563616237373865653965343639343465
+30336262323035613338333166353364333836623865393132613338393237363734616330366463
-35363536613233313534633665373264303139393731626339646466663431363361373938623334
+64646163303337323531636532383438356237306337656439663565643032633462316366663164
-38613766643861326538663563656662383665376137393333616566646136336339306333653066
+33613039326337353531303831313136653539353261373930613030383134653261363833653439
-34373864353230343032386236386165616462316562363062613330636264303632396339646632
+31343662623035393238646263633066653362323434306137633339393330376462356139333362
-37316630303536316436356138626533653865366137666131363064643964333838633266366365
+35363436356530363134663064653031376561343732346262383333353733363136396262643135
-64663661333764616635383263376662616239323930643261613161313265633236623834376263
+31326566303535343833326562376464643632363434323839366366626134303830323563633237
-31623565633964376632346533373037333166346332313266316138613665353530336562643739
+37313964353033316163303738636632346137353437333463303135323631383132623133663130
-32393161396338353630363838643130323431343339376431373165313238383064616335323064
+32373163393861366137303138363134653534613236636439623731393837306130626638343134
-36313366633161303635383062656538343538363039343931623736623766343762343563646134
+39313532386338343662333134353761653162663665396664366239633536613132313735373334
-33626264643639333364343131636163646361626130646237326435373731613237663736393439
+37613161383633653861376433633632333163653439633938386137313632396137616337373465
-37376639333930396337333938373866383133613730613162356364323265373431633836653838
+65383238396439666537313833663364333731613434333739393161363437306665363834653761
-34323532613437313064383035313030306636346435396666653933626232313638656531366234
+34303464386633633163353636643964393233383232623765373239376633393139326630653765
-34313837623136656361393230653637633535333063333662363137323962353232386366656264
+62646439646534376234323661383063656463313437323231333165626163626262626562376338
-30303164363531343261626262653962383664313131333535313038343461303464326464373337
+62646362346261313738323830613037663035666361386139666432613230346334323063326239
-34646537353031386265313066313136613533663335306636346237613264313061666233376131
+65303065343061613736343663363630336333623439383032313137616131623933323636306331
-62346537666362373539626334376630633539343932623133653431393731356266623730353036
+34636130626338303039356137353532346562363531623936316162336663306437386532363236
-64626133623638303132356639663538363537623739386166333337333431363939666362663137
+36333661316161613237343032623764396435346632363963643438316430666539393566353939
-62303664306663376136353235613031623435393065376635353032666136396332613861376630
+33333234313839636537366465356364303438313830663261373563346538626432313139303030
-65633061623466313838383664613839663033333736396536333863636435306263666466313265
+33333066626463663663643833323764643737386162663766356665643064313263376434353038
-62633539623037616535333164316538616439333838633730313066366232616566646435376530
+37643630643737663566653562353261333734636262626437393239383063613661643166626630
-66316164323737396230373339333936313532343266303765356530633534643439626236313136
+31313564346239396561326162333534376264616435313762623032636432363832383630343964
-65373833633461393734353737363566353634353764333961643033393932353236633336393436
+30343663643935633465393465626131633931623930653962303830333065363435383237653566
-61333537666263666238303736316462356138396232373839343434643730643766333535643565
+65646632376330306437663334313932653230653562356338663366616463303466366263366137
-38333163353634633637393766346261613931663134363230353633336533643339353832653632
+64633934626339633235386630396561376130373763313137386531356637633863393035306634
-64343438353266343937373138643635616331336164316166343536643434616665326331353161
+65353432323235363135633832373032623837376333346131303162303464616234313062316563
-39303732663037653634303263386134366536333830363366663639383033323832653364393766
+64646634633963663032613533636665333335656539323238623362306363313835626632306236
-30333438313361613764633239373036336230353333343262613761323930656265313031323065
+30663637356463363530316434316639326639633539333335633330333834643035353932313638
-39666562393565326139373061313061396265386239343462346535623766313364343136343038
+64356565653065666131373538356462306633343161376537323762313666373235353236313963
-39373462663434633731636662653966383233396163643137373530303134633465643130383265
+65613561633266306632616538616461626532666435663038646138386430376164663766363138
-61376538626365396236643139336366643966306131393635623438393932313164623766353233
+35316262393065653739323035666531333330326235386133383834383865356635666537333533
-61643732303837366139356236353937303036343232363537623231303661653035383831343830
+31376138353231313262646334386566376264323066373934666363313431643738383064666437
-64663763383563303461633335313663643161336435343735333536393661663235636665383662
+36656437313039656666373530346534393735353163646635663839326366643333393665626464
-37393139333361323136366564383132633830386335376137396563343937306431653665316161
+36616637303631653661373433653865323634363065303433386534363064356564636465366265
-38323137643437383636373033326236613936396564626466386432393733633361623032326135
+31333064383233636538393032376234663663353162343530376631356533653231303730396465
-61346166393964313637356330653339646365326365326130386537343535353038643538393336
+33366162376464633633313664303939306330613865663431653037303061633130626635653638
-66366335316538393333613631346365393038623261303536363732383637643430346632343139
+66626264363333376463386666313663333964333137333231303361616533393236373861656534
-61643265333466323666633834333462613161653165663432613934353036343937343939303033
+32326335306566623332396638383133353434363565316432353963353062313662326361336537
-35636134343761666534656636383632363562633634383364323039613431666239346136616231
+34396632656234333263663831326566353434316234613365316132363730643665373761666562
-37383838316338666462376133613632663633663935643563346333356464663434393734366433
+31393565653663653731633333633730326265376135666162656132623238333765333363653130
-37376539366139396536323535316539643261636533303065326164643132313439313632306664
+61353632313532616266363139336162336565356365316531336364623930636430353831623233
-33386136393734613739396336396635353439393531393363326137363562646363333762386135
+61616131313438306633333066613764313161333934316139633738623164623564646365663566
-32376162373766393763343634326434323034336533336166666635636135393066353238626161
+66356464376133363137313036623930373362306166623838373131313330393837396261656561
-37376132306339626263313663376638633337656162333431313439643930303332666138643962
+66396233313530643164353264656563383632363139333262626532376562613630643437666266
-37313331616563643638343464653535653038613136313637336534636537343763376634626538
+66656335656634613138316138643666623430363833663035616138336461303035633731636262
-64633133656237346461346330333061636663336262646264326237373736366337663331323764
+36393939333765346239666433323032323361343934656463396365333366623337316663396263
-65353931373266336232366434356631383338386537616535656664323334363963666631363331
+36616431626633663963636135643833666234613830366434636532373031343263316436306162
-37653666316236613931386161346439663935656466396137643765626632643263323163623138
+39356365376561643665323866656465313434623138326238353662653735613565623264333336
-34326363373633303365353530383633623936313436616635353733643837656233613635383966
+61393763363862613766653064636130323732663466366133666361636339356464313037353462
-37356665626530626532356632323338623062386332616332643061623031366366613433383734
+63633936653235656538383433393065393162643034393538666433616131343462346235393164
-33623732636637363237336439373432616332643638303131363332393230663565323139303163
+39353663373338626665663563663162633430343330373430376336326432346233663365376533
-36643134363861383834656539626166386164326236336266633435626163383437366338353930
+32656465343538643137326366653232343530363834383831386634366262303333636261353863
-33373932333832373237343532623537363931366636346132616162343839303965386337316164
+32633437343432653936643766363338636535613532323362656435613363393238626466303861
-61656233616633323933306165643666306661366632613933383932616664613663663234653431
+38633861333638613466306338613932353964393365356637306261626535323732316362623731
-30306163346630653239323966396638643162303766363131646430303366303435343866353639
+33313963623439613939333639346461663338373334396165636231666266613065323731373964
-66373465393764396335346131346331353561643434633364656530626238326333333731383361
+64313133383435333935376531313432663766633133633863356563663535333263636237386136
-35653232373235383633616634643966636336333461663237653764626534346336
+61653963633166383135333436646465383536373039383538326366636634313061613730653962
+37623962643866396637336231363038373465393637356463656566666661313130313863383233
+37343636346535363832626365396262303862393535336565393635663637323730373564336634
+37363036323733306535336366373630356531353737303165376530656433626634343365626239
+64346136363030663862313431653761666432393933366665346361626361623039326434633835
+32666538653037613361343536383634643762356234366433663639653461303933306434333864
+37386436393465323139306161333738383265323436376536656264356230303163326134323864
+63396331666431666464656161633466333764653631623131646566303366333030653834333335
+31323365353239366232643863386365633861376235643034303563613363663661616564363663
+63326562613365653539383336383339646164623864323830653434623365393432666466323134
+33626330373361393734656632393232363866613863373135636537613934343065306265623964
+34643765636165393336356630353663343065333431656164363638646233663762346536343362
+65653364343537383336373933313464663464653465383830363631316336303464313731356230
+34336130323766386465373162346535396565346630353734303937396130656132376331326563
+36386339383338346533646331666262396432336434646333653664326635386238333763626637
+31363464306465666339316436323265623437636533643431363161323139653065323534636533
+64386334353439373133313937343234373963353331646233346432646430636530663336316134
+66303337313034396232643531643262343036313762633165353665653938313665386363353865
+66333166303636626565613136653365313763303263313239333033353638616566656134396131
+38356434343931303134303362313363343634613361353538636634336332373132356165326163
+30386130326239366532363962316435663862393836326439623862366166376234343439306465
+36346639623939353232366333643963646336383833386565643435393734653936313638663930
+32323065343737663564333961373034393261613862333431663562353964666561643831316432
+35313832356639333937333266306166656538643065386639346337306134613536356137316331
+38376434666332366531393639303561663934353130333161636530383932653236313530616531
+61656664626663373164343863333039356362343034326131376666623264663732303734366363
+30306430353732616131346637626332656434393163313661356465393263393235396662623962
+62643538623331646265643561623366383937313136383939366164613235666234663137653432
+34316138643139336331356663333632656539653632626136613431393736613630353237356164
+33623632643335663163656236633134343464353837346237316162346634633336663564656531
+39373730346130363963376463326238366235613539613466653139306237343164336462353236
+39323361636333353661633863663162633563343937366461346338363061623730633537626562
+30353938383664333861366431343033313961376436363065373430353736343563313531386663
+37313534303564333237616331396437376436383833373936376664666366373235613533663239
+64653863613531356666646233393533646131333961343730663461346235633961306263343831
+64386332653330323937643266373437633465363933653833343930616134626566363339366362
+36356163333730656233653431326430326566386264343330666131393166323537623137396237
+65386234653231666631366533383762643830333261363532666138386263643662633932626335
+66303363613035643931393933303035323566373634663037313338616132373162366334373962
+33666463613435396331326565353433336361303562326562663035313639333232333430373266
+65383235356132353838636565636436356361653831356430663935613766613237366564316566
+37396130393363386566306162346466326165353863636633306335383265306139396339383866
+34326335323962633032386162623033353036643437313832323166363764653339343638343964
+66626662326234306362656162336538353131366337643761643930306163333661653062663832
+61303963623433313565633235306132366663336662616232613339366363373934613631623431
+34323736383366333032343364373533363761323338346163323836653235653136646162306166
+65333734623663346233343961396566313838653036396430396134393839326535363237363638
+38333232333863396334366561303136333863356666656335633630616531363766343535616533
+35656166303837653365303436623431613931336331356531666665346562613263363666626238
+62626236323863383366643162356462306163653032626130333863656337623136646439316337
+33306432663134383038646133346131333732633932383239643733643138303434646565663266
+34616265383733343963323538656138656331396438616133393063356638633965323363653066
+65353837333363613762333839313631373137363064383830353565333832356162323862393030
+35373038613133643466636537626437393837633865363566343565626633376262373766613738
+39343334336238363131373762646564653839623531323066356430326263376534373664363331
+64373735383933303638303661333964333464306338613363326261623438336530636262373766
+35346339643939666162386232666236326131366366303432393838326239313730323431376231
+39363032616666393431326533643865643937363937356431623763363037373333653266376561
+63323462363063343234373534663063353865363037383932386231313338343239653131633561
+34623439396232633265616438623562666333303932396366663330326565363736633461333463
+66346537323061306662323062393061353565393165363532306439343262343632616465363364
+30376331346430313536313963333136663833323064633631653935326366633862336163316538
+33383434336666303434363236396662366664393637656462363331356631613332353766636663
+62323264336235306532343065323834313730353237616463373766303439663533336366363565
+35646461636263646633343634323735383235376330616334373937646165623639363663353361
+65613034353736633332663333616564356265323731613537393430633137333337643663323137
+31623732663331653935316337306433333633353565343265666333363864346562363961333439
+30656136636661396335623566386362333861616663393738626632633537613564636261383138
+3233

group_vars/aurore/main.yml

@@ -0,0 +1,8 @@
+---
+apartment_block: aurore
+apartment_block_id: 0
+router_ip_suffix: 254
+
+# We have two -aurore DHCP servers, but no failover peer functionality is needed
+# because they only give out IPs assigned by re2o.
+dhcp_failover_enabled: false

group_vars/edc/ldap_local_replica.yml

@@ -0,0 +1,3 @@
+---
+ldap_local_replica_uri:
+  - 'ldap://ldap-replica-edc.adm.auro.re'

group_vars/edc/main.yml

@@ -0,0 +1,7 @@
+---
+apartment_block: edc
+apartment_block_id: 4
+
+router_ip_suffix: 254
+
+mtu: 1500

group_vars/edc/sudo_location_group.yml

@@ -0,0 +1,3 @@
+---
+# Users in that group will be able to `sudo`
+sudo_group_location: 'sudoedc'

group_vars/fleming/main.yml

@@ -0,0 +1,7 @@
+---
+apartment_block: fleming
+apartment_block_id: 1
+
+router_ip_suffix: 254
+
+mtu: 1500

group_vars/fleming/sudo_location_group.yml

@@ -0,0 +1,3 @@
+---
+# Users in that group will be able to `sudo`
+sudo_group_location: 'sudofleming'

group_vars/gs/main.yml

@@ -0,0 +1,7 @@
+---
+apartment_block: gs
+apartment_block_dhcp: sand
+
+apartment_block_id: 5
+
+router_ip_suffix: 254

group_vars/gs/sudo_location_group.yml

@@ -0,0 +1,3 @@
+---
+# Users in that group will be able to `sudo`
+sudo_group_location: 'sudogeorgesand'

group_vars/pacaterie/main.yml

@@ -0,0 +1,7 @@
+---
+apartment_block: pacaterie
+apartment_block_id: 2
+
+router_ip_suffix: 254
+
+mtu: 1500

group_vars/pacaterie/sudo_location_group.yml

@@ -0,0 +1,3 @@
+---
+# Users in that group will be able to `sudo`
+sudo_group_location: 'sudopacaterie'

group_vars/rives/main.yml

@@ -0,0 +1,7 @@
+---
+apartment_block: rives
+apartment_block_id: 3 
+
+router_ip_suffix: 254
+
+mtu: 1500

group_vars/rives/sudo_location_group.yml

@@ -0,0 +1,3 @@
+---
+# Users in that group will be able to `sudo`
+sudo_group_location: 'sudorives'

host_vars/proxy-ovh.adm.auro.re.yml

@@ -0,0 +1,64 @@
+---
+certbot:
+  domains:
+    - auro.re
+    - cas.auro.re
+    - codimd.auro.re
+    - grafana.auro.re
+    - pad.auro.re
+    - passbolt.auro.re
+    - phabricator.auro.re
+    - privatebin.auro.re
+    - riot.auro.re
+    - sharelatex.auro.re
+    - status.auro.re
+    - wiki.auro.re
+    - www.auro.re
+  mail: tech.aurore@lists.crans.org
+  certname: auro.re
+
+nginx:
+  ssl:
+    cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+    cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+    trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+
+  redirect_dnames:
+    - aurores.net
+    - fede-aurore.net
+
+  redirect_tcp: {}
+
+  redirect_sites:
+    - from: www.auro.re
+      to: auro.re
+    - from: 92.222.211.195
+      to: auro.re
+
+  reverseproxy_sites:
+    - from: phabricator.auro.re
+      to: 10.128.0.50
+
+    - from: wiki.auro.re
+      to: 10.128.0.51
+
+    - from: www.auro.re
+      to: 10.128.0.52
+
+    - from: passbolt.auro.re
+      to: 10.128.0.53
+
+    - from: riot.auro.re
+      to: "10.128.0.150:8080"
+    - from: codimd.auro.re
+      to: "10.128.0.150:8081"
+    - from: grafana.auro.re
+      to: "10.128.0.150:8082"
+    - from: privatebin.auro.re
+      to: "10.128.0.150:8083"
+    - from: pad.auro.re
+      to: "10.128.0.150:8084"
+    - from: cas.auro.re
+      to: "10.128.0.150:8085"
+    - from: status.auro.re
+      to: "10.128.0.150:8086"

host_vars/proxy.adm.auro.re.yml

@@ -0,0 +1,63 @@
+---
+certbot:
+  domains:
+    - bbb.auro.re
+    - drone.auro.re
+    - gitea.auro.re
+    - intranet.auro.re
+    - litl.auro.re
+    - nextcloud.auro.re
+    - re2o.auro.re
+    - vote.auro.re
+    - re2o-server.auro.re
+    - re2o-test.auro.re
+    - wikijs.auro.re
+
+  mail: tech.aurore@lists.crans.org
+  certname: auro.re
+
+nginx:
+  ssl:
+    cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+    cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+    trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+
+  redirect_dnames:
+    - aurores.net
+    - fede-aurore.net
+
+  redirect_tcp:
+    - name: Gitea
+      port: 2222
+      destination: "10.128.0.60:2222"
+
+  redirect_sites:
+    - from: 45.66.111.61
+      to: auro.re
+
+  reverseproxy_sites:
+    - from: re2o.auro.re
+      to: 10.128.0.20
+    - from: intranet.auro.re
+      to: 10.128.0.20
+
+    - from: bbb.auro.re
+      to: 10.128.0.54
+
+    - from: nextcloud.auro.re
+      to: "10.128.0.58:8080"
+
+    - from: gitea.auro.re
+      to: "10.128.0.60:3000"
+
+    - from: drone.auro.re
+      to: "10.128.0.64:8000"
+
+    - from: litl.auro.re
+      to: 10.128.0.35
+
+    - from: re2o-test.auro.re
+      to: 10.128.0.80
+
+    - from: wikijs.auro.re
+      to: "10.128.0.66:3000"

hosts

@@ -1,70 +1,260 @@
 # Aurore servers inventory
 
 # How to name your server ?
-# > We name servers according to location, then type.
+# > We name servers according to location, then type, then function.
-# > So all containers at OVH are in ovh-container.
+# > Then we regroup everything in global geographic, type and function groups.
-# > Then we regroup everything in global geographic and type groups.
 
-[ovh-pve]
-horus               ansible_host=10.128.0.1
 
-[ovh-container]
+###############################################################################
-riot.adm.auro.re
+# Aurore : main services
+
+viviane.adm.auro.re
+
+[aurore_pve]
+merlin.adm.auro.re
+
+[aurore_vm]
+routeur-aurore.adm.auro.re
+routeur-aurore-backup.adm.auro.re
+radius-aurore.adm.auro.re
+dhcp-aurore.adm.auro.re
+dhcp-aurore-backup.adm.auro.re
+dns-aurore.adm.auro.re
+proxy.adm.auro.re
+camelot.adm.auro.re
+gitea.adm.auro.re
+drone.adm.auro.re
+nextcloud.adm.auro.re
+stream.adm.auro.re
+re2o-server.adm.auro.re
+re2o-ldap.adm.auro.re
+re2o-db.adm.auro.re
+pendragon.adm.auro.re
+services-bdd-local.adm.auro.re
+backup.adm.auro.re
+services-web.adm.auro.re
+mail.adm.auro.re
+wikijs.adm.auro.re
+
+
+###############################################################################
+# OVH
+
+[ovh_pve]
+horus.adm.auro.re
+
+[ovh_container]
 synapse.adm.auro.re
-codimd.adm.auro.re
 services-bdd.adm.auro.re
 phabricator.adm.auro.re
 wiki.adm.auro.re
 www.adm.auro.re
-pad.adm.auro.re
+proxy-ovh.adm.auro.re
-proxy.adm.auro.re
+matrix-services.adm.auro.re
 
-[ovh-vm]
+[ovh_vm]
-re2o-server.adm.auro.re
-re2o-ldap.adm.auro.re
-re2o-db.adm.auro.re
 serge.adm.auro.re
+passbolt.adm.auro.re
+vpn-ovh.adm.auro.re
+docker-ovh.adm.auro.re
+switchs-manager.adm.auro.re
+ldap-replica-ovh.adm.auro.re
 
-[ovh-testing-vm]
+[ovh_testing_vm]
-re2o-test.adm.auro.re
+#re2o-test.adm.auro.re
 
-[fleming-pve]
-#freya.adm.auro.re
-#odin.adm.auro.re
 
-[fleming-vm-ldap-replica]
+###############################################################################
-#ldap-replica-fleming1.adm.auro.re
+# Les Jardins de Fleming
-#ldap-replica-fleming2.adm.auro.re
+
+[fleming_pve]
+freya.adm.auro.re
+marki.adm.auro.re
+
+[fleming_vm]
+ldap-replica-fleming.adm.auro.re
+dhcp-fleming.adm.auro.re
+dhcp-fleming-backup.adm.auro.re
+dns-fleming.adm.auro.re
+dns-fleming-backup.adm.auro.re
+prometheus-fleming.adm.auro.re
+#prometheus-fleming-fo.adm.auro.re
+radius-fleming.adm.auro.re
+radius-fleming-backup.adm.auro.re
+unifi-fleming.adm.auro.re
+routeur-fleming.adm.auro.re
+routeur-fleming-backup.adm.auro.re
+
+
+###############################################################################
+# Pacaterie
+
+[pacaterie_pve]
+mordred.adm.auro.re
+titan.adm.auro.re
+
+[pacaterie_vm]
+ldap-replica-pacaterie.adm.auro.re
+dhcp-pacaterie.adm.auro.re
+dhcp-pacaterie-backup.adm.auro.re
+dns-pacaterie.adm.auro.re
+dns-pacaterie-backup.adm.auro.re
+prometheus-pacaterie.adm.auro.re
+#prometheus-pacaterie-fo.adm.auro.re
+radius-pacaterie.adm.auro.re
+radius-pacaterie-backup.adm.auro.re
+unifi-pacaterie.adm.auro.re
+routeur-pacaterie.adm.auro.re
+routeur-pacaterie-backup.adm.auro.re
+
+
+###############################################################################
+# Emilie du Chatelet
+
+[edc_server]
+perceval.adm.auro.re
+
+[edc_pve]
+chapalux.adm.auro.re
+escalope.adm.auro.re
+
+[edc_vm]
+routeur-edc.adm.auro.re
+routeur-edc-backup.adm.auro.re
+dns-edc.adm.auro.re
+dns-edc-backup.adm.auro.re
+dhcp-edc.adm.auro.re
+dhcp-edc-backup.adm.auro.re
+unifi-edc.adm.auro.re
+radius-edc.adm.auro.re
+radius-edc-backup.adm.auro.re
+ldap-replica-edc.adm.auro.re
+
+
+###############################################################################
+# George Sand
+
+[gs_pve]
+lancelot.adm.auro.re
+odin.adm.auro.re
+
+[gs_vm]
+dhcp-gs.adm.auro.re
+dhcp-gs-backup.adm.auro.re
+dns-gs.adm.auro.re
+dns-gs-backup.adm.auro.re
+routeur-gs.adm.auro.re
+routeur-gs-backup.adm.auro.re
+unifi-gs.adm.auro.re
+radius-gs.adm.auro.re
+radius-gs-backup.adm.auro.re
+prometheus-gs.adm.auro.re
+ldap-replica-gs.adm.auro.re
+
+###############################################################################
+# Les Rives
+[rives_pve]
+thor.adm.auro.re
+
+[rives_vm]
+dhcp-rives-backup.adm.auro.re
+unifi-rives.adm.auro.re
+dns-rives-backup.adm.auro.re
+radius-rives-backup.adm.auro.re
+routeur-rives-backup.adm.auro.re
+ldap-replica-rives.adm.auro.re
+
+# -aurore services
+[aurore:children]
+aurore_vm
+
 
 # everything at ovh
 [ovh:children]
-ovh-pve
+ovh_pve
-ovh-container
+ovh_container
-ovh-vm
+ovh_vm
-
-# everything at ovh-testing
-[ovh-testing:children]
-ovh-testing-vm
 
 # everything at fleming
 [fleming:children]
-fleming-pve
+fleming_pve
-fleming-vm-ldap-replica
+fleming_vm
+#fleming_unifi
+
+# everything at pacaterie
+[pacaterie:children]
+pacaterie_pve
+pacaterie_vm
+#pacaterie_unifi
+
+# everything at edc
+[edc:children]
+edc_pve
+edc_vm
+
+# everything at georgesand
+[gs:children]
+gs_pve
+gs_vm
+
+# everything at Les Rives
+[rives:children]
+rives_pve
+rives_vm
+
+
+###############################################################################
+# Groups by type
 
 # every LXC container
 [container:children]
-ovh-container
+ovh_container
 
 # every virtual machine
 [vm:children]
-ovh-vm
+ovh_vm
-fleming-vm-ldap-replica
+fleming_vm
+pacaterie_vm
+edc_vm
+gs_vm
+rives_vm
 
 # every PVE
 [pve:children]
-ovh-pve
+ovh_pve
-fleming-pve
+fleming_pve
+pacaterie_pve
+edc_pve
+gs_pve
+rives_pve
+
+
+###############################################################################
+# Groups by service
+
+[ldap_replica:children]
+ldap_replica_fleming
+ldap_replica_pacaterie
+ldap_replica_edc
+ldap_replica_gs
+ldap_replica_ovh
+ldap_replica_rives
+
+[ldap_replica_fleming]
+ldap-replica-fleming.adm.auro.re
+
+[ldap_replica_pacaterie]
+ldap-replica-pacaterie.adm.auro.re
+
+[ldap_replica_edc]
+ldap-replica-edc.adm.auro.re
+
+[ldap_replica_gs]
+ldap-replica-gs.adm.auro.re
+
+[ldap_replica_ovh]
+ldap-replica-ovh.adm.auro.re
+
+[ldap_replica_rives]
+ldap-replica-rives.adm.auro.re
 
-# every LDAP replica
-[ldap-replica:children]
-fleming-vm-ldap-replica

ldap.yml

@@ -1,11 +0,0 @@
----
-# Plug LDAP on all servers
-- hosts: all
-  roles:
-    - ldap-client
-
-# Clone LDAP on local geographic location
-# DON'T DO THIS AS IT RECREATES THE REPLICA
-# - hosts: ldap-replica
-#   roles:
-#     - ldap-replica

ldap_replica.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+# Clone LDAP on local geographic location
+# DON'T DO THIS AS IT RECREATES THE REPLICA
+- hosts: ldap_replica
+  roles:
+    - ldap_replica

matrix.yml

@@ -1,15 +1,18 @@
+#!/usr/bin/env ansible-playbook
 ---
 # Install Matrix Synapse on corresponding containers
 - hosts: synapse.adm.auro.re
   vars:
-    mxisd_version: 1.3.1
+    mxisd_releases: https://github.com/kamax-matrix/mxisd/releases
-    synapse_rest_auth_url: https://raw.githubusercontent.com/kamax-matrix/matrix-synapse-rest-auth/master/rest_auth_provider.py
+    mxisd_deb: "{{ mxisd_releases }}/download/v1.3.1/mxisd_1.3.1_all.deb"
   roles:
-    - debian-backports
+    - debian_backports
-    - matrix-synapse
+    - nodejs
-    - matrix-mxisd
+    - matrix_synapse
+    - matrix_appservice_irc
+    - matrix_appservice_webhooks
 
-# Install Matrix Riot on corresponding containers
+# Install Matrix services
-- hosts: riot.adm.auro.re
+- hosts: matrix-services.adm.auro.re
   roles:
-    - matrix-riot
+    - debian_backports

monitoring.yml

@@ -0,0 +1,62 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: prometheus-fleming.adm.auro.re,prometheus-fleming-fo.adm.auro.re
+  vars:
+    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+
+    # Prometheus targets.json
+    prometheus_targets:
+      - targets: |
+          {{ groups['fleming_physical'] + groups['fleming_vm'] | list | sort }}
+    prometheus_unifi_snmp_targets:
+      - targets: "{{ groups['fleming_unifi'] | list | sort }}"
+  roles:
+    - prometheus
+
+- hosts: prometheus-pacaterie.adm.auro.re,prometheus-pacaterie-fo.adm.auro.re
+  vars:
+    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+
+    # Prometheus targets.json
+    prometheus_targets:
+      - targets: |
+          {{ groups['pacaterie_physical'] + groups['pacaterie_vm'] | list | sort }}
+    prometheus_unifi_snmp_targets:
+      - targets: "{{ groups['pacaterie_unifi'] | list | sort }}"
+  roles:
+    - prometheus
+
+- hosts: prometheus-edc.adm.auro.re,prometheus-edc-fo.adm.auro.re
+  vars:
+    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+
+    # Prometheus targets.json
+    prometheus_targets:
+      - targets: |
+          {{ groups['edc_physical'] + groups['edc_vm'] | list | sort }}
+    prometheus_unifi_snmp_targets:
+      - targets: "{{ groups['edc_unifi'] | list | sort }}"
+  roles:
+    - prometheus
+
+- hosts: prometheus-georgesand.adm.auro.re,prometheus-georgesand-fo.adm.auro.re
+  vars:
+    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+
+    # Prometheus targets.json
+    prometheus_targets:
+      - targets: |
+          {{ groups['georgesand_physical'] + groups['georgesand_vm'] | list | sort }}
+    prometheus_unifi_snmp_targets:
+      - targets: "{{ groups['georgesand_unifi'] | list | sort }}"
+  roles:
+    - prometheus
+
+# Monitor all hosts
+- hosts: all,!unifi,!ovh
+  roles:
+    - prometheus_node

network.yml

@@ -0,0 +1,65 @@
+#!/usr/bin/env ansible-playbook
+---
+# Set up DHCP servers.
+- hosts: dhcp-*.adm.auro.re
+  roles:
+    - isc_dhcp_server
+
+
+# Deploy unbound DNS server (recursive).
+- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
+  roles:
+    - unbound
+
+
+# Déploiement du service re2o aurore-firewall et keepalived
+# radvd: IPv6 SLAAC (/64 subnets, private IPs).
+#   Must NOT be on routeur-aurore-*, or will with DHCPv6!
+- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
+  roles:
+    - router
+    - radvd
+
+# No radvd here
+- hosts: ~routeur-aurore.*\.adm\.auro\.re
+  roles:
+    - router
+    - ipv6_edge_router
+
+# Radius (backup only for now)
+- hosts: radius-*.adm.auro.re
+  roles:
+    - radius
+
+
+# WIP: Deploy authoritative DNS servers
+# - hosts: authoritative_dns
+#   vars:
+#     service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
+#     service_name: dns
+#     service_version: crans
+#     service_config:
+#       hostname: re2o-server.adm.auro.re
+#       username: service-user
+#       password: "{{ vault_serviceuser_passwd }}"
+#   roles:
+#     - re2o-service
+
+
+# Deploy Unifi Controller
+# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
+#   roles:
+#     - unifi-controller
+
+# Deploy Re2o switch service
+# - hosts: switchs-manager.adm.auro.re
+#   vars:
+#     service_repo: https://gitlab.federez.net/re2o/switchs.git
+#     service_name: switchs
+#     service_version: master
+#     service_config:
+#       hostname: re2o-server.adm.auro.re
+#       username: service-user
+#       password: "{{ vault_serviceuser_passwd }}"
+#   roles:
+#     - re2o-service

nginx-reverse-proxy.yml

@@ -1,34 +0,0 @@
----
-# Install NGINX with reverse proxy conf
-- hosts: proxy.adm.auro.re
-  vars:
-    reversed_proxy_subdomains:
-      - name: re2o
-        from: re2o.auro.re
-        to: re2o-server.adm.auro.re
-      - name: intranet
-        from: intranet.auro.re
-        to: re2o-server.adm.auro.re
-      - name: pad
-        from: pad.auro.re
-        to: pad.adm.auro.re:9001
-      - name: phabricator
-        from: phabricator.auro.re
-        to: phabricator.adm.auro.re
-      - name: wiki
-        from: wiki.auro.re
-        to: wiki.adm.auro.re
-      - name: www
-        from: www.auro.re
-        to: www.adm.auro.re
-      - name: re2o-test
-        from: re2o-test.auro.re
-        to: re2o-test.adm.auro.re
-      - name: riot
-        from: riot.auro.re
-        to: riot.adm.auro.re
-      - name: codimd
-        from: codimd.auro.re
-        to: codimd.adm.auro.re:8080
-  roles:
-    - nginx-reverse-proxy

nuke_radius_dbs.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: radius-*.adm.auro.re
+  roles:
+    - radius
+  vars:
+    nuke_radius: true

proxmox.yml

@@ -0,0 +1,432 @@
+#!/usr/bin/env ansible-playbook
+---
+# This is a special playbook to create a new VM !
+- hosts: proxy.adm.auro.re  # Host with python-proxmoxer and python-requests
+  become: false  # We do not need root as we use Proxmox API
+
+  vars:
+    vm_definitions:
+
+      # Réseau Pacaterie
+      - name: ldap-replica-pacaterie
+        virtu: mordred
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: dhcp-pacaterie
+        virtu: mordred
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: dns-pacaterie
+        virtu: mordred
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: prometheus-pacaterie
+        virtu: mordred
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: radius-pacaterie
+        virtu: mordred
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: unifi-pacaterie
+        virtu: mordred
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-9.9.0-amd64-netinst.iso
+
+      # Réseau Fleming
+      - name: ldap-replica-fleming1
+        virtu: freya
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: dhcp-fleming
+        virtu: freya
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: dns-fleming
+        virtu: freya
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: prometheus-fleming
+        virtu: freya
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: radius-fleming
+        virtu: freya
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: unifi-fleming
+        virtu: freya
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-9.9.0-amd64-netinst.iso
+
+      # Réseau EdC
+      - name: ldap-replica-edc1
+        virtu: chapalux
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: dhcp-edc
+        virtu: chapalux
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: dns-edc
+        virtu: chapalux
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: prometheus-edc
+        virtu: chapalux
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: radius-edc
+        virtu: chapalux
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: unifi-edc
+        virtu: chapalux
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-9.9.0-amd64-netinst.iso
+
+      # Réseau George Sand
+      - name: ldap-replica-gs1
+        virtu: perceval
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: dhcp-gs
+        virtu: perceval
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: dns-gs
+        virtu: perceval
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: prometheus-gs
+        virtu: perceval
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: radius-gs
+        virtu: perceval
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-10.0.0-amd64-netinst.iso
+      - name: unifi-gs
+        virtu: perceval
+        cores: 2  # 2 mimimum, 10 maximum
+        memory: 1024  # M
+        disksize: 16  # G
+        installiso: debian-9.9.0-amd64-netinst.iso
+
+  vars_prompt:
+    - name: "password"
+      prompt: "Enter LDAP password for your user"
+      private: true
+
+  tasks:
+    - name: Define a virtual machine in Proxmox
+      proxmox_kvm:
+        api_user: "{{ ansible_user_id }}@pam"
+        api_password: "{{ password }}"
+        api_host: "{{ item.virtu }}.adm.auro.re"
+        name: "{{ item.name }}"
+        node: "{{ item.virtu }}"
+        scsihw: virtio-scsi-pci
+        scsi: '{"scsi0":"{{ item.virtu }}:{{ item.disksize }},format=raw"}'
+        sata: '{"sata0":"local:iso/{{ item.installiso }},media=cdrom"}'
+        net: '{"net0":"virtio,bridge=vmbr2"}'  # Adm only by default
+        cores: "{{ item.cores }}"
+        memory: "{{ item.memory }}"
+        balloon: "{{ item.memory // 2 }}"
+        bios: seabios  # Ansible module doesn't support UEFI boot disk
+      loop:
+        # Réseau Fleming
+        - name: ldap-replica-fleming
+          virtu: freya
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: dhcp-fleming
+          virtu: freya
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: dns-fleming
+          virtu: freya
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: prometheus-fleming
+          virtu: freya
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: radius-fleming
+          virtu: freya
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: unifi-fleming
+          virtu: freya
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-9.9.0-amd64-netinst.iso
+        - name: routeur-fleming
+          virtu: freya
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+
+        - name: ldap-replica-fleming-fo
+          virtu: marki
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: dhcp-fleming-fo
+          virtu: marki
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: dns-fleming-fo
+          virtu: marki
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: prometheus-fleming-fo
+          virtu: marki
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: radius-fleming-fo
+          virtu: marki
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: routeur-fleming-fo
+          virtu: marki
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+
+        # Réseau Pacaterie
+        - name: ldap-replica-pacaterie
+          virtu: mordred
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: dhcp-pacaterie
+          virtu: mordred
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: dns-pacaterie
+          virtu: mordred
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: prometheus-pacaterie
+          virtu: mordred
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: radius-pacaterie
+          virtu: mordred
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: unifi-pacaterie
+          virtu: mordred
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-9.9.0-amd64-netinst.iso
+        - name: routeur-pacaterie
+          virtu: mordred
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+
+        - name: ldap-replica-pacaterie-fo
+          virtu: titan
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: dhcp-pacaterie-fo
+          virtu: titan
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: dns-pacaterie-fo
+          virtu: titan
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: prometheus-pacaterie-fo
+          virtu: titan
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: radius-pacaterie-fo
+          virtu: titan
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: routeur-pacaterie-fo
+          virtu: titan
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+
+        # Réseau EDC
+        - name: ldap-replica-edc
+          virtu: chapalux
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: dhcp-edc
+          virtu: chapalux
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: dns-edc
+          virtu: chapalux
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: prometheus-edc
+          virtu: chapalux
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: radius-edc
+          virtu: chapalux
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: unifi-edc
+          virtu: chapalux
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-9.9.0-amd64-netinst.iso
+        - name: routeur-edc
+          virtu: chapalux
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+
+        # Réseau George Sand
+        - name: ldap-replica-georgesand
+          virtu: perceval
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: dhcp-georgesand
+          virtu: perceval
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: dns-georgesand
+          virtu: perceval
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: prometheus-georgesand
+          virtu: perceval
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: radius-georgesand
+          virtu: perceval
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso
+        - name: unifi-georgesand
+          virtu: perceval
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-9.9.0-amd64-netinst.iso
+        - name: routeur-georgesand
+          virtu: perceval
+          cores: 2  # 2 mimimum, 10 maximum
+          memory: 1024  # M
+          disksize: 16  # G
+          installiso: debian-10.0.0-amd64-netinst.iso

roles/baseconfig/files/update-motd.d/00-logo

@@ -1,6 +1,5 @@
 #!/bin/sh
-# /etc/update-motd.d/00-logo
+# {{ ansible_managed }}
-# Deployed with Aurore Ansible !
 
 # Pretty uptime
 upSeconds="$(/usr/bin/cut -d. -f1 /proc/uptime)"

roles/baseconfig/files/update-motd.d/10-uname

@@ -0,0 +1,3 @@
+#!/bin/sh
+# {{ ansible_managed }}
+uname -snrvm

roles/baseconfig/tasks/apt-listchanges.yml

@@ -6,14 +6,27 @@
     name: apt-listchanges
     state: present
     update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
 
 # Send email when there is something new
 - name: Configure apt-listchanges
-  lineinfile:
+  ini_file:
-    dest: /etc/apt/listchanges.conf
+    path: /etc/apt/listchanges.conf
-    regexp: "^{{ item.key }}="
+    no_extra_spaces: true
-    line: "{{ item.value }}"
+    section: apt
-  with_dict:
+    option: "{{ item.option }}"
-    confirm: 'confirm=true'
+    value: "{{ item.value }}"
-    email_address: "email_address={{ monitoring_mail }}"
+    state: present
-    which: 'which=both'
+    mode: 0644
+  loop:
+    - option: confirm
+      value: "true"
+
+    - option: email_address
+      value: "{{ monitoring_mail }}"
+
+    - option: which
+      value: both
+...

roles/baseconfig/tasks/main.yml

@@ -3,29 +3,48 @@
 - name: Install basic tools
   when: ansible_os_family == "Debian"
   apt:
-    name: "{{ packages }}"
+    name:
-    state: present
+      - acl  # advanced ACL
-    update_cache: true
+      - apt  # better than apt-get
-  vars:
+      - aptitude  # nice to have for Ansible
-    packages:
+      - bash-completion  # because bash
-      - bash-completion   # for bash users
+      - curl  # Better that wget
-      - zsh               # alternative shell
+      - emacs-nox  # for maman
-      - sudo              # to gain root access
+      - fish  # to motivate @edpibu
       - git  # code versioning
-      - nano              # basic text editor
-      - vim               # like nano but more powerful and complex
-      - htop              # better than top
       - less  # i like cats
+      - lsb-release
+      - htop  # better than top
+      - iotop  # monitor i/o
+      - oidentd  # postgresql identification
+      - molly-guard  # prevent reboot
+      - nano  # for vulcain
+      - net-tools
+      - ntp  # network time sync
+      - screen  # Vulcain asked for this
+      - sudo
       - tree  # create a graphical tree of files
-      - ipython           # better Python shell
+      - vim  # better than nano
-      - acl               # for Ansible become support
+      - zsh  # to be able to ssh @erdnaxe
+    update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
 
 # Pimp my server
 - name: Customize motd
   copy:
-    src: 'update-motd.d/00-logo'
+    src: "update-motd.d/{{ item }}"
-    dest: '/etc/update-motd.d/00-logo'
+    dest: "/etc/update-motd.d/{{ item }}"
     mode: 0755
+  loop:
+    - 00-logo
+    - 10-uname
+
+- name: Remove Debian warranty motd
+  file:
+    path: /etc/motd
+    state: absent
 
 # Configure APT mirrors on Debian Stretch
 - name: Configure APT mirrors
@@ -33,8 +52,8 @@
     - ansible_distribution == 'Debian'
     - ansible_distribution_release == 'stretch'
   template:
-    src: 'apt/sources.list.j2'
+    src: apt/sources.list.j2
-    dest: '/etc/apt/sources.list'
+    dest: /etc/apt/sources.list
     mode: 0644
 
 # Patriotisme
@@ -50,11 +69,7 @@
     question: locales/default_environment_locale
     value: fr_FR.UTF-8
     vtype: select
-  notify:
+  notify: Reconfigure locales
-    - Reconfigure locales
-
-# Molly-Guard : prevent accidental shutdowns
-- include_tasks: molly-guard.yml
 
 # APT-List Changes : send email with changelog
 - include_tasks: apt-listchanges.yml
@@ -62,8 +77,15 @@
 # User skeleton
 - name: Configure user skeleton
   copy:
-    src: skel/{{ item.key }}
+    src: "skel/dot_{{ item }}"
-    dest: /etc/skel/{{ item.value }}
+    dest: "/etc/skel/.{{ item }}"
-  with_dict:
+    mode: 0644
-    dot_zshrc: .zshrc
+  loop:
-    dot_zshrc.local: .zshrc.local
+    - zshrc
+    - zshrc.local
+
+- name: Configure resolvconf
+  template:
+    src: resolv.conf
+    dest: /etc/resolv.conf
+    mode: 0644

roles/baseconfig/tasks/molly-guard.yml

@@ -1,15 +0,0 @@
----
-# Install molly-guard
-- name: Install molly-guard
-  when: ansible_os_family == "Debian"
-  apt:
-    name: molly-guard
-    state: present
-    update_cache: true
-
-# Always ask for hostname
-- name: Configure molly-guard
-  lineinfile:
-    dest: /etc/molly-guard/rc
-    regexp: '^#*\s*ALWAYS_QUERY_HOSTNAME.*$'
-    line: 'ALWAYS_QUERY_HOSTNAME=true'

roles/baseconfig/templates/resolv.conf

@@ -0,0 +1,4 @@
+domain adm.auro.re
+nameserver 10.128.0.253
+nameserver 2a09:6840:128::253
+nameserver 80.67.169.12

roles/basesecurity/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Restart sshd service
+  service:
+    name: sshd
+    state: restarted
+
+- name: Restart fail2ban service
+  service:
+    name: fail2ban
+    state: restarted

roles/basesecurity/tasks/main.yml

@@ -0,0 +1,87 @@
+---
+- name: Configure sysctl
+  template:
+    src: sysctl.d/local.conf.j2
+    dest: /etc/sysctl.d/local.conf
+    mode: 0644
+
+# Use this command to list setuid or setgid executables
+# find / -type f -perm /6000 -ls 2>/dev/null
+- name: Desactivate setuid/setgid on unused binaries
+  file:
+    path: "{{ item }}"
+    mode: u-s,g-s
+  loop:
+    - /usr/lib/openssh/sshkeysign  # Not used
+    - /usr/bin/gpasswd  # No group auth
+    - /usr/bin/passwd  # Only root should change passwd
+    - /usr/bin/expiry  # With re2o
+    - /usr/bin/newgrp  # No group auth
+    - /usr/bin/chage  # With re2o
+    - /usr/bin/chsh  # With re2o
+    - /usr/bin/chfn  # With re2o
+    - /bin/mount  # Only root should mount
+    - /bin/umount  # Only root should umount
+  ignore_errors: true  # Sometimes file won't exist
+
+# Only SSH keys to log on root
+- name: Prohibit root SSH with password
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^{{ item.0 }}'
+    insertafter: '^#{{ item.0 }}'
+    line: '{{ item.0 }} {{ item.1 }}'
+  loop:
+    - ["PermitRootLogin", "prohibit-password"]
+    - ["AllowAgentForwarding", "no"]
+    - ["X11Forwarding", "no"]
+    - ["TCPKeepAlive", "yes"]
+  notify: Restart sshd service
+
+# See banned client with `fail2ban-client status sshd`
+- name: Install fail2ban
+  apt:
+    name: fail2ban
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure fail2ban
+  ini_file:
+    path: /etc/fail2ban/jail.d/local.conf
+    section: "{{ item.section }}"
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+    state: present
+    mode: 0644
+  notify: Restart fail2ban service
+  loop:
+    - section: sshd
+      option: ignoreip
+      value: 10.128.0.254  # Whitelist bastion
+
+    - section: sshd
+      option: enabled
+      value: "true"
+
+    - section: sshd
+      option: bantime
+      value: 600
+
+    - section: sshd
+      option: findtime
+      value: 600
+
+    - section: sshd
+      option: maxretry
+      value: 5
+
+# See altered packages and configurations with `debsums -ca`
+- name: Install debsums
+  apt:
+    name: debsums
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded

roles/basesecurity/templates/sysctl.d/local.conf.j2

@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+# See https://www.ssi.gouv.fr/uploads/2016/01/linux_configuration-fr-v1.2.pdf
+
+# Disable core dump of setuid executables
+# So an user can't read privileged information in memory
+fs.suid_dumpable = 0
+
+# Obfuscate kernel memory addresses
+kernel.kptr_restrict = 1
+
+# Restrict dmesg access
+# This can leak specific harware failures to exploit
+kernel.dmesg_restrict = 1

roles/certbot/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+- name: Install certbot and nginx plugin
+  apt:
+    update_cache: true
+    name:
+      - certbot
+      - python3-certbot-nginx
+  register: pkg_result
+  retries: 3
+  until: pkg_result is succeeded
+
+- name: Create /etc/letsencrypt/conf.d
+  file:
+    path: /etc/letsencrypt/conf.d
+    state: directory
+    mode: 0755
+
+- name: Add Certbot configuration
+  template:
+    src: "letsencrypt/conf.d/certname.ini.j2"
+    dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+    mode: 0644
+  register: certbot_config
+
+- name: Stop services to allow certbot to generate a cert.
+  service:
+    name: nginx
+    state: stopped
+  when: certbot_config.changed
+
+- name: Generate new certificate if the configuration changed
+  shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+  when: certbot_config.changed
+
+- name: Restart services to allow certbot to generate a cert.
+  service:
+    name: nginx
+    state: started
+  when: certbot_config.changed

roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2

@@ -0,0 +1,23 @@
+# {{ ansible_managed }}
+
+# Pour appliquer cette conf et générer la conf de renewal :
+# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
+
+# Use a 4096 bit RSA key instead of 2048
+rsa-key-size = 4096
+
+# Always use the staging/testing server
+# server = https://acme-staging.api.letsencrypt.org/directory
+
+# Uncomment and update to register with the specified e-mail address
+email = {{ certbot.mail }}
+
+# Uncomment to use a text interface instead of ncurses
+text = True
+
+# Use nginx challenge
+authenticator = nginx
+
+# Wildcard the domain
+cert-name = {{ certbot.certname }}
+domains = {{ ", ".join(certbot.domains) }}

roles/codimd/handlers/main.yml

@@ -1,13 +0,0 @@
----
-# Build front-end bundle
-# This can take very long and requires > 2GB of RAM
-- name: Build front-end for CodiMD
-  command: NODE_ENV="production" yarn run build
-  args:
-    chdir: /var/local/codimd/codimd
-  become: true
-  become_user: codimd
-
-# Reload systemd daemons when a service file changes
-- name: Reload systemd daemons
-  command: systemctl daemon-reload

roles/codimd/tasks/0_apt_dependencies.yml

@@ -1,28 +0,0 @@
----
-# For NodeJS package
-- name: Configure NodeJS pin
-  when:
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_release == 'stretch'
-  template:
-    src: apt/nodejs.j2
-    dest: /etc/apt/preferences.d/nodejs
-    mode: 0644
-
-# TODO
-# apt-transport-https
-# curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
-# echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
-
-# Install CodiMD dependencies
-- name: Install required packages
-  apt:
-    name: "{{ item }}"
-    state: present
-    update_cache: true
-  with_items:
-    - git
-    - nodejs
-    - npm
-    - build-essential
-    - yarn

roles/codimd/tasks/1_user_group.yml

@@ -1,26 +0,0 @@
----
-# Security #1
-- name: Create CodiMD system group
-  group:
-    name: codimd
-    system: yes
-    state: present
-
-# Security #2
-- name: Create CodiMD user
-  user:
-    name: codimd
-    group: codimd
-    home: /var/local/codimd
-    comment: CodiMD
-    system: yes
-    state: present
-
-# Security #3
-- name: Secure CodiMD home directory
-  file:
-    path: /var/local/codimd
-    state: directory
-    owner: codimd
-    group: codimd
-    mode: 0750

roles/codimd/tasks/main.yml

@@ -1,59 +0,0 @@
----
-# Install APT dependencies
-- include_tasks: 0_apt_dependencies.yml
-
-# Create CodiMD user and group
-- include_tasks: 1_user_group.yml
-
-# Download CodiMD
-- name: Clone CodiMD project
-  git:
-    repo: https://github.com/hackmdio/codimd.git
-    dest: /var/local/codimd/codimd
-    version: 1.3.0
-  become: true
-  become_user: codimd
-  notify: Build front-end for CodiMD
-
-# Setup dependencies and configs
-- name: Install CodiMD depedencies
-  command: NODE_ENV="production" bin/setup
-  args:
-    chdir: /var/local/codimd/codimd
-  become: true
-  become_user: codimd
-
-# Connection to database
-- name: Connect CodiMD to PostgreSQL db
-  template:
-    src: sequelizerc.j2
-    dest: /var/local/codimd/codimd/.sequelizerc
-    owner: codimd
-    group: codimd
-    mode: 0600
-
-# Configure
-- name: Configure CodiMD
-  template:
-    src: config.json.j2
-    dest: /var/local/codimd/codimd/config.json
-    owner: codimd
-    group: codimd
-    mode: 0600
-
-# Service file
-- name: Install CodiMD systemd unit
-  template:
-    src: 'systemd/codimd.service.j2'
-    dest: '/etc/systemd/system/codimd.service'
-    owner: root
-    group: root
-    mode: 0644
-  notify: Reload systemd daemons
-
-# Run
-- name: Ensure that CodiMD is started
-  service:
-    name: codimd
-    state: started
-    enabled: true

roles/codimd/templates/config.json.j2

@@ -1,39 +0,0 @@
-{
-    "production": {
-        "domain": "codimd.auro.re",
-        "debug": false,
-        "port": 8080,
-        "useSSL": false,
-        "protocolUseSSL": true,
-        "useCDN": false,
-        "csp": {
-            "enable": true,
-            "directives": {
-            },
-            "upgradeInsecureRequests": "auto",
-            "addDefaults": true
-        },
-        "db": {
-            "username": "codimd",
-            "password": "{{ postgresql_codimd_passwd }}",
-            "database": "codimd",
-            "host": "{{ postgresql_services_url }}",
-            "port": "5432",
-            "dialect": "postgres"
-        },
-        "email": false,
-        "ldap": {
-            "url": "{{ ldap_master_uri }}",
-            "bindDn": "{{ ldap_codimd_bind_dn }}",
-            "bindCredentials": "{{ ldap_codimd_password }}",
-            "searchBase": "cn=Utilisateurs,dc=auro,dc=re",
-            "searchFilter": "(uid={% raw %}{{username}}{% endraw %})",
-            "searchAttributes": ["uid", "givenName", "mail"],
-            "usernameField": "uid",
-            "useridField": "uid",
-            "providerName": "Compte Aurore"
-        },
-        "allowFreeURL": true
-    }
-}
-

roles/codimd/templates/sequelizerc.j2

@@ -1,8 +0,0 @@
-var path = require('path');
-
-module.exports = {
-    'config':          path.resolve('config.json'),
-    'migrations-path': path.resolve('lib', 'migrations'),
-    'models-path':     path.resolve('lib', 'models'),
-    'url':             'postgres://codimd:{{ postgresql_codimd_passwd }}@{{ postgresql_services_url }}:5432/codimd'
-}

roles/docker/tasks/main.yml

@@ -0,0 +1,58 @@
+---
+# Install HTTPS support for APT
+- name: Install apt-transport-https
+  apt:
+    update_cache: true
+    name:
+      - apt-transport-https
+      - ca-certificates
+      - curl
+      - gnupg2
+      - software-properties-common
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+# Add the key
+- name: Configure the apt key
+  apt_key:
+    url: https://download.docker.com/linux/debian/gpg
+    id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+    state: present
+  register: apt_key_result
+  retries: 3
+  until: apt_key_result is succeeded
+
+# Add the repository into source list
+- name: Configure docker repository
+  apt_repository:
+    repo: "{{ item }}"
+    state: present
+  loop:
+    - deb https://download.docker.com/linux/debian buster stable
+
+- name: Install docker
+  apt:
+    update_cache: true
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+# Compose need to be updated to use new Docker features
+- name: Install Docker Compose
+  get_url:
+    url: https://github.com/docker/compose/releases/download/1.24.1/docker-compose-Linux-x86_64
+    dest: /usr/local/bin/docker-compose
+    mode: "0755"
+
+- name: Indicate role in motd
+  template:
+    src: update-motd.d/05-service.j2
+    dest: /etc/update-motd.d/05-docker
+    mode: 0755

roles/docker/templates/update-motd.d/05-service.j2

@@ -0,0 +1,3 @@
+#!/bin/sh
+# {{ ansible_managed }}
+echo "> Les recettes Docker-compose se trouvent dans /var/local/ansible-docker"

roles/dokuwiki/tasks/main.yml

@@ -22,5 +22,9 @@
 # Install
 - name: Install DokuWiki
   apt:
-    name: dokuwiki
     update_cache: true
+    name: dokuwiki
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded

roles/etherpad/handlers/main.yml

@@ -1,4 +0,0 @@
----
-# Reload systemd daemons when a service file changes
-- name: Reload systemd daemons
-  command: systemctl daemon-reload

roles/etherpad/tasks/1_user_group.yml

@@ -1,26 +0,0 @@
----
-# Security #1
-- name: Create EtherPad system group
-  group:
-    name: etherpad
-    system: yes
-    state: present
-
-# Security #2
-- name: Create EtherPad user
-  user:
-    name: etherpad
-    group: etherpad
-    home: /var/local/etherpad
-    comment: EtherPad
-    system: yes
-    state: present
-
-# Security #3
-- name: Secure Etherpad home directory
-  file:
-    path: /var/local/etherpad
-    state: directory
-    owner: etherpad
-    group: etherpad
-    mode: 0750

roles/etherpad/tasks/main.yml

@@ -1,59 +0,0 @@
----
-# Install APT dependencies
-- include_tasks: 0_apt_dependencies.yml
-
-# Create EtherPad user and group
-- include_tasks: 1_user_group.yml
-
-# Download EtherPad
-- name: Clone EtherPad project
-  git:
-    repo: https://github.com/ether/etherpad-lite.git
-    dest: /var/local/etherpad/etherpad-lite
-    version: master
-  become: true
-  become_user: etherpad
-
-# Installation script
-# TODO: move this in a handler
-- name: Install Etherpad dependencies
-  command: bin/installDeps.sh
-  args:
-    chdir: /var/local/etherpad/etherpad-lite
-  become: true
-  become_user: etherpad
-
-# Configuration
-- name: Configure EtherPad
-  lineinfile:
-    dest: /var/local/etherpad/etherpad-lite/settings.json
-    regexp: '^\s*"{{ item.key }}"'
-    line: "{{ item.value }}"
-  with_dict:
-    title: "  \"title\": \"Etherpad Aurore\","
-    dbType: "  \"dbType\" : \"postgres\","
-    defaultPadText: "  \"defaultPadText\" : \"Bienvenue sur l'EtherPad d'Aurore !\\n\\nCe pad est synchronisé avec les autres utilisateur·rice·s présent·e·s sur cette page.\\n\","
-    lang: "    \"lang\": \"fr-fr\""
-
-# Service file
-- name: Install EtherPad systemd unit
-  template:
-    src: systemd/etherpad-lite.service.j2
-    dest: /etc/systemd/system/etherpad-lite.service
-    owner: root
-    group: root
-    mode: 0644
-  notify: Reload systemd daemons
-
-# Run
-- name: Ensure that EtherPad is started
-  service:
-    name: etherpad-lite
-    state: started
-    enabled: True
-
-# La configuration de la clé `dbSettings` n'est pas encore automatisé !
-
-# TODO-list
-#  * Configure admin user, logs
-# Plugins : https://framacloud.org/fr/cultiver-son-jardin/etherpad.html#concernant-framapad

roles/etherpad/templates/apt/nodejs.j2

@@ -1,5 +0,0 @@
-# {{ ansible_managed }}
-
-Package: node* libuv1*
-Pin: release a=stretch-backports
-Pin-Priority: 600

roles/etherpad/templates/systemd/etherpad-lite.service.j2

@@ -1,17 +0,0 @@
-# {{ ansible_managed }}
-
-[Unit]
-Description=Etherpad-lite, the collaborative editor.
-After=syslog.target network-online.target mysql.service postgresql.service
-Conflicts=shutdown.target
-
-[Service]
-Type=simple
-User=etherpad
-Group=etherpad
-WorkingDirectory=/var/local/etherpad/etherpad-lite
-ExecStart=/usr/bin/nodejs /var/local/etherpad/etherpad-lite/node_modules/ep_etherpad-lite/node/server.js
-Restart=always
-
-[Install]
-WantedBy=multi-user.target

roles/ipv6_edge_router/frr-apt-key.asc

@@ -0,0 +1,186 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFvRo7oBEADH/lEeQBaRW4Lpmzhpn7W53hhMUefgj1bJ7ISpMC3qOlgSIeof
+sQjZ5Hr0RHxz5bRVRtcOhPhKRvL0wCmTpROvKBVyrOHDn4AAh+D7bqhzrEZezJwu
+on2fBRA5prT97r99WKpIPjyqeKHWY3GsbkKMYAcFMGNwYZudEm9bqFaZ9F1CX96i
+VHTArZiZZgPPycOW6fZzrdPDa5/07WA4tJ4PXnMFEd3bLpRDW/t46XqBeNOitBcN
+TrRY7LY/rLnfAUfTWlQVm1wb5gl1E0e4LDlaAysqZCVDriAUwNzk9aRnLQw14h18
+af3sIi649fQ/uv/JwQ9hc1os/gu23N4wKSwSvQGYo3V6oqbxkhIQ5TR0MgXIxfF9
+LoSFgnrXvUpUc+V4qXJJV+hLbTEoAKrHaON0f7BQHAiTsKB1R7FLVCMFIRtuZ1RD
+iUCL9jFFXmAikHsTUFE2EOCW7+kqRSQ5ICu3IqMbXXA1dHz4tN2ji5LPZ4OKh/1O
+zZQCBev4IZ3KWibFZwNxDwWFSoFQeuNKnVujsfR31SuFRWmASqZGGpN/Jr+zVNsb
+iUXUBrnSj8PXYs1zSLrfVVlaga6EI29o5ozUweZDvn5VnRycHaTVjVEmYynnf0ss
+axkRKDgP4e0czNTbH9Rze+AL/Xfc5F0CVQ3jGZQwLgspqpj2UNicZhTzQwARAQAB
+tCtEYXZpZCBMYW1wYXJ0ZXIgPGVxdWlub3gtZGViaWFuQGRpYWMyNC5uZXQ+iQJO
+BBMBCAA4FiEEPZlorJrnvhFpKI3bH9WDmJX1f9oFAlvRo7oCGwEFCwkIBwIGFQgJ
+CgsCBBYCAwECHgECF4AACgkQH9WDmJX1f9pNHg//VS3bICTNEjjmXRtHdsKyRs2s
+Nl6BefYDuOPy6NWIra9oLZzo1G15Zt8wH1LLHIBND1d8QILa1739coQhfNJeeuyp
+sYclgSoX85UqpLeHE0Ws/o1vjNmAlQX7qDR5q1iOxUfxLjyXAR7qaqOCBR0uGjxP
+ZCI88ctu0bt9iI2rzmKwgyORDWwvKOmHovHxB8stPwdToyQK/eij94CVlf086pOz
+eIrEjC54jE4pq7nae8w7RsWs5OmgBkrZoXIuLBfHa1ynbUjhE3okPiZDnZr9bPTH
+FpJ4DnsQGhZGjFIiNVi5zbV+MxjavkfbshpzE1TK9EhNf1DdI8A+XzpiTfA5ifDL
+sm/KnA9Z+4T2EswthB6YV1lcnacSGOrEI1CQUTHPSFwZc1WUDkX5aqwib8fCT6U7
+oEngVBwN+guj5l2ba50pt1bct86c8Rv0cnaeKt6boe9sLeHbAur/R7Smdp0yIwAa
+pq52eSQvrxkV2sKlvOrBLX0v4hOut4LQKzresM0smjARYamh3ksj7oAaHJx1+RMZ
+AK7i2AjcMR4BvALTerVd2oM4SNghSFubJTVoMUarzeM3XQ6mFGbdwsqo6ziPlr2r
+vtX7syFclRXaeJw4VAQqXlBqbpZevld7A9/3G9CyuRSoQxgPv9p6fx3aE7R65O9U
+YsBsMtj2oxhKnkNjoky5AQ0EW9Gj4AEIALrNBXS0J+LAtQjWfJUwp9KsXCYx/1fL
+YDENUdkbwfCTDHPZFgZf0jvPFuQkvFl7SnoyjwbnDlFCn2kYeZJ1vS3ZidUwZbcE
+QCrARSKBzovsHDdafQwuUi21GAGuBOmIUSY5RihozjLgZ/5h2/vbqmCucfoYsctb
+tl3jpT8HTo6DJ4oQWSsHF5e4G8U5DCpCINbJnpqtfIFbm3yYGHm9Yzny4E2aMnzG
+lHErxxAoYufGLh6Hfs1JeJSsWL07334NZMU/zgzUs9dBbhbJ0/QBnRVuU+YHje+x
+9Ir+szHjKwHo29K6g3BV2BTjWpoW7IQG2d6baN1VgWepwpLnbzAG5wMAEQEAAYkD
+bAQYAQgAIBYhBD2ZaKya574RaSiN2x/Vg5iV9X/aBQJb0aPgAhsCAUAJEB/Vg5iV
+9X/awHQgBBkBCAAdFiEEN1UvZYKIwg4j4yPMVBjykdDUoaoFAlvRo+AACgkQVBjy
+kdDUoarcggf/S3Vd9BqByRkCyuPLwgKWLt3KsIuKOKG9+lzoAy2VsKOomistO3g0
+itefSRUOGgSArVG/rarR0Dzva3LI7sFF9vS4XKlARSPJV0rY13buSR/LnagqmWUf
+mQJTnh+MSWS6P37Burw0DqWioPd7VJQ67BfdrGUUeP8bChIPByo+ssi1qu2MFmLj
+toYiLSYW0gRSKtn8+oz5hk1lzuQBBTZ14ykqwZH9L1kCo+3Q7O7e1dztJ6NX6jEm
+QeHwLq27RqoUG15HR7CQvupa5CLbJ0Vja2tSkUnYb/ph8z7H9rkHz4qjKQWI1QoC
+jLkiyrdDeWqVWfpwGhoAryBlWKn51T9j6NecEAC5WojJF6xqYFiiT/V7ekmMKZ0l
+PA/IwW12U+ZP2EFVbqXjwBj3Mqx4NshNdRiWsl24ulIuNpmi6I3MJzx/1sfafGHl
+mq7n2zv0Cky37M28tYoDOt5fzSLYn9cgo/OzhS3D05ARbHP+ofcXDz+So+mj8wQb
+uW2sh9ToaiYOMzGqyMR0DFO6++FdIYzphN0sPyJBdfGeePNajV6+xhdS4zktWEGq
+QaF2XukTGxodJ3J3poeCarfK9ubmkemLRJ1Q+ynlx5KNzvt4Ut1pEO+OXkYOxGfI
+8gUuj3BXICVP3UVpB7RaqW5obz8zqQkskRqIBBrLoX+Dl+l4sID20BmW028xurkf
+ef3lNfLGTat4RleypLrcVZ4CMvAM/KOLInrXEoFqIKLiwnlAp6RK3mRL1IURyOtO
+WENn6w0DuD3yyQVglQfNft6TqaMjVxFjh2fDgWvISMe7x4Jp+EWljwBnpi+TtnG/
+P99J2sGb9Hwu6gC45mQ1Ufoe+suYuehSxAWNz00GzBS9XU1xRs00xLCjPNPhSjHO
+MqmGdm3cSeFdcmp7JRM05RtDOeBYAZuDV/HZNQu4XG2gHUv1xbuIqwKqN4vRMrI2
+8fWRdN2sPNlULTjeeMpxy01lfwilvVkXRJKyCPCx9MWZfJ0qbFeEC/cDOonx34lK
+mBW0B2Otoah+Em6d5bkBDQRb0aQLAQgAxXl4JTeK5v3xU8CxMG8IRLVrfT2XTWN+
+RvfnIoPPpvs1M9XXNnw2jVKaMJq/s9gKxpl3QaqcxR+zf+7L49ooAUoFodPg2Fbg
+HoNLZYukSLyPyL4LgE/X1ZQpx78m51Yn+vzej0Va/dqa77W90GlDM4CIE/ikFFpn
+oPO3c1SaqJv+bk3XNoP2l35ttsk3Y9if3r2LJRyn/ovVXZgQD+Ulb+klYugOBiKl
+ezuq/v2tnySQJ7ouXuWyoQrcuTUS05GbFdhlbr4xJHE2HLxmqn1aSV7TQb8Uk9zQ
+0SmSTinnlSlAgoDeq1veDLeMnYo6No2V2IOcXOLv9hOa3sNV+FnsaQARAQABiQI2
+BBgBCAAgFiEEPZlorJrnvhFpKI3bH9WDmJX1f9oFAlvRpAsCGwwACgkQH9WDmJX1
+f9p6+Q/+N97F+PW383hTi84JMyiQsX0mJrvDjt5hkkdN+7u0tUNL0l3AACQ7b85/
+ofJsGnfh8kYlB2nCP+gaNQU03qqbcyMLHsuwB+ULG0izbREb7aK02RBluFpIbgdV
+rFrgrUkLiSsuQLdReQYRTP1tU0peosBPxhhb1alAGhkPebWx+MLlbtiyg/j4pu8+
+oFirrJ5WEltamGt8OSbdLGNS22PuwxV8VDo/Xbi57P1VBglCpgG1nWDEN8+i5nHh
+8OKWZmvRhih1F89BR7U14OET+EENrZd8YRF2KOvOAM0eR1aIK/AilbINVZV0girt
+B/rYFhwi9i7Fyo3gEtPRRZpzcQ7V0VZiBlpEAbjgqwe1XDVNJYquM7E4S2jBidR6
+XJaYQImiwzMcyFopZZgD0F46xSI3O8zZp21g7Dq4pv6wRXGU+L639u+X5INDtJ7s
+kykwrYzmeGg/Mp0Mseiqq7iIJXrbP4dL1+Ck9alSGCe0p5vd3CIeBR3pFeSDG6yI
+2DiRzDfzbkIuUdIOAjXWjIl+XWfsFc/Znnux3UcAGec4Nhe3JvKEy5keDpXZGSaZ
+JaFJ3WJl8uQfJjO8n8M+P2lxmrpaErqkMk0+SC3DcSSZFEDigD6flMvfdVnOqdLa
+R1K6skDZkO+PQYqSydf9erO6+YgEjJB0/uCMXgHDVsmO3uKLOTg=
+=IWDv
+-----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFyFXCQBEADengbfRCSixqjsBj7hnRsjDMihbgfolZe4asVd/JNh4xWqs5+z
+Q+vZUNwluJa6hYrgFW66xPfQeAbo11pS9r2RNkemLWi+8gf2vUwGlp8ZPXb/hYsR
+7URWJo+4GvfqH5RiTdLlJbPQnLSlCAMhwaAl1ko+p2zY/ImiAL+yaO8YYYN4sG31
++67gG3t7AnbH+QjeoEU8heg+fYBiQXSmJ3nTvmYB0lgY/Cybh2Fge90JIZWoeWGp
+fX1zhpCoJGXIW2GyOFQRMYQCbKqtrmicDkgQTocItDfUSwGBr4EFHM+mO0DwfZ8R
+Lq+hzkLdAyJwWGNmiHbk8zFIBnktenmgslkoawvNOkGIz7mL0wqkkw6FYCojSnuj
+ndlYg/XAKrr5RpSDwxwvzWhjyuA+0g2nXBFKWQ/SVZH5niXHTgXBjKfbXjF85eOu
+bVx+82T7KV+aSAr7d0vAbSQO/XK6YrcXTJXZZbjIo/1eauT/FPQCBAejgOAle9wq
+aN04IE5+XPnRkqe5jodDyf3c8hHRL0xWthtj0kupV/7VWNKBLlMESPVfSKN9kjkR
+aTO6dH8jM0K1QWo5/mzEHNv4O2j8kyHDKJdRi+8bJSRKpToFmaLSe5gSA8vp/Fwg
+rY/eLT/5GQ0XOkqtonLYkHbLu9m8H8IrYRgCBVuLCa3cEbYc0mktmm3ExQARAQAB
+tDVGUlJvdXRpbmcgRGViaWFuIFJlcG9zaXRvcnkgPGRldkBsaXN0cy5mcnJvdXRp
+bmcub3JnPokCTgQTAQgAOBYhBEpWx3OLs/gVlagF0qgydpkI8T7RBQJchVwkAhsB
+BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEKgydpkI8T7Rj20P/3Or3Vi/k6jj
+qb9hQKJgmX0taDG+FF1+X1WgmYOdW01jGK5jj1k3nKYQf4VGzR+eyUBTN54IpFsm
+aW5DwKoMLcaMQ7OAbl+AtpW700Q5hAtz4aWB5Stl7wyjVl600INES5DOuIuEmqB5
+60uUePNqF/+XKUgDgbQFc3E/Tb+c+Z7ADIhbIYPLUcSwJtRLhbnPGjt+pTLmPCO1
+i/NPRjzwzFgyHJaHqlGFNUUFfqHqGWXLxlO0A9m+r1gOiAevV3ZTzC2izkjOhJHT
+5XWFW7pS9jD78XgSN310glGYmWHZ0hxDgNR4V0oxOZCma1TDjfWVnUfK5pkm/78i
+qRHc8tjt+tor47iOsml4J95Qr5Qxvf+iDgThXcYMAVDRULITmiqZqA1pkheCBugl
+vQ7tvdjXf61ZxOZnDaqtLAHaSB/EynHaBaCzI2obQDHSgC1AU74f9SSN0j4HD01V
+McFh9H0YZeR0eo4I16HHYUcExQNWJGfeuAC1XBGiNixHXy4c1PdxPFGPDnFtH3sX
+2I5X4sKRVhZEbhRe111B93OFdkvWXmSyK6afu6qJBqB52zEe7F6UcNLP7ZnzafJV
+bTCSZeF3Nzt58byiO5jt7nj1wKxv9HpQVy2P7V0CXJB4EK42tGhejjEOY8FevWKF
+0OHX9RWKktlKAsLYFNPbHGPSo/ULj+sFuQINBFyI47kBEADLx3nZ+mFReBN4/E4C
+Gl+B8bKPJ+gaFSdcw8GWV2NFMlJvOqg7Fa4djrqGaOA2YomnNpddS62jAUNdlgDJ
+qRlZVK+Mqctdqgz7Gsuj4l7G/XjnUpQzPaEjxMXzCdFbP19lHa6GvyTgf1TewaNv
+uLBe+oaObdgiAXCUyS3RUtLc9L7KU2+BlnX2JKeQK5K7sRromFfPc27qN+hsWgpy
+xPvWYMGMHA0RjRwXOitjszXVZGUEPxwhX1kFOuFKnIcKG2jSbX/KLtcV1DNZro8s
+Q9hb2UZWZxrwVIIh8FTL8esf0zM64HLo1sZ6yUaVzzeETuWZFMMKaF1dn+KtmKkL
+KjgplRzJSE4QDP+48F6l9RCnrpIg33/rfN/M5Lbx5g2fhfT84+wQD6cKHypYfFng
+GJbmpUCgITcxGFmpetCTpYkxsVMzikudFe2YSJ7TO0aVBgiHfBoXU9g5AXuDYVKi
+8ZpaWcRSu4O0H58Kh/hk/8yiVa8e1nTMjsZuXMle8N52rF2G7vrMhva7uccgbbY+
+ZlOtWpZ7MJzIn/vKeWxXNDcvG7CVHn4BiSLXRcrNgw/I4UjhqpeRdx0l+j36HdDN
+0yaSZu6uP9SnsB5wkm1jN3uoNMFAdvpIqoaK9+2b5xKxLsNtE/R3anX9TlfFmeom
+k0JxrTsNqpRxBw5GylM96Bd9BQARAQABiQRsBBgBCAAgFiEESlbHc4uz+BWVqAXS
+qDJ2mQjxPtEFAlyI47kCGwICQAkQqDJ2mQjxPtHBdCAEGQEIAB0WIQSnzWQmxSYW
+E+lH68yjyrYexHux0AUCXIjjuQAKCRCjyrYexHux0J+TD/40x0L8vzP+k29NEreT
+N+k6889rCWMKAwmKWpgUN39nv9hZbSOFWDQs5Ttp+Rc+v7L5Pj4avJPzGnQieTMw
+7wKOu8ZUisBVzYfYsxlXlKsOLZrVlQpFJhWNFOBq0axYlP6vrslXkMPk+IPz8/FV
+USVByUHNNlIPmJU0WOIoLt+0YkqN1c1UCui/H6Z6IFpFIG8WLpgAtyKvqu8kdnEw
+JEqpp4dO/ainnF8fL8VuV1+cdbxRO0IsOJBqQ+M8LFI2ANJscW+l6sg9RX2ZSExQ
+Bm6dtPnsfP483SwH62PbaMP4lQ+Zpjl6ngoxv+S0RIDoW5Zl3zGe721NiLmz6Llz
+0Ghe3Jgnf1JHOlR893Hi8UkvvTbBLkR4fbvmbgHvhcNWCL2hGCsxDV002hI4OlYp
+px1gJ/HoU7lrrKQCzwTTxfQ1JiTMa+eiwY8xQGEfqUY83pWkx3wGUBa+W3GNlxD9
++pZIzmxtD4uylA9lwnw/GXV4RauDuHMwWuqAGtDEr9Y8nYHuxl5/KdYOCf98sOzv
+XU8btnxuGHrWb5OgRD21NeHa4zwYXIuYOQtYai6IboKdH70l8b3VX+xtu9Fwf/V4
+5EsipWedfA2S3CtKjP6Pv5C6NAVoAnXinqr1VAXMJT5PvXmx1mLP7Xms8o7O7xda
+rsERKxVtt+JjArArk/gpFXImPLArD/42ZChEpJgbjabTrd6saI4BOsKSARX36Cxe
+cjJuWNvddpsb9WgYXbXCSK5hOybFYLlbRmdFmz1VzVy5au+Bsbmy+jKqzgAM1sui
+wE6WyVIOdN3hTZ9W20Fb4pa6MWd8dpWBwi7g40oRvaoPpspcimpa6OCNktij9zrZ
+/hN49JYbLjA7V+rE+zWWz2m3Ecwn2A5LZdKbrI06uKFltTRUhMZ3HhwhKrNui/iN
+YpwDn662jJaTxJ8x/WQJP6ILKVi3wk0eGFBSapEUv+D51y1v0dRh/QOO98RnLQ/p
+T/4y7BPxEWLLNr53rPHOjd2ClhDNZ8+dFzYrOCs+1f+mpWf7yF9wHBs2hOhSZAMx
+34HshZVLGBtdfD/cb1MA5MnBdfJHHFjL6EiJOP30YKJsTEGgqpAyMtyZt5/MKEfj
+r0OV/La7s38fpcPlZplF2/eqgxt7WiQu5I6BUXJcSlGTe97Rq5Ba/tSHzUnK1FNr
+v/hfBSgtxmX2qT5ojMu+UiKtvJDeUAGFLAJcaaEv92frhLWHcXXpayUuk/wdU9Qg
+y8F+yFtYGY2lj0h9WCeKbYUAm1p7skW5v2nsMw6I3QOPFzQBzm1rFQ1vFJMaqFFC
+qvHJALsI0SmaI7ruXYrm7CNv6qJKo3URYGq27Tm9lhut8iWKsa1/NWW5LZxzt2mO
+egKcOCfAMg==
+=Lt8H
+-----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFyVPosBEADMyAbmmfo6x7e/dly+yQk1BuWUDbvMHFX9coCSItNxVvvIVzYJ
+Bw9pp4kJsTeqTI1cNQcCCjaeWbWevINCD5yFGN25xNPz2s1lgHCpJQzs/1qMKuE8
+vrHkEpJZTrdPSl8J8VdjQDCIh0NrLss1VzoPpFbm7lIkuN/6tl87hsyUyedd/0bY
+KkNVZfOW4UAjJFWQakofhTVifHqozb6wu+SYtPFnP/yBJdsYwrKlyyhR8hIIjyAK
+sxpKz6Dym6tHoDNLIcPy1Q3uNUaYdN2pXXRqzLTIKq7M7RhgY1W7QO7VFtkaG74j
+tmjbJYsX6nBGSlGE5cmlSz8N+D+uR/0NPMvgKOwI38joIT5/Sii/jgZUuX4Mz9Zk
+7Rh/C+P906dJpjbCbEPYSxVnZC4fHJZ0ezSEgrFKZ4QGoViNJEcc6jwNkgTM7jdz
+0e/xMKu4Ed30jLO7TvnwmcGWF/m2DZIgIMu9rhNHUaKeGRKo+Daf/x1naRbht/a/
+uSyukGJA5koipy8XxmJorx7MdIa9ekYPJaHM3eOcE1fxn7IcOwoqn0piB4lllq2r
+akLif195eFIcdI/cRfCX2fgQxBbgAAolUCqguJfus7cQCkn9Fr0cDgq7c0s0dQEw
+0kofqGUq6/fpdqxadRdPlYXS3BIvrWA99zOVCzxaccvKaMZxaKauc/rKbQARAQAB
+tDNKYWZhciBBbC1HaGFyYWliZWggKGxhdW5jaHBhZCkgPHRvLmphZmFyQGdtYWls
+LmNvbT6JAk4EEwEKADgWIQSpD8NtlClAl5jpwth03u1DqxlNvwUCXJU+iwIbAwUL
+CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRB03u1DqxlNv7w7D/90u8bETWZmzRZ7
+sRBfyN30YhXgvEJQCSKFgH1H5BS9H2W+VYQ8nmXpoVpsU5wLVosJ55WpO9oF7+6R
++wO2r3lo+vkqFzscYLfNd/KTo6r7kl7VTTN9bBCMgl7eFtmqSO90o5UCrNBHk2Ax
+fTBJX9TLGa4SLPhiTlz51XdyYls3yG/3yQ6de6K+jPjrQsP2VbBSHP9OA+MKRTr6
+ONDTyJJ7TEAuoX7W1NLMQYS0kdA1jjGvTKeyHkb8QqFDTM7RyRdczKBEwOXSi7DW
+8v3Ink+7CgKGGLnOo3lXlm7q516Z9JMJ5BJtFkTx6Bo9iSAK4jSBiC5Zlta6CtP7
+lLwq/eOut/y9VoDXsdVkQl3UdTrB5b/4MZHL4Z6ykN1dv56XzjdnIl/nM7azwrTW
+N9tBDhjrYvKvscSI2l8TGdAseb4ftovHwIBFjNIlI6TYVEUR93ZEGPZCmuYeVSJe
+MWStJuLDa+bbbr2/OLvHsjyWB0/5LJNsHHfMCKLZTP8jeNVcHAJi7P+iNPPLp57C
+N2NEmyuJwgxFN/5cHlZzkg0QQgSaTm/tsft0jFJh4s0kO6L5NZ9ACP2JC9wfaBmt
+QFwdl+Tc5/Jf6pTnnMzeHuSiVWvG4jB3EVr47dWD7p5ekP+O0cG0Rnm2rf66M+fo
+z88Ga0gduOhxfdRn1qT3smK3hgyv2bkCDQRclT6LARAA8xTr8yu7ab6f4NAeMnTL
+4mjjYoYVXBMd4qT/cdtkSFoCdOl+MwcEZmDrq1HzT5CVXo9hPEcI7iuyXiejoMhB
+GFfvdY0Pcg5yMoUL57kE3XBoz9C8TEal1loSfTJ4IRou2VpY2sruaKgxO7PvmyQM
+D8mk4Sgyewn6VkcQx4dGwQrN2VU8mwFqp4GnEm7DgVJKqFRD43hCFoncNYaSOc52
+vf/EEU6VYxPWi01nZoRiNp8tXt+dYk5yb6fEhDsH9YYk51bgiiiGNoQw/zC1w2ek
+zPqJH/Y0BzoODbJ59vqc2jCuzGII4tFkijYbBTcCk1b7/yvQgwLdBpOTrrHcNolh
+plr7zHcB8TOc3aYrJ8TkwgP80uK85vlAIzB9AkZ/9Gn2K08b5eVC9cvMm0idwFkg
+0fHY+v2aDesA4lv1UtTsQVmrqnx1zaCjwH9tu73GTGXX40guYpbatPu3HDog/QkV
+fykVI5B2+vMixFCzudMKg80K+H7QI3uc1efqEmMRKjQU2rKXTNo/lASWjQMNfbWt
+JvEsLuLPc909OFhBfoX6GR7pmbKn3MCrTpLVeUkmp0EjcqYaDZXHnzKZQjjNjOKm
+6J69G3Ro6Abs7tRpnqOLTLZ5DKWBYidc3/fp/BF+CpeHdZlstLUazQ56ti9GshPf
+W4+6TRg2gt1leeXRU18jQz0AEQEAAYkCNgQYAQoAIBYhBKkPw22UKUCXmOnC2HTe
+7UOrGU2/BQJclT6LAhsMAAoJEHTe7UOrGU2/kToP/il4dvWMMJS4pgXuDPcwTaYc
+e8T9a8Uf0B2BOOKJgLZk2kvI21bwHnGxXc3zuUHCzZ81Y89/IpX+s37J+frvLbqd
+xOfE39+5plK9BDn7G9UsTzg7mXuGWpMQA6Mvki4LslY/qCfUqzVeFPNZquH4Emxr
+z1u0SldhaqctrkKwW1teTTmqbCtGrRpb0v8x42TBw+WvBJopelpgtdy3TnRbKk86
+NkiiPFVRnfC0RjyMlLxa095t5s8irrqjnAAKMvwKiuzt97CQ/U68WbsOYLyv42PT
+ClfbbFJw6ghTZ7SRxiGwUVz7EwQ31MsiffmyJKRca81yqSQfrPS4MkEXChZBt8wF
+C1IhG9I9zbHKt9saXWPYCbL8Zs2x3c1md62dl4mrH/VwLV9T+7PaJCM8qrFtkWlu
+cYntgBhLW1KY9dWkCtZ7ML70n8FyIyHMD35mZb3lw+c1dBusuwGwZLSksH9ucOQz
+Zh3+rlZ8PkYXXosKTkp9qBDVoSgNU5AH8F+K/Uw1uVm+JqqFP/ieQQydS8wAVYAv
+ax/ZP+wTHhLvmHUoI70K51osk+sLcFh+h9L6sK+kq9i2mrJs/d2Sk6jau96RJCFe
+pHI+29yZoK5ZpOkvFAFvbNXMFd2sn5O60y9LAvr9u2QRNlTvmQ7B1o2/US62SoD4
+HGxIKIAggOUujclydhvu
+=+/L/
+-----END PGP PUBLIC KEY BLOCK-----

roles/ipv6_edge_router/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart frr
+  service:
+    name: frr
+    state: restarted

roles/ipv6_edge_router/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+- name: install GPG
+  apt:
+    name: gnupg
+
+- name: Add FRR repo key
+  apt_key:
+    data: "{{ lookup('file', 'frr-apt-key.asc') }}"
+    state: present
+
+- name: Add FRR apt repository
+  apt_repository:
+    repo: deb https://deb.frrouting.org/frr buster frr-stable
+    state: present
+  notify: restart frr
+
+- name: Install frr
+  apt:
+    name: frr
+
+- name: setup frr daemons
+  template:
+    src: daemons.j2
+    dest: /etc/frr/daemons
+    mode: 0644
+  notify: restart frr
+
+- name: setup frr.conf
+  template:
+    src: frr.conf.j2
+    dest: /etc/frr/frr.conf
+    mode: 0644
+  notify: restart frr
+
+- name: enable+start frr
+  service:
+    name: frr
+    state: started
+    enabled: true

roles/ipv6_edge_router/templates/daemons.j2

@@ -0,0 +1,67 @@
+# This file tells the frr package which daemons to start.
+#
+# Sample configurations for these daemons can be found in
+# /usr/share/doc/frr/examples/.
+#
+# ATTENTION:
+#
+# When activation a daemon at the first time, a config file, even if it is
+# empty, has to be present *and* be owned by the user and group "frr", else
+# the daemon will not be started by /etc/init.d/frr. The permissions should
+# be u=rw,g=r,o=.
+# When using "vtysh" such a config file is also needed. It should be owned by
+# group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too.
+#
+# The watchfrr and zebra daemons are always started.
+#
+{% if 'backup' in inventory_hostname %}
+bgpd=no
+{% else %}
+bgpd=yes
+{% endif %}
+ospfd=no
+ospf6d=no
+ripd=no
+ripngd=no
+isisd=no
+pimd=no
+ldpd=no
+nhrpd=no
+eigrpd=no
+babeld=no
+sharpd=no
+pbrd=no
+bfdd=no
+
+#
+# If this option is set the /etc/init.d/frr script automatically loads
+# the config via "vtysh -b" when the servers are started.
+# Check /etc/pam.d/frr if you intend to use "vtysh"!
+#
+vtysh_enable=yes
+zebra_options="  -A 127.0.0.1 -s 90000000"
+bgpd_options="   -A 127.0.0.1"
+ospfd_options="  -A 127.0.0.1"
+ospf6d_options=" -A ::1"
+ripd_options="   -A 127.0.0.1"
+ripngd_options=" -A ::1"
+isisd_options="  -A 127.0.0.1"
+pimd_options="   -A 127.0.0.1"
+ldpd_options="   -A 127.0.0.1"
+nhrpd_options="  -A 127.0.0.1"
+eigrpd_options=" -A 127.0.0.1"
+babeld_options=" -A 127.0.0.1"
+sharpd_options=" -A 127.0.0.1"
+pbrd_options="   -A 127.0.0.1"
+staticd_options="-A 127.0.0.1"
+bfdd_options="   -A 127.0.0.1"
+
+# The list of daemons to watch is automatically generated by the init script.
+#watchfrr_options=""
+
+# for debugging purposes, you can specify a "wrap" command to start instead
+# of starting the daemon directly, e.g. to use valgrind on ospfd:
+#   ospfd_wrap="/usr/bin/valgrind"
+# or you can use "all_wrap" for all daemons, e.g. to use perf record:
+#   all_wrap="/usr/bin/perf record --call-graph -"
+# the normal daemon command is added to this at the end.

roles/ipv6_edge_router/templates/frr.conf.j2

@@ -0,0 +1,24 @@
+log syslog informational
+log stdout
+
+hostname routeur-aurore
+password Tux
+enable password Tux
+
+interface lo
+line vty
+
+
+# Aurore AS.
+router bgp 43619
+  #no synchronization
+  bgp router-id 45.66.111.254
+
+  # Remote-AS: Zayo.
+  neighbor 2001:1b48:2:103::d7:1 remote-as 8218
+  address-family ipv6
+    network 2a09:6840::/29
+    neighbor 2001:1b48:2:103::d7:1 activate
+  exit-address-family
+!
+

roles/isc_dhcp_server/handlers/main.yml

@@ -0,0 +1,14 @@
+---
+- name: force run dhcp re2o-service
+  shell: /var/local/re2o-services/dhcp/main.py --force
+  become_user: re2o-services
+
+- name: restart dhcpd
+  systemd:
+    state: restarted
+    name: isc-dhcp-server
+
+- name: restart rsyslog
+  systemd:
+    name: rsyslog
+    state: restarted

roles/isc_dhcp_server/tasks/main.yml

@@ -0,0 +1,110 @@
+---
+- name: Install dhcp (re2o-service)
+  import_role:
+    name: re2o-service
+  vars:
+    service_repo: https://gitlab.federez.net/re2o/dhcp.git
+    service_name: dhcp
+    service_version: master
+    service_config:
+      hostname: re2o.auro.re
+      username: service-user
+      password: "{{ vault_serviceuser_passwd }}"
+
+- name: Ensure appropriate permissions on dhcp re2o service
+  file:
+    path: /var/local/re2o-services/dhcp/
+    state: directory
+    owner: re2o-services
+    group: nogroup
+    recurse: yes
+
+- name: Install isc-dhcp-server
+  apt:
+    update_cache: true
+    name: isc-dhcp-server
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+  notify: restart dhcpd
+
+- name: Ensure dhcp log directory exists
+  file:
+    path: /var/log/dhcp
+    owner: root
+    group: root
+    mode: u=rwx,g=rx,a=rx
+    state: directory
+
+- name: Ensure rsyslog knows where to send dhcp logs
+  lineinfile:
+    path: /etc/rsyslog.conf
+    line: "local7.* /var/log/dhcp/dhcpd.log"
+  notify: restart rsyslog
+
+- name: Configure dhcp log rotation
+  template:
+    src: logrotate.d/dhcp.j2
+    dest: /etc/logrotate.d/dhcp
+    mode: 0644
+
+- name: set up cron to reload dhcp re2o service
+  cron:
+    # Do not change this name or idempotence *might* be lost.
+    name: dhcp-re2o-service
+    cron_file: re2o-services
+    minute: "*/2"
+    hour: "*"
+    day: "*"
+    weekday: "*"
+    month: "*"
+    user: root
+    job: "/usr/bin/python3 /var/local/re2o-services/dhcp/main.py"
+
+- name: Configure /etc/default/isc-dhcp-server
+  template:
+    src: default/isc-dhcp-server.j2
+    dest: /etc/default/isc-dhcp-server
+    mode: 0644
+  notify: restart dhcpd
+
+- name: Configure dhcp-failover.conf
+  template:
+    src: dhcp/dhcp-failover.conf.j2
+    dest: /etc/dhcp/dhcp-failover.conf
+    mode: 0600
+  when: dhcp_failover_enabled
+  notify: restart dhcpd
+
+- name: Configure dhcpd.conf
+  template:
+    src: dhcp/dhcpd.conf.j2
+    dest: /etc/dhcp/dhcpd.conf
+    mode: 0600
+  notify: restart dhcpd
+
+- name: Configure subnets.conf (regular service)
+  template:
+    src: dhcp/regular-subnets.conf.j2
+    dest: /etc/dhcp/subnets.conf
+    mode: 0600
+  notify: restart dhcpd
+  when: not is_aurore_host
+
+- name: Configure subnets.conf (aurore service)
+  template:
+    src: dhcp/aurore-subnets.conf.j2
+    dest: /etc/dhcp/subnets.conf
+    mode: 0600
+  notify: restart dhcpd
+  when: is_aurore_host
+
+- name: force run dhcp re2o-service
+  shell: /var/local/re2o-services/dhcp/main.py --force
+
+- name: Ensure dhcpd is running
+  service:
+    name: isc-dhcp-server
+    state: started
+    enabled: true

roles/isc_dhcp_server/templates/default/isc-dhcp-server.j2

@@ -0,0 +1,24 @@
+# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
+
+# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
+#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
+#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
+
+# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
+#DHCPDv4_PID=/var/run/dhcpd.pid
+#DHCPDv6_PID=/var/run/dhcpd6.pid
+
+# Additional options to start dhcpd with.
+#	Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
+#OPTIONS=""
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+#	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+
+{% if is_aurore_host %}
+INTERFACESv4="ens19"
+INTERFACESv6=""
+{% else %}
+INTERFACESv4="ens19 ens20 ens21 ens22 ens23"
+INTERFACESv6=""
+{% endif %}

roles/isc_dhcp_server/templates/dhcp/aurore-subnets.conf.j2

@@ -0,0 +1,12 @@
+subnet 45.66.110.0 netmask 255.255.255.0 {
+       interface "ens19";
+       option subnet-mask 255.255.255.0;
+       option broadcast-address 45.66.110.255;
+       option routers 45.66.110.{{ router_ip_suffix }};
+       option domain-name-servers 45.66.110.{{ dns_host_suffix_main }}, {{ backup_dns_servers|join(', ') }};
+       option domain-name "adh.auro.re";
+       option domain-search "adh.auro.re";
+       include "/var/local/re2o-services/dhcp/generated/dhcp.adh.auro.re.list";
+
+       deny unknown-clients;
+}

roles/isc_dhcp_server/templates/dhcp/dhcp-failover.conf.j2

@@ -0,0 +1,31 @@
+failover peer "dhcp-failover" {
+{% if inventory_hostname == dhcp_failover.primary_host %}
+                primary;
+
+                # MCLT = Maximum Client Lead Time.
+                # Must be specified on the primary, forbidden on the secondary.
+                mclt 3600;
+
+                # Address or DNS name on which this node listens for connections
+                # from its failover peer.
+                address {{ dhcp_failover.primary_host }};
+                peer address {{ dhcp_failover.secondary_host }};
+
+                # Load balancing.
+                split 128;
+{% endif %}
+{% if inventory_hostname == dhcp_failover.secondary_host %}
+                secondary;
+                # Address and peer address are reversed on the secondary node.
+                address {{ dhcp_failover.secondary_host }};
+                peer address {{ dhcp_failover.primary_host }};
+{% endif %}
+
+                # The following options can be shared between primary and
+                # secondary failover peers.
+                port 647;
+                peer port 647;
+                max-response-delay 30;
+                max-unacked-updates 10;
+                load balance max seconds 3;
+}

roles/isc_dhcp_server/templates/dhcp/dhcpd.conf.j2

@@ -0,0 +1,25 @@
+default-lease-time 86400;
+max-lease-time 86400;
+
+# Option definitions common to all supported networks.
+
+option interface-mtu {{ mtu }};
+option root-path "/";
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style none;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+authoritative;
+
+log-facility local7;
+
+{% if dhcp_failover_enabled %}
+include "/etc/dhcp/dhcp-failover.conf";
+{% endif %}
+
+include "/etc/dhcp/subnets.conf";

roles/isc_dhcp_server/templates/dhcp/regular-subnets.conf.j2

@@ -0,0 +1,94 @@
+# Bornes WiFi
+subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 {
+       interface "ens19";
+       option subnet-mask 255.255.0.0;
+       option broadcast-address 10.{{ subnet_ids.ap }}.255.255;
+       option routers 10.{{ subnet_ids.ap }}.0.250;
+       option domain-name "borne.auro.re";
+       option domain-search "borne.auro.re";
+
+       option domain-name-servers 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
+       include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list";
+
+       deny unknown-clients;
+}
+
+# Users filaire
+subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 {
+       interface "ens20";
+       option subnet-mask 255.255.0.0;
+       option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255;
+       option routers 10.{{ subnet_ids.users_wired }}.0.{{ router_ip_suffix }};
+       option domain-name "fil.{{ apartment_block_dhcp }}.auro.re";
+       option domain-search "auro.re";
+
+       option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
+
+       include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block_dhcp }}.auro.re.list";
+
+       deny unknown-clients;
+}
+
+
+# Users WiFi
+subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 {
+       interface "ens21";
+       option subnet-mask 255.255.0.0;
+       option broadcast-address 10.{{ subnet_ids.users_wifi }}.255.255;
+       option routers 10.{{ subnet_ids.users_wifi }}.0.{{ router_ip_suffix }};
+       option domain-name "wifi.{{ apartment_block_dhcp }}.auro.re";
+       option domain-search "auro.re";
+
+       option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
+
+       include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block_dhcp }}.auro.re.list";
+
+       pool {
+            range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wifi }}.10.255;
+
+{% if dhcp_failover is defined %}
+            failover peer "dhcp-failover";
+{% endif %}
+       }
+}
+
+# Banni
+subnet 10.{{ subnet_ids.users_banni }}.0.0 netmask 255.255.0.0 {
+       interface "ens22";
+       option subnet-mask 255.255.0.0;
+       option broadcast-address 10.{{ subnet_ids.users_banni }}.255.255;
+       option routers 10.{{ subnet_ids.users_banni }}.0.{{ router_ip_suffix }};
+       option domain-name "banni.{{ apartment_block_dhcp }}.auro.re";
+       option domain-search "auro.re";
+
+       option domain-name-servers 10.{{ subnet_ids.users_banni }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_banni }}.0.{{ dns_host_suffix_backup }};
+
+       pool {
+            range 10.{{ subnet_ids.users_banni }}.1.0 10.{{ subnet_ids.users_banni }}.2.255;
+
+{% if dhcp_failover is defined %}
+            failover peer "dhcp-failover";
+{% endif %}
+       }
+}
+
+
+# Accueil
+subnet 10.{{ subnet_ids.users_accueil }}.0.0 netmask 255.255.0.0 {
+       interface "ens23";
+       option subnet-mask 255.255.0.0;
+       option broadcast-address 10.{{ subnet_ids.users_accueil }}.255.255;
+       option routers 10.{{ subnet_ids.users_accueil }}.0.{{ router_ip_suffix }};
+       option domain-name "accueil.{{ apartment_block_dhcp }}.auro.re";
+       option domain-search "auro.re";
+
+       option domain-name-servers 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix_backup }};
+
+       pool {
+            range 10.{{ subnet_ids.users_accueil }}.1.0 10.{{ subnet_ids.users_accueil }}.2.255;
+
+{% if dhcp_failover is defined %}
+            failover peer "dhcp-failover";
+{% endif %}
+       }
+}

roles/isc_dhcp_server/templates/logrotate.d/dhcp.j2

@@ -0,0 +1,11 @@
+/var/log/dhcp/dhcpd.log {
+    # common options
+    daily
+    rotate 365
+    missingok
+    compress
+    delaycompress
+    notifempty
+
+    copytruncate
+}

roles/isc_dhcp_server/vars/main.yml

@@ -0,0 +1,4 @@
+---
+dhcp_failover:
+  primary_host: dhcp-{{ apartment_block }}.adm.auro.re
+  secondary_host: dhcp-{{ apartment_block }}-backup.adm.auro.re

roles/ldap-client/tasks/0_install_ldap.yml

@@ -1,40 +0,0 @@
----
-# Install LDAP client packages
-- name: Install LDAP client packages
-  apt:
-    name: "{{ item }}"
-    state: present
-    update_cache: true
-  with_items:
-    - nslcd
-    - libnss-ldapd
-    - libpam-ldapd
-
-# Reduce LDAP load
-# For the moment it is broken on Stretch when using PHP7.3
-# - name: Install LDAP cache package
-#   apt:
-#     name: nscd
-#     state: present
-#     update_cache: true
-
-# Configure /etc/nslcd.conf
-- name: Configure nslcd LDAP credentials
-  template:
-    src: nslcd.conf.j2
-    dest: /etc/nslcd.conf
-    mode: 0600
-  notify: Restart nslcd service
-
-# Configure /etc/nsswitch.conf
-- name: Configure NSS to use LDAP
-  lineinfile:
-    dest: /etc/nsswitch.conf
-    regexp: "^{{ item.key }}:"
-    line: "{{ item.value }}"
-  with_dict:
-    passwd: 'passwd:         files ldap'
-    group: 'group:          files ldap'
-    shadow: 'shadow:         files ldap'
-    sudoers: 'sudoers:        files ldap'
-  notify: Restart nslcd service

roles/ldap-client/tasks/1_group_security.yml

@@ -1,20 +0,0 @@
----
-# Filter SSH on groups
-- name: Filter SSH on groups
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    regexp: '^AllowGroups'
-    line: "AllowGroups root sudoldap aurore ssh"
-
-# To gain root access with ldap rights
-- name: Install SUDO package
-  package:
-    name: sudo
-    state: present
-
-# Set sudo group
-- name: Configure sudoers
-  lineinfile:
-    dest: /etc/sudoers
-    regexp: "^%{{ sudo_group }}"
-    line: "%{{ sudo_group }}	ALL=(ALL:ALL) ALL"

roles/ldap-client/templates/nslcd.conf.j2

@@ -1,38 +0,0 @@
-# {{ ansible_managed }}
-
-# The user and group nslcd should run as.
-uid nslcd
-gid nslcd
-
-# The location at which the LDAP server(s) should be reachable.
-{% if ldap_local_replica_uri is defined %}
-{% for uri in ldap_local_replica_uri %}
-uri {{ uri }}
-{% endfor %}
-{% endif %}
-uri {{ ldap_master_uri }}
-
-# The search base that will be used for all queries.
-base {{ ldap_base }}
-base passwd cn=Utilisateurs,{{ ldap_base }}
-base shadow cn=Utilisateurs,{{ ldap_base }}
-base group ou=posix,ou=groups,{{ ldap_base }}
-
-# The LDAP protocol version to use.
-ldap_version 3
-
-# The DN to bind with for normal lookups.
-binddn {{ ldap_nslcd_bind_dn }}
-bindpw {{ ldap_nslcd_passwd }}
-
-# The DN used for password modifications by root.
-#rootpwmoddn cn=admin,dc=example,dc=com
-
-# SSL options
-#ssl off
-#tls_reqcert never
-tls_cacertfile /etc/ssl/certs/ca-certificates.crt
-
-# The search scope.
-#scope sub
-

roles/ldap_client/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Reconfigure libnss-ldapd package
-  command: 'dpkg-reconfigure libnss-ldapd -f noninteractive'
+  command: dpkg-reconfigure libnss-ldapd -f noninteractive
 
 - name: Restart nslcd service
   service:

roles/ldap_client/tasks/1_group_security.yml

@@ -0,0 +1,37 @@
+---
+# Filter SSH on groups
+- name: Filter SSH on groups
+  when: ansible_facts['hostname'] != "camelot"  # Camelot is accessible for everyone
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: ^AllowGroups
+    line: AllowGroups root sudoldap aurore ssh
+    state: present
+
+# To gain root access with ldap rights
+- name: Install SUDO package
+  package:
+    name: sudo
+    state: present
+  register: package_result
+  retries: 3
+  until: package_result is succeeded
+
+# Set sudo group
+- name: Configure sudoers sudo group
+  lineinfile:
+    dest: /etc/sudoers
+    regexp: ^%{{ sudo_group }}
+    line: "%{{ sudo_group }} ALL=(ALL:ALL) ALL"
+    state: present
+    validate: /usr/sbin/visudo -cf %s
+
+# Set sudo location group
+- name: Configure sudoers sudo location group
+  lineinfile:
+    dest: /etc/sudoers
+    regexp: ^%{{ sudo_group_location }}
+    line: "%{{ sudo_group_location }} ALL=(ALL:ALL) ALL"
+    state: present
+    validate: /usr/sbin/visudo -cf %s
+  when: sudo_group_location is defined

roles/ldap_client/tasks/2_userland_scripts.yml

@@ -3,9 +3,9 @@
 - name: Copy passwd and chsh scripts
   template:
     src: "{{ item }}.j2"
-    dest: "/usr/local/bin/{{ item }}"
+    dest: /usr/local/bin/{{ item }}
     mode: 0755
-  with_items:
+  loop:
     - chsh
     - passwd
 

roles/ldap_client/tasks/install_ldap.yml

@@ -0,0 +1,34 @@
+---
+# Install LDAP client packages
+- name: Install LDAP client packages
+  apt:
+    update_cache: true
+    name:
+      - nslcd
+      - libnss-ldapd
+      - libpam-ldapd
+      - nscd  # local cache
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+# Configure /etc/nslcd.conf
+- name: Configure nslcd LDAP credentials
+  template:
+    src: nslcd.conf.j2
+    dest: /etc/nslcd.conf
+    mode: 0600
+  notify: Restart nslcd service
+
+# Configure /etc/nsswitch.conf
+- name: Configure NSS to use LDAP
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    regexp: "^{{ item }}:"
+    line: "{{ item }}:         files ldap systemd"
+  loop:
+    - passwd
+    - group
+    - shadow
+  notify: Restart nslcd service

roles/ldap_client/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 # Install and configure main LDAP tools
-- include_tasks: 0_install_ldap.yml
+- include_tasks: install_ldap.yml
 
 # Filter who can access server and sudo on groups
 - include_tasks: 1_group_security.yml

roles/ldap_client/templates/nslcd.conf.j2

@@ -0,0 +1,62 @@
+# {{ ansible_managed }}
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+{% if 'fleming_vm' in group_names or 'fleming_pve' in group_names %}
+{% for uri in groups['ldap_replica_fleming'] %}
+uri ldap://{{ uri }}
+{% endfor %}
+{% endif %}
+{% if 'rives_vm' in group_names or 'rives_pve' in group_names %}
+{% for uri in groups['ldap_replica_rives'] %}
+uri ldap://{{ uri }}
+{% endfor %}
+{% endif %}
+{% if 'pacaterie_vm' in group_names or 'pacaterie_pve' in group_names %}
+{% for uri in groups['ldap_replica_pacaterie'] %}
+uri ldap://{{ uri }}
+{% endfor %}
+{% endif %}
+{% if 'edc_vm' in group_names or 'edc_pve' in group_names or 'edc_server' in group_names %}
+{% for uri in groups['ldap_replica_edc'] %}
+uri ldap://{{ uri }}
+{% endfor %}
+{% endif %}
+{% if 'gs_vm' in group_names or 'gs_pve' in group_names %}
+{% for uri in groups['ldap_replica_gs'] %}
+uri ldap://{{ uri }}
+{% endfor %}
+{% endif %}
+{% if 'ovh_vm' in group_names or 'ovh_container' in group_names or 'ovh_pve' in group_names %}
+{% for uri in groups['ldap_replica_ovh'] %}
+uri ldap://{{ uri }}
+{% endfor %}
+{% endif %}
+uri {{ ldap_master_uri }}
+
+# The search base that will be used for all queries.
+base {{ ldap_base }}
+base passwd cn=Utilisateurs,{{ ldap_base }}
+base shadow cn=Utilisateurs,{{ ldap_base }}
+base group ou=posix,ou=groups,{{ ldap_base }}
+
+# The LDAP protocol version to use.
+ldap_version 3
+
+# The DN to bind with for normal lookups.
+binddn {{ ldap_nslcd_bind_dn }}
+bindpw {{ ldap_nslcd_passwd }}
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+#tls_reqcert never
+tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+
+# The search scope.
+#scope sub

roles/ldap_replica/tasks/main.yml

@@ -5,6 +5,9 @@
     name: slapd
     state: present
     update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
 
 # What is written after is really not a nice way to install a schema
 # because the LDAP is being flushed away always...
@@ -25,22 +28,27 @@
 
 # Cry a bit
 - name: Remove old data
-  file: path={{ item }} state=absent
+  file:
-  with_items:
+    path: "{{ item }}"
+    state: absent
+  loop:
     - /etc/ldap/slapd.d
     - /var/lib/ldap
 
 # Cry a lot
 - name: Recreate structure
-  file: path={{ item }} state=directory
+  file:
-  with_items:
+    path: "{{ item }}"
+    state: directory
+    mode: 0755
+  loop:
     - /etc/ldap/slapd.d
     - /var/lib/ldap
 
 # Install schema as root
 # We can't do a `become_user` here
 - name: Install LDAP schema
-  command: 'slapadd -n 0 -l /etc/ldap/schema.ldiff -F /etc/ldap/slapd.d'
+  command: slapadd -n 0 -l /etc/ldap/schema.ldiff -F /etc/ldap/slapd.d
 
 # then fix permissions
 - name: Fix permissions
@@ -48,11 +56,13 @@
     path: "{{ item }}"
     owner: openldap
     group: openldap
-    recurse: yes
+    recurse: true
-  with_items:
+  loop:
-    - '/var/lib/ldap'
+    - /var/lib/ldap
-    - '/etc/ldap/slapd.d'
+    - /etc/ldap/slapd.d
 
 # Save the day
 - name: Start LDAP server
-  service: name=slapd state=started
+  service:
+    name: slapd
+    state: started

roles/matrix-mxisd/handlers/main.yml

@@ -1,6 +0,0 @@
----
-# Restart mxisd when configuration changes
-- name: Restart mxisd service
-  service:
-    name: mxisd
-    state: restarted

roles/matrix-mxisd/tasks/main.yml

@@ -1,12 +0,0 @@
----
-- name: Install mxisd
-  apt:
-    deb: https://github.com/kamax-matrix/mxisd/releases/download/v{{ mxisd_version }}/mxisd_{{ mxisd_version }}_all.deb
-
-- name: Configure mxisd
-  template:
-    src: mxisd/mxisd.yaml.j2
-    dest: /etc/mxisd/mxisd.yaml
-    mode: 0600
-    owner: mxisd
-  notify: Restart mxisd service

roles/matrix-mxisd/templates/mxisd/mxisd.yaml.j2

@@ -1,89 +0,0 @@
-# {{ ansible_managed }}
-
-#######################
-# Matrix config items #
-#######################
-# Matrix domain, same as 'server_name' in synapse configuration.
-matrix:
-  domain: 'auro.re'
-
-
-################
-# Signing keys #
-################
-# Absolute path for the Identity Server signing keys database.
-# /!\ THIS MUST **NOT** BE YOUR HOMESERVER KEYS FILE /!\
-# If this path does not exist, it will be auto-generated.
-key:
-  path: '/var/lib/mxisd/keys'
-
-
-# Path to the SQLite DB file for mxisd internal storage
-# /!\ THIS MUST **NOT** BE YOUR HOMESERVER DATABASE /!\
-storage:
-  provider:
-    sqlite:
-      database: '/var/lib/mxisd/store.db'
-
-
-###################
-# Identity Stores #
-###################
-ldap:
-  enabled: true
-  connection:
-    host: '{{ ldap_master_ipv4 }}'
-    port: 389
-    bindDn: '{{ ldap_matrix_bind_dn }}'
-    bindPassword: '{{ ldap_matrix_password }}'
-    baseDNs:
-      - '{{ ldap_user_tree }}'
-  attribute:
-    uid:
-      type: 'uid'
-      value: 'uid'
-    name: 'uid'
-
-
-#################################################
-# Notifications for invites/addition to profile #
-#################################################
-# This is mandatory to deal with anything e-mail related.
-#
-# For an introduction to sessions, invites and 3PIDs in general,
-# see https://github.com/kamax-matrix/mxisd/blob/master/docs/threepids/session/session.md#3pid-sessions
-#
-# If you would like to change the content of the notifications,
-# see https://github.com/kamax-matrix/mxisd/blob/master/docs/threepids/notification/template-generator.md
-#
-#### E-mail connector
-threepid:
-  medium:
-    email:
-      identity:
-        # The e-mail to send as.
-        from: "matrix@auro.re"
-
-      connectors:
-        smtp:
-          # SMTP host
-          host: "smtp.crans.org"
-
-          # SMTP port
-          port: 587
-
-          # STARTLS mode for the connection.
-          # SSL/TLS is currently not supported. See https://github.com/kamax-matrix/mxisd/issues/125
-          #
-          # Possible values:
-          #  0    Disable any kind of TLS entirely
-          #  1    Enable STARTLS if supported by server (default)
-          #  2    Force STARTLS and fail if not available
-          #
-          tls: 1
-
-          # Login for SMTP
-          login: "matrix@auro.re"
-
-          # Password for the account
-          password: ""

roles/matrix-riot/handlers/main.yml

@@ -1,6 +0,0 @@
----
-# Reload the NGINX service
-- name: Reload NGINX service
-  service:
-    name: nginx
-    state: reloaded

roles/matrix-riot/tasks/main.yml

@@ -1,51 +0,0 @@
----
-# Install HTTPS support for APT
-- name: Install apt-transport-https
-  apt:
-    name: apt-transport-https
-    update_cache: true
-
-# Add the repository into source list
-- name: Configure riot repository
-  apt_repository:
-    repo: "deb https://riot.im/packages/debian/ {{ ansible_distribution_release }} main"
-
-# Add the key
-- name: Configure the apt key
-  apt_key:
-    url: https://riot.im/packages/debian/repo-key.asc
-    id: E019645248E8F4A1
-
-# Install riot
-- name: Install riot-web
-  apt:
-    name: riot-web
-    update_cache: true
-
-# Install nginx
-- name: Install nginx
-  apt:
-    name: nginx
-
-# Configure nginx
-- name: Configure nginx
-  template:
-    src: nginx-riot.j2
-    dest: /etc/nginx/sites-available/riot
-    mode: 0644
-  notify: Reload NGINX service
-
-# Desactive useless nginx sites
-- name: Deactivate the default NGINX site
-  file:
-    path: /etc/nginx/sites-enabled/default
-    state: absent
-  notify: Reload NGINX service
-
-# Activate sites
-- name: Activate sites
-  file:
-    src: /etc/nginx/sites-available/riot
-    dest: /etc/nginx/sites-enabled/riot
-    state: link
-  notify: Reload NGINX service

roles/matrix-riot/templates/nginx-riot.j2

@@ -1,20 +0,0 @@
-# {{ ansible_managed }}
-
-server {
-        listen 80;
-        listen [::]:80;
-
-        root /opt/Riot/resources/webapp/;
-        index index.html;
-
-        access_log /var/log/nginx/riot-access.log;
-        error_log /var/log/nginx/riot-errors.log;
-
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header X-Frame-Options "SAMEORIGIN" always;
-
-        location / {
-                try_files $uri $uri/ =404;
-        }
-}

roles/matrix-synapse/templates/matrix-synapse/conf.d/password_providers.yaml.j2

@@ -1,5 +0,0 @@
-# {{ ansible_managed }}
-password_providers:
-  - module: "rest_auth_provider.RestAuthProvider"
-    config:
-      endpoint: "http://127.0.0.1:8090"

roles/matrix_appservice_irc/defaults/main.yml

@@ -0,0 +1,15 @@
+---
+# service_name is the name of the project on GitHub
+service_name: matrix-appservice-irc
+
+# URL to clone
+service_repo: https://github.com/matrix-org/matrix-appservice-irc.git
+
+# name of the service user
+# It means that you will have to `sudo -u THISUSER zsh` to debug
+service_user: "{{ service_name }}"
+service_homedir: "/var/local/{{ service_name }}"
+
+# service_path is where the project is cloned
+# It can't be the home directory because of user hidden files.
+service_path: "{{ service_homedir }}/{{ service_name }}"

roles/matrix_appservice_irc/tasks/main.yml

@@ -0,0 +1,60 @@
+---
+# Create service user
+- include_tasks: service_user.yml
+
+- name: "Clone {{ service_name }} project"
+  git:
+    repo: "{{ service_repo }}"
+    dest: "{{ service_path }}"
+    version: 0.11.2
+  become: true
+  become_user: "{{ service_user }}"
+
+# Setup dependencies
+- name: "Install {{ service_name }} dependencies"
+  npm:
+    path: "{{ service_path }}"
+    production: true
+  become: true
+  become_user: "{{ service_user }}"
+  register: npm_result
+  retries: 3
+  until: npm_result is succeeded
+
+- name: "Configure {{ service_name }}"
+  template:
+    src: config.yaml.j2
+    dest: "{{ service_path }}/config.yaml"
+    owner: "{{ service_user }}"
+    group: nogroup
+    mode: 0600
+
+# Service file
+- name: "Install {{ service_name }} systemd unit"
+  template:
+    src: systemd/appservice.service.j2
+    dest: "/etc/systemd/system/{{ service_name }}.service"
+    owner: root
+    group: root
+    mode: 0644
+
+# TODO generate registration
+# node app.js -r -f irc-registration.yaml \
+# -u "http://localhost:9999" -c config.yaml -l ircbot
+
+- name: Copy appservice registration file
+  copy:
+    src: "{{ service_path }}/irc-registration.yaml"
+    dest: "/etc/matrix-synapse/{{ service_name }}-registration.yaml"
+    owner: matrix-synapse
+    group: nogroup
+    mode: 0600
+    remote_src: true
+
+# Run
+- name: "Ensure that {{ service_name }} is started"
+  systemd:
+    name: "{{ service_name }}"
+    state: started
+    enabled: true
+    daemon_reload: true

roles/matrix_appservice_irc/tasks/service_user.yml

@@ -0,0 +1,19 @@
+---
+# Having a custom group is useless so use nogroup
+- name: "Create {{ service_user }} user"
+  user:
+    name: "{{ service_user }}"
+    group: nogroup
+    home: "{{ service_homedir }}"
+    system: true
+    shell: /bin/false
+    state: present
+
+# Only service user should be able to go there
+- name: "Secure {{ service_user }} home directory"
+  file:
+    path: "{{ service_homedir }}"
+    state: directory
+    owner: "{{ service_user }}"
+    group: nogroup
+    mode: 0700

roles/matrix_appservice_irc/templates/config.yaml.j2

@@ -0,0 +1,431 @@
+# {{ ansible_managed }}
+
+homeserver:
+  # The URL to the home server for client-server API calls, also used to form the
+  # media URLs as displayed in bridged IRC channels:
+  url: "http://auro.re"
+  #
+  # The URL of the homeserver hosting media files. This is only used to transform
+  # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By
+  # default, this is the homeserver URL, specified above.
+  #
+  media_url: "https://auro.re"
+
+  # Drop Matrix messages which are older than this number of seconds, according to
+  # the event's origin_server_ts.
+  # If the bridge is down for a while, the homeserver will attempt to send all missed
+  # events on reconnection. These events may be hours old, which can be confusing to
+  # IRC users if they are then bridged. This option allows these old messages to be
+  # dropped.
+  # CAUTION: This is a very coarse heuristic. Federated homeservers may have different
+  # clock times and hence produce different origin_server_ts values, which may be old
+  # enough to cause *all* events from the homeserver to be dropped.
+  # Default: 0 (don't ever drop)
+  dropMatrixMessagesAfterSecs: 300 # 5 minutes
+
+  # The 'domain' part for user IDs on this home server. Usually (but not always)
+  # is the "domain name" part of the HS URL.
+  domain: "auro.re"
+
+  # Should presence be enabled for matrix clients on this bridge. If disabled on the
+  # homeserver then it should also be disabled here to avoid excess traffic.
+  # Default: true
+  enablePresence: true
+
+# Configuration specific to the IRC service
+ircService:
+  servers:
+    # The address of the server to connect to.
+    irc.crans.org:
+      # A human-readable short name. This is used to label IRC status rooms
+      # where matrix users control their connections.
+      # E.g. 'ExampleNet IRC Bridge status'.
+      # It is also used in the Third Party Lookup API as the instance `desc`
+      # property, where each server is an instance.
+      name: "Crans IRC Bridge status"
+
+      additionalAddresses: [ ]
+      #
+      # [DEPRECATED] Use `name`, above, instead.
+      # A human-readable description string
+      # description: "Example.com IRC network"
+
+      # An ID for uniquely identifying this server amongst other servers being bridged.
+      networkId: "crans"
+
+      # URL to an icon used as the network icon whenever this network appear in
+      # a network list. (Like in the riot room directory, for instance.)
+      # icon: https://example.com/images/hash.png
+
+      # The port to connect to. Optional.
+      port: 6697
+      # Whether to use SSL or not. Default: false.
+      ssl: true
+      # Whether or not IRC server is using a self-signed cert or not providing CA Chain
+      sslselfsign: true
+      # Should the connection attempt to identify via SASL (if a server or user password is given)
+      # If false, this will use PASS instead. If SASL fails, we do not fallback to PASS.
+      sasl: false
+      # Whether to allow expired certs when connecting to the IRC server.
+      # Usually this should be off. Default: false.
+      allowExpiredCerts: false
+      # A specific CA to trust instead of the default CAs. Optional.
+      #ca: |
+      #  -----BEGIN CERTIFICATE-----
+      #  ...
+      #  -----END CERTIFICATE-----
+
+      #
+      # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional.
+      # password: 'pa$$w0rd'
+      #
+      # Whether or not to send connection/error notices to real Matrix users. Default: true.
+      sendConnectionMessages: true
+
+      quitDebounce:
+        # Whether parts due to net-splits are debounced for delayMs, to allow
+        # time for the netsplit to resolve itself. A netsplit is detected as being
+        # a QUIT rate higher than quitsPerSecond. Default: false.
+        enabled: false
+        # The maximum number of quits per second acceptable above which a netsplit is
+        # considered ongoing. Default: 5.
+        quitsPerSecond: 5
+        # The time window in which to wait before bridging a QUIT to Matrix that occurred during
+        # a netsplit. Debouncing is jittered randomly between delayMinMs and delayMaxMs so that the HS
+        # is not sent many requests to leave rooms all at once if a netsplit occurs and many
+        # people to not rejoin.
+        # If the user with the same IRC nick as the one who sent the quit rejoins a channel
+        # they are considered back online and the quit is not bridged, so long as the rejoin
+        # occurs before the randomly-jittered timeout is not reached.
+        # Default: 3600000, = 1h
+        delayMinMs: 3600000 # 1h
+        # Default: 7200000, = 2h
+        delayMaxMs: 7200000 # 2h
+
+      # A map for conversion of IRC user modes to Matrix power levels. This enables bridging
+      # of IRC ops to Matrix power levels only, it does not enable the reverse. If a user has
+      # been given multiple modes, the one that maps to the highest power level will be used.
+      modePowerMap:
+        o: 50
+
+      botConfig:
+        # Enable the presence of the bot in IRC channels. The bot serves as the entity
+        # which maps from IRC -> Matrix. You can disable the bot entirely which
+        # means IRC -> Matrix chat will be shared by active "M-Nick" connections
+        # in the room. If there are no users in the room (or if there are users
+        # but their connections are not on IRC) then nothing will be bridged to
+        # Matrix. If you're concerned about the bot being treated as a "logger"
+        # entity, then you may want to disable the bot. If you want IRC->Matrix
+        # but don't want to have TCP connections to IRC unless a Matrix user speaks
+        # (because your client connection limit is low), then you may want to keep
+        # the bot enabled. Default: true.
+        # NB: If the bot is disabled, you SHOULD have matrix-to-IRC syncing turned
+        #     on, else there will be no users and no bot in a channel (meaning no
+        #     messages to Matrix!) until a Matrix user speaks which makes a client
+        #     join the target IRC channel.
+        # NBB: The bridge bot IRC client will still join the target IRC network so
+        #      it can service bridge-specific queries from the IRC-side e.g. so
+        #      real IRC clients have a way to change their Matrix display name.
+        #      See https://github.com/matrix-org/matrix-appservice-irc/issues/55
+        enabled: false
+        # The nickname to give the AS bot.
+        nick: "AuroreBot"
+        # The password to give to NickServ or IRC Server for this nick. Optional.
+        # password: "helloworld"
+        #
+        # Join channels even if there are no Matrix users on the other side of
+        # the bridge. Set to false to prevent the bot from joining channels which have no
+        # real matrix users in them, even if there is a mapping for the channel.
+        # Default: true
+        joinChannelsIfNoUsers: true
+
+      # Configuration for PMs / private 1:1 communications between users.
+      privateMessages:
+        # Enable the ability for PMs to be sent to/from IRC/Matrix.
+        # Default: true.
+        enabled: true
+        # Prevent Matrix users from sending PMs to the following IRC nicks.
+        # Optional. Default: [].
+        # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED
+
+        # Should created Matrix PM rooms be federated? If false, only users on the
+        # HS attached to this AS will be able to interact with this room.
+        # Optional. Default: true.
+        federate: true
+
+      # Configuration for mappings not explicitly listed in the 'mappings'
+      # section.
+      dynamicChannels:
+        # Enable the ability for Matrix users to join *any* channel on this IRC
+        # network.
+        # Default: false.
+        enabled: true
+        # Should the AS create a room alias for the new Matrix room? The form of
+        # the alias can be modified via 'aliasTemplate'. Default: true.
+        createAlias: true
+        # Should the AS publish the new Matrix room to the public room list so
+        # anyone can see it? Default: true.
+        published: true
+        # What should the join_rule be for the new Matrix room? If 'public',
+        # anyone can join the room. If 'invite', only users with an invite can
+        # join the room. Note that if an IRC channel has +k or +i set on it,
+        # join_rules will be set to 'invite' until these modes are removed.
+        # Default: "public".
+        joinRule: public
+        # This will set the m.room.related_groups state event in newly created rooms
+        # with the given groupId. This means flares will show up on IRC users in those rooms.
+        # This should be set to the same thing as namespaces.users.group_id in irc_registration.
+        # This does not alter existing rooms.
+        # Leaving this option empty will not set the event.
+        groupId: +myircnetwork:localhost
+        # Should created Matrix rooms be federated? If false, only users on the
+        # HS attached to this AS will be able to interact with this room.
+        # Default: true.
+        federate: true
+        # The room alias template to apply when creating new aliases. This only
+        # applies if createAlias is 'true'. The following variables are exposed:
+        # $SERVER => The IRC server address (e.g. "irc.example.com")
+        # $CHANNEL => The IRC channel (e.g. "#python")
+        # This MUST have $CHANNEL somewhere in it.
+        # Default: '#irc_$SERVER_$CHANNEL'
+        aliasTemplate: "#irc_crans_$CHANNEL"
+        # A list of user IDs which the AS bot will send invites to in response
+        # to a !join. Only applies if joinRule is 'invite'. Default: []
+        # whitelist:
+        #   - "@foo:example.com"
+        #   - "@bar:example.com"
+        #
+        # Prevent the given list of channels from being mapped under any
+        # circumstances.
+        # exclude: ["#foo", "#bar"]
+
+      # Configuration for controlling how Matrix and IRC membership lists are
+      # synced.
+      membershipLists:
+        # Enable the syncing of membership lists between IRC and Matrix. This
+        # can have a significant effect on performance on startup as the lists are
+        # synced. This must be enabled for anything else in this section to take
+        # effect. Default: false.
+        enabled: true
+
+        # Syncing membership lists at startup can result in hundreds of members to
+        # process all at once. This timer drip feeds membership entries at the
+        # specified rate. Default: 10000. (10s)
+        floodDelayMs: 10000
+
+        global:
+          ircToMatrix:
+            # Get a snapshot of all real IRC users on a channel (via NAMES) and
+            # join their virtual matrix clients to the room.
+            initial: true
+            # Make virtual matrix clients join and leave rooms as their real IRC
+            # counterparts join/part channels. Default: false.
+            incremental: true
+
+          matrixToIrc:
+            # Get a snapshot of all real Matrix users in the room and join all of
+            # them to the mapped IRC channel on startup. Default: false.
+            initial: true
+            # Make virtual IRC clients join and leave channels as their real Matrix
+            # counterparts join/leave rooms. Make sure your 'maxClients' value is
+            # high enough! Default: false.
+            incremental: true
+
+      # Configuration for virtual matrix users. The following variables are
+      # exposed:
+      # $NICK => The IRC nick
+      # $SERVER => The IRC server address (e.g. "irc.example.com")
+      matrixClients:
+        # The user ID template to use when creating virtual matrix users. This
+        # MUST have $NICK somewhere in it.
+        # Optional. Default: "@$SERVER_$NICK".
+        # Example: "@irc.example.com_Alice:example.com"
+        userTemplate: "@irc_$NICK"
+        # The display name to use for created matrix clients. This should have
+        # $NICK somewhere in it if it is specified. Can also use $SERVER to
+        # insert the IRC domain.
+        # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)"
+        displayName: "$NICK (IRC)"
+        # Number of tries a client can attempt to join a room before the request
+        # is discarded. You can also use -1 to never retry or 0 to never give up.
+        # Optional. Default: -1
+        joinAttempts: -1
+
+      # Configuration for virtual IRC users. The following variables are exposed:
+      # $LOCALPART => The user ID localpart ("alice" in @alice:localhost)
+      # $USERID => The user ID
+      # $DISPLAY => The display name of this user, with excluded characters
+      #             (e.g. space) removed. If the user has no display name, this
+      #             falls back to $LOCALPART.
+      ircClients:
+        # The template to apply to every IRC client nick. This MUST have either
+        # $DISPLAY or $USERID or $LOCALPART somewhere in it.
+        # Optional. Default: "M-$DISPLAY". Example: "M-Alice".
+        nickTemplate: "$DISPLAY[m]"
+        # True to allow virtual IRC clients to change their nick on this server
+        # by issuing !nick <server> <nick> commands to the IRC AS bot.
+        # This is completely freeform: it will NOT follow the nickTemplate.
+        allowNickChanges: true
+        # The max number of IRC clients that will connect. If the limit is
+        # reached, the client that spoke the longest time ago will be
+        # disconnected and replaced.
+        # Optional. Default: 30.
+        maxClients: 30
+        # IPv6 configuration.
+        ipv6:
+          # Optional. Set to true to force IPv6 for outgoing connections.
+          only: false
+          # Optional. The IPv6 prefix to use for generating unique addresses for each
+          # connected user. If not specified, all users will connect from the same
+          # (default) address. This may require additional OS-specific work to allow
+          # for the node process to bind to multiple different source addresses
+          # e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library
+          # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt.
+          # prefix: "2001:0db8:85a3::"  # modify appropriately
+        #
+        # The maximum amount of time in seconds that the client can exist
+        # without sending another message before being disconnected. Use 0 to
+        # not apply an idle timeout. This value is ignored if this IRC server is
+        # mirroring matrix membership lists to IRC. Default: 172800 (48 hours)
+        idleTimeout: 10800
+        # The number of millseconds to wait between consecutive reconnections if a
+        # client gets disconnected. Setting to 0 will cause the scheduling to be
+        # disabled, i.e. it will be scheduled immediately (with jitter.
+        # Otherwise, the scheduling interval will be used such that one client
+        # reconnect for this server will be handled every reconnectIntervalMs ms using
+        # a FIFO queue.
+        # Default: 5000 (5 seconds)
+        reconnectIntervalMs: 5000
+        # The number of concurrent reconnects if a user has been disconnected unexpectedly
+        # (e.g. a netsplit). You should set this to a reasonably high number so that
+        # bridges are not waiting an eternity to reconnect all its clients if
+        # we see a massive number of disconnect. This is unrelated to the reconnectIntervalMs
+        # setting above which is for connecting on restart of the bridge. Set to 0 to
+        # immediately try to reconnect all users.
+        # Default: 50
+        concurrentReconnectLimit: 50
+        # The number of lines to allow being sent by the IRC client that has received
+        # a large block of text to send from matrix. If the number of lines that would
+        # be sent is > lineLimit, the text will instead be uploaded to matrix and the
+        # resulting URI is treated as a file. As such, a link will be sent to the IRC
+        # side instead of potentially spamming IRC and getting the IRC client kicked.
+        # Default: 3.
+        lineLimit: 3
+        # A list of user modes to set on every IRC client. For example, "RiG" would set
+        # +R, +i and +G on every IRC connection when they have successfully connected.
+        # User modes vary wildly depending on the IRC network you're connecting to,
+        # so check before setting this value. Some modes may not work as intended
+        # through the bridge e.g. caller ID as there is no way to /ACCEPT.
+        # Default: "" (no user modes)
+        # userModes: "R"
+
+  # Configuration for an ident server. If you are running a public bridge it is
+  # advised you setup an ident server so IRC mods can ban specific matrix users
+  # rather than the application service itself.
+  ident:
+    # True to listen for Ident requests and respond with the
+    # matrix user's user_id (converted to ASCII, respecting RFC 1413).
+    # Default: false.
+    enabled: false
+    # The port to listen on for incoming ident requests.
+    # Ports below 1024 require root to listen on, and you may not want this to
+    # run as root. Instead, you can get something like an Apache to yank up
+    # incoming requests to 113 to a high numbered port. Set the port to listen
+    # on instead of 113 here.
+    # Default: 113.
+    port: 1113
+    # The address to listen on for incoming ident requests.
+    # Default: 0.0.0.0
+    address: "::"
+
+  # Configuration for logging. Optional. Default: console debug level logging
+  # only.
+  logging:
+    # Level to log on console/logfile. One of error|warn|info|debug
+    level: "info"
+    # The file location to log to. This is relative to the project directory.
+    logfile: "debug.log"
+    # The file location to log errors to. This is relative to the project
+    # directory.
+    errfile: "errors.log"
+    # Whether to log to the console or not.
+    toConsole: true
+    # The max number of files to keep. Files will be overwritten eventually due
+    # to rotations.
+    maxFiles: 5
+
+  # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`:
+  #   $ npm install prom-client@6.3.0
+  # Metrics will then be available via GET /metrics on the bridge listening port (-p).
+  metrics:
+    # Whether to actually enable the metric endpoint. Default: false
+    enabled: false
+    # When collecting remote user active times, which "buckets" should be used. Defaults are given below.
+    # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks).
+    remoteUserAgeBuckets:
+      - "1h"
+      - "1d"
+      - "1w"
+
+  # The nedb database URI to connect to. This is the name of the directory to
+  # dump .db files to. This is relative to the project directory.
+  # Required.
+  databaseUri: "nedb://data"
+
+  # Configuration options for the debug HTTP API. To access this API, you must
+  # append ?access_token=$APPSERVICE_TOKEN (from the registration file) to the requests.
+  #
+  # The debug API exposes the following endpoints:
+  #
+  #   GET /irc/$domain/user/$user_id => Return internal state for the IRC client for this user ID.
+  #
+  #   POST /irc/$domain/user/$user_id => Issue a raw IRC command down this connection.
+  #                                      Format: new line delimited commands as per IRC protocol.
+  #
+  debugApi:
+    # True to enable the HTTP API endpoint. Default: false.
+    enabled: false
+    # The port to host the HTTP API.
+    port: 11100
+
+  # Configuration for the provisioning API.
+  #
+  # GET /_matrix/provision/link
+  # GET /_matrix/provision/unlink
+  # GET /_matrix/provision/listlinks
+  #
+  provisioning:
+    # True to enable the provisioning HTTP endpoint. Default: false.
+    enabled: false
+    # The number of seconds to wait before giving up on getting a response from
+    # an IRC channel operator. If the channel operator does not respond within the
+    # allotted time period, the provisioning request will fail.
+    # Default: 300 seconds (5 mins)
+    requestTimeoutSeconds: 300
+
+  # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot
+  # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in
+  # the database.
+  #
+  # To generate a .pem file:
+  # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048
+  #
+  # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords
+  # for storage in the database. Passwords are stored by using the admin room command
+  # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of
+  # the Matrix user, this password will be sent as the server password (PASS command).
+  passwordEncryptionKeyPath: "passkey.pem"
+
+  # Config for Matrix -> IRC bridging
+  matrixHandler:
+    # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies).
+    eventCacheSize: 4096
+
+# Options here are generally only applicable to large-scale bridges and may have
+# consequences greater than other options in this configuration file.
+advanced:
+  # The maximum number of HTTP(S) sockets to maintain. Usually this is unlimited
+  # however for large bridges it is important to rate limit the bridge to avoid
+  # accidentally overloading the homeserver. Defaults to 1000, which should be
+  # enough for the vast majority of use cases.
+  maxHttpSockets: 1000