kes tu es borné⋅e toi !

2022-03-14 10:55:44 +01:00 · 2022-03-14 10:55:44 +01:00 · 09820c3b08
parent ab78352554
commit 09820c3b08
20 changed files with 1 additions and 435 deletions
--- a/group_vars/cachan/borg.yml
+++ b/group_vars/cachan/borg.yml
@ -1,20 +0,0 @@
 ---
 glob_borg:
  to_exclude:
    - /var/lib/lxcfs
  to_backup:
    - /etc
    - /var
  path: /backup/borg
  remote:
    - borg@zephir.cachan-adm.crans.org:/backup/borg/{{ ansible_hostname }}
  retention:
    - ["daily", 4]
    - ["monthly", 6]
  consistency_check:
    - disabled
  extra_init:
    - make-parent-dirs
  encryption_passphrase: "{{ vault.borgbackup_passwd }}"
  ssh_privkey: "{{ vault.borgbackup_ssh_privkey }}"
  ssh_options: ""
--- a/group_vars/cachan/home_nounou.yml
+++ b/group_vars/cachan/home_nounou.yml
@ -1,10 +0,0 @@
 ---
 glob_home_nounou:
  mounts:
    - ip: "{{ query('ldap', 'ip', 'charybde', 'cachan-adm') | ipv4 | first }}"
      mountpoint: /pool/home
      target: /home_nounou
      name: home_nounou
      owner: root
      group: _user
      mode: '0750'
--- a/group_vars/cachan/network_interfaces.yml
+++ b/group_vars/cachan/network_interfaces.yml
@ -1,11 +0,0 @@
 ---
 glob_network_interfaces:
  vlan:
    - name: cachan_adm
      id: 10
      dns: "{{ query('ldap', 'ip', 'routeur-gulp', 'cachan-adm') | ipv4 | first }}"
      extra:
        - "post-up /sbin/ip route add 172.16.10.0/24 via {{ query('ldap', 'ip', 'terenez', 'cachan-adm') | ipv4 | first }}"
    - name: infra
      id: 11
      dns: "{{ query('ldap', 'ip', 'routeur-gulp', 'infra') | ipv4 | first }}"
--- a/group_vars/cachan/ntp.yml
+++ b/group_vars/cachan/ntp.yml
@ -1,4 +0,0 @@
 ---
 loc_ntp_client:
  servers:
    - ntp.cachan-adm.crans.org
--- a/group_vars/cachan/prometheus_node_exporter.yaml
+++ b/group_vars/cachan/prometheus_node_exporter.yaml
@ -1,3 +0,0 @@
 ---
 glob_prometheus_node_exporter:
  listen_addr: "{{ query('ldap', 'ip', ansible_hostname, 'cachan-adm') | ipv4 | first }}"
--- a/group_vars/mirror_backend.yml
+++ b/group_vars/mirror_backend.yml
@ -6,7 +6,7 @@ glob_ftpsync:
    info:
      maintainer: Les Nounous <contact@crans.org>
      country: FR
-      location: Cachan, Île-de-France
+      location: Gif-sur-Yvette, Île-de-France
  targets:
    - name: main
      dest: debian
--- a/group_vars/vsftpd_cameras.yml
+++ b/group_vars/vsftpd_cameras.yml
@ -1,6 +0,0 @@
 ---
 glob_vsftpd_cameras:
  local: yes
  write: yes
  userlist:
    - cameras
--- a/host_vars/charybde.cachan-adm.crans.org.yml
+++ b/host_vars/charybde.cachan-adm.crans.org.yml
@ -1,11 +0,0 @@
 ---
 debian_mirror: 'file:/pool/mirror/pub/debian'
 interfaces:
  cachan_adm: eth0.10
  infra: eth0.111
 loc_ntp_server:
  open:
    - 172.17.10.0/24
    - 172.16.32.0/22
--- a/host_vars/codichotomie.adm.crans.org.yml
+++ b/host_vars/codichotomie.adm.crans.org.yml
@ -1,4 +0,0 @@
 ---
 interfaces:
  adm: eth0
  srv_nat: eth1
--- a/host_vars/omnomnom.cachan-adm.crans.org.yml
+++ b/host_vars/omnomnom.cachan-adm.crans.org.yml
@ -1,3 +0,0 @@
 ---
 interfaces:
  cachan_adm: eno1.10
--- a/host_vars/zamok-tmtc.adm.crans.org.yml
+++ b/host_vars/zamok-tmtc.adm.crans.org.yml
@ -1,4 +0,0 @@
 ---
 interfaces:
  adm: eth0
  san: eth1
--- a/host_vars/zephir.cachan-adm.crans.org.yml
+++ b/host_vars/zephir.cachan-adm.crans.org.yml
@ -1,7 +0,0 @@
 ---
 interfaces:
  cachan_adm: eno1
 loc_borg:
  remote:
    - /backup/borg/{{ ansible_hostname }}
--- a/122
+++ b/122
@ -10,8 +10,6 @@ hodaur.adm.crans.org
 cameron.adm.crans.org
 [backups]
 zephir.cachan-adm.crans.org
 omnomnom.cachan-adm.crans.org
 [baie]
 cameron.adm.crans.org
@ -149,7 +147,6 @@ thelounge
 wiki
 [ntp_server]
 charybde.cachan-adm.crans.org
 eclat.adm.crans.org
 [opendkim:children]
@ -263,18 +260,9 @@ sputnik.adm.crans.org
 [wireguard]
 boeing.adm.crans.org
 charybde.cachan-adm.crans.org
 sputnik.adm.crans.org
 vol447.adm.crans.org
 [cachan:children]
 cachan_physical
 [cachan_physical]
 charybde.cachan-adm.crans.org
 omnomnom.cachan-adm.crans.org
 zephir.cachan-adm.crans.org
 [crans_routeurs:children]
 routeurs_vm
@ -287,7 +275,6 @@ zbee.adm.crans.org
 [crans_physical:children]
 backups
 baie
 cachan_physical
 virtu
 [crans_vm]
@ -344,115 +331,6 @@ sputnik.adm.crans.org
 crans_physical
 crans_vm
 [crans_unifi]
 0g-2.infra.crans.org
 0g-3.infra.crans.org
 0g-4.infra.crans.org
 0h-2.infra.crans.org
 0h-3.infra.crans.org
 0m-2.infra.crans.org
 1g-1.infra.crans.org
 1g-3.infra.crans.org
 1g-4.infra.crans.org
 1g-5.infra.crans.org
 1h-2.infra.crans.org
 1h-3.infra.crans.org
 1i-2.infra.crans.org
 1i-3.infra.crans.org
 1j-2.infra.crans.org
 1j-3.infra.crans.org
 1m-1.infra.crans.org
 1m-2.infra.crans.org
 1m-5.infra.crans.org
 2a-1.infra.crans.org
 2b-3.infra.crans.org
 2c-2.infra.crans.org
 2c-3.infra.crans.org
 2g-1.infra.crans.org
 2g-3.infra.crans.org
 2g-5.infra.crans.org
 2h-2.infra.crans.org
 2h-3.infra.crans.org
 2i-2.infra.crans.org
 2i-3.infra.crans.org
 2j-2.infra.crans.org
 2j-3.infra.crans.org
 2m-2.infra.crans.org
 3a-2.infra.crans.org
 3b-3.infra.crans.org
 3c-2.infra.crans.org
 3c-3.infra.crans.org
 3g-1.infra.crans.org
 3g-5.infra.crans.org
 3h-2.infra.crans.org
 3h-3.infra.crans.org
 3i-2.infra.crans.org
 3i-3.infra.crans.org
 3j-2.infra.crans.org
 3m-2.infra.crans.org
 3m-4.infra.crans.org
 3m-5.infra.crans.org
 4a-1.infra.crans.org
 4a-2.infra.crans.org
 4a-3.infra.crans.org
 4b-1.infra.crans.org
 4c-2.infra.crans.org
 4c-3.infra.crans.org
 4g-1.infra.crans.org
 4g-3.infra.crans.org
 4g-5.infra.crans.org
 4h-2.infra.crans.org
 4h-3.infra.crans.org
 4i-2.infra.crans.org
 4i-3.infra.crans.org
 4j-1.infra.crans.org
 4j-2.infra.crans.org
 4j-3.infra.crans.org
 4m-2.infra.crans.org
 4m-4.infra.crans.org
 5a-1.infra.crans.org
 5b-1.infra.crans.org
 5c-1.infra.crans.org
 5g-1.infra.crans.org
 5g-3.infra.crans.org
 5m-4.infra.crans.org
 6a-1.infra.crans.org
 6a-2.infra.crans.org
 6c-1.infra.crans.org
 adonis.infra.crans.org # 5a
 atlas.infra.crans.org # 1a
 baba-au-rhum.infra.crans.org # 3b
 bacchus.infra.crans.org # 1b
 baucis.infra.crans.org # 2b
 bellerophon.infra.crans.org # 2b
 benedict-cumberbatch.infra.crans.org # 1b
 benthesicyme.infra.crans.org # 4b
 boree.infra.crans.org # 6b
 branchos.infra.crans.org # 3b
 calypso.infra.crans.org # 4c
 chaos.infra.crans.org # 1c
 chronos.infra.crans.org # 2c
 crios.infra.crans.org # 3c
 gaia.infra.crans.org # 0g
 hades.infra.crans.org # 4h
 hephaistos.infra.crans.org # 1h
 hermes.infra.crans.org # 3h
 hypnos.infra.crans.org # 2h
 iaso.infra.crans.org # 1i
 idothee.infra.crans.org # 3i
 idyie.infra.crans.org # 0i
 ino.infra.crans.org # 2i
 ioke.infra.crans.org # 4i
 jaipudidees.infra.crans.org # 2j
 jaipudpapier.infra.crans.org # 3j
 japavolonte.infra.crans.org # 1j
 jesuischarlie.infra.crans.org # 0j
 jveuxduwifi.infra.crans.org # 0j
 mania.infra.crans.org # 2m
 marquis.infra.crans.org # manoir
 mercure.infra.crans.org # 3m
 #5m-5.infra.crans.org Déplacée au 2b
 [ilo_snmp]
 ilo-daniel.adm.crans.org
 ilo-ft.adm.crans.org
--- a/re2o.yml
+++ b/re2o.yml
@ -1,44 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 # THIS FILE SHOULD BE UPDATED TO NEW INFRA AND THE MERGED TO plays/
 # Deploy services config on all servers
 - hosts: server
  vars:
    re2o:
      server: re2o.adm.crans.org
      service_user: "{{ vault.re2o_service_user }}"
      service_password: "{{ vault.re2o_service_password }}"
    mail_server: smtp.adm.crans.org
  roles:
    - re2o-services
 # Deploy re2o dns service on dns server
 - hosts: silice.adm.crans.org
  roles:
    - re2o-dns
 # Deploy re2o notif-users service on zamok
 - hosts: zamok.adm.crans.org
  roles:
    - re2o-notif-users
 # Deploy re2o firewall on servers
 - hosts: zamok.adm.crans.org
  roles:
    - re2o-firewall
 # Re2o firewall specific configuration for ipv6-zayo
 - hosts: ipv6-zayo.adm.crans.org
  roles:
    - re2o-firewall-ipv6-zayo
 # Re2o firewall specific configuration for zamok
 - hosts: zamok.adm.crans.org
  roles:
    - re2o-firewall-zamok
 # Deploy re2o mail-server on MTA and MDA
 - hosts: titanic.adm.crans.org,sputnik.adm.crans.org
  roles:
    - re2o-mail-server
--- a/roles/logall-cachan/tasks/main.yml
+++ b/roles/logall-cachan/tasks/main.yml
@ -1,24 +0,0 @@
 ---
 - name: Deploy firewall rsyslog
  template:
    src: rsyslog.d/10-firewall.conf.j2
    dest: /etc/rsyslog.d/10-firewall.conf
    mode: 0644
    owner: root
    group: root
 - name: Create firewall log directory
  file:
    path: /var/log/firewall
    mode: 0755
    owner: root
    group: root
    state: directory
 - name: Deploy firewall logrotate
  template:
    src: logrotate.d/firewall.j2
    dest: /etc/logrotate.d/firewall
    mode: 0644
    owner: root
    group: root
--- a/roles/logall-cachan/templates/logrotate.d/firewall.j2
+++ b/roles/logall-cachan/templates/logrotate.d/firewall.j2
@ -1,28 +0,0 @@
 {{ ansible_header | comment }}
 /var/log/firewall/trace.log
 /var/log/firewall/filtre.log
 /var/log/firewall/iptables.err
 /var/log/firewall/iptables.log {
    rotate 1
        weekly
        missingok
        notifempty
        compress
        postrotate
        /usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
    endscript
 }
 /var/log/firewall/logall.log {
    daily
        compress
        compresscmd /bin/bzip2
        uncompresscmd /bin/bunzip2
        compressext .bz2
        rotate 365
        notifempty
        sharedscripts
        postrotate
        /usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
    endscript
 }
--- a/roles/logall-cachan/templates/rsyslog.d/10-firewall.conf.j2
+++ b/roles/logall-cachan/templates/rsyslog.d/10-firewall.conf.j2
@ -1,32 +0,0 @@
 {{ ansible_header | comment }}
 #$ModLoad imklog #Déjà présent dans rsyslog.conf
 # Messages du firewall (ie de sa génération)
 if $programname == 'firewall' and $syslogseverity <= '3' then /var/log/firewall/iptables.err
 if $programname == 'firewall' then /var/log/firewall/iptables.log
 # kernel (facility = 0):
 # Discard broadcast (sinon trop de spam)
 # Note: on discard tout au final, sinon, on risquerait d'envoyer du contenu
 # (LOG_ALL est dans PREROUTING donc je sais pas si ça compte, mais je veux
 # pas essayer)
 if $syslogfacility == '0' and $msg contains 'ff:ff:ff:ff:ff:ff' then ~
 # LOG_ALL pour … je sais plus à quoi ça sert …
 if $syslogfacility == '0' and $msg contains 'LOG_ALL' and ($msg contains 'SRC=10.' or $msg contains 'SRC=100.64.' or $msg contains 'SRC=172.16.' or $msg contains 'SRC=185.230.76.' or $msg contains 'SRC=185.230.77.' or $msg contains 'SRC=185.230.78.' or $msg contains 'SRC=185.230.79.' or $msg contains 'SRC=2a0c:0700:') then /var/log/firewall/logall.log
 &   ~
 # LOG_MAC_IP pour l'association mac_ip en ipv6
 if $syslogfacility == '0' and $msg contains 'LOG_MAC_IP' then ~
 # TRACE
 if $syslogfacility == '0' and $msg contains 'TRACE:' then /var/log/firewall/trace.log
 &   ~
 # filtre.log était parsé par un script pour gérer les déconnexions
 #if $syslogfacility == '0' and $msg contains 'DST=' then /var/log/firewall/filtre.log
 #&   ~
 if $syslogfacility == '0' and $msg contains 'LOG_ALL' then ~
--- a/roles/unifi-controller/tasks/main.yml
+++ b/roles/unifi-controller/tasks/main.yml
@ -1,47 +0,0 @@
 ---
 # Install HTTPS support for APT
 - name: Install apt-transport-https
  apt:
    update_cache: true
    name:
      - apt-transport-https
      - gpg
      - dirmngr
    state: present
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 # Add the key
 - name: Configure the apt key
  apt_key:
    keyserver: keyserver.ubuntu.com
    id: 06E85760C0A52C50
    state: present
  register: apt_key_result
  retries: 3
  until: apt_key_result is succeeded
  loop:
 # Add the repository into source list
 - name: Configure unifi repository
  apt_repository:
    repo: "{{ item }}"
    state: present
  loop:
    - deb http://www.ui.com/downloads/unifi/debian stable ubiquiti
 - name: Install unifi
  apt:
    update_cache: true
    name: unifi
    state: present
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Indicate role in motd
  template:
    src: update-motd.d/05-service.j2
    dest: /etc/update-motd.d/05-unifi-controller
    mode: 0755
--- a/roles/unifi-controller/templates/update-motd.d/05-service.j2
+++ b/roles/unifi-controller/templates/update-motd.d/05-service.j2
@ -1,3 +0,0 @@
 #!/usr/bin/tail +14
 {{ ansible_header | comment }}
 > Le contrôleur Unifi a été déployé sur cette machine.
--- a/upgrade.yml
+++ b/upgrade.yml
@ -1,51 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 # This is a special playbook to upgrade a server, be careful!
 - hosts: server,test_vm
  tasks:
    - name: Upgrade
      apt:
        upgrade: dist
        update_cache: true
      register: apt_result
      retries: 3
      until: apt_result is succeeded
    - name: Clean unwanted olderstuff
      apt:
        autoremove: true
        purge: true
      register: apt_result
      retries: 3
      until: apt_result is succeeded
 - hosts: owncloud-srv.adm.crans.org
  become_user: www-data
  become: true
  vars:
    # Owncloud command line interface
    occ_bin: '/var/www/owncloud/occ'
  tasks:
    - name: Upgrade owncloud
      command: "{{ occ_bin }} upgrade"
      register: upgrade_owncloud
      failed_when:
        # occ return code is 3 when ownCloud is already latest version
        - upgrade_owncloud.rc != 0
        - upgrade_owncloud.rc != 3
      changed_when:
        - upgrade_owncloud.rc != 3
    - name: Upgrade owncloud output
      debug:
        msg:
          - "stdout: {{ upgrade_owncloud.stdout_lines }}"
          - "stderr: {{ upgrade_owncloud.stderr_lines }}"
      when: not ansible_check_mode
    - name: Disable maintenance mode
      command: "{{ occ_bin }} maintenance:mode --off"
      when:
        - not ansible_check_mode
        # Maintenance mode has not been enabled.
        - upgrade_owncloud.rc != 3