Merge branch 'newinfra' into 'interfaces'

# Conflicts:
#   lookup_plugins/ldap.py
certbot_on_virtu
_benjamin 2020-08-23 19:57:41 +02:00
commit 22dee4e764
40 changed files with 370 additions and 108 deletions


@ -16,7 +16,28 @@ dhcp:
domain_name: "adh-nat.crans.org"
domain_search: "adh-nat.crans.org"
options: []
lease_file: "/tmp/dhcp.list"
lease_file: "/tmp/adh-nat-dhcp.list"
- network: "185.230.78.0/24"
deny_unknown: True
vlan: "adh"
default_lease_time: "600"
max_lease_time: "7200"
routers: "185.230.78.99"
dns: ["185.230.78.99"]
domain_name: "adh.crans.org"
domain_search: "adh.crans.org"
options: []
lease_file: "/tmp/adh-dhcp.list"
- network: "172.16.32.0/22"
deny_unknown: True
vlan: "infra"
default_lease_time: "600"
max_lease_time: "7200"
dns: ["172.16.32.99"]
domain_name: "infra.crans.org"
domain_search: "infra.crans.org"
options: []
lease_file: "/tmp/infra-dhcp.list"
re2o:
server: re2o.adm.crans.org
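Review bot: The per-vlan `lease_file` values added here (`/tmp/adh-nat-dhcp.list`, `/tmp/adh-dhcp.list`, `/tmp/infra-dhcp.list`) keep lease data under /tmp, a world-writable directory that is normally emptied at boot. What consumes `lease_file` is not visible in this hunk, but if a root-owned script writes it there, an unprivileged local user can pre-create the path, and the data is lost on reboot; a dedicated, root-owned directory such as `/var/lib/dhcp` avoids both. The subnet list this belongs to starts before the hunk.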


@ -8,17 +8,23 @@ glob_keepalived:
dhcp:
password: "plopisverysecure"
id: 60
ipv6: no
ipv6: yes
notify: /usr/scripts/notify-dhcp
zones:
- vlan: adh-nat
- vlan: adh
ipv4: 185.230.78.99/24
brd: true
ipv6: 2a0c:700:12::ff:fe00:9912/48
- vlan: adh_nat
ipv4: 100.64.0.99/16
brd: true
ipv6: 2a0c:700:13::ff:fe00:9913/48
radius:
password: 'plopisverysecure'
id: 61
ipv6: no
ipv6: yes
zones:
- vlan: infra
ipv4: 172.16.32.99/22
brd: true
ipv6: fd00::11:0:ff:fe00:9911/64
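Review bot: The VRRP passwords at `password: "plopisverysecure"` for the dhcp and radius instances stay in cleartext in group_vars, while the slapd hunk in this same commit moves its secrets to vault (`vault_ldap_private_key`, `vault_ldap_certificate`). VRRP authentication is weak by design, so the value mostly guards against instance collisions, but committing it next to vaulted material is inconsistent; `password: "{{ vault_keepalived_dhcp_password }}"` (variable name constructed here, follow the project's vault naming) keeps credentials out of the inventory. Both instances also switch to `ipv6: yes`, and the IPv6 vrrp_instance template in this commit binds to `interfaces.adm`; confirm every crans_routeurs host defines `interfaces.adm`, since the visible host_vars hunks do not show it.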


@ -3,4 +3,5 @@
glob_slapd:
master_ip: 172.16.10.1
replication_credentials: "{{ vault_ldap_replication_credentials }}"
private_key: "{{ vault_ldap_private_key }}"
certificate: "{{ vault_ldap_certificate }}"


@ -7,6 +7,9 @@ interfaces:
wifi_new: ens1f0.22
zayo: ens1f0.26
firewall:
version: gulp
loc_keepalived:
instances:
- name: router


@ -7,6 +7,8 @@ interfaces:
adh: ens22
adh_nat: ens23
firewall:
version: HEAD
loc_keepalived:
instances:


@ -8,6 +8,8 @@ interfaces:
adh_nat: ens23
srv_old: ens1
firewall:
version: HEAD
loc_keepalived:
instances:

hosts

@ -44,7 +44,7 @@ sam.adm.crans.org
daniel.adm.crans.org
jack.adm.crans.org
[slapd]
[ldap_server]
tealc.adm.crans.org
sam.adm.crans.org
daniel.adm.crans.org
@ -58,7 +58,6 @@ routeur-daniel.adm.crans.org
routeur-sam.adm.crans.org
routeur-daniel.adm.crans.org
[crans_routeurs:children]
dhcp
keepalived
@ -69,6 +68,7 @@ tealc.adm.crans.org
sam.adm.crans.org
daniel.adm.crans.org
jack.adm.crans.org
gulp.adm.crans.org
[crans_vm]
voyager.adm.crans.org
@ -79,6 +79,8 @@ belenios # on changera plus tard
re2o-ldap.adm.crans.org
gitlab-ci.adm.crans.org
hodaur.adm.crans.org
monitoring.adm.crans.org
boeing.adm.crans.org
[ovh_physical]
sputnik.adm.crans.org


@ -103,10 +103,18 @@ class LookupModule(LookupBase):
query_id = self.base.search(f"cn={network},ou=networks,{self.base_dn}", ldap.SCOPE_BASE, "objectClass=ipNetwork")
result = self.base.result(query_id)
result = result[1][0][1]
return {
'network': result['ipNetworkNumber'][0].decode('utf-8'),
'netmask': result['ipNetmaskNumber'][0].decode('utf-8'),
}
return str(ipaddress.ip_network('{}/{}'.format(result['ipNetworkNumber'][0].decode('utf-8'), result['ipNetmaskNumber'][0].decode('utf-8'))))
elif terms[0] == 'zones':
query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, "objectClass=ipNetwork")
result = self.base.result(query_id)
res = []
for _, network in result[1]:
network = network['cn'][0].decode('utf-8')
if network == 'srv':
res.append('crans.org')
else:
res.append(f"{network}.crans.org")
result = res
elif terms[0] == 'vlanid':
network = terms[1]
query_id = self.base.search(f"cn={network},ou=networks,{self.base_dn}", ldap.SCOPE_BASE, "objectClass=ipNetwork")
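Review bot: `network`, taken from `terms[1]`, is interpolated unescaped into the DN `f"cn={network},ou=networks,{self.base_dn}"` in the search at the top of this hunk and again in the new `vlanid` branch; a value containing `,`, `+` or `=` changes the DN structure instead of being looked up literally. The terms come from playbooks, so this is a robustness concern more than an injection path, but python-ldap already provides the fix as a one-liner: `safe = ldap.dn.escape_dn_chars(network)` before building the DN. The `result[1][0][1]` indexing on the following line raises a bare `IndexError` when the entry does not exist, so a typo in a vlan name fails the render with no hint; `if not result[1]:` followed by an error naming the missing network would make that diagnosable. The enclosing method starts and ends outside the hunk.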


@ -638,6 +638,14 @@ class LookupModule(LookupBase):
def _getreverse(self, api_client):
display.v("Getting dns reverse zones")
return [
'76.230.185.in-addr.arpa',
'77.230.185.in-addr.arpa',
'78.230.185.in-addr.arpa',
'79.230.185.in-addr.arpa',
'0.0.7.0.c.0.a.2.ip6.arpa',
]
zones, res = None, None
if self._is_cached('dnsreverse'):
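Review bot: The `return [...]` inserted at the top of `_getreverse` makes everything after it, starting at `zones, res = None, None`, unreachable, while `display.v("Getting dns reverse zones")` still claims an API lookup is happening. If the hardcoded list is a temporary override, mark it `# TODO: remove once reverse zones are served from LDAP` so the dead cache path is not carried forever; if it is permanent, delete the code below it. `_getreverse` continues past the end of the hunk.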


@ -1,8 +1,9 @@
#!/usr/bin/env ansible-playbook
---
# Deploy recursive DNS cache server
- hosts: odlyd.adm.crans.org
roles: ["bind-recursive"]
- hosts: routeur-sam.adm.crans.org,routeur-daniel.adm.crans.org
roles:
- bind-recursive
# Deploy authoritative DNS server
- hosts: silice.adm.crans.org,sputnik.adm.crans.org,boeing.adm.crans.org
@ -10,11 +11,12 @@
certbot_dns_secret: "{{ vault_certbot_dns_secret }}"
certbot_adm_dns_secret: "{{ vault_certbot_adm_dns_secret }}"
bind:
masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
slaves: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-slave')[0] }}"
zones: "{{ lookup('re2oapi', 'dnszones') }}"
masters: "{{ query('ldap', 'role', 'dns-primary') }}"
slaves: "{{ query('ldap', 'role', 'dns-secondary') }}"
zones: "{{ (lookup('re2oapi', 'dnszones') + query('ldap', 'zones')) | unique }}"
reverse: "{{ lookup('re2oapi', 'dnsreverse') }}"
roles: ["bind-authoritative"]
roles:
- bind-authoritative
- hosts: silice.adm.crans.org
vars:
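Review bot: The new `zones:` expression concatenates `lookup('re2oapi', 'dnszones')` with `query('ldap', 'zones')`, which relies on `lookup()` collapsing a single-element result into the inner list while `query()` always returns a list; the two calls have different wrapping rules and the expression only works if the re2oapi plugin happens to return its zone list wrapped exactly once, which is not visible here. Using the same call style on both sides, e.g. `zones: "{{ (query('re2oapi', 'dnszones') + query('ldap', 'zones')) | unique }}"`, makes the intent explicit once that wrapping is confirmed. `reverse:` on the next line still goes through the re2oapi plugin whose `_getreverse` this commit hardcodes, so the comment `# reverse zones are currently a static list in the re2oapi plugin` would save the next reader a search. The play continues beyond the hunk.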


@ -4,11 +4,31 @@
- hosts: crans_routeurs
roles:
- sysctl-forwarding
- logall
- nftables
- hosts: routeur-sam.adm.crans.org
roles:
- arp-proxy
- hosts: crans_routeurs
vars:
subnets:
- name: infra
prefix: fd00:0:0:11::/64
dns:
- fd00::11:0:ff:fe00:9911
- name: adh
prefix: 2a0c:700:12::/64
dns:
- 2a0c:700:12::ff:fe00:9912
- name: adh_nat
prefix: 2a0c:700:13::/64
dns:
- 2a0c:700:13::ff:fe00:9913
roles:
- radvd
# Deploy firewall
- hosts: crans_routeurs
vars:
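Review bot: The radvd `subnets` block hardcodes prefixes and recursive DNS addresses (`fd00:0:0:11::/64`, `fd00::11:0:ff:fe00:9911`, and the `2a0c:700:12`/`13` pairs) that also appear as keepalived VIPs in group_vars and that the rest of this commit derives from LDAP (`fd00:0:0:{{ query('ldap', 'vlanid', ...) }}::/64` in the named acl template). A third copy means a vlan id change in LDAP silently leaves stale prefixes in router advertisements; deriving `prefix` from the same `vlanid` lookup, or at least from the keepalived zone list, keeps one source of truth. The play list continues after the hunk.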


@ -1,7 +1,7 @@
#!/usr/bin/env ansible-playbook
---
# Deploy Prometheus and Grafana on monitoring server
- hosts: fyre.adm.crans.org
- hosts: monitoring.adm.crans.org
vars:
# Prometheus targets.json
prometheus:
@ -72,11 +72,6 @@
adm_ipv4: "{{ ansible_all_ipv4_addresses | ipaddr(adm_subnet) | first }}"
roles: ["prometheus-apache-exporter"]
# Configure HP RAID monitoring
# You can list SCSI drives with `lsscsi -g`
- hosts: fyre.adm.crans.org,gateau.adm.crans.org
roles: ["smartd-hp-smartarray"]
# Monitor mailq with a special text exporter
- hosts: redisdead.adm.crans.org
roles: ["prometheus-node-exporter-postfix"]


@ -31,7 +31,7 @@
- qemu-guest-agent
- serial-tty
- hosts: slapd
- hosts: ldap_server
vars:
slapd: '{{ glob_slapd | combine(loc_slapd | default({})) }}'
ldap:
@ -46,3 +46,7 @@
roles:
- ldap-client
- home-nounous
- hosts: server,!virtu
roles:
- openssh


@ -7,17 +7,9 @@
retries: 3
until: apt_result is succeeded
- name: Lookup DNS servers
set_fact:
masters_ipv4: "{{ bind.masters | json_query('servers[].interface[?vlan_id==`2`].ipv4[]') }}"
masters_ipv6: "{{ bind.masters | json_query('servers[].interface[?vlan_id==`2`].ipv6[][].ipv6') }}"
slaves_ipv4: "{{ bind.slaves | json_query('servers[].interface[?vlan_id==`2`].ipv4[]') }}"
slaves_ipv6: "{{ bind.slaves | json_query('servers[].interface[?vlan_id==`2`].ipv6[][].ipv6') }}"
cacheable: true
- name: Is this the master?
set_fact:
is_master: "{{ ansible_all_ipv4_addresses | intersect(masters_ipv4) | length > 0 }}"
is_master: "{{ ansible_hostname in query('ldap', 'role', 'dns-primary') }}"
cacheable: true
- name: Deploy Bind9 configuration
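Review bot: `is_master` now comes from `ansible_hostname in query('ldap', 'role', 'dns-primary')`, so if the LDAP query returns an empty list, or returns FQDNs while `ansible_hostname` is the short name, every server silently configures itself as a slave and nobody is master. Whether the role lookup yields short names is not visible in this hunk; an `assert` task before this one, `that: "query('ldap', 'role', 'dns-primary') | length > 0"`, turns a broken or empty lookup into a visible failure instead of a silent demotion. The task list continues outside the hunk.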


@ -27,11 +27,10 @@ zone "_acme-challenge.crans.org" {
{% else %}
type slave;
masters {
{% for ip in masters_ipv4 %}
{% for host in bind.masters %}
{% for ip in query('ldap', 'ip', host, 'adm') %}
{{ ip }};
{% endfor -%}
{% for ip in masters_ipv6 %}
{{ ip }};
{% endfor %}
};
notify no;
@ -50,11 +49,10 @@ zone "_acme-challenge.adm.crans.org" {
{% else %}
type slave;
masters {
{% for ip in masters_ipv4 %}
{% for host in bind.masters %}
{% for ip in query('ldap', 'ip', host, 'adm') %}
{{ ip }};
{% endfor -%}
{% for ip in masters_ipv6 %}
{{ ip }};
{% endfor %}
};
notify no;
@ -72,11 +70,10 @@ zone "_acme-challenge.crans.fr" {
{% else %}
type slave;
masters {
{% for ip in masters_ipv4 %}
{% for host in bind.masters %}
{% for ip in query('ldap', 'ip', host, 'adm') %}
{{ ip }};
{% endfor -%}
{% for ip in masters_ipv6 %}
{{ ip }};
{% endfor %}
};
notify no;
@ -94,11 +91,10 @@ zone "_acme-challenge.crans.eu" {
{% else %}
type slave;
masters {
{% for ip in masters_ipv4 %}
{% for host in bind.masters %}
{% for ip in query('ldap', 'ip', host, 'adm') %}
{{ ip }};
{% endfor -%}
{% for ip in masters_ipv6 %}
{{ ip }};
{% endfor %}
};
notify no;
@ -118,11 +114,10 @@ zone "{{ zone }}" {
type slave;
file "bak.{{ zone }}";
masters {
{% for ip in masters_ipv4 %}
{{ ip }};
{% endfor %}
{% for ip in masters_ipv6 %}
{% for host in bind.masters %}
{% for ip in query('ldap', 'ip', host, 'adm') %}
{{ ip }};
{% endfor -%}
{% endfor %}
};
notify no;
@ -143,11 +138,10 @@ zone "{{ zone }}" {
type slave;
file "bak.{{ zone }}";
masters {
{% for ip in masters_ipv4 %}
{{ ip }};
{% endfor %}
{% for ip in masters_ipv6 %}
{% for host in bind.masters %}
{% for ip in query('ldap', 'ip', host, 'adm') %}
{{ ip }};
{% endfor -%}
{% endfor %}
};
notify no;
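Review bot: The rewritten `masters { ... }` block is repeated verbatim six times in this file, and the same shape appears twice more in the `allow-transfer` / `also-notify` hunks of the options template, each issuing `query('ldap', 'ip', host, 'adm')` per host on every render. A macro defined once at the top, `{% macro adm_ips(hosts) %}{% for host in hosts %}{% for ip in query('ldap', 'ip', host, 'adm') %}{{ ip }};{% endfor %}{% endfor %}{% endmacro %}`, makes a later change (such as re-adding IPv6 masters) a one-place edit. Note that the removed `masters_ipv6` loop has no replacement: unless the `ip` lookup for the adm vlan also returns IPv6 addresses, transfers from the masters over IPv6 are no longer permitted, which is worth a comment either way. The zone definitions continue outside the hunks.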


@ -32,20 +32,18 @@ options {
{% if is_master %}
allow-transfer {
{% for ip in slaves_ipv4 %}
{% for host in bind.slaves %}
{% for ip in query('ldap', 'ip', host, 'adm') %}
{{ ip }};
{% endfor %}
{% for ip in slaves_ipv6 %}
{{ ip }};
{% endfor %}
};
also-notify {
{% for ip in slaves_ipv4 %}
{% for host in bind.slaves %}
{% for ip in query('ldap', 'ip', host, 'adm') %}
{{ ip }};
{% endfor %}
{% for ip in slaves_ipv6 %}
{{ ip }};
{% endfor %}
};
{% else %}


@ -0,0 +1,5 @@
---
- name: Reload bind9
systemd:
name: bind9
state: reloaded


@ -6,3 +6,17 @@
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Deploy Bind9 configuration
template:
src: bind/{{ item }}.j2
dest: /etc/bind/{{ item }}
mode: 0644
loop:
- named.conf
- named.conf.acl
# - named.conf.options
- named.conf.local
- named.conf.default-zones
- db.infra
notify: Reload bind9
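Review bot: The loop deploys `named.conf`, which includes `/etc/bind/named.conf.options`, but `# - named.conf.options` is commented out, so the `dnssec-validation auto; listen-on-v6 { any; };` template added by this commit is never installed and named runs with whatever the package shipped. Either deploy it or drop the unused template, and if keeping the distro file is intended, say so: `# named.conf.options is left to the bind9 package on purpose`. Because all five files are rendered before the single reload, a lookup that returns an empty value produces a broken fragment and the reload fails on the server; a `command: named-checkconf` task between the loop and the handler catches that where it can still be read in the playbook output. The task list starts before the hunk.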


@ -0,0 +1,24 @@
{{ ansible_header | comment(decoration='; ') }}
$TTL 0
@ IN SOA silice.crans.org root.crans.org (
0 ; serial
3600 ; refresh (1hr)
1800 ; retry (30mn)
604800 ; expire (7dy)
0 ; TTL (0s)
)
@ IN NS passerelle.infra.crans.org
passerelle.infra.crans.org IN A {{ (query('ldap', 'ip', 'passerelle', 'infra') | ipv4)[0] }}
* IN CNAME crans.org
*.org IN CNAME crans.org
*.fr IN CNAME crans.org
*.com IN CNAME crans.org
intranet.crans.org IN A 172.16.32.156 ; (query('ldap', 'ip', 'intranet', 'infra') | ipv4)[0]
intranet.infra.crans.org IN A 172.16.32.156
unifi.infra.crans.org IN A {{ (query('ldap', 'ip', 'unifi', 'infra') | ipv4)[0] }}
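Review bot: `intranet.crans.org IN A 172.16.32.156` hardcodes the address while the intended lookup sits in a trailing comment, and `intranet.infra.crans.org` repeats the same literal; the other records in this file (`passerelle`, `unifi`) already use `(query('ldap', 'ip', ..., 'infra') | ipv4)[0]`. If the lookup was disabled because `intranet` has no LDAP entry yet, a `; TODO: switch to the ldap lookup once intranet is registered` keeps the next reader from either reverting it or forgetting it. The serial `0` never changes between deployments; that is harmless while this zone is only served inside the `infra` view with no secondaries, but worth a one-line comment so nobody adds a secondary without bumping it.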


@ -0,0 +1,31 @@
{{ ansible_header | comment(decoration='// ') }}
acl "srv" {
{{ query('ldap', 'network', 'srv') }};
2a0c:700:{{ query('ldap', 'vlanid', 'srv') }}::/48;
};
acl "srv-nat" {
{{ query('ldap', 'network', 'srv-nat') }};
2a0c:700:{{ query('ldap', 'vlanid', 'srv-nat') }}::/48;
};
acl "adm" {
{{ query('ldap', 'network', 'adm') }};
fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64;
};
acl "infra" {
{{ query('ldap', 'network', 'infra') }};
fd00:0:0:{{ query('ldap', 'vlanid', 'infra') }}::/64;
};
acl "adh" {
{{ query('ldap', 'network', 'adh') }};
2a0c:700:{{ query('ldap', 'vlanid', 'adh') }}::/48;
};
acl "adh-nat" {
{{ query('ldap', 'network', 'adh-nat') }};
2a0c:700:{{ query('ldap', 'vlanid', 'adh-nat') }}::/48;
};


@ -0,0 +1,34 @@
{{ ansible_header | comment(decoration='// ') }}
view "default" {
match-clients { any; };
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
};
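Review bot: `view "default"` with `match-clients { any; };` carries no `allow-recursion` (or `allow-query-cache`) statement, and this commit's task loop does not deploy the options template, so whether this recursive server answers recursive queries for arbitrary clients depends entirely on the package's default `named.conf.options`. The acls defined in `named.conf.acl` make the restriction a one-liner inside the view, `allow-recursion { adm; infra; adh; adh-nat; };` (choose the set of networks that should actually resolve through the routers), and it also keeps the server off open-resolver lists. BIND matches views in definition order, so the `infra` view in named.conf.local must keep being included before this file, as named.conf currently does; a comment at the top of this view noting that dependency would prevent a reorder from breaking it.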


@ -0,0 +1,14 @@
{{ ansible_header | comment(decoration='// ') }}
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.acl";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";


@ -0,0 +1,15 @@
{{ ansible_header | comment(decoration='// ') }}
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
view "infra" {
match-clients { infra; };
recursion no;
zone "." {
type master;
file "/etc/bind/db.infra";
};
};


@ -0,0 +1,26 @@
{{ ansible_header | comment(decoration='// ') }}
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
listen-on-v6 { any; };
};


@ -1,4 +1,16 @@
---
- name: Install dns dependencies
apt:
update_cache: true
install_recommends: false
name:
- python3-iso8601
- python3-jinja2
- python3-ldap
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Create dns directory
file:
path: /var/local/dns


@ -31,6 +31,7 @@
- name: Clone firewall repository
git:
repo: 'http://gitlab.adm.crans.org/nounous/firewall.git'
version: "{{ firewall.version }}"
dest: /var/local/firewall
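Review bot: The firewall ruleset is cloned over plain `http://gitlab.adm.crans.org/nounous/firewall.git` and now checked out at `version: "{{ firewall.version }}"`, which the host_vars in this commit set to `HEAD` for two routers and to the branch `gulp` for the third. A moving ref means the rules applied on the next run are whatever was last pushed, with no review gate; pinning `firewall.version` to a tag or commit for production routers (keeping `HEAD` only where a staging box is intended) makes deploys reproducible, and an `https://` or ssh URL removes the on-path substitution risk even on the adm vlan. The git task continues before and after the hunk.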
umask: '002'


@ -45,7 +45,9 @@ subnet {{ subnet.network | ipaddr('network') }} netmask {{ subnet.network | ipad
{% endif %}
option subnet-mask {{ subnet.network | ipaddr('netmask') }};
option broadcast-address {{ subnet.network | ipaddr('broadcast') }};
{% if subnet.routers is defined %}
option routers {{ subnet.routers }};
{% endif %}
option domain-name-servers {{ subnet.dns | join(", ") }};
option domain-name "{{ subnet.domain_name }}";
option domain-search "{{ subnet.domain_search }}";


@ -26,11 +26,11 @@ vrrp_instance {{ instance.tag }}4 {
virtual_ipaddress {
{% for zone in keepalived.pool[instance.name].zones %}
{% if zone.brd %}
{% if zone.brd %}
{{ zone.ipv4 }} brd {{ zone.ipv4 | ipaddr('broadcast') }} dev {{ interfaces[zone.vlan] }} scope global
{% else %}
{% else %}
{{ zone.ipv4 }} dev {{ interfaces[zone.vlan] }} scope global
{% endif %}
{% endif %}
{% endfor %}
}
}
@ -41,7 +41,7 @@ vrrp_instance {{ instance.tag }}6 {
priority {{ instance.priority }}
smtp_alert
interface {{ keepalived.pool[instance.name].administration }}
interface {{ interfaces.adm }}
virtual_router_id {{ keepalived.pool[instance.name].id }}
advert_int 2
authentication {


@ -0,0 +1,15 @@
---
- name: Install nftables
apt:
name: nftables
state: present
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Enable and start nftables
systemd:
name: nftables
enabled: true
state: started
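Review bot: The role enables and starts nftables but deploys no ruleset, so the service loads the package's `/etc/nftables.conf`, which on Debian is an accept-all skeleton that begins with `flush ruleset`; on its own this adds no filtering, and if the firewall role has already installed rules on the host, starting the service with the stock file presumably flushes them. The routers playbook lists `nftables` after `logall` and before the firewall play, so the ordering question matters here. A comment such as `# Rules are installed by the firewall role; this only provides the service` records the intent, and deploying a minimal `/etc/nftables.conf` that does not flush (or one that includes the firewall output) would make a reboot or restart safe regardless of order.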


@ -2,8 +2,8 @@
- name: Filter SSH on groups
lineinfile:
dest: /etc/ssh/sshd_config
regexp: ^AllowGroups
line: "AllowGroups {{ ssh_allow_groups }}"
regexp: ^#?PermitRootLogin
line: "PermitRootLogin yes"
state: present
notify: Restart sshd service
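Review bot: The task now writes `PermitRootLogin yes` in place of the `AllowGroups` restriction, and the base playbook in this commit applies this role to `server,!virtu`, so every non-virtualisation host will accept direct root logins, with a password too unless `PasswordAuthentication no` is set elsewhere in sshd_config (not visible here). If root over SSH is needed for automation, `PermitRootLogin prohibit-password` keeps it key-only, and the dropped `line: "AllowGroups {{ ssh_allow_groups }}"` should be restored as a second lineinfile item rather than replaced. The task name `Filter SSH on groups` no longer describes what it does; rename it, e.g. `- name: Configure root login policy`.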


@ -5,12 +5,12 @@ router bgp {{ bgp.as }}
bgp router-id {{ bgp.router_id_v4 }}
network {{ bgp.network_v4 }}
neighbor {{ bgp.neighbor_v4 }} remote-as {{ bgp.remote_as }}
!
router bgp {{ bgp.as }}
no synchronization
bgp router-id {{ bgp.router_id_v6 }}
network {{ bgp.network_v6 }}
neighbor {{ bgp.neighbor_v6 }} remote-as {{ bgp.remote_as }}
!
address-family ipv6
network {{ bgp.network_v6 }}
neighbor {{ bgp.neighbor_v6 }} activate
exit-address-family
!
log file /var/log/quagga/bgpd.log
log stdout


@ -8,7 +8,4 @@ log file /var/log/quagga/zebra.log
interface lo
!Table Zayo
table 26
line vty


@ -0,0 +1,5 @@
---
- name: Restart radvd service
service:
name: radvd
state: restarted


@ -0,0 +1,18 @@
---
- name: Install radvd
apt:
name: radvd
state: present
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Deploy radvd configuration
template:
src: radvd.conf.j2
dest: /etc/radvd.conf
mode: 0644
owner: root
group: root
notify: Restart radvd service


@ -0,0 +1,19 @@
{% for subnet in subnets %}
interface {{ interfaces[subnet.name] }} {
AdvSendAdvert on;
AdvDefaultPreference high;
MaxRtrAdvInterval 30;
prefix {{ subnet.prefix }} {
AdvRouterAddr on;
};
# La zone DNS
DNSSL {{ subnet.name | replace('_', '-') }}.crans.org {};
# Les DNS récursifs
{% for dns in subnet.dns %}
RDNSS {{ dns }} {};
{% endfor %}
};
{% endfor %}
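Review bot: The template advertises every prefix with `AdvDefaultPreference high;` and `AdvRouterAddr on;` from each host in `crans_routeurs` (the routers playbook applies the radvd role to the whole group), so clients see two default routers of equal preference regardless of which router currently holds the keepalived VIP. Whether that is intended, or whether the RA should follow VRRP state, is not visible here; a comment at the top of the template stating the choice, e.g. `{# Both routers advertise; clients are expected to pick either, VRRP only covers the VIP #}`, would keep a future reader from "fixing" it. The two French comments could also be English for consistency with the rest of the role's templates.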


@ -1 +1 @@
{{ ldap.private_key }}
{{ slapd.private_key }}


@ -1 +1 @@
{{ ldap.certificate }}
{{ slapd.certificate }}


@ -1,5 +0,0 @@
---
- name: Restart smartd
service:
name: smartd
state: restarted


@ -1,23 +0,0 @@
---
- name: Install smartd
apt:
update_cache: true
name: smartmontools
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Disable smartd autodiscovery
lineinfile:
path: /etc/smartd.conf
regexp: '(?i)^(DEVICESCAN.*)'
line: '#\1'
backrefs: true
notify: Restart smartd
- name: Monitor local HP SmartArray
lineinfile:
path: /etc/smartd.conf
regexp: '^/dev/sg0'
line: /dev/sg0 -a -d cciss,0 -m root
notify: Restart smartd


@ -9,20 +9,20 @@ PostUp = /sbin/ip link set sputnik alias adm
[Peer]
PublicKey = {{ wireguard.peer_public_key }}
AllowedIPs = 172.31.0.1/32, fd0c:700:0:8::1/128, 10.231.136.0/24, 2a0c:700:0:2::/64
Endpoint = 138.231.136.131:51820
AllowedIPs = 172.31.0.1/32, fd0c:700:0:8::1/128, {{ query('ldap', 'network', 'adm') }}, fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
Endpoint = {{ (query('ldap', 'ip', 'boeing', 'srv') | ipv4)[0] }}:51820
{% else %}
[Interface]
Address = 172.31.0.1/30, fd0c:700:0:8::1/64
ListenPort = 51820
PrivateKey = {{ wireguard.private_key }}
PostUp = ifup {{ wireguard.if }}; iptables -t nat -A PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -A POSTROUTING -j MASQUERADE; ip6tables -t nat -A PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -A POSTROUTING -j MASQUERADE
PostDown = ifdown {{ wireguard.if }}; iptables -t nat -D PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -D POSTROUTING -j MASQUERADE; ip6tables -t nat -D PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -D POSTROUTING -j MASQUERADE
# PostUp = ifup {{ wireguard.if }}; iptables -t nat -A PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -A POSTROUTING -j MASQUERADE; ip6tables -t nat -A PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -A POSTROUTING -j MASQUERADE
# PostDown = ifdown {{ wireguard.if }}; iptables -t nat -D PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -D POSTROUTING -j MASQUERADE; ip6tables -t nat -D PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -D POSTROUTING -j MASQUERADE
[Peer]
PublicKey = {{ wireguard.peer_public_key }}
AllowedIPs = 172.31.0.2/32, fd0c:700:0:8::2/128
Endpoint = 46.105.102.188:51820
Endpoint = {{ (query('ldap', 'ip', 'sputnik', 'srv') | ipv4)[0] }}:51820
{% endif %}
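Review bot: The `# PostUp` / `# PostDown` lines leave two long commented-out NAT rule sets in the rendered config with no explanation, while the `[Peer]` sections now derive endpoints and the adm `AllowedIPs` from LDAP; the next editor cannot tell whether the DNAT to 172.31.0.2 was retired or only parked. Delete them or replace them with a one-line `# NAT rules moved to the firewall role` (or whatever the actual reason is). The endpoint expressions `(query('ldap', 'ip', ..., 'srv') | ipv4)[0]` fail the whole render when the lookup is empty, which is the right failure mode; `{{ query('ldap', 'network', 'adm') }}` inside `AllowedIPs` has no such guard and would presumably render an empty list entry that wg-quick rejects, so it fails closed as well, but a comment noting that both are intentionally strict would help. The `{% if %}` this belongs to opens before the hunk.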