Merge branch 'newinfra' into 'interfaces'

# Conflicts: # lookup_plugins/ldap.py
2020-08-23 19:57:41 +02:00 · 2020-08-23 19:57:41 +02:00 · 22dee4e764
parent a65076dc28 54b67cacf7
commit 22dee4e764
40 changed files with 370 additions and 108 deletions
--- a/group_vars/dhcp.yml
+++ b/group_vars/dhcp.yml
@ -16,7 +16,28 @@ dhcp:
      domain_name: "adh-nat.crans.org"
      domain_search: "adh-nat.crans.org"
      options: []
-      lease_file: "/tmp/dhcp.list"
+      lease_file: "/tmp/adh-nat-dhcp.list"
    - network: "185.230.78.0/24"
      deny_unknown: True
      vlan: "adh"
      default_lease_time: "600"
      max_lease_time: "7200"
      routers: "185.230.78.99"
      dns: ["185.230.78.99"]
      domain_name: "adh.crans.org"
      domain_search: "adh.crans.org"
      options: []
      lease_file: "/tmp/adh-dhcp.list"
    - network: "172.16.32.0/22"
      deny_unknown: True
      vlan: "infra"
      default_lease_time: "600"
      max_lease_time: "7200"
      dns: ["172.16.32.99"]
      domain_name: "infra.crans.org"
      domain_search: "infra.crans.org"
      options: []
      lease_file: "/tmp/infra-dhcp.list"
 re2o:
  server: re2o.adm.crans.org
--- a/group_vars/keepalived.yml
+++ b/group_vars/keepalived.yml
@ -8,17 +8,23 @@ glob_keepalived:
    dhcp:
      password: "plopisverysecure"
      id: 60
-      ipv6: no
+      ipv6: yes
      notify: /usr/scripts/notify-dhcp
      zones:
-        - vlan: adh-nat
+        - vlan: adh
          ipv4: 185.230.78.99/24
          brd: true
          ipv6: 2a0c:700:12::ff:fe00:9912/48
        - vlan: adh_nat
          ipv4: 100.64.0.99/16
          brd: true
          ipv6: 2a0c:700:13::ff:fe00:9913/48
    radius:
      password: 'plopisverysecure'
      id: 61
-      ipv6: no
+      ipv6: yes
      zones:
        - vlan: infra
          ipv4: 172.16.32.99/22
          brd: true
          ipv6: fd00::11:0:ff:fe00:9911/64
--- a/group_vars/ldap_server.yml
+++ b/group_vars/ldap_server.yml
@ -3,4 +3,5 @@
 glob_slapd:
  master_ip: 172.16.10.1
  replication_credentials: "{{ vault_ldap_replication_credentials }}"
-
+  private_key: "{{ vault_ldap_private_key }}"
  certificate: "{{ vault_ldap_certificate }}"
--- a/host_vars/gulp.adm.crans.org.yml
+++ b/host_vars/gulp.adm.crans.org.yml
@ -7,6 +7,9 @@ interfaces:
  wifi_new: ens1f0.22
  zayo: ens1f0.26
 firewall:
  version: gulp
 loc_keepalived:
  instances:
    - name: router
--- a/host_vars/routeur-daniel.adm.crans.org.yml
+++ b/host_vars/routeur-daniel.adm.crans.org.yml
@ -7,6 +7,8 @@ interfaces:
  adh: ens22
  adh_nat: ens23
 firewall:
  version: HEAD
 loc_keepalived:
  instances:
--- a/host_vars/routeur-sam.adm.crans.org.yml
+++ b/host_vars/routeur-sam.adm.crans.org.yml
@ -8,6 +8,8 @@ interfaces:
  adh_nat: ens23
  srv_old: ens1
 firewall:
  version: HEAD
 loc_keepalived:
  instances:
--- a/6
+++ b/6
@ -44,7 +44,7 @@ sam.adm.crans.org
 daniel.adm.crans.org
 jack.adm.crans.org
-[slapd]
+[ldap_server]
 tealc.adm.crans.org
 sam.adm.crans.org
 daniel.adm.crans.org
@ -58,7 +58,6 @@ routeur-daniel.adm.crans.org
 routeur-sam.adm.crans.org
 routeur-daniel.adm.crans.org
 [crans_routeurs:children]
 dhcp
 keepalived
@ -69,6 +68,7 @@ tealc.adm.crans.org
 sam.adm.crans.org
 daniel.adm.crans.org
 jack.adm.crans.org
 gulp.adm.crans.org
 [crans_vm]
 voyager.adm.crans.org
@ -79,6 +79,8 @@ belenios # on changera plus tard
 re2o-ldap.adm.crans.org
 gitlab-ci.adm.crans.org
 hodaur.adm.crans.org
 monitoring.adm.crans.org
 boeing.adm.crans.org
 [ovh_physical]
 sputnik.adm.crans.org
--- a/lookup_plugins/ldap.py
+++ b/lookup_plugins/ldap.py
@ -103,10 +103,18 @@ class LookupModule(LookupBase):
            query_id = self.base.search(f"cn={network},ou=networks,{self.base_dn}", ldap.SCOPE_BASE, "objectClass=ipNetwork")
            result = self.base.result(query_id)
            result = result[1][0][1]
-            return {
+            return str(ipaddress.ip_network('{}/{}'.format(result['ipNetworkNumber'][0].decode('utf-8'), result['ipNetmaskNumber'][0].decode('utf-8'))))
-                'network': result['ipNetworkNumber'][0].decode('utf-8'),
+        elif terms[0] == 'zones':
-                'netmask': result['ipNetmaskNumber'][0].decode('utf-8'),
+            query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, "objectClass=ipNetwork")
-            }
+            result = self.base.result(query_id)
            res = []
            for _, network in result[1]:
                network = network['cn'][0].decode('utf-8')
                if network == 'srv':
                    res.append('crans.org')
                else:
                    res.append(f"{network}.crans.org")
            result = res
        elif terms[0] == 'vlanid':
            network = terms[1]
            query_id = self.base.search(f"cn={network},ou=networks,{self.base_dn}", ldap.SCOPE_BASE, "objectClass=ipNetwork")
--- a/lookup_plugins/re2oapi.py
+++ b/lookup_plugins/re2oapi.py
@ -638,6 +638,14 @@ class LookupModule(LookupBase):
    def _getreverse(self, api_client):
        display.v("Getting dns reverse zones")
        return [
            '76.230.185.in-addr.arpa',
            '77.230.185.in-addr.arpa',
            '78.230.185.in-addr.arpa',
            '79.230.185.in-addr.arpa',
            '0.0.7.0.c.0.a.2.ip6.arpa',
        ]
        zones, res = None, None
        if self._is_cached('dnsreverse'):
--- a/plays/dns.yml
+++ b/plays/dns.yml
@ -1,8 +1,9 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Deploy recursive DNS cache server
- hosts: odlyd.adm.crans.org
+- hosts: routeur-sam.adm.crans.org,routeur-daniel.adm.crans.org
-  roles: ["bind-recursive"]
+  roles:
    - bind-recursive
 # Deploy authoritative DNS server
 - hosts: silice.adm.crans.org,sputnik.adm.crans.org,boeing.adm.crans.org
@ -10,11 +11,12 @@
    certbot_dns_secret: "{{ vault_certbot_dns_secret }}"
    certbot_adm_dns_secret: "{{ vault_certbot_adm_dns_secret }}"
    bind:
-      masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
+      masters: "{{ query('ldap', 'role', 'dns-primary') }}"
-      slaves: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-slave')[0] }}"
+      slaves: "{{ query('ldap', 'role', 'dns-secondary') }}"
-      zones: "{{ lookup('re2oapi', 'dnszones') }}"
+      zones: "{{ (lookup('re2oapi', 'dnszones') + query('ldap', 'zones')) | unique }}"
      reverse: "{{ lookup('re2oapi', 'dnsreverse') }}"
-  roles: ["bind-authoritative"]
+  roles:
    - bind-authoritative
 - hosts: silice.adm.crans.org
  vars:
--- a/plays/firewall.yml
+++ b/plays/firewall.yml
@ -4,11 +4,31 @@
 - hosts: crans_routeurs
  roles:
    - sysctl-forwarding
    - logall
    - nftables
 - hosts: routeur-sam.adm.crans.org
  roles:
    - arp-proxy
 - hosts: crans_routeurs
  vars:
    subnets:
      - name: infra
        prefix: fd00:0:0:11::/64
        dns:
          - fd00::11:0:ff:fe00:9911
      - name: adh
        prefix: 2a0c:700:12::/64
        dns:
          - 2a0c:700:12::ff:fe00:9912
      - name: adh_nat
        prefix: 2a0c:700:13::/64
        dns:
          - 2a0c:700:13::ff:fe00:9913
  roles:
    - radvd
 # Deploy firewall
 - hosts: crans_routeurs
  vars:
--- a/plays/monitoring.yml
+++ b/plays/monitoring.yml
@ -1,7 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Deploy Prometheus and Grafana on monitoring server
- hosts: fyre.adm.crans.org
+- hosts: monitoring.adm.crans.org
  vars:
    # Prometheus targets.json
    prometheus:
@ -72,11 +72,6 @@
    adm_ipv4: "{{ ansible_all_ipv4_addresses | ipaddr(adm_subnet) | first }}"
  roles: ["prometheus-apache-exporter"]
 # Configure HP RAID monitoring
 # You can list SCSI drives with `lsscsi -g`
 - hosts: fyre.adm.crans.org,gateau.adm.crans.org
  roles: ["smartd-hp-smartarray"]
 # Monitor mailq with a special text exporter
 - hosts: redisdead.adm.crans.org
  roles: ["prometheus-node-exporter-postfix"]
--- a/plays/root.yml
+++ b/plays/root.yml
@ -31,7 +31,7 @@
    - qemu-guest-agent
    - serial-tty
- hosts: slapd
+- hosts: ldap_server
  vars:
    slapd: '{{ glob_slapd | combine(loc_slapd | default({})) }}'
    ldap:
@ -46,3 +46,7 @@
  roles:
    - ldap-client
    - home-nounous
 - hosts: server,!virtu
  roles:
    - openssh
--- a/roles/bind-authoritative/tasks/main.yml
+++ b/roles/bind-authoritative/tasks/main.yml
@ -7,17 +7,9 @@
  retries: 3
  until: apt_result is succeeded
 - name: Lookup DNS servers
  set_fact:
    masters_ipv4: "{{ bind.masters | json_query('servers[].interface[?vlan_id==`2`].ipv4[]') }}"
    masters_ipv6: "{{ bind.masters | json_query('servers[].interface[?vlan_id==`2`].ipv6[][].ipv6') }}"
    slaves_ipv4: "{{ bind.slaves | json_query('servers[].interface[?vlan_id==`2`].ipv4[]') }}"
    slaves_ipv6: "{{ bind.slaves | json_query('servers[].interface[?vlan_id==`2`].ipv6[][].ipv6') }}"
    cacheable: true
 - name: Is this the master?
  set_fact:
-    is_master: "{{ ansible_all_ipv4_addresses | intersect(masters_ipv4) | length > 0 }}"
+    is_master: "{{ ansible_hostname in query('ldap', 'role', 'dns-primary') }}"
    cacheable: true
 - name: Deploy Bind9 configuration
--- a/roles/bind-authoritative/templates/bind/named.conf.local.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2
@ -27,11 +27,10 @@ zone "_acme-challenge.crans.org" {
 {% else %}
 	type slave;
 	masters {
-{% for ip in masters_ipv4 %}
+{% for host in bind.masters %}
 {% for ip in query('ldap', 'ip', host, 'adm') %}
 		{{ ip }};
 {% endfor -%}
 {% for ip in masters_ipv6 %}
 		{{ ip }};
 {% endfor %}
 	};
 	notify no;
@ -50,11 +49,10 @@ zone "_acme-challenge.adm.crans.org" {
 {% else %}
 	type slave;
 	masters {
-{% for ip in masters_ipv4 %}
+{% for host in bind.masters %}
 {% for ip in query('ldap', 'ip', host, 'adm') %}
 		{{ ip }};
 {% endfor -%}
 {% for ip in masters_ipv6 %}
 		{{ ip }};
 {% endfor %}
 	};
 	notify no;
@ -72,11 +70,10 @@ zone "_acme-challenge.crans.fr" {
 {% else %}
 	type slave;
 	masters {
-{% for ip in masters_ipv4 %}
+{% for host in bind.masters %}
 {% for ip in query('ldap', 'ip', host, 'adm') %}
 		{{ ip }};
 {% endfor -%}
 {% for ip in masters_ipv6 %}
 		{{ ip }};
 {% endfor %}
 	};
 	notify no;
@ -94,11 +91,10 @@ zone "_acme-challenge.crans.eu" {
 {% else %}
 	type slave;
 	masters {
-{% for ip in masters_ipv4 %}
+{% for host in bind.masters %}
 {% for ip in query('ldap', 'ip', host, 'adm') %}
 		{{ ip }};
 {% endfor -%}
 {% for ip in masters_ipv6 %}
 		{{ ip }};
 {% endfor %}
 	};
 	notify no;
@ -118,11 +114,10 @@ zone "{{ zone }}" {
 	type slave;
 	file "bak.{{ zone }}";
 	masters {
-{% for ip in masters_ipv4 %}
+{% for host in bind.masters %}
-		{{ ip }};
+{% for ip in query('ldap', 'ip', host, 'adm') %}
 {% endfor %}
 {% for ip in masters_ipv6 %}
 		{{ ip }};
 {% endfor -%}
 {% endfor %}
 	};
 	notify no;
@ -143,11 +138,10 @@ zone "{{ zone }}" {
 	type slave;
 	file "bak.{{ zone }}";
 	masters {
-{% for ip in masters_ipv4 %}
+{% for host in bind.masters %}
-		{{ ip }};
+{% for ip in query('ldap', 'ip', host, 'adm') %}
 {% endfor %}
 {% for ip in masters_ipv6 %}
 		{{ ip }};
 {% endfor -%}
 {% endfor %}
 	};
 	notify no;
--- a/roles/bind-authoritative/templates/bind/named.conf.options.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.options.j2
@ -32,20 +32,18 @@ options {
 {% if is_master %}
 	allow-transfer {
-{% for ip in slaves_ipv4 %}
+{% for host in bind.slaves %}
 {% for ip in query('ldap', 'ip', host, 'adm') %}
 		{{ ip }};
 {% endfor %}
 {% for ip in slaves_ipv6 %}
 		{{ ip }};
 {% endfor %}
 	};
 	also-notify {
-{% for ip in slaves_ipv4 %}
+{% for host in bind.slaves %}
 {% for ip in query('ldap', 'ip', host, 'adm') %}
 		{{ ip }};
 {% endfor %}
 {% for ip in slaves_ipv6 %}
 		{{ ip }};
 {% endfor %}
 	};
 {% else %}
--- a/roles/bind-recursive/handlers/main.yml
+++ b/roles/bind-recursive/handlers/main.yml
@ -0,0 +1,5 @@
 ---
 - name: Reload bind9
  systemd:
    name: bind9
    state: reloaded
--- a/roles/bind-recursive/tasks/main.yml
+++ b/roles/bind-recursive/tasks/main.yml
@ -6,3 +6,17 @@
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Deploy Bind9 configuration
  template:
    src: bind/{{ item }}.j2
    dest: /etc/bind/{{ item }}
    mode: 0644
  loop:
    - named.conf
    - named.conf.acl
    # - named.conf.options
    - named.conf.local
    - named.conf.default-zones
    - db.infra
  notify: Reload bind9
--- a/roles/bind-recursive/templates/bind/db.infra.j2
+++ b/roles/bind-recursive/templates/bind/db.infra.j2
@ -0,0 +1,24 @@
 {{ ansible_header | comment(decoration='; ') }}
 $TTL 0
@ IN SOA silice.crans.org root.crans.org (
 	0 ; serial
 	3600 ; refresh (1hr)
 	1800 ; retry (30mn)
 	604800 ; expire (7dy)
 	0 ; TTL (0s)
 	)
@ IN NS passerelle.infra.crans.org
 passerelle.infra.crans.org IN A {{ (query('ldap', 'ip', 'passerelle', 'infra') | ipv4)[0] }}
 * IN CNAME crans.org
 *.org IN CNAME crans.org
 *.fr IN CNAME crans.org
 *.com IN CNAME crans.org
 intranet.crans.org IN A 172.16.32.156 ; (query('ldap', 'ip', 'intranet', 'infra') | ipv4)[0]
 intranet.infra.crans.org IN A 172.16.32.156
 unifi.infra.crans.org IN A {{ (query('ldap', 'ip', 'unifi', 'infra') | ipv4)[0] }}
--- a/roles/bind-recursive/templates/bind/named.conf.acl.j2
+++ b/roles/bind-recursive/templates/bind/named.conf.acl.j2
@ -0,0 +1,31 @@
 {{ ansible_header | comment(decoration='// ') }}
 acl "srv" {
 	{{ query('ldap', 'network', 'srv') }};
 	2a0c:700:{{ query('ldap', 'vlanid', 'srv') }}::/48;
 };
 acl "srv-nat" {
 	{{ query('ldap', 'network', 'srv-nat') }};
 	2a0c:700:{{ query('ldap', 'vlanid', 'srv-nat') }}::/48;
 };
 acl "adm" {
 	{{ query('ldap', 'network', 'adm') }};
 	fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64;
 };
 acl "infra" {
 	{{ query('ldap', 'network', 'infra') }};
 	fd00:0:0:{{ query('ldap', 'vlanid', 'infra') }}::/64;
 };
 acl "adh" {
 	{{ query('ldap', 'network', 'adh') }};
 	2a0c:700:{{ query('ldap', 'vlanid', 'adh') }}::/48;
 };
 acl "adh-nat" {
 	{{ query('ldap', 'network', 'adh-nat') }};
 	2a0c:700:{{ query('ldap', 'vlanid', 'adh-nat') }}::/48;
 };
--- a/roles/bind-recursive/templates/bind/named.conf.default-zones.j2
+++ b/roles/bind-recursive/templates/bind/named.conf.default-zones.j2
@ -0,0 +1,34 @@
 {{ ansible_header | comment(decoration='// ') }}
 view "default" {
 	match-clients { any; };
 	// prime the server with knowledge of the root servers
 	zone "." {
 		type hint;
 		file "/usr/share/dns/root.hints";
 	};
 	// be authoritative for the localhost forward and reverse zones, and for
 	// broadcast zones as per RFC 1912
 	zone "localhost" {
 		type master;
 		file "/etc/bind/db.local";
 	};
 	zone "127.in-addr.arpa" {
 		type master;
 		file "/etc/bind/db.127";
 	};
 	zone "0.in-addr.arpa" {
 		type master;
 		file "/etc/bind/db.0";
 	};
 	zone "255.in-addr.arpa" {
 		type master;
 		file "/etc/bind/db.255";
 	};
 };
--- a/roles/bind-recursive/templates/bind/named.conf.j2
+++ b/roles/bind-recursive/templates/bind/named.conf.j2
@ -0,0 +1,14 @@
 {{ ansible_header | comment(decoration='// ') }}
 // This is the primary configuration file for the BIND DNS server named.
 //
 // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
 // structure of BIND configuration files in Debian, *BEFORE* you customize
 // this configuration file.
 //
 // If you are just adding zones, please do that in /etc/bind/named.conf.local
 include "/etc/bind/named.conf.acl";
 include "/etc/bind/named.conf.options";
 include "/etc/bind/named.conf.local";
 include "/etc/bind/named.conf.default-zones";
--- a/roles/bind-recursive/templates/bind/named.conf.local.j2
+++ b/roles/bind-recursive/templates/bind/named.conf.local.j2
@ -0,0 +1,15 @@
 {{ ansible_header | comment(decoration='// ') }}
 // Consider adding the 1918 zones here, if they are not used in your
 // organization
 //include "/etc/bind/zones.rfc1918";
 view "infra" {
 	match-clients { infra; };
 	recursion no;
 	zone "." {
 		type master;
 		file "/etc/bind/db.infra";
 	};
 };
--- a/roles/bind-recursive/templates/bind/named.conf.options.j2
+++ b/roles/bind-recursive/templates/bind/named.conf.options.j2
@ -0,0 +1,26 @@
 {{ ansible_header | comment(decoration='// ') }}
 options {
 	directory "/var/cache/bind";
 	// If there is a firewall between you and nameservers you want
 	// to talk to, you may need to fix the firewall to allow multiple
 	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
 	// If your ISP provided one or more IP addresses for stable
 	// nameservers, you probably want to use them as forwarders.
 	// Uncomment the following block, and insert the addresses replacing
 	// the all-0's placeholder.
 	// forwarders {
 	// 	0.0.0.0;
 	// };
 	//========================================================================
 	// If BIND logs error messages about the root key being expired,
 	// you will need to update your keys.  See https://www.isc.org/bind-keys
 	//========================================================================
 	dnssec-validation auto;
 	listen-on-v6 { any; };
 };
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@ -1,4 +1,16 @@
 ---
 - name: Install dns dependencies
  apt:
    update_cache: true
    install_recommends: false
    name:
      - python3-iso8601
      - python3-jinja2
      - python3-ldap
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Create dns directory
  file:
    path: /var/local/dns
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@ -31,6 +31,7 @@
 - name: Clone firewall repository
  git:
    repo: 'http://gitlab.adm.crans.org/nounous/firewall.git'
    version: "{{ firewall.version }}"
    dest: /var/local/firewall
    umask: '002'
--- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
+++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
@ -45,7 +45,9 @@ subnet {{ subnet.network | ipaddr('network') }} netmask {{ subnet.network | ipad
 {% endif %}
       option subnet-mask {{ subnet.network | ipaddr('netmask') }};
       option broadcast-address {{ subnet.network | ipaddr('broadcast') }};
 {% if subnet.routers is defined %}
       option routers {{ subnet.routers }};
 {% endif %}
       option domain-name-servers {{ subnet.dns | join(", ") }};
       option domain-name "{{ subnet.domain_name }}";
       option domain-search "{{ subnet.domain_search }}";
--- a/roles/keepalived/templates/keepalived/keepalived.conf.j2
+++ b/roles/keepalived/templates/keepalived/keepalived.conf.j2
@ -41,7 +41,7 @@ vrrp_instance {{ instance.tag }}6 {
  priority {{ instance.priority }}
  smtp_alert
-  interface {{ keepalived.pool[instance.name].administration }}
+  interface {{ interfaces.adm }}
  virtual_router_id {{ keepalived.pool[instance.name].id }}
  advert_int 2
  authentication {
--- a/roles/nftables/tasks/main.yml
+++ b/roles/nftables/tasks/main.yml
@ -0,0 +1,15 @@
 ---
 - name: Install nftables
  apt:
    name: nftables
    state: present
    update_cache: true
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Enable and start nftables
  systemd:
    name: nftables
    enabled: true
    state: started
--- a/roles/openssh/tasks/main.yml
+++ b/roles/openssh/tasks/main.yml
@ -2,8 +2,8 @@
 - name: Filter SSH on groups
  lineinfile:
    dest: /etc/ssh/sshd_config
-    regexp: ^AllowGroups
+    regexp: ^#?PermitRootLogin
-    line: "AllowGroups {{ ssh_allow_groups }}"
+    line: "PermitRootLogin yes"
    state: present
  notify: Restart sshd service
--- a/roles/quagga/templates/quagga/bgpd.conf.j2
+++ b/roles/quagga/templates/quagga/bgpd.conf.j2
@ -5,12 +5,12 @@ router bgp {{ bgp.as }}
 bgp router-id {{ bgp.router_id_v4 }}
 network {{ bgp.network_v4 }}
 neighbor {{ bgp.neighbor_v4 }} remote-as {{ bgp.remote_as }}
 !
 router bgp {{ bgp.as }}
 no synchronization
 bgp router-id {{ bgp.router_id_v6 }}
 network {{ bgp.network_v6 }}
 neighbor {{ bgp.neighbor_v6 }} remote-as {{ bgp.remote_as }}
 !
 address-family ipv6
 network {{ bgp.network_v6 }}
 neighbor {{ bgp.neighbor_v6 }} activate
 exit-address-family
 !
 log file /var/log/quagga/bgpd.log
 log stdout
--- a/roles/quagga/templates/quagga/zebra.conf.j2
+++ b/roles/quagga/templates/quagga/zebra.conf.j2
@ -8,7 +8,4 @@ log file /var/log/quagga/zebra.log
 interface lo
 !Table Zayo
 table 26
 line vty
--- a/roles/radvd/handlers/main.yml
+++ b/roles/radvd/handlers/main.yml
@ -0,0 +1,5 @@
 ---
 - name: Restart radvd service
  service:
    name: radvd
    state: restarted
--- a/roles/radvd/tasks/main.yml
+++ b/roles/radvd/tasks/main.yml
@ -0,0 +1,18 @@
 ---
 - name: Install radvd
  apt:
    name: radvd
    state: present
    update_cache: true
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Deploy radvd configuration
  template:
    src: radvd.conf.j2
    dest: /etc/radvd.conf
    mode: 0644
    owner: root
    group: root
  notify: Restart radvd service
--- a/roles/radvd/templates/radvd.conf.j2
+++ b/roles/radvd/templates/radvd.conf.j2
@ -0,0 +1,19 @@
 {% for subnet in subnets %}
 interface {{ interfaces[subnet.name] }} {
 	AdvSendAdvert on;
 	AdvDefaultPreference high;
 	MaxRtrAdvInterval 30;
 	prefix {{ subnet.prefix }} {
 		AdvRouterAddr on;
 	};
 	# La zone DNS
 	DNSSL {{ subnet.name | replace('_', '-') }}.crans.org {};
 	# Les DNS récursifs
 {% for dns in subnet.dns %}
 	RDNSS {{ dns }} {};
 {% endfor %}
 };
 {% endfor %}
--- a/roles/slapd/templates/ldap/ldap.key.j2
+++ b/roles/slapd/templates/ldap/ldap.key.j2
@ -1 +1 @@
-{{ ldap.private_key }}
+{{ slapd.private_key }}
--- a/roles/slapd/templates/ldap/ldap.pem.j2
+++ b/roles/slapd/templates/ldap/ldap.pem.j2
@ -1 +1 @@
-{{ ldap.certificate }}
+{{ slapd.certificate }}
--- a/roles/smartd-hp-smartarray/handlers/main.yml
+++ b/roles/smartd-hp-smartarray/handlers/main.yml
@ -1,5 +0,0 @@
 ---
 - name: Restart smartd
  service:
    name: smartd
    state: restarted
--- a/roles/smartd-hp-smartarray/tasks/main.yml
+++ b/roles/smartd-hp-smartarray/tasks/main.yml
@ -1,23 +0,0 @@
 ---
 - name: Install smartd
  apt:
    update_cache: true
    name: smartmontools
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Disable smartd autodiscovery
  lineinfile:
    path: /etc/smartd.conf
    regexp: '(?i)^(DEVICESCAN.*)'
    line: '#\1'
    backrefs: true
  notify: Restart smartd
 - name: Monitor local HP SmartArray
  lineinfile:
    path: /etc/smartd.conf
    regexp: '^/dev/sg0'
    line: /dev/sg0 -a -d cciss,0 -m root
  notify: Restart smartd
--- a/roles/wireguard/templates/wireguard/sputnik.conf.j2
+++ b/roles/wireguard/templates/wireguard/sputnik.conf.j2
@ -9,20 +9,20 @@ PostUp = /sbin/ip link set sputnik alias adm
 [Peer]
 PublicKey = {{ wireguard.peer_public_key }}
-AllowedIPs = 172.31.0.1/32, fd0c:700:0:8::1/128, 10.231.136.0/24, 2a0c:700:0:2::/64
+AllowedIPs = 172.31.0.1/32, fd0c:700:0:8::1/128, {{ query('ldap', 'network', 'adm') }}, fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
-Endpoint = 138.231.136.131:51820
+Endpoint = {{ (query('ldap', 'ip', 'boeing', 'srv') | ipv4)[0] }}:51820
 {% else %}
 [Interface]
 Address = 172.31.0.1/30, fd0c:700:0:8::1/64
 ListenPort = 51820
 PrivateKey = {{ wireguard.private_key }}
-PostUp =   ifup   {{ wireguard.if }}; iptables -t nat -A PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -A POSTROUTING -j MASQUERADE; ip6tables -t nat -A PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -A POSTROUTING -j MASQUERADE
+# PostUp =   ifup   {{ wireguard.if }}; iptables -t nat -A PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -A POSTROUTING -j MASQUERADE; ip6tables -t nat -A PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -A POSTROUTING -j MASQUERADE
-PostDown = ifdown {{ wireguard.if }}; iptables -t nat -D PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -D POSTROUTING -j MASQUERADE; ip6tables -t nat -D PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -D POSTROUTING -j MASQUERADE
+# PostDown = ifdown {{ wireguard.if }}; iptables -t nat -D PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -D POSTROUTING -j MASQUERADE; ip6tables -t nat -D PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -D POSTROUTING -j MASQUERADE
 [Peer]
 PublicKey = {{ wireguard.peer_public_key }}
 AllowedIPs = 172.31.0.2/32, fd0c:700:0:8::2/128
-Endpoint = 46.105.102.188:51820
+Endpoint = {{ (query('ldap', 'ip', 'sputnik', 'srv') | ipv4)[0] }}:51820
 {% endif %}
`@ -1 +1 @@`
	`{{ ldap.private_key }}`	`{{ slapd.private_key }}`
`@ -1 +1 @@`
	`{{ ldap.certificate }}`	`{{ slapd.certificate }}`