From 76421036b2fc160d1d71f92775400f1ffd60eaac Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Sun, 19 Jul 2020 14:57:32 +0200 Subject: [PATCH 01/36] [home-nounous] added home-nounous role --- roles/home-nounous/tasks/main.yml | 13 +++++++++++++ .../templates/systemd/system/home.mount.j2 | 14 ++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 roles/home-nounous/tasks/main.yml create mode 100644 roles/home-nounous/templates/systemd/system/home.mount.j2 diff --git a/roles/home-nounous/tasks/main.yml b/roles/home-nounous/tasks/main.yml new file mode 100644 index 00000000..41e03224 --- /dev/null +++ b/roles/home-nounous/tasks/main.yml @@ -0,0 +1,13 @@ +--- +- name: Deploy nfs systemd mount + template: + src: systemd/system/home.mount.j2 + dest: /etc/systemd/system/home.mount + mode: 0755 + +- name: Load and activate nfs systemd mount + systemd: + name: home.mount + daemon_reload: true + enabled: true + state: started diff --git a/roles/home-nounous/templates/systemd/system/home.mount.j2 b/roles/home-nounous/templates/systemd/system/home.mount.j2 new file mode 100644 index 00000000..8f9babaf --- /dev/null +++ b/roles/home-nounous/templates/systemd/system/home.mount.j2 @@ -0,0 +1,14 @@ +{{ ansible_header | comment }} +[Unit] +Description=Mount home +Wants=network-online.target +After=network-online.target + +[Mount] +What=tealc.adm.crans.org:/pool/home +Where=/home +Type=nfs +Options=rw,nosuid + +[Install] +WantedBy=multi-user.target From 391d855fa7c697d241c11f33388903609c3f84ec Mon Sep 17 00:00:00 2001 
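Review bot: `mode: 0755` on the templated `/etc/systemd/system/home.mount` is an unquoted octal literal (YAML reads it as the integer 493, which Ansible accepts but ansible-lint flags) and it also sets an execute bit that a unit file never needs; the documented form is the quoted, non-executable `mode: "0644"`. The same unquoted-octal style recurs in the slapd role's `mode: 0600` (patch 08). Quoting the mode keeps both yamllint and ansible-lint quiet and makes the intended permission explicit.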
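Review bot: `Options=rw,nosuid` omits `nodev`, so device nodes on a user-writable, network-served home directory would still be honoured; `nosuid,nodev` is the usual pair for such a mount, i.e. `Options=rw,nosuid,nodev`. The export target is hard-coded in the template (`tealc.adm.crans.org:/pool/home` here, switched to a bare IP in patch 03) rather than rendered from a role variable, which is how the ldap-client role in this series handles its endpoints. No `sec=` option is given, so the mount relies on the export's default security flavour — presumably AUTH_SYS; a one-line comment in the unit stating that this is intentional would help the next reader.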
From: Benjamin Graillot Date: Sun, 19 Jul 2020 15:30:38 +0200 Subject: [PATCH 02/36] [ldap-client] use nounous ldap --- roles/ldap-client/tasks/main.yml | 34 +++++++++++--------- roles/ldap-client/templates/bin/chsh.j2 | 4 --- roles/ldap-client/templates/bin/chsh.ldap.j2 | 4 --- roles/ldap-client/templates/bin/passwd.j2 | 3 -- roles/ldap-client/templates/nslcd.conf.j2 | 30 +++++++---------- 5 files changed, 31 insertions(+), 44 deletions(-) delete mode 100644 roles/ldap-client/templates/bin/chsh.j2 delete mode 100644 roles/ldap-client/templates/bin/chsh.ldap.j2 delete mode 100644 roles/ldap-client/templates/bin/passwd.j2 diff --git a/roles/ldap-client/tasks/main.yml b/roles/ldap-client/tasks/main.yml index 8195e6f1..f03a809f 100644 --- a/roles/ldap-client/tasks/main.yml +++ b/roles/ldap-client/tasks/main.yml @@ -4,17 +4,14 @@ apt: update_cache: true name: - - nslcd - libnss-ldapd - - libpam-ldapd - - nscd # local cache state: present register: apt_result retries: 3 until: apt_result is succeeded # Configure /etc/nslcd.conf -- name: Configure nslcd LDAP credentials +- name: Configure nslcd template: src: nslcd.conf.j2 dest: /etc/nslcd.conf @@ -26,20 +23,27 @@ lineinfile: dest: /etc/nsswitch.conf regexp: "^{{ item }}:" - line: "{{ item }}: files ldap" + line: "{{ item }}: files systemd ldap" loop: - passwd - group - - shadow notify: Restart nslcd service -# Disable passwd and chsh -- name: Copy passwd and chsh scripts - template: - src: "bin/{{ item }}.j2" - dest: "/usr/local/bin/{{ item }}" - mode: 0755 +- name: Configure NSS to use LDAP + lineinfile: + dest: /etc/nsswitch.conf + regexp: "^{{ item }}:" + line: "{{ item }}: files ldap" loop: - - chsh - - chsh.ldap - - passwd + - shadow + - networks + notify: Restart nslcd service + +- name: Configure NSS to use LDAP + lineinfile: + dest: /etc/nsswitch.conf + regexp: "^{{ item }}:" + line: "{{ item }}: files dns ldap" + loop: + - hosts + notify: Restart nslcd service 
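Review bot: The three `lineinfile` tasks added in the second hunk all carry the same name, `Configure NSS to use LDAP`, which makes play output and `--start-at-task` ambiguous; give them distinct names or fold them into one task looping over items that carry both the map and its line (e.g. `{ map: hosts, line: "files dns ldap" }` — constructed), since only the map names and the `line:` value differ. The first hunk drops `nslcd` from the package list while the role still templates `/etc/nslcd.conf` and notifies `Restart nslcd service`; that presumably works because `libnss-ldapd` pulls `nslcd` in as a dependency, but the dependency is now implicit and a short comment on the package list would record it. Removing `libpam-ldapd` and `nscd` from the list does not uninstall them on hosts that already have them, so existing machines keep their previous PAM-through-LDAP setup until an explicit `state: absent` task is added.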
diff --git a/roles/ldap-client/templates/bin/chsh.j2 b/roles/ldap-client/templates/bin/chsh.j2 deleted file mode 100644 index 37462f78..00000000 --- a/roles/ldap-client/templates/bin/chsh.j2 +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh -{{ ansible_header | comment }} -echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}" - diff --git a/roles/ldap-client/templates/bin/chsh.ldap.j2 b/roles/ldap-client/templates/bin/chsh.ldap.j2 deleted file mode 100644 index 175fdfc1..00000000 --- a/roles/ldap-client/templates/bin/chsh.ldap.j2 +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh -{{ ansible_header | comment }} -echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}" -echo "De toutes façons la vraie commande aurait pas marché, on installe pas nslcd-utils sur les serveurs normalement." diff --git a/roles/ldap-client/templates/bin/passwd.j2 b/roles/ldap-client/templates/bin/passwd.j2 deleted file mode 100644 index 40b04126..00000000 --- a/roles/ldap-client/templates/bin/passwd.j2 +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -{{ ansible_header | comment }} -echo "Pour changer votre mot de passe,\nAllez sur l'intranet : {{intranet_url}}" diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2 index e634dd23..f55c1a67 100644 --- a/roles/ldap-client/templates/nslcd.conf.j2 +++ b/roles/ldap-client/templates/nslcd.conf.j2 
@@ -1,35 +1,30 @@ {{ ansible_header | comment }} +# /etc/nslcd.conf +# nslcd configuration file. See nslcd.conf(5) +# for details. # The user and group nslcd should run as. uid nslcd gid nslcd # The location at which the LDAP server(s) should be reachable. -{% if ldap_local_replica_uri is defined %} -{% for uri in ldap_local_replica_uri %} -uri {{ uri }} +{% if ldap.local %} +uri ldapi:/// +{% else %} +{% for server in ldap.servers %} +uri ldaps://{{ server }}/ {% endfor %} {% endif %} -uri {{ ldap_master_uri }} # The search base that will be used for all queries. -base {{ ldap_base }} -base passwd {{ ldap_user_tree }} -base shadow {{ ldap_user_tree }} -base group ou=posix,ou=groups,{{ ldap_base }} +base dc=crans,dc=org # The LDAP protocol version to use. -ldap_version 3 - -# Time limit to wait for an answer -timelimit 5 - -# Time limit to wait for a bind -bind_timelimit 5 +#ldap_version 3 # The DN to bind with for normal lookups. -binddn {{ ldap_nslcd_bind_dn }} -bindpw {{ ldap_nslcd_passwd }} +#binddn cn=annonymous,dc=example,dc=net +#bindpw secret # The DN used for password modifications by root. #rootpwmoddn cn=admin,dc=example,dc=com @@ -41,4 +36,3 @@ tls_cacertfile /etc/ssl/certs/ca-certificates.crt # The search scope. #scope sub - From 2310a08594f88bc5541688ddada90d95d6a37205 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Sun, 19 Jul 2020 18:04:59 +0200 Subject: [PATCH 03/36] [home-nounous] install nfs-common --- roles/home-nounous/tasks/main.yml | 10 ++++++++++ .../templates/systemd/system/home.mount.j2 | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/roles/home-nounous/tasks/main.yml b/roles/home-nounous/tasks/main.yml index 41e03224..25c533e0 100644 --- a/roles/home-nounous/tasks/main.yml +++ b/roles/home-nounous/tasks/main.yml 
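Review bot: The rendered config now binds anonymously — the templated `binddn`/`bindpw` are replaced by the commented examples — and the per-map `base passwd/shadow/group` lines collapse into a single `base dc=crans,dc=org`, so every NSS lookup searches the whole tree and every attribute nslcd reads must be anonymously readable; that matches the slapd ACLs introduced in patch 08, but the template should say so (`# nslcd binds anonymously; the directory ACLs must grant anonymous read on the NSS maps`). The explicit `timelimit 5` / `bind_timelimit 5` lines are removed without replacement, so nslcd falls back to its built-in defaults, which becomes visible once `hosts` is resolved through LDAP (patch 05): an unreachable server stalls each lookup for the default bind timeout. `uri ldaps://{{ server }}/` is rendered from bare IP addresses, so certificate verification can only succeed with a server certificate carrying the IP as a SAN; `tls_reqcert` is not set in the visible part of the template, so the library default (presumably `demand`) applies — confirm the certificate deployed later satisfies it. The example line `#binddn cn=annonymous,...` also misspells "anonymous".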
@@ -1,4 +1,14 @@ --- +- name: Install NFS client + apt: + update_cache: true + name: + - nfs-common + state: present + register: apt_result + retries: 3 + until: apt_result is succeeded + - name: Deploy nfs systemd mount template: src: systemd/system/home.mount.j2 diff --git a/roles/home-nounous/templates/systemd/system/home.mount.j2 b/roles/home-nounous/templates/systemd/system/home.mount.j2 index 8f9babaf..d0464e90 100644 --- a/roles/home-nounous/templates/systemd/system/home.mount.j2 +++ b/roles/home-nounous/templates/systemd/system/home.mount.j2 @@ -5,7 +5,7 @@ Wants=network-online.target After=network-online.target [Mount] -What=tealc.adm.crans.org:/pool/home +What=172.16.1.1:/pool/home Where=/home Type=nfs Options=rw,nosuid From 52e237b0cf71de6feb07b251a01235241bf07f6c Mon Sep 17 00:00:00 2001 From: Maxime Bombar Date: Mon, 27 Jul 2020 23:08:27 +0200 Subject: [PATCH 04/36] [New-infra] Deploy ldap and nfs with base system. --- base.yml | 59 ++++-- group_vars/crans_vm/vars.yml | 4 + hosts | 220 +++------------------- plays/nfs.yml | 10 +- roles/ldap-client/templates/nslcd.conf.j2 | 2 +- 5 files changed, 74 insertions(+), 221 deletions(-) create mode 100644 group_vars/crans_vm/vars.yml diff --git a/base.yml b/base.yml index 4b1b5008..f1d27d16 100755 --- a/base.yml +++ b/base.yml @@ -1,13 +1,20 @@ #!/usr/bin/env ansible-playbook --- # Set variable adm_iface for all servers -- import_playbook: plays/get_adm_iface.yml +# - hosts: server +# tasks: +# - name: Register adm interface in adm_iface variable +# shell: set -o pipefail && grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" +# register: adm_iface +# check_mode: false +# changed_when: true +# args: +# executable: /bin/bash # Common CRANS configuration for all servers - hosts: server vars: - # Debian mirror on adm - debian_mirror: http://mirror.adm.crans.org/debian + debian_mirror: http://mirror.crans.org/debian # tmp debian_components: main non-free # LDAP binding 
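Review bot: `debian_mirror: http://mirror.crans.org/debian # tmp` is set at play level, and play `vars:` take precedence over `group_vars`, so the `debian_mirror` later defined in `group_vars/crans_server/vars.yml` (patch 06) is silently shadowed until patch 07 removes this line; a temporary override belongs in an extra-vars file or a clearly named `tmp_` variable, not in the shared play. The eight commented-out lines re-implementing `plays/get_adm_iface.yml` inline duplicate a file this commit does not delete; if the play is not wanted, dropping the `import_playbook` line alone keeps base.yml readable. The play's body continues past this hunk.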
@@ -30,23 +37,47 @@ # Will be in /usr/scripts/ crans_scripts_git: "http://gitlab.adm.crans.org/nounous/scripts.git" - # NTP servers - ntp_servers: - - charybde.adm.crans.org - - silice.adm.crans.org + # # NTP servers + # ntp_servers: + # - charybde.adm.crans.org + # - silice.adm.crans.org roles: - common-tools - debian-apt-sources - ldap-client - openssh - sudo - - ntp-client - - crans-scripts + # - ntp-client + # - crans-scripts - root-config -- import_playbook: plays/mail.yml +# Deploy LDAP replica +- hosts: odlyd.adm.crans.org,soyouz.adm.crans.org,fy.adm.crans.org,thot.adm.crans.org + roles: [] # TODO + +- hosts: otis.adm.crans.org + roles: + - ansible + +# Tools for members +- hosts: zamok.adm.crans.org + roles: + - zamok-tools + +# - import_playbook: plays/mail.yml - import_playbook: plays/nfs.yml -- import_playbook: plays/logs.yml -- import_playbook: plays/backup.yml -- import_playbook: plays/network-interfaces.yml -- import_playbook: plays/monitoring.yml +# - import_playbook: plays/logs.yml +# - import_playbook: plays/backup.yml +# - import_playbook: plays/network-interfaces.yml +# - import_playbook: plays/monitoring.yml +# - import_playbook: plays/generate_documentation.yml + +# Services that only apply to a subset of server +- import_playbook: plays/tv.yml +- import_playbook: plays/mailman.yml +- import_playbook: plays/dhcp.yml +- import_playbook: plays/dns.yml +- import_playbook: plays/wireguard.yml +- import_playbook: plays/mirror.yml +- import_playbook: plays/owncloud.yml +- import_playbook: plays/reverse-proxy.yml diff --git a/group_vars/crans_vm/vars.yml b/group_vars/crans_vm/vars.yml new file mode 100644 index 00000000..6c6608cb --- /dev/null +++ b/group_vars/crans_vm/vars.yml @@ -0,0 +1,4 @@ +ldap: + local: False + servers: ["172.16.1.1"] + base: "dc=crans,dc=org" diff --git a/hosts b/hosts index 9a3ce0e9..1c74dfbe 100644 --- a/hosts +++ b/hosts 
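Review bot: The `ldap` dict is defined only for `crans_vm`, but `ldap-client` runs from the `- hosts: server` play in base.yml, and `server` also covers `crans_physical` (`tealc`, `daniel`) and, as far as the inventory layout suggests, the `ovh` hosts; on those hosts `{{ ldap.local }}` in nslcd.conf.j2 is undefined and the template task fails. Patch 06 moves the file to `group_vars/crans_server`, which still leaves `ovh_physical` (`sputnik.adm.crans.org`) without a definition, so either give the role a `defaults/main.yml` or narrow the play. Style: `local: False` should be the canonical `local: false` (yamllint `truthy`), and the file lacks the `---` document start used elsewhere in the repo.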
@@ -4,208 +4,35 @@ # > We name servers according to location, then type. # > Then we regroup everything in global geographic and type groups. -[horde] -horde-srv.adm.crans.org - -[framadate] -voyager.adm.crans.org - -[dhcp] -dhcp.adm.crans.org -odlyd.adm.crans.org - -[keepalived] -gulp.adm.crans.org -odlyd.adm.crans.org -eap.adm.crans.org -radius.adm.crans.org -frontdaur.adm.crans.org -bakdaur.adm.crans.org - -[test_vm] -re2o-test.adm.crans.org +# [horde] +# horde-srv.adm.crans.org +# +# [framadate] +# voyager.adm.crans.org +# +# [dhcp] +# dhcp.adm.crans.org +# odlyd.adm.crans.org +# +# [keepalived] +# gulp.adm.crans.org +# odlyd.adm.crans.org +# eap.adm.crans.org +# radius.adm.crans.org +# frontdaur.adm.crans.org +# bakdaur.adm.crans.org +# +# [test_vm] +# re2o-test.adm.crans.org [crans_physical] -charybde.adm.crans.org -cochon.adm.crans.org -ft.adm.crans.org -fyre.adm.crans.org -fz.adm.crans.org -gateau.adm.crans.org -gulp.adm.crans.org -odlyd.adm.crans.org -omnomnom.adm.crans.org -stitch.adm.crans.org -thot.adm.crans.org -vo.adm.crans.org -zamok.adm.crans.org -zbee.adm.crans.org -zephir.adm.crans.org +tealc +daniel [crans_vm] -alice.adm.crans.org -bakdaur.adm.crans.org -boeing.adm.crans.org -cas-srv.adm.crans.org -#civet.adm.crans.org -#cups.adm.crans.org -dhcp.adm.crans.org -eap.adm.crans.org -ethercalc-srv.adm.crans.org -frontdaur.adm.crans.org -gitzly.adm.crans.org -horde-srv.adm.crans.org -ipv6-zayo.adm.crans.org -irc.adm.crans.org -jitsi.adm.crans.org -kenobi.adm.crans.org -kiwi.adm.crans.org -lutim.adm.crans.org -#mediadrop-srv.adm.crans.org -mailman.adm.crans.org -nem.adm.crans.org -#news.adm.crans.org -otis.adm.crans.org -owl.adm.crans.org -owncloud-srv.adm.crans.org -radius.adm.crans.org -re2o-bcfg2.adm.crans.org -re2o-ldap.adm.crans.org -re2o-srv.adm.crans.org -redisdead.adm.crans.org -roundcube-srv.adm.crans.org -routeur.adm.crans.org -silice.adm.crans.org -titanic.adm.crans.org -tracker.adm.crans.org -unifi.adm.crans.org -voyager.adm.crans.org 
-xmpp.adm.crans.org -ytrap-llatsni.adm.crans.org -sitesweb.adm.crans.org - -[crans_unifi] -0g-2.borne.crans.org -0g-3.borne.crans.org -0g-4.borne.crans.org -0h-2.borne.crans.org -0h-3.borne.crans.org -0m-2.borne.crans.org -1g-1.borne.crans.org -1g-3.borne.crans.org -1g-4.borne.crans.org -1g-5.borne.crans.org -1h-2.borne.crans.org -1h-3.borne.crans.org -1i-2.borne.crans.org -1i-3.borne.crans.org -1j-2.borne.crans.org -1j-3.borne.crans.org -1m-1.borne.crans.org -1m-2.borne.crans.org -1m-5.borne.crans.org -2a-1.borne.crans.org -2b-3.borne.crans.org -2c-2.borne.crans.org -2c-3.borne.crans.org -2g-1.borne.crans.org -2g-3.borne.crans.org -2g-5.borne.crans.org -2h-2.borne.crans.org -2h-3.borne.crans.org -2i-2.borne.crans.org -2i-3.borne.crans.org -2j-2.borne.crans.org -2j-3.borne.crans.org -2m-2.borne.crans.org -3a-2.borne.crans.org -3b-3.borne.crans.org -3c-2.borne.crans.org -3c-3.borne.crans.org -3g-1.borne.crans.org -3g-5.borne.crans.org -3h-2.borne.crans.org -3h-3.borne.crans.org -3i-2.borne.crans.org -3i-3.borne.crans.org -3j-2.borne.crans.org -3m-2.borne.crans.org -3m-4.borne.crans.org -3m-5.borne.crans.org -4a-1.borne.crans.org -4a-2.borne.crans.org -4a-3.borne.crans.org -4b-1.borne.crans.org -4c-2.borne.crans.org -4c-3.borne.crans.org -4g-1.borne.crans.org -4g-3.borne.crans.org -4g-5.borne.crans.org -4h-2.borne.crans.org -4h-3.borne.crans.org -4i-2.borne.crans.org -4i-3.borne.crans.org -4j-1.borne.crans.org -4j-2.borne.crans.org -4j-3.borne.crans.org -4m-2.borne.crans.org -4m-4.borne.crans.org -5a-1.borne.crans.org -5b-1.borne.crans.org -5c-1.borne.crans.org -5g-1.borne.crans.org -5g-3.borne.crans.org -5m-4.borne.crans.org -6a-1.borne.crans.org -6a-2.borne.crans.org -6c-1.borne.crans.org -adonis.borne.crans.org # 5a -atlas.borne.crans.org # 1a -baba-au-rhum.borne.crans.org # 3b -bacchus.borne.crans.org # 1b -baucis.borne.crans.org # 2b -bellerophon.borne.crans.org # 2b -benedict-cumberbatch.borne.crans.org # 1b -benthesicyme.borne.crans.org # 4b 
-boree.borne.crans.org # 6b -branchos.borne.crans.org # 3b -calypso.borne.crans.org # 4c -chaos.borne.crans.org # 1c -chronos.borne.crans.org # 2c -crios.borne.crans.org # 3c -gaia.borne.crans.org # 0g -hades.borne.crans.org # 4h -hephaistos.borne.crans.org # 1h -hermes.borne.crans.org # 3h -hypnos.borne.crans.org # 2h -iaso.borne.crans.org # 1i -idothee.borne.crans.org # 3i -idyie.borne.crans.org # 0i -ino.borne.crans.org # 2i -ioke.borne.crans.org # 4i -jaipudidees.borne.crans.org # 2j -jaipudpapier.borne.crans.org # 3j -japavolonte.borne.crans.org # 1j -jesuischarlie.borne.crans.org # 0j -jveuxduwifi.borne.crans.org # 0j -mania.borne.crans.org # 2m -marquis.borne.crans.org # manoir -mercure.borne.crans.org # 3m -#5m-5.borne.crans.org Déplacée au 2b - -# TODO Récupérer ces bornes -#kakia.borne.crans.org # kfet -#koios.borne.crans.org # kfet -#gym-1.borne.crans.org # gymnase -#gym-2.borne.crans.org # gymnase -#0d-1.borne.crans.org - -# TODO La fibre vers le resto U est coupée. -#rhea.borne.crans.org # resto-univ -#romulus.borne.crans.org # resto-univ +belenios # on changera plus tard [ovh_physical] -soyouz.adm.crans.org sputnik.adm.crans.org # every server at crans @@ -217,7 +44,6 @@ crans_vm [crans:children] crans_physical crans_vm -crans_unifi # everything at ovh [ovh:children] diff --git a/plays/nfs.yml b/plays/nfs.yml index 61ccb4da..e4f243ca 100755 --- a/plays/nfs.yml +++ b/plays/nfs.yml @@ -7,12 +7,4 @@ # Deploy NFS only on campus - hosts: crans_server - roles: ["nfs-common"] - -# Deploy autofs NFS -- hosts: crans_server,!odlyd.adm.crans.org,!zamok.adm.crans.org,!omnomnom.adm.crans.org,!owl.adm.crans.org,!owncloud-srv.adm.crans.org - roles: ["nfs-autofs"] - -# Deploy home permanent -- hosts: zamok.adm.crans.org,omnomnom.adm.crans.org,owl.adm.crans.org,owncloud-srv.adm.crans.org - roles: ["home-permanent"] + roles: ["home-nounous"] 
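Review bot: The `home-nounous` role is now applied to every host in `crans_server`, which after patch 06 also includes `crans_routeurs` and, via `crans_physical`, the NFS server itself — the unit's `What=` points at `172.16.1.1`, the address patch 03 substituted for `tealc.adm.crans.org`, and `tealc` is listed in `crans_physical`; if that mapping holds, the exporting host will try to NFS-mount its own export onto `/home`. Exclude it with `hosts: crans_server,!tealc` or move the mount to a dedicated group, and record the decision in the `# Deploy NFS only on campus` comment. The removed `nfs-autofs` and `home-permanent` plays mean hosts that previously received those roles keep their old automounter configuration until something removes it.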
diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2 index f55c1a67..aa1db15f 100644 --- a/roles/ldap-client/templates/nslcd.conf.j2 +++ b/roles/ldap-client/templates/nslcd.conf.j2 @@ -17,7 +17,7 @@ uri ldaps://{{ server }}/ {% endif %} # The search base that will be used for all queries. -base dc=crans,dc=org +base {{ ldap.base }} # The LDAP protocol version to use. #ldap_version 3 From 7011f816efaad7690cb494e653829e19341f1bb6 Mon Sep 17 00:00:00 2001 From: Maxime Bombar Date: Mon, 27 Jul 2020 23:09:10 +0200 Subject: [PATCH 05/36] [ldap-client] host looks into ldap before making a dns request --- roles/ldap-client/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ldap-client/tasks/main.yml b/roles/ldap-client/tasks/main.yml index f03a809f..03e68841 100644 --- a/roles/ldap-client/tasks/main.yml +++ b/roles/ldap-client/tasks/main.yml @@ -43,7 +43,7 @@ lineinfile: dest: /etc/nsswitch.conf regexp: "^{{ item }}:" - line: "{{ item }}: files dns ldap" + line: "{{ item }}: files ldap dns" loop: - hosts notify: Restart nslcd service From f071959bd8a085cff0f793213027a76bd6933b66 Mon Sep 17 00:00:00 2001 From: Maxime Bombar Date: Tue, 28 Jul 2020 11:19:56 +0200 Subject: [PATCH 06/36] [New-infra] Restruture hosts file --- group_vars/crans_server/vars.yml | 9 +++++++++ group_vars/crans_vm/vars.yml | 4 ---- hosts | 8 ++++++-- 3 files changed, 15 insertions(+), 6 deletions(-) create mode 100644 group_vars/crans_server/vars.yml delete mode 100644 group_vars/crans_vm/vars.yml diff --git a/group_vars/crans_server/vars.yml b/group_vars/crans_server/vars.yml new file mode 100644 index 00000000..75c8f4d8 --- /dev/null +++ b/group_vars/crans_server/vars.yml @@ -0,0 +1,9 @@ +ldap: + local: False + servers: ["172.16.1.1"] + base: "dc=crans,dc=org" + + +# Parameters for debian mirror +debian_mirror: http://mirror.adm.crans.org/debian +debian_components: main non_free 
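Review bot: Putting `ldap` ahead of `dns` for `hosts` means every name that is not in the directory pays an LDAP round-trip before DNS is consulted, and when nslcd cannot reach a server each lookup blocks for nslcd's bind timeout before falling through (the explicit `bind_timelimit` was dropped from nslcd.conf.j2 in patch 02, so the default applies). If the intent is only that directory-defined names take precedence, document the trade-off in the task: `# LDAP entries must win over DNS; a slow or unreachable nslcd delays every lookup`. The `hosts` map also depends on the single `base dc=crans,dc=org` now in use — confirm host entries live under that suffix or add a `base hosts` line to the template.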
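Review bot: `debian_components: main non_free` uses an underscore, but the apt component is `non-free` (the value this replaces in base.yml was `main non-free`); as written the generated sources reference a component the mirror does not have and `apt update` fails. Change it to `debian_components: main non-free`. Style: `local: False` should be `local: false`, the file lacks the `---` document start, and the two blank lines between the `ldap` block and the mirror parameters should be one.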
diff --git a/group_vars/crans_vm/vars.yml b/group_vars/crans_vm/vars.yml deleted file mode 100644 index 6c6608cb..00000000 --- a/group_vars/crans_vm/vars.yml +++ /dev/null @@ -1,4 +0,0 @@ -ldap: - local: False - servers: ["172.16.1.1"] - base: "dc=crans,dc=org" diff --git a/hosts b/hosts index 1c74dfbe..4948050b 100644 --- a/hosts +++ b/hosts @@ -25,6 +25,9 @@ # [test_vm] # re2o-test.adm.crans.org +[crans_routeurs] +routeur-daniel + [crans_physical] tealc daniel @@ -39,11 +42,11 @@ sputnik.adm.crans.org [crans_server:children] crans_physical crans_vm +crans_routeurs # everything at crans [crans:children] -crans_physical -crans_vm +crans_server # everything at ovh [ovh:children] @@ -57,6 +60,7 @@ ovh_physical # every virtual machine [vm:children] crans_vm +crans_routeurs # every server [server:children] From ae189b7b775559d2c03412b3929cc33701915871 Mon Sep 17 00:00:00 2001 From: Maxime Bombar Date: Tue, 28 Jul 2020 11:20:15 +0200 Subject: [PATCH 07/36] [new-infra] base.yml --- base.yml | 44 +++++++++++++++----------------------------- 1 file changed, 15 insertions(+), 29 deletions(-) diff --git a/base.yml b/base.yml index f1d27d16..48ce4654 100755 --- a/base.yml +++ b/base.yml 
@@ -14,32 +14,18 @@ # Common CRANS configuration for all servers - hosts: server vars: - debian_mirror: http://mirror.crans.org/debian # tmp - debian_components: main non-free - - # LDAP binding - ldap_base: 'dc=crans,dc=org' - ldap_master_ipv4: '10.231.136.19' - ldap_local_replica_uri: - - "ldap://10.231.136.38" - - "ldap://10.231.136.4" - ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}" - ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}" - ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}" - ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}" - # Group permissions ssh_allow_groups: ssh nounou apprenti cableur root # Scripts will tell users to go there to manage their account intranet_url: 'https://intranet.crans.org/' - # Will be in /usr/scripts/ - crans_scripts_git: "http://gitlab.adm.crans.org/nounous/scripts.git" + # # Will be in /usr/scripts/ + # crans_scripts_git: "http://gitlab.adm.crans.org/nounous/scripts.git" - # # NTP servers - # ntp_servers: - # - charybde.adm.crans.org + # NTP servers + ntp_servers: + - charybde.adm.crans.org # - silice.adm.crans.org roles: - common-tools @@ -47,7 +33,7 @@ - ldap-client - openssh - sudo - # - ntp-client + - ntp-client # - crans-scripts - root-config @@ -62,7 +48,7 @@ # Tools for members - hosts: zamok.adm.crans.org roles: - - zamok-tools +# - zamok-tools # - import_playbook: plays/mail.yml - import_playbook: plays/nfs.yml 
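Review bot: `intranet_url` survives the cleanup although the only consumers visible in this series — the `passwd`/`chsh` wrapper templates — were deleted in patch 02, so unless another role reads it the variable is dead and should go with the `ldap_*` block. Removing `ldap_nslcd_bind_dn`/`ldap_nslcd_passwd` is consistent with the anonymous bind now in nslcd.conf.j2, but it also drops the last reference to `vault_ldap_nslcd_passwd`, so that vault entry can be retired. `ntp_servers` is re-enabled with only `charybde.adm.crans.org` while `silice.adm.crans.org` stays commented, leaving clients a single time source — a short comment saying why would help. The play continues past this hunk.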
@@ -73,11 +59,11 @@ # - import_playbook: plays/generate_documentation.yml # Services that only apply to a subset of server -- import_playbook: plays/tv.yml -- import_playbook: plays/mailman.yml -- import_playbook: plays/dhcp.yml -- import_playbook: plays/dns.yml -- import_playbook: plays/wireguard.yml -- import_playbook: plays/mirror.yml -- import_playbook: plays/owncloud.yml -- import_playbook: plays/reverse-proxy.yml +# - import_playbook: plays/tv.yml +# - import_playbook: plays/mailman.yml +# - import_playbook: plays/dhcp.yml +# - import_playbook: plays/dns.yml +# - import_playbook: plays/wireguard.yml +# - import_playbook: plays/mirror.yml +# - import_playbook: plays/owncloud.yml +# - import_playbook: plays/reverse-proxy.yml From 19685dc466fcf14936a3fe262f3f484804f01211 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Fri, 17 Jul 2020 22:32:14 +0200 Subject: [PATCH 08/36] [slapd] added slapd role --- ldap.yml | 11 ++ roles/slapd/handlers/main.yml | 6 + roles/slapd/tasks/main.yml | 30 ++++ roles/slapd/templates/ldap/slapd.conf.j2 | 195 +++++++++++++++++++++++ 4 files changed, 242 insertions(+) create mode 100755 ldap.yml create mode 100644 roles/slapd/handlers/main.yml create mode 100644 roles/slapd/tasks/main.yml create mode 100644 roles/slapd/templates/ldap/slapd.conf.j2 diff --git a/ldap.yml b/ldap.yml new file mode 100755 index 00000000..04c56eaf --- /dev/null +++ b/ldap.yml @@ -0,0 +1,11 @@ +#!/usr/bin/env ansible-playbook +--- +- hosts: daniel.adm.crans.org + vars: + ldap: + replica: true + master_ip: 172.16.1.1 # faire une query pour l'adresse de tealc sur le ldap + replica_rid: 2 + ip: 172.16.1.12 + roles: + - slapd diff --git a/roles/slapd/handlers/main.yml b/roles/slapd/handlers/main.yml new file mode 100644 index 00000000..c8b9f3c0 --- /dev/null +++ b/roles/slapd/handlers/main.yml @@ -0,0 +1,6 @@ +--- + +- name: Restart slapd + service: + name: slapd.service + state: restarted 
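Review bot: `- hosts: daniel.adm.crans.org` does not match the inventory as it stands at this commit, where the host is listed as the bare name `daniel` (patch 06); Ansible then reports that it could not match the host pattern and skips the play, so the role never runs until patch 13 renames the inventory entry. `master_ip: 172.16.1.1` carries a French TODO (`faire une query …`); it is superseded by host_vars in patch 11, but comments should be in English like the rest of the tree. `replica_rid`, `ip` and `master_ip` are per-host data and belong in `host_vars/` rather than play `vars:`, which is exactly what patch 11 does.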
diff --git a/roles/slapd/tasks/main.yml b/roles/slapd/tasks/main.yml new file mode 100644 index 00000000..f1ff8b87 --- /dev/null +++ b/roles/slapd/tasks/main.yml @@ -0,0 +1,30 @@ +--- +- name: Install slapd + apt: + update_cache: true + name: + - slapd + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Remove slapd config directory + files: + path: /etc/ldap/slapd.d/ + state: absent + +- name: Deploy slapd configuration + template: + src: ldap/slapd.conf.j2 + dest: /etc/slapd/slapd.conf + mode: 0600 + owner: openldap + group: openldap + notify: Restart slapd + +- name: Deploy ldap services + lineinfile: + path: /etc/default/slapd + regexp: '^SLAPD_SERVICES=' + line: 'SLAPD_SERVICES="ldaps://{{ ldap.ip }}/ ldapi:///"' + notify: Restart slapd diff --git a/roles/slapd/templates/ldap/slapd.conf.j2 b/roles/slapd/templates/ldap/slapd.conf.j2 new file mode 100644 index 00000000..95f92a54 --- /dev/null +++ b/roles/slapd/templates/ldap/slapd.conf.j2 
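Review bot: `SLAPD_SERVICES="ldaps://{{ ldap.ip }}/ ldapi:///"` asks slapd to listen on ldaps, but the template deployed two tasks earlier ships every `TLSCertificateFile`/`TLSCertificateKeyFile` directive commented out under `# TODO FAIRE LES CERTIFICATS`; without a certificate slapd presumably cannot bring up the ldaps listener and the `Restart slapd` handler fails, so either deploy the certificate in this role or keep the listener to `ldapi:///` until it exists. The `Remove slapd config directory` task uses `files:`, which is not an Ansible module (`file:` is), and `dest: /etc/slapd/slapd.conf` points at a directory the package does not create — both corrected in patch 12. Deleting `/etc/ldap/slapd.d/` unconditionally is what makes slapd fall back to `slapd.conf`; a comment saying so (`# remove cn=config so slapd reads slapd.conf`) saves the next reader a trip through the Debian init script.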
@@ -0,0 +1,195 @@ +# This is the main slapd configuration file. See slapd.conf(5) for more +# info on the configuration options. + +####################################################################### +# Global Directives: + +# Schema and objectClass definitions +include /etc/ldap/schema/core.schema +include /etc/ldap/schema/cosine.schema +include /etc/ldap/schema/nis.schema +include /etc/ldap/schema/inetorgperson.schema + +# Where the pid file is put. The init.d script +# will not stop the server if you change this. +pidfile /var/run/slapd/slapd.pid + +# List of arguments that were passed to the server +argsfile /var/run/slapd/slapd.args + +# Read slapd.conf(5) for possible values +loglevel none + +# Where the dynamically loaded modules are stored +modulepath /usr/lib/ldap +moduleload back_mdb +{% if not ldap.replica %} +moduleload auditlog + +overlay auditlog +auditlog /var/log/openldap/auditlog.log + +moduleload syncprov +{% endif %} + +# TODO FAIRE LES CERTIFICATS +# TLS Certificates +#TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3 +#TLSCACertificateFile /etc/ssl/certs/ServENS.crt +#TLSCertificateFile /etc/ldap/ldap.pem +#TLSCertificateKeyFile /etc/ldap/ldap.key + +# The maximum number of entries that is returned for a search operation +sizelimit 500 + +# The tool-threads parameter sets the actual amount of cpu's that is used +# for indexing. 
+tool-threads 1 + +####################################################################### +# Specific Backend Directives for mdb: +# Backend specific directives apply to this backend until another +# 'backend' directive occurs +backend mdb + +####################################################################### +# Specific Backend Directives for 'other': +# Backend specific directives apply to this backend until another +# 'backend' directive occurs +#backend + +####################################################################### +# Specific Directives for database #1, of type mdb: +# Database specific directives apply to this databasse until another +# 'database' directive occurs +database mdb + +# The base of your directory in database #1 +suffix "dc=crans,dc=org" + +# rootdn directive for specifying a superuser on the database. This is needed +# for syncrepl. +rootdn "cn=admin,dc=crans,dc=org" + +# Where the database file are physically stored for database #1 +directory "/var/lib/ldap" + +# The dbconfig settings are used to generate a DB_CONFIG file the first +# time slapd starts. They do NOT override existing an existing DB_CONFIG +# file. You should therefore change these settings in DB_CONFIG directly +# or remove DB_CONFIG and restart slapd for changes to take effect. + +# For the Debian package we use 2MB as default but be sure to update this +# value if you have plenty of RAM +#dbconfig set_cachesize 0 2097152 0 + +# Sven Hartge reported that he had to set this value incredibly high +# to get slapd running at all. See http://bugs.debian.org/303057 for more +# information. + +# Number of objects that can be locked at the same time. 
+#dbconfig set_lk_max_objects 1500 +# Number of locks (both requested and granted) +#dbconfig set_lk_max_locks 1500 +# Number of lockers +#dbconfig set_lk_max_lockers 1500 + +# Indexing options for database #1 +index objectClass eq + +# Save the time that the entry gets modified, for database #1 +lastmod on + +# Checkpoint the BerkeleyDB database periodically in case of system +# failure and to speed slapd shutdown. +checkpoint 512 30 + +{% if ldap.replica %} +syncrepl + rid={{ ldap.replica_rid }} + provider=ldaps://{{ ldap.master_ip }}:636 + bindmethod=simple + binddn="cn=replicator,dc=crans,dc=org" + credentials=test1234 # TODO cranspasswords + searchbase="dc=crans,dc=org" + schemachecking=on + type=refreshOnly + interval=00:00:10:00 + scope=sub + tls_reqcert=allow +{% endif %} + +{% if ldap.replica %} +# The userPassword by default can be changed +# by the entry owning it if they are authenticated. +# Others should not be able to see it, except the +# admin entry below +# These access lines apply to database #1 only +access to attrs=userPassword,shadowLastChange + by anonymous auth + by * none + +# Ensure read access to the base for things like +# supportedSASLMechanisms. Without this you may +# have problems with SASL not knowing what +# mechanisms are available and the like. +# Note that this is covered by the 'access to *' +# ACL below too but if you change that as people +# are wont to do you'll still need this if you +# want SASL (and possible other things) to work +# happily. +access to dn.base="" by * read + +# The admin dn has full write access, everyone else +# can read everything. +access to * + by * read +{% else %} +overlay syncprov + +# The userPassword by default can be changed +# by the entry owning it if they are authenticated. 
+# Others should not be able to see it, except the +# admin entry below +# These access lines apply to database #1 only +access to attrs=userPassword,shadowLastChange + by anonymous auth + by self write + by set="[cn=nounou,ou=group,dc=crans,dc=org]/memberUid & user/uid" write + by dn="cn=replicator,dc=crans,dc=org" read + by * none + +access to attrs=loginShell,mail,telephoneNumber + by self write + by set="[cn=nounou,ou=group,dc=crans,dc=org]/memberUid & user/uid" write + by dn="cn=replicator,dc=crans,dc=org" read + by * read + +# Ensure read access to the base for things like +# supportedSASLMechanisms. Without this you may +# have problems with SASL not knowing what +# mechanisms are available and the like. +# Note that this is covered by the 'access to *' +# ACL below too but if you change that as people +# are wont to do you'll still need this if you +# want SASL (and possible other things) to work +# happily. +access to dn.base="" by * read + +# The admin dn has full write access, everyone else +# can read everything. +access to * + by set="[cn=nounou,ou=group,dc=crans,dc=org]/memberUid & user/uid" write + by dn="cn=replicator,dc=crans,dc=org" read + by * read +{% endif %} + + +####################################################################### +# Specific Directives for database #2, of type 'other' (can be mdb too): +# Database specific directives apply to this databasse until another +# 'database' directive occurs +#database + +# The base of your directory for database #2 +#suffix "dc=debian,dc=org" From 8bbec6135028b3ff10105d0727bc0239c02deb5a Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Tue, 28 Jul 2020 11:40:23 +0200 Subject: [PATCH 09/36] [slapd] Change replication settings --- roles/slapd/tasks/main.yml | 2 +- roles/slapd/templates/ldap/slapd.conf.j2 | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/roles/slapd/tasks/main.yml b/roles/slapd/tasks/main.yml index f1ff8b87..111d98ff 100644 
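Review bot: The replica's `syncrepl` block sets `tls_reqcert=allow`, which accepts any certificate from the provider, and sends `credentials=test1234` over a `bindmethod=simple` bind; together these mean the replication password is protected only by an unauthenticated TLS session, so anything on the 172.16 segment able to interpose itself on port 636 can obtain it. Once the certificates flagged by `# TODO FAIRE LES CERTIFICATS` exist, switch to `tls_reqcert=demand` with a `tls_cacert=` pointing at the issuing CA, and the plaintext test secret should not be in the template at all (patch 10 moves it to the vault). On both branches `access to *` ends in `by * read`, i.e. anonymous read of the entire directory — consistent with the anonymous nslcd bind, but worth stating in the ACL comment (`# anonymous read is required for nslcd, which binds without credentials`). `loglevel none` leaves nothing to correlate against the master's auditlog; `stats` is the usual minimum.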
--- a/roles/slapd/tasks/main.yml +++ b/roles/slapd/tasks/main.yml @@ -21,7 +21,7 @@ owner: openldap group: openldap notify: Restart slapd - + - name: Deploy ldap services lineinfile: path: /etc/default/slapd diff --git a/roles/slapd/templates/ldap/slapd.conf.j2 b/roles/slapd/templates/ldap/slapd.conf.j2 index 95f92a54..3e539f01 100644 --- a/roles/slapd/templates/ldap/slapd.conf.j2 +++ b/roles/slapd/templates/ldap/slapd.conf.j2 @@ -112,10 +112,12 @@ syncrepl binddn="cn=replicator,dc=crans,dc=org" credentials=test1234 # TODO cranspasswords searchbase="dc=crans,dc=org" - schemachecking=on - type=refreshOnly - interval=00:00:10:00 scope=sub + schemachecking=on + type=refreshAndPersist + timeout=0 + network-timeout=0 + retry="30 20 300 +" tls_reqcert=allow {% endif %} From 2d1a5211c123aa3e53a4774bd74746264bf8bc99 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Tue, 28 Jul 2020 11:46:04 +0200 Subject: [PATCH 10/36] [slapd] Use password from vault --- roles/slapd/templates/ldap/slapd.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/slapd/templates/ldap/slapd.conf.j2 b/roles/slapd/templates/ldap/slapd.conf.j2 index 3e539f01..0db098b6 100644 --- a/roles/slapd/templates/ldap/slapd.conf.j2 +++ b/roles/slapd/templates/ldap/slapd.conf.j2 @@ -110,7 +110,7 @@ syncrepl provider=ldaps://{{ ldap.master_ip }}:636 bindmethod=simple binddn="cn=replicator,dc=crans,dc=org" - credentials=test1234 # TODO cranspasswords + credentials={{ ldap.replication_credentials }} searchbase="dc=crans,dc=org" scope=sub schemachecking=on From 9619f3433525acda03cb00d57605b6f33bfe32c6 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Tue, 28 Jul 2020 17:11:38 +0200 Subject: [PATCH 11/36] Use host_vars for daniel --- host_vars/daniel | 7 +++++++ ldap.yml | 8 +------- 2 files changed, 8 insertions(+), 7 deletions(-) create mode 100644 host_vars/daniel diff --git a/host_vars/daniel b/host_vars/daniel new file mode 100644 index 00000000..fb2e9883 --- /dev/null 
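Review bot: `timeout=0` and `network-timeout=0` on the syncrepl consumer presumably disable the respective limits (0 is conventionally "no limit" — confirm against slapd.conf(5)), so a provider that goes silent without closing the TCP session leaves the refreshAndPersist consumer hanging; the new `retry="30 20 300 +"` schedule only takes effect once the connection is noticed as dead. A finite `network-timeout=30` (constructed value) keeps the session self-healing. `tls_reqcert=allow` is carried over unchanged; see the note on patch 08. The whitespace-only hunk in tasks/main.yml is trivial.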
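Review bot: `credentials={{ ldap.replication_credentials }}` renders the vault value unquoted into a slapd.conf directive, so a secret containing a space, `"` or `#` breaks the `syncrepl` statement; slapd.conf accepts double-quoted values, so `credentials="{{ ldap.replication_credentials }}"` is the safer form (with embedded `"` escaped in the vault value, if any). The rendered file is mode `0600` owned by `openldap`, which is appropriate now that it holds a live secret, but `template` prints the rendered content under `--diff`, so add `no_log: true` to the deploy task to keep the password out of run logs.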
+++ b/host_vars/daniel @@ -0,0 +1,7 @@ +--- +ldap: + ip: 172.16.1.12 + replica: true + replica_rid: 2 + master_ip: 172.16.1.1 + replication_credentials: "{{ vault_ldap_replication_credentials }}" diff --git a/ldap.yml b/ldap.yml index 04c56eaf..5a4d03f4 100755 --- a/ldap.yml +++ b/ldap.yml @@ -1,11 +1,5 @@ #!/usr/bin/env ansible-playbook --- -- hosts: daniel.adm.crans.org - vars: - ldap: - replica: true - master_ip: 172.16.1.1 # faire une query pour l'adresse de tealc sur le ldap - replica_rid: 2 - ip: 172.16.1.12 +- hosts: daniel roles: - slapd From 70f180e9a96e4fdb15e5fe3b7d7522b8fe17a304 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Tue, 28 Jul 2020 17:12:40 +0200 Subject: [PATCH 12/36] [slapd] fix role --- roles/slapd/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/slapd/tasks/main.yml b/roles/slapd/tasks/main.yml index 111d98ff..fb082ac1 100644 --- a/roles/slapd/tasks/main.yml +++ b/roles/slapd/tasks/main.yml @@ -9,14 +9,14 @@ until: apt_result is succeeded - name: Remove slapd config directory - files: + file: path: /etc/ldap/slapd.d/ state: absent - name: Deploy slapd configuration template: src: ldap/slapd.conf.j2 - dest: /etc/slapd/slapd.conf + dest: /etc/ldap/slapd.conf mode: 0600 owner: openldap group: openldap From e0e908fe13e0a79283879c2c9e70bc3c8da9b947 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Thu, 6 Aug 2020 14:34:15 +0200 Subject: [PATCH 13/36] [base] Nouveaux plans de vlans --- base.yml | 9 +++++---- host_vars/{daniel => daniel.adm.crans.org} | 4 ++-- hosts | 4 ++-- 3 files changed, 9 insertions(+), 8 deletions(-) rename host_vars/{daniel => daniel.adm.crans.org} (71%) diff --git a/base.yml b/base.yml index 48ce4654..f3fa47c9 100755 --- a/base.yml +++ b/base.yml 
@@ -31,15 +31,16 @@ - common-tools - debian-apt-sources - ldap-client - - openssh + # - openssh - sudo - ntp-client # - crans-scripts - root-config -# Deploy LDAP replica -- hosts: odlyd.adm.crans.org,soyouz.adm.crans.org,fy.adm.crans.org,thot.adm.crans.org - roles: [] # TODO +# Deploy LDAP master and replica +- hosts: daniel.adm.crans.org + roles: + - slapd - hosts: otis.adm.crans.org roles: diff --git a/host_vars/daniel b/host_vars/daniel.adm.crans.org similarity index 71% rename from host_vars/daniel rename to host_vars/daniel.adm.crans.org index fb2e9883..2ecabb43 100644 --- a/host_vars/daniel +++ b/host_vars/daniel.adm.crans.org @@ -1,7 +1,7 @@ --- ldap: - ip: 172.16.1.12 + ip: 172.16.10.12 replica: true replica_rid: 2 - master_ip: 172.16.1.1 + master_ip: 172.16.10.1 replication_credentials: "{{ vault_ldap_replication_credentials }}" diff --git a/hosts b/hosts index 4948050b..6f299cc4 100644 --- a/hosts +++ b/hosts @@ -29,8 +29,8 @@ routeur-daniel [crans_physical] -tealc -daniel +tealc.adm.crans.org +daniel.adm.crans.org [crans_vm] belenios # on changera plus tard From 8f0f082139741ab4fc0756e769c1ebe85ab3fee2 Mon Sep 17 00:00:00 2001 From: shirenn Date: Thu, 6 Aug 2020 15:54:17 +0200 Subject: [PATCH 14/36] [proxmox] Role for proxmox repositories --- roles/proxmox-apt-sources/tasks/main.yml | 5 +++++ .../templates/apt/sources.list.d/sources.list.j2 | 2 ++ 2 files changed, 7 insertions(+) create mode 100644 roles/proxmox-apt-sources/tasks/main.yml create mode 100644 roles/proxmox-apt-sources/templates/apt/sources.list.d/sources.list.j2 diff --git a/roles/proxmox-apt-sources/tasks/main.yml b/roles/proxmox-apt-sources/tasks/main.yml new file mode 100644 index 00000000..4d66e393 --- /dev/null +++ b/roles/proxmox-apt-sources/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- name: Configure Proxmox repositories + template: + src: apt/sources.list.d/pve-entreprise.list.j2 + dest: /etc/apt/sources.list.d/pve-entreprise.list 
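Review bot: `# - openssh` disables the openssh role for every host in the `server` play without recording why, which silently drops whatever sshd policy that role enforced; the play's `ssh_allow_groups: ssh nounou apprenti cableur root` variable (visible as context in the later base.yml hunk on this page) then has no consumer. Either remove the role and the variable together, or annotate it, e.g. `# - openssh  # disabled <date>: <reason>; re-enable when <condition>`, so the gap is tracked. The new comment `# Deploy LDAP master and replica` doesn't match the play under it, which targets only `daniel.adm.crans.org` (a replica per its host_vars hunk below); `# Deploy LDAP replica` is accurate until the master is added.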
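Review bot: `src: apt/sources.list.d/pve-entreprise.list.j2` does not match the template this commit creates, `sources.list.j2` (next hunk), so the `template` task fails at lookup time; later commits on this page rename the template to `pve-enterprise.list.j2`, which is also the upstream spelling. The task also writes under `/etc/apt/sources.list.d/` with no `owner`, `group` or `mode`; add `owner: root`, `group: root`, `mode: '0644'` so the result does not depend on the controller's umask.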
diff --git a/roles/proxmox-apt-sources/templates/apt/sources.list.d/sources.list.j2 b/roles/proxmox-apt-sources/templates/apt/sources.list.d/sources.list.j2 new file mode 100644 index 00000000..f1a09d1d --- /dev/null +++ b/roles/proxmox-apt-sources/templates/apt/sources.list.d/sources.list.j2 @@ -0,0 +1,2 @@ +{{ ansible_header | comment }} +deb http://download.proxmox.com/debian/pve {{ ansible_lsb.codename }} pve-no-subscription From aa552f55b6b922d982321845cad0b87e26d9ce43 Mon Sep 17 00:00:00 2001 From: shirenn Date: Thu, 6 Aug 2020 15:58:46 +0200 Subject: [PATCH 15/36] [common-tools] Check-mode safe --- roles/common-tools/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/common-tools/tasks/main.yml b/roles/common-tools/tasks/main.yml index 7189b872..931348a7 100644 --- a/roles/common-tools/tasks/main.yml +++ b/roles/common-tools/tasks/main.yml @@ -53,6 +53,7 @@ owner: root group: utmp mode: '4755' + check_mode: no - name: Deploy screen tmpfile template: From 0b47e83b2858093c96bec641c3d531a04706c58f Mon Sep 17 00:00:00 2001 From: shirenn Date: Thu, 6 Aug 2020 15:59:15 +0200 Subject: [PATCH 16/36] [ntp-client] Check-mode safe --- roles/ntp-client/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ntp-client/tasks/main.yml b/roles/ntp-client/tasks/main.yml index c968990b..0bc25d21 100644 --- a/roles/ntp-client/tasks/main.yml +++ b/roles/ntp-client/tasks/main.yml @@ -12,6 +12,7 @@ path: /etc/default/ntp regexp: '^NTPD_OPTS' line: NTPD_OPTS='-g -x' + check_mode: no - name: Configure NTP template: From 34985f55587e1a523c7029ed1abef15417bd23e1 Mon Sep 17 00:00:00 2001 From: shirenn Date: Thu, 6 Aug 2020 16:00:31 +0200 Subject: [PATCH 17/36] [slapd] Check-mode safe --- roles/slapd/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/slapd/tasks/main.yml b/roles/slapd/tasks/main.yml index fb082ac1..d39f9502 100644 --- a/roles/slapd/tasks/main.yml +++ b/roles/slapd/tasks/main.yml 
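Review bot: `deb http://download.proxmox.com/debian/pve {{ ansible_lsb.codename }} pve-no-subscription` fetches over plain HTTP and relies on a signing key this role neither installs nor pins, so the entry's trust rests entirely on a keyring already present on the host. Prefer `https://` and a `[signed-by=<path to the Proxmox release keyring>]` option, with a task in this role deploying that keyring, so the repository is verifiable from the role alone. `ansible_lsb.codename` is only populated when `lsb-release` is installed on the target; `ansible_distribution_release` is always available. The file name `sources.list.j2` (and the `pve-entreprise.list` destination in the tasks hunk) does not say which repository it configures; `pve-no-subscription.list.j2` would match the content.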
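Review bot: `check_mode: no` does the opposite of what the subject "Check-mode safe" suggests: it forces the `mode: '4755'` file task (presumably the screen binary, given the following task) to execute for real during `ansible-playbook --check`, so a dry run now modifies the host; the same applies to the `lineinfile` on `/etc/default/ntp` in the ntp-client hunk below and to the `SLAPD_SERVICES` line in the slapd hunk of PATCH 17. If the goal is to let dependent tasks work in check mode, restrict `check_mode: false` to read-only tasks or gate the dependents with `when: not ansible_check_mode`, as the re2o-dhcp hunk of PATCH 29 on this page does. Whatever the choice, write the boolean as `false` rather than `no`, matching the `true`/`false` already used in these roles.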
@@ -28,3 +28,4 @@ regexp: '^SLAPD_SERVICES=' line: 'SLAPD_SERVICES="ldaps://{{ ldap.ip }}/ ldapi:///"' notify: Restart slapd + check_mode: no From 3c1a94822b4951910820fecc976c1096e8dc76f2 Mon Sep 17 00:00:00 2001 From: shirenn Date: Thu, 6 Aug 2020 16:24:56 +0200 Subject: [PATCH 18/36] [slapd][unsafe] Rennomage variables et doc --- ...aniel.adm.crans.org => daniel.adm.crans.org.yml} | 0 roles/slapd/README.md | 13 +++++++++++++ roles/slapd/tasks/main.yml | 2 +- roles/slapd/templates/ldap/slapd.conf.j2 | 12 ++++++------ 4 files changed, 20 insertions(+), 7 deletions(-) rename host_vars/{daniel.adm.crans.org => daniel.adm.crans.org.yml} (100%) create mode 100644 roles/slapd/README.md diff --git a/host_vars/daniel.adm.crans.org b/host_vars/daniel.adm.crans.org.yml similarity index 100% rename from host_vars/daniel.adm.crans.org rename to host_vars/daniel.adm.crans.org.yml diff --git a/roles/slapd/README.md b/roles/slapd/README.md new file mode 100644 index 00000000..45b7b027 --- /dev/null +++ b/roles/slapd/README.md @@ -0,0 +1,13 @@ +# SLAPD + +Deploie un serveur ldap master ou replica + +## VARS + +slapd: + - ip : l'ip sur lequel il va installer le serveur ldap + - replica : s'il s'agit d'un master ou d'une replica + - replica_rid : le numéro de replica du serveur + - master_ip : l'ip du master + - replication_credentials : les credientials pour authentifier les replicas + auprès du master diff --git a/roles/slapd/tasks/main.yml b/roles/slapd/tasks/main.yml index d39f9502..84599aa2 100644 --- a/roles/slapd/tasks/main.yml +++ b/roles/slapd/tasks/main.yml @@ -26,6 +26,6 @@ lineinfile: path: /etc/default/slapd regexp: '^SLAPD_SERVICES=' - line: 'SLAPD_SERVICES="ldaps://{{ ldap.ip }}/ ldapi:///"' + line: 'SLAPD_SERVICES="ldaps://{{ slapd.ip }}/ ldapi:///"' notify: Restart slapd check_mode: no diff --git a/roles/slapd/templates/ldap/slapd.conf.j2 b/roles/slapd/templates/ldap/slapd.conf.j2 index 0db098b6..762756b8 100644 --- a/roles/slapd/templates/ldap/slapd.conf.j2 
+++ b/roles/slapd/templates/ldap/slapd.conf.j2 @@ -23,7 +23,7 @@ loglevel none # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_mdb -{% if not ldap.replica %} +{% if not slapd.replica %} moduleload auditlog overlay auditlog @@ -104,13 +104,13 @@ lastmod on # failure and to speed slapd shutdown. checkpoint 512 30 -{% if ldap.replica %} +{% if slapd.replica %} syncrepl - rid={{ ldap.replica_rid }} - provider=ldaps://{{ ldap.master_ip }}:636 + rid={{ slapd.replica_rid }} + provider=ldaps://{{ slapd.master_ip }}:636 bindmethod=simple binddn="cn=replicator,dc=crans,dc=org" - credentials={{ ldap.replication_credentials }} + credentials={{ slapd.replication_credentials }} searchbase="dc=crans,dc=org" scope=sub schemachecking=on @@ -121,7 +121,7 @@ syncrepl tls_reqcert=allow {% endif %} -{% if ldap.replica %} +{% if slapd.replica %} # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the From 194a7252281d8990a16711e44cf18f43cda9a8a0 Mon Sep 17 00:00:00 2001 From: shirenn Date: Thu, 6 Aug 2020 16:27:16 +0200 Subject: [PATCH 19/36] [ldap][unsafe] Documentation --- roles/ldap-client/README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 roles/ldap-client/README.md diff --git a/roles/ldap-client/README.md b/roles/ldap-client/README.md new file mode 100644 index 00000000..55811bae --- /dev/null +++ b/roles/ldap-client/README.md @@ -0,0 +1,10 @@ +# LDAP-CLIENT + +Configure un client ldap pour les utilisateurs + +## VARS + +ldap: + - local: si le serveur est installé en local + - servers: la liste des servers ldap a contacté + - base: le search term du ldap From e1d2528879f95ae9c765cf197361aa1233c7e5a5 Mon Sep 17 00:00:00 2001 
From: shirenn Date: Thu, 6 Aug 2020 16:28:17 +0200 Subject: [PATCH 20/36] [slapd][ldap] Configuration CRANS --- group_vars/all/vars.yaml | 57 +++++++++++++++++------------- group_vars/slapd.yml | 6 ++++ host_vars/daniel.adm.crans.org.yml | 7 ++-- 3 files changed, 42 insertions(+), 28 deletions(-) create mode 100644 group_vars/slapd.yml diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml index 061428b9..328bc71d 100644 --- a/group_vars/all/vars.yaml +++ b/group_vars/all/vars.yaml @@ -16,28 +16,35 @@ ansible_header: | # Crans subnets adm_subnet: 10.231.136.0/24 -# Role rsync-client -to_backup: - - { - name: "var", - path: "/var", - auth_users: "backupcrans", - secrets_file: "/etc/rsyncd.secrets", - hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"], - } - - { - name: "slash", - path: "/", - auth_users: "backupcrans", - secrets_file: "/etc/rsyncd.secrets", - hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"], - } - -re2o: - server: re2o.adm.crans.org - service_user: "{{ vault_re2o_service_user }}" - service_password: "{{ vault_re2o_service_password }}" - - -# global server definitions -mail_server: smtp.adm.crans.org +# # Role rsync-client +# to_backup: +# - { +# name: "var", +# path: "/var", +# auth_users: "backupcrans", +# secrets_file: "/etc/rsyncd.secrets", +# hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"], +# } +# - { +# name: "slash", +# path: "/", +# auth_users: "backupcrans", +# secrets_file: "/etc/rsyncd.secrets", +# hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"], +# } +# +# re2o: +# server: re2o.adm.crans.org +# service_user: "{{ vault_re2o_service_user }}" +# service_password: "{{ vault_re2o_service_password }}" +# +# +# # global server definitions +# mail_server: smtp.adm.crans.org +glob_ldap: + servers: + - 172.16.10.1 + - 172.16.10.11 + - 172.16.10.12 + - 172.16.10.13 + base: 'dc=crans,dc=org' diff --git a/group_vars/slapd.yml b/group_vars/slapd.yml new file mode 100644 index 00000000..19292dcf --- /dev/null 
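Review bot: The `to_backup`, `re2o` and `mail_server` definitions are commented out rather than removed, leaving about thirty lines of dead, double-hashed config (`# # Role rsync-client`, `# secrets_file: "/etc/rsyncd.secrets"`) that every later reader must check against the live roles; git history already preserves them, so delete the block, or keep it under a dated `# Disabled <date>: <reason>` header if it is meant to return. The new `glob_ldap.servers` list is the set of LDAP addresses every `server` host will trust for passwd/group/shadow, yet nothing says which one is the master the replicas sync from (`172.16.10.1` per the group_vars/slapd.yml hunk that follows); a one-line comment on the list would tie the two together.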
+++ b/group_vars/slapd.yml @@ -0,0 +1,6 @@ +--- + +glob_slapd: + master_ip: 172.16.10.1 + replication_credentials: "{{ vault_ldap_replication_credentials }}" + diff --git a/host_vars/daniel.adm.crans.org.yml b/host_vars/daniel.adm.crans.org.yml index 2ecabb43..a7405b4d 100644 --- a/host_vars/daniel.adm.crans.org.yml +++ b/host_vars/daniel.adm.crans.org.yml @@ -1,7 +1,8 @@ --- -ldap: +loc_slapd: ip: 172.16.10.12 replica: true replica_rid: 2 - master_ip: 172.16.10.1 - replication_credentials: "{{ vault_ldap_replication_credentials }}" + +loc_ldap: + local: false From b6ec09061306f3f7915ad55f55839f4b5d1c31dd Mon Sep 17 00:00:00 2001 From: shirenn Date: Thu, 6 Aug 2020 16:30:03 +0200 Subject: [PATCH 21/36] [plays][safe] Playbook to run as root --- hosts | 6 ++++++ plays/root.yml | 31 +++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 plays/root.yml diff --git a/hosts b/hosts index 6f299cc4..61ce6616 100644 --- a/hosts +++ b/hosts @@ -25,6 +25,12 @@ # [test_vm] # re2o-test.adm.crans.org +[slapd] +tealc.adm.crans.org +sam.adm.crans.org +daniel.adm.crans.org +jack.adm.crans.org + [crans_routeurs] routeur-daniel diff --git a/plays/root.yml b/plays/root.yml new file mode 100644 index 00000000..2efca8d6 --- /dev/null +++ b/plays/root.yml @@ -0,0 +1,31 @@ +#!/usr/bin/env ansible-playbook +--- + +- hosts: server + vars: + # # Will be in /usr/scripts/ + # crans_scripts_git: "http://gitlab.adm.crans.org/nounous/scripts.git" + + # NTP servers + ntp_servers: + - charybde.adm.crans.org + # - silice.adm.crans.org + roles: + - debian-apt-sources + - common-tools + - sudo + - ntp-client + # - crans-scripts + - root-config + +- hosts: slapd + vars: + slapd: '{{ glob_slapd | combine(loc_slapd) }}' + roles: + - slapd + +- hosts: server + vars: + ldap: '{{ glob_ldap | combine(loc_ldap) }}' + roles: + - ldap-client From 6879e2ce4674c76dfe8b4fb1b4647e37e6928095 Mon Sep 17 00:00:00 2001 
From: shirenn Date: Thu, 6 Aug 2020 16:30:33 +0200 Subject: [PATCH 22/36] [plays] base.yml shrinking --- base.yml | 30 ------------------------------ 1 file changed, 30 deletions(-) diff --git a/base.yml b/base.yml index f3fa47c9..88cc11b8 100755 --- a/base.yml +++ b/base.yml @@ -11,36 +11,6 @@ # args: # executable: /bin/bash -# Common CRANS configuration for all servers -- hosts: server - vars: - # Group permissions - ssh_allow_groups: ssh nounou apprenti cableur root - - # Scripts will tell users to go there to manage their account - intranet_url: 'https://intranet.crans.org/' - - # # Will be in /usr/scripts/ - # crans_scripts_git: "http://gitlab.adm.crans.org/nounous/scripts.git" - - # NTP servers - ntp_servers: - - charybde.adm.crans.org - # - silice.adm.crans.org - roles: - - common-tools - - debian-apt-sources - - ldap-client - # - openssh - - sudo - - ntp-client - # - crans-scripts - - root-config - -# Deploy LDAP master and replica -- hosts: daniel.adm.crans.org - roles: - - slapd - hosts: otis.adm.crans.org roles: From 7024617206068c656707476e3258d29ee4ea1aaa Mon Sep 17 00:00:00 2001 From: shirenn Date: Thu, 6 Aug 2020 16:38:07 +0200 Subject: [PATCH 23/36] [home-nounous][unsafe] Documentation + rennomage variables --- roles/home-nounous/README.md | 8 ++++++++ roles/home-nounous/templates/systemd/system/home.mount.j2 | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 roles/home-nounous/README.md diff --git a/roles/home-nounous/README.md b/roles/home-nounous/README.md new file mode 100644 index 00000000..80dddb95 --- /dev/null +++ b/roles/home-nounous/README.md @@ -0,0 +1,8 @@ +# HOME-NOUNOUS + +Ce rôle permet d'exporter les homes vers les différents serveurs. + +## VARS + +home_nounous: + ip: l'ip du serveur nfs diff --git a/roles/home-nounous/templates/systemd/system/home.mount.j2 b/roles/home-nounous/templates/systemd/system/home.mount.j2 index d0464e90..b144343d 100644 --- a/roles/home-nounous/templates/systemd/system/home.mount.j2 
+++ b/roles/home-nounous/templates/systemd/system/home.mount.j2 @@ -5,7 +5,7 @@ Wants=network-online.target After=network-online.target [Mount] -What=172.16.1.1:/pool/home +What={{ home_nounous.ip }}:/pool/home Where=/home Type=nfs Options=rw,nosuid From 07b05b99062311235c1a8118c494d6cb7b28f6fe Mon Sep 17 00:00:00 2001 From: shirenn Date: Thu, 6 Aug 2020 16:39:11 +0200 Subject: [PATCH 24/36] [home-nounous] Configuration crans --- group_vars/all/vars.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml index 328bc71d..dba06cb7 100644 --- a/group_vars/all/vars.yaml +++ b/group_vars/all/vars.yaml @@ -48,3 +48,6 @@ glob_ldap: - 172.16.10.12 - 172.16.10.13 base: 'dc=crans,dc=org' + +home-nounous: + ip: 172.16.10.1 From 5c7569cce25bf5caf7df2c3dcc4abc2db2fd2ebe Mon Sep 17 00:00:00 2001 From: shirenn Date: Thu, 6 Aug 2020 17:00:03 +0200 Subject: [PATCH 25/36] [proxmox][safe] Configuration CRANS --- hosts | 5 +++++ plays/root.yml | 3 +++ .../{sources.list.j2 => pve-entreprise.list.j2} | 0 3 files changed, 8 insertions(+) mode change 100644 => 100755 plays/root.yml rename roles/proxmox-apt-sources/templates/apt/sources.list.d/{sources.list.j2 => pve-entreprise.list.j2} (100%) diff --git a/hosts b/hosts index 61ce6616..a7cd86a1 100644 --- a/hosts +++ b/hosts @@ -25,6 +25,11 @@ # [test_vm] # re2o-test.adm.crans.org +[virtu] +sam.adm.crans.org +daniel.adm.crans.org +jack.adm.crans.org + [slapd] tealc.adm.crans.org sam.adm.crans.org diff --git a/plays/root.yml b/plays/root.yml old mode 100644 new mode 100755 index 2efca8d6..ac0de129 --- a/plays/root.yml +++ b/plays/root.yml @@ -1,5 +1,8 @@ #!/usr/bin/env ansible-playbook --- +- hosts: virtu + roles: + - proxmox-apt-sources - hosts: server vars: 
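Review bot: `Options=rw,nosuid` (context under the changed `What=` line) mounts user home directories without `nodev`, so device nodes present on the NFS export are honoured on every client; `Options=rw,nosuid,nodev` is the usual setting for a `/home` mount and costs nothing here. The new `What={{ home_nounous.ip }}:/pool/home` also reads `home_nounous`, while the variable added in group_vars/all in the PATCH 24 hunk below is spelled `home-nounous`, so the render fails on an undefined variable until they agree (PATCH 26 on this page renames it).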
diff --git a/roles/proxmox-apt-sources/templates/apt/sources.list.d/sources.list.j2 b/roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-entreprise.list.j2 similarity index 100% rename from roles/proxmox-apt-sources/templates/apt/sources.list.d/sources.list.j2 rename to roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-entreprise.list.j2 From 2c72c8c6c950377cfae4171d4b27bb58bedcefe8 Mon Sep 17 00:00:00 2001 From: shirenn Date: Thu, 6 Aug 2020 19:36:34 +0200 Subject: [PATCH 26/36] [proxmox] tout pleins de nouveaux copains --- group_vars/all/vars.yaml | 2 +- host_vars/jack.adm.crans.org.yml | 8 ++++++++ host_vars/sam.adm.crans.org.yml | 8 ++++++++ hosts | 2 ++ plays/root.yml | 1 + roles/proxmox-apt-sources/tasks/main.yml | 4 ++-- .../{pve-entreprise.list.j2 => pve-enterprise.list.j2} | 0 7 files changed, 22 insertions(+), 3 deletions(-) create mode 100644 host_vars/jack.adm.crans.org.yml create mode 100644 host_vars/sam.adm.crans.org.yml rename roles/proxmox-apt-sources/templates/apt/sources.list.d/{pve-entreprise.list.j2 => pve-enterprise.list.j2} (100%) diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml index dba06cb7..b33dd868 100644 --- a/group_vars/all/vars.yaml +++ b/group_vars/all/vars.yaml @@ -49,5 +49,5 @@ glob_ldap: - 172.16.10.13 base: 'dc=crans,dc=org' -home-nounous: +home_nounous: ip: 172.16.10.1 diff --git a/host_vars/jack.adm.crans.org.yml b/host_vars/jack.adm.crans.org.yml new file mode 100644 index 00000000..bfca9922 --- /dev/null +++ b/host_vars/jack.adm.crans.org.yml @@ -0,0 +1,8 @@ +--- +loc_slapd: + ip: 172.16.10.13 + replica: true + replica_rid: 3 + +loc_ldap: + local: false diff --git a/host_vars/sam.adm.crans.org.yml b/host_vars/sam.adm.crans.org.yml new file mode 100644 index 00000000..5d5fde7e --- /dev/null +++ b/host_vars/sam.adm.crans.org.yml @@ -0,0 +1,8 @@ +--- +loc_slapd: + ip: 172.16.10.11 + replica: true + replica_rid: 1 + +loc_ldap: + local: false 
diff --git a/hosts b/hosts index a7cd86a1..7a3e9cc5 100644 --- a/hosts +++ b/hosts @@ -41,7 +41,9 @@ routeur-daniel [crans_physical] tealc.adm.crans.org +sam.adm.crans.org daniel.adm.crans.org +jack.adm.crans.org [crans_vm] belenios # on changera plus tard diff --git a/plays/root.yml b/plays/root.yml index ac0de129..06188c07 100755 --- a/plays/root.yml +++ b/plays/root.yml @@ -32,3 +32,4 @@ ldap: '{{ glob_ldap | combine(loc_ldap) }}' roles: - ldap-client + - home-nounous diff --git a/roles/proxmox-apt-sources/tasks/main.yml b/roles/proxmox-apt-sources/tasks/main.yml index 4d66e393..1774927c 100644 --- a/roles/proxmox-apt-sources/tasks/main.yml +++ b/roles/proxmox-apt-sources/tasks/main.yml @@ -1,5 +1,5 @@ --- - name: Configure Proxmox repositories template: - src: apt/sources.list.d/pve-entreprise.list.j2 - dest: /etc/apt/sources.list.d/pve-entreprise.list + src: apt/sources.list.d/pve-enterprise.list.j2 + dest: /etc/apt/sources.list.d/pve-enterprise.list diff --git a/roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-entreprise.list.j2 b/roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-enterprise.list.j2 similarity index 100% rename from roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-entreprise.list.j2 rename to roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-enterprise.list.j2 From 56acc3b293ebb47cf130258a7071eed7df8f0d2c Mon Sep 17 00:00:00 2001 From: shirenn Date: Fri, 7 Aug 2020 00:04:53 +0200 Subject: [PATCH 27/36] [ldap][slapd] Variable merge --- group_vars/all/vars.yaml | 1 + host_vars/daniel.adm.crans.org.yml | 3 --- host_vars/jack.adm.crans.org.yml | 3 --- host_vars/sam.adm.crans.org.yml | 3 --- plays/root.yml | 4 ++-- 5 files changed, 3 insertions(+), 11 deletions(-) diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml index b33dd868..44aee993 100644 --- a/group_vars/all/vars.yaml +++ b/group_vars/all/vars.yaml 
@@ -48,6 +48,7 @@ glob_ldap: - 172.16.10.12 - 172.16.10.13 base: 'dc=crans,dc=org' + local: false # local configuration but default value home_nounous: ip: 172.16.10.1 diff --git a/host_vars/daniel.adm.crans.org.yml b/host_vars/daniel.adm.crans.org.yml index a7405b4d..139b9bd1 100644 --- a/host_vars/daniel.adm.crans.org.yml +++ b/host_vars/daniel.adm.crans.org.yml @@ -3,6 +3,3 @@ loc_slapd: ip: 172.16.10.12 replica: true replica_rid: 2 - -loc_ldap: - local: false diff --git a/host_vars/jack.adm.crans.org.yml b/host_vars/jack.adm.crans.org.yml index bfca9922..70c60054 100644 --- a/host_vars/jack.adm.crans.org.yml +++ b/host_vars/jack.adm.crans.org.yml @@ -3,6 +3,3 @@ loc_slapd: ip: 172.16.10.13 replica: true replica_rid: 3 - -loc_ldap: - local: false diff --git a/host_vars/sam.adm.crans.org.yml b/host_vars/sam.adm.crans.org.yml index 5d5fde7e..9ed74927 100644 --- a/host_vars/sam.adm.crans.org.yml +++ b/host_vars/sam.adm.crans.org.yml @@ -3,6 +3,3 @@ loc_slapd: ip: 172.16.10.11 replica: true replica_rid: 1 - -loc_ldap: - local: false diff --git a/plays/root.yml b/plays/root.yml index 06188c07..e07668ed 100755 --- a/plays/root.yml +++ b/plays/root.yml @@ -23,13 +23,13 @@ - hosts: slapd vars: - slapd: '{{ glob_slapd | combine(loc_slapd) }}' + slapd: '{{ glob_slapd | combine(loc_slapd | default({})) }}' roles: - slapd - hosts: server vars: - ldap: '{{ glob_ldap | combine(loc_ldap) }}' + ldap: '{{ glob_ldap | combine(loc_ldap | default({})) }}' roles: - ldap-client - home-nounous From 7d8131555f18280ed9ed54043664108ea306d4d6 Mon Sep 17 00:00:00 2001 From: shirenn Date: Fri, 7 Aug 2020 00:08:09 +0200 Subject: [PATCH 28/36] coucou les copains (les routeurs) --- hosts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts b/hosts index 7a3e9cc5..ca40c986 100644 --- a/hosts +++ b/hosts @@ -46,6 +46,8 @@ daniel.adm.crans.org jack.adm.crans.org [crans_vm] +routeur-sam.adm.crans.org +routeur-daniel.adm.crans.org belenios # on changera plus tard [ovh_physical] 
From dc17f75f902af5f4320b11e51deda375a0058d36 Mon Sep 17 00:00:00 2001 From: shirenn Date: Fri, 7 Aug 2020 12:59:56 +0200 Subject: [PATCH 29/36] Merge Pollion cherry pick --- group_vars/dhcp.yml | 88 +++++----------------- group_vars/keepalived.yml | 53 ++----------- host_vars/routeur-daniel.adm.crans.org.yml | 15 ++++ host_vars/routeur-sam.adm.crans.org.yml | 15 ++++ hosts | 14 +++- roles/re2o-dhcp/tasks/main.yml | 4 +- 6 files changed, 68 insertions(+), 121 deletions(-) create mode 100644 host_vars/routeur-daniel.adm.crans.org.yml create mode 100644 host_vars/routeur-sam.adm.crans.org.yml diff --git a/group_vars/dhcp.yml b/group_vars/dhcp.yml index 5054673b..f8e16fa9 100644 --- a/group_vars/dhcp.yml +++ b/group_vars/dhcp.yml 
@@ -3,80 +3,26 @@ dhcp: authoritative: True global_options: - - { key: "interface-mtu", value: "1496" } + - { key: "interface-mtu", value: "1500" } global_parameters: [] subnets: - - network: "10.51.0.0/16" - deny_unknown: False - vlan: "accueil" + - network: "100.64.0.0/16" + deny_unknown: True + vlan: "adh-nat" default_lease_time: "600" max_lease_time: "7200" - routers: "10.51.0.10" - dns: ["10.51.0.152", "10.51.0.4"] - domain_name: "accueil.crans.org" - domain_search: "accueil.crans.org" - options: - - { key: "time-servers", value: "10.51.0.10" } - - { key: "ntp-servers", value: "10.51.0.10" } - - { key: "ip-forwarding", value: "off" } - range: ["10.51.1.0", "10.51.255.255"] + routers: "100.64.0.99" + dns: ["100.64.0.101", "100.64.0.102"] + domain_name: "adh-nat.crans.org" + domain_search: "adh-nat.crans.org" + options: [] + lease_file: "/tmp/dhcp.list" - - network: "10.231.148.0/24" - deny_unknown: False - vlan: "bornes" - default_lease_time: "8600" - routers: "10.231.148.254" - dns: ["10.231.148.152", "10.231.148.4"] - domain_name: "borne.crans.org" - domain_search: "borne.crans.org" - options: - - { key: "time-servers", value: "10.231.148.98" } - - { key: "ntp-servers", value: "10.231.148.98" } - - { key: "ip-forwarding", value: "off" } - lease_file: "/var/local/re2o-services/dhcp/generated/dhcp.borne.crans.org.list" +re2o: + server: re2o.adm.crans.org + service_user: "ploptotoisverysecure" + service_password: "ploptotoisverysecure" + dhcp: + uri: "/tmp/re2o-dhcp.git" - - network: "185.230.78.0/24" - deny_unknown: True - vlan: "fil_pub" - default_lease_time: "86400" - routers: "185.230.78.254" - dns: ["185.230.78.152", "185.230.78.4"] - domain_name: "adh.crans.org" - domain_search: "adh.crans.org" - options: - - { key: "time-servers", value: "185.230.79.98" } - - { key: "ntp-servers", value: "185.230.79.98" } - - { key: "ip-forwarding", value: "off" } - - { key: "smtp-server", value: "185.230.79.39" } - lease_file: 
"/var/local/re2o-services/dhcp/generated/dhcp.adh.crans.org.list" - - - network: "10.54.0.0/19" - deny_unknown: True - vlan: "fil_new" - default_lease_time: "86400" - routers: "10.54.0.254" - dns: ["10.54.0.152", "10.54.0.4"] - domain_name: "fil.crans.org" - domain_search: "fil.crans.org" - options: - - { key: "time-servers", value: "185.230.79.98" } - - { key: "ntp-servers", value: "185.230.79.98" } - - { key: "ip-forwarding", value: "off" } - - { key: "smtp-server", value: "185.230.79.39" } - lease_file: "/var/local/re2o-services/dhcp/generated/dhcp.fil.crans.org.list" - - - network: "10.53.0.0/19" - deny_unknown: False # For Federez - vlan: "wifi_new" - default_lease_time: "86400" - routers: "10.53.0.254" - dns: ["10.53.0.152", "10.53.0.4"] - domain_name: "wifi.crans.org" - domain_search: "wifi.crans.org" - options: - - { key: "time-servers", value: "185.230.79.98" } - - { key: "ntp-servers", value: "185.230.79.98" } - - { key: "ip-forwarding", value: "off" } - - { key: "smtp-server", value: "185.230.79.39" } - lease_file: "/var/local/re2o-services/dhcp/generated/dhcp.wifi.crans.org.list" - range: ["10.53.21.0", "10.53.25.254"] +mail_server: smtp.new-infra.adm.crans.org diff --git a/group_vars/keepalived.yml b/group_vars/keepalived.yml index c507466e..e23f30b7 100644 --- a/group_vars/keepalived.yml +++ b/group_vars/keepalived.yml 
@@ -1,52 +1,11 @@ --- keepalived: - radius: - password: "{{ vault_keepalived_radius_password }}" - id: 52 - ipv6: yes - zones: - - vlan: adm - ipv4: 10.231.136.11/24 - brd: 10.231.136.255 - ipv6: 2a0c:700:0:2:ad:adff:fef0:f002/64 - - vlan: bornes - ipv4: 10.231.148.11/24 - brd: 10.231.148.255 - ipv6: fd01:240:fe3d:3:ad:adff:fef0:f003/64 - - vlan: switches - ipv4: 10.231.100.11/24 - brd: 10.231.100.255 - ipv6: fd01:240:fe3d:c804:ad:adff:fef0:f004/64 - router: - password: "{{ vault_keepalived_router_password }}" - id: 53 + dhcp: + password: "plopisverysecure" + id: 60 ipv6: no zones: - - vlan: adm - ipv4: 10.231.136.254/24 - brd: 10.231.136.255 - - vlan: fil_pub - ipv4: 185.230.78.254/24 - brd: 185.230.78.255 - - vlan: srv - ipv4: 185.230.79.254/24 - brd: 185.230.79.255 - - vlan: fil_new # Nat filaire - ipv4: 10.54.0.254/16 - brd: 10.54.255.255 - - vlan: wifi_new - ipv4: 10.53.0.254/16 - brd: 10.53.255.255 - - vlan: zayo - ipv4: 158.255.113.73/31 - proxy: - password: "{{ vault_keepalived_proxy_password }}" - id: 51 - ipv6: yes - zones: - - vlan: srv - ipv4: 185.230.79.194/32 - brd: 185.230.79.255 - ipv6: 2a0c:700:0:24:ba:ccff:feda:aa00/64 - + - vlan: adh-nat + ipv4: 100.64.0.99/16 + brd: 100.64.255.255 diff --git a/host_vars/routeur-daniel.adm.crans.org.yml b/host_vars/routeur-daniel.adm.crans.org.yml new file mode 100644 index 00000000..3b942bc7 --- /dev/null +++ b/host_vars/routeur-daniel.adm.crans.org.yml @@ -0,0 +1,15 @@ +--- +interfaces: + adm: ens18 + srv: ens19 + srv-nat: ens20 + infra: ens21 + adh: ens22 + adh-nat: ens23 + + +keepalived_instances: + - name: dhcp + tag: VI_DHCP + state: BACKUP + priority: 100 diff --git a/host_vars/routeur-sam.adm.crans.org.yml b/host_vars/routeur-sam.adm.crans.org.yml new file mode 100644 index 00000000..bec03731 --- /dev/null +++ b/host_vars/routeur-sam.adm.crans.org.yml 
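Review bot: `password: "plopisverysecure"` stores the VRRP authentication secret of the new `dhcp` instance in clear in group_vars, replacing three entries that read `"{{ vault_keepalived_*_password }}"`; keep that pattern, e.g. `password: "{{ vault_keepalived_dhcp_password }}"`, with the value in the vault file. The `radius`, `router` and `proxy` instances and their zones are deleted outright with no note; if this file now describes a staging subset (the `adh-nat` 100.64.0.0/16 range and the `new-infra` mail server in the dhcp.yml hunk suggest so), a comment at the top saying so would stop someone reintroducing the old zones from history. `ipv6: no` should be `false`.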
@@ -0,0 +1,15 @@ +--- +interfaces: + adm: ens18 + srv: ens19 + srv-nat: ens20 + infra: ens21 + adh: ens22 + adh-nat: ens23 + + +keepalived_instances: + - name: dhcp + tag: VI_DHCP + state: MASTER + priority: 150 diff --git a/hosts b/hosts index ca40c986..56fefdc0 100644 --- a/hosts +++ b/hosts @@ -36,8 +36,18 @@ sam.adm.crans.org daniel.adm.crans.org jack.adm.crans.org -[crans_routeurs] -routeur-daniel +[keepalived] +routeur-sam.adm.crans.org +routeur-daniel.adm.crans.org + +[dhcp] +routeur-sam.adm.crans.org +routeur-daniel.adm.crans.org + + +[crans_routeurs:children] +dhcp +keepalived [crans_physical] tealc.adm.crans.org diff --git a/roles/re2o-dhcp/tasks/main.yml b/roles/re2o-dhcp/tasks/main.yml index 16c83c42..cc11df72 100644 --- a/roles/re2o-dhcp/tasks/main.yml +++ b/roles/re2o-dhcp/tasks/main.yml @@ -15,10 +15,11 @@ etype: group permissions: rwx state: query + when: not ansible_check_mode - name: Clone re2o-dhcp repository git: - repo: 'http://gitlab.adm.crans.org/nounous/re2o-dhcp.git' + repo: "{{ re2o.dhcp.uri }}" dest: /var/local/re2o-services/dhcp version: crans umask: '002' @@ -30,6 +31,7 @@ owner: root group: root state: link + force: yes - name: Create generated directory file: From f93829267d4629445acca8f956f973632efcd88b Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Fri, 7 Aug 2020 16:52:26 +0200 Subject: [PATCH 30/36] [qemu-guest-agent] Install qemu-guest-agent on VMs --- plays/root.yml | 4 ++++ roles/qemu-guest-agent/tasks/main.yml | 10 ++++++++++ 2 files changed, 14 insertions(+) create mode 100644 roles/qemu-guest-agent/tasks/main.yml diff --git a/plays/root.yml b/plays/root.yml index e07668ed..aa4b9b81 100755 --- a/plays/root.yml +++ b/plays/root.yml @@ -21,6 +21,10 @@ # - crans-scripts - root-config +- hosts: crans_vm + roles: + - qemu-guest-agent + - hosts: slapd vars: slapd: '{{ glob_slapd | combine(loc_slapd | default({})) }}' 
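Review bot: `force: yes` on the `state: link` task makes `file` remove whatever already exists at the link path, including a regular file or directory, and the task's `path`/`dest` lies above the hunk so I cannot see what may be overwritten; if the intent is only to repair a wrong or dangling symlink, keep it but add a comment naming what may legitimately be there, otherwise drop it. In the first hunk, `repo: "{{ re2o.dhcp.uri }}"` now takes the clone source from group_vars, and the only value defined on this page is `/tmp/re2o-dhcp.git` (dhcp.yml hunk of this same commit), so the service code is pulled from a world-writable location — see the note on that hunk. `version: crans` tracks a branch; pinning a commit or setting `verify_commit: true` would tie the deployment to a reviewed revision. Both enclosing tasks start outside their hunks, and `yes` should be `true`.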
diff --git a/roles/qemu-guest-agent/tasks/main.yml b/roles/qemu-guest-agent/tasks/main.yml new file mode 100644 index 00000000..72a322aa --- /dev/null +++ b/roles/qemu-guest-agent/tasks/main.yml @@ -0,0 +1,10 @@ +--- +- name: Install qemu guest agent + apt: + update_cache: true + install_recommends: false + name: + - qemu-guest-agent + register: apt_result + retries: 3 + until: apt_result is succeeded From ea0d140a6633e4f23321c2bf423634e154f6499e Mon Sep 17 00:00:00 2001 From: shirenn Date: Fri, 7 Aug 2020 17:30:20 +0200 Subject: [PATCH 31/36] [keepalived][unsafe] PEP CRANS + dhcp notify --- roles/keepalived/README.md | 38 +++++++++++++++++++ roles/keepalived/tasks/main.yml | 13 +++++++ roles/keepalived/templates/bin/notify-dhcp | 24 ++++++++++++ .../templates/keepalived/keepalived.conf.j2 | 36 ++++++++++-------- 4 files changed, 95 insertions(+), 16 deletions(-) create mode 100644 roles/keepalived/README.md create mode 100755 roles/keepalived/templates/bin/notify-dhcp diff --git a/roles/keepalived/README.md b/roles/keepalived/README.md new file mode 100644 index 00000000..884a783b --- /dev/null +++ b/roles/keepalived/README.md 
@@ -0,0 +1,38 @@
+# KEEPALIVED
+
+Ce rôle installe keepalived pour permettre la redondance de certain service
+entre plusieurs services.
+/!\ Ce rôle déploie un script pour relancer automatiquement le serveur dhcp /!\
+
+## VARS
+
+keepalived:
+ - mail_destination: a qui envoyé les mails en cas de switching
+ - mail_source: qui envoie les mails
+ - smtp_server: le serveur smtp par qui passer pour envoyer les mails
+ - pool: Une liste de différentes instances installable sur la machine. Les
+ instances sont des dictionnaires comprenant les champs suivant :
+ - name: le nom de l'instance
+ - password: le mot de passe que vont utilisé les marchines d'une même
+ instance pour se synchroniser
+ - id: l'indentifiant qu'elles vont utiliser pour discuter
+ - ipv6: s'il est necessaire de configurer une instance supplémentaire pour
+ de l'ipv6
+ - notify: le script a notifé en cas de switching (s'il n'est pas précisé
+ aucun script n'est utilisé)
+ - administration: le vlan d'administration sur lequel les machines d'une
+ même instances vont discuter
+ - zones: une liste de zone sur lequel vont parler les instances keepalived.
+ Chaque zone est un disctionnaire comprenant les champs suivants:
+ - vlan: le vlan sur lequel est installé la zone
+ - ipv4: l'ipv4 au format CIDR partagé par les machines
+ - brd: s'il faut préciser ou non l'interface de broadcast
+ - ipv6: une ipv6 (elle peut ne pas être précisé, si elle est présente mais
+ que l'instance ne précise pas ipv6, elle sera ignoré)
+ - instances: Une liste d'instance a déployer sur la machine. Les instances
+ sont des dictionnaires comprenant les champs suivants:
+ - name: le nom de linstance a deployer
+ - tag: le petit nom à lui donner
+ - state: l'état (entre BACKUP et MASTER)
+ - priority: la priorité (pour un MASTER on met par défaut 150 puis on reduit
+ de 50 par 50)
diff --git a/roles/keepalived/tasks/main.yml b/roles/keepalived/tasks/main.yml
index 3eaa83ac..14fc00bd 100644
--- a/roles/keepalived/tasks/main.yml
+++ b/roles/keepalived/tasks/main.yml
@@ -13,3 +13,16 @@
 dest: /etc/keepalived/keepalived.conf
 mode: 0644
 notify: Reload keepalived.service
+
+- name: Create scripts directory
+ file:
+ path: /usr/scripts
+ state: directory
+
+- name: Deploy keepalived dhcp scripts
+ template:
+ src: bin/notify-dhcp
+ dest: /usr/scripts/notify-dhcp
+ mode: 0744
+ when: not ansible_check_mode
+ notify: Reload keepalived.service
diff --git a/roles/keepalived/templates/bin/notify-dhcp b/roles/keepalived/templates/bin/notify-dhcp
new file mode 100755
index 00000000..a62ad14c
--- /dev/null
+++ b/roles/keepalived/templates/bin/notify-dhcp
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+TYPE=$1
+NAME=$2
+STATE=$3
+
+case $STATE in
+ "MASTER")
+ logger -s '[DHCP-NOTIFY] Entering state MASTER, starting isc-dhcp-server.service'
+ systemctl start isc-dhcp-server.service
+ exit 0;;
+ "BACKUP")
+ logger -s '[DHCP-NOTIFY] Entering state BACKUP, stopping isc-dhcp-server.service'
+ systemctl stop isc-dhcp-server.service
+ exit 0;;
+ "FAULT")
+ logger -s '[DHCP-NOTIFY] Entering state FAULT, stopping isc-dhcp-server.service'
+ systemctl stop isc-dhcp-server.service
+ exit 0;;
+ *)
+ logger -s '[DHCP-NOTIFY] Entering UNKNOWN state, doing nothing'
+ exit 1;;
+esac
+
diff --git a/roles/keepalived/templates/keepalived/keepalived.conf.j2 b/roles/keepalived/templates/keepalived/keepalived.conf.j2
index f0530d8f..97c93c53 100644
--- a/roles/keepalived/templates/keepalived/keepalived.conf.j2
+++ b/roles/keepalived/templates/keepalived/keepalived.conf.j2
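Review bot: The notify script is executed by keepalived as root, yet the `/usr/scripts` directory is created with no `owner`/`group`/`mode` and the script itself only gets `mode: 0744`, so the permissions of a root-run hook depend on the default umask of whoever runs the play; pin both with `owner: root`, `group: root` and a quoted mode (`mode: "0755"` for the directory, `mode: "0744"` for the script), which is also what keepalived's own script-security check demands before it will run a root script from a path writable by a non-root user. The unquoted `0744` is parsed by YAML as an octal integer — Ansible tolerates the leading zero, but yamllint flags it and quoting removes the ambiguity. The `when: not ansible_check_mode` on a `template` task only hides the script diff in check mode and should be dropped unless there is a reason not visible here.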
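Review bot: Every branch of the `case` ends in `exit 0` regardless of what `systemctl start`/`stop` returned, so a failed takeover of `isc-dhcp-server` on the new MASTER is reported to keepalived as success and the only trace is the preceding logger line. Propagate the service manager's status instead, e.g. `systemctl start isc-dhcp-server.service; exit $?` (and the same for the two stop branches), and quote the expansion as `case "$STATE" in`. `TYPE` and `NAME` are assigned but never used, and although the file is deployed through `template` it carries no `{{ ansible_header | comment }}` line after the shebang like the other templates in this series, so on the host nothing marks it as Ansible-managed.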
@@ -1,31 +1,33 @@
 {{ ansible_header | comment }}
 global_defs {
- notification_email {
- root@crans.org
- }
- notification_email_from keepalived@crans.org
- smtp_server smtp.adm.crans.org
+ notification_email { {{ keepalived.mail_destination }} }
+ notification_email_from {{ keepalived.mail_source }}
+ smtp_server {{ keepalived.smtp_server }}
 }
-{% for instance in keepalived_instances %}
+{% for instance in keepalived.instances %}
 vrrp_instance {{ instance.tag }}4 {
 state {{ instance.state }}
 priority {{ instance.priority }}
 smtp_alert
 interface {{ interfaces.adm }}
- virtual_router_id {{ keepalived[instance.name].id }}
+ virtual_router_id {{ keepalived.pool[instance.name].id }}
 advert_int 2
 authentication {
 auth_type PASS
- auth_pass {{ keepalived[instance.name].password }}
+ auth_pass {{ keepalived.pool[instance.name].password }}
 }
+{% if keepalived.pool[instance.name].notify is defined %}
+ notify {{ keepalived.pool[instance.name].notify }}
+{% endif %}
+
 virtual_ipaddress {
-{% for zone in keepalived[instance.name].zones %}
- {% if zone.brd is defined %}
- {{ zone.ipv4 }} brd {{ zone.brd }} dev {{ interfaces[zone.vlan] }} scope global
+{% for zone in keepalived.pool[instance.name].zones %}
+ {% if zone.brd %}
+ {{ zone.ipv4 }} brd {{ zone.ipv4 | ipaddr('broadcast') }} dev {{ interfaces[zone.vlan] }} scope global
 {% else %}
 {{ zone.ipv4 }} dev {{ interfaces[zone.vlan] }} scope global
 {% endif %}
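Review bot: `{% if zone.brd %}` replaces an `is defined` test, so a zone that simply omits `brd` now aborts the whole template with an undefined-variable error instead of falling back to the no-broadcast form; write `{% if zone.brd | default(false) %}`. The README added in this same series describes `brd` as a yes/no flag, while `group_vars/keepalived.yml` still carries the old address value `100.64.255.255`, which only works because any non-empty string is truthy. The `ipaddr('broadcast')` filter additionally requires the `netaddr` Python package on the controller. The surviving `auth_type PASS`/`auth_pass` block sends the password in cleartext in every VRRP advertisement and keepalived only uses its first eight characters, so it should be treated as a peer-discrimination token protected by the adm VLAN, not as a secret.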
@@ -33,23 +35,25 @@ vrrp_instance {{ instance.tag }}4 {
 }
 }
-{% if keepalived[instance.name].ipv6 %}
+{% if keepalived.pool[instance.name].ipv6 %}
 vrrp_instance {{ instance.tag }}6 {
 state {{ instance.state }}
 priority {{ instance.priority }}
 smtp_alert
- interface {{ interfaces.adm }}
- virtual_router_id {{ keepalived[instance.name].id }}
+ interface {{ keepalived.pool[instance.name].administration }}
+ virtual_router_id {{ keepalived.pool[instance.name].id }}
 advert_int 2
 authentication {
 auth_type PASS
- auth_pass {{ keepalived[instance.name].password }}
+ auth_pass {{ keepalived.pool[instance.name].password }}
 }
 virtual_ipaddress {
-{% for zone in keepalived[instance.name].zones %}
+{% for zone in keepalived.pool[instance.name].zones %}
+{% if zone.ipv6 is defined %}
 {{ zone.ipv6 }} dev {{ interfaces[zone.vlan] }} scope global
+{% endif %}
 {% endfor %}
 }
 }
From dfa8f6059b8e436386d3a283143240d62b5c84b2 Mon Sep 17 00:00:00 2001
From: shirenn
Date: Fri, 7 Aug 2020 17:31:02 +0200
Subject: [PATCH 32/36] [keepalived] Crans configuration
---
 group_vars/keepalived.yml | 23 +++++++++++++---------
 host_vars/bakdaur.adm.crans.org.yml | 11 ++++++-----
 host_vars/eap.adm.crans.org.yml | 11 ++++++-----
 host_vars/frontdaur.adm.crans.org.yml | 11 ++++++-----
 host_vars/gulp.adm.crans.org.yml | 11 ++++++-----
 host_vars/odlyd.adm.crans.org.yml | 19 +++++++++---------
 host_vars/radius.adm.crans.org.yml | 11 ++++++-----
 host_vars/routeur-daniel.adm.crans.org.yml | 11 ++++++-----
 host_vars/routeur-sam.adm.crans.org.yml | 11 ++++++-----
 plays/keepalived.yml | 2 ++
 10 files changed, 68 insertions(+), 53 deletions(-)
diff --git a/group_vars/keepalived.yml b/group_vars/keepalived.yml
index e23f30b7..11fe3e00 100644
--- a/group_vars/keepalived.yml
+++ b/group_vars/keepalived.yml
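Review bot: The IPv6 instance now binds to `{{ keepalived.pool[instance.name].administration }}` used verbatim as an interface name, while the IPv4 instance of the same pool entry still resolves its interface through `interfaces.adm`; the README in this series describes `administration` as a VLAN name, which suggests the lookup `interfaces[...]` was intended, and with the current code a pool entry without `administration` fails to render at all. Use one convention for both instances, e.g. `interface {{ interfaces[keepalived.pool[instance.name].administration | default('adm')] }}`, so the two VRRP instances of a pool cannot silently end up on different links.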
@@ -1,11 +1,16 @@
 ---
-keepalived:
- dhcp:
- password: "plopisverysecure"
- id: 60
- ipv6: no
- zones:
- - vlan: adh-nat
- ipv4: 100.64.0.99/16
- brd: 100.64.255.255
+glob_keepalived:
+ mail_source: keepalived@crans.org
+ mail_destination: root@crans.org
+ smtp_server: smtp.adm.crans.org
+ pool:
+ dhcp:
+ password: "plopisverysecure"
+ id: 60
+ ipv6: no
+ notify: /usr/scripts/notify-dhcp
+ zones:
+ - vlan: adh-nat
+ ipv4: 100.64.0.99/16
+ brd: 100.64.255.255
diff --git a/host_vars/bakdaur.adm.crans.org.yml b/host_vars/bakdaur.adm.crans.org.yml
index b81d2233..9ef2268d 100644
--- a/host_vars/bakdaur.adm.crans.org.yml
+++ b/host_vars/bakdaur.adm.crans.org.yml
@@ -3,8 +3,9 @@ interfaces:
 adm: eth0
 srv: eth1
-keepalived_instances:
- - name: proxy
- tag: VI_DAUR
- state: MASTER
- priority: 150
+lco_keepalived:
+ instances:
+ - name: proxy
+ tag: VI_DAUR
+ state: MASTER
+ priority: 150
diff --git a/host_vars/eap.adm.crans.org.yml b/host_vars/eap.adm.crans.org.yml
index 4e5e746f..31f6cfa6 100644
--- a/host_vars/eap.adm.crans.org.yml
+++ b/host_vars/eap.adm.crans.org.yml
@@ -5,8 +5,9 @@ interfaces:
 bornes: eth1
 switches: eth2
-keepalived_instances:
- - name: radius
- tag: VI_RAD
- state: BACKUP
- priority: 100
+loc_keepalived:
+ instances:
+ - name: radius
+ tag: VI_RAD
+ state: BACKUP
+ priority: 100
diff --git a/host_vars/frontdaur.adm.crans.org.yml b/host_vars/frontdaur.adm.crans.org.yml
index e2fd550b..69bfb5ea 100644
--- a/host_vars/frontdaur.adm.crans.org.yml
+++ b/host_vars/frontdaur.adm.crans.org.yml
@@ -3,8 +3,9 @@ interfaces:
 adm: eth1
 srv: eth0
-keepalived_instances:
- - name: proxy
- tag: VI_DAUR
- state: BACKUP
- priority: 100
+loc_keepalived:
+ instances:
+ - name: proxy
+ tag: VI_DAUR
+ state: BACKUP
+ priority: 100
diff --git a/host_vars/gulp.adm.crans.org.yml b/host_vars/gulp.adm.crans.org.yml
index 1d244937..6289c701 100644
--- a/host_vars/gulp.adm.crans.org.yml
+++ b/host_vars/gulp.adm.crans.org.yml
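Review bot: The VRRP password `plopisverysecure` stays committed in cleartext in `group_vars/keepalived.yml` even though the same patch series moves the LDAP key and certificate behind `vault_*` variables; move it to `password: "{{ vault_keepalived_dhcp_password }}"` with the value in a vaulted file. The `brd: 100.64.255.255` entry was meaningful to the previous template, which printed it after `brd`, but the template in this series now tests `zone.brd` as a boolean and recomputes the broadcast address itself, so this should become `brd: true` (and `ipv6: no` should be `ipv6: false` per Ansible's truthy convention).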
@@ -7,8 +7,9 @@ interfaces:
 wifi_new: ens1f0.22
 zayo: ens1f0.26
-keepalived_instances:
- - name: router
- tag: VI_ROUT
- state: MASTER
- priority: 150
+loc_keepalived:
+ instances:
+ - name: router
+ tag: VI_ROUT
+ state: MASTER
+ priority: 150
diff --git a/host_vars/odlyd.adm.crans.org.yml b/host_vars/odlyd.adm.crans.org.yml
index 2e0d7c1e..988fb0ca 100644
--- a/host_vars/odlyd.adm.crans.org.yml
+++ b/host_vars/odlyd.adm.crans.org.yml
@@ -10,12 +10,13 @@ interfaces:
 srv: ens1f0.24
 zayo: ens1f0.26
-keepalived_instances:
- - name: radius
- tag: VI_RAD
- state: BACKUP
- priority: 50
- - name: router
- tag: VI_ROUT
- state: BACKUP
- priority: 100
+loc_keepalived:
+ instances:
+ - name: radius
+ tag: VI_RAD
+ state: BACKUP
+ priority: 50
+ - name: router
+ tag: VI_ROUT
+ state: BACKUP
+ priority: 100
diff --git a/host_vars/radius.adm.crans.org.yml b/host_vars/radius.adm.crans.org.yml
index b4a3a4b0..da534c10 100644
--- a/host_vars/radius.adm.crans.org.yml
+++ b/host_vars/radius.adm.crans.org.yml
@@ -5,8 +5,9 @@ interfaces:
 bornes: eth1
 switches: eth2
-keepalived_instances:
- - name: radius
- tag: VI_RAD
- state: MASTER
- priority: 150
+loc_keepalived:
+ instances:
+ - name: radius
+ tag: VI_RAD
+ state: MASTER
+ priority: 150
diff --git a/host_vars/routeur-daniel.adm.crans.org.yml b/host_vars/routeur-daniel.adm.crans.org.yml
index 3b942bc7..c3b93c47 100644
--- a/host_vars/routeur-daniel.adm.crans.org.yml
+++ b/host_vars/routeur-daniel.adm.crans.org.yml
@@ -8,8 +8,9 @@ interfaces:
 adh-nat: ens23
-keepalived_instances:
- - name: dhcp
- tag: VI_DHCP
- state: BACKUP
- priority: 100
+loc_keepalived:
+ instances:
+ - name: dhcp
+ tag: VI_DHCP
+ state: BACKUP
+ priority: 100
diff --git a/host_vars/routeur-sam.adm.crans.org.yml b/host_vars/routeur-sam.adm.crans.org.yml
index bec03731..0c4bc74b 100644
--- a/host_vars/routeur-sam.adm.crans.org.yml
+++ b/host_vars/routeur-sam.adm.crans.org.yml
@@ -8,8 +8,9 @@ interfaces:
 adh-nat: ens23
-keepalived_instances:
- - name: dhcp
- tag: VI_DHCP
- state: MASTER
- priority: 150
+loc_keepalived:
+ instances:
+ - name: dhcp
+ tag: VI_DHCP
+ state: MASTER
+ priority: 150
diff --git a/plays/keepalived.yml b/plays/keepalived.yml
index dc2e7419..7b6a6634 100755
--- a/plays/keepalived.yml
+++ b/plays/keepalived.yml
@@ -1,5 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts: keepalived
+ vars:
+ keepalived: "{{ glob_keepalived | combine(loc_keepalived) }}"
 roles:
 - keepalived
From 1c47cce83dfc2d845623c54f402a250245bba2c8 Mon Sep 17 00:00:00 2001
From: pa
Date: Fri, 7 Aug 2020 17:35:17 +0200
Subject: [PATCH 33/36] [keepalived] Typo bakdaur.adm.crans.org.yml
---
 host_vars/bakdaur.adm.crans.org.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/host_vars/bakdaur.adm.crans.org.yml b/host_vars/bakdaur.adm.crans.org.yml
index 9ef2268d..35863407 100644
--- a/host_vars/bakdaur.adm.crans.org.yml
+++ b/host_vars/bakdaur.adm.crans.org.yml
@@ -3,7 +3,7 @@ interfaces:
 adm: eth0
 srv: eth1
-lco_keepalived:
+loc_keepalived:
 instances:
 - name: proxy
 tag: VI_DAUR
From 3587d0ab2d988af619e3e4c521092c247ca8dee7 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot
Date: Sat, 8 Aug 2020 14:56:55 +0200
Subject: [PATCH 34/36] Pollion you're drunk
---
 group_vars/crans_server/vars.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/group_vars/crans_server/vars.yml b/group_vars/crans_server/vars.yml
index 75c8f4d8..136ce4ab 100644
--- a/group_vars/crans_server/vars.yml
+++ b/group_vars/crans_server/vars.yml
@@ -6,4 +6,4 @@ ldap:
 # Parameters for debian mirror
 debian_mirror: http://mirror.adm.crans.org/debian
-debian_components: main non_free
+debian_components: main non-free
From dc35709d862bf63f67025958c1f12d4697d28861 Mon Sep 17 00:00:00 2001
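Review bot: `glob_keepalived | combine(loc_keepalived)` fails for any host in the `keepalived` group that has no `loc_keepalived` in its host_vars, and because `combine` is shallow by default a host that ever sets `pool` locally would replace the entire global pool rather than add to it. Mirror the `slapd` play in `plays/root.yml` from this series and default the local half: `keepalived: "{{ glob_keepalived | combine(loc_keepalived | default({}), recursive=True) }}"`.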
From: Benjamin Graillot
Date: Sat, 8 Aug 2020 14:57:43 +0200
Subject: [PATCH 35/36] [slapd] Deploy LDAP certificate
---
 plays/root.yml | 3 +++
 roles/slapd/tasks/main.yml | 10 +++++++---
 roles/slapd/templates/ldap/ldap.key.j2 | 1 +
 roles/slapd/templates/ldap/ldap.pem.j2 | 1 +
 roles/slapd/templates/ldap/slapd.conf.j2 | 5 ++---
 5 files changed, 14 insertions(+), 6 deletions(-)
 create mode 100644 roles/slapd/templates/ldap/ldap.key.j2
 create mode 100644 roles/slapd/templates/ldap/ldap.pem.j2
diff --git a/plays/root.yml b/plays/root.yml
index aa4b9b81..2e82cc8a 100755
--- a/plays/root.yml
+++ b/plays/root.yml
@@ -28,6 +28,9 @@
 - hosts: slapd
 vars:
 slapd: '{{ glob_slapd | combine(loc_slapd | default({})) }}'
+ ldap:
+ private_key: "{{ vault_ldap_private_key }}"
+ certificate: "{{ vault_ldap_certificate }}"
 roles:
 - slapd
diff --git a/roles/slapd/tasks/main.yml b/roles/slapd/tasks/main.yml
index 84599aa2..f377a77e 100644
--- a/roles/slapd/tasks/main.yml
+++ b/roles/slapd/tasks/main.yml
@@ -15,11 +15,15 @@
 - name: Deploy slapd configuration
 template:
- src: ldap/slapd.conf.j2
- dest: /etc/ldap/slapd.conf
- mode: 0600
+ src: "ldap/{{ item.dest }}.j2"
+ dest: "/etc/ldap/{{ item.dest }}"
+ mode: "{{ item.mode }}"
 owner: openldap
 group: openldap
+ loop:
+ - { dest: slapd.conf, mode: "0600" }
+ - { dest: ldap.key, mode: "0600" }
+ - { dest: ldap.pem, mode: "0644" }
 notify: Restart slapd
 - name: Deploy ldap services
diff --git a/roles/slapd/templates/ldap/ldap.key.j2 b/roles/slapd/templates/ldap/ldap.key.j2
new file mode 100644
index 00000000..926db60f
--- /dev/null
+++ b/roles/slapd/templates/ldap/ldap.key.j2
@@ -0,0 +1 @@
+{{ ldap.private_key }}
diff --git a/roles/slapd/templates/ldap/ldap.pem.j2 b/roles/slapd/templates/ldap/ldap.pem.j2
new file mode 100644
index 00000000..ed4f7a5c
--- /dev/null
+++ b/roles/slapd/templates/ldap/ldap.pem.j2
@@ -0,0 +1 @@
+{{ ldap.certificate }}
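Review bot: A play-level `ldap` variable outranks group and host vars, and the `group_vars/crans_server/vars.yml` hunk earlier in this series shows a top-level `ldap:` mapping already exists for that group, so for the `slapd` play that whole mapping is shadowed by a dict holding only `private_key` and `certificate`; any other `ldap.<key>` the slapd role reads would become undefined. Use a distinct name such as `slapd_tls` (and reference `slapd_tls.private_key` / `slapd_tls.certificate` in the two new templates), or fold the two values into the existing `slapd` dict that this play already builds.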
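Review bot: The looped `template` task now renders the private key, and in `--diff` or verbose runs Ansible prints both the loop item and the rendered content, so the key material ends up in controller output and CI logs; add `no_log: true` to the task (or split the key into its own task carrying `no_log`) and use `loop_control: label: "{{ item.dest }}"` so the task list stays readable. `owner: openldap` with `mode: "0600"` on the key is right; since the handler restarts slapd unconditionally, consider a `validate: slaptest -u -f %s` on the `slapd.conf` item so a broken TLS stanza does not take the directory down.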
diff --git a/roles/slapd/templates/ldap/slapd.conf.j2 b/roles/slapd/templates/ldap/slapd.conf.j2
index 762756b8..5c6cccab 100644
--- a/roles/slapd/templates/ldap/slapd.conf.j2
+++ b/roles/slapd/templates/ldap/slapd.conf.j2
@@ -35,9 +35,8 @@ moduleload syncprov
 # TODO FAIRE LES CERTIFICATS
 # TLS Certificates
 #TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3
-#TLSCACertificateFile /etc/ssl/certs/ServENS.crt
-#TLSCertificateFile /etc/ldap/ldap.pem
-#TLSCertificateKeyFile /etc/ldap/ldap.key
+TLSCertificateFile /etc/ldap/ldap.pem
+TLSCertificateKeyFile /etc/ldap/ldap.key
 # The maximum number of entries that is returned for a search operation
 sizelimit 500
From b14088da0b91284f68b3070c0f3f28a37798cf7c Mon Sep 17 00:00:00 2001
From: vulcain
Date: Sat, 8 Aug 2020 15:19:16 +0200
Subject: [PATCH 36/36] patch source of python.nanorc
---
 roles/root-config/templates/nanorc.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/root-config/templates/nanorc.j2 b/roles/root-config/templates/nanorc.j2
index d6c3b174..0a24621d 100644
--- a/roles/root-config/templates/nanorc.j2
+++ b/roles/root-config/templates/nanorc.j2
@@ -285,7 +285,7 @@ include "/usr/share/nano/groff.nanorc"
 include "/usr/share/nano/perl.nanorc"
 ## Python
-include "/usr/local/share/nano/python.nanorc"
+include "/usr//share/nano/python.nanorc"
 ## Ruby
 include "/usr/share/nano/ruby.nanorc"
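Review bot: With the certificate and key now active, the `# TODO FAIRE LES CERTIFICATS` comment above them is stale and the only hardening line, `#TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3`, is still commented out, so slapd accepts whatever its TLS library allows by default. Set a floor and a policy explicitly — `TLSProtocolMin 3.3` for TLS 1.2, plus a `TLSCipherSuite` whose syntax matches the TLS backend this slapd build uses (the old OpenSSL-style string will not parse on a GnuTLS build, so check before copying it) — and decide deliberately whether the dropped `TLSCACertificateFile` is needed for the chain or for client-certificate checks. Consider `security ssf=128` (or at least `simple_bind=128`) so binds carrying credentials cannot happen over cleartext now that TLS exists.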
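Review bot: The new include path `/usr//share/nano/python.nanorc` contains a doubled slash; it still resolves on a POSIX filesystem but reads as a leftover from editing `local` out of the path and breaks the pattern of every neighbouring include. Write `include "/usr/share/nano/python.nanorc"`.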