crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'newinfra' into 'nano' 

# Conflicts:
#   roles/root-config/templates/nanorc.j2
certbot_on_virtu
vulcain 2020-08-09 02:09:20 +02:00
parent 2cf9fe0743 45a84cf91d
commit 26ae5d595a
47 changed files with 754 additions and 487 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
base.yml
View File

@ -1,52 +1,40 @@
#!/usr/bin/env ansible-playbook
---
# Set variable adm_iface for all servers
- import_playbook: plays/get_adm_iface.yml
# - hosts: server
# tasks:
# - name: Register adm interface in adm_iface variable
# shell: set -o pipefail && grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
# register: adm_iface
# check_mode: false
# changed_when: true
# args:
# executable: /bin/bash
# Common CRANS configuration for all servers
- hosts: server
vars:
# Debian mirror on adm
debian_mirror: http://mirror.adm.crans.org/debian
debian_components: main non-free
# LDAP binding
ldap_base: 'dc=crans,dc=org'
ldap_master_ipv4: '10.231.136.19'
ldap_local_replica_uri:
- "ldap://10.231.136.38"
- "ldap://10.231.136.4"
ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
# Group permissions
ssh_allow_groups: ssh nounou apprenti cableur root
# Scripts will tell users to go there to manage their account
intranet_url: 'https://intranet.crans.org/'
# Will be in /usr/scripts/
crans_scripts_git: "http://gitlab.adm.crans.org/nounous/scripts.git"
# NTP servers
ntp_servers:
- charybde.adm.crans.org
- silice.adm.crans.org
- hosts: otis.adm.crans.org
roles:
- common-tools
- debian-apt-sources
- ldap-client
- openssh
- sudo
- ntp-client
- crans-scripts
- root-config
- ansible
- import_playbook: plays/mail.yml
# Tools for members
- hosts: zamok.adm.crans.org
roles:
# - zamok-tools
# - import_playbook: plays/mail.yml
- import_playbook: plays/nfs.yml
- import_playbook: plays/logs.yml
- import_playbook: plays/backup.yml
- import_playbook: plays/network-interfaces.yml
- import_playbook: plays/monitoring.yml
# - import_playbook: plays/logs.yml
# - import_playbook: plays/backup.yml
# - import_playbook: plays/network-interfaces.yml
# - import_playbook: plays/monitoring.yml
# - import_playbook: plays/generate_documentation.yml
# Services that only apply to a subset of server
# - import_playbook: plays/tv.yml
# - import_playbook: plays/mailman.yml
# - import_playbook: plays/dhcp.yml
# - import_playbook: plays/dns.yml
# - import_playbook: plays/wireguard.yml
# - import_playbook: plays/mirror.yml
# - import_playbook: plays/owncloud.yml
# - import_playbook: plays/reverse-proxy.yml

59
group_vars/all/vars.yaml
View File

@ -16,28 +16,39 @@ ansible_header: |
# Crans subnets
adm_subnet: 10.231.136.0/24
# Role rsync-client
to_backup:
- {
name: "var",
path: "/var",
auth_users: "backupcrans",
secrets_file: "/etc/rsyncd.secrets",
hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"],
}
- {
name: "slash",
path: "/",
auth_users: "backupcrans",
secrets_file: "/etc/rsyncd.secrets",
hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"],
}
# # Role rsync-client
# to_backup:
# - {
# name: "var",
# path: "/var",
# auth_users: "backupcrans",
# secrets_file: "/etc/rsyncd.secrets",
# hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"],
# }
# - {
# name: "slash",
# path: "/",
# auth_users: "backupcrans",
# secrets_file: "/etc/rsyncd.secrets",
# hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"],
# }
#
# re2o:
# server: re2o.adm.crans.org
# service_user: "{{ vault_re2o_service_user }}"
# service_password: "{{ vault_re2o_service_password }}"
#
#
# # global server definitions
# mail_server: smtp.adm.crans.org
glob_ldap:
servers:
- 172.16.10.1
- 172.16.10.11
- 172.16.10.12
- 172.16.10.13
base: 'dc=crans,dc=org'
local: false # local configuration but default value
re2o:
server: re2o.adm.crans.org
service_user: "{{ vault_re2o_service_user }}"
service_password: "{{ vault_re2o_service_password }}"
# global server definitions
mail_server: smtp.adm.crans.org
home_nounous:
ip: 172.16.10.1

9
group_vars/crans_server/vars.yml 100644
View File

@ -0,0 +1,9 @@
ldap:
local: False
servers: ["172.16.1.1"]
base: "dc=crans,dc=org"
# Parameters for debian mirror
debian_mirror: http://mirror.adm.crans.org/debian
debian_components: main non-free

88
group_vars/dhcp.yml
View File

@ -3,80 +3,26 @@
dhcp:
authoritative: True
global_options:
- { key: "interface-mtu", value: "1496" }
- { key: "interface-mtu", value: "1500" }
global_parameters: []
subnets:
- network: "10.51.0.0/16"
deny_unknown: False
vlan: "accueil"
- network: "100.64.0.0/16"
deny_unknown: True
vlan: "adh-nat"
default_lease_time: "600"
max_lease_time: "7200"
routers: "10.51.0.10"
dns: ["10.51.0.152", "10.51.0.4"]
domain_name: "accueil.crans.org"
domain_search: "accueil.crans.org"
options:
- { key: "time-servers", value: "10.51.0.10" }
- { key: "ntp-servers", value: "10.51.0.10" }
- { key: "ip-forwarding", value: "off" }
range: ["10.51.1.0", "10.51.255.255"]
routers: "100.64.0.99"
dns: ["100.64.0.101", "100.64.0.102"]
domain_name: "adh-nat.crans.org"
domain_search: "adh-nat.crans.org"
options: []
lease_file: "/tmp/dhcp.list"
- network: "10.231.148.0/24"
deny_unknown: False
vlan: "bornes"
default_lease_time: "8600"
routers: "10.231.148.254"
dns: ["10.231.148.152", "10.231.148.4"]
domain_name: "borne.crans.org"
domain_search: "borne.crans.org"
options:
- { key: "time-servers", value: "10.231.148.98" }
- { key: "ntp-servers", value: "10.231.148.98" }
- { key: "ip-forwarding", value: "off" }
lease_file: "/var/local/re2o-services/dhcp/generated/dhcp.borne.crans.org.list"
re2o:
server: re2o.adm.crans.org
service_user: "ploptotoisverysecure"
service_password: "ploptotoisverysecure"
dhcp:
uri: "/tmp/re2o-dhcp.git"
- network: "185.230.78.0/24"
deny_unknown: True
vlan: "fil_pub"
default_lease_time: "86400"
routers: "185.230.78.254"
dns: ["185.230.78.152", "185.230.78.4"]
domain_name: "adh.crans.org"
domain_search: "adh.crans.org"
options:
- { key: "time-servers", value: "185.230.79.98" }
- { key: "ntp-servers", value: "185.230.79.98" }
- { key: "ip-forwarding", value: "off" }
- { key: "smtp-server", value: "185.230.79.39" }
lease_file: "/var/local/re2o-services/dhcp/generated/dhcp.adh.crans.org.list"
- network: "10.54.0.0/19"
deny_unknown: True
vlan: "fil_new"
default_lease_time: "86400"
routers: "10.54.0.254"
dns: ["10.54.0.152", "10.54.0.4"]
domain_name: "fil.crans.org"
domain_search: "fil.crans.org"
options:
- { key: "time-servers", value: "185.230.79.98" }
- { key: "ntp-servers", value: "185.230.79.98" }
- { key: "ip-forwarding", value: "off" }
- { key: "smtp-server", value: "185.230.79.39" }
lease_file: "/var/local/re2o-services/dhcp/generated/dhcp.fil.crans.org.list"
- network: "10.53.0.0/19"
deny_unknown: False # For Federez
vlan: "wifi_new"
default_lease_time: "86400"
routers: "10.53.0.254"
dns: ["10.53.0.152", "10.53.0.4"]
domain_name: "wifi.crans.org"
domain_search: "wifi.crans.org"
options:
- { key: "time-servers", value: "185.230.79.98" }
- { key: "ntp-servers", value: "185.230.79.98" }
- { key: "ip-forwarding", value: "off" }
- { key: "smtp-server", value: "185.230.79.39" }
lease_file: "/var/local/re2o-services/dhcp/generated/dhcp.wifi.crans.org.list"
range: ["10.53.21.0", "10.53.25.254"]
mail_server: smtp.new-infra.adm.crans.org

64
group_vars/keepalived.yml
View File

@ -1,52 +1,16 @@
---
keepalived:
radius:
password: "{{ vault_keepalived_radius_password }}"
id: 52
ipv6: yes
zones:
- vlan: adm
ipv4: 10.231.136.11/24
brd: 10.231.136.255
ipv6: 2a0c:700:0:2:ad:adff:fef0:f002/64
- vlan: bornes
ipv4: 10.231.148.11/24
brd: 10.231.148.255
ipv6: fd01:240:fe3d:3:ad:adff:fef0:f003/64
- vlan: switches
ipv4: 10.231.100.11/24
brd: 10.231.100.255
ipv6: fd01:240:fe3d:c804:ad:adff:fef0:f004/64
router:
password: "{{ vault_keepalived_router_password }}"
id: 53
ipv6: no
zones:
- vlan: adm
ipv4: 10.231.136.254/24
brd: 10.231.136.255
- vlan: fil_pub
ipv4: 185.230.78.254/24
brd: 185.230.78.255
- vlan: srv
ipv4: 185.230.79.254/24
brd: 185.230.79.255
- vlan: fil_new # Nat filaire
ipv4: 10.54.0.254/16
brd: 10.54.255.255
- vlan: wifi_new
ipv4: 10.53.0.254/16
brd: 10.53.255.255
- vlan: zayo
ipv4: 158.255.113.73/31
proxy:
password: "{{ vault_keepalived_proxy_password }}"
id: 51
ipv6: yes
zones:
- vlan: srv
ipv4: 185.230.79.194/32
brd: 185.230.79.255
ipv6: 2a0c:700:0:24:ba:ccff:feda:aa00/64
glob_keepalived:
mail_source: keepalived@crans.org
mail_destination: root@crans.org
smtp_server: smtp.adm.crans.org
pool:
dhcp:
password: "plopisverysecure"
id: 60
ipv6: no
notify: /usr/scripts/notify-dhcp
zones:
- vlan: adh-nat
ipv4: 100.64.0.99/16
brd: 100.64.255.255

6
group_vars/slapd.yml 100644
View File

@ -0,0 +1,6 @@
---
glob_slapd:
master_ip: 172.16.10.1
replication_credentials: "{{ vault_ldap_replication_credentials }}"

11
host_vars/bakdaur.adm.crans.org.yml
View File

@ -3,8 +3,9 @@ interfaces:
adm: eth0
srv: eth1
keepalived_instances:
- name: proxy
tag: VI_DAUR
state: MASTER
priority: 150
loc_keepalived:
instances:
- name: proxy
tag: VI_DAUR
state: MASTER
priority: 150

5
host_vars/daniel.adm.crans.org.yml 100644
View File

@ -0,0 +1,5 @@
---
loc_slapd:
ip: 172.16.10.12
replica: true
replica_rid: 2

11
host_vars/eap.adm.crans.org.yml
View File

@ -5,8 +5,9 @@ interfaces:
bornes: eth1
switches: eth2
keepalived_instances:
- name: radius
tag: VI_RAD
state: BACKUP
priority: 100
loc_keepalived:
instances:
- name: radius
tag: VI_RAD
state: BACKUP
priority: 100

11
host_vars/frontdaur.adm.crans.org.yml
View File

@ -3,8 +3,9 @@ interfaces:
adm: eth1
srv: eth0
keepalived_instances:
- name: proxy
tag: VI_DAUR
state: BACKUP
priority: 100
loc_keepalived:
instances:
- name: proxy
tag: VI_DAUR
state: BACKUP
priority: 100

11
host_vars/gulp.adm.crans.org.yml
View File

@ -7,8 +7,9 @@ interfaces:
wifi_new: ens1f0.22
zayo: ens1f0.26
keepalived_instances:
- name: router
tag: VI_ROUT
state: MASTER
priority: 150
loc_keepalived:
instances:
- name: router
tag: VI_ROUT
state: MASTER
priority: 150

5
host_vars/jack.adm.crans.org.yml 100644
View File

@ -0,0 +1,5 @@
---
loc_slapd:
ip: 172.16.10.13
replica: true
replica_rid: 3

19
host_vars/odlyd.adm.crans.org.yml
View File

@ -10,12 +10,13 @@ interfaces:
srv: ens1f0.24
zayo: ens1f0.26
keepalived_instances:
- name: radius
tag: VI_RAD
state: BACKUP
priority: 50
- name: router
tag: VI_ROUT
state: BACKUP
priority: 100
loc_keepalived:
instances:
- name: radius
tag: VI_RAD
state: BACKUP
priority: 50
- name: router
tag: VI_ROUT
state: BACKUP
priority: 100

11
host_vars/radius.adm.crans.org.yml
View File

@ -5,8 +5,9 @@ interfaces:
bornes: eth1
switches: eth2
keepalived_instances:
- name: radius
tag: VI_RAD
state: MASTER
priority: 150
loc_keepalived:
instances:
- name: radius
tag: VI_RAD
state: MASTER
priority: 150

16
host_vars/routeur-daniel.adm.crans.org.yml 100644
View File

@ -0,0 +1,16 @@
---
interfaces:
adm: ens18
srv: ens19
srv-nat: ens20
infra: ens21
adh: ens22
adh-nat: ens23
loc_keepalived:
instances:
- name: dhcp
tag: VI_DHCP
state: BACKUP
priority: 100

16
host_vars/routeur-sam.adm.crans.org.yml 100644
View File

@ -0,0 +1,16 @@
---
interfaces:
adm: ens18
srv: ens19
srv-nat: ens20
infra: ens21
adh: ens22
adh-nat: ens23
loc_keepalived:
instances:
- name: dhcp
tag: VI_DHCP
state: MASTER
priority: 150

5
host_vars/sam.adm.crans.org.yml 100644
View File

@ -0,0 +1,5 @@
---
loc_slapd:
ip: 172.16.10.11
replica: true
replica_rid: 1

243
hosts
View File

@ -4,220 +4,74 @@
# > We name servers according to location, then type.
# > Then we regroup everything in global geographic and type groups.
[horde]
horde-srv.adm.crans.org
# [horde]
# horde-srv.adm.crans.org
#
# [framadate]
# voyager.adm.crans.org
#
# [dhcp]
# dhcp.adm.crans.org
# odlyd.adm.crans.org
#
# [keepalived]
# gulp.adm.crans.org
# odlyd.adm.crans.org
# eap.adm.crans.org
# radius.adm.crans.org
# frontdaur.adm.crans.org
# bakdaur.adm.crans.org
#
# [test_vm]
# re2o-test.adm.crans.org
[framadate]
voyager.adm.crans.org
[virtu]
sam.adm.crans.org
daniel.adm.crans.org
jack.adm.crans.org
[dhcp]
dhcp.adm.crans.org
odlyd.adm.crans.org
[slapd]
tealc.adm.crans.org
sam.adm.crans.org
daniel.adm.crans.org
jack.adm.crans.org
[keepalived]
gulp.adm.crans.org
odlyd.adm.crans.org
eap.adm.crans.org
radius.adm.crans.org
frontdaur.adm.crans.org
bakdaur.adm.crans.org
routeur-sam.adm.crans.org
routeur-daniel.adm.crans.org
[test_vm]
re2o-test.adm.crans.org
[dhcp]
routeur-sam.adm.crans.org
routeur-daniel.adm.crans.org
[crans_routeurs:children]
dhcp
keepalived
[crans_physical]
charybde.adm.crans.org
cochon.adm.crans.org
ft.adm.crans.org
fyre.adm.crans.org
fz.adm.crans.org
gateau.adm.crans.org
gulp.adm.crans.org
odlyd.adm.crans.org
omnomnom.adm.crans.org
stitch.adm.crans.org
thot.adm.crans.org
vo.adm.crans.org
zamok.adm.crans.org
zbee.adm.crans.org
zephir.adm.crans.org
tealc.adm.crans.org
sam.adm.crans.org
daniel.adm.crans.org
jack.adm.crans.org
[crans_vm]
alice.adm.crans.org
bakdaur.adm.crans.org
boeing.adm.crans.org
cas-srv.adm.crans.org
#civet.adm.crans.org
#cups.adm.crans.org
dhcp.adm.crans.org
eap.adm.crans.org
ethercalc-srv.adm.crans.org
frontdaur.adm.crans.org
gitzly.adm.crans.org
horde-srv.adm.crans.org
ipv6-zayo.adm.crans.org
irc.adm.crans.org
jitsi.adm.crans.org
kenobi.adm.crans.org
kiwi.adm.crans.org
lutim.adm.crans.org
#mediadrop-srv.adm.crans.org
mailman.adm.crans.org
nem.adm.crans.org
#news.adm.crans.org
otis.adm.crans.org
owl.adm.crans.org
owncloud-srv.adm.crans.org
radius.adm.crans.org
re2o-bcfg2.adm.crans.org
re2o-ldap.adm.crans.org
re2o-srv.adm.crans.org
redisdead.adm.crans.org
roundcube-srv.adm.crans.org
routeur.adm.crans.org
silice.adm.crans.org
titanic.adm.crans.org
tracker.adm.crans.org
unifi.adm.crans.org
voyager.adm.crans.org
xmpp.adm.crans.org
ytrap-llatsni.adm.crans.org
sitesweb.adm.crans.org
[crans_unifi]
0g-2.borne.crans.org
0g-3.borne.crans.org
0g-4.borne.crans.org
0h-2.borne.crans.org
0h-3.borne.crans.org
0m-2.borne.crans.org
1g-1.borne.crans.org
1g-3.borne.crans.org
1g-4.borne.crans.org
1g-5.borne.crans.org
1h-2.borne.crans.org
1h-3.borne.crans.org
1i-2.borne.crans.org
1i-3.borne.crans.org
1j-2.borne.crans.org
1j-3.borne.crans.org
1m-1.borne.crans.org
1m-2.borne.crans.org
1m-5.borne.crans.org
2a-1.borne.crans.org
2b-3.borne.crans.org
2c-2.borne.crans.org
2c-3.borne.crans.org
2g-1.borne.crans.org
2g-3.borne.crans.org
2g-5.borne.crans.org
2h-2.borne.crans.org
2h-3.borne.crans.org
2i-2.borne.crans.org
2i-3.borne.crans.org
2j-2.borne.crans.org
2j-3.borne.crans.org
2m-2.borne.crans.org
3a-2.borne.crans.org
3b-3.borne.crans.org
3c-2.borne.crans.org
3c-3.borne.crans.org
3g-1.borne.crans.org
3g-5.borne.crans.org
3h-2.borne.crans.org
3h-3.borne.crans.org
3i-2.borne.crans.org
3i-3.borne.crans.org
3j-2.borne.crans.org
3m-2.borne.crans.org
3m-4.borne.crans.org
3m-5.borne.crans.org
4a-1.borne.crans.org
4a-2.borne.crans.org
4a-3.borne.crans.org
4b-1.borne.crans.org
4c-2.borne.crans.org
4c-3.borne.crans.org
4g-1.borne.crans.org
4g-3.borne.crans.org
4g-5.borne.crans.org
4h-2.borne.crans.org
4h-3.borne.crans.org
4i-2.borne.crans.org
4i-3.borne.crans.org
4j-1.borne.crans.org
4j-2.borne.crans.org
4j-3.borne.crans.org
4m-2.borne.crans.org
4m-4.borne.crans.org
5a-1.borne.crans.org
5b-1.borne.crans.org
5c-1.borne.crans.org
5g-1.borne.crans.org
5g-3.borne.crans.org
5m-4.borne.crans.org
6a-1.borne.crans.org
6a-2.borne.crans.org
6c-1.borne.crans.org
adonis.borne.crans.org # 5a
atlas.borne.crans.org # 1a
baba-au-rhum.borne.crans.org # 3b
bacchus.borne.crans.org # 1b
baucis.borne.crans.org # 2b
bellerophon.borne.crans.org # 2b
benedict-cumberbatch.borne.crans.org # 1b
benthesicyme.borne.crans.org # 4b
boree.borne.crans.org # 6b
branchos.borne.crans.org # 3b
calypso.borne.crans.org # 4c
chaos.borne.crans.org # 1c
chronos.borne.crans.org # 2c
crios.borne.crans.org # 3c
gaia.borne.crans.org # 0g
hades.borne.crans.org # 4h
hephaistos.borne.crans.org # 1h
hermes.borne.crans.org # 3h
hypnos.borne.crans.org # 2h
iaso.borne.crans.org # 1i
idothee.borne.crans.org # 3i
idyie.borne.crans.org # 0i
ino.borne.crans.org # 2i
ioke.borne.crans.org # 4i
jaipudidees.borne.crans.org # 2j
jaipudpapier.borne.crans.org # 3j
japavolonte.borne.crans.org # 1j
jesuischarlie.borne.crans.org # 0j
jveuxduwifi.borne.crans.org # 0j
mania.borne.crans.org # 2m
marquis.borne.crans.org # manoir
mercure.borne.crans.org # 3m
#5m-5.borne.crans.org Déplacée au 2b
# TODO Récupérer ces bornes
#kakia.borne.crans.org # kfet
#koios.borne.crans.org # kfet
#gym-1.borne.crans.org # gymnase
#gym-2.borne.crans.org # gymnase
#0d-1.borne.crans.org
# TODO La fibre vers le resto U est coupée.
#rhea.borne.crans.org # resto-univ
#romulus.borne.crans.org # resto-univ
routeur-sam.adm.crans.org
routeur-daniel.adm.crans.org
belenios # on changera plus tard
[ovh_physical]
soyouz.adm.crans.org
sputnik.adm.crans.org
# every server at crans
[crans_server:children]
crans_physical
crans_vm
crans_routeurs
# everything at crans
[crans:children]
crans_physical
crans_vm
crans_unifi
crans_server
# everything at ovh
[ovh:children]
@ -231,6 +85,7 @@ ovh_physical
# every virtual machine
[vm:children]
crans_vm
crans_routeurs
# every server
[server:children]

5
ldap.yml 100755
View File

@ -0,0 +1,5 @@
#!/usr/bin/env ansible-playbook
---
- hosts: daniel
roles:
- slapd

2
plays/keepalived.yml
View File

@ -1,5 +1,7 @@
#!/usr/bin/env ansible-playbook
---
- hosts: keepalived
vars:
keepalived: "{{ glob_keepalived | combine(loc_keepalived) }}"
roles:
- keepalived

10
plays/nfs.yml
View File

@ -7,12 +7,4 @@
# Deploy NFS only on campus
- hosts: crans_server
roles: ["nfs-common"]
# Deploy autofs NFS
- hosts: crans_server,!odlyd.adm.crans.org,!zamok.adm.crans.org,!omnomnom.adm.crans.org,!owl.adm.crans.org,!owncloud-srv.adm.crans.org
roles: ["nfs-autofs"]
# Deploy home permanent
- hosts: zamok.adm.crans.org,omnomnom.adm.crans.org,owl.adm.crans.org,owncloud-srv.adm.crans.org
roles: ["home-permanent"]
roles: ["home-nounous"]

42
plays/root.yml 100755
View File

@ -0,0 +1,42 @@
#!/usr/bin/env ansible-playbook
---
- hosts: virtu
roles:
- proxmox-apt-sources
- hosts: server
vars:
# # Will be in /usr/scripts/
# crans_scripts_git: "http://gitlab.adm.crans.org/nounous/scripts.git"
# NTP servers
ntp_servers:
- charybde.adm.crans.org
# - silice.adm.crans.org
roles:
- debian-apt-sources
- common-tools
- sudo
- ntp-client
# - crans-scripts
- root-config
- hosts: crans_vm
roles:
- qemu-guest-agent
- hosts: slapd
vars:
slapd: '{{ glob_slapd | combine(loc_slapd | default({})) }}'
ldap:
private_key: "{{ vault_ldap_private_key }}"
certificate: "{{ vault_ldap_certificate }}"
roles:
- slapd
- hosts: server
vars:
ldap: '{{ glob_ldap | combine(loc_ldap | default({})) }}'
roles:
- ldap-client
- home-nounous

1
roles/common-tools/tasks/main.yml
View File

@ -53,6 +53,7 @@
owner: root
group: utmp
mode: '4755'
check_mode: no
- name: Deploy screen tmpfile
template:

8
roles/home-nounous/README.md 100644
View File

@ -0,0 +1,8 @@
# HOME-NOUNOUS
Ce rôle permet d'exporter les homes vers les différents serveurs.
## VARS
home_nounous:
ip: l'ip du serveur nfs

23
roles/home-nounous/tasks/main.yml 100644
View File

@ -0,0 +1,23 @@
---
- name: Install NFS client
apt:
update_cache: true
name:
- nfs-common
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Deploy nfs systemd mount
template:
src: systemd/system/home.mount.j2
dest: /etc/systemd/system/home.mount
mode: 0755
- name: Load and activate nfs systemd mount
systemd:
name: home.mount
daemon_reload: true
enabled: true
state: started

14
roles/home-nounous/templates/systemd/system/home.mount.j2 100644
View File

@ -0,0 +1,14 @@
{{ ansible_header | comment }}
[Unit]
Description=Mount home
Wants=network-online.target
After=network-online.target
[Mount]
What={{ home_nounous.ip }}:/pool/home
Where=/home
Type=nfs
Options=rw,nosuid
[Install]
WantedBy=multi-user.target

38
roles/keepalived/README.md 100644
View File

@ -0,0 +1,38 @@
# KEEPALIVED
Ce rôle installe keepalived pour permettre la redondance de certain service
entre plusieurs services.
/!\ Ce rôle déploie un script pour relancer automatiquement le serveur dhcp /!\
## VARS
keepalived:
- mail_destination: a qui envoyé les mails en cas de switching
- mail_source: qui envoie les mails
- smtp_server: le serveur smtp par qui passer pour envoyer les mails
- pool: Une liste de différentes instances installable sur la machine. Les
instances sont des dictionnaires comprenant les champs suivant :
- name: le nom de l'instance
- password: le mot de passe que vont utilisé les marchines d'une même
instance pour se synchroniser
- id: l'indentifiant qu'elles vont utiliser pour discuter
- ipv6: s'il est necessaire de configurer une instance supplémentaire pour
de l'ipv6
- notify: le script a notifé en cas de switching (s'il n'est pas précisé
aucun script n'est utilisé)
- administration: le vlan d'administration sur lequel les machines d'une
même instances vont discuter
- zones: une liste de zone sur lequel vont parler les instances keepalived.
Chaque zone est un disctionnaire comprenant les champs suivants:
- vlan: le vlan sur lequel est installé la zone
- ipv4: l'ipv4 au format CIDR partagé par les machines
- brd: s'il faut préciser ou non l'interface de broadcast
- ipv6: une ipv6 (elle peut ne pas être précisé, si elle est présente mais
que l'instance ne précise pas ipv6, elle sera ignoré)
- instances: Une liste d'instance a déployer sur la machine. Les instances
sont des dictionnaires comprenant les champs suivants:
- name: le nom de linstance a deployer
- tag: le petit nom à lui donner
- state: l'état (entre BACKUP et MASTER)
- priority: la priorité (pour un MASTER on met par défaut 150 puis on reduit
de 50 par 50)

13
roles/keepalived/tasks/main.yml
View File

@ -13,3 +13,16 @@
dest: /etc/keepalived/keepalived.conf
mode: 0644
notify: Reload keepalived.service
- name: Create scripts directory
file:
path: /usr/scripts
state: directory
- name: Deploy keepalived dhcp scripts
template:
src: bin/notify-dhcp
dest: /usr/scripts/notify-dhcp
mode: 0744
when: not ansible_check_mode
notify: Reload keepalived.service

24
roles/keepalived/templates/bin/notify-dhcp 100755
View File

@ -0,0 +1,24 @@
#!/bin/bash
TYPE=$1
NAME=$2
STATE=$3
case $STATE in
"MASTER")
logger -s '[DHCP-NOTIFY] Entering state MASTER, starting isc-dhcp-server.service'
systemctl start isc-dhcp-server.service
exit 0;;
"BACKUP")
logger -s '[DHCP-NOTIFY] Entering state BACKUP, stopping isc-dhcp-server.service'
systemctl stop isc-dhcp-server.service
exit 0;;
"FAULT")
logger -s '[DHCP-NOTIFY] Entering state FAULT, stopping isc-dhcp-server.service'
systemctl stop isc-dhcp-server.service
exit 0;;
*)
logger -s '[DHCP-NOTIFY] Entering UNKNOWN state, doing nothing'
exit 1;;
esac

36
roles/keepalived/templates/keepalived/keepalived.conf.j2
View File

@ -1,31 +1,33 @@
{{ ansible_header | comment }}
global_defs {
notification_email {
root@crans.org
}
notification_email_from keepalived@crans.org
smtp_server smtp.adm.crans.org
notification_email { {{ keepalived.mail_destination }} }
notification_email_from {{ keepalived.mail_source }}
smtp_server {{ keepalived.smtp_server }}
}
{% for instance in keepalived_instances %}
{% for instance in keepalived.instances %}
vrrp_instance {{ instance.tag }}4 {
state {{ instance.state }}
priority {{ instance.priority }}
smtp_alert
interface {{ interfaces.adm }}
virtual_router_id {{ keepalived[instance.name].id }}
virtual_router_id {{ keepalived.pool[instance.name].id }}
advert_int 2
authentication {
auth_type PASS
auth_pass {{ keepalived[instance.name].password }}
auth_pass {{ keepalived.pool[instance.name].password }}
}
{% if keepalived.pool[instance.name].notify is defined %}
notify {{ keepalived.pool[instance.name].notify }}
{% endif %}
virtual_ipaddress {
{% for zone in keepalived[instance.name].zones %}
{% if zone.brd is defined %}
{{ zone.ipv4 }} brd {{ zone.brd }} dev {{ interfaces[zone.vlan] }} scope global
{% for zone in keepalived.pool[instance.name].zones %}
{% if zone.brd %}
{{ zone.ipv4 }} brd {{ zone.ipv4 | ipaddr('broadcast') }} dev {{ interfaces[zone.vlan] }} scope global
{% else %}
{{ zone.ipv4 }} dev {{ interfaces[zone.vlan] }} scope global
{% endif %}
@ -33,23 +35,25 @@ vrrp_instance {{ instance.tag }}4 {
}
}
{% if keepalived[instance.name].ipv6 %}
{% if keepalived.pool[instance.name].ipv6 %}
vrrp_instance {{ instance.tag }}6 {
state {{ instance.state }}
priority {{ instance.priority }}
smtp_alert
interface {{ interfaces.adm }}
virtual_router_id {{ keepalived[instance.name].id }}
interface {{ keepalived.pool[instance.name].administration }}
virtual_router_id {{ keepalived.pool[instance.name].id }}
advert_int 2
authentication {
auth_type PASS
auth_pass {{ keepalived[instance.name].password }}
auth_pass {{ keepalived.pool[instance.name].password }}
}
virtual_ipaddress {
{% for zone in keepalived[instance.name].zones %}
{% for zone in keepalived.pool[instance.name].zones %}
{% if zone.ipv6 is defined %}
{{ zone.ipv6 }} dev {{ interfaces[zone.vlan] }} scope global
{% endif %}
{% endfor %}
}
}

10
roles/ldap-client/README.md 100644
View File

@ -0,0 +1,10 @@
# LDAP-CLIENT
Configure un client ldap pour les utilisateurs
## VARS
ldap:
- local: si le serveur est installé en local
- servers: la liste des servers ldap a contacté
- base: le search term du ldap

34
roles/ldap-client/tasks/main.yml
View File

@ -4,17 +4,14 @@
apt:
update_cache: true
name:
- nslcd
- libnss-ldapd
- libpam-ldapd
- nscd # local cache
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
# Configure /etc/nslcd.conf
- name: Configure nslcd LDAP credentials
- name: Configure nslcd
template:
src: nslcd.conf.j2
dest: /etc/nslcd.conf
@ -26,20 +23,27 @@
lineinfile:
dest: /etc/nsswitch.conf
regexp: "^{{ item }}:"
line: "{{ item }}: files ldap"
line: "{{ item }}: files systemd ldap"
loop:
- passwd
- group
- shadow
notify: Restart nslcd service
# Disable passwd and chsh
- name: Copy passwd and chsh scripts
template:
src: "bin/{{ item }}.j2"
dest: "/usr/local/bin/{{ item }}"
mode: 0755
- name: Configure NSS to use LDAP
lineinfile:
dest: /etc/nsswitch.conf
regexp: "^{{ item }}:"
line: "{{ item }}: files ldap"
loop:
- chsh
- chsh.ldap
- passwd
- shadow
- networks
notify: Restart nslcd service
- name: Configure NSS to use LDAP
lineinfile:
dest: /etc/nsswitch.conf
regexp: "^{{ item }}:"
line: "{{ item }}: files ldap dns"
loop:
- hosts
notify: Restart nslcd service

4
roles/ldap-client/templates/bin/chsh.j2
View File

@ -1,4 +0,0 @@
#!/bin/sh
{{ ansible_header | comment }}
echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}"

4
roles/ldap-client/templates/bin/chsh.ldap.j2
View File

@ -1,4 +0,0 @@
#!/bin/sh
{{ ansible_header | comment }}
echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}"
echo "De toutes façons la vraie commande aurait pas marché, on installe pas nslcd-utils sur les serveurs normalement."

3
roles/ldap-client/templates/bin/passwd.j2
View File

@ -1,3 +0,0 @@
#!/bin/sh
{{ ansible_header | comment }}
echo "Pour changer votre mot de passe,\nAllez sur l'intranet : {{intranet_url}}"

30
roles/ldap-client/templates/nslcd.conf.j2
View File

@ -1,35 +1,30 @@
{{ ansible_header | comment }}
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
{% if ldap_local_replica_uri is defined %}
{% for uri in ldap_local_replica_uri %}
uri {{ uri }}
{% if ldap.local %}
uri ldapi:///
{% else %}
{% for server in ldap.servers %}
uri ldaps://{{ server }}/
{% endfor %}
{% endif %}
uri {{ ldap_master_uri }}
# The search base that will be used for all queries.
base {{ ldap_base }}
base passwd {{ ldap_user_tree }}
base shadow {{ ldap_user_tree }}
base group ou=posix,ou=groups,{{ ldap_base }}
base {{ ldap.base }}
# The LDAP protocol version to use.
ldap_version 3
# Time limit to wait for an answer
timelimit 5
# Time limit to wait for a bind
bind_timelimit 5
#ldap_version 3
# The DN to bind with for normal lookups.
binddn {{ ldap_nslcd_bind_dn }}
bindpw {{ ldap_nslcd_passwd }}
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
@ -41,4 +36,3 @@ tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope.
#scope sub

1
roles/ntp-client/tasks/main.yml
View File

@ -12,6 +12,7 @@
path: /etc/default/ntp
regexp: '^NTPD_OPTS'
line: NTPD_OPTS='-g -x'
check_mode: no
- name: Configure NTP
template:

5
roles/proxmox-apt-sources/tasks/main.yml 100644
View File

@ -0,0 +1,5 @@
---
- name: Configure Proxmox repositories
template:
src: apt/sources.list.d/pve-enterprise.list.j2
dest: /etc/apt/sources.list.d/pve-enterprise.list

2
roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-enterprise.list.j2 100644
View File

@ -0,0 +1,2 @@
{{ ansible_header | comment }}
deb http://download.proxmox.com/debian/pve {{ ansible_lsb.codename }} pve-no-subscription

10
roles/qemu-guest-agent/tasks/main.yml 100644
View File

@ -0,0 +1,10 @@
---
- name: Install qemu guest agent
apt:
update_cache: true
install_recommends: false
name:
- qemu-guest-agent
register: apt_result
retries: 3
until: apt_result is succeeded

4
roles/re2o-dhcp/tasks/main.yml
View File

@ -15,10 +15,11 @@
etype: group
permissions: rwx
state: query
when: not ansible_check_mode
- name: Clone re2o-dhcp repository
git:
repo: 'http://gitlab.adm.crans.org/nounous/re2o-dhcp.git'
repo: "{{ re2o.dhcp.uri }}"
dest: /var/local/re2o-services/dhcp
version: crans
umask: '002'
@ -30,6 +31,7 @@
owner: root
group: root
state: link
force: yes
- name: Create generated directory
file:

13
roles/slapd/README.md 100644
View File

@ -0,0 +1,13 @@
# SLAPD
Deploie un serveur ldap master ou replica
## VARS
slapd:
- ip : l'ip sur lequel il va installer le serveur ldap
- replica : s'il s'agit d'un master ou d'une replica
- replica_rid : le numéro de replica du serveur
- master_ip : l'ip du master
- replication_credentials : les credientials pour authentifier les replicas
auprès du master

6
roles/slapd/handlers/main.yml 100644
View File

@ -0,0 +1,6 @@
---
- name: Restart slapd
service:
name: slapd.service
state: restarted

35
roles/slapd/tasks/main.yml 100644
View File

@ -0,0 +1,35 @@
---
- name: Install slapd
apt:
update_cache: true
name:
- slapd
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Remove slapd config directory
file:
path: /etc/ldap/slapd.d/
state: absent
- name: Deploy slapd configuration
template:
src: "ldap/{{ item.dest }}.j2"
dest: "/etc/ldap/{{ item.dest }}"
mode: "{{ item.mode }}"
owner: openldap
group: openldap
loop:
- { dest: slapd.conf, mode: "0600" }
- { dest: ldap.key, mode: "0600" }
- { dest: ldap.pem, mode: "0644" }
notify: Restart slapd
- name: Deploy ldap services
lineinfile:
path: /etc/default/slapd
regexp: '^SLAPD_SERVICES='
line: 'SLAPD_SERVICES="ldaps://{{ slapd.ip }}/ ldapi:///"'
notify: Restart slapd
check_mode: no

1
roles/slapd/templates/ldap/ldap.key.j2 100644
View File

@ -0,0 +1 @@
{{ ldap.private_key }}

1
roles/slapd/templates/ldap/ldap.pem.j2 100644
View File

@ -0,0 +1 @@
{{ ldap.certificate }}

196
roles/slapd/templates/ldap/slapd.conf.j2 100644
View File

@ -0,0 +1,196 @@
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel none
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_mdb
{% if not slapd.replica %}
moduleload auditlog
overlay auditlog
auditlog /var/log/openldap/auditlog.log
moduleload syncprov
{% endif %}
# TODO FAIRE LES CERTIFICATS
# TLS Certificates
#TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3
TLSCertificateFile /etc/ldap/ldap.pem
TLSCertificateKeyFile /etc/ldap/ldap.key
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
#######################################################################
# Specific Backend Directives for mdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend mdb
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>
#######################################################################
# Specific Directives for database #1, of type mdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database mdb
# The base of your directory in database #1
suffix "dc=crans,dc=org"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=admin,dc=crans,dc=org"
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts. They do NOT override existing an existing DB_CONFIG
# file. You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
#dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.
# Number of objects that can be locked at the same time.
#dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
#dbconfig set_lk_max_locks 1500
# Number of lockers
#dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30
{% if slapd.replica %}
syncrepl
rid={{ slapd.replica_rid }}
provider=ldaps://{{ slapd.master_ip }}:636
bindmethod=simple
binddn="cn=replicator,dc=crans,dc=org"
credentials={{ slapd.replication_credentials }}
searchbase="dc=crans,dc=org"
scope=sub
schemachecking=on
type=refreshAndPersist
timeout=0
network-timeout=0
retry="30 20 300 +"
tls_reqcert=allow
{% endif %}
{% if slapd.replica %}
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
by anonymous auth
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by * read
{% else %}
overlay syncprov
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
by anonymous auth
by self write
by set="[cn=nounou,ou=group,dc=crans,dc=org]/memberUid & user/uid" write
by dn="cn=replicator,dc=crans,dc=org" read
by * none
access to attrs=loginShell,mail,telephoneNumber
by self write
by set="[cn=nounou,ou=group,dc=crans,dc=org]/memberUid & user/uid" write
by dn="cn=replicator,dc=crans,dc=org" read
by * read
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by set="[cn=nounou,ou=group,dc=crans,dc=org]/memberUid & user/uid" write
by dn="cn=replicator,dc=crans,dc=org" read
by * read
{% endif %}
#######################################################################
# Specific Directives for database #2, of type 'other' (can be mdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database <other>
# The base of your directory for database #2
#suffix "dc=debian,dc=org"