diff --git a/group_vars/certbot.yml b/group_vars/certbot.yml index 3dd13db9..89ae3297 100644 --- a/group_vars/certbot.yml +++ b/group_vars/certbot.yml @@ -1,6 +1,6 @@ --- glob_certbot: - dns_rfc2136_server: '172.16.10.147' + dns_rfc2136_server: '185.230.79.9' dns_rfc2136_name: certbot_challenge. dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" mail: root@crans.org diff --git a/group_vars/horde.yml b/group_vars/horde.yml index 11ea1957..1e5ba890 100644 --- a/group_vars/horde.yml +++ b/group_vars/horde.yml @@ -1,9 +1,9 @@ glob_horde: secret: '{{ vault_horde_secret }}' imap: imap.adm.crans.org - smtp: smtp.crans.org + smtp: smtp.adm.crans.org maildomain: crans.org - db: thot.adm.crans.org + db: pgsql.adm.crans.org admins: - "'paulon'" - "'vulcain'" @@ -16,5 +16,5 @@ glob_horde: dest_hostname : webmail.crans.org admin_src_hostname : horde.adm.crans.org admin_dest_hostname : webmail.adm.crans.org - zone_ipv4 : 10.231.136.0/24 - zone_ipv6 : 2a0c:700:0:2::/64 + zone_ipv4 : 172.16.10.0/24 + zone_ipv6 : fd00:0:0:10::/64 diff --git a/group_vars/reverseproxy.yml b/group_vars/reverseproxy.yml index a9d52d1a..342d671f 100644 --- a/group_vars/reverseproxy.yml +++ b/group_vars/reverseproxy.yml @@ -29,8 +29,6 @@ nginx: # - {from: roundcube.crans.org, to: 10.231.136.105} # - {from: phabricator.crans.org, to: 10.231.136.123} # - {from: trackerusercontent.crans.org, to: 10.231.136.123} - # - {from: webmail.crans.org, to: 10.231.136.107} - # - {from: horde.crans.org, to: 10.231.136.107} # - {from: owncloud.crans.org, to: 10.231.136.26} # - {from: ftps.crans.org, to: 10.231.136.98} # - {from: wiki.crans.org, to: 10.231.136.204} 
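Review bot: `dns_rfc2136_server` now points at the public address 185.230.79.9 instead of the 172.16.10.147 adm address, so the TSIG-signed dynamic updates sent with `dns_rfc2136_secret` leave the management network. TSIG authenticates an update but does not encrypt it, and the key can create whatever the server's update policy lets it create; confirm that the policy for the `certbot_challenge.` key on the new server is limited to TXT records under `_acme-challenge` names and that 185.230.79.9 only accepts updates from the certbot hosts. A comment next to the value, such as `# authoritative DNS that accepts the _acme-challenge TXT updates (public address)`, would record which server this is and why it is no longer an adm address.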
@@ -44,6 +42,8 @@ nginx: # - {from: autoconfig.crans.org, to: 10.231.136.46} # - {from: grafana.crans.org, to: "10.231.136.102:3000"} # - {from: webirc.crans.org, to: "10.231.136.1:9000"} + - {from: webmail.crans.org, to: 172.16.10.108} + - {from: horde.crans.org, to: 172.16.10.108} - {from: framadate.crans.org, to: 172.16.10.109} - {from: stream.crans.org, to: 172.16.10.118} - {from: cas.crans.org, to: 172.16.10.120} @@ -55,8 +55,8 @@ nginx: - {from: pad.crans.org, to: "172.16.10.130:9001"} - {from: zero.crans.org, to: 172.16.10.130} - {from: ethercalc.crans.org, to: "172.16.10.133:8000"} - - {from: belenios.crans.org, to: 172.16.10.111} - {from: roundcube.crans.org, to: 172.16.10.107} + # - {from: belenios.crans.org, to: 172.16.10.111} # - {from: mailman.crans.org, to: 10.231.136.180} # # # Zamok diff --git a/host_vars/hodaur.adm.crans.org.yml b/host_vars/hodaur.adm.crans.org.yml new file mode 100644 index 00000000..2aa4c194 --- /dev/null +++ b/host_vars/hodaur.adm.crans.org.yml @@ -0,0 +1,3 @@ +--- +loc_certbot: + domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu" diff --git a/host_vars/horde-srv.adm.crans.org.yml b/host_vars/horde-srv.adm.crans.org.yml deleted file mode 100644 index 54e2e5fc..00000000 --- a/host_vars/horde-srv.adm.crans.org.yml +++ /dev/null @@ -1,2 +0,0 @@ -loc_horde: - ipv6: '[2a0c:700:0:2:5474:8dff:fe5d:e2be]' diff --git a/host_vars/horde.adm.crans.org.yml b/host_vars/horde.adm.crans.org.yml new file mode 100644 index 00000000..f0914f81 --- /dev/null +++ b/host_vars/horde.adm.crans.org.yml @@ -0,0 +1,3 @@ +loc_horde: + ipv6: 'fd00::10:400:ff:fe01:810' + ipv4: '172.16.10.108' diff --git a/host_vars/kiwi.adm.crans.org.yml b/host_vars/kiwi.adm.crans.org.yml index 54ee5385..fb1eb81f 100644 --- a/host_vars/kiwi.adm.crans.org.yml +++ b/host_vars/kiwi.adm.crans.org.yml @@ -30,3 +30,6 @@ to_backup: hosts_allow: ["soyouz.adm.crans.org", "10.231.136.108"], read_only: "yes", } + +moinmoin: + main: true 
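Review bot: `loc_certbot.domains` in the new host_vars/hodaur.adm.crans.org.yml requests wildcard certificates for crans.org, crans.fr and crans.eu on the reverse proxy, so one private key on hodaur covers every name under those zones, including services that are not proxied there; that is a deliberate trade-off and deserves a comment above the value. The value is a single comma-separated string, so the certbot role presumably splits on `', '`; a YAML list would not depend on the separator, with each wildcard quoted (`'*.crans.org'`) because a bare `*` starts an alias. The `@@ -44` hunk of group_vars/reverseproxy.yml consistently sends webmail.crans.org and horde.crans.org to 172.16.10.108, which matches the new horde host_vars.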
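Review bot: The new host_vars/horde.adm.crans.org.yml drops the square brackets that the deleted horde-srv file had around `ipv6` (`'[2a0c:...]'` became `'fd00::10:400:ff:fe01:810'`), so whichever template consumes `horde.ipv6` — not in this diff — must now add the brackets itself if the value is used in an nginx `listen` directive or a URL. A one-line comment, `# bare address; consumers add [] where needed`, would make the new convention explicit for the next host file.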
diff --git a/host_vars/monitoring.adm.crans.org.yml b/host_vars/monitoring.adm.crans.org.yml new file mode 100644 index 00000000..ddb21e60 --- /dev/null +++ b/host_vars/monitoring.adm.crans.org.yml @@ -0,0 +1,3 @@ +interfaces: + adm: eth0 + srv_nat: eth1 diff --git a/host_vars/sputnik.adm.crans.org.yml b/host_vars/sputnik.adm.crans.org.yml index 4e53d551..6b2473f1 100644 --- a/host_vars/sputnik.adm.crans.org.yml +++ b/host_vars/sputnik.adm.crans.org.yml @@ -22,3 +22,6 @@ to_backup: secrets_file: "/etc/rsyncd.secrets", hosts_allow: ["zephir.adm.crans.org", "10.231.136.6", "172.31.0.1"], } + +moinmoin: + main: false diff --git a/hosts b/hosts index 47b15016..280b1da7 100644 --- a/hosts +++ b/hosts @@ -28,13 +28,13 @@ gitzly.adm.crans.org [certbot:children] radius # We use certbot to manage LE certificates +reverseproxy [nginx_rtmp] fluxx.adm.crans.org [reverseproxy] hodaur.adm.crans.org -frontdaur.adm.crans.org [roundcube] roundcube-srv.adm.crans.org @@ -43,7 +43,7 @@ roundcube-srv.adm.crans.org ethercalc-srv.adm.crans.org [horde] -horde-srv.adm.crans.org +horde.adm.crans.org [radius] routeur-sam.adm.crans.org @@ -68,11 +68,11 @@ jack.adm.crans.org [keepalived] routeur-sam.adm.crans.org -routeur-daniel.adm.crans.org +#routeur-daniel.adm.crans.org [dhcp] routeur-sam.adm.crans.org -routeur-daniel.adm.crans.org +#routeur-daniel.adm.crans.org [crans_routeurs:children] dhcp 
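Review bot: Commenting `routeur-daniel.adm.crans.org` out of `[keepalived]` and `[dhcp]` leaves each group with a single member, and the `@@ -84` hunk does the same for several hosts in `[crans_vm]`. Removing a host from the inventory does not undo what was deployed on it: unless those machines are powered off, they keep running keepalived and the DHCP server with their last configuration and no longer receive updates or the common-tools baseline, which for a DHCP server on the same segment can mean two servers answering. A reason on each line (`#routeur-daniel.adm.crans.org  # decommissioned <DATE placeholder>` or `# migrating, re-enable after …`) would state the intent, and a group such as `[retired]` with a cleanup play is the usual way to track hosts that still need to be switched off.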
@@ -84,30 +84,31 @@ tealc.adm.crans.org sam.adm.crans.org daniel.adm.crans.org jack.adm.crans.org -gulp.adm.crans.org +#gulp.adm.crans.org [crans_vm] voyager.adm.crans.org -silice.adm.crans.org +#silice.adm.crans.org routeur-sam.adm.crans.org -routeur-daniel.adm.crans.org -belenios # on changera plus tard -re2o-ldap.adm.crans.org +#routeur-daniel.adm.crans.org +#belenios.adm.crans.org +#re2o-ldap.adm.crans.org gitlab-ci.adm.crans.org gitzly.adm.crans.org hodaur.adm.crans.org monitoring.adm.crans.org -boeing.adm.crans.org +#boeing.adm.crans.org fluxx.adm.crans.org -unifi.adm.crans.org -pastemoisa.adm.crans.org -casouley.adm.crans.org +#unifi.adm.crans.org +#pastemoisa.adm.crans.org +#casouley.adm.crans.org kiwi.adm.crans.org tracker.adm.crans.org jitsi.adm.crans.org -ethercalc-srv.adm.crans.org +#ethercalc-srv.adm.crans.org kenobi.adm.crans.org roundcube.adm.crans.org +horde.adm.crans.org [ovh_physical] sputnik.adm.crans.org diff --git a/lookup_plugins/ldap.py b/lookup_plugins/ldap.py index 3174e79e..cdca475f 100644 --- a/lookup_plugins/ldap.py +++ b/lookup_plugins/ldap.py @@ -1,10 +1,18 @@ +""" +To use this lookup plugin, you need to pass ldap: +ssh -L 1636:172.16.10.1:636 172.16.10.1 +""" + import ipaddress from ansible.errors import AnsibleError, AnsibleParserError from ansible.plugins.lookup import LookupBase from ansible.utils.display import Display -import ldap +try: + import ldap +except ImportError: + raise AnsibleError("You need to install python3-ldap") display = Display() diff --git a/plays/horde.yml b/plays/horde.yml index bc775369..f1b8aa8d 100755 --- a/plays/horde.yml +++ b/plays/horde.yml @@ -2,5 +2,7 @@ --- # Moi j'aime le ocaml et lui il installe horde - hosts: horde + vars: + horde: '{{ glob_horde | default({}) | combine(loc_horde | default({})) }}' roles: - horde diff --git a/plays/monitoring.yml b/plays/monitoring.yml index 6d90a5bc..adb21a07 100755 --- a/plays/monitoring.yml +++ b/plays/monitoring.yml 
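Review bot: Raising `AnsibleError` at module import time in lookup_plugins/ldap.py fails inside Ansible's plugin loader rather than at the point of use; the usual pattern is to record the failure (`HAS_LDAP = False` plus the caught exception) and raise from `run()`, so the plugin file still loads and the error names the lookup that needed it. The new module docstring documents an SSH port-forward (`ssh -L 1636:172.16.10.1:636 172.16.10.1`) as a prerequisite; stating which address the plugin then connects to (presumably `localhost:1636`, not visible in this hunk) and that the forward carries LDAPS would make the instruction complete, and "you need to pass ldap" reads like a typo for "reach ldap". The rest of the plugin is outside the hunk.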
@@ -6,17 +6,17 @@ # Prometheus targets.json prometheus: node_targets: "{{ groups['server'] | list | sort }}" - ups_snmp_targets: - - pulsar.adm.crans.org # 0B - - quasar.adm.crans.org # 4J - unifi_snmp_targets: "{{ groups['crans_unifi'] | list | sort }}" + ups_snmp_targets: [] + # - pulsar.adm.crans.org # 0B + # - quasar.adm.crans.org # 4J + unifi_snmp_targets: [] # "{{ groups['crans_unifi'] | list | sort }}" blackbox_targets: - https://crans.org - https://www.crans.org - https://grafana.crans.org - https://wiki.crans.org - https://pad.crans.org - apache_targets: [zamok.adm.crans.org] + apache_targets: [] # [zamok.adm.crans.org] snmp_unifi_password: "{{ vault_snmp_unifi_password }}" 
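Review bot: Replacing `ups_snmp_targets`, `unifi_snmp_targets` and `apache_targets` with `[]` keeps the keys defined, so the `when: … is defined` guards in roles/prometheus/tasks/main.yml still write empty target files, and any alert rules that depend on the ups/unifi/apache jobs simply stop matching series instead of failing. If these targets are meant to return, a comment saying so (`# emptied during the network migration; restore once the SNMP exporter is back`) is clearer than trailing the old values inside `# …` comments, and the rules for those jobs should be disabled alongside, otherwise they silently never fire.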
@@ -26,38 +26,38 @@ ldap_passwd: "{{ vault_ldap_grafana_passwd }}" ldap_base: 'dc=crans,dc=org' - ldap_master_ipv4: '10.231.136.19' - ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}" + ldap_master_ipv4: '172.16.10.1' + ldap_user_tree: "ou=users,{{ ldap_base }}" roles: - prometheus - prometheus-alertmanager - - prometheus-snmp-exporter + #- prometheus-snmp-exporter - prometheus-blackbox-exporter - ninjabot - grafana # Deploy backup Prometheus on backup server -- hosts: odlyd.adm.crans.org - vars: - # only critical infra - prometheus: - node_targets: - - odlyd.adm.crans.org # me, myself and I - - zamok.adm.crans.org # parce que WeeChat c'est critique - - thot.adm.crans.org # la bdd adh est critique... enfin a skip - - zbee.adm.crans.org # zbeu! la bay! - - stitch.adm.crans.org # last hope virtu - - redisdead.adm.crans.org # Postmen... youtu.be/vEkY6W-fEZQ?t=132 - ups_snmp_targets: - - pulsar.adm.crans.org # 0B - - quasar.adm.crans.org # 4J - - snmp_unifi_password: "{{ vault_snmp_unifi_password }}" - roles: - - prometheus - - prometheus-alertmanager - - prometheus-snmp-exporter - - ninjabot +#- hosts: odlyd.adm.crans.org +# vars: +# # only critical infra +# prometheus: +# node_targets: +# - odlyd.adm.crans.org # me, myself and I +# - zamok.adm.crans.org # parce que WeeChat c'est critique +# - thot.adm.crans.org # la bdd adh est critique... enfin a skip +# - zbee.adm.crans.org # zbeu! la bay! +# - stitch.adm.crans.org # last hope virtu +# - redisdead.adm.crans.org # Postmen... youtu.be/vEkY6W-fEZQ?t=132 +# ups_snmp_targets: +# - pulsar.adm.crans.org # 0B +# - quasar.adm.crans.org # 4J +# +# snmp_unifi_password: "{{ vault_snmp_unifi_password }}" +# roles: +# - prometheus +# - prometheus-alertmanager +# - prometheus-snmp-exporter +# - ninjabot # Monitor all hosts 
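Review bot: The backup Prometheus play for odlyd is kept as a ~20-line commented-out block, and the `@@ -67` hunk does the same for the apache, postfix and mtail exporter plays; the result is a single Prometheus/Alertmanager instance, so an outage of monitoring.adm.crans.org also silences alerting. Commented-out plays drift from the live ones and are checked by nothing, not even `ansible-playbook --syntax-check`; if they are coming back, targeting a group that is empty for now (`hosts: prometheus_backup`) keeps them maintained, otherwise delete them, since git history keeps the text. `ldap_master_ipv4` moving to 172.16.10.1 and `ldap_user_tree` changing from `cn=Utilisateurs` to `ou=users` also deserve a one-line comment stating this is the new LDAP directory, because the grafana role's bind settings depend on both.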
@@ -67,15 +67,15 @@ roles: ["prometheus-node-exporter"] # Export apache metrics -- hosts: zamok.adm.crans.org - vars: - adm_ipv4: "{{ ansible_all_ipv4_addresses | ipaddr(adm_subnet) | first }}" - roles: ["prometheus-apache-exporter"] +#- hosts: zamok.adm.crans.org +# vars: +# adm_ipv4: "{{ ansible_all_ipv4_addresses | ipaddr(adm_subnet) | first }}" +# roles: ["prometheus-apache-exporter"] # Monitor mailq with a special text exporter -- hosts: redisdead.adm.crans.org - roles: ["prometheus-node-exporter-postfix"] +#- hosts: redisdead.adm.crans.org +# roles: ["prometheus-node-exporter-postfix"] # Monitor logs with mtail -- hosts: thot.adm.crans.org - roles: ["mtail"] +#- hosts: thot.adm.crans.org +# roles: ["mtail"] diff --git a/plays/network-interfaces.yml b/plays/network-interfaces.yml index a557befd..bdba54eb 100755 --- a/plays/network-interfaces.yml +++ b/plays/network-interfaces.yml @@ -1,6 +1,6 @@ #!/usr/bin/env ansible-playbook --- -- hosts: voyager.adm.crans.org,boeing.adm.crans.org,fluxx.adm.crans.org,hodaur.adm.crans.org,unifi.adm.crans.org,kiwi.adm.crans.org,roundcube.adm.crans.org +- hosts: voyager.adm.crans.org,boeing.adm.crans.org,fluxx.adm.crans.org,hodaur.adm.crans.org,unifi.adm.crans.org,kiwi.adm.crans.org,roundcube.adm.crans.org,monitoring.adm.crans.org vars: vlan: - name: srv diff --git a/plays/reverse-proxy.yml b/plays/reverse-proxy.yml index b7a8d3ad..0e25fc50 100755 --- a/plays/reverse-proxy.yml +++ b/plays/reverse-proxy.yml @@ -1,6 +1,9 @@ #!/usr/bin/env ansible-playbook --- - hosts: reverseproxy + vars: + certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}' + mirror: '{{ glob_mirror.name }}' roles: - certbot - nginx-reverseproxy diff --git a/roles/common-tools/tasks/main.yml b/roles/common-tools/tasks/main.yml index 931348a7..87279c79 100644 --- a/roles/common-tools/tasks/main.yml +++ b/roles/common-tools/tasks/main.yml 
@@ -16,7 +16,6 @@ - htop # better than top - zsh # to be able to ssh @erdnaxe - fish # to motivate @edpibu - - oidentd # postgresql identification - aptitude # nice to have for Ansible - acl # advanced ACL - iotop # monitor i/o @@ -42,6 +41,7 @@ - doc-debian # graphical - debian-faq # graphical - os-prober # makes grub-install lag + - oidentd # kill the monster, https://youtu.be/yhNB0vO7FxI - python3-reportbug register: apt_result retries: 3 diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml index 6b290178..0ec974c3 100644 --- a/roles/grafana/tasks/main.yml +++ b/roles/grafana/tasks/main.yml @@ -1,15 +1,4 @@ --- -- name: Install APT HTTPS support - apt: - name: - - apt-transport-https - - gpg - state: present - update_cache: true - register: apt_result - retries: 3 - until: apt_result is succeeded - - name: Import Grafana GPG signing key apt_key: url: https://packages.grafana.com/gpg.key @@ -21,7 +10,7 @@ - name: Add Grafana repository apt_repository: - repo: deb https://packages.grafana.com/oss/deb stable main + repo: deb http://mirror.adm.crans.org/grafana/oss/deb stable main state: present update_cache: true diff --git a/roles/horde/README.md b/roles/horde/README.md index 874a42e6..133011b6 100644 --- a/roles/horde/README.md +++ b/roles/horde/README.md @@ -2,7 +2,7 @@ Ce rôle ansible deploie une instance du webmail horde. ## Variables - - glob_horde. : + - horde. : - secret : le secret de horde - imap : le serveur imap - smtp : le serveur smtp (il doit juste être contactable depuis le serveur diff --git a/roles/horde/tasks/main.yml b/roles/horde/tasks/main.yml index f08addf0..aa7dd9ac 100644 --- a/roles/horde/tasks/main.yml +++ b/roles/horde/tasks/main.yml 
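Review bot: The rationale the old entry carried (`# postgresql identification`) is lost: the re-added `oidentd` line in the second hunk only says `# kill the monster` with a video link. oidentd answers ident queries on 113/tcp with the local username owning a connection, so on every host that receives common-tools it discloses account names to anything that can reach that port; keeping the reason in the comment (`- oidentd  # ident lookups for PostgreSQL ident auth; answers on 113/tcp`) lets the next reviewer judge whether it still belongs in the baseline and whether 113/tcp is filtered.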
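Review bot: The kept `Import Grafana GPG signing key` task fetches the key by URL with no `id` visible in the shown context, and this commit removes the task that installed `gpg`, which `apt_key` needs on hosts where it is not already present. Pinning the key is what protects the repository switch to `http://mirror.adm.crans.org/grafana/oss/deb` in the second hunk: APT verifies the Release signature, so plain HTTP to the internal mirror is acceptable only while the trusted key is the expected one — add `id: <GRAFANA_KEY_FINGERPRINT placeholder>` to the apt_key task. Dropping `apt-transport-https` is fine on apt ≥ 1.5 where it is a transitional package, but confirm no other https source on these hosts relied on it.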
@@ -3,9 +3,13 @@ - name: Install horde APT dependencies apt: update_cache: true - name: - - nginx - - php-horde-webmail + name: '{{ item }}' + loop: # Install dependencies in the right order. + - nginx + - php7.3-fpm + - php-horde-webmail + - php-pgsql + - oidentd register: apt_result retries: 3 until: apt_result is succeeded @@ -21,6 +25,23 @@ - horde/horde/conf.php - horde/imp/backends.php +- name: Enable horde plugins + template: + src: 'horde/{{ item }}/conf.php.j2' + dest: '/etc/horde/{{ item }}/conf.php' + owner: www-data + group: www-data + mode: 0640 + loop: + - gollem + - imp + - ingo + - kronolith + - mnemo + - nag + - trean + - turba + - name: Configure nginx site template: src: '{{ item }}.j2' diff --git a/roles/horde/templates/horde/gollem/conf.php.j2 b/roles/horde/templates/horde/gollem/conf.php.j2 new file mode 100644 index 00000000..abd03a53 --- /dev/null +++ b/roles/horde/templates/horde/gollem/conf.php.j2 @@ -0,0 +1,8 @@ +{{ ansible_header | comment(decoration='// ') }} + + false, 'name' => 'IMAP Cr@ns', - 'hostspec' => '{{ glob_horde.imap }}', + 'hostspec' => '{{ horde.imap }}', 'hordeauth' => true, 'protocol' => 'imap', 'port' => 143, 'secure' => 'tls', - 'maildomain' => '{{ glob_horde.maildomain }}', + 'maildomain' => '{{ horde.maildomain }}', 'smtp' => array( - 'host' => '{{ glob_horde.smtp }}', + 'host' => '{{ horde.smtp }}', 'port' => 25, ), 'cache' => false, diff --git a/roles/horde/templates/horde/imp/conf.php.j2 b/roles/horde/templates/horde/imp/conf.php.j2 new file mode 100644 index 00000000..31ee99c4 --- /dev/null +++ b/roles/horde/templates/horde/imp/conf.php.j2 
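Review bot: The `Enable horde plugins` task writes each `/etc/horde/<app>/conf.php` with `owner: www-data`, `group: www-data`, `mode: 0640`, which makes the PHP worker the owner of its own configuration; if any of those files carry database or IMAP credentials, a compromised PHP process can rewrite them. `owner: root`, `group: www-data`, `mode: 0640` gives the server read access without write. In the first hunk, `loop:` over `apt` installs one package per transaction, which Ansible warns about; since the comment says order matters, two tasks — one for `php7.3-fpm`, one with the remaining packages as a list — keep the ordering while letting apt resolve the rest together, and `php7.3-fpm` pins a Debian release that the `php-fpm` metapackage would not.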
@@ -0,0 +1,22 @@ +{{ ansible_header | comment(decoration='// ') }} + + /var/local/calendrier/bde.ics -0 * * * * /usr/bin/python /var/local/wiki/data/plugin/action/EventsCrans.py > /var/local/calendrier/crans.ics -0 * * * * /usr/bin/python /var/local/wiki/data/plugin/action/Sports.py > /var/local/calendrier/sports.ics - # Generate sitemap 5 5 * * * /usr/bin/wget "http://wiki.adm.crans.org/PageAccueil?action=sitemap" -O /var/local/moin_htdocs_crans/www-sitemap.xml # Cleanup 17 3 * * * www-data /usr/bin/find /var/local/wiki/data/cache/__session__ -mtime +30 -delete 27 3 * * * www-data /usr/bin/find /var/local/wiki/tickets -mtime +30 -delete +{% if not moinmoin.main %} + +# Sync main wiki to backup +02 02 * * * root rsync -a4 --exclude "attachments" rsync://kiwi.adm.crans.org/wiki /var/local/wiki +{% endif %} diff --git a/roles/moinmoin/templates/moin/mywiki.py.j2 b/roles/moinmoin/templates/moin/mywiki.py.j2 index a71d97df..f21a1d7f 100644 --- a/roles/moinmoin/templates/moin/mywiki.py.j2 +++ b/roles/moinmoin/templates/moin/mywiki.py.j2 @@ -48,10 +48,11 @@ class Config(FarmConfig): # This is checked by some rather critical and potentially harmful actions, # like despam or PackageInstaller action: - superuser= [u"PeBecue", u"Wiki20-100", u"WikiB2moo", u"WikiBoudy", u"Benjamin", u"WikiPollion", u"Fardale", u"WikiErdnaxe"] + # WikiShirenn is a giant avocado https://youtu.be/UJeH8gcjuj0 + superuser= [u"PeBecue", u"Wiki20-100", u"WikiB2moo", u"WikiBoudy", u"Benjamin", u"WikiPollion", u"Fardale", u"WikiErdnaxe", u"WikiShirenn"] # Custom logo - logo_string = u'Crans' + logo_string = u'Crans' # French by default language_default = 'fr' 
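Review bot: The new `superuser` entry is justified only by `# WikiShirenn is a giant avocado` plus a video link; the comment above the list says `superuser` unlocks despam and PackageInstaller, so the line should state the role that warrants it, e.g. `# WikiShirenn: wiki admin (nounou) since <DATE placeholder>`. The `logo_string` change is not visible in this rendering (both sides show `u'Crans'`), presumably because the markup inside the string was stripped, so it cannot be reviewed here.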
@@ -139,22 +140,42 @@ class Config(FarmConfig): auth = [ moin.MoinAuth(), +{% if moinmoin.main %} cas.CASAuth("https://cas.crans.org", fallback_url='https://wiki.crans.org/', ticket_path='/var/local/wiki/tickets/', assoc_path='/var/local/wiki/assowiki/', ), ip_range.IpRange( - local_nets=['185.230.76.0/22', '10.53.0.0/16', '10.54.0.0/16', '2a0c:700:0::/40'], + local_nets=[ + '185.230.76.0/22', # ENS + '185.230.79.0/23', # test pour zamok + '10.53.0.0/16', + '10.54.0.0/16', + '2a0c:700:0::/40', + '45.66.108.0/22', # IPv4 Aurore + '2a09:6840::/29' # IPv6 Aurore + ], actions=['newaccount'], actions_msg={'newaccount':"La création de comptes n'est autorisée que depuis le réseau du Cr@ns ou sur zamok."}, ), categorie_public.PublicCategories(pub_cats=[u'Cat\xe9goriePagePublique']), # Avec trusted à False, les acl de Known s'appliquent +{% endif %} ] # Force text editor as CKEditor is broken editor_force = True def ip_autorised_create_account(self,ip): +{% if moinmoin.main %} return ip.startswith('185.230.76.') or ip.startswith('185.230.77.') or ip.startswith('185.230.78.') or ip.startswith('185.230.79.') or ip.startswith('10.') or ip.startswith('2a0c:700:0:') +{% else %} + return False +{% endif %} +{% if not moinmoin.main %} + # Stop new accounts being created + actions_excluded = config.multiconfig.DefaultConfig.actions_excluded + [ + 'newaccount', 'recoverpass' + ] +{% endif %} diff --git a/roles/moinmoin/templates/nginx/sites-available/wiki.j2 b/roles/moinmoin/templates/nginx/sites-available/wiki.j2 index 40e68cbc..4c7482f0 100644 --- a/roles/moinmoin/templates/nginx/sites-available/wiki.j2 +++ b/roles/moinmoin/templates/nginx/sites-available/wiki.j2 @@ -3,7 +3,7 @@ server { listen 80; listen [::]:80; - server_name wiki.crans.org; + server_name wiki.adm.crans.org; access_log /var/log/nginx/wiki.log combined; error_log /var/log/nginx/wiki.error.log; 
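Review bot: The account-creation policy is now written twice and the two copies diverge: `local_nets` for `IpRange` gains `185.230.79.0/23`, `45.66.108.0/22` and `2a09:6840::/29`, while `ip_autorised_create_account` keeps the old `startswith` chain, which never matches the Aurore ranges and accepts any `10.` or `2a0c:700:0:` address. The `# test pour zamok` comment on 185.230.79.0/23 reads like a temporary entry that should be removed or given its real meaning before the template is applied. Keeping one list (a module-level `ACCOUNT_CREATION_NETS`, for instance) and deriving both `local_nets` and the method from it would stop the drift; the method would then need a real network-membership test instead of string prefixes. The `actions_excluded` block added for the non-main wiki sits after the method inside the class body, which is valid but reads better next to the other class attributes.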
@@ -25,10 +25,7 @@ server { include uwsgi_params; } - set_real_ip_from 10.231.136.0/24; - set_real_ip_from 2a0c:700:0::/48; - set_real_ip_from 185.230.76.0/22; #filaire publique - set_real_ip_from 10.53.0.0/16; #nat des machines wifi crans - set_real_ip_from 10.54.0.0/16; #nat des machines filaires crans + set_real_ip_from 172.16.10.0/24; + set_real_ip_from fd00:0:0:10::/64; real_ip_header X-Real-Ip; } diff --git a/roles/ninjabot/tasks/main.yml b/roles/ninjabot/tasks/main.yml index 768cad97..1ea0787a 100644 --- a/roles/ninjabot/tasks/main.yml +++ b/roles/ninjabot/tasks/main.yml @@ -17,18 +17,18 @@ retries: 3 until: apt_result is succeeded -- name: Deploy NinjaBot main systemd unit +- name: Clone NinjaBot code + git: + repo: https://gitlab.adm.crans.org/nounous/NinjaBot.git + dest: /var/local/ninjabot + version: master + +- name: Deploy NinjaBot systemd unit template: src: systemd/system/ninjabot.service.j2 dest: /etc/systemd/system/ninjabot.service mode: 0644 -- name: Deploy NinjaBot webhook systemd unit - template: - src: systemd/system/ninjabot-webhook.service.j2 - dest: /etc/systemd/system/ninjabot-webhook.service - mode: 0644 - - name: Load and activate NinjaBot service systemd: name: ninjabot @@ -36,13 +36,6 @@ enabled: true state: started -- name: Load and activate NinjaBot webook service - systemd: - name: ninjabot-webhook - daemon_reload: true - enabled: true - state: started - - name: Indicate NinjaBot in motd template: src: update-motd.d/05-service.j2 diff --git a/roles/ninjabot/templates/systemd/system/ninjabot-webhook.service.j2 b/roles/ninjabot/templates/systemd/system/ninjabot-webhook.service.j2 deleted file mode 100644 index 3fbf9b82..00000000 --- a/roles/ninjabot/templates/systemd/system/ninjabot-webhook.service.j2 +++ /dev/null 
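Review bot: `set_real_ip_from 172.16.10.0/24` and `fd00:0:0:10::/64` trust an `X-Real-Ip` header from every host on the adm network, not only from the reverse proxy, and moin's `newaccount` / `ip_autorised_create_account` policy in mywiki.py.j2 decides on that rewritten address. Listing the proxy address(es) only (`set_real_ip_from <reverseproxy address from inventory>;`) keeps any other adm host from presenting an arbitrary client IP to the wiki. `real_ip_header X-Real-Ip` is unchanged and must keep matching what the nginx-reverseproxy role sets, which is outside this diff.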
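Review bot: The new `Clone NinjaBot code` task checks out `version: master`, so each playbook run can deploy whatever the branch holds at that moment, and the `Load and activate NinjaBot service` task later in the hunk only ensures `state: started`, so a changed checkout is not picked up until something else restarts the service. Pin the checkout (`version: <COMMIT_OR_TAG placeholder>`) and `notify` a restart handler from the git task, or at least `register` its result and restart when it changed. The clone is made by the playbook user (root, presumably) into /var/local/ninjabot while the unit in this commit runs the code as `nobody`, which is fine for read-only code as long as nothing under that path is writable by that account.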
@@ -1,15 +0,0 @@ -{{ ansible_header | comment }} -[Unit] -Description=NinjaBot WebHook server -After=network.target ninjabot.service - -[Service] -Type=simple -WorkingDirectory=/var/local/ninjabot -User=ninjabot -Group=nogroup -ExecStart=/usr/bin/python3 /var/local/ninjabot/main.py -Restart=always - -[Install] -WantedBy=multi-user.target diff --git a/roles/ninjabot/templates/systemd/system/ninjabot.service.j2 b/roles/ninjabot/templates/systemd/system/ninjabot.service.j2 index 4a9886ca..8c88045b 100644 --- a/roles/ninjabot/templates/systemd/system/ninjabot.service.j2 +++ b/roles/ninjabot/templates/systemd/system/ninjabot.service.j2 @@ -6,9 +6,9 @@ After=network.target [Service] Type=simple WorkingDirectory=/var/local/ninjabot -User=ninjabot +User=nobody Group=nogroup -ExecStart=/usr/bin/python3 /var/local/ninjabot/ninjabot.py +ExecStart=/usr/bin/python3 /var/local/ninjabot/main.py Restart=always [Install] diff --git a/roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2 b/roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2 index 28c27f27..1b61324d 100644 --- a/roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2 +++ b/roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2 @@ -58,5 +58,5 @@ inhibit_rules: receivers: - name: 'webhook-ninjabot' webhook_configs: - - url: 'http://fyre.adm.crans.org:5000/' + - url: 'http://localhost:5000/' send_resolved: true diff --git a/roles/prometheus-node-exporter/templates/default/prometheus-node-exporter.j2 b/roles/prometheus-node-exporter/templates/default/prometheus-node-exporter.j2 index 819d243a..9610d2d4 100644 --- a/roles/prometheus-node-exporter/templates/default/prometheus-node-exporter.j2 +++ b/roles/prometheus-node-exporter/templates/default/prometheus-node-exporter.j2 
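Review bot: `User=nobody` replaces the dedicated `ninjabot` account, so the bot now shares a uid with every other service that runs as nobody on the host, and the listener that alertmanager now targets at `http://localhost:5000/` (alertmanager hunk in this commit, with no authentication visible) runs under it. A per-service user (`User=ninjabot` with `DynamicUser=yes`, or a system user created by the role, as the old line had) is the better isolation; if the user was dropped because the task creating it disappeared, recreating it is cheaper than the shared account. Since the webhook is unauthenticated and now local, the bot should bind 127.0.0.1 only — that belongs in its configuration, which is outside this diff. `ExecStart` now runs `main.py`, the entry point the deleted webhook unit used; a comment such as `# main.py runs both the bot and the alertmanager webhook` would document the merge.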
@@ -4,7 +4,7 @@ # Due to shell scaping, to pass backslashes for regexes, you need to double # them (\\d for \d). If running under systemd, you need to double them again # (\\\\d to mean \d), and escape newlines too. -ARGS="--web.listen-address={{ adm_ipv4 }}:9100" +ARGS="--web.listen-address={{ query('ldap', 'ip', ansible_hostname, 10) | ipv4 | first }}:9100" # Prometheus-node-exporter supports the following options: # diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index 884b859e..e3bfc5bc 100644 --- a/roles/prometheus/tasks/main.yml +++ b/roles/prometheus/tasks/main.yml @@ -11,12 +11,14 @@ template: src: prometheus/prometheus.yml.j2 dest: /etc/prometheus/prometheus.yml + mode: 0644 notify: Restart Prometheus - name: Configure Prometheus alert rules template: src: "prometheus/{{ item }}.j2" dest: "/etc/prometheus/{{ item }}" + mode: 0644 notify: Restart Prometheus loop: - alert.rules.yml @@ -27,18 +29,21 @@ copy: content: "{{ [{'targets': prometheus.node_targets}] | to_nice_json }}" dest: /etc/prometheus/targets.json + mode: 0644 # We don't need to restart Prometheus when updating nodes - name: Configure Prometheus UPS SNMP devices copy: content: "{{ [{'targets': prometheus.ups_snmp_targets}] | to_nice_json }}" dest: /etc/prometheus/targets_ups_snmp.json + mode: 0644 # We don't need to restart Prometheus when updating nodes - name: Configure Prometheus Ubiquity Unifi SNMP devices copy: content: "{{ [{'targets': prometheus.unifi_snmp_targets}] | to_nice_json }}" dest: /etc/prometheus/targets_unifi_snmp.json + mode: 0644 when: prometheus.unifi_snmp_targets is defined # We don't need to restart Prometheus when updating nodes @@ -46,6 +51,7 @@ copy: content: "{{ [{'targets': prometheus.apache_targets}] | to_nice_json }}" dest: /etc/prometheus/targets_apache.json + mode: 0644 when: prometheus.apache_targets is defined # We don't need to restart Prometheus when updating nodes 
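Review bot: `query('ldap', 'ip', ansible_hostname, 10)` carries an undocumented positional `10`, and the lookup runs on the controller, which per the new lookup_plugins/ldap.py docstring needs an SSH forward to the LDAP server, so a run without the tunnel now fails at template time for every monitored host. A comment above the line (`# bind to the host's adm address as recorded in LDAP; 10 = <vlan/subnet id, confirm>`) would explain both where the address comes from and what the argument selects. If the lookup returns nothing, `| first` raises and stops the play, which is the right failure mode, but the previous `adm_ipv4` fallback is gone; the rest of the file is unchanged.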
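Review bot: Adding `mode: 0644` to every generated file makes them world-readable on the host; that is right for the targets JSON, but `/etc/prometheus/prometheus.yml` and the alert rules are where scrape credentials (`basic_auth`, `bearer_token`) would live if the template ever adds them, and the `@@ -53` hunk applies the same mode to the blackbox targets. `mode: 0640` with `group:` set to the group the Debian package runs Prometheus under (presumably `prometheus`) for prometheus.yml and the rules, keeping 0644 for the target files, gives the same readability to the service without exposing future secrets. The `when: … is defined` guards still write an empty target file when the playbook sets `[]`, which is harmless.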
@@ -53,6 +59,7 @@ copy: content: "{{ [{'targets': prometheus.blackbox_targets}] | to_nice_json }}" dest: /etc/prometheus/targets_blackbox.json + mode: 0644 when: prometheus.blackbox_targets is defined - name: Activate prometheus service diff --git a/roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-enterprise.list.j2 b/roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-enterprise.list.j2 index f1a09d1d..739806d3 100644 --- a/roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-enterprise.list.j2 +++ b/roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-enterprise.list.j2 @@ -1,2 +1,2 @@ {{ ansible_header | comment }} -deb http://download.proxmox.com/debian/pve {{ ansible_lsb.codename }} pve-no-subscription +deb http://mirror.adm.crans.org/proxmox/debian/pve {{ ansible_lsb.codename }} pve-no-subscription