crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'newinfra' into 'roundcube' 

# Conflicts:
#   group_vars/reverseproxy.yml
#   hosts
#   plays/network-interfaces.yml
certbot_on_virtu
_benjamin 2020-11-29 11:30:00 +01:00
parent da68de7d83 6326ee0918
commit 3edf1238f2
41 changed files with 293 additions and 147 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
group_vars/certbot.yml
View File

@ -1,6 +1,6 @@
--- ---
glob_certbot: glob_certbot:
dns_rfc2136_server: '172.16.10.147' dns_rfc2136_server: '185.230.79.9'
dns_rfc2136_name: certbot_challenge. dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
mail: root@crans.org mail: root@crans.org

8
group_vars/horde.yml
View File

@ -1,9 +1,9 @@
glob_horde: glob_horde:
secret: '{{ vault_horde_secret }}' secret: '{{ vault_horde_secret }}'
imap: imap.adm.crans.org imap: imap.adm.crans.org
smtp: smtp.crans.org smtp: smtp.adm.crans.org
maildomain: crans.org maildomain: crans.org
db: thot.adm.crans.org db: pgsql.adm.crans.org
admins: admins:
- "'paulon'" - "'paulon'"
- "'vulcain'" - "'vulcain'"
@ -16,5 +16,5 @@ glob_horde:
dest_hostname : webmail.crans.org dest_hostname : webmail.crans.org
admin_src_hostname : horde.adm.crans.org admin_src_hostname : horde.adm.crans.org
admin_dest_hostname : webmail.adm.crans.org admin_dest_hostname : webmail.adm.crans.org
zone_ipv4 : 10.231.136.0/24 zone_ipv4 : 172.16.10.0/24
zone_ipv6 : 2a0c:700:0:2::/64 zone_ipv6 : fd00:0:0:10::/64

6
group_vars/reverseproxy.yml
View File

@ -29,8 +29,6 @@ nginx:
# - {from: roundcube.crans.org, to: 10.231.136.105} # - {from: roundcube.crans.org, to: 10.231.136.105}
# - {from: phabricator.crans.org, to: 10.231.136.123} # - {from: phabricator.crans.org, to: 10.231.136.123}
# - {from: trackerusercontent.crans.org, to: 10.231.136.123} # - {from: trackerusercontent.crans.org, to: 10.231.136.123}
# - {from: webmail.crans.org, to: 10.231.136.107}
# - {from: horde.crans.org, to: 10.231.136.107}
# - {from: owncloud.crans.org, to: 10.231.136.26} # - {from: owncloud.crans.org, to: 10.231.136.26}
# - {from: ftps.crans.org, to: 10.231.136.98} # - {from: ftps.crans.org, to: 10.231.136.98}
# - {from: wiki.crans.org, to: 10.231.136.204} # - {from: wiki.crans.org, to: 10.231.136.204}
@ -44,6 +42,8 @@ nginx:
# - {from: autoconfig.crans.org, to: 10.231.136.46} # - {from: autoconfig.crans.org, to: 10.231.136.46}
# - {from: grafana.crans.org, to: "10.231.136.102:3000"} # - {from: grafana.crans.org, to: "10.231.136.102:3000"}
# - {from: webirc.crans.org, to: "10.231.136.1:9000"} # - {from: webirc.crans.org, to: "10.231.136.1:9000"}
- {from: webmail.crans.org, to: 172.16.10.108}
- {from: horde.crans.org, to: 172.16.10.108}
- {from: framadate.crans.org, to: 172.16.10.109} - {from: framadate.crans.org, to: 172.16.10.109}
- {from: stream.crans.org, to: 172.16.10.118} - {from: stream.crans.org, to: 172.16.10.118}
- {from: cas.crans.org, to: 172.16.10.120} - {from: cas.crans.org, to: 172.16.10.120}
@ -55,8 +55,8 @@ nginx:
- {from: pad.crans.org, to: "172.16.10.130:9001"} - {from: pad.crans.org, to: "172.16.10.130:9001"}
- {from: zero.crans.org, to: 172.16.10.130} - {from: zero.crans.org, to: 172.16.10.130}
- {from: ethercalc.crans.org, to: "172.16.10.133:8000"} - {from: ethercalc.crans.org, to: "172.16.10.133:8000"}
- {from: belenios.crans.org, to: 172.16.10.111}
- {from: roundcube.crans.org, to: 172.16.10.107} - {from: roundcube.crans.org, to: 172.16.10.107}
# - {from: belenios.crans.org, to: 172.16.10.111}
# - {from: mailman.crans.org, to: 10.231.136.180} # - {from: mailman.crans.org, to: 10.231.136.180}
# #
# # Zamok # # Zamok

3
host_vars/hodaur.adm.crans.org.yml 100644
View File

@ -0,0 +1,3 @@
---
loc_certbot:
domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"

2
host_vars/horde-srv.adm.crans.org.yml
View File

@ -1,2 +0,0 @@
loc_horde:
ipv6: '[2a0c:700:0:2:5474:8dff:fe5d:e2be]'

3
host_vars/horde.adm.crans.org.yml 100644
View File

@ -0,0 +1,3 @@
loc_horde:
ipv6: 'fd00::10:400:ff:fe01:810'
ipv4: '172.16.10.108'

3
host_vars/kiwi.adm.crans.org.yml
View File

@ -30,3 +30,6 @@ to_backup:
hosts_allow: ["soyouz.adm.crans.org", "10.231.136.108"], hosts_allow: ["soyouz.adm.crans.org", "10.231.136.108"],
read_only: "yes", read_only: "yes",
} }
moinmoin:
main: true

3
host_vars/monitoring.adm.crans.org.yml 100644
View File

@ -0,0 +1,3 @@
interfaces:
adm: eth0
srv_nat: eth1

3
host_vars/sputnik.adm.crans.org.yml
View File

@ -22,3 +22,6 @@ to_backup:
secrets_file: "/etc/rsyncd.secrets", secrets_file: "/etc/rsyncd.secrets",
hosts_allow: ["zephir.adm.crans.org", "10.231.136.6", "172.31.0.1"], hosts_allow: ["zephir.adm.crans.org", "10.231.136.6", "172.31.0.1"],
} }
moinmoin:
main: false

29
hosts
View File

@ -28,13 +28,13 @@ gitzly.adm.crans.org
[certbot:children] [certbot:children]
radius # We use certbot to manage LE certificates radius # We use certbot to manage LE certificates
reverseproxy
[nginx_rtmp] [nginx_rtmp]
fluxx.adm.crans.org fluxx.adm.crans.org
[reverseproxy] [reverseproxy]
hodaur.adm.crans.org hodaur.adm.crans.org
frontdaur.adm.crans.org
[roundcube] [roundcube]
roundcube-srv.adm.crans.org roundcube-srv.adm.crans.org
@ -43,7 +43,7 @@ roundcube-srv.adm.crans.org
ethercalc-srv.adm.crans.org ethercalc-srv.adm.crans.org
[horde] [horde]
horde-srv.adm.crans.org horde.adm.crans.org
[radius] [radius]
routeur-sam.adm.crans.org routeur-sam.adm.crans.org
@ -68,11 +68,11 @@ jack.adm.crans.org
[keepalived] [keepalived]
routeur-sam.adm.crans.org routeur-sam.adm.crans.org
routeur-daniel.adm.crans.org #routeur-daniel.adm.crans.org
[dhcp] [dhcp]
routeur-sam.adm.crans.org routeur-sam.adm.crans.org
routeur-daniel.adm.crans.org #routeur-daniel.adm.crans.org
[crans_routeurs:children] [crans_routeurs:children]
dhcp dhcp
@ -84,30 +84,31 @@ tealc.adm.crans.org
sam.adm.crans.org sam.adm.crans.org
daniel.adm.crans.org daniel.adm.crans.org
jack.adm.crans.org jack.adm.crans.org
gulp.adm.crans.org #gulp.adm.crans.org
[crans_vm] [crans_vm]
voyager.adm.crans.org voyager.adm.crans.org
silice.adm.crans.org #silice.adm.crans.org
routeur-sam.adm.crans.org routeur-sam.adm.crans.org
routeur-daniel.adm.crans.org #routeur-daniel.adm.crans.org
belenios # on changera plus tard #belenios.adm.crans.org
re2o-ldap.adm.crans.org #re2o-ldap.adm.crans.org
gitlab-ci.adm.crans.org gitlab-ci.adm.crans.org
gitzly.adm.crans.org gitzly.adm.crans.org
hodaur.adm.crans.org hodaur.adm.crans.org
monitoring.adm.crans.org monitoring.adm.crans.org
boeing.adm.crans.org #boeing.adm.crans.org
fluxx.adm.crans.org fluxx.adm.crans.org
unifi.adm.crans.org #unifi.adm.crans.org
pastemoisa.adm.crans.org #pastemoisa.adm.crans.org
casouley.adm.crans.org #casouley.adm.crans.org
kiwi.adm.crans.org kiwi.adm.crans.org
tracker.adm.crans.org tracker.adm.crans.org
jitsi.adm.crans.org jitsi.adm.crans.org
ethercalc-srv.adm.crans.org #ethercalc-srv.adm.crans.org
kenobi.adm.crans.org kenobi.adm.crans.org
roundcube.adm.crans.org roundcube.adm.crans.org
horde.adm.crans.org
[ovh_physical] [ovh_physical]
sputnik.adm.crans.org sputnik.adm.crans.org

8
lookup_plugins/ldap.py
View File

@ -1,10 +1,18 @@
"""
To use this lookup plugin, you need to pass ldap:
ssh -L 1636:172.16.10.1:636 172.16.10.1
"""
import ipaddress import ipaddress
from ansible.errors import AnsibleError, AnsibleParserError from ansible.errors import AnsibleError, AnsibleParserError
from ansible.plugins.lookup import LookupBase from ansible.plugins.lookup import LookupBase
from ansible.utils.display import Display from ansible.utils.display import Display
try:
import ldap import ldap
except ImportError:
raise AnsibleError("You need to install python3-ldap")
display = Display() display = Display()

2
plays/horde.yml
View File

@ -2,5 +2,7 @@
--- ---
# Moi j'aime le ocaml et lui il installe horde # Moi j'aime le ocaml et lui il installe horde
- hosts: horde - hosts: horde
vars:
horde: '{{ glob_horde | default({}) | combine(loc_horde | default({})) }}'
roles: roles:
- horde - horde

74
plays/monitoring.yml
View File

@ -6,17 +6,17 @@
# Prometheus targets.json # Prometheus targets.json
prometheus: prometheus:
node_targets: "{{ groups['server'] | list | sort }}" node_targets: "{{ groups['server'] | list | sort }}"
ups_snmp_targets: ups_snmp_targets: []
- pulsar.adm.crans.org # 0B # - pulsar.adm.crans.org # 0B
- quasar.adm.crans.org # 4J # - quasar.adm.crans.org # 4J
unifi_snmp_targets: "{{ groups['crans_unifi'] | list | sort }}" unifi_snmp_targets: [] # "{{ groups['crans_unifi'] | list | sort }}"
blackbox_targets: blackbox_targets:
- https://crans.org - https://crans.org
- https://www.crans.org - https://www.crans.org
- https://grafana.crans.org - https://grafana.crans.org
- https://wiki.crans.org - https://wiki.crans.org
- https://pad.crans.org - https://pad.crans.org
apache_targets: [zamok.adm.crans.org] apache_targets: [] # [zamok.adm.crans.org]
snmp_unifi_password: "{{ vault_snmp_unifi_password }}" snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
@ -26,38 +26,38 @@
ldap_passwd: "{{ vault_ldap_grafana_passwd }}" ldap_passwd: "{{ vault_ldap_grafana_passwd }}"
ldap_base: 'dc=crans,dc=org' ldap_base: 'dc=crans,dc=org'
ldap_master_ipv4: '10.231.136.19' ldap_master_ipv4: '172.16.10.1'
ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}" ldap_user_tree: "ou=users,{{ ldap_base }}"
roles: roles:
- prometheus - prometheus
- prometheus-alertmanager - prometheus-alertmanager
- prometheus-snmp-exporter #- prometheus-snmp-exporter
- prometheus-blackbox-exporter - prometheus-blackbox-exporter
- ninjabot - ninjabot
- grafana - grafana
# Deploy backup Prometheus on backup server # Deploy backup Prometheus on backup server
- hosts: odlyd.adm.crans.org #- hosts: odlyd.adm.crans.org
vars: # vars:
# only critical infra # # only critical infra
prometheus: # prometheus:
node_targets: # node_targets:
- odlyd.adm.crans.org # me, myself and I # - odlyd.adm.crans.org # me, myself and I
- zamok.adm.crans.org # parce que WeeChat c'est critique # - zamok.adm.crans.org # parce que WeeChat c'est critique
- thot.adm.crans.org # la bdd adh est critique... enfin a skip # - thot.adm.crans.org # la bdd adh est critique... enfin a skip
- zbee.adm.crans.org # zbeu! la bay! # - zbee.adm.crans.org # zbeu! la bay!
- stitch.adm.crans.org # last hope virtu # - stitch.adm.crans.org # last hope virtu
- redisdead.adm.crans.org # Postmen... youtu.be/vEkY6W-fEZQ?t=132 # - redisdead.adm.crans.org # Postmen... youtu.be/vEkY6W-fEZQ?t=132
ups_snmp_targets: # ups_snmp_targets:
- pulsar.adm.crans.org # 0B # - pulsar.adm.crans.org # 0B
- quasar.adm.crans.org # 4J # - quasar.adm.crans.org # 4J
#
snmp_unifi_password: "{{ vault_snmp_unifi_password }}" # snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
roles: # roles:
- prometheus # - prometheus
- prometheus-alertmanager # - prometheus-alertmanager
- prometheus-snmp-exporter # - prometheus-snmp-exporter
- ninjabot # - ninjabot
# Monitor all hosts # Monitor all hosts
@ -67,15 +67,15 @@
roles: ["prometheus-node-exporter"] roles: ["prometheus-node-exporter"]
# Export apache metrics # Export apache metrics
- hosts: zamok.adm.crans.org #- hosts: zamok.adm.crans.org
vars: # vars:
adm_ipv4: "{{ ansible_all_ipv4_addresses | ipaddr(adm_subnet) | first }}" # adm_ipv4: "{{ ansible_all_ipv4_addresses | ipaddr(adm_subnet) | first }}"
roles: ["prometheus-apache-exporter"] # roles: ["prometheus-apache-exporter"]
# Monitor mailq with a special text exporter # Monitor mailq with a special text exporter
- hosts: redisdead.adm.crans.org #- hosts: redisdead.adm.crans.org
roles: ["prometheus-node-exporter-postfix"] # roles: ["prometheus-node-exporter-postfix"]
# Monitor logs with mtail # Monitor logs with mtail
- hosts: thot.adm.crans.org #- hosts: thot.adm.crans.org
roles: ["mtail"] # roles: ["mtail"]

2
plays/network-interfaces.yml
View File

@ -1,6 +1,6 @@
#!/usr/bin/env ansible-playbook #!/usr/bin/env ansible-playbook
--- ---
- hosts: voyager.adm.crans.org,boeing.adm.crans.org,fluxx.adm.crans.org,hodaur.adm.crans.org,unifi.adm.crans.org,kiwi.adm.crans.org,roundcube.adm.crans.org - hosts: voyager.adm.crans.org,boeing.adm.crans.org,fluxx.adm.crans.org,hodaur.adm.crans.org,unifi.adm.crans.org,kiwi.adm.crans.org,roundcube.adm.crans.org,monitoring.adm.crans.org
vars: vars:
vlan: vlan:
- name: srv - name: srv

3
plays/reverse-proxy.yml
View File

@ -1,6 +1,9 @@
#!/usr/bin/env ansible-playbook #!/usr/bin/env ansible-playbook
--- ---
- hosts: reverseproxy - hosts: reverseproxy
vars:
certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
mirror: '{{ glob_mirror.name }}'
roles: roles:
- certbot - certbot
- nginx-reverseproxy - nginx-reverseproxy

2
roles/common-tools/tasks/main.yml
View File

@ -16,7 +16,6 @@
- htop # better than top - htop # better than top
- zsh # to be able to ssh @erdnaxe - zsh # to be able to ssh @erdnaxe
- fish # to motivate @edpibu - fish # to motivate @edpibu
- oidentd # postgresql identification
- aptitude # nice to have for Ansible - aptitude # nice to have for Ansible
- acl # advanced ACL - acl # advanced ACL
- iotop # monitor i/o - iotop # monitor i/o
@ -42,6 +41,7 @@
- doc-debian # graphical - doc-debian # graphical
- debian-faq # graphical - debian-faq # graphical
- os-prober # makes grub-install lag - os-prober # makes grub-install lag
- oidentd # kill the monster, https://youtu.be/yhNB0vO7FxI
- python3-reportbug - python3-reportbug
register: apt_result register: apt_result
retries: 3 retries: 3

13
roles/grafana/tasks/main.yml
View File

@ -1,15 +1,4 @@
--- ---
- name: Install APT HTTPS support
apt:
name:
- apt-transport-https
- gpg
state: present
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Import Grafana GPG signing key - name: Import Grafana GPG signing key
apt_key: apt_key:
url: https://packages.grafana.com/gpg.key url: https://packages.grafana.com/gpg.key
@ -21,7 +10,7 @@
- name: Add Grafana repository - name: Add Grafana repository
apt_repository: apt_repository:
repo: deb https://packages.grafana.com/oss/deb stable main repo: deb http://mirror.adm.crans.org/grafana/oss/deb stable main
state: present state: present
update_cache: true update_cache: true

2
roles/horde/README.md
View File

@ -2,7 +2,7 @@
Ce rôle ansible deploie une instance du webmail horde. Ce rôle ansible deploie une instance du webmail horde.
## Variables ## Variables
- glob_horde. : - horde. :
- secret : le secret de horde - secret : le secret de horde
- imap : le serveur imap - imap : le serveur imap
- smtp : le serveur smtp (il doit juste être contactable depuis le serveur - smtp : le serveur smtp (il doit juste être contactable depuis le serveur

23
roles/horde/tasks/main.yml
View File

@ -3,9 +3,13 @@
- name: Install horde APT dependencies - name: Install horde APT dependencies
apt: apt:
update_cache: true update_cache: true
name: name: '{{ item }}'
loop: # Install dependencies in the right order.
- nginx - nginx
- php7.3-fpm
- php-horde-webmail - php-horde-webmail
- php-pgsql
- oidentd
register: apt_result register: apt_result
retries: 3 retries: 3
until: apt_result is succeeded until: apt_result is succeeded
@ -21,6 +25,23 @@
- horde/horde/conf.php - horde/horde/conf.php
- horde/imp/backends.php - horde/imp/backends.php
- name: Enable horde plugins
template:
src: 'horde/{{ item }}/conf.php.j2'
dest: '/etc/horde/{{ item }}/conf.php'
owner: www-data
group: www-data
mode: 0640
loop:
- gollem
- imp
- ingo
- kronolith
- mnemo
- nag
- trean
- turba
- name: Configure nginx site - name: Configure nginx site
template: template:
src: '{{ item }}.j2' src: '{{ item }}.j2'

8
roles/horde/templates/horde/gollem/conf.php.j2 100644
View File

@ -0,0 +1,8 @@
{{ ansible_header | comment(decoration='// ') }}
<?php
/* CONFIG START. DO NOT CHANGE ANYTHING IN OR AFTER THIS LINE. */
// $Id: c70cc328a58f2b69cb67558ab883380298313e1e $
$conf['backend']['backend_list'] = 'none';
$conf['foldercache']['use_cache'] = false;
/* CONFIG END. DO NOT CHANGE ANYTHING IN OR BEFORE THIS LINE. */

8
roles/horde/templates/horde/horde/conf.php.j2
View File

@ -6,7 +6,7 @@ $conf['vhosts'] = false;
$conf['debug_level'] = E_ALL & ~E_NOTICE; $conf['debug_level'] = E_ALL & ~E_NOTICE;
$conf['max_exec_time'] = 0; $conf['max_exec_time'] = 0;
$conf['compress_pages'] = true; $conf['compress_pages'] = true;
$conf['secret_key'] = '{{ glob_horde.secret }}'; $conf['secret_key'] = '{{ horde.secret }}';
$conf['umask'] = 077; $conf['umask'] = 077;
$conf['testdisable'] = true; $conf['testdisable'] = true;
$conf['use_ssl'] = 1; $conf['use_ssl'] = 1;
@ -23,7 +23,7 @@ $conf['session']['max_time'] = 72000;
$conf['cookie']['domain'] = $_SERVER['SERVER_NAME']; $conf['cookie']['domain'] = $_SERVER['SERVER_NAME'];
$conf['cookie']['path'] = '/'; $conf['cookie']['path'] = '/';
$conf['sql']['username'] = 'www-data'; $conf['sql']['username'] = 'www-data';
$conf['sql']['hostspec'] = '{{ glob_horde.db }}'; $conf['sql']['hostspec'] = '{{ horde.db }}';
$conf['sql']['protocol'] = 'tcp'; $conf['sql']['protocol'] = 'tcp';
$conf['sql']['database'] = 'horde5'; $conf['sql']['database'] = 'horde5';
$conf['sql']['charset'] = 'utf-8'; $conf['sql']['charset'] = 'utf-8';
@ -32,14 +32,14 @@ $conf['sql']['logqueries'] = false;
$conf['sql']['phptype'] = 'pgsql'; $conf['sql']['phptype'] = 'pgsql';
$conf['nosql']['phptype'] = false; $conf['nosql']['phptype'] = false;
$conf['ldap']['useldap'] = false; $conf['ldap']['useldap'] = false;
$conf['auth']['admins'] = array({{ glob_horde.admins | join(', ')}}); $conf['auth']['admins'] = array({{ horde.admins | join(', ')}});
$conf['auth']['checkip'] = false; $conf['auth']['checkip'] = false;
$conf['auth']['checkbrowser'] = true; $conf['auth']['checkbrowser'] = true;
$conf['auth']['resetpassword'] = false; $conf['auth']['resetpassword'] = false;
$conf['auth']['alternate_login'] = false; $conf['auth']['alternate_login'] = false;
$conf['auth']['redirect_on_logout'] = false; $conf['auth']['redirect_on_logout'] = false;
$conf['auth']['list_users'] = 'list'; $conf['auth']['list_users'] = 'list';
$conf['auth']['params']['hostspec'] = '{{ glob_horde.imap }}'; $conf['auth']['params']['hostspec'] = '{{ horde.imap }}';
$conf['auth']['params']['port'] = 143; $conf['auth']['params']['port'] = 143;
$conf['auth']['params']['secure'] = 'tls'; $conf['auth']['params']['secure'] = 'tls';
$conf['auth']['driver'] = 'imap'; $conf['auth']['driver'] = 'imap';

6
roles/horde/templates/horde/imp/backends.php.j2
View File

@ -4,14 +4,14 @@ $servers['imp'] = array(
// Disabled by default // Disabled by default
'disabled' => false, 'disabled' => false,
'name' => 'IMAP Cr@ns', 'name' => 'IMAP Cr@ns',
'hostspec' => '{{ glob_horde.imap }}', 'hostspec' => '{{ horde.imap }}',
'hordeauth' => true, 'hordeauth' => true,
'protocol' => 'imap', 'protocol' => 'imap',
'port' => 143, 'port' => 143,
'secure' => 'tls', 'secure' => 'tls',
'maildomain' => '{{ glob_horde.maildomain }}', 'maildomain' => '{{ horde.maildomain }}',
'smtp' => array( 'smtp' => array(
'host' => '{{ glob_horde.smtp }}', 'host' => '{{ horde.smtp }}',
'port' => 25, 'port' => 25,
), ),
'cache' => false, 'cache' => false,

22
roles/horde/templates/horde/imp/conf.php.j2 100644
View File

@ -0,0 +1,22 @@
{{ ansible_header | comment(decoration='// ') }}
<?php
/* CONFIG START. DO NOT CHANGE ANYTHING IN OR AFTER THIS LINE. */
// $Id: 48bf0b4cc99e7941b4432a29e70e145b8d654cc7 $
$conf['user']['allow_view_source'] = true;
$conf['server']['server_list'] = 'none';
$conf['compose']['use_vfs'] = false;
$conf['compose']['link_attachments'] = false;
$conf['compose']['attach_size_limit'] = 0;
$conf['compose']['attach_count_limit'] = 0;
$conf['compose']['reply_limit'] = 200000;
$conf['compose']['ac_threshold'] = 3;
$conf['compose']['htmlsig_img_size'] = 30000;
$conf['pgp']['keylength'] = 0;
$conf['maillog']['driver'] = 'history';
$conf['sentmail']['driver'] = 'Null';
$conf['contactsimage']['backends'] = array('IMP_Contacts_Avatar_Addressbook');
$conf['tasklist']['use_tasklist'] = true;
$conf['notepad']['use_notepad'] = true;
/* CONFIG END. DO NOT CHANGE ANYTHING IN OR BEFORE THIS LINE. */

12
roles/horde/templates/horde/ingo/conf.php.j2 100644
View File

@ -0,0 +1,12 @@
{{ ansible_header | comment(decoration='// ') }}
<?php
/* CONFIG START. DO NOT CHANGE ANYTHING IN OR AFTER THIS LINE. */
// $Id: 48142d13ef06c07f56427fe5b43981631bdbfdb0 $
$conf['storage']['params']['driverconfig'] = 'horde';
$conf['storage']['driver'] = 'sql';
$conf['rules']['userheader'] = true;
$conf['spam']['header'] = 'X-Spam-Level';
$conf['spam']['char'] = '*';
$conf['spam']['compare'] = 'string';
/* CONFIG END. DO NOT CHANGE ANYTHING IN OR BEFORE THIS LINE. */

23
roles/horde/templates/horde/kronolith/conf.php.j2 100644
View File

@ -0,0 +1,23 @@
{{ ansible_header | comment(decoration='// ') }}
<?php
/* CONFIG START. DO NOT CHANGE ANYTHING IN OR AFTER THIS LINE. */
// $Id: 380230c774efc2661b03a58bd71824d28cdc6040 $
$conf['calendar']['params']['table'] = 'kronolith_events';
$conf['calendar']['params']['driverconfig'] = 'horde';
$conf['calendar']['params']['utc'] = true;
$conf['calendar']['driver'] = 'sql';
$conf['storage']['params']['table'] = 'kronolith_storage';
$conf['storage']['params']['driverconfig'] = 'horde';
$conf['storage']['driver'] = 'sql';
$conf['calendars']['driver'] = 'default';
$conf['resource']['params']['table'] = 'kronolith_resources';
$conf['resource']['params']['driverconfig'] = 'horde';
$conf['resource']['params']['utc'] = true;
$conf['resource']['driver'] = 'sql';
$conf['autoshare']['shareperms'] = 'none';
$conf['share']['notify'] = false;
$conf['holidays']['enable'] = true;
$conf['menu']['import_export'] = true;
$conf['maps']['driver'] = false;
/* CONFIG END. DO NOT CHANGE ANYTHING IN OR BEFORE THIS LINE. */

11
roles/horde/templates/horde/mnemo/conf.php.j2 100644
View File

@ -0,0 +1,11 @@
{{ ansible_header | comment(decoration='// ') }}
<?php
/* CONFIG START. DO NOT CHANGE ANYTHING IN OR AFTER THIS LINE. */
// $Id: d97e56b407852ff0a86c7d88c9a57c8f3089e82f $
$conf['storage']['params']['table'] = 'mnemo_memos';
$conf['storage']['params']['driverconfig'] = 'horde';
$conf['storage']['driver'] = 'sql';
$conf['notepads']['driver'] = 'default';
$conf['menu']['import_export'] = true;
/* CONFIG END. DO NOT CHANGE ANYTHING IN OR BEFORE THIS LINE. */

11
roles/horde/templates/horde/nag/conf.php.j2 100644
View File

@ -0,0 +1,11 @@
{{ ansible_header | comment(decoration='// ') }}
<?php
/* CONFIG START. DO NOT CHANGE ANYTHING IN OR AFTER THIS LINE. */
// $Id: 7a2eb8e9002cee73d99d618dfb6509a56ab639ec $
$conf['storage']['params']['table'] = 'nag_tasks';
$conf['storage']['params']['driverconfig'] = 'horde';
$conf['storage']['driver'] = 'sql';
$conf['tasklists']['driver'] = 'default';
$conf['menu']['import_export'] = true;
/* CONFIG END. DO NOT CHANGE ANYTHING IN OR BEFORE THIS LINE. */

10
roles/horde/templates/horde/trean/conf.php.j2 100644
View File

@ -0,0 +1,10 @@
{{ ansible_header | comment(decoration='// ') }}
<?php
/* CONFIG START. DO NOT CHANGE ANYTHING IN OR AFTER THIS LINE. */
// $Id: 5622bdf8096764a63c7e1039b09edb337bd46a0f $
$conf['storage']['params']['driverconfig'] = 'horde';
$conf['storage']['driver'] = 'sql';
$conf['content_index']['enabled'] = false;
$conf['favicons']['type'] = 'horde';
/* CONFIG END. DO NOT CHANGE ANYTHING IN OR BEFORE THIS LINE. */

11
roles/horde/templates/horde/turba/conf.php.j2 100644
View File

@ -0,0 +1,11 @@
{{ ansible_header | comment(decoration='// ') }}
<?php
/* CONFIG START. DO NOT CHANGE ANYTHING IN OR AFTER THIS LINE. */
// $Id: 4cd616848fb2e5c81200bf7c65930e9086ec2dcd $
$conf['menu']['import_export'] = true;
$conf['shares']['source'] = 'localsql';
$conf['comments']['allow'] = true;
$conf['documents']['type'] = 'horde';
$conf['tags']['enabled'] = true;
/* CONFIG END. DO NOT CHANGE ANYTHING IN OR BEFORE THIS LINE. */

11
roles/horde/templates/nginx/sites-available/horde.j2
View File

@ -1,17 +1,16 @@
{{ ansible_header | comment }} {{ ansible_header | comment }}
server { server {
listen {{ glob_horde.admin_src_hostname }}:80; listen [{{ horde.ipv6 }}]:80;
listen {{ loc_horde.ipv6 }}:80 ipv6only=on; server_name {{ horde.admin_src_hostname }} {{ horde.src_hostname }};
server_name {{ glob_horde.admin_src_hostname }} {{ glob_horde.src_hostname }};
root /usr/share/; root /usr/share/;
location / { location / {
return 302 https://{{ glob_horde.dest_hostname }}/horde; return 302 https://{{ horde.dest_hostname }}/horde;
} }
include "snippets/php.conf"; include "snippets/php.conf";
set_real_ip_from {{ glob_horde.zone_ipv4 }}; set_real_ip_from {{ horde.zone_ipv4 }};
set_real_ip_from {{ glob_horde.zone_ipv6 }}; set_real_ip_from {{ horde.zone_ipv6 }};
real_ip_header P-Real-Ip; real_ip_header P-Real-Ip;
} }

11
roles/horde/templates/nginx/sites-available/webmail.j2
View File

@ -1,12 +1,11 @@
{{ ansible_header | comment }} {{ ansible_header | comment }}
server { server {
listen {{ glob_horde.admin_dest_hostname }}:80; listen {{ horde.ipv4 }}:80;
listen {{ loc_horde.ipv6 }}:80; server_name {{ horde.dest_hostname }} {{ horde.admin_dest_hostname }};
server_name {{ glob_horde.dest_hostname }} {{ glob_horde.admin_dest_hostname }};
root /usr/share/; root /usr/share/;
location / { location / {
return 302 {{ glob_horde.redirection }}; return 302 {{ horde.redirection }};
} }
location /horde { location /horde {
try_files $uri $uri/ /horde/rampage.php?$args; try_files $uri $uri/ /horde/rampage.php?$args;
@ -14,8 +13,8 @@ server {
} }
include "snippets/php.conf"; include "snippets/php.conf";
set_real_ip_from {{ glob_horde.zone_ipv4 }}; set_real_ip_from {{ horde.zone_ipv4 }};
set_real_ip_from {{ glob_horde.zone_ipv6 }}; set_real_ip_from {{ horde.zone_ipv6 }};
real_ip_header P-Real-Ip; real_ip_header P-Real-Ip;
} }

10
roles/moinmoin/templates/cron.d/moinmoin.j2
View File

@ -1,13 +1,13 @@
{{ ansible_header | comment }} {{ ansible_header | comment }}
# Generate calendars
0 * * * * /usr/bin/python /var/local/wiki/data/plugin/action/EventsBDE.py > /var/local/calendrier/bde.ics
0 * * * * /usr/bin/python /var/local/wiki/data/plugin/action/EventsCrans.py > /var/local/calendrier/crans.ics
0 * * * * /usr/bin/python /var/local/wiki/data/plugin/action/Sports.py > /var/local/calendrier/sports.ics
# Generate sitemap # Generate sitemap
5 5 * * * /usr/bin/wget "http://wiki.adm.crans.org/PageAccueil?action=sitemap" -O /var/local/moin_htdocs_crans/www-sitemap.xml 5 5 * * * /usr/bin/wget "http://wiki.adm.crans.org/PageAccueil?action=sitemap" -O /var/local/moin_htdocs_crans/www-sitemap.xml
# Cleanup # Cleanup
17 3 * * * www-data /usr/bin/find /var/local/wiki/data/cache/__session__ -mtime +30 -delete 17 3 * * * www-data /usr/bin/find /var/local/wiki/data/cache/__session__ -mtime +30 -delete
27 3 * * * www-data /usr/bin/find /var/local/wiki/tickets -mtime +30 -delete 27 3 * * * www-data /usr/bin/find /var/local/wiki/tickets -mtime +30 -delete
{% if not moinmoin.main %}
# Sync main wiki to backup
02 02 * * * root rsync -a4 --exclude "attachments" rsync://kiwi.adm.crans.org/wiki /var/local/wiki
{% endif %}

27
roles/moinmoin/templates/moin/mywiki.py.j2
View File

@ -48,10 +48,11 @@ class Config(FarmConfig):
# This is checked by some rather critical and potentially harmful actions, # This is checked by some rather critical and potentially harmful actions,
# like despam or PackageInstaller action: # like despam or PackageInstaller action:
superuser= [u"PeBecue", u"Wiki20-100", u"WikiB2moo", u"WikiBoudy", u"Benjamin", u"WikiPollion", u"Fardale", u"WikiErdnaxe"] # WikiShirenn is a giant avocado https://youtu.be/UJeH8gcjuj0
superuser= [u"PeBecue", u"Wiki20-100", u"WikiB2moo", u"WikiBoudy", u"Benjamin", u"WikiPollion", u"Fardale", u"WikiErdnaxe", u"WikiShirenn"]
# Custom logo # Custom logo
logo_string = u'<img src="/wiki/logo.png" alt="Crans" height="60">' logo_string = u'<img src="/wiki/logo.svg" alt="Crans" height="60">'
# French by default # French by default
language_default = 'fr' language_default = 'fr'
@ -139,22 +140,42 @@ class Config(FarmConfig):
auth = [ auth = [
moin.MoinAuth(), moin.MoinAuth(),
{% if moinmoin.main %}
cas.CASAuth("https://cas.crans.org", cas.CASAuth("https://cas.crans.org",
fallback_url='https://wiki.crans.org/', fallback_url='https://wiki.crans.org/',
ticket_path='/var/local/wiki/tickets/', ticket_path='/var/local/wiki/tickets/',
assoc_path='/var/local/wiki/assowiki/', assoc_path='/var/local/wiki/assowiki/',
), ),
ip_range.IpRange( ip_range.IpRange(
local_nets=['185.230.76.0/22', '10.53.0.0/16', '10.54.0.0/16', '2a0c:700:0::/40'], local_nets=[
'185.230.76.0/22', # ENS
'185.230.79.0/23', # test pour zamok
'10.53.0.0/16',
'10.54.0.0/16',
'2a0c:700:0::/40',
'45.66.108.0/22', # IPv4 Aurore
'2a09:6840::/29' # IPv6 Aurore
],
actions=['newaccount'], actions=['newaccount'],
actions_msg={'newaccount':"La cr&eacute;ation de comptes n'est autoris&eacute;e que depuis le r&eacute;seau du Cr@ns ou sur zamok."}, actions_msg={'newaccount':"La cr&eacute;ation de comptes n'est autoris&eacute;e que depuis le r&eacute;seau du Cr@ns ou sur zamok."},
), ),
categorie_public.PublicCategories(pub_cats=[u'Cat\xe9goriePagePublique']), # Avec trusted à False, les acl de Known s'appliquent categorie_public.PublicCategories(pub_cats=[u'Cat\xe9goriePagePublique']), # Avec trusted à False, les acl de Known s'appliquent
{% endif %}
] ]
# Force text editor as CKEditor is broken # Force text editor as CKEditor is broken
editor_force = True editor_force = True
def ip_autorised_create_account(self,ip): def ip_autorised_create_account(self,ip):
{% if moinmoin.main %}
return ip.startswith('185.230.76.') or ip.startswith('185.230.77.') or ip.startswith('185.230.78.') or ip.startswith('185.230.79.') or ip.startswith('10.') or ip.startswith('2a0c:700:0:') return ip.startswith('185.230.76.') or ip.startswith('185.230.77.') or ip.startswith('185.230.78.') or ip.startswith('185.230.79.') or ip.startswith('10.') or ip.startswith('2a0c:700:0:')
{% else %}
return False
{% endif %}
{% if not moinmoin.main %}
# Stop new accounts being created
actions_excluded = config.multiconfig.DefaultConfig.actions_excluded + [
'newaccount', 'recoverpass'
]
{% endif %}

9
roles/moinmoin/templates/nginx/sites-available/wiki.j2
View File

@ -3,7 +3,7 @@
server { server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name wiki.crans.org; server_name wiki.adm.crans.org;
access_log /var/log/nginx/wiki.log combined; access_log /var/log/nginx/wiki.log combined;
error_log /var/log/nginx/wiki.error.log; error_log /var/log/nginx/wiki.error.log;
@ -25,10 +25,7 @@ server {
include uwsgi_params; include uwsgi_params;
} }
set_real_ip_from 10.231.136.0/24; set_real_ip_from 172.16.10.0/24;
set_real_ip_from 2a0c:700:0::/48; set_real_ip_from fd00:0:0:10::/64;
set_real_ip_from 185.230.76.0/22; #filaire publique
set_real_ip_from 10.53.0.0/16; #nat des machines wifi crans
set_real_ip_from 10.54.0.0/16; #nat des machines filaires crans
real_ip_header X-Real-Ip; real_ip_header X-Real-Ip;
} }

21
roles/ninjabot/tasks/main.yml
View File

@ -17,18 +17,18 @@
retries: 3 retries: 3
until: apt_result is succeeded until: apt_result is succeeded
- name: Deploy NinjaBot main systemd unit - name: Clone NinjaBot code
git:
repo: https://gitlab.adm.crans.org/nounous/NinjaBot.git
dest: /var/local/ninjabot
version: master
- name: Deploy NinjaBot systemd unit
template: template:
src: systemd/system/ninjabot.service.j2 src: systemd/system/ninjabot.service.j2
dest: /etc/systemd/system/ninjabot.service dest: /etc/systemd/system/ninjabot.service
mode: 0644 mode: 0644
- name: Deploy NinjaBot webhook systemd unit
template:
src: systemd/system/ninjabot-webhook.service.j2
dest: /etc/systemd/system/ninjabot-webhook.service
mode: 0644
- name: Load and activate NinjaBot service - name: Load and activate NinjaBot service
systemd: systemd:
name: ninjabot name: ninjabot
@ -36,13 +36,6 @@
enabled: true enabled: true
state: started state: started
- name: Load and activate NinjaBot webook service
systemd:
name: ninjabot-webhook
daemon_reload: true
enabled: true
state: started
- name: Indicate NinjaBot in motd - name: Indicate NinjaBot in motd
template: template:
src: update-motd.d/05-service.j2 src: update-motd.d/05-service.j2

15
roles/ninjabot/templates/systemd/system/ninjabot-webhook.service.j2
View File

@ -1,15 +0,0 @@
{{ ansible_header | comment }}
[Unit]
Description=NinjaBot WebHook server
After=network.target ninjabot.service
[Service]
Type=simple
WorkingDirectory=/var/local/ninjabot
User=ninjabot
Group=nogroup
ExecStart=/usr/bin/python3 /var/local/ninjabot/main.py
Restart=always
[Install]
WantedBy=multi-user.target

4
roles/ninjabot/templates/systemd/system/ninjabot.service.j2
View File

@ -6,9 +6,9 @@ After=network.target
[Service] [Service]
Type=simple Type=simple
WorkingDirectory=/var/local/ninjabot WorkingDirectory=/var/local/ninjabot
User=ninjabot User=nobody
Group=nogroup Group=nogroup
ExecStart=/usr/bin/python3 /var/local/ninjabot/ninjabot.py ExecStart=/usr/bin/python3 /var/local/ninjabot/main.py
Restart=always Restart=always
[Install] [Install]

2
roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2
View File

@ -58,5 +58,5 @@ inhibit_rules:
receivers: receivers:
- name: 'webhook-ninjabot' - name: 'webhook-ninjabot'
webhook_configs: webhook_configs:
- url: 'http://fyre.adm.crans.org:5000/' - url: 'http://localhost:5000/'
send_resolved: true send_resolved: true

2
roles/prometheus-node-exporter/templates/default/prometheus-node-exporter.j2
View File

@ -4,7 +4,7 @@
# Due to shell scaping, to pass backslashes for regexes, you need to double # Due to shell scaping, to pass backslashes for regexes, you need to double
# them (\\d for \d). If running under systemd, you need to double them again # them (\\d for \d). If running under systemd, you need to double them again
# (\\\\d to mean \d), and escape newlines too. # (\\\\d to mean \d), and escape newlines too.
ARGS="--web.listen-address={{ adm_ipv4 }}:9100" ARGS="--web.listen-address={{ query('ldap', 'ip', ansible_hostname, 10) | ipv4 | first }}:9100"
# Prometheus-node-exporter supports the following options: # Prometheus-node-exporter supports the following options:
# #

7
roles/prometheus/tasks/main.yml
View File

@ -11,12 +11,14 @@
template: template:
src: prometheus/prometheus.yml.j2 src: prometheus/prometheus.yml.j2
dest: /etc/prometheus/prometheus.yml dest: /etc/prometheus/prometheus.yml
mode: 0644
notify: Restart Prometheus notify: Restart Prometheus
- name: Configure Prometheus alert rules - name: Configure Prometheus alert rules
template: template:
src: "prometheus/{{ item }}.j2" src: "prometheus/{{ item }}.j2"
dest: "/etc/prometheus/{{ item }}" dest: "/etc/prometheus/{{ item }}"
mode: 0644
notify: Restart Prometheus notify: Restart Prometheus
loop: loop:
- alert.rules.yml - alert.rules.yml
@ -27,18 +29,21 @@
copy: copy:
content: "{{ [{'targets': prometheus.node_targets}] | to_nice_json }}" content: "{{ [{'targets': prometheus.node_targets}] | to_nice_json }}"
dest: /etc/prometheus/targets.json dest: /etc/prometheus/targets.json
mode: 0644
# We don't need to restart Prometheus when updating nodes # We don't need to restart Prometheus when updating nodes
- name: Configure Prometheus UPS SNMP devices - name: Configure Prometheus UPS SNMP devices
copy: copy:
content: "{{ [{'targets': prometheus.ups_snmp_targets}] | to_nice_json }}" content: "{{ [{'targets': prometheus.ups_snmp_targets}] | to_nice_json }}"
dest: /etc/prometheus/targets_ups_snmp.json dest: /etc/prometheus/targets_ups_snmp.json
mode: 0644
# We don't need to restart Prometheus when updating nodes # We don't need to restart Prometheus when updating nodes
- name: Configure Prometheus Ubiquity Unifi SNMP devices - name: Configure Prometheus Ubiquity Unifi SNMP devices
copy: copy:
content: "{{ [{'targets': prometheus.unifi_snmp_targets}] | to_nice_json }}" content: "{{ [{'targets': prometheus.unifi_snmp_targets}] | to_nice_json }}"
dest: /etc/prometheus/targets_unifi_snmp.json dest: /etc/prometheus/targets_unifi_snmp.json
mode: 0644
when: prometheus.unifi_snmp_targets is defined when: prometheus.unifi_snmp_targets is defined
# We don't need to restart Prometheus when updating nodes # We don't need to restart Prometheus when updating nodes
@ -46,6 +51,7 @@
copy: copy:
content: "{{ [{'targets': prometheus.apache_targets}] | to_nice_json }}" content: "{{ [{'targets': prometheus.apache_targets}] | to_nice_json }}"
dest: /etc/prometheus/targets_apache.json dest: /etc/prometheus/targets_apache.json
mode: 0644
when: prometheus.apache_targets is defined when: prometheus.apache_targets is defined
# We don't need to restart Prometheus when updating nodes # We don't need to restart Prometheus when updating nodes
@ -53,6 +59,7 @@
copy: copy:
content: "{{ [{'targets': prometheus.blackbox_targets}] | to_nice_json }}" content: "{{ [{'targets': prometheus.blackbox_targets}] | to_nice_json }}"
dest: /etc/prometheus/targets_blackbox.json dest: /etc/prometheus/targets_blackbox.json
mode: 0644
when: prometheus.blackbox_targets is defined when: prometheus.blackbox_targets is defined
- name: Activate prometheus service - name: Activate prometheus service

2
roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-enterprise.list.j2
View File

@ -1,2 +1,2 @@
{{ ansible_header | comment }} {{ ansible_header | comment }}
deb http://download.proxmox.com/debian/pve {{ ansible_lsb.codename }} pve-no-subscription deb http://mirror.adm.crans.org/proxmox/debian/pve {{ ansible_lsb.codename }} pve-no-subscription