diff --git a/all.yml b/all.yml index ac216f33..bcb5b71b 100755 --- a/all.yml +++ b/all.yml @@ -12,10 +12,8 @@ - import_playbook: plays/borgbackup_client.yml - import_playbook: plays/cas.yml - import_playbook: plays/certbot.yml -- import_playbook: plays/constellation.yml - import_playbook: plays/dhcp.yml - import_playbook: plays/dns-authoritative.yml -- import_playbook: plays/dns-recursive.yml - import_playbook: plays/dovecot.yml - import_playbook: plays/ethercalc.yml - import_playbook: plays/etherpad.yml @@ -51,6 +49,7 @@ - import_playbook: plays/radvd.yml - import_playbook: plays/re2o-ldap.yml - import_playbook: plays/re2o.yml +- import_playbook: plays/restic_client.yml - import_playbook: plays/reverse-proxy.yml - import_playbook: plays/root.yml - import_playbook: plays/roundcube.yml @@ -63,6 +62,5 @@ - import_playbook: plays/unbound.yml - import_playbook: plays/utilities.yml - import_playbook: plays/vm_setup.yml -- import_playbook: plays/vsftpd.yml - import_playbook: plays/wireguard.yml - import_playbook: plays/zamok.yml diff --git a/group_vars/all/borg.yml b/group_vars/all/borg.yml index fc64d92e..991dcd24 100644 --- a/group_vars/all/borg.yml +++ b/group_vars/all/borg.yml @@ -9,8 +9,7 @@ glob_borg: - /backup/borg-server - /backup/borg-adh remote: - - borg@backup-ft.adm.crans.org:/backup/borg-server/{{ ansible_hostname }} - - borg@backup-thot.adm.crans.org:/backup/borg-server/{{ ansible_hostname }} + - ssh://borg@backup-ft.adm.crans.org/backup/borg-server/{{ ansible_hostname }} retention: - ["daily", 4] - ["monthly", 6] diff --git a/group_vars/all/home_nounou.yml b/group_vars/all/home_nounou.yml index 04898044..3bff1f66 100644 --- a/group_vars/all/home_nounou.yml +++ b/group_vars/all/home_nounou.yml @@ -1,7 +1,7 @@ --- glob_home_nounou: mounts: - - ip: "{{ query('ldap', 'ip4', 'tealc', 'adm') }}" + - ip: "{{ lookup('ldap', 'ip4', 'tealc', 'adm') }}" mountpoint: /pool/home target: /home_nounou name: home_nounou 
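Review bot: The `remote:` list in glob_borg drops to a single destination (backup-ft) once the backup-thot entry is removed, and backup-thot's host_vars are deleted further down this diff, so unless the new restic repository on 172.16.10.14 is the intended second copy every host's borg history now lives in one place whose loss or compromise is unrecoverable. A comment on the list stating where the second copy lives would make the intent auditable, e.g. `# second copy is the restic REST repo (group_vars/all/restic.yml)`, or a second borg target should be re-added. The `ssh://borg@…` URL form is fine as long as clients pin the server host key; this repo manages known_hosts from LDAP (glob_service_ssh_known_hosts), so confirm backup-ft's key is present in that source rather than accepted on first connect.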
diff --git a/group_vars/all/ldap.yml b/group_vars/all/ldap.yml index 876bac30..30a2bd89 100644 --- a/group_vars/all/ldap.yml +++ b/group_vars/all/ldap.yml @@ -3,8 +3,8 @@ glob_ldap: uri: 'ldap://yson-partou.adm.crans.org/' users_base: 'cn=Utilisateurs,dc=crans,dc=org' servers: - - "{{ query('ldap', 'ip4', 'wall-e', 'adm') }}" -# - "{{ query('ldap', 'ip4', 'sam', 'adm') }}" -# - "{{ query('ldap', 'ip4', 'daniel', 'adm') }}" -# - "{{ query('ldap', 'ip4', 'jack', 'adm') }}" + - "{{ lookup('ldap', 'ip4', 'wall-e', 'adm') }}" +# - "{{ lookup('ldap', 'ip4', 'sam', 'adm') }}" +# - "{{ lookup('ldap', 'ip4', 'daniel', 'adm') }}" +# - "{{ lookup('ldap', 'ip4', 'jack', 'adm') }}" base: 'dc=crans,dc=org' diff --git a/group_vars/all/mirror.yml b/group_vars/all/mirror.yml index 81376705..4df6a241 100644 --- a/group_vars/all/mirror.yml +++ b/group_vars/all/mirror.yml @@ -1,10 +1,8 @@ --- glob_mirror: hostname: mirror.adm.crans.org - ip: "{{ query('ldap', 'ip4', 'eclat', 'adm') }}" + ip: "{{ lookup('ldap', 'ip4', 'eclat', 'adm') }}" debian_mirror: http://mirror.adm.crans.org/debian -ubuntu_mirror: http://mirror.adm.crans.org/ubuntu proxmox_mirror: http://mirror.adm.crans.org/proxmox/debian/pve debian_components: main contrib non-free -ubuntu_components: main restricted universe multiverse diff --git a/group_vars/all/network_interfaces.yml b/group_vars/all/network_interfaces.yml index 3d533147..08ae7463 100644 --- a/group_vars/all/network_interfaces.yml +++ b/group_vars/all/network_interfaces.yml 
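Review bot: `lookup()` differs from `query()` in more than wrapping: with several results it silently joins them with commas (`'a,b'`) unless `wantlist=True`, and with zero results it yields an empty string rather than `[]`. Every converted value in this commit is a host, gateway or listen address, so a machine with two `ip4` attributes in LDAP would render `servers: ['10.0.0.1,10.0.0.2']` and the error would only surface when the consuming daemon refuses the string. If the ldap plugin guarantees exactly one value per (attribute, host, vlan), record that at the first use, e.g. `# lookup('ldap', …) must return exactly one value; multiple results are comma-joined`; otherwise keep `query()` and select with `| first`, or assert the cardinality in the play.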
@@ -3,12 +3,12 @@ glob_network_interfaces: vlan: - name: srv id: 2 - gateway: "{{ query('ldap', 'ip4', 'passerelle', 'srv') }}" - gateway_v6: "{{ query('ldap', 'ip6', 'passerelle', 'srv') }}" + gateway: "{{ lookup('ldap', 'ip4', 'passerelle', 'srv') }}" + gateway_v6: "{{ lookup('ldap', 'ip6', 'passerelle', 'srv') }}" - name: srv_nat id: 3 - gateway: "{{ query('ldap', 'ip4', 'passerelle', 'srv-nat') }}" - gateway_v6: "{{ query('ldap', 'ip6', 'passerelle', 'srv-nat') }}" + gateway: "{{ lookup('ldap', 'ip4', 'passerelle', 'srv-nat') }}" + gateway_v6: "{{ lookup('ldap', 'ip6', 'passerelle', 'srv-nat') }}" - name: san id: 4 extra: @@ -19,14 +19,14 @@ glob_network_interfaces: - "mtu 9000" - name: adm id: 10 - dns: "{{ query('ldap', 'ip4', 'romanesco', 'adm') }}" + dns: "{{ lookup('ldap', 'ip4', 'romanesco', 'adm') }}" - name: adh id: 12 - name: adh_adm id: 13 - name: renater id: 38 - gateway: "{{ query('ldap', 'ip4', 'dsi', 'renater') }}" + gateway: "{{ lookup('ldap', 'ip4', 'dsi', 'renater') }}" - name: lp id: 56 - name: auto diff --git a/group_vars/all/prometheus_nginx_exporter.yaml b/group_vars/all/prometheus_nginx_exporter.yaml index acb00f53..18e8c716 100644 --- a/group_vars/all/prometheus_nginx_exporter.yaml +++ b/group_vars/all/prometheus_nginx_exporter.yaml @@ -1,3 +1,3 @@ --- glob_prometheus_nginx_exporter: - listen_addr: "{{ query('ldap', 'ip4', ansible_hostname, 'adm') }}" + listen_addr: "{{ lookup('ldap', 'ip4', ansible_hostname, 'adm') }}" diff --git a/group_vars/all/prometheus_node_exporter.yaml b/group_vars/all/prometheus_node_exporter.yaml index 72a6bc8f..feeb7bbb 100644 --- a/group_vars/all/prometheus_node_exporter.yaml +++ b/group_vars/all/prometheus_node_exporter.yaml @@ -1,3 +1,3 @@ --- glob_prometheus_node_exporter: - listen_addr: "{{ query('ldap', 'ip4', ansible_hostname, 'adm') }}" + listen_addr: "{{ lookup('ldap', 'ip4', ansible_hostname, 'adm') }}" 
diff --git a/group_vars/all/restic.yml b/group_vars/all/restic.yml new file mode 100644 index 00000000..3dccc7c1 --- /dev/null +++ b/group_vars/all/restic.yml @@ -0,0 +1,17 @@ +--- +glob_restic: + config: + base: + to_exclude: + - /var/cache + - /var/lib/lxcfs + to_backup: + - /etc + - /var + retention: + - [--keep-daily, 2] + - [--keep-weekly, 2] + - [--keep-monthly, 2] + - [--keep-yearly, 1] + remote: + - rest:http://{{ ansible_hostname }}:{{ vault.restic[ansible_hostname].rest_password }}@172.16.10.14/{{ ansible_hostname }}/ diff --git a/group_vars/all/rsyslog_client.yml b/group_vars/all/rsyslog_client.yml index f8406365..5b33523e 100644 --- a/group_vars/all/rsyslog_client.yml +++ b/group_vars/all/rsyslog_client.yml @@ -1,3 +1,3 @@ --- glob_rsyslog_client: - server: "{{ query('ldap', 'ip4', 'tealc', 'adm') }}" + server: "{{ lookup('ldap', 'ip4', 'tealc', 'adm') }}" diff --git a/group_vars/all/ssh_known_hosts.yml b/group_vars/all/ssh_known_hosts.yml index 047b4f8c..4a3c42ef 100644 --- a/group_vars/all/ssh_known_hosts.yml +++ b/group_vars/all/ssh_known_hosts.yml @@ -12,4 +12,4 @@ glob_service_ssh_known_hosts: frequency: "*/10 * * * *" config: ldap: - server: "ldaps://{{ query('ldap', 'ip4', 'wall-e', 'adm') }}" + server: "ldaps://{{ lookup('ldap', 'ip4', 'wall-e', 'adm') }}" diff --git a/group_vars/all/sudo.yml b/group_vars/all/sudo.yml new file mode 100644 index 00000000..799d1dd2 --- /dev/null +++ b/group_vars/all/sudo.yml @@ -0,0 +1,3 @@ +--- +glob_sudo: + group: "NOUNOUS" diff --git a/group_vars/arpproxy.yml b/group_vars/arpproxy.yml index f5db4b2a..0463553f 100644 --- a/group_vars/arpproxy.yml +++ b/group_vars/arpproxy.yml @@ -1,4 +1,5 @@ --- +# Semble mettre à jour les routes glob_service_proxy: git: remote: https://gitlab.adm.crans.org/nounous/proxy.git diff --git a/group_vars/aurore/home_nounou.yml b/group_vars/aurore/home_nounou.yml index a2126f8c..86b33901 100644 --- a/group_vars/aurore/home_nounou.yml +++ b/group_vars/aurore/home_nounou.yml 
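Review bot: The repository URL `rest:http://{{ ansible_hostname }}:{{ vault.restic[ansible_hostname].rest_password }}@172.16.10.14/…` sends each host's REST password in cleartext over the adm network and embeds it in the repository string, so it also shows up in the restic command line (`ps`, journal entries on failure) on every client. rest-server supports TLS, so use `rest:https://…` with a certificate the clients trust, and hand the credential over via `RESTIC_REST_USERNAME`/`RESTIC_REST_PASSWORD` (available in recent restic) instead of the URL — whether the restic_client role exposes that is outside this file. The literal `172.16.10.14` is also the one address in this commit not obtained through `lookup('ldap', 'ip4', …)`, which the rest of the change standardises on. Because these credentials allow `restic forget --prune`, the server should run with `--append-only` so a compromised host cannot erase its own history; that is a server-side setting not visible here but worth a comment next to `remote:`.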
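Review bot: `group: "NOUNOUS"` becomes the sudo group on every host, yet elsewhere in this repo the admin group is written `_nounou` (e.g. `group: _nounou` in group_vars/printer.yml); if the sudoers template emits `%NOUNOUS` and that name does not resolve through sssd/LDAP, the outcome is a silent fail-closed lockout rather than a deploy-time error. A comment such as `# LDAP/sssd group name as returned by getent group, not the local _nounou gid` would remove the ambiguity, or the role could assert `getent group {{ glob_sudo.group }}` succeeds before writing /etc/sudoers.d.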
@@ -1,7 +1,7 @@ --- loc_home_nounou: mounts: - - ip: "{{ query('ldap', 'ip4', 'thot', 'adm') }}" + - ip: "{{ lookup('ldap', 'ip4', 'thot', 'adm') }}" mountpoint: /home_nounou target: /home_nounou name: home_nounou diff --git a/group_vars/aurore/ldap.yml b/group_vars/aurore/ldap.yml index 7cc7dad2..0e2c8085 100644 --- a/group_vars/aurore/ldap.yml +++ b/group_vars/aurore/ldap.yml @@ -1,4 +1,4 @@ --- loc_ldap: servers: - - "{{ query('ldap', 'ip4', 'thot', 'adm') }}" + - "{{ lookup('ldap', 'ip4', 'thot', 'adm') }}" diff --git a/group_vars/aurore/ssh_known_hosts.yml b/group_vars/aurore/ssh_known_hosts.yml index fc67c9df..cb33ce83 100644 --- a/group_vars/aurore/ssh_known_hosts.yml +++ b/group_vars/aurore/ssh_known_hosts.yml @@ -2,4 +2,4 @@ loc_service_ssh_known_hosts: config: ldap: - server: "ldaps://{{ query('ldap', 'ip4', 'thot', 'adm') }}" + server: "ldaps://{{ lookup('ldap', 'ip4', 'thot', 'adm') }}" diff --git a/group_vars/bird.yml b/group_vars/bird.yml index 702ae11f..0424b984 100644 --- a/group_vars/bird.yml +++ b/group_vars/bird.yml @@ -49,4 +49,4 @@ glob_bird: ipv6: true glob_prometheus_bird_exporter: - listen_addr: "{{ query('ldap', 'ip4', ansible_hostname, 'adm') }}" + listen_addr: "{{ lookup('ldap', 'ip4', ansible_hostname, 'adm') }}" diff --git a/group_vars/ceph_test.yml b/group_vars/ceph_test.yml deleted file mode 100644 index 53db0819..00000000 --- a/group_vars/ceph_test.yml +++ /dev/null @@ -1,3 +0,0 @@ -glob_ceph: - mirror: 'http://mirror.adm.crans.org/download.ceph.com/debian-quincy' - mirror_key: 'http://mirror.adm.crans.org/download.ceph.com/keys/release.asc' diff --git a/group_vars/certbot.yml b/group_vars/certbot.yml index 696f9997..895a2a19 100644 --- a/group_vars/certbot.yml +++ b/group_vars/certbot.yml @@ -15,7 +15,7 @@ glob_service_certbot: config: "crans.org": zone: _acme-challenge.crans.org - server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}" + server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}" port: 53 key: name: certbot_challenge. 
diff --git a/group_vars/constellation.yml b/group_vars/constellation.yml deleted file mode 100644 index 620292fe..00000000 --- a/group_vars/constellation.yml +++ /dev/null @@ -1,47 +0,0 @@ ---- -glob_constellation: - django_secret_key: "{{ vault.constellation.django_secret_key }}" - admins: - - ('Root', 'root@crans.org') - allowed_hosts: - - 'constellation.crans.org' - - 'intranet.crans.org' - email: - ssl: false - host: "{{ query('ldap', 'ip4', 'redisdead', 'adm') }}" - port: 25 - user: '' - password: '' - from: "root@crans.org" - from_full: "Crans " - database: - host: "{{ query('ldap', 'ip4', 'tealc', 'adm') }}" - port: 5432 - user: 'constellation' - password: "{{ vault.constellation.django_db_password }}" - name: 'constellation' - front: true - crontab: true - applications: - - 'access' - - 'billing' - - 'dnsmanager' - - 'firewall' - - 'layers' - - 'management' - - 'member' - - 'topography' - - 'unix' - stripe: - private_key: '{{ vault.constellation.stripe.live.private_key }}' - public_key: '{{ vault.constellation.stripe.live.public_key }}' - note: - url: 'https://note.crans.org/' - client_id: '{{ vault.constellation.note.client_id }}' - client_secret: '{{ vault.constellation.note.client_secret }}' - debug: false - owner: root - group: _nounou - version: main - settings_local_owner: www-data - settings_local_group: _nounou diff --git a/group_vars/constellation_front.yml b/group_vars/constellation_front.yml deleted file mode 100644 index f0be3b70..00000000 --- a/group_vars/constellation_front.yml +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -loc_nginx: - service_name: constellation - ssl: [] - servers: - - ssl: false - default: true - server_name: - - "constellation.crans.org" - - "intranet.crans.org" - locations: - - filter: "/static" - params: - - "alias {% if constellation.version == 'main' %}/var/lib/constellation/static/{% else %}/var/local/constellation/static/{% endif %}" - - - filter: "/media" - params: - - "alias {% if constellation.version == 'main' %}/var/lib/constellation/media/{% else %}/var/local/constellation/media/{% endif %}" - - - filter: "/doc" - params: - - "alias /var/www/constellation-doc/" - - - filter: "/" - params: - - "uwsgi_pass constellation" - - "include /etc/nginx/uwsgi_params" - upstreams: - - name: 'constellation' - server: 'unix:///var/run/uwsgi/app/constellation/constellation.sock' diff --git a/group_vars/dhcp.yml b/group_vars/dhcp.yml index bffecd92..27475477 100644 --- a/group_vars/dhcp.yml +++ b/group_vars/dhcp.yml @@ -8,8 +8,5 @@ glob_service_dhcp: name: dhcp install_dir: /var/local/services/dhcp generated: true - cron: - frequency: "*/2 * * * *" - options: -q dependencies: - python3-jinja2 diff --git a/group_vars/django_cas.yml b/group_vars/django_cas.yml index b0db89b0..f6ee474d 100644 --- a/group_vars/django_cas.yml +++ b/group_vars/django_cas.yml @@ -6,14 +6,14 @@ glob_django_cas: dn: 'cn=Utilisateurs,dc=crans,dc=org' password: "{{ vault.cas.ldap.password }}" user: 'cn=cas,ou=service-users,dc=crans,dc=org' - server: "{{ query('ldap', 'ip4', 'yson-partou', 'adm') }}" + server: "{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}" db: host: tealc.adm.crans.org password: "{{ vault.cas.database.password }}" secret_key: "{{ vault.cas.secret_key }}" mail: address: 'root@crans.org' - host: "{{ query('ldap', 'ip4', 'redisdead', 'adm') }}" + host: "{{ lookup('ldap', 'ip4', 'redisdead', 'adm') }}" port: 25 loc_nginx: diff --git a/group_vars/dovecot.yml b/group_vars/dovecot.yml index cfa8f645..0e25ac39 100644 --- a/group_vars/dovecot.yml 
+++ b/group_vars/dovecot.yml @@ -1,7 +1,7 @@ --- glob_dovecot: ldap: - uri: "ldap://{{ query('ldap', 'ip4', 'yson-partou', 'adm') }}/" + uri: "ldap://{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}/" dn: 'cn=dovecot,ou=service-users,dc=crans,dc=org' pass: "{{ vault.dovecot.dnpass }}" users_base: 'cn=Utilisateurs,dc=crans,dc=org' diff --git a/group_vars/ethercalc.yml b/group_vars/ethercalc.yml index 775cc2f2..a2270d46 100644 --- a/group_vars/ethercalc.yml +++ b/group_vars/ethercalc.yml @@ -1,3 +1,3 @@ --- glob_ethercalc: - ip: "{{ query('ldap', 'ip4', ansible_hostname, 'adm') }}" + ip: "{{ lookup('ldap', 'ip4', ansible_hostname, 'adm') }}" diff --git a/group_vars/galene.yml b/group_vars/galene.yml index d3ae3759..c8305167 100644 --- a/group_vars/galene.yml +++ b/group_vars/galene.yml @@ -36,4 +36,4 @@ service_nginx: - "proxy_pass http://localhost:8444" glob_galene: - version: 0.6.1 + version: 0.96.3 diff --git a/group_vars/keepalived.yml b/group_vars/keepalived.yml index 80b1837a..92340aa0 100644 --- a/group_vars/keepalived.yml +++ b/group_vars/keepalived.yml @@ -2,7 +2,7 @@ glob_keepalived: mail_source: keepalived@crans.org mail_destination: root@crans.org - smtp_server: "{{ query('ldap', 'ip4', 'redisdead', 'adm') }}" + smtp_server: "{{ lookup('ldap', 'ip4', 'redisdead', 'adm') }}" routeur_id: "{{ ansible_hostname }}" pool: VI_ALL: 
@@ -20,19 +20,19 @@ glob_keepalived: ipv6: - {ip: '2a0c:700:28::1/64', scope: 'global'} - vlan: srv - ipv4: "{{ query('ldap', 'ip4', 'passerelle', 'srv') }}/26" + ipv4: "{{ lookup('ldap', 'ip4', 'passerelle', 'srv') }}/26" ipv6: - - {ip: "{{ query('ldap', 'ip6', 'passerelle', 'srv') }}/64", scope: 'global'} + - {ip: "{{ lookup('ldap', 'ip6', 'passerelle', 'srv') }}/64", scope: 'global'} - {ip: 'fe80::1/64', scope: 'link'} - vlan: srv_nat - ipv4: "{{ query('ldap', 'ip4', 'passerelle', 'srv-nat') }}/24" + ipv4: "{{ lookup('ldap', 'ip4', 'passerelle', 'srv-nat') }}/24" ipv6: - - {ip: "{{ query('ldap', 'ip6', 'passerelle', 'srv-nat') }}/64", scope: 'global'} + - {ip: "{{ lookup('ldap', 'ip6', 'passerelle', 'srv-nat') }}/64", scope: 'global'} - {ip: 'fe80::1/64', scope: 'link'} - vlan: adh - ipv4: "{{ query('ldap', 'ip4', 'passerelle', 'adh') }}/24" + ipv4: "{{ lookup('ldap', 'ip4', 'passerelle', 'adh') }}/24" ipv6: - - {ip: "{{ query('ldap', 'ip6', 'passerelle', 'adh') }}/48", scope: 'global'} + - {ip: "{{ lookup('ldap', 'ip6', 'passerelle', 'adh') }}/48", scope: 'global'} - {ip: 'fe80::1/64', scope: 'link'} # - vlan: ens # ipv4: 100.84.0.99/16 diff --git a/group_vars/mailman.yml b/group_vars/mailman.yml index 202d7dca..4d494a45 100644 --- a/group_vars/mailman.yml +++ b/group_vars/mailman.yml @@ -57,13 +57,13 @@ glob_mailman3: database: user: "mailman3" pass: "{{ vault.mailman3.database.pass }}" - host: "{{ query('ldap', 'ip4', 'tealc', 'adm') }}" + host: "{{ lookup('ldap', 'ip4', 'tealc', 'adm') }}" port: 5432 name: "mailman3" web_database: user: "mailman3web" pass: "{{ vault.mailman3.web_database.pass }}" - host: "{{ query('ldap', 'ip4', 'tealc', 'adm') }}" + host: "{{ lookup('ldap', 'ip4', 'tealc', 'adm') }}" port: 5432 name: "mailman3web" restadmin_pass: "{{ vault.mailman3.restadmin_pass }}" diff --git a/group_vars/nginx.yml b/group_vars/nginx.yml index 3dc6e157..e8f065e6 100644 --- a/group_vars/nginx.yml +++ b/group_vars/nginx.yml 
@@ -1,6 +1,7 @@ --- glob_nginx: contact: contact@crans.org + extra_params: [] who: "L'équipe technique du Cr@ns" service_name: service ssl: diff --git a/group_vars/postfix.yml b/group_vars/postfix.yml index 42ee4953..898a1ed3 100644 --- a/group_vars/postfix.yml +++ b/group_vars/postfix.yml @@ -1,3 +1,3 @@ --- glob_prometheus_postfix_exporter: - listen_addr: "{{ query('ldap', 'ip4', ansible_hostname, 'adm') }}" + listen_addr: "{{ lookup('ldap', 'ip4', ansible_hostname, 'adm') }}" diff --git a/group_vars/prefix_delegation.yml b/group_vars/prefix_delegation.yml index 06325303..bf85722f 100644 --- a/group_vars/prefix_delegation.yml +++ b/group_vars/prefix_delegation.yml @@ -14,6 +14,6 @@ loc_service_prefix_delegation: prefix: "2a0c:700:12::" length: "48" ldap: - server: "ldaps://{{ query('ldap', 'ip4', 'flirt', 'adm') }}" + server: "ldaps://{{ lookup('ldap', 'ip4', 'flirt', 'adm') }}" binddn: "{{ vault.ldap_adh_reader.binddn }}" password: "{{ vault.ldap_adh_reader.bindpass }}" diff --git a/group_vars/printer.yml b/group_vars/printer.yml index b0af8365..b7a4f3ed 100644 --- a/group_vars/printer.yml +++ b/group_vars/printer.yml @@ -8,14 +8,14 @@ glob_printer: - 'imprimante.crans.org' email: ssl: false - host: "{{ query('ldap', 'ip4', 'redisdead', 'adm') }}" + host: "{{ lookup('ldap', 'ip4', 'redisdead', 'adm') }}" port: 25 user: '' password: '' from: "root@crans.org" from_full: "Crans " database: - host: "{{ query('ldap', 'ip4', 'tealc', 'adm') }}" + host: "{{ lookup('ldap', 'ip4', 'tealc', 'adm') }}" port: 5432 user: 'helloworld' password: "{{ vault.printer.django_db_password }}" @@ -27,9 +27,9 @@ glob_printer: note_id: 2088 note_alias: 'Crans' printer_name: 'Lexmark_X950_Series' - domain: "{{ query('ldap', 'ip4', 'printer', 'lp') }}" + domain: "{{ lookup('ldap', 'ip4', 'printer', 'lp') }}" scan_server: - address: "{{ query('ldap', 'ip4', ansible_hostname, 'lp') }}" + address: "{{ lookup('ldap', 'ip4', ansible_hostname, 'lp') }}" port: 9751 debug: false owner: www-data 
@@ -38,7 +38,7 @@ glob_printer: settings_local_owner: www-data settings_local_group: _nounou ldap: - uri: "ldaps://{{ query('ldap', 'ip4', 'tealc', 'adm') }}/" + uri: "ldaps://{{ lookup('ldap', 'ip4', 'tealc', 'adm') }}/" dn_template: uid=%(user)s,ou=passwd,dc=crans,dc=org group_search: ou=group,dc=crans,dc=org read_group: cn=_user,ou=group,dc=crans,dc=org diff --git a/group_vars/prometheus.yml b/group_vars/prometheus.yml index 5100a06f..bbe5a062 100644 --- a/group_vars/prometheus.yml +++ b/group_vars/prometheus.yml @@ -13,7 +13,7 @@ glob_service_prometheus_target: options: "" config: ldap: - server: "ldaps://{{ query('ldap', 'ip4', 'wall-e', 'adm') }}" + server: "ldaps://{{ lookup('ldap', 'ip4', 'wall-e', 'adm') }}" glob_ninjabot: config: diff --git a/group_vars/re2o.yml b/group_vars/re2o.yml index 430b0a9f..7e361267 100644 --- a/group_vars/re2o.yml +++ b/group_vars/re2o.yml @@ -9,7 +9,7 @@ glob_re2o: - 'intranet.adm.crans.org' - 're2o.crans.org' - 'intranet.crans.org' - - "{{ query('ldap', 'ip4', 're2o', 'adm') }}" + - "{{ lookup('ldap', 'ip4', 're2o', 'adm') }}" from_email: "root@crans.org" smtp_server: smtp.adm.crans.org ldap: @@ -18,7 +18,7 @@ glob_re2o: dn: "{{ vault.slapd.re2o.admin.binddn }}" database: password: "{{ vault.re2o.database.password }}" - uri: "{{ query('ldap', 'ip4', 'tealc', 'adm') }}" + uri: "{{ lookup('ldap', 'ip4', 'tealc', 'adm') }}" optional_apps: - api - captcha diff --git a/group_vars/re2o_front.yml b/group_vars/re2o_front.yml index 3c2ffb80..63bc0ff4 100644 --- a/group_vars/re2o_front.yml +++ b/group_vars/re2o_front.yml @@ -1,8 +1,8 @@ --- glob_re2o_front: server_names: - - "{{ query('ldap', 'ip4', 're2o', 'adm') }}" - - "[{{ query('ldap', 'ip6', 're2o', 'adm') }}]" + - "{{ lookup('ldap', 'ip4', 're2o', 'adm') }}" + - "[{{ lookup('ldap', 'ip6', 're2o', 'adm') }}]" - re2o.adm.crans.org - intranet.adm.crans.org - re2o.crans.org diff --git a/group_vars/re2o_ldap.yml b/group_vars/re2o_ldap.yml index e3bfb6cd..d6293920 100644 
--- a/group_vars/re2o_ldap.yml +++ b/group_vars/re2o_ldap.yml @@ -1,7 +1,7 @@ --- glob_re2o_ldap: suffix: dc=crans,dc=org - url: "ldaps://{{ query('ldap', 'ip4', 'yson-partou', 'adm') }}:636" + url: "ldaps://{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}:636" root_password_hash: "{{ vault.slapd.re2o.admin.bindpass_hash }}" certificate: "{{ vault.slapd.re2o.certificate }}" private_key: "{{ vault.slapd.re2o.private_key }}" diff --git a/group_vars/reverseproxy.yml b/group_vars/reverseproxy.yml index f5d35f14..1e7cd4f8 100644 --- a/group_vars/reverseproxy.yml +++ b/group_vars/reverseproxy.yml @@ -8,7 +8,7 @@ loc_service_certbot: config: "crans.org": zone: _acme-challenge.crans.org - server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}" + server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}" port: 53 key: name: certbot_challenge. @@ -16,7 +16,7 @@ loc_service_certbot: algorithm: HMAC-SHA512 "crans.eu": zone: _acme-challenge.crans.org - server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}" + server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}" port: 53 key: name: certbot_challenge. @@ -24,7 +24,7 @@ loc_service_certbot: algorithm: HMAC-SHA512 "crans.fr": zone: _acme-challenge.crans.org - server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}" + server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}" port: 53 key: name: certbot_challenge. 
@@ -49,34 +49,35 @@ glob_reverseproxy: # Services web Crans - {from: belenios.crans.org, to: 172.16.10.111} - {from: cas.crans.org, to: 172.16.10.120} - - {from: constellation-dev.crans.org, to: 172.16.10.167} - {from: eclats.crans.org, to: 172.16.10.104} - - {from: ftps.crans.org, to: 172.16.10.113} + - {from: element.crans.org, to: "172.16.10.118"} - {from: ethercalc.crans.org, to: "172.16.10.133:8000"} - {from: framadate.crans.org, to: 172.16.10.109} + - {from: ftps.crans.org, to: 172.16.10.113} - {from: galene-token.crans.org, to: "172.16.10.115:3000"} - {from: grafana.crans.org, to: "172.16.10.121:3000"} - - {from: hedgedoc.crans.org, to: "172.16.10.128:3000"} - {from: helloworld.crans.org, to: 172.16.10.131} + - {from: hosts.crans.org, to: 172.16.10.114} - {from: imprimante.crans.org, to: 172.16.10.131} - {from: intranet.crans.org, to: 172.16.10.156} - {from: linx.crans.org, to: "172.16.10.119:8080"} - {from: lists.crans.org, to: 172.16.10.110} - - {from: matrix.crans.org, to: "172.16.10.123:8008"} + - {from: mediakiwi.crans.org, to: "172.16.10.144"} - {from: mirrors.crans.org, to: 172.16.10.104} - - {from: nextcloud.crans.org, to: 172.16.10.137} + - {from: nextcloud.crans.org, to: 172.16.10.146} - {from: onlyoffice.crans.org, to: 172.16.10.148} - {from: owncloud.crans.org, to: 172.16.10.136} - {from: pad.crans.org, to: "172.16.10.130:9001"} + - {from: pdf.crans.org, to: "172.16.10.140"} - {from: re2o.crans.org, to: 172.16.10.156} - {from: re2o-dev.crans.org, to: 172.16.10.166} - {from: roundcube.crans.org, to: 172.16.10.107} - {from: tmpad.crans.org, to: "172.16.10.130:9002"} + - {from: vaultwarden.crans.org, to: "172.16.10.159"} - {from: webirc.crans.org, to: "172.16.10.31:9000"} - {from: webmail.crans.org, to: 172.16.10.107} - {from: wiki.crans.org, to: 172.16.10.161} - {from: zero.crans.org, to: 172.16.10.130} - - {from: hosts.crans.org, to: 172.16.10.114} # Zamok - {from: amap.crans.org, to: 172.16.10.31} 
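Review bot: The new proxied sites (`element`, `mediakiwi`, `pdf`, `vaultwarden`, and the moved `nextcloud`) are declared with literal adm addresses while the rest of this commit moves every address to `lookup('ldap', 'ip4', …)`; for `vaultwarden.crans.org` in particular a renumbering would silently route password-manager traffic to whichever VM later receives 172.16.10.159. Consider `- {from: vaultwarden.crans.org, to: "{{ lookup('ldap', 'ip4', 'vaultwarden', 'adm') }}"}` (hostnames assumed, adjust to the LDAP entries), or add a comment explaining why the proxy map stays literal.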
@@ -84,10 +85,9 @@ glob_reverseproxy: - {from: perso.crans.org, to: 172.16.10.31} redirect_sites: - - {from: crans.org, to: www.crans.org} - # Aliases or legacy support - {from: adopteunpingouin.crans.org, to: install-party.crans.org} + - {from: adopteunmanchot.crans.org, to: install-party.crans.org} - {from: clubs.crans.org, to: perso.crans.org} - {from: i-p.crans.org, to: install-party.crans.org} - {from: pot-vieux.crans.org, to: perso.crans.org/club-vieux} @@ -97,7 +97,15 @@ glob_reverseproxy: - {from: tv.crans.org, to: wiki.crans.org/CransTv} - {from: wikipedia.crans.org, to: wiki.crans.org} + # To the wiki + - {from: mediawiki.crans.org, to: mediakiwi.crans.org} + + # To pdf + - {from: stirling.crans.org, to: pdf.crans.org} + - {from: stirling-pdf.crans.org, to: pdf.crans.org} + static_sites: - autoconfig.crans.org - install-party.crans.org + - crans.org - www.crans.org diff --git a/group_vars/routeurs_vm.yml b/group_vars/routeurs_vm.yml index 3ff8a719..97a68ddb 100644 --- a/group_vars/routeurs_vm.yml +++ b/group_vars/routeurs_vm.yml @@ -20,8 +20,8 @@ loc_dhcp: vlan: "adh" default_lease_time: "600" max_lease_time: "7200" - routers: "{{ query('ldap', 'ip4', 'passerelle', 'adh') }}" - dns: ["{{ query('ldap', 'ip4', 'romanesco', 'adh') }}"] + routers: "{{ lookup('ldap', 'ip4', 'passerelle', 'adh') }}" + dns: ["{{ lookup('ldap', 'ip4', 'romanesco', 'adh') }}"] domain_name: "adh.crans.org" domain_search: "adh.crans.org" options: [] 
@@ -31,9 +31,25 @@ loc_service_dhcp: git: remote: https://gitlab.adm.crans.org/nounous/dhcp.git version: main - cron: - frequency: "*/2 * * * *" - options: -r + systemd: + Unit: + After: network-online.target + Wants: network-online.target + StartLimitBurst: 3 + StartLimitInterval: 40 + Service: + Restart: on-failure + RestartSec: 10 + ExecStart: "/usr/bin/python3 /var/local/services/dhcp/dhcp.py -r" + Type: oneshot + User: root + timer: + Unit: [] + Timer: + OnCalendar: "*:0/2" + Persistent: true + Install: + WantedBy: timers.target config: ldap: server: ldaps://flirt.adm.crans.org diff --git a/group_vars/slapd.yml b/group_vars/slapd.yml index 3b9bf4d5..b4d899f9 100644 --- a/group_vars/slapd.yml +++ b/group_vars/slapd.yml @@ -1,6 +1,6 @@ --- glob_slapd: - master_ip: "{{ query('ldap', 'ip4', 'wall-e', 'adm') }}" + master_ip: "{{ lookup('ldap', 'ip4', 'wall-e', 'adm') }}" regex: "^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*|description:.*|location:.*)$" replication_credentials: "{{ vault.slapd.main.replication_credentials }}" private_key: "{{ vault.slapd.main.private_key }}" diff --git a/group_vars/sssd.yml b/group_vars/sssd.yml index f43aaac3..162d0255 100644 --- a/group_vars/sssd.yml +++ b/group_vars/sssd.yml 
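Review bot: `Type: oneshot` together with `Restart: on-failure` is refused by systemd releases before roughly v251 ("Restart= setting other than no, which isn't allowed for Type=oneshot"), so if the routers still run Debian 11 (systemd 247) the service fails to load and the DHCP configuration silently stops being regenerated — the very thing the old cron guaranteed. Either check the target systemd version or drop `Restart`/`RestartSec` and rely on the timer's two-minute cadence plus `StartLimitBurst`. The timer's `Unit: []` is an empty list where the service's `Unit:` is a mapping; a template that iterates `.items()` will break on it, so prefer `Unit: {}` or omit the key. The generator still runs every two minutes as `User: root` from the `main` branch of the dhcp repo; a one-line comment on why root is required (presumably writing /etc/dhcp and reloading the server) would help the next reader judge whether a dedicated user with a sudo rule for the reload would do.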
@@ -4,17 +4,17 @@ glob_sssd: domain: wall-e.adm.crans.org enumerate: "true" servers: - - "ldaps://{{ query('ldap', 'ip4', 'wall-e', 'adm') }}/" - - "ldaps://{{ query('ldap', 'ip4', 'sam', 'adm') }}/" - - "ldaps://{{ query('ldap', 'ip4', 'daniel', 'adm') }}/" - - "ldaps://{{ query('ldap', 'ip4', 'jack', 'adm') }}/" + - "ldaps://{{ lookup('ldap', 'ip4', 'wall-e', 'adm') }}/" + - "ldaps://{{ lookup('ldap', 'ip4', 'sam', 'adm') }}/" + - "ldaps://{{ lookup('ldap', 'ip4', 'daniel', 'adm') }}/" + - "ldaps://{{ lookup('ldap', 'ip4', 'jack', 'adm') }}/" base: "dc=crans,dc=org" secondary: domain: yson-partou.adm.crans.org enumerate: "false" servers: - - "ldaps://{{ query('ldap', 'ip4', 'yson-partou', 'adm') }}/" - - "ldaps://{{ query('ldap', 'ip4', 'terenez', 'adm') }}/" + - "ldaps://{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}/" + - "ldaps://{{ lookup('ldap', 'ip4', 'terenez', 'adm') }}/" base: "dc=crans,dc=org" bind: dn: "{{ vault.sssd.secondary_ldap.binddn }}" diff --git a/group_vars/thelounge.yml b/group_vars/thelounge.yml index d2fe4a9e..4e3266e2 100644 --- a/group_vars/thelounge.yml +++ b/group_vars/thelounge.yml @@ -20,7 +20,7 @@ glob_thelounge: join: "#general" ldap_enable: "false" ldap: - url: "ldap://{{ query('ldap', 'ip4', 'yson-partou', 'adm') }}" + url: "ldap://{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}" primaryKey: "cn" rootDN: "{{ vault.thelounge.ldap.rootDN }}" rootPassword: "{{ vault.thelounge.ldap.rootPassword }}" diff --git a/group_vars/viarezo/home_nounou.yml b/group_vars/viarezo/home_nounou.yml index f9150196..43268991 100644 --- a/group_vars/viarezo/home_nounou.yml +++ b/group_vars/viarezo/home_nounou.yml @@ -1,7 +1,7 @@ --- loc_home_nounou: mounts: - - ip: "{{ query('ldap', 'ip4', 'ft', 'adm') }}" + - ip: "{{ lookup('ldap', 'ip4', 'ft', 'adm') }}" mountpoint: /home_nounou target: /home_nounou name: home_nounou diff --git a/group_vars/viarezo/ldap.yml b/group_vars/viarezo/ldap.yml index 0a128c3d..6e02b950 100644 
--- a/group_vars/viarezo/ldap.yml +++ b/group_vars/viarezo/ldap.yml @@ -1,4 +1,4 @@ --- loc_ldap: servers: - - "{{ query('ldap', 'ip4', 'ft', 'adm') }}" + - "{{ lookup('ldap', 'ip4', 'ft', 'adm') }}" diff --git a/group_vars/viarezo/ssh_known_hosts.yml b/group_vars/viarezo/ssh_known_hosts.yml index 72ec7a9d..d656c165 100644 --- a/group_vars/viarezo/ssh_known_hosts.yml +++ b/group_vars/viarezo/ssh_known_hosts.yml @@ -2,4 +2,4 @@ loc_service_ssh_known_hosts: config: ldap: - server: "ldaps://{{ query('ldap', 'ip4', 'ft', 'adm') }}" + server: "ldaps://{{ lookup('ldap', 'ip4', 'ft', 'adm') }}" diff --git a/group_vars/virtu.yml b/group_vars/virtu.yml index 335ab4b5..df8c6a0a 100644 --- a/group_vars/virtu.yml +++ b/group_vars/virtu.yml @@ -5,6 +5,8 @@ glob_debian_images: rsync_module: 'mirror' include_extra_images: false +# Semble servir à synchroniser les nounous et apprenti⋅es avec le ldap dans +# proxmox glob_service_proxmox_user: git: remote: https://gitlab.adm.crans.org/nounous/proxmox-user.git @@ -18,7 +20,7 @@ glob_service_proxmox_user: config: ldap: admin: - uri: "ldaps://{{ query('ldap', 'ip4', 'wall-e', 'adm') }}/" + uri: "ldaps://{{ lookup('ldap', 'ip4', 'wall-e', 'adm') }}/" userBase: "ou=passwd,dc=crans,dc=org" realm: "pam" dependencies: @@ -34,7 +36,7 @@ loc_service_certbot: config: "adm.crans.org": zone: _acme-challenge.adm.crans.org - server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}" + server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}" port: 53 key: name: certbot_adm_challenge. diff --git a/group_vars/virtu_adh.yml b/group_vars/virtu_adh.yml index 3df3c664..3b397949 100644 --- a/group_vars/virtu_adh.yml +++ b/group_vars/virtu_adh.yml @@ -1,4 +1,6 @@ --- +# Semble servir à synchroniser les nounous et apprenti⋅es avec le ldap dans +# proxmox glob_service_proxmox_user: git: remote: https://gitlab.adm.crans.org/nounous/proxmox-user.git 
@@ -12,11 +14,11 @@ glob_service_proxmox_user: config: ldap: admin: - uri: "ldaps://{{ query('ldap', 'ip4', 'wall-e', 'adm') }}/" + uri: "ldaps://{{ lookup('ldap', 'ip4', 'wall-e', 'adm') }}/" userBase: "ou=passwd,dc=crans,dc=org" realm: "pam" user: - uri: "ldaps://{{ query('ldap', 'ip4', 'flirt', 'adm') }}/" + uri: "ldaps://{{ lookup('ldap', 'ip4', 'flirt', 'adm') }}/" userBase: "ou=users,dc=adh,dc=crans,dc=org" realm: "pve" binddn: "{{ vault.ldap_adh_reader.binddn }}" diff --git a/group_vars/wiki.yml b/group_vars/wiki.yml index 47419505..cfbd7aeb 100644 --- a/group_vars/wiki.yml +++ b/group_vars/wiki.yml @@ -1,8 +1,53 @@ --- glob_moinmoin: + data_dir: /var/local/wiki/data + front_page: PageAccueil + interwikiname: CransWiki + ip_autorised: + - ip.startswith('185.230.76.') # IPv4 Crans + - ip.startswith('185.230.77.') + - ip.startswith('185.230.78.') + - ip.startswith('185.230.79.') + - ip.startswith('172.16.') # IPv4 local + - ip.startswith('138.231.') + - ip.startswith('45.66.108.') # IPv4 Aurore + - ip.startswith('45.66.109.') + - ip.startswith('45.66.110.') + - ip.startswith('45.66.111.') + - ip.startswith('2a0c:700:') # IPv6 Crans + - ip.startswith('2a09:6840:') # IPv6 Aurore + mail: + from: Crans Wiki + server: smtp.adm.crans.org main: false + new_account_ip: + - 45.66.108.0/22, # IPv4 Aurore + - 100.64.0.0/10, # IPv4 adherents + - 138.231.175.203/32, # IPv4 PC Kfet + - 172.16.0.0/16, # IPv4 local + - 185.230.76.0/22, # IPv4 Crans + - 2a0c:700::/32, # IPv6 Crans + - 2a09:6840::/32, # IPv6 Aurore + site_name: Crans Wiki + superuser: + - u"Benjamin" + - u"DsAc" + - u"PeBecue" + - u"SolalNathan" + - u"VanilleNiven" + - u"WikiAeltheos" + - u"WikiBleizi" + - u"WikiGabo" + - u"WikiKorenstin" + - u"WikiLzebulon" + - u"WikiPigeonMoelleux" + - u"WikiPollion" + - u"WikiShirenn" + - u"Wiki20-100" loc_nginx: + extra_params: + - "limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;" service_name: wiki ssl: [] servers: 
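Review bot: `ip_autorised` contains `ip.startswith('172.16.')` and `extra_params` defines `limit_req_zone $binary_remote_addr`, but wiki.crans.org is reached through the reverse proxy, which sits in 172.16.10.x per group_vars/reverseproxy.yml in this same diff; unless the wiki host sees the original client address, every external visitor both passes the 172.16. allow-list and shares a single 10r/s bucket. Restore the client IP before either check — `set_real_ip_from <reverse-proxy adm address>;` and `real_ip_header X-Forwarded-For;` in extra_params — and confirm how the MoinMoin wsgi layer derives `ip`, since that code is outside this hunk. Note also that the `new_account_ip` values carry trailing commas (`- 45.66.108.0/22,`) which become part of the YAML scalar; if the template relies on them to build a Python list that deserves a comment, otherwise they should go.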
@@ -33,6 +78,7 @@ loc_nginx: - filter: "/" params: + - "limit_req zone=mylimit burst=100 nodelay" - "uwsgi_pass unix:///var/run/uwsgi/app/moinmoin/socket" - "include uwsgi_params" diff --git a/host_vars/apprentis.adm.crans.org.yml b/host_vars/apprentis.adm.crans.org.yml index 7a6e61c3..b3eaa07b 100644 --- a/host_vars/apprentis.adm.crans.org.yml +++ b/host_vars/apprentis.adm.crans.org.yml @@ -7,3 +7,20 @@ loc_unattended: loc_needrestart: override: [] + +loc_borg: + to_backup: + - /etc + - /home_nounou + - /var + +loc_restic: + config: + base: + to_backup: + - /etc + - /home_nounou + - /var + +loc_sudo: + group: "USERS" diff --git a/host_vars/backup-ft.adm.crans.org.yml b/host_vars/backup-ft.adm.crans.org.yml index 4663b9c6..28c62814 100644 --- a/host_vars/backup-ft.adm.crans.org.yml +++ b/host_vars/backup-ft.adm.crans.org.yml @@ -10,14 +10,14 @@ loc_needrestart: loc_home_nounou: mounts: - - ip: "{{ query('ldap', 'ip4', 'ft', 'adm') }}" + - ip: "{{ lookup('ldap', 'ip4', 'ft', 'adm') }}" mountpoint: /home_nounou target: /home_nounou name: home_nounou owner: root group: _user mode: '0750' - - ip: "{{ query('ldap', 'ip4', 'ft', 'adm') }}" + - ip: "{{ lookup('ldap', 'ip4', 'ft', 'adm') }}" mountpoint: /rpool/backup target: /backup name: backup diff --git a/host_vars/backup-thot.adm.crans.org.yml b/host_vars/backup-thot.adm.crans.org.yml deleted file mode 100644 index a307080c..00000000 --- a/host_vars/backup-thot.adm.crans.org.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -interfaces: - adm: ens18 - -loc_unattended: - reboot: true - -loc_needrestart: - override: [] - -loc_home_nounou: - mounts: - - ip: "{{ query('ldap', 'ip4', 'thot', 'adm') }}" - mountpoint: /home_nounou - target: /home_nounou - name: home_nounou - owner: root - group: _user - mode: '0750' - - ip: "{{ query('ldap', 'ip4', 'thot', 'adm') }}" - mountpoint: /rpool/backup - target: /backup - name: backup - owner: root - group: root - mode: '0755' 
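Review bot: The new `limit_req zone=mylimit burst=100 nodelay` is keyed on `$binary_remote_addr` (zone declared in the previous hunk), so if this nginx is reached through the reverse proxy that `all.yml` deploys, every visitor shares the proxy's address and a single bucket — the first 100 requests from anyone exhaust the burst for everyone. If that is the topology, set the real client address before the zone is evaluated (`set_real_ip_from <proxy-ip>;` and `real_ip_header X-Forwarded-For;` in `extra_params`, trusting only the proxy) so the limit is per client; I cannot see the proxy chain from this diff, so please confirm. Consider also `limit_req_status 429;` so throttled clients are distinguishable from a backend outage (the default is 503). The enclosing `loc_nginx.servers` block starts outside this hunk.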
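Review bot: `loc_sudo: group: "USERS"` in the apprentis host_vars hunk grants sudo to every member of a group rather than to named accounts, and nothing here shows whether the role renders it with a password requirement or as NOPASSWD. On a shared training host that is a deliberate choice, but it deserves a comment stating it, e.g. `# apprentis is a sandbox: everyone in USERS gets sudo here` — and a check that the role defaults do not also apply this group on other hosts. The loc_restic block duplicates the loc_borg path list exactly; if borg is being phased out (the borg remote list shrank in group_vars/all/borg.yml), a comment noting which one is authoritative would help.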
diff --git a/host_vars/boeing.adm.crans.org.yml b/host_vars/boeing.adm.crans.org.yml index 3f739a8a..d864c5f3 100644 --- a/host_vars/boeing.adm.crans.org.yml +++ b/host_vars/boeing.adm.crans.org.yml @@ -18,9 +18,9 @@ loc_wireguard: peers: - public_key: "{{ vault.wireguard.sputnik.pubkey }}" allowed_ips: - - "{{ query('ldap', 'ip4', 'sputnik', 'adm') }}/32" - - "{{ query('ldap', 'ip6', 'sputnik', 'adm') }}/128" - endpoint: "{{ query('ldap', 'ip4', 'sputnik', 'srv') }}:51820" + - "{{ lookup('ldap', 'ip4', 'sputnik', 'adm') }}/32" + - "{{ lookup('ldap', 'ip6', 'sputnik', 'adm') }}/128" + endpoint: "{{ lookup('ldap', 'ip4', 'sputnik', 'srv') }}:51820" post_up: - "sysctl -w net.ipv4.conf.%i.proxy_arp=1" - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1" @@ -36,7 +36,7 @@ loc_wireguard: peers: - public_key: "{{ vault.wireguard.routeur_ft.pubkey }}" allowed_ips: - - "{{ query('ldap', 'network', 'adm') }}" + - "{{ lookup('ldap', 'network', 'adm') }}" - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" persistent_keepalive: 25 post_up: @@ -54,7 +54,7 @@ loc_wireguard: peers: - public_key: "{{ vault.wireguard.routeur_thot.pubkey }}" allowed_ips: - - "{{ query('ldap', 'network', 'adm') }}" + - "{{ lookup('ldap', 'network', 'adm') }}" - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" persistent_keepalive: 25 post_up: @@ -69,7 +69,7 @@ loc_wireguard: loc_service_proxy: config: ldap: - - server: "ldaps://{{ query('ldap', 'ip4', 'wall-e', 'adm') }}/" + - server: "ldaps://{{ lookup('ldap', 'ip4', 'wall-e', 'adm') }}/" protocol: "proxy" filter: ".adm.crans.org" proxy: diff --git a/host_vars/cameron.adm.crans.org b/host_vars/cameron.adm.crans.org.yml similarity index 63% rename from host_vars/cameron.adm.crans.org rename to host_vars/cameron.adm.crans.org.yml index b16813c5..a0a65849 100644 --- a/host_vars/cameron.adm.crans.org +++ b/host_vars/cameron.adm.crans.org.yml 
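Review bot: In the boeing wireguard hunks the `allowed_ips` lists now mix `lookup('ldap', 'network', 'adm')` with the untouched `"fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"`. `query()` always returns a list, so if the lookup_plugins/ldap.py change in this commit is what makes `lookup()` render a plain string (the plugin diff is cut off below), the remaining `query()` interpolation will render `fd00:0:0:['<id>']::/64`, which `wg setconf` rejects — and since allowed_ips is WireGuard's cryptokey-routing ACL, a failed apply leaves the peer without its IPv6 route rather than silently widening it. Either switch that line too, `- "fd00:0:0:{{ lookup('ldap', 'vlanid', 'adm') }}::/64"`, or add a comment explaining why `query` is required there.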
@@ -10,6 +10,28 @@ loc_borg: - /var/mail - /var/lib/lxcfs +loc_restic: + config: + base: + to_exclude: + - /var/cache + - /var/mail + - /var/lib/lxcfs + pool: + to_exclude: + - "*.pyc" + - "\\#*\\#" + - "*~" + to_backup: + - /pool/home + - /pool/mail + retention: + - [--keep-daily, 4] + - [--keep-weekly, 4] + - [--keep-monthly, 6] + backup_extra_param: " --exclude-if-present .nobackup" + +# Semble créer les homes des nouvelleaux adhérent⋅es loc_service_home: name: home install_dir: /var/local/services/home @@ -23,7 +45,7 @@ loc_service_home: version: master config: ldap: - server: "ldap://{{ query('ldap', 'ip4', 'yson-partou', 'adm') }}/" + server: "ldap://{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}/" binddn: "{{ vault.services.home.ldap.binddn }}" basedn: cn=Utilisateurs,dc=crans,dc=org password: "{{ vault.services.home.ldap.bindpass }}" @@ -34,6 +56,7 @@ loc_service_home: path: /pool/mail quota: 10G +# Semble faire les backups des homes individuellement avec borg loc_service_borg: name: borg install_dir: /var/local/services/borg @@ -48,7 +71,7 @@ loc_service_borg: version: main config: ldap: - server: "ldap://{{ query('ldap', 'ip4', 'yson-partou', 'adm') }}" + server: "ldap://{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}" binddn: "{{ vault.services.home.ldap.binddn }}" rootdn: cn=Utilisateurs,dc=crans,dc=org password: "{{ vault.services.home.ldap.bindpass }}" diff --git a/host_vars/cephiroth.adm.crans.org b/host_vars/cephiroth.adm.crans.org deleted file mode 100644 index ed4d6dcd..00000000 --- a/host_vars/cephiroth.adm.crans.org +++ /dev/null @@ -1,17 +0,0 @@ ---- -interfaces: - disable: true - -loc_needrestart: - override: [] - -loc_borg: - to_backup: - - /etc - - /home_nounou - - /var - -loc_slapd: - ip: "{{ query('ldap', 'ip4', 'cephiroth', 'adm') }}" - replica: true - replica_rid: 5 diff --git a/host_vars/chene.adm.crans.org.yml b/host_vars/chene.adm.crans.org.yml index c8deaa80..7a6e61c3 100644 --- a/host_vars/chene.adm.crans.org.yml 
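Review bot: The `loc_service_home` LDAP line changed here keeps `ldap://` while passing `binddn` and `password: "{{ vault.services.home.ldap.bindpass }}"`, so the simple bind travels in clear on the adm network unless the service negotiates STARTTLS — nothing in this diff shows that it does, whereas the proxmox, proxy and ssh_known_hosts configs in the same commit all use `ldaps://`. Changing it to `server: "ldaps://{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}/"` (and the same in `loc_service_borg` below) would make cameron consistent with them. Note also that `loc_service_borg` reuses `vault.services.home.ldap.binddn`/`bindpass`; two services sharing one bind identity means one leak exposes both and the LDAP ACL cannot distinguish them, so a dedicated read-only DN per service is worth a ticket.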
+++ b/host_vars/chene.adm.crans.org.yml @@ -1,7 +1,6 @@ --- interfaces: adm: ens18 - srv_nat: ens19 loc_unattended: reboot: true diff --git a/host_vars/constellation-dev.adm.crans.org.yml b/host_vars/constellation-dev.adm.crans.org.yml deleted file mode 100644 index 2e929d94..00000000 --- a/host_vars/constellation-dev.adm.crans.org.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -interfaces: - adm: eth0 - srv_nat: eth1 - -loc_unattended: - reboot: true - -loc_needrestart: - override: [] - -loc_constellation: - allowed_hosts: - - 'constellation-dev.crans.org' - database: - host: '127.0.0.1' - user: 'constellation-dev' - name: 'constellation-dev' - applications: - - 'access' - - 'billing' - - 'debug' - - 'dnsmanager' - - 'firewall' - - 'layers' - - 'management' - - 'member' - - 'topography' - - 'unix' - stripe: - private_key: '{{ vault.constellation.stripe.test.private_key }}' - public_key: '{{ vault.constellation.stripe.test.public_key }}' - note: - url: 'https://note-dev.crans.org/' - client_id: '{{ vault.constellation.note.client_id }}' - client_secret: '{{ vault.constellation.note.client_secret }}' - debug: true - version: dev diff --git a/host_vars/daneel.adm.crans.org.yml b/host_vars/daneel.adm.crans.org.yml deleted file mode 100644 index 1af89089..00000000 --- a/host_vars/daneel.adm.crans.org.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -interfaces: - disable: true - adm: ens18 - san: ens19 - -loc_needrestart: - override: [] diff --git a/host_vars/daniel.adm.crans.org.yml b/host_vars/daniel.adm.crans.org.yml index 7d40fa5c..a6fc7090 100644 --- a/host_vars/daniel.adm.crans.org.yml +++ b/host_vars/daniel.adm.crans.org.yml @@ -6,7 +6,7 @@ loc_needrestart: override: [] loc_slapd: - ip: "{{ query('ldap', 'ip4', 'daniel', 'adm') }}" + ip: "{{ lookup('ldap', 'ip4', 'daniel', 'adm') }}" replica: true replica_rid: 2 
diff --git a/host_vars/jitsi.adm.crans.org.yml b/host_vars/eclaircie.adm.crans.org.yml similarity index 75% rename from host_vars/jitsi.adm.crans.org.yml rename to host_vars/eclaircie.adm.crans.org.yml index b98b6279..f0fc138d 100644 --- a/host_vars/jitsi.adm.crans.org.yml +++ b/host_vars/eclaircie.adm.crans.org.yml @@ -1,7 +1,8 @@ --- interfaces: adm: ens18 - srv: ens19 + san: ens19 + srv_nat: ens20 loc_unattended: reboot: true diff --git a/host_vars/eclat.adm.crans.org.yml b/host_vars/eclat.adm.crans.org.yml index 3cb60555..9c3871ce 100644 --- a/host_vars/eclat.adm.crans.org.yml +++ b/host_vars/eclat.adm.crans.org.yml @@ -12,7 +12,7 @@ loc_needrestart: loc_nfs_mount: mounts: - - ip: "{{ query('ldap', 'ip4', 'tealc', 'san') }}" + - ip: "{{ lookup('ldap', 'ip4', 'tealc', 'san') }}" mountpoint: /pool/mirror target: /mirror name: mirror diff --git a/host_vars/ft.adm.crans.org.yml b/host_vars/ft.adm.crans.org.yml index 5e57b5ba..168e7162 100644 --- a/host_vars/ft.adm.crans.org.yml +++ b/host_vars/ft.adm.crans.org.yml @@ -11,7 +11,15 @@ loc_borg: - /home_nounou - /var +loc_restic: + config: + base: + to_backup: + - /etc + - /home_nounou + - /var + loc_slapd: - ip: "{{ query('ldap', 'ip4', 'ft', 'adm') }}" + ip: "{{ lookup('ldap', 'ip4', 'ft', 'adm') }}" replica: true replica_rid: 6 diff --git a/host_vars/fyre.adm.crans.org.yml b/host_vars/fyre.adm.crans.org.yml index 535dd4a5..81b18048 100644 --- a/host_vars/fyre.adm.crans.org.yml +++ b/host_vars/fyre.adm.crans.org.yml 
@@ -10,33 +10,6 @@ loc_needrestart: override: [] loc_prometheus: - node: - config: - - job_name: servers - file_sd_configs: - - files: - - '/etc/prometheus/targets/node.json' - relabel_configs: - - source_labels: [__address__] - target_label: __param_target - - source_labels: [__param_target] - target_label: instance - - source_labels: [__param_target] - target_label: __address__ - replacement: '$1:9100' - - nginx: - config: - - job_name: nginx - file_sd_configs: - - files: - - '/etc/prometheus/targets/nginx.json' - relabel_configs: - - source_labels: [__address__] - target_label: instance - - source_labels: [instance] - target_label: __address__ - replacement: '$1:9117' apache: config: 
@@ -50,29 +23,59 @@ loc_prometheus: target_label: __address__ replacement: '$1:9117' + bind: + config: + - job_name: bind + file_sd_configs: + - files: + - '/etc/prometheus/targets/bind.json' + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - source_labels: [__param_target] + target_label: __address__ + replacement: '$1:9119' + + bird: + config: + - job_name: bird + file_sd_configs: + - files: + - '/etc/prometheus/targets/bird.json' + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - source_labels: [__param_target] + target_label: __address__ + replacement: '$1:9324' + blackbox: file: targets/blackbox.json targets: + - http://ftp.crans.org/ + - https://cas.crans.org/ - https://crans.org/ - https://www.crans.org/ - - https://webirc.crans.org/ - - https://jitsi.crans.org/ - - https://ftps.crans.org/ - - http://ftp.crans.org/ - - https://grafana.crans.org/ - - https://roundcube.crans.org/ - - https://zero.crans.org/ - - https://wiki.crans.org/PageAccueil - - https://framadate.crans.org/ - - https://pad.crans.org/ - - https://lists.crans.org/ - - https://cas.crans.org/ - https://ethercalc.crans.org/ + - https://framadate.crans.org/ + - https://ftps.crans.org/ - https://gitlab.crans.org/ - - https://perso.crans.org/crans/ + - https://grafana.crans.org/ - https://install-party.crans.org/ - https://intranet.crans.org/ + - https://jitsi.crans.org/ + - https://lists.crans.org/ - https://owncloud.crans.org/ + - https://pad.crans.org/ + - https://perso.crans.org/crans/ + - https://roundcube.crans.org/ + - https://webirc.crans.org/ + - https://wiki.crans.org/PageAccueil + - https://zero.crans.org/ config: - job_name: blackbox file_sd_configs: 
@@ -106,27 +109,30 @@ loc_prometheus: - target_label: __address__ replacement: 127.0.0.1:9115 - bird: + ilo_snmp: config: - - job_name: bird + - job_name: ilo_snmp file_sd_configs: - files: - - '/etc/prometheus/targets/bird.json' + - '/etc/prometheus/targets/ilo_snmp.json' + metrics_path: '/snmp' + params: + module: + - ilo relabel_configs: - source_labels: [__address__] target_label: __param_target - source_labels: [__param_target] target_label: instance - - source_labels: [__param_target] + - replacement: '127.0.0.1:9116' target_label: __address__ - replacement: '$1:9324' - bind: + mtail: config: - - job_name: bind + - job_name: mtail file_sd_configs: - files: - - '/etc/prometheus/targets/bind.json' + - '/etc/prometheus/targets/mtail.json' relabel_configs: - source_labels: [__address__] target_label: __param_target @@ -134,7 +140,50 @@ loc_prometheus: target_label: instance - source_labels: [__param_target] target_label: __address__ - replacement: '$1:9119' + replacement: '$1:3903' + + mysql: + config: + - job_name: mysql + file_sd_configs: + - files: + - '/etc/prometheus/targets/mysql.json' + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - source_labels: [__param_target] + target_label: __address__ + replacement: '$1:9104' + + nginx: + config: + - job_name: nginx + file_sd_configs: + - files: + - '/etc/prometheus/targets/nginx.json' + relabel_configs: + - source_labels: [__address__] + target_label: instance + - source_labels: [instance] + target_label: __address__ + replacement: '$1:9117' + + node: + config: + - job_name: servers + file_sd_configs: + - files: + - '/etc/prometheus/targets/node.json' + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - source_labels: [__param_target] + target_label: __address__ + replacement: '$1:9100' postfix: config: 
@@ -166,54 +215,50 @@ loc_prometheus: target_label: __address__ replacement: '$1:9187' - mysql: + printer_snmp: config: - - job_name: mysql - file_sd_configs: - - files: - - '/etc/prometheus/targets/mysql.json' - relabel_configs: - - source_labels: [__address__] - target_label: __param_target - - source_labels: [__param_target] - target_label: instance - - source_labels: [__param_target] - target_label: __address__ - replacement: '$1:9104' - - mtail: - config: - - job_name: mtail - file_sd_configs: - - files: - - '/etc/prometheus/targets/mtail.json' - relabel_configs: - - source_labels: [__address__] - target_label: __param_target - - source_labels: [__param_target] - target_label: instance - - source_labels: [__param_target] - target_label: __address__ - replacement: '$1:3903' - - ilo_snmp: - config: - - job_name: ilo_snmp - file_sd_configs: - - files: - - '/etc/prometheus/targets/ilo_snmp.json' + - job_name: printer_snmp + static_configs: + - targets: ["printer.lp.crans.org"] metrics_path: '/snmp' params: module: - - ilo + - printer_mib relabel_configs: - source_labels: [__address__] target_label: __param_target - source_labels: [__param_target] target_label: instance - - replacement: '127.0.0.1:9116' + - replacement: "{{ lookup('ldap', 'ip4', 'helloworld', 'adm') }}:9116" target_label: __address__ + synapse: + config: + - job_name: synapse + static_configs: + - targets: ["matrix.crans.org"] + scrape_interval: 15s + metrics_path: "/_synapse/metrics" + + jitsi: + config: + - job_name: jitsi + static_configs: + - targets: ["jitsi.adm.crans.org"] + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - source_labels: [__param_target] + target_label: __address__ + replacement: '$1:9700' + + + tsdb: + retention_time: "180d" + retention_size: "200GB" + ups_snmp: config: - job_name: ups_snmp 
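Review bot: The new `synapse` job scrapes `matrix.crans.org` with `metrics_path: "/_synapse/metrics"` and no `scheme`, so Prometheus will fetch `http://matrix.crans.org/_synapse/metrics` over the public name, which only works if that unauthenticated metrics path is exposed through the public reverse proxy — a leak of user/room/federation statistics to anyone. Unless the proxy restricts that path to fyre, prefer the dedicated Synapse metrics listener on the adm address (`targets: ["matrix.adm.crans.org:9000"]` with whatever port the listener uses, which I cannot see here) and drop the public path. The `jitsi` job right below targets `jitsi.adm.crans.org`, yet this same commit renames host_vars/jitsi.adm.crans.org.yml to eclaircie and deletes the `[jitsi]` inventory group; confirm the DNS name still resolves or the target will just be down.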
@@ -233,23 +278,3 @@ loc_prometheus: target_label: instance - replacement: 127.0.0.1:9116 target_label: __address__ - - printer_snmp: - config: - - job_name: printer_snmp - static_configs: - - targets: ["printer.lp.crans.org"] - metrics_path: '/snmp' - params: - module: - - printer_mib - relabel_configs: - - source_labels: [__address__] - target_label: __param_target - - source_labels: [__param_target] - target_label: instance - - replacement: "{{ query('ldap', 'ip4', 'helloworld', 'adm') }}:9116" - target_label: __address__ - tsdb: - retention_time: "180d" - retention_size: "200GB" diff --git a/host_vars/gitzly.adm.crans.org.yml b/host_vars/gitzly.adm.crans.org.yml index f88fe3ce..99b6ebe4 100644 --- a/host_vars/gitzly.adm.crans.org.yml +++ b/host_vars/gitzly.adm.crans.org.yml @@ -22,7 +22,7 @@ loc_service_certbot: config: "crans.org": zone: _acme-challenge.crans.org - server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}" + server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}" port: 53 key: name: certbot_challenge. @@ -30,7 +30,7 @@ loc_service_certbot: algorithm: HMAC-SHA512 "adm.crans.org": zone: _acme-challenge.adm.crans.org - server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}" + server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}" port: 53 key: name: certbot_adm_challenge. diff --git a/host_vars/helloworld.adm.crans.org.yml b/host_vars/helloworld.adm.crans.org.yml index 8e318d8a..e500fe32 100644 --- a/host_vars/helloworld.adm.crans.org.yml +++ b/host_vars/helloworld.adm.crans.org.yml @@ -11,4 +11,4 @@ loc_needrestart: override: [] loc_snmp_exporter: - listen_address: "{{ query('ldap', 'ip4', 'helloworld', 'adm') }}:9116" + listen_address: "{{ lookup('ldap', 'ip4', 'helloworld', 'adm') }}:9116" diff --git a/host_vars/irc.adm.crans.org.yml b/host_vars/irc.adm.crans.org.yml index 6260d72f..26f4d09f 100644 --- a/host_vars/irc.adm.crans.org.yml +++ b/host_vars/irc.adm.crans.org.yml 
@@ -54,22 +54,22 @@ loc_inspircd: - name: crans.org - name: adm.crans.org bind: - - address: "{{ query('ldap', 'ip4', 'irc', 'srv') }}" + - address: "{{ lookup('ldap', 'ip4', 'irc', 'srv') }}" type: clients clair: 6667 ssl: 6697 certificate: crans.org - - address: "{{ query('ldap', 'ip6', 'irc', 'srv') }}" + - address: "{{ lookup('ldap', 'ip6', 'irc', 'srv') }}" type: clients clair: 6667 ssl: 6697 certificate: crans.org - - address: "{{ query('ldap', 'ip4', 'irc', 'adm') }}" + - address: "{{ lookup('ldap', 'ip4', 'irc', 'adm') }}" type: clients clair: 6667 ssl: 6697 certificate: adm.crans.org - - address: "{{ query('ldap', 'ip6', 'irc', 'adm') }}" + - address: "{{ lookup('ldap', 'ip6', 'irc', 'adm') }}" type: clients clair: 6667 ssl: 6697 
@@ -80,28 +80,28 @@ loc_inspircd: connect: - name: zamok allows: - ipv4: "{{ query('ldap', 'ip4', 'zamok', 'srv') }}/32" - ipv6: "{{ query('ldap', 'ip6', 'zamok', 'srv') }}/128" + ipv4: "{{ lookup('ldap', 'ip4', 'zamok', 'srv') }}/32" + ipv6: "{{ lookup('ldap', 'ip6', 'zamok', 'srv') }}/128" threshold: 1 - name: irc allows: - ipv4: "{{ query('ldap', 'ip4', 'irc', 'srv') }}/32" - ipv6: "{{ query('ldap', 'ip6', 'irc', 'srv') }}/128" + ipv4: "{{ lookup('ldap', 'ip4', 'irc', 'srv') }}/32" + ipv6: "{{ lookup('ldap', 'ip6', 'irc', 'srv') }}/128" threshold: 1 - name: gitlab allows: - ipv4: "{{ query('ldap', 'ip4', 'gitzly', 'srv') }}/32" - ipv6: "{{ query('ldap', 'ip6', 'gitzly', 'srv') }}/128" + ipv4: "{{ lookup('ldap', 'ip4', 'gitzly', 'srv') }}/32" + ipv6: "{{ lookup('ldap', 'ip6', 'gitzly', 'srv') }}/128" threshold: 10 commandrate: 10000 - name: monitoring allows: - ipv4: "{{ query('ldap', 'ip4', 'fyre', 'adm') }}/32" - ipv6: "{{ query('ldap', 'ip6', 'fyre', 'adm') }}/128" + ipv4: "{{ lookup('ldap', 'ip4', 'fyre', 'adm') }}/32" + ipv6: "{{ lookup('ldap', 'ip6', 'fyre', 'adm') }}/128" threshold: 10 commandrate: 10000 modes: true - dns: "{{ query('ldap', 'ip4', 'romanesco', 'srv') }}" + dns: "{{ lookup('ldap', 'ip4', 'romanesco', 'srv') }}" services: name: services.irc.crans.org port: 6668 @@ -127,7 +127,7 @@ loc_service_certbot: config: "crans.org": zone: _acme-challenge.crans.org - server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}" + server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}" port: 53 key: name: certbot_challenge. @@ -135,7 +135,7 @@ loc_service_certbot: algorithm: HMAC-SHA512 "adm.crans.org": zone: _acme-challenge.adm.crans.org - server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}" + server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}" port: 53 key: name: certbot_adm_challenge. diff --git a/host_vars/jack.adm.crans.org.yml b/host_vars/jack.adm.crans.org.yml index e8e51245..96a39a03 100644 --- a/host_vars/jack.adm.crans.org.yml 
+++ b/host_vars/jack.adm.crans.org.yml @@ -6,7 +6,7 @@ loc_needrestart: override: [] loc_slapd: - ip: "{{ query('ldap', 'ip4', 'jack', 'adm') }}" + ip: "{{ lookup('ldap', 'ip4', 'jack', 'adm') }}" replica: true replica_rid: 3 diff --git a/host_vars/kameron.adm.crans.org.yml b/host_vars/kameron.adm.crans.org.yml deleted file mode 100644 index fe58a1d8..00000000 --- a/host_vars/kameron.adm.crans.org.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -interfaces: - adm: ens18 - san: ens19 - zef: ens20 - -loc_needrestart: - override: [] diff --git a/host_vars/listenup.adm.crans.org.yml b/host_vars/listenup.adm.crans.org.yml deleted file mode 100644 index 1af89089..00000000 --- a/host_vars/listenup.adm.crans.org.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -interfaces: - disable: true - adm: ens18 - san: ens19 - -loc_needrestart: - override: [] diff --git a/host_vars/netns.adm.crans.org b/host_vars/netns.adm.crans.org.yml similarity index 100% rename from host_vars/netns.adm.crans.org rename to host_vars/netns.adm.crans.org.yml diff --git a/host_vars/otter.adm.crans.org.yml b/host_vars/otter.adm.crans.org.yml deleted file mode 100644 index fe58a1d8..00000000 --- a/host_vars/otter.adm.crans.org.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -interfaces: - adm: ens18 - san: ens19 - zef: ens20 - -loc_needrestart: - override: [] diff --git a/host_vars/owl.adm.crans.org.yml b/host_vars/owl.adm.crans.org.yml index 3170721e..cb7377df 100644 --- a/host_vars/owl.adm.crans.org.yml +++ b/host_vars/owl.adm.crans.org.yml @@ -16,3 +16,11 @@ loc_borg: to_exclude: - /var/mail - /var/lib/lxcfs + +loc_restic: + config: + base: + to_exclude: + - /var/cache + - /var/mail + - /var/lib/lxcfs diff --git a/host_vars/owncloud.adm.crans.org.yml b/host_vars/owncloud.adm.crans.org.yml index 9184485e..b0040835 100644 --- a/host_vars/owncloud.adm.crans.org.yml +++ b/host_vars/owncloud.adm.crans.org.yml 
@@ -15,4 +15,4 @@ loc_needrestart: loc_ldap: base_dn: "{{ vault.slapd.re2o.admin.binddn }}" password: "{{ vault.slapd.re2o.admin.bindpass }}" - uri: "ldap://{{ query('ldap', 'ip4', 'yson-partou', 'adm') }}" + uri: "ldap://{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}" diff --git a/host_vars/ptf.adm.crans.org.yml b/host_vars/ptf.adm.crans.org.yml index f3dbec9b..40d22e53 100644 --- a/host_vars/ptf.adm.crans.org.yml +++ b/host_vars/ptf.adm.crans.org.yml @@ -12,7 +12,7 @@ loc_needrestart: loc_nfs_mount: mounts: - - ip: "{{ query('ldap', 'ip4', 'tealc', 'san') }}" + - ip: "{{ lookup('ldap', 'ip4', 'tealc', 'san') }}" mountpoint: /pool/ftp target: /ftp name: ftp diff --git a/host_vars/re2o-dev.adm.crans.org.yml b/host_vars/re2o-dev.adm.crans.org.yml index da943a59..c851e724 100644 --- a/host_vars/re2o-dev.adm.crans.org.yml +++ b/host_vars/re2o-dev.adm.crans.org.yml @@ -10,4 +10,4 @@ loc_needrestart: override: [] loc_re2o_ldap_replica: - url: "ldaps://{{ query('ldap', 'ip4', 'yson-partou', 'adm') }}:636" + url: "ldaps://{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}:636" diff --git a/host_vars/redisdead.adm.crans.org.yml b/host_vars/redisdead.adm.crans.org.yml index 065c1117..2173ed05 100644 --- a/host_vars/redisdead.adm.crans.org.yml +++ b/host_vars/redisdead.adm.crans.org.yml @@ -25,7 +25,7 @@ loc_service_certbot: config: "crans.org": zone: _acme-challenge.crans.org - server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}" + server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}" port: 53 key: name: certbot_challenge. @@ -33,7 +33,7 @@ loc_service_certbot: algorithm: HMAC-SHA512 "adm.crans.org": zone: _acme-challenge.adm.crans.org - server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}" + server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}" port: 53 key: name: certbot_adm_challenge. diff --git a/host_vars/routeur-ft.adm.crans.org.yml b/host_vars/routeur-ft.adm.crans.org.yml index 9996b31c..61d5a9cb 100644 --- a/host_vars/routeur-ft.adm.crans.org.yml 
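Review bot: The owncloud hunk binds to the directory as `vault.slapd.re2o.admin.binddn` — the re2o admin identity — over plain `ldap://`, so a read-only consumer holds a write-capable credential and sends it unencrypted; the adjacent re2o-dev hunk uses `ldaps://…:636` and the virtu_adh config uses a dedicated `vault.ldap_adh_reader` DN, which is the pattern to follow. Suggested change: `uri: "ldaps://{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}:636"` plus a reader-only bind DN/password in the vault. Whether owncloud needs anything beyond search on `cn=Utilisateurs` is not visible here, so please confirm before swapping the DN.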
+++ b/host_vars/routeur-ft.adm.crans.org.yml @@ -18,14 +18,14 @@ loc_wireguard: peers: - public_key: "{{ vault.wireguard.boeing.viarezo.pubkey }}" allowed_ips: - - "{{ query('ldap', 'network', 'adm') }}" + - "{{ lookup('ldap', 'network', 'adm') }}" - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" - endpoint: "{{ query('ldap', 'ip4', 'boeing', 'srv') }}:51821" + endpoint: "{{ lookup('ldap', 'ip4', 'boeing', 'srv') }}:51821" persistent_keepalive: 25 post_up: - "sysctl -w net.ipv4.conf.%i.proxy_arp=1" - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1" - - "ip route add {{ query('ldap', 'ip4', 'tealc', 'adm') }} dev %i proto proxy" + - "ip route add {{ lookup('ldap', 'ip4', 'tealc', 'adm') }} dev %i proto proxy" - "python3 /var/local/services/proxy/proxy.py --alter" pre_down: - "sysctl -w net.ipv4.conf.%i.proxy_arp=0" @@ -35,8 +35,8 @@ loc_wireguard: loc_service_proxy: config: ldap: - - server: "ldaps://{{ query('ldap', 'ip4', 'wall-e', 'adm') }}/" - - server: "ldaps://{{ query('ldap', 'ip4', 'ft', 'adm') }}/" + - server: "ldaps://{{ lookup('ldap', 'ip4', 'wall-e', 'adm') }}/" + - server: "ldaps://{{ lookup('ldap', 'ip4', 'ft', 'adm') }}/" protocol: "proxy" filter: ".adm.crans.org" proxy: diff --git a/host_vars/routeur-sam.adm.crans.org/restic.yml b/host_vars/routeur-sam.adm.crans.org/restic.yml new file mode 100644 index 00000000..08611345 --- /dev/null +++ b/host_vars/routeur-sam.adm.crans.org/restic.yml @@ -0,0 +1,8 @@ +--- +loc_restic: + config: + base: + to_backup: + - /etc + - /home_nounou + - /var diff --git a/host_vars/routeur-thot.adm.crans.org.yml b/host_vars/routeur-thot.adm.crans.org.yml deleted file mode 100644 index ea3c8c1d..00000000 --- a/host_vars/routeur-thot.adm.crans.org.yml +++ /dev/null 
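Review bot: The routeur-ft wireguard hunk converts `network`, `endpoint` and the `ip route add` line to `lookup()` but leaves `"fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"` on `query()`; `query` always yields a list, so if the plugin now returns a list (the lookup_plugins/ldap.py change is cut off in this view), this allowed_ips entry renders as `fd00:0:0:['<id>']::/64` and the tunnel config fails to load, cutting the ViaRézo route to the adm network. Use `- "fd00:0:0:{{ lookup('ldap', 'vlanid', 'adm') }}::/64"` for consistency with the rest of the list. The `post_up` hook still runs `python3 /var/local/services/proxy/proxy.py --alter` as root from wg-quick; a short comment on what `--alter` changes would help whoever audits that path later.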
@@ -1,45 +0,0 @@ ---- -interfaces: - adm: ens18 - auto: ens19 - -loc_unattended: - reboot: true - -loc_needrestart: - override: [] - -loc_wireguard: - tunnels: - - name: "boeing" - listen_port: 51820 - private_key: "{{ vault.wireguard.routeur_thot.privkey }}" - table: "off" - peers: - - public_key: "{{ vault.wireguard.boeing.aurore.pubkey }}" - allowed_ips: - - "{{ query('ldap', 'network', 'adm') }}" - - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" - endpoint: "{{ query('ldap', 'ip4', 'boeing', 'srv') }}:51822" - persistent_keepalive: 25 - post_up: - - "sysctl -w net.ipv4.conf.%i.proxy_arp=1" - - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1" - - "ip route add {{ query('ldap', 'ip4', 'tealc', 'adm') }} dev %i proto proxy" - - "python3 /var/local/services/proxy/proxy.py --alter" - pre_down: - - "sysctl -w net.ipv4.conf.%i.proxy_arp=0" - - "sysctl -w net.ipv6.conf.%i.proxy_ndp=0" - - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy" - - -loc_service_proxy: - config: - ldap: - - server: "ldaps://{{ query('ldap', 'ip4', 'wall-e', 'adm') }}/" - - server: "ldaps://{{ query('ldap', 'ip4', 'thot', 'adm') }}/" - protocol: "proxy" - filter: ".adm.crans.org" - proxy: - default: "boeing" - aurore: "ens18" diff --git a/host_vars/sam.adm.crans.org.yml b/host_vars/sam.adm.crans.org.yml index a9693e4d..cf432bd0 100644 --- a/host_vars/sam.adm.crans.org.yml +++ b/host_vars/sam.adm.crans.org.yml @@ -11,8 +11,17 @@ loc_borg: - /home_nounou - /var + +loc_restic: + config: + base: + to_backup: + - /etc + - /home_nounou + - /var + loc_slapd: - ip: "{{ query('ldap', 'ip4', 'sam', 'adm') }}" + ip: "{{ lookup('ldap', 'ip4', 'sam', 'adm') }}" replica: true replica_rid: 1 diff --git a/host_vars/sputnik.adm.crans.org.yml b/host_vars/sputnik.adm.crans.org.yml index c6cf1716..178706c6 100644 --- a/host_vars/sputnik.adm.crans.org.yml +++ b/host_vars/sputnik.adm.crans.org.yml 
@@ -18,21 +18,21 @@ loc_wireguard: tunnels: - name: "sputnik" addresses: - - "{{ query('ldap', 'ip4', 'sputnik', 'adm') }}/24" - - "{{ query('ldap', 'ip6', 'sputnik', 'adm') }}/64" + - "{{ lookup('ldap', 'ip4', 'sputnik', 'adm') }}/24" + - "{{ lookup('ldap', 'ip6', 'sputnik', 'adm') }}/64" listen_port: 51820 private_key: "{{ vault.wireguard.sputnik.privkey }}" peers: - public_key: "{{ vault.wireguard.boeing.sputnik.pubkey }}" allowed_ips: - - "{{ query('ldap', 'network', 'adm') }}" + - "{{ lookup('ldap', 'network', 'adm') }}" - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" - endpoint: "{{ query('ldap', 'ip4', 'boeing', 'srv') }}:51820" + endpoint: "{{ lookup('ldap', 'ip4', 'boeing', 'srv') }}:51820" post_up: - "/sbin/ip link set sputnik alias adm" loc_slapd: - ip: "{{ query('ldap', 'ip4', 'sputnik', 'adm') }}" + ip: "{{ lookup('ldap', 'ip4', 'sputnik', 'adm') }}" replica: true replica_rid: 4 @@ -48,7 +48,7 @@ loc_service_certbot: config: "crans.org": zone: _acme-challenge.crans.org - server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}" + server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}" port: 53 key: name: certbot_challenge. @@ -56,7 +56,7 @@ loc_service_certbot: algorithm: HMAC-SHA512 "adm.crans.org": zone: _acme-challenge.adm.crans.org - server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}" + server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}" port: 53 key: name: certbot_adm_challenge. @@ -82,4 +82,4 @@ loc_bind: loc_service_ssh_known_hosts: config: ldap: - server: "ldaps://{{ query('ldap', 'ip4', 'sputnik', 'adm') }}" + server: "ldaps://{{ lookup('ldap', 'ip4', 'sputnik', 'adm') }}" diff --git a/host_vars/tealc.adm.crans.org.yml b/host_vars/tealc.adm.crans.org.yml index 8618f5ad..fb3e128f 100644 --- a/host_vars/tealc.adm.crans.org.yml +++ b/host_vars/tealc.adm.crans.org.yml 
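Review bot: The sputnik tunnel hunk has the same `query`/`lookup` mix as boeing and routeur-ft: `"fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"` sits next to `lookup()`-based entries in `allowed_ips`, and if the plugin now returns a list this line breaks the peer's IPv6 cryptokey route — change it to `- "fd00:0:0:{{ lookup('ldap', 'vlanid', 'adm') }}::/64"`. Also, the `loc_service_certbot` config touched below is kept while this commit removes `sputnik.adm.crans.org` from the `[certbot]` inventory group (hosts hunk further down); unless sputnik is still pulled in through a `certbot:children` group I cannot see, the TSIG key and zones here become dead config and the certificates used by `loc_bind`/`ldaps` on sputnik will stop renewing.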
@@ -21,13 +21,11 @@ loc_postgres: - db: roundcube user: roundcube map: {name: webmail, system: www-data, pg: roundcube} - - {db: owncloud, user: owncloud} - {db: cas, user: cas} - - {db: hedgedoc, user: hedgedoc} + - {db: owncloud, user: owncloud} - {db: sqlgrey, user: sqlgrey, method: ident} - {db: re2o, user: re2o} - {db: re2o_test, user: re2o} - - {db: constellation-dev, user: constellation-dev} - {db: mailman3, user: mailman3} - {db: mailman3web, user: mailman3web} - {db: all, user: all, subnets: ['127.0.0.1/32', '::1/128'], local: true} @@ -43,6 +41,27 @@ loc_borg: - /var - /pool/home +loc_restic: + config: + base: + to_backup: + - /etc + - /var + pool: + force_calendar: "5:00" + to_exclude: + - "*.pyc" + - "\\#*\\#" + - "*~" + to_backup: + - /pool/home + - /pool/mail + retention: + - [--keep-daily, 4] + - [--keep-weekly, 4] + - [--keep-monthly, 6] + backup_extra_param: " --exclude-if-present .nobackup" + loc_rsyslog_server: name: tealc root: /pool/logs diff --git a/host_vars/tealch.adm.crans.org.yml b/host_vars/tealch.adm.crans.org.yml deleted file mode 100644 index fe58a1d8..00000000 --- a/host_vars/tealch.adm.crans.org.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -interfaces: - adm: ens18 - san: ens19 - zef: ens20 - -loc_needrestart: - override: [] diff --git a/host_vars/thot.adm.crans.org.yml b/host_vars/thot.adm.crans.org.yml deleted file mode 100644 index 327842cc..00000000 --- a/host_vars/thot.adm.crans.org.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -interfaces: - disable: true - -loc_needrestart: - override: [] - -loc_borg: - to_backup: - - /etc - - /home_nounou - - /var - -loc_slapd: - ip: "{{ query('ldap', 'ip4', 'thot', 'adm') }}" - replica: true - replica_rid: 5 diff --git a/host_vars/wall-e.adm.crans.org b/host_vars/wall-e.adm.crans.org.yml similarity index 100% rename from host_vars/wall-e.adm.crans.org rename to host_vars/wall-e.adm.crans.org.yml 
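Review bot: The new `loc_restic.config.base.to_backup` on tealc lists `/var` without excluding the PostgreSQL data directory, while this same hunk shows tealc is the postgres host for re2o, cas, owncloud and mailman; a file-level copy of a live cluster is not crash-consistent unless restic reads from a filesystem snapshot or a dump is taken first, neither of which is visible here. Suggest `to_exclude: [/var/lib/postgresql]` under `base` and a pre-backup `pg_dumpall` into a path that is backed up, or a comment stating that the pool backup runs from a ZFS snapshot. The `pool` retention is expressed as restic flags (`--keep-daily`) whereas the borg retention above uses bare names — fine, but a one-line comment noting the format difference would avoid copy-paste errors between the two blocks.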
diff --git a/host_vars/zamok.adm.crans.org.yml b/host_vars/zamok.adm.crans.org.yml index 90e157d4..82d72aa5 100644 --- a/host_vars/zamok.adm.crans.org.yml +++ b/host_vars/zamok.adm.crans.org.yml @@ -19,27 +19,37 @@ loc_borg: - /var/lib/lxcfs - /var/lib/mysql +loc_restic: + config: + base: + to_exclude: + - /var/cache + - /var/mail + - /var/lib/podman + - /var/lib/lxcfs + - /var/lib/mysql + loc_thelounge: - host: "\"{{ query('ldap', 'ip4', 'zamok', 'adm') }}\"" + host: "\"{{ lookup('ldap', 'ip4', 'zamok', 'adm') }}\"" oidentd: "\"/usr/local/lib/thelounge/.oidentd.conf\"" reverseProxy: "true" ldap_enable: "true" loc_crans_scripts: group: nounou - dests: + dest: - /usr/scripts loc_nfs_mount: mounts: - - ip: "{{ query('ldap', 'ip4', 'cameron', 'san') }}" + - ip: "{{ lookup('ldap', 'ip4', 'cameron', 'san') }}" mountpoint: /pool/home target: /home name: home owner: root group: root mode: '0755' - - ip: "{{ query('ldap', 'ip4', 'cameron', 'san') }}" + - ip: "{{ lookup('ldap', 'ip4', 'cameron', 'san') }}" mountpoint: /pool/mail target: /var/mail name: var-mail diff --git a/hosts b/hosts index 98babe28..d3d467be 100644 --- a/hosts +++ b/hosts @@ -6,7 +6,6 @@ zamok.adm.crans.org [arpproxy] boeing.adm.crans.org routeur-ft.adm.crans.org -routeur-thot.adm.crans.org [autoconfig] hodaur.adm.crans.org @@ -16,7 +15,6 @@ cameron.adm.crans.org [backups] backup-ft.adm.crans.org -backup-thot.adm.crans.org [baie] cameron.adm.crans.org 
@@ -31,41 +29,27 @@ routeurs_vm [blackbox] fyre.adm.crans.org -[ceph_test] -tealch.adm.crans.org -kameron.adm.crans.org -otter.adm.crans.org -daneel.adm.crans.org -listenup.adm.crans.org - [certbot] irc.adm.crans.org proxy-pve-adh.adm.crans.org -sputnik.adm.crans.org [certbot:children] dovecot galene -gitlab -jitsi -mailman postfix reverseproxy virtu vsftpd_mirror -[constellation:children] -constellation_front - -[constellation_front] -constellation-dev.adm.crans.org +# Catégorie des VM de test/dev +[dev] +re2o-dev.crans.org [dhcp:children] routeurs_vm [dropbear] ft.adm.crans.org -thot.adm.crans.org [docker:children] gitlab_runner @@ -117,9 +101,6 @@ fyre.adm.crans.org [irc] irc.adm.crans.org -[jitsi] -jitsi.adm.crans.org - [keepalived] routeur-daniel.adm.crans.org routeur-jack.adm.crans.org @@ -150,10 +131,8 @@ irc.adm.crans.org ptf.adm.crans.org [nginx:children] -constellation_front django_cas galene -jitsi mailman mirror_frontend printer @@ -166,7 +145,6 @@ wiki eclat.adm.crans.org [opendkim:children] -mailman postfix [postfix] @@ -242,7 +220,6 @@ helloworld.adm.crans.org wall-e.adm.crans.org #sam.adm.crans.org #sputnik.adm.crans.org -#thot.adm.crans.org [sssd] zamok.adm.crans.org @@ -263,17 +240,11 @@ sam.adm.crans.org [virtu_backup] ft.adm.crans.org -thot.adm.crans.org - -[virtu_ceph] -daneel.adm.crans.org -listenup.adm.crans.org [virtu:children] virtu_adh virtu_adm virtu_backup -virtu_ceph [vsftpd_mirror] eclat.adm.crans.org @@ -285,20 +256,15 @@ kiwi.adm.crans.org [wireguard] boeing.adm.crans.org routeur-ft.adm.crans.org -routeur-thot.adm.crans.org sputnik.adm.crans.org [crans_routeurs:children] routeurs_vm [crans_physical] -thot.adm.crans.org zamok.adm.crans.org -cephiroth.adm.crans.org -#zbee.adm.crans.org [crans_physical:children] -aurore_physical baie virtu viarezo_physical 
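Review bot: `mailman` is dropped from `[certbot:children]` here (and from `[opendkim:children]` further down) while `mailman.adm.crans.org` remains in the server inventory, so if that host still delivers mail its certificate renewals and DKIM signing are no longer managed by these plays — either remove the host as well or leave a comment explaining why. The new `[dev]` group holds `re2o-dev.crans.org`, the only inventory entry not under `.adm.crans.org`; the `server,!dev` patterns in the backup plays only exclude it if it is also a member of `server`, so the name should be checked against the real adm hostname. Extending the existing comment to `# Catégorie des VM de test/dev (exclues des sauvegardes, cf. plays/*_client.yml)` would make the group's effect explicit.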
@@ -309,24 +275,19 @@ belenios.adm.crans.org boeing.adm.crans.org cas.adm.crans.org chene.adm.crans.org -constellation-dev.adm.crans.org eclaircie.adm.crans.org eclat.adm.crans.org ethercalc.adm.crans.org en7.adm.crans.org flirt.adm.crans.org -fluxx.adm.crans.org fyre.adm.crans.org gitlab-ci.adm.crans.org gitzly.adm.crans.org helloworld.adm.crans.org hodaur.adm.crans.org -horde.adm.crans.org irc.adm.crans.org -jitsi.adm.crans.org kenobi.adm.crans.org kiwi.adm.crans.org -ldap-adm.adm.crans.org linx.adm.crans.org mailman.adm.crans.org neree.adm.crans.org @@ -344,6 +305,7 @@ routeur-2754.adm.crans.org silice.adm.crans.org trinity.adm.crans.org voyager.adm.crans.org +wall-e.adm.crans.org yson-partou.adm.crans.org [viarezo_physical] @@ -357,20 +319,7 @@ routeur-ft.adm.crans.org viarezo_physical viarezo_vm -[aurore_physical] -thot.adm.crans.org - -[aurore_vm] -backup-thot.adm.crans.org -routeur-thot.adm.crans.org - -[aurore:children] -aurore_physical -aurore_vm - [crans_vm:children] -aurore_vm -ceph_test routeurs_vm viarezo_vm @@ -390,7 +339,6 @@ ilo-jack.adm.crans.org ilo-odlyd.adm.crans.org ilo-sam.adm.crans.org ilo-stitch.adm.crans.org -ilo-thot.adm.crans.org ilo-zamok.adm.crans.org # everything at crans diff --git a/lookup_plugins/ldap.py b/lookup_plugins/ldap.py index 42501ffd..7bb9a206 100644 --- a/lookup_plugins/ldap.py +++ b/lookup_plugins/ldap.py 
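Review bot: Adding `wall-e.adm.crans.org` to the main server list brings it into every `hosts: server` play — borg and restic backups, the `home_nounou` mount in users.yml, sudo management — which is a change of exposure for a host that earlier in this file sits on its own in a group with `sam` and `sputnik` commented out, presumably the directory servers; confirm that is intended, in particular whether its data should land in the shared backup repositories. A comment beside the entry recording that decision would help the next reader.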
@@ -63,18 +63,18 @@ class LookupModule(LookupBase): def ip4(self, host, vlan): """ Retrieve the first IPv4 addresse of an interface of a device - query('ldap', 'ip4', HOST, VLAN) + lookup('ldap', 'ip4', HOST, VLAN) """ result = [ res for res in self.ip(host, vlan) if ipaddress.ip_address(res).version == 4 ] - return result[0] + return [result[0]] def ip6(self, host, vlan): """ Retrieve the first IPv6 addresse of an interface of a device - query('ldap', 'ip6', HOST, VLAN) + lookup('ldap', 'ip6', HOST, VLAN) """ result = [ res for res in self.ip(host, vlan) if ipaddress.ip_address(res).version == 6 ] - return result[0] + return [result[0]] def all_ip(self, host): """ @@ -200,7 +200,7 @@ class LookupModule(LookupBase): query_id = self.base.search(f"cn={network},ou=networks,{self.base_dn}", ldap.SCOPE_BASE, "objectClass=ipNetwork") result = self.base.result(query_id) result = result[1][0][1] - return str(ipaddress.ip_network('{}/{}'.format(result['ipNetworkNumber'][0].decode('utf-8'), result['ipNetmaskNumber'][0].decode('utf-8')))) + return [str(ipaddress.ip_network('{}/{}'.format(result['ipNetworkNumber'][0].decode('utf-8'), result['ipNetmaskNumber'][0].decode('utf-8'))))] elif terms[0] == 'zones': query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, "objectClass=ipNetwork") result = self.base.result(query_id) diff --git a/plays/borgbackup_client.yml b/plays/borgbackup_client.yml index 945cd80d..1df5b5be 100755 --- a/plays/borgbackup_client.yml +++ b/plays/borgbackup_client.yml @@ -2,7 +2,7 @@ --- - import_playbook: ssh_known_hosts.yml -- hosts: server +- hosts: server,!dev,!apprentis.adm.crans.org vars: borg: "{{ glob_borg | default({}) | combine(loc_borg | default({})) }}" roles: diff --git a/plays/constellation.yml b/plays/constellation.yml deleted file mode 100755 index 68bfa737..00000000 --- a/plays/constellation.yml +++ /dev/null 
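Review bot: `return [result[0]]` still raises a bare `IndexError` when the host has no address of that family on the VLAN, which reaches the playbook as an opaque template error; raising `AnsibleError(f"no IPv4 address for {host} on vlan {vlan}")` (from `ansible.errors`, if the plugin does not already import it) would name the offending host. The docstring should also say why a one-element list is now returned: `lookup()` joins list results with commas, so a single element renders as the bare address while `query()` callers get the list — e.g. `Returns a one-element list so that lookup() renders the bare address.` The `ip6` method in the same hunk has both issues, and the network branch in the next hunk indexes `result[1][0][1]` with the same unchecked assumption; the enclosing `LookupModule` class starts before the hunk.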
@@ -1,16 +0,0 @@ -#!/usr/bin/env ansible-playbook ---- -- hosts: constellation - vars: - constellation: "{{ glob_constellation | combine(loc_constellation | default({}), recursive=True) }}" - roles: - - constellation - -- hosts: constellation_front - vars: - constellation: "{{ glob_constellation | combine(loc_constellation | default({}), recursive=True) }}" - nginx: "{{ glob_nginx | combine(loc_nginx | default({})) }}" - roles: - - nginx - - constellation-front - - constellation-doc diff --git a/plays/monitoring.yml b/plays/monitoring.yml index 680c3fc5..9c6d5590 100755 --- a/plays/monitoring.yml +++ b/plays/monitoring.yml @@ -62,6 +62,13 @@ roles: - prometheus-postfix-exporter +# Export apache metrics (avait disparu depuis f7347e41d2) +#- hosts: zamok.adm.crans.org +# vars: +# adm_ipv4: "{{ ansible_all_ipv4_addresses | ipaddr(adm_subnet) | first }}" +# roles: +# - prometheus-apache-exporter + # Monitor logs with mtail - hosts: mtail vars: diff --git a/plays/restic_client.yml b/plays/restic_client.yml new file mode 100755 index 00000000..b5593525 --- /dev/null +++ b/plays/restic_client.yml @@ -0,0 +1,8 @@ +#!/usr/bin/env ansible-playbook +--- + +- hosts: server,!dev + vars: + restic: "{{ glob_restic | default({}) | combine(loc_restic | default({}), recursive=true) }}" + roles: + - restic-client diff --git a/plays/root.yml b/plays/root.yml index 48b558c2..fc0f8a22 100755 --- a/plays/root.yml +++ b/plays/root.yml @@ -30,6 +30,7 @@ - import_playbook: scripts.yml - import_playbook: vm_setup.yml - import_playbook: borgbackup_client.yml +- import_playbook: restic_client.yml - import_playbook: network_interfaces.yml - import_playbook: nullmailer.yml diff --git a/plays/routeurs.yml b/plays/routeurs.yml index fc141cc4..0ac1af8b 100755 --- a/plays/routeurs.yml +++ b/plays/routeurs.yml 
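Review bot: `hosts: server,!dev` excludes `dev` but not `apprentis.adm.crans.org`, which the borg play in this same change excludes explicitly (`server,!dev,!apprentis.adm.crans.org`), so the two backup clients now target different host sets; either add that host to `[dev]` in the inventory so both patterns agree, or exclude it here too. The borg play also imports `ssh_known_hosts.yml` first while this one does not, so if the restic repository is reached over SFTP/SSH the server host key is not pinned before the first backup — add `- import_playbook: ssh_known_hosts.yml` above the play if that is the transport. The `restic-client` role and `glob_restic` are not in this change, so repository and credential handling could not be checked.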
@@ -4,7 +4,6 @@ - import_playbook: bird.yml - import_playbook: freeradius.yml - import_playbook: firewall.yml -- import_playbook: dns-recursive.yml - import_playbook: prefix-delegation.yml - import_playbook: radvd.yml - import_playbook: keepalived.yml diff --git a/plays/users.yml b/plays/users.yml index a6522ad1..57ad19fa 100755 --- a/plays/users.yml +++ b/plays/users.yml @@ -6,7 +6,7 @@ roles: - ldap-client -- hosts: server,!ovh_physical,!tealc.adm.crans.org,!sam.adm.crans.org,!routeur-sam.adm.crans.org,!ft.adm.crans.org,!thot.adm.crans.org +- hosts: server,!ovh_physical,!apprentis.adm.crans.org,!ft.adm.crans.org,!routeur-sam.adm.crans.org,!sam.adm.crans.org,!tealc.adm.crans.org vars: nfs_mount: "{{ glob_home_nounou | default({}) | combine(loc_home_nounou | default({})) }}" roles: diff --git a/plays/utilities.yml b/plays/utilities.yml index a786c8da..9d1ab3a5 100755 --- a/plays/utilities.yml +++ b/plays/utilities.yml @@ -2,9 +2,10 @@ --- - hosts: server vars: - root: "{{ glob_root | default({}) | combine(loc_root | default({})) }}" - ntp_client: "{{ glob_ntp_client | combine(loc_ntp_client | default({})) }}" needrestart: "{{ glob_needrestart | default({}) | combine(loc_needrestart | default({})) }}" + ntp_client: "{{ glob_ntp_client | combine(loc_ntp_client | default({})) }}" + root: "{{ glob_root | default({}) | combine(loc_root | default({})) }}" + sudo: "{{ glob_sudo | default({}) | combine(loc_sudo | default({})) }}" unattended: "{{ glob_unattended | default({}) | combine(loc_unattended | default({})) }}" roles: - root diff --git a/plays/vsftpd.yml b/plays/vsftpd.yml deleted file mode 100755 index ece6df48..00000000 --- a/plays/vsftpd.yml +++ /dev/null 
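Review bot: `sudo: "{{ glob_sudo | default({}) | combine(loc_sudo | default({})) }}"` merges non-recursively, so any nested key a host sets in `loc_sudo` replaces the whole global subtree instead of adding to it — for sudoers that is an easy way to lose a global rule, or grant more than intended, on a single host; if the structure is nested, use `combine(..., recursive=true)` as the restic play in this change does, and if it is flat, say so in a comment. `default({})` on `glob_sudo` also means a missing global definition renders an empty config, which depending on the role either leaves sudoers untouched or empties it; the roles list is cut off at the end of the hunk, so the role consuming this variable could not be checked.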
@@ -1,17 +0,0 @@ -#!/usr/bin/env ansible-playbook ---- -# Deploy vsftpd server on the mirrors -- hosts: vsftpd_mirror - vars: - certbot: "{{ loc_certbot | default(glob_certbot | default([])) }}" - vsftpd: "{{ glob_vsftpd_mirror | default({}) | combine(loc_vsftpd | default({})) }}" - roles: - - certbot - - vsftpd - -# Deploy vstfpd on the camera serveur -- hosts: vsftpd_cameras - vars: - vsftpd: "{{ glob_vsftpd_cameras | default({}) | combine(loc_vsftpd | default({})) }}" - roles: - - vsftpd diff --git a/plays/zamok.yml b/plays/zamok.yml index c4bbfbe0..5d311fcf 100755 --- a/plays/zamok.yml +++ b/plays/zamok.yml @@ -8,4 +8,3 @@ roles: - zamok-tools # - postfix - - prometheus-node-exporter-postfix diff --git a/roles/arpproxy/README.md b/roles/arpproxy/README.md new file mode 100644 index 00000000..1ff5a34a --- /dev/null +++ b/roles/arpproxy/README.md @@ -0,0 +1,3 @@ +# Arpproxy + +Active arpproxy. Utilise le repo [proxy](https://gitlab.crans.org/nounous/proxy). diff --git a/roles/borgbackup-client/handlers/main.yml b/roles/borgbackup-client/handlers/main.yml new file mode 100644 index 00000000..d9ea49fd --- /dev/null +++ b/roles/borgbackup-client/handlers/main.yml @@ -0,0 +1,9 @@ +--- +- name: Restart timer + service: + name: borgmatic.timer + state: restarted + +- name: systemctl daemon-reload + systemd: + daemon_reload: true diff --git a/roles/borgbackup-client/tasks/main.yml b/roles/borgbackup-client/tasks/main.yml index 2833d6b5..957a6c35 100644 --- a/roles/borgbackup-client/tasks/main.yml +++ b/roles/borgbackup-client/tasks/main.yml 
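Review bot: Ansible runs notified handlers in the order they are defined in this file, not in notify order, so `Restart timer` runs before `systemctl daemon-reload` and restarts the unit from the definition systemd loaded earlier — after a change to `borgmatic.timer` the old schedule stays in effect until the next run. Define the reload handler first, or make the restart handler self-sufficient with the `systemd` module: `- name: Restart timer` / `  systemd: { name: borgmatic.timer, state: restarted, daemon_reload: true }`.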
@@ -61,13 +61,27 @@ register: borg_init changed_when: '"does not exist" in borg_init.stderr' -- name: Deploy borg cron +- name: Deploy borgmatic systemd template: - src: cron.d/borg.j2 - dest: /etc/cron.d/borg{{ borg.path_suffix | default('') }} + src: "systemd/system/{{ item }}.j2" + dest: /etc/systemd/system/{{ item }} + mode: 0600 + owner: root + group: root + loop: + - borgmatic.service + - borgmatic.timer + notify: + - Restart timer + - systemctl daemon-reload - name: Indicate role in motd template: src: update-motd.d/04-service.j2 dest: /etc/update-motd.d/04-borgbackup mode: 0755 + +- name: Enable timer + service: + name: borgmatic.timer + enabled: true diff --git a/roles/borgbackup-client/templates/cron.d/borg.j2 b/roles/borgbackup-client/templates/cron.d/borg.j2 deleted file mode 100644 index 26309d44..00000000 --- a/roles/borgbackup-client/templates/cron.d/borg.j2 +++ /dev/null @@ -1,9 +0,0 @@ -{{ ansible_header | comment }} - -PATH=$PATH:/usr/sbin:/usr/bin:/usr/local/bin:/sbin:/bin - -{% if borg.path_suffix is defined %} -{{ 60 | random(seed=inventory_hostname) }} {{ 24 | random(seed=inventory_hostname) }} * * * root borgmatic -c /etc/borgmatic/config{{ borg.path_suffix }}.yaml --syslog-verbosity 1 -{% else %} -{{ 60 | random(seed=inventory_hostname) }} {{ 24 | random(seed=inventory_hostname) }} * * * root borgmatic --syslog-verbosity 1 -{% endif %} diff --git a/roles/borgbackup-client/templates/systemd/system/borgmatic.service.j2 b/roles/borgbackup-client/templates/systemd/system/borgmatic.service.j2 new file mode 100644 index 00000000..46ab63d7 --- /dev/null +++ b/roles/borgbackup-client/templates/systemd/system/borgmatic.service.j2 
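Review bot: `Enable timer` sets `enabled: true` only, so on a host where the templates were already in place nothing ever starts the timer — it runs only after a reboot, or when a template change happens to fire the `Restart timer` handler; add `state: started` to the task. The unit files are deployed with `mode: 0600`, which the systemd system instance does not need and which hides the units from `systemctl cat` for unprivileged admins; `mode: "0644"` (quoted, as Ansible recommends for octal modes) is the usual choice and neither unit contains a secret, those live in the borgmatic config. The `borg_init` task this hunk starts with begins before it.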
@@ -0,0 +1,15 @@ +{{ ansible_header | comment }} + +[Unit] +After=network-online.target +Wants=network-online.target + +[Service] +Type=oneshot +User=root + +{% if borg.path_suffix is defined %} +ExecStart=borgmatic -c /etc/borgmatic/config{{ borg.path_suffix }}.yaml --syslog-verbosity 1 +{% else %} +ExecStart=borgmatic --syslog-verbosity 1 +{% endif %} diff --git a/roles/borgbackup-client/templates/systemd/system/borgmatic.timer.j2 b/roles/borgbackup-client/templates/systemd/system/borgmatic.timer.j2 new file mode 100644 index 00000000..4aad3f85 --- /dev/null +++ b/roles/borgbackup-client/templates/systemd/system/borgmatic.timer.j2 @@ -0,0 +1,10 @@ +{{ ansible_header | comment }} + +[Unit] + +[Timer] +OnCalendar={{ 24 | random(seed=inventory_hostname) }}:{{ 60 | random(seed=inventory_hostname) }} +Persistent=true + +[Install] +WantedBy=timers.target diff --git a/roles/ceph/tasks/main.yml b/roles/ceph/tasks/main.yml deleted file mode 100644 index 6b4b2ed4..00000000 --- a/roles/ceph/tasks/main.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -- name: Fetch ceph repository public key - get_url: - url: "{{ ceph.mirror_key }}" - dest: /etc/apt/trusted.gpg.d/ceph-release.asc - -- name: Add ceph to source lists - lineinfile: - path: /etc/apt/sources.list.d/ceph.list - regexp: '^deb' - create: true - line: 'deb [signed-by=/etc/apt/trusted.gpg.d/ceph-release.asc] {{ ceph.mirror }} {{ ansible_distribution_release }} main' - -- name: Install ceph - apt: - name: - - ceph - - ceph-mds - - ceph-volume - - rsync - - nvme-cli - - smartmontools - install_recommends: false - update_cache: true - register: apt_result - retries: 3 - until: apt_result is succeeded diff --git a/roles/common-tools/README.md b/roles/common-tools/README.md new file mode 100644 index 00000000..d7294be6 --- /dev/null +++ b/roles/common-tools/README.md @@ -0,0 +1,9 @@ +# Common tools + +Installe et configure les outils essentiels pour l'administration des serveurs. + +Par exemple : + +- git +- nano +- screen 
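Review bot: Replacing the cron entry with this oneshot unit silently drops the failure channel cron provided: cron mailed any output to root, whereas a failed `borgmatic` run here only leaves a journal entry at `--syslog-verbosity 1`, so a backup that stops working is noticed only if someone watches the journal on every host. Add a `Description=Run borgmatic backup` line and an `OnFailure=` hook — `OnFailure=status-email-root@%n.service` if such a template unit exists on these hosts, otherwise one of borgmatic's monitoring hooks in its config. The `After=`/`Wants=network-online.target` pairing is appropriate for a timer-started unit.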
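Review bot: `OnCalendar={{ 24 | random(seed=inventory_hostname) }}:{{ 60 | random(seed=inventory_hostname) }}` renders single-digit values such as `3:7`; systemd appears to accept that form, but the rendered value should be checked once with `systemd-analyze calendar`, because a parse error here disables the backup silently. Both numbers derive from the same seed, which is fine for spreading hosts apart; if a stable per-host offset is all that is wanted, the native `OnCalendar=daily` with `RandomizedDelaySec=24h` and `FixedRandomDelay=true` expresses it without templating. The empty `[Unit]` section should at least carry `Description=Daily borgmatic backup`.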
diff --git a/roles/constellation-doc/tasks/main.yml b/roles/constellation-doc/tasks/main.yml deleted file mode 100644 index 31253733..00000000 --- a/roles/constellation-doc/tasks/main.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -- name: Install Sphinx and RTD theme - apt: - update_cache: true - install_recommends: false - name: - - python3-sphinx - - python3-sphinx-rtd-theme - register: apt_result - retries: 3 - until: apt_result is succeeded - -- name: Create documentation directory with good permissions - file: - path: /var/www/constellation-doc - state: directory - owner: www-data - group: www-data - mode: u=rwx,g=rwxs,o=rx - -- name: Build HTML documentation - command: sphinx-build -b dirhtml {{ project_path }}/docs/ /var/www/constellation-doc/ - become_user: www-data diff --git a/roles/constellation-front/handlers/main.yml b/roles/constellation-front/handlers/main.yml deleted file mode 100644 index 73c9606a..00000000 --- a/roles/constellation-front/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Restart uWSGI - systemd: - name: uwsgi - state: restarted diff --git a/roles/constellation-front/tasks/main.yml b/roles/constellation-front/tasks/main.yml deleted file mode 100644 index 73d966b5..00000000 --- a/roles/constellation-front/tasks/main.yml +++ /dev/null 
@@ -1,110 +0,0 @@ ---- -- name: Install some front APT packages - apt: - install_recommends: false - update_cache: true - name: - - python3-django-crispy-forms - - python3-django-filters - - python3-djangorestframework - - python3-django-tables2 - - python3-docutils - register: apt_result - retries: 3 - until: apt_result is succeeded - -- name: Install some front pip packages - pip: - name: - - git+https://gitlab.adm.crans.org/nounous/crispy-bootstrap5.git - -- name: Set data directories in development mode - when: constellation.version != "master" - set_fact: - project_path: /var/local/constellation - module_path: /var/local/constellation/constellation - -- name: Set data directories in production mode - when: constellation.version == "master" - set_fact: - project_path: /usr/local/lib/python3.9/dist-packages/constellation - module_path: /usr/local/lib/python3.9/dist-packages/constellation - -- name: Check front dependencies (production) - when: constellation.version == "master" - pip: - name: - - git+https://gitlab.adm.crans.org/nounous/constellation.git[front] - state: latest - -- name: Install uWSGI - apt: - install_recommends: false - update_cache: true - name: - - uwsgi - - uwsgi-plugin-python3 - register: apt_result - retries: 3 - until: apt_result is succeeded - -- name: Copy constellation uWSGI app - template: - src: uwsgi/apps-available/constellation.ini.j2 - dest: /etc/uwsgi/apps-available/constellation.ini - owner: root - group: root - mode: 0644 - notify: Restart uWSGI - -- name: Activate constellation uWSGI app - file: - src: ../apps-available/constellation.ini - dest: /etc/uwsgi/apps-enabled/constellation.ini - owner: root - group: root - state: link - ignore_errors: "{{ ansible_check_mode }}" - notify: Restart uWSGI - -# In the future, migrations will be included in the repository. 
-- name: Make Django migrations - django_manage: - command: makemigrations - project_path: "{{ project_path }}" - notify: Restart uWSGI - -- name: Migrate database - django_manage: - command: migrate - project_path: "{{ project_path }}" - notify: Restart uWSGI - -- name: Create static files directory - file: - path: /var/lib/constellation/{{ item }} - state: directory - mode: "2775" - owner: www-data - group: "{{ constellation.group }}" - recurse: true - loop: - - static - - media - -- name: Symlink static and media directories (dev) - file: - src: /var/lib/constellation/{{ item }} - dest: /var/local/constellation/{{ item }} - state: link - owner: www-data - group: "{{ constellation.group }}" - loop: - - static - - media - -- name: Collect static files - django_manage: - command: collectstatic - project_path: "{{ project_path }}" - notify: Restart uWSGI diff --git a/roles/constellation-front/templates/uwsgi/apps-available/constellation.ini.j2 b/roles/constellation-front/templates/uwsgi/apps-available/constellation.ini.j2 deleted file mode 100644 index bf2bbeda..00000000 --- a/roles/constellation-front/templates/uwsgi/apps-available/constellation.ini.j2 +++ /dev/null @@ -1,23 +0,0 @@ -{{ ansible_header | comment }} - -[uwsgi] -uid = www-data -gid = www-data -# Django-related settings -# the base directory (full path) -chdir = {{ project_path }} -wsgi-file = {{ module_path }}/wsgi.py -plugin = python3 -# process-related settings -# master -master = true -# maximum number of worker processes -processes = 10 -# the socket (use the full path to be safe -socket = /var/run/uwsgi/app/constellation/constellation.sock -# ... with appropriate permissions - may be needed -chmod-socket = 664 -# clear environment on exit -vacuum = true -# Touch reload -touch-reload = {{ module_path }}/settings.py diff --git a/roles/constellation/tasks/main.yml b/roles/constellation/tasks/main.yml deleted file mode 100644 index c8ac9a4c..00000000 
--- a/roles/constellation/tasks/main.yml +++ /dev/null 
@@ -1,143 +0,0 @@ ---- -- name: Pin Django from Debian bullseye-backports - template: - src: apt/sources.list.d/bullseye-backports.list.j2 - dest: /etc/apt/sources.list.d/bullseye-backports.list - -- name: Install constellation dependencies - apt: - update_cache: true - install_recommends: false - name: - - gettext - - python3-django - - python3-django-extensions - - python3-django-polymorphic - - python3-ipython - - python3-pip - - python3-psycopg2 - - python3-requests - register: apt_result - retries: 3 - until: apt_result is succeeded - -- name: Install constellation pip dependencies - pip: - name: - - git+https://gitlab.adm.crans.org/nounous/django-dnsmanager.git - -- name: Set configuration directories in development mode - when: constellation.version != "main" - set_fact: - module_path: /var/local/constellation/constellation - project_path: /var/local/constellation - -- name: Set configuration directories in production mode - when: constellation.version == "main" - set_fact: - module_path: /usr/local/lib/python3.9/dist-packages/constellation - project_path: /usr/local/lib/python3.9/dist-packages/constellation - -- name: Create constellation directory - file: - path: /etc/constellation - state: directory - mode: "2775" - owner: "{{ constellation.owner }}" - group: "{{ constellation.group }}" - -- name: Set ACL for constellation directory - acl: - path: /etc/constellation - default: true - entity: nounou - etype: group - permissions: rwx - state: query - ignore_errors: "{{ ansible_check_mode }}" - -- name: Clone constellation repository (development) - when: constellation.version != "main" - git: - repo: https://gitlab.adm.crans.org/nounous/constellation.git - dest: "{{ project_path }}" - umask: "002" - version: "{{ constellation.version }}" - recursive: true - -- name: Install pip module with editable flag (development) - when: constellation.version != "main" - pip: - name: - - "{{ project_path }}" - editable: true - state: latest - -- name: Install and 
upgrade constellation (production) - when: constellation.version == "main" - pip: - name: - - git+https://gitlab.adm.crans.org/nounous/constellation.git - state: latest - -- name: Set owner of cloned project - when: constellation.version != "main" - file: - path: "{{ project_path }}" - owner: "{{ constellation.owner }}" - group: "{{ constellation.group }}" - recurse: true - -- name: Deploy Constellation settings_local.py - template: - src: constellation/settings_local.py.j2 - dest: /etc/constellation/settings_local.py - mode: 0660 - owner: "{{ constellation.settings_local_owner }}" - group: "{{ constellation.settings_local_group }}" - -- name: Symlink configuration file - file: - src: /etc/constellation/settings_local.py - dest: "{{ module_path }}/settings_local.py" - state: link - -- name: Deploy crontab - when: constellation.crontab - template: - src: cron.d/constellation.j2 - dest: /etc/cron.d/constellation - owner: root - group: root - mode: 0644 - -- name: Compile messages - when: not constellation.front - django_manage: - command: compilemessages - project_path: "{{ project_path }}" - -# In the future, migrations will be included in the repository. -- name: Make Django migrations (non-front app) - when: not constellation.front - django_manage: - command: makemigrations - project_path: "{{ project_path }}" - -- name: Migrate database (non-front app) - when: not constellation.front - django_manage: - command: migrate - project_path: "{{ project_path }}" - -- name: Load initial data (non-front app) - when: not constellation.front - django_manage: - command: loaddata initial - project_path: "{{ project_path }}" - -- name: Indicate constellation in motd - template: - src: update-motd.d/05-service.j2 - dest: /etc/update-motd.d/05-constellation - mode: 0755 
diff --git a/roles/constellation/templates/apt/sources.list.d/bullseye-backports.list.j2 b/roles/constellation/templates/apt/sources.list.d/bullseye-backports.list.j2 deleted file mode 100644 index e231539d..00000000 --- a/roles/constellation/templates/apt/sources.list.d/bullseye-backports.list.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{{ ansible_header | comment }} - -deb {{ debian_mirror }} bullseye-backports main diff --git a/roles/constellation/templates/constellation/settings_local.py.j2 b/roles/constellation/templates/constellation/settings_local.py.j2 deleted file mode 100644 index 913a2541..00000000 --- a/roles/constellation/templates/constellation/settings_local.py.j2 +++ /dev/null 
@@ -1,75 +0,0 @@ -{{ ansible_header | comment }} - -# A secret key used by the server. -SECRET_KEY = "{{ constellation.django_secret_key }}" - -# Should the server run in debug mode ? -# SECURITY WARNING: don't run with debug turned on in production! -DEBUG = {{ constellation.debug }} - -# A list of admins of the services. Receive mails when an error occurs -ADMINS = [{% for admin in constellation.admins %}{{ admin }}, {% endfor %}] - -# The list of hostname the server will respond to. -ALLOWED_HOSTS = [{% for host in constellation.allowed_hosts %}'{{ host }}', {% endfor %}] - -# Installed applications -LOCAL_APPS = [ -{% for app in constellation.applications %} - '{{ app }}', -{% endfor %} -] - -# Activate this option if a web front is needed -USE_FRONT = {{ constellation.front }} - -# The time zone the server is runned in -TIME_ZONE = 'Europe/Paris' - -# The storage systems parameters to use -DATABASES = { - 'default': { # The DB - 'ENGINE': 'django.db.backends.postgresql', - 'NAME': '{{ constellation.database.name }}', - 'USER': '{{ constellation.database.user }}', - 'PASSWORD': "{{ constellation.database.password }}", - 'HOST': '{{ constellation.database.host }}', - 'PORT': '{{ constellation.database.port }}', - }, -} - -{% if constellation.version == "main" %} -{% if constellation.front %} -STATIC_ROOT = "/var/lib/constellation/static/" - -{% endif %} -MEDIA_ROOT = "/var/lib/constellation/media/" -{% endif %} - -# The mail configuration for Constellation to send mails -EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend' -EMAIL_USE_SSL = {{ constellation.email.ssl }} -EMAIL_HOST = '{{ constellation.email.host }}' -EMAIL_PORT = {{ constellation.email.port }} -EMAIL_HOST_USER = '{{ constellation.email.user }}' -EMAIL_HOST_PASSWORD = '{{ constellation.email.password }}' -SERVER_EMAIL = '{{ constellation.email.from }}' -DEFAULT_FROM_EMAIL = '{{ constellation.email.from_full }}' -{% if constellation.front %} -{% if constellation.comnpay is defined %} - 
-COMNPAY_ID_TPE = '{{ constellation.comnpay.tpe }}' -COMNPAY_SECRET_KEY = '{{ constellation.comnpay.secret }}' -{% endif %} -{% if constellation.stripe is defined %} - -STRIPE_PRIVATE_KEY = "{{ constellation.stripe.private_key }}" -STRIPE_PUBLIC_KEY = "{{ constellation.stripe.public_key }}" -{% endif %} -{% if constellation.note is defined %} - -NOTE_KFET_URL = "{{ constellation.note.url }}" -NOTE_KFET_CLIENT_ID = "{{ constellation.note.client_id }}" -NOTE_KFET_CLIENT_SECRET = "{{ constellation.note.client_secret }}" -{% endif %} -{% endif %} diff --git a/roles/constellation/templates/cron.d/constellation.j2 b/roles/constellation/templates/cron.d/constellation.j2 deleted file mode 100644 index c87dbea9..00000000 --- a/roles/constellation/templates/cron.d/constellation.j2 +++ /dev/null @@ -1,4 +0,0 @@ -{{ ansible_header }} - -# m h dom mon dow user command -24 4 * * * root constellation check_consistency diff --git a/roles/constellation/templates/update-motd.d/05-service.j2 b/roles/constellation/templates/update-motd.d/05-service.j2 deleted file mode 100755 index dee40fbe..00000000 --- a/roles/constellation/templates/update-motd.d/05-service.j2 +++ /dev/null @@ -1,3 +0,0 @@ -#!/usr/bin/tail +14 -{{ ansible_header | comment }} -> Constellation a été déployé sur cette machine. Voir {{ project_path }}/. diff --git a/roles/debian-apt-sources/README.md b/roles/debian-apt-sources/README.md new file mode 100644 index 00000000..a098d873 --- /dev/null +++ b/roles/debian-apt-sources/README.md @@ -0,0 +1,3 @@ +# Debian apt sources + +Configure les sources de debian avec le miroir du crans. diff --git a/roles/ethercalc/README.md b/roles/ethercalc/README.md new file mode 100644 index 00000000..ebd110da --- /dev/null +++ b/roles/ethercalc/README.md @@ -0,0 +1,8 @@ +# Ethercalc + +Installe et configure ethercalc + +## Variables + +glob_ethercalc: + ip: ip du serveur diff --git a/roles/etherpad/README.md b/roles/etherpad/README.md new file mode 100644 index 00000000..41e8514a 
--- /dev/null +++ b/roles/etherpad/README.md @@ -0,0 +1,31 @@ +# Etherpad + +Installe et configure etherpad + +## Variables + +glob_etherpad: + instances: + - name: nom de l'instance + title: titre de la page + favicon: icon de la page + skin: + ip: ip du serveur + port: port + version: version du pad + database: + user: utilisateur de la bdd + host: serveur pgsql + name: nom de la bdd + default_pad_text: texte par défaut des pads + admin: + user: utilisateur admin + password: mot de passe + apikey: clé api + temporary: + enabled: activer les pads éphémères + delay: durée avant suppression + loop: true si une boucle est utilisée + loop_delay: delai entre chaque itération de la boucle + delete_at_start: true si la suppression à lieu au démarrage du pad + deleted_text: message après suppression diff --git a/roles/logall/README.md b/roles/logall/README.md new file mode 100644 index 00000000..cad35649 --- /dev/null +++ b/roles/logall/README.md @@ -0,0 +1,3 @@ +# Logall + +Configure les logs du firewall. diff --git a/roles/logos/README.md b/roles/logos/README.md new file mode 100644 index 00000000..954bccf7 --- /dev/null +++ b/roles/logos/README.md @@ -0,0 +1,12 @@ +# Logos + +Copie les logos du crans. + +## Variables + +logos: + - which: source du logo (cf : files/) + where: destination du logo + owner: propriétaire (défaut : root) + group: groupe (defaut : root) + mode: permissions (defaut : 0644) diff --git a/roles/matrix-synapse/handlers/main.yml b/roles/matrix-synapse/handlers/main.yml deleted file mode 100644 index aab51dae..00000000 --- a/roles/matrix-synapse/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Restart matrix-synapse - service: - name: matrix-synapse - state: restarted diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml deleted file mode 100644 index 6ba08617..00000000 --- a/roles/matrix-synapse/tasks/main.yml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -- name: Configure Debian backports repository - template: - src: apt/sources.list.d/backports.list.j2 - dest: /etc/apt/sources.list.d/backports.list - -- name: Install matrix-synapse - apt: - update_cache: true - default_release: "{{ ansible_lsb.codename }}-backports" - name: matrix-synapse - register: apt_result - retries: 3 - until: apt_result is succeeded - -- name: Configure matrix-synapse - template: - src: matrix-synapse/conf.d/{{ item }}.j2 - dest: /etc/matrix-synapse/conf.d/{{ item }} - mode: 0640 - owner: matrix-synapse - group: nogroup - loop: - - app_service_config_files.yaml - - database.yaml - - listeners.yaml - - report_stats.yaml - - server_name.yaml - notify: Restart matrix-synapse diff --git a/roles/matrix-synapse/templates/apt/sources.list.d/backports.list.j2 b/roles/matrix-synapse/templates/apt/sources.list.d/backports.list.j2 deleted file mode 100644 index 6326b3e4..00000000 --- a/roles/matrix-synapse/templates/apt/sources.list.d/backports.list.j2 +++ /dev/null @@ -1 +0,0 @@ -deb {{ debian_mirror }} {{ ansible_lsb.codename }}-backports main contrib non-free diff --git a/roles/matrix-synapse/templates/matrix-synapse/conf.d/app_service_config_files.yaml.j2 b/roles/matrix-synapse/templates/matrix-synapse/conf.d/app_service_config_files.yaml.j2 deleted file mode 100644 index 7ed59eac..00000000 --- a/roles/matrix-synapse/templates/matrix-synapse/conf.d/app_service_config_files.yaml.j2 +++ /dev/null @@ -1 +0,0 @@ -app_service_config_files: ["/var/local/matrix-appservice-irc/registration.yaml"] diff --git a/roles/matrix-synapse/templates/matrix-synapse/conf.d/database.yaml.j2 b/roles/matrix-synapse/templates/matrix-synapse/conf.d/database.yaml.j2 deleted file mode 100644 index ceaf706e..00000000 --- a/roles/matrix-synapse/templates/matrix-synapse/conf.d/database.yaml.j2 +++ /dev/null 
@@ -1,9 +0,0 @@ -database: - name: "psycopg2" - args: - user: "{{ matrix_synapse.database.user }}" - password: "{{ matrix_synapse.database.password }}" - database: "{{ matrix_synapse.database.name }}" - host: "{{ matrix_synapse.database.host }}" - cp_min: 5 - cp_max: 10 diff --git a/roles/matrix-synapse/templates/matrix-synapse/conf.d/listeners.yaml.j2 b/roles/matrix-synapse/templates/matrix-synapse/conf.d/listeners.yaml.j2 deleted file mode 100644 index a37ad8f6..00000000 --- a/roles/matrix-synapse/templates/matrix-synapse/conf.d/listeners.yaml.j2 +++ /dev/null @@ -1,14 +0,0 @@ -listeners: - - port: 8008 - tls: false - bind_addresses: - - '::' - - '0.0.0.0' - type: http - x_forwarded: true - resources: - - names: [client] - compress: true - - names: [federation] - compress: false - diff --git a/roles/matrix-synapse/templates/matrix-synapse/conf.d/report_stats.yaml.j2 b/roles/matrix-synapse/templates/matrix-synapse/conf.d/report_stats.yaml.j2 deleted file mode 100644 index 47d71ee0..00000000 --- a/roles/matrix-synapse/templates/matrix-synapse/conf.d/report_stats.yaml.j2 +++ /dev/null @@ -1,2 +0,0 @@ -report_stats: false - diff --git a/roles/matrix-synapse/templates/matrix-synapse/conf.d/server_name.yaml.j2 b/roles/matrix-synapse/templates/matrix-synapse/conf.d/server_name.yaml.j2 deleted file mode 100644 index 0da924aa..00000000 --- a/roles/matrix-synapse/templates/matrix-synapse/conf.d/server_name.yaml.j2 +++ /dev/null @@ -1,2 +0,0 @@ -server_name: crans.org - diff --git a/roles/moinmoin-gendoc/README.md b/roles/moinmoin-gendoc/README.md new file mode 100644 index 00000000..e0095309 --- /dev/null +++ b/roles/moinmoin-gendoc/README.md @@ -0,0 +1,3 @@ +# Moinmoin gendoc + +Générateur automatique de la documentation sur le wiki. diff --git a/roles/moinmoin-gendoc/tasks/main.yml b/roles/moinmoin-gendoc/tasks/main.yml index c66ad943..c62ef82a 100644 --- a/roles/moinmoin-gendoc/tasks/main.yml +++ b/roles/moinmoin-gendoc/tasks/main.yml 
@@ -9,9 +9,10 @@ - name: get dmidecode facts dmidecode_facts: {} -- name: get ssh fingerprints - sshfp: {} - register: sshfp + +#- name: get ssh fingerprints +# sshfp: {} +# register: sshfp - name: Create wiki page documenting {{ ansible_hostname }} (physical) when: ansible_system_vendor != 'QEMU' diff --git a/roles/moinmoin-gendoc/templates/server.j2 b/roles/moinmoin-gendoc/templates/server.j2 index c49a5039..9aa6612b 100644 --- a/roles/moinmoin-gendoc/templates/server.j2 +++ b/roles/moinmoin-gendoc/templates/server.j2 @@ -78,7 +78,7 @@ et {{ (ansible_memory_mb.swap.total/1024)|round(1) }} GiB de SWAP. {{ interface.macaddress }} || {% endif %} {% endfor %} - +{# === Clés publiques SSH de la machine === '''RSA''' : @@ -94,4 +94,4 @@ et {{ (ansible_memory_mb.swap.total/1024)|round(1) }} GiB de SWAP. '''ED25519''' : {{ '{{{' }} {{ sshfp.ssh_host_key_ed25519_fp }} -{{ '}}}' }} +{{ '}}}' }}#} diff --git a/roles/moinmoin/README.md b/roles/moinmoin/README.md new file mode 100644 index 00000000..29168bdb --- /dev/null +++ b/roles/moinmoin/README.md @@ -0,0 +1,20 @@ +# Moinmoin + +Installe et configure le wiki (avec hardcode) + +## Variables + +```yaml +moinmoin: + data_dir: dossier contenant les données + front_page: nom de la page d'accueil + interwikiname: nom + ip_autorised: liste de conditions que l'ip doit vérifier + mail: + from: email du wiki + server: adresse du serveur + main: booléen + new_account_ip: liste de range ip + site_name: nom du site + superuser: liste des noms wiki des superusers +``` diff --git a/roles/moinmoin/templates/moin/mywiki.py.j2 b/roles/moinmoin/templates/moin/mywiki.py.j2 index 2295ac02..cb6c07b7 100644 --- a/roles/moinmoin/templates/moin/mywiki.py.j2 +++ b/roles/moinmoin/templates/moin/mywiki.py.j2 
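Review bot: The SSH fingerprint section of `server.j2` is disabled by opening a Jinja comment `{#` in the first hunk (new line 81) and closing it with `#}` appended to the last line of the second hunk, while the matching `sshfp` task in `tasks/main.yml` is commented out rather than removed; this leaves dead code in both files and a template whose `{{ sshfp.* }}` references only survive because they sit inside a comment. If the lookup is gone for good, delete the task and the section instead of commenting them out. If the generated wiki page was where users obtained host key fingerprints to verify a first connection, say in the commit or the role README where they are published now, since the page silently loses that verification aid.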
@@ -24,8 +24,8 @@ from MoinMoin import config class Config(FarmConfig): # basic options (you normally need to change these) - sitename = u'Crans Wiki' - interwikiname = 'CransWiki' + sitename = u'{{ moinmoin.site_name }}' + interwikiname = '{{ moinmoin.interwikiname }}' # name of entry page / front page [Unicode], choose one of those: @@ -33,9 +33,9 @@ class Config(FarmConfig): #page_front_page = u"MyStartingPage" # b) if wiki content is maintained in many languages - page_front_page = u"PageAccueil" + page_front_page = u"{{ moinmoin.front_page }}" - data_dir = '/var/local/wiki/data' + data_dir = '{{ moinmoin.data_dir }}' # From here every parameters was added by the Crans -- data_underlay_dir = '/var/local/wiki/underlay/' @@ -47,13 +47,13 @@ class Config(FarmConfig): charset='utf-8' # Mailing - mail_from = u"Crans Wiki " - mail_smarthost='smtp.adm.crans.org' + mail_from = u"{{ moinmoin.mail.from }}" + mail_smarthost='{{ moinmoin.mail.server }}' # This is checked by some rather critical and potentially harmful actions, # like despam or PackageInstaller action: # WikiShirenn is a giant avocado https://youtu.be/UJeH8gcjuj0 - superuser= [u"PeBecue", u"Wiki20-100", u"Benjamin", u"WikiPollion", u"WikiErdnaxe", u"WikiShirenn", u"WikiYnerant", u"DsAc", u"VanilleNiven", u"WikiAeltheos", u"WikiBleizi", u"SolalNathan"] + superuser= [{{ moinmoin.superuser | join(", ")}}] # Custom logo logo_string = u'Crans' @@ -77,6 +77,12 @@ class Config(FarmConfig): solenoid_userprefs = True solenoid_theme_credit = False + page_credits = [ + u'Propulsé par MoinMoin', + u'Mentions légales' + ]; + + chart_options = {'width': 600, 'height': 300} refresh = (0, 'external') @@ -99,9 +105,8 @@ class Config(FarmConfig): # Barre de navigation navi_bar = [ u"[[ModificationsRécentes|Modifications récentes]]", - u"[[RechercherUnePage|Rechercher]]", + u"[[RechercherUnePage|Recherche avancée]]", u"[[SommaireDeL'Aide|Aide]]", - u"[[MentionsLégales|Mentions Légales]]" ] # Lock 
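Review bot: `superuser= [{{ moinmoin.superuser | join(", ")}}]` splices inventory values into Python source unquoted, so a list of plain wiki names (which is what `roles/moinmoin/README.md` describes: "liste des noms wiki des superusers") renders as bare identifiers and the config fails to import; the removed line shows the values used to be `u"..."` literals. Quote at render time, e.g. `superuser= [{{ moinmoin.superuser | map('to_json') | join(', ') }}]`, or document that the variable must hold Python string literals. As the comment above it says, this list gates despam and PackageInstaller, so an accidental extra entry is a privilege grant worth a review comment. In the `@@ -77` hunk `page_credits = [...];` carries a stray semicolon, and `u'Mentions légales'` appears to replace the navbar link removed in the `@@ -99` hunk but is plain text rather than a link — confirm that is intended.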
@@ -134,7 +139,7 @@ class Config(FarmConfig): # Import auth methods import sys - sys.path.append('/var/local/wiki/data') + sys.path.append('{{ moinmoin.data_dir }}') from plugin.auth import categorie_public, ip_range, cas, moin # Si la methode d'authentification est trusted @@ -152,13 +157,9 @@ class Config(FarmConfig): ), ip_range.IpRange( local_nets=[ - '185.230.76.0/22', # IPv4 Crans - '172.16.0.0/16', # IPv4 local - '100.64.0.0/10', # IPv4 adherents - '2a0c:700::/32', # IPv6 Crans - '45.66.108.0/22', # IPv4 Aurore - '2a09:6840::/32', # IPv6 Aurore - '138.231.175.203/32', # IPv4 PC Kfet +{% for ip_range in moinmoin.new_account_ip %} + '{{ ip_range }}', +{% endfor %} ], actions=['newaccount'], actions_msg={'newaccount':"La création de comptes n'est autorisée que depuis le réseau du Crans ou sur zamok."}, @@ -172,19 +173,7 @@ class Config(FarmConfig): def ip_autorised_create_account(self, ip): {% if moinmoin.main %} - return ip.startswith('185.230.76.') \ - or ip.startswith('185.230.77.') \ - or ip.startswith('185.230.78.') \ - or ip.startswith('185.230.79.') \ - or ip.startswith('172.16.') \ - or ip.startwith('138.231.') \ - or ip.startwith('45.66.108.') \ - or ip.startwith('45.66.109.') \ - or ip.startwith('45.66.110.') \ - or ip.startwith('45.66.111.') \ - or ip.startswith('2a0c:700:') \ - or ip.startswith('2a09:6840:') \ - or ip.startswith("138.231.175.203") + return {{ moinmoin.ip_autorised | join(" \\\n or ")}} {% else %} return False {% endif %} @@ -195,3 +184,9 @@ class Config(FarmConfig): 'newaccount', 'recoverpass' ] {% endif %} + + # up the cookie lifetime since we fixed ACL linked to cookies and people + # are gettings disconnected more often, default is (0,12), which means 12h + # for logged in users and disabled for anonymous. + cookie_lifetime = (0, 7*24) + diff --git a/roles/moinmoin/templates/uwsgi/apps-available/moinmoin.ini.j2 b/roles/moinmoin/templates/uwsgi/apps-available/moinmoin.ini.j2 index 65fd8532..e06845d9 100644 
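Review bot: `return {{ moinmoin.ip_autorised | join(" \\\n or ")}}` makes `ip_autorised_create_account` execute whatever strings the inventory holds; the README confirms the values are Python conditions, so anyone who can edit group_vars can place arbitrary code in the wiki process, and the policy is no longer reviewable as data. Keep the logic in the template and the data in the variable, e.g. `return any(ip.startswith(p) for p in [{{ moinmoin.ip_autorised | map('to_json') | join(', ') }}])` with `ip_autorised` holding address prefixes; an empty list then returns `False` explicitly instead of falling through to a bare `return`. The `local_nets` list rendered from `moinmoin.new_account_ip` two hunks up appears to express the same allow-list, so one variable may be enough — worth confirming. The enclosing `class Config` starts outside this hunk.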
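Review bot: `cookie_lifetime = (0, 7*24)` raises the logged-in session lifetime from the 12h default to a week, which also lengthens the window in which a leaked or stolen session cookie stays valid; the comment gives the motivation but not the accepted trade-off, so add a sentence such as `# trade-off: a stolen cookie stays valid for up to 7 days`. If this MoinMoin version exposes `cookie_secure` and `cookie_httponly` (check the installed multiconfig), set both to `True` alongside it so the longer-lived cookie is at least not sent in clear or readable from scripts. Also `gettings` in the comment should read `getting`.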
--- a/roles/moinmoin/templates/uwsgi/apps-available/moinmoin.ini.j2 +++ b/roles/moinmoin/templates/uwsgi/apps-available/moinmoin.ini.j2 @@ -2,12 +2,13 @@ plugin = python chdir = /usr/share/moin/server/ wsgi-file = /usr/share/moin/server/moin.wsgi -max-request = 50 +max-request = 50 harakiri = 300 cheaper = 1 cheaper-initial = 1 die-on-term workers = 5 +processes = 5 reload-on-rss = 200M evil-reload-on-rss = 300M ksm = true diff --git a/roles/network-interfaces/templates/network/interfaces.d/ifalias.j2 b/roles/network-interfaces/templates/network/interfaces.d/ifalias.j2 index e9be1bf3..3f115582 100644 --- a/roles/network-interfaces/templates/network/interfaces.d/ifalias.j2 +++ b/roles/network-interfaces/templates/network/interfaces.d/ifalias.j2 @@ -6,8 +6,8 @@ auto {{ interfaces[item.name] }} iface {{ interfaces[item.name] }} inet dhcp iface {{ interfaces[item.name] }} inet6 auto {% else %} -{% set subnet_network = (query('ldap', 'network', vlan_name) | ansible.utils.ipaddr('network')) %} -{% set subnet_netmask = (query('ldap', 'network', vlan_name) | ansible.utils.ipaddr('netmask')) %} +{% set subnet_network = (lookup('ldap', 'network', vlan_name) | ansible.utils.ipaddr('network')) %} +{% set subnet_netmask = (lookup('ldap', 'network', vlan_name) | ansible.utils.ipaddr('netmask')) %} {% set ips = query('ldap', 'ip', ansible_hostname, vlan_name) %} {% if (ips | ansible.utils.ipv4 | length) > 0 %} auto {{ interfaces[item.name] }} diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 5b51da86..b4291500 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -43,6 +43,16 @@ - redirect notify: Reload nginx +- name: Create log directories + when: reverseproxy is defined + file: + path: /var/log/nginx/{{ item.from }} + state: directory + mode: 0755 + owner: root + with_items: + - "{{ reverseproxy.reverseproxy_sites }}" + - name: Activate reverse proxy sites when: reverseproxy is defined file: 
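Review bot: `processes = 5` is added next to the existing `workers = 5`; in uWSGI the two keys are aliases for the same setting, so this is a duplicate rather than a new option — drop one of them, or change the existing line if the intent was a different count. The `max-request` change shows no visible difference in the diff (presumably trailing whitespace), which is fine but worth a word in the commit message.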
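Review bot: `mode: 0755` in the new `Create log directories` task is an unquoted octal that the YAML 1.1 loader turns into the integer 493; Ansible happens to interpret that as 0755, but it is the pattern ansible-lint's risky-octal rule flags, and `mode: "0755"` removes the ambiguity (the same applies to `0440`, `0600` and `0700` in the `sudo` and `restic-client` tasks of this commit). No `group:` is set, so the directory keeps whatever group the creating process has — add `group: root` as the other `file` tasks do. `with_items: - "{{ reverseproxy.reverseproxy_sites }}"` is the legacy form; `loop: "{{ reverseproxy.reverseproxy_sites }}"` matches the other new tasks in this commit.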
diff --git a/roles/nginx/templates/nginx/sites-available/service.j2 b/roles/nginx/templates/nginx/sites-available/service.j2 index 66c95249..0d7be7e7 100644 --- a/roles/nginx/templates/nginx/sites-available/service.j2 +++ b/roles/nginx/templates/nginx/sites-available/service.j2 @@ -7,6 +7,10 @@ map $http_upgrade $connection_upgrade { '' close; } +{% for param in nginx.extra_params %} +{{ param }} +{% endfor %} + {% for upstream in nginx.upstreams -%} upstream {{ upstream.name }} { # Path of the server diff --git a/roles/ninjabot/README.md b/roles/ninjabot/README.md new file mode 100644 index 00000000..df4e4e38 --- /dev/null +++ b/roles/ninjabot/README.md @@ -0,0 +1,8 @@ +# NinjaBot + +NinjaBot (Prometheus) est utilisé pour relayer les alertes de Prometheus sur un +canal IRC. NinjaBot est cloné depuis le [repo](https://gitlab.crans.org/nounous/NinjaBot) + +## Variables + +ninjabot.config: variable du fichier de configuration ninjabot.json diff --git a/roles/ntp-client/README.md b/roles/ntp-client/README.md new file mode 100644 index 00000000..cd6fee30 --- /dev/null +++ b/roles/ntp-client/README.md @@ -0,0 +1,8 @@ +# NTP client + +Installe et configure un client ntp. + +## Variables + +glob_ntp_client: + servers: serveurs diff --git a/roles/ntp-server/README.md b/roles/ntp-server/README.md new file mode 100644 index 00000000..a9c827c1 --- /dev/null +++ b/roles/ntp-server/README.md @@ -0,0 +1,8 @@ +# NTP server + +Installe et configure un serveur NTP + +## Variables + +glob_ntp_server: + open: adresses ip diff --git a/roles/onlyoffice/README.md b/roles/onlyoffice/README.md new file mode 100644 index 00000000..a43180ff --- /dev/null +++ b/roles/onlyoffice/README.md @@ -0,0 +1,4 @@ +# Onlyoffice + +Ne marche pas. +Indique les étapes suivies pour l'installation et la configuration. diff --git a/roles/openssh/README.md b/roles/openssh/README.md new file mode 100644 index 00000000..65b25696 --- /dev/null +++ b/roles/openssh/README.md 
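Review bot: `{% for param in nginx.extra_params %}` has no default, so every host that renders `service.j2` must now define `nginx.extra_params` or the template fails with an undefined variable; write `{% for param in nginx.extra_params | default([]) %}`. The loop emits inventory strings verbatim at http level of the vhost file, so a short comment above it such as `{# raw nginx directives, emitted as-is #}` tells the next maintainer that these values are configuration code, not data.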
@@ -0,0 +1,3 @@ +# Openssh + +Installe et configure un serveur ssh. diff --git a/roles/owncloud-autofs/README.md b/roles/owncloud-autofs/README.md new file mode 100644 index 00000000..91c8ecb9 --- /dev/null +++ b/roles/owncloud-autofs/README.md @@ -0,0 +1,13 @@ +# Owncloud autofs + +Configure le automount dans Owncloud afin de permettre d'automatiquement monter +(et démonter) les homes adhérents. + +Remarque : autofs est utilisé pour Nextcloud. + +## Variables + +loc_ldap: + base_dn: base_dn + password: mot de passe + uri: serveur diff --git a/roles/owncloud/README.md b/roles/owncloud/README.md new file mode 100644 index 00000000..ffd2486d --- /dev/null +++ b/roles/owncloud/README.md @@ -0,0 +1,3 @@ +# Owncloud + +Installe et configure Owncloud. diff --git a/roles/prometheus-alertmanager/README.md b/roles/prometheus-alertmanager/README.md new file mode 100644 index 00000000..4db7e37b --- /dev/null +++ b/roles/prometheus-alertmanager/README.md @@ -0,0 +1,4 @@ +# Prometheus Alertmanager + +Installe et configure prometheus-alertmanager. Semble récupérer les alertes et +erreurs afin de les transmettre à NinjaBot (qui les envoie sur IRC). diff --git a/roles/prometheus/README.md b/roles/prometheus/README.md new file mode 100644 index 00000000..a3b6b283 --- /dev/null +++ b/roles/prometheus/README.md @@ -0,0 +1,12 @@ +# Prometheus + +Installe et configure prometheus. La liste des serveurs à monitorer est +automatiquement synchroniser avec le ldap (champ description: monitoring:) à +l'aide du script [prometheus-target](https://gitlab.crans.org/nounous/prometheus-target). + +## Variables + +prometheus: + tsdb: + retention_time: Durée de conservation maximale + retention_size: Taille maximale diff --git a/roles/proxmox-debian-images/README.md b/roles/proxmox-debian-images/README.md new file mode 100644 index 00000000..7bcc8e0c --- /dev/null +++ b/roles/proxmox-debian-images/README.md 
@@ -0,0 +1,11 @@ +# Proxmox-debian-images + +Initialise et télécharge des iso (typiquement debian) + +## Variables + +debian_images: + cron_timer: fréquence du cron + rsync_host: serveur + rsync_module: module + include_extra_images: précise si ubuntu et arch doivent être télécharger diff --git a/roles/qemu-guest-agent/README.md b/roles/qemu-guest-agent/README.md new file mode 100644 index 00000000..0085dced --- /dev/null +++ b/roles/qemu-guest-agent/README.md @@ -0,0 +1,3 @@ +# Qemu guest agent + +Installe qemu guest agent diff --git a/roles/restic-client/README.md b/roles/restic-client/README.md new file mode 100644 index 00000000..eff3303a --- /dev/null +++ b/roles/restic-client/README.md @@ -0,0 +1,21 @@ +# Restic client + +Restic client est déployé sur toutes les machines du crans. Il permet de +configurer les backups sur toutes les machines du crans. Plus d'information sur +la [documentation](gitlab.crans.org/nounous/documentation). + +## Variables + +glob_restic: (ou loc_restic dans host_vars) + config: + : + force_calendar: si n'existe pas, utilise une heure aléatoire, si existe + force une heure. + to_exclude: chemins à ne pas backuper + to_backup: chemins à backuper + retention: règles de conservations + remote: Serveurs sur lesquels les backups doivent être effectuées + +Remarque : il est possible de configurer plusieurs backups (notamment pour avoir +des rétentions différentes ou pour les séparer) en mettant plusieurs +configurations dans `config` (avec des noms différents). diff --git a/roles/restic-client/handlers/main.yml b/roles/restic-client/handlers/main.yml new file mode 100644 index 00000000..1c59875c --- /dev/null +++ b/roles/restic-client/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: Restart timer + service: + name: restic-{{ item }}.timer + state: restarted + loop: "{{ restic.config.keys() }}" + +- name: systemctl daemon-reload + systemd: + daemon_reload: true 
diff --git a/roles/restic-client/tasks/main.yml b/roles/restic-client/tasks/main.yml new file mode 100644 index 00000000..0c77d506 --- /dev/null +++ b/roles/restic-client/tasks/main.yml @@ -0,0 +1,75 @@ +--- +- name: Install restic + apt: + update_cache: true + name: + - restic + state: present + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Ensures /etc/restic exists + file: + path: /etc/restic + state: directory + mode: 0700 + owner: root + +- name: Deploy restic config + template: + src: "restic/base{{ item.1 }}.j2" + dest: /etc/restic/{{ item.0 }}{{ item.1 }} + mode: 0600 + owner: root + group: root + with_nested: + - "{{ restic.config }}" + - { .env, -excludes, -includes, -password, -repo } + notify: + - Restart timer + - systemctl daemon-reload + +- name: Deploy restic systemd + template: + src: "systemd/system/restic-base{{ item.1 }}.j2" + dest: /etc/systemd/system/restic-{{ item.0 }}{{ item.1 }} + mode: 0600 + owner: root + group: root + with_nested: + - "{{ restic.config }}" + - { .service, .timer } + notify: + - Restart timer + - systemctl daemon-reload + +- name: Init restic repository (Debian >=12) + command: + cmd: "restic init --repository-file /etc/restic/{{ item }}-repo --password-file /etc/restic/base-password" + register: restic_init + ignore_errors: true + loop: "{{ restic.config.keys() }}" + when: + - ansible_facts['distribution_major_version'] >= "12" + +- name: Init restic repository (Debian <12) + command: + cmd: "restic init --repo {{ restic.remote.0 + item }} --password-file /etc/restic/{{ item }}-password" + register: restic_init + ignore_errors: true + loop: "{{ restic.config.keys() }}" + when: + - ansible_facts['distribution_major_version'] < "12" + +- name: Indicate role in motd + template: + src: update-motd.d/04-service.j2 + dest: /etc/update-motd.d/04-restic + mode: 0755 + +- name: Enable timer + service: + name: restic-{{ item }}.timer + enabled: true + loop: "{{ restic.config.keys() }}" 
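Review bot: The `Init restic repository (Debian >=12)` task passes `--password-file /etc/restic/base-password`, but the config task deploys the password as `/etc/restic/{{ item.0 }}-password` (`base` is only the template's name), so on bookworm init fails for every repository and `ignore_errors: true` hides it; the line should be `cmd: "restic init --repository-file /etc/restic/{{ item }}-repo --password-file /etc/restic/{{ item }}-password"`. Both `when` guards compare the version as strings (`"9" >= "12"` is true), and `templates/restic/base.env.j2` repeats the same comparison; use `ansible_facts['distribution_major_version'] | int >= 12` (and `< 12`). Since init is expected to fail once the repository exists, `ignore_errors` should give way to something like `failed_when: restic_init.rc != 0 and 'already' not in restic_init.stderr` so authentication and network failures stay visible — confirm the exact text restic prints. The second term of both `with_nested` lists is a flow mapping (`{ .env, -excludes, ... }`) that only works because iterating a dict yields its keys; write it as a sequence, `[".env", "-excludes", "-includes", "-password", "-repo"]`.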
diff --git a/roles/restic-client/templates/restic/base-excludes.j2 b/roles/restic-client/templates/restic/base-excludes.j2 new file mode 100644 index 00000000..74c44686 --- /dev/null +++ b/roles/restic-client/templates/restic/base-excludes.j2 @@ -0,0 +1,3 @@ +{% for dir in restic.config[item.0].to_exclude %} +{{ dir }} +{% endfor %} diff --git a/roles/restic-client/templates/restic/base-includes.j2 b/roles/restic-client/templates/restic/base-includes.j2 new file mode 100644 index 00000000..9e65415d --- /dev/null +++ b/roles/restic-client/templates/restic/base-includes.j2 @@ -0,0 +1,3 @@ +{% for dir in restic.config[item.0].to_backup %} +{{ dir }} +{% endfor %} diff --git a/roles/restic-client/templates/restic/base-password.j2 b/roles/restic-client/templates/restic/base-password.j2 new file mode 100644 index 00000000..71801274 --- /dev/null +++ b/roles/restic-client/templates/restic/base-password.j2 @@ -0,0 +1 @@ +{{ vault.restic[ansible_hostname].repo_password[item.0] }} diff --git a/roles/restic-client/templates/restic/base-repo.j2 b/roles/restic-client/templates/restic/base-repo.j2 new file mode 100644 index 00000000..405c63a1 --- /dev/null +++ b/roles/restic-client/templates/restic/base-repo.j2 @@ -0,0 +1,3 @@ +{% for repo in restic.remote %} +{{ repo }}{{ item.0 }} +{% endfor %} diff --git a/roles/restic-client/templates/restic/base.env.j2 b/roles/restic-client/templates/restic/base.env.j2 new file mode 100644 index 00000000..61cdf890 --- /dev/null +++ b/roles/restic-client/templates/restic/base.env.j2 @@ -0,0 +1,13 @@ +{{ ansible_header | comment }} + +{% if ansible_facts['distribution_major_version'] >= "12" %} +RESTIC_REPOSITORY_FILE="/etc/restic/{{ item.0 }}-repo" +{% else %} +RESTIC_REPOSITORY="{{ restic.remote.0 + item.0 }}" +{% endif %} +RESTIC_PASSWORD_FILE="/etc/restic/{{ item.0 }}-password" + +RESTIC_CACHE_DIR="/var/cache/restic" +RESTIC_COMPRESSION="max" +RESTIC_PROGRESS_FPS=1 +RESTIC_PACK_SIZE="64M" 
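Review bot: `base-repo.j2` writes every entry of `restic.remote` on its own line, but the file is consumed through `--repository-file` (init task) and `RESTIC_REPOSITORY_FILE` (`base.env.j2`), which as far as I know read a single repository location, so a second remote would corrupt the value rather than add a backup target; render only `restic.remote.0` as the Debian <12 branch already does, or generate one set of units per remote. The role README in this commit presents `remote` as a list of servers, so document the single-remote limitation until that exists. `base-password.j2` places a vault secret in `/etc/restic/<name>-password`; the 0600/root mode set by the task covers it, but a one-line comment at the top of the template stating that the rendered file is secret would help whoever adds a new template next.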
diff --git a/roles/restic-client/templates/systemd/system/restic-base.service.j2 b/roles/restic-client/templates/systemd/system/restic-base.service.j2 new file mode 100644 index 00000000..99ff8409 --- /dev/null +++ b/roles/restic-client/templates/systemd/system/restic-base.service.j2 @@ -0,0 +1,19 @@ +{{ ansible_header | comment }} + +[Unit] +After=network-online.target +Wants=network-online.target +StartLimitBurst=3 +StartLimitInterval=24h + +[Service] +Restart=on-failure +RestartSec=30 + +EnvironmentFile=/etc/restic/{{ item.0 }}.env +ExecStartPre=restic unlock +ExecStart=restic backup --files-from=/etc/restic/{{ item.0 }}-includes --exclude-file=/etc/restic/{{ item.0 }}-excludes{{ restic.config[item.0].backup_extra_param | default("") }} +ExecStartPost=restic forget --prune{% for freq, n in restic.config[item.0].retention %} {{ freq }} {{ n }}{% endfor %} + +Type=oneshot +User=root diff --git a/roles/restic-client/templates/systemd/system/restic-base.timer.j2 b/roles/restic-client/templates/systemd/system/restic-base.timer.j2 new file mode 100644 index 00000000..b132a45f --- /dev/null +++ b/roles/restic-client/templates/systemd/system/restic-base.timer.j2 @@ -0,0 +1,14 @@ +{{ ansible_header | comment }} + +[Unit] + +[Timer] +{% if restic.config[item.0].force_calendar is defined %} +OnCalendar={{ restic.config[item.0].force_calendar }} +{% else %} +OnCalendar={{ 24 | random(seed=inventory_hostname+item.0) }}:{{ 60 | random(seed=inventory_hostname+item.0) }} +{% endif %} +Persistent=true + +[Install] +WantedBy=timers.target diff --git a/roles/restic-client/templates/update-motd.d/04-service.j2 b/roles/restic-client/templates/update-motd.d/04-service.j2 new file mode 100755 index 00000000..19e00b90 --- /dev/null +++ b/roles/restic-client/templates/update-motd.d/04-service.j2 @@ -0,0 +1,3 @@ +#!/usr/bin/tail +14 +{{ ansible_header | comment }} +> Restic (Client) a été déployé sur cette machine. Voir /etc/restic/. 
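Review bot: In `ExecStart=` the optional `backup_extra_param` is concatenated straight after the `--exclude-file=` path with no separator, so a value such as `--one-file-system` becomes part of the exclude file name; insert a space before the expansion, `--exclude-file=/etc/restic/{{ item.0 }}-excludes {{ restic.config[item.0].backup_extra_param | default("") }}` (a trailing space is harmless). `backup_extra_param` is not listed in the role README added in this commit, so either document it there or drop it. `Restart=on-failure` together with `Type=oneshot` is rejected by older systemd versions (Debian 10, if still in the fleet) — confirm on the oldest supported release. Since `restic forget --prune` runs after every backup and prune is the expensive step, a comment stating that this is deliberate would save the next reader a question.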
diff --git a/roles/root-config/README.md b/roles/root-config/README.md new file mode 100644 index 00000000..5ac4f9bc --- /dev/null +++ b/roles/root-config/README.md @@ -0,0 +1,3 @@ +# Root config + +Configure les différentes applications de root (typiquement nano et vim). diff --git a/roles/root-config/tasks/main.yml b/roles/root-config/tasks/main.yml index 4631e40d..44550cb6 100644 --- a/roles/root-config/tasks/main.yml +++ b/roles/root-config/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: Create or rewrite .nanorc for root +- name: Create or rewrite .nanorc and .vimrc for root template: src: "{{ item.src }}.j2" dest: /root/{{ item.dest }} diff --git a/roles/root/README.md b/roles/root/README.md new file mode 100644 index 00000000..99f1e374 --- /dev/null +++ b/roles/root/README.md @@ -0,0 +1,6 @@ +# Root + +Configure le mot de passe root. + +Remarque : Bien que le role `root` ne fasse que cela, le playbook root permet de +pré-configurer une vm entièrement (backups, sudoers, home_nounou, ...) diff --git a/roles/serial-tty/README.md b/roles/serial-tty/README.md new file mode 100644 index 00000000..f3bf44ed --- /dev/null +++ b/roles/serial-tty/README.md @@ -0,0 +1,3 @@ +# Serial tty + +Active un terminal série pour proxmox. diff --git a/roles/service/README.md b/roles/service/README.md new file mode 100644 index 00000000..9238c9c6 --- /dev/null +++ b/roles/service/README.md 
@@ -0,0 +1,25 @@ +# Service + +Permet d'installer et de configurer des services issues d'un git. En +parituclier, il sert à automatiquement configurer les scripts maisons du crans. + +## Variables + +```yaml +services: + name: nom du service + install_dir: chemin où le repo sera cloner + systemd: si existe, configure un systemd service + catégorie: par exemple Unit ou Service + option: valeur -> par exemple Restart: on-failure + timer: si existe, configure un timer systemd + catégorie: par exemple Timer + option: valeur -> par exemple OnCalendar: "23:59" + cron: si existe configure un cron + frequency: fréquence d'éxécution du cron + dependencies: liste des dépendances à installer (dans apt) + git: + remote: repo à cloner + version: version + config: variable à écrire dans le fichier de configuration {{ service.install_dir }}/{{ service.name }}.json +``` diff --git a/roles/service/handlers/main.yml b/roles/service/handlers/main.yml new file mode 100644 index 00000000..50c12b79 --- /dev/null +++ b/roles/service/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: Restart timer + service: + name: services-{{ service.name }}.timer + enabled: true + state: restarted + +- name: systemctl daemon-reload + systemd: + daemon_reload: true diff --git a/roles/service/tasks/main.yml b/roles/service/tasks/main.yml index 73fbfb59..db201dcf 100644 --- a/roles/service/tasks/main.yml +++ b/roles/service/tasks/main.yml 
@@ -57,6 +57,23 @@ dest: /etc/cron.d/services-{{ service.name }} when: service.cron is defined and service.cron.frequency is defined +- name: Deploy systemd service + template: + src: systemd/system/service.service.j2 + dest: /etc/systemd/system/services-{{ service.name }}.service + notify: + - systemctl daemon-reload + when: service.systemd is defined + +- name: Deploy systemd timer + template: + src: systemd/system/service.timer.j2 + dest: /etc/systemd/system/services-{{ service.name }}.timer + notify: + - Restart timer + - systemctl daemon-reload + when: service.timer is defined + - name: Deploy service configuration template: src: service/config.json diff --git a/roles/service/templates/systemd/system/service.service.j2 b/roles/service/templates/systemd/system/service.service.j2 new file mode 100644 index 00000000..3c433bb9 --- /dev/null +++ b/roles/service/templates/systemd/system/service.service.j2 @@ -0,0 +1,9 @@ +{{ ansible_header | comment }} + +{% for category in service.systemd %} + +[{{ category }}] +{% for option in service.systemd[category] %} +{{ option }}={{ service.systemd[category][option] }} +{% endfor %} +{% endfor %} diff --git a/roles/service/templates/systemd/system/service.timer.j2 b/roles/service/templates/systemd/system/service.timer.j2 new file mode 100644 index 00000000..2b8653a2 --- /dev/null +++ b/roles/service/templates/systemd/system/service.timer.j2 @@ -0,0 +1,9 @@ +{{ ansible_header | comment }} + +{% for category in service.timer %} + +[{{ category }}] +{% for option in service.timer[category] %} +{{ option }}={{ service.timer[category][option] }} +{% endfor %} +{% endfor %} diff --git a/roles/sudo/README.md b/roles/sudo/README.md new file mode 100644 index 00000000..269b7a96 --- /dev/null +++ b/roles/sudo/README.md @@ -0,0 +1,10 @@ +# Sudo + +Configure les sudoers. + +## Variables + +```yaml +sudo: + group: nom du groupe des sudoers +``` 
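Review bot: `service.service.j2` emits only what `service.systemd` contains, so a service whose variables omit `[Service] User=` runs as root by default; either render a `User=` line from a dedicated variable with a non-root default, or state in `roles/service/README.md` (earlier hunk) that `User` is mandatory under `Service`. Because `service.systemd[category]` is a YAML mapping, a directive that legitimately repeats (several `ExecStartPre=` or `Environment=` lines) cannot be expressed; accepting a list value and looping over it would fix that. The same two points apply to `service.timer.j2` in the following hunk.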
diff --git a/roles/sudo/tasks/main.yml b/roles/sudo/tasks/main.yml index 487a6587..2701c683 100644 --- a/roles/sudo/tasks/main.yml +++ b/roles/sudo/tasks/main.yml @@ -1,11 +1,10 @@ --- - name: Configure sudoers template: - src: "{{ item.src }}.j2" - dest: "/etc/{{ item.dst | default(item.src) }}" + src: "{{ item }}.j2" + dest: "/etc/{{ item }}" mode: 0440 loop: - - src: sudoers.d/custom_passprompt - - src: sudoers.d/group_privilege - - src: "sudoers.{{ ansible_distribution_release }}" - dst: "sudoers" + - sudoers.d/custom_passprompt + - sudoers.d/group_privilege + - sudoers diff --git a/roles/sudo/templates/sudoers.bookworm.j2 b/roles/sudo/templates/sudoers.bookworm.j2 deleted file mode 100644 index 9f018b88..00000000 --- a/roles/sudo/templates/sudoers.bookworm.j2 +++ /dev/null @@ -1,27 +0,0 @@ -{{ ansible_header | comment }} -# -# See the man page for details on how to write a sudoers file. -# -Defaults env_reset -Defaults mail_badpass -Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" - -# Host alias specification -User_Alias USERS= %_user -User_Alias NOUNOUS= %_nounou - -# User alias specification - -# Cmnd alias specification - -# User privilege specification -root ALL=(ALL:ALL) ALL - -{% if 'virtu' in group_names %} -# Pour vérifier quels vms sont sur quels virtus -USERS ALL=(root:ALL) NOPASSWD:/usr/sbin/qm list - -{% endif %} -# See sudoers(5) for more information on "@include" directives: - -@includedir /etc/sudoers.d diff --git a/roles/sudo/templates/sudoers.bullseye.j2 b/roles/sudo/templates/sudoers.bullseye.j2 deleted file mode 100644 index 9f018b88..00000000 --- a/roles/sudo/templates/sudoers.bullseye.j2 +++ /dev/null 
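Review bot: The `Configure sudoers` task writes `/etc/sudoers` and the `sudoers.d` drop-ins without a syntax check, so one template error locks every administrator out of sudo across the fleet in a single run; add `validate: /usr/sbin/visudo -cf %s` to the `template` task. Now that the loop covers the main file and the drop-ins alike, also pin `owner: root` and `group: root` next to `mode: 0440`, since sudo refuses files with other ownership.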
@@ -1,27 +0,0 @@ -{{ ansible_header | comment }} -# -# See the man page for details on how to write a sudoers file. -# -Defaults env_reset -Defaults mail_badpass -Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" - -# Host alias specification -User_Alias USERS= %_user -User_Alias NOUNOUS= %_nounou - -# User alias specification - -# Cmnd alias specification - -# User privilege specification -root ALL=(ALL:ALL) ALL - -{% if 'virtu' in group_names %} -# Pour vérifier quels vms sont sur quels virtus -USERS ALL=(root:ALL) NOPASSWD:/usr/sbin/qm list - -{% endif %} -# See sudoers(5) for more information on "@include" directives: - -@includedir /etc/sudoers.d diff --git a/roles/sudo/templates/sudoers.d/group_privilege.j2 b/roles/sudo/templates/sudoers.d/group_privilege.j2 index 2b7e31fd..f9566e10 100644 --- a/roles/sudo/templates/sudoers.d/group_privilege.j2 +++ b/roles/sudo/templates/sudoers.d/group_privilege.j2 @@ -1,3 +1,3 @@ {{ ansible_header | comment }} # Group privilege specification -NOUNOUS ALL=(ALL:ALL) ALL +{{ sudo.group }} ALL=(ALL:ALL) ALL diff --git a/roles/sudo/templates/sudoers.buster.j2 b/roles/sudo/templates/sudoers.j2 similarity index 85% rename from roles/sudo/templates/sudoers.buster.j2 rename to roles/sudo/templates/sudoers.j2 index 91b37793..ebca2611 100644 --- a/roles/sudo/templates/sudoers.buster.j2 +++ b/roles/sudo/templates/sudoers.j2 @@ -24,4 +24,4 @@ USERS ALL=(root:ALL) NOPASSWD:/usr/sbin/qm list {% endif %} # See sudoers(5) for more information on "@include" directives: -#includedir /etc/sudoers.d +{% if ansible_facts['distribution_major_version'] == "10" %}#{% else %}@{% endif %}includedir /etc/sudoers.d diff --git a/roles/wireguard/README.md b/roles/wireguard/README.md new file mode 100644 index 00000000..eed1c0a0 --- /dev/null +++ b/roles/wireguard/README.md 
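Review bot: `{{ sudo.group }} ALL=(ALL:ALL) ALL` replaces the alias `NOUNOUS`, which expanded to `%_nounou`; in sudoers a group is only recognised with a leading `%`, so if `sudo.group` holds a bare group name as the role README (`group: nom du groupe des sudoers`) suggests, the rule grants root to a user of that name, or to nobody, instead of to the group. Render `%{{ sudo.group }}` in the template, or document that the value must include the `%` itself. The `User_Alias NOUNOUS= %_nounou` line presumably still present in `sudoers.j2` is then unused — confirm and remove it.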
@@ -0,0 +1,19 @@ +# Wireguard + +Installe et configure wireguard + +## Variables + +loc_wireguard: + tunnels: + - name: nom + listen_port: port + private_key: clé privée + table: "off" + peers: + - public_key: clé publique de la machine distante + allowed_ips: ips autorisées + endpoint: ip:port (facultatif) + persistent_keepalive: int (facultatif) + post_up: actions après activation + pre_down: actions avant arrêt diff --git a/roles/zamok-tools/README.md b/roles/zamok-tools/README.md new file mode 100644 index 00000000..45135019 --- /dev/null +++ b/roles/zamok-tools/README.md @@ -0,0 +1,3 @@ +# Zamok tools + +Installe les logiciels nécessaire sur Zamok et configure les pages persos. diff --git a/shell.nix b/shell.nix new file mode 100644 index 00000000..284fd53d --- /dev/null +++ b/shell.nix @@ -0,0 +1,11 @@ +{ pkgs ? import {} }: + pkgs.mkShell { + buildInputs = with pkgs.buildPackages; [ + ansible_2_16 + python312 + python312Packages.jinja2 + python312Packages.jmespath # plays/dhcp.yml + python312Packages.python-ldap + ]; + LANG="C.UTF-8"; +}