Merge branch 'mise_a_niveau' into 'main'

Mise à jour de ansible

See merge request nounous/ansible!353

all.yml

@@ -12,10 +12,8 @@
 - import_playbook: plays/borgbackup_client.yml
 - import_playbook: plays/cas.yml
 - import_playbook: plays/certbot.yml
-- import_playbook: plays/constellation.yml
 - import_playbook: plays/dhcp.yml
 - import_playbook: plays/dns-authoritative.yml
-- import_playbook: plays/dns-recursive.yml
 - import_playbook: plays/dovecot.yml
 - import_playbook: plays/ethercalc.yml
 - import_playbook: plays/etherpad.yml
@@ -51,6 +49,7 @@
 - import_playbook: plays/radvd.yml
 - import_playbook: plays/re2o-ldap.yml
 - import_playbook: plays/re2o.yml
+- import_playbook: plays/restic_client.yml
 - import_playbook: plays/reverse-proxy.yml
 - import_playbook: plays/root.yml
 - import_playbook: plays/roundcube.yml
@@ -63,6 +62,5 @@
 - import_playbook: plays/unbound.yml
 - import_playbook: plays/utilities.yml
 - import_playbook: plays/vm_setup.yml
-- import_playbook: plays/vsftpd.yml
 - import_playbook: plays/wireguard.yml
 - import_playbook: plays/zamok.yml

group_vars/all/borg.yml

@@ -9,8 +9,7 @@ glob_borg:
     - /backup/borg-server
     - /backup/borg-adh
   remote:
-    - borg@backup-ft.adm.crans.org:/backup/borg-server/{{ ansible_hostname }}
+    - ssh://borg@backup-ft.adm.crans.org/backup/borg-server/{{ ansible_hostname }}
-    - borg@backup-thot.adm.crans.org:/backup/borg-server/{{ ansible_hostname }}
   retention:
     - ["daily", 4]
     - ["monthly", 6]

group_vars/all/home_nounou.yml

@@ -1,7 +1,7 @@
 ---
 glob_home_nounou:
   mounts:
-    - ip: "{{ query('ldap', 'ip4', 'tealc', 'adm') }}"
+    - ip: "{{ lookup('ldap', 'ip4', 'tealc', 'adm') }}"
       mountpoint: /pool/home
       target: /home_nounou
       name: home_nounou

group_vars/all/ldap.yml

@@ -3,8 +3,8 @@ glob_ldap:
   uri: 'ldap://yson-partou.adm.crans.org/'
   users_base: 'cn=Utilisateurs,dc=crans,dc=org'
   servers:
-    - "{{ query('ldap', 'ip4', 'wall-e', 'adm') }}"
+    - "{{ lookup('ldap', 'ip4', 'wall-e', 'adm') }}"
-#    - "{{ query('ldap', 'ip4', 'sam', 'adm') }}"
+#    - "{{ lookup('ldap', 'ip4', 'sam', 'adm') }}"
-#    - "{{ query('ldap', 'ip4', 'daniel', 'adm') }}"
+#    - "{{ lookup('ldap', 'ip4', 'daniel', 'adm') }}"
-#    - "{{ query('ldap', 'ip4', 'jack', 'adm') }}"
+#    - "{{ lookup('ldap', 'ip4', 'jack', 'adm') }}"
   base: 'dc=crans,dc=org'

group_vars/all/mirror.yml

@@ -1,10 +1,8 @@
 ---
 glob_mirror:
   hostname: mirror.adm.crans.org
-  ip: "{{ query('ldap', 'ip4', 'eclat', 'adm') }}"
+  ip: "{{ lookup('ldap', 'ip4', 'eclat', 'adm') }}"
 
 debian_mirror: http://mirror.adm.crans.org/debian
-ubuntu_mirror: http://mirror.adm.crans.org/ubuntu
 proxmox_mirror: http://mirror.adm.crans.org/proxmox/debian/pve
 debian_components: main contrib non-free
-ubuntu_components: main restricted universe multiverse

group_vars/all/network_interfaces.yml

@@ -3,12 +3,12 @@ glob_network_interfaces:
   vlan:
     - name: srv
       id: 2
-      gateway: "{{ query('ldap', 'ip4', 'passerelle', 'srv') }}"
+      gateway: "{{ lookup('ldap', 'ip4', 'passerelle', 'srv') }}"
-      gateway_v6: "{{ query('ldap', 'ip6', 'passerelle', 'srv') }}"
+      gateway_v6: "{{ lookup('ldap', 'ip6', 'passerelle', 'srv') }}"
     - name: srv_nat
       id: 3
-      gateway: "{{ query('ldap', 'ip4', 'passerelle', 'srv-nat') }}"
+      gateway: "{{ lookup('ldap', 'ip4', 'passerelle', 'srv-nat') }}"
-      gateway_v6: "{{ query('ldap', 'ip6', 'passerelle', 'srv-nat') }}"
+      gateway_v6: "{{ lookup('ldap', 'ip6', 'passerelle', 'srv-nat') }}"
     - name: san
       id: 4
       extra:
@@ -19,14 +19,14 @@ glob_network_interfaces:
         - "mtu 9000"
     - name: adm
       id: 10
-      dns: "{{ query('ldap', 'ip4', 'romanesco', 'adm') }}"
+      dns: "{{ lookup('ldap', 'ip4', 'romanesco', 'adm') }}"
     - name: adh
       id: 12
     - name: adh_adm
       id: 13
     - name: renater
       id: 38
-      gateway: "{{ query('ldap', 'ip4', 'dsi', 'renater') }}"
+      gateway: "{{ lookup('ldap', 'ip4', 'dsi', 'renater') }}"
     - name: lp
       id: 56
     - name: auto

group_vars/all/prometheus_nginx_exporter.yaml

@@ -1,3 +1,3 @@
 ---
 glob_prometheus_nginx_exporter:
-  listen_addr: "{{ query('ldap', 'ip4', ansible_hostname, 'adm') }}"
+  listen_addr: "{{ lookup('ldap', 'ip4', ansible_hostname, 'adm') }}"

group_vars/all/prometheus_node_exporter.yaml

@@ -1,3 +1,3 @@
 ---
 glob_prometheus_node_exporter:
-  listen_addr: "{{ query('ldap', 'ip4', ansible_hostname, 'adm') }}"
+  listen_addr: "{{ lookup('ldap', 'ip4', ansible_hostname, 'adm') }}"

group_vars/all/restic.yml

@@ -0,0 +1,17 @@
+---
+glob_restic:
+  config:
+    base:
+      to_exclude:
+        - /var/cache
+        - /var/lib/lxcfs
+      to_backup:
+        - /etc
+        - /var
+      retention:
+        - [--keep-daily, 2]
+        - [--keep-weekly, 2]
+        - [--keep-monthly, 2]
+        - [--keep-yearly, 1]
+  remote:
+    - rest:http://{{ ansible_hostname }}:{{ vault.restic[ansible_hostname].rest_password }}@172.16.10.14/{{ ansible_hostname }}/

group_vars/all/rsyslog_client.yml

@@ -1,3 +1,3 @@
 ---
 glob_rsyslog_client:
-  server: "{{ query('ldap', 'ip4', 'tealc', 'adm') }}"
+  server: "{{ lookup('ldap', 'ip4', 'tealc', 'adm') }}"

group_vars/all/ssh_known_hosts.yml

@@ -12,4 +12,4 @@ glob_service_ssh_known_hosts:
     frequency: "*/10 * * * *"
   config:
     ldap:
-      server: "ldaps://{{ query('ldap', 'ip4', 'wall-e', 'adm') }}"
+      server: "ldaps://{{ lookup('ldap', 'ip4', 'wall-e', 'adm') }}"

group_vars/all/sudo.yml

@@ -0,0 +1,3 @@
+---
+glob_sudo:
+  group: "NOUNOUS"

group_vars/arpproxy.yml

@@ -1,4 +1,5 @@
 ---
+# Semble mettre à jour les routes
 glob_service_proxy:
   git:
     remote: https://gitlab.adm.crans.org/nounous/proxy.git

group_vars/aurore/home_nounou.yml

@@ -1,7 +1,7 @@
 ---
 loc_home_nounou:
   mounts:
-    - ip: "{{ query('ldap', 'ip4', 'thot', 'adm') }}"
+    - ip: "{{ lookup('ldap', 'ip4', 'thot', 'adm') }}"
       mountpoint: /home_nounou
       target: /home_nounou
       name: home_nounou

group_vars/aurore/ldap.yml

@@ -1,4 +1,4 @@
 ---
 loc_ldap:
   servers:
-    - "{{ query('ldap', 'ip4', 'thot', 'adm') }}"
+    - "{{ lookup('ldap', 'ip4', 'thot', 'adm') }}"

group_vars/aurore/ssh_known_hosts.yml

@@ -2,4 +2,4 @@
 loc_service_ssh_known_hosts:
   config:
     ldap:
-      server: "ldaps://{{ query('ldap', 'ip4', 'thot', 'adm') }}"
+      server: "ldaps://{{ lookup('ldap', 'ip4', 'thot', 'adm') }}"

group_vars/bird.yml

@@ -49,4 +49,4 @@ glob_bird:
       ipv6: true
 
 glob_prometheus_bird_exporter:
-  listen_addr: "{{ query('ldap', 'ip4', ansible_hostname, 'adm') }}"
+  listen_addr: "{{ lookup('ldap', 'ip4', ansible_hostname, 'adm') }}"

group_vars/ceph_test.yml

@@ -1,3 +0,0 @@
-glob_ceph:
-  mirror: 'http://mirror.adm.crans.org/download.ceph.com/debian-quincy'
-  mirror_key: 'http://mirror.adm.crans.org/download.ceph.com/keys/release.asc'

group_vars/certbot.yml

@@ -15,7 +15,7 @@ glob_service_certbot:
   config:
     "crans.org":
       zone: _acme-challenge.crans.org
-      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
+      server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}"
       port: 53
       key:
         name: certbot_challenge.

group_vars/constellation.yml

@@ -1,47 +0,0 @@
----
-glob_constellation:
-  django_secret_key: "{{ vault.constellation.django_secret_key }}"
-  admins:
-    - ('Root', 'root@crans.org')
-  allowed_hosts:
-    - 'constellation.crans.org'
-    - 'intranet.crans.org'
-  email:
-    ssl: false
-    host: "{{ query('ldap', 'ip4', 'redisdead', 'adm') }}"
-    port: 25
-    user: ''
-    password: ''
-    from: "root@crans.org"
-    from_full: "Crans <root@crans.org>"
-  database:
-    host: "{{ query('ldap', 'ip4', 'tealc', 'adm') }}"
-    port: 5432
-    user: 'constellation'
-    password: "{{ vault.constellation.django_db_password }}"
-    name: 'constellation'
-  front: true
-  crontab: true
-  applications:
-    - 'access'
-    - 'billing'
-    - 'dnsmanager'
-    - 'firewall'
-    - 'layers'
-    - 'management'
-    - 'member'
-    - 'topography'
-    - 'unix'
-  stripe:
-    private_key: '{{ vault.constellation.stripe.live.private_key }}'
-    public_key: '{{ vault.constellation.stripe.live.public_key }}'
-  note:
-    url: 'https://note.crans.org/'
-    client_id: '{{ vault.constellation.note.client_id }}'
-    client_secret: '{{ vault.constellation.note.client_secret }}'
-  debug: false
-  owner: root
-  group: _nounou
-  version: main
-  settings_local_owner: www-data
-  settings_local_group: _nounou

group_vars/constellation_front.yml

@@ -1,30 +0,0 @@
----
-loc_nginx:
-  service_name: constellation
-  ssl: []
-  servers:
-    - ssl: false
-      default: true
-      server_name:
-        - "constellation.crans.org"
-        - "intranet.crans.org"
-      locations:
-        - filter: "/static"
-          params:
-            - "alias {% if constellation.version == 'main' %}/var/lib/constellation/static/{% else %}/var/local/constellation/static/{% endif %}"
-
-        - filter: "/media"
-          params:
-            - "alias {% if constellation.version == 'main' %}/var/lib/constellation/media/{% else %}/var/local/constellation/media/{% endif %}"
-
-        - filter: "/doc"
-          params:
-            - "alias /var/www/constellation-doc/"
-
-        - filter: "/"
-          params:
-            - "uwsgi_pass constellation"
-            - "include /etc/nginx/uwsgi_params"
-  upstreams:
-    - name: 'constellation'
-      server: 'unix:///var/run/uwsgi/app/constellation/constellation.sock'

group_vars/dhcp.yml

@@ -8,8 +8,5 @@ glob_service_dhcp:
   name: dhcp
   install_dir: /var/local/services/dhcp
   generated: true
-  cron:
-    frequency: "*/2 * * * *"
-    options: -q
   dependencies:
     - python3-jinja2

group_vars/django_cas.yml

@@ -6,14 +6,14 @@ glob_django_cas:
     dn: 'cn=Utilisateurs,dc=crans,dc=org'
     password: "{{ vault.cas.ldap.password }}"
     user: 'cn=cas,ou=service-users,dc=crans,dc=org'
-    server: "{{ query('ldap', 'ip4', 'yson-partou', 'adm') }}"
+    server: "{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}"
   db:
     host: tealc.adm.crans.org
     password: "{{ vault.cas.database.password }}"
   secret_key: "{{ vault.cas.secret_key }}"
   mail:
     address: 'root@crans.org'
-    host: "{{ query('ldap', 'ip4', 'redisdead', 'adm') }}"
+    host: "{{ lookup('ldap', 'ip4', 'redisdead', 'adm') }}"
     port: 25
 
 loc_nginx:

group_vars/dovecot.yml

@@ -1,7 +1,7 @@
 ---
 glob_dovecot:
   ldap:
-    uri: "ldap://{{ query('ldap', 'ip4', 'yson-partou', 'adm') }}/"
+    uri: "ldap://{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}/"
     dn: 'cn=dovecot,ou=service-users,dc=crans,dc=org'
     pass: "{{ vault.dovecot.dnpass }}"
     users_base: 'cn=Utilisateurs,dc=crans,dc=org'

group_vars/ethercalc.yml

@@ -1,3 +1,3 @@
 ---
 glob_ethercalc:
-  ip: "{{ query('ldap', 'ip4', ansible_hostname, 'adm') }}"
+  ip: "{{ lookup('ldap', 'ip4', ansible_hostname, 'adm') }}"

group_vars/galene.yml

@@ -36,4 +36,4 @@ service_nginx:
             - "proxy_pass http://localhost:8444"
 
 glob_galene:
-  version: 0.6.1
+  version: 0.96.3

group_vars/keepalived.yml

@@ -2,7 +2,7 @@
 glob_keepalived:
   mail_source: keepalived@crans.org
   mail_destination: root@crans.org
-  smtp_server: "{{ query('ldap', 'ip4', 'redisdead', 'adm') }}"
+  smtp_server: "{{ lookup('ldap', 'ip4', 'redisdead', 'adm') }}"
   routeur_id: "{{ ansible_hostname }}"
   pool:
     VI_ALL:
@@ -20,19 +20,19 @@ glob_keepalived:
           ipv6:
             - {ip: '2a0c:700:28::1/64', scope: 'global'}
         - vlan: srv
-          ipv4: "{{ query('ldap', 'ip4', 'passerelle', 'srv') }}/26"
+          ipv4: "{{ lookup('ldap', 'ip4', 'passerelle', 'srv') }}/26"
           ipv6:
-            - {ip: "{{ query('ldap', 'ip6', 'passerelle', 'srv') }}/64", scope: 'global'}
+            - {ip: "{{ lookup('ldap', 'ip6', 'passerelle', 'srv') }}/64", scope: 'global'}
             - {ip: 'fe80::1/64', scope: 'link'}
         - vlan: srv_nat
-          ipv4: "{{ query('ldap', 'ip4', 'passerelle', 'srv-nat') }}/24"
+          ipv4: "{{ lookup('ldap', 'ip4', 'passerelle', 'srv-nat') }}/24"
           ipv6:
-            - {ip: "{{ query('ldap', 'ip6', 'passerelle', 'srv-nat') }}/64", scope: 'global'}
+            - {ip: "{{ lookup('ldap', 'ip6', 'passerelle', 'srv-nat') }}/64", scope: 'global'}
             - {ip: 'fe80::1/64', scope: 'link'}
         - vlan: adh
-          ipv4: "{{ query('ldap', 'ip4', 'passerelle', 'adh') }}/24"
+          ipv4: "{{ lookup('ldap', 'ip4', 'passerelle', 'adh') }}/24"
           ipv6:
-            - {ip: "{{ query('ldap', 'ip6', 'passerelle', 'adh') }}/48", scope: 'global'}
+            - {ip: "{{ lookup('ldap', 'ip6', 'passerelle', 'adh') }}/48", scope: 'global'}
             - {ip: 'fe80::1/64', scope: 'link'}
         # - vlan: ens
         #   ipv4: 100.84.0.99/16

group_vars/mailman.yml

@@ -57,13 +57,13 @@ glob_mailman3:
   database:
     user: "mailman3"
     pass: "{{ vault.mailman3.database.pass }}"
-    host: "{{ query('ldap', 'ip4', 'tealc', 'adm') }}"
+    host: "{{ lookup('ldap', 'ip4', 'tealc', 'adm') }}"
     port: 5432
     name: "mailman3"
   web_database:
     user: "mailman3web"
     pass: "{{ vault.mailman3.web_database.pass }}"
-    host: "{{ query('ldap', 'ip4', 'tealc', 'adm') }}"
+    host: "{{ lookup('ldap', 'ip4', 'tealc', 'adm') }}"
     port: 5432
     name: "mailman3web"
   restadmin_pass: "{{ vault.mailman3.restadmin_pass }}"

group_vars/nginx.yml

@@ -1,6 +1,7 @@
 ---
 glob_nginx:
   contact: contact@crans.org
+  extra_params: []
   who: "L'équipe technique du Cr@ns"
   service_name: service
   ssl:

group_vars/postfix.yml

@@ -1,3 +1,3 @@
 ---
 glob_prometheus_postfix_exporter:
-  listen_addr: "{{ query('ldap', 'ip4', ansible_hostname, 'adm') }}"
+  listen_addr: "{{ lookup('ldap', 'ip4', ansible_hostname, 'adm') }}"

group_vars/prefix_delegation.yml

@@ -14,6 +14,6 @@ loc_service_prefix_delegation:
     prefix: "2a0c:700:12::"
     length: "48"
     ldap:
-      server: "ldaps://{{ query('ldap', 'ip4', 'flirt', 'adm') }}"
+      server: "ldaps://{{ lookup('ldap', 'ip4', 'flirt', 'adm') }}"
       binddn: "{{ vault.ldap_adh_reader.binddn }}"
       password: "{{ vault.ldap_adh_reader.bindpass }}"

group_vars/printer.yml

@@ -8,14 +8,14 @@ glob_printer:
     - 'imprimante.crans.org'
   email:
     ssl: false
-    host: "{{ query('ldap', 'ip4', 'redisdead', 'adm') }}"
+    host: "{{ lookup('ldap', 'ip4', 'redisdead', 'adm') }}"
     port: 25
     user: ''
     password: ''
     from: "root@crans.org"
     from_full: "Crans <root@crans.org>"
   database:
-    host: "{{ query('ldap', 'ip4', 'tealc', 'adm') }}"
+    host: "{{ lookup('ldap', 'ip4', 'tealc', 'adm') }}"
     port: 5432
     user: 'helloworld'
     password: "{{ vault.printer.django_db_password }}"
@@ -27,9 +27,9 @@ glob_printer:
     note_id: 2088
     note_alias: 'Crans'
   printer_name: 'Lexmark_X950_Series'
-  domain: "{{ query('ldap', 'ip4', 'printer', 'lp') }}"
+  domain: "{{ lookup('ldap', 'ip4', 'printer', 'lp') }}"
   scan_server:
-    address: "{{ query('ldap', 'ip4', ansible_hostname, 'lp') }}"
+    address: "{{ lookup('ldap', 'ip4', ansible_hostname, 'lp') }}"
     port: 9751
   debug: false
   owner: www-data
@@ -38,7 +38,7 @@ glob_printer:
   settings_local_owner: www-data
   settings_local_group: _nounou
   ldap:
-    uri: "ldaps://{{ query('ldap', 'ip4', 'tealc', 'adm') }}/"
+    uri: "ldaps://{{ lookup('ldap', 'ip4', 'tealc', 'adm') }}/"
     dn_template: uid=%(user)s,ou=passwd,dc=crans,dc=org
     group_search: ou=group,dc=crans,dc=org
     read_group: cn=_user,ou=group,dc=crans,dc=org

group_vars/prometheus.yml

@@ -13,7 +13,7 @@ glob_service_prometheus_target:
     options: ""
   config:
     ldap:
-      server: "ldaps://{{ query('ldap', 'ip4', 'wall-e', 'adm') }}"
+      server: "ldaps://{{ lookup('ldap', 'ip4', 'wall-e', 'adm') }}"
 
 glob_ninjabot:
   config:

group_vars/re2o.yml

@@ -9,7 +9,7 @@ glob_re2o:
     - 'intranet.adm.crans.org'
     - 're2o.crans.org'
     - 'intranet.crans.org'
-    - "{{ query('ldap', 'ip4', 're2o', 'adm') }}"
+    - "{{ lookup('ldap', 'ip4', 're2o', 'adm') }}"
   from_email: "root@crans.org"
   smtp_server: smtp.adm.crans.org
   ldap:
@@ -18,7 +18,7 @@ glob_re2o:
     dn: "{{ vault.slapd.re2o.admin.binddn }}"
   database:
     password: "{{ vault.re2o.database.password }}"
-    uri: "{{ query('ldap', 'ip4', 'tealc', 'adm') }}"
+    uri: "{{ lookup('ldap', 'ip4', 'tealc', 'adm') }}"
   optional_apps:
     - api
     - captcha

group_vars/re2o_front.yml

@@ -1,8 +1,8 @@
 ---
 glob_re2o_front:
   server_names:
-    - "{{ query('ldap', 'ip4', 're2o', 'adm') }}"
+    - "{{ lookup('ldap', 'ip4', 're2o', 'adm') }}"
-    - "[{{ query('ldap', 'ip6', 're2o', 'adm') }}]"
+    - "[{{ lookup('ldap', 'ip6', 're2o', 'adm') }}]"
     - re2o.adm.crans.org
     - intranet.adm.crans.org
     - re2o.crans.org

group_vars/re2o_ldap.yml

@@ -1,7 +1,7 @@
 ---
 glob_re2o_ldap:
   suffix: dc=crans,dc=org
-  url: "ldaps://{{ query('ldap', 'ip4', 'yson-partou', 'adm') }}:636"
+  url: "ldaps://{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}:636"
   root_password_hash: "{{ vault.slapd.re2o.admin.bindpass_hash }}"
   certificate: "{{ vault.slapd.re2o.certificate }}"
   private_key: "{{ vault.slapd.re2o.private_key }}"

group_vars/reverseproxy.yml

@@ -8,7 +8,7 @@ loc_service_certbot:
   config:
     "crans.org":
       zone: _acme-challenge.crans.org
-      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
+      server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}"
       port: 53
       key:
         name: certbot_challenge.
@@ -16,7 +16,7 @@ loc_service_certbot:
         algorithm: HMAC-SHA512
     "crans.eu":
       zone: _acme-challenge.crans.org
-      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
+      server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}"
       port: 53
       key:
         name: certbot_challenge.
@@ -24,7 +24,7 @@ loc_service_certbot:
         algorithm: HMAC-SHA512
     "crans.fr":
       zone: _acme-challenge.crans.org
-      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
+      server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}"
       port: 53
       key:
         name: certbot_challenge.
@@ -49,34 +49,35 @@ glob_reverseproxy:
     # Services web Crans
     - {from: belenios.crans.org, to: 172.16.10.111}
     - {from: cas.crans.org, to: 172.16.10.120}
-    - {from: constellation-dev.crans.org, to: 172.16.10.167}
     - {from: eclats.crans.org, to: 172.16.10.104}
-    - {from: ftps.crans.org, to: 172.16.10.113}
+    - {from: element.crans.org, to: "172.16.10.118"}
     - {from: ethercalc.crans.org, to: "172.16.10.133:8000"}
     - {from: framadate.crans.org, to: 172.16.10.109}
+    - {from: ftps.crans.org, to: 172.16.10.113}
     - {from: galene-token.crans.org, to: "172.16.10.115:3000"}
     - {from: grafana.crans.org, to: "172.16.10.121:3000"}
-    - {from: hedgedoc.crans.org, to: "172.16.10.128:3000"}
     - {from: helloworld.crans.org, to: 172.16.10.131}
+    - {from: hosts.crans.org, to: 172.16.10.114}
     - {from: imprimante.crans.org, to: 172.16.10.131}
     - {from: intranet.crans.org, to: 172.16.10.156}
     - {from: linx.crans.org, to: "172.16.10.119:8080"}
     - {from: lists.crans.org, to: 172.16.10.110}
-    - {from: matrix.crans.org, to: "172.16.10.123:8008"}
+    - {from: mediakiwi.crans.org, to: "172.16.10.144"}
     - {from: mirrors.crans.org, to: 172.16.10.104}
-    - {from: nextcloud.crans.org, to: 172.16.10.137}
+    - {from: nextcloud.crans.org, to: 172.16.10.146}
     - {from: onlyoffice.crans.org, to: 172.16.10.148}
     - {from: owncloud.crans.org, to: 172.16.10.136}
     - {from: pad.crans.org, to: "172.16.10.130:9001"}
+    - {from: pdf.crans.org, to: "172.16.10.140"}
     - {from: re2o.crans.org, to: 172.16.10.156}
     - {from: re2o-dev.crans.org, to: 172.16.10.166}
     - {from: roundcube.crans.org, to: 172.16.10.107}
     - {from: tmpad.crans.org, to: "172.16.10.130:9002"}
+    - {from: vaultwarden.crans.org, to: "172.16.10.159"}
     - {from: webirc.crans.org, to: "172.16.10.31:9000"}
     - {from: webmail.crans.org, to: 172.16.10.107}
     - {from: wiki.crans.org, to: 172.16.10.161}
     - {from: zero.crans.org, to: 172.16.10.130}
-    - {from: hosts.crans.org, to: 172.16.10.114}
 
     # Zamok
     - {from: amap.crans.org, to: 172.16.10.31}
@@ -84,10 +85,9 @@ glob_reverseproxy:
     - {from: perso.crans.org, to: 172.16.10.31}
 
   redirect_sites:
-    - {from: crans.org, to: www.crans.org}
-
     # Aliases or legacy support
     - {from: adopteunpingouin.crans.org, to: install-party.crans.org}
+    - {from: adopteunmanchot.crans.org, to: install-party.crans.org}
     - {from: clubs.crans.org, to: perso.crans.org}
     - {from: i-p.crans.org, to: install-party.crans.org}
     - {from: pot-vieux.crans.org, to: perso.crans.org/club-vieux}
@@ -97,7 +97,15 @@ glob_reverseproxy:
     - {from: tv.crans.org, to: wiki.crans.org/CransTv}
     - {from: wikipedia.crans.org, to: wiki.crans.org}
 
+    # To the wiki
+    - {from: mediawiki.crans.org, to: mediakiwi.crans.org}
+    
+    # To pdf
+    - {from: stirling.crans.org, to: pdf.crans.org}
+    - {from: stirling-pdf.crans.org, to: pdf.crans.org}
+
   static_sites:
     - autoconfig.crans.org
     - install-party.crans.org
+    - crans.org
     - www.crans.org

group_vars/routeurs_vm.yml

@@ -20,8 +20,8 @@ loc_dhcp:
       vlan: "adh"
       default_lease_time: "600"
       max_lease_time: "7200"
-      routers: "{{ query('ldap', 'ip4', 'passerelle', 'adh') }}"
+      routers: "{{ lookup('ldap', 'ip4', 'passerelle', 'adh') }}"
-      dns: ["{{ query('ldap', 'ip4', 'romanesco', 'adh') }}"]
+      dns: ["{{ lookup('ldap', 'ip4', 'romanesco', 'adh') }}"]
       domain_name: "adh.crans.org"
       domain_search: "adh.crans.org"
       options: []
@@ -31,9 +31,25 @@ loc_service_dhcp:
   git:
     remote: https://gitlab.adm.crans.org/nounous/dhcp.git
     version: main
-  cron:
+  systemd:
-    frequency: "*/2 * * * *"
+    Unit:
-    options: -r
+      After: network-online.target
+      Wants: network-online.target
+      StartLimitBurst: 3
+      StartLimitInterval: 40
+    Service:
+      Restart: on-failure
+      RestartSec: 10
+      ExecStart: "/usr/bin/python3 /var/local/services/dhcp/dhcp.py -r"
+      Type: oneshot
+      User: root
+  timer:
+    Unit: []
+    Timer:
+      OnCalendar: "*:0/2"
+      Persistent: true
+    Install:
+      WantedBy: timers.target
   config:
     ldap:
       server: ldaps://flirt.adm.crans.org

group_vars/slapd.yml

@@ -1,6 +1,6 @@
 ---
 glob_slapd:
-  master_ip: "{{ query('ldap', 'ip4', 'wall-e', 'adm') }}"
+  master_ip: "{{ lookup('ldap', 'ip4', 'wall-e', 'adm') }}"
   regex: "^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*|description:.*|location:.*)$"
   replication_credentials: "{{ vault.slapd.main.replication_credentials }}"
   private_key: "{{ vault.slapd.main.private_key }}"

group_vars/sssd.yml

@@ -4,17 +4,17 @@ glob_sssd:
     domain: wall-e.adm.crans.org
     enumerate: "true"
     servers:
-      - "ldaps://{{ query('ldap', 'ip4', 'wall-e', 'adm') }}/"
+      - "ldaps://{{ lookup('ldap', 'ip4', 'wall-e', 'adm') }}/"
-      - "ldaps://{{ query('ldap', 'ip4', 'sam', 'adm') }}/"
+      - "ldaps://{{ lookup('ldap', 'ip4', 'sam', 'adm') }}/"
-      - "ldaps://{{ query('ldap', 'ip4', 'daniel', 'adm') }}/"
+      - "ldaps://{{ lookup('ldap', 'ip4', 'daniel', 'adm') }}/"
-      - "ldaps://{{ query('ldap', 'ip4', 'jack', 'adm') }}/"
+      - "ldaps://{{ lookup('ldap', 'ip4', 'jack', 'adm') }}/"
     base: "dc=crans,dc=org"
   secondary:
     domain: yson-partou.adm.crans.org
     enumerate: "false"
     servers:
-      - "ldaps://{{ query('ldap', 'ip4', 'yson-partou', 'adm') }}/"
+      - "ldaps://{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}/"
-      - "ldaps://{{ query('ldap', 'ip4', 'terenez', 'adm') }}/"
+      - "ldaps://{{ lookup('ldap', 'ip4', 'terenez', 'adm') }}/"
     base: "dc=crans,dc=org"
     bind:
       dn: "{{ vault.sssd.secondary_ldap.binddn }}"

group_vars/thelounge.yml

@@ -20,7 +20,7 @@ glob_thelounge:
     join: "#general"
   ldap_enable: "false"
   ldap:
-    url: "ldap://{{ query('ldap', 'ip4', 'yson-partou', 'adm') }}"
+    url: "ldap://{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}"
     primaryKey: "cn"
     rootDN: "{{ vault.thelounge.ldap.rootDN }}"
     rootPassword: "{{ vault.thelounge.ldap.rootPassword }}"

group_vars/viarezo/home_nounou.yml

@@ -1,7 +1,7 @@
 ---
 loc_home_nounou:
   mounts:
-    - ip: "{{ query('ldap', 'ip4', 'ft', 'adm') }}"
+    - ip: "{{ lookup('ldap', 'ip4', 'ft', 'adm') }}"
       mountpoint: /home_nounou
       target: /home_nounou
       name: home_nounou

group_vars/viarezo/ldap.yml

@@ -1,4 +1,4 @@
 ---
 loc_ldap:
   servers:
-    - "{{ query('ldap', 'ip4', 'ft', 'adm') }}"
+    - "{{ lookup('ldap', 'ip4', 'ft', 'adm') }}"

group_vars/viarezo/ssh_known_hosts.yml

@@ -2,4 +2,4 @@
 loc_service_ssh_known_hosts:
   config:
     ldap:
-      server: "ldaps://{{ query('ldap', 'ip4', 'ft', 'adm') }}"
+      server: "ldaps://{{ lookup('ldap', 'ip4', 'ft', 'adm') }}"

group_vars/virtu.yml

@@ -5,6 +5,8 @@ glob_debian_images:
   rsync_module: 'mirror'
   include_extra_images: false
 
+# Semble servir à synchroniser les nounous et apprenti⋅es avec le ldap dans
+# proxmox
 glob_service_proxmox_user:
   git:
     remote: https://gitlab.adm.crans.org/nounous/proxmox-user.git
@@ -18,7 +20,7 @@ glob_service_proxmox_user:
   config:
     ldap:
       admin:
-        uri: "ldaps://{{ query('ldap', 'ip4', 'wall-e', 'adm') }}/"
+        uri: "ldaps://{{ lookup('ldap', 'ip4', 'wall-e', 'adm') }}/"
         userBase: "ou=passwd,dc=crans,dc=org"
         realm: "pam"
   dependencies:
@@ -34,7 +36,7 @@ loc_service_certbot:
   config:
     "adm.crans.org":
       zone: _acme-challenge.adm.crans.org
-      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
+      server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}"
       port: 53
       key:
         name: certbot_adm_challenge.

group_vars/virtu_adh.yml

@@ -1,4 +1,6 @@
 ---
+# Semble servir à synchroniser les nounous et apprenti⋅es avec le ldap dans
+# proxmox
 glob_service_proxmox_user:
   git:
     remote: https://gitlab.adm.crans.org/nounous/proxmox-user.git
@@ -12,11 +14,11 @@ glob_service_proxmox_user:
   config:
     ldap:
       admin:
-        uri: "ldaps://{{ query('ldap', 'ip4', 'wall-e', 'adm') }}/"
+        uri: "ldaps://{{ lookup('ldap', 'ip4', 'wall-e', 'adm') }}/"
         userBase: "ou=passwd,dc=crans,dc=org"
         realm: "pam"
       user:
-        uri: "ldaps://{{ query('ldap', 'ip4', 'flirt', 'adm') }}/"
+        uri: "ldaps://{{ lookup('ldap', 'ip4', 'flirt', 'adm') }}/"
         userBase: "ou=users,dc=adh,dc=crans,dc=org"
         realm: "pve"
         binddn: "{{ vault.ldap_adh_reader.binddn }}"

group_vars/wiki.yml

@@ -1,8 +1,53 @@
 ---
 glob_moinmoin:
+  data_dir: /var/local/wiki/data
+  front_page: PageAccueil
+  interwikiname: CransWiki
+  ip_autorised:
+    - ip.startswith('185.230.76.') # IPv4 Crans
+    - ip.startswith('185.230.77.')
+    - ip.startswith('185.230.78.')
+    - ip.startswith('185.230.79.')
+    - ip.startswith('172.16.')     # IPv4 local
+    - ip.startswith('138.231.')
+    - ip.startswith('45.66.108.')  # IPv4 Aurore
+    - ip.startswith('45.66.109.')
+    - ip.startswith('45.66.110.')
+    - ip.startswith('45.66.111.')
+    - ip.startswith('2a0c:700:')   # IPv6 Crans
+    - ip.startswith('2a09:6840:')  # IPv6 Aurore
+  mail:
+    from: Crans Wiki <wiki@crans.org>
+    server: smtp.adm.crans.org
   main: false
+  new_account_ip:
+    - 45.66.108.0/22,     # IPv4 Aurore
+    - 100.64.0.0/10,      # IPv4 adherents
+    - 138.231.175.203/32, # IPv4 PC Kfet
+    - 172.16.0.0/16,      # IPv4 local
+    - 185.230.76.0/22,    # IPv4 Crans
+    - 2a0c:700::/32,      # IPv6 Crans
+    - 2a09:6840::/32,     # IPv6 Aurore
+  site_name: Crans Wiki
+  superuser:
+    - u"Benjamin"
+    - u"DsAc"
+    - u"PeBecue"
+    - u"SolalNathan"
+    - u"VanilleNiven"
+    - u"WikiAeltheos"
+    - u"WikiBleizi"
+    - u"WikiGabo"
+    - u"WikiKorenstin"
+    - u"WikiLzebulon"
+    - u"WikiPigeonMoelleux"
+    - u"WikiPollion"
+    - u"WikiShirenn"
+    - u"Wiki20-100"
 
 loc_nginx:
+  extra_params:
+    - "limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;"
   service_name: wiki
   ssl: []
   servers:
@@ -33,6 +78,7 @@ loc_nginx:
 
         - filter: "/"
           params:
+            - "limit_req zone=mylimit burst=100 nodelay"
             - "uwsgi_pass unix:///var/run/uwsgi/app/moinmoin/socket"
             - "include uwsgi_params"
 

host_vars/apprentis.adm.crans.org.yml

@@ -7,3 +7,20 @@ loc_unattended:
 
 loc_needrestart:
   override: []
+
+loc_borg:
+  to_backup:
+    - /etc
+    - /home_nounou
+    - /var
+
+loc_restic:
+  config:
+    base:
+      to_backup:
+        - /etc
+        - /home_nounou
+        - /var
+
+loc_sudo:
+  group: "USERS"

host_vars/backup-ft.adm.crans.org.yml

@@ -10,14 +10,14 @@ loc_needrestart:
 
 loc_home_nounou:
   mounts:
-    - ip: "{{ query('ldap', 'ip4', 'ft', 'adm') }}"
+    - ip: "{{ lookup('ldap', 'ip4', 'ft', 'adm') }}"
       mountpoint: /home_nounou
       target: /home_nounou
       name: home_nounou
       owner: root
       group: _user
       mode: '0750'
-    - ip: "{{ query('ldap', 'ip4', 'ft', 'adm') }}"
+    - ip: "{{ lookup('ldap', 'ip4', 'ft', 'adm') }}"
       mountpoint: /rpool/backup
       target: /backup
       name: backup

host_vars/backup-thot.adm.crans.org.yml

@@ -1,26 +0,0 @@
----
-interfaces:
-  adm: ens18
-
-loc_unattended:
-  reboot: true
-
-loc_needrestart:
-  override: []
-
-loc_home_nounou:
-  mounts:
-    - ip: "{{ query('ldap', 'ip4', 'thot', 'adm') }}"
-      mountpoint: /home_nounou
-      target: /home_nounou
-      name: home_nounou
-      owner: root
-      group: _user
-      mode: '0750'
-    - ip: "{{ query('ldap', 'ip4', 'thot', 'adm') }}"
-      mountpoint: /rpool/backup
-      target: /backup
-      name: backup
-      owner: root
-      group: root
-      mode: '0755'

host_vars/boeing.adm.crans.org.yml

@@ -18,9 +18,9 @@ loc_wireguard:
       peers:
         - public_key: "{{ vault.wireguard.sputnik.pubkey }}"
           allowed_ips:
-            - "{{ query('ldap', 'ip4', 'sputnik', 'adm') }}/32"
+            - "{{ lookup('ldap', 'ip4', 'sputnik', 'adm') }}/32"
-            - "{{ query('ldap', 'ip6', 'sputnik', 'adm') }}/128"
+            - "{{ lookup('ldap', 'ip6', 'sputnik', 'adm') }}/128"
-          endpoint: "{{ query('ldap', 'ip4', 'sputnik', 'srv') }}:51820"
+          endpoint: "{{ lookup('ldap', 'ip4', 'sputnik', 'srv') }}:51820"
       post_up:
         - "sysctl -w net.ipv4.conf.%i.proxy_arp=1"
         - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1"
@@ -36,7 +36,7 @@ loc_wireguard:
       peers:
         - public_key: "{{ vault.wireguard.routeur_ft.pubkey }}"
           allowed_ips:
-            - "{{ query('ldap', 'network', 'adm') }}"
+            - "{{ lookup('ldap', 'network', 'adm') }}"
             - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
           persistent_keepalive: 25
       post_up:
@@ -54,7 +54,7 @@ loc_wireguard:
       peers:
         - public_key: "{{ vault.wireguard.routeur_thot.pubkey }}"
           allowed_ips:
-            - "{{ query('ldap', 'network', 'adm') }}"
+            - "{{ lookup('ldap', 'network', 'adm') }}"
             - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
           persistent_keepalive: 25
       post_up:
@@ -69,7 +69,7 @@ loc_wireguard:
 loc_service_proxy:
   config:
     ldap:
-      - server: "ldaps://{{ query('ldap', 'ip4', 'wall-e', 'adm') }}/"
+      - server: "ldaps://{{ lookup('ldap', 'ip4', 'wall-e', 'adm') }}/"
     protocol: "proxy"
     filter: ".adm.crans.org"
     proxy:

host_vars/cameron.adm.crans.org.yml

@@ -10,6 +10,28 @@ loc_borg:
     - /var/mail
     - /var/lib/lxcfs
 
+loc_restic:
+  config:
+    base:
+      to_exclude:
+        - /var/cache
+        - /var/mail
+        - /var/lib/lxcfs
+    pool:
+      to_exclude:
+        - "*.pyc"
+        - "\\#*\\#"
+        - "*~"
+      to_backup:
+        - /pool/home
+        - /pool/mail
+      retention:
+        - [--keep-daily, 4]
+        - [--keep-weekly, 4]
+        - [--keep-monthly, 6]
+      backup_extra_param: " --exclude-if-present .nobackup"
+
+# Semble créer les homes des nouvelleaux adhérent⋅es
 loc_service_home:
   name: home
   install_dir: /var/local/services/home
@@ -23,7 +45,7 @@ loc_service_home:
     version: master
   config:
     ldap:
-      server: "ldap://{{ query('ldap', 'ip4', 'yson-partou', 'adm') }}/"
+      server: "ldap://{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}/"
       binddn: "{{ vault.services.home.ldap.binddn }}"
       basedn: cn=Utilisateurs,dc=crans,dc=org
       password: "{{ vault.services.home.ldap.bindpass }}"
@@ -34,6 +56,7 @@ loc_service_home:
       path: /pool/mail
       quota: 10G
 
+# Semble faire les backups des homes individuellement avec borg
 loc_service_borg:
   name: borg
   install_dir: /var/local/services/borg
@@ -48,7 +71,7 @@ loc_service_borg:
     version: main
   config:
     ldap:
-      server: "ldap://{{ query('ldap', 'ip4', 'yson-partou', 'adm') }}"
+      server: "ldap://{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}"
       binddn: "{{ vault.services.home.ldap.binddn }}"
       rootdn: cn=Utilisateurs,dc=crans,dc=org
       password: "{{ vault.services.home.ldap.bindpass }}"

host_vars/cephiroth.adm.crans.org

@@ -1,17 +0,0 @@
----
-interfaces:
-  disable: true
-
-loc_needrestart:
-  override: []
-
-loc_borg:
-  to_backup:
-    - /etc
-    - /home_nounou
-    - /var
-
-loc_slapd:
-  ip: "{{ query('ldap', 'ip4', 'cephiroth', 'adm') }}"
-  replica: true
-  replica_rid: 5

host_vars/chene.adm.crans.org.yml

@@ -1,7 +1,6 @@
 ---
 interfaces:
   adm: ens18
-  srv_nat: ens19
 
 loc_unattended:
   reboot: true

host_vars/constellation-dev.adm.crans.org.yml

@@ -1,38 +0,0 @@
----
-interfaces:
-  adm: eth0
-  srv_nat: eth1
-
-loc_unattended:
-  reboot: true
-
-loc_needrestart:
-  override: []
-
-loc_constellation:
-  allowed_hosts:
-    - 'constellation-dev.crans.org'
-  database:
-    host: '127.0.0.1'
-    user: 'constellation-dev'
-    name: 'constellation-dev'
-  applications:
-    - 'access'
-    - 'billing'
-    - 'debug'
-    - 'dnsmanager'
-    - 'firewall'
-    - 'layers'
-    - 'management'
-    - 'member'
-    - 'topography'
-    - 'unix'
-  stripe:
-    private_key: '{{ vault.constellation.stripe.test.private_key }}'
-    public_key: '{{ vault.constellation.stripe.test.public_key }}'
-  note:
-    url: 'https://note-dev.crans.org/'
-    client_id: '{{ vault.constellation.note.client_id }}'
-    client_secret: '{{ vault.constellation.note.client_secret }}'
-  debug: true
-  version: dev

host_vars/daneel.adm.crans.org.yml

@@ -1,8 +0,0 @@
----
-interfaces:
-  disable: true
-  adm: ens18
-  san: ens19
-
-loc_needrestart:
-  override: []

host_vars/daniel.adm.crans.org.yml

@@ -6,7 +6,7 @@ loc_needrestart:
   override: []
 
 loc_slapd:
-  ip: "{{ query('ldap', 'ip4', 'daniel', 'adm') }}"
+  ip: "{{ lookup('ldap', 'ip4', 'daniel', 'adm') }}"
   replica: true
   replica_rid: 2
 

host_vars/eclaircie.adm.crans.org.yml

@@ -1,7 +1,8 @@
 ---
 interfaces:
   adm: ens18
-  srv: ens19
+  san: ens19
+  srv_nat: ens20
 
 loc_unattended:
   reboot: true

host_vars/eclat.adm.crans.org.yml

@@ -12,7 +12,7 @@ loc_needrestart:
 
 loc_nfs_mount:
   mounts:
-    - ip: "{{ query('ldap', 'ip4', 'tealc', 'san') }}"
+    - ip: "{{ lookup('ldap', 'ip4', 'tealc', 'san') }}"
       mountpoint: /pool/mirror
       target: /mirror
       name: mirror

host_vars/ft.adm.crans.org.yml

@@ -11,7 +11,15 @@ loc_borg:
     - /home_nounou
     - /var
 
+loc_restic:
+  config:
+    base:
+      to_backup:
+        - /etc
+        - /home_nounou
+        - /var
+
 loc_slapd:
-  ip: "{{ query('ldap', 'ip4', 'ft', 'adm') }}"
+  ip: "{{ lookup('ldap', 'ip4', 'ft', 'adm') }}"
   replica: true
   replica_rid: 6

host_vars/fyre.adm.crans.org.yml

@@ -10,33 +10,6 @@ loc_needrestart:
   override: []
 
 loc_prometheus:
-  node:
-    config:
-      - job_name: servers
-        file_sd_configs:
-          - files:
-              - '/etc/prometheus/targets/node.json'
-        relabel_configs:
-          - source_labels: [__address__]
-            target_label: __param_target
-          - source_labels: [__param_target]
-            target_label: instance
-          - source_labels: [__param_target]
-            target_label: __address__
-            replacement: '$1:9100'
-
-  nginx:
-    config:
-      - job_name: nginx
-        file_sd_configs:
-          - files:
-              - '/etc/prometheus/targets/nginx.json'
-        relabel_configs:
-          - source_labels: [__address__]
-            target_label: instance
-          - source_labels: [instance]
-            target_label: __address__
-            replacement: '$1:9117'
 
   apache:
     config:
@@ -50,29 +23,59 @@ loc_prometheus:
             target_label: __address__
             replacement: '$1:9117'
 
+  bind:
+    config:
+      - job_name: bind
+        file_sd_configs:
+          - files:
+              - '/etc/prometheus/targets/bind.json'
+        relabel_configs:
+          - source_labels: [__address__]
+            target_label: __param_target
+          - source_labels: [__param_target]
+            target_label: instance
+          - source_labels: [__param_target]
+            target_label: __address__
+            replacement: '$1:9119'
+
+  bird:
+    config:
+      - job_name: bird
+        file_sd_configs:
+          - files:
+              - '/etc/prometheus/targets/bird.json'
+        relabel_configs:
+          - source_labels: [__address__]
+            target_label: __param_target
+          - source_labels: [__param_target]
+            target_label: instance
+          - source_labels: [__param_target]
+            target_label: __address__
+            replacement: '$1:9324'
+
   blackbox:
     file: targets/blackbox.json
     targets:
+      - http://ftp.crans.org/
+      - https://cas.crans.org/
       - https://crans.org/
       - https://www.crans.org/
-      - https://webirc.crans.org/
-      - https://jitsi.crans.org/
-      - https://ftps.crans.org/
-      - http://ftp.crans.org/
-      - https://grafana.crans.org/
-      - https://roundcube.crans.org/
-      - https://zero.crans.org/
-      - https://wiki.crans.org/PageAccueil
-      - https://framadate.crans.org/
-      - https://pad.crans.org/
-      - https://lists.crans.org/
-      - https://cas.crans.org/
       - https://ethercalc.crans.org/
+      - https://framadate.crans.org/
+      - https://ftps.crans.org/
       - https://gitlab.crans.org/
-      - https://perso.crans.org/crans/
+      - https://grafana.crans.org/
       - https://install-party.crans.org/
       - https://intranet.crans.org/
+      - https://jitsi.crans.org/
+      - https://lists.crans.org/
       - https://owncloud.crans.org/
+      - https://pad.crans.org/
+      - https://perso.crans.org/crans/
+      - https://roundcube.crans.org/
+      - https://webirc.crans.org/
+      - https://wiki.crans.org/PageAccueil
+      - https://zero.crans.org/
     config:
       - job_name: blackbox
         file_sd_configs:
@@ -106,27 +109,30 @@ loc_prometheus:
           - target_label: __address__
             replacement: 127.0.0.1:9115
 
-  bird:
+  ilo_snmp:
     config:
-      - job_name: bird
+      - job_name: ilo_snmp
         file_sd_configs:
           - files:
-              - '/etc/prometheus/targets/bird.json'
+              - '/etc/prometheus/targets/ilo_snmp.json'
+        metrics_path: '/snmp'
+        params:
+          module:
+            - ilo
         relabel_configs:
           - source_labels: [__address__]
             target_label: __param_target
           - source_labels: [__param_target]
             target_label: instance
-          - source_labels: [__param_target]
+          - replacement: '127.0.0.1:9116'
             target_label: __address__
-            replacement: '$1:9324'
 
-  bind:
+  mtail:
     config:
-      - job_name: bind
+      - job_name: mtail
         file_sd_configs:
           - files:
-              - '/etc/prometheus/targets/bind.json'
+              - '/etc/prometheus/targets/mtail.json'
         relabel_configs:
           - source_labels: [__address__]
             target_label: __param_target
@@ -134,7 +140,50 @@ loc_prometheus:
             target_label: instance
           - source_labels: [__param_target]
             target_label: __address__
-            replacement: '$1:9119'
+            replacement: '$1:3903'
+
+  mysql:
+    config:
+      - job_name: mysql
+        file_sd_configs:
+          - files:
+              - '/etc/prometheus/targets/mysql.json'
+        relabel_configs:
+          - source_labels: [__address__]
+            target_label: __param_target
+          - source_labels: [__param_target]
+            target_label: instance
+          - source_labels: [__param_target]
+            target_label: __address__
+            replacement: '$1:9104'
+
+  nginx:
+    config:
+      - job_name: nginx
+        file_sd_configs:
+          - files:
+              - '/etc/prometheus/targets/nginx.json'
+        relabel_configs:
+          - source_labels: [__address__]
+            target_label: instance
+          - source_labels: [instance]
+            target_label: __address__
+            replacement: '$1:9117'
+
+  node:
+    config:
+      - job_name: servers
+        file_sd_configs:
+          - files:
+              - '/etc/prometheus/targets/node.json'
+        relabel_configs:
+          - source_labels: [__address__]
+            target_label: __param_target
+          - source_labels: [__param_target]
+            target_label: instance
+          - source_labels: [__param_target]
+            target_label: __address__
+            replacement: '$1:9100'
 
   postfix:
     config:
@@ -166,54 +215,50 @@ loc_prometheus:
             target_label: __address__
             replacement: '$1:9187'
 
-  mysql:
+  printer_snmp:
     config:
-      - job_name: mysql
+      - job_name: printer_snmp
-        file_sd_configs:
+        static_configs:
-          - files:
+          - targets: ["printer.lp.crans.org"]
-              - '/etc/prometheus/targets/mysql.json'
-        relabel_configs:
-          - source_labels: [__address__]
-            target_label: __param_target
-          - source_labels: [__param_target]
-            target_label: instance
-          - source_labels: [__param_target]
-            target_label: __address__
-            replacement: '$1:9104'
-
-  mtail:
-    config:
-      - job_name: mtail
-        file_sd_configs:
-          - files:
-              - '/etc/prometheus/targets/mtail.json'
-        relabel_configs:
-          - source_labels: [__address__]
-            target_label: __param_target
-          - source_labels: [__param_target]
-            target_label: instance
-          - source_labels: [__param_target]
-            target_label: __address__
-            replacement: '$1:3903'
-
-  ilo_snmp:
-    config:
-      - job_name: ilo_snmp
-        file_sd_configs:
-          - files:
-              - '/etc/prometheus/targets/ilo_snmp.json'
         metrics_path: '/snmp'
         params:
           module:
-            - ilo
+            - printer_mib
         relabel_configs:
           - source_labels: [__address__]
             target_label: __param_target
           - source_labels: [__param_target]
             target_label: instance
-          - replacement: '127.0.0.1:9116'
+          - replacement: "{{ lookup('ldap', 'ip4', 'helloworld', 'adm') }}:9116"
             target_label: __address__
 
+  synapse:
+    config:
+      - job_name: synapse
+        static_configs:
+          - targets: ["matrix.crans.org"]
+        scrape_interval: 15s
+        metrics_path: "/_synapse/metrics"
+
+  jitsi:
+    config:
+      - job_name: jitsi
+        static_configs:
+          - targets: ["jitsi.adm.crans.org"]
+        relabel_configs:
+          - source_labels: [__address__]
+            target_label: __param_target
+          - source_labels: [__param_target]
+            target_label: instance
+          - source_labels: [__param_target]
+            target_label: __address__
+            replacement: '$1:9700'
+      
+
+  tsdb:
+    retention_time: "180d"
+    retention_size: "200GB"
+
   ups_snmp:
     config:
       - job_name: ups_snmp
@@ -233,23 +278,3 @@ loc_prometheus:
             target_label: instance
           - replacement: 127.0.0.1:9116
             target_label: __address__
-
-  printer_snmp:
-    config:
-      - job_name: printer_snmp
-        static_configs:
-          - targets: ["printer.lp.crans.org"]
-        metrics_path: '/snmp'
-        params:
-          module:
-            - printer_mib
-        relabel_configs:
-          - source_labels: [__address__]
-            target_label: __param_target
-          - source_labels: [__param_target]
-            target_label: instance
-          - replacement: "{{ query('ldap', 'ip4', 'helloworld', 'adm') }}:9116"
-            target_label: __address__
-  tsdb:
-    retention_time: "180d"
-    retention_size: "200GB"

host_vars/gitzly.adm.crans.org.yml

@@ -22,7 +22,7 @@ loc_service_certbot:
   config:
     "crans.org":
       zone: _acme-challenge.crans.org
-      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
+      server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}"
       port: 53
       key:
         name: certbot_challenge.
@@ -30,7 +30,7 @@ loc_service_certbot:
         algorithm: HMAC-SHA512
     "adm.crans.org":
       zone: _acme-challenge.adm.crans.org
-      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
+      server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}"
       port: 53
       key:
         name: certbot_adm_challenge.

host_vars/helloworld.adm.crans.org.yml

@@ -11,4 +11,4 @@ loc_needrestart:
   override: []
 
 loc_snmp_exporter:
-  listen_address: "{{ query('ldap', 'ip4', 'helloworld', 'adm') }}:9116"
+  listen_address: "{{ lookup('ldap', 'ip4', 'helloworld', 'adm') }}:9116"

host_vars/irc.adm.crans.org.yml

@@ -54,22 +54,22 @@ loc_inspircd:
     - name: crans.org
     - name: adm.crans.org
   bind:
-    - address: "{{ query('ldap', 'ip4', 'irc', 'srv') }}"
+    - address: "{{ lookup('ldap', 'ip4', 'irc', 'srv') }}"
       type: clients
       clair: 6667
       ssl: 6697
       certificate: crans.org
-    - address: "{{ query('ldap', 'ip6', 'irc', 'srv') }}"
+    - address: "{{ lookup('ldap', 'ip6', 'irc', 'srv') }}"
       type: clients
       clair: 6667
       ssl: 6697
       certificate: crans.org
-    - address: "{{ query('ldap', 'ip4', 'irc', 'adm') }}"
+    - address: "{{ lookup('ldap', 'ip4', 'irc', 'adm') }}"
       type: clients
       clair: 6667
       ssl: 6697
       certificate: adm.crans.org
-    - address: "{{ query('ldap', 'ip6', 'irc', 'adm') }}"
+    - address: "{{ lookup('ldap', 'ip6', 'irc', 'adm') }}"
       type: clients
       clair: 6667
       ssl: 6697
@@ -80,28 +80,28 @@ loc_inspircd:
   connect:
     - name: zamok
       allows:
-        ipv4: "{{ query('ldap', 'ip4', 'zamok', 'srv') }}/32"
+        ipv4: "{{ lookup('ldap', 'ip4', 'zamok', 'srv') }}/32"
-        ipv6: "{{ query('ldap', 'ip6', 'zamok', 'srv') }}/128"
+        ipv6: "{{ lookup('ldap', 'ip6', 'zamok', 'srv') }}/128"
       threshold: 1
     - name: irc
       allows:
-        ipv4: "{{ query('ldap', 'ip4', 'irc', 'srv') }}/32"
+        ipv4: "{{ lookup('ldap', 'ip4', 'irc', 'srv') }}/32"
-        ipv6: "{{ query('ldap', 'ip6', 'irc', 'srv') }}/128"
+        ipv6: "{{ lookup('ldap', 'ip6', 'irc', 'srv') }}/128"
       threshold: 1
     - name: gitlab
       allows:
-        ipv4: "{{ query('ldap', 'ip4', 'gitzly', 'srv') }}/32"
+        ipv4: "{{ lookup('ldap', 'ip4', 'gitzly', 'srv') }}/32"
-        ipv6: "{{ query('ldap', 'ip6', 'gitzly', 'srv') }}/128"
+        ipv6: "{{ lookup('ldap', 'ip6', 'gitzly', 'srv') }}/128"
       threshold: 10
       commandrate: 10000
     - name: monitoring
       allows:
-        ipv4: "{{ query('ldap', 'ip4', 'fyre', 'adm') }}/32"
+        ipv4: "{{ lookup('ldap', 'ip4', 'fyre', 'adm') }}/32"
-        ipv6: "{{ query('ldap', 'ip6', 'fyre', 'adm') }}/128"
+        ipv6: "{{ lookup('ldap', 'ip6', 'fyre', 'adm') }}/128"
       threshold: 10
       commandrate: 10000
       modes: true
-  dns: "{{ query('ldap', 'ip4', 'romanesco', 'srv') }}"
+  dns: "{{ lookup('ldap', 'ip4', 'romanesco', 'srv') }}"
   services:
     name: services.irc.crans.org
     port: 6668
@@ -127,7 +127,7 @@ loc_service_certbot:
   config:
     "crans.org":
       zone: _acme-challenge.crans.org
-      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
+      server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}"
       port: 53
       key:
         name: certbot_challenge.
@@ -135,7 +135,7 @@ loc_service_certbot:
         algorithm: HMAC-SHA512
     "adm.crans.org":
       zone: _acme-challenge.adm.crans.org
-      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
+      server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}"
       port: 53
       key:
         name: certbot_adm_challenge.

host_vars/jack.adm.crans.org.yml

@@ -6,7 +6,7 @@ loc_needrestart:
   override: []
 
 loc_slapd:
-  ip: "{{ query('ldap', 'ip4', 'jack', 'adm') }}"
+  ip: "{{ lookup('ldap', 'ip4', 'jack', 'adm') }}"
   replica: true
   replica_rid: 3
 

host_vars/kameron.adm.crans.org.yml

@@ -1,8 +0,0 @@
----
-interfaces:
-  adm: ens18
-  san: ens19
-  zef: ens20
-
-loc_needrestart:
-  override: []

host_vars/listenup.adm.crans.org.yml

@@ -1,8 +0,0 @@
----
-interfaces:
-  disable: true
-  adm: ens18
-  san: ens19
-
-loc_needrestart:
-  override: []

host_vars/otter.adm.crans.org.yml

@@ -1,8 +0,0 @@
----
-interfaces:
-  adm: ens18
-  san: ens19
-  zef: ens20
-
-loc_needrestart:
-  override: []

host_vars/owl.adm.crans.org.yml

@@ -16,3 +16,11 @@ loc_borg:
   to_exclude:
     - /var/mail
     - /var/lib/lxcfs
+
+loc_restic:
+  config:
+    base:
+      to_exclude:
+        - /var/cache
+        - /var/mail
+        - /var/lib/lxcfs

host_vars/owncloud.adm.crans.org.yml

@@ -15,4 +15,4 @@ loc_needrestart:
 loc_ldap:
   base_dn: "{{ vault.slapd.re2o.admin.binddn }}"
   password: "{{ vault.slapd.re2o.admin.bindpass }}"
-  uri: "ldap://{{ query('ldap', 'ip4', 'yson-partou', 'adm') }}"
+  uri: "ldap://{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}"

host_vars/ptf.adm.crans.org.yml

@@ -12,7 +12,7 @@ loc_needrestart:
 
 loc_nfs_mount:
   mounts:
-    - ip: "{{ query('ldap', 'ip4', 'tealc', 'san') }}"
+    - ip: "{{ lookup('ldap', 'ip4', 'tealc', 'san') }}"
       mountpoint: /pool/ftp
       target: /ftp
       name: ftp

host_vars/re2o-dev.adm.crans.org.yml

@@ -10,4 +10,4 @@ loc_needrestart:
   override: []
 
 loc_re2o_ldap_replica:
-  url: "ldaps://{{ query('ldap', 'ip4', 'yson-partou', 'adm') }}:636"
+  url: "ldaps://{{ lookup('ldap', 'ip4', 'yson-partou', 'adm') }}:636"

host_vars/redisdead.adm.crans.org.yml

@@ -25,7 +25,7 @@ loc_service_certbot:
   config:
     "crans.org":
       zone: _acme-challenge.crans.org
-      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
+      server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}"
       port: 53
       key:
         name: certbot_challenge.
@@ -33,7 +33,7 @@ loc_service_certbot:
         algorithm: HMAC-SHA512
     "adm.crans.org":
       zone: _acme-challenge.adm.crans.org
-      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
+      server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}"
       port: 53
       key:
         name: certbot_adm_challenge.

host_vars/routeur-ft.adm.crans.org.yml

@@ -18,14 +18,14 @@ loc_wireguard:
       peers:
         - public_key: "{{ vault.wireguard.boeing.viarezo.pubkey }}"
           allowed_ips:
-            - "{{ query('ldap', 'network', 'adm') }}"
+            - "{{ lookup('ldap', 'network', 'adm') }}"
             - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
-          endpoint: "{{ query('ldap', 'ip4', 'boeing', 'srv') }}:51821"
+          endpoint: "{{ lookup('ldap', 'ip4', 'boeing', 'srv') }}:51821"
           persistent_keepalive: 25
       post_up:
         - "sysctl -w net.ipv4.conf.%i.proxy_arp=1"
         - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1"
-        - "ip route add {{ query('ldap', 'ip4', 'tealc', 'adm') }} dev %i proto proxy"
+        - "ip route add {{ lookup('ldap', 'ip4', 'tealc', 'adm') }} dev %i proto proxy"
         - "python3 /var/local/services/proxy/proxy.py --alter"
       pre_down:
         - "sysctl -w net.ipv4.conf.%i.proxy_arp=0"
@@ -35,8 +35,8 @@ loc_wireguard:
 loc_service_proxy:
   config:
     ldap:
-      - server: "ldaps://{{ query('ldap', 'ip4', 'wall-e', 'adm') }}/"
+      - server: "ldaps://{{ lookup('ldap', 'ip4', 'wall-e', 'adm') }}/"
-      - server: "ldaps://{{ query('ldap', 'ip4', 'ft', 'adm') }}/"
+      - server: "ldaps://{{ lookup('ldap', 'ip4', 'ft', 'adm') }}/"
     protocol: "proxy"
     filter: ".adm.crans.org"
     proxy:

host_vars/routeur-sam.adm.crans.org/restic.yml

@@ -0,0 +1,8 @@
+---
+loc_restic:
+  config:
+    base:
+      to_backup:
+        - /etc
+        - /home_nounou
+        - /var

host_vars/routeur-thot.adm.crans.org.yml

@@ -1,45 +0,0 @@
----
-interfaces:
-  adm: ens18
-  auto: ens19
-
-loc_unattended:
-  reboot: true
-
-loc_needrestart:
-  override: []
-
-loc_wireguard:
-  tunnels:
-    - name: "boeing"
-      listen_port: 51820
-      private_key: "{{ vault.wireguard.routeur_thot.privkey }}"
-      table: "off"
-      peers:
-        - public_key: "{{ vault.wireguard.boeing.aurore.pubkey }}"
-          allowed_ips:
-            - "{{ query('ldap', 'network', 'adm') }}"
-            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
-          endpoint: "{{ query('ldap', 'ip4', 'boeing', 'srv') }}:51822"
-          persistent_keepalive: 25
-      post_up:
-        - "sysctl -w net.ipv4.conf.%i.proxy_arp=1"
-        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1"
-        - "ip route add {{ query('ldap', 'ip4', 'tealc', 'adm') }} dev %i proto proxy"
-        - "python3 /var/local/services/proxy/proxy.py --alter"
-      pre_down:
-        - "sysctl -w net.ipv4.conf.%i.proxy_arp=0"
-        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=0"
-        - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
-
-
-loc_service_proxy:
-  config:
-    ldap:
-      - server: "ldaps://{{ query('ldap', 'ip4', 'wall-e', 'adm') }}/"
-      - server: "ldaps://{{ query('ldap', 'ip4', 'thot', 'adm') }}/"
-    protocol: "proxy"
-    filter: ".adm.crans.org"
-    proxy:
-      default: "boeing"
-      aurore: "ens18"

host_vars/sam.adm.crans.org.yml

@@ -11,8 +11,17 @@ loc_borg:
     - /home_nounou
     - /var
 
+
+loc_restic:
+  config:
+    base:
+      to_backup:
+        - /etc
+        - /home_nounou
+        - /var
+
 loc_slapd:
-  ip: "{{ query('ldap', 'ip4', 'sam', 'adm') }}"
+  ip: "{{ lookup('ldap', 'ip4', 'sam', 'adm') }}"
   replica: true
   replica_rid: 1
 

host_vars/sputnik.adm.crans.org.yml

@@ -18,21 +18,21 @@ loc_wireguard:
   tunnels:
     - name: "sputnik"
       addresses:
-        - "{{ query('ldap', 'ip4', 'sputnik', 'adm') }}/24"
+        - "{{ lookup('ldap', 'ip4', 'sputnik', 'adm') }}/24"
-        - "{{ query('ldap', 'ip6', 'sputnik', 'adm') }}/64"
+        - "{{ lookup('ldap', 'ip6', 'sputnik', 'adm') }}/64"
       listen_port: 51820
       private_key: "{{ vault.wireguard.sputnik.privkey }}"
       peers:
         - public_key: "{{ vault.wireguard.boeing.sputnik.pubkey }}"
           allowed_ips:
-            - "{{ query('ldap', 'network', 'adm') }}"
+            - "{{ lookup('ldap', 'network', 'adm') }}"
             - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
-          endpoint: "{{ query('ldap', 'ip4', 'boeing', 'srv') }}:51820"
+          endpoint: "{{ lookup('ldap', 'ip4', 'boeing', 'srv') }}:51820"
       post_up:
         - "/sbin/ip link set sputnik alias adm"
 
 loc_slapd:
-  ip: "{{ query('ldap', 'ip4', 'sputnik', 'adm') }}"
+  ip: "{{ lookup('ldap', 'ip4', 'sputnik', 'adm') }}"
   replica: true
   replica_rid: 4
 
@@ -48,7 +48,7 @@ loc_service_certbot:
   config:
     "crans.org":
       zone: _acme-challenge.crans.org
-      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
+      server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}"
       port: 53
       key:
         name: certbot_challenge.
@@ -56,7 +56,7 @@ loc_service_certbot:
         algorithm: HMAC-SHA512
     "adm.crans.org":
       zone: _acme-challenge.adm.crans.org
-      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
+      server: "{{ lookup('ldap', 'ip4', 'silice', 'adm') }}"
       port: 53
       key:
         name: certbot_adm_challenge.
@@ -82,4 +82,4 @@ loc_bind:
 loc_service_ssh_known_hosts:
   config:
     ldap:
-      server: "ldaps://{{ query('ldap', 'ip4', 'sputnik', 'adm') }}"
+      server: "ldaps://{{ lookup('ldap', 'ip4', 'sputnik', 'adm') }}"

host_vars/tealc.adm.crans.org.yml

@@ -21,13 +21,11 @@ loc_postgres:
     - db: roundcube
       user: roundcube
       map: {name: webmail, system: www-data, pg: roundcube}
-    - {db: owncloud, user: owncloud}
     - {db: cas, user: cas}
-    - {db: hedgedoc, user: hedgedoc}
+    - {db: owncloud, user: owncloud}
     - {db: sqlgrey, user: sqlgrey, method: ident}
     - {db: re2o, user: re2o}
     - {db: re2o_test, user: re2o}
-    - {db: constellation-dev, user: constellation-dev}
     - {db: mailman3, user: mailman3}
     - {db: mailman3web, user: mailman3web}
     - {db: all, user: all, subnets: ['127.0.0.1/32', '::1/128'], local: true}
@@ -43,6 +41,27 @@ loc_borg:
     - /var
     - /pool/home
 
+loc_restic:
+  config:
+    base:
+      to_backup:
+        - /etc
+        - /var
+    pool:
+      force_calendar: "5:00"
+      to_exclude:
+        - "*.pyc"
+        - "\\#*\\#"
+        - "*~"
+      to_backup:
+        - /pool/home
+        - /pool/mail
+      retention:
+        - [--keep-daily, 4]
+        - [--keep-weekly, 4]
+        - [--keep-monthly, 6]
+      backup_extra_param: " --exclude-if-present .nobackup"
+
 loc_rsyslog_server:
   name: tealc
   root: /pool/logs

host_vars/tealch.adm.crans.org.yml

@@ -1,8 +0,0 @@
----
-interfaces:
-  adm: ens18
-  san: ens19
-  zef: ens20
-
-loc_needrestart:
-  override: []

host_vars/thot.adm.crans.org.yml

@@ -1,17 +0,0 @@
----
-interfaces:
-  disable: true
-
-loc_needrestart:
-  override: []
-
-loc_borg:
-  to_backup:
-    - /etc
-    - /home_nounou
-    - /var
-
-loc_slapd:
-  ip: "{{ query('ldap', 'ip4', 'thot', 'adm') }}"
-  replica: true
-  replica_rid: 5

host_vars/zamok.adm.crans.org.yml

@@ -19,27 +19,37 @@ loc_borg:
     - /var/lib/lxcfs
     - /var/lib/mysql
 
+loc_restic:
+  config:
+    base:
+      to_exclude:
+        - /var/cache
+        - /var/mail
+        - /var/lib/podman
+        - /var/lib/lxcfs
+        - /var/lib/mysql
+
 loc_thelounge:
-  host: "\"{{ query('ldap', 'ip4', 'zamok', 'adm') }}\""
+  host: "\"{{ lookup('ldap', 'ip4', 'zamok', 'adm') }}\""
   oidentd: "\"/usr/local/lib/thelounge/.oidentd.conf\""
   reverseProxy: "true"
   ldap_enable: "true"
 
 loc_crans_scripts:
   group: nounou
-  dests:
+  dest:
     - /usr/scripts
 
 loc_nfs_mount:
   mounts:
-    - ip: "{{ query('ldap', 'ip4', 'cameron', 'san') }}"
+    - ip: "{{ lookup('ldap', 'ip4', 'cameron', 'san') }}"
       mountpoint: /pool/home
       target: /home
       name: home
       owner: root
       group: root
       mode: '0755'
-    - ip: "{{ query('ldap', 'ip4', 'cameron', 'san') }}"
+    - ip: "{{ lookup('ldap', 'ip4', 'cameron', 'san') }}"
       mountpoint: /pool/mail
       target: /var/mail
       name: var-mail

hosts

@@ -6,7 +6,6 @@ zamok.adm.crans.org
 [arpproxy]
 boeing.adm.crans.org
 routeur-ft.adm.crans.org
-routeur-thot.adm.crans.org
 
 [autoconfig]
 hodaur.adm.crans.org
@@ -16,7 +15,6 @@ cameron.adm.crans.org
 
 [backups]
 backup-ft.adm.crans.org
-backup-thot.adm.crans.org
 
 [baie]
 cameron.adm.crans.org
@@ -31,41 +29,27 @@ routeurs_vm
 [blackbox]
 fyre.adm.crans.org
 
-[ceph_test]
-tealch.adm.crans.org
-kameron.adm.crans.org
-otter.adm.crans.org
-daneel.adm.crans.org
-listenup.adm.crans.org
-
 [certbot]
 irc.adm.crans.org
 proxy-pve-adh.adm.crans.org
-sputnik.adm.crans.org
 
 [certbot:children]
 dovecot
 galene
-gitlab
-jitsi
-mailman
 postfix
 reverseproxy
 virtu
 vsftpd_mirror
 
-[constellation:children]
+# Catégorie des VM de test/dev
-constellation_front
+[dev]
-
+re2o-dev.crans.org
-[constellation_front]
-constellation-dev.adm.crans.org
 
 [dhcp:children]
 routeurs_vm
 
 [dropbear]
 ft.adm.crans.org
-thot.adm.crans.org
 
 [docker:children]
 gitlab_runner
@@ -117,9 +101,6 @@ fyre.adm.crans.org
 [irc]
 irc.adm.crans.org
 
-[jitsi]
-jitsi.adm.crans.org
-
 [keepalived]
 routeur-daniel.adm.crans.org
 routeur-jack.adm.crans.org
@@ -150,10 +131,8 @@ irc.adm.crans.org
 ptf.adm.crans.org
 
 [nginx:children]
-constellation_front
 django_cas
 galene
-jitsi
 mailman
 mirror_frontend
 printer
@@ -166,7 +145,6 @@ wiki
 eclat.adm.crans.org
 
 [opendkim:children]
-mailman
 postfix
 
 [postfix]
@@ -242,7 +220,6 @@ helloworld.adm.crans.org
 wall-e.adm.crans.org
 #sam.adm.crans.org
 #sputnik.adm.crans.org
-#thot.adm.crans.org
 
 [sssd]
 zamok.adm.crans.org
@@ -263,17 +240,11 @@ sam.adm.crans.org
 
 [virtu_backup]
 ft.adm.crans.org
-thot.adm.crans.org
-
-[virtu_ceph]
-daneel.adm.crans.org
-listenup.adm.crans.org
 
 [virtu:children]
 virtu_adh
 virtu_adm
 virtu_backup
-virtu_ceph
 
 [vsftpd_mirror]
 eclat.adm.crans.org
@@ -285,20 +256,15 @@ kiwi.adm.crans.org
 [wireguard]
 boeing.adm.crans.org
 routeur-ft.adm.crans.org
-routeur-thot.adm.crans.org
 sputnik.adm.crans.org
 
 [crans_routeurs:children]
 routeurs_vm
 
 [crans_physical]
-thot.adm.crans.org
 zamok.adm.crans.org
-cephiroth.adm.crans.org
-#zbee.adm.crans.org
 
 [crans_physical:children]
-aurore_physical
 baie
 virtu
 viarezo_physical
@@ -309,24 +275,19 @@ belenios.adm.crans.org
 boeing.adm.crans.org
 cas.adm.crans.org
 chene.adm.crans.org
-constellation-dev.adm.crans.org
 eclaircie.adm.crans.org
 eclat.adm.crans.org
 ethercalc.adm.crans.org
 en7.adm.crans.org
 flirt.adm.crans.org
-fluxx.adm.crans.org
 fyre.adm.crans.org
 gitlab-ci.adm.crans.org
 gitzly.adm.crans.org
 helloworld.adm.crans.org
 hodaur.adm.crans.org
-horde.adm.crans.org
 irc.adm.crans.org
-jitsi.adm.crans.org
 kenobi.adm.crans.org
 kiwi.adm.crans.org
-ldap-adm.adm.crans.org
 linx.adm.crans.org
 mailman.adm.crans.org
 neree.adm.crans.org
@@ -344,6 +305,7 @@ routeur-2754.adm.crans.org
 silice.adm.crans.org
 trinity.adm.crans.org
 voyager.adm.crans.org
+wall-e.adm.crans.org
 yson-partou.adm.crans.org
 
 [viarezo_physical]
@@ -357,20 +319,7 @@ routeur-ft.adm.crans.org
 viarezo_physical
 viarezo_vm
 
-[aurore_physical]
-thot.adm.crans.org
-
-[aurore_vm]
-backup-thot.adm.crans.org
-routeur-thot.adm.crans.org
-
-[aurore:children]
-aurore_physical
-aurore_vm
-
 [crans_vm:children]
-aurore_vm
-ceph_test
 routeurs_vm
 viarezo_vm
 
@@ -390,7 +339,6 @@ ilo-jack.adm.crans.org
 ilo-odlyd.adm.crans.org
 ilo-sam.adm.crans.org
 ilo-stitch.adm.crans.org
-ilo-thot.adm.crans.org
 ilo-zamok.adm.crans.org
 
 # everything at crans

lookup_plugins/ldap.py

@@ -63,18 +63,18 @@ class LookupModule(LookupBase):
     def ip4(self, host, vlan):
         """
         Retrieve the first IPv4 addresse of an interface of a device
-        query('ldap', 'ip4', HOST, VLAN)
+        lookup('ldap', 'ip4', HOST, VLAN)
         """
         result = [ res for res in self.ip(host, vlan) if ipaddress.ip_address(res).version == 4 ]
-        return result[0]
+        return [result[0]]
 
     def ip6(self, host, vlan):
         """
         Retrieve the first IPv6 addresse of an interface of a device
-        query('ldap', 'ip6', HOST, VLAN)
+        lookup('ldap', 'ip6', HOST, VLAN)
         """
         result = [ res for res in self.ip(host, vlan) if ipaddress.ip_address(res).version == 6 ]
-        return result[0]
+        return [result[0]]
 
     def all_ip(self, host):
         """
@@ -200,7 +200,7 @@ class LookupModule(LookupBase):
             query_id = self.base.search(f"cn={network},ou=networks,{self.base_dn}", ldap.SCOPE_BASE, "objectClass=ipNetwork")
             result = self.base.result(query_id)
             result = result[1][0][1]
-            return str(ipaddress.ip_network('{}/{}'.format(result['ipNetworkNumber'][0].decode('utf-8'), result['ipNetmaskNumber'][0].decode('utf-8'))))
+            return [str(ipaddress.ip_network('{}/{}'.format(result['ipNetworkNumber'][0].decode('utf-8'), result['ipNetmaskNumber'][0].decode('utf-8'))))]
         elif terms[0] == 'zones':
             query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, "objectClass=ipNetwork")
             result = self.base.result(query_id)

plays/borgbackup_client.yml

@@ -2,7 +2,7 @@
 ---
 - import_playbook: ssh_known_hosts.yml
 
-- hosts: server
+- hosts: server,!dev,!apprentis.adm.crans.org
   vars:
     borg: "{{ glob_borg | default({}) | combine(loc_borg | default({})) }}"
   roles:

plays/constellation.yml

@@ -1,16 +0,0 @@
-#!/usr/bin/env ansible-playbook
----
-- hosts: constellation
-  vars:
-    constellation: "{{ glob_constellation | combine(loc_constellation | default({}), recursive=True) }}"
-  roles:
-    - constellation
-
-- hosts: constellation_front
-  vars:
-    constellation: "{{ glob_constellation | combine(loc_constellation | default({}), recursive=True) }}"
-    nginx: "{{ glob_nginx | combine(loc_nginx | default({})) }}"
-  roles:
-    - nginx
-    - constellation-front
-    - constellation-doc

plays/monitoring.yml

@@ -62,6 +62,13 @@
   roles:
     - prometheus-postfix-exporter
 
+# Export apache metrics (avait disparu depuis f7347e41d2)
+#- hosts: zamok.adm.crans.org
+#  vars:
+#    adm_ipv4: "{{ ansible_all_ipv4_addresses | ipaddr(adm_subnet) | first }}"
+#  roles:
+#    - prometheus-apache-exporter
+
 # Monitor logs with mtail
 - hosts: mtail
   vars:

plays/restic_client.yml

@@ -0,0 +1,8 @@
+#!/usr/bin/env ansible-playbook
+---
+
+- hosts: server,!dev
+  vars:
+    restic: "{{ glob_restic | default({}) | combine(loc_restic | default({}), recursive=true) }}"
+  roles:
+    - restic-client

plays/root.yml

@@ -30,6 +30,7 @@
 - import_playbook: scripts.yml
 - import_playbook: vm_setup.yml
 - import_playbook: borgbackup_client.yml
+- import_playbook: restic_client.yml
 - import_playbook: network_interfaces.yml
 - import_playbook: nullmailer.yml
 

plays/routeurs.yml

@@ -4,7 +4,6 @@
 - import_playbook: bird.yml
 - import_playbook: freeradius.yml
 - import_playbook: firewall.yml
-- import_playbook: dns-recursive.yml
 - import_playbook: prefix-delegation.yml
 - import_playbook: radvd.yml
 - import_playbook: keepalived.yml

plays/users.yml

@@ -6,7 +6,7 @@
   roles:
     - ldap-client
 
-- hosts: server,!ovh_physical,!tealc.adm.crans.org,!sam.adm.crans.org,!routeur-sam.adm.crans.org,!ft.adm.crans.org,!thot.adm.crans.org
+- hosts: server,!ovh_physical,!apprentis.adm.crans.org,!ft.adm.crans.org,!routeur-sam.adm.crans.org,!sam.adm.crans.org,!tealc.adm.crans.org
   vars:
     nfs_mount: "{{ glob_home_nounou | default({}) | combine(loc_home_nounou | default({})) }}"
   roles:

plays/utilities.yml

@@ -2,9 +2,10 @@
 ---
 - hosts: server
   vars:
-    root: "{{ glob_root | default({}) | combine(loc_root | default({})) }}"
-    ntp_client: "{{ glob_ntp_client | combine(loc_ntp_client | default({})) }}"
     needrestart: "{{ glob_needrestart | default({}) | combine(loc_needrestart | default({})) }}"
+    ntp_client: "{{ glob_ntp_client | combine(loc_ntp_client | default({})) }}"
+    root: "{{ glob_root | default({}) | combine(loc_root | default({})) }}"
+    sudo: "{{ glob_sudo | default({}) | combine(loc_sudo | default({})) }}"
     unattended: "{{ glob_unattended | default({}) | combine(loc_unattended | default({})) }}"
   roles:
     - root

plays/vsftpd.yml

@@ -1,17 +0,0 @@
-#!/usr/bin/env ansible-playbook
----
-# Deploy vsftpd server on the mirrors
-- hosts: vsftpd_mirror
-  vars:
-    certbot: "{{ loc_certbot | default(glob_certbot | default([])) }}"
-    vsftpd: "{{ glob_vsftpd_mirror | default({}) | combine(loc_vsftpd | default({})) }}"
-  roles:
-    - certbot
-    - vsftpd
-
-# Deploy vstfpd on the camera serveur
-- hosts: vsftpd_cameras
-  vars:
-    vsftpd: "{{ glob_vsftpd_cameras | default({}) | combine(loc_vsftpd | default({})) }}"
-  roles:
-    - vsftpd

plays/zamok.yml

@@ -8,4 +8,3 @@
   roles:
     - zamok-tools
     # - postfix
-    - prometheus-node-exporter-postfix

roles/arpproxy/README.md

@@ -0,0 +1,3 @@
+# Arpproxy
+
+Active arpproxy. Utilise le repo [proxy](https://gitlab.crans.org/nounous/proxy).

roles/borgbackup-client/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Restart timer
+  service:
+    name: borgmatic.timer
+    state: restarted
+
+- name: systemctl daemon-reload
+  systemd:
+    daemon_reload: true

roles/borgbackup-client/tasks/main.yml

@@ -61,13 +61,27 @@
   register: borg_init
   changed_when: '"does not exist" in borg_init.stderr'
 
-- name: Deploy borg cron
+- name: Deploy borgmatic systemd
   template:
-    src: cron.d/borg.j2
+    src: "systemd/system/{{ item }}.j2"
-    dest: /etc/cron.d/borg{{ borg.path_suffix | default('') }}
+    dest: /etc/systemd/system/{{ item }}
+    mode: 0600
+    owner: root
+    group: root
+  loop:
+    - borgmatic.service
+    - borgmatic.timer
+  notify:
+    - Restart timer
+    - systemctl daemon-reload
 
 - name: Indicate role in motd
   template:
     src: update-motd.d/04-service.j2
     dest: /etc/update-motd.d/04-borgbackup
     mode: 0755
+
+- name: Enable timer
+  service:
+    name: borgmatic.timer
+    enabled: true

roles/borgbackup-client/templates/cron.d/borg.j2

@@ -1,9 +0,0 @@
-{{ ansible_header | comment }}
-
-PATH=$PATH:/usr/sbin:/usr/bin:/usr/local/bin:/sbin:/bin
-
-{% if borg.path_suffix is defined %}
-{{ 60 | random(seed=inventory_hostname) }} {{ 24 | random(seed=inventory_hostname) }} * * * root borgmatic -c /etc/borgmatic/config{{ borg.path_suffix }}.yaml --syslog-verbosity 1
-{% else %}
-{{ 60 | random(seed=inventory_hostname) }} {{ 24 | random(seed=inventory_hostname) }} * * * root borgmatic --syslog-verbosity 1
-{% endif %}