Suppression (vielles) machines (constellation-dev, fluxx, hedgedoc, horde, zbee) et renommage ldap-adm en wall-e

2024-10-30 20:44:15 +01:00 · 2024-10-30 20:44:15 +01:00 · 8c15a54cf2
parent 85268a8f70
commit 8c15a54cf2
17 changed files with 3 additions and 539 deletions
--- a/all.yml
+++ b/all.yml
@ -12,7 +12,6 @@
 - import_playbook: plays/borgbackup_client.yml
 - import_playbook: plays/cas.yml
 - import_playbook: plays/certbot.yml
 - import_playbook: plays/constellation.yml
 - import_playbook: plays/dhcp.yml
 - import_playbook: plays/dns-authoritative.yml
 - import_playbook: plays/dovecot.yml
--- a/group_vars/constellation.yml
+++ b/group_vars/constellation.yml
@ -1,47 +0,0 @@
 ---
 glob_constellation:
  django_secret_key: "{{ vault.constellation.django_secret_key }}"
  admins:
    - ('Root', 'root@crans.org')
  allowed_hosts:
    - 'constellation.crans.org'
    - 'intranet.crans.org'
  email:
    ssl: false
    host: "{{ lookup('ldap', 'ip4', 'redisdead', 'adm') }}"
    port: 25
    user: ''
    password: ''
    from: "root@crans.org"
    from_full: "Crans <root@crans.org>"
  database:
    host: "{{ lookup('ldap', 'ip4', 'tealc', 'adm') }}"
    port: 5432
    user: 'constellation'
    password: "{{ vault.constellation.django_db_password }}"
    name: 'constellation'
  front: true
  crontab: true
  applications:
    - 'access'
    - 'billing'
    - 'dnsmanager'
    - 'firewall'
    - 'layers'
    - 'management'
    - 'member'
    - 'topography'
    - 'unix'
  stripe:
    private_key: '{{ vault.constellation.stripe.live.private_key }}'
    public_key: '{{ vault.constellation.stripe.live.public_key }}'
  note:
    url: 'https://note.crans.org/'
    client_id: '{{ vault.constellation.note.client_id }}'
    client_secret: '{{ vault.constellation.note.client_secret }}'
  debug: false
  owner: root
  group: _nounou
  version: main
  settings_local_owner: www-data
  settings_local_group: _nounou
--- a/group_vars/constellation_front.yml
+++ b/group_vars/constellation_front.yml
@ -1,30 +0,0 @@
 ---
 loc_nginx:
  service_name: constellation
  ssl: []
  servers:
    - ssl: false
      default: true
      server_name:
        - "constellation.crans.org"
        - "intranet.crans.org"
      locations:
        - filter: "/static"
          params:
            - "alias {% if constellation.version == 'main' %}/var/lib/constellation/static/{% else %}/var/local/constellation/static/{% endif %}"
        - filter: "/media"
          params:
            - "alias {% if constellation.version == 'main' %}/var/lib/constellation/media/{% else %}/var/local/constellation/media/{% endif %}"
        - filter: "/doc"
          params:
            - "alias /var/www/constellation-doc/"
        - filter: "/"
          params:
            - "uwsgi_pass constellation"
            - "include /etc/nginx/uwsgi_params"
  upstreams:
    - name: 'constellation'
      server: 'unix:///var/run/uwsgi/app/constellation/constellation.sock'
--- a/group_vars/reverseproxy.yml
+++ b/group_vars/reverseproxy.yml
@ -49,15 +49,14 @@ glob_reverseproxy:
    # Services web Crans
    - {from: belenios.crans.org, to: 172.16.10.111}
    - {from: cas.crans.org, to: 172.16.10.120}
    - {from: constellation-dev.crans.org, to: 172.16.10.167}
    - {from: eclats.crans.org, to: 172.16.10.104}
    - {from: ethercalc.crans.org, to: "172.16.10.133:8000"}
    - {from: framadate.crans.org, to: 172.16.10.109}
    - {from: ftps.crans.org, to: 172.16.10.113}
    - {from: galene-token.crans.org, to: "172.16.10.115:3000"}
    - {from: grafana.crans.org, to: "172.16.10.121:3000"}
    - {from: hedgedoc.crans.org, to: "172.16.10.128:3000"}
    - {from: helloworld.crans.org, to: 172.16.10.131}
    - {from: hosts.crans.org, to: 172.16.10.114}
    - {from: imprimante.crans.org, to: 172.16.10.131}
    - {from: intranet.crans.org, to: 172.16.10.156}
    - {from: linx.crans.org, to: "172.16.10.119:8080"}
@ -76,7 +75,6 @@ glob_reverseproxy:
    - {from: webmail.crans.org, to: 172.16.10.107}
    - {from: wiki.crans.org, to: 172.16.10.161}
    - {from: zero.crans.org, to: 172.16.10.130}
    - {from: hosts.crans.org, to: 172.16.10.114}
    # Zamok
    - {from: amap.crans.org, to: 172.16.10.31}
--- a/host_vars/constellation-dev.adm.crans.org.yml
+++ b/host_vars/constellation-dev.adm.crans.org.yml
@ -1,38 +0,0 @@
 ---
 interfaces:
  adm: eth0
  srv_nat: eth1
 loc_unattended:
  reboot: true
 loc_needrestart:
  override: []
 loc_constellation:
  allowed_hosts:
    - 'constellation-dev.crans.org'
  database:
    host: '127.0.0.1'
    user: 'constellation-dev'
    name: 'constellation-dev'
  applications:
    - 'access'
    - 'billing'
    - 'debug'
    - 'dnsmanager'
    - 'firewall'
    - 'layers'
    - 'management'
    - 'member'
    - 'topography'
    - 'unix'
  stripe:
    private_key: '{{ vault.constellation.stripe.test.private_key }}'
    public_key: '{{ vault.constellation.stripe.test.public_key }}'
  note:
    url: 'https://note-dev.crans.org/'
    client_id: '{{ vault.constellation.note.client_id }}'
    client_secret: '{{ vault.constellation.note.client_secret }}'
  debug: true
  version: dev
--- a/host_vars/tealc.adm.crans.org.yml
+++ b/host_vars/tealc.adm.crans.org.yml
@ -21,13 +21,11 @@ loc_postgres:
    - db: roundcube
      user: roundcube
      map: {name: webmail, system: www-data, pg: roundcube}
    - {db: owncloud, user: owncloud}
    - {db: cas, user: cas}
-    - {db: hedgedoc, user: hedgedoc}
+    - {db: owncloud, user: owncloud}
    - {db: sqlgrey, user: sqlgrey, method: ident}
    - {db: re2o, user: re2o}
    - {db: re2o_test, user: re2o}
    - {db: constellation-dev, user: constellation-dev}
    - {db: mailman3, user: mailman3}
    - {db: mailman3web, user: mailman3web}
    - {db: all, user: all, subnets: ['127.0.0.1/32', '::1/128'], local: true}
--- a/13
+++ b/13
@ -44,12 +44,6 @@ reverseproxy
 virtu
 vsftpd_mirror
 [constellation:children]
 constellation_front
 [constellation_front]
 constellation-dev.adm.crans.org
 [dhcp:children]
 routeurs_vm
@ -140,7 +134,6 @@ irc.adm.crans.org
 ptf.adm.crans.org
 [nginx:children]
 constellation_front
 django_cas
 galene
 jitsi
@ -277,7 +270,6 @@ routeurs_vm
 [crans_physical]
 zamok.adm.crans.org
 #zbee.adm.crans.org
 [crans_physical:children]
 aurore_physical
@ -291,24 +283,20 @@ belenios.adm.crans.org
 boeing.adm.crans.org
 cas.adm.crans.org
 chene.adm.crans.org
 constellation-dev.adm.crans.org
 eclaircie.adm.crans.org
 eclat.adm.crans.org
 ethercalc.adm.crans.org
 en7.adm.crans.org
 flirt.adm.crans.org
 fluxx.adm.crans.org
 fyre.adm.crans.org
 gitlab-ci.adm.crans.org
 gitzly.adm.crans.org
 helloworld.adm.crans.org
 hodaur.adm.crans.org
 horde.adm.crans.org
 irc.adm.crans.org
 jitsi.adm.crans.org
 kenobi.adm.crans.org
 kiwi.adm.crans.org
 ldap-adm.adm.crans.org
 linx.adm.crans.org
 mailman.adm.crans.org
 neree.adm.crans.org
@ -326,6 +314,7 @@ routeur-2754.adm.crans.org
 silice.adm.crans.org
 trinity.adm.crans.org
 voyager.adm.crans.org
 wall-e.adm.crans.org
 yson-partou.adm.crans.org
 [viarezo_physical]
--- a/plays/constellation.yml
+++ b/plays/constellation.yml
@ -1,16 +0,0 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts: constellation
  vars:
    constellation: "{{ glob_constellation | combine(loc_constellation | default({}), recursive=True) }}"
  roles:
    - constellation
 - hosts: constellation_front
  vars:
    constellation: "{{ glob_constellation | combine(loc_constellation | default({}), recursive=True) }}"
    nginx: "{{ glob_nginx | combine(loc_nginx | default({})) }}"
  roles:
    - nginx
    - constellation-front
    - constellation-doc
--- a/roles/constellation-doc/tasks/main.yml
+++ b/roles/constellation-doc/tasks/main.yml
@ -1,23 +0,0 @@
 ---
 - name: Install Sphinx and RTD theme
  apt:
    update_cache: true
    install_recommends: false
    name:
      - python3-sphinx
      - python3-sphinx-rtd-theme
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Create documentation directory with good permissions
  file:
    path: /var/www/constellation-doc
    state: directory
    owner: www-data
    group: www-data
    mode: u=rwx,g=rwxs,o=rx
 - name: Build HTML documentation
  command: sphinx-build -b dirhtml {{ project_path }}/docs/ /var/www/constellation-doc/
  become_user: www-data
--- a/roles/constellation-front/handlers/main.yml
+++ b/roles/constellation-front/handlers/main.yml
@ -1,5 +0,0 @@
 ---
 - name: Restart uWSGI
  systemd:
    name: uwsgi
    state: restarted
--- a/roles/constellation-front/tasks/main.yml
+++ b/roles/constellation-front/tasks/main.yml
@ -1,110 +0,0 @@
 ---
 - name: Install some front APT packages
  apt:
    install_recommends: false
    update_cache: true
    name:
      - python3-django-crispy-forms
      - python3-django-filters
      - python3-djangorestframework
      - python3-django-tables2
      - python3-docutils
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Install some front pip packages
  pip:
    name:
      - git+https://gitlab.adm.crans.org/nounous/crispy-bootstrap5.git
 - name: Set data directories in development mode
  when: constellation.version != "master"
  set_fact:
    project_path: /var/local/constellation
    module_path: /var/local/constellation/constellation
 - name: Set data directories in production mode
  when: constellation.version == "master"
  set_fact:
    project_path: /usr/local/lib/python3.9/dist-packages/constellation
    module_path: /usr/local/lib/python3.9/dist-packages/constellation
 - name: Check front dependencies (production)
  when: constellation.version == "master"
  pip:
    name:
      - git+https://gitlab.adm.crans.org/nounous/constellation.git[front]
    state: latest
 - name: Install uWSGI
  apt:
    install_recommends: false
    update_cache: true
    name:
      - uwsgi
      - uwsgi-plugin-python3
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Copy constellation uWSGI app
  template:
    src: uwsgi/apps-available/constellation.ini.j2
    dest: /etc/uwsgi/apps-available/constellation.ini
    owner: root
    group: root
    mode: 0644
  notify: Restart uWSGI
 - name: Activate constellation uWSGI app
  file:
    src: ../apps-available/constellation.ini
    dest: /etc/uwsgi/apps-enabled/constellation.ini
    owner: root
    group: root
    state: link
  ignore_errors: "{{ ansible_check_mode }}"
  notify: Restart uWSGI
 # In the future, migrations will be included in the repository.
 - name: Make Django migrations
  django_manage:
    command: makemigrations
    project_path: "{{ project_path }}"
  notify: Restart uWSGI
 - name: Migrate database
  django_manage:
    command: migrate
    project_path: "{{ project_path }}"
  notify: Restart uWSGI
 - name: Create static files directory
  file:
    path: /var/lib/constellation/{{ item }}
    state: directory
    mode: "2775"
    owner: www-data
    group: "{{ constellation.group }}"
    recurse: true
  loop:
    - static
    - media
 - name: Symlink static and media directories (dev)
  file:
    src: /var/lib/constellation/{{ item }}
    dest: /var/local/constellation/{{ item }}
    state: link
    owner: www-data
    group: "{{ constellation.group }}"
  loop:
    - static
    - media
 - name: Collect static files
  django_manage:
    command: collectstatic
    project_path: "{{ project_path }}"
  notify: Restart uWSGI
--- a/roles/constellation-front/templates/uwsgi/apps-available/constellation.ini.j2
+++ b/roles/constellation-front/templates/uwsgi/apps-available/constellation.ini.j2
@ -1,23 +0,0 @@
 {{ ansible_header | comment }}
 [uwsgi]
 uid             = www-data
 gid             = www-data
 # Django-related settings
 # the base directory (full path)
 chdir           = {{ project_path }}
 wsgi-file       = {{ module_path }}/wsgi.py
 plugin          = python3
 # process-related settings
 # master
 master          = true
 # maximum number of worker processes
 processes       = 10
 # the socket (use the full path to be safe
 socket          = /var/run/uwsgi/app/constellation/constellation.sock
 # ... with appropriate permissions - may be needed
 chmod-socket    = 664
 # clear environment on exit
 vacuum          = true
 # Touch reload
 touch-reload = {{ module_path }}/settings.py
--- a/roles/constellation/tasks/main.yml
+++ b/roles/constellation/tasks/main.yml
@ -1,143 +0,0 @@
 ---
 - name: Pin Django from Debian bullseye-backports
  template:
    src: apt/sources.list.d/bullseye-backports.list.j2
    dest: /etc/apt/sources.list.d/bullseye-backports.list
 - name: Install constellation dependencies
  apt:
    update_cache: true
    install_recommends: false
    name:
      - gettext
      - python3-django
      - python3-django-extensions
      - python3-django-polymorphic
      - python3-ipython
      - python3-pip
      - python3-psycopg2
      - python3-requests
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Install constellation pip dependencies
  pip:
    name:
      - git+https://gitlab.adm.crans.org/nounous/django-dnsmanager.git
 - name: Set configuration directories in development mode
  when: constellation.version != "main"
  set_fact:
    module_path: /var/local/constellation/constellation
    project_path: /var/local/constellation
 - name: Set configuration directories in production mode
  when: constellation.version == "main"
  set_fact:
    module_path: /usr/local/lib/python3.9/dist-packages/constellation
    project_path: /usr/local/lib/python3.9/dist-packages/constellation
 - name: Create constellation directory
  file:
    path: /etc/constellation
    state: directory
    mode: "2775"
    owner: "{{ constellation.owner }}"
    group: "{{ constellation.group }}"
 - name: Set ACL for constellation directory
  acl:
    path: /etc/constellation
    default: true
    entity: nounou
    etype: group
    permissions: rwx
    state: query
  ignore_errors: "{{ ansible_check_mode }}"
 - name: Clone constellation repository (development)
  when: constellation.version != "main"
  git:
    repo: https://gitlab.adm.crans.org/nounous/constellation.git
    dest: "{{ project_path }}"
    umask: "002"
    version: "{{ constellation.version }}"
    recursive: true
 - name: Install pip module with editable flag (development)
  when: constellation.version != "main"
  pip:
    name:
      - "{{ project_path }}"
    editable: true
    state: latest
 - name: Install and upgrade constellation (production)
  when: constellation.version == "main"
  pip:
    name:
      - git+https://gitlab.adm.crans.org/nounous/constellation.git
    state: latest
 - name: Set owner of cloned project
  when: constellation.version != "main"
  file:
    path: "{{ project_path }}"
    owner: "{{ constellation.owner }}"
    group: "{{ constellation.group }}"
    recurse: true
 - name: Deploy Constellation settings_local.py
  template:
    src: constellation/settings_local.py.j2
    dest: /etc/constellation/settings_local.py
    mode: 0660
    owner: "{{ constellation.settings_local_owner }}"
    group: "{{ constellation.settings_local_group }}"
 - name: Symlink configuration file
  file:
    src: /etc/constellation/settings_local.py
    dest: "{{ module_path }}/settings_local.py"
    state: link
 - name: Deploy crontab
  when: constellation.crontab
  template:
    src: cron.d/constellation.j2
    dest: /etc/cron.d/constellation
    owner: root
    group: root
    mode: 0644
 - name: Compile messages
  when: not constellation.front
  django_manage:
    command: compilemessages
    project_path: "{{ project_path }}"
 # In the future, migrations will be included in the repository.
 - name: Make Django migrations (non-front app)
  when: not constellation.front
  django_manage:
    command: makemigrations
    project_path: "{{ project_path }}"
 - name: Migrate database (non-front app)
  when: not constellation.front
  django_manage:
    command: migrate
    project_path: "{{ project_path }}"
 - name: Load initial data (non-front app)
  when: not constellation.front
  django_manage:
    command: loaddata initial
    project_path: "{{ project_path }}"
 - name: Indicate constellation in motd
  template:
    src: update-motd.d/05-service.j2
    dest: /etc/update-motd.d/05-constellation
    mode: 0755
--- a/roles/constellation/templates/apt/sources.list.d/bullseye-backports.list.j2
+++ b/roles/constellation/templates/apt/sources.list.d/bullseye-backports.list.j2
@ -1,3 +0,0 @@
 {{ ansible_header | comment }}
 deb {{ debian_mirror }} bullseye-backports main
--- a/roles/constellation/templates/constellation/settings_local.py.j2
+++ b/roles/constellation/templates/constellation/settings_local.py.j2
@ -1,75 +0,0 @@
 {{ ansible_header | comment }}
 # A secret key used by the server.
 SECRET_KEY = "{{ constellation.django_secret_key }}"
 # Should the server run in debug mode ?
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = {{ constellation.debug }}
 # A list of admins of the services. Receive mails when an error occurs
 ADMINS = [{% for admin in constellation.admins %}{{ admin }}, {% endfor %}]
 # The list of hostname the server will respond to.
 ALLOWED_HOSTS = [{% for host in constellation.allowed_hosts %}'{{ host }}', {% endfor %}]
 # Installed applications
 LOCAL_APPS = [
 {% for app in constellation.applications %}
    '{{ app }}',
 {% endfor %}
 ]
 # Activate this option if a web front is needed
 USE_FRONT = {{ constellation.front }}
 # The time zone the server is runned in
 TIME_ZONE = 'Europe/Paris'
 # The storage systems parameters to use
 DATABASES = {
    'default': {  # The DB
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': '{{ constellation.database.name }}',
        'USER': '{{ constellation.database.user }}',
        'PASSWORD': "{{ constellation.database.password }}",
        'HOST': '{{ constellation.database.host }}',
        'PORT': '{{ constellation.database.port }}',
    },
 }
 {% if constellation.version == "main" %}
 {% if constellation.front %}
 STATIC_ROOT = "/var/lib/constellation/static/"
 {% endif %}
 MEDIA_ROOT = "/var/lib/constellation/media/"
 {% endif %}
 # The mail configuration for Constellation to send mails
 EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
 EMAIL_USE_SSL = {{ constellation.email.ssl }}
 EMAIL_HOST = '{{ constellation.email.host }}'
 EMAIL_PORT = {{ constellation.email.port }}
 EMAIL_HOST_USER = '{{ constellation.email.user }}'
 EMAIL_HOST_PASSWORD = '{{ constellation.email.password }}'
 SERVER_EMAIL = '{{ constellation.email.from }}'
 DEFAULT_FROM_EMAIL = '{{ constellation.email.from_full }}'
 {% if constellation.front %}
 {% if constellation.comnpay is defined %}
 COMNPAY_ID_TPE = '{{ constellation.comnpay.tpe }}'
 COMNPAY_SECRET_KEY = '{{ constellation.comnpay.secret }}'
 {% endif %}
 {% if constellation.stripe is defined %}
 STRIPE_PRIVATE_KEY = "{{ constellation.stripe.private_key }}"
 STRIPE_PUBLIC_KEY = "{{ constellation.stripe.public_key }}"
 {% endif %}
 {% if constellation.note is defined %}
 NOTE_KFET_URL = "{{ constellation.note.url }}"
 NOTE_KFET_CLIENT_ID = "{{ constellation.note.client_id }}"
 NOTE_KFET_CLIENT_SECRET = "{{ constellation.note.client_secret }}"
 {% endif %}
 {% endif %}
--- a/roles/constellation/templates/cron.d/constellation.j2
+++ b/roles/constellation/templates/cron.d/constellation.j2
@ -1,4 +0,0 @@
 {{ ansible_header }}
 # m  h   dom mon dow     user   command
 24  4   *   *   *        root   constellation check_consistency
--- a/roles/constellation/templates/update-motd.d/05-service.j2
+++ b/roles/constellation/templates/update-motd.d/05-service.j2
@ -1,3 +0,0 @@
 #!/usr/bin/tail +14
 {{ ansible_header | comment }}
 [0m> [38;5;82mConstellation[0m a été déployé sur cette machine. Voir [38;5;6m{{ project_path }}/[0m.
		`@ -1,3 +0,0 @@`
			`{{ ansible_header \| comment }}`

			`deb {{ debian_mirror }} bullseye-backports main`