From f4326afd766daaec60da7fa340b3e28d21d98365 Mon Sep 17 00:00:00 2001 From: Bombar Maxime Date: Tue, 28 Apr 2020 22:29:12 +0200 Subject: [PATCH 001/126] [re2o_lookup] Make use of cache. --- ansible.cfg | 7 + lookup_plugins/re2oapi.py | 285 +++++++++++++++++++++++++++++--------- 2 files changed, 223 insertions(+), 69 deletions(-) diff --git a/ansible.cfg b/ansible.cfg index ec5d521e..5b23c72b 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -45,3 +45,10 @@ api_hostname = intranet.crans.org # Whether or not using vault_cranspasswords use_cpasswords = True + +# Specify cache plugin for re2o API. By default, cache nothing +cache = jsonfile + +# Time in second before the cache expired. 0 means never expire cache. +# Default is 120 seconds. +timeout = 120 diff --git a/lookup_plugins/re2oapi.py b/lookup_plugins/re2oapi.py index 9099c9e3..53d23555 100644 --- a/lookup_plugins/re2oapi.py +++ b/lookup_plugins/re2oapi.py @@ -7,6 +7,8 @@ For a detailed example look at https://github.com/ansible/ansible/blob/3dbf89e8a The API Client has been adapted from https://gitlab.federez.net/re2o/re2oapi """ +from ansible.plugins.loader import cache_loader + from pathlib import Path import datetime import requests 
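Review bot: The new `[re2o]` cache settings say which plugin is used and for how long, but not what is persisted or where: with `cache = jsonfile` the lookup writes every API response it fetches (DNS zone names, formatted reverse zones, `machines/role`, raw endpoints) as JSON under the running user's `~/.cache/Ansible/re2oapi`, which the plugin creates with mode 0700. A comment such as `# Cached API responses are stored as JSON in ~/.cache/Ansible/re2oapi` would let an operator locate and clear that data without reading the plugin. The phrase `Time in second before the cache expired` would read better as `Time in seconds before a cache entry expires`, but that is hunk text and belongs in a follow-up.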
@@ -340,6 +342,73 @@ class LookupModule(LookupBase): - debug: var=dnszones """ + def _readconfig(self, section="re2o", key=None, boolean=False, + integer=False): + config = self._config + if not config: + return None + else: + if config.has_option(section, key): + display.vvv("Found key {} in configuration file".format(key)) + if boolean: + return config.getboolean(section, key) + elif integer: + return config.getint(section, key) + else: + return config.get(section, key) + + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + + config_manager = ConfigManager() + config_file = config_manager.data.get_setting(name="CONFIG_FILE").value + self._config = ConfigParser() + self._config.read(config_file) + + display.vvv("Using {} as configuration file.".format(config_file)) + + self._api_hostname = None + self._api_username = None + self._api_password = None + self._use_cpasswords = None + self._cache_plugin = None + self._cache = None + self._timeout = 120 + + if self._config.has_section("re2o"): + display.vvv("Found section re2o in configuration file") + + self._api_hostname = self._readconfig(key="api_hostname") + self._use_cpasswords = self._readconfig(key="use_cpasswords", + boolean=True) + self._cache_plugin = self._readconfig(key="cache") + self._timeout = self._readconfig(key="timeout", integer=True) + + if self._cache_plugin is not None: + display.vvv("Using {} as cache plugin".format(self._cache_plugin)) + + if self._cache_plugin == 'jsonfile': + self._cachedir = Path.home() / ".cache/Ansible/re2oapi" + display.vvv("Cache directory is {}".format(self._cachedir)) + if not self._cachedir.exists(): + # Creates Ansible cache directory with right permissions + # if it doesn't exist yet. + display.vvv("Cache directory doesn't exist. Creating it.") + try: + self._cachedir.mkdir(mode=0o700, parents=True) + except Exception as e: + raise AnsibleError("""Unable to create {dir}. 
+ Original error was : {err}""" + .format(dir=self._cachedir, + err=to_native(e))) + self._cache = cache_loader.get('jsonfile', + _uri=self._cachedir, + _timeout=self._timeout, + ) + else: + raise AnsibleError("Cache plugin {} not supported" + .format(self._cache_plugin)) + def run(self, terms, variables=None, api_hostname=None, api_username=None, api_password=None, use_tls=True): 
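Review bot: `self._timeout = self._readconfig(key="timeout", integer=True)` in `__init__` overwrites the `self._timeout = 120` default with None whenever the `[re2o]` section has no `timeout` key, because `_readconfig` falls off the end without a return when `has_option` is false; the jsonfile plugin then receives `_timeout=None`, which is neither the 120-second default promised in ansible.cfg nor the documented `0` for "never expire", and will presumably misbehave in its expiry comparison. Assign through a local and keep the default on a miss: `timeout = self._readconfig(key="timeout", integer=True)` / `if timeout is not None: self._timeout = timeout`. The `mkdir(mode=0o700)` only governs a directory this code creates; a pre-existing `~/.cache/Ansible/re2oapi` is used with whatever mode it has, so if the cached API data is meant to stay private to the user, also test `self._cachedir.stat().st_mode & 0o077` and warn when it is non-zero. `_readconfig` also needs a docstring stating that it returns None when the config, the section or the key is absent, since callers now rely on that.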
@@ -354,33 +423,20 @@ class LookupModule(LookupBase): :returns: A list of results to the specific queries. """ - config_manager = ConfigManager() - config_file = config_manager.data.get_setting(name="CONFIG_FILE").value - config = ConfigParser() - config.read(config_file) + # Use the hostname specified by the user if it exists. + if api_hostname is not None: + display.vvv("Overriding api_hostname with {}".format(api_hostname)) + else: + api_hostname = self._api_hostname - use_cpasswords = False - - if config.has_section("re2o"): - display.vvv("Found section re2o in configuration file") - if config.has_option("re2o", "api_hostname"): - display.vvv("Found option api_hostname in config file") - api_hostname = config.get("re2o", "api_hostname") - display.vvv("Override api_hostname with {} from configuration" - .format(api_hostname)) - if config.has_option("re2o", "use_cpasswords"): - display.vvv("Found option use_cpasswords in config file") - use_cpasswords = config.getboolean("re2o", "use_cpasswords") - display.vvv("Override api_hostname with {} from configuration" - .format(use_cpasswords)) - - if api_hostname is None: + if self._api_hostname is None: raise AnsibleError(to_native( 'You must specify a hostname to contact re2oAPI' )) - if api_username is None and api_password is None and use_cpasswords: - display.vvv("Use cpasswords vault to get API credentials.") + if (api_username is None and api_password is None + and self._use_cpasswords): + display.vvv("Using cpasswords vault to get API credentials.") api_username = variables.get('vault_re2o_service_user') api_password = variables.get('vault_re2o_service_password') @@ -399,7 +455,7 @@ class LookupModule(LookupBase): res = [] dterms = collections.deque(terms) - machines_roles = None # TODO : Cache this. + display.vvv("Lookup terms are {}".format(terms)) while dterms: term = dterms.popleft() 
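Review bot: The guard `if self._api_hostname is None:` tests the configuration attribute rather than the local `api_hostname` that the lines just above resolve from the caller's argument, so a hostname passed explicitly to the lookup is rejected whenever ansible.cfg has no `api_hostname`, and the override only ever works when a config value also exists. Test the resolved local instead: `if api_hostname is None:`. The `display.vvv("Overriding api_hostname with {}"...)` message would be more useful if it also named the config value being replaced, but that is cosmetic. `run` continues outside this hunk, so the later use of `api_hostname` to build the client is not visible here.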
@@ -411,10 +467,7 @@ class LookupModule(LookupBase): elif term == 'get_role': try: role_name = dterms.popleft() - roles, machines_roles = self._get_role(api_client, - role_name, - machines_roles, - ) + roles = self._get_role(api_client, role_name) res.append(roles) except IndexError: display.v("Error in re2oapi : No role_name provided") 
@@ -429,59 +482,153 @@ class LookupModule(LookupBase): .format(to_native(e))) return res + def _get_cache(self, key): + if self._cache: + return self._cache.get(key) + else: + return None + + def _set_cache(self, key, value): + if self._cache: + return self._cache.set(key, value) + else: + return None + + def _is_cached(self, key): + if self._cache: + return self._cache.contains(key) + else: + return False + def _getzones(self, api_client): display.v("Getting dns zone names") - zones = api_client.list('dns/zones') - zones_name = [zone["name"][1:] for zone in zones] + zones, zones_name = None, None + + if self._is_cached('dnszones'): + zones_name = self._get_cache('dnszones') + + if zones_name is not None: + display.vvv("Found dnszones in cache.") + + else: + if self._is_cached('dns_zones'): + zones = self._get_cache('dns_zones') + if zones is not None: + display.vvv("Found dns/zones in cache.") + else: + display.vvv("Contacting the API, endpoint dns/zones...") + zones = api_client.list('dns/zones') + display.vvv("...Done") + zones_name = [zone["name"][1:] for zone in zones] + display.vvv("Storing dnszones in cache.") + self._set_cache('dnszones', zones_name) + return zones_name def _getreverse(self, api_client): display.v("Getting dns reverse zones") - display.vvv("Contacting the API, endpoint dns/reverse-zones...") - zones = api_client.list('dns/reverse-zones') - display.vvv("...Done") - res = [] - for zone in zones: - if zone['ptr_records']: - display.vvv('Found PTR records') - subnets = [] - for net in zone['cidrs']: - net = netaddr.IPNetwork(net) - if net.prefixlen > 24: - subnets.extend(net.subnet(32)) - elif net.prefixlen > 16: - subnets.extend(net.subnet(24)) - elif net.prefixlen > 8: - subnets.extend(net.subnet(16)) - else: - subnets.extend(net.subnet(8)) - for subnet in subnets: - _address = netaddr.IPAddress(subnet.first) - rev_dns_a = _address.reverse_dns.split('.')[:-1] - if subnet.prefixlen == 8: - zone_name = '.'.join(rev_dns_a[3:]) - elif 
subnet.prefixlen == 16: - zone_name = '.'.join(rev_dns_a[2:]) - elif subnet.prefixlen == 24: - zone_name = '.'.join(rev_dns_a[1:]) - res.append(zone_name) - display.vvv("Found reverse zone {}".format(zone_name)) + + zones, res = None, None + + if self._is_cached('dnsreverse'): + res = self._get_cache('dnsreverse') + + if res is not None: + display.vvv("Found dnsreverse in cache.") + + else: + if self._is_cached('dns_reverse-zones'): + zones = self._get_cache('dns_reverse-zones') + + if zones is not None: + display.vvv("Found dns/reverse-zones in cache.") + else: + display.vvv("Contacting the API, endpoint dns/reverse-zones..") + zones = api_client.list('dns/reverse-zones') + display.vvv("...Done") + + display.vvv("Trying to format dns reverse in a nice way.") + res = [] + for zone in zones: + if zone['ptr_records']: + display.vvv('Found PTR records') + subnets = [] + for net in zone['cidrs']: + net = netaddr.IPNetwork(net) + if net.prefixlen > 24: + subnets.extend(net.subnet(32)) + elif net.prefixlen > 16: + subnets.extend(net.subnet(24)) + elif net.prefixlen > 8: + subnets.extend(net.subnet(16)) + else: + subnets.extend(net.subnet(8)) + + for subnet in subnets: + _address = netaddr.IPAddress(subnet.first) + rev_dns_a = _address.reverse_dns.split('.')[:-1] + if subnet.prefixlen == 8: + zone_name = '.'.join(rev_dns_a[3:]) + elif subnet.prefixlen == 16: + zone_name = '.'.join(rev_dns_a[2:]) + elif subnet.prefixlen == 24: + zone_name = '.'.join(rev_dns_a[1:]) + res.append(zone_name) + display.vvv("Found reverse zone {}".format(zone_name)) + if zone['ptr_v6_records']: display.vvv("Found PTR v6 record") - net = netaddr.IPNetwork(zone['prefix_v6']+'/'+str(zone['prefix_v6_length'])) - net_class = max(((net.prefixlen -1) // 4) +1, 1) + net = netaddr.IPNetwork(zone['prefix_v6'] + + '/' + + str(zone['prefix_v6_length'])) + net_class = max(((net.prefixlen - 1) // 4) + 1, 1) zone6_name = ".".join( - netaddr.IPAddress(net.first).reverse_dns.split('.')[32 - net_class:])[:-1] + 
netaddr.IPAddress(net.first) + .reverse_dns.split('.')[32 - net_class:])[:-1] res.append(zone6_name) display.vvv("Found reverse zone {}".format(zone6_name)) - return list(set(res)) + + display.vvv("Storing dns reverse zones in cache.") + self._set_cache('dnsreverse', list(set(res))) + + return res def _rawquery(self, api_client, endpoint): - display.v("Make a raw query to endpoint {}".format(endpoint)) - return api_client.list(endpoint) + res = None + if self._is_cached(endpoint.replace('/', '_')): + res = self._get_cache(endpoint.replace('/', '_')) + if res is not None: + display.vvv("Found {} in cache.".format(endpoint)) + else: + display.v("Making a raw query {host}/api/{endpoint}" + .format(host=self.api_hostname, endpoint=endpoint)) + res = api_client.list(endpoint) + display.vvv("Storing result in cache.") + self._set_cache(endpoint.replace('/', '_'), res) + return res - def _get_role(self, api_client, role_name, machines_roles): - if machines_roles is None: - machines_roles = api_client.list("machines/role") - return list(filter(lambda machine: machine["role_type"] == role_name, - machines_roles)), machines_roles + def _get_role(self, api_client, role_name): + res, machines_roles = None, None + + if self._is_cached(role_name): + res = self._get_cache(role_name) + + if res is not None: + display.vvv("Found {} in cache.".format(role_name)) + else: + if self._is_cached("machines_role"): + machines_roles = self._get_cache("machines_role") + + if machines_roles is not None: + display.vvv("Found machines/roles in cache.") + else: + machines_roles = api_client.list("machines/role") + display.vvv("Storing machines/role in cache.") + self._set_cache("machines_role", machines_roles) + + res = list(filter(lambda m: m["role_type"] == role_name, + machines_roles)) + display.vvv("Storing {} in cache.".format(role_name)) + self._set_cache(role_name, res) + + return res From c103710745a0feeb060738e6ba82223b14331330 Mon Sep 17 00:00:00 2001 
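Review bot: `_rawquery` logs `self.api_hostname`, but the attribute set in `__init__` is `self._api_hostname`, so the first uncached raw query raises AttributeError before `api_client.list` is ever reached; use `host=self._api_hostname` (or better, the hostname the client was actually built with, since `run` can override it). In `_getreverse` the value stored is `list(set(res))` while the value returned is `res`, so a cold call returns duplicates and a warm call does not, whereas the removed code always returned the deduplicated list: assign `res = list(set(res))` before `self._set_cache('dnsreverse', res)`. The cache keys form one flat, unprefixed namespace — `_get_role` keys on the bare `role_name`, `_rawquery` on `endpoint.replace('/', '_')`, the zone helpers on fixed names — so a role called `dnszones` or `machines_role` would be handed a list of zones, and nothing in the key ties an entry to the API host it came from, so a run with a different `api_hostname` is answered with the previous host's data until the timeout elapses. Prefixing (`'role_' + role_name`, `'raw_' + endpoint.replace('/', '_')`) and folding the hostname into the key would close both. The `_get_cache`/`_set_cache`/`_is_cached` helpers each deserve a one-line docstring noting that they are no-ops returning None/False when no cache plugin is configured.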
From: Bombar Maxime Date: Wed, 29 Apr 2020 10:53:58 +0200 Subject: [PATCH 002/126] [rsync-client] Add wireguard interface. Enable backups on sputnik. --- roles/rsync-client/tasks/main.yml | 4 ++++ roles/rsync-client/templates/rsyncd.conf.j2 | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/roles/rsync-client/tasks/main.yml b/roles/rsync-client/tasks/main.yml index 13c9f44c..2647c076 100644 --- a/roles/rsync-client/tasks/main.yml +++ b/roles/rsync-client/tasks/main.yml @@ -30,3 +30,7 @@ name: rsync enabled: true state: started + +- name: TODO + debug: + msg: Make use of the lookup plugin to avoid hardcoding things ? diff --git a/roles/rsync-client/templates/rsyncd.conf.j2 b/roles/rsync-client/templates/rsyncd.conf.j2 index e3ed5ade..bea4fc7c 100644 --- a/roles/rsync-client/templates/rsyncd.conf.j2 +++ b/roles/rsync-client/templates/rsyncd.conf.j2 @@ -34,13 +34,14 @@ address = {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.ad path = /var auth users = backupcrans secrets file = /etc/rsyncd.secrets -hosts allow = zephir.adm.crans.org 10.231.136.6 +hosts allow = zephir.adm.crans.org 10.231.136.6 {% if ansible_hostname == "sputnik" %}172.31.0.1{% endif %} + [slash] path = / auth users = backupcrans secrets file = /etc/rsyncd.secrets -hosts allow = zephir.adm.crans.org 10.231.136.6 +hosts allow = zephir.adm.crans.org 10.231.136.6 {% if ansible_hostname == "sputnik" %}172.31.0.1{% endif %} {# rsync readonly pour le miroir #} {% if ansible_hostname == "charybde" %} From 8e1062459b38a9060d0bf3da8b4457ac7ee6131f Mon Sep 17 00:00:00 2001 
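Review bot: `hosts allow` is rsyncd's access-control list, and the new `172.31.0.1` entry is gated on `ansible_hostname`, a fact reported by the managed host itself, whereas the rest of this template keys on `inventory_hostname` (see the `hostvars[inventory_hostname]` context line); deciding an ACL from inventory or a host/group variable rather than from what the target claims to be is the safer habit, even though the existing `charybde` block below already uses the same fact. The literal is now duplicated in the `[var]` and `[slash]` modules; a variable such as `rsync_extra_allowed_hosts` appended to both lines would keep them from drifting, which is also what the TODO task added to tasks/main.yml in this commit is pointing at. A `{# ... #}` comment saying what `172.31.0.1` is (the commit message only says a wireguard interface was added) would spare the next reader a lookup.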
From: Benjamin Graillot Date: Mon, 20 Apr 2020 18:56:42 +0200 Subject: [PATCH 003/126] [interfaces] Deploy /etc/network/interfaces for adm --- interfaces.yml | 12 ++++++++++++ roles/interfaces/tasks/main.yml | 7 +++++++ .../templates/network/interfaces.d/02-adm.j2 | 17 +++++++++++++++++ 3 files changed, 36 insertions(+) create mode 100755 interfaces.yml create mode 100644 roles/interfaces/tasks/main.yml create mode 100644 roles/interfaces/templates/network/interfaces.d/02-adm.j2 diff --git a/interfaces.yml b/interfaces.yml new file mode 100755 index 00000000..0d028edc --- /dev/null +++ b/interfaces.yml @@ -0,0 +1,12 @@ +#!/usr/bin/env ansible-playbook +--- +# Set variable adm_iface for all servers +- hosts: server + tasks: + - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" + register: adm_iface + check_mode: no + +- hosts: boeing.adm.crans.org + roles: + - interfaces diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml new file mode 100644 index 00000000..095878e4 --- /dev/null +++ b/roles/interfaces/tasks/main.yml @@ -0,0 +1,7 @@ +--- +- name: Deploy adm interface config + template: + src: network/interfaces.d/02-adm.j2 + dest: /etc/network/interfaces.d/02-adm + mode: 0644 + when: adm_iface.stdout diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2 new file mode 100644 index 00000000..79cbe5fa --- /dev/null +++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2 
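Review bot: `grep adm /sys/class/net/*/ifalias` matches any alias containing `adm` as a substring, and when several interfaces match, `adm_iface.stdout` holds several newline-separated names that the template then uses as a single interface name; use an exact-line match and a uniqueness check, e.g. `shell: grep -lx adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||;s|/ifalias||"` together with `failed_when: adm_iface.stdout_lines | length > 1`. The probe also runs with `check_mode: no` but no `changed_when: false`, so a read-only command reports a change on every run. The same pattern is repeated for `srv_iface`/`ens_iface` in PATCH 004 and `fil_iface` in PATCH 007. A one-line comment above the task, `# Interfaces are identified by their kernel alias (see 'ip link set ... alias' in the interfaces templates)`, would record the convention the whole role depends on.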
@@ -0,0 +1,17 @@ +{{ ansible_header | comment }} + +allow-hotplug {{ adm_iface.stdout }} +iface {{ adm_iface.stdout }} inet static + address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.address }} + network {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.network }} + netmask {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.netmask }} + broadcast {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.broadcast }} + dns-nameservers 10.231.136.152 10.231.136.4 + dns-search adm.crans.org + up /sbin/ip link set $IFACE alias adm + +iface {{ adm_iface.stdout }} inet6 static + address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }} + autoconf 1 + accept_ra 2 + up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1 From d21a2116af4a1e24fd84df93ec1b056671915834 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Mon, 20 Apr 2020 19:46:47 +0200 Subject: [PATCH 004/126] [interfaces] Deploy /etc/network/interfaces for srv and ens --- interfaces.yml | 12 +++++++++++ roles/interfaces/tasks/main.yml | 20 +++++++++++++++++++ .../templates/network/interfaces.d/00-srv.j2 | 19 ++++++++++++++++++ .../templates/network/interfaces.d/01-ens.j2 | 19 ++++++++++++++++++ .../templates/network/interfaces.d/02-adm.j2 | 6 ++---- .../templates/network/interfaces.j2 | 10 ++++++++++ 6 files changed, 82 insertions(+), 4 deletions(-) create mode 100644 roles/interfaces/templates/network/interfaces.d/00-srv.j2 create mode 100644 roles/interfaces/templates/network/interfaces.d/01-ens.j2 create mode 100644 roles/interfaces/templates/network/interfaces.j2 diff --git a/interfaces.yml b/interfaces.yml index 0d028edc..872d81ee 100755 --- a/interfaces.yml +++ b/interfaces.yml 
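Review bot: The `inet6 static` stanza dereferences `hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0]` unconditionally, so a host whose adm interface reports no IPv6 address fails the whole template instead of skipping the stanza, and if the only reported address is link-local a `fe80::` address would be written as the static one — presumably not intended. Guard it with `{% if hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6 is defined and hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6 | length > 0 %}` around the stanza, or bind the interface facts to a local with `{% set iface = hostvars[inventory_hostname]['ansible_' + adm_iface.stdout] %}` at the top so the six repeated lookups become `iface.ipv4.address`, `iface.ipv6[0].address`, etc. The 00-srv and 01-ens templates added in PATCH 004 and 21-fil in PATCH 007 share the unguarded `ipv6[0]`.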
@@ -6,7 +6,19 @@ - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" register: adm_iface check_mode: no + - shell: grep srv /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" + register: srv_iface + check_mode: no + - shell: grep ens /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" + register: ens_iface + check_mode: no - hosts: boeing.adm.crans.org + vars: + - adm_dns: 10.231.136.152 10.231.136.4 + - srv_gateway: 185.230.79.254 + - srv_dns: 185.230.79.152 185.230.79.4 + - ens_gateway: 138.231.136.254 + - ens_dns: 138.231.136.152 138.231.136.4 roles: - interfaces diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml index 095878e4..336a267d 100644 --- a/roles/interfaces/tasks/main.yml +++ b/roles/interfaces/tasks/main.yml @@ -1,4 +1,24 @@ --- +- name: Deploy default interfaces config + template: + src: network/interfaces.j2 + dest: /etc/network/interfaces + mode: 0644 + +- name: Deploy srv interface config + template: + src: network/interfaces.d/00-srv.j2 + dest: /etc/network/interfaces.d/00-srv + mode: 0644 + when: srv_iface.stdout + +- name: Deploy ens interface config + template: + src: network/interfaces.d/01-ens.j2 + dest: /etc/network/interfaces.d/01-ens + mode: 0644 + when: ens_iface.stdout + - name: Deploy adm interface config template: src: network/interfaces.d/02-adm.j2 diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 new file mode 100644 index 00000000..4c7468a1 --- /dev/null +++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 
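Review bot: The per-network gateways and resolvers (`srv_gateway`, `srv_dns`, `ens_gateway`, `ens_dns`, `adm_dns`) are play-level `vars` hardcoded in the playbook; they are properties of the network segments rather than of this play, so `group_vars` (or the re2o lookup this repository already ships) would keep them out of the playbook and let hosts on different segments differ — PATCH 007 already extends the same literal set to a second host. The `vars:` block is written as a list of single-key mappings; the plain mapping form (`vars:` / `  srv_gateway: 185.230.79.254`) is the documented one and avoids relying on the list syntax. The two new `grep srv`/`grep ens` probes inherit the substring and multi-match issue raised on the first interfaces.yml hunk (PATCH 003).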
@@ -0,0 +1,19 @@ +{{ ansible_header | comment }} + +allow-hotplug {{ srv_iface.stdout }} +iface {{ srv_iface.stdout }} inet static + address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.address }} + network {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.network }} + netmask {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.netmask }} + broadcast {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.broadcast }} + gateway {{ srv_gateway }} + mtu 1496 + dns-nameservers {{ srv_dns }} + dns-search crans.org + up /sbin/ip link set $IFACE alias srv + +iface {{ srv_iface.stdout }} inet6 static + address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].prefix }} + autoconf 1 + accept_ra 2 + up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1 diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 new file mode 100644 index 00000000..d168be5d --- /dev/null +++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 
@@ -0,0 +1,19 @@ +{{ ansible_header | comment }} + +allow-hotplug {{ ens_iface.stdout }} +iface {{ ens_iface.stdout }} inet static + address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.address }} + network {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.network }} + netmask {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.netmask }} + broadcast {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.broadcast }} + gateway {{ ens_gateway }} + mtu 1496 + dns-nameservers {{ ens_dns }} + dns-search crans.org + up /sbin/ip link set $IFACE alias ens + +iface {{ ens_iface.stdout }} inet6 static + address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].prefix }} + autoconf 1 + accept_ra 2 + up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1 diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2 index 79cbe5fa..d0b5b833 100644 --- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 +++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2 @@ -6,12 +6,10 @@ iface {{ adm_iface.stdout }} inet static network {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.network }} netmask {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.netmask }} broadcast {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.broadcast }} - dns-nameservers 10.231.136.152 10.231.136.4 + mtu 1496 + dns-nameservers {{ adm_dns }} dns-search adm.crans.org up /sbin/ip link set $IFACE alias adm iface {{ adm_iface.stdout }} inet6 static address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }} - autoconf 1 - accept_ra 2 - up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1 
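Review bot: This hunk removes `autoconf 1`, `accept_ra 2` and the `accept_ra_defrtr` sysctl from the adm stanza while the 00-srv and 01-ens templates added in the same commit keep them, and nothing records why adm is different; a comment in the template, `{# adm: static IPv6 only, no SLAAC/RA — TODO confirm no router advertisements on this segment #}`, would capture the intent. `mtu 1496` is now repeated as a literal in all three templates with no reason given (presumably an encapsulated uplink); a single variable such as `iface_mtu` would document it once and make it overridable per host.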
diff --git a/roles/interfaces/templates/network/interfaces.j2 b/roles/interfaces/templates/network/interfaces.j2 new file mode 100644 index 00000000..0c339966 --- /dev/null +++ b/roles/interfaces/templates/network/interfaces.j2 @@ -0,0 +1,10 @@ +{{ ansible_header | comment }} + +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +source /etc/network/interfaces.d/* + +# The loopback network interface +auto lo +iface lo inet loopback From 210fc18a988f4aea5dcaadbce7cec6cccd136087 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Mon, 20 Apr 2020 20:45:00 +0200 Subject: [PATCH 005/126] [interfaces] Add supplementary lines from local facts --- .../interfaces/templates/network/interfaces.d/01-ens.j2 | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 index d168be5d..c7a34671 100644 --- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 +++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 @@ -11,6 +11,15 @@ iface {{ ens_iface.stdout }} inet static dns-nameservers {{ ens_dns }} dns-search crans.org up /sbin/ip link set $IFACE alias ens +{% if 'interfaces' in ansible_local %} +{% if ens_iface.stdout in ansible_local.interfaces %} +{% if 'sup_if_4' in ansible_local.interfaces[ens_iface.stdout] %} +{% for line in ansible_local.interfaces[ens_iface.stdout].sup_if_4 %} + {{ line }} +{% endfor %} +{% endif %} +{% endif %} +{% endif %} iface {{ ens_iface.stdout }} inet6 static address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].prefix }} From 32e24ff38a3190217497ac5cd399f5eaef1ebdf4 Mon Sep 17 00:00:00 2001 
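Review bot: The three nested `{% if %}` guards collapse into one, since Jinja's `and` short-circuits: `{% if 'interfaces' in ansible_local and ens_iface.stdout in ansible_local.interfaces and 'sup_if_4' in ansible_local.interfaces[ens_iface.stdout] %}`. The block is then copied verbatim for `sup_if_6` and for the srv/adm templates in PATCH 006 and fil in PATCH 007; a small macro (`{% macro sup_lines(iface, key) %}`) in a shared template would leave one copy to maintain. The lines are emitted unvalidated into a file where `up`/`post-up` directives are executed as root when the interface comes up; that appears acceptable because `ansible_local` is read from the target's own local facts, so no new trust boundary is crossed, but a comment stating that provenance, `{# sup_if_4 comes from the host's own local facts (facts.d) and is emitted verbatim #}`, would let a later reader judge it.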
From: Benjamin Graillot Date: Mon, 20 Apr 2020 22:27:17 +0200 Subject: [PATCH 006/126] [interfaces] Add supplementary lines from local facts to all interfaces --- .../templates/network/interfaces.d/00-srv.j2 | 18 ++++++++++++++++++ .../templates/network/interfaces.d/01-ens.j2 | 9 +++++++++ .../templates/network/interfaces.d/02-adm.j2 | 18 ++++++++++++++++++ 3 files changed, 45 insertions(+) diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 index 4c7468a1..7fc0390f 100644 --- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 +++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 @@ -11,9 +11,27 @@ iface {{ srv_iface.stdout }} inet static dns-nameservers {{ srv_dns }} dns-search crans.org up /sbin/ip link set $IFACE alias srv +{% if 'interfaces' in ansible_local %} +{% if srv_iface.stdout in ansible_local.interfaces %} +{% if 'sup_if_4' in ansible_local.interfaces[srv_iface.stdout] %} +{% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_4 %} + {{ line }} +{% endfor %} +{% endif %} +{% endif %} +{% endif %} iface {{ srv_iface.stdout }} inet6 static address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].prefix }} autoconf 1 accept_ra 2 up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1 +{% if 'interfaces' in ansible_local %} +{% if srv_iface.stdout in ansible_local.interfaces %} +{% if 'sup_if_6' in ansible_local.interfaces[srv_iface.stdout] %} +{% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_6 %} + {{ line }} +{% endfor %} +{% endif %} +{% endif %} +{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 index c7a34671..e94243b1 100644 --- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 @@ -26,3 +26,12 @@ iface {{ ens_iface.stdout }} inet6 static autoconf 1 accept_ra 2 up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1 +{% if 'interfaces' in ansible_local %} +{% if ens_iface.stdout in ansible_local.interfaces %} +{% if 'sup_if_6' in ansible_local.interfaces[ens_iface.stdout] %} +{% for line in ansible_local.interfaces[ens_iface.stdout].sup_if_6 %} + {{ line }} +{% endfor %} +{% endif %} +{% endif %} +{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2 index d0b5b833..bd928eae 100644 --- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 +++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2 @@ -10,6 +10,24 @@ iface {{ adm_iface.stdout }} inet static dns-nameservers {{ adm_dns }} dns-search adm.crans.org up /sbin/ip link set $IFACE alias adm +{% if 'interfaces' in ansible_local %} +{% if adm_iface.stdout in ansible_local.interfaces %} +{% if 'sup_if_4' in ansible_local.interfaces[adm_iface.stdout] %} +{% for line in ansible_local.interfaces[adm_iface.stdout].sup_if_4 %} + {{ line }} +{% endfor %} +{% endif %} +{% endif %} +{% endif %} iface {{ adm_iface.stdout }} inet6 static address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }} +{% if 'interfaces' in ansible_local %} +{% if adm_iface.stdout in ansible_local.interfaces %} +{% if 'sup_if_6' in ansible_local.interfaces[adm_iface.stdout] %} +{% for line in ansible_local.interfaces[adm_iface.stdout].sup_if_6 %} + {{ line }} +{% endfor %} +{% endif %} +{% endif %} +{% endif %} From 382548c6333eadd45025390d97825f962d0f4d2b Mon Sep 17 00:00:00 2001 
From: Benjamin Graillot Date: Tue, 21 Apr 2020 08:50:46 +0200 Subject: [PATCH 007/126] [interfaces] Configure fil interface --- interfaces.yml | 15 +++++--- roles/interfaces/tasks/main.yml | 7 ++++ .../templates/network/interfaces.d/00-srv.j2 | 2 +- .../templates/network/interfaces.d/21-fil.j2 | 34 +++++++++++++++++++ 4 files changed, 52 insertions(+), 6 deletions(-) create mode 100644 roles/interfaces/templates/network/interfaces.d/21-fil.j2 diff --git a/interfaces.yml b/interfaces.yml index 872d81ee..e637a5cc 100755 --- a/interfaces.yml +++ b/interfaces.yml @@ -3,22 +3,27 @@ # Set variable adm_iface for all servers - hosts: server tasks: - - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" - register: adm_iface - check_mode: no - shell: grep srv /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" register: srv_iface check_mode: no - shell: grep ens /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" register: ens_iface check_mode: no + - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" + register: adm_iface + check_mode: no + - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" + register: fil_iface + check_mode: no -- hosts: boeing.adm.crans.org +- hosts: boeing.adm.crans.org,cochon.adm.crans.org vars: - - adm_dns: 10.231.136.152 10.231.136.4 - srv_gateway: 185.230.79.254 - srv_dns: 185.230.79.152 185.230.79.4 - ens_gateway: 138.231.136.254 - ens_dns: 138.231.136.152 138.231.136.4 + - adm_dns: 10.231.136.152 10.231.136.4 + - fil_gateway: 10.54.0.254 + - fil_dns: 10.54.0.152 10.54.0.4 roles: - interfaces diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml index 336a267d..d9751a36 100644 --- a/roles/interfaces/tasks/main.yml +++ b/roles/interfaces/tasks/main.yml 
@@ -25,3 +25,10 @@ dest: /etc/network/interfaces.d/02-adm mode: 0644 when: adm_iface.stdout + +- name: Deploy fil interface config + template: + src: network/interfaces.d/21-fil.j2 + dest: /etc/network/interfaces.d/21-fil + mode: 0644 + when: fil_iface.stdout diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 index 7fc0390f..1367d156 100644 --- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 +++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 @@ -15,7 +15,7 @@ iface {{ srv_iface.stdout }} inet static {% if srv_iface.stdout in ansible_local.interfaces %} {% if 'sup_if_4' in ansible_local.interfaces[srv_iface.stdout] %} {% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_4 %} - {{ line }} + {{ line }} {% endfor %} {% endif %} {% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2 new file mode 100644 index 00000000..469f0531 --- /dev/null +++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2 
@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+
+allow-hotplug {{ fil_iface.stdout }}
+iface {{ fil_iface.stdout }} inet static
+ address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.address }}
+ network {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.network }}
+ netmask {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.netmask }}
+ broadcast {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.broadcast }}
+ gateway {{ fil_gateway }}
+ mtu 1496
+ dns-nameservers {{ fil_dns }}
+ dns-search fil.crans.org
+ up /sbin/ip link set $IFACE alias fil
+{% if 'interfaces' in ansible_local %}
+{% if fil_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_4' in ansible_local.interfaces[fil_iface.stdout] %}
+{% for line in ansible_local.interfaces[fil_iface.stdout].sup_if_4 %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+
+iface {{ fil_iface.stdout }} inet6 static
+ address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].prefix }}
+{% if 'interfaces' in ansible_local %}
+{% if fil_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_6' in ansible_local.interfaces[fil_iface.stdout] %}
+{% for line in ansible_local.interfaces[fil_iface.stdout].sup_if_6 %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %} From 9e263ee31bbfcac69873cd23f7aaa1e81d5ce5d3 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Tue, 21 Apr 2020 09:57:02 +0200 Subject: [PATCH 008/126] [interfaces] Change interfaces.fact format --- .../templates/network/interfaces.d/00-srv.j2 | 12 ++++++------ .../templates/network/interfaces.d/01-ens.j2 | 12 ++++++------ .../templates/network/interfaces.d/02-adm.j2 | 12 ++++++------ .../templates/network/interfaces.d/21-fil.j2 | 12 ++++++------ 4 files changed, 24 insertions(+), 24 deletions(-)
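Review bot: The new 21-fil.j2 pins whatever address the interface currently has (`hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.address`) into a static stanza, so the generated file reproduces live state rather than an intended value: if the interface is misconfigured when the role runs, that address becomes permanent and Ansible will never report the drift. The IPv6 stanza is more fragile still, because `ipv6[0]` is simply the first entry of the facts list, which may be a link-local `fe80::` or a temporary SLAAC address rather than the static one; if the facts expose a `scope` field I would select the global address explicitly, e.g. `{% set v6 = hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6 | selectattr('scope', 'equalto', 'global') | list %}` and `address {{ v6[0].address }}/{{ v6[0].prefix }}`. Longer term the addresses should come from inventory/host_vars and the facts be used only to find the interface name, which deserves a comment at the top of the template either way.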
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 1367d156..9e934d98 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -12,9 +12,9 @@ iface {{ srv_iface.stdout }} inet static
 dns-search crans.org
 up /sbin/ip link set $IFACE alias srv
 {% if 'interfaces' in ansible_local %}
-{% if srv_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_4' in ansible_local.interfaces[srv_iface.stdout] %}
-{% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_4 %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if srv_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[srv_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
@@ -27,9 +27,9 @@ iface {{ srv_iface.stdout }} inet6 static
 accept_ra 2
 up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
 {% if 'interfaces' in ansible_local %}
-{% if srv_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_6' in ansible_local.interfaces[srv_iface.stdout] %}
-{% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_6 %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if srv_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[srv_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index e94243b1..ac2bed20 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
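Review bot: The three nested `{% if %}` guards in 00-srv.j2 (`'interfaces' in ansible_local`, `'sup_if_4' in ansible_local.interfaces`, `srv_iface.stdout in ansible_local.interfaces.sup_if_4`) plus the matching `{% endif %}` triplet are repeated for v4 and v6 in every template this commit touches; one default-chained lookup is easier to keep consistent, e.g. `{% for line in ansible_local.get('interfaces', {}).get('sup_if_4', {}).get(srv_iface.stdout, []) %}`. A comment is also due here: `interfaces.fact` is a local fact file on the managed host whose lines are pasted verbatim into the root-parsed interfaces file, and the new dict-of-lists layout (`sup_if_4[<iface>]`) is currently documented only by this diff. The inet6 stanza of the second hunk starts above the hunk.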
@@ -12,9 +12,9 @@ iface {{ ens_iface.stdout }} inet static
 dns-search crans.org
 up /sbin/ip link set $IFACE alias ens
 {% if 'interfaces' in ansible_local %}
-{% if ens_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_4' in ansible_local.interfaces[ens_iface.stdout] %}
-{% for line in ansible_local.interfaces[ens_iface.stdout].sup_if_4 %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ens_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[ens_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
@@ -27,9 +27,9 @@ iface {{ ens_iface.stdout }} inet6 static
 accept_ra 2
 up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
 {% if 'interfaces' in ansible_local %}
-{% if ens_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_6' in ansible_local.interfaces[ens_iface.stdout] %}
-{% for line in ansible_local.interfaces[ens_iface.stdout].sup_if_6 %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ens_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[ens_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index bd928eae..dce7c3e4 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -11,9 +11,9 @@ iface {{ adm_iface.stdout }} inet static
 dns-search adm.crans.org
 up /sbin/ip link set $IFACE alias adm
 {% if 'interfaces' in ansible_local %}
-{% if adm_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_4' in ansible_local.interfaces[adm_iface.stdout] %}
-{% for line in ansible_local.interfaces[adm_iface.stdout].sup_if_4 %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if adm_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[adm_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
@@ -23,9 +23,9 @@ iface {{ adm_iface.stdout }} inet static
 iface {{ adm_iface.stdout }} inet6 static
 address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }}
 {% if 'interfaces' in ansible_local %}
-{% if adm_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_6' in ansible_local.interfaces[adm_iface.stdout] %}
-{% for line in ansible_local.interfaces[adm_iface.stdout].sup_if_6 %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if adm_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[adm_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
index 469f0531..f9453e0f 100644
--- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2
+++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
@@ -12,9 +12,9 @@ iface {{ fil_iface.stdout }} inet static
 dns-search fil.crans.org
 up /sbin/ip link set $IFACE alias fil
 {% if 'interfaces' in ansible_local %}
-{% if fil_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_4' in ansible_local.interfaces[fil_iface.stdout] %}
-{% for line in ansible_local.interfaces[fil_iface.stdout].sup_if_4 %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if fil_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[fil_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
@@ -24,9 +24,9 @@ iface {{ fil_iface.stdout }} inet static
 iface {{ fil_iface.stdout }} inet6 static
 address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].prefix }}
 {% if 'interfaces' in ansible_local %}
-{% if fil_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_6' in ansible_local.interfaces[fil_iface.stdout] %}
-{% for line in ansible_local.interfaces[fil_iface.stdout].sup_if_6 %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if fil_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[fil_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %} From c108c019337a531235eebc2faa45e0ce578b2200 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Tue, 21 Apr 2020 12:06:26 +0200 Subject: [PATCH 009/126] [interfaces] Alias ansible facts --- .../templates/network/interfaces.d/00-srv.j2 | 11 ++++++----- .../templates/network/interfaces.d/01-ens.j2 | 11 ++++++----- .../templates/network/interfaces.d/02-adm.j2 | 11 ++++++----- .../templates/network/interfaces.d/21-fil.j2 | 11 ++++++----- 4 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 9e934d98..53151878 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -1,11 +1,12 @@
 {{ ansible_header | comment }}
+{% set srv = hostvars[inventory_hostname]['ansible_' + srv_iface.stdout] %}
 allow-hotplug {{ srv_iface.stdout }}
 iface {{ srv_iface.stdout }} inet static
- address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.address }}
- network {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.network }}
- netmask {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.netmask }}
- broadcast {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.broadcast }}
+ address {{ srv.ipv4.address }}
+ network {{ srv.ipv4.network }}
+ netmask {{ srv.ipv4.netmask }}
+ broadcast {{ srv.ipv4.broadcast }}
 gateway {{ srv_gateway }}
 mtu 1496
 dns-nameservers {{ srv_dns }}
@@ -22,7 +23,7 @@ iface {{ srv_iface.stdout }} inet static
 {% endif %}
 iface {{ srv_iface.stdout }} inet6 static
- address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].prefix }}
+ address {{ srv.ipv6[0].address }}/{{ srv.ipv6[0].prefix }}
 autoconf 1
 accept_ra 2
 up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index ac2bed20..62cb77fc 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
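Review bot: `{% set srv = hostvars[inventory_hostname]['ansible_' + srv_iface.stdout] %}` reaches the templated host's own fact through hostvars and a hand-built `ansible_` key; on Ansible 2.5+ the same data is available as `ansible_facts[srv_iface.stdout]`, which is shorter and, I believe, keeps working for interface names that the legacy `ansible_*` flattening rewrites. Whichever form is kept, a short comment above the `set`, e.g. `{# facts of the interface whose ifalias is "srv"; srv_iface is registered by interfaces.yml, not by this role #}`, would help since the variable is not defined anywhere in the role. The inet6 hunk only switches to the alias and is otherwise unchanged.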
@@ -1,11 +1,12 @@
 {{ ansible_header | comment }}
+{% set ens = hostvars[inventory_hostname]['ansible_' + ens_iface.stdout] %}
 allow-hotplug {{ ens_iface.stdout }}
 iface {{ ens_iface.stdout }} inet static
- address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.address }}
- network {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.network }}
- netmask {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.netmask }}
- broadcast {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.broadcast }}
+ address {{ ens.ipv4.address }}
+ network {{ ens.ipv4.network }}
+ netmask {{ ens.ipv4.netmask }}
+ broadcast {{ ens.ipv4.broadcast }}
 gateway {{ ens_gateway }}
 mtu 1496
 dns-nameservers {{ ens_dns }}
@@ -22,7 +23,7 @@ iface {{ ens_iface.stdout }} inet static
 {% endif %}
 iface {{ ens_iface.stdout }} inet6 static
- address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].prefix }}
+ address {{ ens.ipv6[0].address }}/{{ ens.ipv6[0].prefix }}
 autoconf 1
 accept_ra 2
 up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index dce7c3e4..95991513 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -1,11 +1,12 @@
 {{ ansible_header | comment }}
+{% set adm = hostvars[inventory_hostname]['ansible_' + adm_iface.stdout] %}
 allow-hotplug {{ adm_iface.stdout }}
 iface {{ adm_iface.stdout }} inet static
- address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.address }}
- network {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.network }}
- netmask {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.netmask }}
- broadcast {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.broadcast }}
+ address {{ adm.ipv4.address }}
+ network {{ adm.ipv4.network }}
+ netmask {{ adm.ipv4.netmask }}
+ broadcast {{ adm.ipv4.broadcast }}
 mtu 1496
 dns-nameservers {{ adm_dns }}
 dns-search adm.crans.org
@@ -21,7 +22,7 @@ iface {{ adm_iface.stdout }} inet static
 {% endif %}
 iface {{ adm_iface.stdout }} inet6 static
- address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }}
+ address {{ adm.ipv6[0].address }}/{{ adm.ipv6[0].prefix }}
 {% if 'interfaces' in ansible_local %}
 {% if 'sup_if_6' in ansible_local.interfaces %}
 {% if adm_iface.stdout in ansible_local.interfaces.sup_if_6 %}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
index f9453e0f..0e08910a 100644
--- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2
+++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
@@ -1,11 +1,12 @@
 {{ ansible_header | comment }}
+{% set fil = hostvars[inventory_hostname]['ansible_' + fil_iface.stdout] %}
 allow-hotplug {{ fil_iface.stdout }}
 iface {{ fil_iface.stdout }} inet static
- address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.address }}
- network {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.network }}
- netmask {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.netmask }}
- broadcast {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.broadcast }}
+ address {{ fil.ipv4.address }}
+ network {{ fil.ipv4.network }}
+ netmask {{ fil.ipv4.netmask }}
+ broadcast {{ fil.ipv4.broadcast }}
 gateway {{ fil_gateway }}
 mtu 1496
 dns-nameservers {{ fil_dns }}
@@ -22,7 +23,7 @@ iface {{ fil_iface.stdout }} inet static
 {% endif %}
 iface {{ fil_iface.stdout }} inet6 static
- address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].prefix }}
+ address {{ fil.ipv6[0].address }}/{{ fil.ipv6[0].prefix }}
 {% if 'interfaces' in ansible_local %}
 {% if 'sup_if_6' in ansible_local.interfaces %}
 {% if fil_iface.stdout in ansible_local.interfaces.sup_if_6 %} From 1d7c6102edbb174d2957033ad0d469fc47e9bf83 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Tue, 21 Apr 2020 12:07:38 +0200 Subject: [PATCH 010/126] [interfaces] Deploy interfaces on tracker --- interfaces.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/interfaces.yml b/interfaces.yml
index e637a5cc..84c59ca2 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -16,7 +16,7 @@
 register: fil_iface
 check_mode: no
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org
 vars:
 - srv_gateway: 185.230.79.254
 - srv_dns: 185.230.79.152 185.230.79.4 From 8631a875e3976a64b5942fa2b1e764cc68796dac Mon Sep 17 00:00:00 2001
From: Benjamin Graillot Date: Tue, 21 Apr 2020 12:20:58 +0200 Subject: [PATCH 011/126] [interfaces] Deploy interfaces on voyager --- interfaces.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/interfaces.yml b/interfaces.yml
index 84c59ca2..839423b8 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -16,7 +16,7 @@
 register: fil_iface
 check_mode: no
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org
 vars:
 - srv_gateway: 185.230.79.254
 - srv_dns: 185.230.79.152 185.230.79.4 From 5d5a6f0b5c78c2b2230597717116820d263dbbf9 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Tue, 21 Apr 2020 13:24:34 +0200 Subject: [PATCH 012/126] [interfaces] Configure adh interface --- roles/interfaces/tasks/main.yml | 7 ++++ .../templates/network/interfaces.d/23-adh.j2 | 38 +++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 roles/interfaces/templates/network/interfaces.d/23-adh.j2
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index d9751a36..4bf0fc42 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -32,3 +32,10 @@
 dest: /etc/network/interfaces.d/21-fil
 mode: 0644
 when: fil_iface.stdout
+
+- name: Deploy adh interface config
+ template:
+ src: network/interfaces.d/23-adh.j2
+ dest: /etc/network/interfaces.d/23-adh
+ mode: 0644
+ when: adh_iface.stdout
diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
new file mode 100644
index 00000000..bc03ccc1
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
@@ -0,0 +1,38 @@
+{{ ansible_header | comment }}
+
+{% set adh = hostvars[inventory_hostname]['ansible_' + adh_iface.stdout] %}
+allow-hotplug {{ adh_iface.stdout }}
+iface {{ adh_iface.stdout }} inet static
+ address {{ adh.ipv4.address }}
+ network {{ adh.ipv4.network }}
+ netmask {{ adh.ipv4.netmask }}
+ broadcast {{ adh.ipv4.broadcast }}
+ gateway {{ adh_gateway }}
+ mtu 1496
+ dns-nameservers {{ adh_dns }}
+ dns-search crans.org
+ up /sbin/ip link set $IFACE alias adh
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if adh_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[adh_iface.stdout] %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+
+iface {{ adh_iface.stdout }} inet6 static
+ address {{ adh.ipv6[0].address }}/{{ adh.ipv6[0].prefix }}
+ autoconf 1
+ accept_ra 2
+ up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if adh_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[adh_iface.stdout] %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %} From 10bbc43ddc2678213ddc5c0efae746f653316628 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Tue, 21 Apr 2020 13:25:24 +0200 Subject: [PATCH 013/126] [interfaces] Configure adh interface --- interfaces.yml | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/interfaces.yml b/interfaces.yml
index 839423b8..057a71e2 100755
--- a/interfaces.yml
+++ b/interfaces.yml
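Review bot: The new adh template turns on `autoconf 1`, `accept_ra 2` and `up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1` on an interface that, judging by the `adh`/`adh_gateway` naming, faces the member network: the host will then accept addresses and an IPv6 default route from any router advertisement seen on that segment, so a rogue RA from a member machine can redirect the server's outbound v6 traffic (the RFC 6104 scenario). The srv/ens templates do the same on the upstream segments, but for a user-facing interface I would set `autoconf 0` and `accept_ra 0`, drop the `accept_ra_defrtr` sysctl and pin the v6 gateway statically, unless RA-guard is enforced on the switch ports — in which case a comment saying so belongs next to these lines. The v4 stanza already uses a static `gateway {{ adh_gateway }}`, so the v6 asymmetry looks accidental rather than intended.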
@@ -15,6 +15,9 @@ - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" register: fil_iface check_mode: no + - shell: grep adh /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" + register: adh_iface + check_mode: no - hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org vars: @@ -25,5 +28,7 @@ - adm_dns: 10.231.136.152 10.231.136.4 - fil_gateway: 10.54.0.254 - fil_dns: 10.54.0.152 10.54.0.4 + - adh_gateway: 185.230.78.254 + - adh_dns: 185.230.78.152 185.230.78.4 roles: - interfaces From 815f3cf086c900c3332b45ea5ba9c044c4fae917 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Tue, 21 Apr 2020 13:26:47 +0200 Subject: [PATCH 014/126] [interfaces] Deploy interfaces on lutim --- interfaces.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/interfaces.yml b/interfaces.yml index 057a71e2..2474e3bb 100755 --- a/interfaces.yml +++ b/interfaces.yml @@ -19,7 +19,7 @@ register: adh_iface check_mode: no -- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org +- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org vars: - srv_gateway: 185.230.79.254 - srv_dns: 185.230.79.152 185.230.79.4 From 97f7227a335ebc7d2c30f83d134b7bb396cd8203 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Tue, 21 Apr 2020 14:23:42 +0200 Subject: [PATCH 015/126] [interfaces] Deploy interfaces on gateau --- interfaces.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/interfaces.yml b/interfaces.yml index 2474e3bb..1196a291 100755 --- a/interfaces.yml +++ b/interfaces.yml 
@@ -19,7 +19,7 @@ register: adh_iface check_mode: no -- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org +- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org vars: - srv_gateway: 185.230.79.254 - srv_dns: 185.230.79.152 185.230.79.4 From 70b13432d3e9bde19c16c88eb8bd4eb01dd5a011 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Tue, 21 Apr 2020 14:26:59 +0200 Subject: [PATCH 016/126] [interfaces] Deploy interfaces on owncloud-srv --- interfaces.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/interfaces.yml b/interfaces.yml index 1196a291..f0a87578 100755 --- a/interfaces.yml +++ b/interfaces.yml @@ -19,7 +19,7 @@ register: adh_iface check_mode: no -- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org +- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org vars: - srv_gateway: 185.230.79.254 - srv_dns: 185.230.79.152 185.230.79.4 From 7f87571e17a1b7d548ae28749089d0539205ce4d Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Tue, 21 Apr 2020 14:40:53 +0200 Subject: [PATCH 017/126] [interfaces] Deploy interfaces on charybde --- interfaces.yml | 4 +++ roles/interfaces/tasks/main.yml | 7 ++++ .../network/interfaces.d/03-borne.j2 | 34 +++++++++++++++++++ 3 files changed, 45 insertions(+) create mode 100644 roles/interfaces/templates/network/interfaces.d/03-borne.j2 diff --git a/interfaces.yml b/interfaces.yml index f0a87578..f83070ac 100755 --- a/interfaces.yml +++ b/interfaces.yml 
@@ -12,6 +12,9 @@ - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" register: adm_iface check_mode: no + - shell: grep borne /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" + register: borne_iface + check_mode: no - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" register: fil_iface check_mode: no @@ -26,6 +29,7 @@ - ens_gateway: 138.231.136.254 - ens_dns: 138.231.136.152 138.231.136.4 - adm_dns: 10.231.136.152 10.231.136.4 + - borne_dns: 10.231.148.4 - fil_gateway: 10.54.0.254 - fil_dns: 10.54.0.152 10.54.0.4 - adh_gateway: 185.230.78.254 diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml index 4bf0fc42..91fe4164 100644 --- a/roles/interfaces/tasks/main.yml +++ b/roles/interfaces/tasks/main.yml @@ -26,6 +26,13 @@ mode: 0644 when: adm_iface.stdout +- name: Deploy adm interface config + template: + src: network/interfaces.d/03-borne.j2 + dest: /etc/network/interfaces.d/03-borne + mode: 0644 + when: borne_iface.stdout + - name: Deploy fil interface config template: src: network/interfaces.d/21-fil.j2 diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2 new file mode 100644 index 00000000..0eb3ecb2 --- /dev/null +++ b/roles/interfaces/templates/network/interfaces.d/03-borne.j2 
@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+
+{% set borne = hostvars[inventory_hostname]['ansible_' + borne_iface.stdout] %}
+allow-hotplug {{ borne_iface.stdout }}
+iface {{ borne_iface.stdout }} inet static
+ address {{ borne.ipv4.address }}
+ network {{ borne.ipv4.network }}
+ netmask {{ borne.ipv4.netmask }}
+ broadcast {{ borne.ipv4.broadcast }}
+ mtu 1496
+ dns-nameservers {{ borne_dns }}
+ dns-search borne.crans.org
+ up /sbin/ip link set $IFACE alias borne
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if borne_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[borne_iface.stdout] %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+
+iface {{ borne_iface.stdout }} inet6 static
+ address {{ borne.ipv6[0].address }}/{{ borne.ipv6[0].prefix }}
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if borne_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[borne_iface.stdout] %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %} From 19e5074c384ae46ab0cdeb2f6b19ec19a55d9a4b Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Tue, 21 Apr 2020 14:42:58 +0200 Subject: [PATCH 018/126] [interfaces] Deploy interfaces on charybde --- interfaces.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/interfaces.yml b/interfaces.yml
index f83070ac..b6115cc5 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -22,7 +22,7 @@ register: adh_iface check_mode: no -- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org +- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org vars: - srv_gateway: 185.230.79.254 - srv_dns: 185.230.79.152 185.230.79.4 From 47d7c347d407965e14e19cae25015be04183d166 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Tue, 21 Apr 2020 14:55:37 +0200 Subject: [PATCH 019/126] [interfaces] Fix task description --- roles/interfaces/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml index 91fe4164..5b41c028 100644 --- a/roles/interfaces/tasks/main.yml +++ b/roles/interfaces/tasks/main.yml @@ -26,7 +26,7 @@ mode: 0644 when: adm_iface.stdout -- name: Deploy adm interface config +- name: Deploy borne interface config template: src: network/interfaces.d/03-borne.j2 dest: /etc/network/interfaces.d/03-borne From bc8430b1e59c113c800f654338ed5bc0323d0134 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Tue, 21 Apr 2020 14:56:01 +0200 Subject: [PATCH 020/126] [interfaces] Deploy interfaces on cas-srv --- interfaces.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/interfaces.yml b/interfaces.yml index b6115cc5..52b9a667 100755 --- a/interfaces.yml +++ b/interfaces.yml 
@@ -22,7 +22,7 @@ register: adh_iface check_mode: no -- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org +- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org vars: - srv_gateway: 185.230.79.254 - srv_dns: 185.230.79.152 185.230.79.4 From 9027b42b33a444530fb67bc7c8e6c0c5f3209ba7 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Tue, 21 Apr 2020 16:50:16 +0200 Subject: [PATCH 021/126] [interfaces] Configure switch interface --- interfaces.yml | 6 +++- roles/interfaces/tasks/main.yml | 7 ++++ .../network/interfaces.d/04-switch.j2 | 34 +++++++++++++++++++ 3 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 roles/interfaces/templates/network/interfaces.d/04-switch.j2 diff --git a/interfaces.yml b/interfaces.yml index 52b9a667..1feb86ca 100755 --- a/interfaces.yml +++ b/interfaces.yml @@ -15,6 +15,9 @@ - shell: grep borne /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" register: borne_iface check_mode: no + - shell: grep switch /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" + register: switch_iface + check_mode: no - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" register: fil_iface check_mode: no @@ -29,7 +32,8 @@ - ens_gateway: 138.231.136.254 - ens_dns: 138.231.136.152 138.231.136.4 - adm_dns: 10.231.136.152 10.231.136.4 - - borne_dns: 10.231.148.4 + - borne_dns: 10.231.148.52 10.231.148.4 + - switch_dns: 10.231.100.152 10.231.100.4 - fil_gateway: 10.54.0.254 - fil_dns: 10.54.0.152 10.54.0.4 - adh_gateway: 185.230.78.254 diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml index 5b41c028..210e3142 100644 
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -33,6 +33,13 @@
 mode: 0644
 when: borne_iface.stdout
+- name: Deploy switch interface config
+ template:
+ src: network/interfaces.d/04-switch.j2
+ dest: /etc/network/interfaces.d/04-switch
+ mode: 0644
+ when: switch_iface.stdout
+
 - name: Deploy fil interface config
 template:
 src: network/interfaces.d/21-fil.j2
diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
new file mode 100644
index 00000000..d8cfeb8b
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+
+{% set switch = hostvars[inventory_hostname]['ansible_' + switch_iface.stdout] %}
+allow-hotplug {{ switch_iface.stdout }}
+iface {{ switch_iface.stdout }} inet static
+ address {{ switch.ipv4.address }}
+ network {{ switch.ipv4.network }}
+ netmask {{ switch.ipv4.netmask }}
+ broadcast {{ switch.ipv4.broadcast }}
+ mtu 1496
+ dns-nameservers {{ switch_dns }}
+ dns-search switch.crans.org
+ up /sbin/ip link set $IFACE alias switch
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if switch_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[switch_iface.stdout] %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+
+iface {{ switch_iface.stdout }} inet6 static
+ address {{ switch.ipv6[0].address }}/{{ switch.ipv6[0].prefix }}
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if switch_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[switch_iface.stdout] %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %} From bfbd14195ec55a3584aa87f96cb3cf5623f4c5ae Mon Sep 17 00:00:00 2001
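Review bot: 04-switch.j2 is the sixth copy of the same 34-line stanza, differing only in the alias name, the `dns-search` domain and whether a `gateway` line and the RA settings are present; copy-paste drift is already visible in this series (the borne task name had to be corrected in a follow-up commit), so one parameterized template would be safer than another copy. In tasks/main.yml a single `template` task looping over the aliases, e.g. `loop: [srv, ens, adm, borne, switch, fil, adh]` with `dest: /etc/network/interfaces.d/{{ item.prefix }}-{{ item.name }}` and `when: lookup('vars', item.name + '_iface').stdout`, would replace the seven near-identical tasks. If the per-alias differences (gateway, search domain, RA policy) live in one dict in the role defaults, each stanza's intent is documented in a single place instead of being implied by which lines a copy happens to contain.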
From: Benjamin Graillot Date: Tue, 21 Apr 2020 16:55:34 +0200 Subject: [PATCH 022/126] [interfaces] Deploy interfaces on fyre --- interfaces.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/interfaces.yml b/interfaces.yml index 1feb86ca..a17fd7f0 100755 --- a/interfaces.yml +++ b/interfaces.yml @@ -25,7 +25,7 @@ register: adh_iface check_mode: no -- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org +- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org vars: - srv_gateway: 185.230.79.254 - srv_dns: 185.230.79.152 185.230.79.4 From 08bc68aca6676054f5897c388d424a4dff382936 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 27 Apr 2020 21:28:43 +0200 Subject: [PATCH 023/126] [interfaces] allow-hotplug to auto --- roles/interfaces/templates/network/interfaces.d/00-srv.j2 | 2 +- roles/interfaces/templates/network/interfaces.d/01-ens.j2 | 2 +- roles/interfaces/templates/network/interfaces.d/02-adm.j2 | 2 +- roles/interfaces/templates/network/interfaces.d/03-borne.j2 | 2 +- roles/interfaces/templates/network/interfaces.d/04-switch.j2 | 2 +- roles/interfaces/templates/network/interfaces.d/21-fil.j2 | 2 +- roles/interfaces/templates/network/interfaces.d/23-adh.j2 | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 index 53151878..a1426f64 100644 --- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 +++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 
@@ -1,7 +1,7 @@ {{ ansible_header | comment }} {% set srv = hostvars[inventory_hostname]['ansible_' + srv_iface.stdout] %} -allow-hotplug {{ srv_iface.stdout }} +auto {{ srv_iface.stdout }} iface {{ srv_iface.stdout }} inet static address {{ srv.ipv4.address }} network {{ srv.ipv4.network }} diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 index 62cb77fc..4da6da89 100644 --- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 +++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 @@ -1,7 +1,7 @@ {{ ansible_header | comment }} {% set ens = hostvars[inventory_hostname]['ansible_' + ens_iface.stdout] %} -allow-hotplug {{ ens_iface.stdout }} +auto {{ ens_iface.stdout }} iface {{ ens_iface.stdout }} inet static address {{ ens.ipv4.address }} network {{ ens.ipv4.network }} diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2 index 95991513..1708e777 100644 --- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 +++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2 @@ -1,7 +1,7 @@ {{ ansible_header | comment }} {% set adm = hostvars[inventory_hostname]['ansible_' + adm_iface.stdout] %} -allow-hotplug {{ adm_iface.stdout }} +auto {{ adm_iface.stdout }} iface {{ adm_iface.stdout }} inet static address {{ adm.ipv4.address }} network {{ adm.ipv4.network }} diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2 index 0eb3ecb2..749f144e 100644 --- a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 +++ b/roles/interfaces/templates/network/interfaces.d/03-borne.j2 
@@ -1,7 +1,7 @@ {{ ansible_header | comment }} {% set borne = hostvars[inventory_hostname]['ansible_' + borne_iface.stdout] %} -allow-hotplug {{ borne_iface.stdout }} +auto {{ borne_iface.stdout }} iface {{ borne_iface.stdout }} inet static address {{ borne.ipv4.address }} network {{ borne.ipv4.network }} diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2 index d8cfeb8b..fb007a7b 100644 --- a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 +++ b/roles/interfaces/templates/network/interfaces.d/04-switch.j2 @@ -1,7 +1,7 @@ {{ ansible_header | comment }} {% set switch = hostvars[inventory_hostname]['ansible_' + switch_iface.stdout] %} -allow-hotplug {{ switch_iface.stdout }} +auto {{ switch_iface.stdout }} iface {{ switch_iface.stdout }} inet static address {{ switch.ipv4.address }} network {{ switch.ipv4.network }} diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2 index 0e08910a..a77e747f 100644 --- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 +++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2 @@ -1,7 +1,7 @@ {{ ansible_header | comment }} {% set fil = hostvars[inventory_hostname]['ansible_' + fil_iface.stdout] %} -allow-hotplug {{ fil_iface.stdout }} +auto {{ fil_iface.stdout }} iface {{ fil_iface.stdout }} inet static address {{ fil.ipv4.address }} network {{ fil.ipv4.network }} diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2 index bc03ccc1..ee1578d6 100644 --- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 +++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2 
@@ -1,7 +1,7 @@ {{ ansible_header | comment }} {% set adh = hostvars[inventory_hostname]['ansible_' + adh_iface.stdout] %} -allow-hotplug {{ adh_iface.stdout }} +auto {{ adh_iface.stdout }} iface {{ adh_iface.stdout }} inet static address {{ adh.ipv4.address }} network {{ adh.ipv4.network }} From 73df03ce90deded947375922219f4eb9025911eb Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 27 Apr 2020 21:34:41 +0200 Subject: [PATCH 024/126] [interfaces] Install vlan --- roles/interfaces/tasks/main.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml index 210e3142..c155fc1b 100644 --- a/roles/interfaces/tasks/main.yml +++ b/roles/interfaces/tasks/main.yml @@ -1,4 +1,13 @@ --- +- name: Install vlan support + apt: + update_cache: true + name: vlan + state: present + register: apt_result + retries: 3 + until: apt_result is succeeded + - name: Deploy default interfaces config template: src: network/interfaces.j2 From 4c132e6d30f0916098149ff0ae280fa140c2b4e1 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Tue, 28 Apr 2020 18:06:07 +0200 Subject: [PATCH 025/126] [interfaces] Deploy interfaces on silice --- interfaces.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/interfaces.yml b/interfaces.yml index a17fd7f0..5c35aa32 100755 --- a/interfaces.yml +++ b/interfaces.yml @@ -25,7 +25,7 @@ register: adh_iface check_mode: no -- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org +- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org vars: - srv_gateway: 185.230.79.254 - srv_dns: 185.230.79.152 185.230.79.4 
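Review bot: `update_cache: true` with no `cache_valid_time` in the new "Install vlan support" task refreshes the apt index on every run of the interfaces role, which both slows each run and lets an unrelated mirror outage fail the role even when `vlan` is already installed; `cache_valid_time: 3600` next to it keeps the refresh while making the task idempotent in practice. `retries: 3` without a `delay` re-runs apt immediately, which rarely helps against a lock held by unattended-upgrades, so `delay: 10` is worth adding. The task installs the package but nothing visible in this commit uses `vlan-raw-device` or loads `8021q`; a one-line comment saying why the package is needed (e.g. `# vconfig/ifupdown vlan hooks for the tagged interfaces configured below`) would help the next reader, assuming that is the reason.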
From 3b9b9796659b97e5d90efc4f23ea34a4b3fe61af Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Tue, 28 Apr 2020 18:26:59 +0200 Subject: [PATCH 026/126] [interfaces] use is defined --- roles/interfaces/templates/network/interfaces.d/00-srv.j2 | 8 ++------ roles/interfaces/templates/network/interfaces.d/01-ens.j2 | 8 ++------ roles/interfaces/templates/network/interfaces.d/02-adm.j2 | 8 ++------ .../interfaces/templates/network/interfaces.d/03-borne.j2 | 8 ++------ .../templates/network/interfaces.d/04-switch.j2 | 8 ++------ roles/interfaces/templates/network/interfaces.d/21-fil.j2 | 8 ++------ roles/interfaces/templates/network/interfaces.d/23-adh.j2 | 8 ++------ 7 files changed, 14 insertions(+), 42 deletions(-) diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 index a1426f64..ba4f486c 100644 --- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 +++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 
@@ -12,27 +12,23 @@ iface {{ srv_iface.stdout }} inet static dns-nameservers {{ srv_dns }} dns-search crans.org up /sbin/ip link set $IFACE alias srv -{% if 'interfaces' in ansible_local %} -{% if 'sup_if_4' in ansible_local.interfaces %} +{% if ansible_local.interfaces.sup_if_4 is defined %} {% if srv_iface.stdout in ansible_local.interfaces.sup_if_4 %} {% for line in ansible_local.interfaces.sup_if_4[srv_iface.stdout] %} {{ line }} {% endfor %} {% endif %} {% endif %} -{% endif %} iface {{ srv_iface.stdout }} inet6 static address {{ srv.ipv6[0].address }}/{{ srv.ipv6[0].prefix }} autoconf 1 accept_ra 2 up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1 -{% if 'interfaces' in ansible_local %} -{% if 'sup_if_6' in ansible_local.interfaces %} +{% if ansible_local.interfaces.sup_if_6 is defined %} {% if srv_iface.stdout in ansible_local.interfaces.sup_if_6 %} {% for line in ansible_local.interfaces.sup_if_6[srv_iface.stdout] %} {{ line }} {% endfor %} {% endif %} {% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 index 4da6da89..36e6d154 100644 --- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 +++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 
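Review bot: `{% if ansible_local.interfaces.sup_if_4 is defined %}` relies on Ansible's templating returning a chainable undefined for `ansible_local.interfaces` when no `interfaces` local fact exists; with a plain Jinja2 undefined the second attribute access raises before `is defined` is ever evaluated, which is exactly what the removed two-level `'interfaces' in ansible_local` guard avoided. If the controller's Ansible version is pinned to one with the chainable `AnsibleUndefined` this is fine, otherwise the safe spelling is `{% if ansible_local.interfaces is defined and ansible_local.interfaces.sup_if_4 is defined %}`. The same pattern is repeated in the six sibling hunks of this commit, so whichever form is chosen should be applied to all of them.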
@@ -12,27 +12,23 @@ iface {{ ens_iface.stdout }} inet static dns-nameservers {{ ens_dns }} dns-search crans.org up /sbin/ip link set $IFACE alias ens -{% if 'interfaces' in ansible_local %} -{% if 'sup_if_4' in ansible_local.interfaces %} +{% if ansible_local.interfaces.sup_if_4 is defined %} {% if ens_iface.stdout in ansible_local.interfaces.sup_if_4 %} {% for line in ansible_local.interfaces.sup_if_4[ens_iface.stdout] %} {{ line }} {% endfor %} {% endif %} {% endif %} -{% endif %} iface {{ ens_iface.stdout }} inet6 static address {{ ens.ipv6[0].address }}/{{ ens.ipv6[0].prefix }} autoconf 1 accept_ra 2 up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1 -{% if 'interfaces' in ansible_local %} -{% if 'sup_if_6' in ansible_local.interfaces %} +{% if ansible_local.interfaces.sup_if_6 is defined %} {% if ens_iface.stdout in ansible_local.interfaces.sup_if_6 %} {% for line in ansible_local.interfaces.sup_if_6[ens_iface.stdout] %} {{ line }} {% endfor %} {% endif %} {% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2 index 1708e777..a78a660a 100644 --- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 +++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2 
@@ -11,24 +11,20 @@ iface {{ adm_iface.stdout }} inet static dns-nameservers {{ adm_dns }} dns-search adm.crans.org up /sbin/ip link set $IFACE alias adm -{% if 'interfaces' in ansible_local %} -{% if 'sup_if_4' in ansible_local.interfaces %} +{% if ansible_local.interfaces.sup_if_4 is defined %} {% if adm_iface.stdout in ansible_local.interfaces.sup_if_4 %} {% for line in ansible_local.interfaces.sup_if_4[adm_iface.stdout] %} {{ line }} {% endfor %} {% endif %} {% endif %} -{% endif %} iface {{ adm_iface.stdout }} inet6 static address {{ adm.ipv6[0].address }}/{{ adm.ipv6[0].prefix }} -{% if 'interfaces' in ansible_local %} -{% if 'sup_if_6' in ansible_local.interfaces %} +{% if ansible_local.interfaces.sup_if_6 is defined %} {% if adm_iface.stdout in ansible_local.interfaces.sup_if_6 %} {% for line in ansible_local.interfaces.sup_if_6[adm_iface.stdout] %} {{ line }} {% endfor %} {% endif %} {% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2 index 749f144e..f9996740 100644 --- a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 +++ b/roles/interfaces/templates/network/interfaces.d/03-borne.j2 
@@ -11,24 +11,20 @@ iface {{ borne_iface.stdout }} inet static dns-nameservers {{ borne_dns }} dns-search borne.crans.org up /sbin/ip link set $IFACE alias borne -{% if 'interfaces' in ansible_local %} -{% if 'sup_if_4' in ansible_local.interfaces %} +{% if ansible_local.interfaces.sup_if_4 is defined %} {% if borne_iface.stdout in ansible_local.interfaces.sup_if_4 %} {% for line in ansible_local.interfaces.sup_if_4[borne_iface.stdout] %} {{ line }} {% endfor %} {% endif %} {% endif %} -{% endif %} iface {{ borne_iface.stdout }} inet6 static address {{ borne.ipv6[0].address }}/{{ borne.ipv6[0].prefix }} -{% if 'interfaces' in ansible_local %} -{% if 'sup_if_6' in ansible_local.interfaces %} +{% if ansible_local.interfaces.sup_if_6 is defined %} {% if borne_iface.stdout in ansible_local.interfaces.sup_if_6 %} {% for line in ansible_local.interfaces.sup_if_6[borne_iface.stdout] %} {{ line }} {% endfor %} {% endif %} {% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2 index fb007a7b..57e6630f 100644 --- a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 +++ b/roles/interfaces/templates/network/interfaces.d/04-switch.j2 
@@ -11,24 +11,20 @@ iface {{ switch_iface.stdout }} inet static dns-nameservers {{ switch_dns }} dns-search switch.crans.org up /sbin/ip link set $IFACE alias switch -{% if 'interfaces' in ansible_local %} -{% if 'sup_if_4' in ansible_local.interfaces %} +{% if ansible_local.interfaces.sup_if_4 is defined %} {% if switch_iface.stdout in ansible_local.interfaces.sup_if_4 %} {% for line in ansible_local.interfaces.sup_if_4[switch_iface.stdout] %} {{ line }} {% endfor %} {% endif %} {% endif %} -{% endif %} iface {{ switch_iface.stdout }} inet6 static address {{ switch.ipv6[0].address }}/{{ switch.ipv6[0].prefix }} -{% if 'interfaces' in ansible_local %} -{% if 'sup_if_6' in ansible_local.interfaces %} +{% if ansible_local.interfaces.sup_if_6 is defined %} {% if switch_iface.stdout in ansible_local.interfaces.sup_if_6 %} {% for line in ansible_local.interfaces.sup_if_6[switch_iface.stdout] %} {{ line }} {% endfor %} {% endif %} {% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2 index a77e747f..198f2ca0 100644 --- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 +++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2 
@@ -12,24 +12,20 @@ iface {{ fil_iface.stdout }} inet static dns-nameservers {{ fil_dns }} dns-search fil.crans.org up /sbin/ip link set $IFACE alias fil -{% if 'interfaces' in ansible_local %} -{% if 'sup_if_4' in ansible_local.interfaces %} +{% if ansible_local.interfaces.sup_if_4 is defined %} {% if fil_iface.stdout in ansible_local.interfaces.sup_if_4 %} {% for line in ansible_local.interfaces.sup_if_4[fil_iface.stdout] %} {{ line }} {% endfor %} {% endif %} {% endif %} -{% endif %} iface {{ fil_iface.stdout }} inet6 static address {{ fil.ipv6[0].address }}/{{ fil.ipv6[0].prefix }} -{% if 'interfaces' in ansible_local %} -{% if 'sup_if_6' in ansible_local.interfaces %} +{% if ansible_local.interfaces.sup_if_6 is defined %} {% if fil_iface.stdout in ansible_local.interfaces.sup_if_6 %} {% for line in ansible_local.interfaces.sup_if_6[fil_iface.stdout] %} {{ line }} {% endfor %} {% endif %} {% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2 index ee1578d6..df9a47ad 100644 --- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 +++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2 
@@ -12,27 +12,23 @@ iface {{ adh_iface.stdout }} inet static dns-nameservers {{ adh_dns }} dns-search crans.org up /sbin/ip link set $IFACE alias adh -{% if 'interfaces' in ansible_local %} -{% if 'sup_if_4' in ansible_local.interfaces %} +{% if ansible_local.interfaces.sup_if_4 is defined %} {% if adh_iface.stdout in ansible_local.interfaces.sup_if_4 %} {% for line in ansible_local.interfaces.sup_if_4[adh_iface.stdout] %} {{ line }} {% endfor %} {% endif %} {% endif %} -{% endif %} iface {{ adh_iface.stdout }} inet6 static address {{ adh.ipv6[0].address }}/{{ adh.ipv6[0].prefix }} autoconf 1 accept_ra 2 up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1 -{% if 'interfaces' in ansible_local %} -{% if 'sup_if_6' in ansible_local.interfaces %} +{% if ansible_local.interfaces.sup_if_6 is defined %} {% if adh_iface.stdout in ansible_local.interfaces.sup_if_6 %} {% for line in ansible_local.interfaces.sup_if_6[adh_iface.stdout] %} {{ line }} {% endfor %} {% endif %} {% endif %} -{% endif %} From 358e690e4830ed722c90f00059a20690b6058aa3 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Tue, 28 Apr 2020 18:46:38 +0200 Subject: [PATCH 027/126] [interfaces] Do not force autoconf --- roles/interfaces/templates/network/interfaces.d/00-srv.j2 | 3 --- roles/interfaces/templates/network/interfaces.d/01-ens.j2 | 3 --- roles/interfaces/templates/network/interfaces.d/23-adh.j2 | 3 --- 3 files changed, 9 deletions(-) diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 index ba4f486c..2bf4b97b 100644 --- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 +++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 
@@ -22,9 +22,6 @@ iface {{ srv_iface.stdout }} inet static iface {{ srv_iface.stdout }} inet6 static address {{ srv.ipv6[0].address }}/{{ srv.ipv6[0].prefix }} - autoconf 1 - accept_ra 2 - up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1 {% if ansible_local.interfaces.sup_if_6 is defined %} {% if srv_iface.stdout in ansible_local.interfaces.sup_if_6 %} {% for line in ansible_local.interfaces.sup_if_6[srv_iface.stdout] %} diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 index 36e6d154..e1f101e2 100644 --- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 +++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 @@ -22,9 +22,6 @@ iface {{ ens_iface.stdout }} inet static iface {{ ens_iface.stdout }} inet6 static address {{ ens.ipv6[0].address }}/{{ ens.ipv6[0].prefix }} - autoconf 1 - accept_ra 2 - up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1 {% if ansible_local.interfaces.sup_if_6 is defined %} {% if ens_iface.stdout in ansible_local.interfaces.sup_if_6 %} {% for line in ansible_local.interfaces.sup_if_6[ens_iface.stdout] %} diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2 index df9a47ad..45241e6b 100644 --- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 +++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2 @@ -22,9 +22,6 @@ iface {{ adh_iface.stdout }} inet static iface {{ adh_iface.stdout }} inet6 static address {{ adh.ipv6[0].address }}/{{ adh.ipv6[0].prefix }} - autoconf 1 - accept_ra 2 - up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1 {% if ansible_local.interfaces.sup_if_6 is defined %} {% if adh_iface.stdout in ansible_local.interfaces.sup_if_6 %} {% for line in ansible_local.interfaces.sup_if_6[adh_iface.stdout] %} From e4acc35c0193af493549e53047bda57b24818992 Mon Sep 17 00:00:00 2001 
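Review bot: Removing `autoconf 1`, `accept_ra 2` and the `accept_ra_defrtr` sysctl from the inet6 stanzas leaves router-advertisement handling at the kernel default, which still accepts RAs (and SLAAC prefixes) unless forwarding is enabled, so a rogue RA on the srv, ens or adh segment can still install a default route on these statically addressed servers. If SLAAC is no longer wanted here, make that explicit with `accept_ra 0` and `autoconf 0` in the inet6 stanza and add a static v6 `gateway` where a default route is expected; if the RA-learned default route is still relied upon, a comment in the template such as `# v6 default route comes from RA; do not set accept_ra 0` would stop the next reader from "hardening" it away. Whether `net.ipv6.conf.all.forwarding` is set on these hosts is not visible in this commit, so the effective default cannot be confirmed from here.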
From: Alexandre Iooss Date: Tue, 28 Apr 2020 18:59:35 +0200 Subject: [PATCH 028/126] [interfaces] Add metrics --- interfaces.yml | 34 +++++++++++++------ .../templates/network/interfaces.d/00-srv.j2 | 5 +-- .../templates/network/interfaces.d/01-ens.j2 | 5 +-- .../templates/network/interfaces.d/02-adm.j2 | 2 +- .../network/interfaces.d/03-borne.j2 | 2 +- .../network/interfaces.d/04-switch.j2 | 2 +- .../templates/network/interfaces.d/21-fil.j2 | 5 +-- .../templates/network/interfaces.d/23-adh.j2 | 5 +-- 8 files changed, 38 insertions(+), 22 deletions(-) diff --git a/interfaces.yml b/interfaces.yml index 5c35aa32..431b69bc 100755 --- a/interfaces.yml +++ b/interfaces.yml @@ -27,16 +27,28 @@ - hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org vars: - - srv_gateway: 185.230.79.254 - - srv_dns: 185.230.79.152 185.230.79.4 - - ens_gateway: 138.231.136.254 - - ens_dns: 138.231.136.152 138.231.136.4 - - adm_dns: 10.231.136.152 10.231.136.4 - - borne_dns: 10.231.148.52 10.231.148.4 - - switch_dns: 10.231.100.152 10.231.100.4 - - fil_gateway: 10.54.0.254 - - fil_dns: 10.54.0.152 10.54.0.4 - - adh_gateway: 185.230.78.254 - - adh_dns: 185.230.78.152 185.230.78.4 + vlan: + srv: + metric: 100 + gateway: 185.230.79.254 + dns: 185.230.79.152 185.230.79.4 + ens: + metric: 300 + gateway: 138.231.136.254 + dns: 138.231.136.152 138.231.136.4 + adm: + dns: 10.231.136.152 10.231.136.4 + borne: + dns: 10.231.148.52 10.231.148.4 + switch: + dns: 10.231.100.152 10.231.100.4 + fil: + metric: 400 + gateway: 10.54.0.254 + dns: 10.54.0.152 10.54.0.4 + adh: + metric: 200 + gateway: 185.230.78.254 + dns: 185.230.78.152 185.230.78.4 roles: - interfaces 
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 index 2bf4b97b..8ac4b8a5 100644 --- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 +++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 @@ -7,9 +7,10 @@ iface {{ srv_iface.stdout }} inet static network {{ srv.ipv4.network }} netmask {{ srv.ipv4.netmask }} broadcast {{ srv.ipv4.broadcast }} - gateway {{ srv_gateway }} + gateway {{ vlan.srv.gateway }} + metric {{ vlan.srv.metric }} mtu 1496 - dns-nameservers {{ srv_dns }} + dns-nameservers {{ vlan.srv.dns }} dns-search crans.org up /sbin/ip link set $IFACE alias srv {% if ansible_local.interfaces.sup_if_4 is defined %} diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 index e1f101e2..6c308f23 100644 --- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 +++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 @@ -7,9 +7,10 @@ iface {{ ens_iface.stdout }} inet static network {{ ens.ipv4.network }} netmask {{ ens.ipv4.netmask }} broadcast {{ ens.ipv4.broadcast }} - gateway {{ ens_gateway }} + gateway {{ vlan.ens.gateway }} + metric {{ vlan.ens.metric }} mtu 1496 - dns-nameservers {{ ens_dns }} + dns-nameservers {{ vlan.ens.dns }} dns-search crans.org up /sbin/ip link set $IFACE alias ens {% if ansible_local.interfaces.sup_if_4 is defined %} diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2 index a78a660a..62fb1f1e 100644 --- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 +++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2 
@@ -8,7 +8,7 @@ iface {{ adm_iface.stdout }} inet static netmask {{ adm.ipv4.netmask }} broadcast {{ adm.ipv4.broadcast }} mtu 1496 - dns-nameservers {{ adm_dns }} + dns-nameservers {{ vlan.adm.dns }} dns-search adm.crans.org up /sbin/ip link set $IFACE alias adm {% if ansible_local.interfaces.sup_if_4 is defined %} diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2 index f9996740..7db48f6a 100644 --- a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 +++ b/roles/interfaces/templates/network/interfaces.d/03-borne.j2 @@ -8,7 +8,7 @@ iface {{ borne_iface.stdout }} inet static netmask {{ borne.ipv4.netmask }} broadcast {{ borne.ipv4.broadcast }} mtu 1496 - dns-nameservers {{ borne_dns }} + dns-nameservers {{ vlan.borne.dns }} dns-search borne.crans.org up /sbin/ip link set $IFACE alias borne {% if ansible_local.interfaces.sup_if_4 is defined %} diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2 index 57e6630f..586adef9 100644 --- a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 +++ b/roles/interfaces/templates/network/interfaces.d/04-switch.j2 @@ -8,7 +8,7 @@ iface {{ switch_iface.stdout }} inet static netmask {{ switch.ipv4.netmask }} broadcast {{ switch.ipv4.broadcast }} mtu 1496 - dns-nameservers {{ switch_dns }} + dns-nameservers {{ vlan.switch.dns }} dns-search switch.crans.org up /sbin/ip link set $IFACE alias switch {% if ansible_local.interfaces.sup_if_4 is defined %} diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2 index 198f2ca0..c5bb9508 100644 --- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 +++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2 
@@ -7,9 +7,10 @@ iface {{ fil_iface.stdout }} inet static network {{ fil.ipv4.network }} netmask {{ fil.ipv4.netmask }} broadcast {{ fil.ipv4.broadcast }} - gateway {{ fil_gateway }} + gateway {{ vlan.fil.gateway }} + metric {{ vlan.fil.metric }} mtu 1496 - dns-nameservers {{ fil_dns }} + dns-nameservers {{ vlan.fil.dns }} dns-search fil.crans.org up /sbin/ip link set $IFACE alias fil {% if ansible_local.interfaces.sup_if_4 is defined %} diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2 index 45241e6b..de2b21b7 100644 --- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 +++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2 @@ -7,9 +7,10 @@ iface {{ adh_iface.stdout }} inet static network {{ adh.ipv4.network }} netmask {{ adh.ipv4.netmask }} broadcast {{ adh.ipv4.broadcast }} - gateway {{ adh_gateway }} + gateway {{ vlan.adh.gateway }} + metric {{ vlan.adh.metric }} mtu 1496 - dns-nameservers {{ adh_dns }} + dns-nameservers {{ vlan.adh.dns }} dns-search crans.org up /sbin/ip link set $IFACE alias adh {% if ansible_local.interfaces.sup_if_4 is defined %} From bb28a75b4eed4cfed18f9690034c1ee0291f016a Mon Sep 17 00:00:00 2001 
From: Alexandre Iooss Date: Tue, 28 Apr 2020 20:27:58 +0200 Subject: [PATCH 029/126] [interface] Factorize --- interfaces.yml | 72 +++++++++++-------- roles/interfaces/tasks/main.yml | 51 ++----------- .../templates/network/interfaces.d/00-srv.j2 | 32 --------- .../templates/network/interfaces.d/01-ens.j2 | 32 --------- .../templates/network/interfaces.d/02-adm.j2 | 30 -------- .../network/interfaces.d/03-borne.j2 | 30 -------- .../network/interfaces.d/04-switch.j2 | 30 -------- .../templates/network/interfaces.d/21-fil.j2 | 32 --------- .../templates/network/interfaces.d/23-adh.j2 | 32 --------- .../templates/network/interfaces.d/ifalias.j2 | 36 ++++++++++ 10 files changed, 85 insertions(+), 292 deletions(-) delete mode 100644 roles/interfaces/templates/network/interfaces.d/00-srv.j2 delete mode 100644 roles/interfaces/templates/network/interfaces.d/01-ens.j2 delete mode 100644 roles/interfaces/templates/network/interfaces.d/02-adm.j2 delete mode 100644 roles/interfaces/templates/network/interfaces.d/03-borne.j2 delete mode 100644 roles/interfaces/templates/network/interfaces.d/04-switch.j2 delete mode 100644 roles/interfaces/templates/network/interfaces.d/21-fil.j2 delete mode 100644 roles/interfaces/templates/network/interfaces.d/23-adh.j2 create mode 100644 roles/interfaces/templates/network/interfaces.d/ifalias.j2 diff --git a/interfaces.yml b/interfaces.yml index 431b69bc..5c7107a7 100755 --- a/interfaces.yml +++ b/interfaces.yml 
@@ -1,54 +1,70 @@ #!/usr/bin/env ansible-playbook --- -# Set variable adm_iface for all servers +# Get ifname of configured vlan for all servers - hosts: server tasks: - - shell: grep srv /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" - register: srv_iface - check_mode: no - - shell: grep ens /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" - register: ens_iface - check_mode: no - - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" - register: adm_iface - check_mode: no - - shell: grep borne /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" - register: borne_iface - check_mode: no - - shell: grep switch /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" - register: switch_iface - check_mode: no - - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" - register: fil_iface - check_mode: no - - shell: grep adh /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" - register: adh_iface + - shell: "grep {{ item }} /sys/class/net/*/ifalias | sed \"s|/sys/class/net/||\" | sed \"s|/ifalias:.*||\"" check_mode: no + register: ifaces + loop: + - srv + - ens + - adm + - borne + - switch + - fil - hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org vars: vlan: - srv: + - name: srv + id: 0 metric: 100 gateway: 185.230.79.254 dns: 185.230.79.152 185.230.79.4 - ens: + dns_search: crans.org + ifnames: "{{ ifaces | json_query('results[?item==`srv`].stdout') }}" + + - name: ens + id: 1 metric: 300 gateway: 138.231.136.254 dns: 138.231.136.152 138.231.136.4 - adm: + dns_search: crans.org + ifnames: "{{ ifaces | json_query('results[?item==`ens`].stdout') }}" + + - name: adm + id: 2 
dns: 10.231.136.152 10.231.136.4 - borne: + dns_search: adm.crans.org + ifnames: "{{ ifaces | json_query('results[?item==`adm`].stdout') }}" + + - name: borne + id: 3 dns: 10.231.148.52 10.231.148.4 - switch: + dns_search: borne.crans.org + ifnames: "{{ ifaces | json_query('results[?item==`borne`].stdout') }}" + + - name: switch + id: 4 dns: 10.231.100.152 10.231.100.4 - fil: + dns_search: switch.crans.org + ifnames: "{{ ifaces | json_query('results[?item==`switch`].stdout') }}" + + - name: fil + id: 21 metric: 400 gateway: 10.54.0.254 dns: 10.54.0.152 10.54.0.4 - adh: + dns_search: fil.crans.org + ifnames: "{{ ifaces | json_query('results[?item==`fil`].stdout') }}" + + - name: adh + id: 23 metric: 200 gateway: 185.230.78.254 dns: 185.230.78.152 185.230.78.4 + dns_search: crans.org + ifnames: "{{ ifaces | json_query('results[?item==`adh`].stdout') }}" roles: - interfaces diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml index c155fc1b..886b45d3 100644 --- a/roles/interfaces/tasks/main.yml +++ b/roles/interfaces/tasks/main.yml 
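Review bot: The `loop:` of the ifalias discovery task lists srv, ens, adm, borne, switch and fil but not adh, while the `vlan` list still carries an `adh` entry whose `ifnames` is `json_query('results[?item==`adh`].stdout')`; that query yields an empty list, so the role's `item.ifnames | length > 0` guard skips adh and the 23-adh config is no longer deployed or refreshed after this commit. Add `- adh` to the loop. `grep {{ item }}` is a substring match, so an alias like `srv` also matches any alias containing that text, and a second match turns `stdout` into a two-line string; `grep -wx`-style matching plus registering `stdout_lines` would make the result exact. `json_query` needs the jmespath library on the controller, which nothing in the playbook documents or installs.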
@@ -14,51 +14,10 @@ dest: /etc/network/interfaces mode: 0644 -- name: Deploy srv interface config +- name: Deploy interfaces config template: - src: network/interfaces.d/00-srv.j2 - dest: /etc/network/interfaces.d/00-srv + src: "network/interfaces.d/ifalias.j2" + dest: "/etc/network/interfaces.d/{{ '%02d' | format(item.id) }}-{{ item.name }}" mode: 0644 - when: srv_iface.stdout - -- name: Deploy ens interface config - template: - src: network/interfaces.d/01-ens.j2 - dest: /etc/network/interfaces.d/01-ens - mode: 0644 - when: ens_iface.stdout - -- name: Deploy adm interface config - template: - src: network/interfaces.d/02-adm.j2 - dest: /etc/network/interfaces.d/02-adm - mode: 0644 - when: adm_iface.stdout - -- name: Deploy borne interface config - template: - src: network/interfaces.d/03-borne.j2 - dest: /etc/network/interfaces.d/03-borne - mode: 0644 - when: borne_iface.stdout - -- name: Deploy switch interface config - template: - src: network/interfaces.d/04-switch.j2 - dest: /etc/network/interfaces.d/04-switch - mode: 0644 - when: switch_iface.stdout - -- name: Deploy fil interface config - template: - src: network/interfaces.d/21-fil.j2 - dest: /etc/network/interfaces.d/21-fil - mode: 0644 - when: fil_iface.stdout - -- name: Deploy adh interface config - template: - src: network/interfaces.d/23-adh.j2 - dest: /etc/network/interfaces.d/23-adh - mode: 0644 - when: adh_iface.stdout + when: (item.ifnames | length > 0) and item.ifnames[0] != '' + loop: "{{ vlan }}" diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 deleted file mode 100644 index 8ac4b8a5..00000000 --- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 +++ /dev/null 
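Review bot: `item.ifnames[0]` in the new guard is the raw stdout of a shell grep, so when two interfaces carry a matching alias it is a string with an embedded newline, `item.ifnames[0] != ''` still passes, and a broken `auto`/`iface` line is written into `/etc/network/interfaces.d/NN-name`. Tighten the guard to `when: item.ifnames | length > 0 and item.ifnames[0] | trim != '' and '\n' not in item.ifnames[0]`, or have the discovery task register `stdout_lines` and check `| length == 1`. The `ifalias.j2` template that consumes `item` is created in this commit but not in this hunk, so how it dereferences the interface name cannot be checked here.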
@@ -1,32 +0,0 @@ -{{ ansible_header | comment }} - -{% set srv = hostvars[inventory_hostname]['ansible_' + srv_iface.stdout] %} -auto {{ srv_iface.stdout }} -iface {{ srv_iface.stdout }} inet static - address {{ srv.ipv4.address }} - network {{ srv.ipv4.network }} - netmask {{ srv.ipv4.netmask }} - broadcast {{ srv.ipv4.broadcast }} - gateway {{ vlan.srv.gateway }} - metric {{ vlan.srv.metric }} - mtu 1496 - dns-nameservers {{ vlan.srv.dns }} - dns-search crans.org - up /sbin/ip link set $IFACE alias srv -{% if ansible_local.interfaces.sup_if_4 is defined %} -{% if srv_iface.stdout in ansible_local.interfaces.sup_if_4 %} -{% for line in ansible_local.interfaces.sup_if_4[srv_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} - -iface {{ srv_iface.stdout }} inet6 static - address {{ srv.ipv6[0].address }}/{{ srv.ipv6[0].prefix }} -{% if ansible_local.interfaces.sup_if_6 is defined %} -{% if srv_iface.stdout in ansible_local.interfaces.sup_if_6 %} -{% for line in ansible_local.interfaces.sup_if_6[srv_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 deleted file mode 100644 index 6c308f23..00000000 --- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 +++ /dev/null 
@@ -1,32 +0,0 @@ -{{ ansible_header | comment }} - -{% set ens = hostvars[inventory_hostname]['ansible_' + ens_iface.stdout] %} -auto {{ ens_iface.stdout }} -iface {{ ens_iface.stdout }} inet static - address {{ ens.ipv4.address }} - network {{ ens.ipv4.network }} - netmask {{ ens.ipv4.netmask }} - broadcast {{ ens.ipv4.broadcast }} - gateway {{ vlan.ens.gateway }} - metric {{ vlan.ens.metric }} - mtu 1496 - dns-nameservers {{ vlan.ens.dns }} - dns-search crans.org - up /sbin/ip link set $IFACE alias ens -{% if ansible_local.interfaces.sup_if_4 is defined %} -{% if ens_iface.stdout in ansible_local.interfaces.sup_if_4 %} -{% for line in ansible_local.interfaces.sup_if_4[ens_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} - -iface {{ ens_iface.stdout }} inet6 static - address {{ ens.ipv6[0].address }}/{{ ens.ipv6[0].prefix }} -{% if ansible_local.interfaces.sup_if_6 is defined %} -{% if ens_iface.stdout in ansible_local.interfaces.sup_if_6 %} -{% for line in ansible_local.interfaces.sup_if_6[ens_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2 deleted file mode 100644 index 62fb1f1e..00000000 --- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 +++ /dev/null 
@@ -1,30 +0,0 @@ -{{ ansible_header | comment }} - -{% set adm = hostvars[inventory_hostname]['ansible_' + adm_iface.stdout] %} -auto {{ adm_iface.stdout }} -iface {{ adm_iface.stdout }} inet static - address {{ adm.ipv4.address }} - network {{ adm.ipv4.network }} - netmask {{ adm.ipv4.netmask }} - broadcast {{ adm.ipv4.broadcast }} - mtu 1496 - dns-nameservers {{ vlan.adm.dns }} - dns-search adm.crans.org - up /sbin/ip link set $IFACE alias adm -{% if ansible_local.interfaces.sup_if_4 is defined %} -{% if adm_iface.stdout in ansible_local.interfaces.sup_if_4 %} -{% for line in ansible_local.interfaces.sup_if_4[adm_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} - -iface {{ adm_iface.stdout }} inet6 static - address {{ adm.ipv6[0].address }}/{{ adm.ipv6[0].prefix }} -{% if ansible_local.interfaces.sup_if_6 is defined %} -{% if adm_iface.stdout in ansible_local.interfaces.sup_if_6 %} -{% for line in ansible_local.interfaces.sup_if_6[adm_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2 deleted file mode 100644 index 7db48f6a..00000000 --- a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 +++ /dev/null 
@@ -1,30 +0,0 @@ -{{ ansible_header | comment }} - -{% set borne = hostvars[inventory_hostname]['ansible_' + borne_iface.stdout] %} -auto {{ borne_iface.stdout }} -iface {{ borne_iface.stdout }} inet static - address {{ borne.ipv4.address }} - network {{ borne.ipv4.network }} - netmask {{ borne.ipv4.netmask }} - broadcast {{ borne.ipv4.broadcast }} - mtu 1496 - dns-nameservers {{ vlan.borne.dns }} - dns-search borne.crans.org - up /sbin/ip link set $IFACE alias borne -{% if ansible_local.interfaces.sup_if_4 is defined %} -{% if borne_iface.stdout in ansible_local.interfaces.sup_if_4 %} -{% for line in ansible_local.interfaces.sup_if_4[borne_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} - -iface {{ borne_iface.stdout }} inet6 static - address {{ borne.ipv6[0].address }}/{{ borne.ipv6[0].prefix }} -{% if ansible_local.interfaces.sup_if_6 is defined %} -{% if borne_iface.stdout in ansible_local.interfaces.sup_if_6 %} -{% for line in ansible_local.interfaces.sup_if_6[borne_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2 deleted file mode 100644 index 586adef9..00000000 --- a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 +++ /dev/null 
@@ -1,30 +0,0 @@ -{{ ansible_header | comment }} - -{% set switch = hostvars[inventory_hostname]['ansible_' + switch_iface.stdout] %} -auto {{ switch_iface.stdout }} -iface {{ switch_iface.stdout }} inet static - address {{ switch.ipv4.address }} - network {{ switch.ipv4.network }} - netmask {{ switch.ipv4.netmask }} - broadcast {{ switch.ipv4.broadcast }} - mtu 1496 - dns-nameservers {{ vlan.switch.dns }} - dns-search switch.crans.org - up /sbin/ip link set $IFACE alias switch -{% if ansible_local.interfaces.sup_if_4 is defined %} -{% if switch_iface.stdout in ansible_local.interfaces.sup_if_4 %} -{% for line in ansible_local.interfaces.sup_if_4[switch_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} - -iface {{ switch_iface.stdout }} inet6 static - address {{ switch.ipv6[0].address }}/{{ switch.ipv6[0].prefix }} -{% if ansible_local.interfaces.sup_if_6 is defined %} -{% if switch_iface.stdout in ansible_local.interfaces.sup_if_6 %} -{% for line in ansible_local.interfaces.sup_if_6[switch_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2 deleted file mode 100644 index c5bb9508..00000000 --- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 +++ /dev/null 
@@ -1,32 +0,0 @@ -{{ ansible_header | comment }} - -{% set fil = hostvars[inventory_hostname]['ansible_' + fil_iface.stdout] %} -auto {{ fil_iface.stdout }} -iface {{ fil_iface.stdout }} inet static - address {{ fil.ipv4.address }} - network {{ fil.ipv4.network }} - netmask {{ fil.ipv4.netmask }} - broadcast {{ fil.ipv4.broadcast }} - gateway {{ vlan.fil.gateway }} - metric {{ vlan.fil.metric }} - mtu 1496 - dns-nameservers {{ vlan.fil.dns }} - dns-search fil.crans.org - up /sbin/ip link set $IFACE alias fil -{% if ansible_local.interfaces.sup_if_4 is defined %} -{% if fil_iface.stdout in ansible_local.interfaces.sup_if_4 %} -{% for line in ansible_local.interfaces.sup_if_4[fil_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} - -iface {{ fil_iface.stdout }} inet6 static - address {{ fil.ipv6[0].address }}/{{ fil.ipv6[0].prefix }} -{% if ansible_local.interfaces.sup_if_6 is defined %} -{% if fil_iface.stdout in ansible_local.interfaces.sup_if_6 %} -{% for line in ansible_local.interfaces.sup_if_6[fil_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2 deleted file mode 100644 index de2b21b7..00000000 --- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 +++ /dev/null 
@@ -1,32 +0,0 @@ -{{ ansible_header | comment }} - -{% set adh = hostvars[inventory_hostname]['ansible_' + adh_iface.stdout] %} -auto {{ adh_iface.stdout }} -iface {{ adh_iface.stdout }} inet static - address {{ adh.ipv4.address }} - network {{ adh.ipv4.network }} - netmask {{ adh.ipv4.netmask }} - broadcast {{ adh.ipv4.broadcast }} - gateway {{ vlan.adh.gateway }} - metric {{ vlan.adh.metric }} - mtu 1496 - dns-nameservers {{ vlan.adh.dns }} - dns-search crans.org - up /sbin/ip link set $IFACE alias adh -{% if ansible_local.interfaces.sup_if_4 is defined %} -{% if adh_iface.stdout in ansible_local.interfaces.sup_if_4 %} -{% for line in ansible_local.interfaces.sup_if_4[adh_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} - -iface {{ adh_iface.stdout }} inet6 static - address {{ adh.ipv6[0].address }}/{{ adh.ipv6[0].prefix }} -{% if ansible_local.interfaces.sup_if_6 is defined %} -{% if adh_iface.stdout in ansible_local.interfaces.sup_if_6 %} -{% for line in ansible_local.interfaces.sup_if_6[adh_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/ifalias.j2 b/roles/interfaces/templates/network/interfaces.d/ifalias.j2 new file mode 100644 index 00000000..daf6a938 --- /dev/null +++ b/roles/interfaces/templates/network/interfaces.d/ifalias.j2 
@@ -0,0 +1,36 @@ +{{ ansible_header | comment }} + +{% set ifconfig = hostvars[inventory_hostname]['ansible_' + item.ifnames[0]] %} +auto {{ item.ifnames[0] }} +iface {{ item.ifnames[0] }} inet static + address {{ ifconfig.ipv4.address }} + network {{ ifconfig.ipv4.network }} + netmask {{ ifconfig.ipv4.netmask }} + broadcast {{ ifconfig.ipv4.broadcast }} +{% if item.gateway is defined %} + gateway {{ item.gateway }} +{% endif %} +{% if item.metric is defined %} + metric {{ item.metric }} +{% endif %} + mtu 1496 + dns-nameservers {{ item.dns }} + dns-search {{ item.dns_search }} + up /sbin/ip link set $IFACE alias {{ item.name }} +{% if ansible_local.interfaces.sup_if_4 is defined %} +{% if item.ifnames[0] in ansible_local.interfaces.sup_if_4 %} +{% for line in ansible_local.interfaces.sup_if_4[item.ifnames[0]] %} + {{ line }} +{% endfor %} +{% endif %} +{% endif %} + +iface {{ item.ifnames[0] }} inet6 static + address {{ ifconfig.ipv6[0].address }}/{{ ifconfig.ipv6[0].prefix }} +{% if ansible_local.interfaces.sup_if_6 is defined %} +{% if item.ifnames[0] in ansible_local.interfaces.sup_if_6 %} +{% for line in ansible_local.interfaces.sup_if_6[item.ifnames[0]] %} + {{ line }} +{% endfor %} +{% endif %} +{% endif %} From 2c8ad8f6fd6b632647bd40bd917c212f6025b549 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Wed, 29 Apr 2020 12:15:12 +0200 Subject: [PATCH 030/126] [backuppc] Initial role --- roles/backuppc/tasks/main.yml | 20 +++++++++++++++++++ .../templates/update-motd.d/05-service.j2 | 3 +++ services_web.yml | 4 ++++ 3 files changed, 27 insertions(+) create mode 100644 roles/backuppc/tasks/main.yml create mode 100755 roles/backuppc/templates/update-motd.d/05-service.j2 diff --git a/roles/backuppc/tasks/main.yml b/roles/backuppc/tasks/main.yml new file mode 100644 index 00000000..bb1e89b2 --- /dev/null +++ b/roles/backuppc/tasks/main.yml 
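Review bot: The IPv6 stanza indexes `ifconfig.ipv6[0]` unconditionally, so a host whose interface has no `ipv6` list in its facts fails the whole template; the removed per-VLAN files had the same gap, but this template now renders once per `vlan` entry, so one odd interface breaks every file. Guard it with `{% if ifconfig.ipv6 is defined and ifconfig.ipv6 | length > 0 %}` around the `inet6` block (and note in a comment that `[0]` is simply whatever Ansible lists first, which may not be the intended address — confirm). In the same spirit `item.dns` and `item.dns_search` are used bare while `gateway` and `metric` are checked with `is defined`; either guard them the same way or document at the top of the template that every `vlan` entry must provide `dns` and `dns_search`.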
@@ -0,0 +1,20 @@ +--- +- name: Install backuppc + apt: + update_cache: true + name: backuppc + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Disable mlocate indexation of backup files + lineinfile: + path: /etc/updatedb.conf + regexp: '^PRUNEPATHS' + line: PRUNEPATHS="/tmp /var/spool /media /var/lib/os-prober /var/lib/ceph /var/lib/backuppc /backup" + +- name: Indicate role in motd + template: + src: update-motd.d/05-service.j2 + dest: /etc/update-motd.d/05-backuppc + mode: 0755 diff --git a/roles/backuppc/templates/update-motd.d/05-service.j2 b/roles/backuppc/templates/update-motd.d/05-service.j2 new file mode 100755 index 00000000..e0e1810d --- /dev/null +++ b/roles/backuppc/templates/update-motd.d/05-service.j2 @@ -0,0 +1,3 @@ +#!/usr/bin/tail +14 +{{ ansible_header | comment }} +> BackupPC a été déployé sur cette machine. Voir /etc/backuppc/ et /var/lib/backuppc/. diff --git a/services_web.yml b/services_web.yml index a6dbe2eb..934c70f9 100755 --- a/services_web.yml +++ b/services_web.yml @@ -114,3 +114,7 @@ - ftpsync - rsync-mirror - nginx-pubftp + +- hosts: zephir.adm.crans.org + roles: + - backuppc From 4d4fae85f532626c7c82edb267b78d61573276ae Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Wed, 29 Apr 2020 12:20:52 +0200 Subject: [PATCH 031/126] Let's eat some backups --- services_web.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services_web.yml b/services_web.yml index 934c70f9..e52e8a23 100755 --- a/services_web.yml +++ b/services_web.yml @@ -115,6 +115,6 @@ - rsync-mirror - nginx-pubftp -- hosts: zephir.adm.crans.org +- hosts: zephir.adm.crans.org,omnomnom.adm.crans.org roles: - backuppc From 5406ec7a0553a4d8f230e0757960e2fa4fa7cfde Mon Sep 17 00:00:00 2001 
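Review bot: The `lineinfile` task replaces the entire `PRUNEPATHS=` line of `/etc/updatedb.conf` with a fixed list, so any path already present on the host (the distribution defaults the line repeats, or anything another role added) is silently dropped instead of extended. A backreference form only appends what is missing: `regexp: '^PRUNEPATHS="(?!.*/var/lib/backuppc)(.*)"$'`, `line: 'PRUNEPATHS="\1 /var/lib/backuppc /backup"'`, `backrefs: true`. A short comment on the task saying why the backup trees must stay out of mlocate — they hold copies of other hosts' files, which would otherwise be indexed and searchable by every local user — would make the intent clear to the next reader.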
From: Benjamin Graillot Date: Fri, 1 May 2020 16:59:47 +0200 Subject: [PATCH 032/126] [bind-authoritative] Add zone _acme-challenge.adm.crans.org --- .../templates/bind/named.conf.local.j2 | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/roles/bind-authoritative/templates/bind/named.conf.local.j2 b/roles/bind-authoritative/templates/bind/named.conf.local.j2 index 9752be76..e11f50c3 100644 --- a/roles/bind-authoritative/templates/bind/named.conf.local.j2 +++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2 @@ -35,6 +35,29 @@ zone "_acme-challenge.crans.org" { file "bak._acme-challenge.crans.org"; }; +// Let's Encrypt Challenge DNS-01 zone +zone "_acme-challenge.adm.crans.org" { +{% if is_master %} + type master; + notify yes; + update-policy { + grant certbot_challenge. name _acme-challenge.adm.crans.org. txt; + }; +{% else %} + type slave; + masters { +{% for ip in masters_ipv4 %} + {{ ip }}; +{% endfor -%} +{% for ip in masters_ipv6 %} + {{ ip }}; +{% endfor %} + }; + notify no; +{% endif %} + file "bak._acme-challenge.adm.crans.org"; +}; + zone "_acme-challenge.crans.fr" { {% if is_master %} type master; From 65363c64816910e594536ea6d69591fe6a83ad5a Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Fri, 1 May 2020 17:17:18 +0200 Subject: [PATCH 033/126] Certbot role for gitzly --- network.yml | 20 ++++++++++++++++++- roles/certbot/tasks/main.yml | 4 ++-- .../letsencrypt/conf.d/crans.org.ini.j2 | 6 +++--- .../templates/letsencrypt/rfc2136.ini.j2 | 4 ++-- 4 files changed, 26 insertions(+), 8 deletions(-) diff --git a/network.yml b/network.yml index b7d09a19..ed74f96c 100755 --- a/network.yml +++ b/network.yml 
@@ -51,7 +51,25 @@ # Deploy reverse proxy - hosts: bakdaur.adm.crans.org vars: - certbot_dns_secret: "{{ vault_certbot_dns_secret }}" + certbot: + dns_rfc2136_name: certbot_challenge. + dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" + mail: root@crans.org + certname: crans.org + domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu" + bind: + masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}" + roles: + - certbot + +- hosts: gitzly.adm.crans.org + vars: + certbot: + dns_rfc2136_name: certbot_adm_challenge. + dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}" + mail: root@crans.org + certname: adm.crans.org + domains: "*.adm.crans.org" bind: masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}" roles: diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index 86e7c6e3..3a862fcb 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -24,6 +24,6 @@ - name: Add Certbot configuration template: - src: letsencrypt/conf.d/crans.org.ini.j2 - dest: /etc/letsencrypt/conf.d/crans.org.ini + src: "letsencrypt/conf.d/{{ certbot.certname }}.ini.j2" + dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" mode: 0644 diff --git a/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2 index d311fa76..837a60a9 100644 --- a/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2 +++ b/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2 @@ -10,7 +10,7 @@ rsa-key-size = 4096 # server = https://acme-staging.api.letsencrypt.org/directory # Uncomment and update to register with the specified e-mail address -email = root@crans.org +email = {{ certbot.mail }} # Uncomment to use a text interface instead of ncurses text = True 
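Review bot: gitzly requests a wildcard `*.adm.crans.org` certificate although, as far as this play shows, it only needs its own name; a wildcard means that a compromise of gitzly or of its RFC 2136 credentials yields a certificate valid for every admin host, and the wildcard is published in CT logs. Unless the certificate is meant to be copied to other adm hosts, narrow it to `domains: "gitzly.adm.crans.org"`, and if it is shared, say in a comment which hosts consume it. The `certbot_adm_challenge.` key named here is not defined in the bind template as of this commit, so the gitzly play should be applied only after the DNS side has been updated.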
@@ -21,5 +21,5 @@ dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini dns-rfc2136-propagation-seconds = 30 # Wildcard the domain -cert-name = crans.org -domains = crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu +cert-name = {{ certbot.certname }} +domains = {{ certbot.domains }} diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 index 54b272b5..a41a547d 100644 --- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 +++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 @@ -2,6 +2,6 @@ dns_rfc2136_server = {{ dns_masters_ipv4 | first }} dns_rfc2136_port = 53 -dns_rfc2136_name = certbot_challenge. -dns_rfc2136_secret = {{ certbot_dns_secret }} +dns_rfc2136_name = {{ certbot.dns_rfc2136_name }} +dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }} dns_rfc2136_algorithm = HMAC-SHA512 From 28595429473955aa2cd25286feca74053051e051 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Fri, 1 May 2020 17:35:27 +0200 Subject: [PATCH 034/126] New DNS key --- network.yml | 1 + roles/bind-authoritative/templates/bind/named.conf.local.j2 | 6 +++++- roles/certbot/tasks/main.yml | 2 +- .../conf.d/{crans.org.ini.j2 => certname.ini.j2} | 0 4 files changed, 7 insertions(+), 2 deletions(-) rename roles/certbot/templates/letsencrypt/conf.d/{crans.org.ini.j2 => certname.ini.j2} (100%) diff --git a/network.yml b/network.yml index ed74f96c..97cc9737 100755 --- a/network.yml +++ b/network.yml @@ -40,6 +40,7 @@ - hosts: silice.adm.crans.org,sputnik.adm.crans.org,boeing.adm.crans.org vars: certbot_dns_secret: "{{ vault_certbot_dns_secret }}" + certbot_adm_dns_secret: "{{ vault_certbot_adm_dns_secret }}" bind: masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}" slaves: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-slave')[0] }}" 
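Review bot: This file carries the TSIG secret handed in as `certbot.dns_rfc2136_secret`, but the task that writes `/etc/letsencrypt/rfc2136.ini` is outside this hunk and the only certbot template task visible (the `conf.d` ini) is deployed with `mode: 0644`. Make sure the task rendering this template sets `mode: 0600` and `owner: root`; certbot's DNS plugins warn on group- or world-readable credential files, and whoever can read this key can obtain certificates for every name the matching `update-policy` grants. A first line `{# contains a TSIG secret: deploy with mode 0600 #}` records the requirement next to the data.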
diff --git a/roles/bind-authoritative/templates/bind/named.conf.local.j2 b/roles/bind-authoritative/templates/bind/named.conf.local.j2 index e11f50c3..9d76d8e8 100644 --- a/roles/bind-authoritative/templates/bind/named.conf.local.j2 +++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2 @@ -10,6 +10,10 @@ key "certbot_challenge." { algorithm hmac-sha512; secret "{{ certbot_dns_secret }}"; }; +key "certbot_adm_challenge." { + algorithm hmac-sha512; + secret "{{ certbot_adm_dns_secret }}"; +}; {% endif %} // Let's Encrypt Challenge DNS-01 zone @@ -41,7 +45,7 @@ zone "_acme-challenge.adm.crans.org" { type master; notify yes; update-policy { - grant certbot_challenge. name _acme-challenge.adm.crans.org. txt; + grant certbot_adm_challenge. name _acme-challenge.adm.crans.org. txt; }; {% else %} type slave; diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index 3a862fcb..b32845cc 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -24,6 +24,6 @@ - name: Add Certbot configuration template: - src: "letsencrypt/conf.d/{{ certbot.certname }}.ini.j2" + src: "letsencrypt/conf.d/certname.ini.j2" dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" mode: 0644 diff --git a/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 similarity index 100% rename from roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2 rename to roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 From fa586e9a946deb195b43d05c722d52734a79e95c Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Fri, 1 May 2020 18:37:51 +0200 Subject: [PATCH 035/126] Clean up Framadate for shireen --- roles/framadate/tasks/main.yml | 14 +++++++------- .../templates/update-motd.d/05-service.j2 | 3 +-- services_web.yml | 12 ++++-------- 3 files changed, 12 insertions(+), 17 deletions(-) 
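Review bot: Both TSIG secrets are now inlined into `named.conf.local`, and the task deploying this template is outside the hunk, so its file mode cannot be checked here; that file is conventionally world-readable, which would expose `certbot_dns_secret` and `certbot_adm_dns_secret` to every local account on the authoritative servers. The usual fix is to move the two `key` blocks into a separate file rendered with `owner: root`, `group: bind`, `mode: 0640` and pull it in with `include "/etc/bind/certbot.keys";`, leaving `named.conf.local` itself readable. A comment above the keys stating that each one is granted only on its own `_acme-challenge` zone would also record the least-privilege split this commit introduces.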
diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml index b3584f62..02c698e7 100644 --- a/roles/framadate/tasks/main.yml +++ b/roles/framadate/tasks/main.yml @@ -16,23 +16,23 @@ - name: Clone framadate project git: - repo: "{{ framadate_repo }}" - dest: "{{ framadate_path }}" - version: "{{ framadate_version }}" + repo: "{{ framadate.repo }}" + dest: "{{ framadate.path }}" + version: "{{ framadate.version }}" - name: Set perms on framadate code file: - path: "{{ framadate_path }}" + path: "{{ framadate.path }}" state: directory - owner: "{{ framadate_user }}" + owner: www-data recurse: true - name: Install Framadate dependencies composer: command: install - working_dir: "{{ framadate_path }}" + working_dir: "{{ framadate.path }}" become: true - become_user: "{{ framadate_user }}" + become_user: www-data register: composer_result retries: 3 until: composer_result is succeeded diff --git a/roles/framadate/templates/update-motd.d/05-service.j2 b/roles/framadate/templates/update-motd.d/05-service.j2 index bf029cde..d0598362 100755 --- a/roles/framadate/templates/update-motd.d/05-service.j2 +++ b/roles/framadate/templates/update-motd.d/05-service.j2 @@ -1,4 +1,3 @@ #!/usr/bin/tail +14 {{ ansible_header | comment }} -> framadate a été déployé sur cette machine. - Voir {{ framadate_path }} +> Framadate a été déployé sur cette machine. Voir {{ framadate.path }}. diff --git a/services_web.yml b/services_web.yml index e52e8a23..17515e3f 100755 --- a/services_web.yml +++ b/services_web.yml 
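Review bot: `owner: www-data` is applied recursively to the whole checkout and composer then runs as the same account, so the PHP process serving Framadate also owns and can rewrite its own code and `vendor/` tree, which turns any web-side compromise into a persistent one. Keep the checkout owned by root (or a dedicated deploy user), run composer as that user, and give `www-data` write access only to the directories the application actually writes to — which ones those are is not visible here and should be checked against Framadate's documentation before narrowing. If the shared-user layout is deliberate for now, a comment on the `Set perms` task saying so (and why) will stop the next reader from changing it blindly.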
@@ -7,14 +7,10 @@ # Deploy FramaDate - hosts: voyager.adm.crans.org vars: - # mirror on Crans GitLab because adm has no network - framadate_repo: https://framagit.org/framasoft/framadate/framadate.git - framadate_version: 1.1.10 - - # User who will run framadate - # you will have to `sudo -u THISUSER zsh` to debug - framadate_user: www-data - framadate_path: /var/www/framadate + framadate: + repo: https://framagit.org/framasoft/framadate/framadate.git + version: 1.1.10 + path: /var/www/framadate roles: - framadate From 39a33bfa062f24d1ded491628ea920d92ccaad59 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 2 May 2020 10:18:10 +0200 Subject: [PATCH 036/126] [nginx-reverseproxy] Initial role --- network.yml | 72 ++++++++++++++++ roles/nginx-reverseproxy/handlers/main.yml | 5 ++ roles/nginx-reverseproxy/tasks/main.yml | 40 +++++++++ .../templates/nginx/redirect.j2 | 83 +++++++++++++++++++ .../templates/nginx/reverseproxy.j2 | 62 ++++++++++++++ .../nginx/reverseproxy_redirect_dname.j2 | 44 ++++++++++ .../templates/update-motd.d/05-service.j2 | 3 + .../templates/www/html/50x.html.j2 | 63 ++++++++++++++ 8 files changed, 372 insertions(+) create mode 100644 roles/nginx-reverseproxy/handlers/main.yml create mode 100644 roles/nginx-reverseproxy/tasks/main.yml create mode 100644 roles/nginx-reverseproxy/templates/nginx/redirect.j2 create mode 100644 roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 create mode 100644 roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 create mode 100755 roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 create mode 100644 roles/nginx-reverseproxy/templates/www/html/50x.html.j2 diff --git a/network.yml b/network.yml index 97cc9737..daf70236 100755 --- a/network.yml +++ b/network.yml 
@@ -60,8 +60,80 @@ domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu" bind: masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}" + nginx: + ssl: + cert: /etc/letsencrypt/live/crans.org/fullchain.pem + cert_key: /etc/letsencrypt/live/crans.org/privkey.pem + trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem + + redirect_dnames: + - crans.eu + - crans.fr + + reverseproxy_sites: + # Services web Crans + - {from: lutim.crans.org, to: 10.231.136.69} + - {from: zero.crans.org, to: 10.231.136.76} + - {from: pad.crans.org, to: 10.231.136.76} + - {from: ethercalc.crans.org, to: 10.231.136.203} + - {from: mediadrop.crans.org, to: 10.231.136.106} + - {from: videos.crans.org, to: 10.231.136.106} + - {from: video.crans.org, to: 10.231.136.106} + - {from: roundcube.crans.org, to: 10.231.136.105} + - {from: phabricator.crans.org, to: 10.231.136.123} + - {from: trackerusercontent.crans.org, to: 10.231.136.123} + - {from: cas.crans.org, to: 10.231.136.18} + - {from: auth.crans.org, to: 10.231.136.18} + - {from: login.crans.org, to: 10.231.136.18} + - {from: webmail.crans.org, to: 10.231.136.107} + - {from: horde.crans.org, to: 10.231.136.107} + - {from: owncloud.crans.org, to: 10.231.136.26} + - {from: ftps.crans.org, to: 10.231.136.98} + - {from: wiki.crans.org, to: 10.231.136.204} + - {from: www.crans.org, to: 10.231.136.46} + - {from: doc.crans.org, to: 10.231.136.46} + - {from: limesurvey.crans.org, to: 10.231.136.253} + - {from: lutim.crans.org, to: 10.231.136.69} + - {from: perso.crans.org, to: 10.231.136.1} + - {from: webnews.crans.org, to: 10.231.136.63} + - {from: re2o.crans.org, to: 10.231.136.9} + - {from: intranet.crans.org, to: 10.231.136.9} + - {from: autoconfig.crans.org, to: 10.231.136.46} + - {from: grafana.crans.org, to: 10.231.136.102} + - {from: webirc.crans.org, to: "10.231.136.1:9000"} + + # Zamok + - {from: install-party.crans.org, to: 10.231.136.1} + - {from: med.crans.org, to: 10.231.136.1} + - {from: 
med-cartons.crans.org, to: 10.231.136.1} + - {from: amap.crans.org, to: 10.231.136.1} + - {from: pot-vieux.crans.org, to: 10.231.136.1} + - {from: bonvivens.crans.org, to: 10.231.136.1} + + redirect_sites: + - {from: crans.org, to: www.crans.org} + + # Aliases or legacy support + - {from: factures.crans.org, to: intranet.crans.org} + - {from: accounts.crans.org, to: intranet.crans.org} + - {from: intranet2.crans.org, to: intranet.crans.org} + - {from: clubs.crans.org, to: perso.crans.org} + - {from: task.crans.org, to: phabricator.crans.org} + - {from: adopteunpingouin.crans.org, to: install-party.crans.org} + - {from: i-p.crans.org, to: install-party.crans.org} + + # To the wiki + - {from: wikipedia.crans.org, to: wiki.crans.org} + - {from: wifi.crans.org, to: wiki.crans.org/CransD%C3%A9marrage} + - {from: television.crans.org, to: wiki.crans.org/CransTv} + - {from: tv.crans.org, to: wiki.crans.org/CransTv} + + # ENS Cachan + - {from: crans.ens-cachan.fr, to: www.crans.org} + - {from: install-party.ens-cachan.fr, to: install-party.crans.org} roles: - certbot + - nginx-reverseproxy - hosts: gitzly.adm.crans.org vars: diff --git a/roles/nginx-reverseproxy/handlers/main.yml b/roles/nginx-reverseproxy/handlers/main.yml new file mode 100644 index 00000000..6dfcdd76 --- /dev/null +++ b/roles/nginx-reverseproxy/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Reload nginx + systemd: + name: nginx + state: reloaded diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml new file mode 100644 index 00000000..3c95a8f7 --- /dev/null +++ b/roles/nginx-reverseproxy/tasks/main.yml 
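Review bot: `lutim.crans.org` appears twice in `reverseproxy_sites` (at the top of the "Services web Crans" group and again after `limesurvey.crans.org`), so the template emits two `server` blocks with the same `server_name` and nginx ignores the second with a "conflicting server name" warning; harmless while both point to `10.231.136.69`, but if they ever diverge the first one wins silently, so drop the duplicate. The `redirect_sites` targets that carry a path (`wiki.crans.org/CransTv`, `wiki.crans.org/CransD%C3%A9marrage`) are concatenated with `$request_uri` by the template, so `https://tv.crans.org/foo` lands on `wiki.crans.org/CransTv/foo`; if that is not intended those entries need a redirect that discards the request URI, and a comment on the list should state which forms the `to` field accepts.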
@@ -0,0 +1,40 @@
+---
+- name: Install NGINX
+ apt:
+ update_cache: true
+ name: nginx
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Copy reverse proxy sites
+ template:
+ src: "nginx/{{ item }}.j2"
+ dest: "/etc/nginx/sites-available/{{ item }}"
+ loop:
+ - reverseproxy
+ - reverseproxy_redirect_dname
+ - redirect
+ notify: Reload nginx
+
+- name: Activate sites
+ file:
+ src: "/etc/nginx/sites-available/{{ item }}"
+ dest: "/etc/nginx/sites-enabled/{{ item }}"
+ state: link
+ loop:
+ - reverseproxy
+ - reverseproxy_redirect_dname
+ - redirect
+ notify: Reload nginx
+
+- name: Copy 50x error page
+ template:
+ src: www/html/50x.html.j2
+ dest: /var/www/html/50x.html
+
+- name: Indicate role in motd
+ template:
+ src: update-motd.d/05-service.j2
+ dest: /etc/update-motd.d/05-nginx
+ mode: 0755
diff --git a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 b/roles/nginx-reverseproxy/templates/nginx/redirect.j2
new file mode 100644
index 00000000..fb177b9a
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/nginx/redirect.j2
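Review bot: The role enables its three generated sites but never removes Debian's `/etc/nginx/sites-enabled/default`, so the package's `default_server` on port 80 keeps answering for any unknown `Host` and serves `/var/www/html` — the directory this role also drops `50x.html` into — from the public reverse proxy. Add a task with `file: {path: /etc/nginx/sites-enabled/default, state: absent}` and `notify: Reload nginx`, and give the `50x.html` template an explicit `mode: 0644` like the other templates in this role. Because a bad render of any site file takes the proxy down at the next reload, a `command: nginx -t` step before the reload handler (for example a `Validate nginx` handler the tasks notify first) would fail the play instead of the service.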
@@ -0,0 +1,83 @@
+{{ ansible_header | comment }}
+
+{% for site in nginx.redirect_sites %}
+# Redirect http://{{ site.from }} to http://{{ site.to }}
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ site.from }};
+
+ location / {
+ return 302 http://{{ site.to }}$request_uri;
+ }
+}
+
+# Redirect https://{{ site.from }} to https://{{ site.to }}
+server {
+ listen 443;
+ listen [::]:443;
+
+ server_name {{ site.from }};
+
+ ssl on;
+ ssl_certificate {{ nginx.ssl.cert }};
+ ssl_certificate_key {{ nginx.ssl.cert_key }};
+
+ # SSL ciphers updated by Debian
+ include "/etc/letsencrypt/options-ssl-nginx.conf";
+
+ # Enable OCSP Stapling, point to certificate chain
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
+ location / {
+ return 302 https://{{ site.to }}$request_uri;
+ }
+}
+
+{% endfor %}
+
+{# Also redirect for DNAMEs #}
+{% for dname in nginx.redirect_dnames %}
+{% for site in nginx.redirect_sites %}
+{% set from = site.from | regex_replace('crans.org', dname) %}
+# Redirect http://{{ from }} to http://{{ site.to }}
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ from }};
+
+ location / {
+ return 302 http://{{ site.to }}$request_uri;
+ }
+}
+
+# Redirect https://{{ from }} to https://{{ site.to }}
+server {
+ listen 443;
+ listen [::]:443;
+
+ server_name {{ from }};
+
+ ssl on;
+ ssl_certificate {{ nginx.ssl.cert }};
+ ssl_certificate_key {{ nginx.ssl.cert_key }};
+
+ # SSL ciphers updated by Debian
+ include "/etc/letsencrypt/options-ssl-nginx.conf";
+
+ # Enable OCSP Stapling, point to certificate chain
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
+ location / {
+ return 302 https://{{ site.to }}$request_uri;
+ }
+}
+
+{% endfor %}
+{% endfor %}
diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
new file mode 100644
index 00000000..eab44a49
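Review bot: The DNAME loop applies `regex_replace('crans.org', dname)` to every entry of `redirect_sites`, but the dots are unescaped and the pattern is unanchored, and entries without `crans.org` at all (`crans.ens-cachan.fr`, `install-party.ens-cachan.fr`) come back unchanged, so the inner loop re-emits an identical `server_name` block for each of them per DNAME and nginx discards the duplicates with a warning. Wrap the inner body in `{% if 'crans.org' in site.from %}` and use `regex_replace('crans\\.org$', dname)`. Separately, the HTTPS blocks for the `ens-cachan.fr` names are served with the `crans.org` certificate, which per the `domains` list in `network.yml` does not cover that domain, so clients on 443 will see a name mismatch there; either obtain a certificate for those names or keep them HTTP-only and say so in a comment.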
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
@@ -0,0 +1,62 @@
+{{ ansible_header | comment }}
+
+{% for site in nginx.reverseproxy_sites %}
+# Redirect http://{{ site.from }} to https://{{ site.from }}
+server {
+ listen 80;
+ listen [::]:80
+
+ server_name {{ site.from }};
+
+ location / {
+ return 302 https://$host$request_uri;
+ }
+}
+
+# Reverse proxify https://{{ site.from }} to http://{{ site.to }}
+server {
+ listen 443;
+ listen [::]:443;
+
+ server_name {{ site.from }};
+
+ ssl on;
+ ssl_certificate {{ nginx.ssl.cert }};
+ ssl_certificate_key {{ nginx.ssl.cert_key }};
+
+ # SSL ciphers updated by Debian
+ include "/etc/letsencrypt/options-ssl-nginx.conf";
+
+ # Enable OCSP Stapling, point to certificate chain
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
+ # Log into separate log files
+ access_log /var/log/nginx/{{ site.from }}.log;
+ error_log /var/log/nginx/{{ site.from }}_error.log;
+
+ # Keep the TCP connection open a bit for faster browsing
+ keepalive_timeout 70;
+
+ # Custom error page
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /var/www/html;
+ }
+
+ set_real_ip_from 10.231.136.0/24;
+ set_real_ip_from 2a0c:700:0:2::/64;
+ real_ip_header P-Real-Ip;
+
+ location / {
+ proxy_set_header Host {{ site.from }};
+ proxy_set_header P-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_redirect off;
+ proxy_pass http://{{ site.to }};
+ }
+}
+
+{% endfor %}
diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
new file mode 100644
index 00000000..1affe511
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
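Review bot: The HTTP redirect block is missing the semicolon after `listen [::]:80`, so nginx reads the following `server_name` as extra parameters of `listen` and rejects the configuration; with the reload handler that leaves every proxied site on whatever config was loaded before — the fix is `listen [::]:80;`. While here, `ssl on;` is deprecated in favour of `listen 443 ssl;` / `listen [::]:443 ssl;`. The `set_real_ip_from` / `real_ip_header P-Real-Ip` pairing deserves a comment: `$remote_addr` is overwritten from that header only for requests arriving from the two internal prefixes, so backends must trust the `P-Real-IP` this proxy sends and not the client-controllable leading entries of `X-Forwarded-For`. Given the unconditional HTTP→HTTPS redirect, adding a `Strict-Transport-Security` header on the 443 block would be consistent.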
@@ -0,0 +1,44 @@ +{{ ansible_header | comment }} + +{% for dname in nginx.redirect_dnames %} +{% for site in nginx.reverseproxy_sites %} +{% set from = site.from | regex_replace('crans.org', dname) %} +{% set to = site.from %} +# Redirect http://{{ from }} to http://{{ to }} +server { + listen 80; + listen [::]:80; + + server_name {{ from }}; + + location / { + return 302 http://{{ to }}$request_uri; + } +} + +# Redirect https://{{ from }} to https://{{ to }} +server { + listen 443; + listen [::]:443; + + server_name {{ from }}; + + ssl on; + ssl_certificate {{ nginx.ssl.cert }}; + ssl_certificate_key {{ nginx.ssl.cert_key }}; + + # SSL ciphers updated by Debian + include "/etc/letsencrypt/options-ssl-nginx.conf"; + + # Enable OCSP Stapling, point to certificate chain + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + + location / { + return 302 https://{{ to }}$request_uri; + } +} + +{% endfor %} +{% endfor %} diff --git a/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 b/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 new file mode 100755 index 00000000..82373d0b --- /dev/null +++ b/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 @@ -0,0 +1,3 @@ +#!/usr/bin/tail +14 +{{ ansible_header | comment }} +> NGINX a été déployé sur cette machine. Voir /etc/nginx/. diff --git a/roles/nginx-reverseproxy/templates/www/html/50x.html.j2 b/roles/nginx-reverseproxy/templates/www/html/50x.html.j2 new file mode 100644 index 00000000..b4bde1f9 --- /dev/null +++ b/roles/nginx-reverseproxy/templates/www/html/50x.html.j2 @@ -0,0 +1,63 @@ + + + + + 502 + + + + +

502

+

Whoops, le service prend trop de temps à répondre…

+

Essayez de rafraîchir la page. Si le problème persiste, pensez + à contacter l'équipe technique du Cr@ns.

+ + + From ee1cb0e86ee5240d9a61baf9f2f3bf197ed56065 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 2 May 2020 10:39:45 +0200 Subject: [PATCH 037/126] Fix yaml syntax --- base.yml | 4 ++-- interfaces.yml | 2 +- network.yml | 2 +- roles/postfix/handlers/main.yml | 1 + upgrade.yml | 2 +- 5 files changed, 6 insertions(+), 5 deletions(-) diff --git a/base.yml b/base.yml index 5bf6a4e7..1f3d6506 100755 --- a/base.yml +++ b/base.yml @@ -6,8 +6,8 @@ - name: Register adm interface in adm_iface variable shell: set -o pipefail && grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" register: adm_iface - check_mode: no - changed_when: True + check_mode: false + changed_when: true args: executable: /bin/bash diff --git a/interfaces.yml b/interfaces.yml index 5c7107a7..bce7ced2 100755 --- a/interfaces.yml +++ b/interfaces.yml @@ -4,7 +4,7 @@ - hosts: server tasks: - shell: "grep {{ item }} /sys/class/net/*/ifalias | sed \"s|/sys/class/net/||\" | sed \"s|/ifalias:.*||\"" - check_mode: no + check_mode: false register: ifaces loop: - srv diff --git a/network.yml b/network.yml index daf70236..fdc49662 100755 --- a/network.yml +++ b/network.yml @@ -65,7 +65,7 @@ cert: /etc/letsencrypt/live/crans.org/fullchain.pem cert_key: /etc/letsencrypt/live/crans.org/privkey.pem trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem - + redirect_dnames: - crans.eu - crans.fr diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml index 49094649..8fa449d5 100644 --- a/roles/postfix/handlers/main.yml +++ b/roles/postfix/handlers/main.yml @@ -1,3 +1,4 @@ +--- - name: generate postmaps command: /usr/sbin/postmap {{ item }} loop: diff --git a/upgrade.yml b/upgrade.yml index 27798c15..194f0137 100755 --- a/upgrade.yml +++ b/upgrade.yml @@ -21,7 +21,7 @@ - hosts: owncloud-srv.adm.crans.org become_user: www-data - become: yes + become: true vars: # Owncloud command line interface occ_bin: '/var/www/owncloud/occ' 
From 0a16ac0b0c14b5a85b1d165a85881754227a27d8 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 2 May 2020 13:03:29 +0200 Subject: [PATCH 038/126] Minor fixes on reverse proxy --- network.yml | 3 +-- roles/certbot/tasks/main.yml | 5 +++++ roles/nginx-reverseproxy/tasks/main.yml | 10 +++++++++- roles/nginx-reverseproxy/templates/nginx/redirect.j2 | 2 ++ .../nginx-reverseproxy/templates/nginx/reverseproxy.j2 | 2 +- .../templates/nginx/reverseproxy_redirect_dname.j2 | 2 ++ 6 files changed, 20 insertions(+), 4 deletions(-) diff --git a/network.yml b/network.yml index fdc49662..2bde72ff 100755 --- a/network.yml +++ b/network.yml @@ -50,7 +50,7 @@ - bind-authoritative # Deploy reverse proxy -- hosts: bakdaur.adm.crans.org +- hosts: bakdaur.adm.crans.org,sputnik.adm.crans.org vars: certbot: dns_rfc2136_name: certbot_challenge. @@ -93,7 +93,6 @@ - {from: www.crans.org, to: 10.231.136.46} - {from: doc.crans.org, to: 10.231.136.46} - {from: limesurvey.crans.org, to: 10.231.136.253} - - {from: lutim.crans.org, to: 10.231.136.69} - {from: perso.crans.org, to: 10.231.136.1} - {from: webnews.crans.org, to: 10.231.136.63} - {from: re2o.crans.org, to: 10.231.136.9} diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index b32845cc..2e9c8b26 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -22,6 +22,11 @@ mode: 0600 owner: root +- name: Create /etc/letsencrypt/conf.d + file: + path: /etc/letsencrypt/conf.d + state: directory + - name: Add Certbot configuration template: src: "letsencrypt/conf.d/certname.ini.j2" diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml index 3c95a8f7..1fee6a3c 100644 --- a/roles/nginx-reverseproxy/tasks/main.yml +++ b/roles/nginx-reverseproxy/tasks/main.yml 
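Review bot: The new `Create /etc/letsencrypt/conf.d` task sets no `owner`, `group` or `mode`, so the directory takes whatever umask the ansible run happens to have, while the task just above it pins `mode: 0600` / `owner: root` on its file. Adding `owner: root`, `group: root` and `mode: 0755` makes the result explicit and idempotent across runs; if certname.ini ends up carrying more than paths and the account e-mail, `0700` is the safer choice, but its contents are not visible from here.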
@@ -2,11 +2,19 @@ - name: Install NGINX apt: update_cache: true - name: nginx + name: + - nginx + - python3-certbot-nginx # for options-ssl-nginx.conf register: apt_result retries: 3 until: apt_result is succeeded +- name: Copy certbot SSL snippet + copy: + remote_src: true + src: /usr/lib/python3/dist-packages/certbot_nginx/options-ssl-nginx.conf + dest: /etc/letsencrypt/options-ssl-nginx.conf + - name: Copy reverse proxy sites template: src: "nginx/{{ item }}.j2" diff --git a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 b/roles/nginx-reverseproxy/templates/nginx/redirect.j2 index fb177b9a..4d60807e 100644 --- a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/redirect.j2 @@ -43,6 +43,7 @@ server { {% for dname in nginx.redirect_dnames %} {% for site in nginx.redirect_sites %} {% set from = site.from | regex_replace('crans.org', dname) %} +{% if from != site.from %} # Redirect http://{{ from }} to http://{{ site.to }} server { listen 80; @@ -79,5 +80,6 @@ server { } } +{% endif %} {% endfor %} {% endfor %} diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 index eab44a49..31c34462 100644 --- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 @@ -4,7 +4,7 @@ # Redirect http://{{ site.from }} to https://{{ site.from }} server { listen 80; - listen [::]:80 + listen [::]:80; server_name {{ site.from }}; diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 index 1affe511..8fc57808 100644 --- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 
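Review bot: `Copy certbot SSL snippet` makes the proxy's TLS policy whatever the installed python3-certbot-nginx version ships in options-ssl-nginx.conf, which on older packaged releases still enables TLSv1 and TLSv1.1, and the copy has neither a `mode` nor a `notify`, so a changed snippet is never reloaded. Installing the whole certbot nginx plugin just to obtain that one file is also more surface than the role needs. A role-owned snippet with an explicit `ssl_protocols TLSv1.2 TLSv1.3;` line, deployed with `mode: 0644` and a reload handler, keeps the protocol set under version control rather than under apt.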
@@ -4,6 +4,7 @@ {% for site in nginx.reverseproxy_sites %} {% set from = site.from | regex_replace('crans.org', dname) %} {% set to = site.from %} +{% if from != site.from %} # Redirect http://{{ from }} to http://{{ to }} server { listen 80; @@ -40,5 +41,6 @@ server { } } +{% endif %} {% endfor %} {% endfor %} From 07a5be28d2a7c87c36815f84d716ed791e86920c Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 2 May 2020 13:05:16 +0200 Subject: [PATCH 039/126] =?UTF-8?q?j'ai=20d=C3=A9t=C3=A9r=C3=A9=20frontdau?= =?UTF-8?q?r=20mami!?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- network.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network.yml b/network.yml index 2bde72ff..a6ec7a1c 100755 --- a/network.yml +++ b/network.yml @@ -50,7 +50,7 @@ - bind-authoritative # Deploy reverse proxy -- hosts: bakdaur.adm.crans.org,sputnik.adm.crans.org +- hosts: bakdaur.adm.crans.org,frontdaur.adm.crans.org vars: certbot: dns_rfc2136_name: certbot_challenge. From 4967a5294692163dd1aa389632296e67e592444b Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Sat, 2 May 2020 13:19:16 +0200 Subject: [PATCH 040/126] [keepalived] Don't hardcode proxies adm interface --- roles/keepalived/templates/keepalived/keepalived.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/keepalived/templates/keepalived/keepalived.conf.j2 b/roles/keepalived/templates/keepalived/keepalived.conf.j2 index 219d6b4f..9237116f 100644 --- a/roles/keepalived/templates/keepalived/keepalived.conf.j2 +++ b/roles/keepalived/templates/keepalived/keepalived.conf.j2 @@ -20,7 +20,7 @@ vrrp_instance VI_DAUR4 { priority 100 {% endif %} - interface eth1 + interface {{ keepalived.if_adm }} virtual_router_id 51 advert_int 2 authentication { @@ -46,7 +46,7 @@ vrrp_instance VI_DAUR6 { priority 100 {% endif %} - interface eth1 + interface {{ keepalived.if_adm }} virtual_router_id 51 advert_int 2 authentication { 
From 912f998168eecc10011932b446a3d1fc269de76f Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 2 May 2020 13:29:07 +0200 Subject: [PATCH 041/126] =?UTF-8?q?Il=20=C3=A9tait=20une=20fois,=20dans=20?= =?UTF-8?q?un=20virtu=20tr=C3=A8s=20tr=C3=A8s=20lointain?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- hosts | 2 +- interfaces.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts b/hosts index 32248d9f..6b4c2755 100644 --- a/hosts +++ b/hosts @@ -34,7 +34,7 @@ cas-srv.adm.crans.org dhcp.adm.crans.org eap.adm.crans.org ethercalc-srv.adm.crans.org -#frontdaur.adm.crans.org +frontdaur.adm.crans.org gitzly.adm.crans.org horde-srv.adm.crans.org ipv6-zayo.adm.crans.org diff --git a/interfaces.yml b/interfaces.yml index bce7ced2..b32a9d03 100755 --- a/interfaces.yml +++ b/interfaces.yml @@ -14,7 +14,7 @@ - switch - fil -- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org +- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org,frontdaur.adm.crans.org vars: vlan: - name: srv From d8a54c329abfc96a0ee84655c2d1831bac43076d Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Sat, 2 May 2020 14:17:00 +0200 Subject: [PATCH 042/126] [keepalived] Deploy keepalived on frontdaur --- re2o-api.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/re2o-api.yml b/re2o-api.yml index 0952348c..da0938f9 100755 --- a/re2o-api.yml +++ b/re2o-api.yml 
@@ -88,3 +88,20 @@ router_broadcast_wifinewserveurs: 10.53.0.255 roles: - keepalived + +# Deploy keepalived on frontdaur +- hosts: frontdaur.adm.crans.org + vars: + keepalived: + radius: false + router: false + proxy: true + proxy_primary: false + proxy_password: "{{ vault_keepalived_proxy_password }}" + if_adm: eth1 + if_srv: eth0 + proxy_ipv4_srv: 185.230.79.194 + proxy_broadcast_srv: 185.230.79.255 + proxy_ipv6_srv: 2a0c:700:0:24:ba:ccff:feda:aa00 + roles: + - keepalived From fd6fb1cdb3e44b43628b4dbb2b965dd0b9df0782 Mon Sep 17 00:00:00 2001 From: pa Date: Sat, 2 May 2020 15:43:26 +0200 Subject: [PATCH 043/126] [Framadate] log file creation --- roles/framadate/tasks/main.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml index 02c698e7..1452702c 100644 --- a/roles/framadate/tasks/main.yml +++ b/roles/framadate/tasks/main.yml @@ -37,9 +37,12 @@ retries: 3 until: composer_result is succeeded -# cd framadate -# sudo -u www-data touch admin/stdout.log -# sudo chmod 600 admin/stdout.log +- name: + file: + path: "{{ framadate.path }}/admin/stdout.log" + owner: www-data + state: touch + mode: 0600 - name: Indicate role in motd template: From 660f951c41640501056509d3311c0660f3167063 Mon Sep 17 00:00:00 2001 From: pa Date: Sat, 2 May 2020 15:56:27 +0200 Subject: [PATCH 044/126] [Framadate] Specify commit hash of develop branch --- services_web.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services_web.yml b/services_web.yml index 17515e3f..283f4482 100755 --- a/services_web.yml +++ b/services_web.yml @@ -9,7 +9,7 @@ vars: framadate: repo: https://framagit.org/framasoft/framadate/framadate.git - version: 1.1.10 + version: "77bf2aaa0c344fd25535e2d0543d9a76bf35b5fd" path: /var/www/framadate roles: - framadate From 0ece2dd51ca7b2ab8e012d6ab487c590062b6c0a Mon Sep 17 00:00:00 2001 
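Review bot: The new `file` task for `admin/stdout.log` has an empty `name:` and uses `state: touch` without `access_time`/`modification_time`, so it bumps the timestamps and reports `changed` on every run. Use `- name: Create framadate log file`, and add `access_time: preserve` and `modification_time: preserve` (Ansible 2.7+) so the task only changes anything when the file is actually created. `owner: www-data` with `mode: 0600` is appropriate for a log only PHP writes; a `group: www-data` would make the ownership fully explicit.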
From: pa Date: Sat, 2 May 2020 16:47:28 +0200 Subject: [PATCH 045/126] [Framdate] nginx configuration --- roles/framadate/tasks/main.yml | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml index 1452702c..80de2318 100644 --- a/roles/framadate/tasks/main.yml +++ b/roles/framadate/tasks/main.yml @@ -4,8 +4,8 @@ apt: update_cache: true name: - - apache2 - - libapache2-mod-php + - nginx + - php-fpm - php-intl - php-mbstring - php-pgsql @@ -37,15 +37,27 @@ retries: 3 until: composer_result is succeeded -- name: +- name: Create log file file: path: "{{ framadate.path }}/admin/stdout.log" owner: www-data state: touch mode: 0600 +- name: Configure nginx site + template: + src: nginx-site.j2 + dest: /etc/nginx/sites-available/framadate.conf + +- name: Enable nginx site + file: + src: /etc/nginx/sites-available/framadate.conf + dest: /etc/nginx/stes-enabled/framadate.conf + state: link + - name: Indicate role in motd template: src: update-motd.d/05-service.j2 dest: /etc/update-motd.d/05-framadate mode: 0755 + From af9d904ea30922b4ebe8265bdf0a695abfa86ddb Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 2 May 2020 16:54:42 +0200 Subject: [PATCH 046/126] [framadate] NGINX config --- roles/framadate/tasks/main.yml | 6 +-- roles/framadate/templates/nginx-site.j2 | 60 +++++++++++++++++++++++++ 2 files changed, 63 insertions(+), 3 deletions(-) create mode 100644 roles/framadate/templates/nginx-site.j2 diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml index 80de2318..507b86e2 100644 --- a/roles/framadate/tasks/main.yml +++ b/roles/framadate/tasks/main.yml 
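Review bot: `Enable nginx site` links into `/etc/nginx/stes-enabled/`, which presumably does not exist, so the site is never enabled; the `dest` should be `/etc/nginx/sites-enabled/framadate.conf`. Neither the template nor the link task notifies nginx, so even a correct path only takes effect at the next manual reload; adding `notify: Reload nginx` to both (with a matching handler in the role, none is visible here) closes that gap. Swapping apache2 for nginx/php-fpm in the `apt` list also leaves apache2 installed on hosts already provisioned with the old list unless a cleanup play removes it.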
@@ -47,12 +47,12 @@ - name: Configure nginx site template: src: nginx-site.j2 - dest: /etc/nginx/sites-available/framadate.conf + dest: /etc/nginx/sites-available/framadate - name: Enable nginx site file: - src: /etc/nginx/sites-available/framadate.conf - dest: /etc/nginx/stes-enabled/framadate.conf + src: /etc/nginx/sites-available/framadate + dest: /etc/nginx/sites-enabled/framadate state: link - name: Indicate role in motd diff --git a/roles/framadate/templates/nginx-site.j2 b/roles/framadate/templates/nginx-site.j2 new file mode 100644 index 00000000..ef963c3e --- /dev/null +++ b/roles/framadate/templates/nginx-site.j2 
@@ -0,0 +1,60 @@ +{{ ansible_header | comment }} + +server { + listen 80; + listen [::]:80; + + server_name framadate.crans.org; + + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self'"; + add_header Referrer-Policy "strict-origin"; + + root {{ framadate.path }}; + + index index.php; + + location ~^/(\.git)/{ + deny all; + } + + location ~ /\. { + deny all; + } + + location ~ ^/composer\.json.*$|^/composer\.lock.*$|^/php\.ini.*$|^/.*\.sh { + deny all; + } + + location /admin/ { + auth_basic "Restricted access"; + auth_basic_user_file /etc/nginx/.htpasswd; + + location ~ \.php$ { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include /etc/nginx/fastcgi_params; + fastcgi_pass unix:/run/php/php7.3-fpm.sock; + } + try_files $uri $uri/ =401; + } + + location / { + rewrite "^/admin$" "/admin/" permanent; + + # Clean URL + rewrite "^/([a-zA-Z0-9-]+)$" "/studs.php?poll=$1" last; + rewrite "^/([a-zA-Z0-9-]+)/action/([a-zA-Z_-]+)/(.+)$" "/studs.php?poll=$1&$2=$3" last; + rewrite "^/([a-zA-Z0-9-]+)/vote/([a-zA-Z0-9]{16})$" "/studs.php?poll=$1&vote=$2" last; + rewrite "^/([a-zA-Z0-9]{24})/admin$" "/adminstuds.php?poll=$1" last; + rewrite "^/([a-zA-Z0-9]{24})/admin/vote/([a-zA-Z0-9]{16})$" "/adminstuds.php?poll=$1&vote=$2" last; + rewrite "^/([a-zA-Z0-9]{24})/admin/action/([a-zA-Z_-]+)(/([A-Za-z0-9]+))?$" "/adminstuds.php?poll=$1&$2=$4" last; + try_files $uri /index.php; + } + + location ~ \.php$ { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + fastcgi_pass unix:/run/php/php7.3-fpm.sock; + } +} + From 628d4d08ade15f048dbf9be0606fccabe989f9fe Mon Sep 17 00:00:00 2001 
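Review bot: Both `location ~ \.php$` blocks hand `$document_root$fastcgi_script_name` to php-fpm without first checking that the file exists, so with php-fpm's default `cgi.fix_pathinfo=1` a request like `/some/static.file/x.php` can get the static file executed as PHP; adding `try_files $uri =404;` as the first line of each PHP location (the nested one under `/admin/` too) makes nginx answer 404 before the socket is reached. The `=401` in the admin `try_files` does not cover this because the inner regex location is matched first, hence the separate line. Framadate does not accept uploads as far as I know, so this is hardening rather than a live hole; the hard-coded `php7.3-fpm.sock` is a separate portability nit.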
From: Alexandre Iooss Date: Sat, 2 May 2020 18:00:09 +0200 Subject: [PATCH 047/126] Working FramaDate --- network.yml | 1 + roles/framadate/tasks/main.yml | 5 +++++ services_web.yml | 2 ++ 3 files changed, 8 insertions(+) diff --git a/network.yml b/network.yml index a6ec7a1c..16865b78 100755 --- a/network.yml +++ b/network.yml @@ -100,6 +100,7 @@ - {from: autoconfig.crans.org, to: 10.231.136.46} - {from: grafana.crans.org, to: 10.231.136.102} - {from: webirc.crans.org, to: "10.231.136.1:9000"} + - {from: framadate.crans.org, to: 185.230.79.194} # Zamok - {from: install-party.crans.org, to: 10.231.136.1} diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml index 507b86e2..4c39e3d5 100644 --- a/roles/framadate/tasks/main.yml +++ b/roles/framadate/tasks/main.yml @@ -44,6 +44,11 @@ state: touch mode: 0600 +- name: Configure admin password + copy: + content: "{{ framadate.admin_username }}:{{ framadate.admin_password_hash }}\n" + dest: /etc/nginx/.htpasswd + - name: Configure nginx site template: src: nginx-site.j2 diff --git a/services_web.yml b/services_web.yml index 283f4482..4c6f7d78 100755 --- a/services_web.yml +++ b/services_web.yml @@ -11,6 +11,8 @@ repo: https://framagit.org/framasoft/framadate/framadate.git version: "77bf2aaa0c344fd25535e2d0543d9a76bf35b5fd" path: /var/www/framadate + admin_username: framadate + admin_password_hash: "{{ vault_framadate_password_hash }}" roles: - framadate From c25f1df3c0c359e226a523bb5a1b67e03b43a83e Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 3 May 2020 10:03:12 +0200 Subject: [PATCH 048/126] Some changes in keepalived template --- re2o-api.yml | 17 +++++--------- roles/keepalived/tasks/main.yml | 3 +-- .../templates/keepalived/keepalived.conf.j2 | 22 +++++++++---------- 3 files changed, 17 insertions(+), 25 deletions(-) diff --git a/re2o-api.yml b/re2o-api.yml index da0938f9..2d04db0f 100755 --- a/re2o-api.yml +++ b/re2o-api.yml 
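Review bot: `Configure admin password` writes `/etc/nginx/.htpasswd` with `copy: content:` and no `owner`/`mode`, so the file is created with the run's umask (typically 0644) and the admin password hash is readable by every local account. Pinning `owner: root`, `group: www-data` and `mode: 0640` keeps it readable by the nginx workers (www-data on Debian) and nobody else. The file format is `user:hash`, so make sure `vault_framadate_password_hash` really holds an htpasswd-style hash and not the plaintext password; the play variable name suggests it does but does not enforce it.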
@@ -11,7 +11,6 @@ router: true router_password: "{{ vault_keepalived_router_password }}" router_primary: false - proxy: false if_serveurs: eth0.1 if_adm: eth0.2 if_bornes: eth0.3 @@ -55,11 +54,9 @@ - hosts: gulp.adm.crans.org vars: keepalived: - radius: false router: true router_password: "{{ vault_keepalived_router_password }}" router_primary: true - proxy: false if_serveurs: eno1.1 if_adm: eno1.2 if_bornes: eno1.3 @@ -93,15 +90,13 @@ - hosts: frontdaur.adm.crans.org vars: keepalived: - radius: false - router: false - proxy: true - proxy_primary: false - proxy_password: "{{ vault_keepalived_proxy_password }}" + proxy: + primary: false + password: "{{ vault_keepalived_proxy_password }}" + ipv4: 185.230.79.194 + ipv6: 2a0c:700:0:24:ba:ccff:feda:aa00 + broadcast: 185.230.79.255 if_adm: eth1 if_srv: eth0 - proxy_ipv4_srv: 185.230.79.194 - proxy_broadcast_srv: 185.230.79.255 - proxy_ipv6_srv: 2a0c:700:0:24:ba:ccff:feda:aa00 roles: - keepalived diff --git a/roles/keepalived/tasks/main.yml b/roles/keepalived/tasks/main.yml index e0678e1e..7efe258f 100644 --- a/roles/keepalived/tasks/main.yml +++ b/roles/keepalived/tasks/main.yml @@ -2,8 +2,7 @@ - name: Install keepalived apt: update_cache: true - name: - - keepalived + name: keepalived register: apt_result retries: 3 until: apt_result is succeeded diff --git a/roles/keepalived/templates/keepalived/keepalived.conf.j2 b/roles/keepalived/templates/keepalived/keepalived.conf.j2 index 9237116f..e488e71c 100644 --- a/roles/keepalived/templates/keepalived/keepalived.conf.j2 +++ b/roles/keepalived/templates/keepalived/keepalived.conf.j2 @@ -8,11 +8,11 @@ global_defs { smtp_server smtp.adm.crans.org } -{% if keepalived.proxy %} +{% if keepalived.proxy is defined %} vrrp_instance VI_DAUR4 { # We don't own the IP address, which allows manual triggering of IP change when machine comes UP # see man keepalived.conf. -{% if keepalived.proxy_primary %} +{% if keepalived.proxy.primary %} state MASTER priority 150 {% else %} 
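Review bot: Switching the guard to `{% if keepalived.proxy is defined %}` changes what an explicit `proxy: false` means: the re2o-api.yml hunks strip that key from two plays only, so any other host still carrying `proxy: false` (or `radius: false`) would now have the block rendered and fail on `keepalived.proxy.primary` with an undefined-variable error, since a boolean has no such attribute. `{% if keepalived.proxy is defined and keepalived.proxy %}` keeps both spellings working, or `is mapping` if the old form should be rejected loudly. The same applies to the radius and router guards further down, which are outside this hunk.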
@@ -25,20 +25,18 @@ vrrp_instance VI_DAUR4 { advert_int 2 authentication { auth_type PASS - auth_pass {{ keepalived.proxy_password }} + auth_pass {{ keepalived.proxy.password }} } virtual_ipaddress { - {{ keepalived.proxy_ipv4 }}/32 brd 138.231.143.255 dev eth0 scope global + {{ keepalived.proxy.ipv4 }}/32 brd {{ keepalived.proxy.broadcast }} dev {{ keepalived.if_srv }} scope global } } -{% endif %} -{% if keepalived.proxy %} vrrp_instance VI_DAUR6 { # We don't own the IP address, which allows manual triggering of IP change when machine comes UP # see man keepalived.conf. -{% if keepalived.proxy_primary %} +{% if keepalived.proxy.primary %} state MASTER priority 150 {% else %} @@ -51,16 +49,16 @@ vrrp_instance VI_DAUR6 { advert_int 2 authentication { auth_type PASS - auth_pass {{ keepalived.proxy_password }} + auth_pass {{ keepalived.proxy.password }} } virtual_ipaddress { - {{ keepalived.proxy_ipv6 }}/64 dev eth0 scope global + {{ keepalived.proxy.ipv6 }}/64 dev {{ keepalived.if_srv }} scope global } } {% endif %} -{% if keepalived.radius %} +{% if keepalived.radius is defined %} vrrp_instance VI_RAD4 { # We don't own the IP address, which allows manual triggering of IP change when machine comes UP # see man keepalived.conf. @@ -90,7 +88,7 @@ vrrp_instance VI_RAD4 { } {% endif %} -{% if keepalived.radius %} +{% if keepalived.radius is defined %} vrrp_instance VI_RAD6 { # We don't own the IP address, which allows manual triggering of IP change when machine comes UP # see man keepalived.conf. @@ -120,7 +118,7 @@ vrrp_instance VI_RAD6 { } {% endif %} -{% if keepalived.router %} +{% if keepalived.router is defined %} vrrp_instance VI_ROUT { # We don't own the IP address, which allows manual triggering of IP change when machine comes UP # see man keepalived.conf. From 611d0e70f85b017ee5319f7ee2a6b7322a582f48 Mon Sep 17 00:00:00 2001 
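Review bot: `auth_pass {{ keepalived.proxy.password }}` feeds a vault secret into VRRP `auth_type PASS`, and keepalived only uses the first eight characters of `auth_pass` (keepalived.conf(5); check the installed version), so a long generated password is silently truncated and eight characters is the real strength; PASS authentication also puts that string on the wire in cleartext on the adm segment, so anyone on that VLAN can read it and send their own adverts. Treat it as a misconfiguration guard rather than a security boundary: keep the vault value at eight characters so the truncation is not a surprise, and restrict VRRP (IP protocol 112) on `{{ keepalived.if_adm }}` to the peer's address with the host firewall if that is not already done. With only two fixed peers, keepalived's `unicast_peer` is the usual way to stop relying on multicast on a shared segment.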
From: Alexandre Iooss Date: Sun, 3 May 2020 10:47:29 +0200 Subject: [PATCH 049/126] Ansible on bakdaur --- clean_servers.yml | 2 ++ interfaces.yml | 2 +- re2o-api.yml | 15 +++++++++++++++ 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/clean_servers.yml b/clean_servers.yml index e6198e87..0f68d4cc 100755 --- a/clean_servers.yml +++ b/clean_servers.yml @@ -45,6 +45,8 @@ - acpid - xscreensaver # was on owncloud - openbsd-inetd + - byobu # we already have screen and tmux + - ipython # go use ipython3! register: apt_result retries: 3 until: apt_result is succeeded diff --git a/interfaces.yml b/interfaces.yml index b32a9d03..04b2d828 100755 --- a/interfaces.yml +++ b/interfaces.yml @@ -14,7 +14,7 @@ - switch - fil -- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org,frontdaur.adm.crans.org +- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org,frontdaur.adm.crans.org,bakdaur.adm.crans.org vars: vlan: - name: srv diff --git a/re2o-api.yml b/re2o-api.yml index 2d04db0f..0ce54882 100755 --- a/re2o-api.yml +++ b/re2o-api.yml @@ -100,3 +100,18 @@ if_srv: eth0 roles: - keepalived + +# Deploy keepalived on bakdaur +- hosts: bakdaur.adm.crans.org + vars: + keepalived: + proxy: + primary: true + password: "{{ vault_keepalived_proxy_password }}" + ipv4: 185.230.79.194 + ipv6: 2a0c:700:0:24:ba:ccff:feda:aa00 + broadcast: 185.230.79.255 + if_adm: eth0 + if_srv: eth1 + roles: + - keepalived From 8de8c49f731cbd89e6d2171445490368f654c000 Mon Sep 17 00:00:00 2001 
From: Alexandre Iooss Date: Sun, 3 May 2020 11:01:28 +0200 Subject: [PATCH 050/126] Ouspi, framdate was using srv ip --- network.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network.yml b/network.yml index 16865b78..e007de0f 100755 --- a/network.yml +++ b/network.yml @@ -100,7 +100,7 @@ - {from: autoconfig.crans.org, to: 10.231.136.46} - {from: grafana.crans.org, to: 10.231.136.102} - {from: webirc.crans.org, to: "10.231.136.1:9000"} - - {from: framadate.crans.org, to: 185.230.79.194} + - {from: framadate.crans.org, to: 10.231.136.153} # Zamok - {from: install-party.crans.org, to: 10.231.136.1} From 108884732652b08e15fc54eca2a5f40c0844b252 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 3 May 2020 12:51:16 +0200 Subject: [PATCH 051/126] SSL snippet and drop TLS 1.0 and 1.1 --- roles/nginx-reverseproxy/tasks/main.yml | 16 +++++---- .../templates/letsencrypt/dhparam.j2 | 8 +++++ .../nginx/{ => sites-available}/redirect.j2 | 34 +++++-------------- .../{ => sites-available}/reverseproxy.j2 | 17 +++------- .../reverseproxy_redirect_dname.j2 | 17 +++------- .../nginx/snippets/options-ssl.conf.j2 | 17 ++++++++++ 6 files changed, 51 insertions(+), 58 deletions(-) create mode 100644 roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 rename roles/nginx-reverseproxy/templates/nginx/{ => sites-available}/redirect.j2 (58%) rename roles/nginx-reverseproxy/templates/nginx/{ => sites-available}/reverseproxy.j2 (75%) rename roles/nginx-reverseproxy/templates/nginx/{ => sites-available}/reverseproxy_redirect_dname.j2 (61%) create mode 100644 roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml index 1fee6a3c..55af7c18 100644 --- a/roles/nginx-reverseproxy/tasks/main.yml +++ b/roles/nginx-reverseproxy/tasks/main.yml 
@@ -9,15 +9,19 @@ retries: 3 until: apt_result is succeeded -- name: Copy certbot SSL snippet - copy: - remote_src: true - src: /usr/lib/python3/dist-packages/certbot_nginx/options-ssl-nginx.conf - dest: /etc/letsencrypt/options-ssl-nginx.conf +- name: Copy snippets + template: + src: nginx/snippets/options-ssl.conf.j2 + dest: /etc/nginx/snippets/options-ssl.conf + +- name: Copy dhparam + template: + src: letsencrypt/dhparam.j2 + dest: /etc/letsencrypt/dhparam - name: Copy reverse proxy sites template: - src: "nginx/{{ item }}.j2" + src: "nginx/sites-available/{{ item }}.j2" dest: "/etc/nginx/sites-available/{{ item }}" loop: - reverseproxy diff --git a/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 b/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 new file mode 100644 index 00000000..9b182b72 --- /dev/null +++ b/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- diff --git a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 similarity index 58% rename from roles/nginx-reverseproxy/templates/nginx/redirect.j2 rename to roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 index 4d60807e..9cdb545b 100644 --- a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 
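Review bot: `Copy dhparam` installs a fixed DH group from `letsencrypt/dhparam.j2` with nothing recording where it came from; the base64 looks like the RFC 7919 ffdhe2048 group that ssl-config.mozilla.org distributes, which is the right choice, but the next maintainer will either suspect a leaked secret or "regenerate" it with `openssl dhparam`. A Jinja comment at the top of the template renders to nothing and documents it: `{# RFC 7919 ffdhe2048, from https://ssl-config.mozilla.org/ffdhe2048.txt: a published group, not a secret; do not regenerate #}`. Neither new template task has a `notify`, so a changed snippet or dhparam is only picked up at the next nginx reload; no handler is visible in this hunk.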
@@ -15,22 +15,13 @@ server { # Redirect https://{{ site.from }} to https://{{ site.to }} server { - listen 443; - listen [::]:443; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name {{ site.from }}; - ssl on; - ssl_certificate {{ nginx.ssl.cert }}; - ssl_certificate_key {{ nginx.ssl.cert_key }}; - - # SSL ciphers updated by Debian - include "/etc/letsencrypt/options-ssl-nginx.conf"; - - # Enable OCSP Stapling, point to certificate chain - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; location / { return 302 https://{{ site.to }}$request_uri; @@ -58,22 +49,13 @@ server { # Redirect https://{{ from }} to https://{{ site.to }} server { - listen 443; - listen [::]:443; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name {{ from }}; - ssl on; - ssl_certificate {{ nginx.ssl.cert }}; - ssl_certificate_key {{ nginx.ssl.cert_key }}; - - # SSL ciphers updated by Debian - include "/etc/letsencrypt/options-ssl-nginx.conf"; - - # Enable OCSP Stapling, point to certificate chain - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; location / { return 302 https://{{ site.to }}$request_uri; diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 similarity index 75% rename from roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 rename to roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 index 31c34462..50ef7b2e 100644 --- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 
@@ -15,22 +15,13 @@ server { # Reverse proxify https://{{ site.from }} to http://{{ site.to }} server { - listen 443; - listen [::]:443; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name {{ site.from }}; - ssl on; - ssl_certificate {{ nginx.ssl.cert }}; - ssl_certificate_key {{ nginx.ssl.cert_key }}; - - # SSL ciphers updated by Debian - include "/etc/letsencrypt/options-ssl-nginx.conf"; - - # Enable OCSP Stapling, point to certificate chain - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; # Log into separate log files access_log /var/log/nginx/{{ site.from }}.log; diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 similarity index 61% rename from roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 rename to roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 index 8fc57808..db2084a4 100644 --- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 @@ -19,22 +19,13 @@ server { # Redirect https://{{ from }} to https://{{ to }} server { - listen 443; - listen [::]:443; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name {{ from }}; - ssl on; - ssl_certificate {{ nginx.ssl.cert }}; - ssl_certificate_key {{ nginx.ssl.cert_key }}; - - # SSL ciphers updated by Debian - include "/etc/letsencrypt/options-ssl-nginx.conf"; - - # Enable OCSP Stapling, point to certificate chain - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; location / { return 302 https://{{ to }}$request_uri; 
diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
new file mode 100644
index 00000000..c585cc26
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
@@ -0,0 +1,17 @@
+{{ ansible_header | comment }}
+
+ssl_certificate {{ nginx.ssl.cert }};
+ssl_certificate_key {{ nginx.ssl.cert_key }};
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+ssl_dhparam /etc/letsencrypt/dhparam;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# Enable OCSP Stapling, point to certificate chain
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
From 6bc22ab1165d7782c10734d43420ed2d8c8e50a4 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 3 May 2020 14:19:00 +0200 Subject: [PATCH 052/126] Grafana on :3000 --- network.yml | 2 +- roles/grafana/tasks/main.yml | 10 ---------- 2 files changed, 1 insertion(+), 11 deletions(-)
diff --git a/network.yml b/network.yml
index e007de0f..8f70b911 100755
--- a/network.yml
+++ b/network.yml
@@ -98,7 +98,7 @@ - {from: re2o.crans.org, to: 10.231.136.9} - {from: intranet.crans.org, to: 10.231.136.9} - {from: autoconfig.crans.org, to: 10.231.136.46} - - {from: grafana.crans.org, to: 10.231.136.102} + - {from: grafana.crans.org, to: "10.231.136.102:3000"} - {from: webirc.crans.org, to: "10.231.136.1:9000"} - {from: framadate.crans.org, to: 10.231.136.153}
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
index 1442c08f..1d472f15 100644
--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
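Review bot: `ssl_stapling on;` in the new `options-ssl.conf.j2` has no accompanying `resolver` directive, and nginx needs one to look up the OCSP responder host; without it nginx warns at startup that no resolver is defined and stapling is silently not performed, unless a `resolver` already exists in the enclosing `http` block, which this diff does not show. The snippet otherwise follows the Mozilla intermediate profile (`ssl_prefer_server_ciphers off`, `ssl_session_tickets off`, TLS 1.2/1.3) but leaves out that profile's `add_header Strict-Transport-Security "max-age=63072000" always;`, which may be deliberate since the snippet is also included by the redirect-only vhosts. Adding `resolver <DNS resolver address> valid=300s;` next to `ssl_stapling on;`, or confirming one is set in `nginx.conf`, would make stapling effective.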
@@ -33,13 +33,6 @@ retries: 3 until: apt_result is succeeded -# This capability enables grafana to bind :80 -- name: Add cap_net_bind_service to grafana - capabilities: - path: /usr/sbin/grafana-server - capability: cap_net_bind_service+ep - state: present - - name: Configure Grafana ini_file: path: /etc/grafana/grafana.ini @@ -48,9 +41,6 @@ value: "{{ item.value }}" mode: 0640 loop: - - section: server - option: http_port - value: "80" - section: server option: root_url value: "{{ grafana_root_url }}" From 80dd183a8664fc59cd59947024cc1442286c961c Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 3 May 2020 15:19:29 +0200 Subject: [PATCH 053/126] [nginx] Reverse WebSocket --- network.yml | 2 +- roles/nginx-reverseproxy/tasks/main.yml | 7 +++++-- .../nginx/sites-available/reverseproxy.j2 | 13 ++++++++----- .../nginx/snippets/options-proxypass.conf.j2 | 17 +++++++++++++++++ 4 files changed, 31 insertions(+), 8 deletions(-) create mode 100644 roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 diff --git a/network.yml b/network.yml index 8f70b911..23160615 100755 --- a/network.yml +++ b/network.yml @@ -74,7 +74,7 @@ # Services web Crans - {from: lutim.crans.org, to: 10.231.136.69} - {from: zero.crans.org, to: 10.231.136.76} - - {from: pad.crans.org, to: 10.231.136.76} + - {from: pad.crans.org, to: "10.231.136.76:9001"} - {from: ethercalc.crans.org, to: 10.231.136.203} - {from: mediadrop.crans.org, to: 10.231.136.106} - {from: videos.crans.org, to: 10.231.136.106} diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml index 55af7c18..5a0e298f 100644 --- a/roles/nginx-reverseproxy/tasks/main.yml +++ b/roles/nginx-reverseproxy/tasks/main.yml 
@@ -11,8 +11,11 @@ - name: Copy snippets template: - src: nginx/snippets/options-ssl.conf.j2 - dest: /etc/nginx/snippets/options-ssl.conf + src: "nginx/snippets/{{ item }}.j2" + dest: "/etc/nginx/snippets/{{ item }}" + loop: + - options-ssl.conf + - options-proxypass.conf - name: Copy dhparam template: diff --git a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 index 50ef7b2e..52a278bf 100644 --- a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 @@ -1,5 +1,12 @@ {{ ansible_header | comment }} +# Automatic Connection header for WebSocket support +# See http://nginx.org/en/docs/http/websocket.html +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + {% for site in nginx.reverseproxy_sites %} # Redirect http://{{ site.from }} to https://{{ site.from }} server { @@ -41,12 +48,8 @@ server { real_ip_header P-Real-Ip; location / { - proxy_set_header Host {{ site.from }}; - proxy_set_header P-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - proxy_redirect off; proxy_pass http://{{ site.to }}; + include "/etc/nginx/snippets/options-proxypass.conf"; } } diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 new file mode 100644 index 00000000..a14f3b7f --- /dev/null +++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 
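Review bot: In the second `reverseproxy.j2` hunk the removed `proxy_set_header P-Real-IP $remote_addr;` is replaced by the snippet's `X-Real-IP`, so a backend configured to trust the custom `P-Real-IP` name (the context line `real_ip_header P-Real-Ip;` just above suggests that name was chosen on purpose) stops receiving the client address under it and will log the proxy's address instead. Either keep `proxy_set_header P-Real-IP $remote_addr;` in the `location /` block next to the `include`, or update the backends to read `X-Real-IP`. `Host` also changes from the fixed `{{ site.from }}` to `$host`, which follows the client's Host header when one is present; with a dedicated `server_name` per site these normally agree, but it is worth confirming for any default-server vhost. The enclosing `server` block starts before this hunk.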
@@ -0,0 +1,17 @@
+{{ ansible_header | comment }}
+
+proxy_redirect off;
+proxy_set_header Host $host;
+
+# Pass the real client IP
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+# Tell proxified server that we are HTTPS, fix Wordpress
+proxy_set_header X-Forwarded-Proto https;
+
+# WebSocket support
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+
From f73b136b1ec6538d395d0c1a4ff29d1e27654124 Mon Sep 17 00:00:00 2001 From: Bombar Maxime Date: Sun, 3 May 2020 15:49:06 +0200 Subject: [PATCH 054/126] [re2o_lookup] Use cache_plugin if available to store authentication token --- ansible.cfg | 7 ++- lookup_plugins/re2oapi.py | 112 +++++++++++++++++++++++--------------- 2 files changed, 73 insertions(+), 46 deletions(-)
diff --git a/ansible.cfg b/ansible.cfg
index 5b23c72b..85718531 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -50,5 +50,8 @@ use_cpasswords = True cache = jsonfile # Time in second before the cache expired. 0 means never expire cache. -# Default is 120 seconds. -timeout = 120 +# Default is 24 hours. +timeout = 86400 + +# Default is 12 hours. +timeout_token = 43200
diff --git a/lookup_plugins/re2oapi.py b/lookup_plugins/re2oapi.py
index 53d23555..e1f1041b 100644
--- a/lookup_plugins/re2oapi.py
+++ b/lookup_plugins/re2oapi.py
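Review bot: `proxy_set_header Connection $connection_upgrade;` in the new snippet depends on the `map $http_upgrade $connection_upgrade` block that the previous hunk adds to `sites-available/reverseproxy.j2`, so the snippet is only valid while that particular site is enabled; any other vhost that includes `options-proxypass.conf` without it fails `nginx -t` on an unknown variable. Moving the map into a `conf.d` fragment shipped by the same `Copy snippets` task would remove that coupling. `proxy_set_header X-Forwarded-Proto https;` is hard-coded rather than `$scheme`, which is correct only as long as the snippet is included exclusively from TLS server blocks, as it is in this diff; a comment stating that assumption next to the line would prevent a wrong value if it is later reused on port 80.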
@@ -30,38 +30,67 @@ from ansible.config.manager import ConfigManager # Ansible Logger to stdout display = Display() -# Number of seconds before expiration where renewing the token is done -TIME_FOR_RENEW = 120 # Default name of the file to store tokens. Path $HOME/{DEFAUlt_TOKEN_FILENAME} DEFAULT_TOKEN_FILENAME = '.re2o.token' +# If no plugin is used, then use this as token timeout. +# Overriden by key timeout_token from ansible configuration. +TIME_FOR_RENEW = 43200 # 12 jours class Client: """ Class based client to contact re2o API. """ - def __init__(self, hostname, username, password, use_tls=True): + def __init__(self, hostname, username, password, + use_tls=True, cachetoken=None): """ :arg hostname: The hostname of the Re2o instance to use. :arg username: The username to use. :arg password: The password to use. :arg use_tls: A boolean to specify whether the client should use a a TLS connection. Default is True. Please, keep it. + :arg cachetoken: The cache to use to manage authentication token. + If it is None, then store the token in a file. """ self.use_tls = use_tls self.hostname = hostname self._username = username self._password = password - - self.token_file = Path.home() / DEFAULT_TOKEN_FILENAME + self._cachetoken = cachetoken + self.token_file = None + if self._cachetoken is None: + self.token_file = Path.home() / DEFAULT_TOKEN_FILENAME + display.vvv("Setting token file to {}".format(self.token_file)) + else: + try: + display.vvv("Using {} as cache plugin" + .format(self._cachetoken.plugin_name)) + except AttributeError: + # Happens when plugin_name is not implemented... 
+ # For example with memcached + display.vvv("Using cache plugin specified in configuration.") display.v("Connecting to {hostname} as user {user}".format( hostname=to_native(self.hostname), user=to_native(self._username))) - try: - self.token = self._get_token_from_file() - except AnsibleFileNotFound: - display.vv("Force renew the token") - self._force_renew_token() + + @property + def token(self): + if self._cachetoken: + display.vvv("Trying to get token from cache.") + if self._cachetoken.contains("auth_token"): + display.vvv("Found token in cache.") + return self._cachetoken.get("auth_token") + else: + display.vvv("Token not found. Forcing renew.") + return self._force_renew_token() + else: + try: + token = self._get_token_from_file() + if token['expiration'] < datetime.datetime.now() + \ + datetime.timedelta(seconds=TIME_FOR_RENEW): + return self._force_renew_token() + except AnsibleError: + return self._force_renew_token() def _get_token_from_file(self): display.vv("Trying to fetch token from {}".format(self.token_file)) @@ -95,13 +124,18 @@ class Client: ) ) else: - display.vv("""Token successfully retreived from - file {token}""".format(token=self.token_file)) + display.vv("Token successfully retreived from " + "file {token}".format(token=self.token_file)) return ret def _force_renew_token(self): - self.token = self._get_token_from_server() - self._save_token_to_file() + token = self._get_token_from_server() + if self._cachetoken: + display.vvv("Storing authentication token in cache") + self._cachetoken.set("auth_token", token.get('token')) + else: + self._save_token_to_file(token) + return token.get('token') def _get_token_from_server(self): display.vv("Requesting a new token for {user}@{host}".format( 
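Review bot: The file-backed branch of the new `token` property never returns the token it reads: after `token = self._get_token_from_file()` the body only returns on the expiry path or on `AnsibleError`, so a still-valid token on disk makes the property evaluate to `None` and `_request` then sends `Authorization: Token None`; the 401 retry in `_request` presumably masks this by renewing on every call, at the cost of a wasted request and a token rewrite each time. Adding `return token['token']` after the expiry check (in an `else:` of the `if`, or as the last statement of the `try`) fixes it; the cache branch is fine because `_force_renew_token` returns `token.get('token')`. The comment on `TIME_FOR_RENEW = 43200  # 12 jours` should say 12 hours, matching the `timeout_token` default in `ansible.cfg`. `Client` continues outside the hunk.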
@@ -141,7 +175,7 @@ class Client: def _parse_date(self, date, date_format="%Y-%m-%dT%H:%M:%S"): return datetime.datetime.strptime(date.split('.')[0], date_format) - def _save_token_to_file(self): + def _save_token_to_file(self, token): display.vv("Saving token to file {}".format(self.token_file)) try: # Read previous data to avoid erasures @@ -155,8 +189,8 @@ class Client: if self.hostname not in data.keys(): data[self.hostname] = {} data[self.hostname][self._username] = { - 'token': self.token['token'], - 'expiration': self.token['expiration'].isoformat(), + 'token': token['token'], + 'expiration': token['expiration'].isoformat(), } try: @@ -171,22 +205,6 @@ class Client: display.vv("Token successfully written to file {}" .format(self.token_file)) - def get_token(self): - """ - Retrieves the token to use for the current connection. - Automatically renewed if needed. - """ - if self.need_renew_token: - self._force_renew_token() - - return self.token['token'] - - @property - def need_renew_token(self): - return self.token['expiration'] < \ - datetime.datetime.now() + \ - datetime.timedelta(seconds=TIME_FOR_RENEW) - def _request(self, method, url, headers={}, params={}, *args, **kwargs): display.vv("Building the {method} request to {url}.".format( method=method.upper(), @@ -194,9 +212,9 @@ class Client: )) # Force the 'Authorization' field with the right token. - display.vvv("Forcing authentication token.") + display.vvv("Forcing authentication token in headers.") headers.update({ - 'Authorization': 'Token {}'.format(self.get_token()) + 'Authorization': 'Token {}'.format(self.token) }) # Use a json format unless the user already specified something 
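Review bot: `headers.update({'Authorization': 'Token {}'.format(self.token)})` writes into the `headers={}` mutable default from `_request`'s signature (context line above the hunk), so the token of one `Client` is left in a dict shared by every later call, and by every other `Client` instance, that omits `headers`; the value is overwritten on each call so nothing stale is sent, but a token leaking into a module-wide default is not what the code intends. The signature predates this commit, but since the hunk touches the line, `headers=None, params=None` with `headers = dict(headers or {})` at the top of `_request` would keep each request's headers private.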
@@ -215,10 +233,10 @@ class Client: # Force re-login to the server (case of a wrong token but valid # credentials) and then retry the request without catching errors. display.vv("Token refused. Trying to refresh the token.") - self._force_renew_token() + token = self._force_renew_token() headers.update({ - 'Authorization': 'Token {}'.format(self.get_token()) + 'Authorization': 'Token {}'.format(token) }) display.vv("Re-performing the request {method} {url}".format( method=method.upper(), @@ -342,11 +360,11 @@ class LookupModule(LookupBase): - debug: var=dnszones """ - def _readconfig(self, section="re2o", key=None, boolean=False, - integer=False): + def _readconfig(self, section="re2o", key=None, default=None, + boolean=False, integer=False): config = self._config if not config: - return None + return default else: if config.has_option(section, key): display.vvv("Found key {} in configuration file".format(key)) @@ -373,7 +391,9 @@ class LookupModule(LookupBase): self._use_cpasswords = None self._cache_plugin = None self._cache = None - self._timeout = 120 + self._timeout = 86400 # 1 day + self._cachetoken = None + self._timeouttoken = TIME_FOR_RENEW # 12 hours if self._config.has_section("re2o"): display.vvv("Found section re2o in configuration file") @@ -382,7 +402,11 @@ class LookupModule(LookupBase): self._use_cpasswords = self._readconfig(key="use_cpasswords", boolean=True) self._cache_plugin = self._readconfig(key="cache") - self._timeout = self._readconfig(key="timeout", integer=True) + self._timeout = self._readconfig(key="timeout", integer=True, + default=86400) + self._timeouttoken = self._readconfig(key="timeout_token", + integer=True, + default=TIME_FOR_RENEW) if self._cache_plugin is not None: display.vvv("Using {} as cache plugin".format(self._cache_plugin)) 
@@ -450,8 +474,8 @@ class LookupModule(LookupBase): 'You must specify a valid password to connect to re2oAPI' )) - api_client = Client(api_hostname, api_username, - api_password, use_tls=True) + api_client = Client(api_hostname, api_username, api_password, + use_tls=True, cachetoken=self._cachetoken) res = [] dterms = collections.deque(terms) From c0e02b29ba88fd25fe8bd8bb02d218238abecbb8 Mon Sep 17 00:00:00 2001 From: Bombar Maxime Date: Sun, 3 May 2020 15:49:58 +0200 Subject: [PATCH 055/126] [re2o_lookup] Add support for json, yaml, pickle and memcached cache plugins. --- ansible.cfg | 5 +++ lookup_plugins/re2oapi.py | 68 ++++++++++++++++++++++++++++----------- 2 files changed, 55 insertions(+), 18 deletions(-) diff --git a/ansible.cfg b/ansible.cfg index 85718531..149b1ce6 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -49,6 +49,11 @@ use_cpasswords = True # Specify cache plugin for re2o API. By default, cache nothing cache = jsonfile +# Only used for memcached plugin +# List of connection information for the memcached DBs +# Default is ['127.0.0.1:11211'] +# memcached_connection = ['127.0.0.1:11211'] + # Time in second before the cache expired. 0 means never expire cache. # Default is 24 hours. timeout = 86400 diff --git a/lookup_plugins/re2oapi.py b/lookup_plugins/re2oapi.py index e1f1041b..2a8b4819 100644 --- a/lookup_plugins/re2oapi.py +++ b/lookup_plugins/re2oapi.py 
@@ -374,6 +374,27 @@ class LookupModule(LookupBase): return config.getint(section, key) else: return config.get(section, key) + else: + return default + + def _manage_cachedir(self, cachedir=None, plugin=None): + try: + self._uri = cachedir / plugin + except Exception: + raise AnsibleError("Undefined specification for cache plugin") + + display.vvv("Cache directory is {}".format(self._uri)) + if not self._uri.exists(): + # Creates Ansible cache directory with right permissions + # if it doesn't exist yet. + display.vvv("Cache directory doesn't exist. Creating it.") + try: + self._uri.mkdir(mode=0o700, parents=True) + except Exception as e: + raise AnsibleError("""Unable to create {dir}. + Original error was : {err}""".format(dir=self._uri, + err=to_native(e))) + def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) 
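Review bot: `_manage_cachedir` checks `self._uri.exists()` and then calls `mkdir(mode=0o700, parents=True)`, which races with a concurrent lookup creating the same directory and turns into `FileExistsError` caught by the blanket `except Exception`; `self._uri.mkdir(mode=0o700, parents=True, exist_ok=True)` removes both the check and the race. `mode=0o700` applies only to the final `json`/`yaml`/`pickle` component, while the intermediate `.cache/ansible/re2oapi` parents get the umask default, which is acceptable only because the cache files live in the leaf, so a comment saying so would help. Both `raise AnsibleError(...)` statements drop the original traceback; `raise AnsibleError(...) from e` keeps it, and the first `try` around `cachedir / plugin` could name the `TypeError` it is really guarding against. `__init__` follows outside the hunk.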
@@ -410,29 +431,36 @@ class LookupModule(LookupBase): if self._cache_plugin is not None: display.vvv("Using {} as cache plugin".format(self._cache_plugin)) + cachedir = Path.home() / ".cache/ansible/re2oapi" if self._cache_plugin == 'jsonfile': - self._cachedir = Path.home() / ".cache/Ansible/re2oapi" - display.vvv("Cache directory is {}".format(self._cachedir)) - if not self._cachedir.exists(): - # Creates Ansible cache directory with right permissions - # if it doesn't exist yet. - display.vvv("Cache directory doesn't exist. Creating it.") - try: - self._cachedir.mkdir(mode=0o700, parents=True) - except Exception as e: - raise AnsibleError("""Unable to create {dir}. - Original error was : {err}""" - .format(dir=self._cachedir, - err=to_native(e))) - self._cache = cache_loader.get('jsonfile', - _uri=self._cachedir, - _timeout=self._timeout, - ) + self._manage_cachedir(cachedir=cachedir, plugin='json') + elif self._cache_plugin == 'yaml': + self._manage_cachedir(cachedir=cachedir, plugin='yaml') + elif self._cache_plugin == 'pickle': + self._manage_cachedir(cachedir=cachedir, plugin='pickle') + elif self._cache_plugin == 'memcached': + # requires packages python3-memcache and memcached + display.vvvv("Please make sure you have installed packages" + "python3-memcache and memcached" + ) + self._uri = self._readconfig(key='memcached_connection', + default=['127.0.0.1:11211'], + ) else: raise AnsibleError("Cache plugin {} not supported" .format(self._cache_plugin)) + self._cache = cache_loader.get(self._cache_plugin, + _uri=self._uri, + _timeout=self._timeout, + ) + self._cachetoken = cache_loader.get(self._cache_plugin, + _uri=self._uri, + _timeout=self._timeouttoken, + ) + + def run(self, terms, variables=None, api_hostname=None, api_username=None, api_password=None, use_tls=True): 
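Review bot: With the new `memcached` branch, the token cache created by `cache_loader.get(self._cache_plugin, _uri=self._uri, _timeout=self._timeouttoken)` stores the re2o API token in plaintext on a service that has no authentication, so anyone who can reach the configured memcached address can read and reuse it; the default `127.0.0.1:11211` limits that to local users, but `memcached_connection` accepts any host and the `vvvv` hint says nothing about it. A `display.warning("memcached cache stores the API token unencrypted; use a local or access-controlled instance")` in that branch would document the exposure. Two smaller points: the implicit concatenation in `display.vvvv("Please make sure you have installed packages" "python3-memcache and memcached")` lacks a space and prints `packagespython3-memcache`; and `_readconfig` returns a string for `memcached_connection` while the default is a list, so `_uri` has two different shapes depending on whether the key is set (whether the memcached plugin consumes `_uri` at all is not visible here).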
@@ -546,7 +574,7 @@ class LookupModule(LookupBase): zones_name = [zone["name"][1:] for zone in zones] display.vvv("Storing dnszones in cache.") self._set_cache('dnszones', zones_name) - + display.vvv('\n') return zones_name def _getreverse(self, api_client): @@ -615,6 +643,7 @@ class LookupModule(LookupBase): display.vvv("Storing dns reverse zones in cache.") self._set_cache('dnsreverse', list(set(res))) + display.vvv('\n') return res def _rawquery(self, api_client, endpoint): @@ -629,6 +658,8 @@ class LookupModule(LookupBase): res = api_client.list(endpoint) display.vvv("Storing result in cache.") self._set_cache(endpoint.replace('/', '_'), res) + + display.vvv('\n') return res def _get_role(self, api_client, role_name): @@ -655,4 +686,5 @@ class LookupModule(LookupBase): display.vvv("Storing {} in cache.".format(role_name)) self._set_cache(role_name, res) + display.vvv('\n') return res From cb6e85880482eac80431b48064eda8d67e60479b Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Mon, 4 May 2020 12:19:32 +0200 Subject: [PATCH 056/126] =?UTF-8?q?[nginx-reverseproxy]=20Trailing=20space?= =?UTF-8?q?s=E2=80=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../templates/nginx/sites-available/reverseproxy.j2 | 2 +- .../templates/nginx/snippets/options-ssl.conf.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 index 52a278bf..0898da05 100644 --- a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 @@ -36,7 +36,7 @@ server { # Keep the TCP connection open a bit for faster browsing keepalive_timeout 70; - + # Custom error page error_page 500 502 503 504 /50x.html; location = /50x.html { 
diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 index c585cc26..1a9273a8 100644 --- a/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 @@ -3,7 +3,7 @@ ssl_certificate {{ nginx.ssl.cert }}; ssl_certificate_key {{ nginx.ssl.cert_key }}; ssl_session_timeout 1d; -ssl_session_cache shared:MozSSL:10m; +ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; ssl_dhparam /etc/letsencrypt/dhparam; ssl_protocols TLSv1.2 TLSv1.3; From 38ff5c192ff5a4e6daec61c662091dd6078e4bd3 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Wed, 6 May 2020 12:59:08 +0200 Subject: [PATCH 057/126] Fix nginx max body size --- .../templates/nginx/snippets/options-proxypass.conf.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 index a14f3b7f..0b864a68 100644 --- a/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 @@ -15,3 +15,5 @@ proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; +# For Owncloud WebDav +client_max_body_size 10G; From 539706f1136b2b6a7e459a3afa2d88b15eea13ef Mon Sep 17 00:00:00 2001 From: Bombar Maxime Date: Thu, 7 May 2020 14:02:29 +0200 Subject: [PATCH 058/126] Remove /etc/default/bcfg2 on ansible managed hosts. --- clean_servers.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/clean_servers.yml b/clean_servers.yml index 0f68d4cc..79b61bd5 100755 --- a/clean_servers.yml +++ b/clean_servers.yml 
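Review bot: `client_max_body_size 10G;` placed in `options-proxypass.conf.j2` applies to every proxied site that includes the snippet, not only to the OwnCloud WebDAV endpoint the comment names, so each vhost now accepts 10 GiB request bodies that nginx buffers to disk before forwarding (request buffering is not disabled here). Scoping it to the OwnCloud site, either a per-site `client_max_body_size` in its own `server`/`location` block or a template variable such as `{{ site.max_body_size | default('1m') }}` (constructed example), keeps the wider resource exposure limited to the one service that needs it.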
@@ -76,6 +76,7 @@ - /etc/cron.d/autobcfg2 - /etc/cron.d/bcfg2-run - /etc/cron.d/pull-repos-scripts + - /etc/default/bcfg2 - /etc/munin - /etc/icinga2 - /etc/nut From 21c953a4cab1acde0f2868521c28960e42fd9daf Mon Sep 17 00:00:00 2001 From: Bombar Maxime Date: Fri, 8 May 2020 01:16:24 +0200 Subject: [PATCH 059/126] [clean_servers] More bcfg2 clean up --- clean_servers.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/clean_servers.yml b/clean_servers.yml index 79b61bd5..218948f2 100755 --- a/clean_servers.yml +++ b/clean_servers.yml @@ -64,6 +64,9 @@ path: "{{ item }}" state: absent loop: + - /etc/bcfg2.conf + - /etc/bcfg2.conf.ucf-dist + - /etc/crans - /etc/cron.d/munin-crans - /etc/cron.d/munin-node - /etc/cron.d/munin-node.dpkg-dist @@ -79,6 +82,7 @@ - /etc/default/bcfg2 - /etc/munin - /etc/icinga2 + - /etc/init.d/bcfg2 - /etc/nut - /etc/nginx/sites-enabled/status - /etc/nginx/sites-available/status From 4ad342843fee6871660be746b53180ab5fc76788 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 9 May 2020 10:11:38 +0200 Subject: [PATCH 060/126] Simplify monitoring playbook --- monitoring.yml | 55 ++++++++++++---------------- roles/grafana/tasks/main.yml | 2 +- roles/grafana/templates/ldap.toml.j2 | 4 +- roles/prometheus/tasks/main.yml | 10 ++--- 4 files changed, 31 insertions(+), 40 deletions(-) diff --git a/monitoring.yml b/monitoring.yml index f2084bda..d3a26fac 100755 --- a/monitoring.yml +++ b/monitoring.yml 
@@ -4,27 +4,35 @@ - hosts: fyre.adm.crans.org vars: # Prometheus targets.json - prometheus_targets: - - targets: "{{ groups['server'] | list | sort }}" - prometheus_ups_snmp_targets: - - targets: [pulsar.adm.crans.org] - prometheus_unifi_snmp_targets: - - targets: "{{ groups['crans_unifi'] | list | sort }}" - prometheus_blackbox_targets: - - targets: - - https://crans.org - - https://www.crans.org - - https://grafana.crans.org - - https://wiki.crans.org - - https://pad.crans.org - prometheus_apache_targets: - - targets: [zamok.adm.crans.org] + prometheus: + node_targets: "{{ groups['server'] | list | sort }}" + ups_snmp_targets: [pulsar.adm.crans.org] + unifi_snmp_targets: "{{ groups['crans_unifi'] | list | sort }}" + blackbox_targets: + - https://crans.org + - https://www.crans.org + - https://grafana.crans.org + - https://wiki.crans.org + - https://pad.crans.org + apache_targets: [zamok.adm.crans.org] + snmp_unifi_password: "{{ vault_snmp_unifi_password }}" + + grafana: + root_url: https://grafana.crans.org + ldap_bind_dn: "cn=grafana,ou=service-users,{{ ldap_base }}" + ldap_passwd: "{{ vault_ldap_grafana_passwd }}" + + ldap_base: 'dc=crans,dc=org' + ldap_master_ipv4: '10.231.136.19' + ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}" roles: - prometheus - prometheus-alertmanager - prometheus-snmp-exporter - prometheus-blackbox-exporter + - ninjabot + - grafana # Monitor all hosts - hosts: server,test_vm 
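Review bot: `snmp_unifi_password: "{{ vault_snmp_unifi_password }}"` and `ldap_passwd: "{{ vault_ldap_grafana_passwd }}"` are now stored inside the plain `prometheus` and `grafana` dictionaries next to non-secret targets and URLs, so any task that renders or prints a whole dict (a `debug: var=prometheus`, or a `to_nice_json` of the dict rather than of `prometheus.node_targets` as the prometheus role does) would emit the vault values in clear in the play output, whereas the previous layout kept them in dedicated variables. Keeping the secrets in their own variables, or putting `no_log: true` on any task that consumes the whole dict, avoids that; at minimum a comment on the two keys noting that the dicts carry secrets would warn the next editor.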
@@ -42,23 +50,6 @@ roles: - smartd-hp-smartarray -# Deploy grafana -- hosts: fyre.adm.crans.org - vars: - grafana_root_url: https://grafana.crans.org - ldap_base: 'dc=crans,dc=org' - ldap_master_ipv4: '10.231.136.19' - ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}" - ldap_grafana_bind_dn: "cn=grafana,ou=service-users,{{ ldap_base }}" - ldap_grafana_passwd: "{{ vault_ldap_grafana_passwd }}" - roles: - - grafana - -# Deploy NinjaBot -- hosts: fyre.adm.crans.org - roles: - - ninjabot - # Monitor mailq with a special text exporter - hosts: redisdead.adm.crans.org roles: diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml index 1d472f15..6b290178 100644 --- a/roles/grafana/tasks/main.yml +++ b/roles/grafana/tasks/main.yml @@ -43,7 +43,7 @@ loop: - section: server option: root_url - value: "{{ grafana_root_url }}" + value: "{{ grafana.root_url }}" - section: session # This will break with HTTPS option: cookie_secure value: "true" diff --git a/roles/grafana/templates/ldap.toml.j2 b/roles/grafana/templates/ldap.toml.j2 index 8fee2473..1fd96e12 100644 --- a/roles/grafana/templates/ldap.toml.j2 +++ b/roles/grafana/templates/ldap.toml.j2 @@ -21,10 +21,10 @@ ssl_skip_verify = false # client_key = "/path/to/client.key" # Search user bind dn -bind_dn = "{{ ldap_grafana_bind_dn }}" +bind_dn = "{{ grafana.ldap_bind_dn }}" # Search user bind password # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;""" -bind_password = '{{ ldap_grafana_passwd }}' +bind_password = '{{ grafana.ldap_passwd }}' # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)" search_filter = "(cn=%s)" diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index 26b74bf7..7ed4ad9a 100644 --- a/roles/prometheus/tasks/main.yml +++ b/roles/prometheus/tasks/main.yml 
@@ -25,31 +25,31 @@ # We don't need to restart Prometheus when updating nodes - name: Configure Prometheus nodes copy: - content: "{{ prometheus_targets | to_nice_json }}" + content: "{{ [{'targets': prometheus.node_targets}] | to_nice_json }}" dest: /etc/prometheus/targets.json # We don't need to restart Prometheus when updating nodes - name: Configure Prometheus UPS SNMP devices copy: - content: "{{ prometheus_ups_snmp_targets | to_nice_json }}" + content: "{{ [{'targets': prometheus.ups_snmp_targets}] | to_nice_json }}" dest: /etc/prometheus/targets_ups_snmp.json # We don't need to restart Prometheus when updating nodes - name: Configure Prometheus Ubiquity Unifi SNMP devices copy: - content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}" + content: "{{ [{'targets': prometheus.unifi_snmp_targets}] | to_nice_json }}" dest: /etc/prometheus/targets_unifi_snmp.json # We don't need to restart Prometheus when updating nodes - name: Configure Prometheus Apache targets copy: - content: "{{ prometheus_apache_targets | to_nice_json }}" + content: "{{ [{'targets': prometheus.apache_targets}] | to_nice_json }}" dest: /etc/prometheus/targets_apache.json # We don't need to restart Prometheus when updating nodes - name: Configure Prometheus Blackbox targets copy: - content: "{{ prometheus_blackbox_targets | to_nice_json }}" + content: "{{ [{'targets': prometheus.blackbox_targets}] | to_nice_json }}" dest: /etc/prometheus/targets_blackbox.json - name: Activate prometheus service From fa7f646c9a86a93c2ebd3a7137b1cd2677836497 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 9 May 2020 10:18:29 +0200 Subject: [PATCH 061/126] Reverse directly to EtherCalc --- network.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network.yml b/network.yml index 23160615..d8b6e50f 100755 --- a/network.yml +++ b/network.yml 
@@ -75,7 +75,7 @@ - {from: lutim.crans.org, to: 10.231.136.69} - {from: zero.crans.org, to: 10.231.136.76} - {from: pad.crans.org, to: "10.231.136.76:9001"} - - {from: ethercalc.crans.org, to: 10.231.136.203} + - {from: ethercalc.crans.org, to: "10.231.136.203:8000"} - {from: mediadrop.crans.org, to: 10.231.136.106} - {from: videos.crans.org, to: 10.231.136.106} - {from: video.crans.org, to: 10.231.136.106} From 21fd284cc5a9966b38f21b40a8426ee47572e007 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 9 May 2020 10:40:50 +0200 Subject: [PATCH 062/126] EtherCalc role --- roles/ethercalc/tasks/main.yml | 52 +++++++++++++++++++ .../systemd/system/ethercalc.service.j2 | 17 ++++++ .../templates/update-motd.d/05-service.j2 | 3 ++ services_web.yml | 14 +++-- 4 files changed, 78 insertions(+), 8 deletions(-) create mode 100644 roles/ethercalc/tasks/main.yml create mode 100644 roles/ethercalc/templates/systemd/system/ethercalc.service.j2 create mode 100755 roles/ethercalc/templates/update-motd.d/05-service.j2 diff --git a/roles/ethercalc/tasks/main.yml b/roles/ethercalc/tasks/main.yml new file mode 100644 index 00000000..8447bf2b --- /dev/null +++ b/roles/ethercalc/tasks/main.yml 
@@ -0,0 +1,52 @@ +--- +- name: Install APT HTTPS support + apt: + name: apt-transport-https + state: present + update_cache: true + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Import NodeJS GPG signing key + apt_key: + url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key + state: present + validate_certs: false + register: apt_key_result + retries: 3 + until: apt_key_result is succeeded + +- name: Add NodeJS repository + apt_repository: + repo: "deb https://deb.nodesource.com/node_10.x {{ ansible_lsb.codename }} main" + state: present + update_cache: true + +- name: Install Redis and NPM + apt: + update_cache: true + name: + - redis-server + - nodejs + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Install EtherCalc systemd unit + template: + src: systemd/system/ethercalc.service.j2 + dest: /etc/systemd/system/ethercalc.service + +- name: Activate EtherCalc service + systemd: + daemon_reload: true + name: ethercalc + enabled: true + state: started + +- name: Indicate role in motd + template: + src: update-motd.d/05-service.j2 + dest: /etc/update-motd.d/05-ethercalc + mode: 0755 diff --git a/roles/ethercalc/templates/systemd/system/ethercalc.service.j2 b/roles/ethercalc/templates/systemd/system/ethercalc.service.j2 new file mode 100644 index 00000000..22fb27e5 --- /dev/null +++ b/roles/ethercalc/templates/systemd/system/ethercalc.service.j2 @@ -0,0 +1,17 @@ +{{ ansible_header | comment }} + +[Unit] +Description=Ethercalc +Require=redis-server.service + +[Service] +Type=simple +Restart=on-failure +RestartSec=3 +User=redis +Group=redis +PIDFile=/var/run/ethercalc.pid +ExecStart=/usr/bin/ethercalc --host 10.231.136.203 --port 8000 + +[Install] +WantedBy=multi-user.target diff --git a/roles/ethercalc/templates/update-motd.d/05-service.j2 b/roles/ethercalc/templates/update-motd.d/05-service.j2 new file mode 100755 index 00000000..00b76513 --- /dev/null 
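Review bot: `validate_certs: false` on the `Import NodeJS GPG signing key` task turns off TLS verification for the one download that establishes trust in the NodeSource repository, so anyone able to interpose on that connection could hand the host a different key that the following `apt_repository` and `apt` tasks would then trust. Keep verification on and pin the key you expect, `validate_certs: true` together with `id: <NODESOURCE_KEY_FINGERPRINT>` (placeholder, take the fingerprint from the vendor documentation), or ship the key file inside the role. The `Install Redis and NPM` task installs only `nodejs`, presumably because that package bundles npm; a short comment saying so would stop the task name from reading as a mistake.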
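Review bot: `Require=redis-server.service` in `[Unit]` is not a systemd directive (the key is `Requires=`), so the dependency on Redis is silently ignored and EtherCalc can be started before its store is up; change it to `Requires=redis-server.service` and add `After=redis-server.service` so ordering is enforced too. Running the web process as `User=redis` / `Group=redis` gives it the same identity as the Redis daemon, so a compromise of either side grants the other's file access; a dedicated `ethercalc` user keeps them apart. `PIDFile=` is only meaningful for `Type=forking` and can be dropped, and the hard-coded `--host 10.231.136.203` would be better taken from a variable since the same address is repeated in network.yml.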
+++ b/roles/ethercalc/templates/update-motd.d/05-service.j2 @@ -0,0 +1,3 @@ +#!/usr/bin/tail +14 +{{ ansible_header | comment }} +> EtherCalc a été déployé sur cette machine. Voir /usr/lib/node_modules/ethercalc/. diff --git a/services_web.yml b/services_web.yml index 4c6f7d78..a22869d2 100755 --- a/services_web.yml +++ b/services_web.yml @@ -16,20 +16,18 @@ roles: - framadate -# Deploy CAS - hosts: cas-srv.adm.crans.org - roles: - - django-cas + roles: ["django-cas"] # Deploy Gitlab CI - hosts: gateau.adm.crans.org - roles: - - docker + roles: ["docker"] -# Deploy TV - hosts: cochon.adm.crans.org - roles: - - mumudvb + roles: ["mumudvb"] + +- hosts: ethercalc-srv.adm.crans.org + roles: ["ethercalc"] # Deploy OwnCloud - hosts: owncloud-srv.adm.crans.org From c5617f4c7700c32a14a2129794f3c00d7f86337e Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 9 May 2020 10:45:36 +0200 Subject: [PATCH 063/126] [ethercalc] NPM install --- roles/ethercalc/tasks/main.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/ethercalc/tasks/main.yml b/roles/ethercalc/tasks/main.yml index 8447bf2b..ba3c77c7 100644 --- a/roles/ethercalc/tasks/main.yml +++ b/roles/ethercalc/tasks/main.yml @@ -33,6 +33,15 @@ retries: 3 until: apt_result is succeeded +- name: Install EtherCalc + npm: + name: ethercalc + global: true + state: latest + register: npm_result + retries: 3 + until: npm_result is succeeded + - name: Install EtherCalc systemd unit template: src: systemd/system/ethercalc.service.j2 From 90d25818e1ebcc8164855b629427916b375928e8 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 10 May 2020 09:35:38 +0200 Subject: [PATCH 064/126] DU EtherCalc --- interfaces.yml | 2 +- roles/ethercalc/tasks/main.yml | 25 +------------------------ 2 files changed, 2 insertions(+), 25 deletions(-) diff --git a/interfaces.yml b/interfaces.yml index 04b2d828..add512dc 100755 --- a/interfaces.yml +++ b/interfaces.yml 
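Review bot: `state: latest` with no `version:` on the `Install EtherCalc` task makes every run pull whatever the registry currently publishes, so the deployed code is unpinned and can change under a routine playbook run; pin it with `version: <ETHERCALC_VERSION>` (placeholder) and `state: present`, and bump the version deliberately. A `global: true` install from the public registry fetches the whole dependency tree straight onto the host, so a one-line comment above the task naming that trust decision would make it explicit. The task sits between the apt and systemd-unit tasks; the rest of the role is outside this hunk.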
@@ -14,7 +14,7 @@ - switch - fil -- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org,frontdaur.adm.crans.org,bakdaur.adm.crans.org +- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org,frontdaur.adm.crans.org,bakdaur.adm.crans.org,ethercalc-srv.adm.crans.org vars: vlan: - name: srv diff --git a/roles/ethercalc/tasks/main.yml b/roles/ethercalc/tasks/main.yml index ba3c77c7..e5e04bfa 100644 --- a/roles/ethercalc/tasks/main.yml +++ b/roles/ethercalc/tasks/main.yml @@ -1,34 +1,11 @@ --- -- name: Install APT HTTPS support - apt: - name: apt-transport-https - state: present - update_cache: true - register: apt_result - retries: 3 - until: apt_result is succeeded - -- name: Import NodeJS GPG signing key - apt_key: - url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key - state: present - validate_certs: false - register: apt_key_result - retries: 3 - until: apt_key_result is succeeded - -- name: Add NodeJS repository - apt_repository: - repo: "deb https://deb.nodesource.com/node_10.x {{ ansible_lsb.codename }} main" - state: present - update_cache: true - - name: Install Redis and NPM apt: update_cache: true name: - redis-server - nodejs + - npm register: apt_result retries: 3 until: apt_result is succeeded From a761100b28e9942166f8edb8d8fca1c960bffda8 Mon Sep 17 00:00:00 2001 From: Bombar Maxime Date: Sun, 10 May 2020 13:43:19 +0200 Subject: [PATCH 065/126] Why the hell would you use non ascii characters ? --- roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 index 837a60a9..1f8350b7 100644 --- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 +++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 @@ -1,7 +1,7 @@ {{ ansible_header | comment(decoration='# ') }} -# Pour appliquer cette conf et générer la conf de renewal : -# certbot --config wildcard.ini certonly +# To generate the certificate, please use the following command +# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly # Use a 4096 bit RSA key instead of 2048 rsa-key-size = 4096 From 4ef9586d2accb0782ff95bef23631fb408a09eec Mon Sep 17 00:00:00 2001 From: Bombar Maxime Date: Sun, 10 May 2020 13:46:30 +0200 Subject: [PATCH 066/126] Wildcard certificate on MX servers. For the sake of completeness I commit this play. --- certbot.yml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100755 certbot.yml diff --git a/certbot.yml b/certbot.yml new file mode 100755 index 00000000..6a6a3eb5 --- /dev/null +++ b/certbot.yml @@ -0,0 +1,34 @@ +#!/usr/bin/env ansible-playbook +--- +# Temporary +# Wildcard certificate for MX servers +- hosts: titanic.adm.crans.org + vars: + certbot: + dns_rfc2136_name: certbot_challenge. + dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" + mail: root@crans.org + certname: crans.org + domains: "*.crans.org" + bind: + masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}" + roles: + - certbot + tasks: + - name: Symlink smtp certificate + file: + src: /etc/letsencrypt/live/crans.org/fullchain.pem + dest: /etc/ssl/certs/smtp.pem + state: link + force: true + - name: Symlink smtp private key + file: + src: /etc/letsencrypt/live/crans.org/privkey.pem + dest: /etc/ssl/private/smtp.pem + state: link + force: true + - name: reload postfix + systemd: + enabled: yes + state: restarted + name: postfix 
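Review bot: The task named `reload postfix` actually does `state: restarted`, and because it is a plain task rather than a handler it restarts Postfix on every run of the play even when neither symlink changed; make it a handler notified by the two symlink tasks (or guard it with `when:` on their results) and either rename it or use `state: reloaded`. `enabled: yes` also mixes YAML boolean spellings with the `true` used elsewhere in the same file; `enabled: true` keeps the style consistent. The symlinks are created once by this play, so a certificate renewal by certbot's timer is not followed by a Postfix reload unless the certbot role installs a deploy hook, which is outside this hunk.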
From 22cdae2d0d24ea33ecad75530dd3f23b4b49e457 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Fri, 15 May 2020 15:45:13 +0200 Subject: [PATCH 067/126] [re2o-mail-server] Au revoir LXir --- .../templates/re2o-services/mail-server/mail-aliases | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/re2o-mail-server/templates/re2o-services/mail-server/mail-aliases b/roles/re2o-mail-server/templates/re2o-services/mail-server/mail-aliases index 3fa31a21..1869e9e0 160000 --- a/roles/re2o-mail-server/templates/re2o-services/mail-server/mail-aliases +++ b/roles/re2o-mail-server/templates/re2o-services/mail-server/mail-aliases @@ -1 +1 @@ -Subproject commit 3fa31a218d75835aa196ebd174906f3656ef22bd +Subproject commit 1869e9e08e926da376c2f7a6db69a6a5dc126b86 From 4b627c6e750b96512b0f1ea38f014a7c4711b811 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Paulon?= Date: Sun, 17 May 2020 03:58:20 +0200 Subject: [PATCH 068/126] =?UTF-8?q?on=20met=20des=20templates=20corrects?= =?UTF-8?q?=20pour=20chsh=20(et=20chsh.ldap=20sert=20=C3=A0=20rien)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/ldap-client/tasks/main.yml | 2 +- roles/ldap-client/templates/bin/chsh.j2 | 4 ++++ roles/ldap-client/templates/bin/chsh.ldap.j2 | 4 ++++ 3 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 roles/ldap-client/templates/bin/chsh.j2 create mode 100644 roles/ldap-client/templates/bin/chsh.ldap.j2 diff --git a/roles/ldap-client/tasks/main.yml b/roles/ldap-client/tasks/main.yml index 3912f981..8195e6f1 100644 --- a/roles/ldap-client/tasks/main.yml +++ b/roles/ldap-client/tasks/main.yml @@ -36,7 +36,7 @@ # Disable passwd and chsh - name: Copy passwd and chsh scripts template: - src: bin/passwd.j2 + src: "bin/{{ item }}.j2" dest: "/usr/local/bin/{{ item }}" mode: 0755 loop: 
diff --git a/roles/ldap-client/templates/bin/chsh.j2 b/roles/ldap-client/templates/bin/chsh.j2 new file mode 100644 index 00000000..37462f78 --- /dev/null +++ b/roles/ldap-client/templates/bin/chsh.j2 @@ -0,0 +1,4 @@ +#!/bin/sh +{{ ansible_header | comment }} +echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}" + diff --git a/roles/ldap-client/templates/bin/chsh.ldap.j2 b/roles/ldap-client/templates/bin/chsh.ldap.j2 new file mode 100644 index 00000000..175fdfc1 --- /dev/null +++ b/roles/ldap-client/templates/bin/chsh.ldap.j2 @@ -0,0 +1,4 @@ +#!/bin/sh +{{ ansible_header | comment }} +echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}" +echo "De toutes façons la vraie commande aurait pas marché, on installe pas nslcd-utils sur les serveurs normalement." From 801811ffa86dade1cc9954944723c2a948b417f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Paulon?= Date: Sun, 17 May 2020 03:59:09 +0200 Subject: [PATCH 069/126] on backup la partition var/lib/mailman sur redisdead --- roles/rsync-client/templates/rsyncd.conf.j2 | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/rsync-client/templates/rsyncd.conf.j2 b/roles/rsync-client/templates/rsyncd.conf.j2 index bea4fc7c..780ab375 100644 --- a/roles/rsync-client/templates/rsyncd.conf.j2 +++ b/roles/rsync-client/templates/rsyncd.conf.j2 @@ -62,6 +62,16 @@ hosts allow = * read only = yes {% endif %} +{# on veut backuper /var/lib/mailman sur redisdead #} +{% if ansible_hostname == "redisdead" %} +[mailman] +path = /var/lib/mailman +auth users = backupcrans +secrets file = /etc/rsyncd.secrets +hosts allow = zephir.adm.crans.org 10.231.136.6 +{% endif %} + + {# TODO: implémenter le vrai système comme dans BCFG2 #} {# TODO: implémenter le cas particulier cpasswords-main et wiki #} From 6862b26d1786bf797ac5fcf37888212d4d2337b1 Mon Sep 17 00:00:00 2001 
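Review bot: `echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}"` under `#!/bin/sh` relies on the shell's builtin echo expanding `\n`, which differs between sh implementations (dash does, bash by default does not), so the message may print a literal `\n`; `printf '%s\n' "Pour changer votre shell," "Allez sur l'intranet : {{intranet_url}}"` behaves the same everywhere. The identical line appears in chsh.ldap.j2 in the next hunk. `{{intranet_url}}` would also read more consistently with the file's other Jinja as `{{ intranet_url }}`.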
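Review bot: The new `[mailman]` module does not state `read only = yes`, unlike the module visible just above it in the context lines; rsync's daemon default is read-only, but since the rest of the file spells it out, add `read only = yes` so a backup module cannot quietly become a write path later. `hosts allow = zephir.adm.crans.org 10.231.136.6` mixes a name and an address; if both refer to the same backup host, a comment saying so (and why both forms are needed) would save the next reader a lookup. Restricting with `auth users` plus a secrets file is the right shape; worth confirming that /etc/rsyncd.secrets is deployed with mode 0600 elsewhere in the role, which this hunk does not show.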
From: Alexandre Iooss Date: Sun, 17 May 2020 08:15:46 +0200 Subject: [PATCH 070/126] Use adm ipv4 for monitoring --- monitoring.yml | 11 ++ roles/prometheus-node-exporter/tasks/main.yml | 8 +- .../default/prometheus-node-exporter.j2 | 130 ++++++++++++++++++ 3 files changed, 144 insertions(+), 5 deletions(-) create mode 100644 roles/prometheus-node-exporter/templates/default/prometheus-node-exporter.j2 diff --git a/monitoring.yml b/monitoring.yml index d3a26fac..af00948e 100755 --- a/monitoring.yml +++ b/monitoring.yml @@ -1,5 +1,16 @@ #!/usr/bin/env ansible-playbook --- +# Set variable adm_iface for all servers +- hosts: server + tasks: + - name: Register adm interface in adm_iface variable + shell: set -o pipefail && grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" + register: adm_iface + check_mode: false + changed_when: true + args: + executable: /bin/bash + # Deploy Prometheus - hosts: fyre.adm.crans.org vars: diff --git a/roles/prometheus-node-exporter/tasks/main.yml b/roles/prometheus-node-exporter/tasks/main.yml index 74502bfd..31460b8f 100644 --- a/roles/prometheus-node-exporter/tasks/main.yml +++ b/roles/prometheus-node-exporter/tasks/main.yml @@ -31,11 +31,9 @@ # Doesn't work on Debian Stretch with the old prometheus package - name: Make Prometheus node-exporter listen on adm only - lineinfile: - path: /etc/default/prometheus-node-exporter - regexp: '^ARGS=' - line: | - ARGS="--web.listen-address={{ ansible_hostname }}.adm.crans.org:9100" + template: + src: default/prometheus-node-exporter.j2 + dest: /etc/default/prometheus-node-exporter notify: Restart prometheus-node-exporter tags: restart-node-exporter diff --git a/roles/prometheus-node-exporter/templates/default/prometheus-node-exporter.j2 b/roles/prometheus-node-exporter/templates/default/prometheus-node-exporter.j2 new file mode 100644 index 00000000..c5e2b8e5 --- /dev/null +++ b/roles/prometheus-node-exporter/templates/default/prometheus-node-exporter.j2 
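Review bot: `changed_when: true` on the `Register adm interface in adm_iface variable` task marks a read-only grep as a change on every run, so play summaries report a change for every server each time; for fact discovery the usual setting is `changed_when: false`. The result is also used unchecked: if zero or several `ifalias` files contain `adm`, `adm_iface.stdout` is empty or multi-line and the later `'ansible_' + adm_iface.stdout` lookup in the node-exporter template fails with an unhelpful error, so add `failed_when: adm_iface.stdout_lines | length != 1` to surface the problem here. `grep adm` matches any alias containing those letters; if the alias is exactly `adm`, `grep -x adm` avoids false matches.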
@@ -0,0 +1,130 @@ +{{ ansible_header | comment }} + +# Set the command-line arguments to pass to the server. +# Due to shell scaping, to pass backslashes for regexes, you need to double +# them (\\d for \d). If running under systemd, you need to double them again +# (\\\\d to mean \d), and escape newlines too. +ARGS="--web.listen-address={{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.address }}:9100" + +# Prometheus-node-exporter supports the following options: +# +# --collector.diskstats.ignored-devices="^(ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\\d+n\\d+p)\\d+$" +# Regexp of devices to ignore for diskstats. +# --collector.filesystem.ignored-mount-points="^/(dev|proc|run|sys|mnt|media|var/lib/docker)($|/)" +# Regexp of mount points to ignore for filesystem +# collector. +# --collector.filesystem.ignored-fs-types="^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$" +# Regexp of filesystem types to ignore for +# filesystem collector. +# --collector.netdev.ignored-devices="^lo$" +# Regexp of net devices to ignore for netdev +# collector. +# --collector.netstat.fields="^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*)|Tcp_(ActiveOpens|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts))$" +# Regexp of fields to return for netstat +# collector. +# --collector.ntp.server="127.0.0.1" +# NTP server to use for ntp collector +# --collector.ntp.protocol-version=4 +# NTP protocol version +# --collector.ntp.server-is-local +# Certify that collector.ntp.server address is the +# same local host as this collector. 
+# --collector.ntp.ip-ttl=1 IP TTL to use while sending NTP query +# --collector.ntp.max-distance=3.46608s +# Max accumulated distance to the root +# --collector.ntp.local-offset-tolerance=1ms +# Offset between local clock and local ntpd time +# to tolerate +# --path.procfs="/proc" procfs mountpoint. +# --path.sysfs="/sys" sysfs mountpoint. +# --collector.qdisc.fixtures="" +# test fixtures to use for qdisc collector +# end-to-end testing +# --collector.runit.servicedir="/etc/service" +# Path to runit service directory. +# --collector.supervisord.url="http://localhost:9001/RPC2" +# XML RPC endpoint. +# --collector.systemd.unit-whitelist=".+" +# Regexp of systemd units to whitelist. Units must +# both match whitelist and not match blacklist to +# be included. +# --collector.systemd.unit-blacklist=".+(\\.device|\\.scope|\\.slice|\\.target)" +# Regexp of systemd units to blacklist. Units must +# both match whitelist and not match blacklist to +# be included. +# --collector.systemd.private +# Establish a private, direct connection to +# systemd without dbus. +# --collector.textfile.directory="/var/lib/prometheus/node-exporter" +# Directory to read text files with metrics from. +# --collector.vmstat.fields="^(oom_kill|pgpg|pswp|pg.*fault).*" +# Regexp of fields to return for vmstat collector. +# --collector.wifi.fixtures="" +# test fixtures to use for wifi collector metrics +# --collector.arp Enable the arp collector (default: enabled). +# --collector.bcache Enable the bcache collector (default: enabled). +# --collector.bonding Enable the bonding collector (default: enabled). +# --collector.buddyinfo Enable the buddyinfo collector (default: +# disabled). +# --collector.conntrack Enable the conntrack collector (default: +# enabled). +# --collector.cpu Enable the cpu collector (default: enabled). +# --collector.diskstats Enable the diskstats collector (default: +# enabled). +# --collector.drbd Enable the drbd collector (default: disabled). 
+# --collector.edac Enable the edac collector (default: enabled). +# --collector.entropy Enable the entropy collector (default: enabled). +# --collector.filefd Enable the filefd collector (default: enabled). +# --collector.filesystem Enable the filesystem collector (default: +# enabled). +# --collector.hwmon Enable the hwmon collector (default: enabled). +# --collector.infiniband Enable the infiniband collector (default: +# enabled). +# --collector.interrupts Enable the interrupts collector (default: +# disabled). +# --collector.ipvs Enable the ipvs collector (default: enabled). +# --collector.ksmd Enable the ksmd collector (default: disabled). +# --collector.loadavg Enable the loadavg collector (default: enabled). +# --collector.logind Enable the logind collector (default: disabled). +# --collector.mdadm Enable the mdadm collector (default: enabled). +# --collector.meminfo Enable the meminfo collector (default: enabled). +# --collector.meminfo_numa Enable the meminfo_numa collector (default: +# disabled). +# --collector.mountstats Enable the mountstats collector (default: +# disabled). +# --collector.netdev Enable the netdev collector (default: enabled). +# --collector.netstat Enable the netstat collector (default: enabled). +# --collector.nfs Enable the nfs collector (default: enabled). +# --collector.nfsd Enable the nfsd collector (default: enabled). +# --collector.ntp Enable the ntp collector (default: disabled). +# --collector.qdisc Enable the qdisc collector (default: disabled). +# --collector.runit Enable the runit collector (default: disabled). +# --collector.sockstat Enable the sockstat collector (default: +# enabled). +# --collector.stat Enable the stat collector (default: enabled). +# --collector.supervisord Enable the supervisord collector (default: +# disabled). +# --collector.systemd Enable the systemd collector (default: enabled). +# --collector.tcpstat Enable the tcpstat collector (default: +# disabled). 
+# --collector.textfile Enable the textfile collector (default: +# enabled). +# --collector.time Enable the time collector (default: enabled). +# --collector.uname Enable the uname collector (default: enabled). +# --collector.vmstat Enable the vmstat collector (default: enabled). +# --collector.wifi Enable the wifi collector (default: enabled). +# --collector.xfs Enable the xfs collector (default: enabled). +# --collector.zfs Enable the zfs collector (default: enabled). +# --collector.timex Enable the timex collector (default: enabled). +# --web.listen-address=":9100" +# Address on which to expose metrics and web +# interface. +# --web.telemetry-path="/metrics" +# Path under which to expose metrics. +# --log.level="info" Only log messages with the given severity or +# above. Valid levels: [debug, info, warn, error, +# fatal] +# --log.format="logger:stderr" +# Set the log target and format. Example: +# "logger:syslog?appname=bob&local=7" or +# "logger:stdout?json=true" From ca9b60e34617f0f9ddbb5cdaa59c843aedc4b7f5 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 17 May 2020 08:30:26 +0200 Subject: [PATCH 071/126] Clean at and monit --- clean_servers.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/clean_servers.yml b/clean_servers.yml index 218948f2..4f727380 100755 --- a/clean_servers.yml +++ b/clean_servers.yml @@ -9,6 +9,7 @@ apt: state: absent name: + - at - arpwatch # old sniffing - collectd - collectd-utils # old monitoring @@ -28,6 +29,7 @@ - monitoring-plugins-standard - monitoring-plugins-basic - monitoring-plugins-common + - monit - libmonitoring-plugin-perl - snmp - nagios-plugins-contrib From 41e941034e0a7efc5cbd6134094eb6aaf11be378 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 17 May 2020 08:32:29 +0200 Subject: [PATCH 072/126] [reverseproxy] Do not install nginx certbot --- roles/nginx-reverseproxy/tasks/main.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
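Review bot: `ARGS="--web.listen-address={{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.address }}:9100"` depends on `adm_iface`, a registered result from a separate play in monitoring.yml rather than a role variable, so rendering this template from any other playbook, or on a host where that play did not run, fails with an undefined-variable error; the role should declare that input (a documented variable the play sets, checked with an assert at the top of the tasks) so the dependency is explicit. Binding to the adm address instead of all interfaces is the right default for an unauthenticated metrics endpoint; a one-line comment above `ARGS=` saying the address is derived from the adm interface would help the next reader. The remainder of the file is the upstream option reference and needs no review.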
diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml index 5a0e298f..b1e39458 100644 --- a/roles/nginx-reverseproxy/tasks/main.yml +++ b/roles/nginx-reverseproxy/tasks/main.yml @@ -2,9 +2,7 @@ - name: Install NGINX apt: update_cache: true - name: - - nginx - - python3-certbot-nginx # for options-ssl-nginx.conf + name: nginx register: apt_result retries: 3 until: apt_result is succeeded From 00c5769d6e930294b6a76551db46e1d55b195bf2 Mon Sep 17 00:00:00 2001 From: Bombar Maxime Date: Sun, 17 May 2020 09:05:32 +0200 Subject: [PATCH 073/126] [clean_servers] Clean up nagios. --- clean_servers.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/clean_servers.yml b/clean_servers.yml index 4f727380..0b6b7fd0 100755 --- a/clean_servers.yml +++ b/clean_servers.yml @@ -85,9 +85,12 @@ - /etc/munin - /etc/icinga2 - /etc/init.d/bcfg2 + - /etc/nagios + - /etc/nagios-plugins - /etc/nut - /etc/nginx/sites-enabled/status - /etc/nginx/sites-available/status + - /etc/pnp4nagios - /var/local/aptdater - /etc/apt-dater-host.conf - /etc/sudoers.d/apt-dater-host From 79f4d274b07f80f585dfcac8bb41fc77980a9aa7 Mon Sep 17 00:00:00 2001 From: Bombar Maxime Date: Sun, 17 May 2020 09:05:53 +0200 Subject: [PATCH 074/126] Wildcard certificate on redisdead --- certbot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/certbot.yml b/certbot.yml index 6a6a3eb5..80f49ebc 100755 --- a/certbot.yml +++ b/certbot.yml @@ -2,7 +2,7 @@ --- # Temporary # Wildcard certificate for MX servers -- hosts: titanic.adm.crans.org +- hosts: titanic.adm.crans.org, redisdead.adm.crans.org vars: certbot: dns_rfc2136_name: certbot_challenge. From e585efb9afdba643ebc577d3d2acce575ffe7c10 Mon Sep 17 00:00:00 2001 From: Bombar Maxime Date: Sun, 17 May 2020 09:06:20 +0200 Subject: [PATCH 075/126] Add apt-file to common tools --- roles/common-tools/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) 
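Review bot: The removed comment says `python3-certbot-nginx` was installed `for options-ssl-nginx.conf`; if any site template in this role still includes that file, nginx will fail its config test once the package is gone, so confirm the include was replaced (the role's templates are outside this hunk). If the file is no longer referenced, a comment above `name: nginx` recording that the reverse proxy no longer depends on certbot's nginx snippet would keep the package from being re-added later.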
diff --git a/roles/common-tools/tasks/main.yml b/roles/common-tools/tasks/main.yml index 70488e80..b92fea69 100644 --- a/roles/common-tools/tasks/main.yml +++ b/roles/common-tools/tasks/main.yml @@ -4,6 +4,7 @@ update_cache: true install_recommends: false name: + - apt-file - sudo - molly-guard # prevent reboot - ntp # network time sync From 4ebcfa287a2cbc8c0dfbf50cfc8261f8bc73839e Mon Sep 17 00:00:00 2001 
From: Bombar Maxime Date: Sun, 17 May 2020 11:09:23 +0200 Subject: [PATCH 076/126] Huge clean up in mailman configuration --- logos/crans.png | Bin 0 -> 10618 bytes mailman.yml | 23 + roles/mailman/handlers/main.yml | 5 + roles/mailman/tasks/main.yml | 39 + .../mailman/templates/mailman/create.html.j2 | 13 + roles/mailman/templates/mailman/mm_cfg.py.j2 | 226 ++++++ .../templates/update-motd.d/05-mailman.j2 | 3 + .../usr/lib/mailman/Mailman/htmlformat.py.j2 | 742 ++++++++++++++++++ roles/nginx-mailman/handlers/main.yml | 5 + roles/nginx-mailman/tasks/main.yml | 43 + .../templates/nginx/mailman_passwd.j2 | 2 + .../nginx/sites-available/mailman.j2 | 94 +++ .../nginx/snippets/fastcgi-mailman.conf.j2 | 18 + .../nginx/snippets/fastcgi-mailman.conf.j2~ | 18 + .../nginx/snippets/options-ssl.conf.j2 | 17 + .../templates/update-motd.d/05-service.j2 | 3 + .../templates/var/www/custom_401.html.j2 | 18 + .../templates/var/www/robots.txt.j2 | 4 + 18 files changed, 1273 insertions(+) create mode 100644 logos/crans.png create mode 100755 mailman.yml create mode 100644 roles/mailman/handlers/main.yml create mode 100644 roles/mailman/tasks/main.yml create mode 100644 roles/mailman/templates/mailman/create.html.j2 create mode 100644 roles/mailman/templates/mailman/mm_cfg.py.j2 create mode 100755 roles/mailman/templates/update-motd.d/05-mailman.j2 create mode 100644 roles/mailman/templates/usr/lib/mailman/Mailman/htmlformat.py.j2 create mode 100644 roles/nginx-mailman/handlers/main.yml create mode 100644 roles/nginx-mailman/tasks/main.yml create mode 100644 roles/nginx-mailman/templates/nginx/mailman_passwd.j2 create mode 100644 roles/nginx-mailman/templates/nginx/sites-available/mailman.j2 create mode 100644 roles/nginx-mailman/templates/nginx/snippets/fastcgi-mailman.conf.j2 create mode 100644 roles/nginx-mailman/templates/nginx/snippets/fastcgi-mailman.conf.j2~ create mode 100644 roles/nginx-mailman/templates/nginx/snippets/options-ssl.conf.j2 create mode 100755 
roles/nginx-mailman/templates/update-motd.d/05-service.j2 create mode 100644 roles/nginx-mailman/templates/var/www/custom_401.html.j2 create mode 100644 roles/nginx-mailman/templates/var/www/robots.txt.j2 
diff --git a/logos/crans.png b/logos/crans.png new file mode 100644 index 0000000000000000000000000000000000000000..9c5e281a69694f2aed73c8466229c3dcb96b9609 GIT binary patch literal 10618 zcmV-=DTUUFP)Px#32;bRa{vIiivR$)ivgap9Z&!O00(qQO+^RV2OR()GevfT4*&ol07*naRCwC$ zeQA_kS9Rt&=g#-dQ%#aemL=P=WeeGWZ3Y`-z<@C(q>UL8AS8saoPlJ8rjyQEWOX`2 zXCR@6)ye8kH=T}g(n$z30b>(J+Zba98{4u}l4?-RZ+`dP`Q9`2k6m^3Tq?;j5wsk0 zf0TxL@4kD!v(G-?{`TJIVJRj0(e(qk)C=&LMkgC%`~pRmTqqB+{7v+UasKP$@zYRZ6)nQbNj){P8!w`kkZ6aP8wCdi_uS z*bPDm{Os$+$_+3bD6GZolRFX0w?jiLUF#Vo^$&k+vT)xED+eR@{jY;u2|<319*lnLRt7{q%j$@WiKH zI}N%&_wHM;po@#^Ns`#MO(_N5rfJ%XIJz~<5+NaxHMv&{6;0C=MNw5%Rn-jK)8F)& zub)_1@6w=~_^p>6*nR8G*DWnAwcBk+*DOP6C!utcbG=Q#9c4w{5L-GzHYbEZnwMLE<(sKj4k`#57`@BFuFl? zkCX@-wqfPd1^Ls*ADHU{HZ%{bzRqWU5JVE`FyQb ztJmwLQpvV$a3()|v%MgY#TX;ivs@3ZF_;{nyC>D!`VVuQHzc{#osxzacH>Q!M0jxlnw)F(41T{0sL67~^#EptbuT0BTv5 zX_|m9c!SaFufFuX)NTIq2i|2nVyVs z@!gr`%*k$=GAX&_)YkEPZo78$m0R9bc+)S1ajNmYWmyp2X6TH*?DJoLYDY!++ogR!6fU`G@5jRE7s!8>*q#%$vUhws^t?Ksh2+PTEH)aAv$$7* z(4V^KANn$F5B<5Br=N`f)7x%@UjgSmzaDveWTS-r!QGF2{=pM*90{5Vo=U-_V1lPC zaxfpdt_u&Osz8%8MNuAna_v9-<)e#heZgYEQpr;Z^Fd=44kQu7;Se-|ESw)@n(!-K z*K@fXsNET|*?>70pZK+RUA(ISrb;P=aLX`^N~Kb%RPy=!w&GS_px+vx8HdO1Zg}#z zfBbOE#6j>n zLb1SIuC%2QD3};VO+~h@W1@_@9YXNF-Q$cgNbW+crK)N!m#bE*nS0$rV8555-|NYK zKaSQ`f|JL>`Qyp@(j9l++G@3g5ZNd|Uq4^qZbkOdqpiFC;Hy#SvDo9O&uJ`qA{do| zAt8jMEb);DXJ%#;MS=0uYV|+))b}2Ga)re{OFW(ioW_WQrE@8`5KJUKr^c~k$23hV z6biLkO$dPq=?UdKsq$DLS0mw5#u<}bBB4m3OCePx3fOyjL3vHpI8-*YO@|8!bBu9j z;DtgVi?~LikqCX-L-+JV)ar!`$Ag7q(aM6IhQIoj*G%WllP6CKA#B^OR;w__TXxIy zhU|$I=dM5eY8bja9MZ(&G!SXX5?|052_~hKQb?8}B4=i1G)*g&N^uY3YHLzbX7ruBhI)`j~+b=`%EO{6XhKbd4+C*c^tAZU|}GVSfmN!ObUq! 
zMnoZ+7Ae}jF1dF_R*3kS-Nn~U6f+Z6RTYG7FuE*|&0uu}`n?|dZaWH=7X0If!^IQ% z#DC{C2VT2>Pruijo0|)Q0ApOKR0tuqZRc`1SO@2aM`nD8GI9IA`M*mm9Tp8}G~|g# z;~@(jOXHVcJh5Y}m^VopM{yD}#t6o?ZP#iwT-g1&r*xLMG#IeNWzmpE1DSdU_D<}- zc)Xg|J?RV&~&wNkBpSK9bvS4@;m9b*g*0W3EY8M3`@HbuX+&X-o({;|XU?BP=6-tp1{ zZ$5N+uiI@lo9%XcFc>6BVp-Ps`1tPKyQin8$HvBTx!kr4`k!U9fA+bjme=|$@o3`l z)K9}c4Z1J8V&~1*@9+0|gTbKN_LC&xoFjx_47ptHyKT&A#A2VP0gHz;=u~XE$Ogc`ywiK_PjN5B$*w;C|Y^>VI8K$C{ib9a|QyNg; z4gHqacl4ZEEUU#bG0Z3X>Bk;A`kPlxmh(B-1L5ZuYrWrVZjHQ$u;ZLq4|8Qc>J^oa~>-@|$``-4_+kMaLv^TC^uQwbH8DoZF z&p+$>>^D!io-b$wn>&k#2QD7Fa^J-A@^ZJ^jiN|OX_}^GS-D&eoLVlI zJJK%;o(h%-mT(q|B)H?Puk3Z(>+9>o;gE9q?}H+qnJUamrBZ1$8jVJyTCJWXxcFxw`_Pjsf>Xg_ z!Kk1i=E>_{amCu&TDRMUkUXEym&@g9wOXlEfG}B>b>y)?@}A^W2qszDsMwY!mzUd_ zQIyN&dc9t3j6L?2_eZhf9Xsqk{is|$`Qevee)(i0j)J953sT>490N?iYDc$eD4-kX zp}zXm;|Fdg*v3S8c&SxnF=GsEmVb3q@hjh1Xz=iNuikOPMK4Q|#P@y2ar*s!x7+Ra z`#}&$DQ(-fZM#@3mdoWzrBW`JOQljSmpkvO*aot*%YDhI;8Y4KSh{z*9)(`N-v`AL z;_=DJ$xQ69EKApQ`sg!KFex~aLJD55$(7IyE@e!C>IJZV&{FF+zxvFNt#9R7e%2mZpJzNQp`%($XkNl4=|e!}daX z7txKyR@`ickeUTQyOQGHy=Ld0QjT+;BuN;C0BgVB_dG9K{t&H|N~Kb%l+WjF+lF}L zyvw*7$hNve$y3QWk^)Iq%-Ms%APhq(WiFR%G#b;>)4O)QV;gH$ zB7_iQ%=5e?Nq}I&p6gzE@MLZ(oImN$d{3+`{ML`(k|VO&Y<4=G!C(+4Niel%@RC=% zjf+yOi!>E1MT}K>ybnc1UHPWHGj6X>x95Ih2MfcHF}iH$h+)KBxULID1>m4AuU1Xd z7xg0RIvxw{G0a+ zv~syTK0dx<$BvylcQzUg2p?gF6@_eoiX=jaF%BMC*Y!%JGCn>&IXQX%if3>Rj? 
zh1rk3{+0Edxw^W#u{;%R?d?A~oVY|$1Ze*O~bd%pewpz+Hy9{H3 zutF5wjgqRt;OPs6Lgtl5MNcW^mZy?JaxMrVx~@Y=^MEzRhF-kBly;jRyz@=HUa!;X z^!t6+$}ise;Urb#W;0wo5zZd@!2T%>*_1IVq#)AQe22;-vP6?uqzO-wW~*hZimT_5 zfx!ZDxt!;Du=bNAp_Fz8;b$K_`MC#<_nd$;3i=$9!qo5$hjzZ>4Od;gzjP*LAWGO5 z9-6!7%STSG_LDS~QXnBVSL7(FLa>xZgLl5+z;FKIzdDm{cM91(JL;{ThcUs5s%T~} zWV?z&8NmqL{Fao|mf6gv4su!4${k0!bZ|25tY20wRt$B1wbSeMf-qcr*9T&%C9QVc zTuD34wAa48b{VGWa5(fM-%Ht-uXw4%ghv6A5=kiqUzlI8H6^J{qAEfXNr^4Xf&@5Y zj8gjd4=(+$`{!vI3z`U?N=^|HQc5IIkfJYr>)5>y9(mQlT_6AO8^`OV(Haqi&@(6d zzx2mnYjs`0V!;y0DU$Hs)5@Qu;4EfgKk^6Q=;2nUOJy6#9@;HTx^P@|fKaaY~&Yb^13Syg1vY2bUf4Dm&?VCth2On=5g9jRk(Y z)rvjWaU2Lq8WXF5l@A1An|D2V@}#XPgsbRM2_Fp)CWPQz{P|ZpPc8&34MYMeQYygc zFvgf5yfNU19-n>pN08`?Echm-yelOi#u5ZW+XtCc8qHV{H^&Y^$@c;#s^ zHQushvZ@P5F-06R&k<30NxkfJ+pg)3YRRt*trz9jnxjijB=#+*pHB%6~jYW|}^WJr)mH5(*ZBG>j0!Siy>liG~yf zV}hjY^!;D?-M{|BU%h>L$9O)UH!bVe{`A2p^jS2du`AM0@I*2yWabLCx;(*Co_hUW zcV=b=_Mv*cp4k(`{il$vS8}g?`Ndy;_$bC0VFjyL3T4JMY?n?)Q4~es$PB|6_0|{@ zw4ICJ5Sxj`lbA;#mfS#M&2^(FN=miZswF4qf`u7>e&)_Ac3)iF)o(Z3&2>=IbGclh zSX31S2^baL%orsCNtvYCx`01dJ!7V+u-K!K!(xvo9!oqyBPlq>geV%;EJd@4Zeg-v zQ0>0=AOGV1kNo6K^?H4_#phRgJPBCr@z`VWkSCsCi9~XH8YYnxT=2Bt?;SgKET7Mh zjg29MAVAf1J);V0wtheQ{+qt>oudgC2xBA(Rxm>3@uuAuajdlK^?E*^hsYW{gOu{L z)UOZ4!YFR8?B@Pumroy>taX~}{chKBoHR{=#!uC2 zVc2qrzJR2c4NgifIG1w6k~9tG_=#qL(}*P=Pka^+Y0xuB{HkmARf{?jY0vT7gLusg zL#`sCBCJRx5GIcuS^d^yhYww`=j(^5WC^DcXECP%i=A7p+uJCc3ZhXMoT-2pHm=px z)nc(o2mv*fF*f?LQ(D*5Sovcgcw~Dxul%G_0pXyD=UM+ zAd8VorBb8Os7&pAqJ9Yre3lMIy^PF0i4dY2Qi_(Z4nxFgC{mDw231?U_iZO zc%Da-q@;;rMXrXVEAto=Bos_kjPN5*&X+8-xMp&eN=}jBlCy)COkTOSv9`9>9Sou< zg6MhMsxt73kTGJ6onDo$jwT9kf9=5&3#*_0!efXKf>j|TMiL_=7>b2hT&0L8_>_A^ zLQp|tDcA-xkO&0RO@7Oz6bKV0QIaH}dm&6jnn=!sg2FKLJTHs%N~O}o#KevrJ9duM z->W-MaD2o=!_B)9_{-)XiK-!#EINu1si3joDW@S%{2zboE4^XA)oOuH&vxK_b{e}l z1=rXO_lO=@(bj$SS-TcmE|!!$=Vue1e=>ok$`nC1+AH!KvU>a3;hl{$SAvVMH|D zNhK&)gbFtt5LB>as-8zYZnavOB$Vyis;Z`4?dhh@r9hYXznQsrg2onVn z1!Dzcf-v5?Q6h;X5+db^FKB=zVvJxAOTE&v$XL$pJ39J`Fu#_@N1QJ3Dj)X))6moj6*8|^Tnr5w5 
z1BI|qD5$EctR;s#F6IQd338I&q|VbU7rOS!R$@rkiU zsZ=ygGmAX4RSv2-sDSx=Uf1<)B883ZOjTi`t~+!|y`X&M;in%tyz2OL8}jii7Q#dt zAQ6rgbAS~5roLCnhGK%uO}S*|u;P z5~E%gNDxK{VTq)&5l;)bL60Oth%*LJ8OR-zlasr4?HV5+2Z21*9Q^3f%svEXG^Hi8 zXCONg3X&2bf)zrDGL*KLPR+GcrK_k)GFA0nvR8ZM!SRbGOMvMp$1)59h`||cHggDt zLZM!-CrNVi^?dJSZgF{Sc6s0iQJgZ^{5S6onLZ%}!EP!lg%iCwg;n$GF&lCUfD6QJ3&qP?yP;O4 zTrL-j#k^%*%lJ1UMa>uDptPRk$D;vb%%<^Mtl?)p6)7slSVRF2L&qh<;m|Zqz~z&J zTFf0aY`nci1R|NXey? zJFDtcz4*Z4UbF9FqHF?65GI%?m}rEOa6nx+Z$=}=b<$buNUrS2iyE34J& z*w|RHSgh;%^~Lbv9#wJ$#@S(d@wNUk#L92085WD~ZMujMVwm@p_I<4|rr-khG~{sR zt))&^BnePptgFH0*Adg^^CzO^xv05f7BonkA-rj`&wl>Vvk}fxw2Ki21A;`(buY2^ zOct8W*7ACH=*N@^DpH@N9>oMJgeY)(B=KkNd#r2|(2pvWN>&ND{SJ1zTYyi^lx$E! zft+S%W^AE&FcYv+2q7QbQ+~YbMvAKBid{T?4D+Jz2SH%l_Ur1_E)m_k>MZz}2VUCm zVpWxl@gx*cD1}h19MKJkLeg$qa!TDn(ppzz@1oLp7*Z(>1pars=Re0}0gMrtDWs@% zT{jFJgf~j55NSZ2#n`4qlTt{@v7$aT-<_MAi{luC0+_|oyt;a}-T{PQDS_pJ49Yhz zz;p|;VCGqAA3|tH!TRax!hbp5!>Xd@3iH~fn!8$bT|ob$a{e7OnpN;HO$#G|^~^Gj#pQ9lOF zd61dT=kwiecQ_n|VVI_Ao>DytXTov863i*WL<+RDw8S|F4-SIlDCbqrUf~Y816Wz` zelXQh54*(xo*IN-KEC$u%XaLo7;rkl8>Y&KTZ6B46QXO1Y0nyagVepvb#`i+uIuG; zc{gLGV6N+O&Mnm{n|4ve-B$B*k?6YL9(Kdt+R*iQ5}T@$%jIGh@krZLfbfI zBBg|%+cp}zOn$B%fByJVcXjEvZ#b~0WM_3(nx=hlU)}MSzUwE%u&`z{bB({mjq4Nl zM$Dl;3@8EA#V1KJ91aN~oO3$~%c@ij9h-WBH&zK$CTN<5F+n5o1V-mxTMkSw7aA#ulHy!%G zQrlfPv732!-}dUUyamj6v*?vrmi6I%)&F^9^;=#-3`?jX#RWL7ZNZx2vjQ zT2>eYaU65b1wvFa`o+d_W%r`cu6q27(s0dF5lTl5@tkZH6Qb&>QN-9A zRqcUgLh}hQq9jTDAUd()eBtrcBWql+SnyQPh$lhSl0t|miZb-G6eoDz@3U(OV;oEL ztq}cnm(R8a(c)Y%cjO(H?fA&+Un@EHeIJU4;aPz*6pO`o?};YnS3lni(=br%oMPvt zWj{`=C-kyX-lNw^9tjmorW%o9b4)nr)agfyv-4*Cjk`^#^Uk$B&6bvXJ;fc~Z@T*r%67K0Pd6x{YFZ@>A_?kV4OlO%ypf`aTUrq1W{ zjImcH$rxY0uRWagOlq2nX)9KaShiwXRMSIM!-|4XBE>)?2@Bk`+m4$nL#NBHoSrC^ zpjHe*;ao1KKR%C;|Gdot5s4M7kOUc68cC}7DMc>bVmli;z7$djDN;^jo(41?u&`Gz zs=LOEj^muA!RYxR`*e!#_vKfHl6qmXz8cKW1oKC4*irkpA9%ZpWV_vtq6pRn)N_E_ z0yk}07D5Q<+U;m%q1k?-k5-Tos0LAWtZ78k5ZDXnB29P{^1!8@JEq}-leMwDNrZq3 
zvn)%mX^T?8$ORGtKNk-G&IFMg5`wb?bG`jW;{X5&07*naRL0NjL8O#WSOqFDi#-=F3p7tGy0(Y>u-GZjhFB9ok0); zL9mhDfZYIO3y6ZU>eP{r15#+W9jDXucw1^QA`wzzgt(9zk_8o)b+uejuH1KV%{G!G z35G)u$e}*FR4Nq;1uO+;v0$NKu@F>(oN`8(1gEi}F;61|H5y26r1H-2dPvAiK{<;= z60pRdo+!Nf&_#haOw$x*~_d5=6ZqV*`Bw@gXbq*+}lkF3#sNEg1ASV=!ohAsl@MGm+J>5Q5`Dcey9Pi$Tm? zDwVQB(nRW0zr*4oPeY!DNa~{pn{2T~DL4)LEF5qeqUWlbmmB3VTyiD_l{~#@qOf=8 z?nc>iojz!sF#EiWGr#wcDp4KpO6HGce+ZjYrJ&Vov#Sof#dW#?RKZ#9y-G~iGi@gJ(bNBEjLm` zNK-Z2wCY6zA<0-|(W(C!gAmc-s?WsJ6!T=Yx7%}bb4QOJg-6QT_qXT+&MKh1w!SP_P%pM_PrO^3c=KT zk?p*0-~M`eZEbC7Z4Hv6j4=qh0nHFXIF(Ap z_kGv%fX@PN&5#8*omH4Y-xmmjnPUO-FO^ELa~2AP)4TMt_!}4tWLXeG@L6X+HVytC zo&>0FtyY_un3$ZLgv!^fknnkPgWE2@DBL~P@Ap?$R(ic298(5aJjg-7kpeJmNDZ7a znVHY>NA4L+-(p)uN@>9oPYPvQ%Yf@%NmveGGJr#&4reeOifKO#$e0J zD&@h+!p@d44QN~fK36W6DW#@q#&JvtDHe-RdXlYB7)3S>V`F0&<6^NGhT+){up3Rk z!qb9YGg{%i#lxN}vYQ2+8#)%O1sJ?#S(Qo!G9txdF{}1}R=wiAA5J^|lCkIN-B)D= z20{qPRA-%onx?IFgVolcSS-TLGbJd~t+Ok$L3jadCaS8IN+sZY;2bh!vr&L6$mjD= zF9c@3C3f1@4`l9M+dS9;j$g>g<#Xp0&OT|jZG&$r7K@OPhg~bHW*C*x5JKpY-^a6$ z&UH}z&R>Y)*z>&Ma2Q1qJY}{gz~GNAbcfwO8IhneI=tn!qr(6*1jq`70(i`Cuefa>bVOAu$9AX1N|I5JOifgS;KBUfgb*Z*T*N4{HqVW z4mw?+#scE8(atuB&`M`Whc06bB5`N}KUH78-2gHj4kkX+fJO_3x16W|>jUQFc^yVM z`WT~to+*M;&+(=(+h7isWpU241+x7yaH)sBe3$g_u`U{W{Rd+vhQr}tFbIMGf+$#7 z8E|nzqnP} zr+XcYhx}M?dHTk)C%`^mCs@95m5C{vwJY}a`F|o zLl>drIM6BvoD{aZ%{p8(zp_!@eR63%j$?2LS(5mLc<}!Z;LxQn--TS44$<*})c0La z%9GIW3eB0OX+m@`%7+j_Yh522JC@ekaPAJ|NHSvkqDOZ5LAmfP>7nJmoO8w4b+>i9 zT`*WEWE(BJ9Q7)lK>&v7dSQ|zQ4~RUbEeh5=#gD`2z#jCN6!opt6ysEzG|ZjG>)@& z!qK25^C!zK7wQRzo}X-9+ZHywP_FZQdY`nW2R-y;7cD2of%ko+*Xu#CJh0$=J`c#A ze(uF;*9SFv=!L*%2_d64`(j5HUGuJJeokLmyW#qGc*qMH9@!CjEIaiHWIYhxw>_@VkJ2kPqs<;E>IZ zii4s=P=>12D)b9vWNY*aqg1e1&_u9EF$DC`ODQvN@FSbuP{lyIsaC77qQM)CW?8nF z-dHWKqa=!5o&-Cm>tLz~p$ypII7I5XQH+3feZ?*X#VM+{X{S(fkx_f>)DLiz4c=rorS%26To z%8oKVzlZ9*=#b5*6`Ze<<>Alo`I;|YWV5P~j8UK$?AJ8oAAPU*3nK>m(Uo2Q4 + + +Creation de mailing list + + + +

Creation de mailing list

+Il faut s'adresser a nounou arobase crans point org. + + diff --git a/roles/mailman/templates/mailman/mm_cfg.py.j2 b/roles/mailman/templates/mailman/mm_cfg.py.j2 new file mode 100644 index 00000000..25f82461 --- /dev/null +++ b/roles/mailman/templates/mailman/mm_cfg.py.j2 
@@ -0,0 +1,226 @@ +{{ ansible_header | comment }} +# -*- python -*- + +# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301 USA + + +"""This is the module which takes your site-specific settings. + +From a raw distribution it should be copied to mm_cfg.py. If you +already have an mm_cfg.py, be careful to add in only the new settings +you want. The complete set of distributed defaults, with annotation, +are in ./Defaults. In mm_cfg, override only those you want to +change, after the + + from Defaults import * + +line (see below). + +Note that these are just default settings - many can be overridden via the +admin and user interfaces on a per-list or per-user basis. + +Note also that some of the settings are resolved against the active list +setting by using the value as a format string against the +list-instance-object's dictionary - see the distributed value of +DEFAULT_MSG_FOOTER for an example.""" + + +####################################################### +# Here's where we get the distributed defaults. # + +from Defaults import * + + +##### +# General system-wide defaults +##### + +# Should image logos be used? 
Set this to 0 to disable image logos from "our +# sponsors" and just use textual links instead (this will also disable the +# shortcut "favicon"). Otherwise, this should contain the URL base path to +# the logo images (and must contain the trailing slash).. If you want to +# disable Mailman's logo footer altogther, hack +# Mailman/htmlformat.py:MailmanLogo(), which also contains the hardcoded links +# and image names. +IMAGE_LOGOS = '/images/mailman/' + +#------------------------------------------------------------- +# The name of the list Mailman uses to send password reminders +# and similar. Don't change if you want mailman-owner to be +# a valid local part. +MAILMAN_SITE_LIST = '{{ mailman.site_list }}' + +DEFAULT_URL= '{{ mailman.default_url }}' +DEFAULT_URL_PATTERN = 'https://%s/' +add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST) + +#------------------------------------------------------------- +# Default domain for email addresses of newly created MLs +DEFAULT_EMAIL_HOST = '{{ mailman.default_host }}' +#------------------------------------------------------------- +# Default host for web interface of newly created MLs +DEFAULT_URL_HOST = '{{ mailman.default_host }}' +#------------------------------------------------------------- +# Required when setting any of its arguments. +add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST) + +#------------------------------------------------------------- +# Do we send monthly reminders? +DEFAULT_SEND_REMINDERS = No + +# Normally when a site administrator authenticates to a web page with the site +# password, they get a cookie which authorizes them as the list admin. It +# makes me nervous to hand out site auth cookies because if this cookie is +# cracked or intercepted, the intruder will have access to every list on the +# site. OTOH, it's dang handy to not have to re-authenticate to every list on +# the site. Set this value to Yes to allow site admin cookies. 
+ALLOW_SITE_ADMIN_COOKIES = Yes + +##### +# Archive defaults +##### + +PUBLIC_ARCHIVE_URL = '{{ mailman.default_url }}archives/%(listname)s' + +# Are archives on or off by default? +DEFAULT_ARCHIVE = Off + +# Are archives public or private by default? +# 0=public, 1=private +DEFAULT_ARCHIVE_PRIVATE = 1 + +# Pipermail assumes that messages bodies contain US-ASCII text. +# Change this option to define a different character set to be used as +# the default character set for the archive. The term "character set" +# is used in MIME to refer to a method of converting a sequence of +# octets into a sequence of characters. If you change the default +# charset, you might need to add it to VERBATIM_ENCODING below. +DEFAULT_CHARSET = 'utf-8' + +# Most character set encodings require special HTML entity characters to be +# quoted, otherwise they won't look right in the Pipermail archives. However +# some character sets must not quote these characters so that they can be +# rendered properly in the browsers. The primary issue is multi-byte +# encodings where the octet 0x26 does not always represent the & character. +# This variable contains a list of such characters sets which are not +# HTML-quoted in the archives. +VERBATIM_ENCODING = ['utf-8'] + +##### +# General defaults +##### + +# The default language for this server. Whenever we can't figure out the list +# context or user context, we'll fall back to using this language. See +# LC_DESCRIPTIONS below for legal values. +DEFAULT_SERVER_LANGUAGE = '{{ mailman.default_language }}' + +# How many members to display at a time on the admin cgi to unsubscribe them +# or change their options? +DEFAULT_ADMIN_MEMBER_CHUNKSIZE = 50 + +# set this variable to Yes to allow list owners to delete their own mailing +# lists. You may not want to give them this power, in which case, setting +# this variable to No instead requires list removal to be done by the site +# administrator, via the command line script bin/rmlist. 
+#OWNERS_CAN_DELETE_THEIR_OWN_LISTS = No + +# Set this variable to Yes to allow list owners to set the "personalized" +# flags on their mailing lists. Turning these on tells Mailman to send +# separate email messages to each user instead of batching them together for +# delivery to the MTA. This gives each member a more personalized message, +# but can have a heavy impact on the performance of your system. +#OWNERS_CAN_ENABLE_PERSONALIZATION = No + +##### +# List defaults. NOTE: Changing these values does NOT change the +# configuration of an existing list. It only defines the default for new +# lists you subsequently create. +##### + +# Should a list, by default be advertised? What is the default maximum number +# of explicit recipients allowed? What is the default maximum message size +# allowed? +DEFAULT_LIST_ADVERTISED = Yes + +# {header-name: regexp} spam filtering - we include some for example sake. +DEFAULT_BOUNCE_MATCHING_HEADERS = """ +# Les lignes commencant par # sont des commentairtes. +#from: .*-owner@yahoogroups.com +#from: .*@uplinkpro.com +#from: .*@coolstats.comic.com +#from: .*@trafficmagnet.com +#from: .*@hotmail.com +#X-Reject: 450 +#X-Reject: 554 +""" + +# Mailman can be configured to strip any existing Reply-To: header, or simply +# extend any existing Reply-To: with one based on the above setting. +DEFAULT_FIRST_STRIP_REPLY_TO = Yes + +# SUBSCRIBE POLICY +# 0 - open list (only when ALLOW_OPEN_SUBSCRIBE is set to 1) ** +# 1 - confirmation required for subscribes +# 2 - admin approval required for subscribes +# 3 - both confirmation and admin approval required +# +# ** please do not choose option 0 if you are not allowing open +# subscribes (next variable) +DEFAULT_SUBSCRIBE_POLICY = 3 + +# Is the list owner notified of subscribes/unsubscribes? +DEFAULT_ADMIN_NOTIFY_MCHANGES = Yes + +# Do we send monthly reminders? +DEFAULT_SEND_REMINDERS = No + +# What should happen to non-member posts which do not match explicit +# non-member actions? 
+# 0 = Accept +# 1 = Hold +# 2 = Reject +# 3 = Discard +DEFAULT_GENERIC_NONMEMBER_ACTION = 1 + +# Use spamassassin automatically +GLOBAL_PIPELINE.insert(5, '{{ spamassassin }}') +# Discard messages with score higher than ... +SPAMASSASSIN_DISCARD_SCORE = 8 +# Hold in moderation messages with score higher than ... +SPAMASSASSIN_HOLD_SCORE = 2.1 + +# Add SpamAssassin administration interface on gui +# To make it work, you need to edit Gui/__init__.py +# with +# from SpamAssassin import SpamAssassin +ADMIN_CATEGORIES.append("spamassassin") + +# Add header to keep +PLAIN_DIGEST_KEEP_HEADERS.append('X-Spam-Score') + +# configure MTA +MTA = 'Postfix' +SMTPHOST = '{{ smtphost }}' +SMTP_MAX_RCPTS = 50 + + +POSTFIX_STYLE_VIRTUAL_DOMAINS = ["{{ mailman.default_host }}"] + +# Note - if you're looking for something that is imported from mm_cfg, but you +# didn't find it above, it's probably in /usr/lib/mailman/Mailman/Defaults.py. diff --git a/roles/mailman/templates/update-motd.d/05-mailman.j2 b/roles/mailman/templates/update-motd.d/05-mailman.j2 new file mode 100755 index 00000000..d3fee0db --- /dev/null +++ b/roles/mailman/templates/update-motd.d/05-mailman.j2 @@ -0,0 +1,3 @@ +#!/usr/bin/tail +14 +{{ ansible_header | comment }} +> Mailman a été déployé sur cette machine. Voir /etc/mailman/ et /var/lib/mailman/. diff --git a/roles/mailman/templates/usr/lib/mailman/Mailman/htmlformat.py.j2 b/roles/mailman/templates/usr/lib/mailman/Mailman/htmlformat.py.j2 new file mode 100644 index 00000000..146f9576 --- /dev/null +++ b/roles/mailman/templates/usr/lib/mailman/Mailman/htmlformat.py.j2 
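Review bot: `ALLOW_SITE_ADMIN_COOKIES = Yes` in the general-defaults section of mm_cfg.py.j2 turns on exactly the behaviour the comment above it warns about: one site-password login yields a cookie that authorizes its holder as admin of every list, so a stolen or replayed cookie compromises the whole site rather than one list (the comment's wording implies the distributed default does not allow this). Either keep `ALLOW_SITE_ADMIN_COOKIES = No` or record the accepted trade-off next to it, e.g. `# Accepted: few site admins, UI only over HTTPS (DEFAULT_URL_PATTERN); a leaked site cookie grants every list.` Separately, the first `add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)` is called before `DEFAULT_EMAIL_HOST` and `DEFAULT_URL_HOST` are assigned to `{{ mailman.default_host }}`, so it presumably registers a host mapping built from the values inherited via `from Defaults import *`; dropping that first call and keeping only the one that follows the assignments removes the unintended mapping. `DEFAULT_SEND_REMINDERS = No` is also set twice and can lose one copy.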
@@ -0,0 +1,742 @@ +{{ ansible_header | comment }} +# Copyright (C) 1998-2018 by the Free Software Foundation, Inc. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, +# USA. + + +"""Library for program-based construction of an HTML documents. + +Encapsulate HTML formatting directives in classes that act as containers +for python and, recursively, for nested HTML formatting objects. +""" + + +# Eventually could abstract down to HtmlItem, which outputs an arbitrary html +# object given start / end tags, valid options, and a value. Ug, objects +# shouldn't be adding their own newlines. The next object should. + + +import types + +from Mailman import mm_cfg +from Mailman import Utils +from Mailman.i18n import _, get_translation + +from Mailman.CSRFcheck import csrf_token + +SPACE = ' ' +EMPTYSTRING = '' +NL = '\n' + + + +# Format an arbitrary object. +def HTMLFormatObject(item, indent): + "Return a presentation of an object, invoking their Format method if any." + if type(item) == type(''): + return item + elif not hasattr(item, "Format"): + return `item` + else: + return item.Format(indent) + +def CaseInsensitiveKeyedDict(d): + result = {} + for (k,v) in d.items(): + result[k.lower()] = v + return result + +# Given references to two dictionaries, copy the second dictionary into the +# first one. 
+def DictMerge(destination, fresh_dict): + for (key, value) in fresh_dict.items(): + destination[key] = value + +class Table: + def __init__(self, **table_opts): + self.cells = [] + self.cell_info = {} + self.row_info = {} + self.opts = table_opts + + def AddOptions(self, opts): + DictMerge(self.opts, opts) + + # Sets all of the cells. It writes over whatever cells you had there + # previously. + + def SetAllCells(self, cells): + self.cells = cells + + # Add a new blank row at the end + def NewRow(self): + self.cells.append([]) + + # Add a new blank cell at the end + def NewCell(self): + self.cells[-1].append('') + + def AddRow(self, row): + self.cells.append(row) + + def AddCell(self, cell): + self.cells[-1].append(cell) + + def AddCellInfo(self, row, col, **kws): + kws = CaseInsensitiveKeyedDict(kws) + if not self.cell_info.has_key(row): + self.cell_info[row] = { col : kws } + elif self.cell_info[row].has_key(col): + DictMerge(self.cell_info[row], kws) + else: + self.cell_info[row][col] = kws + + def AddRowInfo(self, row, **kws): + kws = CaseInsensitiveKeyedDict(kws) + if not self.row_info.has_key(row): + self.row_info[row] = kws + else: + DictMerge(self.row_info[row], kws) + + # What's the index for the row we just put in? + def GetCurrentRowIndex(self): + return len(self.cells)-1 + + # What's the index for the col we just put in? 
+ def GetCurrentCellIndex(self): + return len(self.cells[-1])-1 + + def ExtractCellInfo(self, info): + valid_mods = ['align', 'valign', 'nowrap', 'rowspan', 'colspan', + 'bgcolor'] + output = '' + + for (key, val) in info.items(): + if not key in valid_mods: + continue + if key == 'nowrap': + output = output + ' NOWRAP' + continue + else: + output = output + ' %s="%s"' % (key.upper(), val) + + return output + + def ExtractRowInfo(self, info): + valid_mods = ['align', 'valign', 'bgcolor'] + output = '' + + for (key, val) in info.items(): + if not key in valid_mods: + continue + output = output + ' %s="%s"' % (key.upper(), val) + + return output + + def ExtractTableInfo(self, info): + valid_mods = ['align', 'width', 'border', 'cellspacing', 'cellpadding', + 'bgcolor'] + + output = '' + + for (key, val) in info.items(): + if not key in valid_mods: + continue + if key == 'border' and val == None: + output = output + ' BORDER' + continue + else: + output = output + ' %s="%s"' % (key.upper(), val) + + return output + + def FormatCell(self, row, col, indent): + try: + my_info = self.cell_info[row][col] + except: + my_info = None + + output = '\n' + ' '*indent + '' + + for i in range(len(self.cells[row])): + output = output + self.FormatCell(row, i, indent + 2) + + output = output + '\n' + ' '*indent + '' + + return output + + def Format(self, indent=0): + output = '\n' + ' '*indent + '' + + for i in range(len(self.cells)): + output = output + self.FormatRow(i, indent + 2) + + output = output + '\n' + ' '*indent + '\n' + + return output + + +class Link: + def __init__(self, href, text, target=None): + self.href = href + self.text = text + self.target = target + + def Format(self, indent=0): + texpr = "" + if self.target != None: + texpr = ' target="%s"' % self.target + return '%s' % (HTMLFormatObject(self.href, indent), + texpr, + HTMLFormatObject(self.text, indent)) + +class FontSize: + """FontSize is being deprecated - use FontAttr(..., size="...") instead.""" + def 
__init__(self, size, *items): + self.items = list(items) + self.size = size + + def Format(self, indent=0): + output = '' % self.size + for item in self.items: + output = output + HTMLFormatObject(item, indent) + output = output + '' + return output + +class FontAttr: + """Present arbitrary font attributes.""" + def __init__(self, *items, **kw): + self.items = list(items) + self.attrs = kw + + def Format(self, indent=0): + seq = [] + for k, v in self.attrs.items(): + seq.append('%s="%s"' % (k, v)) + output = '' % SPACE.join(seq) + for item in self.items: + output = output + HTMLFormatObject(item, indent) + output = output + '' + return output + + +class Container: + def __init__(self, *items): + if not items: + self.items = [] + else: + self.items = items + + def AddItem(self, obj): + self.items.append(obj) + + def Format(self, indent=0): + output = [] + for item in self.items: + output.append(HTMLFormatObject(item, indent)) + return EMPTYSTRING.join(output) + + +class Label(Container): + align = 'right' + + def __init__(self, *items): + Container.__init__(self, *items) + + def Format(self, indent=0): + return ('
' % self.align) + \ + Container.Format(self, indent) + \ + '
' + + +# My own standard document template. YMMV. +# something more abstract would be more work to use... + +class Document(Container): + title = None + language = None + bgcolor = mm_cfg.WEB_BG_COLOR + suppress_head = 0 + + def set_language(self, lang=None): + self.language = lang + + def set_bgcolor(self, color): + self.bgcolor = color + + def SetTitle(self, title): + self.title = title + + def Format(self, indent=0, **kws): + charset = 'us-ascii' + if self.language and Utils.IsLanguage(self.language): + charset = Utils.GetCharSet(self.language) + output = ['Content-Type: text/html; charset=%s' % charset] + output.append('Cache-control: no-cache\n') + if not self.suppress_head: + kws.setdefault('bgcolor', self.bgcolor) + tab = ' ' * indent + output.extend([tab, + '', + '' + ]) + if mm_cfg.IMAGE_LOGOS: + output.append('' % + (mm_cfg.IMAGE_LOGOS + mm_cfg.SHORTCUT_ICON)) + # Hit all the bases + output.append('' % charset) + if self.title: + output.append('%s%s' % (tab, self.title)) + # Add CSS to visually hide some labeling text but allow screen + # readers to read it. + output.append("""\ + +""") + if mm_cfg.WEB_HEAD_ADD: + output.append(mm_cfg.WEB_HEAD_ADD) + output.append('%s' % tab) + quals = [] + # Default link colors + if mm_cfg.WEB_VLINK_COLOR: + kws.setdefault('vlink', mm_cfg.WEB_VLINK_COLOR) + if mm_cfg.WEB_ALINK_COLOR: + kws.setdefault('alink', mm_cfg.WEB_ALINK_COLOR) + if mm_cfg.WEB_LINK_COLOR: + kws.setdefault('link', mm_cfg.WEB_LINK_COLOR) + for k, v in kws.items(): + quals.append('%s="%s"' % (k, v)) + output.append('%s' % direction) + # Always do this... 
+ output.append(Container.Format(self, indent)) + if not self.suppress_head: + output.append('%s' % tab) + output.append('%s' % tab) + return NL.join(output) + + def addError(self, errmsg, tag=None): + if tag is None: + tag = _('Error: ') + self.AddItem(Header(3, Bold(FontAttr( + _(tag), color=mm_cfg.WEB_ERROR_COLOR, size='+2')).Format() + + Italic(errmsg).Format())) + + +class HeadlessDocument(Document): + """Document without head section, for templates that provide their own.""" + suppress_head = 1 + + +class StdContainer(Container): + def Format(self, indent=0): + # If I don't start a new I ignore indent + output = '<%s>' % self.tag + output = output + Container.Format(self, indent) + output = '%s' % (output, self.tag) + return output + + +class QuotedContainer(Container): + def Format(self, indent=0): + # If I don't start a new I ignore indent + output = '<%s>%s' % ( + self.tag, + Utils.websafe(Container.Format(self, indent)), + self.tag) + return output + +class Header(StdContainer): + def __init__(self, num, *items): + self.items = items + self.tag = 'h%d' % num + +class Address(StdContainer): + tag = 'address' + +class Underline(StdContainer): + tag = 'u' + +class Bold(StdContainer): + tag = 'strong' + +class Italic(StdContainer): + tag = 'em' + +class Preformatted(QuotedContainer): + tag = 'pre' + +class Subscript(StdContainer): + tag = 'sub' + +class Superscript(StdContainer): + tag = 'sup' + +class Strikeout(StdContainer): + tag = 'strike' + +class Center(StdContainer): + tag = 'center' + +class Form(Container): + def __init__(self, action='', method='POST', encoding=None, + mlist=None, contexts=None, user=None, *items): + apply(Container.__init__, (self,) + items) + self.action = action + self.method = method + self.encoding = encoding + self.mlist = mlist + self.contexts = contexts + self.user = user + + def set_action(self, action): + self.action = action + + def Format(self, indent=0): + spaces = ' ' * indent + encoding = '' + if self.encoding: + 
encoding = 'enctype="%s"' % self.encoding + output = '\n%s
\n' % ( + spaces, self.action, self.method, encoding) + if self.mlist: + output = output + \ + '\n' \ + % csrf_token(self.mlist, self.contexts, self.user) + output = output + Container.Format(self, indent+2) + output = '%s\n%s
\n' % (output, spaces) + return output + + +class InputObj: + def __init__(self, name, ty, value, checked, **kws): + self.name = name + self.type = ty + self.value = value + self.checked = checked + self.kws = kws + + def Format(self, indent=0): + charset = get_translation().charset() or 'us-ascii' + output = ['') + ret = SPACE.join(output) + if self.type == 'TEXT' and isinstance(ret, unicode): + ret = ret.encode(charset, 'xmlcharrefreplace') + return ret + + +class SubmitButton(InputObj): + def __init__(self, name, button_text): + InputObj.__init__(self, name, "SUBMIT", button_text, checked=0) + +class PasswordBox(InputObj): + def __init__(self, name, value='', size=mm_cfg.TEXTFIELDWIDTH): + InputObj.__init__(self, name, "PASSWORD", value, checked=0, size=size) + +class TextBox(InputObj): + def __init__(self, name, value='', size=mm_cfg.TEXTFIELDWIDTH): + if isinstance(value, str): + safevalue = Utils.websafe(value) + else: + safevalue = value + InputObj.__init__(self, name, "TEXT", safevalue, checked=0, size=size) + +class Hidden(InputObj): + def __init__(self, name, value=''): + InputObj.__init__(self, name, 'HIDDEN', value, checked=0) + +class TextArea: + def __init__(self, name, text='', rows=None, cols=None, wrap='soft', + readonly=0): + if isinstance(text, str): + # Double escape HTML entities in non-readonly areas. + doubleescape = not readonly + safetext = Utils.websafe(text, doubleescape) + else: + safetext = text + self.name = name + self.text = safetext + self.rows = rows + self.cols = cols + self.wrap = wrap + self.readonly = readonly + + def Format(self, indent=0): + charset = get_translation().charset() or 'us-ascii' + output = '