Au revoir cachan :'(

2022-02-24 13:22:00 +01:00 · 2022-02-24 13:22:00 +01:00 · ab78352554
parent db79b88812
commit ab78352554
25 changed files with 14 additions and 587 deletions
--- a/group_vars/all/borg.yml
+++ b/group_vars/all/borg.yml
@ -7,7 +7,7 @@ glob_borg:
    - /var
  path: /backup/borg
  remote:
-    - borg@zephir.adm.crans.org:/backup/borg/{{ ansible_hostname }}
+    - borg@zephir-c.adm.crans.org:/backup/borg/{{ ansible_hostname }}
  retention:
    - ["daily", 4]
    - ["monthly", 6]
--- a/group_vars/cachan/home_nounou.yml
+++ b/group_vars/cachan/home_nounou.yml
@ -1,8 +1,8 @@
 ---
 glob_home_nounou:
  mounts:
-    - ip: "{{ query('ldap', 'ip', 'gulp', 'cachan-adm') | ipv4 | first }}"
+    - ip: "{{ query('ldap', 'ip', 'charybde', 'cachan-adm') | ipv4 | first }}"
-      mountpoint: /rpool/home
+      mountpoint: /pool/home
      target: /home_nounou
      name: home_nounou
      owner: root
--- a/group_vars/cachan/ldap.yml
+++ b/group_vars/cachan/ldap.yml
@ -1,7 +0,0 @@
 ---
 glob_ldap:
  uri: 'ldaps://re2o-ldap.cachan-adm.crans.org/'
  users_base: 'cn=Utilisateurs,dc=crans,dc=org'
  servers:
    - "{{ query('ldap', 'ip', 'gulp', 'cachan-adm') | ipv4 | first }}"
  base: 'dc=crans,dc=org'
--- a/group_vars/cachan/mirror.yml
+++ b/group_vars/cachan/mirror.yml
@ -1,8 +0,0 @@
 ---
 glob_mirror:
  hostname: mirror.cachan-adm.crans.org
  ip: 172.17.10.30
 debian_mirror: http://mirror.cachan-adm.crans.org/debian
 debian_components: main contrib non-free
 proxmox_mirror: http://mirror.cachan-adm.crans.org/proxmox/debian/pve
--- a/group_vars/cachan/network_interfaces.yml
+++ b/group_vars/cachan/network_interfaces.yml
@ -1,23 +1,11 @@
 ---
 glob_network_interfaces:
  vlan:
    - name: cachan_srv
      id: 2
      gateway: "{{ query('ldap', 'ip', 'routeur-gulp', 'cachan-srv') | ipv4 | first }}"
      dns: "{{ query('ldap', 'ip', 'routeur-gulp', 'cachan-srv') | ipv4 | first }}"
      gateway_v6: "{{ query('ldap', 'ip', 'routeur-gulp', 'cachan-srv') | ipv6 | first }}"
    - name: cachan_srv_nat
      id: 3
      gateway: "{{ query('ldap', 'ip', 'routeur-gulp', 'cachan-srv-nat') | ipv4 | first }}"
      dns: "{{ query('ldap', 'ip', 'routeur-gulp', 'cachan-srv-nat') | ipv4 | first }}"
      gateway_v6: "{{ query('ldap', 'ip', 'routeur-gulp', 'cachan-srv-nat') | ipv6 | first }}"
    - name: cachan_adm
      id: 10
      dns: "{{ query('ldap', 'ip', 'routeur-gulp', 'cachan-adm') | ipv4 | first }}"
      extra:
        - "post-up /sbin/ip route add 172.16.10.0/24 via {{ query('ldap', 'ip', 'terenez', 'cachan-adm') | ipv4 | first }}"
    # extra_v6:
    #   - "post-up /sbin/ip -6 route add fd00:0:0:10::/64 {{ query('ldap', 'ip', 'terenez', 'cachan-adm') | ipv6 | first }}"
    - name: infra
      id: 11
      dns: "{{ query('ldap', 'ip', 'routeur-gulp', 'infra') | ipv4 | first }}"
--- a/group_vars/cachan/prometheus_nginx_exporter.yaml
+++ b/group_vars/cachan/prometheus_nginx_exporter.yaml
@ -1,3 +0,0 @@
 ---
 glob_prometheus_nginx_exporter:
  listen_addr: "{{ query('ldap', 'ip', ansible_hostname, 'cachan-adm') | ipv4 | first }}"
--- a/group_vars/cachan/rsyslog_client.yml
+++ b/group_vars/cachan/rsyslog_client.yml
@ -1,3 +0,0 @@
 ---
 glob_rsyslog_client:
  server: "{{ query('ldap', 'ip', 'gulp', 'cachan-adm') | ipv4 | first }}"
--- a/host_vars/charybde.cachan-adm.crans.org.yml
+++ b/host_vars/charybde.cachan-adm.crans.org.yml
@ -3,39 +3,9 @@ debian_mirror: 'file:/pool/mirror/pub/debian'
 interfaces:
  cachan_adm: eth0.10
  cachan_srv: eth1.2
  infra: eth0.111
 loc_ntp_server:
  open:
    - 172.17.10.0/24
    - 172.16.32.0/22
 loc_vsftpd:
  anonymous:
    root: /pool/mirror/pub
 loc_ftpsync:
  root: /pool/mirror/pub
 loc_rsync_mirror:
  root: /pool/mirror/pub
 loc_apt_mirror:
  root: /pool/mirror/pub
 loc_nginx:
  service_name: ftp
  ssl: []
  servers:
    - server_name:
        - "mirror"
        - "mirror.*"
      root: "/pool/mirror/pub"
      locations:
        - filter: "/"
          params:
            - "autoindex on"
            - "autoindex_exact_size off"
            - "add_before_body /.html/HEADER.html"
            - "add_after_body /.html/FOOTER.html"
--- a/host_vars/fyre.cachan-adm.crans.org.yml
+++ b/host_vars/fyre.cachan-adm.crans.org.yml
@ -1,103 +0,0 @@
 ---
 interfaces:
  cachan_adm: ens18
  infra: ens19
 glob_snmp_exporter:
  procurve_password: "{{ vault.snmp_procurve_password }}"
  unifi_password: "{{ vault.snmp_unifi_password }}"
 loc_ninjabot:
  config:
    nick: fyre
    server: irc.adm.crans.org
    port: 6667
    channel: "#monitoring"
 loc_prometheus:
  node:
    file: targets_node.json
    targets: "{{ groups['server'] | select('match', '^.*\\.cachan-adm\\.crans\\.org$')  | list | sort }}"
    config:
      - job_name: servers
        file_sd_configs:
          - files:
              - '/etc/prometheus/targets_node.json'
        relabel_configs:
          - source_labels: [__address__]
            target_label: __param_target
          - source_labels: [__param_target]
            target_label: instance
          - source_labels: [__param_target]
            target_label: __address__
            replacement: '$1:9100'
  ups_snmp:
    file: targets_ups_snmp.json
    targets:
      - pulsar.cachan-adm.crans.org  # 0B
      - quasar.cachan-adm.crans.org  # 4J
    config:
      - job_name: ups_snmp
        file_sd_configs:
          - files:
              - '/etc/prometheus/targets_ups_snmp.json'
        metrics_path: /snmp
        params:
          module: [eatonups]
        relabel_configs:
          - source_labels: [__address__]
            target_label: __param_target
          - source_labels: [__param_target]
            target_label: instance
          - target_label: __address__
            replacement: 127.0.0.1:9116
  unifi_snmp:
    file: targets_unifi_snmp.json
    targets: "{{ groups['crans_unifi'] | list | sort }}"
    config:
      - job_name: unifi_snmp
        file_sd_configs:
          - files:
              - '/etc/prometheus/targets_unifi_snmp.json'
        metrics_path: /snmp
        params:
          module: [ubiquiti_unifi]
        relabel_configs:
          - source_labels: [__address__]
            target_label: __param_target
          - source_labels: [__param_target]
            target_label: instance
          - target_label: __address__
            replacement: 127.0.0.1:9116
  nginx:
    file: targets_nginx.json
    targets: "{{ groups['nginx'] | select('match', '^.*\\.cachan-adm\\.crans\\.org$')  | list | sort }}"
    config:
      - job_name: nginx
        file_sd_configs:
          - files:
              - '/etc/prometheus/targets_nginx.json'
        relabel_configs:
          - source_labels: [__address__]
            target_label: instance
          - source_labels: [instance]
            target_label: __address__
            replacement: '$1:9117'
  mtail:
    file: targets_mtail.json
    targets:
      - gulp.cachan-adm.crans.org
    config:
      - job_name: mtail
        static_configs:
          - targets: ["gulp.cachan-adm.crans.org"]
        relabel_configs:
          - source_labels: [__address__]
            target_label: instance
          - source_labels: [instance]
            target_label: __address__
            replacement: '$1:3903'
--- a/host_vars/gulp.cachan-adm.crans.org.yml
+++ b/host_vars/gulp.cachan-adm.crans.org.yml
@ -1,58 +0,0 @@
 ---
 loc_slapd:
  ip: "{{ query('ldap', 'ip', 'gulp', 'cachan-adm') | ipv4 | first }}"
  replica: true
  replica_rid: 5
 glob_ntp_client:
  servers:
    - terenez.cachan-adm.crans.org
 debian_mirror: http://mirror.cachan-adm.crans.org/debian
 proxmox_mirror: http://mirror.cachan-adm.crans.org/proxmox/debian/pve
 loc_debian_images:
  rsync_host: 'mirror.cachan-adm.crans.org'
  rsync_module: 'ftp'
 loc_postgres:
  subnets:
    - 172.17.10.0/24
    - fd00:0:0:3010::/64
  version: 11
  hosts:
    - {db: re2o, user: re2o}
  addresses: "['gulp.cachan-adm.crans.org'] + {{ query('ldap', 'ip', 'gulp', 'cachan-adm') | ipaddr('address') }}"
  backup:
    dir: /var/local/db-backup
    frequency: "{{ 60 | random(seed=inventory_hostname) }} {{ ((24 | random(seed=inventory_hostname))+12)%24 }} * * *"
 loc_borg:
  remote:
    - borg@zephir.cachan-adm.crans.org:/backup/borg/{{ ansible_hostname }}
  ssh_options: ""
 glob_prometheus_node_exporter:
  listen_addr: "{{ query('ldap', 'ip', ansible_hostname, 'cachan-adm') | ipv4 | first }}"
 loc_rsyslog_server:
  name: gulp
  root: /var/log
  rules:
    - name: cablage
      rotate: 365
      ips:
        - 172.16.33
        - 172.16.34
      programs:
        - firewall
        - radiusd
        - dhcpd
  modules:
    - name: imudp
      index: 53
    - name: imrelp
      index: 52
      vars:
        - name: InputRELPServerRun
          value: 20514
--- a/host_vars/re2o-ldap.cachan-adm.crans.org.yml
+++ b/host_vars/re2o-ldap.cachan-adm.crans.org.yml
@ -1,3 +0,0 @@
 ---
 interfaces:
  cachan_adm: ens18
--- a/host_vars/re2o.cachan-adm.crans.org.yml
+++ b/host_vars/re2o.cachan-adm.crans.org.yml
@ -1,51 +0,0 @@
 ---
 interfaces:
  cachan_adm: ens18
  cachan_srv_nat: ens19
 loc_re2o:
  owner: root
  group: _nounou
  version: crans
  settings_local_owner: www-data
  settings_local_group: _nounou
  django_secret_key: "{{ vault.re2o_django_secret_key }}"
  aes_key: "{{ vault.re2o_aes_key }}"
  admins:
    - ('Root', 'root@crans.org')
  allowed_hosts:
    - "{{ query('ldap', 'ip', 're2o', 'cachan-adm') | ipv4 | first }}"
    - "[{{ query('ldap', 'ip', 're2o', 'cachan-adm') | ipv6 | first }}]"
    - "{{ query('ldap', 'ip', 'c3po', 'adm') | ipv4 | first }}"
    - "[{{ query('ldap', 'ip', 'c3po', 'adm') | ipv6 | first }}]"
    - re2o.cachan-adm.crans.org
    - intranet.cachan-adm.crans.org
    - re2o.adm.crans.org
    - re2o.crans.org
    - intranet.crans.org
  from_email: "root@crans.org"
  ldap:
    master_password: "{{ vault.ldap_master_password }}"
    uri: "ldap://{{ query('ldap', 'ip', 're2o-ldap', 'cachan-adm') | ipv4 | first }}/"
    dn: "cn=admin,dc=crans,dc=org"
  database:
    password: "{{ vault.re2o_db_password }}"
    uri: "{{ query('ldap', 'ip', 'gulp', 'cachan-adm') | ipv4 | first }}"
 loc_nginx:
  real_ip_from:
    - "172.17.0.0/16"
    - "fd00:0:0:3000::/56"
 loc_re2o_front:
  server_names:
    - "{{ query('ldap', 'ip', 're2o', 'cachan-adm') | ipv4 | first }}"
    - "[{{ query('ldap', 'ip', 're2o', 'cachan-adm') | ipv6 | first }}]"
    - "{{ query('ldap', 'ip', 'c3po', 'adm') | ipv4 | first }}"
    - "[{{ query('ldap', 'ip', 'c3po', 'adm') | ipv6 | first }}]"
    - re2o.cachan-adm.crans.org
    - intranet.cachan-adm.crans.org
    - re2o.adm.crans.org
    - re2o.crans.org
    - intranet.crans.org
--- a/host_vars/rodauh.cachan-adm.crans.org.yml
+++ b/host_vars/rodauh.cachan-adm.crans.org.yml
@ -1,28 +0,0 @@
 ---
 interfaces:
  cachan_adm: ens18
  cachan_srv: ens19
 loc_certbot:
  - mail: root@crans.org
    certname: crans.org
    domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
 loc_nginx:
  servers: []
  ssl:
    - name: crans.org
      cert: /etc/letsencrypt/live/crans.org/fullchain.pem
      cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
      trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
  real_ip_from:
    - "172.17.0.0/16"
    - "fd00:0:0:3000::/56"
 loc_reverseproxy:
  reverseproxy_sites:
    - {from: mirrors.crans.org, to: 172.17.10.30}
    - {from: intranet.crans.org, to: 172.17.10.203}
    - {from: re2o.crans.org, to: 172.17.10.203}
  redirect_sites: []
--- a/host_vars/routeur-gulp.cachan-adm.crans.org/bird.yml
+++ b/host_vars/routeur-gulp.cachan-adm.crans.org/bird.yml
@ -1,34 +0,0 @@
 ---
 loc_bird:
  ipv4:
    id: 158.255.113.73
    binds:
      - 158.255.113.73
    statics:
      - 185.230.76.0/24
    bgps:
      - name: zayo
        allow_local_as: 1
        local:
          as: 204515
        remote:
          as: 8218
          address: 158.255.113.72
        allow_export_prefixes:
          - 185.230.76.0/22+
  ipv6:
    id: 185.230.79.62
    binds:
      - 2001:1b48:2:103::bb:2
    statics:
      - 2a0c:700:3000::/36
    bgps:
      - name: zayo
        allow_local_as: 1
        local:
          as: 204515
        remote:
          as: 8218
          address: 2001:1b48:2:103::bb:1
        allow_export_prefixes:
          - 2a0c:700::/32+
--- a/host_vars/routeur-gulp.cachan-adm.crans.org/dhcp.yml
+++ b/host_vars/routeur-gulp.cachan-adm.crans.org/dhcp.yml
@ -1,62 +0,0 @@
 ---
 loc_dhcp:
  authoritative: true
  subnets:
    - network: "185.230.76.0/26"
      deny_unknown: true
      vlan: "cachan_adh"
      default_lease_time: "600"
      max_lease_time: "7200"
      routers: "185.230.76.62"
      dns: ["185.230.76.62"]
      domain_name: "adh.crans.org"
      domain_search: "adh.crans.org"
      options: []
      lease_file: "/var/local/services/dhcp/generated/dhcp.cachan-adh.crans.org.list"
    - network: "100.64.0.0/16"
      deny_unknown: true
      vlan: "adh_nat"
      default_lease_time: "600"
      max_lease_time: "7200"
      routers: "100.64.0.99"
      dns: ["100.64.0.99"]
      domain_name: "adh-nat.crans.org"
      domain_search: "adh-nat.crans.org"
      options: []
      lease_file: "/var/local/services/dhcp/generated/dhcp.adh-nat.crans.org.list"
    - network: "172.16.32.0/22"
      deny_unknown: true
      vlan: "infra"
      default_lease_time: "600"
      max_lease_time: "7200"
      dns: ["172.16.32.99"]
      domain_name: "infra.crans.org"
      domain_search: "infra.crans.org"
      options: []
      lease_file: "/var/local/services/dhcp/generated/dhcp.infra.crans.org.list"
    - network: 100.65.0.0/16
      vlan: "federez"
      default_lease_time: "600"
      max_lease_time: "7200"
      routers: "100.65.0.99"
      dns: ["100.65.0.99"]
      domain_name: "federez.net"
      domain_search: "federez.net"
      ranges:
        - min: 100.65.1.0
          max: 100.65.255.254
      options: []
 loc_service_dhcp:
  re2o:
    hostname: "{{ query('ldap', 'ip', 're2o', 'cachan-adm') | ipv4 | first }}"
    user: services
    password: "{{ vault.re2o_service_password }}"
  git:
    remote: https://gitlab.adm.crans.org/nounous/dhcp.git
    version: cachan
  config:
    subnets:
      adh-nat.crans.org: 100.64.0.0/16
      cachan-adh.crans.org: 185.230.76.0/26
      infra.crans.org: 172.16.32.0/22
--- a/host_vars/routeur-gulp.cachan-adm.crans.org/firewall.yml
+++ b/host_vars/routeur-gulp.cachan-adm.crans.org/firewall.yml
@ -1,9 +0,0 @@
 ---
 loc_service_firewall:
  re2o:
    hostname: "{{ query('ldap', 'ip', 're2o', 'cachan-adm') | ipv4 | first }}"
    user: services
    password: "{{ vault.re2o_service_password }}"
  git:
    remote: https://gitlab.adm.crans.org/nounous/firewall.git
    version: gulp
--- a/host_vars/routeur-gulp.cachan-adm.crans.org/radius.yml
+++ b/host_vars/routeur-gulp.cachan-adm.crans.org/radius.yml
@ -1,25 +0,0 @@
 ---
 loc_re2o:
  owner: freerad
  group: _nounou
  version: master_freeradius_python3
  settings_local_owner: freerad
  settings_local_group: _nounou
  django_secret_key: "{{ vault.re2o_django_secret_key }}"
  aes_key: "{{ vault.re2o_aes_key }}"
  admins:
    - ('Root', 'root@crans.org')
  allowed_hosts:
    - 're2o.cachan-adm.crans.org'
    - 'intranet.cachan-adm.crans.org'
  from_email: "root@crans.org"
  ldap:
    master_password: "{{ vault.ldap_master_password }}"
    uri: "ldap://{{ query('ldap', 'ip', 're2o-ldap', 'cachan-adm') | ipv4 | first }}/"
    dn: "cn=admin,dc=crans,dc=org"
  database:
    password: "{{ vault.re2o_db_password }}"
    uri: "{{ query('ldap', 'ip', 'gulp', 'cachan-adm') | ipv4 | first }}"
  optional_apps: []
--- a/host_vars/routeur-gulp.cachan-adm.crans.org/radvd.yml
+++ b/host_vars/routeur-gulp.cachan-adm.crans.org/radvd.yml
@ -1,24 +0,0 @@
 ---
 loc_radvd:
  subnets:
    - name: cachan_adh
      prefix: 2a0c:700:3012::/64
      dnssl: adh.crans.org
      dns:
        - "{{ query('ldap', 'ip', 'routeur-gulp', 'cachan-adh') | ipv6 | first }}"
    - name: adh_nat
      prefix: 2a0c:700:3013::/64
      dnssl: adh-nat.crans.org
      dns:
        - "{{ query('ldap', 'ip', 'routeur-gulp', 'cachan-adh') | ipv6 | first }}"
    - name: federez
      prefix: 2a0c:700:254::/64
      dnssl: federez.net
      dns:
        - 2a0c:700:254::ff:fe00:99fe
    - name: infra
      prefix: fd00:0:0:11::/64
      no_gateway: true
      dnssl: infra.crans.org
      dns:
        - fd00::11:0:ff:fe00:9911
--- a/host_vars/routeur-gulp.cachan-adm.crans.org/vars.yml
+++ b/host_vars/routeur-gulp.cachan-adm.crans.org/vars.yml
@ -1,10 +0,0 @@
 ---
 interfaces:
  adm: ens18
  srv: ens20
  srv_nat: ens21
  cachan_adh: ens22
  adh_nat: ens23
  infra: ens1
  zayo: ens2
  federez: enp1s3
--- a/host_vars/terenez.cachan-adm.crans.org.yml
+++ b/host_vars/terenez.cachan-adm.crans.org.yml
@ -1,41 +0,0 @@
 ---
 interfaces:
  cachan_adm: ens18
  cachan_srv: ens19
  infra: ens20
 # Don't route to adm so we redefine local network interfaces
 loc_network_interfaces:
  vlan:
    - name: cachan_srv
      id: 2
      gateway: "{{ query('ldap', 'ip', 'routeur-gulp', 'cachan-srv') | ipv4 | first }}"
      dns: "{{ query('ldap', 'ip', 'routeur-gulp', 'cachan-srv') | ipv4 | first }}"
      gateway_v6: "{{ query('ldap', 'ip', 'routeur-gulp', 'cachan-srv') | ipv6 | first }}"
    - name: cachan_adm
      id: 10
      dns: "{{ query('ldap', 'ip', 'routeur-gulp', 'cachan-adm') | ipv4 | first }}"
    - name: infra
      id: 11
      dns: "{{ query('ldap', 'ip', 'routeur-gulp', 'infra') | ipv4 | first }}"
 loc_ntp_server:
  open:
    - 172.17.10.0/24
    - 172.16.32.0/22
 loc_wireguard:
  tunnels:
    - name: "gulp"
      addresses:
        - "{{ query('ldap', 'ip', 'terenez', 'adm') | ipv4 | first }}/24"
        - "{{ query('ldap', 'ip', 'terenez', 'adm') | ipv6 | first }}/64"
      listen_port: 51820
      private_key: "{{ vault.wireguard_terenez_private_key }}"
      peers:
        - public_key: "{{ vault.wireguard_vol447_public_key }}"
          allowed_ips:
            - "{{ query('ldap', 'network', 'adm') }}"
            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
          endpoint: "{{ query('ldap', 'ip', 'vol447', 'srv') | ipv4 | first }}:51820"
      post_up: "/sbin/ip link set gulp alias adm"
--- a/host_vars/unifi.cachan-adm.crans.org.yml
+++ b/host_vars/unifi.cachan-adm.crans.org.yml
@ -1,5 +0,0 @@
 ---
 interfaces:
  cachan_adm: ens18
  cachan_srv_nat: ens19
  infra: ens20
--- a/host_vars/vol447.adm.crans.org.yml
+++ b/host_vars/vol447.adm.crans.org.yml
@ -9,10 +9,10 @@ loc_wireguard:
      listen_port: 51820
      private_key: "{{ vault.wireguard_vol447_private_key }}"
      peers:
-        - public_key: "{{ vault.wireguard_terenez_public_key }}"
+        - public_key: "{{ vault.wireguard_charybde_public_key }}"
          allowed_ips:
-            - "{{ query('ldap', 'ip', 'terenez', 'adm') | ipv4 | first }}/32"
+            - "{{ query('ldap', 'ip', 'charybde', 'adm') | ipv4 | first }}/32"
-            - "{{ query('ldap', 'ip', 'terenez', 'adm') | ipv6 | first }}/128"
+            - "{{ query('ldap', 'ip', 'charybde', 'adm') | ipv6 | first }}/128"
-          endpoint: "{{ query('ldap', 'ip', 'terenez', 'cachan-srv') | ipv4 | first }}:51820"
+          endpoint: "{{ query('ldap', 'ip', 'freebox', 'srv') | ipv4 | first }}:51820"
-      post_up: "sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.gulp.proxy_arp=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.gulp.proxy_ndp=1; ip neigh add proxy {{ query('ldap', 'ip', 'terenez', 'adm') | ipv6 | first }} dev ens18"
+      post_up: "sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.gulp.proxy_arp=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.gulp.proxy_ndp=1; ip neigh add proxy {{ query('ldap', 'ip', 'charybde', 'adm') | ipv6 | first }} dev ens18"
-      post_down: "sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.gulp.proxy_arp=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.gulp.proxy_ndp=0; ip neigh delete proxy {{ query('ldap', 'ip', 'terenez', 'adm') | ipv6 | first }} dev ens18"
+      post_down: "sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.gulp.proxy_arp=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.gulp.proxy_ndp=0; ip neigh delete proxy {{ query('ldap', 'ip', 'charybde', 'adm') | ipv6 | first }} dev ens18"
--- a/59
+++ b/59
@ -20,9 +20,6 @@ tealc.adm.crans.org
 [belenios]
 belenios.adm.crans.org
 [bird]
 routeur-gulp.cachan-adm.crans.org
 [bird:children]
 routeurs_vm
@ -125,15 +122,12 @@ linx.adm.crans.org
 mailman.adm.crans.org
 [mtail]
 gulp.cachan-adm.crans.org
 tealc.adm.crans.org
 [mirror_backend]
 charybde.cachan-adm.crans.org
 eclat.adm.crans.org
 [mirror_frontend]
 charybde.cachan-adm.crans.org
 tealc.adm.crans.org
 [nginx]
@ -157,7 +151,6 @@ wiki
 [ntp_server]
 charybde.cachan-adm.crans.org
 eclat.adm.crans.org
 terenez.cachan-adm.crans.org
 [opendkim:children]
 mailman
@ -173,11 +166,9 @@ ovh_physical
 [postgres]
 tealc.adm.crans.org
 gulp.cachan-adm.crans.org
 [postgres:children]
 virtu_adm
 virtu_cachan
 [prefix_delegation]
 routeur-sam.adm.crans.org
@ -189,27 +180,21 @@ helloworld.adm.crans.org
 [prometheus]
 monitoring.adm.crans.org
 fyre.cachan-adm.crans.org
 [prometheus_alertmanager]
 monitoring.adm.crans.org
 [radius]
 routeur-gulp.cachan-adm.crans.org
 [radvd:children]
 routeurs_vm
 [re2o]
-# re2o.adm.crans.org
+re2o.adm.crans.org
 re2o.cachan-adm.crans.org
 [re2o:children]
 radius
 [re2o_front]
-# re2o.adm.crans.org
+re2o.adm.crans.org
 re2o.cachan-adm.crans.org
 [re2o_ldap_replica]
 re2o-dev.adm.crans.org
@ -217,7 +202,6 @@ yson-partou.adm.crans.org
 [reverseproxy]
 hodaur.adm.crans.org
 rodauh.cachan-adm.crans.org
 sputnik.adm.crans.org
 [reverseproxy:children]
@ -226,43 +210,30 @@ gitlab
 [roundcube]
 roundcube.adm.crans.org
 [routeurs_cachan]
 routeur-gulp.cachan-adm.crans.org
 [routeurs_vm]
 routeur-daniel.adm.crans.org
 routeur-jack.adm.crans.org
 routeur-sam.adm.crans.org
 [routeurs_vm:children]
 routeurs_cachan
 [rsyncd]
 charybde.cachan-adm.crans.org
 eclat.adm.crans.org
 [rsyslog_server]
 gulp.cachan-adm.crans.org
 tealc.adm.crans.org
 [snmp]
 monitoring.adm.crans.org
 helloworld.adm.crans.org
 [unifi]
 unifi.cachan-adm.crans.org
 [slapd]
 tealc.adm.crans.org
 sam.adm.crans.org
 daniel.adm.crans.org
 jack.adm.crans.org
 sputnik.adm.crans.org
 gulp.cachan-adm.crans.org
 [sssd]
 zamok.adm.crans.org
 zamok-tmtc.adm.crans.org
 [thelounge]
 irc.adm.crans.org
@ -281,52 +252,29 @@ sam.adm.crans.org
 [virtu:children]
 virtu_adh
 virtu_adm
 virtu_cachan
 [virtu_cachan]
 gulp.cachan-adm.crans.org
 [vsftpd_mirror]
 charybde.cachan-adm.crans.org
 eclat.adm.crans.org
 ptf.adm.crans.org
 [vsftpd_cameras]
 zephir.cachan-adm.crans.org
 [wiki]
 kiwi.adm.crans.org
 sputnik.adm.crans.org
 [wireguard]
 boeing.adm.crans.org
 charybde.cachan-adm.crans.org
 sputnik.adm.crans.org
 terenez.cachan-adm.crans.org
 vol447.adm.crans.org
 [cachan:children]
 cachan_physical
 cachan_vm
 [cachan_physical]
 charybde.cachan-adm.crans.org
 omnomnom.cachan-adm.crans.org
 zephir.cachan-adm.crans.org
 [cachan_physical:children]
 virtu_cachan
 [cachan_vm]
 fyre.cachan-adm.crans.org
 re2o.cachan-adm.crans.org
 re2o-ldap.cachan-adm.crans.org
 rodauh.cachan-adm.crans.org
 terenez.cachan-adm.crans.org
 # unifi.cachan-adm.crans.org
 [cachan_vm:children]
 routeurs_cachan
 [crans_routeurs:children]
 routeurs_vm
@ -386,7 +334,6 @@ voyager.adm.crans.org
 yson-partou.adm.crans.org
 [crans_vm:children]
 cachan_vm
 routeurs_vm
 [ovh_physical]
--- a/plays/firewall.yml
+++ b/plays/firewall.yml
@ -1,13 +1,9 @@
 #!/usr/bin/env ansible-playbook
 ---
- hosts: routeurs_vm !routeur-gulp.cachan-adm.crans.org
+- hosts: routeurs_vm
  roles:
    - logall
 - hosts: routeur-gulp.cachan-adm.crans.org
  roles:
    - logall-cachan
 - hosts: firewall
  vars:
    service: "{{ glob_service_firewall | default({}) | combine(loc_service_firewall | default({})) }}"
--- a/plays/root.yml
+++ b/plays/root.yml
@ -21,7 +21,7 @@
  roles:
    - ldap-client
- hosts: server,!ovh_physical,!tealc.adm.crans.org,!gulp.cachan-adm.crans.org,!sam.adm.crans.org,!routeur-sam.adm.crans.org
+- hosts: server,!ovh_physical,!tealc.adm.crans.org,!sam.adm.crans.org,!routeur-sam.adm.crans.org
  vars:
    nfs_mount: "{{ glob_home_nounou | default({}) | combine(loc_home_nounou | default({})) }}"
  roles: