crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

pleasing erdnaxe and yamllint

certbot_on_virtu
_shirenn 2021-12-04 21:55:14 +01:00
parent a8bf67f18e
commit afbc9f2b58
77 changed files with 170 additions and 174 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.yamllint.yml
View File

@ -2,6 +2,5 @@
extends: default
rules:
line-length:
level: warning
line-length: disable
...

2
all.yml
View File

@ -10,7 +10,7 @@
# Common configuration
- import_playbook: plays/mail.yml
- import_playbook: plays/nfs.yml
#- import_playbook: plays/logs.yml TODO: rsyncd
# - import_playbook: plays/logs.yml TODO: rsyncd
- import_playbook: plays/backup.yml # import borgbackup_client/server.yml
# - import_playbook: plays/network-interfaces.yml TODO: check this paybook
- import_playbook: plays/monitoring.yml

1
group_vars/all/network_interfaces.yml
View File

@ -1,3 +1,4 @@
---
glob_network_interfaces:
vlan:
- name: srv

1
group_vars/cachan/network_interfaces.yml
View File

@ -1,3 +1,4 @@
---
glob_network_interfaces:
vlan:
- name: cachan_srv

4
group_vars/dhcp.yml
View File

@ -1,13 +1,13 @@
---
glob_dhcp:
global_options:
- { key: "interface-mtu", value: "1500" }
- {key: "interface-mtu", value: "1500"}
global_parameters: []
glob_service_dhcp:
name: dhcp
install_dir: /var/local/services/dhcp
generated: yes
generated: true
cron:
frequency: "*/2 * * * *"
options: -q

1
group_vars/dovecot.yml
View File

@ -1,3 +1,4 @@
---
glob_dovecot:
ldap:
uri: "ldap://{{ query('ldap', 'ip', 're2o-ldap', 'adm') | ipv4 | first }}/"

1
group_vars/ethercalc.yml
View File

@ -1,2 +1,3 @@
---
glob_ethercalc:
ip: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ipv4 | first }}"

1
group_vars/etherpad.yml
View File

@ -1,3 +1,4 @@
---
glob_etherpad:
instances:
- name: etherpad-lite

1
group_vars/firewall.yml
View File

@ -1,3 +1,4 @@
---
glob_service_firewall:
name: firewall
install_dir: /var/local/services/firewall

2
group_vars/framadate.yml
View File

@ -1,3 +1,4 @@
---
glob_framadate:
contact: contact@crans.org
automatic_response: no-reply@crans.org
@ -8,4 +9,3 @@ glob_framadate:
admin_username: framadate
admin_password: "{{ vault.framadate_password }}"
db_password: "{{ vault.framadate_password_db }}"

11
group_vars/horde.yml
View File

@ -1,3 +1,4 @@
---
glob_horde:
secret: '{{ vault.horde_secret }}'
imap: imap.adm.crans.org
@ -13,10 +14,10 @@ glob_horde:
- "'erdnaxe'"
redirection: https://wiki.crans.org/VieCrans/PagesDeDeconnexion/ERR_CHOOSE_WEBMAIL
src_hostname: horde.crans.org
dest_hostname : webmail.crans.org
admin_src_hostname : horde.adm.crans.org
admin_dest_hostname : webmail.adm.crans.org
zone_ipv4 : 172.16.10.0/24
zone_ipv6 : fd00:0:0:10::/64
dest_hostname: webmail.crans.org
admin_src_hostname: horde.adm.crans.org
admin_dest_hostname: webmail.adm.crans.org
zone_ipv4: 172.16.10.0/24
zone_ipv6: fd00:0:0:10::/64
ipv4: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ipv4 | first }}"
ipv6: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ipv6 | first }}"

2
group_vars/keepalived.yml
View File

@ -8,7 +8,7 @@ glob_keepalived:
VI_ALL:
password: "{{ vault.keepalived.password }}"
id: 60
ipv6: yes
ipv6: true
notify: /var/local/services/keepalived/keepalived.py
zones:
- vlan: via

1
group_vars/mirror_backend.yml
View File

@ -1,3 +1,4 @@
---
glob_ftpsync:
root: /mirror/pub
mirror:

1
group_vars/postgres.yml
View File

@ -1,3 +1,4 @@
---
glob_postgres:
subnets:
- 172.16.10.0/24

1
group_vars/radvd.yml
View File

@ -1 +1,2 @@
---
glob_radvd: {}

1
group_vars/reverseproxy.yml
View File

@ -1,3 +1,4 @@
---
loc_certbot:
- mail: root@crans.org
certname: crans.org

1
group_vars/roundcube.yml
View File

@ -1,3 +1,4 @@
---
glob_roundcube:
name: Crans
imap_server: owl.adm.crans.org

1
group_vars/rsyncd.yml
View File

@ -9,4 +9,3 @@ glob_rsyncd:
path: /pool/mirror/pub/videolan
comment: VideoLAN repository
hosts_allow: "*"

1
group_vars/server/ntp.yml
View File

@ -1,3 +1,4 @@
---
glob_ntp_client:
servers:
- ntp.adm.crans.org

1
group_vars/sssd.yml
View File

@ -1,3 +1,4 @@
---
glob_sssd:
primary:
domain: tealc.adm.crans.org

1
group_vars/thelounge.yml
View File

@ -1,3 +1,4 @@
---
glob_thelounge:
public: "false"
host: "undefined"

1
host_vars/c3po.adm.crans.org.yml
View File

@ -1,2 +1,3 @@
---
interfaces:
adm: eth0

1
host_vars/codichotomie.adm.crans.org.yml
View File

@ -1,3 +1,4 @@
---
interfaces:
adm: eth0
srv_nat: eth1

2
host_vars/daniel.adm.crans.org.yml
View File

@ -6,5 +6,5 @@ loc_slapd:
loc_postgres:
version: 11
replica: yes
replica: true
addresses: "['daniel.adm.crans.org'] + {{ query('ldap', 'ip', 'daniel', 'adm') | ipaddr('address') }}"

2
host_vars/gulp.cachan-adm.crans.org.yml
View File

@ -17,7 +17,7 @@ loc_postgres:
- fd00:0:0:3010::/64
version: 11
hosts:
- { db: re2o, user: re2o }
- {db: re2o, user: re2o}
addresses: "['gulp.cachan-adm.crans.org'] + {{ query('ldap', 'ip', 'gulp', 'cachan-adm') | ipaddr('address') }}"
backup:
dir: /var/local/db-backup

6
host_vars/irc.adm.crans.org.yml
View File

@ -50,7 +50,7 @@ loc_inspircd:
type: clients
clair: 6667
ssl: 6697
- address : 172.16.10.129
- address: 172.16.10.129
type: clients
clair: 6667
- address: 127.0.0.1
@ -79,7 +79,7 @@ loc_inspircd:
ipv6: fd00::10:ff:fe01:2110/128
threshold: 10
commandrate: 10000
modes: yes
modes: true
dns: 185.230.79.62
services:
name: services.irc.crans.org
@ -87,8 +87,6 @@ loc_inspircd:
recvpass: "{{ vault.irc_anope_recvpass }}"
sendpass: "{{ vault.irc_anope_sendpass }}"
loc_anope:
recvpass: "{{ vault.irc_anope_recvpass }}"
sendpass: "{{ vault.irc_anope_sendpass }}"

2
host_vars/jack.adm.crans.org.yml
View File

@ -6,5 +6,5 @@ loc_slapd:
loc_postgres:
version: 11
replica: yes
replica: true
addresses: "['jack.adm.crans.org'] + {{ query('ldap', 'ip', 'jack', 'adm') | ipaddr('address') }}"

20
host_vars/monitoring.adm.crans.org.yml
View File

@ -1,3 +1,4 @@
---
interfaces:
adm: eth0
srv_nat: eth1
@ -89,22 +90,3 @@ loc_prometheus:
- source_labels: [instance]
target_label: __address__
replacement: '$1:3903'
# apache:
# targets:
# config:
# - job_name: apache
# file_sd_configs:
# - files:
# - '/etc/prometheus/targets_apache.json'
# relabel_configs:
# - source_labels: [__address__]
# target_label: instance
# - source_labels: [instance]
# target_label: __address__
# replacement: '$1:9117'
# bird_targets:
# - routeur-sam.adm.crans.org

1
host_vars/owncloud.adm.crans.org.yml
View File

@ -8,4 +8,3 @@ loc_ldap:
base_dn: "cn=admin,dc=crans,dc=org"
password: "{{ vault.ldap_master_password }}"
uri: "ldap://172.16.10.157"

4
host_vars/routeur-daniel.adm.crans.org/dhcp.yml
View File

@ -1,9 +1,9 @@
---
loc_dhcp:
authoritative: True
authoritative: true
subnets:
- network: "185.230.78.0/24"
deny_unknown: True
deny_unknown: true
vlan: "adh"
default_lease_time: "600"
max_lease_time: "7200"

1
host_vars/routeur-daniel.adm.crans.org/radvd.yml
View File

@ -1,3 +1,4 @@
---
loc_radvd:
subnets:
- name: adh

8
host_vars/routeur-gulp.cachan-adm.crans.org/dhcp.yml
View File

@ -1,9 +1,9 @@
---
loc_dhcp:
authoritative: True
authoritative: true
subnets:
- network: "185.230.76.0/26"
deny_unknown: True
deny_unknown: true
vlan: "cachan_adh"
default_lease_time: "600"
max_lease_time: "7200"
@ -14,7 +14,7 @@ loc_dhcp:
options: []
lease_file: "/var/local/services/dhcp/generated/dhcp.cachan-adh.crans.org.list"
- network: "100.64.0.0/16"
deny_unknown: True
deny_unknown: true
vlan: "adh_nat"
default_lease_time: "600"
max_lease_time: "7200"
@ -25,7 +25,7 @@ loc_dhcp:
options: []
lease_file: "/var/local/services/dhcp/generated/dhcp.adh-nat.crans.org.list"
- network: "172.16.32.0/22"
deny_unknown: True
deny_unknown: true
vlan: "infra"
default_lease_time: "600"
max_lease_time: "7200"

2
host_vars/routeur-gulp.cachan-adm.crans.org/radvd.yml
View File

@ -18,7 +18,7 @@ loc_radvd:
- 2a0c:700:254::ff:fe00:99fe
- name: infra
prefix: fd00:0:0:11::/64
no_gateway: yes
no_gateway: true
dnssl: infra.crans.org
dns:
- fd00::11:0:ff:fe00:9911

1
host_vars/routeur-gulp.cachan-adm.crans.org/vars.yml
View File

@ -8,4 +8,3 @@ interfaces:
infra: ens1
zayo: ens2
federez: enp1s3

4
host_vars/routeur-jack.adm.crans.org/dhcp.yml
View File

@ -1,9 +1,9 @@
---
loc_dhcp:
authoritative: True
authoritative: true
subnets:
- network: "185.230.78.0/24"
deny_unknown: True
deny_unknown: true
vlan: "adh"
default_lease_time: "600"
max_lease_time: "7200"

1
host_vars/routeur-jack.adm.crans.org/radvd.yml
View File

@ -1,3 +1,4 @@
---
loc_radvd:
subnets:
- name: adh

4
host_vars/routeur-sam.adm.crans.org/dhcp.yml
View File

@ -1,9 +1,9 @@
---
loc_dhcp:
authoritative: True
authoritative: true
subnets:
- network: "185.230.78.0/24"
deny_unknown: True
deny_unknown: true
vlan: "adh"
default_lease_time: "600"
max_lease_time: "7200"

1
host_vars/routeur-sam.adm.crans.org/radvd.yml
View File

@ -1,3 +1,4 @@
---
loc_radvd:
subnets:
- name: adh

2
host_vars/sam.adm.crans.org.yml
View File

@ -6,5 +6,5 @@ loc_slapd:
loc_postgres:
version: 11
replica: yes
replica: true
addresses: "['sam.adm.crans.org'] + {{ query('ldap', 'ip', 'sam', 'adm') | ipaddr('address') }}"

2
host_vars/sputnik.adm.crans.org.yml
View File

@ -73,7 +73,7 @@ loc_nginx:
servers:
- server_name:
- "wiki2.crans.org"
ssl : "crans.org"
ssl: "crans.org"
access_log: "/var/log/nginx/wiki.log combined"
error_log: "/var/log/nginx/wiki.error.log"
additional_params:

31
host_vars/tealc.adm.crans.org.yml
View File

@ -1,29 +1,30 @@
---
loc_postgres:
version: 11
hosts:
- db: etherpad
user: crans
map: { name: etherpad, system: etherpad, pg: crans }
map: {name: etherpad, system: etherpad, pg: crans}
- db: etherpad_tmp
user: crans
map: { name: etherpad_tmp, system: etherpad, pg: crans }
map: {name: etherpad_tmp, system: etherpad, pg: crans}
- db: horde5
user: www-data
map: { name: horde, system: www-data, pg: www-data }
map: {name: horde, system: www-data, pg: www-data}
- db: roundcube
user: roundcube
map: { name: webmail, system: www-data, pg: roundcube }
- { db: owncloud, user: owncloud }
- { db: cas, user: cas }
- { db: hedgedoc, user: hedgedoc }
- { db: sqlgrey, user: sqlgrey, method: ident }
- { db: re2o, user: re2o }
- { db: re2o_test, user: re2o }
- { db: constellation-dev, user: constellation-dev }
- { db: mailman3, user: mailman3 }
- { db: mailman3web, user: mailman3web }
- { db: all, user: all, subnets: ['127.0.0.1/32','::1/128'], local: yes }
- { db: replication, user: replication, local: yes }
map: {name: webmail, system: www-data, pg: roundcube}
- {db: owncloud, user: owncloud}
- {db: cas, user: cas}
- {db: hedgedoc, user: hedgedoc}
- {db: sqlgrey, user: sqlgrey, method: ident}
- {db: re2o, user: re2o}
- {db: re2o_test, user: re2o}
- {db: constellation-dev, user: constellation-dev}
- {db: mailman3, user: mailman3}
- {db: mailman3web, user: mailman3web}
- {db: all, user: all, subnets: ['127.0.0.1/32', '::1/128'], local: true}
- {db: replication, user: replication, local: true}
addresses: "['tealc.adm.crans.org'] + {{ query('ldap', 'ip', 'tealc', 'adm') | ipaddr('address') }}"
backup:
dir: /var/local/db-backup

1
host_vars/voyager.adm.crans.org.yml
View File

@ -1,3 +1,4 @@
---
interfaces:
adm: ens18
srv_nat: ens19

2
plays/monitoring.yml
View File

@ -40,7 +40,7 @@
- prometheus-nginx-exporter
# Monitor mailq with a special text exporter
#- hosts: redisdead.adm.crans.org
# - hosts: redisdead.adm.crans.org
# roles: ["prometheus-node-exporter-postfix"]
# Monitor logs with mtail

2
plays/zamok.yml
View File

@ -8,5 +8,5 @@
adh: '{{ glob_adh | combine(loc_adh | default({}), recursive=True) }}'
roles:
- zamok-tools
# - postfix
# - postfix
- prometheus-node-exporter-postfix

1
roles/autoconfig/tasks/main.yml
View File

@ -1,3 +1,4 @@
---
- name: Create base directory
file:
path: "{{ autoconfig.path }}/mail"

4
roles/borgbackup-server/tasks/main.yml
View File

@ -11,9 +11,9 @@
- name: Create borgbackup user
user:
create_home: yes
create_home: true
home: '/var/lib/borg/'
system: yes
system: true
state: present
update_password: always
name: borg

2
roles/common-tools/tasks/main.yml
View File

@ -53,7 +53,7 @@
owner: root
group: utmp
mode: '4755'
check_mode: no
check_mode: false
- name: Deploy screen tmpfile
template:

2
roles/django-cas/tasks/main.yml
View File

@ -17,7 +17,7 @@
git:
repo: '{{ django_cas.repo }}'
dest: '{{ django_cas.path }}'
force: yes
force: true
version: master
umask: '002'

1
roles/dovecot/tasks/main.yml
View File

@ -1,3 +1,4 @@
---
- name: Install dovecot
apt:
update_cache: true

2
roles/etherpad/handlers/main.yml
View File

@ -4,5 +4,3 @@
name: "{{ item.name }}"
state: restarted
loop: "{{ etherpad.instances }}"

8
roles/freeradius/tasks/main.yml
View File

@ -44,21 +44,21 @@
src: /var/www/re2o/freeradius_utils/auth.py
dest: /etc/freeradius/3.0/auth.py
state: link
force: yes
force: true
notify: Restart freeradius
- name: Ensure ${certdir}/letsencrypt directory exists
file:
path: /etc/freeradius/3.0/certs/letsencrypt
state: directory
recurse: yes
recurse: true
- name: Symlink radius certificates
file:
src: /etc/letsencrypt/live/crans.org/{{ item }}
dest: /etc/freeradius/3.0/certs/letsencrypt/{{ item }}
state: link
force: yes
force: true
loop:
- fullchain.pem
- privkey.pem
@ -68,7 +68,7 @@
path: /etc/letsencrypt/{{ item }}
group: freerad
mode: '0755'
recurse: yes
recurse: true
loop:
- live
- archive

4
roles/galene/tasks/main.yml
View File

@ -75,8 +75,8 @@
- name: Enable systemd unit
systemd:
name: galene
enabled: yes
daemon_reload: yes
enabled: true
daemon_reload: true
state: started
- name: Indicate role in motd

14
roles/inspircd/tasks/main.yml
View File

@ -1,6 +1,4 @@
---
#- name: Install InspIRCd
- name: Deploy InspIRCd configuration
template:
src: "inspircd/{{ item.dest }}.j2"
@ -9,12 +7,12 @@
owner: irc
group: irc
loop:
- { dest: inspircd.conf, mode: "0644" }
- { dest: links.conf, mode: "0600" }
- { dest: power.conf, mode: "0600" }
- { dest: opers.conf, mode: "0600" }
- { dest: modules.conf, mode: "0600" }
- { dest: inspircd.motd, mode: "0644" }
- {dest: inspircd.conf, mode: "0644"}
- {dest: links.conf, mode: "0600"}
- {dest: power.conf, mode: "0600"}
- {dest: opers.conf, mode: "0600"}
- {dest: modules.conf, mode: "0600"}
- {dest: inspircd.motd, mode: "0644"}
notify: Reload InspIRCd
- name: Deploy certificate refresh CRON

2
roles/keepalived/tasks/main.yml
View File

@ -56,4 +56,4 @@
name: keepalived
daemon-reload: true
state: started
enabled: yes
enabled: true

6
roles/linx/tasks/main.yml
View File

@ -1,11 +1,11 @@
---
#- name: Install linx
# - name: Install linx
- name: Create linx user
user:
create_home: yes
create_home: true
home: /var/lib/linx
system: yes
system: true
state: present
password: "!"
update_password: always

7
roles/nfs-common/tasks/main.yml
View File

@ -16,11 +16,10 @@
- name: Disable and mask rpcbind.service
systemd:
name: rpcbind.service
enabled: no
masked: yes
enabled: false
masked: true
- name:
systemd:
name: rpcbind.socket
masked: yes
masked: true

2
roles/ntp-server/tasks/main.yml
View File

@ -12,7 +12,7 @@
path: /etc/default/ntp
regexp: '^NTPD_OPTS'
line: NTPD_OPTS='-g -x'
check_mode: no
check_mode: false
- name: Configure NTP
template:

5
roles/policyd/tasks/main.yml
View File

@ -1,3 +1,4 @@
---
- name: Install policyd-rate-limit
apt:
update_cache: true
@ -17,8 +18,8 @@
dest: "{{ item.dest }}"
chmod: 0640
loop:
- { src: policyd/policyd-rate-limit.yaml.j2, dest: /etc/policyd-rate-limit.yaml }
- { src: policyd/policyd.py.j2, dest: /usr/lib/python3/dist-packages/policyd_rate_limit }
- {src: policyd/policyd-rate-limit.yaml.j2, dest: /etc/policyd-rate-limit.yaml}
- {src: policyd/policyd.py.j2, dest: /usr/lib/python3/dist-packages/policyd_rate_limit}
when: postfix.primary
- name: Indicate role in motd

2
roles/prometheus-node-exporter/handlers/main.yml
View File

@ -6,4 +6,4 @@
- name: systemctl daemon-reload
systemd:
daemon_reload: yes
daemon_reload: true

2
roles/prometheus-node-exporter/tasks/main.yml
View File

@ -40,7 +40,7 @@
- name: systemctl daemon-reload
systemd:
daemon_reload: yes
daemon_reload: true
when: override.changed
- name: Activate prometheus-node-exporter service

2
roles/re2o-ldap-replica/tasks/main.yml
View File

@ -103,7 +103,7 @@
regexp: '^SLAPD_SERVICES='
line: 'SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"'
notify: Restart slapd
check_mode: no
check_mode: false
- name: Touch installation marker
when: not installation.stat.exists

8
roles/slapd/tasks/main.yml
View File

@ -21,9 +21,9 @@
owner: openldap
group: openldap
loop:
- { dest: slapd.conf, mode: "0600" }
- { dest: ldap.key, mode: "0600" }
- { dest: ldap.pem, mode: "0644" }
- {dest: slapd.conf, mode: "0600"}
- {dest: ldap.key, mode: "0600"}
- {dest: ldap.pem, mode: "0644"}
notify: Restart slapd
- name: Deploy ldap services
@ -32,4 +32,4 @@
regexp: '^SLAPD_SERVICES='
line: 'SLAPD_SERVICES="ldaps://{{ slapd.ip }}/ ldapi:///"'
notify: Restart slapd
check_mode: no
check_mode: false

6
roles/statping/tasks/main.yml
View File

@ -3,13 +3,13 @@
unarchive:
src: https://github.com/statping/statping/releases/download/v0.90.74/statping-linux-amd64.tar.gz
dest: /usr/local/bin/
remote_src: yes
remote_src: true
- name: Create statping user
user:
create_home: yes
create_home: true
home: /var/lib/statping
system: yes
system: true
state: present
password: "!"
update_password: always