From e9fdfde4174da27e36081379d76a4e73e04cd53e Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 20 Apr 2020 18:56:42 +0200
Subject: [PATCH 01/56] [interfaces] Deploy /etc/network/interfaces for adm

---
 interfaces.yml                                  | 12 ++++++++++++
 roles/interfaces/tasks/main.yml                 |  7 +++++++
 .../templates/network/interfaces.d/02-adm.j2    | 17 +++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100755 interfaces.yml
 create mode 100644 roles/interfaces/tasks/main.yml
 create mode 100644 roles/interfaces/templates/network/interfaces.d/02-adm.j2

diff --git a/interfaces.yml b/interfaces.yml
new file mode 100755
index 00000000..0d028edc
--- /dev/null
+++ b/interfaces.yml
@@ -0,0 +1,12 @@
+#!/usr/bin/env ansible-playbook
+---
+# Set variable adm_iface for all servers
+- hosts: server
+  tasks:
+    - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+      register: adm_iface
+      check_mode: no
+
+- hosts: boeing.adm.crans.org
+  roles:
+    - interfaces
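Review bot: The `shell` task on the `grep adm …` line has no `name` and no `changed_when`, so it reports `changed` on every run, and `grep adm` is a substring match over every ifalias: an alias such as `badm`, or two interfaces tagged adm, puts several lines into `adm_iface.stdout`, which the templates later interpolate as a single interface name. Add `changed_when: false` and anchor the match, e.g. `shell: grep -x adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"`, and consider `failed_when: adm_iface.stdout_lines | length > 1` if more than one hit should stop the play for that host. `check_mode: no` would read better as `check_mode: false` (yamllint truthy). The same pattern is repeated for srv/ens in the interfaces.yml hunk of patch 02 and for fil in patch 05.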
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
new file mode 100644
index 00000000..095878e4
--- /dev/null
+++ b/roles/interfaces/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Deploy adm interface config
+  template:
+    src: network/interfaces.d/02-adm.j2
+    dest: /etc/network/interfaces.d/02-adm
+    mode: 0644
+  when: adm_iface.stdout
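Review bot: `mode: 0644` is left to the YAML parser — a YAML 1.1 loader reads it as octal 420, which Ansible then treats as 0644, but a 1.2 loader or a linter will not; quoting it as `mode: "0644"` removes the ambiguity. The task also depends on `adm_iface`, which is registered by the separate `hosts: server` play in interfaces.yml, so a host that is targeted by this role without having been in that play fails on an undefined variable. The file is written without `backup: true` and without a handler, so the rendered stanza only takes effect at the next reboot or a manual ifdown/ifup, which is worth stating in the task name or a comment. Every template task added to this role in patches 02 and 05 has the same shape.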
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
new file mode 100644
index 00000000..79cbe5fa
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -0,0 +1,17 @@
+{{ ansible_header | comment }}
+
+allow-hotplug {{ adm_iface.stdout }}
+iface {{ adm_iface.stdout }} inet static
+	address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.address }}
+	network {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.network }}
+	netmask {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.netmask }}
+	broadcast {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.broadcast }}
+	dns-nameservers 10.231.136.152 10.231.136.4
+	dns-search adm.crans.org
+	up /sbin/ip link set $IFACE alias adm
+
+iface {{ adm_iface.stdout }} inet6 static
+	address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }}
+	autoconf 1
+	accept_ra 2
+	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
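Review bot: `ipv6[0]` on the inet6 `address` line takes the first entry of the fact list, which is not guaranteed to be the global address — Ansible's ipv6 facts carry a `scope` field and a link-local entry can come first, in which case the stanza pins an fe80:: address as `inet6 static`. Select by scope instead, e.g. `{% set v6 = (hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6 | selectattr('scope', 'equalto', 'global') | list | first) %}` and then `address {{ v6.address }}/{{ v6.prefix }}`. More generally the whole static stanza is rendered from the host's current runtime facts, so the play persists whatever the interface happens to have at run time (a DHCP lease or a temporary address included) rather than an intended value from inventory; a top-of-template comment such as `{# Source of truth is the running host: addresses are copied from ansible facts, not from inventory #}` would make that explicit. 00-srv.j2 and 01-ens.j2 in patch 02 and 21-fil.j2 in patch 05 use the same `ipv6[0]` expression.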

From 4b5c16e68373ac18936c113d89524f66be9abb22 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 20 Apr 2020 19:46:47 +0200
Subject: [PATCH 02/56] [interfaces] Deploy /etc/network/interfaces for srv and
 ens

---
 interfaces.yml                                | 12 +++++++++++
 roles/interfaces/tasks/main.yml               | 20 +++++++++++++++++++
 .../templates/network/interfaces.d/00-srv.j2  | 19 ++++++++++++++++++
 .../templates/network/interfaces.d/01-ens.j2  | 19 ++++++++++++++++++
 .../templates/network/interfaces.d/02-adm.j2  |  6 ++----
 .../templates/network/interfaces.j2           | 10 ++++++++++
 6 files changed, 82 insertions(+), 4 deletions(-)
 create mode 100644 roles/interfaces/templates/network/interfaces.d/00-srv.j2
 create mode 100644 roles/interfaces/templates/network/interfaces.d/01-ens.j2
 create mode 100644 roles/interfaces/templates/network/interfaces.j2

diff --git a/interfaces.yml b/interfaces.yml
index 0d028edc..872d81ee 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -6,7 +6,19 @@
     - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
       register: adm_iface
       check_mode: no
+    - shell: grep srv /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+      register: srv_iface
+      check_mode: no
+    - shell: grep ens /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+      register: ens_iface
+      check_mode: no
 
 - hosts: boeing.adm.crans.org
+  vars:
+    - adm_dns: 10.231.136.152 10.231.136.4
+    - srv_gateway: 185.230.79.254
+    - srv_dns: 185.230.79.152 185.230.79.4
+    - ens_gateway: 138.231.136.254
+    - ens_dns: 138.231.136.152 138.231.136.4
   roles:
     - interfaces
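Review bot: `vars:` on the added lines is written as a list of one-key mappings; Ansible accepts the list form, but the mapping form is the documented one and is what `group_vars`/`host_vars` use, so the values can later move there without rewriting. Gateways and resolvers for three networks are site data rather than play logic, so they belong in inventory variables instead of the playbook. Changed lines: `vars:` / `  srv_gateway: 185.230.79.254` / `  srv_dns: 185.230.79.152 185.230.79.4`, and likewise for the other three.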
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index 095878e4..336a267d 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -1,4 +1,24 @@
 ---
+- name: Deploy default interfaces config
+  template:
+    src: network/interfaces.j2
+    dest: /etc/network/interfaces
+    mode: 0644
+
+- name: Deploy srv interface config
+  template:
+    src: network/interfaces.d/00-srv.j2
+    dest: /etc/network/interfaces.d/00-srv
+    mode: 0644
+  when: srv_iface.stdout
+
+- name: Deploy ens interface config
+  template:
+    src: network/interfaces.d/01-ens.j2
+    dest: /etc/network/interfaces.d/01-ens
+    mode: 0644
+  when: ens_iface.stdout
+
 - name: Deploy adm interface config
   template:
     src: network/interfaces.d/02-adm.j2
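Review bot: The new first task writes /etc/network/interfaces unconditionally and without `backup: true`, replacing whatever stanzas the host had; on a host where none of the `*_iface` detections succeed, every existing interface definition is gone and only `lo` remains after the next ifdown/ifup or reboot. Either guard it like the others — e.g. `when: srv_iface.stdout or ens_iface.stdout or adm_iface.stdout` — or at least keep `backup: true` so the previous file can be restored. The three `mode: 0644` values would be safer quoted as `"0644"`. The adm task at the end of the hunk continues outside it.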
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
new file mode 100644
index 00000000..4c7468a1
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -0,0 +1,19 @@
+{{ ansible_header | comment }}
+
+allow-hotplug {{ srv_iface.stdout }}
+iface {{ srv_iface.stdout }} inet static
+	address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.address }}
+	network {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.network }}
+	netmask {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.netmask }}
+	broadcast {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.broadcast }}
+	gateway {{ srv_gateway }}
+	mtu 1496
+	dns-nameservers {{ srv_dns }}
+	dns-search crans.org
+	up /sbin/ip link set $IFACE alias srv
+
+iface {{ srv_iface.stdout }} inet6 static
+	address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].prefix }}
+	autoconf 1
+	accept_ra 2
+	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
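Review bot: `mtu 1496` appears in this stanza and in every other template of the role with no explanation, and a non-default MTU is exactly the value the next maintainer will want to understand before touching it. A one-line comment above it, e.g. `# mtu 1496: <reason — TODO fill in>` (ifupdown treats `#` lines as comments), would record why 1500 is not used.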
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
new file mode 100644
index 00000000..d168be5d
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -0,0 +1,19 @@
+{{ ansible_header | comment }}
+
+allow-hotplug {{ ens_iface.stdout }}
+iface {{ ens_iface.stdout }} inet static
+	address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.address }}
+	network {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.network }}
+	netmask {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.netmask }}
+	broadcast {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.broadcast }}
+	gateway {{ ens_gateway }}
+	mtu 1496
+	dns-nameservers {{ ens_dns }}
+	dns-search crans.org
+	up /sbin/ip link set $IFACE alias ens
+
+iface {{ ens_iface.stdout }} inet6 static
+	address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].prefix }}
+	autoconf 1
+	accept_ra 2
+	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
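Review bot: This stanza sets `gateway {{ ens_gateway }}` while 00-srv.j2 sets `gateway {{ srv_gateway }}`, so a host that carries both an srv and an ens alias gets two IPv4 default routes from ifupdown; the second `ifup` then fails with a netlink "File exists" error unless the routes are distinguished. If both interfaces are meant to coexist on one host, only one stanza should carry `gateway`, or each should add a `metric` line (interfaces(5) supports `metric` for the static method) so the kernel accepts both. Patch 05's 21-fil.j2 adds a third `gateway` with the same issue.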
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index 79cbe5fa..d0b5b833 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -6,12 +6,10 @@ iface {{ adm_iface.stdout }} inet static
 	network {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.network }}
 	netmask {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.netmask }}
 	broadcast {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.broadcast }}
-	dns-nameservers 10.231.136.152 10.231.136.4
+	mtu 1496
+	dns-nameservers {{ adm_dns }}
 	dns-search adm.crans.org
 	up /sbin/ip link set $IFACE alias adm
 
 iface {{ adm_iface.stdout }} inet6 static
 	address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }}
-	autoconf 1
-	accept_ra 2
-	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
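Review bot: Removing `autoconf 1`, `accept_ra 2` and the `accept_ra_defrtr` sysctl from the adm inet6 stanza changes IPv6 behaviour on the adm interface, but the commit subject only mentions srv and ens and the message gives no reason. Either split that change into its own commit or add a line to the message stating why adm should not accept router advertisements while srv and ens still do. The stanza starts above the hunk.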
diff --git a/roles/interfaces/templates/network/interfaces.j2 b/roles/interfaces/templates/network/interfaces.j2
new file mode 100644
index 00000000..0c339966
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.j2
@@ -0,0 +1,10 @@
+{{ ansible_header | comment }}
+
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
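Review bot: `source /etc/network/interfaces.d/*` picks up every file in that directory, including hand-written or previously deployed stanzas the role does not manage, so a stale file for an interface that no longer carries an alias stays active after this template is deployed. If the directory is meant to be role-owned, a comment saying so here, e.g. `# interfaces.d is managed by the interfaces role; unmanaged files are still sourced`, sets expectations, and a task that prunes files not in the managed set would enforce it.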

From a6392502b9fce9ed7de7acac9a483703c5827c81 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 20 Apr 2020 20:45:00 +0200
Subject: [PATCH 03/56] [interfaces] Add supplementary lines from local facts

---
 .../interfaces/templates/network/interfaces.d/01-ens.j2  | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index d168be5d..c7a34671 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -11,6 +11,15 @@ iface {{ ens_iface.stdout }} inet static
 	dns-nameservers {{ ens_dns }}
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias ens
+{% if 'interfaces' in ansible_local %}
+{% if ens_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_4' in ansible_local.interfaces[ens_iface.stdout] %}
+{% for line in ansible_local.interfaces[ens_iface.stdout].sup_if_4 %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
 
 iface {{ ens_iface.stdout }} inet6 static
 	address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].prefix }}
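Review bot: The three nested `{% if %}` blocks added before the loop exist only to avoid undefined-key errors and can be collapsed into one line, `{% for line in ansible_local.get('interfaces', {}).get(ens_iface.stdout, {}).get('sup_if_4', []) %}`, which leaves the loop body as the only content. The lines themselves are inserted verbatim from a host-local fact file, so `up`/`pre-up` commands that ifupdown runs as root can be introduced on the host rather than in this repository; a short comment above the loop, e.g. `{# extra lines from /etc/ansible/facts.d (host-local, not reviewed here) #}`, would make that source visible to whoever reads the rendered file.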

From 2667c3d696652bad1fad81d79badf768ed3697b1 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 20 Apr 2020 22:27:17 +0200
Subject: [PATCH 04/56] [interfaces] Add supplementary lines from local facts
 to all interfaces

---
 .../templates/network/interfaces.d/00-srv.j2   | 18 ++++++++++++++++++
 .../templates/network/interfaces.d/01-ens.j2   |  9 +++++++++
 .../templates/network/interfaces.d/02-adm.j2   | 18 ++++++++++++++++++
 3 files changed, 45 insertions(+)

diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 4c7468a1..7fc0390f 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -11,9 +11,27 @@ iface {{ srv_iface.stdout }} inet static
 	dns-nameservers {{ srv_dns }}
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias srv
+{% if 'interfaces' in ansible_local %}
+{% if srv_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_4' in ansible_local.interfaces[srv_iface.stdout] %}
+{% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_4 %}
+        {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
 
 iface {{ srv_iface.stdout }} inet6 static
 	address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].prefix }}
 	autoconf 1
 	accept_ra 2
 	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
+{% if 'interfaces' in ansible_local %}
+{% if srv_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_6' in ansible_local.interfaces[srv_iface.stdout] %}
+{% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_6 %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
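Review bot: The inet loop added here is indented with eight spaces while the inet6 loop below it and every other template use a tab; ifupdown tolerates either, but the mismatch shows the block was pasted rather than shared. With this commit the same nine-line nested-if block exists eight times across 00-srv.j2, 01-ens.j2 and 02-adm.j2, differing only in the interface variable and the `sup_if_4`/`sup_if_6` key, so a single macro imported with context would leave one copy to maintain (the role's templates directory should be on the template search path, worth confirming). Each use then becomes one line, `{{ sup_lines(srv_iface.stdout, 'sup_if_4') }}`.

```jinja
{# constructed example, e.g. templates/network/_sup_lines.j2 #}
{% macro sup_lines(iface, key) -%}
{% for line in ansible_local.get('interfaces', {}).get(iface, {}).get(key, []) %}
	{{ line }}
{% endfor %}
{%- endmacro %}
```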
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index c7a34671..e94243b1 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -26,3 +26,12 @@ iface {{ ens_iface.stdout }} inet6 static
 	autoconf 1
 	accept_ra 2
 	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
+{% if 'interfaces' in ansible_local %}
+{% if ens_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_6' in ansible_local.interfaces[ens_iface.stdout] %}
+{% for line in ansible_local.interfaces[ens_iface.stdout].sup_if_6 %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index d0b5b833..bd928eae 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -10,6 +10,24 @@ iface {{ adm_iface.stdout }} inet static
 	dns-nameservers {{ adm_dns }}
 	dns-search adm.crans.org
 	up /sbin/ip link set $IFACE alias adm
+{% if 'interfaces' in ansible_local %}
+{% if adm_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_4' in ansible_local.interfaces[adm_iface.stdout] %}
+{% for line in ansible_local.interfaces[adm_iface.stdout].sup_if_4 %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
 
 iface {{ adm_iface.stdout }} inet6 static
 	address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }}
+{% if 'interfaces' in ansible_local %}
+{% if adm_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_6' in ansible_local.interfaces[adm_iface.stdout] %}
+{% for line in ansible_local.interfaces[adm_iface.stdout].sup_if_6 %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}

From 81de24e5bd0a72be7d88fb5980a354be5d8e2d4c Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 08:50:46 +0200
Subject: [PATCH 05/56] [interfaces] Configure fil interface

---
 interfaces.yml                                | 15 +++++---
 roles/interfaces/tasks/main.yml               |  7 ++++
 .../templates/network/interfaces.d/00-srv.j2  |  2 +-
 .../templates/network/interfaces.d/21-fil.j2  | 34 +++++++++++++++++++
 4 files changed, 52 insertions(+), 6 deletions(-)
 create mode 100644 roles/interfaces/templates/network/interfaces.d/21-fil.j2

diff --git a/interfaces.yml b/interfaces.yml
index 872d81ee..e637a5cc 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -3,22 +3,27 @@
 # Set variable adm_iface for all servers
 - hosts: server
   tasks:
-    - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
-      register: adm_iface
-      check_mode: no
     - shell: grep srv /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
       register: srv_iface
       check_mode: no
     - shell: grep ens /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
       register: ens_iface
       check_mode: no
+    - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+      register: adm_iface
+      check_mode: no
+    - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+      register: fil_iface
+      check_mode: no
 
-- hosts: boeing.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org
   vars:
-    - adm_dns: 10.231.136.152 10.231.136.4
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4
     - ens_gateway: 138.231.136.254
     - ens_dns: 138.231.136.152 138.231.136.4
+    - adm_dns: 10.231.136.152 10.231.136.4
+    - fil_gateway: 10.54.0.254
+    - fil_dns: 10.54.0.152 10.54.0.4
   roles:
     - interfaces
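Review bot: The target on the `- hosts: boeing.adm.crans.org,cochon.adm.crans.org` line is a growing comma-separated literal — patches 08 and 09 each extend it by one more host — and the gateway/resolver constants under `vars` grow alongside it; an inventory group (e.g. `hosts: interfaces` with the constants in `group_vars/interfaces.yml`) keeps the playbook stable and turns host additions into inventory changes. Moving the existing adm shell task below ens is pure reordering that produces a misleading diff; appending the new fil task would have been enough. The hunk begins inside the `hosts: server` play.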
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index 336a267d..d9751a36 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -25,3 +25,10 @@
     dest: /etc/network/interfaces.d/02-adm
     mode: 0644
   when: adm_iface.stdout
+
+- name: Deploy fil interface config
+  template:
+    src: network/interfaces.d/21-fil.j2
+    dest: /etc/network/interfaces.d/21-fil
+    mode: 0644
+  when: fil_iface.stdout
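Review bot: This is the fourth template task in the file that differs from the others only in the interface name and file prefix, so a fifth interface means another copy. A single task looping over the interface list, with the `when` resolved through `lookup('vars', …)`, keeps the four (and future) stanzas in one place; the templates themselves keep referencing `srv_iface` etc. unchanged. The adm task shown as context starts above the hunk.

```yaml
# constructed example replacing the four near-identical template tasks
- name: Deploy per-interface config
  template:
    src: "network/interfaces.d/{{ item.file }}.j2"
    dest: "/etc/network/interfaces.d/{{ item.file }}"
    mode: "0644"
  loop:
    - { name: srv, file: "00-srv" }
    - { name: ens, file: "01-ens" }
    - { name: adm, file: "02-adm" }
    - { name: fil, file: "21-fil" }
  when: lookup('vars', item.name ~ '_iface').stdout
```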
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 7fc0390f..1367d156 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -15,7 +15,7 @@ iface {{ srv_iface.stdout }} inet static
 {% if srv_iface.stdout in ansible_local.interfaces %}
 {% if 'sup_if_4' in ansible_local.interfaces[srv_iface.stdout] %}
 {% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_4 %}
-        {{ line }}
+	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
new file mode 100644
index 00000000..469f0531
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+
+allow-hotplug {{ fil_iface.stdout }}
+iface {{ fil_iface.stdout }} inet static
+	address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.address }}
+	network {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.network }}
+	netmask {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.netmask }}
+	broadcast {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.broadcast }}
+	gateway {{ fil_gateway }}
+	mtu 1496
+	dns-nameservers {{ fil_dns }}
+	dns-search fil.crans.org
+	up /sbin/ip link set $IFACE alias fil
+{% if 'interfaces' in ansible_local %}
+{% if fil_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_4' in ansible_local.interfaces[fil_iface.stdout] %}
+{% for line in ansible_local.interfaces[fil_iface.stdout].sup_if_4 %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+
+iface {{ fil_iface.stdout }} inet6 static
+	address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].prefix }}
+{% if 'interfaces' in ansible_local %}
+{% if fil_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_6' in ansible_local.interfaces[fil_iface.stdout] %}
+{% for line in ansible_local.interfaces[fil_iface.stdout].sup_if_6 %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}

From 11b90f8b51702b9f109514d4e19d914bb4ccc125 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 09:57:02 +0200
Subject: [PATCH 06/56] [interfaces] Change interfaces.fact format

---
 .../templates/network/interfaces.d/00-srv.j2         | 12 ++++++------
 .../templates/network/interfaces.d/01-ens.j2         | 12 ++++++------
 .../templates/network/interfaces.d/02-adm.j2         | 12 ++++++------
 .../templates/network/interfaces.d/21-fil.j2         | 12 ++++++------
 4 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 1367d156..9e934d98 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -12,9 +12,9 @@ iface {{ srv_iface.stdout }} inet static
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias srv
 {% if 'interfaces' in ansible_local %}
-{% if srv_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_4' in ansible_local.interfaces[srv_iface.stdout] %}
-{% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_4 %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if srv_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[srv_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
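Review bot: The template now expects the local fact laid out as `interfaces.sup_if_4[<iface>]` instead of `interfaces[<iface>].sup_if_4`, but nothing in this commit updates whatever produces `interfaces.fact` on the hosts, so a host still carrying the old layout silently loses its supplementary lines rather than failing. If the fact file is maintained outside this repository, say so in the commit message and in a comment above the block, e.g. `{# expects /etc/ansible/facts.d/interfaces.fact as {"sup_if_4": {"<iface>": [...]}, "sup_if_6": {...}} #}`. The same change is applied in 01-ens.j2, 02-adm.j2 and 21-fil.j2 and in the inet6 hunk below.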
@@ -27,9 +27,9 @@ iface {{ srv_iface.stdout }} inet6 static
 	accept_ra 2
 	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
 {% if 'interfaces' in ansible_local %}
-{% if srv_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_6' in ansible_local.interfaces[srv_iface.stdout] %}
-{% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_6 %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if srv_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[srv_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index e94243b1..ac2bed20 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -12,9 +12,9 @@ iface {{ ens_iface.stdout }} inet static
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias ens
 {% if 'interfaces' in ansible_local %}
-{% if ens_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_4' in ansible_local.interfaces[ens_iface.stdout] %}
-{% for line in ansible_local.interfaces[ens_iface.stdout].sup_if_4 %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ens_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[ens_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
@@ -27,9 +27,9 @@ iface {{ ens_iface.stdout }} inet6 static
 	accept_ra 2
 	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
 {% if 'interfaces' in ansible_local %}
-{% if ens_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_6' in ansible_local.interfaces[ens_iface.stdout] %}
-{% for line in ansible_local.interfaces[ens_iface.stdout].sup_if_6 %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ens_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[ens_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index bd928eae..dce7c3e4 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -11,9 +11,9 @@ iface {{ adm_iface.stdout }} inet static
 	dns-search adm.crans.org
 	up /sbin/ip link set $IFACE alias adm
 {% if 'interfaces' in ansible_local %}
-{% if adm_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_4' in ansible_local.interfaces[adm_iface.stdout] %}
-{% for line in ansible_local.interfaces[adm_iface.stdout].sup_if_4 %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if adm_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[adm_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
@@ -23,9 +23,9 @@ iface {{ adm_iface.stdout }} inet static
 iface {{ adm_iface.stdout }} inet6 static
 	address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }}
 {% if 'interfaces' in ansible_local %}
-{% if adm_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_6' in ansible_local.interfaces[adm_iface.stdout] %}
-{% for line in ansible_local.interfaces[adm_iface.stdout].sup_if_6 %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if adm_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[adm_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
index 469f0531..f9453e0f 100644
--- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2
+++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
@@ -12,9 +12,9 @@ iface {{ fil_iface.stdout }} inet static
 	dns-search fil.crans.org
 	up /sbin/ip link set $IFACE alias fil
 {% if 'interfaces' in ansible_local %}
-{% if fil_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_4' in ansible_local.interfaces[fil_iface.stdout] %}
-{% for line in ansible_local.interfaces[fil_iface.stdout].sup_if_4 %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if fil_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[fil_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
@@ -24,9 +24,9 @@ iface {{ fil_iface.stdout }} inet static
 iface {{ fil_iface.stdout }} inet6 static
 	address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].prefix }}
 {% if 'interfaces' in ansible_local %}
-{% if fil_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_6' in ansible_local.interfaces[fil_iface.stdout] %}
-{% for line in ansible_local.interfaces[fil_iface.stdout].sup_if_6 %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if fil_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[fil_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}

From 7b99fb22bd5d1d3a90367b7a1f9875e09d007719 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 12:06:26 +0200
Subject: [PATCH 07/56] [interfaces] Alias ansible facts

---
 .../templates/network/interfaces.d/00-srv.j2          | 11 ++++++-----
 .../templates/network/interfaces.d/01-ens.j2          | 11 ++++++-----
 .../templates/network/interfaces.d/02-adm.j2          | 11 ++++++-----
 .../templates/network/interfaces.d/21-fil.j2          | 11 ++++++-----
 4 files changed, 24 insertions(+), 20 deletions(-)

diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 9e934d98..53151878 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -1,11 +1,12 @@
 {{ ansible_header | comment }}
 
+{% set srv = hostvars[inventory_hostname]['ansible_' + srv_iface.stdout] %}
 allow-hotplug {{ srv_iface.stdout }}
 iface {{ srv_iface.stdout }} inet static
-	address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.address }}
-	network {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.network }}
-	netmask {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.netmask }}
-	broadcast {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.broadcast }}
+	address {{ srv.ipv4.address }}
+	network {{ srv.ipv4.network }}
+	netmask {{ srv.ipv4.netmask }}
+	broadcast {{ srv.ipv4.broadcast }}
 	gateway {{ srv_gateway }}
 	mtu 1496
 	dns-nameservers {{ srv_dns }}
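Review bot: The new `{% set srv = hostvars[inventory_hostname]['ansible_' + srv_iface.stdout] %}` builds the fact name from the raw interface name, but as far as I recall Ansible exposes interface names containing `-` with `_` in the fact key (e.g. `br-lan` becomes `ansible_br_lan`), so such an interface would resolve to an undefined variable at the `set` line; worth confirming and, if so, using `'ansible_' ~ (srv_iface.stdout | replace('-', '_'))`. The `hostvars[inventory_hostname][...]` lookup is also just the host's own facts and could be `vars['ansible_' ~ …]`, which is shorter and avoids relying on hostvars. The same alias line is added in 01-ens.j2, 02-adm.j2 and 21-fil.j2.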
@@ -22,7 +23,7 @@ iface {{ srv_iface.stdout }} inet static
 {% endif %}
 
 iface {{ srv_iface.stdout }} inet6 static
-	address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].prefix }}
+	address {{ srv.ipv6[0].address }}/{{ srv.ipv6[0].prefix }}
 	autoconf 1
 	accept_ra 2
 	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index ac2bed20..62cb77fc 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -1,11 +1,12 @@
 {{ ansible_header | comment }}
 
+{% set ens = hostvars[inventory_hostname]['ansible_' + ens_iface.stdout] %}
 allow-hotplug {{ ens_iface.stdout }}
 iface {{ ens_iface.stdout }} inet static
-	address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.address }}
-	network {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.network }}
-	netmask {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.netmask }}
-	broadcast {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.broadcast }}
+	address {{ ens.ipv4.address }}
+	network {{ ens.ipv4.network }}
+	netmask {{ ens.ipv4.netmask }}
+	broadcast {{ ens.ipv4.broadcast }}
 	gateway {{ ens_gateway }}
 	mtu 1496
 	dns-nameservers {{ ens_dns }}
@@ -22,7 +23,7 @@ iface {{ ens_iface.stdout }} inet static
 {% endif %}
 
 iface {{ ens_iface.stdout }} inet6 static
-	address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].prefix }}
+	address {{ ens.ipv6[0].address }}/{{ ens.ipv6[0].prefix }}
 	autoconf 1
 	accept_ra 2
 	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index dce7c3e4..95991513 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -1,11 +1,12 @@
 {{ ansible_header | comment }}
 
+{% set adm = hostvars[inventory_hostname]['ansible_' + adm_iface.stdout] %}
 allow-hotplug {{ adm_iface.stdout }}
 iface {{ adm_iface.stdout }} inet static
-	address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.address }}
-	network {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.network }}
-	netmask {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.netmask }}
-	broadcast {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.broadcast }}
+	address {{ adm.ipv4.address }}
+	network {{ adm.ipv4.network }}
+	netmask {{ adm.ipv4.netmask }}
+	broadcast {{ adm.ipv4.broadcast }}
 	mtu 1496
 	dns-nameservers {{ adm_dns }}
 	dns-search adm.crans.org
@@ -21,7 +22,7 @@ iface {{ adm_iface.stdout }} inet static
 {% endif %}
 
 iface {{ adm_iface.stdout }} inet6 static
-	address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }}
+	address {{ adm.ipv6[0].address }}/{{ adm.ipv6[0].prefix }}
 {% if 'interfaces' in ansible_local %}
 {% if 'sup_if_6' in ansible_local.interfaces %}
 {% if adm_iface.stdout in ansible_local.interfaces.sup_if_6 %}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
index f9453e0f..0e08910a 100644
--- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2
+++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
@@ -1,11 +1,12 @@
 {{ ansible_header | comment }}
 
+{% set fil = hostvars[inventory_hostname]['ansible_' + fil_iface.stdout] %}
 allow-hotplug {{ fil_iface.stdout }}
 iface {{ fil_iface.stdout }} inet static
-	address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.address }}
-	network {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.network }}
-	netmask {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.netmask }}
-	broadcast {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.broadcast }}
+	address {{ fil.ipv4.address }}
+	network {{ fil.ipv4.network }}
+	netmask {{ fil.ipv4.netmask }}
+	broadcast {{ fil.ipv4.broadcast }}
 	gateway {{ fil_gateway }}
 	mtu 1496
 	dns-nameservers {{ fil_dns }}
@@ -22,7 +23,7 @@ iface {{ fil_iface.stdout }} inet static
 {% endif %}
 
 iface {{ fil_iface.stdout }} inet6 static
-	address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].prefix }}
+	address {{ fil.ipv6[0].address }}/{{ fil.ipv6[0].prefix }}
 {% if 'interfaces' in ansible_local %}
 {% if 'sup_if_6' in ansible_local.interfaces %}
 {% if fil_iface.stdout in ansible_local.interfaces.sup_if_6 %}

From 28706a622fe2d41b15450d378ab492f66f05603d Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 12:07:38 +0200
Subject: [PATCH 08/56] [interfaces] Deploy interfaces on tracker

---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interfaces.yml b/interfaces.yml
index e637a5cc..84c59ca2 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -16,7 +16,7 @@
       register: fil_iface
       check_mode: no
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org
   vars:
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4
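Review bot: The target is a hand-maintained comma-separated host list on the `hosts:` line, which this patch and patches 09, 12, 13, 14, 16, 18, 20 and 23 below each extend by one entry; every rollout becomes an edit of a string that only grows, and a typo in it silently skips a host rather than failing. Defining an inventory group for these machines (a name such as `interfaces_servers`, constructed here) and targeting `hosts: interfaces_servers` keeps membership in the inventory where it is diffed per host and reusable by other playbooks. The play's `vars:` block shown as context is a list of single-key mappings; a plain mapping is the form Ansible documents.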

From d97384c314821c0c13a6a920264e61827b1e892b Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 12:20:58 +0200
Subject: [PATCH 09/56] [interfaces] Deploy interfaces on voyager

---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interfaces.yml b/interfaces.yml
index 84c59ca2..839423b8 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -16,7 +16,7 @@
       register: fil_iface
       check_mode: no
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org
   vars:
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4

From fdaa69a312fcfbfd368dc0da9881d2a2d9f5cd88 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 13:24:34 +0200
Subject: [PATCH 10/56] [interfaces] Configure adh interface

---
 roles/interfaces/tasks/main.yml               |  7 ++++
 .../templates/network/interfaces.d/23-adh.j2  | 38 +++++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 roles/interfaces/templates/network/interfaces.d/23-adh.j2

diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index d9751a36..4bf0fc42 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -32,3 +32,10 @@
     dest: /etc/network/interfaces.d/21-fil
     mode: 0644
   when: fil_iface.stdout
+
+- name: Deploy adh interface config
+  template:
+    src: network/interfaces.d/23-adh.j2
+    dest: /etc/network/interfaces.d/23-adh
+    mode: 0644
+  when: adh_iface.stdout
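Review bot: `when: adh_iface.stdout` on the last added line only rejects the empty case; the registered grep can match more than one interface, in which case `stdout` holds several names joined by newlines, the guard is still true, and the template's `'ansible_' + adh_iface.stdout` lookup fails mid-render. `when: adh_iface.stdout_lines | length == 1` expresses the actual precondition. The unquoted `mode: 0644` is also worth writing as `mode: "0644"` so yamllint and the YAML parser agree on its meaning. The same two points apply to the borne and switch deploy tasks added in patches 15 and 19.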
diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
new file mode 100644
index 00000000..bc03ccc1
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
@@ -0,0 +1,38 @@
+{{ ansible_header | comment }}
+
+{% set adh = hostvars[inventory_hostname]['ansible_' + adh_iface.stdout] %}
+allow-hotplug {{ adh_iface.stdout }}
+iface {{ adh_iface.stdout }} inet static
+	address {{ adh.ipv4.address }}
+	network {{ adh.ipv4.network }}
+	netmask {{ adh.ipv4.netmask }}
+	broadcast {{ adh.ipv4.broadcast }}
+	gateway {{ adh_gateway }}
+	mtu 1496
+	dns-nameservers {{ adh_dns }}
+	dns-search crans.org
+	up /sbin/ip link set $IFACE alias adh
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if adh_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[adh_iface.stdout] %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+
+iface {{ adh_iface.stdout }} inet6 static
+	address {{ adh.ipv6[0].address }}/{{ adh.ipv6[0].prefix }}
+	autoconf 1
+	accept_ra 2
+	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if adh_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[adh_iface.stdout] %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
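Review bot: The `inet6` stanza combines a static address with `autoconf 1`, `accept_ra 2` and the `accept_ra_defrtr=1` sysctl, so on the adh interface the IPv6 default route and any autoconfigured addresses come from whatever router advertisements arrive on that segment rather than being pinned in this file, while the adm and borne templates keep their v6 fully static. If relying on RAs for the v6 default route is intended here, a comment above those lines, e.g. `# IPv6 default route is learned from RA on this segment; only the address below is static`, records the decision for the next maintainer; if not, `accept_ra 0` and dropping `autoconf`/the sysctl makes this stanza match the others. The same block appears in 00-srv.j2 and 01-ens.j2 as shown in the patch 24 hunks below.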

From c95aee10043a66b238f4a9c0d53fcb337462121c Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 13:25:24 +0200
Subject: [PATCH 11/56] [interfaces] Configure adh interface

---
 interfaces.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/interfaces.yml b/interfaces.yml
index 839423b8..057a71e2 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -15,6 +15,9 @@
     - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
       register: fil_iface
       check_mode: no
+    - shell: grep adh /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+      register: adh_iface
+      check_mode: no
 
 - hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org
   vars:
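Review bot: `grep adh /sys/class/net/*/ifalias` on the added shell line is an unanchored substring match, so any alias that merely contains `adh` selects that interface too; `grep -x adh /sys/class/net/*/ifalias | ...` matches the whole alias line and keeps the output format the two `sed` calls expect. The task also reports `changed` on every run because it is a `shell` step with no `changed_when`, so adding `changed_when: false` (and writing `check_mode: false` rather than the YAML 1.1 `no`) makes play output meaningful. The same applies to the borne and switch lookups added in patches 15 and 19, and to the existing adm/fil lookups shown as context here.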
@@ -25,5 +28,7 @@
     - adm_dns: 10.231.136.152 10.231.136.4
     - fil_gateway: 10.54.0.254
     - fil_dns: 10.54.0.152 10.54.0.4
+    - adh_gateway: 185.230.78.254
+    - adh_dns: 185.230.78.152 185.230.78.4
   roles:
     - interfaces

From 2b9cef3f82b69723084493792e397164d37f43de Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 13:26:47 +0200
Subject: [PATCH 12/56] [interfaces] Deploy interfaces on lutim

---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interfaces.yml b/interfaces.yml
index 057a71e2..2474e3bb 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -19,7 +19,7 @@
       register: adh_iface
       check_mode: no
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org
   vars:
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4

From 8d1dc216873cf97d4167b5d28bbc2c22ce9f5bbe Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 14:23:42 +0200
Subject: [PATCH 13/56] [interfaces] Deploy interfaces on gateau

---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interfaces.yml b/interfaces.yml
index 2474e3bb..1196a291 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -19,7 +19,7 @@
       register: adh_iface
       check_mode: no
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org
   vars:
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4

From a251e3071a1e0b83836b2c21027c8e17ba01cbba Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 14:26:59 +0200
Subject: [PATCH 14/56] [interfaces] Deploy interfaces on owncloud-srv

---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interfaces.yml b/interfaces.yml
index 1196a291..f0a87578 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -19,7 +19,7 @@
       register: adh_iface
       check_mode: no
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org
   vars:
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4

From d38b3a48b7bb2f4754b86abf7eba5d0feeeb280d Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 14:40:53 +0200
Subject: [PATCH 15/56] [interfaces] Deploy interfaces on charybde

---
 interfaces.yml                                |  4 +++
 roles/interfaces/tasks/main.yml               |  7 ++++
 .../network/interfaces.d/03-borne.j2          | 34 +++++++++++++++++++
 3 files changed, 45 insertions(+)
 create mode 100644 roles/interfaces/templates/network/interfaces.d/03-borne.j2

diff --git a/interfaces.yml b/interfaces.yml
index f0a87578..f83070ac 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -12,6 +12,9 @@
     - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
       register: adm_iface
       check_mode: no
+    - shell: grep borne /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+      register: borne_iface
+      check_mode: no
     - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
       register: fil_iface
       check_mode: no
@@ -26,6 +29,7 @@
     - ens_gateway: 138.231.136.254
     - ens_dns: 138.231.136.152 138.231.136.4
     - adm_dns: 10.231.136.152 10.231.136.4
+    - borne_dns: 10.231.148.4
     - fil_gateway: 10.54.0.254
     - fil_dns: 10.54.0.152 10.54.0.4
     - adh_gateway: 185.230.78.254
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index 4bf0fc42..91fe4164 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -26,6 +26,13 @@
     mode: 0644
   when: adm_iface.stdout
 
+- name: Deploy adm interface config
+  template:
+    src: network/interfaces.d/03-borne.j2
+    dest: /etc/network/interfaces.d/03-borne
+    mode: 0644
+  when: borne_iface.stdout
+
 - name: Deploy fil interface config
   template:
     src: network/interfaces.d/21-fil.j2
diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
new file mode 100644
index 00000000..0eb3ecb2
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+
+{% set borne = hostvars[inventory_hostname]['ansible_' + borne_iface.stdout] %}
+allow-hotplug {{ borne_iface.stdout }}
+iface {{ borne_iface.stdout }} inet static
+	address {{ borne.ipv4.address }}
+	network {{ borne.ipv4.network }}
+	netmask {{ borne.ipv4.netmask }}
+	broadcast {{ borne.ipv4.broadcast }}
+	mtu 1496
+	dns-nameservers {{ borne_dns }}
+	dns-search borne.crans.org
+	up /sbin/ip link set $IFACE alias borne
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if borne_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[borne_iface.stdout] %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+
+iface {{ borne_iface.stdout }} inet6 static
+	address {{ borne.ipv6[0].address }}/{{ borne.ipv6[0].prefix }}
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if borne_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[borne_iface.stdout] %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}

From 521ff1d2681736818e59f4ffae3f2bb137e0f82c Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 14:42:58 +0200
Subject: [PATCH 16/56] [interfaces] Deploy interfaces on charybde

---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interfaces.yml b/interfaces.yml
index f83070ac..b6115cc5 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -22,7 +22,7 @@
       register: adh_iface
       check_mode: no
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org
   vars:
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4

From a0a5d0964dba6fd4c21e5b852c81e7d3eb6383ef Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 14:55:37 +0200
Subject: [PATCH 17/56] [interfaces] Fix task description

---
 roles/interfaces/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index 91fe4164..5b41c028 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -26,7 +26,7 @@
     mode: 0644
   when: adm_iface.stdout
 
-- name: Deploy adm interface config
+- name: Deploy borne interface config
   template:
     src: network/interfaces.d/03-borne.j2
     dest: /etc/network/interfaces.d/03-borne

From 3a56fd406ba98b60809e45e463b49f131079b631 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 14:56:01 +0200
Subject: [PATCH 18/56] [interfaces] Deploy interfaces on cas-srv

---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interfaces.yml b/interfaces.yml
index b6115cc5..52b9a667 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -22,7 +22,7 @@
       register: adh_iface
       check_mode: no
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org
   vars:
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4

From 05d2349f6214d8955d70c5fcedcfc3dfc7bf87c3 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 16:50:16 +0200
Subject: [PATCH 19/56] [interfaces] Configure switch interface

---
 interfaces.yml                                |  6 +++-
 roles/interfaces/tasks/main.yml               |  7 ++++
 .../network/interfaces.d/04-switch.j2         | 34 +++++++++++++++++++
 3 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 roles/interfaces/templates/network/interfaces.d/04-switch.j2

diff --git a/interfaces.yml b/interfaces.yml
index 52b9a667..1feb86ca 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -15,6 +15,9 @@
     - shell: grep borne /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
       register: borne_iface
       check_mode: no
+    - shell: grep switch /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+      register: switch_iface
+      check_mode: no
     - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
       register: fil_iface
       check_mode: no
@@ -29,7 +32,8 @@
     - ens_gateway: 138.231.136.254
     - ens_dns: 138.231.136.152 138.231.136.4
     - adm_dns: 10.231.136.152 10.231.136.4
-    - borne_dns: 10.231.148.4
+    - borne_dns: 10.231.148.52 10.231.148.4
+    - switch_dns: 10.231.100.152 10.231.100.4
     - fil_gateway: 10.54.0.254
     - fil_dns: 10.54.0.152 10.54.0.4
     - adh_gateway: 185.230.78.254
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index 5b41c028..210e3142 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -33,6 +33,13 @@
     mode: 0644
   when: borne_iface.stdout
 
+- name: Deploy switch interface config
+  template:
+    src: network/interfaces.d/04-switch.j2
+    dest: /etc/network/interfaces.d/04-switch
+    mode: 0644
+  when: switch_iface.stdout
+
 - name: Deploy fil interface config
   template:
     src: network/interfaces.d/21-fil.j2
diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
new file mode 100644
index 00000000..d8cfeb8b
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+
+{% set switch = hostvars[inventory_hostname]['ansible_' + switch_iface.stdout] %}
+allow-hotplug {{ switch_iface.stdout }}
+iface {{ switch_iface.stdout }} inet static
+	address {{ switch.ipv4.address }}
+	network {{ switch.ipv4.network }}
+	netmask {{ switch.ipv4.netmask }}
+	broadcast {{ switch.ipv4.broadcast }}
+	mtu 1496
+	dns-nameservers {{ switch_dns }}
+	dns-search switch.crans.org
+	up /sbin/ip link set $IFACE alias switch
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if switch_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[switch_iface.stdout] %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+
+iface {{ switch_iface.stdout }} inet6 static
+	address {{ switch.ipv6[0].address }}/{{ switch.ipv6[0].prefix }}
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if switch_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[switch_iface.stdout] %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}

From d1cad85bfab4861db5863611e0ff5141eddfe305 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 16:55:34 +0200
Subject: [PATCH 20/56] [interfaces] Deploy interfaces on fyre

---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interfaces.yml b/interfaces.yml
index 1feb86ca..a17fd7f0 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -25,7 +25,7 @@
       register: adh_iface
       check_mode: no
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org
   vars:
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4

From 51f49eb461defe1c8e0c6fec1d4d8c661904b8a6 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Mon, 27 Apr 2020 21:28:43 +0200
Subject: [PATCH 21/56] [interfaces] allow-hotplug to auto

---
 roles/interfaces/templates/network/interfaces.d/00-srv.j2    | 2 +-
 roles/interfaces/templates/network/interfaces.d/01-ens.j2    | 2 +-
 roles/interfaces/templates/network/interfaces.d/02-adm.j2    | 2 +-
 roles/interfaces/templates/network/interfaces.d/03-borne.j2  | 2 +-
 roles/interfaces/templates/network/interfaces.d/04-switch.j2 | 2 +-
 roles/interfaces/templates/network/interfaces.d/21-fil.j2    | 2 +-
 roles/interfaces/templates/network/interfaces.d/23-adh.j2    | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 53151878..a1426f64 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 
 {% set srv = hostvars[inventory_hostname]['ansible_' + srv_iface.stdout] %}
-allow-hotplug {{ srv_iface.stdout }}
+auto {{ srv_iface.stdout }}
 iface {{ srv_iface.stdout }} inet static
 	address {{ srv.ipv4.address }}
 	network {{ srv.ipv4.network }}
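Review bot: Switching `allow-hotplug` to `auto` changes when ifupdown acts: on Debian, `auto` interfaces are brought up by the networking service's `ifup -a` at boot, and a listed interface that is absent or slow to appear then delays or fails that unit, whereas `allow-hotplug` waits for the udev event. The role only deploys each file when the alias lookup found the interface, which likely makes this safe, but the commit message gives no reason for the change; a one-line comment in the template header stating why `auto` was chosen would record the decision. The same change is made in the other six templates in this patch.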
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index 62cb77fc..4da6da89 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 
 {% set ens = hostvars[inventory_hostname]['ansible_' + ens_iface.stdout] %}
-allow-hotplug {{ ens_iface.stdout }}
+auto {{ ens_iface.stdout }}
 iface {{ ens_iface.stdout }} inet static
 	address {{ ens.ipv4.address }}
 	network {{ ens.ipv4.network }}
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index 95991513..1708e777 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 
 {% set adm = hostvars[inventory_hostname]['ansible_' + adm_iface.stdout] %}
-allow-hotplug {{ adm_iface.stdout }}
+auto {{ adm_iface.stdout }}
 iface {{ adm_iface.stdout }} inet static
 	address {{ adm.ipv4.address }}
 	network {{ adm.ipv4.network }}
diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
index 0eb3ecb2..749f144e 100644
--- a/roles/interfaces/templates/network/interfaces.d/03-borne.j2
+++ b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 
 {% set borne = hostvars[inventory_hostname]['ansible_' + borne_iface.stdout] %}
-allow-hotplug {{ borne_iface.stdout }}
+auto {{ borne_iface.stdout }}
 iface {{ borne_iface.stdout }} inet static
 	address {{ borne.ipv4.address }}
 	network {{ borne.ipv4.network }}
diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
index d8cfeb8b..fb007a7b 100644
--- a/roles/interfaces/templates/network/interfaces.d/04-switch.j2
+++ b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 
 {% set switch = hostvars[inventory_hostname]['ansible_' + switch_iface.stdout] %}
-allow-hotplug {{ switch_iface.stdout }}
+auto {{ switch_iface.stdout }}
 iface {{ switch_iface.stdout }} inet static
 	address {{ switch.ipv4.address }}
 	network {{ switch.ipv4.network }}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
index 0e08910a..a77e747f 100644
--- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2
+++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 
 {% set fil = hostvars[inventory_hostname]['ansible_' + fil_iface.stdout] %}
-allow-hotplug {{ fil_iface.stdout }}
+auto {{ fil_iface.stdout }}
 iface {{ fil_iface.stdout }} inet static
 	address {{ fil.ipv4.address }}
 	network {{ fil.ipv4.network }}
diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
index bc03ccc1..ee1578d6 100644
--- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2
+++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 
 {% set adh = hostvars[inventory_hostname]['ansible_' + adh_iface.stdout] %}
-allow-hotplug {{ adh_iface.stdout }}
+auto {{ adh_iface.stdout }}
 iface {{ adh_iface.stdout }} inet static
 	address {{ adh.ipv4.address }}
 	network {{ adh.ipv4.network }}

From 28ffd68a147995a93289f6dfb1b7516a157de411 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Mon, 27 Apr 2020 21:34:41 +0200
Subject: [PATCH 22/56] [interfaces] Install vlan

---
 roles/interfaces/tasks/main.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index 210e3142..c155fc1b 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -1,4 +1,13 @@
 ---
+- name: Install vlan support
+  apt:
+    update_cache: true
+    name: vlan
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
 - name: Deploy default interfaces config
   template:
     src: network/interfaces.j2
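Review bot: `update_cache: true` on the new apt task refreshes the package index on every run of the role, on every targeted host, even after `vlan` is already installed; pairing it with `cache_valid_time: 3600` (value constructed) lets apt skip the refresh while the index is fresh. The package is also installed unconditionally although only hosts with VLAN sub-interfaces need it, which is presumably intentional for a homogeneous fleet but deserves a word in the task name or a comment. The `until: apt_result is succeeded` retry loop itself looks correct.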

From c651b608f838fa92797913a1d892299ea6d72302 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 28 Apr 2020 18:06:07 +0200
Subject: [PATCH 23/56] [interfaces] Deploy interfaces on silice

---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interfaces.yml b/interfaces.yml
index a17fd7f0..5c35aa32 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -25,7 +25,7 @@
       register: adh_iface
       check_mode: no
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org
   vars:
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4

From b1120e76378e44437c58dfcb7316a1c85a51b442 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Tue, 28 Apr 2020 18:26:59 +0200
Subject: [PATCH 24/56] [interfaces] use is defined

---
 roles/interfaces/templates/network/interfaces.d/00-srv.j2 | 8 ++------
 roles/interfaces/templates/network/interfaces.d/01-ens.j2 | 8 ++------
 roles/interfaces/templates/network/interfaces.d/02-adm.j2 | 8 ++------
 .../interfaces/templates/network/interfaces.d/03-borne.j2 | 8 ++------
 .../templates/network/interfaces.d/04-switch.j2           | 8 ++------
 roles/interfaces/templates/network/interfaces.d/21-fil.j2 | 8 ++------
 roles/interfaces/templates/network/interfaces.d/23-adh.j2 | 8 ++------
 7 files changed, 14 insertions(+), 42 deletions(-)

diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index a1426f64..ba4f486c 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -12,27 +12,23 @@ iface {{ srv_iface.stdout }} inet static
 	dns-nameservers {{ srv_dns }}
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias srv
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if srv_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[srv_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 
 iface {{ srv_iface.stdout }} inet6 static
 	address {{ srv.ipv6[0].address }}/{{ srv.ipv6[0].prefix }}
 	autoconf 1
 	accept_ra 2
 	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if srv_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[srv_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
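Review bot: The new `{% if ansible_local.interfaces.sup_if_4 is defined %}` relies on Ansible's undefined object tolerating chained attribute access when `ansible_local.interfaces` itself is missing (a host without that local fact); that holds on current Ansible but is worth a short comment, since plain Jinja2 would raise here. The remaining `if ... in ...` plus `for` should collapse further to a single loop, `{% for line in ansible_local.interfaces.sup_if_4[srv_iface.stdout] | default([]) %}`, dropping both `if`/`endif` pairs while behaving the same for a missing fact or a missing key. The same pattern is applied to the `sup_if_6` block of this hunk and to the six other templates in this patch.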
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index 4da6da89..36e6d154 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -12,27 +12,23 @@ iface {{ ens_iface.stdout }} inet static
 	dns-nameservers {{ ens_dns }}
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias ens
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if ens_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[ens_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 
 iface {{ ens_iface.stdout }} inet6 static
 	address {{ ens.ipv6[0].address }}/{{ ens.ipv6[0].prefix }}
 	autoconf 1
 	accept_ra 2
 	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if ens_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[ens_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index 1708e777..a78a660a 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -11,24 +11,20 @@ iface {{ adm_iface.stdout }} inet static
 	dns-nameservers {{ adm_dns }}
 	dns-search adm.crans.org
 	up /sbin/ip link set $IFACE alias adm
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if adm_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[adm_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 
 iface {{ adm_iface.stdout }} inet6 static
 	address {{ adm.ipv6[0].address }}/{{ adm.ipv6[0].prefix }}
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if adm_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[adm_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
index 749f144e..f9996740 100644
--- a/roles/interfaces/templates/network/interfaces.d/03-borne.j2
+++ b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
@@ -11,24 +11,20 @@ iface {{ borne_iface.stdout }} inet static
 	dns-nameservers {{ borne_dns }}
 	dns-search borne.crans.org
 	up /sbin/ip link set $IFACE alias borne
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if borne_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[borne_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 
 iface {{ borne_iface.stdout }} inet6 static
 	address {{ borne.ipv6[0].address }}/{{ borne.ipv6[0].prefix }}
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if borne_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[borne_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
index fb007a7b..57e6630f 100644
--- a/roles/interfaces/templates/network/interfaces.d/04-switch.j2
+++ b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
@@ -11,24 +11,20 @@ iface {{ switch_iface.stdout }} inet static
 	dns-nameservers {{ switch_dns }}
 	dns-search switch.crans.org
 	up /sbin/ip link set $IFACE alias switch
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if switch_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[switch_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 
 iface {{ switch_iface.stdout }} inet6 static
 	address {{ switch.ipv6[0].address }}/{{ switch.ipv6[0].prefix }}
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if switch_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[switch_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
index a77e747f..198f2ca0 100644
--- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2
+++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
@@ -12,24 +12,20 @@ iface {{ fil_iface.stdout }} inet static
 	dns-nameservers {{ fil_dns }}
 	dns-search fil.crans.org
 	up /sbin/ip link set $IFACE alias fil
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if fil_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[fil_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 
 iface {{ fil_iface.stdout }} inet6 static
 	address {{ fil.ipv6[0].address }}/{{ fil.ipv6[0].prefix }}
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if fil_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[fil_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
index ee1578d6..df9a47ad 100644
--- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2
+++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
@@ -12,27 +12,23 @@ iface {{ adh_iface.stdout }} inet static
 	dns-nameservers {{ adh_dns }}
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias adh
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if adh_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[adh_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 
 iface {{ adh_iface.stdout }} inet6 static
 	address {{ adh.ipv6[0].address }}/{{ adh.ipv6[0].prefix }}
 	autoconf 1
 	accept_ra 2
 	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if adh_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[adh_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}

From cfe9140a0bf4358dadf6cf719ecb2c59e9d5f932 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Tue, 28 Apr 2020 18:46:38 +0200
Subject: [PATCH 25/56] [interfaces] Do not force autoconf

---
 roles/interfaces/templates/network/interfaces.d/00-srv.j2 | 3 ---
 roles/interfaces/templates/network/interfaces.d/01-ens.j2 | 3 ---
 roles/interfaces/templates/network/interfaces.d/23-adh.j2 | 3 ---
 3 files changed, 9 deletions(-)

diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index ba4f486c..2bf4b97b 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -22,9 +22,6 @@ iface {{ srv_iface.stdout }} inet static
 
 iface {{ srv_iface.stdout }} inet6 static
 	address {{ srv.ipv6[0].address }}/{{ srv.ipv6[0].prefix }}
-	autoconf 1
-	accept_ra 2
-	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
 {% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if srv_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[srv_iface.stdout] %}
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index 36e6d154..e1f101e2 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -22,9 +22,6 @@ iface {{ ens_iface.stdout }} inet static
 
 iface {{ ens_iface.stdout }} inet6 static
 	address {{ ens.ipv6[0].address }}/{{ ens.ipv6[0].prefix }}
-	autoconf 1
-	accept_ra 2
-	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
 {% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if ens_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[ens_iface.stdout] %}
diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
index df9a47ad..45241e6b 100644
--- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2
+++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
@@ -22,9 +22,6 @@ iface {{ adh_iface.stdout }} inet static
 
 iface {{ adh_iface.stdout }} inet6 static
 	address {{ adh.ipv6[0].address }}/{{ adh.ipv6[0].prefix }}
-	autoconf 1
-	accept_ra 2
-	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
 {% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if adh_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[adh_iface.stdout] %}

From 459d9cc55e246d2a4be9591d56f7ced61643fe09 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Tue, 28 Apr 2020 18:59:35 +0200
Subject: [PATCH 26/56] [interfaces] Add metrics

---
 interfaces.yml                                | 34 +++++++++++++------
 .../templates/network/interfaces.d/00-srv.j2  |  5 +--
 .../templates/network/interfaces.d/01-ens.j2  |  5 +--
 .../templates/network/interfaces.d/02-adm.j2  |  2 +-
 .../network/interfaces.d/03-borne.j2          |  2 +-
 .../network/interfaces.d/04-switch.j2         |  2 +-
 .../templates/network/interfaces.d/21-fil.j2  |  5 +--
 .../templates/network/interfaces.d/23-adh.j2  |  5 +--
 8 files changed, 38 insertions(+), 22 deletions(-)

diff --git a/interfaces.yml b/interfaces.yml
index 5c35aa32..431b69bc 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -27,16 +27,28 @@
 
 - hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org
   vars:
-    - srv_gateway: 185.230.79.254
-    - srv_dns: 185.230.79.152 185.230.79.4
-    - ens_gateway: 138.231.136.254
-    - ens_dns: 138.231.136.152 138.231.136.4
-    - adm_dns: 10.231.136.152 10.231.136.4
-    - borne_dns: 10.231.148.52 10.231.148.4
-    - switch_dns: 10.231.100.152 10.231.100.4
-    - fil_gateway: 10.54.0.254
-    - fil_dns: 10.54.0.152 10.54.0.4
-    - adh_gateway: 185.230.78.254
-    - adh_dns: 185.230.78.152 185.230.78.4
+    vlan:
+      srv:
+        metric: 100
+        gateway: 185.230.79.254
+        dns: 185.230.79.152 185.230.79.4
+      ens:
+        metric: 300
+        gateway: 138.231.136.254
+        dns: 138.231.136.152 138.231.136.4
+      adm:
+        dns: 10.231.136.152 10.231.136.4
+      borne:
+        dns: 10.231.148.52 10.231.148.4
+      switch:
+        dns: 10.231.100.152 10.231.100.4
+      fil:
+        metric: 400
+        gateway: 10.54.0.254
+        dns: 10.54.0.152 10.54.0.4
+      adh:
+        metric: 200
+        gateway: 185.230.78.254
+        dns: 185.230.78.152 185.230.78.4
   roles:
     - interfaces
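Review bot: The new `metric` values are the only thing that orders the four default routes (srv, adh, ens and fil all carry a `gateway`), but nothing in the play says so; a comment above the `vlan:` mapping such as `# metric: route priority, lower wins - srv (100) is the preferred default route, then adh, ens, fil` would make the ordering deliberate for the next editor. The VLANs without a `gateway` (adm, borne, switch) have no `metric` either, and the templates in this commit only emit `metric` for the four that do, so that asymmetry is consistent. The play header is above the hunk.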
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 2bf4b97b..8ac4b8a5 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -7,9 +7,10 @@ iface {{ srv_iface.stdout }} inet static
 	network {{ srv.ipv4.network }}
 	netmask {{ srv.ipv4.netmask }}
 	broadcast {{ srv.ipv4.broadcast }}
-	gateway {{ srv_gateway }}
+	gateway {{ vlan.srv.gateway }}
+	metric {{ vlan.srv.metric }}
 	mtu 1496
-	dns-nameservers {{ srv_dns }}
+	dns-nameservers {{ vlan.srv.dns }}
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias srv
 {% if ansible_local.interfaces.sup_if_4 is defined %}
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index e1f101e2..6c308f23 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -7,9 +7,10 @@ iface {{ ens_iface.stdout }} inet static
 	network {{ ens.ipv4.network }}
 	netmask {{ ens.ipv4.netmask }}
 	broadcast {{ ens.ipv4.broadcast }}
-	gateway {{ ens_gateway }}
+	gateway {{ vlan.ens.gateway }}
+	metric {{ vlan.ens.metric }}
 	mtu 1496
-	dns-nameservers {{ ens_dns }}
+	dns-nameservers {{ vlan.ens.dns }}
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias ens
 {% if ansible_local.interfaces.sup_if_4 is defined %}
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index a78a660a..62fb1f1e 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -8,7 +8,7 @@ iface {{ adm_iface.stdout }} inet static
 	netmask {{ adm.ipv4.netmask }}
 	broadcast {{ adm.ipv4.broadcast }}
 	mtu 1496
-	dns-nameservers {{ adm_dns }}
+	dns-nameservers {{ vlan.adm.dns }}
 	dns-search adm.crans.org
 	up /sbin/ip link set $IFACE alias adm
 {% if ansible_local.interfaces.sup_if_4 is defined %}
diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
index f9996740..7db48f6a 100644
--- a/roles/interfaces/templates/network/interfaces.d/03-borne.j2
+++ b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
@@ -8,7 +8,7 @@ iface {{ borne_iface.stdout }} inet static
 	netmask {{ borne.ipv4.netmask }}
 	broadcast {{ borne.ipv4.broadcast }}
 	mtu 1496
-	dns-nameservers {{ borne_dns }}
+	dns-nameservers {{ vlan.borne.dns }}
 	dns-search borne.crans.org
 	up /sbin/ip link set $IFACE alias borne
 {% if ansible_local.interfaces.sup_if_4 is defined %}
diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
index 57e6630f..586adef9 100644
--- a/roles/interfaces/templates/network/interfaces.d/04-switch.j2
+++ b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
@@ -8,7 +8,7 @@ iface {{ switch_iface.stdout }} inet static
 	netmask {{ switch.ipv4.netmask }}
 	broadcast {{ switch.ipv4.broadcast }}
 	mtu 1496
-	dns-nameservers {{ switch_dns }}
+	dns-nameservers {{ vlan.switch.dns }}
 	dns-search switch.crans.org
 	up /sbin/ip link set $IFACE alias switch
 {% if ansible_local.interfaces.sup_if_4 is defined %}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
index 198f2ca0..c5bb9508 100644
--- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2
+++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
@@ -7,9 +7,10 @@ iface {{ fil_iface.stdout }} inet static
 	network {{ fil.ipv4.network }}
 	netmask {{ fil.ipv4.netmask }}
 	broadcast {{ fil.ipv4.broadcast }}
-	gateway {{ fil_gateway }}
+	gateway {{ vlan.fil.gateway }}
+	metric {{ vlan.fil.metric }}
 	mtu 1496
-	dns-nameservers {{ fil_dns }}
+	dns-nameservers {{ vlan.fil.dns }}
 	dns-search fil.crans.org
 	up /sbin/ip link set $IFACE alias fil
 {% if ansible_local.interfaces.sup_if_4 is defined %}
diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
index 45241e6b..de2b21b7 100644
--- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2
+++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
@@ -7,9 +7,10 @@ iface {{ adh_iface.stdout }} inet static
 	network {{ adh.ipv4.network }}
 	netmask {{ adh.ipv4.netmask }}
 	broadcast {{ adh.ipv4.broadcast }}
-	gateway {{ adh_gateway }}
+	gateway {{ vlan.adh.gateway }}
+	metric {{ vlan.adh.metric }}
 	mtu 1496
-	dns-nameservers {{ adh_dns }}
+	dns-nameservers {{ vlan.adh.dns }}
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias adh
 {% if ansible_local.interfaces.sup_if_4 is defined %}

From a3e3532644bd38cc1c17b0d79e21ef0dd2745cc0 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Tue, 28 Apr 2020 20:27:58 +0200
Subject: [PATCH 27/56] [interfaces] Factorize

---
 interfaces.yml                                | 72 +++++++++++--------
 roles/interfaces/tasks/main.yml               | 51 ++-----------
 .../templates/network/interfaces.d/00-srv.j2  | 32 ---------
 .../templates/network/interfaces.d/01-ens.j2  | 32 ---------
 .../templates/network/interfaces.d/02-adm.j2  | 30 --------
 .../network/interfaces.d/03-borne.j2          | 30 --------
 .../network/interfaces.d/04-switch.j2         | 30 --------
 .../templates/network/interfaces.d/21-fil.j2  | 32 ---------
 .../templates/network/interfaces.d/23-adh.j2  | 32 ---------
 .../templates/network/interfaces.d/ifalias.j2 | 36 ++++++++++
 10 files changed, 85 insertions(+), 292 deletions(-)
 delete mode 100644 roles/interfaces/templates/network/interfaces.d/00-srv.j2
 delete mode 100644 roles/interfaces/templates/network/interfaces.d/01-ens.j2
 delete mode 100644 roles/interfaces/templates/network/interfaces.d/02-adm.j2
 delete mode 100644 roles/interfaces/templates/network/interfaces.d/03-borne.j2
 delete mode 100644 roles/interfaces/templates/network/interfaces.d/04-switch.j2
 delete mode 100644 roles/interfaces/templates/network/interfaces.d/21-fil.j2
 delete mode 100644 roles/interfaces/templates/network/interfaces.d/23-adh.j2
 create mode 100644 roles/interfaces/templates/network/interfaces.d/ifalias.j2

diff --git a/interfaces.yml b/interfaces.yml
index 431b69bc..5c7107a7 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -1,54 +1,70 @@
 #!/usr/bin/env ansible-playbook
 ---
-# Set variable adm_iface for all servers
+# Get ifname of configured vlan for all servers
 - hosts: server
   tasks:
-    - shell: grep srv /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
-      register: srv_iface
-      check_mode: no
-    - shell: grep ens /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
-      register: ens_iface
-      check_mode: no
-    - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
-      register: adm_iface
-      check_mode: no
-    - shell: grep borne /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
-      register: borne_iface
-      check_mode: no
-    - shell: grep switch /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
-      register: switch_iface
-      check_mode: no
-    - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
-      register: fil_iface
-      check_mode: no
-    - shell: grep adh /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
-      register: adh_iface
+    - shell: "grep {{ item }} /sys/class/net/*/ifalias | sed \"s|/sys/class/net/||\" | sed \"s|/ifalias:.*||\""
       check_mode: no
+      register: ifaces
+      loop:
+        - srv
+        - ens
+        - adm
+        - borne
+        - switch
+        - fil
 
 - hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org
   vars:
     vlan:
-      srv:
+      - name: srv
+        id: 0
         metric: 100
         gateway: 185.230.79.254
         dns: 185.230.79.152 185.230.79.4
-      ens:
+        dns_search: crans.org
+        ifnames: "{{ ifaces | json_query('results[?item==`srv`].stdout') }}"
+
+      - name: ens
+        id: 1
         metric: 300
         gateway: 138.231.136.254
         dns: 138.231.136.152 138.231.136.4
-      adm:
+        dns_search: crans.org
+        ifnames: "{{ ifaces | json_query('results[?item==`ens`].stdout') }}"
+
+      - name: adm
+        id: 2
         dns: 10.231.136.152 10.231.136.4
-      borne:
+        dns_search: adm.crans.org
+        ifnames: "{{ ifaces | json_query('results[?item==`adm`].stdout') }}"
+
+      - name: borne
+        id: 3
         dns: 10.231.148.52 10.231.148.4
-      switch:
+        dns_search: borne.crans.org
+        ifnames: "{{ ifaces | json_query('results[?item==`borne`].stdout') }}"
+
+      - name: switch
+        id: 4
         dns: 10.231.100.152 10.231.100.4
-      fil:
+        dns_search: switch.crans.org
+        ifnames: "{{ ifaces | json_query('results[?item==`switch`].stdout') }}"
+
+      - name: fil
+        id: 21
         metric: 400
         gateway: 10.54.0.254
         dns: 10.54.0.152 10.54.0.4
-      adh:
+        dns_search: fil.crans.org
+        ifnames: "{{ ifaces | json_query('results[?item==`fil`].stdout') }}"
+
+      - name: adh
+        id: 23
         metric: 200
         gateway: 185.230.78.254
         dns: 185.230.78.152 185.230.78.4
+        dns_search: crans.org
+        ifnames: "{{ ifaces | json_query('results[?item==`adh`].stdout') }}"
   roles:
     - interfaces
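Review bot: The `loop:` on the probe task stops at `fil` and no longer includes `adh`, while the `vlan` entry for adh still derives its `ifnames` from the `ifaces` results where `item` equals adh; that query can only return an empty list, so the adh interface file is never deployed even though the previous version of the playbook probed for it. Add `- adh` after `- fil`. Separately, `json_query` requires the jmespath library on the controller, which the old playbook did not need; that is worth a line wherever the repository lists its controller dependencies. Since the probe only reads sysfs, `changed_when: false` next to `check_mode: no` would also stop it reporting a change on every run.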
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index c155fc1b..886b45d3 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -14,51 +14,10 @@
     dest: /etc/network/interfaces
     mode: 0644
 
-- name: Deploy srv interface config
+- name: Deploy interfaces config
   template:
-    src: network/interfaces.d/00-srv.j2
-    dest: /etc/network/interfaces.d/00-srv
+    src: "network/interfaces.d/ifalias.j2"
+    dest: "/etc/network/interfaces.d/{{ '%02d' | format(item.id) }}-{{ item.name }}"
     mode: 0644
-  when: srv_iface.stdout
-
-- name: Deploy ens interface config
-  template:
-    src: network/interfaces.d/01-ens.j2
-    dest: /etc/network/interfaces.d/01-ens
-    mode: 0644
-  when: ens_iface.stdout
-
-- name: Deploy adm interface config
-  template:
-    src: network/interfaces.d/02-adm.j2
-    dest: /etc/network/interfaces.d/02-adm
-    mode: 0644
-  when: adm_iface.stdout
-
-- name: Deploy borne interface config
-  template:
-    src: network/interfaces.d/03-borne.j2
-    dest: /etc/network/interfaces.d/03-borne
-    mode: 0644
-  when: borne_iface.stdout
-
-- name: Deploy switch interface config
-  template:
-    src: network/interfaces.d/04-switch.j2
-    dest: /etc/network/interfaces.d/04-switch
-    mode: 0644
-  when: switch_iface.stdout
-
-- name: Deploy fil interface config
-  template:
-    src: network/interfaces.d/21-fil.j2
-    dest: /etc/network/interfaces.d/21-fil
-    mode: 0644
-  when: fil_iface.stdout
-
-- name: Deploy adh interface config
-  template:
-    src: network/interfaces.d/23-adh.j2
-    dest: /etc/network/interfaces.d/23-adh
-    mode: 0644
-  when: adh_iface.stdout
+  when: (item.ifnames | length > 0) and item.ifnames[0] != ''
+  loop: "{{ vlan }}"
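Review bot: The new `when:` only inspects `item.ifnames[0]`, and the `ifalias.j2` template likewise renders only the first match, so a host whose alias grep matched more than one interface silently gets a single configuration file; a comment above the task, `# only the first interface carrying the alias is configured`, would make that explicit until multiple matches are handled. With `loop: "{{ vlan }}"` each iteration is labelled with the whole VLAN dict in the play output; `loop_control:` with `label: "{{ item.name }}"` keeps it readable. The task list above this hunk starts outside it.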
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
deleted file mode 100644
index 8ac4b8a5..00000000
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ /dev/null
@@ -1,32 +0,0 @@
-{{ ansible_header | comment }}
-
-{% set srv = hostvars[inventory_hostname]['ansible_' + srv_iface.stdout] %}
-auto {{ srv_iface.stdout }}
-iface {{ srv_iface.stdout }} inet static
-	address {{ srv.ipv4.address }}
-	network {{ srv.ipv4.network }}
-	netmask {{ srv.ipv4.netmask }}
-	broadcast {{ srv.ipv4.broadcast }}
-	gateway {{ vlan.srv.gateway }}
-	metric {{ vlan.srv.metric }}
-	mtu 1496
-	dns-nameservers {{ vlan.srv.dns }}
-	dns-search crans.org
-	up /sbin/ip link set $IFACE alias srv
-{% if ansible_local.interfaces.sup_if_4 is defined %}
-{% if srv_iface.stdout in ansible_local.interfaces.sup_if_4 %}
-{% for line in ansible_local.interfaces.sup_if_4[srv_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
-
-iface {{ srv_iface.stdout }} inet6 static
-	address {{ srv.ipv6[0].address }}/{{ srv.ipv6[0].prefix }}
-{% if ansible_local.interfaces.sup_if_6 is defined %}
-{% if srv_iface.stdout in ansible_local.interfaces.sup_if_6 %}
-{% for line in ansible_local.interfaces.sup_if_6[srv_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
deleted file mode 100644
index 6c308f23..00000000
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ /dev/null
@@ -1,32 +0,0 @@
-{{ ansible_header | comment }}
-
-{% set ens = hostvars[inventory_hostname]['ansible_' + ens_iface.stdout] %}
-auto {{ ens_iface.stdout }}
-iface {{ ens_iface.stdout }} inet static
-	address {{ ens.ipv4.address }}
-	network {{ ens.ipv4.network }}
-	netmask {{ ens.ipv4.netmask }}
-	broadcast {{ ens.ipv4.broadcast }}
-	gateway {{ vlan.ens.gateway }}
-	metric {{ vlan.ens.metric }}
-	mtu 1496
-	dns-nameservers {{ vlan.ens.dns }}
-	dns-search crans.org
-	up /sbin/ip link set $IFACE alias ens
-{% if ansible_local.interfaces.sup_if_4 is defined %}
-{% if ens_iface.stdout in ansible_local.interfaces.sup_if_4 %}
-{% for line in ansible_local.interfaces.sup_if_4[ens_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
-
-iface {{ ens_iface.stdout }} inet6 static
-	address {{ ens.ipv6[0].address }}/{{ ens.ipv6[0].prefix }}
-{% if ansible_local.interfaces.sup_if_6 is defined %}
-{% if ens_iface.stdout in ansible_local.interfaces.sup_if_6 %}
-{% for line in ansible_local.interfaces.sup_if_6[ens_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
deleted file mode 100644
index 62fb1f1e..00000000
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ /dev/null
@@ -1,30 +0,0 @@
-{{ ansible_header | comment }}
-
-{% set adm = hostvars[inventory_hostname]['ansible_' + adm_iface.stdout] %}
-auto {{ adm_iface.stdout }}
-iface {{ adm_iface.stdout }} inet static
-	address {{ adm.ipv4.address }}
-	network {{ adm.ipv4.network }}
-	netmask {{ adm.ipv4.netmask }}
-	broadcast {{ adm.ipv4.broadcast }}
-	mtu 1496
-	dns-nameservers {{ vlan.adm.dns }}
-	dns-search adm.crans.org
-	up /sbin/ip link set $IFACE alias adm
-{% if ansible_local.interfaces.sup_if_4 is defined %}
-{% if adm_iface.stdout in ansible_local.interfaces.sup_if_4 %}
-{% for line in ansible_local.interfaces.sup_if_4[adm_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
-
-iface {{ adm_iface.stdout }} inet6 static
-	address {{ adm.ipv6[0].address }}/{{ adm.ipv6[0].prefix }}
-{% if ansible_local.interfaces.sup_if_6 is defined %}
-{% if adm_iface.stdout in ansible_local.interfaces.sup_if_6 %}
-{% for line in ansible_local.interfaces.sup_if_6[adm_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
deleted file mode 100644
index 7db48f6a..00000000
--- a/roles/interfaces/templates/network/interfaces.d/03-borne.j2
+++ /dev/null
@@ -1,30 +0,0 @@
-{{ ansible_header | comment }}
-
-{% set borne = hostvars[inventory_hostname]['ansible_' + borne_iface.stdout] %}
-auto {{ borne_iface.stdout }}
-iface {{ borne_iface.stdout }} inet static
-	address {{ borne.ipv4.address }}
-	network {{ borne.ipv4.network }}
-	netmask {{ borne.ipv4.netmask }}
-	broadcast {{ borne.ipv4.broadcast }}
-	mtu 1496
-	dns-nameservers {{ vlan.borne.dns }}
-	dns-search borne.crans.org
-	up /sbin/ip link set $IFACE alias borne
-{% if ansible_local.interfaces.sup_if_4 is defined %}
-{% if borne_iface.stdout in ansible_local.interfaces.sup_if_4 %}
-{% for line in ansible_local.interfaces.sup_if_4[borne_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
-
-iface {{ borne_iface.stdout }} inet6 static
-	address {{ borne.ipv6[0].address }}/{{ borne.ipv6[0].prefix }}
-{% if ansible_local.interfaces.sup_if_6 is defined %}
-{% if borne_iface.stdout in ansible_local.interfaces.sup_if_6 %}
-{% for line in ansible_local.interfaces.sup_if_6[borne_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
deleted file mode 100644
index 586adef9..00000000
--- a/roles/interfaces/templates/network/interfaces.d/04-switch.j2
+++ /dev/null
@@ -1,30 +0,0 @@
-{{ ansible_header | comment }}
-
-{% set switch = hostvars[inventory_hostname]['ansible_' + switch_iface.stdout] %}
-auto {{ switch_iface.stdout }}
-iface {{ switch_iface.stdout }} inet static
-	address {{ switch.ipv4.address }}
-	network {{ switch.ipv4.network }}
-	netmask {{ switch.ipv4.netmask }}
-	broadcast {{ switch.ipv4.broadcast }}
-	mtu 1496
-	dns-nameservers {{ vlan.switch.dns }}
-	dns-search switch.crans.org
-	up /sbin/ip link set $IFACE alias switch
-{% if ansible_local.interfaces.sup_if_4 is defined %}
-{% if switch_iface.stdout in ansible_local.interfaces.sup_if_4 %}
-{% for line in ansible_local.interfaces.sup_if_4[switch_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
-
-iface {{ switch_iface.stdout }} inet6 static
-	address {{ switch.ipv6[0].address }}/{{ switch.ipv6[0].prefix }}
-{% if ansible_local.interfaces.sup_if_6 is defined %}
-{% if switch_iface.stdout in ansible_local.interfaces.sup_if_6 %}
-{% for line in ansible_local.interfaces.sup_if_6[switch_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
deleted file mode 100644
index c5bb9508..00000000
--- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2
+++ /dev/null
@@ -1,32 +0,0 @@
-{{ ansible_header | comment }}
-
-{% set fil = hostvars[inventory_hostname]['ansible_' + fil_iface.stdout] %}
-auto {{ fil_iface.stdout }}
-iface {{ fil_iface.stdout }} inet static
-	address {{ fil.ipv4.address }}
-	network {{ fil.ipv4.network }}
-	netmask {{ fil.ipv4.netmask }}
-	broadcast {{ fil.ipv4.broadcast }}
-	gateway {{ vlan.fil.gateway }}
-	metric {{ vlan.fil.metric }}
-	mtu 1496
-	dns-nameservers {{ vlan.fil.dns }}
-	dns-search fil.crans.org
-	up /sbin/ip link set $IFACE alias fil
-{% if ansible_local.interfaces.sup_if_4 is defined %}
-{% if fil_iface.stdout in ansible_local.interfaces.sup_if_4 %}
-{% for line in ansible_local.interfaces.sup_if_4[fil_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
-
-iface {{ fil_iface.stdout }} inet6 static
-	address {{ fil.ipv6[0].address }}/{{ fil.ipv6[0].prefix }}
-{% if ansible_local.interfaces.sup_if_6 is defined %}
-{% if fil_iface.stdout in ansible_local.interfaces.sup_if_6 %}
-{% for line in ansible_local.interfaces.sup_if_6[fil_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
deleted file mode 100644
index de2b21b7..00000000
--- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2
+++ /dev/null
@@ -1,32 +0,0 @@
-{{ ansible_header | comment }}
-
-{% set adh = hostvars[inventory_hostname]['ansible_' + adh_iface.stdout] %}
-auto {{ adh_iface.stdout }}
-iface {{ adh_iface.stdout }} inet static
-	address {{ adh.ipv4.address }}
-	network {{ adh.ipv4.network }}
-	netmask {{ adh.ipv4.netmask }}
-	broadcast {{ adh.ipv4.broadcast }}
-	gateway {{ vlan.adh.gateway }}
-	metric {{ vlan.adh.metric }}
-	mtu 1496
-	dns-nameservers {{ vlan.adh.dns }}
-	dns-search crans.org
-	up /sbin/ip link set $IFACE alias adh
-{% if ansible_local.interfaces.sup_if_4 is defined %}
-{% if adh_iface.stdout in ansible_local.interfaces.sup_if_4 %}
-{% for line in ansible_local.interfaces.sup_if_4[adh_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
-
-iface {{ adh_iface.stdout }} inet6 static
-	address {{ adh.ipv6[0].address }}/{{ adh.ipv6[0].prefix }}
-{% if ansible_local.interfaces.sup_if_6 is defined %}
-{% if adh_iface.stdout in ansible_local.interfaces.sup_if_6 %}
-{% for line in ansible_local.interfaces.sup_if_6[adh_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/ifalias.j2 b/roles/interfaces/templates/network/interfaces.d/ifalias.j2
new file mode 100644
index 00000000..daf6a938
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/ifalias.j2
@@ -0,0 +1,36 @@
+{{ ansible_header | comment }}
+
+{% set ifconfig = hostvars[inventory_hostname]['ansible_' + item.ifnames[0]] %}
+auto {{ item.ifnames[0] }}
+iface {{ item.ifnames[0] }} inet static
+	address {{ ifconfig.ipv4.address }}
+	network {{ ifconfig.ipv4.network }}
+	netmask {{ ifconfig.ipv4.netmask }}
+	broadcast {{ ifconfig.ipv4.broadcast }}
+{% if item.gateway is defined %}
+	gateway {{ item.gateway }}
+{% endif %}
+{% if item.metric is defined %}
+	metric {{ item.metric }}
+{% endif %}
+	mtu 1496
+	dns-nameservers {{ item.dns }}
+	dns-search {{ item.dns_search }}
+	up /sbin/ip link set $IFACE alias {{ item.name }}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
+{% if item.ifnames[0] in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[item.ifnames[0]] %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+
+iface {{ item.ifnames[0] }} inet6 static
+	address {{ ifconfig.ipv6[0].address }}/{{ ifconfig.ipv6[0].prefix }}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
+{% if item.ifnames[0] in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[item.ifnames[0]] %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
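Review bot: `ifconfig.ipv6[0]` in the inet6 stanza takes the first entry of the per-interface `ipv6` facts list, which as far as I know also contains link-local (`fe80::`) entries, so the rendered `address` can be a link-local address rather than the global one, and an interface with no IPv6 address at all makes the whole template fail. Selecting explicitly, e.g. `{% set v6 = ifconfig.ipv6 | selectattr('scope', 'equalto', 'global') | list %}` and guarding the stanza with `{% if v6 %}`, states the intent and degrades gracefully. The per-VLAN templates this commit deletes made the same first-element assumption, so this is not a regression, but the factorised file is the right place to fix it once.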

From b9a7e19bc0a9c43bec79f335fcc4f54f50e17cff Mon Sep 17 00:00:00 2001
From: Bombar Maxime <bombar@crans.org>
Date: Wed, 29 Apr 2020 10:53:58 +0200
Subject: [PATCH 28/56] [rsync-client] Add wireguard interface. Enable backups
 on sputnik.

---
 roles/rsync-client/tasks/main.yml           | 4 ++++
 roles/rsync-client/templates/rsyncd.conf.j2 | 5 +++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/roles/rsync-client/tasks/main.yml b/roles/rsync-client/tasks/main.yml
index 13c9f44c..2647c076 100644
--- a/roles/rsync-client/tasks/main.yml
+++ b/roles/rsync-client/tasks/main.yml
@@ -30,3 +30,7 @@
     name: rsync
     enabled: true
     state: started
+
+- name: TODO
+  debug:
+    msg: Make use of the lookup plugin to avoid hardcoding things ?
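Review bot: The new `TODO` task is a `debug` that executes and prints on every run of the role; a comment at the same spot, `# TODO: use the lookup plugin to avoid hardcoding the backup hosts`, records the intent without adding a task to every play's output. The `service` task above it begins outside the hunk.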
diff --git a/roles/rsync-client/templates/rsyncd.conf.j2 b/roles/rsync-client/templates/rsyncd.conf.j2
index e3ed5ade..bea4fc7c 100644
--- a/roles/rsync-client/templates/rsyncd.conf.j2
+++ b/roles/rsync-client/templates/rsyncd.conf.j2
@@ -34,13 +34,14 @@ address = {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.ad
 path = /var
 auth users = backupcrans
 secrets file = /etc/rsyncd.secrets
-hosts allow = zephir.adm.crans.org 10.231.136.6
+hosts allow = zephir.adm.crans.org 10.231.136.6 {% if ansible_hostname == "sputnik" %}172.31.0.1{% endif %}
+
 
 [slash]
 path = /
 auth users = backupcrans
 secrets file = /etc/rsyncd.secrets
-hosts allow = zephir.adm.crans.org 10.231.136.6
+hosts allow = zephir.adm.crans.org 10.231.136.6 {% if ansible_hostname == "sputnik" %}172.31.0.1{% endif %}
 
 {# rsync readonly pour le miroir #}
 {% if ansible_hostname == "charybde" %}
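Review bot: The same inline conditional is now duplicated in the `[var]` and `[slash]` stanzas, and only the `[var]` one gains an extra blank line at the new line after it; a single `{% set backup_hosts = 'zephir.adm.crans.org 10.231.136.6' ~ (' 172.31.0.1' if ansible_hostname == 'sputnik' else '') %}` near the top of the template, then `hosts allow = {{ backup_hosts }}` in both stanzas, keeps the two allow-lists in step and drops the stray blank line. On hosts other than sputnik the inline form also leaves a trailing space on the line, which rsyncd tolerates but which shows up in every future diff. The template header is outside the hunk.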

From a10fda1b196fe999d65db7f2faf2a5c4684f0542 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Wed, 29 Apr 2020 12:15:12 +0200
Subject: [PATCH 29/56] [backuppc] Initial role

---
 roles/backuppc/tasks/main.yml                 | 20 +++++++++++++++++++
 .../templates/update-motd.d/05-service.j2     |  3 +++
 services_web.yml                              |  4 ++++
 3 files changed, 27 insertions(+)
 create mode 100644 roles/backuppc/tasks/main.yml
 create mode 100755 roles/backuppc/templates/update-motd.d/05-service.j2

diff --git a/roles/backuppc/tasks/main.yml b/roles/backuppc/tasks/main.yml
new file mode 100644
index 00000000..bb1e89b2
--- /dev/null
+++ b/roles/backuppc/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: Install backuppc
+  apt:
+    update_cache: true
+    name: backuppc
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Disable mlocate indexation of backup files
+  lineinfile:
+    path: /etc/updatedb.conf
+    regexp: '^PRUNEPATHS'
+    line: PRUNEPATHS="/tmp /var/spool /media /var/lib/os-prober /var/lib/ceph /var/lib/backuppc /backup"
+
+- name: Indicate role in motd
+  template:
+    src: update-motd.d/05-service.j2
+    dest: /etc/update-motd.d/05-backuppc
+    mode: 0755
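Review bot: The `lineinfile` task replaces the whole `PRUNEPATHS` line with a fixed value, so any path already listed on a host is silently dropped rather than extended; if the intent is just to add `/var/lib/backuppc /backup`, a comment such as `# This role owns the PRUNEPATHS line; add other exclusions here` would at least make the clobbering explicit. Separately, `mode: 0755` is an unquoted octal literal that YAML 1.1 parses as an integer; Ansible accepts it, but ansible-lint flags it and `mode: "0755"` is unambiguous.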
diff --git a/roles/backuppc/templates/update-motd.d/05-service.j2 b/roles/backuppc/templates/update-motd.d/05-service.j2
new file mode 100755
index 00000000..e0e1810d
--- /dev/null
+++ b/roles/backuppc/templates/update-motd.d/05-service.j2
@@ -0,0 +1,3 @@
+#!/usr/bin/tail +14
+{{ ansible_header | comment }}
+> BackupPC a été déployé sur cette machine. Voir /etc/backuppc/ et /var/lib/backuppc/.
diff --git a/services_web.yml b/services_web.yml
index a6dbe2eb..934c70f9 100755
--- a/services_web.yml
+++ b/services_web.yml
@@ -114,3 +114,7 @@
     - ftpsync
     - rsync-mirror
     - nginx-pubftp
+
+- hosts: zephir.adm.crans.org
+  roles:
+    - backuppc

From aa47c499c6e66711ceebf6d7489f8de3ef5729ee Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Wed, 29 Apr 2020 12:20:52 +0200
Subject: [PATCH 30/56] Let's eat some backups

---
 services_web.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services_web.yml b/services_web.yml
index 934c70f9..e52e8a23 100755
--- a/services_web.yml
+++ b/services_web.yml
@@ -115,6 +115,6 @@
     - rsync-mirror
     - nginx-pubftp
 
-- hosts: zephir.adm.crans.org
+- hosts: zephir.adm.crans.org,omnomnom.adm.crans.org
   roles:
     - backuppc

From e54244e0c70d5f42808d70bcb8f7268df717f53f Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Fri, 1 May 2020 16:59:47 +0200
Subject: [PATCH 31/56] [bind-authoritative] Add zone
 _acme-challenge.adm.crans.org

---
 .../templates/bind/named.conf.local.j2        | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/roles/bind-authoritative/templates/bind/named.conf.local.j2 b/roles/bind-authoritative/templates/bind/named.conf.local.j2
index 9752be76..e11f50c3 100644
--- a/roles/bind-authoritative/templates/bind/named.conf.local.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2
@@ -35,6 +35,29 @@ zone "_acme-challenge.crans.org" {
 	file "bak._acme-challenge.crans.org";
 };
 
+// Let's Encrypt Challenge DNS-01 zone
+zone "_acme-challenge.adm.crans.org" {
+{% if is_master %}
+	type master;
+	notify yes;
+	update-policy {
+		grant certbot_challenge. name _acme-challenge.adm.crans.org. txt;
+	};
+{% else %}
+	type slave;
+	masters {
+{% for ip in masters_ipv4 %}
+		{{ ip }};
+{% endfor -%}
+{% for ip in masters_ipv6 %}
+		{{ ip }};
+{% endfor %}
+	};
+	notify no;
+{% endif %}
+	file "bak._acme-challenge.adm.crans.org";
+};
+
 zone "_acme-challenge.crans.fr" {
 {% if is_master %}
 	type master;
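Review bot: The `update-policy` of the new zone grants TXT updates to `certbot_challenge.`, the same TSIG key that already updates `_acme-challenge.crans.org`, so whichever host holds that key for the public certificate can also answer challenges for `*.adm.crans.org`. A per-zone key (`grant certbot_adm_challenge. name _acme-challenge.adm.crans.org. txt;` with its own `key` block and vault secret) keeps a compromise of one certbot host from obtaining certificates for the other zone. The hunk's zone block is complete, but the file continues with the existing zones outside it.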

From 80040dd35c45c6848ff557a8ba10c8276205cade Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Fri, 1 May 2020 17:17:18 +0200
Subject: [PATCH 32/56] Certbot role for gitzly

---
 network.yml                                   | 20 ++++++++++++++++++-
 roles/certbot/tasks/main.yml                  |  4 ++--
 .../letsencrypt/conf.d/crans.org.ini.j2       |  6 +++---
 .../templates/letsencrypt/rfc2136.ini.j2      |  4 ++--
 4 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/network.yml b/network.yml
index b7d09a19..ed74f96c 100755
--- a/network.yml
+++ b/network.yml
@@ -51,7 +51,25 @@
 # Deploy reverse proxy
 - hosts: bakdaur.adm.crans.org
   vars:
-    certbot_dns_secret: "{{ vault_certbot_dns_secret }}"
+    certbot:
+      dns_rfc2136_name: certbot_challenge.
+      dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+      mail: root@crans.org
+      certname: crans.org
+      domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
+    bind:
+      masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
+  roles:
+    - certbot
+
+- hosts: gitzly.adm.crans.org
+  vars:
+    certbot:
+      dns_rfc2136_name: certbot_adm_challenge.
+      dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
+      mail: root@crans.org
+      certname: adm.crans.org
+      domains: "*.adm.crans.org"
     bind:
       masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
   roles:
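Review bot: `dns_rfc2136_name: certbot_adm_challenge.` in the gitzly play names a TSIG key that no `key` block in `named.conf.local.j2` defines at this point in the series, and the `_acme-challenge.adm.crans.org` zone's `update-policy` grants `certbot_challenge.`, so the DNS-01 update will be refused until the key is added on the masters and the grant switched. `domains: "*.adm.crans.org"` covers only the wildcard, not `adm.crans.org` itself; if the apex is wanted, list it as is done for crans.org. The two plays repeat `mail`, `bind.masters` and the role list; a `group_vars` entry would remove the duplication. The gitzly play's `roles:` list continues outside the hunk.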
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index 86e7c6e3..3a862fcb 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -24,6 +24,6 @@
 
 - name: Add Certbot configuration
   template:
-    src: letsencrypt/conf.d/crans.org.ini.j2
-    dest: /etc/letsencrypt/conf.d/crans.org.ini
+    src: "letsencrypt/conf.d/{{ certbot.certname }}.ini.j2"
+    dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
     mode: 0644
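Review bot: `src: "letsencrypt/conf.d/{{ certbot.certname }}.ini.j2"` requires one template per cert name, but the commit only templates `crans.org.ini.j2`, so the new gitzly play with `certname: adm.crans.org` fails at this task looking for `adm.crans.org.ini.j2`. Since the template is now fully parameterised by `certbot.*`, a single generic template is enough: rename it and use `src: letsencrypt/conf.d/certname.ini.j2`, keeping the templated `dest`. The task list continues outside the hunk.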
diff --git a/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2
index d311fa76..837a60a9 100644
--- a/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2
+++ b/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2
@@ -10,7 +10,7 @@ rsa-key-size = 4096
 # server = https://acme-staging.api.letsencrypt.org/directory
 
 # Uncomment and update to register with the specified e-mail address
-email = root@crans.org
+email = {{ certbot.mail }}
 
 # Uncomment to use a text interface instead of ncurses
 text = True
@@ -21,5 +21,5 @@ dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
 dns-rfc2136-propagation-seconds = 30
 
 # Wildcard the domain
-cert-name = crans.org
-domains = crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu
+cert-name = {{ certbot.certname }}
+domains = {{ certbot.domains }}
diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
index 54b272b5..a41a547d 100644
--- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@@ -2,6 +2,6 @@
 
 dns_rfc2136_server = {{ dns_masters_ipv4 | first }}
 dns_rfc2136_port = 53
-dns_rfc2136_name = certbot_challenge.
-dns_rfc2136_secret = {{ certbot_dns_secret }}
+dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
+dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
 dns_rfc2136_algorithm = HMAC-SHA512

From 4e6571a179e50d43f53c1c3c152c63c2c85c79f4 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Fri, 1 May 2020 17:35:27 +0200
Subject: [PATCH 33/56] New DNS key

---
 network.yml                                                 | 1 +
 roles/bind-authoritative/templates/bind/named.conf.local.j2 | 6 +++++-
 roles/certbot/tasks/main.yml                                | 2 +-
 .../conf.d/{crans.org.ini.j2 => certname.ini.j2}            | 0
 4 files changed, 7 insertions(+), 2 deletions(-)
 rename roles/certbot/templates/letsencrypt/conf.d/{crans.org.ini.j2 => certname.ini.j2} (100%)

diff --git a/network.yml b/network.yml
index ed74f96c..97cc9737 100755
--- a/network.yml
+++ b/network.yml
@@ -40,6 +40,7 @@
 - hosts: silice.adm.crans.org,sputnik.adm.crans.org,boeing.adm.crans.org
   vars:
     certbot_dns_secret: "{{ vault_certbot_dns_secret }}"
+    certbot_adm_dns_secret: "{{ vault_certbot_adm_dns_secret }}"
     bind:
       masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
       slaves: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-slave')[0] }}"
diff --git a/roles/bind-authoritative/templates/bind/named.conf.local.j2 b/roles/bind-authoritative/templates/bind/named.conf.local.j2
index e11f50c3..9d76d8e8 100644
--- a/roles/bind-authoritative/templates/bind/named.conf.local.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2
@@ -10,6 +10,10 @@ key "certbot_challenge." {
 	algorithm hmac-sha512;
 	secret "{{ certbot_dns_secret }}";
 };
+key "certbot_adm_challenge." {
+	algorithm hmac-sha512;
+	secret "{{ certbot_adm_dns_secret }}";
+};
 {% endif %}
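Review bot: The new `certbot_adm_challenge.` TSIG secret is rendered straight into `named.conf.local`, which the Debian bind9 package ships world-readable; unless the task that deploys this template sets a restrictive mode (not visible here), any local user on a master can read both certbot keys. The usual layout is a separate key file included from `named.conf.local` and owned `root:bind` with mode `0640`, which this role could template in the same way. This follows the existing `certbot_challenge.` block, so the point applies to both keys.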
 
 // Let's Encrypt Challenge DNS-01 zone
@@ -41,7 +45,7 @@ zone "_acme-challenge.adm.crans.org" {
 	type master;
 	notify yes;
 	update-policy {
-		grant certbot_challenge. name _acme-challenge.adm.crans.org. txt;
+		grant certbot_adm_challenge. name _acme-challenge.adm.crans.org. txt;
 	};
 {% else %}
 	type slave;
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index 3a862fcb..b32845cc 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -24,6 +24,6 @@
 
 - name: Add Certbot configuration
   template:
-    src: "letsencrypt/conf.d/{{ certbot.certname }}.ini.j2"
+    src: "letsencrypt/conf.d/certname.ini.j2"
     dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
     mode: 0644
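Review bot: `src: "letsencrypt/conf.d/certname.ini.j2"` no longer contains a Jinja expression, so the quotes are unnecessary: `src: letsencrypt/conf.d/certname.ini.j2`. Only `dest`, which still interpolates `certbot.certname`, needs quoting.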
diff --git a/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
similarity index 100%
rename from roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2
rename to roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2

From bcba080057d86874a1740939a02bc17c71b80bcb Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Fri, 1 May 2020 18:37:51 +0200
Subject: [PATCH 34/56] Clean up Framadate for shireen

---
 roles/framadate/tasks/main.yml                     | 14 +++++++-------
 .../templates/update-motd.d/05-service.j2          |  3 +--
 services_web.yml                                   | 12 ++++--------
 3 files changed, 12 insertions(+), 17 deletions(-)

diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml
index b3584f62..02c698e7 100644
--- a/roles/framadate/tasks/main.yml
+++ b/roles/framadate/tasks/main.yml
@@ -16,23 +16,23 @@
 
 - name: Clone framadate project
   git:
-    repo: "{{ framadate_repo }}"
-    dest: "{{ framadate_path }}"
-    version: "{{ framadate_version }}"
+    repo: "{{ framadate.repo }}"
+    dest: "{{ framadate.path }}"
+    version: "{{ framadate.version }}"
 
 - name: Set perms on framadate code
   file:
-    path: "{{ framadate_path }}"
+    path: "{{ framadate.path }}"
     state: directory
-    owner: "{{ framadate_user }}"
+    owner: www-data
     recurse: true
 
 - name: Install Framadate dependencies
   composer:
     command: install
-    working_dir: "{{ framadate_path }}"
+    working_dir: "{{ framadate.path }}"
   become: true
-  become_user: "{{ framadate_user }}"
+  become_user: www-data
   register: composer_result
   retries: 3
   until: composer_result is succeeded
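Review bot: Replacing `framadate_user` with a literal `www-data` also drops the explanation that lived next to the variable (which user runs Framadate and how to debug as it), so a one-line comment on the `file` task would preserve it: `# www-data runs Framadate and composer; debug with: sudo -u www-data zsh`. The recursive `owner: www-data` makes the PHP process the owner of its own source tree, so a compromised web process can rewrite the application; that was already the case with the variable, but a comment saying it is accepted would stop the next reader from changing it either way. The task list continues outside the hunk.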
diff --git a/roles/framadate/templates/update-motd.d/05-service.j2 b/roles/framadate/templates/update-motd.d/05-service.j2
index bf029cde..d0598362 100755
--- a/roles/framadate/templates/update-motd.d/05-service.j2
+++ b/roles/framadate/templates/update-motd.d/05-service.j2
@@ -1,4 +1,3 @@
 #!/usr/bin/tail +14
 {{ ansible_header | comment }}
-> framadate a été déployé sur cette machine.
-  Voir {{ framadate_path }}
+> Framadate a été déployé sur cette machine. Voir {{ framadate.path }}.
diff --git a/services_web.yml b/services_web.yml
index e52e8a23..17515e3f 100755
--- a/services_web.yml
+++ b/services_web.yml
@@ -7,14 +7,10 @@
 # Deploy FramaDate
 - hosts: voyager.adm.crans.org
   vars:
-    # mirror on Crans GitLab because adm has no network
-    framadate_repo: https://framagit.org/framasoft/framadate/framadate.git
-    framadate_version: 1.1.10
-
-    # User who will run framadate
-    # you will have to `sudo -u THISUSER zsh` to debug
-    framadate_user: www-data
-    framadate_path: /var/www/framadate
+    framadate:
+      repo: https://framagit.org/framasoft/framadate/framadate.git
+      version: 1.1.10
+      path: /var/www/framadate
   roles:
     - framadate
 

From 37406ff774cdaad944d5083e84eceb159536d2ba Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sat, 2 May 2020 10:18:10 +0200
Subject: [PATCH 35/56] [nginx-reverseproxy] Initial role

---
 network.yml                                   | 72 ++++++++++++++++
 roles/nginx-reverseproxy/handlers/main.yml    |  5 ++
 roles/nginx-reverseproxy/tasks/main.yml       | 40 +++++++++
 .../templates/nginx/redirect.j2               | 83 +++++++++++++++++++
 .../templates/nginx/reverseproxy.j2           | 62 ++++++++++++++
 .../nginx/reverseproxy_redirect_dname.j2      | 44 ++++++++++
 .../templates/update-motd.d/05-service.j2     |  3 +
 .../templates/www/html/50x.html.j2            | 63 ++++++++++++++
 8 files changed, 372 insertions(+)
 create mode 100644 roles/nginx-reverseproxy/handlers/main.yml
 create mode 100644 roles/nginx-reverseproxy/tasks/main.yml
 create mode 100644 roles/nginx-reverseproxy/templates/nginx/redirect.j2
 create mode 100644 roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
 create mode 100644 roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
 create mode 100755 roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2
 create mode 100644 roles/nginx-reverseproxy/templates/www/html/50x.html.j2

diff --git a/network.yml b/network.yml
index 97cc9737..daf70236 100755
--- a/network.yml
+++ b/network.yml
@@ -60,8 +60,80 @@
       domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
     bind:
       masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
+    nginx:
+      ssl:
+        cert: /etc/letsencrypt/live/crans.org/fullchain.pem
+        cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
+        trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
+ 
+      redirect_dnames:
+        - crans.eu
+        - crans.fr
+
+      reverseproxy_sites:
+        # Services web Crans
+        - {from: lutim.crans.org, to: 10.231.136.69}
+        - {from: zero.crans.org, to: 10.231.136.76}
+        - {from: pad.crans.org, to: 10.231.136.76}
+        - {from: ethercalc.crans.org, to: 10.231.136.203}
+        - {from: mediadrop.crans.org, to: 10.231.136.106}
+        - {from: videos.crans.org, to: 10.231.136.106}
+        - {from: video.crans.org, to: 10.231.136.106}
+        - {from: roundcube.crans.org, to: 10.231.136.105}
+        - {from: phabricator.crans.org, to: 10.231.136.123}
+        - {from: trackerusercontent.crans.org, to: 10.231.136.123}
+        - {from: cas.crans.org, to: 10.231.136.18}
+        - {from: auth.crans.org, to: 10.231.136.18}
+        - {from: login.crans.org, to: 10.231.136.18}
+        - {from: webmail.crans.org, to: 10.231.136.107}
+        - {from: horde.crans.org, to: 10.231.136.107}
+        - {from: owncloud.crans.org, to: 10.231.136.26}
+        - {from: ftps.crans.org, to: 10.231.136.98}
+        - {from: wiki.crans.org, to: 10.231.136.204}
+        - {from: www.crans.org, to: 10.231.136.46}
+        - {from: doc.crans.org, to: 10.231.136.46}
+        - {from: limesurvey.crans.org, to: 10.231.136.253}
+        - {from: lutim.crans.org, to: 10.231.136.69}
+        - {from: perso.crans.org, to: 10.231.136.1}
+        - {from: webnews.crans.org, to: 10.231.136.63}
+        - {from: re2o.crans.org, to: 10.231.136.9}
+        - {from: intranet.crans.org, to: 10.231.136.9}
+        - {from: autoconfig.crans.org, to: 10.231.136.46}
+        - {from: grafana.crans.org, to: 10.231.136.102}
+        - {from: webirc.crans.org, to: "10.231.136.1:9000"}
+
+        # Zamok
+        - {from: install-party.crans.org, to: 10.231.136.1}
+        - {from: med.crans.org, to: 10.231.136.1}
+        - {from: med-cartons.crans.org, to: 10.231.136.1}
+        - {from: amap.crans.org, to: 10.231.136.1}
+        - {from: pot-vieux.crans.org, to: 10.231.136.1}
+        - {from: bonvivens.crans.org, to: 10.231.136.1}
+
+      redirect_sites:
+        - {from: crans.org, to: www.crans.org}
+
+        # Aliases or legacy support
+        - {from: factures.crans.org, to: intranet.crans.org}
+        - {from: accounts.crans.org, to: intranet.crans.org}
+        - {from: intranet2.crans.org, to: intranet.crans.org}
+        - {from: clubs.crans.org, to: perso.crans.org}
+        - {from: task.crans.org, to: phabricator.crans.org}
+        - {from: adopteunpingouin.crans.org, to: install-party.crans.org}
+        - {from: i-p.crans.org, to: install-party.crans.org}
+
+        # To the wiki
+        - {from: wikipedia.crans.org, to: wiki.crans.org}
+        - {from: wifi.crans.org, to: wiki.crans.org/CransD%C3%A9marrage}
+        - {from: television.crans.org, to: wiki.crans.org/CransTv}
+        - {from: tv.crans.org, to: wiki.crans.org/CransTv}
+
+        # ENS Cachan
+        - {from: crans.ens-cachan.fr, to: www.crans.org}
+        - {from: install-party.ens-cachan.fr, to: install-party.crans.org}
   roles:
     - certbot
+    - nginx-reverseproxy
 
 - hosts: gitzly.adm.crans.org
   vars:
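Review bot: `{from: lutim.crans.org, to: 10.231.136.69}` appears twice in `reverseproxy_sites`, which renders two `server` blocks with the same `server_name`; nginx keeps the first and logs a conflicting server name warning, so drop one entry. The blank line added after `trusted_cert` carries a trailing space, which yamllint rejects. The `redirect_sites` entries whose `to` contains a path (`wiki.crans.org/CransTv`, `wiki.crans.org/CransD%C3%A9marrage`) get `$request_uri` appended by the template, so `/foo` on tv.crans.org becomes `wiki.crans.org/CransTv/foo`; if only the root is meant to land there, a comment would save the next reader a surprise. The play starts before the hunk.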
diff --git a/roles/nginx-reverseproxy/handlers/main.yml b/roles/nginx-reverseproxy/handlers/main.yml
new file mode 100644
index 00000000..6dfcdd76
--- /dev/null
+++ b/roles/nginx-reverseproxy/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Reload nginx
+  systemd:
+    name: nginx
+    state: reloaded
diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml
new file mode 100644
index 00000000..3c95a8f7
--- /dev/null
+++ b/roles/nginx-reverseproxy/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+- name: Install NGINX
+  apt:
+    update_cache: true
+    name: nginx
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Copy reverse proxy sites
+  template:
+    src: "nginx/{{ item }}.j2"
+    dest: "/etc/nginx/sites-available/{{ item }}"
+  loop:
+    - reverseproxy
+    - reverseproxy_redirect_dname
+    - redirect
+  notify: Reload nginx
+
+- name: Activate sites
+  file:
+    src: "/etc/nginx/sites-available/{{ item }}"
+    dest: "/etc/nginx/sites-enabled/{{ item }}"
+    state: link
+  loop:
+    - reverseproxy
+    - reverseproxy_redirect_dname
+    - redirect
+  notify: Reload nginx
+
+- name: Copy 50x error page
+  template:
+    src: www/html/50x.html.j2
+    dest: /var/www/html/50x.html
+
+- name: Indicate role in motd
+  template:
+    src: update-motd.d/05-service.j2
+    dest: /etc/update-motd.d/05-nginx
+    mode: 0755
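Review bot: All three nginx templates `include "/etc/letsencrypt/options-ssl-nginx.conf"`, but nothing in this role, or in the certbot role as shown, creates that file, so `nginx -t` fails and the `Reload nginx` handler errors on a fresh host; ship the snippet from the role or add a task that provides it before the sites are templated. The site templates are written without an explicit `mode`, and the motd task uses an unquoted octal `mode: 0755`; `mode: "0644"` / `mode: "0755"` avoid the YAML octal ambiguity. Debian's `sites-enabled/default` is presumably still enabled after this role, so it keeps answering as the default vhost on port 80 for names not listed here.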
diff --git a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 b/roles/nginx-reverseproxy/templates/nginx/redirect.j2
new file mode 100644
index 00000000..fb177b9a
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/nginx/redirect.j2
@@ -0,0 +1,83 @@
+{{ ansible_header | comment }}
+
+{% for site in nginx.redirect_sites %}
+# Redirect http://{{ site.from }} to http://{{ site.to }}
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ site.from }};
+
+    location / {
+        return 302 http://{{ site.to }}$request_uri;
+    }
+}
+
+# Redirect https://{{ site.from }} to https://{{ site.to }}
+server {
+    listen 443;
+    listen [::]:443;
+
+    server_name {{ site.from }};
+
+    ssl on;
+    ssl_certificate {{ nginx.ssl.cert }};
+    ssl_certificate_key {{ nginx.ssl.cert_key }};
+
+    # SSL ciphers updated by Debian
+    include "/etc/letsencrypt/options-ssl-nginx.conf";
+
+    # Enable OCSP Stapling, point to certificate chain
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
+    location / {
+        return 302 https://{{ site.to }}$request_uri;
+    }
+}
+
+{% endfor %}
+
+{# Also redirect for DNAMEs #}
+{% for dname in nginx.redirect_dnames %}
+{% for site in nginx.redirect_sites %}
+{% set from = site.from | regex_replace('crans.org', dname) %}
+# Redirect http://{{ from }} to http://{{ site.to }}
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ from }};
+
+    location / {
+        return 302 http://{{ site.to }}$request_uri;
+    }
+}
+
+# Redirect https://{{ from }} to https://{{ site.to }}
+server {
+    listen 443;
+    listen [::]:443;
+
+    server_name {{ from }};
+
+    ssl on;
+    ssl_certificate {{ nginx.ssl.cert }};
+    ssl_certificate_key {{ nginx.ssl.cert_key }};
+
+    # SSL ciphers updated by Debian
+    include "/etc/letsencrypt/options-ssl-nginx.conf";
+
+    # Enable OCSP Stapling, point to certificate chain
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
+    location / {
+        return 302 https://{{ site.to }}$request_uri;
+    }
+}
+
+{% endfor %}
+{% endfor %}
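Review bot: `ssl on;` with a plain `listen 443;` is the deprecated form; `listen 443 ssl;` and `listen [::]:443 ssl;` are what current nginx expects. The DNAME loop re-renders the whole `server` pair for every `redirect_sites` entry even when `regex_replace('crans.org', dname)` changes nothing (the `ens-cachan.fr` entries), producing duplicate `server_name`s; guard the pair with `{% if from != site.from %}` … `{% endif %}`, and the same applies to `reverseproxy_redirect_dname.j2`. The http and https blocks are copied four times across these two files; a Jinja macro taking `(from, to)` would reduce each file to its loops. `regex_replace` also treats the `.` in `crans.org` as a wildcard; harmless with the current list, but `crans\.org` is what is meant.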
diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
new file mode 100644
index 00000000..eab44a49
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
@@ -0,0 +1,62 @@
+{{ ansible_header | comment }}
+
+{% for site in nginx.reverseproxy_sites %}
+# Redirect http://{{ site.from }} to https://{{ site.from }}
+server {
+    listen 80;
+    listen [::]:80
+
+    server_name {{ site.from }};
+
+    location / {
+        return 302 https://$host$request_uri;
+    }
+}
+
+# Reverse proxify https://{{ site.from }} to http://{{ site.to }}
+server {
+    listen 443;
+    listen [::]:443;
+
+    server_name {{ site.from }};
+
+    ssl on;
+    ssl_certificate {{ nginx.ssl.cert }};
+    ssl_certificate_key {{ nginx.ssl.cert_key }};
+
+    # SSL ciphers updated by Debian
+    include "/etc/letsencrypt/options-ssl-nginx.conf";
+
+    # Enable OCSP Stapling, point to certificate chain
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
+    # Log into separate log files
+    access_log      /var/log/nginx/{{ site.from }}.log;
+    error_log       /var/log/nginx/{{ site.from }}_error.log;
+
+    # Keep the TCP connection open a bit for faster browsing
+    keepalive_timeout 70;
+ 
+    # Custom error page
+    error_page  500 502 503 504  /50x.html;
+    location = /50x.html {
+        root /var/www/html;
+    }
+
+    set_real_ip_from 10.231.136.0/24;
+    set_real_ip_from 2a0c:700:0:2::/64;
+    real_ip_header P-Real-Ip;
+
+    location / {
+        proxy_set_header Host {{ site.from }};
+        proxy_set_header P-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_redirect off;
+        proxy_pass http://{{ site.to }};
+    }
+}
+
+{% endfor %}
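Review bot: `listen [::]:80` in the http block is missing its `;`, so nginx fails to parse the whole file and the reload handler errors; it should read `listen [::]:80;`. The `set_real_ip_from` / `real_ip_header P-Real-Ip` directives are placed on the proxy itself, where they make nginx replace `$remote_addr` with whatever `P-Real-Ip` header a client in 10.231.136.0/24 or 2a0c:700:0:2::/64 sends; that rewritten address is then forwarded as `P-Real-IP` and `X-Forwarded-For` and written to the access log, so a host in those ranges can make a backend see an arbitrary client address. Those directives belong in the backends' configuration, trusting only the proxies' addresses; on this side the proxy should just set the headers from the real `$remote_addr`. As in `redirect.j2`, `ssl on;` is deprecated in favour of `listen 443 ssl;`.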
diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
new file mode 100644
index 00000000..1affe511
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
@@ -0,0 +1,44 @@
+{{ ansible_header | comment }}
+
+{% for dname in nginx.redirect_dnames %}
+{% for site in nginx.reverseproxy_sites %}
+{% set from = site.from | regex_replace('crans.org', dname) %}
+{% set to = site.from %}
+# Redirect http://{{ from }} to http://{{ to }}
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ from }};
+
+    location / {
+        return 302 http://{{ to }}$request_uri;
+    }
+}
+
+# Redirect https://{{ from }} to https://{{ to }}
+server {
+    listen 443;
+    listen [::]:443;
+
+    server_name {{ from }};
+
+    ssl on;
+    ssl_certificate {{ nginx.ssl.cert }};
+    ssl_certificate_key {{ nginx.ssl.cert_key }};
+
+    # SSL ciphers updated by Debian
+    include "/etc/letsencrypt/options-ssl-nginx.conf";
+
+    # Enable OCSP Stapling, point to certificate chain
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
+    location / {
+        return 302 https://{{ to }}$request_uri;
+    }
+}
+
+{% endfor %}
+{% endfor %}
diff --git a/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 b/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2
new file mode 100755
index 00000000..82373d0b
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2
@@ -0,0 +1,3 @@
+#!/usr/bin/tail +14
+{{ ansible_header | comment }}
+> NGINX a été déployé sur cette machine. Voir /etc/nginx/.
diff --git a/roles/nginx-reverseproxy/templates/www/html/50x.html.j2 b/roles/nginx-reverseproxy/templates/www/html/50x.html.j2
new file mode 100644
index 00000000..b4bde1f9
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/www/html/50x.html.j2
@@ -0,0 +1,63 @@
+<!doctype html>
+<html lang="fr">
+<head>
+    <meta charset="utf-8">
+    <title>502</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <style>
+        * {
+            line-height: 1.2;
+            margin: 0;
+        }
+
+        html {
+            color: #888;
+            display: table;
+            font-family: sans-serif;
+            height: 100%;
+            text-align: center;
+            width: 100%;
+        }
+
+        body {
+            display: table-cell;
+            vertical-align: middle;
+            margin: 2em auto;
+        }
+
+	a {
+	    color: #888;
+            text-decoration: underline dotted;
+	}
+
+        h1 {
+            color: #555;
+            font-size: 2em;
+            font-weight: 400;
+        }
+
+        p {
+            margin: 1em auto;
+            max-width: 480px;
+        }
+
+        @media only screen and (max-width: 280px) {
+            body, p {
+                width: 95%;
+            }
+
+            h1 {
+                font-size: 1.5em;
+                margin: 0 0 0.3em;
+            }
+        }
+    </style>
+</head>
+<body>
+    <h1>502</h1>
+    <p>Whoops, le service prend trop de temps à répondre…</p>
+    <p>Essayez de rafraîchir la page. Si le problème persiste, pensez
+    à contacter <a href="mailto:contact@crans.org">l'équipe technique du Cr@ns</a>.</p>
+</body>
+</html>
+
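Review bot: The page is served by `error_page 500 502 503 504 /50x.html` in `reverseproxy.j2`, but its `<title>` and `<h1>` hardcode `502` and the text describes a timeout, so a 500 or 503 from a backend shows the wrong status to the user. Either keep the page generic (`<h1>Erreur du service</h1>`) or point each status at its own page. The `a { … }` rule is indented with tabs while the rest of the stylesheet uses spaces.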

From 3d80f716468ebdbbb8631092b1666626f2a8a716 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sat, 2 May 2020 10:39:45 +0200
Subject: [PATCH 36/56] Fix yaml syntax

---
 base.yml                        | 4 ++--
 interfaces.yml                  | 2 +-
 network.yml                     | 2 +-
 roles/postfix/handlers/main.yml | 1 +
 upgrade.yml                     | 2 +-
 5 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/base.yml b/base.yml
index 5bf6a4e7..1f3d6506 100755
--- a/base.yml
+++ b/base.yml
@@ -6,8 +6,8 @@
     - name: Register adm interface in adm_iface variable
       shell: set -o pipefail && grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
       register: adm_iface
-      check_mode: no
-      changed_when: True
+      check_mode: false
+      changed_when: true
       args:
         executable: /bin/bash
 
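Review bot: `changed_when: true` keeps the task reporting "changed" on every run even though the `shell` only greps `/sys` and registers its output, so every play against `server` shows a spurious change and any handler notified by it would always fire. `changed_when: false` is the value for a read-only fact-gathering command; `check_mode: false` is right since the variable is needed in check mode too. The enclosing play starts before the hunk.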
diff --git a/interfaces.yml b/interfaces.yml
index 5c7107a7..bce7ced2 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -4,7 +4,7 @@
 - hosts: server
   tasks:
     - shell: "grep {{ item }} /sys/class/net/*/ifalias | sed \"s|/sys/class/net/||\" | sed \"s|/ifalias:.*||\""
-      check_mode: no
+      check_mode: false
       register: ifaces
       loop:
         - srv
diff --git a/network.yml b/network.yml
index daf70236..fdc49662 100755
--- a/network.yml
+++ b/network.yml
@@ -65,7 +65,7 @@
         cert: /etc/letsencrypt/live/crans.org/fullchain.pem
         cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
         trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
- 
+
       redirect_dnames:
         - crans.eu
         - crans.fr
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml
index 49094649..8fa449d5 100644
--- a/roles/postfix/handlers/main.yml
+++ b/roles/postfix/handlers/main.yml
@@ -1,3 +1,4 @@
+---
 - name: generate postmaps
   command: /usr/sbin/postmap {{ item }}
   loop:
diff --git a/upgrade.yml b/upgrade.yml
index 27798c15..194f0137 100755
--- a/upgrade.yml
+++ b/upgrade.yml
@@ -21,7 +21,7 @@
 
 - hosts: owncloud-srv.adm.crans.org
   become_user: www-data
-  become: yes
+  become: true
   vars:
     # Owncloud command line interface
     occ_bin: '/var/www/owncloud/occ'

From 0a50480ad7b1479bd3004af20aae7f0be6da6ec7 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sat, 2 May 2020 13:03:29 +0200
Subject: [PATCH 37/56] Minor fixes on reverse proxy

---
 network.yml                                            |  3 +--
 roles/certbot/tasks/main.yml                           |  5 +++++
 roles/nginx-reverseproxy/tasks/main.yml                | 10 +++++++++-
 roles/nginx-reverseproxy/templates/nginx/redirect.j2   |  2 ++
 .../nginx-reverseproxy/templates/nginx/reverseproxy.j2 |  2 +-
 .../templates/nginx/reverseproxy_redirect_dname.j2     |  2 ++
 6 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/network.yml b/network.yml
index fdc49662..2bde72ff 100755
--- a/network.yml
+++ b/network.yml
@@ -50,7 +50,7 @@
     - bind-authoritative
 
 # Deploy reverse proxy
-- hosts: bakdaur.adm.crans.org
+- hosts: bakdaur.adm.crans.org,sputnik.adm.crans.org
   vars:
     certbot:
       dns_rfc2136_name: certbot_challenge.
@@ -93,7 +93,6 @@
         - {from: www.crans.org, to: 10.231.136.46}
         - {from: doc.crans.org, to: 10.231.136.46}
         - {from: limesurvey.crans.org, to: 10.231.136.253}
-        - {from: lutim.crans.org, to: 10.231.136.69}
         - {from: perso.crans.org, to: 10.231.136.1}
         - {from: webnews.crans.org, to: 10.231.136.63}
         - {from: re2o.crans.org, to: 10.231.136.9}
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index b32845cc..2e9c8b26 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -22,6 +22,11 @@
     mode: 0600
     owner: root
 
+- name: Create /etc/letsencrypt/conf.d
+  file:
+    path: /etc/letsencrypt/conf.d
+    state: directory
+
 - name: Add Certbot configuration
   template:
     src: "letsencrypt/conf.d/certname.ini.j2"
diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml
index 3c95a8f7..1fee6a3c 100644
--- a/roles/nginx-reverseproxy/tasks/main.yml
+++ b/roles/nginx-reverseproxy/tasks/main.yml
@@ -2,11 +2,19 @@
 - name: Install NGINX
   apt:
     update_cache: true
-    name: nginx
+    name:
+      - nginx
+      - python3-certbot-nginx  # for options-ssl-nginx.conf
   register: apt_result
   retries: 3
   until: apt_result is succeeded
 
+- name: Copy certbot SSL snippet
+  copy:
+    remote_src: true
+    src: /usr/lib/python3/dist-packages/certbot_nginx/options-ssl-nginx.conf
+    dest: /etc/letsencrypt/options-ssl-nginx.conf
+
 - name: Copy reverse proxy sites
   template:
     src: "nginx/{{ item }}.j2"
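Review bot: The `Copy certbot SSL snippet` task has no `notify: Reload nginx`, so an updated cipher list in the snippet is written but not applied until something else reloads nginx; add `notify: Reload nginx` to it. The source path `/usr/lib/python3/dist-packages/certbot_nginx/options-ssl-nginx.conf` is an implementation detail of the Debian package layout and moves with the Python version, and installing `python3-certbot-nginx` for that one file pulls in a plugin able to rewrite the nginx configuration; shipping the snippet as a role file (`copy: src: options-ssl-nginx.conf`) drops both the extra package and the fragile path. The task list continues outside the hunk.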
diff --git a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 b/roles/nginx-reverseproxy/templates/nginx/redirect.j2
index fb177b9a..4d60807e 100644
--- a/roles/nginx-reverseproxy/templates/nginx/redirect.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/redirect.j2
@@ -43,6 +43,7 @@ server {
 {% for dname in nginx.redirect_dnames %}
 {% for site in nginx.redirect_sites %}
 {% set from = site.from | regex_replace('crans.org', dname) %}
+{% if from != site.from %}
 # Redirect http://{{ from }} to http://{{ site.to }}
 server {
     listen 80;
@@ -79,5 +80,6 @@ server {
     }
 }
 
+{% endif %}
 {% endfor %}
 {% endfor %}
diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
index eab44a49..31c34462 100644
--- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
@@ -4,7 +4,7 @@
 # Redirect http://{{ site.from }} to https://{{ site.from }}
 server {
     listen 80;
-    listen [::]:80
+    listen [::]:80;
 
     server_name {{ site.from }};
 
diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
index 1affe511..8fc57808 100644
--- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
@@ -4,6 +4,7 @@
 {% for site in nginx.reverseproxy_sites %}
 {% set from = site.from | regex_replace('crans.org', dname) %}
 {% set to = site.from %}
+{% if from != site.from %}
 # Redirect http://{{ from }} to http://{{ to }}
 server {
     listen 80;
@@ -40,5 +41,6 @@ server {
     }
 }
 
+{% endif %}
 {% endfor %}
 {% endfor %}

From 6b8c84257f87f7029ce6740a0091d6e0ab5fa215 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sat, 2 May 2020 13:05:16 +0200
Subject: [PATCH 38/56] =?UTF-8?q?j'ai=20d=C3=A9t=C3=A9r=C3=A9=20frontdaur?=
 =?UTF-8?q?=20mami!?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 network.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/network.yml b/network.yml
index 2bde72ff..a6ec7a1c 100755
--- a/network.yml
+++ b/network.yml
@@ -50,7 +50,7 @@
     - bind-authoritative
 
 # Deploy reverse proxy
-- hosts: bakdaur.adm.crans.org,sputnik.adm.crans.org
+- hosts: bakdaur.adm.crans.org,frontdaur.adm.crans.org
   vars:
     certbot:
       dns_rfc2136_name: certbot_challenge.

From 22c22a3cb094f5e614f5988c679e4041a4f79fb2 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Sat, 2 May 2020 13:19:16 +0200
Subject: [PATCH 39/56] [keepalived] Don't hardcode proxies adm interface

---
 roles/keepalived/templates/keepalived/keepalived.conf.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/keepalived/templates/keepalived/keepalived.conf.j2 b/roles/keepalived/templates/keepalived/keepalived.conf.j2
index 219d6b4f..9237116f 100644
--- a/roles/keepalived/templates/keepalived/keepalived.conf.j2
+++ b/roles/keepalived/templates/keepalived/keepalived.conf.j2
@@ -20,7 +20,7 @@ vrrp_instance VI_DAUR4 {
   priority 100
 {% endif %}
 
-  interface eth1
+  interface {{ keepalived.if_adm }}
   virtual_router_id 51
   advert_int 2
   authentication {
@@ -46,7 +46,7 @@ vrrp_instance VI_DAUR6 {
   priority 100
 {% endif %}
 
-  interface eth1
+  interface {{ keepalived.if_adm }}
   virtual_router_id 51
   advert_int 2
   authentication {

From 341d4a1768cda2627a799a86921d2475638c4629 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sat, 2 May 2020 13:29:07 +0200
Subject: [PATCH 40/56] =?UTF-8?q?Il=20=C3=A9tait=20une=20fois,=20dans=20un?=
 =?UTF-8?q?=20virtu=20tr=C3=A8s=20tr=C3=A8s=20lointain?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 hosts          | 2 +-
 interfaces.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/hosts b/hosts
index 32248d9f..6b4c2755 100644
--- a/hosts
+++ b/hosts
@@ -34,7 +34,7 @@ cas-srv.adm.crans.org
 dhcp.adm.crans.org
 eap.adm.crans.org
 ethercalc-srv.adm.crans.org
-#frontdaur.adm.crans.org
+frontdaur.adm.crans.org
 gitzly.adm.crans.org
 horde-srv.adm.crans.org
 ipv6-zayo.adm.crans.org
diff --git a/interfaces.yml b/interfaces.yml
index bce7ced2..b32a9d03 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -14,7 +14,7 @@
         - switch
         - fil
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org,frontdaur.adm.crans.org
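Review bot: The `hosts:` line is now a twelve-entry comma-separated list that has to be edited by hand every time a server joins (the later "Ansible on bakdaur" commit appends to it again), which is how hosts get forgotten. An inventory group referenced as `hosts: vlan_servers` (name constructed), with the VLAN definitions in `group_vars`, keeps the play stable and makes membership greppable. This is a style point; the play body is unchanged.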
   vars:
     vlan:
       - name: srv

From e3bd8fcdabb638683417be2154abe24646109c0e Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Sat, 2 May 2020 14:17:00 +0200
Subject: [PATCH 41/56] [keepalived] Deploy keepalived on frontdaur

---
 re2o-api.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/re2o-api.yml b/re2o-api.yml
index 0952348c..da0938f9 100755
--- a/re2o-api.yml
+++ b/re2o-api.yml
@@ -88,3 +88,20 @@
       router_broadcast_wifinewserveurs: 10.53.0.255
   roles:
     - keepalived
+
+# Deploy keepalived on frontdaur
+- hosts: frontdaur.adm.crans.org
+  vars:
+    keepalived:
+      radius: false
+      router: false
+      proxy: true
+      proxy_primary: false
+      proxy_password: "{{ vault_keepalived_proxy_password }}"
+      if_adm: eth1
+      if_srv: eth0
+      proxy_ipv4_srv: 185.230.79.194
+      proxy_broadcast_srv: 185.230.79.255
+      proxy_ipv6_srv: 2a0c:700:0:24:ba:ccff:feda:aa00
+  roles:
+    - keepalived
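Review bot: The variable names added for frontdaur do not match what the keepalived template reads: the play defines `proxy_ipv4_srv`/`proxy_ipv6_srv`/`proxy_broadcast_srv`, while the template's unchanged lines (visible as the old side of the later "Some changes in keepalived template" commit) use `{{ keepalived.proxy_ipv4 }}` and `{{ keepalived.proxy_ipv6 }}` and hard-code `brd 138.231.143.255 dev eth0`, so templating fails on an undefined variable, or renders an empty address if undefined errors are disabled. Either rename the keys here to `proxy_ipv4: 185.230.79.194` / `proxy_ipv6: 2a0c:700:0:24:ba:ccff:feda:aa00` or change the template in the same commit, and make the template consume the broadcast and `if_srv` values rather than the hard-coded ones. The enclosing play list continues above the hunk.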

From a96a0cfce4080b7dbe9b7d5a966cb8a90df1d5b2 Mon Sep 17 00:00:00 2001
From: pa <pa@crans.org>
Date: Sat, 2 May 2020 15:43:26 +0200
Subject: [PATCH 42/56] [Framadate] log file creation

---
 roles/framadate/tasks/main.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml
index 02c698e7..1452702c 100644
--- a/roles/framadate/tasks/main.yml
+++ b/roles/framadate/tasks/main.yml
@@ -37,9 +37,12 @@
   retries: 3
   until: composer_result is succeeded
 
-# cd framadate
-# sudo -u www-data touch admin/stdout.log
-# sudo chmod 600 admin/stdout.log
+- name:
+  file:
+    path: "{{ framadate.path }}/admin/stdout.log"
+    owner: www-data
+    state: touch
+    mode: 0600
 
 - name: Indicate role in motd
   template:
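Review bot: The new `file` task has an empty `name:` and an unquoted octal `mode: 0600`; quote the mode as a string, `mode: "0600"`, so the value does not depend on the YAML loader's leading-zero handling (ansible-lint reports this as risky-octal), and name the task, e.g. `- name: Create framadate log file`. Consider also setting `group: www-data` explicitly, since `owner` alone leaves the group to whatever the touch inherits. The shell commands this replaces were comments, so nothing was previously enforcing the file's existence.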

From b51d53fe35a329dea6d8e87f0cf225f070f7b0a6 Mon Sep 17 00:00:00 2001
From: pa <pa@crans.org>
Date: Sat, 2 May 2020 15:56:27 +0200
Subject: [PATCH 43/56] [Framadate] Specify commit hash of develop branch

---
 services_web.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services_web.yml b/services_web.yml
index 17515e3f..283f4482 100755
--- a/services_web.yml
+++ b/services_web.yml
@@ -9,7 +9,7 @@
   vars:
     framadate:
       repo: https://framagit.org/framasoft/framadate/framadate.git
-      version: 1.1.10
+      version: "77bf2aaa0c344fd25535e2d0543d9a76bf35b5fd"
       path: /var/www/framadate
   roles:
     - framadate

From bc932b06171d1e34d63bfe0720d85a3e1c5e4523 Mon Sep 17 00:00:00 2001
From: pa <pa@crans.org>
Date: Sat, 2 May 2020 16:47:28 +0200
Subject: [PATCH 44/56] [Framdate] nginx configuration

---
 roles/framadate/tasks/main.yml | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml
index 1452702c..80de2318 100644
--- a/roles/framadate/tasks/main.yml
+++ b/roles/framadate/tasks/main.yml
@@ -4,8 +4,8 @@
   apt:
     update_cache: true
     name:
-      - apache2
-      - libapache2-mod-php
+      - nginx
+      - php-fpm
       - php-intl
       - php-mbstring
       - php-pgsql
@@ -37,15 +37,27 @@
   retries: 3
   until: composer_result is succeeded
 
-- name:
+- name: Create log file
   file:
     path: "{{ framadate.path }}/admin/stdout.log"
     owner: www-data
     state: touch
     mode: 0600
 
+- name: Configure nginx site
+  template:
+    src: nginx-site.j2
+    dest: /etc/nginx/sites-available/framadate.conf
+
+- name: Enable nginx site
+  file:
+    src: /etc/nginx/sites-available/framadate.conf
+    dest: /etc/nginx/stes-enabled/framadate.conf
+    state: link
+
 - name: Indicate role in motd
   template:
     src: update-motd.d/05-service.j2
     dest: /etc/update-motd.d/05-framadate
     mode: 0755
+
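Review bot: `dest: /etc/nginx/stes-enabled/framadate.conf` in "Enable nginx site" is a typo for `sites-enabled`, so the symlink lands in a directory nginx never reads (or the task fails if `stes-enabled` does not exist) and the site is never served. Neither this task nor "Configure nginx site" notifies a handler, so nginx is not reloaded after the site file changes; add `notify: Reload nginx` to both with a matching handler in the role. The first hunk of this commit swaps `apache2` for `nginx`/`php-fpm` without removing apache2, which on a host that already had it installed keeps port 80 bound and prevents nginx from starting; a `state: absent` task for the old packages would address that. The hunk also adds a trailing blank line at end of file.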

From 86d17dedfaca8184f435688c3fe6b3a143a421de Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sat, 2 May 2020 16:54:42 +0200
Subject: [PATCH 45/56] [framadate] NGINX config

---
 roles/framadate/tasks/main.yml          |  6 +--
 roles/framadate/templates/nginx-site.j2 | 60 +++++++++++++++++++++++++
 2 files changed, 63 insertions(+), 3 deletions(-)
 create mode 100644 roles/framadate/templates/nginx-site.j2

diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml
index 80de2318..507b86e2 100644
--- a/roles/framadate/tasks/main.yml
+++ b/roles/framadate/tasks/main.yml
@@ -47,12 +47,12 @@
 - name: Configure nginx site
   template:
     src: nginx-site.j2
-    dest: /etc/nginx/sites-available/framadate.conf
+    dest: /etc/nginx/sites-available/framadate
 
 - name: Enable nginx site
   file:
-    src: /etc/nginx/sites-available/framadate.conf
-    dest: /etc/nginx/stes-enabled/framadate.conf
+    src: /etc/nginx/sites-available/framadate
+    dest: /etc/nginx/sites-enabled/framadate
     state: link
 
 - name: Indicate role in motd
diff --git a/roles/framadate/templates/nginx-site.j2 b/roles/framadate/templates/nginx-site.j2
new file mode 100644
index 00000000..ef963c3e
--- /dev/null
+++ b/roles/framadate/templates/nginx-site.j2
@@ -0,0 +1,60 @@
+{{ ansible_header | comment }}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name framadate.crans.org;
+
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self'";
+    add_header Referrer-Policy "strict-origin";
+
+    root {{ framadate.path }};
+
+    index index.php;
+
+    location ~^/(\.git)/{
+        deny all;
+    }
+
+    location ~ /\. {
+        deny all;
+    }
+
+    location ~ ^/composer\.json.*$|^/composer\.lock.*$|^/php\.ini.*$|^/.*\.sh {
+        deny all;
+    }
+
+    location /admin/ {
+        auth_basic "Restricted access";
+        auth_basic_user_file /etc/nginx/.htpasswd;
+
+        location ~ \.php$ {
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            include /etc/nginx/fastcgi_params;
+            fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+        }
+        try_files $uri $uri/ =401; 
+    }
+
+    location / {
+        rewrite "^/admin$" "/admin/" permanent;
+
+        # Clean URL
+        rewrite "^/([a-zA-Z0-9-]+)$" "/studs.php?poll=$1" last;
+        rewrite "^/([a-zA-Z0-9-]+)/action/([a-zA-Z_-]+)/(.+)$" "/studs.php?poll=$1&$2=$3" last;
+        rewrite "^/([a-zA-Z0-9-]+)/vote/([a-zA-Z0-9]{16})$" "/studs.php?poll=$1&vote=$2" last;
+        rewrite "^/([a-zA-Z0-9]{24})/admin$" "/adminstuds.php?poll=$1" last;
+        rewrite "^/([a-zA-Z0-9]{24})/admin/vote/([a-zA-Z0-9]{16})$" "/adminstuds.php?poll=$1&vote=$2" last;
+        rewrite "^/([a-zA-Z0-9]{24})/admin/action/([a-zA-Z_-]+)(/([A-Za-z0-9]+))?$" "/adminstuds.php?poll=$1&$2=$4" last;
+        try_files $uri /index.php; 
+    }
+
+    location ~ \.php$ {
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+    }
+}
+
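Review bot: Both `location ~ \.php$` blocks hand any URI ending in `.php` to php-fpm without checking that the script exists; add `try_files $fastcgi_script_name =404;` before `fastcgi_pass` (or `include snippets/fastcgi-php.conf;`, which Debian ships for exactly this) so nonexistent or path-info-style requests are rejected by nginx instead of being resolved by FPM. The socket path `unix:/run/php/php7.3-fpm.sock` pins the PHP version and will silently break on the next Debian release; a role variable for the version would keep the template portable. `try_files $uri $uri/ =401; ` and `try_files $uri /index.php; ` carry trailing whitespace. The CSP grants `'unsafe-inline' 'unsafe-eval'` to scripts, which deserves a comment saying which part of Framadate requires it so it can be tightened later.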

From c8504973a86fa147f21c7e0a1e2a4c7a3d1afcd3 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sat, 2 May 2020 18:00:09 +0200
Subject: [PATCH 46/56] Working FramaDate

---
 network.yml                    | 1 +
 roles/framadate/tasks/main.yml | 5 +++++
 services_web.yml               | 2 ++
 3 files changed, 8 insertions(+)

diff --git a/network.yml b/network.yml
index a6ec7a1c..16865b78 100755
--- a/network.yml
+++ b/network.yml
@@ -100,6 +100,7 @@
         - {from: autoconfig.crans.org, to: 10.231.136.46}
         - {from: grafana.crans.org, to: 10.231.136.102}
         - {from: webirc.crans.org, to: "10.231.136.1:9000"}
+        - {from: framadate.crans.org, to: 185.230.79.194}
 
         # Zamok
         - {from: install-party.crans.org, to: 10.231.136.1}
diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml
index 507b86e2..4c39e3d5 100644
--- a/roles/framadate/tasks/main.yml
+++ b/roles/framadate/tasks/main.yml
@@ -44,6 +44,11 @@
     state: touch
     mode: 0600
 
+- name: Configure admin password
+  copy:
+    content: "{{ framadate.admin_username }}:{{ framadate.admin_password_hash }}\n"
+    dest: /etc/nginx/.htpasswd
+
 - name: Configure nginx site
   template:
     src: nginx-site.j2
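Review bot: The `.htpasswd` written by "Configure admin password" holds a password hash but the `copy` task sets no `owner`, `group` or `mode`, so the file is created with the default, typically world-readable, permissions. Add `owner: root`, `group: www-data` and `mode: "0640"` so only nginx's worker user can read it, and `no_log: true` so the hash does not appear in verbose run output. The values come from `framadate.admin_username` / `framadate.admin_password_hash`, which the services_web.yml hunk sources from the vault, so the secret itself is handled correctly.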
diff --git a/services_web.yml b/services_web.yml
index 283f4482..4c6f7d78 100755
--- a/services_web.yml
+++ b/services_web.yml
@@ -11,6 +11,8 @@
       repo: https://framagit.org/framasoft/framadate/framadate.git
       version: "77bf2aaa0c344fd25535e2d0543d9a76bf35b5fd"
       path: /var/www/framadate
+      admin_username: framadate
+      admin_password_hash: "{{ vault_framadate_password_hash }}"
   roles:
     - framadate
 

From b3619d05f4cd21df7d48e897275c8cad450fd652 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sun, 3 May 2020 10:03:12 +0200
Subject: [PATCH 47/56] Some changes in keepalived template

---
 re2o-api.yml                                  | 17 +++++---------
 roles/keepalived/tasks/main.yml               |  3 +--
 .../templates/keepalived/keepalived.conf.j2   | 22 +++++++++----------
 3 files changed, 17 insertions(+), 25 deletions(-)

diff --git a/re2o-api.yml b/re2o-api.yml
index da0938f9..2d04db0f 100755
--- a/re2o-api.yml
+++ b/re2o-api.yml
@@ -11,7 +11,6 @@
       router: true
       router_password: "{{ vault_keepalived_router_password }}"
       router_primary: false
-      proxy: false
       if_serveurs: eth0.1
       if_adm: eth0.2
       if_bornes: eth0.3
@@ -55,11 +54,9 @@
 - hosts: gulp.adm.crans.org
   vars:
     keepalived:
-      radius: false
       router: true
       router_password: "{{ vault_keepalived_router_password }}"
       router_primary: true
-      proxy: false
       if_serveurs: eno1.1
       if_adm: eno1.2
       if_bornes: eno1.3
@@ -93,15 +90,13 @@
 - hosts: frontdaur.adm.crans.org
   vars:
     keepalived:
-      radius: false
-      router: false
-      proxy: true
-      proxy_primary: false
-      proxy_password: "{{ vault_keepalived_proxy_password }}"
+      proxy:
+        primary: false
+        password: "{{ vault_keepalived_proxy_password }}"
+        ipv4: 185.230.79.194
+        ipv6: 2a0c:700:0:24:ba:ccff:feda:aa00
+        broadcast: 185.230.79.255
       if_adm: eth1
       if_srv: eth0
-      proxy_ipv4_srv: 185.230.79.194
-      proxy_broadcast_srv: 185.230.79.255
-      proxy_ipv6_srv: 2a0c:700:0:24:ba:ccff:feda:aa00
   roles:
     - keepalived
diff --git a/roles/keepalived/tasks/main.yml b/roles/keepalived/tasks/main.yml
index e0678e1e..7efe258f 100644
--- a/roles/keepalived/tasks/main.yml
+++ b/roles/keepalived/tasks/main.yml
@@ -2,8 +2,7 @@
 - name: Install keepalived
   apt:
     update_cache: true
-    name:
-      - keepalived
+    name: keepalived
   register: apt_result
   retries: 3
   until: apt_result is succeeded
diff --git a/roles/keepalived/templates/keepalived/keepalived.conf.j2 b/roles/keepalived/templates/keepalived/keepalived.conf.j2
index 9237116f..e488e71c 100644
--- a/roles/keepalived/templates/keepalived/keepalived.conf.j2
+++ b/roles/keepalived/templates/keepalived/keepalived.conf.j2
@@ -8,11 +8,11 @@ global_defs {
   smtp_server smtp.adm.crans.org
 }
 
-{% if keepalived.proxy %}
+{% if keepalived.proxy is defined %}
 vrrp_instance VI_DAUR4 {
   # We don't own the IP address, which allows manual triggering of IP change when machine comes UP
   # see man keepalived.conf.
-{% if keepalived.proxy_primary %}
+{% if keepalived.proxy.primary %}
   state MASTER
   priority 150
 {% else %}
@@ -25,20 +25,18 @@ vrrp_instance VI_DAUR4 {
   advert_int 2
   authentication {
     auth_type PASS
-    auth_pass {{ keepalived.proxy_password }}
+    auth_pass {{ keepalived.proxy.password }}
   }
 
   virtual_ipaddress {
-        {{ keepalived.proxy_ipv4 }}/32 brd 138.231.143.255 dev eth0 scope global
+    {{ keepalived.proxy.ipv4 }}/32 brd {{ keepalived.proxy.broadcast }} dev {{ keepalived.if_srv }} scope global
   }
 }
-{% endif %}
 
-{% if keepalived.proxy %}
 vrrp_instance VI_DAUR6 {
   # We don't own the IP address, which allows manual triggering of IP change when machine comes UP
   # see man keepalived.conf.
-{% if keepalived.proxy_primary %}
+{% if keepalived.proxy.primary %}
   state MASTER
   priority 150
 {% else %}
@@ -51,16 +49,16 @@ vrrp_instance VI_DAUR6 {
   advert_int 2
   authentication {
     auth_type PASS
-    auth_pass {{ keepalived.proxy_password }}
+    auth_pass {{ keepalived.proxy.password }}
   }
 
   virtual_ipaddress {
-        {{ keepalived.proxy_ipv6 }}/64 dev eth0 scope global
+    {{ keepalived.proxy.ipv6 }}/64 dev {{ keepalived.if_srv }} scope global
   }
 }
 {% endif %}
 
-{% if keepalived.radius %}
+{% if keepalived.radius is defined %}
 vrrp_instance VI_RAD4 {
   # We don't own the IP address, which allows manual triggering of IP change when machine comes UP
   # see man keepalived.conf.
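Review bot: Switching the guards to `is defined` changes the meaning for boolean-valued keys: `router` is still written as `router: true` in re2o-api.yml (this commit's first hunk), so a host that sets `router: false` to opt out would now render VI_ROUT; the same applies to the `radius` guards here and at the VI_RAD6 and VI_ROUT hunks below. Since `proxy` has become a mapping, either turn `radius` and `router` into mappings as well, or test presence and value together, `{% if keepalived.router is defined and keepalived.router %}`. Each guarded block's `{% endif %}` is outside this hunk.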
@@ -90,7 +88,7 @@ vrrp_instance VI_RAD4 {
 }
 {% endif %}
 
-{% if keepalived.radius %}
+{% if keepalived.radius is defined %}
 vrrp_instance VI_RAD6 {
   # We don't own the IP address, which allows manual triggering of IP change when machine comes UP
   # see man keepalived.conf.
@@ -120,7 +118,7 @@ vrrp_instance VI_RAD6 {
 }
 {% endif %}
 
-{% if keepalived.router %}
+{% if keepalived.router is defined %}
 vrrp_instance VI_ROUT {
   # We don't own the IP address, which allows manual triggering of IP change when machine comes UP
   # see man keepalived.conf.

From ce54ee81969eae3ddfaa3a263f7a5a46eafe8fe0 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sun, 3 May 2020 10:47:29 +0200
Subject: [PATCH 48/56] Ansible on bakdaur

---
 clean_servers.yml |  2 ++
 interfaces.yml    |  2 +-
 re2o-api.yml      | 15 +++++++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/clean_servers.yml b/clean_servers.yml
index e6198e87..0f68d4cc 100755
--- a/clean_servers.yml
+++ b/clean_servers.yml
@@ -45,6 +45,8 @@
           - acpid
           - xscreensaver  # was on owncloud
           - openbsd-inetd
+          - byobu  # we already have screen and tmux
+          - ipython  # go use ipython3!
       register: apt_result
       retries: 3
       until: apt_result is succeeded
diff --git a/interfaces.yml b/interfaces.yml
index b32a9d03..04b2d828 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -14,7 +14,7 @@
         - switch
         - fil
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org,frontdaur.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org,frontdaur.adm.crans.org,bakdaur.adm.crans.org
   vars:
     vlan:
       - name: srv
diff --git a/re2o-api.yml b/re2o-api.yml
index 2d04db0f..0ce54882 100755
--- a/re2o-api.yml
+++ b/re2o-api.yml
@@ -100,3 +100,18 @@
       if_srv: eth0
   roles:
     - keepalived
+
+# Deploy keepalived on bakdaur
+- hosts: bakdaur.adm.crans.org
+  vars:
+    keepalived:
+      proxy:
+        primary: true
+        password: "{{ vault_keepalived_proxy_password }}"
+        ipv4: 185.230.79.194
+        ipv6: 2a0c:700:0:24:ba:ccff:feda:aa00
+        broadcast: 185.230.79.255
+      if_adm: eth0
+      if_srv: eth1
+  roles:
+    - keepalived
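Review bot: The `proxy:` block for bakdaur repeats the VIP addresses, broadcast and vaulted password that the frontdaur play just above already declares; only `primary` and the two interface names differ between the hosts. Moving the shared values into group variables for the two proxies and keeping only `primary`/`if_adm`/`if_srv` per host prevents the pair from drifting apart, which for a VRRP pair with mismatched passwords can leave both nodes claiming MASTER. This is a style point; the values here match the frontdaur play.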

From ef1c4f6fbf3d83ccde094d1255c9350b9f7fa3fd Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sun, 3 May 2020 11:01:28 +0200
Subject: [PATCH 49/56] Ouspi, framdate was using srv ip

---
 network.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/network.yml b/network.yml
index 16865b78..e007de0f 100755
--- a/network.yml
+++ b/network.yml
@@ -100,7 +100,7 @@
         - {from: autoconfig.crans.org, to: 10.231.136.46}
         - {from: grafana.crans.org, to: 10.231.136.102}
         - {from: webirc.crans.org, to: "10.231.136.1:9000"}
-        - {from: framadate.crans.org, to: 185.230.79.194}
+        - {from: framadate.crans.org, to: 10.231.136.153}
 
         # Zamok
         - {from: install-party.crans.org, to: 10.231.136.1}

From 7d1ecd19a487a7348b59408aaa5c7bc19350a700 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sun, 3 May 2020 12:51:16 +0200
Subject: [PATCH 50/56] SSL snippet and drop TLS 1.0 and 1.1

---
 roles/nginx-reverseproxy/tasks/main.yml       | 16 +++++----
 .../templates/letsencrypt/dhparam.j2          |  8 +++++
 .../nginx/{ => sites-available}/redirect.j2   | 34 +++++--------------
 .../{ => sites-available}/reverseproxy.j2     | 17 +++-------
 .../reverseproxy_redirect_dname.j2            | 17 +++-------
 .../nginx/snippets/options-ssl.conf.j2        | 17 ++++++++++
 6 files changed, 51 insertions(+), 58 deletions(-)
 create mode 100644 roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2
 rename roles/nginx-reverseproxy/templates/nginx/{ => sites-available}/redirect.j2 (58%)
 rename roles/nginx-reverseproxy/templates/nginx/{ => sites-available}/reverseproxy.j2 (75%)
 rename roles/nginx-reverseproxy/templates/nginx/{ => sites-available}/reverseproxy_redirect_dname.j2 (61%)
 create mode 100644 roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2

diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml
index 1fee6a3c..55af7c18 100644
--- a/roles/nginx-reverseproxy/tasks/main.yml
+++ b/roles/nginx-reverseproxy/tasks/main.yml
@@ -9,15 +9,19 @@
   retries: 3
   until: apt_result is succeeded
 
-- name: Copy certbot SSL snippet
-  copy:
-    remote_src: true
-    src: /usr/lib/python3/dist-packages/certbot_nginx/options-ssl-nginx.conf
-    dest: /etc/letsencrypt/options-ssl-nginx.conf
+- name: Copy snippets
+  template:
+    src: nginx/snippets/options-ssl.conf.j2
+    dest: /etc/nginx/snippets/options-ssl.conf
+
+- name: Copy dhparam
+  template:
+    src: letsencrypt/dhparam.j2
+    dest: /etc/letsencrypt/dhparam
 
 - name: Copy reverse proxy sites
   template:
-    src: "nginx/{{ item }}.j2"
+    src: "nginx/sites-available/{{ item }}.j2"
     dest: "/etc/nginx/sites-available/{{ item }}"
   loop:
     - reverseproxy
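Review bot: "Copy snippets" and "Copy dhparam" render TLS-relevant files without a `notify`, so a changed cipher list or DH group only takes effect at the next manual reload; add `notify: Reload nginx` to both, and to "Copy reverse proxy sites" whose body continues outside the hunk, with a matching handler. None of the three templates sets `mode:`; `mode: "0644"` makes the intent explicit rather than umask-dependent.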
diff --git a/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 b/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2
new file mode 100644
index 00000000..9b182b72
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
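Review bot: The parameters appear to be the RFC 7919 ffdhe2048 group, but nothing in the file says so, and a reviewer cannot distinguish a published group from locally generated parameters by eye. PEM readers ignore text before the `-----BEGIN` line, so this template can carry the same `{{ ansible_header | comment }}` as the others plus a line such as `# RFC 7919 ffdhe2048 group: public, standard parameters, not a secret`. Using a named group is the right choice for nginx here; the comment just makes that decision auditable.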
diff --git a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2
similarity index 58%
rename from roles/nginx-reverseproxy/templates/nginx/redirect.j2
rename to roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2
index 4d60807e..9cdb545b 100644
--- a/roles/nginx-reverseproxy/templates/nginx/redirect.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2
@@ -15,22 +15,13 @@ server {
 
 # Redirect https://{{ site.from }} to https://{{ site.to }}
 server {
-    listen 443;
-    listen [::]:443;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
 
     server_name {{ site.from }};
 
-    ssl on;
-    ssl_certificate {{ nginx.ssl.cert }};
-    ssl_certificate_key {{ nginx.ssl.cert_key }};
-
-    # SSL ciphers updated by Debian
-    include "/etc/letsencrypt/options-ssl-nginx.conf";
-
-    # Enable OCSP Stapling, point to certificate chain
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+    # SSL common conf
+    include "/etc/nginx/snippets/options-ssl.conf";
 
     location / {
         return 302 https://{{ site.to }}$request_uri;
@@ -58,22 +49,13 @@ server {
 
 # Redirect https://{{ from }} to https://{{ site.to }}
 server {
-    listen 443;
-    listen [::]:443;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
 
     server_name {{ from }};
 
-    ssl on;
-    ssl_certificate {{ nginx.ssl.cert }};
-    ssl_certificate_key {{ nginx.ssl.cert_key }};
-
-    # SSL ciphers updated by Debian
-    include "/etc/letsencrypt/options-ssl-nginx.conf";
-
-    # Enable OCSP Stapling, point to certificate chain
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+    # SSL common conf
+    include "/etc/nginx/snippets/options-ssl.conf";
 
     location / {
         return 302 https://{{ site.to }}$request_uri;
diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
similarity index 75%
rename from roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
rename to roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
index 31c34462..50ef7b2e 100644
--- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
@@ -15,22 +15,13 @@ server {
 
 # Reverse proxify https://{{ site.from }} to http://{{ site.to }}
 server {
-    listen 443;
-    listen [::]:443;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
 
     server_name {{ site.from }};
 
-    ssl on;
-    ssl_certificate {{ nginx.ssl.cert }};
-    ssl_certificate_key {{ nginx.ssl.cert_key }};
-
-    # SSL ciphers updated by Debian
-    include "/etc/letsencrypt/options-ssl-nginx.conf";
-
-    # Enable OCSP Stapling, point to certificate chain
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+    # SSL common conf
+    include "/etc/nginx/snippets/options-ssl.conf";
 
     # Log into separate log files
     access_log      /var/log/nginx/{{ site.from }}.log;
diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
similarity index 61%
rename from roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
rename to roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
index 8fc57808..db2084a4 100644
--- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
@@ -19,22 +19,13 @@ server {
 
 # Redirect https://{{ from }} to https://{{ to }}
 server {
-    listen 443;
-    listen [::]:443;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
 
     server_name {{ from }};
 
-    ssl on;
-    ssl_certificate {{ nginx.ssl.cert }};
-    ssl_certificate_key {{ nginx.ssl.cert_key }};
-
-    # SSL ciphers updated by Debian
-    include "/etc/letsencrypt/options-ssl-nginx.conf";
-
-    # Enable OCSP Stapling, point to certificate chain
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+    # SSL common conf
+    include "/etc/nginx/snippets/options-ssl.conf";
 
     location / {
         return 302 https://{{ to }}$request_uri;
diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
new file mode 100644
index 00000000..c585cc26
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
@@ -0,0 +1,17 @@
+{{ ansible_header | comment }}
+
+ssl_certificate {{ nginx.ssl.cert }};
+ssl_certificate_key {{ nginx.ssl.cert_key }};
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;  
+ssl_session_tickets off;
+ssl_dhparam /etc/letsencrypt/dhparam;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# Enable OCSP Stapling, point to certificate chain
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
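Review bot: `ssl_stapling on` needs a `resolver` directive to reach the OCSP responder; none is set in this snippet, so unless one is defined elsewhere in the http block nginx logs that no resolver is defined and stapling is silently skipped. Add a `resolver` line pointing at the site's own DNS (with a short `valid=`) next to the stapling directives, or drop stapling. `ssl_session_cache shared:MozSSL:10m;  ` carries trailing whitespace. This profile is also the natural place for `add_header Strict-Transport-Security "max-age=63072000" always;` once every vhost included by it is HTTPS-only.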

From e8b0d14a55eb6281c3b607541e13e6d96cae3955 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sun, 3 May 2020 14:19:00 +0200
Subject: [PATCH 51/56] Grafana on :3000

---
 network.yml                  |  2 +-
 roles/grafana/tasks/main.yml | 10 ----------
 2 files changed, 1 insertion(+), 11 deletions(-)

diff --git a/network.yml b/network.yml
index e007de0f..8f70b911 100755
--- a/network.yml
+++ b/network.yml
@@ -98,7 +98,7 @@
         - {from: re2o.crans.org, to: 10.231.136.9}
         - {from: intranet.crans.org, to: 10.231.136.9}
         - {from: autoconfig.crans.org, to: 10.231.136.46}
-        - {from: grafana.crans.org, to: 10.231.136.102}
+        - {from: grafana.crans.org, to: "10.231.136.102:3000"}
         - {from: webirc.crans.org, to: "10.231.136.1:9000"}
         - {from: framadate.crans.org, to: 10.231.136.153}
 
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
index 1442c08f..1d472f15 100644
--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
@@ -33,13 +33,6 @@
   retries: 3
   until: apt_result is succeeded
 
-# This capability enables grafana to bind :80
-- name: Add cap_net_bind_service to grafana
-  capabilities:
-    path: /usr/sbin/grafana-server
-    capability: cap_net_bind_service+ep
-    state: present
-
 - name: Configure Grafana
   ini_file:
     path: /etc/grafana/grafana.ini
@@ -48,9 +41,6 @@
     value: "{{ item.value }}"
     mode: 0640
   loop:
-    - section: server
-      option: http_port
-      value: "80"
     - section: server
       option: root_url
       value: "{{ grafana_root_url }}"

From 6eaf509ff3a06b47983fe4ad04e56655d8d32701 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sun, 3 May 2020 15:19:29 +0200
Subject: [PATCH 52/56] [nginx] Reverse WebSocket

---
 network.yml                                     |  2 +-
 roles/nginx-reverseproxy/tasks/main.yml         |  7 +++++--
 .../nginx/sites-available/reverseproxy.j2       | 13 ++++++++-----
 .../nginx/snippets/options-proxypass.conf.j2    | 17 +++++++++++++++++
 4 files changed, 31 insertions(+), 8 deletions(-)
 create mode 100644 roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2

diff --git a/network.yml b/network.yml
index 8f70b911..23160615 100755
--- a/network.yml
+++ b/network.yml
@@ -74,7 +74,7 @@
         # Services web Crans
         - {from: lutim.crans.org, to: 10.231.136.69}
         - {from: zero.crans.org, to: 10.231.136.76}
-        - {from: pad.crans.org, to: 10.231.136.76}
+        - {from: pad.crans.org, to: "10.231.136.76:9001"}
         - {from: ethercalc.crans.org, to: 10.231.136.203}
         - {from: mediadrop.crans.org, to: 10.231.136.106}
         - {from: videos.crans.org, to: 10.231.136.106}
diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml
index 55af7c18..5a0e298f 100644
--- a/roles/nginx-reverseproxy/tasks/main.yml
+++ b/roles/nginx-reverseproxy/tasks/main.yml
@@ -11,8 +11,11 @@
 
 - name: Copy snippets
   template:
-    src: nginx/snippets/options-ssl.conf.j2
-    dest: /etc/nginx/snippets/options-ssl.conf
+    src: "nginx/snippets/{{ item }}.j2"
+    dest: "/etc/nginx/snippets/{{ item }}"
+  loop:
+    - options-ssl.conf
+    - options-proxypass.conf
 
 - name: Copy dhparam
   template:
diff --git a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
index 50ef7b2e..52a278bf 100644
--- a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
@@ -1,5 +1,12 @@
 {{ ansible_header | comment }}
 
+# Automatic Connection header for WebSocket support
+# See http://nginx.org/en/docs/http/websocket.html
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
 {% for site in nginx.reverseproxy_sites %}
 # Redirect http://{{ site.from }} to https://{{ site.from }}
 server {
@@ -41,12 +48,8 @@ server {
     real_ip_header P-Real-Ip;
 
     location / {
-        proxy_set_header Host {{ site.from }};
-        proxy_set_header P-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto https;
-        proxy_redirect off;
         proxy_pass http://{{ site.to }};
+        include "/etc/nginx/snippets/options-proxypass.conf";
     }
 }
 
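Review bot: The removed `proxy_set_header P-Real-IP $remote_addr;` is replaced, via the included snippet, by `X-Real-IP`, so the proxy no longer overwrites a `P-Real-IP` header sent by the client; nginx forwards unknown request headers to the backend unchanged. The surrounding context (`real_ip_header P-Real-Ip;`) suggests `P-Real-IP` is the header name this infrastructure uses for the client address, so any backend still reading it would now accept a client-supplied value (IP spoofing in logs, rate limits or ACLs). Until every backend is confirmed to read `X-Real-IP`, either keep `proxy_set_header P-Real-IP $remote_addr;` in the snippet or explicitly strip the inbound one with `proxy_set_header P-Real-IP "";`. The enclosing `server` block starts outside this hunk.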
diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2
new file mode 100644
index 00000000..a14f3b7f
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2
@@ -0,0 +1,17 @@
+{{ ansible_header | comment }}
+
+proxy_redirect off;
+proxy_set_header Host $host;
+
+# Pass the real client IP
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+# Tell proxified server that we are HTTPS, fix Wordpress
+proxy_set_header X-Forwarded-Proto https;
+
+# WebSocket support
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+
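Review bot: `proxy_set_header Host $host;` forwards whatever Host the client sent, whereas the previous per-site config pinned it to the site name; in a server block that is the default server or lists several names, the backend now receives a client-controlled Host, which matters for applications that build absolute URLs (redirects, password-reset links) from it. If every server block using this snippet has exactly one `server_name`, the two are equivalent; otherwise `proxy_set_header Host $server_name;` keeps the old behaviour from a shared snippet. I would also record the intent above the line, e.g. `# Host is forwarded as received; each site has a single server_name, so this equals the site name`, so the assumption is visible to the next editor.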

From cb6e85880482eac80431b48064eda8d67e60479b Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 4 May 2020 12:19:32 +0200
Subject: [PATCH 53/56] =?UTF-8?q?[nginx-reverseproxy]=20Trailing=20spaces?=
 =?UTF-8?q?=E2=80=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../templates/nginx/sites-available/reverseproxy.j2             | 2 +-
 .../templates/nginx/snippets/options-ssl.conf.j2                | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
index 52a278bf..0898da05 100644
--- a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
@@ -36,7 +36,7 @@ server {
 
     # Keep the TCP connection open a bit for faster browsing
     keepalive_timeout 70;
- 
+
     # Custom error page
     error_page  500 502 503 504  /50x.html;
     location = /50x.html {
diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
index c585cc26..1a9273a8 100644
--- a/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
@@ -3,7 +3,7 @@
 ssl_certificate {{ nginx.ssl.cert }};
 ssl_certificate_key {{ nginx.ssl.cert_key }};
 ssl_session_timeout 1d;
-ssl_session_cache shared:MozSSL:10m;  
+ssl_session_cache shared:MozSSL:10m;
 ssl_session_tickets off;
 ssl_dhparam /etc/letsencrypt/dhparam;
 ssl_protocols TLSv1.2 TLSv1.3;

From 38ff5c192ff5a4e6daec61c662091dd6078e4bd3 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Wed, 6 May 2020 12:59:08 +0200
Subject: [PATCH 54/56] Fix nginx max body size

---
 .../templates/nginx/snippets/options-proxypass.conf.j2          | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2
index a14f3b7f..0b864a68 100644
--- a/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2
@@ -15,3 +15,5 @@ proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
 
+# For Owncloud WebDav
+client_max_body_size 10G;
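Review bot: `client_max_body_size 10G;` lands in a snippet that is included in the `location /` of every reverse-proxied site, not only Owncloud, so each backend (pad, lutim, ethercalc, …) now accepts 10 GB request bodies through this proxy. With nginx's default `proxy_request_buffering on`, each such request is spooled to the proxy's disk before being forwarded, which is an easy disk-exhaustion vector from an unauthenticated client. Scope the limit to the site that needs it (a per-site field in `nginx.reverseproxy_sites` rendered into its `location`), or at least pair it with `proxy_request_buffering off;` so bodies stream to the backend instead of filling the proxy's temp path.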

From 539706f1136b2b6a7e459a3afa2d88b15eea13ef Mon Sep 17 00:00:00 2001
From: Bombar Maxime <bombar@crans.org>
Date: Thu, 7 May 2020 14:02:29 +0200
Subject: [PATCH 55/56] Remove /etc/default/bcfg2 on ansible managed hosts.

---
 clean_servers.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/clean_servers.yml b/clean_servers.yml
index 0f68d4cc..79b61bd5 100755
--- a/clean_servers.yml
+++ b/clean_servers.yml
@@ -76,6 +76,7 @@
         - /etc/cron.d/autobcfg2
         - /etc/cron.d/bcfg2-run
         - /etc/cron.d/pull-repos-scripts
+        - /etc/default/bcfg2
         - /etc/munin
         - /etc/icinga2
         - /etc/nut

From 21c953a4cab1acde0f2868521c28960e42fd9daf Mon Sep 17 00:00:00 2001
From: Bombar Maxime <bombar@crans.org>
Date: Fri, 8 May 2020 01:16:24 +0200
Subject: [PATCH 56/56] [clean_servers] More bcfg2 clean up

---
 clean_servers.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/clean_servers.yml b/clean_servers.yml
index 79b61bd5..218948f2 100755
--- a/clean_servers.yml
+++ b/clean_servers.yml
@@ -64,6 +64,9 @@
         path: "{{ item }}"
         state: absent
       loop:
+        - /etc/bcfg2.conf
+        - /etc/bcfg2.conf.ucf-dist
+        - /etc/crans
         - /etc/cron.d/munin-crans
         - /etc/cron.d/munin-node
         - /etc/cron.d/munin-node.dpkg-dist
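Review bot: Deleting `/etc/bcfg2.conf`, `/etc/bcfg2.conf.ucf-dist` and `/etc/crans` by path leaves the owning package state untouched; if the bcfg2 client package is still installed on these hosts (not visible here), dpkg will restore its conffiles on the next upgrade and the agent is back, now with a default config. Consider removing the package with `apt: name: bcfg2 state: absent purge: true` before this cleanup, and keep the path list only for leftovers the package does not own. Note that `state: absent` on `/etc/crans` removes the directory recursively, so anything local still stored there is lost; a short comment such as `# Legacy bcfg2 tree, removed recursively` above the entry would make that explicit. The enclosing `file` task starts outside this hunk.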
@@ -79,6 +82,7 @@
         - /etc/default/bcfg2
         - /etc/munin
         - /etc/icinga2
+        - /etc/init.d/bcfg2
         - /etc/nut
         - /etc/nginx/sites-enabled/status
         - /etc/nginx/sites-available/status