From e9fdfde4174da27e36081379d76a4e73e04cd53e Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 20 Apr 2020 18:56:42 +0200
Subject: [PATCH 01/56] [interfaces] Deploy /etc/network/interfaces for adm
---
 interfaces.yml | 12 ++++++++++++
 roles/interfaces/tasks/main.yml | 7 +++++++
 .../templates/network/interfaces.d/02-adm.j2 | 17 +++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100755 interfaces.yml
 create mode 100644 roles/interfaces/tasks/main.yml
 create mode 100644 roles/interfaces/templates/network/interfaces.d/02-adm.j2
diff --git a/interfaces.yml b/interfaces.yml
new file mode 100755
index 00000000..0d028edc
--- /dev/null
+++ b/interfaces.yml
@@ -0,0 +1,12 @@
+#!/usr/bin/env ansible-playbook
+---
+# Set variable adm_iface for all servers
+- hosts: server
+ tasks:
+ - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+ register: adm_iface
+ check_mode: no
+
+- hosts: boeing.adm.crans.org
+ roles:
+ - interfaces
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
new file mode 100644
index 00000000..095878e4
--- /dev/null
+++ b/roles/interfaces/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Deploy adm interface config
+ template:
+ src: network/interfaces.d/02-adm.j2
+ dest: /etc/network/interfaces.d/02-adm
+ mode: 0644
+ when: adm_iface.stdout
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
new file mode 100644
index 00000000..79cbe5fa
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
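Review bot: The detection task registering `adm_iface` reports `changed` on every run because it has no `changed_when: false`, and `grep adm` is a substring match, so an ifalias such as `adm2` also qualifies and two matching interfaces produce a multi-line `stdout` that later breaks the `'ansible_' + adm_iface.stdout` lookup. I would write it as `- name: Detect adm interface`, `shell: grep -x adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"`, `changed_when: false` (keeping `register` and `check_mode`). A host without the alias only stays non-fatal because the pipeline's status is that of the last `sed` rather than of `grep`; an explicit `failed_when: false`, or an assert that `adm_iface.stdout_lines | length <= 1`, would make that intent visible. The same applies to the srv, ens and fil copies added in commits 02 and 05.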
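Review bot: `when: adm_iface.stdout` depends on a variable registered by the first play of `interfaces.yml`, not by anything inside the role, so `roles/interfaces` fails with an undefined variable when it is applied from another playbook or resumed with `--start-at-task`. Moving the detection task to the top of `roles/interfaces/tasks/main.yml`, or guarding with `when: adm_iface is defined and adm_iface.stdout`, keeps the role self-contained. Style-wise, `mode: 0644` is an implicit-octal scalar; `mode: "0644"` is what yamllint/ansible-lint accept and Ansible reads it identically, and this recurs in every template task added later in the series.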
@@ -0,0 +1,17 @@
+{{ ansible_header | comment }}
+
+allow-hotplug {{ adm_iface.stdout }}
+iface {{ adm_iface.stdout }} inet static
+ address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.address }}
+ network {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.network }}
+ netmask {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.netmask }}
+ broadcast {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.broadcast }}
+ dns-nameservers 10.231.136.152 10.231.136.4
+ dns-search adm.crans.org
+ up /sbin/ip link set $IFACE alias adm
+
+iface {{ adm_iface.stdout }} inet6 static
+ address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }}
+ autoconf 1
+ accept_ra 2
+ up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
From 4b5c16e68373ac18936c113d89524f66be9abb22 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 20 Apr 2020 19:46:47 +0200
Subject: [PATCH 02/56] [interfaces] Deploy /etc/network/interfaces for srv and ens
---
 interfaces.yml | 12 +++++++++++
 roles/interfaces/tasks/main.yml | 20 +++++++++++++++++++
 .../templates/network/interfaces.d/00-srv.j2 | 19 ++++++++++++++++++
 .../templates/network/interfaces.d/01-ens.j2 | 19 ++++++++++++++++++
 .../templates/network/interfaces.d/02-adm.j2 | 6 ++----
 .../templates/network/interfaces.j2 | 10 ++++++++++
 6 files changed, 82 insertions(+), 4 deletions(-)
 create mode 100644 roles/interfaces/templates/network/interfaces.d/00-srv.j2
 create mode 100644 roles/interfaces/templates/network/interfaces.d/01-ens.j2
 create mode 100644 roles/interfaces/templates/network/interfaces.j2
diff --git a/interfaces.yml b/interfaces.yml
index 0d028edc..872d81ee 100755
--- a/interfaces.yml
+++ b/interfaces.yml
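Review bot: The inet6 stanza indexes `ipv6[0]` unconditionally, so the template fails to render on a host whose adm interface has no IPv6 entry in its facts, even though the IPv4 stanza alone would be valid; wrapping the stanza in an `{% if %}` on that `ipv6` fact being defined and non-empty keeps such hosts deployable. Which address sits at index 0 is also simply whatever the setup module listed first, which is not guaranteed to be the intended static global address when other addresses exist on the link, so a comment or a filter on scope is worth adding. The same pattern is copied into 00-srv.j2, 01-ens.j2 and 21-fil.j2 later in the series.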
@@ -6,7 +6,19 @@
 - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
 register: adm_iface
 check_mode: no
+ - shell: grep srv /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+ register: srv_iface
+ check_mode: no
+ - shell: grep ens /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+ register: ens_iface
+ check_mode: no
 
 - hosts: boeing.adm.crans.org
+ vars:
+ - adm_dns: 10.231.136.152 10.231.136.4
+ - srv_gateway: 185.230.79.254
+ - srv_dns: 185.230.79.152 185.230.79.4
+ - ens_gateway: 138.231.136.254
+ - ens_dns: 138.231.136.152 138.231.136.4
 roles:
 - interfaces
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index 095878e4..336a267d 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -1,4 +1,24 @@
 ---
+- name: Deploy default interfaces config
+ template:
+ src: network/interfaces.j2
+ dest: /etc/network/interfaces
+ mode: 0644
+
+- name: Deploy srv interface config
+ template:
+ src: network/interfaces.d/00-srv.j2
+ dest: /etc/network/interfaces.d/00-srv
+ mode: 0644
+ when: srv_iface.stdout
+
+- name: Deploy ens interface config
+ template:
+ src: network/interfaces.d/01-ens.j2
+ dest: /etc/network/interfaces.d/01-ens
+ mode: 0644
+ when: ens_iface.stdout
+
 - name: Deploy adm interface config
 template:
 src: network/interfaces.d/02-adm.j2
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
new file mode 100644
index 00000000..4c7468a1
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
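Review bot: `vars:` is written as a list of single-key mappings (`- adm_dns: …`), the legacy form that ansible-lint flags and that, as far as I know, newer ansible-core deprecates in favour of a plain mapping; `vars:` followed by `adm_dns: 10.231.136.152 10.231.136.4` and the other keys at the same indent is the same data. These gateway and DNS values are site constants embedded in the playbook next to a literal hostname; putting them in `group_vars/` for an inventory group and targeting that group would keep the addresses in one place as more hosts are added. Since the DNS values are space-separated strings rendered verbatim into `dns-nameservers`, a one-line comment saying so would stop someone turning them into a YAML list.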
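Review bot: The new 'Deploy default interfaces config' task overwrites `/etc/network/interfaces` on every host of the play with no `backup: yes` and no handler, so any stanza an administrator kept directly in that file rather than in `interfaces.d/` disappears at the next ifup/reboot, while the rendered changes are not applied until someone restarts networking by hand. Adding `backup: yes` to the template tasks and either a `notify:` to a networking handler or a comment recording the decision not to auto-apply on remote hosts would make the rollout behaviour explicit. Nothing in the role removes fragments from `/etc/network/interfaces.d/` that are no longer deployed, so with `source /etc/network/interfaces.d/*` a stale file for a removed alias keeps being read.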
@@ -0,0 +1,19 @@
+{{ ansible_header | comment }}
+
+allow-hotplug {{ srv_iface.stdout }}
+iface {{ srv_iface.stdout }} inet static
+ address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.address }}
+ network {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.network }}
+ netmask {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.netmask }}
+ broadcast {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.broadcast }}
+ gateway {{ srv_gateway }}
+ mtu 1496
+ dns-nameservers {{ srv_dns }}
+ dns-search crans.org
+ up /sbin/ip link set $IFACE alias srv
+
+iface {{ srv_iface.stdout }} inet6 static
+ address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].prefix }}
+ autoconf 1
+ accept_ra 2
+ up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
new file mode 100644
index 00000000..d168be5d
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
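Review bot: The inet6 stanza pairs a static address with `autoconf 1`, `accept_ra 2` and `up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1`, which explicitly tells the host to accept prefixes and default routes from router advertisements on the srv segment; any device on that segment that sends RAs can then change this server's default route, and `accept_ra 2` keeps that true even if forwarding is enabled. If the RA is only needed for the route, an inet6 `gateway` line mirroring the inet stanza's `gateway {{ srv_gateway }}` together with `accept_ra 0` / `autoconf 0` removes the dependency; if RA really must stay on, a comment saying why would help, since this same commit drops exactly these three lines from 02-adm.j2. 01-ens.j2 carries the identical block.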
@@ -0,0 +1,19 @@
+{{ ansible_header | comment }}
+
+allow-hotplug {{ ens_iface.stdout }}
+iface {{ ens_iface.stdout }} inet static
+ address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.address }}
+ network {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.network }}
+ netmask {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.netmask }}
+ broadcast {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.broadcast }}
+ gateway {{ ens_gateway }}
+ mtu 1496
+ dns-nameservers {{ ens_dns }}
+ dns-search crans.org
+ up /sbin/ip link set $IFACE alias ens
+
+iface {{ ens_iface.stdout }} inet6 static
+ address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].prefix }}
+ autoconf 1
+ accept_ra 2
+ up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index 79cbe5fa..d0b5b833 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -6,12 +6,10 @@ iface {{ adm_iface.stdout }} inet static
 network {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.network }}
 netmask {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.netmask }}
 broadcast {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.broadcast }}
- dns-nameservers 10.231.136.152 10.231.136.4
+ mtu 1496
+ dns-nameservers {{ adm_dns }}
 dns-search adm.crans.org
 up /sbin/ip link set $IFACE alias adm
 
 iface {{ adm_iface.stdout }} inet6 static
 address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }}
- autoconf 1
- accept_ra 2
- up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
diff --git a/roles/interfaces/templates/network/interfaces.j2 b/roles/interfaces/templates/network/interfaces.j2
new file mode 100644
index 00000000..0c339966
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.j2
@@ -0,0 +1,10 @@
+{{ ansible_header | comment }}
+
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
From a6392502b9fce9ed7de7acac9a483703c5827c81 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 20 Apr 2020 20:45:00 +0200
Subject: [PATCH 03/56] [interfaces] Add supplementary lines from local facts
---
 .../interfaces/templates/network/interfaces.d/01-ens.j2 | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index d168be5d..c7a34671 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -11,6 +11,15 @@ iface {{ ens_iface.stdout }} inet static
 dns-nameservers {{ ens_dns }}
 dns-search crans.org
 up /sbin/ip link set $IFACE alias ens
+{% if 'interfaces' in ansible_local %}
+{% if ens_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_4' in ansible_local.interfaces[ens_iface.stdout] %}
+{% for line in ansible_local.interfaces[ens_iface.stdout].sup_if_4 %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
 
 iface {{ ens_iface.stdout }} inet6 static
 address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].prefix }}
From 2667c3d696652bad1fad81d79badf768ed3697b1 Mon Sep 17 00:00:00 2001
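Review bot: The lines taken from the local fact are written verbatim into the interfaces fragment with no validation, so whatever is in the host's `interfaces.fact` (presumably `up`/`pre-up` style options, which ifupdown runs as root) becomes part of the deployed config; that fact file is root-owned, so no privilege boundary is crossed, but the rendered result is no longer reproducible from this repository, which deserves a comment next to the loop such as `{# extra stanza lines come from the host's interfaces.fact and are not tracked here #}`. The three nested guards plus the loop also collapse to `{% for line in ansible_local.get('interfaces', {}).get(ens_iface.stdout, {}).get('sup_if_4', []) %}`, which is easier to keep consistent across the copies. The same applies to the sup_if_4/sup_if_6 blocks added to 00-srv.j2, 01-ens.j2 and 02-adm.j2 in commit 04 and to 21-fil.j2 in commit 05.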
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 20 Apr 2020 22:27:17 +0200
Subject: [PATCH 04/56] [interfaces] Add supplementary lines from local facts to all interfaces
---
 .../templates/network/interfaces.d/00-srv.j2 | 18 ++++++++++++++++++
 .../templates/network/interfaces.d/01-ens.j2 | 9 +++++++++
 .../templates/network/interfaces.d/02-adm.j2 | 18 ++++++++++++++++++
 3 files changed, 45 insertions(+)
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 4c7468a1..7fc0390f 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -11,9 +11,27 @@ iface {{ srv_iface.stdout }} inet static
 dns-nameservers {{ srv_dns }}
 dns-search crans.org
 up /sbin/ip link set $IFACE alias srv
+{% if 'interfaces' in ansible_local %}
+{% if srv_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_4' in ansible_local.interfaces[srv_iface.stdout] %}
+{% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_4 %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
 
 iface {{ srv_iface.stdout }} inet6 static
 address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].prefix }}
 autoconf 1
 accept_ra 2
 up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
+{% if 'interfaces' in ansible_local %}
+{% if srv_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_6' in ansible_local.interfaces[srv_iface.stdout] %}
+{% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_6 %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index c7a34671..e94243b1 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -26,3 +26,12 @@ iface {{ ens_iface.stdout }} inet6 static
 autoconf 1
 accept_ra 2
 up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
+{% if 'interfaces' in ansible_local %}
+{% if ens_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_6' in ansible_local.interfaces[ens_iface.stdout] %}
+{% for line in ansible_local.interfaces[ens_iface.stdout].sup_if_6 %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index d0b5b833..bd928eae 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -10,6 +10,24 @@ iface {{ adm_iface.stdout }} inet static
 dns-nameservers {{ adm_dns }}
 dns-search adm.crans.org
 up /sbin/ip link set $IFACE alias adm
+{% if 'interfaces' in ansible_local %}
+{% if adm_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_4' in ansible_local.interfaces[adm_iface.stdout] %}
+{% for line in ansible_local.interfaces[adm_iface.stdout].sup_if_4 %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
 
 iface {{ adm_iface.stdout }} inet6 static
 address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }}
+{% if 'interfaces' in ansible_local %}
+{% if adm_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_6' in ansible_local.interfaces[adm_iface.stdout] %}
+{% for line in ansible_local.interfaces[adm_iface.stdout].sup_if_6 %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
From 81de24e5bd0a72be7d88fb5980a354be5d8e2d4c Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 08:50:46 +0200
Subject: [PATCH 05/56] [interfaces] Configure fil interface
---
 interfaces.yml | 15 +++++---
 roles/interfaces/tasks/main.yml | 7 ++++
 .../templates/network/interfaces.d/00-srv.j2 | 2 +-
 .../templates/network/interfaces.d/21-fil.j2 | 34 +++++++++++++++++++
 4 files changed, 52 insertions(+), 6 deletions(-)
 create mode 100644 roles/interfaces/templates/network/interfaces.d/21-fil.j2
diff --git a/interfaces.yml b/interfaces.yml
index 872d81ee..e637a5cc 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -3,22 +3,27 @@
 # Set variable adm_iface for all servers
 - hosts: server
 tasks:
- - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
- register: adm_iface
- check_mode: no
 - shell: grep srv /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
 register: srv_iface
 check_mode: no
 - shell: grep ens /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
 register: ens_iface
 check_mode: no
+ - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+ register: adm_iface
+ check_mode: no
+ - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+ register: fil_iface
+ check_mode: no
 
-- hosts: boeing.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org
 vars:
- - adm_dns: 10.231.136.152 10.231.136.4
 - srv_gateway: 185.230.79.254
 - srv_dns: 185.230.79.152 185.230.79.4
 - ens_gateway: 138.231.136.254
 - ens_dns: 138.231.136.152 138.231.136.4
+ - adm_dns: 10.231.136.152 10.231.136.4
+ - fil_gateway: 10.54.0.254
+ - fil_dns: 10.54.0.152 10.54.0.4
 roles:
 - interfaces
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index 336a267d..d9751a36 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
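Review bot: The context line `# Set variable adm_iface for all servers` is now wrong, since the play registers srv_iface, ens_iface, adm_iface and fil_iface; `# Detect which interface carries each ifalias (srv, ens, adm, fil) and register <alias>_iface` would match what the play does. The detection play is otherwise the same `shell` pipeline repeated four times with only the alias name changing; a single task with `loop: [srv, ens, adm, fil]`, `changed_when: false` and `register`, followed by a `set_fact` publishing each result as `<alias>_iface`, would keep one copy of the pipeline while preserving the `*_iface.stdout` shape the templates read. The second play's `hosts:` is a comma-separated literal that commits 08 and 09 each extend by one hostname; an inventory group would make that an inventory-only change and let the DNS/gateway values live in `group_vars/`.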
@@ -25,3 +25,10 @@
 dest: /etc/network/interfaces.d/02-adm
 mode: 0644
 when: adm_iface.stdout
+
+- name: Deploy fil interface config
+ template:
+ src: network/interfaces.d/21-fil.j2
+ dest: /etc/network/interfaces.d/21-fil
+ mode: 0644
+ when: fil_iface.stdout
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 7fc0390f..1367d156 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -15,7 +15,7 @@ iface {{ srv_iface.stdout }} inet static
 {% if srv_iface.stdout in ansible_local.interfaces %}
 {% if 'sup_if_4' in ansible_local.interfaces[srv_iface.stdout] %}
 {% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_4 %}
- {{ line }}
+ {{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
new file mode 100644
index 00000000..469f0531
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+
+allow-hotplug {{ fil_iface.stdout }}
+iface {{ fil_iface.stdout }} inet static
+ address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.address }}
+ network {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.network }}
+ netmask {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.netmask }}
+ broadcast {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.broadcast }}
+ gateway {{ fil_gateway }}
+ mtu 1496
+ dns-nameservers {{ fil_dns }}
+ dns-search fil.crans.org
+ up /sbin/ip link set $IFACE alias fil
+{% if 'interfaces' in ansible_local %}
+{% if fil_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_4' in ansible_local.interfaces[fil_iface.stdout] %}
+{% for line in ansible_local.interfaces[fil_iface.stdout].sup_if_4 %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+
+iface {{ fil_iface.stdout }} inet6 static
+ address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].prefix }}
+{% if 'interfaces' in ansible_local %}
+{% if fil_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_6' in ansible_local.interfaces[fil_iface.stdout] %}
+{% for line in ansible_local.interfaces[fil_iface.stdout].sup_if_6 %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
From 11b90f8b51702b9f109514d4e19d914bb4ccc125 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 09:57:02 +0200
Subject: [PATCH 06/56] [interfaces] Change interfaces.fact format
---
 .../templates/network/interfaces.d/00-srv.j2 | 12 ++++++------
 .../templates/network/interfaces.d/01-ens.j2 | 12 ++++++------
 .../templates/network/interfaces.d/02-adm.j2 | 12 ++++++------
 .../templates/network/interfaces.d/21-fil.j2 | 12 ++++++------
 4 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 1367d156..9e934d98 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -12,9 +12,9 @@ iface {{ srv_iface.stdout }} inet static
 dns-search crans.org
 up /sbin/ip link set $IFACE alias srv
 {% if 'interfaces' in ansible_local %}
-{% if srv_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_4' in ansible_local.interfaces[srv_iface.stdout] %}
-{% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_4 %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if srv_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[srv_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
@@ -27,9 +27,9 @@ iface {{ srv_iface.stdout }} inet6 static
 accept_ra 2
 up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
 {% if 'interfaces' in ansible_local %}
-{% if srv_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_6' in ansible_local.interfaces[srv_iface.stdout] %}
-{% for line in ansible_local.interfaces[srv_i_iface.stdout].sup_if_6 %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if srv_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[srv_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index e94243b1..ac2bed20 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
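Review bot: Hosts still carrying the previous per-interface fact layout (`interfaces.<iface>.sup_if_4`) now silently render no extra lines at all instead of failing, because `'sup_if_4' in ansible_local.interfaces` simply evaluates false; the fact files therefore have to be migrated before this template lands, or the template should fail loudly when it meets the old layout. The new lookup chain is also the only place the fact's schema is defined, so a Jinja comment above the first guard, e.g. `{# interfaces.fact: {"sup_if_4": {"<iface>": ["<line>", ...]}, "sup_if_6": {...}}; lines are appended to the matching stanza #}`, would let the next person write a valid fact file without reading the template, and `{# #}` does not render, so the deployed file is unchanged. Same for the 01-ens.j2, 02-adm.j2 and 21-fil.j2 hunks of this commit.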
@@ -12,9 +12,9 @@ iface {{ ens_iface.stdout }} inet static
 dns-search crans.org
 up /sbin/ip link set $IFACE alias ens
 {% if 'interfaces' in ansible_local %}
-{% if ens_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_4' in ansible_local.interfaces[ens_iface.stdout] %}
-{% for line in ansible_local.interfaces[ens_iface.stdout].sup_if_4 %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ens_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[ens_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
@@ -27,9 +27,9 @@ iface {{ ens_iface.stdout }} inet6 static
 accept_ra 2
 up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
 {% if 'interfaces' in ansible_local %}
-{% if ens_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_6' in ansible_local.interfaces[ens_iface.stdout] %}
-{% for line in ansible_local.interfaces[ens_iface.stdout].sup_if_6 %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ens_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[ens_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index bd928eae..dce7c3e4 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -11,9 +11,9 @@ iface {{ adm_iface.stdout }} inet static
 dns-search adm.crans.org
 up /sbin/ip link set $IFACE alias adm
 {% if 'interfaces' in ansible_local %}
-{% if adm_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_4' in ansible_local.interfaces[adm_iface.stdout] %}
-{% for line in ansible_local.interfaces[adm_iface.stdout].sup_if_4 %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if adm_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[adm_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
@@ -23,9 +23,9 @@ iface {{ adm_iface.stdout }} inet static
 iface {{ adm_iface.stdout }} inet6 static
 address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }}
 {% if 'interfaces' in ansible_local %}
-{% if adm_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_6' in ansible_local.interfaces[adm_iface.stdout] %}
-{% for line in ansible_local.interfaces[adm_iface.stdout].sup_if_6 %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if adm_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[adm_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
index 469f0531..f9453e0f 100644
--- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2
+++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
@@ -12,9 +12,9 @@ iface {{ fil_iface.stdout }} inet static
 dns-search fil.crans.org
 up /sbin/ip link set $IFACE alias fil
 {% if 'interfaces' in ansible_local %}
-{% if fil_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_4' in ansible_local.interfaces[fil_iface.stdout] %}
-{% for line in ansible_local.interfaces[fil_iface.stdout].sup_if_4 %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if fil_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[fil_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
@@ -24,9 +24,9 @@ iface {{ fil_iface.stdout }} inet static
 iface {{ fil_iface.stdout }} inet6 static
 address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].prefix }}
 {% if 'interfaces' in ansible_local %}
-{% if fil_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_6' in ansible_local.interfaces[fil_iface.stdout] %}
-{% for line in ansible_local.interfaces[fil_iface.stdout].sup_if_6 %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if fil_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[fil_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
From 7b99fb22bd5d1d3a90367b7a1f9875e09d007719 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 12:06:26 +0200
Subject: [PATCH 07/56] [interfaces] Alias ansible facts
---
 .../templates/network/interfaces.d/00-srv.j2 | 11 ++++++-----
 .../templates/network/interfaces.d/01-ens.j2 | 11 ++++++-----
 .../templates/network/interfaces.d/02-adm.j2 | 11 ++++++-----
 .../templates/network/interfaces.d/21-fil.j2 | 11 ++++++-----
 4 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 9e934d98..53151878 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 +++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 @@ -1,11 +1,12 @@ {{ ansible_header | comment }} +{% set srv = hostvars[inventory_hostname]['ansible_' + srv_iface.stdout] %} allow-hotplug {{ srv_iface.stdout }} iface {{ srv_iface.stdout }} inet static - address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.address }} - network {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.network }} - netmask {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.netmask }} - broadcast {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.broadcast }} + address {{ srv.ipv4.address }} + network {{ srv.ipv4.network }} + netmask {{ srv.ipv4.netmask }} + broadcast {{ srv.ipv4.broadcast }} gateway {{ srv_gateway }} mtu 1496 dns-nameservers {{ srv_dns }} @@ -22,7 +23,7 @@ iface {{ srv_iface.stdout }} inet static {% endif %} iface {{ srv_iface.stdout }} inet6 static - address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].prefix }} + address {{ srv.ipv6[0].address }}/{{ srv.ipv6[0].prefix }} autoconf 1 accept_ra 2 up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1 diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 index ac2bed20..62cb77fc 100644 --- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 +++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 
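Review bot: `{% set srv = hostvars[inventory_hostname]['ansible_' + srv_iface.stdout] %}` improves readability, but the lookup still assumes the fact key is literally `ansible_` plus the kernel interface name; Ansible normalizes some characters in fact names (dashes in a bridge or bond name, for instance), so I would confirm this against `hostvars` on such a host before relying on it, and `lookup('vars', 'ansible_' ~ srv_iface.stdout)` expresses the same lookup without going through `hostvars`, with `~` coercing the name to a string. A short comment on the `set` line such as `{# facts of the interface whose ifalias is "srv" #}` would also help a reader who does not know the detection play. The same change is made to 01-ens.j2, 02-adm.j2 and 21-fil.j2 in this commit.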
@@ -1,11 +1,12 @@ {{ ansible_header | comment }} +{% set ens = hostvars[inventory_hostname]['ansible_' + ens_iface.stdout] %} allow-hotplug {{ ens_iface.stdout }} iface {{ ens_iface.stdout }} inet static - address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.address }} - network {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.network }} - netmask {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.netmask }} - broadcast {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.broadcast }} + address {{ ens.ipv4.address }} + network {{ ens.ipv4.network }} + netmask {{ ens.ipv4.netmask }} + broadcast {{ ens.ipv4.broadcast }} gateway {{ ens_gateway }} mtu 1496 dns-nameservers {{ ens_dns }} @@ -22,7 +23,7 @@ iface {{ ens_iface.stdout }} inet static {% endif %} iface {{ ens_iface.stdout }} inet6 static - address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].prefix }} + address {{ ens.ipv6[0].address }}/{{ ens.ipv6[0].prefix }} autoconf 1 accept_ra 2 up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1 diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2 index dce7c3e4..95991513 100644 --- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 +++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2 
@@ -1,11 +1,12 @@ {{ ansible_header | comment }} +{% set adm = hostvars[inventory_hostname]['ansible_' + adm_iface.stdout] %} allow-hotplug {{ adm_iface.stdout }} iface {{ adm_iface.stdout }} inet static - address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.address }} - network {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.network }} - netmask {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.netmask }} - broadcast {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.broadcast }} + address {{ adm.ipv4.address }} + network {{ adm.ipv4.network }} + netmask {{ adm.ipv4.netmask }} + broadcast {{ adm.ipv4.broadcast }} mtu 1496 dns-nameservers {{ adm_dns }} dns-search adm.crans.org @@ -21,7 +22,7 @@ iface {{ adm_iface.stdout }} inet static {% endif %} iface {{ adm_iface.stdout }} inet6 static - address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }} + address {{ adm.ipv6[0].address }}/{{ adm.ipv6[0].prefix }} {% if 'interfaces' in ansible_local %} {% if 'sup_if_6' in ansible_local.interfaces %} {% if adm_iface.stdout in ansible_local.interfaces.sup_if_6 %} diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2 index f9453e0f..0e08910a 100644 --- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 +++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2 
@@ -1,11 +1,12 @@
 {{ ansible_header | comment }}
+{% set fil = hostvars[inventory_hostname]['ansible_' + fil_iface.stdout] %}
 allow-hotplug {{ fil_iface.stdout }}
 iface {{ fil_iface.stdout }} inet static
- address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.address }}
- network {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.network }}
- netmask {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.netmask }}
- broadcast {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.broadcast }}
+ address {{ fil.ipv4.address }}
+ network {{ fil.ipv4.network }}
+ netmask {{ fil.ipv4.netmask }}
+ broadcast {{ fil.ipv4.broadcast }}
 gateway {{ fil_gateway }}
 mtu 1496
 dns-nameservers {{ fil_dns }}
@@ -22,7 +23,7 @@ iface {{ fil_iface.stdout }} inet static
 {% endif %}
 iface {{ fil_iface.stdout }} inet6 static
- address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].prefix }}
+ address {{ fil.ipv6[0].address }}/{{ fil.ipv6[0].prefix }}
 {% if 'interfaces' in ansible_local %}
 {% if 'sup_if_6' in ansible_local.interfaces %}
 {% if fil_iface.stdout in ansible_local.interfaces.sup_if_6 %}
From 28706a622fe2d41b15450d378ab492f66f05603d Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 12:07:38 +0200
Subject: [PATCH 08/56] [interfaces] Deploy interfaces on tracker
---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/interfaces.yml b/interfaces.yml
index e637a5cc..84c59ca2 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -16,7 +16,7 @@
 register: fil_iface
 check_mode: no
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org
 vars:
 - srv_gateway: 185.230.79.254
 - srv_dns: 185.230.79.152 185.230.79.4
From d97384c314821c0c13a6a920264e61827b1e892b Mon Sep 17 00:00:00 2001
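Review bot: The `- hosts:` line in the interfaces.yml hunk is a comma-separated literal that this series extends by one name per commit (the tracker, voyager, lutim, gateau, owncloud-srv, charybde, cas-srv, fyre and silice commits all rewrite the same line), so the set of hosts whose /etc/network/interfaces is managed lives in the playbook rather than in the inventory. Putting those hosts in an inventory group and targeting it, e.g. `- hosts: ifupdown_managed` (group name is a placeholder), turns each addition into a one-line inventory change and keeps the playbook diff readable. The `vars:` block that follows holds the gateways and resolvers for exactly these hosts, so it would naturally move to that group's `group_vars` at the same time.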
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 12:20:58 +0200
Subject: [PATCH 09/56] [interfaces] Deploy interfaces on voyager
---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/interfaces.yml b/interfaces.yml
index 84c59ca2..839423b8 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -16,7 +16,7 @@
 register: fil_iface
 check_mode: no
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org
 vars:
 - srv_gateway: 185.230.79.254
 - srv_dns: 185.230.79.152 185.230.79.4
From fdaa69a312fcfbfd368dc0da9881d2a2d9f5cd88 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 13:24:34 +0200
Subject: [PATCH 10/56] [interfaces] Configure adh interface
---
 roles/interfaces/tasks/main.yml | 7 ++++
 .../templates/network/interfaces.d/23-adh.j2 | 38 +++++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 roles/interfaces/templates/network/interfaces.d/23-adh.j2
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index d9751a36..4bf0fc42 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -32,3 +32,10 @@
 dest: /etc/network/interfaces.d/21-fil
 mode: 0644
 when: fil_iface.stdout
+
+- name: Deploy adh interface config
+ template:
+ src: network/interfaces.d/23-adh.j2
+ dest: /etc/network/interfaces.d/23-adh
+ mode: 0644
+ when: adh_iface.stdout
diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
new file mode 100644
index 00000000..bc03ccc1
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
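Review bot: The new "Deploy adh interface config" task writes `mode: 0644`, an unquoted octal that YAML 1.1 loaders hand to Ansible as the integer 420; Ansible happens to interpret that as 0644, but the same form without the leading zero silently yields a different mode, so the robust spelling is `mode: "0644"`. `when: adh_iface.stdout` also assumes the variable was registered by the discovery play in interfaces.yml; applied from any other playbook the variable is undefined and the task errors rather than being skipped, which `when: adh_iface is defined and adh_iface.stdout` avoids. The borne and switch deployment tasks added later in this series have the same two issues.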
@@ -0,0 +1,38 @@
+{{ ansible_header | comment }}
+
+{% set adh = hostvars[inventory_hostname]['ansible_' + adh_iface.stdout] %}
+allow-hotplug {{ adh_iface.stdout }}
+iface {{ adh_iface.stdout }} inet static
+ address {{ adh.ipv4.address }}
+ network {{ adh.ipv4.network }}
+ netmask {{ adh.ipv4.netmask }}
+ broadcast {{ adh.ipv4.broadcast }}
+ gateway {{ adh_gateway }}
+ mtu 1496
+ dns-nameservers {{ adh_dns }}
+ dns-search crans.org
+ up /sbin/ip link set $IFACE alias adh
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if adh_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[adh_iface.stdout] %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+
+iface {{ adh_iface.stdout }} inet6 static
+ address {{ adh.ipv6[0].address }}/{{ adh.ipv6[0].prefix }}
+ autoconf 1
+ accept_ra 2
+ up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if adh_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[adh_iface.stdout] %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
From c95aee10043a66b238f4a9c0d53fcb337462121c Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 13:25:24 +0200
Subject: [PATCH 11/56] [interfaces] Configure adh interface
---
 interfaces.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/interfaces.yml b/interfaces.yml
index 839423b8..057a71e2 100755
--- a/interfaces.yml
+++ b/interfaces.yml
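Review bot: The `{% for line in ansible_local.interfaces.sup_if_4[adh_iface.stdout] %}` / `{{ line }}` loops (and the sup_if_6 twin) copy lines from the managed host's own local facts verbatim into a file that ifupdown parses as root, where `up`/`pre-up`/`down` directives are executed as commands, so whoever can write that facts file decides what runs at interface bring-up. That is fine as long as the facts file is root-owned and not writable by anyone else, but the template should record the assumption, e.g. `{# sup_if_* lines are taken from the host's local facts unvalidated and are trusted as root-level config #}`, and the role could check the facts file's ownership before rendering. `mtu 1496`, `dns-search crans.org` and the alias `up` line are hard-coded while `adh_gateway` and `adh_dns` are variables, so an `adh_mtu` role default would match the existing style. The 03-borne.j2 and 04-switch.j2 templates added later in this series contain the same loops and the same point applies there.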
@@ -15,6 +15,9 @@
 - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
 register: fil_iface
 check_mode: no
+ - shell: grep adh /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+ register: adh_iface
+ check_mode: no
 - hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org
 vars:
@@ -25,5 +28,7 @@
 - adm_dns: 10.231.136.152 10.231.136.4
 - fil_gateway: 10.54.0.254
 - fil_dns: 10.54.0.152 10.54.0.4
+ - adh_gateway: 185.230.78.254
+ - adh_dns: 185.230.78.152 185.230.78.4
 roles:
 - interfaces
From 2b9cef3f82b69723084493792e397164d37f43de Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 13:26:47 +0200
Subject: [PATCH 12/56] [interfaces] Deploy interfaces on lutim
---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/interfaces.yml b/interfaces.yml
index 057a71e2..2474e3bb 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -19,7 +19,7 @@
 register: adh_iface
 check_mode: no
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org
 vars:
 - srv_gateway: 185.230.79.254
 - srv_dns: 185.230.79.152 185.230.79.4
From 8d1dc216873cf97d4167b5d28bbc2c22ce9f5bbe Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 14:23:42 +0200
Subject: [PATCH 13/56] [interfaces] Deploy interfaces on gateau
---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/interfaces.yml b/interfaces.yml
index 2474e3bb..1196a291 100755
--- a/interfaces.yml
+++ b/interfaces.yml
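Review bot: The added `- shell: grep adh /sys/class/net/*/ifalias | ...` is a substring match, so an alias that merely contains `adh` on another interface also lands in `adh_iface.stdout`, and two matches produce a two-line value that the templates then concatenate into a nonexistent `ansible_` fact name. `grep -lx adh /sys/class/net/*/ifalias | sed "s|/sys/class/net/||; s|/ifalias$||"` matches whole-line aliases and prints only the file names, which also removes one `sed`. Because the pipeline's exit status is that of the last `sed`, a host without the alias yields an empty `stdout` rather than a failed task, which is what the role's `when:` relies on, but this task still reports `changed` on every run; add `changed_when: false`, and write `check_mode: false` instead of `no` per the yamllint truthy rule. The borne and switch discovery tasks added later in this series have the same shape.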
@@ -19,7 +19,7 @@
 register: adh_iface
 check_mode: no
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org
 vars:
 - srv_gateway: 185.230.79.254
 - srv_dns: 185.230.79.152 185.230.79.4
From a251e3071a1e0b83836b2c21027c8e17ba01cbba Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 14:26:59 +0200
Subject: [PATCH 14/56] [interfaces] Deploy interfaces on owncloud-srv
---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/interfaces.yml b/interfaces.yml
index 1196a291..f0a87578 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -19,7 +19,7 @@
 register: adh_iface
 check_mode: no
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org
 vars:
 - srv_gateway: 185.230.79.254
 - srv_dns: 185.230.79.152 185.230.79.4
From d38b3a48b7bb2f4754b86abf7eba5d0feeeb280d Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 14:40:53 +0200
Subject: [PATCH 15/56] [interfaces] Deploy interfaces on charybde
---
 interfaces.yml | 4 +++
 roles/interfaces/tasks/main.yml | 7 ++++
 .../network/interfaces.d/03-borne.j2 | 34 +++++++++++++++++++
 3 files changed, 45 insertions(+)
 create mode 100644 roles/interfaces/templates/network/interfaces.d/03-borne.j2
diff --git a/interfaces.yml b/interfaces.yml
index f0a87578..f83070ac 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -12,6 +12,9 @@
 - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
 register: adm_iface
 check_mode: no
+ - shell: grep borne /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+ register: borne_iface
+ check_mode: no
 - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
 register: fil_iface
 check_mode: no
@@ -26,6 +29,7 @@
 - ens_gateway: 138.231.136.254
 - ens_dns: 138.231.136.152 138.231.136.4
 - adm_dns: 10.231.136.152 10.231.136.4
+ - borne_dns: 10.231.148.4
 - fil_gateway: 10.54.0.254
 - fil_dns: 10.54.0.152 10.54.0.4
 - adh_gateway: 185.230.78.254
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index 4bf0fc42..91fe4164 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -26,6 +26,13 @@
 mode: 0644
 when: adm_iface.stdout
+- name: Deploy adm interface config
+ template:
+ src: network/interfaces.d/03-borne.j2
+ dest: /etc/network/interfaces.d/03-borne
+ mode: 0644
+ when: borne_iface.stdout
+
 - name: Deploy fil interface config
 template:
 src: network/interfaces.d/21-fil.j2
diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
new file mode 100644
index 00000000..0eb3ecb2
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+
+{% set borne = hostvars[inventory_hostname]['ansible_' + borne_iface.stdout] %}
+allow-hotplug {{ borne_iface.stdout }}
+iface {{ borne_iface.stdout }} inet static
+ address {{ borne.ipv4.address }}
+ network {{ borne.ipv4.network }}
+ netmask {{ borne.ipv4.netmask }}
+ broadcast {{ borne.ipv4.broadcast }}
+ mtu 1496
+ dns-nameservers {{ borne_dns }}
+ dns-search borne.crans.org
+ up /sbin/ip link set $IFACE alias borne
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if borne_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[borne_iface.stdout] %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+
+iface {{ borne_iface.stdout }} inet6 static
+ address {{ borne.ipv6[0].address }}/{{ borne.ipv6[0].prefix }}
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if borne_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[borne_iface.stdout] %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
From 521ff1d2681736818e59f4ffae3f2bb137e0f82c Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 14:42:58 +0200
Subject: [PATCH 16/56] [interfaces] Deploy interfaces on charybde
---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/interfaces.yml b/interfaces.yml
index f83070ac..b6115cc5 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -22,7 +22,7 @@
 register: adh_iface
 check_mode: no
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org
 vars:
 - srv_gateway: 185.230.79.254
 - srv_dns: 185.230.79.152 185.230.79.4
From a0a5d0964dba6fd4c21e5b852c81e7d3eb6383ef Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 14:55:37 +0200
Subject: [PATCH 17/56] [interfaces] Fix task description
---
 roles/interfaces/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index 91fe4164..5b41c028 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -26,7 +26,7 @@
 mode: 0644
 when: adm_iface.stdout
-- name: Deploy adm interface config
+- name: Deploy borne interface config
 template:
 src: network/interfaces.d/03-borne.j2
 dest: /etc/network/interfaces.d/03-borne
From 3a56fd406ba98b60809e45e463b49f131079b631 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 14:56:01 +0200
Subject: [PATCH 18/56] [interfaces] Deploy interfaces on cas-srv
---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/interfaces.yml b/interfaces.yml
index b6115cc5..52b9a667 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -22,7 +22,7 @@
 register: adh_iface
 check_mode: no
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org
 vars:
 - srv_gateway: 185.230.79.254
 - srv_dns: 185.230.79.152 185.230.79.4
From 05d2349f6214d8955d70c5fcedcfc3dfc7bf87c3 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 16:50:16 +0200
Subject: [PATCH 19/56] [interfaces] Configure switch interface
---
 interfaces.yml | 6 +++-
 roles/interfaces/tasks/main.yml | 7 ++++
 .../network/interfaces.d/04-switch.j2 | 34 +++++++++++++++++++
 3 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 roles/interfaces/templates/network/interfaces.d/04-switch.j2
diff --git a/interfaces.yml b/interfaces.yml
index 52b9a667..1feb86ca 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -15,6 +15,9 @@
 - shell: grep borne /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
 register: borne_iface
 check_mode: no
+ - shell: grep switch /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+ register: switch_iface
+ check_mode: no
 - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
 register: fil_iface
 check_mode: no
@@ -29,7 +32,8 @@
 - ens_gateway: 138.231.136.254
 - ens_dns: 138.231.136.152 138.231.136.4
 - adm_dns: 10.231.136.152 10.231.136.4
- - borne_dns: 10.231.148.4
+ - borne_dns: 10.231.148.52 10.231.148.4
+ - switch_dns: 10.231.100.152 10.231.100.4
 - fil_gateway: 10.54.0.254
 - fil_dns: 10.54.0.152 10.54.0.4
 - adh_gateway: 185.230.78.254
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index 5b41c028..210e3142 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -33,6 +33,13 @@
 mode: 0644
 when: borne_iface.stdout
+- name: Deploy switch interface config
+ template:
+ src: network/interfaces.d/04-switch.j2
+ dest: /etc/network/interfaces.d/04-switch
+ mode: 0644
+ when: switch_iface.stdout
+
 - name: Deploy fil interface config
 template:
 src: network/interfaces.d/21-fil.j2
diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
new file mode 100644
index 00000000..d8cfeb8b
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+
+{% set switch = hostvars[inventory_hostname]['ansible_' + switch_iface.stdout] %}
+allow-hotplug {{ switch_iface.stdout }}
+iface {{ switch_iface.stdout }} inet static
+ address {{ switch.ipv4.address }}
+ network {{ switch.ipv4.network }}
+ netmask {{ switch.ipv4.netmask }}
+ broadcast {{ switch.ipv4.broadcast }}
+ mtu 1496
+ dns-nameservers {{ switch_dns }}
+ dns-search switch.crans.org
+ up /sbin/ip link set $IFACE alias switch
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if switch_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[switch_iface.stdout] %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+
+iface {{ switch_iface.stdout }} inet6 static
+ address {{ switch.ipv6[0].address }}/{{ switch.ipv6[0].prefix }}
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if switch_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[switch_iface.stdout] %}
+ {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
From d1cad85bfab4861db5863611e0ff5141eddfe305 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 16:55:34 +0200
Subject: [PATCH 20/56] [interfaces] Deploy interfaces on fyre
---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/interfaces.yml b/interfaces.yml
index 1feb86ca..a17fd7f0 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -25,7 +25,7 @@
 register: adh_iface
 check_mode: no
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org
 vars:
 - srv_gateway: 185.230.79.254
 - srv_dns: 185.230.79.152 185.230.79.4
From 51f49eb461defe1c8e0c6fec1d4d8c661904b8a6 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Mon, 27 Apr 2020 21:28:43 +0200
Subject: [PATCH 21/56] [interfaces] allow-hotplug to auto
---
 roles/interfaces/templates/network/interfaces.d/00-srv.j2 | 2 +-
 roles/interfaces/templates/network/interfaces.d/01-ens.j2 | 2 +-
 roles/interfaces/templates/network/interfaces.d/02-adm.j2 | 2 +-
 roles/interfaces/templates/network/interfaces.d/03-borne.j2 | 2 +-
 roles/interfaces/templates/network/interfaces.d/04-switch.j2 | 2 +-
 roles/interfaces/templates/network/interfaces.d/21-fil.j2 | 2 +-
 roles/interfaces/templates/network/interfaces.d/23-adh.j2 | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 53151878..a1426f64 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 {% set srv = hostvars[inventory_hostname]['ansible_' + srv_iface.stdout] %}
-allow-hotplug {{ srv_iface.stdout }}
+auto {{ srv_iface.stdout }}
 iface {{ srv_iface.stdout }} inet static
 address {{ srv.ipv4.address }}
 network {{ srv.ipv4.network }}
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index 62cb77fc..4da6da89 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 {% set ens = hostvars[inventory_hostname]['ansible_' + ens_iface.stdout] %}
-allow-hotplug {{ ens_iface.stdout }}
+auto {{ ens_iface.stdout }}
 iface {{ ens_iface.stdout }} inet static
 address {{ ens.ipv4.address }}
 network {{ ens.ipv4.network }}
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index 95991513..1708e777 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 {% set adm = hostvars[inventory_hostname]['ansible_' + adm_iface.stdout] %}
-allow-hotplug {{ adm_iface.stdout }}
+auto {{ adm_iface.stdout }}
 iface {{ adm_iface.stdout }} inet static
 address {{ adm.ipv4.address }}
 network {{ adm.ipv4.network }}
diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
index 0eb3ecb2..749f144e 100644
--- a/roles/interfaces/templates/network/interfaces.d/03-borne.j2
+++ b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
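Review bot: Replacing `allow-hotplug {{ srv_iface.stdout }}` with `auto {{ srv_iface.stdout }}` changes when ifupdown configures the interface: `auto` interfaces are raised synchronously by the boot-time `ifup -a`, and a NIC that is absent or has been renamed makes that step fail, whereas `allow-hotplug` waits for the udev event and tolerates a missing device. For fixed server NICs that is usually the intent, but neither the template nor the commit message records it; a Jinja comment such as `{# auto rather than allow-hotplug: raised at boot by ifup -a, not on hotplug events #}` above the line would document the choice without reaching the rendered file. The same one-line change is applied to the 01-ens, 02-adm, 03-borne, 04-switch, 21-fil and 23-adh templates in this commit.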
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 {% set borne = hostvars[inventory_hostname]['ansible_' + borne_iface.stdout] %}
-allow-hotplug {{ borne_iface.stdout }}
+auto {{ borne_iface.stdout }}
 iface {{ borne_iface.stdout }} inet static
 address {{ borne.ipv4.address }}
 network {{ borne.ipv4.network }}
diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
index d8cfeb8b..fb007a7b 100644
--- a/roles/interfaces/templates/network/interfaces.d/04-switch.j2
+++ b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 {% set switch = hostvars[inventory_hostname]['ansible_' + switch_iface.stdout] %}
-allow-hotplug {{ switch_iface.stdout }}
+auto {{ switch_iface.stdout }}
 iface {{ switch_iface.stdout }} inet static
 address {{ switch.ipv4.address }}
 network {{ switch.ipv4.network }}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
index 0e08910a..a77e747f 100644
--- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2
+++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 {% set fil = hostvars[inventory_hostname]['ansible_' + fil_iface.stdout] %}
-allow-hotplug {{ fil_iface.stdout }}
+auto {{ fil_iface.stdout }}
 iface {{ fil_iface.stdout }} inet static
 address {{ fil.ipv4.address }}
 network {{ fil.ipv4.network }}
diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
index bc03ccc1..ee1578d6 100644
--- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2
+++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 {% set adh = hostvars[inventory_hostname]['ansible_' + adh_iface.stdout] %}
-allow-hotplug {{ adh_iface.stdout }}
+auto {{ adh_iface.stdout }}
 iface {{ adh_iface.stdout }} inet static
 address {{ adh.ipv4.address }}
 network {{ adh.ipv4.network }}
From 28ffd68a147995a93289f6dfb1b7516a157de411 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Mon, 27 Apr 2020 21:34:41 +0200
Subject: [PATCH 22/56] [interfaces] Install vlan
---
 roles/interfaces/tasks/main.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index 210e3142..c155fc1b 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -1,4 +1,13 @@
 ---
+- name: Install vlan support
+ apt:
+ update_cache: true
+ name: vlan
+ state: present
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
 - name: Deploy default interfaces config
 template:
 src: network/interfaces.j2
From c651b608f838fa92797913a1d892299ea6d72302 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 28 Apr 2020 18:06:07 +0200
Subject: [PATCH 23/56] [interfaces] Deploy interfaces on silice
---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/interfaces.yml b/interfaces.yml
index a17fd7f0..5c35aa32 100755
--- a/interfaces.yml
+++ b/interfaces.yml
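Review bot: In the "Install vlan support" task, `update_cache: true` without a `cache_valid_time` refreshes the apt index on every run of the role, which is slow and is the usual reason an install step needs `retries` at all; adding `cache_valid_time: 3600` beside it limits the refresh to once an hour. The `register: apt_result` / `until: apt_result is succeeded` loop relies on the default delay between attempts, which is fine, but a short comment such as `# retried: the index refresh occasionally fails on a flaky mirror` would tell the next reader why this task retries when none of the template tasks do. The task is inserted at the top of the file and the remaining task list continues below the hunk.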
@@ -25,7 +25,7 @@
 register: adh_iface
 check_mode: no
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org
 vars:
 - srv_gateway: 185.230.79.254
 - srv_dns: 185.230.79.152 185.230.79.4
From b1120e76378e44437c58dfcb7316a1c85a51b442 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Tue, 28 Apr 2020 18:26:59 +0200
Subject: [PATCH 24/56] [interfaces] use is defined
---
 roles/interfaces/templates/network/interfaces.d/00-srv.j2 | 8 ++------
 roles/interfaces/templates/network/interfaces.d/01-ens.j2 | 8 ++------
 roles/interfaces/templates/network/interfaces.d/02-adm.j2 | 8 ++------
 .../interfaces/templates/network/interfaces.d/03-borne.j2 | 8 ++------
 .../templates/network/interfaces.d/04-switch.j2 | 8 ++------
 roles/interfaces/templates/network/interfaces.d/21-fil.j2 | 8 ++------
 roles/interfaces/templates/network/interfaces.d/23-adh.j2 | 8 ++------
 7 files changed, 14 insertions(+), 42 deletions(-)
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index a1426f64..ba4f486c 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -12,27 +12,23 @@ iface {{ srv_iface.stdout }} inet static
 dns-nameservers {{ srv_dns }}
 dns-search crans.org
 up /sbin/ip link set $IFACE alias srv
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if srv_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[srv_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 iface {{ srv_iface.stdout }} inet6 static
 address {{ srv.ipv6[0].address }}/{{ srv.ipv6[0].prefix }}
 autoconf 1
 accept_ra 2
 up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if srv_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[srv_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index 4da6da89..36e6d154 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
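Review bot: The new `{% if ansible_local.interfaces.sup_if_4 is defined %}` together with the kept `{% if srv_iface.stdout in ansible_local.interfaces.sup_if_4 %}` can collapse into the loop itself: `{% for line in ansible_local.interfaces.sup_if_4[srv_iface.stdout] | default([]) %}` … `{% endfor %}` renders nothing when either the fact or the key is missing, assuming `sup_if_4` is a mapping keyed by interface name as the indexing suggests. The chained `is defined` test only works because Ansible's undefined object tolerates attribute access on a missing `interfaces` fact, whereas plain Jinja2 would raise on `ansible_local.interfaces.sup_if_4`, so a `{# relies on Ansible's chainable undefined; plain Jinja2 would raise here #}` comment is worth adding for whoever reuses the template. The sup_if_6 block below and the ens, adm, borne, switch, fil and adh templates in this commit get the same rewrite.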
@@ -12,27 +12,23 @@ iface {{ ens_iface.stdout }} inet static
 dns-nameservers {{ ens_dns }}
 dns-search crans.org
 up /sbin/ip link set $IFACE alias ens
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if ens_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[ens_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 iface {{ ens_iface.stdout }} inet6 static
 address {{ ens.ipv6[0].address }}/{{ ens.ipv6[0].prefix }}
 autoconf 1
 accept_ra 2
 up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if ens_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[ens_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index 1708e777..a78a660a 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -11,24 +11,20 @@ iface {{ adm_iface.stdout }} inet static
 dns-nameservers {{ adm_dns }}
 dns-search adm.crans.org
 up /sbin/ip link set $IFACE alias adm
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if adm_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[adm_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 iface {{ adm_iface.stdout }} inet6 static
 address {{ adm.ipv6[0].address }}/{{ adm.ipv6[0].prefix }}
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if adm_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[adm_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
index 749f144e..f9996740 100644
--- a/roles/interfaces/templates/network/interfaces.d/03-borne.j2
+++ b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
@@ -11,24 +11,20 @@ iface {{ borne_iface.stdout }} inet static
 dns-nameservers {{ borne_dns }}
 dns-search borne.crans.org
 up /sbin/ip link set $IFACE alias borne
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if borne_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[borne_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 iface {{ borne_iface.stdout }} inet6 static
 address {{ borne.ipv6[0].address }}/{{ borne.ipv6[0].prefix }}
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if borne_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[borne_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
index fb007a7b..57e6630f 100644
--- a/roles/interfaces/templates/network/interfaces.d/04-switch.j2
+++ b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
@@ -11,24 +11,20 @@ iface {{ switch_iface.stdout }} inet static
 dns-nameservers {{ switch_dns }}
 dns-search switch.crans.org
 up /sbin/ip link set $IFACE alias switch
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if switch_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[switch_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 iface {{ switch_iface.stdout }} inet6 static
 address {{ switch.ipv6[0].address }}/{{ switch.ipv6[0].prefix }}
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if switch_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[switch_iface.stdout] %}
 {{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
index a77e747f..198f2ca0 100644
--- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2
+++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
@@ -12,24 +12,20 @@ iface {{ fil_iface.stdout }} inet static dns-nameservers {{ fil_dns }} dns-search fil.crans.org up /sbin/ip link set $IFACE alias fil -{% if 'interfaces' in ansible_local %} -{% if 'sup_if_4' in ansible_local.interfaces %} +{% if ansible_local.interfaces.sup_if_4 is defined %} {% if fil_iface.stdout in ansible_local.interfaces.sup_if_4 %} {% for line in ansible_local.interfaces.sup_if_4[fil_iface.stdout] %} {{ line }} {% endfor %} {% endif %} {% endif %} -{% endif %} iface {{ fil_iface.stdout }} inet6 static address {{ fil.ipv6[0].address }}/{{ fil.ipv6[0].prefix }} -{% if 'interfaces' in ansible_local %} -{% if 'sup_if_6' in ansible_local.interfaces %} +{% if ansible_local.interfaces.sup_if_6 is defined %} {% if fil_iface.stdout in ansible_local.interfaces.sup_if_6 %} {% for line in ansible_local.interfaces.sup_if_6[fil_iface.stdout] %} {{ line }} {% endfor %} {% endif %} {% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2 index ee1578d6..df9a47ad 100644 --- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 +++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2 
@@ -12,27 +12,23 @@ iface {{ adh_iface.stdout }} inet static dns-nameservers {{ adh_dns }} dns-search crans.org up /sbin/ip link set $IFACE alias adh -{% if 'interfaces' in ansible_local %} -{% if 'sup_if_4' in ansible_local.interfaces %} +{% if ansible_local.interfaces.sup_if_4 is defined %} {% if adh_iface.stdout in ansible_local.interfaces.sup_if_4 %} {% for line in ansible_local.interfaces.sup_if_4[adh_iface.stdout] %} {{ line }} {% endfor %} {% endif %} {% endif %} -{% endif %} iface {{ adh_iface.stdout }} inet6 static address {{ adh.ipv6[0].address }}/{{ adh.ipv6[0].prefix }} autoconf 1 accept_ra 2 up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1 -{% if 'interfaces' in ansible_local %} -{% if 'sup_if_6' in ansible_local.interfaces %} +{% if ansible_local.interfaces.sup_if_6 is defined %} {% if adh_iface.stdout in ansible_local.interfaces.sup_if_6 %} {% for line in ansible_local.interfaces.sup_if_6[adh_iface.stdout] %} {{ line }} {% endfor %} {% endif %} {% endif %} -{% endif %} From cfe9140a0bf4358dadf6cf719ecb2c59e9d5f932 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss <erdnaxe@crans.org> Date: Tue, 28 Apr 2020 18:46:38 +0200 Subject: [PATCH 25/56] [interfaces] Do not force autoconf --- roles/interfaces/templates/network/interfaces.d/00-srv.j2 | 3 --- roles/interfaces/templates/network/interfaces.d/01-ens.j2 | 3 --- roles/interfaces/templates/network/interfaces.d/23-adh.j2 | 3 --- 3 files changed, 9 deletions(-) diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 index ba4f486c..2bf4b97b 100644 --- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 +++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 
@@ -22,9 +22,6 @@ iface {{ srv_iface.stdout }} inet static iface {{ srv_iface.stdout }} inet6 static address {{ srv.ipv6[0].address }}/{{ srv.ipv6[0].prefix }} - autoconf 1 - accept_ra 2 - up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1 {% if ansible_local.interfaces.sup_if_6 is defined %} {% if srv_iface.stdout in ansible_local.interfaces.sup_if_6 %} {% for line in ansible_local.interfaces.sup_if_6[srv_iface.stdout] %} diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 index 36e6d154..e1f101e2 100644 --- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 +++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 @@ -22,9 +22,6 @@ iface {{ ens_iface.stdout }} inet static iface {{ ens_iface.stdout }} inet6 static address {{ ens.ipv6[0].address }}/{{ ens.ipv6[0].prefix }} - autoconf 1 - accept_ra 2 - up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1 {% if ansible_local.interfaces.sup_if_6 is defined %} {% if ens_iface.stdout in ansible_local.interfaces.sup_if_6 %} {% for line in ansible_local.interfaces.sup_if_6[ens_iface.stdout] %} diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2 index df9a47ad..45241e6b 100644 --- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 +++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2 @@ -22,9 +22,6 @@ iface {{ adh_iface.stdout }} inet static iface {{ adh_iface.stdout }} inet6 static address {{ adh.ipv6[0].address }}/{{ adh.ipv6[0].prefix }} - autoconf 1 - accept_ra 2 - up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1 {% if ansible_local.interfaces.sup_if_6 is defined %} {% if adh_iface.stdout in ansible_local.interfaces.sup_if_6 %} {% for line in ansible_local.interfaces.sup_if_6[adh_iface.stdout] %} From 459d9cc55e246d2a4be9591d56f7ced61643fe09 Mon Sep 17 00:00:00 2001 
From: Alexandre Iooss <erdnaxe@crans.org> Date: Tue, 28 Apr 2020 18:59:35 +0200 Subject: [PATCH 26/56] [interfaces] Add metrics --- interfaces.yml | 34 +++++++++++++------ .../templates/network/interfaces.d/00-srv.j2 | 5 +-- .../templates/network/interfaces.d/01-ens.j2 | 5 +-- .../templates/network/interfaces.d/02-adm.j2 | 2 +- .../network/interfaces.d/03-borne.j2 | 2 +- .../network/interfaces.d/04-switch.j2 | 2 +- .../templates/network/interfaces.d/21-fil.j2 | 5 +-- .../templates/network/interfaces.d/23-adh.j2 | 5 +-- 8 files changed, 38 insertions(+), 22 deletions(-) diff --git a/interfaces.yml b/interfaces.yml index 5c35aa32..431b69bc 100755 --- a/interfaces.yml +++ b/interfaces.yml @@ -27,16 +27,28 @@ - hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org vars: - - srv_gateway: 185.230.79.254 - - srv_dns: 185.230.79.152 185.230.79.4 - - ens_gateway: 138.231.136.254 - - ens_dns: 138.231.136.152 138.231.136.4 - - adm_dns: 10.231.136.152 10.231.136.4 - - borne_dns: 10.231.148.52 10.231.148.4 - - switch_dns: 10.231.100.152 10.231.100.4 - - fil_gateway: 10.54.0.254 - - fil_dns: 10.54.0.152 10.54.0.4 - - adh_gateway: 185.230.78.254 - - adh_dns: 185.230.78.152 185.230.78.4 + vlan: + srv: + metric: 100 + gateway: 185.230.79.254 + dns: 185.230.79.152 185.230.79.4 + ens: + metric: 300 + gateway: 138.231.136.254 + dns: 138.231.136.152 138.231.136.4 + adm: + dns: 10.231.136.152 10.231.136.4 + borne: + dns: 10.231.148.52 10.231.148.4 + switch: + dns: 10.231.100.152 10.231.100.4 + fil: + metric: 400 + gateway: 10.54.0.254 + dns: 10.54.0.152 10.54.0.4 + adh: + metric: 200 + gateway: 185.230.78.254 + dns: 185.230.78.152 185.230.78.4 roles: - interfaces 
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 index 2bf4b97b..8ac4b8a5 100644 --- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 +++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 @@ -7,9 +7,10 @@ iface {{ srv_iface.stdout }} inet static network {{ srv.ipv4.network }} netmask {{ srv.ipv4.netmask }} broadcast {{ srv.ipv4.broadcast }} - gateway {{ srv_gateway }} + gateway {{ vlan.srv.gateway }} + metric {{ vlan.srv.metric }} mtu 1496 - dns-nameservers {{ srv_dns }} + dns-nameservers {{ vlan.srv.dns }} dns-search crans.org up /sbin/ip link set $IFACE alias srv {% if ansible_local.interfaces.sup_if_4 is defined %} diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 index e1f101e2..6c308f23 100644 --- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 +++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 @@ -7,9 +7,10 @@ iface {{ ens_iface.stdout }} inet static network {{ ens.ipv4.network }} netmask {{ ens.ipv4.netmask }} broadcast {{ ens.ipv4.broadcast }} - gateway {{ ens_gateway }} + gateway {{ vlan.ens.gateway }} + metric {{ vlan.ens.metric }} mtu 1496 - dns-nameservers {{ ens_dns }} + dns-nameservers {{ vlan.ens.dns }} dns-search crans.org up /sbin/ip link set $IFACE alias ens {% if ansible_local.interfaces.sup_if_4 is defined %} diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2 index a78a660a..62fb1f1e 100644 --- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 +++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2 
@@ -8,7 +8,7 @@ iface {{ adm_iface.stdout }} inet static netmask {{ adm.ipv4.netmask }} broadcast {{ adm.ipv4.broadcast }} mtu 1496 - dns-nameservers {{ adm_dns }} + dns-nameservers {{ vlan.adm.dns }} dns-search adm.crans.org up /sbin/ip link set $IFACE alias adm {% if ansible_local.interfaces.sup_if_4 is defined %} diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2 index f9996740..7db48f6a 100644 --- a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 +++ b/roles/interfaces/templates/network/interfaces.d/03-borne.j2 @@ -8,7 +8,7 @@ iface {{ borne_iface.stdout }} inet static netmask {{ borne.ipv4.netmask }} broadcast {{ borne.ipv4.broadcast }} mtu 1496 - dns-nameservers {{ borne_dns }} + dns-nameservers {{ vlan.borne.dns }} dns-search borne.crans.org up /sbin/ip link set $IFACE alias borne {% if ansible_local.interfaces.sup_if_4 is defined %} diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2 index 57e6630f..586adef9 100644 --- a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 +++ b/roles/interfaces/templates/network/interfaces.d/04-switch.j2 @@ -8,7 +8,7 @@ iface {{ switch_iface.stdout }} inet static netmask {{ switch.ipv4.netmask }} broadcast {{ switch.ipv4.broadcast }} mtu 1496 - dns-nameservers {{ switch_dns }} + dns-nameservers {{ vlan.switch.dns }} dns-search switch.crans.org up /sbin/ip link set $IFACE alias switch {% if ansible_local.interfaces.sup_if_4 is defined %} diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2 index 198f2ca0..c5bb9508 100644 --- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 +++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2 
@@ -7,9 +7,10 @@ iface {{ fil_iface.stdout }} inet static network {{ fil.ipv4.network }} netmask {{ fil.ipv4.netmask }} broadcast {{ fil.ipv4.broadcast }} - gateway {{ fil_gateway }} + gateway {{ vlan.fil.gateway }} + metric {{ vlan.fil.metric }} mtu 1496 - dns-nameservers {{ fil_dns }} + dns-nameservers {{ vlan.fil.dns }} dns-search fil.crans.org up /sbin/ip link set $IFACE alias fil {% if ansible_local.interfaces.sup_if_4 is defined %} diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2 index 45241e6b..de2b21b7 100644 --- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 +++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2 @@ -7,9 +7,10 @@ iface {{ adh_iface.stdout }} inet static network {{ adh.ipv4.network }} netmask {{ adh.ipv4.netmask }} broadcast {{ adh.ipv4.broadcast }} - gateway {{ adh_gateway }} + gateway {{ vlan.adh.gateway }} + metric {{ vlan.adh.metric }} mtu 1496 - dns-nameservers {{ adh_dns }} + dns-nameservers {{ vlan.adh.dns }} dns-search crans.org up /sbin/ip link set $IFACE alias adh {% if ansible_local.interfaces.sup_if_4 is defined %} From a3e3532644bd38cc1c17b0d79e21ef0dd2745cc0 Mon Sep 17 00:00:00 2001 
From: Alexandre Iooss <erdnaxe@crans.org> Date: Tue, 28 Apr 2020 20:27:58 +0200 Subject: [PATCH 27/56] [interface] Factorize --- interfaces.yml | 72 +++++++++++-------- roles/interfaces/tasks/main.yml | 51 ++----------- .../templates/network/interfaces.d/00-srv.j2 | 32 --------- .../templates/network/interfaces.d/01-ens.j2 | 32 --------- .../templates/network/interfaces.d/02-adm.j2 | 30 -------- .../network/interfaces.d/03-borne.j2 | 30 -------- .../network/interfaces.d/04-switch.j2 | 30 -------- .../templates/network/interfaces.d/21-fil.j2 | 32 --------- .../templates/network/interfaces.d/23-adh.j2 | 32 --------- .../templates/network/interfaces.d/ifalias.j2 | 36 ++++++++++ 10 files changed, 85 insertions(+), 292 deletions(-) delete mode 100644 roles/interfaces/templates/network/interfaces.d/00-srv.j2 delete mode 100644 roles/interfaces/templates/network/interfaces.d/01-ens.j2 delete mode 100644 roles/interfaces/templates/network/interfaces.d/02-adm.j2 delete mode 100644 roles/interfaces/templates/network/interfaces.d/03-borne.j2 delete mode 100644 roles/interfaces/templates/network/interfaces.d/04-switch.j2 delete mode 100644 roles/interfaces/templates/network/interfaces.d/21-fil.j2 delete mode 100644 roles/interfaces/templates/network/interfaces.d/23-adh.j2 create mode 100644 roles/interfaces/templates/network/interfaces.d/ifalias.j2 diff --git a/interfaces.yml b/interfaces.yml index 431b69bc..5c7107a7 100755 --- a/interfaces.yml +++ b/interfaces.yml 
@@ -1,54 +1,70 @@ #!/usr/bin/env ansible-playbook --- -# Set variable adm_iface for all servers +# Get ifname of configured vlan for all servers - hosts: server tasks: - - shell: grep srv /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" - register: srv_iface - check_mode: no - - shell: grep ens /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" - register: ens_iface - check_mode: no - - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" - register: adm_iface - check_mode: no - - shell: grep borne /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" - register: borne_iface - check_mode: no - - shell: grep switch /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" - register: switch_iface - check_mode: no - - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" - register: fil_iface - check_mode: no - - shell: grep adh /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" - register: adh_iface + - shell: "grep {{ item }} /sys/class/net/*/ifalias | sed \"s|/sys/class/net/||\" | sed \"s|/ifalias:.*||\"" check_mode: no + register: ifaces + loop: + - srv + - ens + - adm + - borne + - switch + - fil - hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org vars: vlan: - srv: + - name: srv + id: 0 metric: 100 gateway: 185.230.79.254 dns: 185.230.79.152 185.230.79.4 - ens: + dns_search: crans.org + ifnames: "{{ ifaces | json_query('results[?item==`srv`].stdout') }}" + + - name: ens + id: 1 metric: 300 gateway: 138.231.136.254 dns: 138.231.136.152 138.231.136.4 - adm: + dns_search: crans.org + ifnames: "{{ ifaces | json_query('results[?item==`ens`].stdout') }}" + + - name: adm + id: 2 
dns: 10.231.136.152 10.231.136.4 - borne: + dns_search: adm.crans.org + ifnames: "{{ ifaces | json_query('results[?item==`adm`].stdout') }}" + + - name: borne + id: 3 dns: 10.231.148.52 10.231.148.4 - switch: + dns_search: borne.crans.org + ifnames: "{{ ifaces | json_query('results[?item==`borne`].stdout') }}" + + - name: switch + id: 4 dns: 10.231.100.152 10.231.100.4 - fil: + dns_search: switch.crans.org + ifnames: "{{ ifaces | json_query('results[?item==`switch`].stdout') }}" + + - name: fil + id: 21 metric: 400 gateway: 10.54.0.254 dns: 10.54.0.152 10.54.0.4 - adh: + dns_search: fil.crans.org + ifnames: "{{ ifaces | json_query('results[?item==`fil`].stdout') }}" + + - name: adh + id: 23 metric: 200 gateway: 185.230.78.254 dns: 185.230.78.152 185.230.78.4 + dns_search: crans.org + ifnames: "{{ ifaces | json_query('results[?item==`adh`].stdout') }}" roles: - interfaces diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml index c155fc1b..886b45d3 100644 --- a/roles/interfaces/tasks/main.yml +++ b/roles/interfaces/tasks/main.yml 
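Review bot: `adh` is missing from the `loop:` of the ifalias discovery task (`srv, ens, adm, borne, switch, fil`), while the `vlan` list below still defines an `adh` entry whose `ifnames` is taken from `ifaces.results` — that query always comes back empty, so the adh interface file is silently never deployed on any host; add `- adh` to the loop. `grep {{ item }}` is a substring match, so an alias such as `adm2` would also be collected under `adm`; `grep -lx {{ item }} /sys/class/net/*/ifalias` matches the whole alias and prints only the file name, which also simplifies the second `sed`. `json_query` requires the `jmespath` library on the controller, which nothing visible in the playbook declares.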
@@ -14,51 +14,10 @@ dest: /etc/network/interfaces mode: 0644 -- name: Deploy srv interface config +- name: Deploy interfaces config template: - src: network/interfaces.d/00-srv.j2 - dest: /etc/network/interfaces.d/00-srv + src: "network/interfaces.d/ifalias.j2" + dest: "/etc/network/interfaces.d/{{ '%02d' | format(item.id) }}-{{ item.name }}" mode: 0644 - when: srv_iface.stdout - -- name: Deploy ens interface config - template: - src: network/interfaces.d/01-ens.j2 - dest: /etc/network/interfaces.d/01-ens - mode: 0644 - when: ens_iface.stdout - -- name: Deploy adm interface config - template: - src: network/interfaces.d/02-adm.j2 - dest: /etc/network/interfaces.d/02-adm - mode: 0644 - when: adm_iface.stdout - -- name: Deploy borne interface config - template: - src: network/interfaces.d/03-borne.j2 - dest: /etc/network/interfaces.d/03-borne - mode: 0644 - when: borne_iface.stdout - -- name: Deploy switch interface config - template: - src: network/interfaces.d/04-switch.j2 - dest: /etc/network/interfaces.d/04-switch - mode: 0644 - when: switch_iface.stdout - -- name: Deploy fil interface config - template: - src: network/interfaces.d/21-fil.j2 - dest: /etc/network/interfaces.d/21-fil - mode: 0644 - when: fil_iface.stdout - -- name: Deploy adh interface config - template: - src: network/interfaces.d/23-adh.j2 - dest: /etc/network/interfaces.d/23-adh - mode: 0644 - when: adh_iface.stdout + when: (item.ifnames | length > 0) and item.ifnames[0] != '' + loop: "{{ vlan }}" diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2 deleted file mode 100644 index 8ac4b8a5..00000000 --- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 +++ /dev/null 
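Review bot: Each iteration of the new loop prints the whole `vlan` entry — including the rendered `ifnames` expression — in the task output; `loop_control:` with `label: "{{ item.name }}"` keeps the log to one word per VLAN and makes a failure easier to place. Quoting is inconsistent within the task: `src` and `dest` are double-quoted while `mode: 0644` and the `dest:` of the task above are plain, and only the templated `dest` needs quotes. The `when:` correctly skips hosts where the alias was not found, but a VLAN that disappears from a host later leaves the previously deployed `/etc/network/interfaces.d/<id>-<name>` in place — a pre-existing gap, since the removed per-VLAN tasks did not clean up either.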
@@ -1,32 +0,0 @@ -{{ ansible_header | comment }} - -{% set srv = hostvars[inventory_hostname]['ansible_' + srv_iface.stdout] %} -auto {{ srv_iface.stdout }} -iface {{ srv_iface.stdout }} inet static - address {{ srv.ipv4.address }} - network {{ srv.ipv4.network }} - netmask {{ srv.ipv4.netmask }} - broadcast {{ srv.ipv4.broadcast }} - gateway {{ vlan.srv.gateway }} - metric {{ vlan.srv.metric }} - mtu 1496 - dns-nameservers {{ vlan.srv.dns }} - dns-search crans.org - up /sbin/ip link set $IFACE alias srv -{% if ansible_local.interfaces.sup_if_4 is defined %} -{% if srv_iface.stdout in ansible_local.interfaces.sup_if_4 %} -{% for line in ansible_local.interfaces.sup_if_4[srv_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} - -iface {{ srv_iface.stdout }} inet6 static - address {{ srv.ipv6[0].address }}/{{ srv.ipv6[0].prefix }} -{% if ansible_local.interfaces.sup_if_6 is defined %} -{% if srv_iface.stdout in ansible_local.interfaces.sup_if_6 %} -{% for line in ansible_local.interfaces.sup_if_6[srv_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2 deleted file mode 100644 index 6c308f23..00000000 --- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 +++ /dev/null 
@@ -1,32 +0,0 @@ -{{ ansible_header | comment }} - -{% set ens = hostvars[inventory_hostname]['ansible_' + ens_iface.stdout] %} -auto {{ ens_iface.stdout }} -iface {{ ens_iface.stdout }} inet static - address {{ ens.ipv4.address }} - network {{ ens.ipv4.network }} - netmask {{ ens.ipv4.netmask }} - broadcast {{ ens.ipv4.broadcast }} - gateway {{ vlan.ens.gateway }} - metric {{ vlan.ens.metric }} - mtu 1496 - dns-nameservers {{ vlan.ens.dns }} - dns-search crans.org - up /sbin/ip link set $IFACE alias ens -{% if ansible_local.interfaces.sup_if_4 is defined %} -{% if ens_iface.stdout in ansible_local.interfaces.sup_if_4 %} -{% for line in ansible_local.interfaces.sup_if_4[ens_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} - -iface {{ ens_iface.stdout }} inet6 static - address {{ ens.ipv6[0].address }}/{{ ens.ipv6[0].prefix }} -{% if ansible_local.interfaces.sup_if_6 is defined %} -{% if ens_iface.stdout in ansible_local.interfaces.sup_if_6 %} -{% for line in ansible_local.interfaces.sup_if_6[ens_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2 deleted file mode 100644 index 62fb1f1e..00000000 --- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 +++ /dev/null 
@@ -1,30 +0,0 @@ -{{ ansible_header | comment }} - -{% set adm = hostvars[inventory_hostname]['ansible_' + adm_iface.stdout] %} -auto {{ adm_iface.stdout }} -iface {{ adm_iface.stdout }} inet static - address {{ adm.ipv4.address }} - network {{ adm.ipv4.network }} - netmask {{ adm.ipv4.netmask }} - broadcast {{ adm.ipv4.broadcast }} - mtu 1496 - dns-nameservers {{ vlan.adm.dns }} - dns-search adm.crans.org - up /sbin/ip link set $IFACE alias adm -{% if ansible_local.interfaces.sup_if_4 is defined %} -{% if adm_iface.stdout in ansible_local.interfaces.sup_if_4 %} -{% for line in ansible_local.interfaces.sup_if_4[adm_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} - -iface {{ adm_iface.stdout }} inet6 static - address {{ adm.ipv6[0].address }}/{{ adm.ipv6[0].prefix }} -{% if ansible_local.interfaces.sup_if_6 is defined %} -{% if adm_iface.stdout in ansible_local.interfaces.sup_if_6 %} -{% for line in ansible_local.interfaces.sup_if_6[adm_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2 deleted file mode 100644 index 7db48f6a..00000000 --- a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 +++ /dev/null 
@@ -1,30 +0,0 @@ -{{ ansible_header | comment }} - -{% set borne = hostvars[inventory_hostname]['ansible_' + borne_iface.stdout] %} -auto {{ borne_iface.stdout }} -iface {{ borne_iface.stdout }} inet static - address {{ borne.ipv4.address }} - network {{ borne.ipv4.network }} - netmask {{ borne.ipv4.netmask }} - broadcast {{ borne.ipv4.broadcast }} - mtu 1496 - dns-nameservers {{ vlan.borne.dns }} - dns-search borne.crans.org - up /sbin/ip link set $IFACE alias borne -{% if ansible_local.interfaces.sup_if_4 is defined %} -{% if borne_iface.stdout in ansible_local.interfaces.sup_if_4 %} -{% for line in ansible_local.interfaces.sup_if_4[borne_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} - -iface {{ borne_iface.stdout }} inet6 static - address {{ borne.ipv6[0].address }}/{{ borne.ipv6[0].prefix }} -{% if ansible_local.interfaces.sup_if_6 is defined %} -{% if borne_iface.stdout in ansible_local.interfaces.sup_if_6 %} -{% for line in ansible_local.interfaces.sup_if_6[borne_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2 deleted file mode 100644 index 586adef9..00000000 --- a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 +++ /dev/null 
@@ -1,30 +0,0 @@ -{{ ansible_header | comment }} - -{% set switch = hostvars[inventory_hostname]['ansible_' + switch_iface.stdout] %} -auto {{ switch_iface.stdout }} -iface {{ switch_iface.stdout }} inet static - address {{ switch.ipv4.address }} - network {{ switch.ipv4.network }} - netmask {{ switch.ipv4.netmask }} - broadcast {{ switch.ipv4.broadcast }} - mtu 1496 - dns-nameservers {{ vlan.switch.dns }} - dns-search switch.crans.org - up /sbin/ip link set $IFACE alias switch -{% if ansible_local.interfaces.sup_if_4 is defined %} -{% if switch_iface.stdout in ansible_local.interfaces.sup_if_4 %} -{% for line in ansible_local.interfaces.sup_if_4[switch_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} - -iface {{ switch_iface.stdout }} inet6 static - address {{ switch.ipv6[0].address }}/{{ switch.ipv6[0].prefix }} -{% if ansible_local.interfaces.sup_if_6 is defined %} -{% if switch_iface.stdout in ansible_local.interfaces.sup_if_6 %} -{% for line in ansible_local.interfaces.sup_if_6[switch_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2 deleted file mode 100644 index c5bb9508..00000000 --- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 +++ /dev/null 
@@ -1,32 +0,0 @@ -{{ ansible_header | comment }} - -{% set fil = hostvars[inventory_hostname]['ansible_' + fil_iface.stdout] %} -auto {{ fil_iface.stdout }} -iface {{ fil_iface.stdout }} inet static - address {{ fil.ipv4.address }} - network {{ fil.ipv4.network }} - netmask {{ fil.ipv4.netmask }} - broadcast {{ fil.ipv4.broadcast }} - gateway {{ vlan.fil.gateway }} - metric {{ vlan.fil.metric }} - mtu 1496 - dns-nameservers {{ vlan.fil.dns }} - dns-search fil.crans.org - up /sbin/ip link set $IFACE alias fil -{% if ansible_local.interfaces.sup_if_4 is defined %} -{% if fil_iface.stdout in ansible_local.interfaces.sup_if_4 %} -{% for line in ansible_local.interfaces.sup_if_4[fil_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} - -iface {{ fil_iface.stdout }} inet6 static - address {{ fil.ipv6[0].address }}/{{ fil.ipv6[0].prefix }} -{% if ansible_local.interfaces.sup_if_6 is defined %} -{% if fil_iface.stdout in ansible_local.interfaces.sup_if_6 %} -{% for line in ansible_local.interfaces.sup_if_6[fil_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2 deleted file mode 100644 index de2b21b7..00000000 --- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 +++ /dev/null 
@@ -1,32 +0,0 @@ -{{ ansible_header | comment }} - -{% set adh = hostvars[inventory_hostname]['ansible_' + adh_iface.stdout] %} -auto {{ adh_iface.stdout }} -iface {{ adh_iface.stdout }} inet static - address {{ adh.ipv4.address }} - network {{ adh.ipv4.network }} - netmask {{ adh.ipv4.netmask }} - broadcast {{ adh.ipv4.broadcast }} - gateway {{ vlan.adh.gateway }} - metric {{ vlan.adh.metric }} - mtu 1496 - dns-nameservers {{ vlan.adh.dns }} - dns-search crans.org - up /sbin/ip link set $IFACE alias adh -{% if ansible_local.interfaces.sup_if_4 is defined %} -{% if adh_iface.stdout in ansible_local.interfaces.sup_if_4 %} -{% for line in ansible_local.interfaces.sup_if_4[adh_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} - -iface {{ adh_iface.stdout }} inet6 static - address {{ adh.ipv6[0].address }}/{{ adh.ipv6[0].prefix }} -{% if ansible_local.interfaces.sup_if_6 is defined %} -{% if adh_iface.stdout in ansible_local.interfaces.sup_if_6 %} -{% for line in ansible_local.interfaces.sup_if_6[adh_iface.stdout] %} - {{ line }} -{% endfor %} -{% endif %} -{% endif %} diff --git a/roles/interfaces/templates/network/interfaces.d/ifalias.j2 b/roles/interfaces/templates/network/interfaces.d/ifalias.j2 new file mode 100644 index 00000000..daf6a938 --- /dev/null +++ b/roles/interfaces/templates/network/interfaces.d/ifalias.j2 
@@ -0,0 +1,36 @@ +{{ ansible_header | comment }} + +{% set ifconfig = hostvars[inventory_hostname]['ansible_' + item.ifnames[0]] %} +auto {{ item.ifnames[0] }} +iface {{ item.ifnames[0] }} inet static + address {{ ifconfig.ipv4.address }} + network {{ ifconfig.ipv4.network }} + netmask {{ ifconfig.ipv4.netmask }} + broadcast {{ ifconfig.ipv4.broadcast }} +{% if item.gateway is defined %} + gateway {{ item.gateway }} +{% endif %} +{% if item.metric is defined %} + metric {{ item.metric }} +{% endif %} + mtu 1496 + dns-nameservers {{ item.dns }} + dns-search {{ item.dns_search }} + up /sbin/ip link set $IFACE alias {{ item.name }} +{% if ansible_local.interfaces.sup_if_4 is defined %} +{% if item.ifnames[0] in ansible_local.interfaces.sup_if_4 %} +{% for line in ansible_local.interfaces.sup_if_4[item.ifnames[0]] %} + {{ line }} +{% endfor %} +{% endif %} +{% endif %} + +iface {{ item.ifnames[0] }} inet6 static + address {{ ifconfig.ipv6[0].address }}/{{ ifconfig.ipv6[0].prefix }} +{% if ansible_local.interfaces.sup_if_6 is defined %} +{% if item.ifnames[0] in ansible_local.interfaces.sup_if_6 %} +{% for line in ansible_local.interfaces.sup_if_6[item.ifnames[0]] %} + {{ line }} +{% endfor %} +{% endif %} +{% endif %} From b9a7e19bc0a9c43bec79f335fcc4f54f50e17cff Mon Sep 17 00:00:00 2001 From: Bombar Maxime <bombar@crans.org> Date: Wed, 29 Apr 2020 10:53:58 +0200 Subject: [PATCH 28/56] [rsync-client] Add wireguard interface. Enable backups on sputnik. --- roles/rsync-client/tasks/main.yml | 4 ++++ roles/rsync-client/templates/rsyncd.conf.j2 | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/roles/rsync-client/tasks/main.yml b/roles/rsync-client/tasks/main.yml index 13c9f44c..2647c076 100644 --- a/roles/rsync-client/tasks/main.yml +++ b/roles/rsync-client/tasks/main.yml @@ -30,3 +30,7 @@ name: rsync enabled: true state: started + +- name: TODO + debug: + msg: Make use of the lookup plugin to avoid hardcoding things ? 
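Review bot: `hostvars[inventory_hostname]['ansible_' + item.ifnames[0]]` builds the fact key from the raw kernel interface name, but as far as I recall Ansible normalises dashes to underscores when naming `ansible_<iface>` facts, so a bridge or sub-interface carrying the alias would miss its fact and the render would fail — confirm against the interface names actually aliased. `item.ifnames[0]` is the whole stdout of the grep pipeline, so if two interfaces carry the same alias the template receives both names joined by a newline rather than the first one; a `{% set ifname = item.ifnames[0] | trim %}` at the top would at least centralise the value repeated seven times here. The template also depends on the loop variable being called `item`; a `loop_control: loop_var:` in the task, or a header comment naming the expected variable, would make that contract explicit.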
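Review bot: The new `TODO` task is a `debug` module call, so it executes and prints its message on every run of the role and pads the play output with a task that does nothing; the reminder belongs in a YAML comment at the same place, `# TODO: use a lookup plugin instead of hardcoding the allowed backup hosts`, which costs nothing at run time. The hosts it refers to are the ones repeated in the `hosts allow` lines of `rsyncd.conf.j2` in this same commit.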
diff --git a/roles/rsync-client/templates/rsyncd.conf.j2 b/roles/rsync-client/templates/rsyncd.conf.j2 index e3ed5ade..bea4fc7c 100644 --- a/roles/rsync-client/templates/rsyncd.conf.j2 +++ b/roles/rsync-client/templates/rsyncd.conf.j2 @@ -34,13 +34,14 @@ address = {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.ad path = /var auth users = backupcrans secrets file = /etc/rsyncd.secrets -hosts allow = zephir.adm.crans.org 10.231.136.6 +hosts allow = zephir.adm.crans.org 10.231.136.6 {% if ansible_hostname == "sputnik" %}172.31.0.1{% endif %} + [slash] path = / auth users = backupcrans secrets file = /etc/rsyncd.secrets -hosts allow = zephir.adm.crans.org 10.231.136.6 +hosts allow = zephir.adm.crans.org 10.231.136.6 {% if ansible_hostname == "sputnik" %}172.31.0.1{% endif %} {# rsync readonly pour le miroir #} {% if ansible_hostname == "charybde" %} From a10fda1b196fe999d65db7f2faf2a5c4684f0542 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss <erdnaxe@crans.org> Date: Wed, 29 Apr 2020 12:15:12 +0200 Subject: [PATCH 29/56] [backuppc] Initial role --- roles/backuppc/tasks/main.yml | 20 +++++++++++++++++++ .../templates/update-motd.d/05-service.j2 | 3 +++ services_web.yml | 4 ++++ 3 files changed, 27 insertions(+) create mode 100644 roles/backuppc/tasks/main.yml create mode 100755 roles/backuppc/templates/update-motd.d/05-service.j2 diff --git a/roles/backuppc/tasks/main.yml b/roles/backuppc/tasks/main.yml new file mode 100644 index 00000000..bb1e89b2 --- /dev/null +++ b/roles/backuppc/tasks/main.yml 
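Review bot: Allowing `172.31.0.1` only has an effect if rsyncd also accepts connections arriving over the WireGuard interface; the `address =` line shown in the hunk header binds the daemon to the adm IPv4 address, so as written the new entry may be allowed but unreachable unless the bind address is changed elsewhere — confirm on sputnik. The identical conditional `hosts allow` expression is now duplicated in `[var]` and `[slash]`; a single `{% set backup_hosts = 'zephir.adm.crans.org 10.231.136.6' ~ (' 172.31.0.1' if ansible_hostname == 'sputnik' else '') %}` above the modules, then `hosts allow = {{ backup_hosts }}` in both, keeps the two in step (this is also what the TODO task added in the same commit asks for). When the condition is false the line keeps a trailing space, which rsyncd ignores.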
@@ -0,0 +1,20 @@ +--- +- name: Install backuppc + apt: + update_cache: true + name: backuppc + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Disable mlocate indexation of backup files + lineinfile: + path: /etc/updatedb.conf + regexp: '^PRUNEPATHS' + line: PRUNEPATHS="/tmp /var/spool /media /var/lib/os-prober /var/lib/ceph /var/lib/backuppc /backup" + +- name: Indicate role in motd + template: + src: update-motd.d/05-service.j2 + dest: /etc/update-motd.d/05-backuppc + mode: 0755 diff --git a/roles/backuppc/templates/update-motd.d/05-service.j2 b/roles/backuppc/templates/update-motd.d/05-service.j2 new file mode 100755 index 00000000..e0e1810d --- /dev/null +++ b/roles/backuppc/templates/update-motd.d/05-service.j2 @@ -0,0 +1,3 @@ +#!/usr/bin/tail +14 +{{ ansible_header | comment }} +[0m> [38;5;82mBackupPC[0m a été déployé sur cette machine. Voir [38;5;6m/etc/backuppc/[0m et [38;5;6m/var/lib/backuppc/[0m. diff --git a/services_web.yml b/services_web.yml index a6dbe2eb..934c70f9 100755 --- a/services_web.yml +++ b/services_web.yml @@ -114,3 +114,7 @@ - ftpsync - rsync-mirror - nginx-pubftp + +- hosts: zephir.adm.crans.org + roles: + - backuppc From aa47c499c6e66711ceebf6d7489f8de3ef5729ee Mon Sep 17 00:00:00 2001 From: Alexandre Iooss <erdnaxe@crans.org> Date: Wed, 29 Apr 2020 12:20:52 +0200 Subject: [PATCH 30/56] Let's eat some backups --- services_web.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services_web.yml b/services_web.yml index 934c70f9..e52e8a23 100755 --- a/services_web.yml +++ b/services_web.yml @@ -115,6 +115,6 @@ - rsync-mirror - nginx-pubftp -- hosts: zephir.adm.crans.org +- hosts: zephir.adm.crans.org,omnomnom.adm.crans.org roles: - backuppc From e54244e0c70d5f42808d70bcb8f7268df717f53f Mon Sep 17 00:00:00 2001 
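Review bot: The `lineinfile` task replaces the entire `PRUNEPATHS` value with a fixed string, so the Debian defaults and any path another role adds to `/etc/updatedb.conf` are overwritten on every host this role reaches. If the intent is only to add `/var/lib/backuppc` and `/backup`, a `backrefs: true` form with `regexp: '^PRUNEPATHS="(.*)"$'` and `line: 'PRUNEPATHS="\1 /var/lib/backuppc /backup"'` keeps the existing entries, though it then needs a guard so the paths are not appended again on each rerun. Otherwise a comment above the task stating that this role owns the whole `PRUNEPATHS` line makes the clobbering deliberate rather than accidental.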
From: Benjamin Graillot <graillot@crans.org> Date: Fri, 1 May 2020 16:59:47 +0200 Subject: [PATCH 31/56] [bind-authoritative] Add zone _acme-challenge.adm.crans.org --- .../templates/bind/named.conf.local.j2 | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/roles/bind-authoritative/templates/bind/named.conf.local.j2 b/roles/bind-authoritative/templates/bind/named.conf.local.j2 index 9752be76..e11f50c3 100644 --- a/roles/bind-authoritative/templates/bind/named.conf.local.j2 +++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2 @@ -35,6 +35,29 @@ zone "_acme-challenge.crans.org" { file "bak._acme-challenge.crans.org"; }; +// Let's Encrypt Challenge DNS-01 zone +zone "_acme-challenge.adm.crans.org" { +{% if is_master %} + type master; + notify yes; + update-policy { + grant certbot_challenge. name _acme-challenge.adm.crans.org. txt; + }; +{% else %} + type slave; + masters { +{% for ip in masters_ipv4 %} + {{ ip }}; +{% endfor -%} +{% for ip in masters_ipv6 %} + {{ ip }}; +{% endfor %} + }; + notify no; +{% endif %} + file "bak._acme-challenge.adm.crans.org"; +}; + zone "_acme-challenge.crans.fr" { {% if is_master %} type master; From 80040dd35c45c6848ff557a8ba10c8276205cade Mon Sep 17 00:00:00 2001 From: Alexandre Iooss <erdnaxe@crans.org> Date: Fri, 1 May 2020 17:17:18 +0200 Subject: [PATCH 32/56] Certbot role for gitzly --- network.yml | 20 ++++++++++++++++++- roles/certbot/tasks/main.yml | 4 ++-- .../letsencrypt/conf.d/crans.org.ini.j2 | 6 +++--- .../templates/letsencrypt/rfc2136.ini.j2 | 4 ++-- 4 files changed, 26 insertions(+), 8 deletions(-) diff --git a/network.yml b/network.yml index b7d09a19..ed74f96c 100755 --- a/network.yml +++ b/network.yml 
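Review bot: The new zone's `update-policy` grants the existing `certbot_challenge.` key, so the credential that renews the public `crans.org` certificates can also write TXT records in `_acme-challenge.adm.crans.org`; a dedicated key per zone, `grant certbot_adm_challenge. name _acme-challenge.adm.crans.org. txt;`, keeps a compromise of one certbot host from affecting the other zone. The two `masters` loops use different whitespace control (`{% endfor -%}` for IPv4, `{% endfor %}` for IPv6); using the same form in both keeps the rendered block uniform. `is_master`, `masters_ipv4` and `masters_ipv6` are used without defaults, which is fine as long as the play always sets them, so a one-line comment at the top of the zone naming them as required inputs would help the next reader.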
@@ -51,7 +51,25 @@ # Deploy reverse proxy - hosts: bakdaur.adm.crans.org vars: - certbot_dns_secret: "{{ vault_certbot_dns_secret }}" + certbot: + dns_rfc2136_name: certbot_challenge. + dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" + mail: root@crans.org + certname: crans.org + domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu" + bind: + masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}" + roles: + - certbot + +- hosts: gitzly.adm.crans.org + vars: + certbot: + dns_rfc2136_name: certbot_adm_challenge. + dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}" + mail: root@crans.org + certname: adm.crans.org + domains: "*.adm.crans.org" bind: masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}" roles: diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index 86e7c6e3..3a862fcb 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -24,6 +24,6 @@ - name: Add Certbot configuration template: - src: letsencrypt/conf.d/crans.org.ini.j2 - dest: /etc/letsencrypt/conf.d/crans.org.ini + src: "letsencrypt/conf.d/{{ certbot.certname }}.ini.j2" + dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" mode: 0644 diff --git a/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2 index d311fa76..837a60a9 100644 --- a/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2 +++ b/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2 @@ -10,7 +10,7 @@ rsa-key-size = 4096 # server = https://acme-staging.api.letsencrypt.org/directory # Uncomment and update to register with the specified e-mail address -email = root@crans.org +email = {{ certbot.mail }} # Uncomment to use a text interface instead of ncurses text = True 
@@ -21,5 +21,5 @@ dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini dns-rfc2136-propagation-seconds = 30 # Wildcard the domain -cert-name = crans.org -domains = crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu +cert-name = {{ certbot.certname }} +domains = {{ certbot.domains }} diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 index 54b272b5..a41a547d 100644 --- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 +++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 @@ -2,6 +2,6 @@ dns_rfc2136_server = {{ dns_masters_ipv4 | first }} dns_rfc2136_port = 53 -dns_rfc2136_name = certbot_challenge. -dns_rfc2136_secret = {{ certbot_dns_secret }} +dns_rfc2136_name = {{ certbot.dns_rfc2136_name }} +dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }} dns_rfc2136_algorithm = HMAC-SHA512 From 4e6571a179e50d43f53c1c3c152c63c2c85c79f4 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss <erdnaxe@crans.org> Date: Fri, 1 May 2020 17:35:27 +0200 Subject: [PATCH 33/56] New DNS key --- network.yml | 1 + roles/bind-authoritative/templates/bind/named.conf.local.j2 | 6 +++++- roles/certbot/tasks/main.yml | 2 +- .../conf.d/{crans.org.ini.j2 => certname.ini.j2} | 0 4 files changed, 7 insertions(+), 2 deletions(-) rename roles/certbot/templates/letsencrypt/conf.d/{crans.org.ini.j2 => certname.ini.j2} (100%) diff --git a/network.yml b/network.yml index ed74f96c..97cc9737 100755 --- a/network.yml +++ b/network.yml @@ -40,6 +40,7 @@ - hosts: silice.adm.crans.org,sputnik.adm.crans.org,boeing.adm.crans.org vars: certbot_dns_secret: "{{ vault_certbot_dns_secret }}" + certbot_adm_dns_secret: "{{ vault_certbot_adm_dns_secret }}" bind: masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}" slaves: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-slave')[0] }}" 
diff --git a/roles/bind-authoritative/templates/bind/named.conf.local.j2 b/roles/bind-authoritative/templates/bind/named.conf.local.j2 index e11f50c3..9d76d8e8 100644 --- a/roles/bind-authoritative/templates/bind/named.conf.local.j2 +++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2 @@ -10,6 +10,10 @@ key "certbot_challenge." { algorithm hmac-sha512; secret "{{ certbot_dns_secret }}"; }; +key "certbot_adm_challenge." { + algorithm hmac-sha512; + secret "{{ certbot_adm_dns_secret }}"; +}; {% endif %} // Let's Encrypt Challenge DNS-01 zone @@ -41,7 +45,7 @@ zone "_acme-challenge.adm.crans.org" { type master; notify yes; update-policy { - grant certbot_challenge. name _acme-challenge.adm.crans.org. txt; + grant certbot_adm_challenge. name _acme-challenge.adm.crans.org. txt; }; {% else %} type slave; diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index 3a862fcb..b32845cc 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -24,6 +24,6 @@ - name: Add Certbot configuration template: - src: "letsencrypt/conf.d/{{ certbot.certname }}.ini.j2" + src: "letsencrypt/conf.d/certname.ini.j2" dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" mode: 0644 diff --git a/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 similarity index 100% rename from roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2 rename to roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 From bcba080057d86874a1740939a02bc17c71b80bcb Mon Sep 17 00:00:00 2001 From: Alexandre Iooss <erdnaxe@crans.org> Date: Fri, 1 May 2020 18:37:51 +0200 Subject: [PATCH 34/56] Clean up Framadate for shireen --- roles/framadate/tasks/main.yml | 14 +++++++------- .../templates/update-motd.d/05-service.j2 | 3 +-- services_web.yml | 12 ++++-------- 3 files changed, 12 insertions(+), 17 deletions(-) 
diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml index b3584f62..02c698e7 100644 --- a/roles/framadate/tasks/main.yml +++ b/roles/framadate/tasks/main.yml @@ -16,23 +16,23 @@ - name: Clone framadate project git: - repo: "{{ framadate_repo }}" - dest: "{{ framadate_path }}" - version: "{{ framadate_version }}" + repo: "{{ framadate.repo }}" + dest: "{{ framadate.path }}" + version: "{{ framadate.version }}" - name: Set perms on framadate code file: - path: "{{ framadate_path }}" + path: "{{ framadate.path }}" state: directory - owner: "{{ framadate_user }}" + owner: www-data recurse: true - name: Install Framadate dependencies composer: command: install - working_dir: "{{ framadate_path }}" + working_dir: "{{ framadate.path }}" become: true - become_user: "{{ framadate_user }}" + become_user: www-data register: composer_result retries: 3 until: composer_result is succeeded diff --git a/roles/framadate/templates/update-motd.d/05-service.j2 b/roles/framadate/templates/update-motd.d/05-service.j2 index bf029cde..d0598362 100755 --- a/roles/framadate/templates/update-motd.d/05-service.j2 +++ b/roles/framadate/templates/update-motd.d/05-service.j2 @@ -1,4 +1,3 @@ #!/usr/bin/tail +14 {{ ansible_header | comment }} -> framadate a été déployé sur cette machine. - Voir {{ framadate_path }} +[0m> [38;5;82mFramadate[0m a été déployé sur cette machine. Voir [38;5;6m{{ framadate.path }}[0m. diff --git a/services_web.yml b/services_web.yml index e52e8a23..17515e3f 100755 --- a/services_web.yml +++ b/services_web.yml 
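Review bot: `owner: www-data` with `recurse: true` on `framadate.path` hands the whole checkout, PHP sources included, to the user the web server runs as, so any flaw in the application lets the web process rewrite its own code. Keep the tree owned by root (or a dedicated deploy user) and chown only the directories Framadate must write, such as `admin/` and its log and cache files; if `composer install` needs write access to `vendor/`, run it as that deploy user instead of `become_user: www-data`. Replacing `framadate_user` with a literal `www-data` in three places also removes the one knob that made this adjustable; a `framadate.user` key would keep it in line with the new `framadate.path` and `framadate.repo` style.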
@@ -7,14 +7,10 @@ # Deploy FramaDate - hosts: voyager.adm.crans.org vars: - # mirror on Crans GitLab because adm has no network - framadate_repo: https://framagit.org/framasoft/framadate/framadate.git - framadate_version: 1.1.10 - - # User who will run framadate - # you will have to `sudo -u THISUSER zsh` to debug - framadate_user: www-data - framadate_path: /var/www/framadate + framadate: + repo: https://framagit.org/framasoft/framadate/framadate.git + version: 1.1.10 + path: /var/www/framadate roles: - framadate From 37406ff774cdaad944d5083e84eceb159536d2ba Mon Sep 17 00:00:00 2001 From: Alexandre Iooss <erdnaxe@crans.org> Date: Sat, 2 May 2020 10:18:10 +0200 Subject: [PATCH 35/56] [nginx-reverseproxy] Initial role --- network.yml | 72 ++++++++++++++++ roles/nginx-reverseproxy/handlers/main.yml | 5 ++ roles/nginx-reverseproxy/tasks/main.yml | 40 +++++++++ .../templates/nginx/redirect.j2 | 83 +++++++++++++++++++ .../templates/nginx/reverseproxy.j2 | 62 ++++++++++++++ .../nginx/reverseproxy_redirect_dname.j2 | 44 ++++++++++ .../templates/update-motd.d/05-service.j2 | 3 + .../templates/www/html/50x.html.j2 | 63 ++++++++++++++ 8 files changed, 372 insertions(+) create mode 100644 roles/nginx-reverseproxy/handlers/main.yml create mode 100644 roles/nginx-reverseproxy/tasks/main.yml create mode 100644 roles/nginx-reverseproxy/templates/nginx/redirect.j2 create mode 100644 roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 create mode 100644 roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 create mode 100755 roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 create mode 100644 roles/nginx-reverseproxy/templates/www/html/50x.html.j2 diff --git a/network.yml b/network.yml index 97cc9737..daf70236 100755 --- a/network.yml +++ b/network.yml 
@@ -60,8 +60,80 @@ domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu" bind: masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}" + nginx: + ssl: + cert: /etc/letsencrypt/live/crans.org/fullchain.pem + cert_key: /etc/letsencrypt/live/crans.org/privkey.pem + trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem + + redirect_dnames: + - crans.eu + - crans.fr + + reverseproxy_sites: + # Services web Crans + - {from: lutim.crans.org, to: 10.231.136.69} + - {from: zero.crans.org, to: 10.231.136.76} + - {from: pad.crans.org, to: 10.231.136.76} + - {from: ethercalc.crans.org, to: 10.231.136.203} + - {from: mediadrop.crans.org, to: 10.231.136.106} + - {from: videos.crans.org, to: 10.231.136.106} + - {from: video.crans.org, to: 10.231.136.106} + - {from: roundcube.crans.org, to: 10.231.136.105} + - {from: phabricator.crans.org, to: 10.231.136.123} + - {from: trackerusercontent.crans.org, to: 10.231.136.123} + - {from: cas.crans.org, to: 10.231.136.18} + - {from: auth.crans.org, to: 10.231.136.18} + - {from: login.crans.org, to: 10.231.136.18} + - {from: webmail.crans.org, to: 10.231.136.107} + - {from: horde.crans.org, to: 10.231.136.107} + - {from: owncloud.crans.org, to: 10.231.136.26} + - {from: ftps.crans.org, to: 10.231.136.98} + - {from: wiki.crans.org, to: 10.231.136.204} + - {from: www.crans.org, to: 10.231.136.46} + - {from: doc.crans.org, to: 10.231.136.46} + - {from: limesurvey.crans.org, to: 10.231.136.253} + - {from: lutim.crans.org, to: 10.231.136.69} + - {from: perso.crans.org, to: 10.231.136.1} + - {from: webnews.crans.org, to: 10.231.136.63} + - {from: re2o.crans.org, to: 10.231.136.9} + - {from: intranet.crans.org, to: 10.231.136.9} + - {from: autoconfig.crans.org, to: 10.231.136.46} + - {from: grafana.crans.org, to: 10.231.136.102} + - {from: webirc.crans.org, to: "10.231.136.1:9000"} + + # Zamok + - {from: install-party.crans.org, to: 10.231.136.1} + - {from: med.crans.org, to: 10.231.136.1} + - {from: 
med-cartons.crans.org, to: 10.231.136.1} + - {from: amap.crans.org, to: 10.231.136.1} + - {from: pot-vieux.crans.org, to: 10.231.136.1} + - {from: bonvivens.crans.org, to: 10.231.136.1} + + redirect_sites: + - {from: crans.org, to: www.crans.org} + + # Aliases or legacy support + - {from: factures.crans.org, to: intranet.crans.org} + - {from: accounts.crans.org, to: intranet.crans.org} + - {from: intranet2.crans.org, to: intranet.crans.org} + - {from: clubs.crans.org, to: perso.crans.org} + - {from: task.crans.org, to: phabricator.crans.org} + - {from: adopteunpingouin.crans.org, to: install-party.crans.org} + - {from: i-p.crans.org, to: install-party.crans.org} + + # To the wiki + - {from: wikipedia.crans.org, to: wiki.crans.org} + - {from: wifi.crans.org, to: wiki.crans.org/CransD%C3%A9marrage} + - {from: television.crans.org, to: wiki.crans.org/CransTv} + - {from: tv.crans.org, to: wiki.crans.org/CransTv} + + # ENS Cachan + - {from: crans.ens-cachan.fr, to: www.crans.org} + - {from: install-party.ens-cachan.fr, to: install-party.crans.org} roles: - certbot + - nginx-reverseproxy - hosts: gitzly.adm.crans.org vars: diff --git a/roles/nginx-reverseproxy/handlers/main.yml b/roles/nginx-reverseproxy/handlers/main.yml new file mode 100644 index 00000000..6dfcdd76 --- /dev/null +++ b/roles/nginx-reverseproxy/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Reload nginx + systemd: + name: nginx + state: reloaded diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml new file mode 100644 index 00000000..3c95a8f7 --- /dev/null +++ b/roles/nginx-reverseproxy/tasks/main.yml 
@@ -0,0 +1,40 @@ +--- +- name: Install NGINX + apt: + update_cache: true + name: nginx + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Copy reverse proxy sites + template: + src: "nginx/{{ item }}.j2" + dest: "/etc/nginx/sites-available/{{ item }}" + loop: + - reverseproxy + - reverseproxy_redirect_dname + - redirect + notify: Reload nginx + +- name: Activate sites + file: + src: "/etc/nginx/sites-available/{{ item }}" + dest: "/etc/nginx/sites-enabled/{{ item }}" + state: link + loop: + - reverseproxy + - reverseproxy_redirect_dname + - redirect + notify: Reload nginx + +- name: Copy 50x error page + template: + src: www/html/50x.html.j2 + dest: /var/www/html/50x.html + +- name: Indicate role in motd + template: + src: update-motd.d/05-service.j2 + dest: /etc/update-motd.d/05-nginx + mode: 0755 diff --git a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 b/roles/nginx-reverseproxy/templates/nginx/redirect.j2 new file mode 100644 index 00000000..fb177b9a --- /dev/null +++ b/roles/nginx-reverseproxy/templates/nginx/redirect.j2 
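Review bot: None of the three generated site files declares a `default_server`, so a request whose `Host`/SNI matches no `server_name` is answered by whichever server block nginx loads first (presumably the first site in `redirect`, given the alphabetical include of `sites-enabled`), and the stock `sites-enabled/default` shipped by the package is left in place on port 80. Add a catch-all such as `server { listen 443 ssl default_server; listen [::]:443 ssl default_server; server_name _; return 444; }` with the same certificate directives, plus a `file:` task with `state: absent` for `/etc/nginx/sites-enabled/default`. The `Copy reverse proxy sites` task also notifies `Reload nginx` without any syntax check, so a broken render takes every proxied site down at reload; a `command: nginx -t` task between the template step and the handler (or before the activation task) would fail the play instead. Neither `template` task sets `mode:`, which is harmless for public config but worth making explicit for consistency with the motd task.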
@@ -0,0 +1,83 @@ +{{ ansible_header | comment }} + +{% for site in nginx.redirect_sites %} +# Redirect http://{{ site.from }} to http://{{ site.to }} +server { + listen 80; + listen [::]:80; + + server_name {{ site.from }}; + + location / { + return 302 http://{{ site.to }}$request_uri; + } +} + +# Redirect https://{{ site.from }} to https://{{ site.to }} +server { + listen 443; + listen [::]:443; + + server_name {{ site.from }}; + + ssl on; + ssl_certificate {{ nginx.ssl.cert }}; + ssl_certificate_key {{ nginx.ssl.cert_key }}; + + # SSL ciphers updated by Debian + include "/etc/letsencrypt/options-ssl-nginx.conf"; + + # Enable OCSP Stapling, point to certificate chain + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + + location / { + return 302 https://{{ site.to }}$request_uri; + } +} + +{% endfor %} + +{# Also redirect for DNAMEs #} +{% for dname in nginx.redirect_dnames %} +{% for site in nginx.redirect_sites %} +{% set from = site.from | regex_replace('crans.org', dname) %} +# Redirect http://{{ from }} to http://{{ site.to }} +server { + listen 80; + listen [::]:80; + + server_name {{ from }}; + + location / { + return 302 http://{{ site.to }}$request_uri; + } +} + +# Redirect https://{{ from }} to https://{{ site.to }} +server { + listen 443; + listen [::]:443; + + server_name {{ from }}; + + ssl on; + ssl_certificate {{ nginx.ssl.cert }}; + ssl_certificate_key {{ nginx.ssl.cert_key }}; + + # SSL ciphers updated by Debian + include "/etc/letsencrypt/options-ssl-nginx.conf"; + + # Enable OCSP Stapling, point to certificate chain + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + + location / { + return 302 https://{{ site.to }}$request_uri; + } +} + +{% endfor %} +{% endfor %} diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 new file mode 100644 index 00000000..eab44a49 
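Review bot: The port-80 server blocks redirect to `http://{{ site.to }}$request_uri`, so a visitor who arrives over plain HTTP stays on plaintext for one more hop; redirecting straight to `https://{{ site.to }}$request_uri` from both listeners removes that step, since every target is served over TLS by the sibling `reverseproxy` file. `regex_replace('crans.org', dname)` treats the dots as wildcards and is unanchored, so `'crans\.org$'` is the safer pattern, and for a `site.from` that is not under crans.org the DNAME loop yields `from == site.from` and emits a second server block with the same `server_name`, which nginx reports as conflicting and ignores. `ssl on;` with a bare `listen 443;` is the deprecated spelling of `listen 443 ssl;` / `listen [::]:443 ssl;` and logs a warning on nginx 1.15 and later. The same three points apply to the `reverseproxy_redirect_dname.j2` hunk in this commit.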
--- /dev/null +++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 @@ -0,0 +1,62 @@ +{{ ansible_header | comment }} + +{% for site in nginx.reverseproxy_sites %} +# Redirect http://{{ site.from }} to https://{{ site.from }} +server { + listen 80; + listen [::]:80 + + server_name {{ site.from }}; + + location / { + return 302 https://$host$request_uri; + } +} + +# Reverse proxify https://{{ site.from }} to http://{{ site.to }} +server { + listen 443; + listen [::]:443; + + server_name {{ site.from }}; + + ssl on; + ssl_certificate {{ nginx.ssl.cert }}; + ssl_certificate_key {{ nginx.ssl.cert_key }}; + + # SSL ciphers updated by Debian + include "/etc/letsencrypt/options-ssl-nginx.conf"; + + # Enable OCSP Stapling, point to certificate chain + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + + # Log into separate log files + access_log /var/log/nginx/{{ site.from }}.log; + error_log /var/log/nginx/{{ site.from }}_error.log; + + # Keep the TCP connection open a bit for faster browsing + keepalive_timeout 70; + + # Custom error page + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /var/www/html; + } + + set_real_ip_from 10.231.136.0/24; + set_real_ip_from 2a0c:700:0:2::/64; + real_ip_header P-Real-Ip; + + location / { + proxy_set_header Host {{ site.from }}; + proxy_set_header P-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_redirect off; + proxy_pass http://{{ site.to }}; + } +} + +{% endfor %} diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 new file mode 100644 index 00000000..1affe511 --- /dev/null +++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 
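Review bot: `set_real_ip_from 10.231.136.0/24`, `set_real_ip_from 2a0c:700:0:2::/64` and `real_ip_header P-Real-Ip` sit in the proxy's own server block, where they make nginx replace `$remote_addr` with whatever `P-Real-Ip` header a client from those networks sends, so the per-site access log and any address-based rule on this host can be spoofed by anything on the adm network; the three directives belong in the backends' configuration, which is where this proxy injects `P-Real-IP`. `P-Real-IP` is also a non-standard header name, so backends or libraries that expect `X-Real-IP` will not pick it up; either use `X-Real-IP` or document the choice next to the `proxy_set_header` line. `listen 443;` with `ssl on;` is the deprecated form of `listen 443 ssl;`, and since every site is forced to HTTPS by the port-80 block, an `add_header Strict-Transport-Security "max-age=..." always;` line in the 443 block would make that downgrade protection stick in browsers.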
@@ -0,0 +1,44 @@ +{{ ansible_header | comment }} + +{% for dname in nginx.redirect_dnames %} +{% for site in nginx.reverseproxy_sites %} +{% set from = site.from | regex_replace('crans.org', dname) %} +{% set to = site.from %} +# Redirect http://{{ from }} to http://{{ to }} +server { + listen 80; + listen [::]:80; + + server_name {{ from }}; + + location / { + return 302 http://{{ to }}$request_uri; + } +} + +# Redirect https://{{ from }} to https://{{ to }} +server { + listen 443; + listen [::]:443; + + server_name {{ from }}; + + ssl on; + ssl_certificate {{ nginx.ssl.cert }}; + ssl_certificate_key {{ nginx.ssl.cert_key }}; + + # SSL ciphers updated by Debian + include "/etc/letsencrypt/options-ssl-nginx.conf"; + + # Enable OCSP Stapling, point to certificate chain + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + + location / { + return 302 https://{{ to }}$request_uri; + } +} + +{% endfor %} +{% endfor %} diff --git a/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 b/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 new file mode 100755 index 00000000..82373d0b --- /dev/null +++ b/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 @@ -0,0 +1,3 @@ +#!/usr/bin/tail +14 +{{ ansible_header | comment }} +[0m> [38;5;82mNGINX[0m a été déployé sur cette machine. Voir [38;5;6m/etc/nginx/[0m. diff --git a/roles/nginx-reverseproxy/templates/www/html/50x.html.j2 b/roles/nginx-reverseproxy/templates/www/html/50x.html.j2 new file mode 100644 index 00000000..b4bde1f9 --- /dev/null +++ b/roles/nginx-reverseproxy/templates/www/html/50x.html.j2 
@@ -0,0 +1,63 @@ +<!doctype html> +<html lang="fr"> +<head> + <meta charset="utf-8"> + <title>502</title> + <meta name="viewport" content="width=device-width, initial-scale=1"> + <style> + * { + line-height: 1.2; + margin: 0; + } + + html { + color: #888; + display: table; + font-family: sans-serif; + height: 100%; + text-align: center; + width: 100%; + } + + body { + display: table-cell; + vertical-align: middle; + margin: 2em auto; + } + + a { + color: #888; + text-decoration: underline dotted; + } + + h1 { + color: #555; + font-size: 2em; + font-weight: 400; + } + + p { + margin: 1em auto; + max-width: 480px; + } + + @media only screen and (max-width: 280px) { + body, p { + width: 95%; + } + + h1 { + font-size: 1.5em; + margin: 0 0 0.3em; + } + } + </style> +</head> +<body> + <h1>502</h1> + <p>Whoops, le service prend trop de temps à répondre…</p> + <p>Essayez de rafraîchir la page. Si le problème persiste, pensez + à contacter <a href="mailto:contact@crans.org">l'équipe technique du Cr@ns</a>.</p> +</body> +</html> + From 3d80f716468ebdbbb8631092b1666626f2a8a716 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss <erdnaxe@crans.org> Date: Sat, 2 May 2020 10:39:45 +0200 Subject: [PATCH 36/56] Fix yaml syntax --- base.yml | 4 ++-- interfaces.yml | 2 +- network.yml | 2 +- roles/postfix/handlers/main.yml | 1 + upgrade.yml | 2 +- 5 files changed, 6 insertions(+), 5 deletions(-) diff --git a/base.yml b/base.yml index 5bf6a4e7..1f3d6506 100755 --- a/base.yml +++ b/base.yml @@ -6,8 +6,8 @@ - name: Register adm interface in adm_iface variable shell: set -o pipefail && grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" register: adm_iface - check_mode: no - changed_when: True + check_mode: false + changed_when: true args: executable: /bin/bash diff --git a/interfaces.yml b/interfaces.yml index 5c7107a7..bce7ced2 100755 --- a/interfaces.yml +++ b/interfaces.yml 
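Review bot: The page is registered for `500 502 503 504` in `reverseproxy.j2` but its `<title>` and `<h1>` read `502`, so a backend that returns 500 or 503 is presented to the user as a bad-gateway error; a neutral heading such as `Service indisponible` (or `50x`, matching the file name) is accurate for all four codes. The body text about the service taking too long to answer likewise only fits 502/504 and could be reworded to cover a generic upstream failure.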
@@ -4,7 +4,7 @@ - hosts: server tasks: - shell: "grep {{ item }} /sys/class/net/*/ifalias | sed \"s|/sys/class/net/||\" | sed \"s|/ifalias:.*||\"" - check_mode: no + check_mode: false register: ifaces loop: - srv diff --git a/network.yml b/network.yml index daf70236..fdc49662 100755 --- a/network.yml +++ b/network.yml @@ -65,7 +65,7 @@ cert: /etc/letsencrypt/live/crans.org/fullchain.pem cert_key: /etc/letsencrypt/live/crans.org/privkey.pem trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem - + redirect_dnames: - crans.eu - crans.fr diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml index 49094649..8fa449d5 100644 --- a/roles/postfix/handlers/main.yml +++ b/roles/postfix/handlers/main.yml @@ -1,3 +1,4 @@ +--- - name: generate postmaps command: /usr/sbin/postmap {{ item }} loop: diff --git a/upgrade.yml b/upgrade.yml index 27798c15..194f0137 100755 --- a/upgrade.yml +++ b/upgrade.yml @@ -21,7 +21,7 @@ - hosts: owncloud-srv.adm.crans.org become_user: www-data - become: yes + become: true vars: # Owncloud command line interface occ_bin: '/var/www/owncloud/occ' From 0a50480ad7b1479bd3004af20aae7f0be6da6ec7 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss <erdnaxe@crans.org> Date: Sat, 2 May 2020 13:03:29 +0200 Subject: [PATCH 37/56] Minor fixes on reverse proxy --- network.yml | 3 +-- roles/certbot/tasks/main.yml | 5 +++++ roles/nginx-reverseproxy/tasks/main.yml | 10 +++++++++- roles/nginx-reverseproxy/templates/nginx/redirect.j2 | 2 ++ .../nginx-reverseproxy/templates/nginx/reverseproxy.j2 | 2 +- .../templates/nginx/reverseproxy_redirect_dname.j2 | 2 ++ 6 files changed, 20 insertions(+), 4 deletions(-) diff --git a/network.yml b/network.yml index fdc49662..2bde72ff 100755 --- a/network.yml +++ b/network.yml @@ -50,7 +50,7 @@ - bind-authoritative # Deploy reverse proxy -- hosts: bakdaur.adm.crans.org +- hosts: bakdaur.adm.crans.org,sputnik.adm.crans.org vars: certbot: dns_rfc2136_name: certbot_challenge. 
@@ -93,7 +93,6 @@ - {from: www.crans.org, to: 10.231.136.46} - {from: doc.crans.org, to: 10.231.136.46} - {from: limesurvey.crans.org, to: 10.231.136.253} - - {from: lutim.crans.org, to: 10.231.136.69} - {from: perso.crans.org, to: 10.231.136.1} - {from: webnews.crans.org, to: 10.231.136.63} - {from: re2o.crans.org, to: 10.231.136.9} diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index b32845cc..2e9c8b26 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -22,6 +22,11 @@ mode: 0600 owner: root +- name: Create /etc/letsencrypt/conf.d + file: + path: /etc/letsencrypt/conf.d + state: directory + - name: Add Certbot configuration template: src: "letsencrypt/conf.d/certname.ini.j2" diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml index 3c95a8f7..1fee6a3c 100644 --- a/roles/nginx-reverseproxy/tasks/main.yml +++ b/roles/nginx-reverseproxy/tasks/main.yml @@ -2,11 +2,19 @@ - name: Install NGINX apt: update_cache: true - name: nginx + name: + - nginx + - python3-certbot-nginx # for options-ssl-nginx.conf register: apt_result retries: 3 until: apt_result is succeeded +- name: Copy certbot SSL snippet + copy: + remote_src: true + src: /usr/lib/python3/dist-packages/certbot_nginx/options-ssl-nginx.conf + dest: /etc/letsencrypt/options-ssl-nginx.conf + - name: Copy reverse proxy sites template: src: "nginx/{{ item }}.j2" diff --git a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 b/roles/nginx-reverseproxy/templates/nginx/redirect.j2 index fb177b9a..4d60807e 100644 --- a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/redirect.j2 @@ -43,6 +43,7 @@ server { {% for dname in nginx.redirect_dnames %} {% for site in nginx.redirect_sites %} {% set from = site.from | regex_replace('crans.org', dname) %} +{% if from != site.from %} # Redirect http://{{ from }} to http://{{ site.to }} server { listen 80; 
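Review bot: The `Copy certbot SSL snippet` task with `remote_src: true` takes a one-time snapshot of `options-ssl-nginx.conf`, so the `# SSL ciphers updated by Debian` comment in the site templates no longer holds: the protocol and cipher settings now change only when this playbook is re-run after a package upgrade. Either point the templates' `include` at the package path directly, or put the semantics in a comment above the task, e.g. `# Snapshot of certbot's snippet; rerun this play after upgrading python3-certbot-nginx to pick up cipher changes`. The source path under `/usr/lib/python3/dist-packages/certbot_nginx/` is an implementation detail of the package and may move between versions; the task would then fail loudly rather than silently, which is acceptable but worth stating in the same comment.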
@@ -79,5 +80,6 @@ server { } } +{% endif %} {% endfor %} {% endfor %} diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 index eab44a49..31c34462 100644 --- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 @@ -4,7 +4,7 @@ # Redirect http://{{ site.from }} to https://{{ site.from }} server { listen 80; - listen [::]:80 + listen [::]:80; server_name {{ site.from }}; diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 index 1affe511..8fc57808 100644 --- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 @@ -4,6 +4,7 @@ {% for site in nginx.reverseproxy_sites %} {% set from = site.from | regex_replace('crans.org', dname) %} {% set to = site.from %} +{% if from != site.from %} # Redirect http://{{ from }} to http://{{ to }} server { listen 80; @@ -40,5 +41,6 @@ server { } } +{% endif %} {% endfor %} {% endfor %} From 6b8c84257f87f7029ce6740a0091d6e0ab5fa215 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss <erdnaxe@crans.org> Date: Sat, 2 May 2020 13:05:16 +0200 Subject: [PATCH 38/56] =?UTF-8?q?j'ai=20d=C3=A9t=C3=A9r=C3=A9=20frontdaur?= =?UTF-8?q?=20mami!?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- network.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network.yml b/network.yml index 2bde72ff..a6ec7a1c 100755 --- a/network.yml +++ b/network.yml @@ -50,7 +50,7 @@ - bind-authoritative # Deploy reverse proxy -- hosts: bakdaur.adm.crans.org,sputnik.adm.crans.org +- hosts: bakdaur.adm.crans.org,frontdaur.adm.crans.org vars: certbot: dns_rfc2136_name: certbot_challenge. From 22c22a3cb094f5e614f5988c679e4041a4f79fb2 Mon Sep 17 00:00:00 2001 
From: Benjamin Graillot <graillot@crans.org> Date: Sat, 2 May 2020 13:19:16 +0200 Subject: [PATCH 39/56] [keepalived] Don't hardcode proxies adm interface --- roles/keepalived/templates/keepalived/keepalived.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/keepalived/templates/keepalived/keepalived.conf.j2 b/roles/keepalived/templates/keepalived/keepalived.conf.j2 index 219d6b4f..9237116f 100644 --- a/roles/keepalived/templates/keepalived/keepalived.conf.j2 +++ b/roles/keepalived/templates/keepalived/keepalived.conf.j2 @@ -20,7 +20,7 @@ vrrp_instance VI_DAUR4 { priority 100 {% endif %} - interface eth1 + interface {{ keepalived.if_adm }} virtual_router_id 51 advert_int 2 authentication { @@ -46,7 +46,7 @@ vrrp_instance VI_DAUR6 { priority 100 {% endif %} - interface eth1 + interface {{ keepalived.if_adm }} virtual_router_id 51 advert_int 2 authentication { From 341d4a1768cda2627a799a86921d2475638c4629 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss <erdnaxe@crans.org> Date: Sat, 2 May 2020 13:29:07 +0200 Subject: [PATCH 40/56] =?UTF-8?q?Il=20=C3=A9tait=20une=20fois,=20dans=20un?= =?UTF-8?q?=20virtu=20tr=C3=A8s=20tr=C3=A8s=20lointain?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- hosts | 2 +- interfaces.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts b/hosts index 32248d9f..6b4c2755 100644 --- a/hosts +++ b/hosts @@ -34,7 +34,7 @@ cas-srv.adm.crans.org dhcp.adm.crans.org eap.adm.crans.org ethercalc-srv.adm.crans.org -#frontdaur.adm.crans.org +frontdaur.adm.crans.org gitzly.adm.crans.org horde-srv.adm.crans.org ipv6-zayo.adm.crans.org diff --git a/interfaces.yml b/interfaces.yml index bce7ced2..b32a9d03 100755 --- a/interfaces.yml +++ b/interfaces.yml 
@@ -14,7 +14,7 @@ - switch - fil -- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org +- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org,frontdaur.adm.crans.org vars: vlan: - name: srv From e3bd8fcdabb638683417be2154abe24646109c0e Mon Sep 17 00:00:00 2001 From: Benjamin Graillot <graillot@crans.org> Date: Sat, 2 May 2020 14:17:00 +0200 Subject: [PATCH 41/56] [keepalived] Deploy keepalived on frontdaur --- re2o-api.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/re2o-api.yml b/re2o-api.yml index 0952348c..da0938f9 100755 --- a/re2o-api.yml +++ b/re2o-api.yml @@ -88,3 +88,20 @@ router_broadcast_wifinewserveurs: 10.53.0.255 roles: - keepalived + +# Deploy keepalived on frontdaur +- hosts: frontdaur.adm.crans.org + vars: + keepalived: + radius: false + router: false + proxy: true + proxy_primary: false + proxy_password: "{{ vault_keepalived_proxy_password }}" + if_adm: eth1 + if_srv: eth0 + proxy_ipv4_srv: 185.230.79.194 + proxy_broadcast_srv: 185.230.79.255 + proxy_ipv6_srv: 2a0c:700:0:24:ba:ccff:feda:aa00 + roles: + - keepalived From a96a0cfce4080b7dbe9b7d5a966cb8a90df1d5b2 Mon Sep 17 00:00:00 2001 From: pa <pa@crans.org> Date: Sat, 2 May 2020 15:43:26 +0200 Subject: [PATCH 42/56] [Framadate] log file creation --- roles/framadate/tasks/main.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml index 02c698e7..1452702c 100644 --- a/roles/framadate/tasks/main.yml +++ b/roles/framadate/tasks/main.yml 
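Review bot: The new frontdaur play sets `proxy_ipv4_srv`, `proxy_broadcast_srv` and `proxy_ipv6_srv`, but as far as this series shows the keepalived template at this revision reads `keepalived.proxy_ipv4` / `keepalived.proxy_ipv6` and hard-codes `brd 138.231.143.255 dev eth0` (these appear as the removed lines of the later keepalived.conf.j2 hunk), so rendering for this host would hit an undefined variable and the broadcast would not match `185.230.79.255`. Align the variable names with the template (or the template with the play) in the same commit so the VRRP configuration is deployable from this revision. The play file continues outside the hunk.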
@@ -37,9 +37,12 @@
 retries: 3
 until: composer_result is succeeded
-# cd framadate
-# sudo -u www-data touch admin/stdout.log
-# sudo chmod 600 admin/stdout.log
+- name:
+ file:
+ path: "{{ framadate.path }}/admin/stdout.log"
+ owner: www-data
+ state: touch
+ mode: 0600
 - name: Indicate role in motd
 template:
From b51d53fe35a329dea6d8e87f0cf225f070f7b0a6 Mon Sep 17 00:00:00 2001
From: pa <pa@crans.org>
Date: Sat, 2 May 2020 15:56:27 +0200
Subject: [PATCH 43/56] [Framadate] Specify commit hash of develop branch
---
 services_web.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services_web.yml b/services_web.yml
index 17515e3f..283f4482 100755
--- a/services_web.yml
+++ b/services_web.yml
@@ -9,7 +9,7 @@
 vars:
 framadate:
 repo: https://framagit.org/framasoft/framadate/framadate.git
- version: 1.1.10
+ version: "77bf2aaa0c344fd25535e2d0543d9a76bf35b5fd"
 path: /var/www/framadate
 roles:
 - framadate
From bc932b06171d1e34d63bfe0720d85a3e1c5e4523 Mon Sep 17 00:00:00 2001
From: pa <pa@crans.org>
Date: Sat, 2 May 2020 16:47:28 +0200
Subject: [PATCH 44/56] [Framdate] nginx configuration
---
 roles/framadate/tasks/main.yml | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml
index 1452702c..80de2318 100644
--- a/roles/framadate/tasks/main.yml
+++ b/roles/framadate/tasks/main.yml
@@ -4,8 +4,8 @@
 apt:
 update_cache: true
 name:
- - apache2
- - libapache2-mod-php
+ - nginx
+ - php-fpm
 - php-intl
 - php-mbstring
 - php-pgsql
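Review bot: `mode: 0600` in the new `file` task is an unquoted octal; it works only because the leading zero makes the YAML 1.1 loader produce the integer 384 (= 0o600), whereas the same value written as `600` would be applied as decimal 600, so write `mode: "0600"` to make the intent explicit. The task also has an empty `- name:` and, because `state: touch` updates the timestamps on every run, it reports `changed` on every play; `access_time: preserve` and `modification_time: preserve` keep it idempotent. The role's task list continues outside the hunk.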
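Review bot: Swapping `apache2`/`libapache2-mod-php` for `nginx`/`php-fpm` in the package list does not uninstall Apache on hosts already provisioned by the previous version of this role, so on such hosts two web servers would compete for port 80 after the next run. If any such host exists, add a task ahead of this one such as `- apt: {name: [apache2, libapache2-mod-php], state: absent, purge: true}`, or record in the role that it targets fresh hosts only. The apt task begins before the hunk.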
@@ -37,15 +37,27 @@ retries: 3 until: composer_result is succeeded -- name: +- name: Create log file file: path: "{{ framadate.path }}/admin/stdout.log" owner: www-data state: touch mode: 0600 +- name: Configure nginx site + template: + src: nginx-site.j2 + dest: /etc/nginx/sites-available/framadate.conf + +- name: Enable nginx site + file: + src: /etc/nginx/sites-available/framadate.conf + dest: /etc/nginx/stes-enabled/framadate.conf + state: link + - name: Indicate role in motd template: src: update-motd.d/05-service.j2 dest: /etc/update-motd.d/05-framadate mode: 0755 + From 86d17dedfaca8184f435688c3fe6b3a143a421de Mon Sep 17 00:00:00 2001 From: Alexandre Iooss <erdnaxe@crans.org> Date: Sat, 2 May 2020 16:54:42 +0200 Subject: [PATCH 45/56] [framadate] NGINX config --- roles/framadate/tasks/main.yml | 6 +-- roles/framadate/templates/nginx-site.j2 | 60 +++++++++++++++++++++++++ 2 files changed, 63 insertions(+), 3 deletions(-) create mode 100644 roles/framadate/templates/nginx-site.j2 diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml index 80de2318..507b86e2 100644 --- a/roles/framadate/tasks/main.yml +++ b/roles/framadate/tasks/main.yml @@ -47,12 +47,12 @@ - name: Configure nginx site template: src: nginx-site.j2 - dest: /etc/nginx/sites-available/framadate.conf + dest: /etc/nginx/sites-available/framadate - name: Enable nginx site file: - src: /etc/nginx/sites-available/framadate.conf - dest: /etc/nginx/stes-enabled/framadate.conf + src: /etc/nginx/sites-available/framadate + dest: /etc/nginx/sites-enabled/framadate state: link - name: Indicate role in motd diff --git a/roles/framadate/templates/nginx-site.j2 b/roles/framadate/templates/nginx-site.j2 new file mode 100644 index 00000000..ef963c3e --- /dev/null +++ b/roles/framadate/templates/nginx-site.j2 
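Review bot: Neither `Configure nginx site` nor `Enable nginx site` notifies a handler, so a changed site file or symlink is not applied until something else reloads nginx (unless a handler exists outside this hunk); add `notify: Reload nginx` to both tasks and a matching handler `service: {name: nginx, state: reloaded}` in the role. The `mode: 0600` carried over on the log-file task should be quoted (`mode: "0600"`) so it does not depend on YAML 1.1 octal parsing. The task list continues outside the hunk.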
@@ -0,0 +1,60 @@
+{{ ansible_header | comment }}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name framadate.crans.org;
+
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self'";
+ add_header Referrer-Policy "strict-origin";
+
+ root {{ framadate.path }};
+
+ index index.php;
+
+ location ~^/(\.git)/{
+ deny all;
+ }
+
+ location ~ /\. {
+ deny all;
+ }
+
+ location ~ ^/composer\.json.*$|^/composer\.lock.*$|^/php\.ini.*$|^/.*\.sh {
+ deny all;
+ }
+
+ location /admin/ {
+ auth_basic "Restricted access";
+ auth_basic_user_file /etc/nginx/.htpasswd;
+
+ location ~ \.php$ {
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+ }
+ try_files $uri $uri/ =401;
+ }
+
+ location / {
+ rewrite "^/admin$" "/admin/" permanent;
+
+ # Clean URL
+ rewrite "^/([a-zA-Z0-9-]+)$" "/studs.php?poll=$1" last;
+ rewrite "^/([a-zA-Z0-9-]+)/action/([a-zA-Z_-]+)/(.+)$" "/studs.php?poll=$1&$2=$3" last;
+ rewrite "^/([a-zA-Z0-9-]+)/vote/([a-zA-Z0-9]{16})$" "/studs.php?poll=$1&vote=$2" last;
+ rewrite "^/([a-zA-Z0-9]{24})/admin$" "/adminstuds.php?poll=$1" last;
+ rewrite "^/([a-zA-Z0-9]{24})/admin/vote/([a-zA-Z0-9]{16})$" "/adminstuds.php?poll=$1&vote=$2" last;
+ rewrite "^/([a-zA-Z0-9]{24})/admin/action/([a-zA-Z_-]+)(/([A-Za-z0-9]+))?$" "/adminstuds.php?poll=$1&$2=$4" last;
+ try_files $uri /index.php;
+ }
+
+ location ~ \.php$ {
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+ }
+}
+
From c8504973a86fa147f21c7e0a1e2a4c7a3d1afcd3 Mon Sep 17 00:00:00 2001
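Review bot: The basic auth on `location /admin/` does not appear to cover `/admin/*.php`: `/admin/` is a plain prefix location, so after nginx remembers it as the longest prefix it still evaluates the top-level regex locations, and the final `location ~ \.php$` matches `/admin/index.php` and hands it to PHP-FPM without `auth_basic`; the nested `location ~ \.php$` inside `/admin/` is then never reached. Changing the block to `location ^~ /admin/ {` stops the regex search once the prefix matches, so the nested, authenticated PHP handler is used; please confirm with a request for an admin PHP page before and after. Separately, `fastcgi_pass unix:/run/php/php7.3-fpm.sock;` is hard-coded twice and ties the template to one PHP release; a role variable for the socket path would be easier to maintain.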
From: Alexandre Iooss <erdnaxe@crans.org> Date: Sat, 2 May 2020 18:00:09 +0200 Subject: [PATCH 46/56] Working FramaDate --- network.yml | 1 + roles/framadate/tasks/main.yml | 5 +++++ services_web.yml | 2 ++ 3 files changed, 8 insertions(+) diff --git a/network.yml b/network.yml index a6ec7a1c..16865b78 100755 --- a/network.yml +++ b/network.yml @@ -100,6 +100,7 @@ - {from: autoconfig.crans.org, to: 10.231.136.46} - {from: grafana.crans.org, to: 10.231.136.102} - {from: webirc.crans.org, to: "10.231.136.1:9000"} + - {from: framadate.crans.org, to: 185.230.79.194} # Zamok - {from: install-party.crans.org, to: 10.231.136.1} diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml index 507b86e2..4c39e3d5 100644 --- a/roles/framadate/tasks/main.yml +++ b/roles/framadate/tasks/main.yml @@ -44,6 +44,11 @@ state: touch mode: 0600 +- name: Configure admin password + copy: + content: "{{ framadate.admin_username }}:{{ framadate.admin_password_hash }}\n" + dest: /etc/nginx/.htpasswd + - name: Configure nginx site template: src: nginx-site.j2 diff --git a/services_web.yml b/services_web.yml index 283f4482..4c6f7d78 100755 --- a/services_web.yml +++ b/services_web.yml @@ -11,6 +11,8 @@ repo: https://framagit.org/framasoft/framadate/framadate.git version: "77bf2aaa0c344fd25535e2d0543d9a76bf35b5fd" path: /var/www/framadate + admin_username: framadate + admin_password_hash: "{{ vault_framadate_password_hash }}" roles: - framadate From b3619d05f4cd21df7d48e897275c8cad450fd652 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss <erdnaxe@crans.org> Date: Sun, 3 May 2020 10:03:12 +0200 Subject: [PATCH 47/56] Some changes in keepalived template --- re2o-api.yml | 17 +++++--------- roles/keepalived/tasks/main.yml | 3 +-- .../templates/keepalived/keepalived.conf.j2 | 22 +++++++++---------- 3 files changed, 17 insertions(+), 25 deletions(-) diff --git a/re2o-api.yml b/re2o-api.yml index da0938f9..2d04db0f 100755 --- a/re2o-api.yml +++ b/re2o-api.yml 
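Review bot: The `Configure admin password` task writes `/etc/nginx/.htpasswd` with `copy` but sets no `mode`, `owner` or `group`, so the file receives whatever the remote umask yields (commonly world-readable) and the password hash is exposed to every local account. Add `owner: root`, `group: www-data` and `mode: "0640"` so only nginx's worker group (www-data on Debian) can read it. The role's task list continues outside the hunk.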
@@ -11,7 +11,6 @@ router: true router_password: "{{ vault_keepalived_router_password }}" router_primary: false - proxy: false if_serveurs: eth0.1 if_adm: eth0.2 if_bornes: eth0.3 @@ -55,11 +54,9 @@ - hosts: gulp.adm.crans.org vars: keepalived: - radius: false router: true router_password: "{{ vault_keepalived_router_password }}" router_primary: true - proxy: false if_serveurs: eno1.1 if_adm: eno1.2 if_bornes: eno1.3 @@ -93,15 +90,13 @@ - hosts: frontdaur.adm.crans.org vars: keepalived: - radius: false - router: false - proxy: true - proxy_primary: false - proxy_password: "{{ vault_keepalived_proxy_password }}" + proxy: + primary: false + password: "{{ vault_keepalived_proxy_password }}" + ipv4: 185.230.79.194 + ipv6: 2a0c:700:0:24:ba:ccff:feda:aa00 + broadcast: 185.230.79.255 if_adm: eth1 if_srv: eth0 - proxy_ipv4_srv: 185.230.79.194 - proxy_broadcast_srv: 185.230.79.255 - proxy_ipv6_srv: 2a0c:700:0:24:ba:ccff:feda:aa00 roles: - keepalived diff --git a/roles/keepalived/tasks/main.yml b/roles/keepalived/tasks/main.yml index e0678e1e..7efe258f 100644 --- a/roles/keepalived/tasks/main.yml +++ b/roles/keepalived/tasks/main.yml @@ -2,8 +2,7 @@ - name: Install keepalived apt: update_cache: true - name: - - keepalived + name: keepalived register: apt_result retries: 3 until: apt_result is succeeded diff --git a/roles/keepalived/templates/keepalived/keepalived.conf.j2 b/roles/keepalived/templates/keepalived/keepalived.conf.j2 index 9237116f..e488e71c 100644 --- a/roles/keepalived/templates/keepalived/keepalived.conf.j2 +++ b/roles/keepalived/templates/keepalived/keepalived.conf.j2 @@ -8,11 +8,11 @@ global_defs { smtp_server smtp.adm.crans.org } -{% if keepalived.proxy %} +{% if keepalived.proxy is defined %} vrrp_instance VI_DAUR4 { # We don't own the IP address, which allows manual triggering of IP change when machine comes UP # see man keepalived.conf. -{% if keepalived.proxy_primary %} +{% if keepalived.proxy.primary %} state MASTER priority 150 {% else %} 
@@ -25,20 +25,18 @@ vrrp_instance VI_DAUR4 { advert_int 2 authentication { auth_type PASS - auth_pass {{ keepalived.proxy_password }} + auth_pass {{ keepalived.proxy.password }} } virtual_ipaddress { - {{ keepalived.proxy_ipv4 }}/32 brd 138.231.143.255 dev eth0 scope global + {{ keepalived.proxy.ipv4 }}/32 brd {{ keepalived.proxy.broadcast }} dev {{ keepalived.if_srv }} scope global } } -{% endif %} -{% if keepalived.proxy %} vrrp_instance VI_DAUR6 { # We don't own the IP address, which allows manual triggering of IP change when machine comes UP # see man keepalived.conf. -{% if keepalived.proxy_primary %} +{% if keepalived.proxy.primary %} state MASTER priority 150 {% else %} @@ -51,16 +49,16 @@ vrrp_instance VI_DAUR6 { advert_int 2 authentication { auth_type PASS - auth_pass {{ keepalived.proxy_password }} + auth_pass {{ keepalived.proxy.password }} } virtual_ipaddress { - {{ keepalived.proxy_ipv6 }}/64 dev eth0 scope global + {{ keepalived.proxy.ipv6 }}/64 dev {{ keepalived.if_srv }} scope global } } {% endif %} -{% if keepalived.radius %} +{% if keepalived.radius is defined %} vrrp_instance VI_RAD4 { # We don't own the IP address, which allows manual triggering of IP change when machine comes UP # see man keepalived.conf. @@ -90,7 +88,7 @@ vrrp_instance VI_RAD4 { } {% endif %} -{% if keepalived.radius %} +{% if keepalived.radius is defined %} vrrp_instance VI_RAD6 { # We don't own the IP address, which allows manual triggering of IP change when machine comes UP # see man keepalived.conf. @@ -120,7 +118,7 @@ vrrp_instance VI_RAD6 { } {% endif %} -{% if keepalived.router %} +{% if keepalived.router is defined %} vrrp_instance VI_ROUT { # We don't own the IP address, which allows manual triggering of IP change when machine comes UP # see man keepalived.conf. From ce54ee81969eae3ddfaa3a263f7a5a46eafe8fe0 Mon Sep 17 00:00:00 2001 
From: Alexandre Iooss <erdnaxe@crans.org> Date: Sun, 3 May 2020 10:47:29 +0200 Subject: [PATCH 48/56] Ansible on bakdaur --- clean_servers.yml | 2 ++ interfaces.yml | 2 +- re2o-api.yml | 15 +++++++++++++++ 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/clean_servers.yml b/clean_servers.yml index e6198e87..0f68d4cc 100755 --- a/clean_servers.yml +++ b/clean_servers.yml @@ -45,6 +45,8 @@ - acpid - xscreensaver # was on owncloud - openbsd-inetd + - byobu # we already have screen and tmux + - ipython # go use ipython3! register: apt_result retries: 3 until: apt_result is succeeded diff --git a/interfaces.yml b/interfaces.yml index b32a9d03..04b2d828 100755 --- a/interfaces.yml +++ b/interfaces.yml @@ -14,7 +14,7 @@ - switch - fil -- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org,frontdaur.adm.crans.org +- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org,frontdaur.adm.crans.org,bakdaur.adm.crans.org vars: vlan: - name: srv diff --git a/re2o-api.yml b/re2o-api.yml index 2d04db0f..0ce54882 100755 --- a/re2o-api.yml +++ b/re2o-api.yml @@ -100,3 +100,18 @@ if_srv: eth0 roles: - keepalived + +# Deploy keepalived on bakdaur +- hosts: bakdaur.adm.crans.org + vars: + keepalived: + proxy: + primary: true + password: "{{ vault_keepalived_proxy_password }}" + ipv4: 185.230.79.194 + ipv6: 2a0c:700:0:24:ba:ccff:feda:aa00 + broadcast: 185.230.79.255 + if_adm: eth0 + if_srv: eth1 + roles: + - keepalived From ef1c4f6fbf3d83ccde094d1255c9350b9f7fa3fd Mon Sep 17 00:00:00 2001 
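Review bot: The `proxy` block for bakdaur repeats `password`, `ipv4`, `ipv6` and `broadcast` verbatim from the frontdaur play in the same file, with only `primary` and the interface names differing; the VRRP pair only works while both copies stay identical, so these shared values belong in one place (a group holding the two proxies, with the values in its `group_vars`) and each play keeps only `primary`, `if_adm` and `if_srv`. A short comment that `if_adm`/`if_srv` are deliberately swapped between the two machines would also save the next reader a double-take.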
From: Alexandre Iooss <erdnaxe@crans.org> Date: Sun, 3 May 2020 11:01:28 +0200 Subject: [PATCH 49/56] Ouspi, framdate was using srv ip --- network.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network.yml b/network.yml index 16865b78..e007de0f 100755 --- a/network.yml +++ b/network.yml @@ -100,7 +100,7 @@ - {from: autoconfig.crans.org, to: 10.231.136.46} - {from: grafana.crans.org, to: 10.231.136.102} - {from: webirc.crans.org, to: "10.231.136.1:9000"} - - {from: framadate.crans.org, to: 185.230.79.194} + - {from: framadate.crans.org, to: 10.231.136.153} # Zamok - {from: install-party.crans.org, to: 10.231.136.1} From 7d1ecd19a487a7348b59408aaa5c7bc19350a700 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss <erdnaxe@crans.org> Date: Sun, 3 May 2020 12:51:16 +0200 Subject: [PATCH 50/56] SSL snippet and drop TLS 1.0 and 1.1 --- roles/nginx-reverseproxy/tasks/main.yml | 16 +++++---- .../templates/letsencrypt/dhparam.j2 | 8 +++++ .../nginx/{ => sites-available}/redirect.j2 | 34 +++++-------------- .../{ => sites-available}/reverseproxy.j2 | 17 +++------- .../reverseproxy_redirect_dname.j2 | 17 +++------- .../nginx/snippets/options-ssl.conf.j2 | 17 ++++++++++ 6 files changed, 51 insertions(+), 58 deletions(-) create mode 100644 roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 rename roles/nginx-reverseproxy/templates/nginx/{ => sites-available}/redirect.j2 (58%) rename roles/nginx-reverseproxy/templates/nginx/{ => sites-available}/reverseproxy.j2 (75%) rename roles/nginx-reverseproxy/templates/nginx/{ => sites-available}/reverseproxy_redirect_dname.j2 (61%) create mode 100644 roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml index 1fee6a3c..55af7c18 100644 --- a/roles/nginx-reverseproxy/tasks/main.yml +++ b/roles/nginx-reverseproxy/tasks/main.yml 
@@ -9,15 +9,19 @@ retries: 3 until: apt_result is succeeded -- name: Copy certbot SSL snippet - copy: - remote_src: true - src: /usr/lib/python3/dist-packages/certbot_nginx/options-ssl-nginx.conf - dest: /etc/letsencrypt/options-ssl-nginx.conf +- name: Copy snippets + template: + src: nginx/snippets/options-ssl.conf.j2 + dest: /etc/nginx/snippets/options-ssl.conf + +- name: Copy dhparam + template: + src: letsencrypt/dhparam.j2 + dest: /etc/letsencrypt/dhparam - name: Copy reverse proxy sites template: - src: "nginx/{{ item }}.j2" + src: "nginx/sites-available/{{ item }}.j2" dest: "/etc/nginx/sites-available/{{ item }}" loop: - reverseproxy diff --git a/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 b/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 new file mode 100644 index 00000000..9b182b72 --- /dev/null +++ b/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- diff --git a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 similarity index 58% rename from roles/nginx-reverseproxy/templates/nginx/redirect.j2 rename to roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 index 4d60807e..9cdb545b 100644 --- a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 
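Review bot: `letsencrypt/dhparam.j2` is a PEM blob with no Jinja and no indication of where the group came from, so a later maintainer cannot tell whether it was generated locally or is a published group (it looks like the RFC 7919 `ffdhe2048` parameters, which would be a sound choice, but that should be verified rather than assumed). Record the provenance above the `Copy dhparam` task, e.g. `# Fixed 2048-bit DH group for ssl_dhparam; verify against RFC 7919 ffdhe2048 before changing`, and since nothing is templated the task can use `copy` instead of `template`. The task list continues outside the hunk.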
@@ -15,22 +15,13 @@ server { # Redirect https://{{ site.from }} to https://{{ site.to }} server { - listen 443; - listen [::]:443; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name {{ site.from }}; - ssl on; - ssl_certificate {{ nginx.ssl.cert }}; - ssl_certificate_key {{ nginx.ssl.cert_key }}; - - # SSL ciphers updated by Debian - include "/etc/letsencrypt/options-ssl-nginx.conf"; - - # Enable OCSP Stapling, point to certificate chain - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; location / { return 302 https://{{ site.to }}$request_uri; @@ -58,22 +49,13 @@ server { # Redirect https://{{ from }} to https://{{ site.to }} server { - listen 443; - listen [::]:443; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name {{ from }}; - ssl on; - ssl_certificate {{ nginx.ssl.cert }}; - ssl_certificate_key {{ nginx.ssl.cert_key }}; - - # SSL ciphers updated by Debian - include "/etc/letsencrypt/options-ssl-nginx.conf"; - - # Enable OCSP Stapling, point to certificate chain - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; location / { return 302 https://{{ site.to }}$request_uri; diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 similarity index 75% rename from roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 rename to roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 index 31c34462..50ef7b2e 100644 --- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 
@@ -15,22 +15,13 @@ server { # Reverse proxify https://{{ site.from }} to http://{{ site.to }} server { - listen 443; - listen [::]:443; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name {{ site.from }}; - ssl on; - ssl_certificate {{ nginx.ssl.cert }}; - ssl_certificate_key {{ nginx.ssl.cert_key }}; - - # SSL ciphers updated by Debian - include "/etc/letsencrypt/options-ssl-nginx.conf"; - - # Enable OCSP Stapling, point to certificate chain - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; # Log into separate log files access_log /var/log/nginx/{{ site.from }}.log; diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 similarity index 61% rename from roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 rename to roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 index 8fc57808..db2084a4 100644 --- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 @@ -19,22 +19,13 @@ server { # Redirect https://{{ from }} to https://{{ to }} server { - listen 443; - listen [::]:443; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name {{ from }}; - ssl on; - ssl_certificate {{ nginx.ssl.cert }}; - ssl_certificate_key {{ nginx.ssl.cert_key }}; - - # SSL ciphers updated by Debian - include "/etc/letsencrypt/options-ssl-nginx.conf"; - - # Enable OCSP Stapling, point to certificate chain - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; location / { return 302 https://{{ to }}$request_uri; 
diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
new file mode 100644
index 00000000..c585cc26
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
@@ -0,0 +1,17 @@
+{{ ansible_header | comment }}
+
+ssl_certificate {{ nginx.ssl.cert }};
+ssl_certificate_key {{ nginx.ssl.cert_key }};
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+ssl_dhparam /etc/letsencrypt/dhparam;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# Enable OCSP Stapling, point to certificate chain
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
From e8b0d14a55eb6281c3b607541e13e6d96cae3955 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sun, 3 May 2020 14:19:00 +0200
Subject: [PATCH 51/56] Grafana on :3000
---
 network.yml | 2 +-
 roles/grafana/tasks/main.yml | 10 ----------
 2 files changed, 1 insertion(+), 11 deletions(-)
diff --git a/network.yml b/network.yml
index e007de0f..8f70b911 100755
--- a/network.yml
+++ b/network.yml
@@ -98,7 +98,7 @@
 - {from: re2o.crans.org, to: 10.231.136.9}
 - {from: intranet.crans.org, to: 10.231.136.9}
 - {from: autoconfig.crans.org, to: 10.231.136.46}
- - {from: grafana.crans.org, to: 10.231.136.102}
+ - {from: grafana.crans.org, to: "10.231.136.102:3000"}
 - {from: webirc.crans.org, to: "10.231.136.1:9000"}
 - {from: framadate.crans.org, to: 10.231.136.153}
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
index 1442c08f..1d472f15 100644
--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
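Review bot: `ssl_stapling on` in the new snippet comes without a `resolver` directive; unless one is already set in the http context outside this series, nginx cannot look up the OCSP responder and stapling silently stays off (it only logs a warning at startup), so add `resolver <dns-server-address> valid=300s;` beside it, with the placeholder replaced by a trusted resolver. Now that TLS 1.0/1.1 are dropped, this snippet is also the natural place for `add_header Strict-Transport-Security "max-age=63072000" always;` if HSTS is not set per site elsewhere; keep in mind that any `add_header` inside a location of the including server block replaces the headers set at server level.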
@@ -33,13 +33,6 @@ retries: 3 until: apt_result is succeeded -# This capability enables grafana to bind :80 -- name: Add cap_net_bind_service to grafana - capabilities: - path: /usr/sbin/grafana-server - capability: cap_net_bind_service+ep - state: present - - name: Configure Grafana ini_file: path: /etc/grafana/grafana.ini @@ -48,9 +41,6 @@ value: "{{ item.value }}" mode: 0640 loop: - - section: server - option: http_port - value: "80" - section: server option: root_url value: "{{ grafana_root_url }}" From 6eaf509ff3a06b47983fe4ad04e56655d8d32701 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss <erdnaxe@crans.org> Date: Sun, 3 May 2020 15:19:29 +0200 Subject: [PATCH 52/56] [nginx] Reverse WebSocket --- network.yml | 2 +- roles/nginx-reverseproxy/tasks/main.yml | 7 +++++-- .../nginx/sites-available/reverseproxy.j2 | 13 ++++++++----- .../nginx/snippets/options-proxypass.conf.j2 | 17 +++++++++++++++++ 4 files changed, 31 insertions(+), 8 deletions(-) create mode 100644 roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 diff --git a/network.yml b/network.yml index 8f70b911..23160615 100755 --- a/network.yml +++ b/network.yml @@ -74,7 +74,7 @@ # Services web Crans - {from: lutim.crans.org, to: 10.231.136.69} - {from: zero.crans.org, to: 10.231.136.76} - - {from: pad.crans.org, to: 10.231.136.76} + - {from: pad.crans.org, to: "10.231.136.76:9001"} - {from: ethercalc.crans.org, to: 10.231.136.203} - {from: mediadrop.crans.org, to: 10.231.136.106} - {from: videos.crans.org, to: 10.231.136.106} diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml index 55af7c18..5a0e298f 100644 --- a/roles/nginx-reverseproxy/tasks/main.yml +++ b/roles/nginx-reverseproxy/tasks/main.yml 
@@ -11,8 +11,11 @@ - name: Copy snippets template: - src: nginx/snippets/options-ssl.conf.j2 - dest: /etc/nginx/snippets/options-ssl.conf + src: "nginx/snippets/{{ item }}.j2" + dest: "/etc/nginx/snippets/{{ item }}" + loop: + - options-ssl.conf + - options-proxypass.conf - name: Copy dhparam template: diff --git a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 index 50ef7b2e..52a278bf 100644 --- a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 +++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 @@ -1,5 +1,12 @@ {{ ansible_header | comment }} +# Automatic Connection header for WebSocket support +# See http://nginx.org/en/docs/http/websocket.html +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + {% for site in nginx.reverseproxy_sites %} # Redirect http://{{ site.from }} to https://{{ site.from }} server { @@ -41,12 +48,8 @@ server { real_ip_header P-Real-Ip; location / { - proxy_set_header Host {{ site.from }}; - proxy_set_header P-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - proxy_redirect off; proxy_pass http://{{ site.to }}; + include "/etc/nginx/snippets/options-proxypass.conf"; } } diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 new file mode 100644 index 00000000..a14f3b7f --- /dev/null +++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 
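Review bot: The proxypass snippet now sends `X-Real-IP` where the removed lines sent `P-Real-IP`, while the context line `real_ip_header P-Real-Ip;` in the same server block suggests the old header name is still relied on somewhere; any backend configured to trust `P-Real-IP` would stop seeing the client address after this change. Either keep the old header alongside (`proxy_set_header P-Real-IP $remote_addr;` in the snippet) or update the consumers in the same commit. The switch from `Host {{ site.from }}` to `Host $host` is also a behaviour change worth a line in the commit message, since `$host` is taken from the request rather than from the site definition. The server block continues outside the hunk.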
@@ -0,0 +1,17 @@
+{{ ansible_header | comment }}
+
+proxy_redirect off;
+proxy_set_header Host $host;
+
+# Pass the real client IP
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+# Tell proxified server that we are HTTPS, fix Wordpress
+proxy_set_header X-Forwarded-Proto https;
+
+# WebSocket support
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+
From cb6e85880482eac80431b48064eda8d67e60479b Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 4 May 2020 12:19:32 +0200
Subject: [PATCH 53/56] =?UTF-8?q?[nginx-reverseproxy]=20Trailing=20spaces?=
 =?UTF-8?q?=E2=80=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../templates/nginx/sites-available/reverseproxy.j2 | 2 +-
 .../templates/nginx/snippets/options-ssl.conf.j2 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
index 52a278bf..0898da05 100644
--- a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
@@ -36,7 +36,7 @@ server {
 # Keep the TCP connection open a bit for faster browsing
 keepalive_timeout 70;
-
+
 # Custom error page
 error_page 500 502 503 504 /50x.html;
 location = /50x.html {
diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
index c585cc26..1a9273a8 100644
--- a/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
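Review bot: The snippet uses `$connection_upgrade`, which is only defined by the `map` added to `sites-available/reverseproxy.j2`; any other site file that includes `options-proxypass.conf` without that map fails `nginx -t` with an unknown-variable error. Add a comment above the WebSocket lines, e.g. `# $connection_upgrade comes from the map block in sites-available/reverseproxy.j2`, or move the map into its own snippet included from the http context so the dependency is not hidden. `X-Forwarded-For $proxy_add_x_forwarded_for` appends to whatever the client already sent, so backends that use it for access control or logging must read the last entry, not the first; that is worth stating in the comment above it.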
@@ -3,7 +3,7 @@
 ssl_certificate {{ nginx.ssl.cert }};
 ssl_certificate_key {{ nginx.ssl.cert_key }};
 ssl_session_timeout 1d;
-ssl_session_cache shared:MozSSL:10m;
+ssl_session_cache shared:MozSSL:10m;
 ssl_session_tickets off;
 ssl_dhparam /etc/letsencrypt/dhparam;
 ssl_protocols TLSv1.2 TLSv1.3;
From 38ff5c192ff5a4e6daec61c662091dd6078e4bd3 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Wed, 6 May 2020 12:59:08 +0200
Subject: [PATCH 54/56] Fix nginx max body size
---
 .../templates/nginx/snippets/options-proxypass.conf.j2 | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2
index a14f3b7f..0b864a68 100644
--- a/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2
@@ -15,3 +15,5 @@ proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
+# For Owncloud WebDav
+client_max_body_size 10G;
From 539706f1136b2b6a7e459a3afa2d88b15eea13ef Mon Sep 17 00:00:00 2001
From: Bombar Maxime <bombar@crans.org>
Date: Thu, 7 May 2020 14:02:29 +0200
Subject: [PATCH 55/56] Remove /etc/default/bcfg2 on ansible managed hosts.
---
 clean_servers.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/clean_servers.yml b/clean_servers.yml
index 0f68d4cc..79b61bd5 100755
--- a/clean_servers.yml
+++ b/clean_servers.yml
@@ -76,6 +76,7 @@
 - /etc/cron.d/autobcfg2
 - /etc/cron.d/bcfg2-run
 - /etc/cron.d/pull-repos-scripts
+ - /etc/default/bcfg2
 - /etc/munin
 - /etc/icinga2
 - /etc/nut
From 21c953a4cab1acde0f2868521c28960e42fd9daf Mon Sep 17 00:00:00 2001
From: Bombar Maxime <bombar@crans.org>
Date: Fri, 8 May 2020 01:16:24 +0200
Subject: [PATCH 56/56] [clean_servers] More bcfg2 clean up
---
 clean_servers.yml | 4 ++++
 1 file changed, 4 insertions(+)
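Review bot: `client_max_body_size 10G;` in `options-proxypass.conf` applies to every `location /` that includes the snippet, not only the Owncloud site named in the comment, so every proxied service now accepts 10 GB request bodies, which nginx buffers to disk by default before forwarding to backends that may not expect them. Set it in the Owncloud site only, or make it per site with nginx's own default, e.g. `client_max_body_size {{ site.max_body_size | default('1m') }};` in the server template (with `max_body_size` as a new optional field on the `nginx.reverseproxy_sites` entries). The snippet's earlier lines are outside the hunk.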
diff --git a/clean_servers.yml b/clean_servers.yml
index 79b61bd5..218948f2 100755
--- a/clean_servers.yml
+++ b/clean_servers.yml
@@ -64,6 +64,9 @@
 path: "{{ item }}"
 state: absent
 loop:
+ - /etc/bcfg2.conf
+ - /etc/bcfg2.conf.ucf-dist
+ - /etc/crans
 - /etc/cron.d/munin-crans
 - /etc/cron.d/munin-node
 - /etc/cron.d/munin-node.dpkg-dist
@@ -79,6 +82,7 @@
 - /etc/default/bcfg2
 - /etc/munin
 - /etc/icinga2
+ - /etc/init.d/bcfg2
 - /etc/nut
 - /etc/nginx/sites-enabled/status
 - /etc/nginx/sites-available/status