linter
_shirenn 2022-07-05 17:43:20 +02:00
parent a73d5892e4
commit c7068ac540
243 changed files with 1348 additions and 1547 deletions


@ -3,4 +3,7 @@ extends: default
rules: rules:
line-length: disable line-length: disable
braces:
min-spaces-inside: 0
max-spaces-inside: 1
... ...


@ -2,7 +2,7 @@
glob_adh: glob_adh:
apache: apache:
listen_local: listen_local:
- "127.0.0.1:80" - 127.0.0.1:80
- "[::1]:80" - "[::1]:80"
listen_network: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ansible.utils.ipwrap }}" listen_network: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ansible.utils.ipwrap }}"
club_vhosts: club_vhosts:


@ -1,18 +1,19 @@
--- ---
# Custom header # Custom header
dirty: "{% if template_fullpath is defined %}{{ lookup('pipe', 'git diff --quiet -- ' + template_fullpath | quote + ' || echo dirty') }}{% else %}{{ lookup('pipe', 'git diff --quiet || echo dirty') }}{% endif %}" dirty: "{% if template_fullpath is defined %}{{ lookup('pipe', 'git diff --quiet -- ' + template_fullpath | quote + ' || echo dirty') }}{% else %}{{ lookup('pipe',\
\ 'git diff --quiet || echo dirty') }}{% endif %}"
ansible_header: | ansible_header: |
+++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++++++
Ansible managed, don't modify the file locally. Ansible managed, don't modify the file locally.
See https://gitlab.crans.org/nounous/ansible. See https://gitlab.crans.org/nounous/ansible.
{% if template_fullpath is defined %}{% set _, rpath = template_fullpath.split('roles/', 1) %}Commit: {% if dirty %}({{dirty}}) {% endif %}{{ lookup('pipe', 'git log -n 1 --pretty=format:%H -- ' + template_fullpath | quote) }} {% if template_fullpath is defined %}{% set _, rpath = template_fullpath.split('roles/', 1) %}Commit: {% if dirty %}({{ dirty }}) {% endif %}{{ lookup('pipe', 'git log -n 1 --pretty=format:%H -- ' + template_fullpath | quote) }}
{% if dirty %}Run by: {{ ansible_env.SUDO_USER }} {% if dirty %}Run by: {{ ansible_env.SUDO_USER }}
{% else %}Author: {{ lookup('pipe', 'git log -n 1 --pretty=format:%an -- ' + template_fullpath | quote) }} {% else %}Author: {{ lookup('pipe', 'git log -n 1 --pretty=format:%an -- ' + template_fullpath | quote) }}
{% endif %}Template: roles/{{ rpath }} {% endif %}Template: roles/{{ rpath }}
{% else %} {% else %}
Run by: {{ ansible_env.SUDO_USER }} Run by: {{ ansible_env.SUDO_USER }}
Latest commit: {% if dirty %}({{dirty}}) {% endif %}{{ lookup('pipe', 'git rev-parse HEAD') }} Latest commit: {% if dirty %}({{ dirty }}) {% endif %}{{ lookup('pipe', 'git rev-parse HEAD') }}
{% endif %} {% endif %}
+++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++++++
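Review bot: The `dirty:` value on the new side is split across an escaped newline (`lookup('pipe',\` continued by `\ 'git diff …`), which hides that the whole value is one Jinja `{% if %}…{% endif %}` expression and relies on two double-quote escapes (escaped line break plus escaped space) that few readers will recognise; since `line-length` is disabled in the yamllint config touched by this same commit, the wrap gains nothing. Keep the expression on one line by raising the formatter's line width for this file rather than accepting `\`-continuation inside a double-quoted scalar. Do not turn it into a `>-` folded scalar either: folding would insert a space between `}}` and `{% else %}`, so `dirty` would become a one-space string on a clean tree and every `{% if dirty %}` test in `ansible_header` would flip. The same wrap appears on the `dns:` value in the network-interfaces section further down.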


@ -11,8 +11,8 @@ glob_borg:
remote: remote:
- borg@backup-ft.adm.crans.org:/backup/borg-server/{{ ansible_hostname }} - borg@backup-ft.adm.crans.org:/backup/borg-server/{{ ansible_hostname }}
retention: retention:
- ["daily", 4] - [daily, 4]
- ["monthly", 6] - [monthly, 6]
consistency_check: consistency_check:
- disabled - disabled
extra_init: extra_init:


@ -7,4 +7,4 @@ glob_home_nounou:
name: home_nounou name: home_nounou
owner: root owner: root
group: _user group: _user
mode: '0750' mode: "0750"


@ -1,10 +1,10 @@
--- ---
glob_ldap: glob_ldap:
uri: 'ldap://re2o-ldap.adm.crans.org/' uri: ldap://re2o-ldap.adm.crans.org/
users_base: 'cn=Utilisateurs,dc=crans,dc=org' users_base: cn=Utilisateurs,dc=crans,dc=org
servers: servers:
- 172.16.10.1 - 172.16.10.1
- 172.16.10.11 - 172.16.10.11
- 172.16.10.12 - 172.16.10.12
- 172.16.10.13 - 172.16.10.13
base: 'dc=crans,dc=org' base: dc=crans,dc=org


@ -14,10 +14,11 @@ glob_network_interfaces:
- name: san - name: san
id: 4 id: 4
extra: extra:
- "mtu 9000" - mtu 9000
- name: adm - name: adm
id: 10 id: 10
dns: "{{ query('ldap', 'ip', 'routeur-sam', 'adm') | ansible.utils.ipv4 | first }} {{ query('ldap', 'ip', 'routeur-daniel', 'adm') | ansible.utils.ipv4 | first }}" dns: "{{ query('ldap', 'ip', 'routeur-sam', 'adm') | ansible.utils.ipv4 | first }} {{ query('ldap', 'ip', 'routeur-daniel', 'adm') | ansible.utils.ipv4 | first\
\ }}"
- name: adh - name: adh
id: 12 id: 12
gateway: "{{ query('ldap', 'ip', 'passerelle', 'adh') | ansible.utils.ipv4 | first }}" gateway: "{{ query('ldap', 'ip', 'passerelle', 'adh') | ansible.utils.ipv4 | first }}"


@ -1,3 +1,3 @@
--- ---
glob_root: glob_root:
passwd_hash: '{{ vault.root.passwd_hash }}' passwd_hash: "{{ vault.root.passwd_hash }}"


@ -12,4 +12,4 @@ glob_service_ssh_known_hosts:
frequency: "*/10 * * * *" frequency: "*/10 * * * *"
config: config:
ldap: ldap:
server: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}" server: ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}


@ -8,6 +8,6 @@ glob_service_proxy:
generated: false generated: false
cron: cron:
frequency: "* * * * *" frequency: "* * * * *"
options: "--alter" options: --alter
proto_id: 201 proto_id: 201
main_interface: ens18 main_interface: ens18


@ -7,4 +7,4 @@ loc_home_nounou:
name: home_nounou name: home_nounou
owner: root owner: root
group: _user group: _user
mode: '0750' mode: "0750"


@ -2,4 +2,4 @@
loc_service_ssh_known_hosts: loc_service_ssh_known_hosts:
config: config:
ldap: ldap:
server: "ldaps://{{ query('ldap', 'ip', 'thot', 'adm') | ansible.utils.ipv4 | first }}" server: ldaps://{{ query('ldap', 'ip', 'thot', 'adm') | ansible.utils.ipv4 | first }}


@ -12,4 +12,4 @@ logos:
where: /usr/share/belenios-server/logo.png where: /usr/share/belenios-server/logo.png
owner: root owner: root
group: root group: root
mode: '0644' mode: "0644"


@ -13,7 +13,7 @@ glob_service_certbot:
remote: https://gitlab.adm.crans.org/nounous/certbot remote: https://gitlab.adm.crans.org/nounous/certbot
version: main version: main
config: config:
"crans.org": crans.org:
zone: _acme-challenge.crans.org zone: _acme-challenge.crans.org
server: 172.16.10.147 server: 172.16.10.147
port: 53 port: 53


@ -4,41 +4,41 @@ glob_constellation:
admins: admins:
- ('Root', 'root@crans.org') - ('Root', 'root@crans.org')
allowed_hosts: allowed_hosts:
- 'constellation.crans.org' - constellation.crans.org
- 'intranet.crans.org' - intranet.crans.org
email: email:
ssl: false ssl: false
host: "{{ query('ldap', 'ip', 'redisdead', 'adm') | ansible.utils.ipv4 | first }}" host: "{{ query('ldap', 'ip', 'redisdead', 'adm') | ansible.utils.ipv4 | first }}"
port: 25 port: 25
user: '' user: ""
password: '' password: ""
from: "root@crans.org" from: root@crans.org
from_full: "Crans <root@crans.org>" from_full: Crans <root@crans.org>
database: database:
host: "{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}" host: "{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}"
port: 5432 port: 5432
user: 'constellation' user: constellation
password: "{{ vault.constellation.django_db_password }}" password: "{{ vault.constellation.django_db_password }}"
name: 'constellation' name: constellation
front: true front: true
crontab: true crontab: true
applications: applications:
- 'access' - access
- 'billing' - billing
- 'dnsmanager' - dnsmanager
- 'firewall' - firewall
- 'layers' - layers
- 'management' - management
- 'member' - member
- 'topography' - topography
- 'unix' - unix
stripe: stripe:
private_key: '{{ vault.constellation.stripe.live.private_key }}' private_key: "{{ vault.constellation.stripe.live.private_key }}"
public_key: '{{ vault.constellation.stripe.live.public_key }}' public_key: "{{ vault.constellation.stripe.live.public_key }}"
note: note:
url: 'https://note.crans.org/' url: https://note.crans.org/
client_id: '{{ vault.constellation.note.client_id }}' client_id: "{{ vault.constellation.note.client_id }}"
client_secret: '{{ vault.constellation.note.client_secret }}' client_secret: "{{ vault.constellation.note.client_secret }}"
debug: false debug: false
owner: root owner: root
group: _nounou group: _nounou


@ -6,25 +6,25 @@ loc_nginx:
- ssl: false - ssl: false
default: true default: true
server_name: server_name:
- "constellation.crans.org" - constellation.crans.org
- "intranet.crans.org" - intranet.crans.org
locations: locations:
- filter: "/static" - filter: /static
params: params:
- "alias {% if constellation.version == 'main' %}/var/lib/constellation/static/{% else %}/var/local/constellation/static/{% endif %}" - alias {% if constellation.version == 'main' %}/var/lib/constellation/static/{% else %}/var/local/constellation/static/{% endif %}
- filter: "/media" - filter: /media
params: params:
- "alias {% if constellation.version == 'main' %}/var/lib/constellation/media/{% else %}/var/local/constellation/media/{% endif %}" - alias {% if constellation.version == 'main' %}/var/lib/constellation/media/{% else %}/var/local/constellation/media/{% endif %}
- filter: "/doc" - filter: /doc
params: params:
- "alias /var/www/constellation-doc/" - alias /var/www/constellation-doc/
- filter: "/" - filter: /
params: params:
- "uwsgi_pass constellation" - uwsgi_pass constellation
- "include /etc/nginx/uwsgi_params" - include /etc/nginx/uwsgi_params
upstreams: upstreams:
- name: 'constellation' - name: constellation
server: 'unix:///var/run/uwsgi/app/constellation/constellation.sock' server: unix:///var/run/uwsgi/app/constellation/constellation.sock


@ -1,9 +1,8 @@
--- ---
glob_dhcp: glob_dhcp:
global_options: global_options:
- {key: "interface-mtu", value: "1500"} - { key: interface-mtu, value: "1500" }
global_parameters: [] global_parameters: []
glob_service_dhcp: glob_service_dhcp:
name: dhcp name: dhcp
install_dir: /var/local/services/dhcp install_dir: /var/local/services/dhcp


@ -1,23 +1,23 @@
--- ---
glob_django_cas: glob_django_cas:
repo: 'http://gitlab.adm.crans.org/nounous/django-cas.git' repo: http://gitlab.adm.crans.org/nounous/django-cas.git
path: '/var/local/django-cas' path: /var/local/django-cas
ldap: ldap:
dn: 'cn=Utilisateurs,dc=crans,dc=org' dn: cn=Utilisateurs,dc=crans,dc=org
password: "{{ vault.cas.ldap.password }}" password: "{{ vault.cas.ldap.password }}"
user: 'cn=cas,ou=service-users,dc=crans,dc=org' user: cn=cas,ou=service-users,dc=crans,dc=org
server: 172.16.10.157 server: 172.16.10.157
db: db:
host: tealc.adm.crans.org host: tealc.adm.crans.org
password: "{{ vault.cas.database.password }}" password: "{{ vault.cas.database.password }}"
secret_key: "{{ vault.cas.secret_key }}" secret_key: "{{ vault.cas.secret_key }}"
mail: mail:
address: 'root@crans.org' address: root@crans.org
host: "{{ query('ldap', 'ip', 'redisdead', 'adm') | ansible.utils.ipv4 | first }}" host: "{{ query('ldap', 'ip', 'redisdead', 'adm') | ansible.utils.ipv4 | first }}"
port: 25 port: 25
loc_nginx: loc_nginx:
service_name: "cas" service_name: cas
ssl: [] ssl: []
servers: servers:
- server_name: - server_name:
@ -29,16 +29,16 @@ loc_nginx:
- auth.adm.crans.org - auth.adm.crans.org
default: true default: true
locations: locations:
- filter: "/cas" - filter: /cas
params: params:
- "rewrite ^/cas$ / redirect" - rewrite ^/cas$ / redirect
- "rewrite ^/cas/(.*)$ /$1 redirect" - rewrite ^/cas/(.*)$ /$1 redirect
- filter: "/static" - filter: /static
params: params:
- "alias /var/local/django-cas/cas/local_static" - alias /var/local/django-cas/cas/local_static
- filter: "/" - filter: /
params: params:
- "uwsgi_pass unix:///var/run/uwsgi/app/cas/socket" - uwsgi_pass unix:///var/run/uwsgi/app/cas/socket
- "include uwsgi_params" - include uwsgi_params


@ -1,24 +1,24 @@
--- ---
glob_bind: glob_bind:
default: default:
format: 'bak.%s' format: bak.%s
zones: zones:
'_acme-challenge.crans.org': _acme-challenge.crans.org:
'_acme-challenge.adm.crans.org': _acme-challenge.adm.crans.org:
'adh.crans.org': {} adh.crans.org: {}
'adm.crans.org': {} adm.crans.org: {}
'cachan-adm.crans.org': {} cachan-adm.crans.org: {}
'crans.eu': {} crans.eu: {}
'crans.fr': {} crans.fr: {}
'crans.org': {} crans.org: {}
'lists.crans.org': {} lists.crans.org: {}
'san.crans.org': {} san.crans.org: {}
'renater.crans.org': {} renater.crans.org: {}
'ens.crans.org': {} ens.crans.org: {}
'lp.crans.org': {} lp.crans.org: {}
'admissibles.crans.org': {} admissibles.crans.org: {}
'76.230.185.in-addr.arpa': {} 76.230.185.in-addr.arpa: {}
'77.230.185.in-addr.arpa': {} 77.230.185.in-addr.arpa: {}
'78.230.185.in-addr.arpa': {} 78.230.185.in-addr.arpa: {}
'79.230.185.in-addr.arpa': {} 79.230.185.in-addr.arpa: {}
'0.0.7.0.c.0.a.2.ip6.arpa': {} 0.0.7.0.c.0.a.2.ip6.arpa: {}
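Review bot: The `_acme-challenge.crans.org` and `_acme-challenge.adm.crans.org` keys still carry no value on the new side, so they load as `null` while every other zone in the mapping is `{}`; any consumer that calls `.get()`, `| combine` or `.items()` on the per-zone options will receive `None` for these two and an empty mapping for the rest. This is inherited from the old side, but a quoting pass over the whole file is the natural moment to make them consistent: `_acme-challenge.crans.org: {}`. Whether the bind templates deliberately treat a null entry differently (for instance to mark dynamic-update zones) cannot be told from this hunk, so confirm against the role before changing it.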


@ -1,9 +1,9 @@
--- ---
glob_dovecot: glob_dovecot:
ldap: ldap:
uri: "ldap://{{ query('ldap', 'ip', 're2o-ldap', 'adm') | ansible.utils.ipv4 | first }}/" uri: ldap://{{ query('ldap', 'ip', 're2o-ldap', 'adm') | ansible.utils.ipv4 | first }}/
dn: 'cn=dovecot,ou=service-users,dc=crans,dc=org' dn: cn=dovecot,ou=service-users,dc=crans,dc=org
pass: "{{ vault.dovecot_dnpass }}" pass: "{{ vault.dovecot_dnpass }}"
users_base: 'cn=Utilisateurs,dc=crans,dc=org' users_base: cn=Utilisateurs,dc=crans,dc=org
home_path: '/home_adh' home_path: /home_adh
inet_listener: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ansible.utils.ipwrap | join(', ') }}" inet_listener: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ansible.utils.ipwrap | join(', ') }}"


@ -1,6 +1,6 @@
--- ---
glob_dropbear: glob_dropbear:
initramfs_ip: "::::{{ ansible_hostname }}:ens2f0:dhcp" initramfs_ip: ::::{{ ansible_hostname }}:ens2f0:dhcp
options: "-I 180 -j -k -p 80 -s" options: -I 180 -j -k -p 80 -s
authorized_keys: authorized_keys:
- "{{ vault.surface.pubkey }}" - "{{ vault.surface.pubkey }}"
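Review bot: `initramfs_ip: ::::{{ ansible_hostname }}:ens2f0:dhcp` and `options: -I 180 -j -k -p 80 -s` now start with `:` and `-`, which YAML accepts as plain scalars only because the following character is not a space; the exception is easy to break on a later edit and a value that opens with four colons is hard to read as a string at all. Keep scalars that begin with an indicator character quoted, as the formatter already does for `"*"` and `"{{ … }}"`: `initramfs_ip: "::::{{ ansible_hostname }}:ens2f0:dhcp"` and `options: "-I 180 -j -k -p 80 -s"`. The same point applies to `- ::1` in the opendkim trust list and to the nginx regex filters `~ ^/(\w+)/$` in the galene section, where a leading `~` is also the null literal and the `\w` backslash survives only because plain scalars are not escape-processed.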


@ -11,7 +11,7 @@ glob_etherpad:
user: crans user: crans
host: pgsql.adm.crans.org host: pgsql.adm.crans.org
name: etherpad name: etherpad
default_pad_text: "Etherpad du Crans.\\n\\nCe pad est vide, à vous de le remplir.\\n\\nhttps:\/\/etherpad.org" default_pad_text: Etherpad du Crans.\n\nCe pad est vide, à vous de le remplir.\n\nhttps://etherpad.org
admin: admin:
user: admin user: admin
password: "{{ vault.etherpad.admin.password }}" password: "{{ vault.etherpad.admin.password }}"
@ -28,7 +28,7 @@ glob_etherpad:
user: crans user: crans
host: pgsql.adm.crans.org host: pgsql.adm.crans.org
name: etherpad_tmp name: etherpad_tmp
default_pad_text: "Etherpad du Crans.\\n\\nCe pad est vide et expirera dans 1 an, à vous de le remplir.\\n\\nhttps:\/\/etherpad.org" default_pad_text: Etherpad du Crans.\n\nCe pad est vide et expirera dans 1 an, à vous de le remplir.\n\nhttps://etherpad.org
admin: admin:
user: admin user: admin
password: "{{ vault.etherpad.admin.password }}" password: "{{ vault.etherpad.admin.password }}"
@ -38,4 +38,4 @@ glob_etherpad:
loop: true loop: true
loop_delay: 86400 # one day, in seconds loop_delay: 86400 # one day, in seconds
delete_at_start: true delete_at_start: true
deleted_text: "Etherpad du Crans.\\n\\nCe pad est vide et expirera dans 1 an, à vous de le remplir.\\n\\nhttps:\/\/etherpad.org" deleted_text: Etherpad du Crans.\n\nCe pad est vide et expirera dans 1 an, à vous de le remplir.\n\nhttps://etherpad.org
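Review bot: The three pad texts (`default_pad_text` twice and `deleted_text`) keep their `\n` as the two characters backslash and n, exactly as the former `\\n` inside double quotes did, because plain scalars are not escape-processed; nothing in the file says so, and the next person to re-quote one of these values with `"` will silently turn them into real newlines. Add a comment above the first occurrence, e.g. `# "\n" below is a literal backslash-n, not a YAML newline; keep these unquoted or single-quoted`. I cannot see the etherpad template from this hunk, so confirm that it does expect the escaped form rather than a real line break.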


@ -5,7 +5,7 @@ glob_framadate:
smtp_server: smtp.adm.crans.org smtp_server: smtp.adm.crans.org
hostname: framadate.crans.org hostname: framadate.crans.org
repo: https://framagit.org/framasoft/framadate/framadate.git repo: https://framagit.org/framasoft/framadate/framadate.git
version: "1.1.16" version: 1.1.16
admin_username: framadate admin_username: framadate
admin_password: "{{ vault.framadate.admin_password }}" admin_password: "{{ vault.framadate.admin_password }}"
db_password: "{{ vault.framadate.db_password }}" db_password: "{{ vault.framadate.db_password }}"
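Review bot: `version: 1.1.16` is only safe because a three-component string never parses as a number; a later bump to a two-component tag such as `1.10` would load as the float `1.1` and the checkout of `repo` on the line above would request the wrong tag. Version, release and tag strings should stay quoted whatever the linter considers unambiguous today: `version: "1.1.16"`.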


@ -5,26 +5,26 @@ service_nginx:
- ssl: crans.org - ssl: crans.org
default: true default: true
server_name: server_name:
- "galene.crans.org" - galene.crans.org
locations: locations:
- filter: "/" - filter: /
params: params:
- "include /etc/nginx/snippets/options-proxypass.conf" - include /etc/nginx/snippets/options-proxypass.conf
- "proxy_pass http://localhost:8443" - proxy_pass http://localhost:8443
- filter: "~ ^/(\\w+)/$" - filter: ~ ^/(\w+)/$
params: params:
- "return 302 https://$host/group/$1" - return 302 https://$host/group/$1
- ssl: crans.org - ssl: crans.org
server_name: server_name:
- "neree.crans.org" - neree.crans.org
locations: locations:
- filter: "/" - filter: /
params: params:
- "include /etc/nginx/snippets/options-proxypass.conf" - include /etc/nginx/snippets/options-proxypass.conf
- "proxy_pass http://localhost:8443" - proxy_pass http://localhost:8443
- filter: "~ ^/(\\w+)/$" - filter: ~ ^/(\w+)/$
params: params:
- "return 302 https://$host/group/$1" - return 302 https://$host/group/$1


@ -1,21 +1,21 @@
--- ---
glob_gitlab: glob_gitlab:
url: 'https://gitlab.crans.org' url: https://gitlab.crans.org
time_zone: 'Europe/Paris' time_zone: Europe/Paris
email: 'gitlab@crans.org' email: gitlab@crans.org
email_display_name: 'Crans GitLab' email_display_name: Crans GitLab
ldap: ldap:
label: 'Crans' label: Crans
host: "{{ query('ldap', 'ip', 're2o-ldap', 'adm') | first }}" host: "{{ query('ldap', 'ip', 're2o-ldap', 'adm') | first }}"
port: 389 port: 389
uid: 'uid' uid: uid
bind_dn: 'cn=gitlab,ou=service-users,dc=crans,dc=org' bind_dn: cn=gitlab,ou=service-users,dc=crans,dc=org
bind_password: "{{ vault.gitlab.ldap.bind_password }}" bind_password: "{{ vault.gitlab.ldap.bind_password }}"
base: 'cn=Utilisateurs,dc=crans,dc=org' base: cn=Utilisateurs,dc=crans,dc=org
user_filter: '(&(!(shadowExpire=0))(uid=*))' user_filter: (&(!(shadowExpire=0))(uid=*))
cas_name: 'cas3' cas_name: cas3
cas_label: 'CAS Cr@ns' cas_label: CAS Cr@ns
cas_url: 'https://cas.crans.org' cas_url: https://cas.crans.org
smtp: smtp:
address: "{{ query('ldap', 'ip', 'redisdead', 'adm') | first }}" address: "{{ query('ldap', 'ip', 'redisdead', 'adm') | first }}"
port: 25 port: 25


@ -3,10 +3,10 @@ glob_grafana:
root_url: https://grafana.crans.org root_url: https://grafana.crans.org
ldap_base: "{{ glob_ldap.base }}" ldap_base: "{{ glob_ldap.base }}"
ldap_master_ipv4: "{{ glob_ldap.servers[0] }}" ldap_master_ipv4: "{{ glob_ldap.servers[0] }}"
ldap_user_tree: "ou=passwd,{{ glob_ldap.base }}" ldap_user_tree: ou=passwd,{{ glob_ldap.base }}
ldap_group_tree: "ou=group,{{ glob_ldap.base }}" ldap_group_tree: ou=group,{{ glob_ldap.base }}
ldap_group_filter: "uid" ldap_group_filter: uid
ldap_group_admin: "cn=_nounou,ou=group,{{ glob_ldap.base }}" ldap_group_admin: cn=_nounou,ou=group,{{ glob_ldap.base }}
ldap_group_editor: "*" # Everyone is editor ldap_group_editor: "*" # Everyone is editor
logos: logos:
@ -14,4 +14,4 @@ logos:
where: /usr/share/grafana/public/img/grafana_icon.svg where: /usr/share/grafana/public/img/grafana_icon.svg
owner: root owner: root
group: root group: root
mode: '0644' mode: "0644"


@ -1,6 +1,6 @@
--- ---
glob_horde: glob_horde:
secret: '{{ vault.horde.secret }}' secret: "{{ vault.horde.secret }}"
imap: imap.adm.crans.org imap: imap.adm.crans.org
smtp: smtp.adm.crans.org smtp: smtp.adm.crans.org
maildomain: crans.org maildomain: crans.org


@ -2,23 +2,22 @@
# We use embedded Jitsi configuration # We use embedded Jitsi configuration
loc_nginx: loc_nginx:
servers: [] servers: []
glob_jitsi: glob_jitsi:
ip: "{{ query('ldap', 'ip', ansible_hostname, 'srv') }}" ip: "{{ query('ldap', 'ip', ansible_hostname, 'srv') }}"
hostname: "{{ ansible_hostname }}.crans.org" hostname: "{{ ansible_hostname }}.crans.org"
configuration: configuration:
- "liveStreamingEnabled" - liveStreamingEnabled
- "prejoinPageEnabled" - prejoinPageEnabled
logos: logos:
- which: crans_logo_white.svg - which: crans_logo_white.svg
where: /usr/share/jitsi-meet/images/watermark.svg where: /usr/share/jitsi-meet/images/watermark.svg
owner: root owner: root
group: root group: root
mode: '0644' mode: "0644"
- which: crans_favicon.ico - which: crans_favicon.ico
where: /usr/share/jitsi-meet/images/favicon.ico where: /usr/share/jitsi-meet/images/favicon.ico
owner: root owner: root
group: root group: root
mode: '0644' mode: "0644"


@ -14,29 +14,26 @@ glob_keepalived:
- vlan: via - vlan: via
ipv4: 138.195.159.250/30 ipv4: 138.195.159.250/30
ipv6: ipv6:
- {ip: '2a0c:b641:2f3::2/64', scope: 'global'} - { ip: 2a0c:b641:2f3::2/64, scope: global }
- vlan: aurore - vlan: aurore
ipv4: 185.230.79.253/29 ipv4: 185.230.79.253/29
ipv6: ipv6:
- {ip: '2a0c:700:28::1/64', scope: 'global'} - { ip: 2a0c:700:28::1/64, scope: global }
- vlan: srv - vlan: srv
ipv4: 185.230.79.62/26 ipv4: 185.230.79.62/26
ipv6: ipv6:
- {ip: '2a0c:700:2::ff:fe00:9902/64', scope: 'global'} - { ip: 2a0c:700:2::ff:fe00:9902/64, scope: global }
- {ip: 'fe80::1/64', scope: 'link'} - { ip: fe80::1/64, scope: link }
- vlan: srv_nat - vlan: srv_nat
ipv4: 172.16.3.99/24 ipv4: 172.16.3.99/24
ipv6: ipv6:
- {ip: '2a0c:700:3::ff:fe00:9903/64', scope: 'global'} - { ip: 2a0c:700:3::ff:fe00:9903/64, scope: global }
- {ip: 'fe80::1/64', scope: 'link'} - { ip: fe80::1/64, scope: link }
- vlan: adh - vlan: adh
ipv4: 185.230.78.99/24 ipv4: 185.230.78.99/24
ipv6: ipv6:
- {ip: '2a0c:700:12::ff:fe00:9912/48', scope: 'global'} - { ip: 2a0c:700:12::ff:fe00:9912/48, scope: global }
- {ip: 'fe80::1/64', scope: 'link'} - { ip: fe80::1/64, scope: link }
# - vlan: ens
# ipv4: 100.84.0.99/16
# ipv6: 2a0c:700:54::ff:fe00:9954/48
glob_service_keepalived: glob_service_keepalived:
name: keepalived name: keepalived
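Review bot: The IPv6 addresses inside the flow mappings (`- { ip: 2a0c:b641:2f3::2/64, scope: global }` and the six similar lines above) are now plain scalars containing `:` in flow context, which, as far as I recall, PyYAML only accepts since 5.1; earlier releases reject a colon inside a flow-context plain scalar with a scanner error, whereas the same strings are unambiguous in block context, so the risk is specific to the `{ … }` form. For a VRRP address list I would not depend on the parser version of whichever control host runs the play: restore the quotes, `- { ip: "2a0c:b641:2f3::2/64", scope: global }`, or move these entries to block style where no quoting is needed.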


@ -1,4 +1,4 @@
--- ---
glob_linx: glob_linx:
siteurl: "https://linx.crans.org/" siteurl: https://linx.crans.org/
name: "CRANS Linx" name: CRANS Linx


@ -3,83 +3,83 @@ loc_nginx:
service_name: mailman3 service_name: mailman3
upstreams: upstreams:
- name: mailman3 - name: mailman3
server: "unix:/run/mailman3-web/uwsgi.sock fail_timeout=0" server: unix:/run/mailman3-web/uwsgi.sock fail_timeout=0
servers: servers:
- ssl: false - ssl: false
server_name: server_name:
- "localhost" - localhost
locations: locations:
- filter: "/" - filter: /
params: params:
- "uwsgi_pass mailman3" - uwsgi_pass mailman3
- "include /etc/nginx/uwsgi_params" - include /etc/nginx/uwsgi_params
- ssl: false - ssl: false
default: true default: true
server_name: server_name:
- "lists.crans.org" - lists.crans.org
locations: locations:
- filter: "/" - filter: /
params: params:
- "uwsgi_pass mailman3" - uwsgi_pass mailman3
- "include /etc/nginx/uwsgi_params" - include /etc/nginx/uwsgi_params
- "satisfy any" - satisfy any
- "allow 185.230.76.0/22" - allow 185.230.76.0/22
- "allow 2a0c:700:0::/40" - allow 2a0c:700:0::/40
- "deny all" - deny all
- "auth_basic \"On n'aime pas les spambots, donc on a mis un mot de passe. Le login est Stop et le mot de passe est Spam.\"" - auth_basic "On n'aime pas les spambots, donc on a mis un mot de passe. Le login est Stop et le mot de passe est Spam."
- "auth_basic_user_file /etc/nginx/passwd" - auth_basic_user_file /etc/nginx/passwd
- "error_page 401 /error/401.html" - error_page 401 /error/401.html
- filter: "/mailman3/static" - filter: /mailman3/static
params: params:
- "alias /var/lib/mailman3/web/static" - alias /var/lib/mailman3/web/static
- filter: "/mailman3/static/favicon.ico" - filter: /mailman3/static/favicon.ico
params: params:
- "alias /var/lib/mailman3/web/static/postorius/img/favicon.ico" - alias /var/lib/mailman3/web/static/postorius/img/favicon.ico
- filter: "/error/" - filter: /error/
params: params:
- "internal" - internal
- "alias /var/www/html/" - alias /var/www/html/
- filter: "/robots.txt" - filter: /robots.txt
params: params:
- "alias /var/www/robots.txt" - alias /var/www/robots.txt
auth_passwd: auth_passwd:
Stop: "$apr1$NXaV5H7Q$J3ora3Jo5h775Y1nm93PN1" # Spam Stop: $apr1$NXaV5H7Q$J3ora3Jo5h775Y1nm93PN1 # Spam
deploy_robots_file: true deploy_robots_file: true
glob_mailman3: glob_mailman3:
site_owner: root@crans.org site_owner: root@crans.org
database: database:
user: "mailman3" user: mailman3
pass: "{{ vault.mailman3.database.pass }}" pass: "{{ vault.mailman3.database.pass }}"
host: "{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}" host: "{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}"
port: 5432 port: 5432
name: "mailman3" name: mailman3
web_database: web_database:
user: "mailman3web" user: mailman3web
pass: "{{ vault.mailman3.web_database.pass }}" pass: "{{ vault.mailman3.web_database.pass }}"
host: "{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}" host: "{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}"
port: 5432 port: 5432
name: "mailman3web" name: mailman3web
restadmin_pass: "{{ vault.mailman3.restadmin_pass }}" restadmin_pass: "{{ vault.mailman3.restadmin_pass }}"
archiver_key: "{{ vault.mailman3.archiver_key }}" archiver_key: "{{ vault.mailman3.archiver_key }}"
web_secret_key: "{{ vault.mailman3.web_secret_key }}" web_secret_key: "{{ vault.mailman3.web_secret_key }}"
web_domains: web_domains:
- "lists.crans.org" - lists.crans.org
default_domain: "lists.crans.org" default_domain: lists.crans.org
postfix_domain: "crans.org" postfix_domain: crans.org
loc_opendkim: loc_opendkim:
domain: "lists.crans.org" domain: lists.crans.org
selector: "lists" selector: lists
signing: signing:
- "*@lists.crans.org" - "*@lists.crans.org"
sender_headers: "List-Post,Sender,From" sender_headers: List-Post,Sender,From
txt_record: | txt_record: |
lists._domainkey IN TXT "v=DKIM1; h=sha256; k=rsa; p=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" ; ----- DKIM key lists for lists.crans.org lists._domainkey IN TXT "v=DKIM1; h=sha256; k=rsa; p=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" ; ----- DKIM key lists for lists.crans.org
private_key: "{{ vault.opendkim['lists.crans.org'].private_key }}" private_key: "{{ vault.opendkim['lists.crans.org'].private_key }}"
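Review bot: `- auth_basic "On n'aime pas les spambots, …"` is now a plain scalar whose only protection is that the French sentence contains neither ` #` nor `: `; the next edit that adds either (a parenthetical remark, a `Login: Stop` hint) would silently truncate the directive or fail to parse, and yamllint will not warn. Nginx directives that carry free text are worth leaving quoted — the previous `"auth_basic \"…\""` form or a `>-` block scalar — even where the formatter strips quotes elsewhere in the file.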


@ -10,17 +10,17 @@ glob_ftpsync:
targets: targets:
- name: main - name: main
dest: debian dest: debian
cron_time: "25 1,13" cron_time: 25 1,13
rsync_host: ftp.fr.debian.org rsync_host: ftp.fr.debian.org
rsync_path: debian rsync_path: debian
- name: security - name: security
dest: debian-security dest: debian-security
cron_time: "40 *" cron_time: 40 *
rsync_host: ftp.fr.debian.org rsync_host: ftp.fr.debian.org
rsync_path: debian-security rsync_path: debian-security
- name: ubuntu - name: ubuntu
dest: ubuntu dest: ubuntu
cron_time: "43 5,17" cron_time: 43 5,17
rsync_host: fr.archive.ubuntu.com rsync_host: fr.archive.ubuntu.com
rsync_path: ubuntu rsync_path: ubuntu
@ -29,49 +29,49 @@ glob_rsync_mirror:
targets: targets:
- name: videolan - name: videolan
dest: videolan dest: videolan
cron_time: "03 10,14,18,22,2,6" cron_time: 03 10,14,18,22,2,6
rsync_host: rsync.videolan.org rsync_host: rsync.videolan.org
rsync_path: videolan-ftp rsync_path: videolan-ftp
- name: debian - name: debian
dest: distributions/linux/debian dest: distributions/linux/debian
cron_time: "00 5" cron_time: 00 5
rsync_host: cdimage.debian.org rsync_host: cdimage.debian.org
rsync_path: cdimage/release rsync_path: cdimage/release
- name: debian-cloud - name: debian-cloud
dest: distributions/linux/debian/cloud dest: distributions/linux/debian/cloud
cron_time: "00 5" cron_time: 00 5
rsync_host: cdimage.debian.org rsync_host: cdimage.debian.org
rsync_path: cdimage/cloud/OpenStack rsync_path: cdimage/cloud/OpenStack
exclude: exclude:
- archive - archive
- name: ubuntu - name: ubuntu
dest: distributions/linux/ubuntu dest: distributions/linux/ubuntu
cron_time: "00 5" cron_time: 00 5
rsync_host: cdimage.ubuntu.com rsync_host: cdimage.ubuntu.com
rsync_path: cdimage/releases rsync_path: cdimage/releases
- name: xubuntu - name: xubuntu
dest: distributions/linux/xubuntu dest: distributions/linux/xubuntu
cron_time: "00 5" cron_time: 00 5
rsync_host: cdimage.ubuntu.com rsync_host: cdimage.ubuntu.com
rsync_path: cdimage/xubuntu/releases rsync_path: cdimage/xubuntu/releases
- name: kubuntu - name: kubuntu
dest: distributions/linux/kubuntu dest: distributions/linux/kubuntu
cron_time: "00 5" cron_time: 00 5
rsync_host: cdimage.ubuntu.com rsync_host: cdimage.ubuntu.com
rsync_path: cdimage/kubuntu/releases rsync_path: cdimage/kubuntu/releases
- name: lubuntu - name: lubuntu
dest: distributions/linux/lubuntu dest: distributions/linux/lubuntu
cron_time: "00 5" cron_time: 00 5
rsync_host: cdimage.ubuntu.com rsync_host: cdimage.ubuntu.com
rsync_path: cdimage/lubuntu/releases rsync_path: cdimage/lubuntu/releases
- name: ubuntu-mate - name: ubuntu-mate
dest: distributions/linux/ubuntu-mate dest: distributions/linux/ubuntu-mate
cron_time: "00 5" cron_time: 00 5
rsync_host: cdimage.ubuntu.com rsync_host: cdimage.ubuntu.com
rsync_path: cdimage/ubuntu-mate/releases rsync_path: cdimage/ubuntu-mate/releases
- name: archlinux - name: archlinux
dest: archlinux dest: archlinux
cron_time: "08 3,15" cron_time: 08 3,15
rsync_host: archlinux.polymorf.fr rsync_host: archlinux.polymorf.fr
rsync_path: archlinux/ rsync_path: archlinux/


@ -1,7 +1,7 @@
--- ---
glob_nginx: glob_nginx:
contact: contact@crans.org contact: contact@crans.org
who: "L'équipe technique du Cr@ns" who: L'équipe technique du Cr@ns
service_name: service service_name: service
ssl: ssl:
# Add adm.crans.org if necessary # Add adm.crans.org if necessary
@ -13,20 +13,19 @@ glob_nginx:
- ssl: false # Replace by crans.org or adm.crans.org - ssl: false # Replace by crans.org or adm.crans.org
default: true default: true
server_name: server_name:
- "default" - default
- "_" - _
root: "/var/www/html" root: /var/www/html
locations: locations:
- filter: "/" - filter: /
params: [] params: []
additional_params: [] additional_params: []
upstreams: [] upstreams: []
auth_passwd: [] auth_passwd: []
default_server: default_server:
default_ssl_server: default_ssl_server:
default_ssl_domain: crans.org default_ssl_domain: crans.org
real_ip_from: real_ip_from:
- "172.16.0.0/16" - 172.16.0.0/16
- "fd00::/56" - fd00::/56
deploy_robots_file: false deploy_robots_file: false


@ -1,21 +1,21 @@
--- ---
glob_opendkim: glob_opendkim:
domain: "crans.org" domain: crans.org
selector: "mail" selector: mail
signing: signing:
- "*@crans.org" - "*@crans.org"
- "*@crans.fr" - "*@crans.fr"
- "*@crans.eu" - "*@crans.eu"
trust: trust:
- "localhost" - localhost
- "127.0.0.1" - 127.0.0.1
- "::1" - ::1
- "185.230.79.0/26" - 185.230.79.0/26
- "172.16.3.0/24" - 172.16.3.0/24
- "172.16.10.0/24" - 172.16.10.0/24
- "2a0c:700:0:2::/64" - 2a0c:700:0:2::/64
- "2a0c:700:0:3::/64" - 2a0c:700:0:3::/64
- "2a0c:700:0:10::/64" - 2a0c:700:0:10::/64
- "*.crans.org" - "*.crans.org"
- "*.crans.fr" - "*.crans.fr"
- "*.crans.eu" - "*.crans.eu"


@ -4,29 +4,29 @@ glob_printer:
admins: admins:
- ('Root', 'root@crans.org') - ('Root', 'root@crans.org')
allowed_hosts: allowed_hosts:
- 'helloworld.crans.org' - helloworld.crans.org
- 'imprimante.crans.org' - imprimante.crans.org
email: email:
ssl: false ssl: false
host: "{{ query('ldap', 'ip', 'redisdead', 'adm') | ansible.utils.ipv4 | first }}" host: "{{ query('ldap', 'ip', 'redisdead', 'adm') | ansible.utils.ipv4 | first }}"
port: 25 port: 25
user: '' user: ""
password: '' password: ""
from: "root@crans.org" from: root@crans.org
from_full: "Crans <root@crans.org>" from_full: Crans <root@crans.org>
database: database:
host: "{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}" host: "{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}"
port: 5432 port: 5432
user: 'helloworld' user: helloworld
password: "{{ vault.printer.django_db_password }}" password: "{{ vault.printer.django_db_password }}"
name: 'helloworld' name: helloworld
note: note:
url: 'https://note.crans.org/' url: https://note.crans.org/
client_id: '{{ vault.printer.note.client_id }}' client_id: "{{ vault.printer.note.client_id }}"
client_secret: '{{ vault.printer.note.client_secret }}' client_secret: "{{ vault.printer.note.client_secret }}"
note_id: 2088 note_id: 2088
note_alias: 'Crans' note_alias: Crans
printer_name: 'Lexmark_X950_Series' printer_name: Lexmark_X950_Series
domain: "{{ query('ldap', 'ip', 'printer', 'lp') | ansible.utils.ipv4 | first }}" domain: "{{ query('ldap', 'ip', 'printer', 'lp') | ansible.utils.ipv4 | first }}"
scan_server: scan_server:
address: "{{ query('ldap', 'ip', ansible_hostname, 'lp') | ansible.utils.ipv4 | first }}" address: "{{ query('ldap', 'ip', ansible_hostname, 'lp') | ansible.utils.ipv4 | first }}"
@ -38,7 +38,7 @@ glob_printer:
settings_local_owner: www-data settings_local_owner: www-data
settings_local_group: _nounou settings_local_group: _nounou
ldap: ldap:
uri: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/" uri: ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/
dn_template: uid=%(user)s,ou=passwd,dc=crans,dc=org dn_template: uid=%(user)s,ou=passwd,dc=crans,dc=org
group_search: ou=group,dc=crans,dc=org group_search: ou=group,dc=crans,dc=org
read_group: cn=_user,ou=group,dc=crans,dc=org read_group: cn=_user,ou=group,dc=crans,dc=org
@ -51,28 +51,28 @@ loc_nginx:
- ssl: false - ssl: false
default: true default: true
server_name: server_name:
- "helloworld.crans.org" - helloworld.crans.org
- "imprimante.crans.org" - imprimante.crans.org
additional_params: additional_params:
- "client_max_body_size 100M" - client_max_body_size 100M
locations: locations:
- filter: "/static" - filter: /static
params: params:
- "alias /var/lib/django-printer/static/" - alias /var/lib/django-printer/static/
- filter: "/protected/files" - filter: /protected/files
params: params:
- "internal" - internal
- "alias /var/lib/django-printer/files/" - alias /var/lib/django-printer/files/
- filter: "/doc" - filter: /doc
params: params:
- "alias /var/www/django-printer-doc/" - alias /var/www/django-printer-doc/
- filter: "/" - filter: /
params: params:
- "uwsgi_pass printer" - uwsgi_pass printer
- "include /etc/nginx/uwsgi_params" - include /etc/nginx/uwsgi_params
upstreams: upstreams:
- name: 'printer' - name: printer
server: 'unix:///var/run/uwsgi/app/django-printer/socket' server: unix:///var/run/uwsgi/app/django-printer/socket


@ -1,6 +1,5 @@
--- ---
glob_prometheus: {} glob_prometheus: {}
glob_ninjabot: glob_ninjabot:
config: config:
nick: monitoring nick: monitoring


@ -2,23 +2,23 @@
glob_freeradius: glob_freeradius:
realm: crans realm: crans
proxy_to: FEDEREZ proxy_to: FEDEREZ
infra_switch: "172.16.33.0/24" infra_switch: 172.16.33.0/24
infra_bornes: "172.16.34.0/24" infra_bornes: 172.16.34.0/24
secret_switch: "{{ vault.radius.secret.switch }}" secret_switch: "{{ vault.radius.secret.switch }}"
secret_bornes: "{{ vault.radius.secret.bornes }}" secret_bornes: "{{ vault.radius.secret.bornes }}"
delegations: delegations:
- name: parangon - name: parangon
ipv4: 185.230.78.47 ipv4: 185.230.78.47
ipv6: 2a0c:700:12:0:67:e5ff:fee9:5 ipv6: 2a0c:700:12:0:67:e5ff:fee9:5
secret: '{{ vault.radius.secret.federez }}' secret: "{{ vault.radius.secret.federez }}"
server: radius-wifi server: radius-wifi
- name: dodecagon - name: dodecagon
ipv4: 195.154.165.76 ipv4: 195.154.165.76
ipv6: 2001:bc8:273e::1 ipv6: 2001:bc8:273e::1
secret: '{{ vault.radius.secret.federez }}' secret: "{{ vault.radius.secret.federez }}"
server: radius-wifi server: radius-wifi
loc_certbot: loc_certbot:
- mail: root@crans.org - mail: root@crans.org
certname: crans.org certname: crans.org
domains: "crans.org" domains: crans.org


@ -5,20 +5,20 @@ glob_re2o:
admins: admins:
- ('Root', 'root@crans.org') - ('Root', 'root@crans.org')
allowed_hosts: allowed_hosts:
- 're2o.adm.crans.org' - re2o.adm.crans.org
- 'intranet.adm.crans.org' - intranet.adm.crans.org
- 're2o.crans.org' - re2o.crans.org
- 'intranet.crans.org' - intranet.crans.org
- '172.16.10.156' - 172.16.10.156
from_email: "root@crans.org" from_email: root@crans.org
smtp_server: smtp.adm.crans.org smtp_server: smtp.adm.crans.org
ldap: ldap:
master_password: "{{ vault.slapd.re2o.admin.bindpass }}" master_password: "{{ vault.slapd.re2o.admin.bindpass }}"
uri: "ldap://re2o-ldap.adm.crans.org/" uri: ldap://re2o-ldap.adm.crans.org/
dn: "{{ vault.slapd.re2o.admin.binddn }}" dn: "{{ vault.slapd.re2o.admin.binddn }}"
database: database:
password: "{{ vault.re2o.database.password }}" password: "{{ vault.re2o.database.password }}"
uri: "172.16.10.1" uri: 172.16.10.1
optional_apps: optional_apps:
- api - api
- captcha - captcha


@ -15,19 +15,19 @@ service_nginx:
- ssl: false - ssl: false
server_name: "{{ re2o_front.server_names }}" server_name: "{{ re2o_front.server_names }}"
locations: locations:
- filter: "/static" - filter: /static
params: params:
- "alias /var/www/re2o/static_files/" - alias /var/www/re2o/static_files/
- filter: "/javascript" - filter: /javascript
params: params:
- "alias /usr/share/javascript/" - alias /usr/share/javascript/
- filter: "/media" - filter: /media
params: params:
- "alias /var/www/re2o/media/" - alias /var/www/re2o/media/
- filter: "/" - filter: /
params: params:
- "uwsgi_pass re2o" - uwsgi_pass re2o
- "include /etc/nginx/uwsgi_params" - include /etc/nginx/uwsgi_params
upstreams: upstreams:
- name: re2o - name: re2o
server: unix:///var/run/uwsgi/app/re2o/re2o.sock server: unix:///var/run/uwsgi/app/re2o/re2o.sock


@ -1,7 +1,7 @@
--- ---
glob_re2o_ldap: glob_re2o_ldap:
suffix: dc=crans,dc=org suffix: dc=crans,dc=org
url: "ldaps://{{ query('ldap', 'ip', 'yson-partou', 'adm') | ansible.utils.ipv4 | first }}:636" url: ldaps://{{ query('ldap', 'ip', 'yson-partou', 'adm') | ansible.utils.ipv4 | first }}:636
root_password_hash: "{{ vault.slapd.re2o.admin.bindpass_hash }}" root_password_hash: "{{ vault.slapd.re2o.admin.bindpass_hash }}"
certificate: "{{ vault.slapd.re2o.certificate }}" certificate: "{{ vault.slapd.re2o.certificate }}"
private_key: "{{ vault.slapd.re2o.private_key }}" private_key: "{{ vault.slapd.re2o.private_key }}"


@ -2,11 +2,11 @@
loc_certbot: loc_certbot:
- mail: root@crans.org - mail: root@crans.org
certname: crans.org certname: crans.org
domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu" domains: crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu
loc_service_certbot: loc_service_certbot:
config: config:
"crans.org": crans.org:
zone: _acme-challenge.crans.org zone: _acme-challenge.crans.org
server: 172.16.10.147 server: 172.16.10.147
port: 53 port: 53
@ -14,7 +14,7 @@ loc_service_certbot:
name: certbot_challenge. name: certbot_challenge.
secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}" secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
algorithm: HMAC-SHA512 algorithm: HMAC-SHA512
"crans.eu": crans.eu:
zone: _acme-challenge.crans.org zone: _acme-challenge.crans.org
server: 172.16.10.147 server: 172.16.10.147
port: 53 port: 53
@ -22,7 +22,7 @@ loc_service_certbot:
name: certbot_challenge. name: certbot_challenge.
secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}" secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
algorithm: HMAC-SHA512 algorithm: HMAC-SHA512
"crans.fr": crans.fr:
zone: _acme-challenge.crans.org zone: _acme-challenge.crans.org
server: 172.16.10.147 server: 172.16.10.147
port: 53 port: 53
@ -39,7 +39,6 @@ loc_nginx:
cert_key: /etc/letsencrypt/live/crans.org/privkey.pem cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
glob_reverseproxy: glob_reverseproxy:
redirect_dnames: redirect_dnames:
- crans.eu - crans.eu
@ -47,54 +46,51 @@ glob_reverseproxy:
reverseproxy_sites: reverseproxy_sites:
# Services web Crans # Services web Crans
- {from: belenios.crans.org, to: 172.16.10.111} - { from: belenios.crans.org, to: 172.16.10.111 }
- {from: cas.crans.org, to: 172.16.10.120} - { from: cas.crans.org, to: 172.16.10.120 }
- {from: constellation-dev.crans.org, to: 172.16.10.167} - { from: constellation-dev.crans.org, to: 172.16.10.167 }
- {from: eclats.crans.org, to: 172.16.10.104} - { from: eclats.crans.org, to: 172.16.10.104 }
- {from: ftps.crans.org, to: 172.16.10.113} - { from: ftps.crans.org, to: 172.16.10.113 }
- {from: ethercalc.crans.org, to: "172.16.10.133:8000"} - { from: ethercalc.crans.org, to: 172.16.10.133:8000 }
- {from: framadate.crans.org, to: 172.16.10.109} - { from: framadate.crans.org, to: 172.16.10.109 }
- {from: galene-token.crans.org, to: "172.16.10.115:3000"} - { from: galene-token.crans.org, to: 172.16.10.115:3000 }
- {from: grafana.crans.org, to: "172.16.10.121:3000"} - { from: grafana.crans.org, to: 172.16.10.121:3000 }
- {from: hedgedoc.crans.org, to: "172.16.10.128:3000"} - { from: hedgedoc.crans.org, to: 172.16.10.128:3000 }
- {from: helloworld.crans.org, to: 172.16.10.131} - { from: helloworld.crans.org, to: 172.16.10.131 }
- {from: horde.crans.org, to: 172.16.10.108} - { from: horde.crans.org, to: 172.16.10.108 }
- {from: imprimante.crans.org, to: 172.16.10.131} - { from: imprimante.crans.org, to: 172.16.10.131 }
- {from: intranet.crans.org, to: 172.16.10.156} - { from: intranet.crans.org, to: 172.16.10.156 }
- {from: linx.crans.org, to: "172.16.10.119:8080"} - { from: linx.crans.org, to: 172.16.10.119:8080 }
- {from: lists.crans.org, to: 172.16.10.110} - { from: lists.crans.org, to: 172.16.10.110 }
- {from: matrix.crans.org, to: "172.16.10.123:8008"} - { from: matrix.crans.org, to: 172.16.10.123:8008 }
- {from: mirrors.crans.org, to: 172.16.10.104} - { from: mirrors.crans.org, to: 172.16.10.104 }
- {from: owncloud.crans.org, to: 172.16.10.136} - { from: owncloud.crans.org, to: 172.16.10.136 }
- {from: pad.crans.org, to: "172.16.10.130:9001"} - { from: pad.crans.org, to: 172.16.10.130:9001 }
- {from: re2o.crans.org, to: 172.16.10.156} - { from: re2o.crans.org, to: 172.16.10.156 }
- {from: re2o-dev.crans.org, to: 172.16.10.166} - { from: re2o-dev.crans.org, to: 172.16.10.166 }
- {from: roundcube.crans.org, to: 172.16.10.107} - { from: roundcube.crans.org, to: 172.16.10.107 }
- {from: tmpad.crans.org, to: "172.16.10.130:9002"} - { from: tmpad.crans.org, to: 172.16.10.130:9002 }
- {from: webirc.crans.org, to: "172.16.10.31:9000"} - { from: webirc.crans.org, to: 172.16.10.31:9000 }
- {from: webmail.crans.org, to: 172.16.10.108} - { from: webmail.crans.org, to: 172.16.10.108 }
- {from: wiki.crans.org, to: 172.16.10.161} - { from: wiki.crans.org, to: 172.16.10.161 }
- {from: zero.crans.org, to: 172.16.10.130} - { from: zero.crans.org, to: 172.16.10.130 }
- {from: hosts.crans.org, to: 172.16.10.114} - { from: hosts.crans.org, to: 172.16.10.114 }
# Zamok # Zamok
- {from: amap.crans.org, to: 172.16.10.31} - { from: amap.crans.org, to: 172.16.10.31 }
- {from: bonvivens.crans.org, to: 172.16.10.31} - { from: bonvivens.crans.org, to: 172.16.10.31 }
- {from: perso.crans.org, to: 172.16.10.31} - { from: perso.crans.org, to: 172.16.10.31 }
redirect_sites: redirect_sites:
- {from: crans.org, to: www.crans.org} - { from: crans.org, to: www.crans.org }
# Aliases or legacy support # Aliases or legacy support
- {from: adopteunpingouin.crans.org, to: install-party.crans.org} - { from: adopteunpingouin.crans.org, to: install-party.crans.org }
- {from: clubs.crans.org, to: perso.crans.org} - { from: clubs.crans.org, to: perso.crans.org }
- {from: i-p.crans.org, to: install-party.crans.org} - { from: i-p.crans.org, to: install-party.crans.org }
- {from: pot-vieux.crans.org, to: perso.crans.org/club-vieux} - { from: pot-vieux.crans.org, to: perso.crans.org/club-vieux }
# To the wiki # To the wiki
- {from: television.crans.org, to: wiki.crans.org/CransTv} - { from: television.crans.org, to: wiki.crans.org/CransTv }
- {from: tv.crans.org, to: wiki.crans.org/CransTv} - { from: tv.crans.org, to: wiki.crans.org/CransTv }
- {from: wikipedia.crans.org, to: wiki.crans.org} - { from: wikipedia.crans.org, to: wiki.crans.org }
static_sites: static_sites:
- autoconfig.crans.org - autoconfig.crans.org
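Review bot: The `to:` values that carry a port (`172.16.10.133:8000` on the ethercalc line, and the other `host:port` entries of `reverseproxy_sites`) are now plain scalars inside a flow mapping, so they depend on the loader accepting `:` in a flow-context plain scalar. YAML 1.2 and, as far as I recall, PyYAML 5.1 and later do; older PyYAML ends the scalar at the colon and the line either fails to parse or yields a truncated upstream address. The entries without a port are unaffected. Since these values become reverse-proxy upstreams, I would keep the quotes on the ported ones, e.g. `- { from: ethercalc.crans.org, to: "172.16.10.133:8000" }`, and likewise for the two `to: 127.0.0.1:8000` lines in the gitlab `loc_reverseproxy` section further down in this commit.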


@ -7,16 +7,16 @@ glob_roundcube:
mail_domain: crans.org mail_domain: crans.org
des_key: "{{ vault.roundcube.des_key }}" des_key: "{{ vault.roundcube.des_key }}"
plugins: plugins:
- repo: 'https://gitlab.adm.crans.org/nounous/roundcube-intranet.git' - repo: https://gitlab.adm.crans.org/nounous/roundcube-intranet.git
name: intranet name: intranet
version: HEAD version: HEAD
- repo: 'https://gitlab.adm.crans.org/nounous/roundcube-plugin-filters.git' - repo: https://gitlab.adm.crans.org/nounous/roundcube-plugin-filters.git
name: filters name: filters
version: master version: master
- repo: 'https://gitlab.adm.crans.org/nounous/roundcube-plugin-automatic_addressbook.git' - repo: https://gitlab.adm.crans.org/nounous/roundcube-plugin-automatic_addressbook.git
name: automatic_addressbook name: automatic_addressbook
version: 0.4.3 version: 0.4.3
- repo: 'https://gitlab.adm.crans.org/nounous/roundcube-plugin-identity_smtp.git' - repo: https://gitlab.adm.crans.org/nounous/roundcube-plugin-identity_smtp.git
name: identity_smtp name: identity_smtp
version: HEAD version: HEAD
- name: zipdownload - name: zipdownload
@ -32,22 +32,22 @@ glob_roundcube:
classic: https://www.crans.org/images/crans_banner.png classic: https://www.crans.org/images/crans_banner.png
loc_nginx: loc_nginx:
service_name: "roundcube" service_name: roundcube
ssl: [] ssl: []
servers: servers:
- server_name: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ansible.utils.ipwrap + [ansible_hostname, ansible_hostname + '.adm.crans.org'] }}" - server_name: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ansible.utils.ipwrap + [ansible_hostname, ansible_hostname + '.adm.crans.org'] }}"
default: true default: true
root: "/var/lib/roundcube" root: /var/lib/roundcube
locations: locations:
- filter: "~ \\.php$" - filter: ~ \.php$
params: params:
- "include snippets/fastcgi-php.conf" - include snippets/fastcgi-php.conf
- "fastcgi_buffer_size 128k" - fastcgi_buffer_size 128k
- "fastcgi_buffers 4 256k" - fastcgi_buffers 4 256k
- "fastcgi_busy_buffers_size 256k" - fastcgi_busy_buffers_size 256k
- "fastcgi_pass unix:/var/run/php/php7.4-fpm.sock" - fastcgi_pass unix:/var/run/php/php7.4-fpm.sock
- "include fastcgi_params" - include fastcgi_params
additional_params: additional_params:
- "index index.php index.htm index.html" - index index.php index.htm index.html
- "try_files $uri $uri/ /index.php?q=$uri&$args" - try_files $uri $uri/ /index.php?q=$uri&$args
- "client_max_body_size 10G" - client_max_body_size 10G


@ -1,7 +1,7 @@
--- ---
glob_slapd: glob_slapd:
master_ip: "{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}" master_ip: "{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}"
regex: "^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*|description:.*|location:.*)$" regex: ^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*|description:.*|location:.*)$
replication_credentials: "{{ vault.slapd.tealc.replication_credentials }}" replication_credentials: "{{ vault.slapd.tealc.replication_credentials }}"
private_key: "{{ vault.slapd.tealc.private_key }}" private_key: "{{ vault.slapd.tealc.private_key }}"
certificate: "{{ vault.slapd.tealc.certificate }}" certificate: "{{ vault.slapd.tealc.certificate }}"
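Review bot: The `regex:` value is now a plain scalar, and a regular expression is a poor candidate for that: the pattern already contains `:` and `|`, and the next edit that introduces `: `, ` #`, or a leading `[`, `*` or `&` silently changes the loaded value or breaks the document. Restoring the double quotes around the pattern, as the old line had them, costs nothing and keeps the value stable under edits. The vault references in the same hunk stay quoted, which is the right call.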


@ -4,18 +4,18 @@ glob_sssd:
domain: tealc.adm.crans.org domain: tealc.adm.crans.org
enumerate: "true" enumerate: "true"
servers: servers:
- "ldaps://{{ query('ldap','ip','tealc','adm') | ansible.utils.ipv4 | first }}/" - ldaps://{{ query('ldap','ip','tealc','adm') | ansible.utils.ipv4 | first }}/
- "ldaps://{{ query('ldap','ip','sam','adm') | ansible.utils.ipv4 | first }}/" - ldaps://{{ query('ldap','ip','sam','adm') | ansible.utils.ipv4 | first }}/
- "ldaps://{{ query('ldap','ip','daniel','adm') | ansible.utils.ipv4 | first }}/" - ldaps://{{ query('ldap','ip','daniel','adm') | ansible.utils.ipv4 | first }}/
- "ldaps://{{ query('ldap','ip','jack','adm') | ansible.utils.ipv4 | first }}/" - ldaps://{{ query('ldap','ip','jack','adm') | ansible.utils.ipv4 | first }}/
base: "dc=crans,dc=org" base: dc=crans,dc=org
secondary: secondary:
domain: re2o-ldap.adm.crans.org domain: re2o-ldap.adm.crans.org
enumerate: "false" enumerate: "false"
servers: servers:
- "ldaps://{{ query('ldap','ip','re2o-ldap','adm') | ansible.utils.ipv4 | first }}/" - ldaps://{{ query('ldap','ip','re2o-ldap','adm') | ansible.utils.ipv4 | first }}/
- "ldaps://{{ query('ldap','ip','terenez','adm') | ansible.utils.ipv4 | first }}/" - ldaps://{{ query('ldap','ip','terenez','adm') | ansible.utils.ipv4 | first }}/
base: "dc=crans,dc=org" base: dc=crans,dc=org
bind: bind:
dn: "{{ vault.sssd.secondary_ldap.binddn }}" dn: "{{ vault.sssd.secondary_ldap.binddn }}"
passwd: "{{ vault.sssd.secondary_ldap.bindpass }}" passwd: "{{ vault.sssd.secondary_ldap.bindpass }}"


@ -1,7 +1,7 @@
--- ---
glob_thelounge: glob_thelounge:
public: "false" public: "false"
host: "undefined" host: undefined
reverseProxy: "false" reverseProxy: "false"
oidentd: "null" oidentd: "null"
irc: irc:
@ -11,16 +11,16 @@ glob_thelounge:
password: password:
tls: "true" tls: "true"
rejectUnauthorized: "true" rejectUnauthorized: "true"
nick: "thelounge%%" nick: thelounge%%
username: "thelounge" username: thelounge
realname: "The Lounge User" realname: The Lounge User
join: "#general" join: "#general"
ldap_enable: "false" ldap_enable: "false"
ldap: ldap:
url: "ldap://172.16.10.157" url: ldap://172.16.10.157
primaryKey: "cn" primaryKey: cn
rootDN: "{{ vault.thelounge.ldap.rootDN }}" rootDN: "{{ vault.thelounge.ldap.rootDN }}"
rootPassword: "{{ vault.thelounge.ldap.rootPassword }}" rootPassword: "{{ vault.thelounge.ldap.rootPassword }}"
filter: "(objectclass=inetOrgPerson)" filter: (objectclass=inetOrgPerson)
base: "dc=crans,dc=org" base: dc=crans,dc=org
scope: "sub" scope: sub


@ -7,4 +7,4 @@ loc_home_nounou:
name: home_nounou name: home_nounou
owner: root owner: root
group: _user group: _user
mode: '0750' mode: "0750"


@ -2,4 +2,4 @@
loc_service_ssh_known_hosts: loc_service_ssh_known_hosts:
config: config:
ldap: ldap:
server: "ldaps://{{ query('ldap', 'ip', 'ft', 'adm') | ansible.utils.ipv4 | first }}" server: ldaps://{{ query('ldap', 'ip', 'ft', 'adm') | ansible.utils.ipv4 | first }}


@ -1,8 +1,8 @@
--- ---
glob_debian_images: glob_debian_images:
cron_timer: '39 06 * * *' cron_timer: 39 06 * * *
rsync_host: 'eclat.adm.crans.org' rsync_host: eclat.adm.crans.org
rsync_module: 'mirror' rsync_module: mirror
include_extra_images: false include_extra_images: false
glob_service_proxmox_user: glob_service_proxmox_user:
@ -18,9 +18,9 @@ glob_service_proxmox_user:
config: config:
ldap: ldap:
admin: admin:
uri: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/" uri: ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/
userBase: "ou=passwd,dc=crans,dc=org" userBase: ou=passwd,dc=crans,dc=org
realm: "pam" realm: pam
dependencies: dependencies:
- python3-jinja2 - python3-jinja2
- python3-ldap - python3-ldap
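Review bot: `cron_timer: 39 06 * * *` loads only because the schedule does not start with `*`; a cron spec whose first field is `*` becomes an alias reference when left unquoted and the document stops loading. A schedule string should stay quoted regardless of the linter's default, `cron_timer: "39 06 * * *"`. The `ldap.admin.uri` line in the second hunk is fine unquoted, since the Jinja expression is not at the start of the value.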


@ -12,13 +12,13 @@ glob_service_proxmox_user:
config: config:
ldap: ldap:
admin: admin:
uri: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/" uri: ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/
userBase: "ou=passwd,dc=crans,dc=org" userBase: ou=passwd,dc=crans,dc=org
realm: "pam" realm: pam
user: user:
uri: "ldaps://{{ query('ldap', 'ip', 'flirt', 'adm') | ansible.utils.ipv4 | first }}/" uri: ldaps://{{ query('ldap', 'ip', 'flirt', 'adm') | ansible.utils.ipv4 | first }}/
userBase: "ou=users,dc=adh,dc=crans,dc=org" userBase: ou=users,dc=adh,dc=crans,dc=org
realm: "pve" realm: pve
binddn: "{{ vault.ldap_adh_reader.binddn }}" binddn: "{{ vault.ldap_adh_reader.binddn }}"
passwd: "{{ vault.ldap_adh_reader.bindpass }}" passwd: "{{ vault.ldap_adh_reader.bindpass }}"
dependencies: dependencies:


@ -4,4 +4,4 @@ glob_vsftpd_mirror:
cert: /etc/letsencrypt/live/crans.org/cert.pem cert: /etc/letsencrypt/live/crans.org/cert.pem
private_key: /etc/letsencrypt/live/crans.org/privkey.pem private_key: /etc/letsencrypt/live/crans.org/privkey.pem
anonymous: {} anonymous: {}
passive: yes passive: true


@ -8,43 +8,43 @@ loc_nginx:
servers: servers:
- server_name: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ansible.utils.ipwrap + [ansible_hostname, ansible_hostname + '.adm.crans.org'] }}" - server_name: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ansible.utils.ipwrap + [ansible_hostname, ansible_hostname + '.adm.crans.org'] }}"
default: true default: true
access_log: "/var/log/nginx/wiki.log combined" access_log: /var/log/nginx/wiki.log combined
error_log: "/var/log/nginx/wiki.error.log" error_log: /var/log/nginx/wiki.error.log
additional_params: additional_params:
- "rewrite ^/$ $scheme://wiki.crans.org/PageAccueil" - rewrite ^/$ $scheme://wiki.crans.org/PageAccueil
- "client_max_body_size 15M" - client_max_body_size 15M
locations: locations:
- filter: "/wiki/" - filter: /wiki/
params: params:
- "alias /var/local/wiki/htdocs/" - alias /var/local/wiki/htdocs/
- filter: "/robots.txt" - filter: /robots.txt
params: params:
- "alias /var/local/wiki/robots.txt" - alias /var/local/wiki/robots.txt
- filter: "/favicon.ico" - filter: /favicon.ico
params: params:
- "alias /var/local/wiki/favicon.ico" - alias /var/local/wiki/favicon.ico
- filter: "/www-sitemap.xml" - filter: /www-sitemap.xml
params: params:
- "alias /var/local/wiki/www-sitemap.xml" - alias /var/local/wiki/www-sitemap.xml
- filter: "/" - filter: /
params: params:
- "uwsgi_pass unix:///var/run/uwsgi/app/moinmoin/socket" - uwsgi_pass unix:///var/run/uwsgi/app/moinmoin/socket
- "include uwsgi_params" - include uwsgi_params
logos: logos:
- which: crans_logo_white.svg - which: crans_logo_white.svg
where: /var/local/wiki/htdocs/logo.svg where: /var/local/wiki/htdocs/logo.svg
owner: root owner: root
group: www-data group: www-data
mode: '0644' mode: "0644"
- which: crans_favicon.ico - which: crans_favicon.ico
where: /var/local/wiki/favicon.ico where: /var/local/wiki/favicon.ico
owner: root owner: root
group: www-data group: www-data
mode: '0644' mode: "0644"


@ -10,11 +10,11 @@ loc_home_nounou:
name: home_nounou name: home_nounou
owner: root owner: root
group: _user group: _user
mode: '0750' mode: "0750"
- ip: "{{ query('ldap', 'ip', 'ft', 'adm') | ansible.utils.ipv4 | first }}" - ip: "{{ query('ldap', 'ip', 'ft', 'adm') | ansible.utils.ipv4 | first }}"
mountpoint: /rpool/backup mountpoint: /rpool/backup
target: /backup target: /backup
name: backup name: backup
owner: root owner: root
group: root group: root
mode: '0755' mode: "0755"


@ -10,11 +10,11 @@ loc_home_nounou:
name: home_nounou name: home_nounou
owner: root owner: root
group: _user group: _user
mode: '0750' mode: "0750"
- ip: "{{ query('ldap', 'ip', 'thot', 'adm') | ansible.utils.ipv4 | first }}" - ip: "{{ query('ldap', 'ip', 'thot', 'adm') | ansible.utils.ipv4 | first }}"
mountpoint: /rpool/backup mountpoint: /rpool/backup
target: /backup target: /backup
name: backup name: backup
owner: root owner: root
group: root group: root
mode: '0755' mode: "0755"


@ -5,7 +5,7 @@ interfaces:
loc_wireguard: loc_wireguard:
tunnels: tunnels:
- name: "sputnik" - name: sputnik
listen_port: 51820 listen_port: 51820
private_key: "{{ vault.wireguard.boeing.sputnik.privkey }}" private_key: "{{ vault.wireguard.boeing.sputnik.privkey }}"
table: "off" table: "off"
@ -16,14 +16,14 @@ loc_wireguard:
- "{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv6 | first }}/128" - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv6 | first }}/128"
endpoint: "{{ query('ldap', 'ip', 'sputnik', 'srv') | ansible.utils.ipv4 | first }}:51820" endpoint: "{{ query('ldap', 'ip', 'sputnik', 'srv') | ansible.utils.ipv4 | first }}:51820"
post_up: post_up:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=1" - sysctl -w net.ipv4.conf.%i.proxy_arp=1
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=1" - sysctl -w net.ipv6.conf.%i.proxy_ndp=1
- "python3 /var/local/services/proxy/proxy.py --alter" - python3 /var/local/services/proxy/proxy.py --alter
pre_down: pre_down:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=0" - sysctl -w net.ipv4.conf.%i.proxy_arp=0
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=0" - sysctl -w net.ipv6.conf.%i.proxy_ndp=0
- "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy" - ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy
- name: "viarezo" - name: viarezo
listen_port: 51821 listen_port: 51821
private_key: "{{ vault.wireguard.boeing.viarezo.privkey }}" private_key: "{{ vault.wireguard.boeing.viarezo.privkey }}"
table: "off" table: "off"
@ -31,17 +31,17 @@ loc_wireguard:
- public_key: "{{ vault.wireguard.routeur_ft.pubkey }}" - public_key: "{{ vault.wireguard.routeur_ft.pubkey }}"
allowed_ips: allowed_ips:
- "{{ query('ldap', 'network', 'adm') }}" - "{{ query('ldap', 'network', 'adm') }}"
- "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" - fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
persistent_keepalive: 25 persistent_keepalive: 25
post_up: post_up:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=1" - sysctl -w net.ipv4.conf.%i.proxy_arp=1
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=1" - sysctl -w net.ipv6.conf.%i.proxy_ndp=1
- "python3 /var/local/services/proxy/proxy.py --alter" - python3 /var/local/services/proxy/proxy.py --alter
pre_down: pre_down:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=0" - sysctl -w net.ipv4.conf.%i.proxy_arp=0
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=0" - sysctl -w net.ipv6.conf.%i.proxy_ndp=0
- "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy" - ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy
- name: "aurore" - name: aurore
listen_port: 51822 listen_port: 51822
private_key: "{{ vault.wireguard.boeing.aurore.privkey }}" private_key: "{{ vault.wireguard.boeing.aurore.privkey }}"
table: "off" table: "off"
@ -49,25 +49,25 @@ loc_wireguard:
- public_key: "{{ vault.wireguard.routeur_thot.pubkey }}" - public_key: "{{ vault.wireguard.routeur_thot.pubkey }}"
allowed_ips: allowed_ips:
- "{{ query('ldap', 'network', 'adm') }}" - "{{ query('ldap', 'network', 'adm') }}"
- "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" - fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
persistent_keepalive: 25 persistent_keepalive: 25
post_up: post_up:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=1" - sysctl -w net.ipv4.conf.%i.proxy_arp=1
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=1" - sysctl -w net.ipv6.conf.%i.proxy_ndp=1
- "python3 /var/local/services/proxy/proxy.py --alter" - python3 /var/local/services/proxy/proxy.py --alter
pre_down: pre_down:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=0" - sysctl -w net.ipv4.conf.%i.proxy_arp=0
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=0" - sysctl -w net.ipv6.conf.%i.proxy_ndp=0
- "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy" - ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy
loc_service_proxy: loc_service_proxy:
config: config:
ldap: ldap:
server: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/" server: ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/
protocol: "proxy" protocol: proxy
filter: "adm.crans.org" filter: adm.crans.org
proxy: proxy:
default: "ens18" default: ens18
viarezo: "viarezo" viarezo: viarezo
aurore: "aurore" aurore: aurore
ovh: "sputnik" ovh: sputnik


@ -5,28 +5,28 @@ interfaces:
loc_constellation: loc_constellation:
allowed_hosts: allowed_hosts:
- 'constellation-dev.crans.org' - constellation-dev.crans.org
database: database:
host: '127.0.0.1' host: 127.0.0.1
user: 'constellation-dev' user: constellation-dev
name: 'constellation-dev' name: constellation-dev
applications: applications:
- 'access' - access
- 'billing' - billing
- 'debug' - debug
- 'dnsmanager' - dnsmanager
- 'firewall' - firewall
- 'layers' - layers
- 'management' - management
- 'member' - member
- 'topography' - topography
- 'unix' - unix
stripe: stripe:
private_key: '{{ vault.constellation.stripe.test.private_key }}' private_key: "{{ vault.constellation.stripe.test.private_key }}"
public_key: '{{ vault.constellation.stripe.test.public_key }}' public_key: "{{ vault.constellation.stripe.test.public_key }}"
note: note:
url: 'https://note-dev.crans.org/' url: https://note-dev.crans.org/
client_id: '{{ vault.constellation.note.client_id }}' client_id: "{{ vault.constellation.note.client_id }}"
client_secret: '{{ vault.constellation.note.client_secret }}' client_secret: "{{ vault.constellation.note.client_secret }}"
debug: true debug: true
version: dev version: dev


@ -10,4 +10,4 @@ loc_postgres:
addresses: "['daniel.adm.crans.org'] + {{ query('ldap', 'ip', 'daniel', 'adm') | ansible.utils.ipaddr('address') }}" addresses: "['daniel.adm.crans.org'] + {{ query('ldap', 'ip', 'daniel', 'adm') | ansible.utils.ipaddr('address') }}"
loc_service_proxmox_user: loc_service_proxmox_user:
cron: null cron:
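Review bot: `cron:` with no value replaces an explicit `cron: null`; both load as a null in Ansible, but the bare form reads like an unfinished line and is exactly what yamllint's `empty-values` rule (off in the default profile) exists to flag. I would keep `cron: null` here and on the same line of the other two host vars files in this commit that make the identical change (the one with `include_extra_images: true` and the one with the `jack` postgres addresses). If the intent is "no cron job", the explicit null documents it.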


@ -12,11 +12,10 @@ loc_nfs_mount:
name: mirror name: mirror
owner: root owner: root
group: root group: root
mode: '0755' mode: "0755"
loc_ftpsync: {} loc_ftpsync: {}
loc_rsync_mirror: {} loc_rsync_mirror: {}
loc_rsyncd: loc_rsyncd:
modules: modules:
- name: mirror - name: mirror
@ -33,22 +32,22 @@ loc_nginx:
ssl: [] ssl: []
servers: servers:
- server_name: - server_name:
- "eclat" - eclat
- "eclat.*" - eclat.*
- "eclats" - eclats
- "eclats.*" - eclats.*
- "mirror" - mirror
- "mirror.*" - mirror.*
- "mirrors" - mirrors
- "mirrors.*" - mirrors.*
root: "/mirror/pub" root: /mirror/pub
locations: locations:
- filter: "/" - filter: /
params: params:
- "autoindex on" - autoindex on
- "autoindex_exact_size off" - autoindex_exact_size off
- "add_before_body /.html/HEADER.html" - add_before_body /.html/HEADER.html
- "add_after_body /.html/FOOTER.html" - add_after_body /.html/FOOTER.html
loc_vsftpd: loc_vsftpd:
anonymous: anonymous:


@ -13,7 +13,7 @@ loc_certbot:
loc_service_certbot: loc_service_certbot:
config: config:
"crans.org": crans.org:
zone: _acme-challenge.crans.org zone: _acme-challenge.crans.org
server: 172.16.10.147 server: 172.16.10.147
port: 53 port: 53
@ -21,7 +21,7 @@ loc_service_certbot:
name: certbot_challenge. name: certbot_challenge.
secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}" secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
algorithm: HMAC-SHA512 algorithm: HMAC-SHA512
"adm.crans.org": adm.crans.org:
zone: _acme-challenge.adm.crans.org zone: _acme-challenge.adm.crans.org
server: 172.16.10.147 server: 172.16.10.147
port: 53 port: 53
@ -41,12 +41,10 @@ loc_nginx:
cert_key: /etc/letsencrypt/live/crans.org/privkey.pem cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
servers: [] servers: []
loc_reverseproxy: loc_reverseproxy:
reverseproxy_sites: reverseproxy_sites:
- {from: gitlab.crans.org, to: "127.0.0.1:8000"} - { from: gitlab.crans.org, to: 127.0.0.1:8000 }
- {from: gitlab.adm.crans.org, to: "127.0.0.1:8000", ssl: adm.crans.org} - { from: gitlab.adm.crans.org, to: 127.0.0.1:8000, ssl: adm.crans.org }
redirect_sites: [] redirect_sites: []
static_sites: [] static_sites: []


@ -3,4 +3,4 @@ loc_debian_images:
include_extra_images: true include_extra_images: true
loc_service_proxmox_user: loc_service_proxmox_user:
cron: null cron:


@ -4,24 +4,24 @@ interfaces:
srv: ens19 srv: ens19
loc_nginx: loc_nginx:
service_name: "thelounge" service_name: thelounge
servers: servers:
- server_name: - server_name:
- "irc.crans.org" - irc.crans.org
- "irc" - irc
default: true default: true
ssl: crans.org ssl: crans.org
locations: locations:
- filter: "^~ /web/" - filter: ^~ /web/
params: params:
- "proxy_pass http://localhost:9000/" - proxy_pass http://localhost:9000/
- "include \"/etc/nginx/snippets/options-proxypass.conf\"" - include "/etc/nginx/snippets/options-proxypass.conf"
- filter: "~ ^/$" - filter: ~ ^/$
params: params:
- "return 302 https://irc.crans.org/web/" - return 302 https://irc.crans.org/web/
- filter: "/" - filter: /
params: params:
- "return 302 \"https://wiki.crans.org/VieCrans/UtiliserIrc#Via_l.27interface_web\"" - return 302 "https://wiki.crans.org/VieCrans/UtiliserIrc#Via_l.27interface_web"
loc_thelounge: loc_thelounge:
public: "true" public: "true"


@ -10,4 +10,4 @@ loc_postgres:
addresses: "['jack.adm.crans.org'] + {{ query('ldap', 'ip', 'jack', 'adm') | ansible.utils.ipaddr('address') }}" addresses: "['jack.adm.crans.org'] + {{ query('ldap', 'ip', 'jack', 'adm') | ansible.utils.ipaddr('address') }}"
loc_service_proxmox_user: loc_service_proxmox_user:
cron: null cron:


@ -11,7 +11,7 @@ loc_prometheus:
- job_name: servers - job_name: servers
file_sd_configs: file_sd_configs:
- files: - files:
- '/etc/prometheus/targets_node.json' - /etc/prometheus/targets_node.json
relabel_configs: relabel_configs:
- source_labels: [__address__] - source_labels: [__address__]
target_label: __param_target target_label: __param_target
@ -19,7 +19,7 @@ loc_prometheus:
target_label: instance target_label: instance
- source_labels: [__param_target] - source_labels: [__param_target]
target_label: __address__ target_label: __address__
replacement: '$1:9100' replacement: $1:9100
nginx: nginx:
file: targets_nginx.json file: targets_nginx.json
@ -28,13 +28,13 @@ loc_prometheus:
- job_name: nginx - job_name: nginx
file_sd_configs: file_sd_configs:
- files: - files:
- '/etc/prometheus/targets_nginx.json' - /etc/prometheus/targets_nginx.json
relabel_configs: relabel_configs:
- source_labels: [__address__] - source_labels: [__address__]
target_label: instance target_label: instance
- source_labels: [instance] - source_labels: [instance]
target_label: __address__ target_label: __address__
replacement: '$1:9117' replacement: $1:9117
blackbox: blackbox:
file: targets_blackbox.json file: targets_blackbox.json
@ -64,7 +64,7 @@ loc_prometheus:
- job_name: blackbox - job_name: blackbox
file_sd_configs: file_sd_configs:
- files: - files:
- '/etc/prometheus/targets_blackbox.json' - /etc/prometheus/targets_blackbox.json
metrics_path: /probe metrics_path: /probe
params: params:
module: [http_2xx] # Look for a HTTP 200 response. module: [http_2xx] # Look for a HTTP 200 response.
@ -86,7 +86,7 @@ loc_prometheus:
- job_name: blackbox_icmp - job_name: blackbox_icmp
file_sd_configs: file_sd_configs:
- files: - files:
- '/etc/prometheus/targets_icmp.json' - /etc/prometheus/targets_icmp.json
metrics_path: /probe metrics_path: /probe
params: params:
module: [icmp] # Look for a ICMP ping module: [icmp] # Look for a ICMP ping
@ -105,13 +105,13 @@ loc_prometheus:
config: config:
- job_name: mtail - job_name: mtail
static_configs: static_configs:
- targets: ["tealc.adm.crans.org"] - targets: [tealc.adm.crans.org]
relabel_configs: relabel_configs:
- source_labels: [__address__] - source_labels: [__address__]
target_label: instance target_label: instance
- source_labels: [instance] - source_labels: [instance]
target_label: __address__ target_label: __address__
replacement: '$1:3903' replacement: $1:3903
ilo_snmp: ilo_snmp:
file: targets_ilo_snmp.json file: targets_ilo_snmp.json
@ -120,8 +120,8 @@ loc_prometheus:
- job_name: ilo_snmp - job_name: ilo_snmp
file_sd_configs: file_sd_configs:
- files: - files:
- '/etc/prometheus/targets_ilo_snmp.json' - /etc/prometheus/targets_ilo_snmp.json
metrics_path: '/snmp' metrics_path: /snmp
params: params:
module: module:
- ilo - ilo
@ -130,17 +130,17 @@ loc_prometheus:
target_label: __param_target target_label: __param_target
- source_labels: [__param_target] - source_labels: [__param_target]
target_label: instance target_label: instance
- replacement: '127.0.0.1:9116' - replacement: 127.0.0.1:9116
target_label: __address__ target_label: __address__
printer_snmp: printer_snmp:
file: targets_printer.json file: targets_printer.json
targets: ["printer.lp.crans.org"] targets: [printer.lp.crans.org]
config: config:
- job_name: printer_snmp - job_name: printer_snmp
static_configs: static_configs:
- targets: ["printer.lp.crans.org"] - targets: [printer.lp.crans.org]
metrics_path: '/snmp' metrics_path: /snmp
params: params:
module: module:
- printer_mib - printer_mib


@ -3,4 +3,4 @@ loc_debian_images:
include_extra_images: true include_extra_images: true
loc_service_proxmox_user: loc_service_proxmox_user:
cron: null cron:


@ -7,4 +7,4 @@ interfaces:
loc_ldap: loc_ldap:
base_dn: "{{ vault.slapd.re2o.admin.binddn }}" base_dn: "{{ vault.slapd.re2o.admin.binddn }}"
password: "{{ vault.slapd.re2o.admin.bindpass }}" password: "{{ vault.slapd.re2o.admin.bindpass }}"
uri: "ldap://172.16.10.157" uri: ldap://172.16.10.157
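Review bot: `uri: ldap://172.16.10.157` is a cleartext LDAP URI paired with the vault bind password on the `password:` line just above, so the simple-bind credentials cross the network unencrypted unless the client negotiates STARTTLS, which nothing in this hunk shows. Other vars files in this same commit use `ldaps://` for the equivalent setting (the prefix_delegation and proxy service `server:` values); if the server listens on 636, `uri: ldaps://172.16.10.157` would align this one. The quoting change itself is fine.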


@ -12,62 +12,62 @@ loc_nfs_mount:
name: ftp name: ftp
owner: root owner: root
group: root group: root
mode: '0755' mode: "0755"
loc_nginx: loc_nginx:
service_name: ptf service_name: ptf
ssl: [] ssl: []
servers: servers:
- server_name: - server_name:
- "ptf" - ptf
- "ptf.*" - ptf.*
- "ftp" - ftp
- "ftp.*" - ftp.*
root: /ftp root: /ftp
locations: locations:
- filter: "/" - filter: /
params: params:
- "autoindex on" - autoindex on
- "autoindex_exact_size off" - autoindex_exact_size off
- "add_before_body /.html/HEADER.html" - add_before_body /.html/HEADER.html
- "add_after_body /.html/FOOTER.html" - add_after_body /.html/FOOTER.html
- filter: ~ ^(\/pub)?(\/debian|\/ubuntu|\/archlinux|\/videolan|\/cdimage|\/grafana|\/proxmox|\/distributions)(.*)$ - filter: ~ ^(\/pub)?(\/debian|\/ubuntu|\/archlinux|\/videolan|\/cdimage|\/grafana|\/proxmox|\/distributions)(.*)$
params: params:
- return 301 http://eclat.crans.org$2$3 - return 301 http://eclat.crans.org$2$3
- filter: "/events" - filter: /events
params: params:
- "autoindex on" - autoindex on
- "autoindex_exact_size off" - autoindex_exact_size off
- "add_before_body /.html/HEADER.html" - add_before_body /.html/HEADER.html
- "add_after_body /.html/FOOTER.html" - add_after_body /.html/FOOTER.html
- "mp4" - mp4
- "mp4_buffer_size 1m" - mp4_buffer_size 1m
- "mp4_max_buffer_size 5m" - mp4_max_buffer_size 5m
- server_name: - server_name:
- "ptfs" - ptfs
- "ptfs.*" - ptfs.*
- "ftps" - ftps
- "ftps.*" - ftps.*
root: /ftp root: /ftp
locations: locations:
- filter: "/" - filter: /
params: params:
- "autoindex on" - autoindex on
- "autoindex_exact_size off" - autoindex_exact_size off
- "add_before_body /.html/HEADER.html" - add_before_body /.html/HEADER.html
- "add_after_body /.html/FOOTER.html" - add_after_body /.html/FOOTER.html
- filter: ~ ^(\/pub)?(\/debian|\/ubuntu|\/archlinux|\/videolan|\/cdimage|\/grafana|\/proxmox|\/distributions)(.*)$ - filter: ~ ^(\/pub)?(\/debian|\/ubuntu|\/archlinux|\/videolan|\/cdimage|\/grafana|\/proxmox|\/distributions)(.*)$
params: params:
- return 301 https://eclats.crans.org$2$3 - return 301 https://eclats.crans.org$2$3
- filter: "/events" - filter: /events
params: params:
- "autoindex on" - autoindex on
- "autoindex_exact_size off" - autoindex_exact_size off
- "add_before_body /.html/HEADER.html" - add_before_body /.html/HEADER.html
- "add_after_body /.html/FOOTER.html" - add_after_body /.html/FOOTER.html
- "mp4" - mp4
- "mp4_buffer_size 1m" - mp4_buffer_size 1m
- "mp4_max_buffer_size 5m" - mp4_max_buffer_size 5m
loc_vsftpd: loc_vsftpd:
anonymous: anonymous:


@ -4,4 +4,4 @@ interfaces:
srv_nat: eth1 srv_nat: eth1
loc_re2o_ldap_replica: loc_re2o_ldap_replica:
url: "ldaps://{{ query('ldap', 'ip', 'yson-partou', 'adm') | ansible.utils.ipv4 | first }}:636" url: ldaps://{{ query('ldap', 'ip', 'yson-partou', 'adm') | ansible.utils.ipv4 | first }}:636
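Review bot: `url: ldaps://{{ query('ldap', ...) }}:636` drops the quotes around a Jinja-templated scalar while the neighbouring `"{{ ... }}"` values keep them, so templated values are now quoted or not depending only on whether `{{` happens to be the first character. The parse is correct either way, since block-context plain scalars accept `{`, `}`, `'` and `,`, but the mixed style is a trap: moving the expression to the front of the value (for instance making the scheme part of the lookup) turns it into a flow mapping and a parse error. I would keep templated values uniformly quoted, `url: "ldaps://{{ query('ldap', 'ip', 'yson-partou', 'adm') | ansible.utils.ipv4 | first }}:636"`. The same pattern appears in the wireguard `fd00:0:0:{{ ... }}::/64` allowed_ips, the proxy service `server: ldaps://{{ ... }}/` values and the ssh_known_hosts `server:` value later in this commit.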


@ -17,7 +17,7 @@ loc_certbot:
loc_service_certbot: loc_service_certbot:
config: config:
"crans.org": crans.org:
zone: _acme-challenge.crans.org zone: _acme-challenge.crans.org
server: 172.16.10.147 server: 172.16.10.147
port: 53 port: 53
@ -25,7 +25,7 @@ loc_service_certbot:
name: certbot_challenge. name: certbot_challenge.
secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}" secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
algorithm: HMAC-SHA512 algorithm: HMAC-SHA512
"adm.crans.org": adm.crans.org:
zone: _acme-challenge.adm.crans.org zone: _acme-challenge.adm.crans.org
server: 172.16.10.147 server: 172.16.10.147
port: 53 port: 53


@ -1,8 +1,8 @@
--- ---
interfaces: interfaces:
name: ens18 adm: ens18
name: ens19 srv: ens19
name: ens20 adh: ens20
unbound: unbound:
verbosity: 1 verbosity: 1
@ -10,32 +10,32 @@ unbound:
- 0.0.0.0 - 0.0.0.0
- ::0 - ::0
access-control: access-control:
- name: "srv" - name: srv
addr: addr:
- 185.230.79.0/26 - 185.230.79.0/26
- 2a0c:700:2::/48 - 2a0c:700:2::/48
policy: allow policy: allow
- name: "srv-nat" - name: srv-nat
addr: addr:
- 172.16.3.0/24 - 172.16.3.0/24
- 2a0c:700:3::/48 - 2a0c:700:3::/48
policy: allow policy: allow
- name: "adm" - name: adm
addr: addr:
- 172.16.10.0/24 - 172.16.10.0/24
- fd00:0:0:10::/64 - fd00:0:0:10::/64
policy: allow policy: allow
- name: "infra" - name: infra
addr: addr:
- 172.16.32.0/22 - 172.16.32.0/22
- fd00:0:0:11::/64 - fd00:0:0:11::/64
policy: allow policy: allow
- name: "adh" - name: adh
addr: addr:
- 185.230.78.0/24 - 185.230.78.0/24
- 2a0c:700:12::/48 - 2a0c:700:12::/48
policy: allow policy: allow
- name: "adh-nat" - name: adh-nat
addr: addr:
- 100.64.0.0/16 - 100.64.0.0/16
- 2a0c:700:13::/48 - 2a0c:700:13::/48


@ -12,7 +12,7 @@ loc_bird:
- route 2a0c:700::/32 unreachable - route 2a0c:700::/32 unreachable
bgp: bgp:
- name: aurore4 - name: aurore4
description: "BGP4 session with aurore" description: BGP4 session with aurore
local: local:
asn: crans asn: crans
addr: 185.230.79.253 addr: 185.230.79.253
@ -21,7 +21,7 @@ loc_bird:
addr: 185.230.79.254 addr: 185.230.79.254
ipv4: true ipv4: true
- name: aurore6 - name: aurore6
description: "BGP6 session with aurore" description: BGP6 session with aurore
local: local:
asn: crans asn: crans
addr: 2a0c:700:28::1 addr: 2a0c:700:28::1
@ -30,7 +30,7 @@ loc_bird:
addr: 2a0c:700:28::2 addr: 2a0c:700:28::2
ipv6: true ipv6: true
- name: viarezo4 - name: viarezo4
description: "BGP4 session with viarezo" description: BGP4 session with viarezo
local: local:
asn: crans asn: crans
addr: 138.195.159.250 addr: 138.195.159.250
@ -39,7 +39,7 @@ loc_bird:
addr: 138.195.159.249 addr: 138.195.159.249
ipv4: true ipv4: true
- name: viarezo6 - name: viarezo6
description: "BGP6 session with viarezo" description: BGP6 session with viarezo
local: local:
asn: crans asn: crans
addr: 2a0c:b641:2f3::2 addr: 2a0c:b641:2f3::2


@ -2,17 +2,17 @@
loc_dhcp: loc_dhcp:
authoritative: true authoritative: true
subnets: subnets:
- network: "185.230.78.0/24" - network: 185.230.78.0/24
deny_unknown: true deny_unknown: true
vlan: "adh" vlan: adh
default_lease_time: "600" default_lease_time: "600"
max_lease_time: "7200" max_lease_time: "7200"
routers: "185.230.78.99" routers: 185.230.78.99
dns: ["185.230.78.99"] dns: [185.230.78.99]
domain_name: "adh.crans.org" domain_name: adh.crans.org
domain_search: "adh.crans.org" domain_search: adh.crans.org
options: [] options: []
lease_file: "/var/local/services/dhcp/generated/dhcp.adh.crans.org.list" lease_file: /var/local/services/dhcp/generated/dhcp.adh.crans.org.list
loc_service_dhcp: loc_service_dhcp:
git: git:


@ -1,5 +1,4 @@
--- ---
loc_service_prefix_delegation: loc_service_prefix_delegation:
name: prefix_delegation name: prefix_delegation
install_dir: /var/local/services/prefix_delegation install_dir: /var/local/services/prefix_delegation
@ -15,6 +14,6 @@ loc_service_prefix_delegation:
prefix: "2a0c:700:12::" prefix: "2a0c:700:12::"
length: "48" length: "48"
ldap: ldap:
server: "ldaps://172.16.10.114" server: ldaps://172.16.10.114
binddn: "{{ vault.ldap_adh_reader.binddn }}" binddn: "{{ vault.ldap_adh_reader.binddn }}"
password: "{{ vault.ldap_adh_reader.bindpass }}" password: "{{ vault.ldap_adh_reader.bindpass }}"


@ -5,7 +5,7 @@ interfaces:
loc_wireguard: loc_wireguard:
tunnels: tunnels:
- name: "boeing" - name: boeing
listen_port: 51820 listen_port: 51820
private_key: "{{ vault.wireguard.routeur_ft.privkey }}" private_key: "{{ vault.wireguard.routeur_ft.privkey }}"
table: "off" table: "off"
@ -13,25 +13,25 @@ loc_wireguard:
- public_key: "{{ vault.wireguard.boeing.viarezo.pubkey }}" - public_key: "{{ vault.wireguard.boeing.viarezo.pubkey }}"
allowed_ips: allowed_ips:
- "{{ query('ldap', 'network', 'adm') }}" - "{{ query('ldap', 'network', 'adm') }}"
- "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" - fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ansible.utils.ipv4 | first }}:51821" endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ansible.utils.ipv4 | first }}:51821"
persistent_keepalive: 25 persistent_keepalive: 25
post_up: post_up:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=1" - sysctl -w net.ipv4.conf.%i.proxy_arp=1
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=1" - sysctl -w net.ipv6.conf.%i.proxy_ndp=1
- "ip route add 172.16.10.1 dev %i proto proxy" - ip route add 172.16.10.1 dev %i proto proxy
- "python3 /var/local/services/proxy/proxy.py --alter" - python3 /var/local/services/proxy/proxy.py --alter
pre_down: pre_down:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=0" - sysctl -w net.ipv4.conf.%i.proxy_arp=0
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=0" - sysctl -w net.ipv6.conf.%i.proxy_ndp=0
- "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy" - ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy
loc_service_proxy: loc_service_proxy:
config: config:
ldap: ldap:
server: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/" server: ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/
protocol: "proxy" protocol: proxy
filter: "adm.crans.org" filter: adm.crans.org
proxy: proxy:
default: "boeing" default: boeing
viarezo: "ens18" viarezo: ens18


@ -2,17 +2,17 @@
loc_dhcp: loc_dhcp:
authoritative: true authoritative: true
subnets: subnets:
- network: "185.230.78.0/24" - network: 185.230.78.0/24
deny_unknown: true deny_unknown: true
vlan: "adh" vlan: adh
default_lease_time: "600" default_lease_time: "600"
max_lease_time: "7200" max_lease_time: "7200"
routers: "185.230.78.99" routers: 185.230.78.99
dns: ["185.230.78.99"] dns: [185.230.78.99]
domain_name: "adh.crans.org" domain_name: adh.crans.org
domain_search: "adh.crans.org" domain_search: adh.crans.org
options: [] options: []
lease_file: "/var/local/services/dhcp/generated/dhcp.adh.crans.org.list" lease_file: /var/local/services/dhcp/generated/dhcp.adh.crans.org.list
loc_service_dhcp: loc_service_dhcp:
git: git:


@ -1,5 +1,4 @@
--- ---
loc_service_prefix_delegation: loc_service_prefix_delegation:
name: prefix_delegation name: prefix_delegation
install_dir: /var/local/services/prefix_delegation install_dir: /var/local/services/prefix_delegation
@ -15,6 +14,6 @@ loc_service_prefix_delegation:
prefix: "2a0c:700:12::" prefix: "2a0c:700:12::"
length: "48" length: "48"
ldap: ldap:
server: "ldaps://172.16.10.114" server: ldaps://172.16.10.114
binddn: "{{ vault.ldap_adh_reader.binddn }}" binddn: "{{ vault.ldap_adh_reader.binddn }}"
password: "{{ vault.ldap_adh_reader.bindpass }}" password: "{{ vault.ldap_adh_reader.bindpass }}"


@ -12,7 +12,7 @@ loc_bird:
- route 2a0c:700::/32 unreachable - route 2a0c:700::/32 unreachable
bgp: bgp:
- name: aurore4 - name: aurore4
description: "BGP4 session with aurore" description: BGP4 session with aurore
local: local:
asn: crans asn: crans
addr: 185.230.79.253 addr: 185.230.79.253
@ -21,7 +21,7 @@ loc_bird:
addr: 185.230.79.254 addr: 185.230.79.254
ipv4: true ipv4: true
- name: aurore6 - name: aurore6
description: "BGP6 session with aurore" description: BGP6 session with aurore
local: local:
asn: crans asn: crans
addr: 2a0c:700:28::1 addr: 2a0c:700:28::1
@ -30,7 +30,7 @@ loc_bird:
addr: 2a0c:700:28::2 addr: 2a0c:700:28::2
ipv6: true ipv6: true
- name: viarezo4 - name: viarezo4
description: "BGP4 session with viarezo" description: BGP4 session with viarezo
local: local:
asn: crans asn: crans
addr: 138.195.159.250 addr: 138.195.159.250
@ -39,7 +39,7 @@ loc_bird:
addr: 138.195.159.249 addr: 138.195.159.249
ipv4: true ipv4: true
- name: viarezo6 - name: viarezo6
description: "BGP6 session with viarezo" description: BGP6 session with viarezo
local: local:
asn: crans asn: crans
addr: 2a0c:b641:2f3::2 addr: 2a0c:b641:2f3::2


@ -2,17 +2,17 @@
loc_dhcp: loc_dhcp:
authoritative: true authoritative: true
subnets: subnets:
- network: "185.230.78.0/24" - network: 185.230.78.0/24
deny_unknown: true deny_unknown: true
vlan: "adh" vlan: adh
default_lease_time: "600" default_lease_time: "600"
max_lease_time: "7200" max_lease_time: "7200"
routers: "185.230.78.99" routers: 185.230.78.99
dns: ["185.230.78.99"] dns: [185.230.78.99]
domain_name: "adh.crans.org" domain_name: adh.crans.org
domain_search: "adh.crans.org" domain_search: adh.crans.org
options: [] options: []
lease_file: "/var/local/services/dhcp/generated/dhcp.adh.crans.org.list" lease_file: /var/local/services/dhcp/generated/dhcp.adh.crans.org.list
loc_service_dhcp: loc_service_dhcp:
git: git:


@ -1,5 +1,4 @@
--- ---
loc_service_prefix_delegation: loc_service_prefix_delegation:
name: prefix_delegation name: prefix_delegation
install_dir: /var/local/services/prefix_delegation install_dir: /var/local/services/prefix_delegation
@ -15,6 +14,6 @@ loc_service_prefix_delegation:
prefix: "2a0c:700:12::" prefix: "2a0c:700:12::"
length: "48" length: "48"
ldap: ldap:
server: "ldaps://172.16.10.114" server: ldaps://172.16.10.114
binddn: "{{ vault.ldap_adh_reader.binddn }}" binddn: "{{ vault.ldap_adh_reader.binddn }}"
password: "{{ vault.ldap_adh_reader.bindpass }}" password: "{{ vault.ldap_adh_reader.bindpass }}"


@ -5,7 +5,7 @@ interfaces:
loc_wireguard: loc_wireguard:
tunnels: tunnels:
- name: "boeing" - name: boeing
listen_port: 51820 listen_port: 51820
private_key: "{{ vault.wireguard.routeur_thot.privkey }}" private_key: "{{ vault.wireguard.routeur_thot.privkey }}"
table: "off" table: "off"
@ -13,26 +13,25 @@ loc_wireguard:
- public_key: "{{ vault.wireguard.boeing.aurore.pubkey }}" - public_key: "{{ vault.wireguard.boeing.aurore.pubkey }}"
allowed_ips: allowed_ips:
- "{{ query('ldap', 'network', 'adm') }}" - "{{ query('ldap', 'network', 'adm') }}"
- "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" - fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ansible.utils.ipv4 | first }}:51822" endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ansible.utils.ipv4 | first }}:51822"
persistent_keepalive: 25 persistent_keepalive: 25
post_up: post_up:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=1" - sysctl -w net.ipv4.conf.%i.proxy_arp=1
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=1" - sysctl -w net.ipv6.conf.%i.proxy_ndp=1
- "ip route add 172.16.10.1 dev %i proto proxy" - ip route add 172.16.10.1 dev %i proto proxy
- "python3 /var/local/services/proxy/proxy.py --alter" - python3 /var/local/services/proxy/proxy.py --alter
pre_down: pre_down:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=0" - sysctl -w net.ipv4.conf.%i.proxy_arp=0
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=0" - sysctl -w net.ipv6.conf.%i.proxy_ndp=0
- "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy" - ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy
loc_service_proxy: loc_service_proxy:
config: config:
ldap: ldap:
server: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/" server: ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/
protocol: "proxy" protocol: proxy
filter: "adm.crans.org" filter: adm.crans.org
proxy: proxy:
default: "boeing" default: boeing
aurore: "ens18" aurore: ens18


@ -6,25 +6,25 @@ interfaces:
loc_bind: loc_bind:
options: options:
secondaries: "{{ query('ldap', 'ip', 'sputnik', 'adm') | union(query('ldap', 'ip', 'en7', 'adm')) }}" secondaries: "{{ query('ldap', 'ip', 'sputnik', 'adm') | union(query('ldap', 'ip', 'en7', 'adm')) }}"
key_directory: "/var/cache/bind/keys" key_directory: /var/cache/bind/keys
default: default:
format: 'generated/%s.db' format: generated/%s.db
type: primary type: primary
notify: 'yes' notify: "yes"
dnssec: true dnssec: true
zones: zones:
'_acme-challenge.crans.org': _acme-challenge.crans.org:
update_policy: update_policy:
- 'grant certbot_challenge. name _acme-challenge.crans.org. txt' - grant certbot_challenge. name _acme-challenge.crans.org. txt
format: 'bak.%s' format: bak.%s
'_acme-challenge.adm.crans.org': _acme-challenge.adm.crans.org:
update_policy: update_policy:
- 'grant certbot_adm_challenge. name _acme-challenge.adm.crans.org. txt' - grant certbot_adm_challenge. name _acme-challenge.adm.crans.org. txt
format: 'bak.%s' format: bak.%s
rfc2136_keys: rfc2136_keys:
'certbot_challenge.': certbot_challenge.:
algorithm: hmac-sha512 algorithm: hmac-sha512
secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}" secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}"
'certbot_adm_challenge.': certbot_adm_challenge.:
algorithm: hmac-sha512 algorithm: hmac-sha512
secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}" secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}"


@ -10,7 +10,7 @@ postfix:
loc_wireguard: loc_wireguard:
tunnels: tunnels:
- name: "sputnik" - name: sputnik
addresses: addresses:
- "{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv4 | first }}/24" - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv4 | first }}/24"
- "{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv6 | first }}/64" - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv6 | first }}/64"
@ -20,10 +20,10 @@ loc_wireguard:
- public_key: "{{ vault.wireguard.boeing.sputnik.pubkey }}" - public_key: "{{ vault.wireguard.boeing.sputnik.pubkey }}"
allowed_ips: allowed_ips:
- "{{ query('ldap', 'network', 'adm') }}" - "{{ query('ldap', 'network', 'adm') }}"
- "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" - fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ansible.utils.ipv4 | first }}:51820" endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ansible.utils.ipv4 | first }}:51820"
post_up: post_up:
- "/sbin/ip link set sputnik alias adm" - /sbin/ip link set sputnik alias adm
loc_slapd: loc_slapd:
ip: "{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv4 | first }}" ip: "{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv4 | first }}"
@ -43,7 +43,7 @@ loc_certbot:
loc_service_certbot: loc_service_certbot:
config: config:
"crans.org": crans.org:
zone: _acme-challenge.crans.org zone: _acme-challenge.crans.org
server: 172.16.10.147 server: 172.16.10.147
port: 53 port: 53
@ -51,7 +51,7 @@ loc_service_certbot:
name: certbot_challenge. name: certbot_challenge.
secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}" secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
algorithm: HMAC-SHA512 algorithm: HMAC-SHA512
"adm.crans.org": adm.crans.org:
zone: _acme-challenge.adm.crans.org zone: _acme-challenge.adm.crans.org
server: 172.16.10.147 server: 172.16.10.147
port: 53 port: 53
@ -73,46 +73,44 @@ loc_nginx:
trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
servers: servers:
- server_name: - server_name:
- "wiki2.crans.org" - wiki2.crans.org
ssl: "crans.org" ssl: crans.org
access_log: "/var/log/nginx/wiki.log combined" access_log: /var/log/nginx/wiki.log combined
error_log: "/var/log/nginx/wiki.error.log" error_log: /var/log/nginx/wiki.error.log
additional_params: additional_params:
- "rewrite ^/$ $scheme://wiki2.crans.org/PageAccueil" - rewrite ^/$ $scheme://wiki2.crans.org/PageAccueil
- "client_max_body_size 15M" - client_max_body_size 15M
locations: locations:
- filter: "/wiki" - filter: /wiki
params: params:
- "alias /var/local/wiki/htdocs/" - alias /var/local/wiki/htdocs/
- filter: "/robots.txt" - filter: /robots.txt
params: params:
- "alias /var/local/wiki/robots.txt" - alias /var/local/wiki/robots.txt
- filter: "/favicon.ico" - filter: /favicon.ico
params: params:
- "alias /var/local/wiki/favicon.ico" - alias /var/local/wiki/favicon.ico
- filter: "/www-sitemap.xml" - filter: /www-sitemap.xml
params: params:
- "alias /var/local/wiki/www-sitemap.xml" - alias /var/local/wiki/www-sitemap.xml
- filter: "/" - filter: /
params: params:
- "uwsgi_pass unix:///var/run/uwsgi/app/moinmoin/socket" - uwsgi_pass unix:///var/run/uwsgi/app/moinmoin/socket
- "include uwsgi_params" - include uwsgi_params
loc_reverseproxy: loc_reverseproxy:
reverseproxy_sites: reverseproxy_sites:
- {from: status.crans.org, to: "127.0.0.1:8080"} - { from: status.crans.org, to: 127.0.0.1:8080 }
- {from: git2.crans.org, to: "127.0.0.1:3000"} - { from: git2.crans.org, to: 127.0.0.1:3000 }
- {from: git2.adm.crans.org, to: "127.0.0.1:3000", ssl: adm.crans.org} - { from: git2.adm.crans.org, to: 127.0.0.1:3000, ssl: adm.crans.org }
redirect_sites: [] redirect_sites: []
static_sites: [] static_sites: []
loc_bind: loc_bind:
default: default:
type: slave type: slave
@ -121,4 +119,4 @@ loc_bind:
loc_service_ssh_known_hosts: loc_service_ssh_known_hosts:
config: config:
ldap: ldap:
server: "ldaps://{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv4 | first }}" server: ldaps://{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv4 | first }}
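Review bot: `to: 127.0.0.1:8080` inside the flow mapping `{ from: status.crans.org, to: 127.0.0.1:8080 }` is a plain scalar containing a colon in flow context; the resolver leaves it a string, but PyYAML before 5.1 and libyaml before 0.2.2 rejected exactly this form with "found unexpected ':'", which is presumably why the value was quoted. Current Ansible pulls in newer parsers so it should load, but the same commit still keeps `"::1/128"` quoted inside a flow sequence in the tealc vars, so the quoting rule is now applied unevenly. I would restore `to: "127.0.0.1:8080"` on the three reverseproxy entries here and on the two gitlab entries in the earlier host file, or write these entries as block mappings.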


@ -1,32 +1,32 @@
--- ---
debian_mirror: 'file:/pool/mirror/pub/debian' debian_mirror: file:/pool/mirror/pub/debian
loc_postgres: loc_postgres:
version: 13 version: 13
hosts: hosts:
- db: etherpad - db: etherpad
user: crans user: crans
map: {name: etherpad, system: etherpad, pg: crans} map: { name: etherpad, system: etherpad, pg: crans }
- db: etherpad_tmp - db: etherpad_tmp
user: crans user: crans
map: {name: etherpad_tmp, system: etherpad, pg: crans} map: { name: etherpad_tmp, system: etherpad, pg: crans }
- db: horde5 - db: horde5
user: www-data user: www-data
map: {name: horde, system: www-data, pg: www-data} map: { name: horde, system: www-data, pg: www-data }
- db: roundcube - db: roundcube
user: roundcube user: roundcube
map: {name: webmail, system: www-data, pg: roundcube} map: { name: webmail, system: www-data, pg: roundcube }
- {db: owncloud, user: owncloud} - { db: owncloud, user: owncloud }
- {db: cas, user: cas} - { db: cas, user: cas }
- {db: hedgedoc, user: hedgedoc} - { db: hedgedoc, user: hedgedoc }
- {db: sqlgrey, user: sqlgrey, method: ident} - { db: sqlgrey, user: sqlgrey, method: ident }
- {db: re2o, user: re2o} - { db: re2o, user: re2o }
- {db: re2o_test, user: re2o} - { db: re2o_test, user: re2o }
- {db: constellation-dev, user: constellation-dev} - { db: constellation-dev, user: constellation-dev }
- {db: mailman3, user: mailman3} - { db: mailman3, user: mailman3 }
- {db: mailman3web, user: mailman3web} - { db: mailman3web, user: mailman3web }
- {db: all, user: all, subnets: ['127.0.0.1/32', '::1/128'], local: true} - { db: all, user: all, subnets: [127.0.0.1/32, "::1/128"], local: true }
- {db: replication, user: replication, local: true} - { db: replication, user: replication, local: true }
addresses: "['tealc.adm.crans.org'] + {{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipaddr('address') }}" addresses: "['tealc.adm.crans.org'] + {{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipaddr('address') }}"
backup: backup:
dir: /var/local/db-backup dir: /var/local/db-backup
@ -75,13 +75,13 @@ loc_nginx:
ssl: [] ssl: []
servers: servers:
- server_name: - server_name:
- "mirror2" - mirror2
- "mirror2.*" - mirror2.*
root: "/pool/mirror/pub" root: /pool/mirror/pub
locations: locations:
- filter: "/" - filter: /
params: params:
- "autoindex on" - autoindex on
- "autoindex_exact_size off" - autoindex_exact_size off
- "add_before_body /.html/HEADER.html" - add_before_body /.html/HEADER.html
- "add_after_body /.html/FOOTER.html" - add_after_body /.html/FOOTER.html


@ -5,7 +5,7 @@ interfaces:
loc_wireguard: loc_wireguard:
tunnels: tunnels:
- name: "gulp" - name: gulp
listen_port: 51820 listen_port: 51820
private_key: "{{ vault.wireguard.vol447.privkey }}" private_key: "{{ vault.wireguard.vol447.privkey }}"
peers: peers:
@ -14,5 +14,7 @@ loc_wireguard:
- "{{ query('ldap', 'ip', 'charybde', 'adm') | ansible.utils.ipv4 | first }}/32" - "{{ query('ldap', 'ip', 'charybde', 'adm') | ansible.utils.ipv4 | first }}/32"
- "{{ query('ldap', 'ip', 'charybde', 'adm') | ansible.utils.ipv6 | first }}/128" - "{{ query('ldap', 'ip', 'charybde', 'adm') | ansible.utils.ipv6 | first }}/128"
endpoint: "{{ query('ldap', 'ip', 'freebox', 'srv') | ansible.utils.ipv4 | first }}:51820" endpoint: "{{ query('ldap', 'ip', 'freebox', 'srv') | ansible.utils.ipv4 | first }}:51820"
post_up: "sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.gulp.proxy_arp=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.gulp.proxy_ndp=1; ip neigh add proxy {{ query('ldap', 'ip', 'charybde', 'adm') | ansible.utils.ipv6 | first }} dev ens18" post_up: sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.gulp.proxy_arp=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.gulp.proxy_ndp=1;
post_down: "sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.gulp.proxy_arp=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.gulp.proxy_ndp=0; ip neigh delete proxy {{ query('ldap', 'ip', 'charybde', 'adm') | ansible.utils.ipv6 | first }} dev ens18" ip neigh add proxy {{ query('ldap', 'ip', 'charybde', 'adm') | ansible.utils.ipv6 | first }} dev ens18
post_down: sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.gulp.proxy_arp=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.gulp.proxy_ndp=0;
ip neigh delete proxy {{ query('ldap', 'ip', 'charybde', 'adm') | ansible.utils.ipv6 | first }} dev ens18
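Review bot: `post_up:` and `post_down:` are now multi-line plain scalars: the `ip neigh add proxy ...` and `ip neigh delete proxy ...` lines are continuations that YAML folds into the preceding line with a single space, so the command string is unchanged, but nothing marks them as continuations — a reader can take them for new keys, and the fold only works if those lines are indented deeper than the key, which this rendered view cannot confirm. A `>-` folded block scalar makes the intent explicit, lets each command sit on its own line, and folds to the same string. The fence shows the two values rewritten that way; the peer entry they belong to starts before this hunk.
```yaml
# … unchanged: peer entry above (public_key, allowed_ips, endpoint) …
post_up: >-
  sysctl -w net.ipv4.conf.ens18.proxy_arp=1;
  sysctl -w net.ipv4.conf.gulp.proxy_arp=1;
  sysctl -w net.ipv6.conf.ens18.proxy_ndp=1;
  sysctl -w net.ipv6.conf.gulp.proxy_ndp=1;
  ip neigh add proxy {{ query('ldap', 'ip', 'charybde', 'adm') | ansible.utils.ipv6 | first }} dev ens18
post_down: >-
  sysctl -w net.ipv4.conf.ens18.proxy_arp=0;
  sysctl -w net.ipv4.conf.gulp.proxy_arp=0;
  sysctl -w net.ipv6.conf.ens18.proxy_ndp=0;
  sysctl -w net.ipv6.conf.gulp.proxy_ndp=0;
  ip neigh delete proxy {{ query('ldap', 'ip', 'charybde', 'adm') | ansible.utils.ipv6 | first }} dev ens18
```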


@ -7,8 +7,8 @@ loc_borg:
- /var/lib/mysql - /var/lib/mysql
loc_thelounge: loc_thelounge:
host: "\"172.16.10.31\"" host: '"172.16.10.31"'
oidentd: "\"/usr/local/lib/thelounge/.oidentd.conf\"" oidentd: '"/usr/local/lib/thelounge/.oidentd.conf"'
reverseProxy: "true" reverseProxy: "true"
ldap_enable: "true" ldap_enable: "true"
@ -25,11 +25,11 @@ loc_nfs_mount:
name: home name: home
owner: root owner: root
group: root group: root
mode: '0755' mode: "0755"
- ip: 172.16.4.2 - ip: 172.16.4.2
mountpoint: /pool/mail mountpoint: /pool/mail
target: /var/mail target: /var/mail
name: var-mail name: var-mail
owner: root owner: root
group: mail group: mail
mode: '0755' mode: "0755"


@ -4,6 +4,6 @@
- hosts: nginx,!adh_server - hosts: nginx,!adh_server
vars: vars:
nginx: "{{ glob_nginx | default({}) | combine(service_nginx | default({}) | combine(loc_nginx | default({}))) }}" nginx: "{{ glob_nginx | default({}) | combine(service_nginx | default({}) | combine(loc_nginx | default({}))) }}"
re2o_front: "{{ glob_re2o_front | default({}) | combine(loc_re2o_front | default({})) }}" # necessary for re2o-front re2o_front: "{{ glob_re2o_front | default({}) | combine(loc_re2o_front | default({})) }}"
roles: roles:
- nginx - nginx
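Review bot: the trailing comment `# necessary for re2o-front` on the `re2o_front:` line was dropped rather than reformatted, so the only explanation of why the nginx play defines a re2o-front variable is gone. yamllint's comments rule only asks for two spaces before an inline `#`; keeping it as `re2o_front: "{{ glob_re2o_front | default({}) | combine(loc_re2o_front | default({})) }}"  # necessary for re2o-front`, or as a `# necessary for re2o-front` comment on the line above, satisfies the linter without losing the note.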


@ -1,6 +1,6 @@
--- ---
- name: Install Anope - name: Install Anope
apt: ansible.builtin.apt:
update_cache: true update_cache: true
install_recommends: false install_recommends: false
name: name:
@ -10,7 +10,7 @@
until: apt_result is succeeded until: apt_result is succeeded
- name: Deploy Anope configuration - name: Deploy Anope configuration
template: ansible.builtin.template:
src: anope/{{ item }}.j2 src: anope/{{ item }}.j2
dest: /etc/anope/{{ item }} dest: /etc/anope/{{ item }}
mode: 0640 mode: 0640
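Review bot: `mode: 0640` stays an unquoted integer while this same commit quotes file modes elsewhere (`mode: "0755"` in the nfs_mount vars). Under the YAML 1.1 rules PyYAML applies, the leading zero makes it octal and Ansible handles it, but a YAML 1.2 loader reads `0640` as decimal 640, and the file-module documentation itself recommends quoting; `mode: "0640"` is parser-independent and consistent with the rest of the change. The same applies to `mode: 0755` in the apt-mirror motd task and `mode: 0644` in the proxy lineinfile task later in this commit.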


@ -1,6 +1,6 @@
--- ---
- name: Install apt-mirror - name: Install apt-mirror
apt: ansible.builtin.apt:
update_cache: true update_cache: true
name: apt-mirror name: apt-mirror
register: apt_result register: apt_result
@ -8,7 +8,7 @@
until: apt_result is succeeded until: apt_result is succeeded
- name: Create mirrors directory - name: Create mirrors directory
file: ansible.builtin.file:
path: "{{ apt_mirror.root }}/{{ item.host }}" path: "{{ apt_mirror.root }}/{{ item.host }}"
owner: apt-mirror owner: apt-mirror
group: mirror group: mirror
@ -17,7 +17,7 @@
loop: "{{ apt_mirror.targets }}" loop: "{{ apt_mirror.targets }}"
- name: Create mirror symlink - name: Create mirror symlink
file: ansible.builtin.file:
# Use relative path to stay modular if the folder is mounted on multiple server at different locations # Use relative path to stay modular if the folder is mounted on multiple server at different locations
src: "{{ item.host }}/{{ item.symlink }}" src: "{{ item.host }}/{{ item.symlink }}"
dest: "{{ apt_mirror.root }}/{{ item.name }}" dest: "{{ apt_mirror.root }}/{{ item.name }}"
@ -26,17 +26,17 @@
loop: "{{ apt_mirror.targets }}" loop: "{{ apt_mirror.targets }}"
- name: Copy apt-mirror configurations - name: Copy apt-mirror configurations
template: ansible.builtin.template:
src: apt/mirror.list.j2 src: apt/mirror.list.j2
dest: /etc/apt/mirror.list dest: /etc/apt/mirror.list
- name: Configure apt-mirror cron - name: Configure apt-mirror cron
template: ansible.builtin.template:
src: cron.d/apt-mirror.j2 src: cron.d/apt-mirror.j2
dest: /etc/cron.d/apt-mirror dest: /etc/cron.d/apt-mirror
- name: Indicate role in motd - name: Indicate role in motd
template: ansible.builtin.template:
src: update-motd.d/05-service.j2 src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-apt-mirror dest: /etc/update-motd.d/05-apt-mirror
mode: 0755 mode: 0755


@ -1,22 +1,22 @@
--- ---
- name: Register proto proxy - name: Register proto proxy
lineinfile: ansible.builtin.lineinfile:
path: /etc/iproute2/rt_protos.d/proxy.conf path: /etc/iproute2/rt_protos.d/proxy.conf
regexp: "^\\d+ proxy$" regexp: ^\d+ proxy$
line: "{{ service.proto_id }} {{ service.config.protocol }}" line: "{{ service.proto_id }} {{ service.config.protocol }}"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
- name: Enable IP forward and ARP and NDP proxies - name: Enable IP forward and ARP and NDP proxies
sysctl: ansible.posix.sysctl:
name: "{{ item.name }}" name: "{{ item.name }}"
value: "1" value: "1"
sysctl_file: "/etc/sysctl.d/{{ item.file }}.conf" sysctl_file: /etc/sysctl.d/{{ item.file }}.conf
sysctl_set: true sysctl_set: true
reload: true reload: true
loop: loop:
- {name: "net.ipv4.ip_forward", file: "10-forwarding"} - { name: net.ipv4.ip_forward, file: 10-forwarding }
- {name: "net.ipv6.conf.all.forwarding", file: "10-forwarding"} - { name: net.ipv6.conf.all.forwarding, file: 10-forwarding }
- {name: "net.ipv4.conf.{{ service.main_interface }}.proxy_arp", file: "11-proxy-{{ service.main_interface }}"} - { name: "net.ipv4.conf.{{ service.main_interface }}.proxy_arp", file: "11-proxy-{{ service.main_interface }}" }
- {name: "net.ipv6.conf.{{ service.main_interface }}.proxy_ndp", file: "11-proxy-{{ service.main_interface }}"} - { name: "net.ipv6.conf.{{ service.main_interface }}.proxy_ndp", file: "11-proxy-{{ service.main_interface }}" }
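Review bot: The unquoted `regexp: ^\d+ proxy$` is equivalent to the old quoted form (plain scalars keep the backslash literally), but it hardcodes `proxy` while `line` is templated from `service.config.protocol`; if that variable ever names another protocol the pattern never matches and lineinfile appends a fresh entry to rt_protos.d/proxy.conf on every run instead of replacing the existing one. Templating the pattern as `regexp: "^\\d+ {{ service.config.protocol }}$"` keeps the two in step. Given the task name the value is presumably always `proxy` today, so this is a robustness point rather than a current failure.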


@ -1,10 +1,10 @@
--- ---
- name: Create base directory - name: Create base directory
file: ansible.builtin.file:
path: "{{ autoconfig.path }}/mail" path: "{{ autoconfig.path }}/mail"
state: directory state: directory
- name: Deploy autoconfiguration website - name: Deploy autoconfiguration website
template: ansible.builtin.template:
src: mail/config-v1.1.xml.j2 src: mail/config-v1.1.xml.j2
dest: "{{ autoconfig.path }}/mail/config-v1.1.xml" dest: "{{ autoconfig.path }}/mail/config-v1.1.xml"


@ -1,6 +1,6 @@
--- ---
- name: Install ZFS - name: Install ZFS
apt: ansible.builtin.apt:
update_cache: true update_cache: true
name: name:
- zfs-dkms - zfs-dkms
@ -10,7 +10,7 @@
until: apt_result is succeeded until: apt_result is succeeded
- name: Install ifenslave - name: Install ifenslave
apt: ansible.builtin.apt:
update_cache: true update_cache: true
name: name:
- ifenslave - ifenslave


@ -1,5 +1,11 @@
--- ---
- name: Make belenios project
community.general.make:
chdir: /var/local/belenios
target: build-release-server
notify: Restart ocsigenserver
- name: Restart ocsigenserver - name: Restart ocsigenserver
systemd: ansible.builtin.systemd:
name: ocsigenserver name: ocsigenserver
state: restarted state: restarted


@ -1,6 +1,6 @@
--- ---
- name: Install Belenios dependencies from APT - name: Install Belenios dependencies from APT
apt: ansible.builtin.apt:
update_cache: true update_cache: true
install_recommends: false install_recommends: false
name: name:
@ -40,29 +40,23 @@
until: apt_result is succeeded until: apt_result is succeeded
- name: Start ocsigenserver at boot - name: Start ocsigenserver at boot
lineinfile: ansible.builtin.lineinfile:
path: /etc/default/ocsigenserver path: /etc/default/ocsigenserver
regexp: ^LAUNCH_AT_STARTUP= regexp: ^LAUNCH_AT_STARTUP=
line: LAUNCH_AT_STARTUP=true line: LAUNCH_AT_STARTUP=true
notify: Restart ocsigenserver notify: Restart ocsigenserver
- name: Clone belenios into /var/local/belenios - name: Clone belenios into /var/local/belenios
git: ansible.builtin.git:
repo: https://gitlab.inria.fr/belenios/belenios.git repo: https://gitlab.inria.fr/belenios/belenios.git
dest: /var/local/belenios dest: /var/local/belenios
version: "1.15" version: "1.15"
force: true force: true
notify: Make belenios project
register: git_result register: git_result
- name: Make belenios project
when: git_result.changed
make:
chdir: /var/local/belenios
target: build-release-server
notify: Restart ocsigenserver
- name: Create belenios data directories - name: Create belenios data directories
file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
owner: ocsigen owner: ocsigen
group: ocsigen group: ocsigen
@ -77,7 +71,7 @@
- /var/log/belenios - /var/log/belenios
- name: Link belenios directories into proper locations - name: Link belenios directories into proper locations
file: ansible.builtin.file:
src: "{{ item.src }}" src: "{{ item.src }}"
path: "{{ item.path }}" path: "{{ item.path }}"
owner: root owner: root
@ -105,7 +99,7 @@
path: /usr/share/belenios-server path: /usr/share/belenios-server
- name: Deploy ocsigenserver configuration - name: Deploy ocsigenserver configuration
template: ansible.builtin.template:
src: ocsigenserver/conf.d/belenios.conf.j2 src: ocsigenserver/conf.d/belenios.conf.j2
dest: /etc/ocsigenserver/conf.d/belenios.conf dest: /etc/ocsigenserver/conf.d/belenios.conf
owner: root owner: root
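Review bot: Moving the build from an inline `when: git_result.changed` task to `notify: Make belenios project` changes when it runs: handlers fire at the end of the play, so every task after the clone (the data directories and the links into /usr/share/belenios-server in this hunk) now executes before `make build-release-server`, and if any of them depends on build output — I cannot tell from the hunk — the first run would fail. It also means that if a later task fails, the handler is skipped unless `--force-handlers` is given, and on the next run the git task reports no change, so the build is never triggered. If ordering matters, add `- ansible.builtin.meta: flush_handlers` immediately after the clone task, or keep the conditional task. Separately, `version: "1.15"` is a movable tag; pinning to the release's commit (`version: <commit-sha>`) makes the deployed source verifiable rather than trusting the remote not to move the tag. The Link belenios directories task continues outside the hunk.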


@ -1,5 +1,5 @@
--- ---
- name: systemctl reload bind9.service - name: systemctl reload bind9.service
systemd: ansible.builtin.systemd:
name: bind9 name: bind9
state: reloaded state: reloaded


@ -1,6 +1,6 @@
--- ---
- name: Install Bind9 - name: Install Bind9
apt: ansible.builtin.apt:
update_cache: true update_cache: true
name: bind9 name: bind9
register: apt_result register: apt_result
@ -8,7 +8,7 @@
until: apt_result is succeeded until: apt_result is succeeded
- name: Deploy Bind9 configuration - name: Deploy Bind9 configuration
template: ansible.builtin.template:
src: bind/{{ item }}.j2 src: bind/{{ item }}.j2
dest: /etc/bind/{{ item }} dest: /etc/bind/{{ item }}
mode: 0640 mode: 0640
@ -23,7 +23,7 @@
notify: systemctl reload bind9.service notify: systemctl reload bind9.service
- name: Indicate role in motd - name: Indicate role in motd
template: ansible.builtin.template:
src: update-motd.d/05-service.j2 src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-bind dest: /etc/update-motd.d/05-bind
mode: 0755 mode: 0755


@ -1,5 +1,5 @@
--- ---
- name: Reload bind9 - name: Reload bind9
systemd: ansible.builtin.systemd:
name: bind9 name: bind9
state: reloaded state: reloaded


@ -1,6 +1,6 @@
--- ---
- name: Install Bind9 - name: Install Bind9
apt: ansible.builtin.apt:
update_cache: true update_cache: true
name: bind9 name: bind9
register: apt_result register: apt_result
@ -8,7 +8,7 @@
until: apt_result is succeeded until: apt_result is succeeded
- name: Deploy Bind9 configuration - name: Deploy Bind9 configuration
template: ansible.builtin.template:
src: bind/{{ item }}.j2 src: bind/{{ item }}.j2
dest: /etc/bind/{{ item }} dest: /etc/bind/{{ item }}
mode: 0644 mode: 0644


@ -1,20 +0,0 @@
---
- name: check bird status
service_facts:
listen: 'reload bird'
- name: reload bird
systemd:
name: bird
state: reloaded
when: not ansible_check_mode and ansible_facts.services['bird']['state'] == 'running'
- name: check bird6 status
service_facts:
listen: 'reload bird6'
- name: reload bird6
systemd:
name: bird6
state: reloaded
when: not ansible_check_mode and ansible_facts.services['bird6']['state'] == 'running'


@ -1,36 +0,0 @@
---
- name: PLEASE STOP
pause:
prompt: "{{ item }}"
loop:
- APPUIE SUR ^C TOUT DE SUITE ET LANCE LE RÔLE BIRD2 !
- NAN MAIS VRAIMENT
- GENRE ARRÈTE
- ON T'AURA PRÉVENU
#- name: Install BIRD
# apt:
# update_cache: true
# name:
# - bird
# register: apt_result
# retries: 3
# until: apt_result is succeeded
#- name: Deploy bird configuration
# template:
# src: bird/bird.conf.j2
# dest: /etc/bird/bird.conf
# mode: 0640
# owner: bird
# group: bird
# notify: reload bird
#- name: Deploy bird6 configuration
# template:
# src: bird/bird6.conf.j2
# dest: /etc/bird/bird6.conf
# mode: 0640
# owner: bird
# group: bird
# notify: reload bird6


@ -1,66 +0,0 @@
{{ ansible_header | comment }}
# This is a minimal configuration file, which allows the bird daemon to start
# but will not cause anything else to happen.
#
# Please refer to the documentation in the bird-doc package or BIRD User's
# Guide on http://bird.network.cz/ for more information on configuring BIRD and
# adding routing protocols.
# Change this into your BIRD router ID. It's a world-wide unique identification
# of your router, usually one of router's IPv4 addresses.
router id {{ bird.ipv4.id }};
{% for bind in bird.ipv4.binds %}
listen bgp address {{ bind }} port 179;
{% endfor %}
# The Kernel protocol is not a real routing protocol. Instead of communicating
# with other routers in the network, it performs synchronization of BIRD's
# routing tables with the OS kernel.
protocol kernel {
# persist;
scan time 60;
import none;
{% if bird.ipv4.kernel_filter is defined %}
export filter {
if ( net ~ [ {{ bird.ipv4.kernel_filter|join(', ') }} ] ) then reject;
accept;
};
{% else %}
export all;
{% endif %}
}
# The Device protocol is not a real routing protocol. It doesn't generate any
# routes and it only serves as a module for getting information about network
# interfaces from the kernel.
protocol device {
scan time 60;
}
protocol static {
{% for static in bird.ipv4.statics %}
route {{ static }} reject;
{% endfor %}
}
{% for bgp in bird.ipv4.bgps %}
protocol bgp {{ bgp.name }} {
{% if bgp.local.address is defined %}
local {{ bgp.local.address }} as {{ bgp.local.as }};
{% else %}
local as {{ bgp.local.as }};
{% endif %}
{% if bgp.allow_local_as is defined %}
allow local as {{ bgp.allow_local_as }};
{% endif %}
neighbor {{ bgp.remote.address }} as {{ bgp.remote.as }};
import all;
export filter {
if ( net ~ [ {{ bgp.allow_export_prefixes|join(', ') }} ] ) then accept;
reject;
};
}
{% endfor %}


@ -1,65 +0,0 @@
{{ ansible_header | comment }}
# This is a minimal configuration file, which allows the bird daemon to start
# but will not cause anything else to happen.
#
# Please refer to the documentation in the bird-doc package or BIRD User's
# Guide on http://bird.network.cz/ for more information on configuring BIRD and
# adding routing protocols.
# Change this into your BIRD router ID. It's a world-wide unique identification
# of your router, usually one of router's IPv6 addresses.
router id {{ bird.ipv6.id }};
{% for bind in bird.ipv6.binds %}
listen bgp address {{ bind }} port 179;
{% endfor %}
# The Kernel protocol is not a real routing protocol. Instead of communicating
# with other routers in the network, it performs synchronization of BIRD's
# routing tables with the OS kernel.
protocol kernel {
# persist;
scan time 60;
import none;
{% if bird.ipv6.kernel_filter is defined %}
export filter {
if ( net ~ [ {{ bird.ipv6.kernel_filter|join(', ') }} ] ) then reject;
accept;
};
{% else %}
export all;
{% endif %}
}
# The Device protocol is not a real routing protocol. It doesn't generate any
# routes and it only serves as a module for getting information about network
# interfaces from the kernel.
protocol device {
scan time 60;
}
protocol static {
{% for route in bird.ipv6.statics %}
route {{ route }} reject;
{% endfor %}
}
{%for bgp in bird.ipv6.bgps %}
protocol bgp {{ bgp.name }} {
{% if bgp.local.address is defined %}
local {{ bgp.local.address }} as {{ bgp.local.as }};
{% else %}
local as {{ bgp.local.as }};
{% endif %}
{% if bgp.allow_local_as is defined %}
allow local as {{ bgp.allow_local_as }};
{% endif %}
neighbor {{ bgp.remote.address }} as {{ bgp.remote.as }};
import all;
export filter {
if ( net ~ [ {{ bgp.allow_export_prefixes|join(', ') }} ] ) then accept;
reject;
};
}
{% endfor %}


@ -1,10 +1,10 @@
--- ---
- name: systemctl status bird.service - name: systemctl status bird.service
service_facts: ansible.builtin.service_facts:
listen: systemctl reload bird.service listen: systemctl reload bird.service
- name: systemctl reload bird.service - name: systemctl reload bird.service
pause: ansible.builtin.pause:
prompt: |- prompt: |-
On a préféré ne pas redemarrer bird automatiquement. On a préféré ne pas redemarrer bird automatiquement.
Du coup, c'est à toi de t'en occuper: Du coup, c'est à toi de t'en occuper:
@ -14,6 +14,6 @@
when: not ansible_check_mode and ansible_facts.services['bird']['state'] == 'running' when: not ansible_check_mode and ansible_facts.services['bird']['state'] == 'running'
- name: systemctl stop bird.service - name: systemctl stop bird.service
systemd: ansible.builtin.systemd:
name: bird.service name: bird.service
state: stopped state: stopped
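Review bot: The `when:` on the pause handler indexes `ansible_facts.services['bird']['state']` directly, so on a host where service_facts reports no `bird` entry (package not yet installed, or the unit only listed under its `bird.service` name) the handler errors on the undefined key instead of skipping. A lookup that tolerates the missing key is safer: `when: not ansible_check_mode and ansible_facts.services.get('bird', {}).get('state') == 'running'`. Whether the entry appears as `bird` or `bird.service` depends on which init-system source service_facts gathers from, so confirm the key on a target host. The systemctl reload bird.service handler continues outside the hunk.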
