crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

linter2

linter
_shirenn 2022-07-05 17:43:20 +02:00
parent a73d5892e4
commit c7068ac540
243 changed files with 1348 additions and 1547 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.yamllint.yml
View File

@ -3,4 +3,7 @@ extends: default
rules:
line-length: disable
braces:
min-spaces-inside: 0
max-spaces-inside: 1
...

2
group_vars/adh_server.yml
View File

@ -2,7 +2,7 @@
glob_adh:
apache:
listen_local:
- "127.0.0.1:80"
- 127.0.0.1:80
- "[::1]:80"
listen_network: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ansible.utils.ipwrap }}"
club_vhosts:

27
group_vars/all/ansible-header.yml
View File

@ -1,18 +1,19 @@
---
# Custom header
dirty: "{% if template_fullpath is defined %}{{ lookup('pipe', 'git diff --quiet -- ' + template_fullpath | quote + ' || echo dirty') }}{% else %}{{ lookup('pipe', 'git diff --quiet || echo dirty') }}{% endif %}"
dirty: "{% if template_fullpath is defined %}{{ lookup('pipe', 'git diff --quiet -- ' + template_fullpath | quote + ' || echo dirty') }}{% else %}{{ lookup('pipe',\
\ 'git diff --quiet || echo dirty') }}{% endif %}"
ansible_header: |
+++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
Ansible managed, don't modify the file locally.
See https://gitlab.crans.org/nounous/ansible.
{% if template_fullpath is defined %}{% set _, rpath = template_fullpath.split('roles/', 1) %}Commit: {% if dirty %}({{dirty}}) {% endif %}{{ lookup('pipe', 'git log -n 1 --pretty=format:%H -- ' + template_fullpath | quote) }}
{% if dirty %}Run by: {{ ansible_env.SUDO_USER }}
{% else %}Author: {{ lookup('pipe', 'git log -n 1 --pretty=format:%an -- ' + template_fullpath | quote) }}
{% endif %}Template: roles/{{ rpath }}
{% else %}
Run by: {{ ansible_env.SUDO_USER }}
Latest commit: {% if dirty %}({{dirty}}) {% endif %}{{ lookup('pipe', 'git rev-parse HEAD') }}
{% endif %}
Ansible managed, don't modify the file locally.
See https://gitlab.crans.org/nounous/ansible.
{% if template_fullpath is defined %}{% set _, rpath = template_fullpath.split('roles/', 1) %}Commit: {% if dirty %}({{ dirty }}) {% endif %}{{ lookup('pipe', 'git log -n 1 --pretty=format:%H -- ' + template_fullpath | quote) }}
{% if dirty %}Run by: {{ ansible_env.SUDO_USER }}
{% else %}Author: {{ lookup('pipe', 'git log -n 1 --pretty=format:%an -- ' + template_fullpath | quote) }}
{% endif %}Template: roles/{{ rpath }}
{% else %}
Run by: {{ ansible_env.SUDO_USER }}
Latest commit: {% if dirty %}({{ dirty }}) {% endif %}{{ lookup('pipe', 'git rev-parse HEAD') }}
{% endif %}
+++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++

4
group_vars/all/borg.yml
View File

@ -11,8 +11,8 @@ glob_borg:
remote:
- borg@backup-ft.adm.crans.org:/backup/borg-server/{{ ansible_hostname }}
retention:
- ["daily", 4]
- ["monthly", 6]
- [daily, 4]
- [monthly, 6]
consistency_check:
- disabled
extra_init:

2
group_vars/all/home_nounou.yml
View File

@ -7,4 +7,4 @@ glob_home_nounou:
name: home_nounou
owner: root
group: _user
mode: '0750'
mode: "0750"

6
group_vars/all/ldap.yml
View File

@ -1,10 +1,10 @@
---
glob_ldap:
uri: 'ldap://re2o-ldap.adm.crans.org/'
users_base: 'cn=Utilisateurs,dc=crans,dc=org'
uri: ldap://re2o-ldap.adm.crans.org/
users_base: cn=Utilisateurs,dc=crans,dc=org
servers:
- 172.16.10.1
- 172.16.10.11
- 172.16.10.12
- 172.16.10.13
base: 'dc=crans,dc=org'
base: dc=crans,dc=org

5
group_vars/all/network_interfaces.yml
View File

@ -14,10 +14,11 @@ glob_network_interfaces:
- name: san
id: 4
extra:
- "mtu 9000"
- mtu 9000
- name: adm
id: 10
dns: "{{ query('ldap', 'ip', 'routeur-sam', 'adm') | ansible.utils.ipv4 | first }} {{ query('ldap', 'ip', 'routeur-daniel', 'adm') | ansible.utils.ipv4 | first }}"
dns: "{{ query('ldap', 'ip', 'routeur-sam', 'adm') | ansible.utils.ipv4 | first }} {{ query('ldap', 'ip', 'routeur-daniel', 'adm') | ansible.utils.ipv4 | first\
\ }}"
- name: adh
id: 12
gateway: "{{ query('ldap', 'ip', 'passerelle', 'adh') | ansible.utils.ipv4 | first }}"

2
group_vars/all/root.yml
View File

@ -1,3 +1,3 @@
---
glob_root:
passwd_hash: '{{ vault.root.passwd_hash }}'
passwd_hash: "{{ vault.root.passwd_hash }}"

2
group_vars/all/ssh_known_hosts.yml
View File

@ -12,4 +12,4 @@ glob_service_ssh_known_hosts:
frequency: "*/10 * * * *"
config:
ldap:
server: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}"
server: ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}

2
group_vars/arpproxy.yml
View File

@ -8,6 +8,6 @@ glob_service_proxy:
generated: false
cron:
frequency: "* * * * *"
options: "--alter"
options: --alter
proto_id: 201
main_interface: ens18

2
group_vars/aurore/home_nounou.yml
View File

@ -7,4 +7,4 @@ loc_home_nounou:
name: home_nounou
owner: root
group: _user
mode: '0750'
mode: "0750"

2
group_vars/aurore/ssh_known_hosts.yml
View File

@ -2,4 +2,4 @@
loc_service_ssh_known_hosts:
config:
ldap:
server: "ldaps://{{ query('ldap', 'ip', 'thot', 'adm') | ansible.utils.ipv4 | first }}"
server: ldaps://{{ query('ldap', 'ip', 'thot', 'adm') | ansible.utils.ipv4 | first }}

2
group_vars/belenios.yml
View File

@ -12,4 +12,4 @@ logos:
where: /usr/share/belenios-server/logo.png
owner: root
group: root
mode: '0644'
mode: "0644"

2
group_vars/certbot.yml
View File

@ -13,7 +13,7 @@ glob_service_certbot:
remote: https://gitlab.adm.crans.org/nounous/certbot
version: main
config:
"crans.org":
crans.org:
zone: _acme-challenge.crans.org
server: 172.16.10.147
port: 53

44
group_vars/constellation.yml
View File

@ -4,41 +4,41 @@ glob_constellation:
admins:
- ('Root', 'root@crans.org')
allowed_hosts:
- 'constellation.crans.org'
- 'intranet.crans.org'
- constellation.crans.org
- intranet.crans.org
email:
ssl: false
host: "{{ query('ldap', 'ip', 'redisdead', 'adm') | ansible.utils.ipv4 | first }}"
port: 25
user: ''
password: ''
from: "root@crans.org"
from_full: "Crans <root@crans.org>"
user: ""
password: ""
from: root@crans.org
from_full: Crans <root@crans.org>
database:
host: "{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}"
port: 5432
user: 'constellation'
user: constellation
password: "{{ vault.constellation.django_db_password }}"
name: 'constellation'
name: constellation
front: true
crontab: true
applications:
- 'access'
- 'billing'
- 'dnsmanager'
- 'firewall'
- 'layers'
- 'management'
- 'member'
- 'topography'
- 'unix'
- access
- billing
- dnsmanager
- firewall
- layers
- management
- member
- topography
- unix
stripe:
private_key: '{{ vault.constellation.stripe.live.private_key }}'
public_key: '{{ vault.constellation.stripe.live.public_key }}'
private_key: "{{ vault.constellation.stripe.live.private_key }}"
public_key: "{{ vault.constellation.stripe.live.public_key }}"
note:
url: 'https://note.crans.org/'
client_id: '{{ vault.constellation.note.client_id }}'
client_secret: '{{ vault.constellation.note.client_secret }}'
url: https://note.crans.org/
client_id: "{{ vault.constellation.note.client_id }}"
client_secret: "{{ vault.constellation.note.client_secret }}"
debug: false
owner: root
group: _nounou

26
group_vars/constellation_front.yml
View File

@ -6,25 +6,25 @@ loc_nginx:
- ssl: false
default: true
server_name:
- "constellation.crans.org"
- "intranet.crans.org"
- constellation.crans.org
- intranet.crans.org
locations:
- filter: "/static"
- filter: /static
params:
- "alias {% if constellation.version == 'main' %}/var/lib/constellation/static/{% else %}/var/local/constellation/static/{% endif %}"
- alias {% if constellation.version == 'main' %}/var/lib/constellation/static/{% else %}/var/local/constellation/static/{% endif %}
- filter: "/media"
- filter: /media
params:
- "alias {% if constellation.version == 'main' %}/var/lib/constellation/media/{% else %}/var/local/constellation/media/{% endif %}"
- alias {% if constellation.version == 'main' %}/var/lib/constellation/media/{% else %}/var/local/constellation/media/{% endif %}
- filter: "/doc"
- filter: /doc
params:
- "alias /var/www/constellation-doc/"
- alias /var/www/constellation-doc/
- filter: "/"
- filter: /
params:
- "uwsgi_pass constellation"
- "include /etc/nginx/uwsgi_params"
- uwsgi_pass constellation
- include /etc/nginx/uwsgi_params
upstreams:
- name: 'constellation'
server: 'unix:///var/run/uwsgi/app/constellation/constellation.sock'
- name: constellation
server: unix:///var/run/uwsgi/app/constellation/constellation.sock

3
group_vars/dhcp.yml
View File

@ -1,9 +1,8 @@
---
glob_dhcp:
global_options:
- {key: "interface-mtu", value: "1500"}
- { key: interface-mtu, value: "1500" }
global_parameters: []
glob_service_dhcp:
name: dhcp
install_dir: /var/local/services/dhcp

28
group_vars/django_cas.yml
View File

@ -1,23 +1,23 @@
---
glob_django_cas:
repo: 'http://gitlab.adm.crans.org/nounous/django-cas.git'
path: '/var/local/django-cas'
repo: http://gitlab.adm.crans.org/nounous/django-cas.git
path: /var/local/django-cas
ldap:
dn: 'cn=Utilisateurs,dc=crans,dc=org'
dn: cn=Utilisateurs,dc=crans,dc=org
password: "{{ vault.cas.ldap.password }}"
user: 'cn=cas,ou=service-users,dc=crans,dc=org'
user: cn=cas,ou=service-users,dc=crans,dc=org
server: 172.16.10.157
db:
host: tealc.adm.crans.org
password: "{{ vault.cas.database.password }}"
secret_key: "{{ vault.cas.secret_key }}"
mail:
address: 'root@crans.org'
address: root@crans.org
host: "{{ query('ldap', 'ip', 'redisdead', 'adm') | ansible.utils.ipv4 | first }}"
port: 25
loc_nginx:
service_name: "cas"
service_name: cas
ssl: []
servers:
- server_name:
@ -29,16 +29,16 @@ loc_nginx:
- auth.adm.crans.org
default: true
locations:
- filter: "/cas"
- filter: /cas
params:
- "rewrite ^/cas$ / redirect"
- "rewrite ^/cas/(.*)$ /$1 redirect"
- rewrite ^/cas$ / redirect
- rewrite ^/cas/(.*)$ /$1 redirect
- filter: "/static"
- filter: /static
params:
- "alias /var/local/django-cas/cas/local_static"
- alias /var/local/django-cas/cas/local_static
- filter: "/"
- filter: /
params:
- "uwsgi_pass unix:///var/run/uwsgi/app/cas/socket"
- "include uwsgi_params"
- uwsgi_pass unix:///var/run/uwsgi/app/cas/socket
- include uwsgi_params

40
group_vars/dns_authoritative.yml
View File

@ -1,24 +1,24 @@
---
glob_bind:
default:
format: 'bak.%s'
format: bak.%s
zones:
'_acme-challenge.crans.org':
'_acme-challenge.adm.crans.org':
'adh.crans.org': {}
'adm.crans.org': {}
'cachan-adm.crans.org': {}
'crans.eu': {}
'crans.fr': {}
'crans.org': {}
'lists.crans.org': {}
'san.crans.org': {}
'renater.crans.org': {}
'ens.crans.org': {}
'lp.crans.org': {}
'admissibles.crans.org': {}
'76.230.185.in-addr.arpa': {}
'77.230.185.in-addr.arpa': {}
'78.230.185.in-addr.arpa': {}
'79.230.185.in-addr.arpa': {}
'0.0.7.0.c.0.a.2.ip6.arpa': {}
_acme-challenge.crans.org:
_acme-challenge.adm.crans.org:
adh.crans.org: {}
adm.crans.org: {}
cachan-adm.crans.org: {}
crans.eu: {}
crans.fr: {}
crans.org: {}
lists.crans.org: {}
san.crans.org: {}
renater.crans.org: {}
ens.crans.org: {}
lp.crans.org: {}
admissibles.crans.org: {}
76.230.185.in-addr.arpa: {}
77.230.185.in-addr.arpa: {}
78.230.185.in-addr.arpa: {}
79.230.185.in-addr.arpa: {}
0.0.7.0.c.0.a.2.ip6.arpa: {}

8
group_vars/dovecot.yml
View File

@ -1,9 +1,9 @@
---
glob_dovecot:
ldap:
uri: "ldap://{{ query('ldap', 'ip', 're2o-ldap', 'adm') | ansible.utils.ipv4 | first }}/"
dn: 'cn=dovecot,ou=service-users,dc=crans,dc=org'
uri: ldap://{{ query('ldap', 'ip', 're2o-ldap', 'adm') | ansible.utils.ipv4 | first }}/
dn: cn=dovecot,ou=service-users,dc=crans,dc=org
pass: "{{ vault.dovecot_dnpass }}"
users_base: 'cn=Utilisateurs,dc=crans,dc=org'
home_path: '/home_adh'
users_base: cn=Utilisateurs,dc=crans,dc=org
home_path: /home_adh
inet_listener: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ansible.utils.ipwrap | join(', ') }}"

4
group_vars/dropbear.yml
View File

@ -1,6 +1,6 @@
---
glob_dropbear:
initramfs_ip: "::::{{ ansible_hostname }}:ens2f0:dhcp"
options: "-I 180 -j -k -p 80 -s"
initramfs_ip: ::::{{ ansible_hostname }}:ens2f0:dhcp
options: -I 180 -j -k -p 80 -s
authorized_keys:
- "{{ vault.surface.pubkey }}"

6
group_vars/etherpad.yml
View File

@ -11,7 +11,7 @@ glob_etherpad:
user: crans
host: pgsql.adm.crans.org
name: etherpad
default_pad_text: "Etherpad du Crans.\\n\\nCe pad est vide, à vous de le remplir.\\n\\nhttps:\/\/etherpad.org"
default_pad_text: Etherpad du Crans.\n\nCe pad est vide, à vous de le remplir.\n\nhttps://etherpad.org
admin:
user: admin
password: "{{ vault.etherpad.admin.password }}"
@ -28,7 +28,7 @@ glob_etherpad:
user: crans
host: pgsql.adm.crans.org
name: etherpad_tmp
default_pad_text: "Etherpad du Crans.\\n\\nCe pad est vide et expirera dans 1 an, à vous de le remplir.\\n\\nhttps:\/\/etherpad.org"
default_pad_text: Etherpad du Crans.\n\nCe pad est vide et expirera dans 1 an, à vous de le remplir.\n\nhttps://etherpad.org
admin:
user: admin
password: "{{ vault.etherpad.admin.password }}"
@ -38,4 +38,4 @@ glob_etherpad:
loop: true
loop_delay: 86400 # one day, in seconds
delete_at_start: true
deleted_text: "Etherpad du Crans.\\n\\nCe pad est vide et expirera dans 1 an, à vous de le remplir.\\n\\nhttps:\/\/etherpad.org"
deleted_text: Etherpad du Crans.\n\nCe pad est vide et expirera dans 1 an, à vous de le remplir.\n\nhttps://etherpad.org

2
group_vars/framadate.yml
View File

@ -5,7 +5,7 @@ glob_framadate:
smtp_server: smtp.adm.crans.org
hostname: framadate.crans.org
repo: https://framagit.org/framasoft/framadate/framadate.git
version: "1.1.16"
version: 1.1.16
admin_username: framadate
admin_password: "{{ vault.framadate.admin_password }}"
db_password: "{{ vault.framadate.db_password }}"

24
group_vars/galene.yml
View File

@ -5,26 +5,26 @@ service_nginx:
- ssl: crans.org
default: true
server_name:
- "galene.crans.org"
- galene.crans.org
locations:
- filter: "/"
- filter: /
params:
- "include /etc/nginx/snippets/options-proxypass.conf"
- "proxy_pass http://localhost:8443"
- include /etc/nginx/snippets/options-proxypass.conf
- proxy_pass http://localhost:8443
- filter: "~ ^/(\\w+)/$"
- filter: ~ ^/(\w+)/$
params:
- "return 302 https://$host/group/$1"
- return 302 https://$host/group/$1
- ssl: crans.org
server_name:
- "neree.crans.org"
- neree.crans.org
locations:
- filter: "/"
- filter: /
params:
- "include /etc/nginx/snippets/options-proxypass.conf"
- "proxy_pass http://localhost:8443"
- include /etc/nginx/snippets/options-proxypass.conf
- proxy_pass http://localhost:8443
- filter: "~ ^/(\\w+)/$"
- filter: ~ ^/(\w+)/$
params:
- "return 302 https://$host/group/$1"
- return 302 https://$host/group/$1

24
group_vars/gitlab.yml
View File

@ -1,21 +1,21 @@
---
glob_gitlab:
url: 'https://gitlab.crans.org'
time_zone: 'Europe/Paris'
email: 'gitlab@crans.org'
email_display_name: 'Crans GitLab'
url: https://gitlab.crans.org
time_zone: Europe/Paris
email: gitlab@crans.org
email_display_name: Crans GitLab
ldap:
label: 'Crans'
label: Crans
host: "{{ query('ldap', 'ip', 're2o-ldap', 'adm') | first }}"
port: 389
uid: 'uid'
bind_dn: 'cn=gitlab,ou=service-users,dc=crans,dc=org'
uid: uid
bind_dn: cn=gitlab,ou=service-users,dc=crans,dc=org
bind_password: "{{ vault.gitlab.ldap.bind_password }}"
base: 'cn=Utilisateurs,dc=crans,dc=org'
user_filter: '(&(!(shadowExpire=0))(uid=*))'
cas_name: 'cas3'
cas_label: 'CAS Cr@ns'
cas_url: 'https://cas.crans.org'
base: cn=Utilisateurs,dc=crans,dc=org
user_filter: (&(!(shadowExpire=0))(uid=*))
cas_name: cas3
cas_label: CAS Cr@ns
cas_url: https://cas.crans.org
smtp:
address: "{{ query('ldap', 'ip', 'redisdead', 'adm') | first }}"
port: 25

10
group_vars/grafana.yml
View File

@ -3,10 +3,10 @@ glob_grafana:
root_url: https://grafana.crans.org
ldap_base: "{{ glob_ldap.base }}"
ldap_master_ipv4: "{{ glob_ldap.servers[0] }}"
ldap_user_tree: "ou=passwd,{{ glob_ldap.base }}"
ldap_group_tree: "ou=group,{{ glob_ldap.base }}"
ldap_group_filter: "uid"
ldap_group_admin: "cn=_nounou,ou=group,{{ glob_ldap.base }}"
ldap_user_tree: ou=passwd,{{ glob_ldap.base }}
ldap_group_tree: ou=group,{{ glob_ldap.base }}
ldap_group_filter: uid
ldap_group_admin: cn=_nounou,ou=group,{{ glob_ldap.base }}
ldap_group_editor: "*" # Everyone is editor
logos:
@ -14,4 +14,4 @@ logos:
where: /usr/share/grafana/public/img/grafana_icon.svg
owner: root
group: root
mode: '0644'
mode: "0644"

2
group_vars/horde.yml
View File

@ -1,6 +1,6 @@
---
glob_horde:
secret: '{{ vault.horde.secret }}'
secret: "{{ vault.horde.secret }}"
imap: imap.adm.crans.org
smtp: smtp.adm.crans.org
maildomain: crans.org

9
group_vars/jitsi.yml
View File

@ -2,23 +2,22 @@
# We use embedded Jitsi configuration
loc_nginx:
servers: []
glob_jitsi:
ip: "{{ query('ldap', 'ip', ansible_hostname, 'srv') }}"
hostname: "{{ ansible_hostname }}.crans.org"
configuration:
- "liveStreamingEnabled"
- "prejoinPageEnabled"
- liveStreamingEnabled
- prejoinPageEnabled
logos:
- which: crans_logo_white.svg
where: /usr/share/jitsi-meet/images/watermark.svg
owner: root
group: root
mode: '0644'
mode: "0644"
- which: crans_favicon.ico
where: /usr/share/jitsi-meet/images/favicon.ico
owner: root
group: root
mode: '0644'
mode: "0644"

19
group_vars/keepalived.yml
View File

@ -14,29 +14,26 @@ glob_keepalived:
- vlan: via
ipv4: 138.195.159.250/30
ipv6:
- {ip: '2a0c:b641:2f3::2/64', scope: 'global'}
- { ip: 2a0c:b641:2f3::2/64, scope: global }
- vlan: aurore
ipv4: 185.230.79.253/29
ipv6:
- {ip: '2a0c:700:28::1/64', scope: 'global'}
- { ip: 2a0c:700:28::1/64, scope: global }
- vlan: srv
ipv4: 185.230.79.62/26
ipv6:
- {ip: '2a0c:700:2::ff:fe00:9902/64', scope: 'global'}
- {ip: 'fe80::1/64', scope: 'link'}
- { ip: 2a0c:700:2::ff:fe00:9902/64, scope: global }
- { ip: fe80::1/64, scope: link }
- vlan: srv_nat
ipv4: 172.16.3.99/24
ipv6:
- {ip: '2a0c:700:3::ff:fe00:9903/64', scope: 'global'}
- {ip: 'fe80::1/64', scope: 'link'}
- { ip: 2a0c:700:3::ff:fe00:9903/64, scope: global }
- { ip: fe80::1/64, scope: link }
- vlan: adh
ipv4: 185.230.78.99/24
ipv6:
- {ip: '2a0c:700:12::ff:fe00:9912/48', scope: 'global'}
- {ip: 'fe80::1/64', scope: 'link'}
# - vlan: ens
# ipv4: 100.84.0.99/16
# ipv6: 2a0c:700:54::ff:fe00:9954/48
- { ip: 2a0c:700:12::ff:fe00:9912/48, scope: global }
- { ip: fe80::1/64, scope: link }
glob_service_keepalived:
name: keepalived

4
group_vars/linx.yml
View File

@ -1,4 +1,4 @@
---
glob_linx:
siteurl: "https://linx.crans.org/"
name: "CRANS Linx"
siteurl: https://linx.crans.org/
name: CRANS Linx

72
group_vars/mailman.yml
View File

@ -3,83 +3,83 @@ loc_nginx:
service_name: mailman3
upstreams:
- name: mailman3
server: "unix:/run/mailman3-web/uwsgi.sock fail_timeout=0"
server: unix:/run/mailman3-web/uwsgi.sock fail_timeout=0
servers:
- ssl: false
server_name:
- "localhost"
- localhost
locations:
- filter: "/"
- filter: /
params:
- "uwsgi_pass mailman3"
- "include /etc/nginx/uwsgi_params"
- uwsgi_pass mailman3
- include /etc/nginx/uwsgi_params
- ssl: false
default: true
server_name:
- "lists.crans.org"
- lists.crans.org
locations:
- filter: "/"
- filter: /
params:
- "uwsgi_pass mailman3"
- "include /etc/nginx/uwsgi_params"
- "satisfy any"
- "allow 185.230.76.0/22"
- "allow 2a0c:700:0::/40"
- "deny all"
- "auth_basic \"On n'aime pas les spambots, donc on a mis un mot de passe. Le login est Stop et le mot de passe est Spam.\""
- "auth_basic_user_file /etc/nginx/passwd"
- "error_page 401 /error/401.html"
- uwsgi_pass mailman3
- include /etc/nginx/uwsgi_params
- satisfy any
- allow 185.230.76.0/22
- allow 2a0c:700:0::/40
- deny all
- auth_basic "On n'aime pas les spambots, donc on a mis un mot de passe. Le login est Stop et le mot de passe est Spam."
- auth_basic_user_file /etc/nginx/passwd
- error_page 401 /error/401.html
- filter: "/mailman3/static"
- filter: /mailman3/static
params:
- "alias /var/lib/mailman3/web/static"
- alias /var/lib/mailman3/web/static
- filter: "/mailman3/static/favicon.ico"
- filter: /mailman3/static/favicon.ico
params:
- "alias /var/lib/mailman3/web/static/postorius/img/favicon.ico"
- alias /var/lib/mailman3/web/static/postorius/img/favicon.ico
- filter: "/error/"
- filter: /error/
params:
- "internal"
- "alias /var/www/html/"
- internal
- alias /var/www/html/
- filter: "/robots.txt"
- filter: /robots.txt
params:
- "alias /var/www/robots.txt"
- alias /var/www/robots.txt
auth_passwd:
Stop: "$apr1$NXaV5H7Q$J3ora3Jo5h775Y1nm93PN1" # Spam
Stop: $apr1$NXaV5H7Q$J3ora3Jo5h775Y1nm93PN1 # Spam
deploy_robots_file: true
glob_mailman3:
site_owner: root@crans.org
database:
user: "mailman3"
user: mailman3
pass: "{{ vault.mailman3.database.pass }}"
host: "{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}"
port: 5432
name: "mailman3"
name: mailman3
web_database:
user: "mailman3web"
user: mailman3web
pass: "{{ vault.mailman3.web_database.pass }}"
host: "{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}"
port: 5432
name: "mailman3web"
name: mailman3web
restadmin_pass: "{{ vault.mailman3.restadmin_pass }}"
archiver_key: "{{ vault.mailman3.archiver_key }}"
web_secret_key: "{{ vault.mailman3.web_secret_key }}"
web_domains:
- "lists.crans.org"
default_domain: "lists.crans.org"
postfix_domain: "crans.org"
- lists.crans.org
default_domain: lists.crans.org
postfix_domain: crans.org
loc_opendkim:
domain: "lists.crans.org"
selector: "lists"
domain: lists.crans.org
selector: lists
signing:
- "*@lists.crans.org"
sender_headers: "List-Post,Sender,From"
sender_headers: List-Post,Sender,From
txt_record: |
lists._domainkey IN TXT "v=DKIM1; h=sha256; k=rsa; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA7jkgGjxZvQDbgFIuqb59lt7O1Jg6DFTSBxFlTfBW+3MF+AFjBR3AZ/UXwDA1vH4UTZqq0fWN6y6wqE/F7+HDjpqZGGuygZWTGVbBxwiKSjc2kq2mz7kLisE3a/jP8kyQDdb7fWrtTw9fxYu+Ygs0744otjRsui/ZK6zbrO8XQfd5UYnj4IGALeIuVFVLmwTY+VL/xWR/UjcfxgAprRfH0ec8PGlrxhpeLhUSJxw3Q6QfTnDsIpWLfJdgxILGa58TmhH6d+faxa1OIP37wswPjkDykmMFsCQJX9P7mXXR0+1FIRhhNpfCRXXj37udbIezDEMfA15rWSoYinPU+x7i6LhfJD7G40p1oDBiaOimZ8D/PUDAtoWRQeFiNOOQmNqDaVwlaOMvIZH2ZFD2I0eJIDb2FBYqhTb5GVyhKPePqT5FZE0s8SXqvYRNUWHuomS79kfo4TC74UPlavIbyCVTFlLi5ujc5RANm/FuH2w3ns1+YAlCeoblzwVdgN+h4/DI5kI88+0Hf+HCfQg+rPQL7ak7Wszo0iWvYUZ8t+IPbNDcVm5YI6koqkWGgfMrC0bDI5r+ZQACK15Fi6x3tV0umhytgRQWG9MyK61diNIc1LFsyL2lD0oOAjlpDlVSpUnXKhjRPq4YdaIojlgGSsWsq8sBhQTCY5DNHUuJLL1iPqsCAwEAAQ==" ; ----- DKIM key lists for lists.crans.org
private_key: "{{ vault.opendkim['lists.crans.org'].private_key }}"

24
group_vars/mirror_backend.yml
View File

@ -10,17 +10,17 @@ glob_ftpsync:
targets:
- name: main
dest: debian
cron_time: "25 1,13"
cron_time: 25 1,13
rsync_host: ftp.fr.debian.org
rsync_path: debian
- name: security
dest: debian-security
cron_time: "40 *"
cron_time: 40 *
rsync_host: ftp.fr.debian.org
rsync_path: debian-security
- name: ubuntu
dest: ubuntu
cron_time: "43 5,17"
cron_time: 43 5,17
rsync_host: fr.archive.ubuntu.com
rsync_path: ubuntu
@ -29,49 +29,49 @@ glob_rsync_mirror:
targets:
- name: videolan
dest: videolan
cron_time: "03 10,14,18,22,2,6"
cron_time: 03 10,14,18,22,2,6
rsync_host: rsync.videolan.org
rsync_path: videolan-ftp
- name: debian
dest: distributions/linux/debian
cron_time: "00 5"
cron_time: 00 5
rsync_host: cdimage.debian.org
rsync_path: cdimage/release
- name: debian-cloud
dest: distributions/linux/debian/cloud
cron_time: "00 5"
cron_time: 00 5
rsync_host: cdimage.debian.org
rsync_path: cdimage/cloud/OpenStack
exclude:
- archive
- name: ubuntu
dest: distributions/linux/ubuntu
cron_time: "00 5"
cron_time: 00 5
rsync_host: cdimage.ubuntu.com
rsync_path: cdimage/releases
- name: xubuntu
dest: distributions/linux/xubuntu
cron_time: "00 5"
cron_time: 00 5
rsync_host: cdimage.ubuntu.com
rsync_path: cdimage/xubuntu/releases
- name: kubuntu
dest: distributions/linux/kubuntu
cron_time: "00 5"
cron_time: 00 5
rsync_host: cdimage.ubuntu.com
rsync_path: cdimage/kubuntu/releases
- name: lubuntu
dest: distributions/linux/lubuntu
cron_time: "00 5"
cron_time: 00 5
rsync_host: cdimage.ubuntu.com
rsync_path: cdimage/lubuntu/releases
- name: ubuntu-mate
dest: distributions/linux/ubuntu-mate
cron_time: "00 5"
cron_time: 00 5
rsync_host: cdimage.ubuntu.com
rsync_path: cdimage/ubuntu-mate/releases
- name: archlinux
dest: archlinux
cron_time: "08 3,15"
cron_time: 08 3,15
rsync_host: archlinux.polymorf.fr
rsync_path: archlinux/

15
group_vars/nginx.yml
View File

@ -1,7 +1,7 @@
---
glob_nginx:
contact: contact@crans.org
who: "L'équipe technique du Cr@ns"
who: L'équipe technique du Cr@ns
service_name: service
ssl:
# Add adm.crans.org if necessary
@ -13,20 +13,19 @@ glob_nginx:
- ssl: false # Replace by crans.org or adm.crans.org
default: true
server_name:
- "default"
- "_"
root: "/var/www/html"
- default
- _
root: /var/www/html
locations:
- filter: "/"
- filter: /
params: []
additional_params: []
upstreams: []
auth_passwd: []
default_server:
default_ssl_server:
default_ssl_domain: crans.org
real_ip_from:
- "172.16.0.0/16"
- "fd00::/56"
- 172.16.0.0/16
- fd00::/56
deploy_robots_file: false

22
group_vars/opendkim.yml
View File

@ -1,21 +1,21 @@
---
glob_opendkim:
domain: "crans.org"
selector: "mail"
domain: crans.org
selector: mail
signing:
- "*@crans.org"
- "*@crans.fr"
- "*@crans.eu"
trust:
- "localhost"
- "127.0.0.1"
- "::1"
- "185.230.79.0/26"
- "172.16.3.0/24"
- "172.16.10.0/24"
- "2a0c:700:0:2::/64"
- "2a0c:700:0:3::/64"
- "2a0c:700:0:10::/64"
- localhost
- 127.0.0.1
- ::1
- 185.230.79.0/26
- 172.16.3.0/24
- 172.16.10.0/24
- 2a0c:700:0:2::/64
- 2a0c:700:0:3::/64
- 2a0c:700:0:10::/64
- "*.crans.org"
- "*.crans.fr"
- "*.crans.eu"

58
group_vars/printer.yml
View File

@ -4,29 +4,29 @@ glob_printer:
admins:
- ('Root', 'root@crans.org')
allowed_hosts:
- 'helloworld.crans.org'
- 'imprimante.crans.org'
- helloworld.crans.org
- imprimante.crans.org
email:
ssl: false
host: "{{ query('ldap', 'ip', 'redisdead', 'adm') | ansible.utils.ipv4 | first }}"
port: 25
user: ''
password: ''
from: "root@crans.org"
from_full: "Crans <root@crans.org>"
user: ""
password: ""
from: root@crans.org
from_full: Crans <root@crans.org>
database:
host: "{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}"
port: 5432
user: 'helloworld'
user: helloworld
password: "{{ vault.printer.django_db_password }}"
name: 'helloworld'
name: helloworld
note:
url: 'https://note.crans.org/'
client_id: '{{ vault.printer.note.client_id }}'
client_secret: '{{ vault.printer.note.client_secret }}'
url: https://note.crans.org/
client_id: "{{ vault.printer.note.client_id }}"
client_secret: "{{ vault.printer.note.client_secret }}"
note_id: 2088
note_alias: 'Crans'
printer_name: 'Lexmark_X950_Series'
note_alias: Crans
printer_name: Lexmark_X950_Series
domain: "{{ query('ldap', 'ip', 'printer', 'lp') | ansible.utils.ipv4 | first }}"
scan_server:
address: "{{ query('ldap', 'ip', ansible_hostname, 'lp') | ansible.utils.ipv4 | first }}"
@ -38,7 +38,7 @@ glob_printer:
settings_local_owner: www-data
settings_local_group: _nounou
ldap:
uri: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/"
uri: ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/
dn_template: uid=%(user)s,ou=passwd,dc=crans,dc=org
group_search: ou=group,dc=crans,dc=org
read_group: cn=_user,ou=group,dc=crans,dc=org
@ -51,28 +51,28 @@ loc_nginx:
- ssl: false
default: true
server_name:
- "helloworld.crans.org"
- "imprimante.crans.org"
- helloworld.crans.org
- imprimante.crans.org
additional_params:
- "client_max_body_size 100M"
- client_max_body_size 100M
locations:
- filter: "/static"
- filter: /static
params:
- "alias /var/lib/django-printer/static/"
- alias /var/lib/django-printer/static/
- filter: "/protected/files"
- filter: /protected/files
params:
- "internal"
- "alias /var/lib/django-printer/files/"
- internal
- alias /var/lib/django-printer/files/
- filter: "/doc"
- filter: /doc
params:
- "alias /var/www/django-printer-doc/"
- alias /var/www/django-printer-doc/
- filter: "/"
- filter: /
params:
- "uwsgi_pass printer"
- "include /etc/nginx/uwsgi_params"
- uwsgi_pass printer
- include /etc/nginx/uwsgi_params
upstreams:
- name: 'printer'
server: 'unix:///var/run/uwsgi/app/django-printer/socket'
- name: printer
server: unix:///var/run/uwsgi/app/django-printer/socket

1
group_vars/prometheus.yml
View File

@ -1,6 +1,5 @@
---
glob_prometheus: {}
glob_ninjabot:
config:
nick: monitoring

10
group_vars/radius.yml
View File

@ -2,23 +2,23 @@
glob_freeradius:
realm: crans
proxy_to: FEDEREZ
infra_switch: "172.16.33.0/24"
infra_bornes: "172.16.34.0/24"
infra_switch: 172.16.33.0/24
infra_bornes: 172.16.34.0/24
secret_switch: "{{ vault.radius.secret.switch }}"
secret_bornes: "{{ vault.radius.secret.bornes }}"
delegations:
- name: parangon
ipv4: 185.230.78.47
ipv6: 2a0c:700:12:0:67:e5ff:fee9:5
secret: '{{ vault.radius.secret.federez }}'
secret: "{{ vault.radius.secret.federez }}"
server: radius-wifi
- name: dodecagon
ipv4: 195.154.165.76
ipv6: 2001:bc8:273e::1
secret: '{{ vault.radius.secret.federez }}'
secret: "{{ vault.radius.secret.federez }}"
server: radius-wifi
loc_certbot:
- mail: root@crans.org
certname: crans.org
domains: "crans.org"
domains: crans.org

16
group_vars/re2o.yml
View File

@ -5,20 +5,20 @@ glob_re2o:
admins:
- ('Root', 'root@crans.org')
allowed_hosts:
- 're2o.adm.crans.org'
- 'intranet.adm.crans.org'
- 're2o.crans.org'
- 'intranet.crans.org'
- '172.16.10.156'
from_email: "root@crans.org"
- re2o.adm.crans.org
- intranet.adm.crans.org
- re2o.crans.org
- intranet.crans.org
- 172.16.10.156
from_email: root@crans.org
smtp_server: smtp.adm.crans.org
ldap:
master_password: "{{ vault.slapd.re2o.admin.bindpass }}"
uri: "ldap://re2o-ldap.adm.crans.org/"
uri: ldap://re2o-ldap.adm.crans.org/
dn: "{{ vault.slapd.re2o.admin.binddn }}"
database:
password: "{{ vault.re2o.database.password }}"
uri: "172.16.10.1"
uri: 172.16.10.1
optional_apps:
- api
- captcha

18
group_vars/re2o_front.yml
View File

@ -15,19 +15,19 @@ service_nginx:
- ssl: false
server_name: "{{ re2o_front.server_names }}"
locations:
- filter: "/static"
- filter: /static
params:
- "alias /var/www/re2o/static_files/"
- filter: "/javascript"
- alias /var/www/re2o/static_files/
- filter: /javascript
params:
- "alias /usr/share/javascript/"
- filter: "/media"
- alias /usr/share/javascript/
- filter: /media
params:
- "alias /var/www/re2o/media/"
- filter: "/"
- alias /var/www/re2o/media/
- filter: /
params:
- "uwsgi_pass re2o"
- "include /etc/nginx/uwsgi_params"
- uwsgi_pass re2o
- include /etc/nginx/uwsgi_params
upstreams:
- name: re2o
server: unix:///var/run/uwsgi/app/re2o/re2o.sock

2
group_vars/re2o_ldap.yml
View File

@ -1,7 +1,7 @@
---
glob_re2o_ldap:
suffix: dc=crans,dc=org
url: "ldaps://{{ query('ldap', 'ip', 'yson-partou', 'adm') | ansible.utils.ipv4 | first }}:636"
url: ldaps://{{ query('ldap', 'ip', 'yson-partou', 'adm') | ansible.utils.ipv4 | first }}:636
root_password_hash: "{{ vault.slapd.re2o.admin.bindpass_hash }}"
certificate: "{{ vault.slapd.re2o.certificate }}"
private_key: "{{ vault.slapd.re2o.private_key }}"

92
group_vars/reverseproxy.yml
View File

@ -2,11 +2,11 @@
loc_certbot:
- mail: root@crans.org
certname: crans.org
domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
domains: crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu
loc_service_certbot:
config:
"crans.org":
crans.org:
zone: _acme-challenge.crans.org
server: 172.16.10.147
port: 53
@ -14,7 +14,7 @@ loc_service_certbot:
name: certbot_challenge.
secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
algorithm: HMAC-SHA512
"crans.eu":
crans.eu:
zone: _acme-challenge.crans.org
server: 172.16.10.147
port: 53
@ -22,7 +22,7 @@ loc_service_certbot:
name: certbot_challenge.
secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
algorithm: HMAC-SHA512
"crans.fr":
crans.fr:
zone: _acme-challenge.crans.org
server: 172.16.10.147
port: 53
@ -39,7 +39,6 @@ loc_nginx:
cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
glob_reverseproxy:
redirect_dnames:
- crans.eu
@ -47,54 +46,51 @@ glob_reverseproxy:
reverseproxy_sites:
# Services web Crans
- {from: belenios.crans.org, to: 172.16.10.111}
- {from: cas.crans.org, to: 172.16.10.120}
- {from: constellation-dev.crans.org, to: 172.16.10.167}
- {from: eclats.crans.org, to: 172.16.10.104}
- {from: ftps.crans.org, to: 172.16.10.113}
- {from: ethercalc.crans.org, to: "172.16.10.133:8000"}
- {from: framadate.crans.org, to: 172.16.10.109}
- {from: galene-token.crans.org, to: "172.16.10.115:3000"}
- {from: grafana.crans.org, to: "172.16.10.121:3000"}
- {from: hedgedoc.crans.org, to: "172.16.10.128:3000"}
- {from: helloworld.crans.org, to: 172.16.10.131}
- {from: horde.crans.org, to: 172.16.10.108}
- {from: imprimante.crans.org, to: 172.16.10.131}
- {from: intranet.crans.org, to: 172.16.10.156}
- {from: linx.crans.org, to: "172.16.10.119:8080"}
- {from: lists.crans.org, to: 172.16.10.110}
- {from: matrix.crans.org, to: "172.16.10.123:8008"}
- {from: mirrors.crans.org, to: 172.16.10.104}
- {from: owncloud.crans.org, to: 172.16.10.136}
- {from: pad.crans.org, to: "172.16.10.130:9001"}
- {from: re2o.crans.org, to: 172.16.10.156}
- {from: re2o-dev.crans.org, to: 172.16.10.166}
- {from: roundcube.crans.org, to: 172.16.10.107}
- {from: tmpad.crans.org, to: "172.16.10.130:9002"}
- {from: webirc.crans.org, to: "172.16.10.31:9000"}
- {from: webmail.crans.org, to: 172.16.10.108}
- {from: wiki.crans.org, to: 172.16.10.161}
- {from: zero.crans.org, to: 172.16.10.130}
- {from: hosts.crans.org, to: 172.16.10.114}
- { from: belenios.crans.org, to: 172.16.10.111 }
- { from: cas.crans.org, to: 172.16.10.120 }
- { from: constellation-dev.crans.org, to: 172.16.10.167 }
- { from: eclats.crans.org, to: 172.16.10.104 }
- { from: ftps.crans.org, to: 172.16.10.113 }
- { from: ethercalc.crans.org, to: 172.16.10.133:8000 }
- { from: framadate.crans.org, to: 172.16.10.109 }
- { from: galene-token.crans.org, to: 172.16.10.115:3000 }
- { from: grafana.crans.org, to: 172.16.10.121:3000 }
- { from: hedgedoc.crans.org, to: 172.16.10.128:3000 }
- { from: helloworld.crans.org, to: 172.16.10.131 }
- { from: horde.crans.org, to: 172.16.10.108 }
- { from: imprimante.crans.org, to: 172.16.10.131 }
- { from: intranet.crans.org, to: 172.16.10.156 }
- { from: linx.crans.org, to: 172.16.10.119:8080 }
- { from: lists.crans.org, to: 172.16.10.110 }
- { from: matrix.crans.org, to: 172.16.10.123:8008 }
- { from: mirrors.crans.org, to: 172.16.10.104 }
- { from: owncloud.crans.org, to: 172.16.10.136 }
- { from: pad.crans.org, to: 172.16.10.130:9001 }
- { from: re2o.crans.org, to: 172.16.10.156 }
- { from: re2o-dev.crans.org, to: 172.16.10.166 }
- { from: roundcube.crans.org, to: 172.16.10.107 }
- { from: tmpad.crans.org, to: 172.16.10.130:9002 }
- { from: webirc.crans.org, to: 172.16.10.31:9000 }
- { from: webmail.crans.org, to: 172.16.10.108 }
- { from: wiki.crans.org, to: 172.16.10.161 }
- { from: zero.crans.org, to: 172.16.10.130 }
- { from: hosts.crans.org, to: 172.16.10.114 }
# Zamok
- {from: amap.crans.org, to: 172.16.10.31}
- {from: bonvivens.crans.org, to: 172.16.10.31}
- {from: perso.crans.org, to: 172.16.10.31}
- { from: amap.crans.org, to: 172.16.10.31 }
- { from: bonvivens.crans.org, to: 172.16.10.31 }
- { from: perso.crans.org, to: 172.16.10.31 }
redirect_sites:
- {from: crans.org, to: www.crans.org}
- { from: crans.org, to: www.crans.org }
# Aliases or legacy support
- {from: adopteunpingouin.crans.org, to: install-party.crans.org}
- {from: clubs.crans.org, to: perso.crans.org}
- {from: i-p.crans.org, to: install-party.crans.org}
- {from: pot-vieux.crans.org, to: perso.crans.org/club-vieux}
- { from: adopteunpingouin.crans.org, to: install-party.crans.org }
- { from: clubs.crans.org, to: perso.crans.org }
- { from: i-p.crans.org, to: install-party.crans.org }
- { from: pot-vieux.crans.org, to: perso.crans.org/club-vieux }
# To the wiki
- {from: television.crans.org, to: wiki.crans.org/CransTv}
- {from: tv.crans.org, to: wiki.crans.org/CransTv}
- {from: wikipedia.crans.org, to: wiki.crans.org}
- { from: television.crans.org, to: wiki.crans.org/CransTv }
- { from: tv.crans.org, to: wiki.crans.org/CransTv }
- { from: wikipedia.crans.org, to: wiki.crans.org }
static_sites:
- autoconfig.crans.org

32
group_vars/roundcube.yml
View File

@ -7,16 +7,16 @@ glob_roundcube:
mail_domain: crans.org
des_key: "{{ vault.roundcube.des_key }}"
plugins:
- repo: 'https://gitlab.adm.crans.org/nounous/roundcube-intranet.git'
- repo: https://gitlab.adm.crans.org/nounous/roundcube-intranet.git
name: intranet
version: HEAD
- repo: 'https://gitlab.adm.crans.org/nounous/roundcube-plugin-filters.git'
- repo: https://gitlab.adm.crans.org/nounous/roundcube-plugin-filters.git
name: filters
version: master
- repo: 'https://gitlab.adm.crans.org/nounous/roundcube-plugin-automatic_addressbook.git'
- repo: https://gitlab.adm.crans.org/nounous/roundcube-plugin-automatic_addressbook.git
name: automatic_addressbook
version: 0.4.3
- repo: 'https://gitlab.adm.crans.org/nounous/roundcube-plugin-identity_smtp.git'
- repo: https://gitlab.adm.crans.org/nounous/roundcube-plugin-identity_smtp.git
name: identity_smtp
version: HEAD
- name: zipdownload
@ -32,22 +32,22 @@ glob_roundcube:
classic: https://www.crans.org/images/crans_banner.png
loc_nginx:
service_name: "roundcube"
service_name: roundcube
ssl: []
servers:
- server_name: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ansible.utils.ipwrap + [ansible_hostname, ansible_hostname + '.adm.crans.org'] }}"
default: true
root: "/var/lib/roundcube"
root: /var/lib/roundcube
locations:
- filter: "~ \\.php$"
- filter: ~ \.php$
params:
- "include snippets/fastcgi-php.conf"
- "fastcgi_buffer_size 128k"
- "fastcgi_buffers 4 256k"
- "fastcgi_busy_buffers_size 256k"
- "fastcgi_pass unix:/var/run/php/php7.4-fpm.sock"
- "include fastcgi_params"
- include snippets/fastcgi-php.conf
- fastcgi_buffer_size 128k
- fastcgi_buffers 4 256k
- fastcgi_busy_buffers_size 256k
- fastcgi_pass unix:/var/run/php/php7.4-fpm.sock
- include fastcgi_params
additional_params:
- "index index.php index.htm index.html"
- "try_files $uri $uri/ /index.php?q=$uri&$args"
- "client_max_body_size 10G"
- index index.php index.htm index.html
- try_files $uri $uri/ /index.php?q=$uri&$args
- client_max_body_size 10G

4
group_vars/slapd.yml
View File

@ -1,7 +1,7 @@
---
glob_slapd:
master_ip: "{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}"
regex: "^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*|description:.*|location:.*)$"
regex: ^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*|description:.*|location:.*)$
replication_credentials: "{{ vault.slapd.tealc.replication_credentials }}"
private_key: "{{ vault.slapd.tealc.private_key }}"
private_key: "{{ vault.slapd.tealc.private_key }}"
certificate: "{{ vault.slapd.tealc.certificate }}"

16
group_vars/sssd.yml
View File

@ -4,18 +4,18 @@ glob_sssd:
domain: tealc.adm.crans.org
enumerate: "true"
servers:
- "ldaps://{{ query('ldap','ip','tealc','adm') | ansible.utils.ipv4 | first }}/"
- "ldaps://{{ query('ldap','ip','sam','adm') | ansible.utils.ipv4 | first }}/"
- "ldaps://{{ query('ldap','ip','daniel','adm') | ansible.utils.ipv4 | first }}/"
- "ldaps://{{ query('ldap','ip','jack','adm') | ansible.utils.ipv4 | first }}/"
base: "dc=crans,dc=org"
- ldaps://{{ query('ldap','ip','tealc','adm') | ansible.utils.ipv4 | first }}/
- ldaps://{{ query('ldap','ip','sam','adm') | ansible.utils.ipv4 | first }}/
- ldaps://{{ query('ldap','ip','daniel','adm') | ansible.utils.ipv4 | first }}/
- ldaps://{{ query('ldap','ip','jack','adm') | ansible.utils.ipv4 | first }}/
base: dc=crans,dc=org
secondary:
domain: re2o-ldap.adm.crans.org
enumerate: "false"
servers:
- "ldaps://{{ query('ldap','ip','re2o-ldap','adm') | ansible.utils.ipv4 | first }}/"
- "ldaps://{{ query('ldap','ip','terenez','adm') | ansible.utils.ipv4 | first }}/"
base: "dc=crans,dc=org"
- ldaps://{{ query('ldap','ip','re2o-ldap','adm') | ansible.utils.ipv4 | first }}/
- ldaps://{{ query('ldap','ip','terenez','adm') | ansible.utils.ipv4 | first }}/
base: dc=crans,dc=org
bind:
dn: "{{ vault.sssd.secondary_ldap.binddn }}"
passwd: "{{ vault.sssd.secondary_ldap.bindpass }}"

18
group_vars/thelounge.yml
View File

@ -1,7 +1,7 @@
---
glob_thelounge:
public: "false"
host: "undefined"
host: undefined
reverseProxy: "false"
oidentd: "null"
irc:
@ -11,16 +11,16 @@ glob_thelounge:
password:
tls: "true"
rejectUnauthorized: "true"
nick: "thelounge%%"
username: "thelounge"
realname: "The Lounge User"
nick: thelounge%%
username: thelounge
realname: The Lounge User
join: "#general"
ldap_enable: "false"
ldap:
url: "ldap://172.16.10.157"
primaryKey: "cn"
url: ldap://172.16.10.157
primaryKey: cn
rootDN: "{{ vault.thelounge.ldap.rootDN }}"
rootPassword: "{{ vault.thelounge.ldap.rootPassword }}"
filter: "(objectclass=inetOrgPerson)"
base: "dc=crans,dc=org"
scope: "sub"
filter: (objectclass=inetOrgPerson)
base: dc=crans,dc=org
scope: sub

2
group_vars/viarezo/home_nounou.yml
View File

@ -7,4 +7,4 @@ loc_home_nounou:
name: home_nounou
owner: root
group: _user
mode: '0750'
mode: "0750"

2
group_vars/viarezo/ssh_known_hosts.yml
View File

@ -2,4 +2,4 @@
loc_service_ssh_known_hosts:
config:
ldap:
server: "ldaps://{{ query('ldap', 'ip', 'ft', 'adm') | ansible.utils.ipv4 | first }}"
server: ldaps://{{ query('ldap', 'ip', 'ft', 'adm') | ansible.utils.ipv4 | first }}

12
group_vars/virtu.yml
View File

@ -1,8 +1,8 @@
---
glob_debian_images:
cron_timer: '39 06 * * *'
rsync_host: 'eclat.adm.crans.org'
rsync_module: 'mirror'
cron_timer: 39 06 * * *
rsync_host: eclat.adm.crans.org
rsync_module: mirror
include_extra_images: false
glob_service_proxmox_user:
@ -18,9 +18,9 @@ glob_service_proxmox_user:
config:
ldap:
admin:
uri: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/"
userBase: "ou=passwd,dc=crans,dc=org"
realm: "pam"
uri: ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/
userBase: ou=passwd,dc=crans,dc=org
realm: pam
dependencies:
- python3-jinja2
- python3-ldap

12
group_vars/virtu_adh.yml
View File

@ -12,13 +12,13 @@ glob_service_proxmox_user:
config:
ldap:
admin:
uri: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/"
userBase: "ou=passwd,dc=crans,dc=org"
realm: "pam"
uri: ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/
userBase: ou=passwd,dc=crans,dc=org
realm: pam
user:
uri: "ldaps://{{ query('ldap', 'ip', 'flirt', 'adm') | ansible.utils.ipv4 | first }}/"
userBase: "ou=users,dc=adh,dc=crans,dc=org"
realm: "pve"
uri: ldaps://{{ query('ldap', 'ip', 'flirt', 'adm') | ansible.utils.ipv4 | first }}/
userBase: ou=users,dc=adh,dc=crans,dc=org
realm: pve
binddn: "{{ vault.ldap_adh_reader.binddn }}"
passwd: "{{ vault.ldap_adh_reader.bindpass }}"
dependencies:

2
group_vars/vsftpd_mirror.yml
View File

@ -4,4 +4,4 @@ glob_vsftpd_mirror:
cert: /etc/letsencrypt/live/crans.org/cert.pem
private_key: /etc/letsencrypt/live/crans.org/privkey.pem
anonymous: {}
passive: yes
passive: true

34
group_vars/wiki.yml
View File

@ -8,43 +8,43 @@ loc_nginx:
servers:
- server_name: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ansible.utils.ipwrap + [ansible_hostname, ansible_hostname + '.adm.crans.org'] }}"
default: true
access_log: "/var/log/nginx/wiki.log combined"
error_log: "/var/log/nginx/wiki.error.log"
access_log: /var/log/nginx/wiki.log combined
error_log: /var/log/nginx/wiki.error.log
additional_params:
- "rewrite ^/$ $scheme://wiki.crans.org/PageAccueil"
- "client_max_body_size 15M"
- rewrite ^/$ $scheme://wiki.crans.org/PageAccueil
- client_max_body_size 15M
locations:
- filter: "/wiki/"
- filter: /wiki/
params:
- "alias /var/local/wiki/htdocs/"
- alias /var/local/wiki/htdocs/
- filter: "/robots.txt"
- filter: /robots.txt
params:
- "alias /var/local/wiki/robots.txt"
- alias /var/local/wiki/robots.txt
- filter: "/favicon.ico"
- filter: /favicon.ico
params:
- "alias /var/local/wiki/favicon.ico"
- alias /var/local/wiki/favicon.ico
- filter: "/www-sitemap.xml"
- filter: /www-sitemap.xml
params:
- "alias /var/local/wiki/www-sitemap.xml"
- alias /var/local/wiki/www-sitemap.xml
- filter: "/"
- filter: /
params:
- "uwsgi_pass unix:///var/run/uwsgi/app/moinmoin/socket"
- "include uwsgi_params"
- uwsgi_pass unix:///var/run/uwsgi/app/moinmoin/socket
- include uwsgi_params
logos:
- which: crans_logo_white.svg
where: /var/local/wiki/htdocs/logo.svg
owner: root
group: www-data
mode: '0644'
mode: "0644"
- which: crans_favicon.ico
where: /var/local/wiki/favicon.ico
owner: root
group: www-data
mode: '0644'
mode: "0644"

4
host_vars/backup-ft.adm.crans.org.yml
View File

@ -10,11 +10,11 @@ loc_home_nounou:
name: home_nounou
owner: root
group: _user
mode: '0750'
mode: "0750"
- ip: "{{ query('ldap', 'ip', 'ft', 'adm') | ansible.utils.ipv4 | first }}"
mountpoint: /rpool/backup
target: /backup
name: backup
owner: root
group: root
mode: '0755'
mode: "0755"

4
host_vars/backup-thot.adm.crans.org.yml
View File

@ -10,11 +10,11 @@ loc_home_nounou:
name: home_nounou
owner: root
group: _user
mode: '0750'
mode: "0750"
- ip: "{{ query('ldap', 'ip', 'thot', 'adm') | ansible.utils.ipv4 | first }}"
mountpoint: /rpool/backup
target: /backup
name: backup
owner: root
group: root
mode: '0755'
mode: "0755"

60
host_vars/boeing.adm.crans.org.yml
View File

@ -5,7 +5,7 @@ interfaces:
loc_wireguard:
tunnels:
- name: "sputnik"
- name: sputnik
listen_port: 51820
private_key: "{{ vault.wireguard.boeing.sputnik.privkey }}"
table: "off"
@ -16,14 +16,14 @@ loc_wireguard:
- "{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv6 | first }}/128"
endpoint: "{{ query('ldap', 'ip', 'sputnik', 'srv') | ansible.utils.ipv4 | first }}:51820"
post_up:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=1"
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=1"
- "python3 /var/local/services/proxy/proxy.py --alter"
- sysctl -w net.ipv4.conf.%i.proxy_arp=1
- sysctl -w net.ipv6.conf.%i.proxy_ndp=1
- python3 /var/local/services/proxy/proxy.py --alter
pre_down:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=0"
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=0"
- "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
- name: "viarezo"
- sysctl -w net.ipv4.conf.%i.proxy_arp=0
- sysctl -w net.ipv6.conf.%i.proxy_ndp=0
- ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy
- name: viarezo
listen_port: 51821
private_key: "{{ vault.wireguard.boeing.viarezo.privkey }}"
table: "off"
@ -31,17 +31,17 @@ loc_wireguard:
- public_key: "{{ vault.wireguard.routeur_ft.pubkey }}"
allowed_ips:
- "{{ query('ldap', 'network', 'adm') }}"
- "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
- fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
persistent_keepalive: 25
post_up:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=1"
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=1"
- "python3 /var/local/services/proxy/proxy.py --alter"
- sysctl -w net.ipv4.conf.%i.proxy_arp=1
- sysctl -w net.ipv6.conf.%i.proxy_ndp=1
- python3 /var/local/services/proxy/proxy.py --alter
pre_down:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=0"
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=0"
- "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
- name: "aurore"
- sysctl -w net.ipv4.conf.%i.proxy_arp=0
- sysctl -w net.ipv6.conf.%i.proxy_ndp=0
- ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy
- name: aurore
listen_port: 51822
private_key: "{{ vault.wireguard.boeing.aurore.privkey }}"
table: "off"
@ -49,25 +49,25 @@ loc_wireguard:
- public_key: "{{ vault.wireguard.routeur_thot.pubkey }}"
allowed_ips:
- "{{ query('ldap', 'network', 'adm') }}"
- "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
- fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
persistent_keepalive: 25
post_up:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=1"
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=1"
- "python3 /var/local/services/proxy/proxy.py --alter"
- sysctl -w net.ipv4.conf.%i.proxy_arp=1
- sysctl -w net.ipv6.conf.%i.proxy_ndp=1
- python3 /var/local/services/proxy/proxy.py --alter
pre_down:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=0"
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=0"
- "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
- sysctl -w net.ipv4.conf.%i.proxy_arp=0
- sysctl -w net.ipv6.conf.%i.proxy_ndp=0
- ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy
loc_service_proxy:
config:
ldap:
server: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/"
protocol: "proxy"
filter: "adm.crans.org"
server: ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/
protocol: proxy
filter: adm.crans.org
proxy:
default: "ens18"
viarezo: "viarezo"
aurore: "aurore"
ovh: "sputnik"
default: ens18
viarezo: viarezo
aurore: aurore
ovh: sputnik

38
host_vars/constellation-dev.adm.crans.org.yml
View File

@ -5,28 +5,28 @@ interfaces:
loc_constellation:
allowed_hosts:
- 'constellation-dev.crans.org'
- constellation-dev.crans.org
database:
host: '127.0.0.1'
user: 'constellation-dev'
name: 'constellation-dev'
host: 127.0.0.1
user: constellation-dev
name: constellation-dev
applications:
- 'access'
- 'billing'
- 'debug'
- 'dnsmanager'
- 'firewall'
- 'layers'
- 'management'
- 'member'
- 'topography'
- 'unix'
- access
- billing
- debug
- dnsmanager
- firewall
- layers
- management
- member
- topography
- unix
stripe:
private_key: '{{ vault.constellation.stripe.test.private_key }}'
public_key: '{{ vault.constellation.stripe.test.public_key }}'
private_key: "{{ vault.constellation.stripe.test.private_key }}"
public_key: "{{ vault.constellation.stripe.test.public_key }}"
note:
url: 'https://note-dev.crans.org/'
client_id: '{{ vault.constellation.note.client_id }}'
client_secret: '{{ vault.constellation.note.client_secret }}'
url: https://note-dev.crans.org/
client_id: "{{ vault.constellation.note.client_id }}"
client_secret: "{{ vault.constellation.note.client_secret }}"
debug: true
version: dev

2
host_vars/daniel.adm.crans.org.yml
View File

@ -10,4 +10,4 @@ loc_postgres:
addresses: "['daniel.adm.crans.org'] + {{ query('ldap', 'ip', 'daniel', 'adm') | ansible.utils.ipaddr('address') }}"
loc_service_proxmox_user:
cron: null
cron:

31
host_vars/eclat.adm.crans.org.yml
View File

@ -12,11 +12,10 @@ loc_nfs_mount:
name: mirror
owner: root
group: root
mode: '0755'
mode: "0755"
loc_ftpsync: {}
loc_rsync_mirror: {}
loc_rsyncd:
modules:
- name: mirror
@ -33,22 +32,22 @@ loc_nginx:
ssl: []
servers:
- server_name:
- "eclat"
- "eclat.*"
- "eclats"
- "eclats.*"
- "mirror"
- "mirror.*"
- "mirrors"
- "mirrors.*"
root: "/mirror/pub"
- eclat
- eclat.*
- eclats
- eclats.*
- mirror
- mirror.*
- mirrors
- mirrors.*
root: /mirror/pub
locations:
- filter: "/"
- filter: /
params:
- "autoindex on"
- "autoindex_exact_size off"
- "add_before_body /.html/HEADER.html"
- "add_after_body /.html/FOOTER.html"
- autoindex on
- autoindex_exact_size off
- add_before_body /.html/HEADER.html
- add_after_body /.html/FOOTER.html
loc_vsftpd:
anonymous:

10
host_vars/gitzly.adm.crans.org.yml
View File

@ -13,7 +13,7 @@ loc_certbot:
loc_service_certbot:
config:
"crans.org":
crans.org:
zone: _acme-challenge.crans.org
server: 172.16.10.147
port: 53
@ -21,7 +21,7 @@ loc_service_certbot:
name: certbot_challenge.
secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
algorithm: HMAC-SHA512
"adm.crans.org":
adm.crans.org:
zone: _acme-challenge.adm.crans.org
server: 172.16.10.147
port: 53
@ -41,12 +41,10 @@ loc_nginx:
cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
servers: []
loc_reverseproxy:
reverseproxy_sites:
- {from: gitlab.crans.org, to: "127.0.0.1:8000"}
- {from: gitlab.adm.crans.org, to: "127.0.0.1:8000", ssl: adm.crans.org}
- { from: gitlab.crans.org, to: 127.0.0.1:8000 }
- { from: gitlab.adm.crans.org, to: 127.0.0.1:8000, ssl: adm.crans.org }
redirect_sites: []
static_sites: []

2
host_vars/gulp.adm.crans.org.yml
View File

@ -3,4 +3,4 @@ loc_debian_images:
include_extra_images: true
loc_service_proxmox_user:
cron: null
cron:

20
host_vars/irc.adm.crans.org.yml
View File

@ -4,24 +4,24 @@ interfaces:
srv: ens19
loc_nginx:
service_name: "thelounge"
service_name: thelounge
servers:
- server_name:
- "irc.crans.org"
- "irc"
- irc.crans.org
- irc
default: true
ssl: crans.org
locations:
- filter: "^~ /web/"
- filter: ^~ /web/
params:
- "proxy_pass http://localhost:9000/"
- "include \"/etc/nginx/snippets/options-proxypass.conf\""
- filter: "~ ^/$"
- proxy_pass http://localhost:9000/
- include "/etc/nginx/snippets/options-proxypass.conf"
- filter: ~ ^/$
params:
- "return 302 https://irc.crans.org/web/"
- filter: "/"
- return 302 https://irc.crans.org/web/
- filter: /
params:
- "return 302 \"https://wiki.crans.org/VieCrans/UtiliserIrc#Via_l.27interface_web\""
- return 302 "https://wiki.crans.org/VieCrans/UtiliserIrc#Via_l.27interface_web"
loc_thelounge:
public: "true"

2
host_vars/jack.adm.crans.org.yml
View File

@ -10,4 +10,4 @@ loc_postgres:
addresses: "['jack.adm.crans.org'] + {{ query('ldap', 'ip', 'jack', 'adm') | ansible.utils.ipaddr('address') }}"
loc_service_proxmox_user:
cron: null
cron:

28
host_vars/monitoring.adm.crans.org.yml
View File

@ -11,7 +11,7 @@ loc_prometheus:
- job_name: servers
file_sd_configs:
- files:
- '/etc/prometheus/targets_node.json'
- /etc/prometheus/targets_node.json
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
@ -19,7 +19,7 @@ loc_prometheus:
target_label: instance
- source_labels: [__param_target]
target_label: __address__
replacement: '$1:9100'
replacement: $1:9100
nginx:
file: targets_nginx.json
@ -28,13 +28,13 @@ loc_prometheus:
- job_name: nginx
file_sd_configs:
- files:
- '/etc/prometheus/targets_nginx.json'
- /etc/prometheus/targets_nginx.json
relabel_configs:
- source_labels: [__address__]
target_label: instance
- source_labels: [instance]
target_label: __address__
replacement: '$1:9117'
replacement: $1:9117
blackbox:
file: targets_blackbox.json
@ -64,7 +64,7 @@ loc_prometheus:
- job_name: blackbox
file_sd_configs:
- files:
- '/etc/prometheus/targets_blackbox.json'
- /etc/prometheus/targets_blackbox.json
metrics_path: /probe
params:
module: [http_2xx] # Look for a HTTP 200 response.
@ -86,7 +86,7 @@ loc_prometheus:
- job_name: blackbox_icmp
file_sd_configs:
- files:
- '/etc/prometheus/targets_icmp.json'
- /etc/prometheus/targets_icmp.json
metrics_path: /probe
params:
module: [icmp] # Look for a ICMP ping
@ -105,13 +105,13 @@ loc_prometheus:
config:
- job_name: mtail
static_configs:
- targets: ["tealc.adm.crans.org"]
- targets: [tealc.adm.crans.org]
relabel_configs:
- source_labels: [__address__]
target_label: instance
- source_labels: [instance]
target_label: __address__
replacement: '$1:3903'
replacement: $1:3903
ilo_snmp:
file: targets_ilo_snmp.json
@ -120,8 +120,8 @@ loc_prometheus:
- job_name: ilo_snmp
file_sd_configs:
- files:
- '/etc/prometheus/targets_ilo_snmp.json'
metrics_path: '/snmp'
- /etc/prometheus/targets_ilo_snmp.json
metrics_path: /snmp
params:
module:
- ilo
@ -130,17 +130,17 @@ loc_prometheus:
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- replacement: '127.0.0.1:9116'
- replacement: 127.0.0.1:9116
target_label: __address__
printer_snmp:
file: targets_printer.json
targets: ["printer.lp.crans.org"]
targets: [printer.lp.crans.org]
config:
- job_name: printer_snmp
static_configs:
- targets: ["printer.lp.crans.org"]
metrics_path: '/snmp'
- targets: [printer.lp.crans.org]
metrics_path: /snmp
params:
module:
- printer_mib

2
host_vars/odlyd.adm.crans.org.yml
View File

@ -3,4 +3,4 @@ loc_debian_images:
include_extra_images: true
loc_service_proxmox_user:
cron: null
cron:

2
host_vars/owncloud.adm.crans.org.yml
View File

@ -7,4 +7,4 @@ interfaces:
loc_ldap:
base_dn: "{{ vault.slapd.re2o.admin.binddn }}"
password: "{{ vault.slapd.re2o.admin.bindpass }}"
uri: "ldap://172.16.10.157"
uri: ldap://172.16.10.157

70
host_vars/ptf.adm.crans.org.yml
View File

@ -12,62 +12,62 @@ loc_nfs_mount:
name: ftp
owner: root
group: root
mode: '0755'
mode: "0755"
loc_nginx:
service_name: ptf
ssl: []
servers:
- server_name:
- "ptf"
- "ptf.*"
- "ftp"
- "ftp.*"
- ptf
- ptf.*
- ftp
- ftp.*
root: /ftp
locations:
- filter: "/"
- filter: /
params:
- "autoindex on"
- "autoindex_exact_size off"
- "add_before_body /.html/HEADER.html"
- "add_after_body /.html/FOOTER.html"
- autoindex on
- autoindex_exact_size off
- add_before_body /.html/HEADER.html
- add_after_body /.html/FOOTER.html
- filter: ~ ^(\/pub)?(\/debian|\/ubuntu|\/archlinux|\/videolan|\/cdimage|\/grafana|\/proxmox|\/distributions)(.*)$
params:
- return 301 http://eclat.crans.org$2$3
- filter: "/events"
- filter: /events
params:
- "autoindex on"
- "autoindex_exact_size off"
- "add_before_body /.html/HEADER.html"
- "add_after_body /.html/FOOTER.html"
- "mp4"
- "mp4_buffer_size 1m"
- "mp4_max_buffer_size 5m"
- autoindex on
- autoindex_exact_size off
- add_before_body /.html/HEADER.html
- add_after_body /.html/FOOTER.html
- mp4
- mp4_buffer_size 1m
- mp4_max_buffer_size 5m
- server_name:
- "ptfs"
- "ptfs.*"
- "ftps"
- "ftps.*"
- ptfs
- ptfs.*
- ftps
- ftps.*
root: /ftp
locations:
- filter: "/"
- filter: /
params:
- "autoindex on"
- "autoindex_exact_size off"
- "add_before_body /.html/HEADER.html"
- "add_after_body /.html/FOOTER.html"
- autoindex on
- autoindex_exact_size off
- add_before_body /.html/HEADER.html
- add_after_body /.html/FOOTER.html
- filter: ~ ^(\/pub)?(\/debian|\/ubuntu|\/archlinux|\/videolan|\/cdimage|\/grafana|\/proxmox|\/distributions)(.*)$
params:
- return 301 https://eclats.crans.org$2$3
- filter: "/events"
- filter: /events
params:
- "autoindex on"
- "autoindex_exact_size off"
- "add_before_body /.html/HEADER.html"
- "add_after_body /.html/FOOTER.html"
- "mp4"
- "mp4_buffer_size 1m"
- "mp4_max_buffer_size 5m"
- autoindex on
- autoindex_exact_size off
- add_before_body /.html/HEADER.html
- add_after_body /.html/FOOTER.html
- mp4
- mp4_buffer_size 1m
- mp4_max_buffer_size 5m
loc_vsftpd:
anonymous:

2
host_vars/re2o-dev.adm.crans.org.yml
View File

@ -4,4 +4,4 @@ interfaces:
srv_nat: eth1
loc_re2o_ldap_replica:
url: "ldaps://{{ query('ldap', 'ip', 'yson-partou', 'adm') | ansible.utils.ipv4 | first }}:636"
url: ldaps://{{ query('ldap', 'ip', 'yson-partou', 'adm') | ansible.utils.ipv4 | first }}:636

4
host_vars/redisdead.adm.crans.org.yml
View File

@ -17,7 +17,7 @@ loc_certbot:
loc_service_certbot:
config:
"crans.org":
crans.org:
zone: _acme-challenge.crans.org
server: 172.16.10.147
port: 53
@ -25,7 +25,7 @@ loc_service_certbot:
name: certbot_challenge.
secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
algorithm: HMAC-SHA512
"adm.crans.org":
adm.crans.org:
zone: _acme-challenge.adm.crans.org
server: 172.16.10.147
port: 53

18
host_vars/romanesco.adm.crans.org.yml
View File

@ -1,8 +1,8 @@
---
interfaces:
name: ens18
name: ens19
name: ens20
adm: ens18
srv: ens19
adh: ens20
unbound:
verbosity: 1
@ -10,32 +10,32 @@ unbound:
- 0.0.0.0
- ::0
access-control:
- name: "srv"
- name: srv
addr:
- 185.230.79.0/26
- 2a0c:700:2::/48
policy: allow
- name: "srv-nat"
- name: srv-nat
addr:
- 172.16.3.0/24
- 2a0c:700:3::/48
policy: allow
- name: "adm"
- name: adm
addr:
- 172.16.10.0/24
- fd00:0:0:10::/64
policy: allow
- name: "infra"
- name: infra
addr:
- 172.16.32.0/22
- fd00:0:0:11::/64
policy: allow
- name: "adh"
- name: adh
addr:
- 185.230.78.0/24
- 2a0c:700:12::/48
policy: allow
- name: "adh-nat"
- name: adh-nat
addr:
- 100.64.0.0/16
- 2a0c:700:13::/48

8
host_vars/routeur-daniel.adm.crans.org/bird.yml
View File

@ -12,7 +12,7 @@ loc_bird:
- route 2a0c:700::/32 unreachable
bgp:
- name: aurore4
description: "BGP4 session with aurore"
description: BGP4 session with aurore
local:
asn: crans
addr: 185.230.79.253
@ -21,7 +21,7 @@ loc_bird:
addr: 185.230.79.254
ipv4: true
- name: aurore6
description: "BGP6 session with aurore"
description: BGP6 session with aurore
local:
asn: crans
addr: 2a0c:700:28::1
@ -30,7 +30,7 @@ loc_bird:
addr: 2a0c:700:28::2
ipv6: true
- name: viarezo4
description: "BGP4 session with viarezo"
description: BGP4 session with viarezo
local:
asn: crans
addr: 138.195.159.250
@ -39,7 +39,7 @@ loc_bird:
addr: 138.195.159.249
ipv4: true
- name: viarezo6
description: "BGP6 session with viarezo"
description: BGP6 session with viarezo
local:
asn: crans
addr: 2a0c:b641:2f3::2

14
host_vars/routeur-daniel.adm.crans.org/dhcp.yml
View File

@ -2,17 +2,17 @@
loc_dhcp:
authoritative: true
subnets:
- network: "185.230.78.0/24"
- network: 185.230.78.0/24
deny_unknown: true
vlan: "adh"
vlan: adh
default_lease_time: "600"
max_lease_time: "7200"
routers: "185.230.78.99"
dns: ["185.230.78.99"]
domain_name: "adh.crans.org"
domain_search: "adh.crans.org"
routers: 185.230.78.99
dns: [185.230.78.99]
domain_name: adh.crans.org
domain_search: adh.crans.org
options: []
lease_file: "/var/local/services/dhcp/generated/dhcp.adh.crans.org.list"
lease_file: /var/local/services/dhcp/generated/dhcp.adh.crans.org.list
loc_service_dhcp:
git:

3
host_vars/routeur-daniel.adm.crans.org/prefix_delegation.yml
View File

@ -1,5 +1,4 @@
---
loc_service_prefix_delegation:
name: prefix_delegation
install_dir: /var/local/services/prefix_delegation
@ -15,6 +14,6 @@ loc_service_prefix_delegation:
prefix: "2a0c:700:12::"
length: "48"
ldap:
server: "ldaps://172.16.10.114"
server: ldaps://172.16.10.114
binddn: "{{ vault.ldap_adh_reader.binddn }}"
password: "{{ vault.ldap_adh_reader.bindpass }}"

28
host_vars/routeur-ft.adm.crans.org.yml
View File

@ -5,7 +5,7 @@ interfaces:
loc_wireguard:
tunnels:
- name: "boeing"
- name: boeing
listen_port: 51820
private_key: "{{ vault.wireguard.routeur_ft.privkey }}"
table: "off"
@ -13,25 +13,25 @@ loc_wireguard:
- public_key: "{{ vault.wireguard.boeing.viarezo.pubkey }}"
allowed_ips:
- "{{ query('ldap', 'network', 'adm') }}"
- "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
- fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ansible.utils.ipv4 | first }}:51821"
persistent_keepalive: 25
post_up:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=1"
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=1"
- "ip route add 172.16.10.1 dev %i proto proxy"
- "python3 /var/local/services/proxy/proxy.py --alter"
- sysctl -w net.ipv4.conf.%i.proxy_arp=1
- sysctl -w net.ipv6.conf.%i.proxy_ndp=1
- ip route add 172.16.10.1 dev %i proto proxy
- python3 /var/local/services/proxy/proxy.py --alter
pre_down:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=0"
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=0"
- "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
- sysctl -w net.ipv4.conf.%i.proxy_arp=0
- sysctl -w net.ipv6.conf.%i.proxy_ndp=0
- ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy
loc_service_proxy:
config:
ldap:
server: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/"
protocol: "proxy"
filter: "adm.crans.org"
server: ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/
protocol: proxy
filter: adm.crans.org
proxy:
default: "boeing"
viarezo: "ens18"
default: boeing
viarezo: ens18

14
host_vars/routeur-jack.adm.crans.org/dhcp.yml
View File

@ -2,17 +2,17 @@
loc_dhcp:
authoritative: true
subnets:
- network: "185.230.78.0/24"
- network: 185.230.78.0/24
deny_unknown: true
vlan: "adh"
vlan: adh
default_lease_time: "600"
max_lease_time: "7200"
routers: "185.230.78.99"
dns: ["185.230.78.99"]
domain_name: "adh.crans.org"
domain_search: "adh.crans.org"
routers: 185.230.78.99
dns: [185.230.78.99]
domain_name: adh.crans.org
domain_search: adh.crans.org
options: []
lease_file: "/var/local/services/dhcp/generated/dhcp.adh.crans.org.list"
lease_file: /var/local/services/dhcp/generated/dhcp.adh.crans.org.list
loc_service_dhcp:
git:

3
host_vars/routeur-jack.adm.crans.org/prefix_delegation.yml
View File

@ -1,5 +1,4 @@
---
loc_service_prefix_delegation:
name: prefix_delegation
install_dir: /var/local/services/prefix_delegation
@ -15,6 +14,6 @@ loc_service_prefix_delegation:
prefix: "2a0c:700:12::"
length: "48"
ldap:
server: "ldaps://172.16.10.114"
server: ldaps://172.16.10.114
binddn: "{{ vault.ldap_adh_reader.binddn }}"
password: "{{ vault.ldap_adh_reader.bindpass }}"

8
host_vars/routeur-sam.adm.crans.org/bird.yml
View File

@ -12,7 +12,7 @@ loc_bird:
- route 2a0c:700::/32 unreachable
bgp:
- name: aurore4
description: "BGP4 session with aurore"
description: BGP4 session with aurore
local:
asn: crans
addr: 185.230.79.253
@ -21,7 +21,7 @@ loc_bird:
addr: 185.230.79.254
ipv4: true
- name: aurore6
description: "BGP6 session with aurore"
description: BGP6 session with aurore
local:
asn: crans
addr: 2a0c:700:28::1
@ -30,7 +30,7 @@ loc_bird:
addr: 2a0c:700:28::2
ipv6: true
- name: viarezo4
description: "BGP4 session with viarezo"
description: BGP4 session with viarezo
local:
asn: crans
addr: 138.195.159.250
@ -39,7 +39,7 @@ loc_bird:
addr: 138.195.159.249
ipv4: true
- name: viarezo6
description: "BGP6 session with viarezo"
description: BGP6 session with viarezo
local:
asn: crans
addr: 2a0c:b641:2f3::2

14
host_vars/routeur-sam.adm.crans.org/dhcp.yml
View File

@ -2,17 +2,17 @@
loc_dhcp:
authoritative: true
subnets:
- network: "185.230.78.0/24"
- network: 185.230.78.0/24
deny_unknown: true
vlan: "adh"
vlan: adh
default_lease_time: "600"
max_lease_time: "7200"
routers: "185.230.78.99"
dns: ["185.230.78.99"]
domain_name: "adh.crans.org"
domain_search: "adh.crans.org"
routers: 185.230.78.99
dns: [185.230.78.99]
domain_name: adh.crans.org
domain_search: adh.crans.org
options: []
lease_file: "/var/local/services/dhcp/generated/dhcp.adh.crans.org.list"
lease_file: /var/local/services/dhcp/generated/dhcp.adh.crans.org.list
loc_service_dhcp:
git:

3
host_vars/routeur-sam.adm.crans.org/prefix_delegation.yml
View File

@ -1,5 +1,4 @@
---
loc_service_prefix_delegation:
name: prefix_delegation
install_dir: /var/local/services/prefix_delegation
@ -15,6 +14,6 @@ loc_service_prefix_delegation:
prefix: "2a0c:700:12::"
length: "48"
ldap:
server: "ldaps://172.16.10.114"
server: ldaps://172.16.10.114
binddn: "{{ vault.ldap_adh_reader.binddn }}"
password: "{{ vault.ldap_adh_reader.bindpass }}"

29
host_vars/routeur-thot.adm.crans.org.yml
View File

@ -5,7 +5,7 @@ interfaces:
loc_wireguard:
tunnels:
- name: "boeing"
- name: boeing
listen_port: 51820
private_key: "{{ vault.wireguard.routeur_thot.privkey }}"
table: "off"
@ -13,26 +13,25 @@ loc_wireguard:
- public_key: "{{ vault.wireguard.boeing.aurore.pubkey }}"
allowed_ips:
- "{{ query('ldap', 'network', 'adm') }}"
- "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
- fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ansible.utils.ipv4 | first }}:51822"
persistent_keepalive: 25
post_up:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=1"
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=1"
- "ip route add 172.16.10.1 dev %i proto proxy"
- "python3 /var/local/services/proxy/proxy.py --alter"
- sysctl -w net.ipv4.conf.%i.proxy_arp=1
- sysctl -w net.ipv6.conf.%i.proxy_ndp=1
- ip route add 172.16.10.1 dev %i proto proxy
- python3 /var/local/services/proxy/proxy.py --alter
pre_down:
- "sysctl -w net.ipv4.conf.%i.proxy_arp=0"
- "sysctl -w net.ipv6.conf.%i.proxy_ndp=0"
- "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
- sysctl -w net.ipv4.conf.%i.proxy_arp=0
- sysctl -w net.ipv6.conf.%i.proxy_ndp=0
- ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy
loc_service_proxy:
config:
ldap:
server: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/"
protocol: "proxy"
filter: "adm.crans.org"
server: ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}/
protocol: proxy
filter: adm.crans.org
proxy:
default: "boeing"
aurore: "ens18"
default: boeing
aurore: ens18

22
host_vars/silice.adm.crans.org.yml
View File

@ -6,25 +6,25 @@ interfaces:
loc_bind:
options:
secondaries: "{{ query('ldap', 'ip', 'sputnik', 'adm') | union(query('ldap', 'ip', 'en7', 'adm')) }}"
key_directory: "/var/cache/bind/keys"
key_directory: /var/cache/bind/keys
default:
format: 'generated/%s.db'
format: generated/%s.db
type: primary
notify: 'yes'
notify: "yes"
dnssec: true
zones:
'_acme-challenge.crans.org':
_acme-challenge.crans.org:
update_policy:
- 'grant certbot_challenge. name _acme-challenge.crans.org. txt'
format: 'bak.%s'
'_acme-challenge.adm.crans.org':
- grant certbot_challenge. name _acme-challenge.crans.org. txt
format: bak.%s
_acme-challenge.adm.crans.org:
update_policy:
- 'grant certbot_adm_challenge. name _acme-challenge.adm.crans.org. txt'
format: 'bak.%s'
- grant certbot_adm_challenge. name _acme-challenge.adm.crans.org. txt
format: bak.%s
rfc2136_keys:
'certbot_challenge.':
certbot_challenge.:
algorithm: hmac-sha512
secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}"
'certbot_adm_challenge.':
certbot_adm_challenge.:
algorithm: hmac-sha512
secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}"

54
host_vars/sputnik.adm.crans.org.yml
View File

@ -10,7 +10,7 @@ postfix:
loc_wireguard:
tunnels:
- name: "sputnik"
- name: sputnik
addresses:
- "{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv4 | first }}/24"
- "{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv6 | first }}/64"
@ -20,10 +20,10 @@ loc_wireguard:
- public_key: "{{ vault.wireguard.boeing.sputnik.pubkey }}"
allowed_ips:
- "{{ query('ldap', 'network', 'adm') }}"
- "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
- fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ansible.utils.ipv4 | first }}:51820"
post_up:
- "/sbin/ip link set sputnik alias adm"
- /sbin/ip link set sputnik alias adm
loc_slapd:
ip: "{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv4 | first }}"
@ -43,7 +43,7 @@ loc_certbot:
loc_service_certbot:
config:
"crans.org":
crans.org:
zone: _acme-challenge.crans.org
server: 172.16.10.147
port: 53
@ -51,7 +51,7 @@ loc_service_certbot:
name: certbot_challenge.
secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
algorithm: HMAC-SHA512
"adm.crans.org":
adm.crans.org:
zone: _acme-challenge.adm.crans.org
server: 172.16.10.147
port: 53
@ -73,46 +73,44 @@ loc_nginx:
trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
servers:
- server_name:
- "wiki2.crans.org"
ssl: "crans.org"
access_log: "/var/log/nginx/wiki.log combined"
error_log: "/var/log/nginx/wiki.error.log"
- wiki2.crans.org
ssl: crans.org
access_log: /var/log/nginx/wiki.log combined
error_log: /var/log/nginx/wiki.error.log
additional_params:
- "rewrite ^/$ $scheme://wiki2.crans.org/PageAccueil"
- "client_max_body_size 15M"
- rewrite ^/$ $scheme://wiki2.crans.org/PageAccueil
- client_max_body_size 15M
locations:
- filter: "/wiki"
- filter: /wiki
params:
- "alias /var/local/wiki/htdocs/"
- alias /var/local/wiki/htdocs/
- filter: "/robots.txt"
- filter: /robots.txt
params:
- "alias /var/local/wiki/robots.txt"
- alias /var/local/wiki/robots.txt
- filter: "/favicon.ico"
- filter: /favicon.ico
params:
- "alias /var/local/wiki/favicon.ico"
- alias /var/local/wiki/favicon.ico
- filter: "/www-sitemap.xml"
- filter: /www-sitemap.xml
params:
- "alias /var/local/wiki/www-sitemap.xml"
- alias /var/local/wiki/www-sitemap.xml
- filter: "/"
- filter: /
params:
- "uwsgi_pass unix:///var/run/uwsgi/app/moinmoin/socket"
- "include uwsgi_params"
- uwsgi_pass unix:///var/run/uwsgi/app/moinmoin/socket
- include uwsgi_params
loc_reverseproxy:
reverseproxy_sites:
- {from: status.crans.org, to: "127.0.0.1:8080"}
- {from: git2.crans.org, to: "127.0.0.1:3000"}
- {from: git2.adm.crans.org, to: "127.0.0.1:3000", ssl: adm.crans.org}
- { from: status.crans.org, to: 127.0.0.1:8080 }
- { from: git2.crans.org, to: 127.0.0.1:3000 }
- { from: git2.adm.crans.org, to: 127.0.0.1:3000, ssl: adm.crans.org }
redirect_sites: []
static_sites: []
loc_bind:
default:
type: slave
@ -121,4 +119,4 @@ loc_bind:
loc_service_ssh_known_hosts:
config:
ldap:
server: "ldaps://{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv4 | first }}"
server: ldaps://{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv4 | first }}

48
host_vars/tealc.adm.crans.org.yml
View File

@ -1,32 +1,32 @@
---
debian_mirror: 'file:/pool/mirror/pub/debian'
debian_mirror: file:/pool/mirror/pub/debian
loc_postgres:
version: 13
hosts:
- db: etherpad
user: crans
map: {name: etherpad, system: etherpad, pg: crans}
map: { name: etherpad, system: etherpad, pg: crans }
- db: etherpad_tmp
user: crans
map: {name: etherpad_tmp, system: etherpad, pg: crans}
map: { name: etherpad_tmp, system: etherpad, pg: crans }
- db: horde5
user: www-data
map: {name: horde, system: www-data, pg: www-data}
map: { name: horde, system: www-data, pg: www-data }
- db: roundcube
user: roundcube
map: {name: webmail, system: www-data, pg: roundcube}
- {db: owncloud, user: owncloud}
- {db: cas, user: cas}
- {db: hedgedoc, user: hedgedoc}
- {db: sqlgrey, user: sqlgrey, method: ident}
- {db: re2o, user: re2o}
- {db: re2o_test, user: re2o}
- {db: constellation-dev, user: constellation-dev}
- {db: mailman3, user: mailman3}
- {db: mailman3web, user: mailman3web}
- {db: all, user: all, subnets: ['127.0.0.1/32', '::1/128'], local: true}
- {db: replication, user: replication, local: true}
map: { name: webmail, system: www-data, pg: roundcube }
- { db: owncloud, user: owncloud }
- { db: cas, user: cas }
- { db: hedgedoc, user: hedgedoc }
- { db: sqlgrey, user: sqlgrey, method: ident }
- { db: re2o, user: re2o }
- { db: re2o_test, user: re2o }
- { db: constellation-dev, user: constellation-dev }
- { db: mailman3, user: mailman3 }
- { db: mailman3web, user: mailman3web }
- { db: all, user: all, subnets: [127.0.0.1/32, "::1/128"], local: true }
- { db: replication, user: replication, local: true }
addresses: "['tealc.adm.crans.org'] + {{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipaddr('address') }}"
backup:
dir: /var/local/db-backup
@ -75,13 +75,13 @@ loc_nginx:
ssl: []
servers:
- server_name:
- "mirror2"
- "mirror2.*"
root: "/pool/mirror/pub"
- mirror2
- mirror2.*
root: /pool/mirror/pub
locations:
- filter: "/"
- filter: /
params:
- "autoindex on"
- "autoindex_exact_size off"
- "add_before_body /.html/HEADER.html"
- "add_after_body /.html/FOOTER.html"
- autoindex on
- autoindex_exact_size off
- add_before_body /.html/HEADER.html
- add_after_body /.html/FOOTER.html

8
host_vars/vol447.adm.crans.org.yml
View File

@ -5,7 +5,7 @@ interfaces:
loc_wireguard:
tunnels:
- name: "gulp"
- name: gulp
listen_port: 51820
private_key: "{{ vault.wireguard.vol447.privkey }}"
peers:
@ -14,5 +14,7 @@ loc_wireguard:
- "{{ query('ldap', 'ip', 'charybde', 'adm') | ansible.utils.ipv4 | first }}/32"
- "{{ query('ldap', 'ip', 'charybde', 'adm') | ansible.utils.ipv6 | first }}/128"
endpoint: "{{ query('ldap', 'ip', 'freebox', 'srv') | ansible.utils.ipv4 | first }}:51820"
post_up: "sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.gulp.proxy_arp=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.gulp.proxy_ndp=1; ip neigh add proxy {{ query('ldap', 'ip', 'charybde', 'adm') | ansible.utils.ipv6 | first }} dev ens18"
post_down: "sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.gulp.proxy_arp=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.gulp.proxy_ndp=0; ip neigh delete proxy {{ query('ldap', 'ip', 'charybde', 'adm') | ansible.utils.ipv6 | first }} dev ens18"
post_up: sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.gulp.proxy_arp=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.gulp.proxy_ndp=1;
ip neigh add proxy {{ query('ldap', 'ip', 'charybde', 'adm') | ansible.utils.ipv6 | first }} dev ens18
post_down: sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.gulp.proxy_arp=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.gulp.proxy_ndp=0;
ip neigh delete proxy {{ query('ldap', 'ip', 'charybde', 'adm') | ansible.utils.ipv6 | first }} dev ens18

8
host_vars/zamok.adm.crans.org.yml
View File

@ -7,8 +7,8 @@ loc_borg:
- /var/lib/mysql
loc_thelounge:
host: "\"172.16.10.31\""
oidentd: "\"/usr/local/lib/thelounge/.oidentd.conf\""
host: '"172.16.10.31"'
oidentd: '"/usr/local/lib/thelounge/.oidentd.conf"'
reverseProxy: "true"
ldap_enable: "true"
@ -25,11 +25,11 @@ loc_nfs_mount:
name: home
owner: root
group: root
mode: '0755'
mode: "0755"
- ip: 172.16.4.2
mountpoint: /pool/mail
target: /var/mail
name: var-mail
owner: root
group: mail
mode: '0755'
mode: "0755"

2
plays/nginx.yml
View File

@ -4,6 +4,6 @@
- hosts: nginx,!adh_server
vars:
nginx: "{{ glob_nginx | default({}) | combine(service_nginx | default({}) | combine(loc_nginx | default({}))) }}"
re2o_front: "{{ glob_re2o_front | default({}) | combine(loc_re2o_front | default({})) }}" # necessary for re2o-front
re2o_front: "{{ glob_re2o_front | default({}) | combine(loc_re2o_front | default({})) }}"
roles:
- nginx

4
roles/anope/tasks/main.yml
View File

@ -1,6 +1,6 @@
---
- name: Install Anope
apt:
ansible.builtin.apt:
update_cache: true
install_recommends: false
name:
@ -10,7 +10,7 @@
until: apt_result is succeeded
- name: Deploy Anope configuration
template:
ansible.builtin.template:
src: anope/{{ item }}.j2
dest: /etc/anope/{{ item }}
mode: 0640

12
roles/apt-mirror/tasks/main.yml
View File

@ -1,6 +1,6 @@
---
- name: Install apt-mirror
apt:
ansible.builtin.apt:
update_cache: true
name: apt-mirror
register: apt_result
@ -8,7 +8,7 @@
until: apt_result is succeeded
- name: Create mirrors directory
file:
ansible.builtin.file:
path: "{{ apt_mirror.root }}/{{ item.host }}"
owner: apt-mirror
group: mirror
@ -17,7 +17,7 @@
loop: "{{ apt_mirror.targets }}"
- name: Create mirror symlink
file:
ansible.builtin.file:
# Use relative path to stay modular if the folder is mounted on multiple server at different locations
src: "{{ item.host }}/{{ item.symlink }}"
dest: "{{ apt_mirror.root }}/{{ item.name }}"
@ -26,17 +26,17 @@
loop: "{{ apt_mirror.targets }}"
- name: Copy apt-mirror configurations
template:
ansible.builtin.template:
src: apt/mirror.list.j2
dest: /etc/apt/mirror.list
- name: Configure apt-mirror cron
template:
ansible.builtin.template:
src: cron.d/apt-mirror.j2
dest: /etc/cron.d/apt-mirror
- name: Indicate role in motd
template:
ansible.builtin.template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-apt-mirror
mode: 0755

16
roles/arpproxy/tasks/main.yml
View File

@ -1,22 +1,22 @@
---
- name: Register proto proxy
lineinfile:
ansible.builtin.lineinfile:
path: /etc/iproute2/rt_protos.d/proxy.conf
regexp: "^\\d+ proxy$"
regexp: ^\d+ proxy$
line: "{{ service.proto_id }} {{ service.config.protocol }}"
owner: root
group: root
mode: 0644
- name: Enable IP forward and ARP and NDP proxies
sysctl:
ansible.posix.sysctl:
name: "{{ item.name }}"
value: "1"
sysctl_file: "/etc/sysctl.d/{{ item.file }}.conf"
sysctl_file: /etc/sysctl.d/{{ item.file }}.conf
sysctl_set: true
reload: true
loop:
- {name: "net.ipv4.ip_forward", file: "10-forwarding"}
- {name: "net.ipv6.conf.all.forwarding", file: "10-forwarding"}
- {name: "net.ipv4.conf.{{ service.main_interface }}.proxy_arp", file: "11-proxy-{{ service.main_interface }}"}
- {name: "net.ipv6.conf.{{ service.main_interface }}.proxy_ndp", file: "11-proxy-{{ service.main_interface }}"}
- { name: net.ipv4.ip_forward, file: 10-forwarding }
- { name: net.ipv6.conf.all.forwarding, file: 10-forwarding }
- { name: "net.ipv4.conf.{{ service.main_interface }}.proxy_arp", file: "11-proxy-{{ service.main_interface }}" }
- { name: "net.ipv6.conf.{{ service.main_interface }}.proxy_ndp", file: "11-proxy-{{ service.main_interface }}" }

4
roles/autoconfig/tasks/main.yml
View File

@ -1,10 +1,10 @@
---
- name: Create base directory
file:
ansible.builtin.file:
path: "{{ autoconfig.path }}/mail"
state: directory
- name: Deploy autoconfiguration website
template:
ansible.builtin.template:
src: mail/config-v1.1.xml.j2
dest: "{{ autoconfig.path }}/mail/config-v1.1.xml"

4
roles/baie/tasks/main.yml
View File

@ -1,6 +1,6 @@
---
- name: Install ZFS
apt:
ansible.builtin.apt:
update_cache: true
name:
- zfs-dkms
@ -10,7 +10,7 @@
until: apt_result is succeeded
- name: Install ifenslave
apt:
ansible.builtin.apt:
update_cache: true
name:
- ifenslave

8
roles/belenios/handlers/main.yml
View File

@ -1,5 +1,11 @@
---
- name: Make belenios project
community.general.make:
chdir: /var/local/belenios
target: build-release-server
notify: Restart ocsigenserver
- name: Restart ocsigenserver
systemd:
ansible.builtin.systemd:
name: ocsigenserver
state: restarted

20
roles/belenios/tasks/main.yml
View File

@ -1,6 +1,6 @@
---
- name: Install Belenios dependencies from APT
apt:
ansible.builtin.apt:
update_cache: true
install_recommends: false
name:
@ -40,29 +40,23 @@
until: apt_result is succeeded
- name: Start ocsigenserver at boot
lineinfile:
ansible.builtin.lineinfile:
path: /etc/default/ocsigenserver
regexp: ^LAUNCH_AT_STARTUP=
line: LAUNCH_AT_STARTUP=true
notify: Restart ocsigenserver
- name: Clone belenios into /var/local/belenios
git:
ansible.builtin.git:
repo: https://gitlab.inria.fr/belenios/belenios.git
dest: /var/local/belenios
version: "1.15"
force: true
notify: Make belenios project
register: git_result
- name: Make belenios project
when: git_result.changed
make:
chdir: /var/local/belenios
target: build-release-server
notify: Restart ocsigenserver
- name: Create belenios data directories
file:
ansible.builtin.file:
path: "{{ item }}"
owner: ocsigen
group: ocsigen
@ -77,7 +71,7 @@
- /var/log/belenios
- name: Link belenios directories into proper locations
file:
ansible.builtin.file:
src: "{{ item.src }}"
path: "{{ item.path }}"
owner: root
@ -105,7 +99,7 @@
path: /usr/share/belenios-server
- name: Deploy ocsigenserver configuration
template:
ansible.builtin.template:
src: ocsigenserver/conf.d/belenios.conf.j2
dest: /etc/ocsigenserver/conf.d/belenios.conf
owner: root

2
roles/bind-authoritative/handlers/main.yml
View File

@ -1,5 +1,5 @@
---
- name: systemctl reload bind9.service
systemd:
ansible.builtin.systemd:
name: bind9
state: reloaded

6
roles/bind-authoritative/tasks/main.yml
View File

@ -1,6 +1,6 @@
---
- name: Install Bind9
apt:
ansible.builtin.apt:
update_cache: true
name: bind9
register: apt_result
@ -8,7 +8,7 @@
until: apt_result is succeeded
- name: Deploy Bind9 configuration
template:
ansible.builtin.template:
src: bind/{{ item }}.j2
dest: /etc/bind/{{ item }}
mode: 0640
@ -23,7 +23,7 @@
notify: systemctl reload bind9.service
- name: Indicate role in motd
template:
ansible.builtin.template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-bind
mode: 0755

2
roles/bind-recursive/handlers/main.yml
View File

@ -1,5 +1,5 @@
---
- name: Reload bind9
systemd:
ansible.builtin.systemd:
name: bind9
state: reloaded

4
roles/bind-recursive/tasks/main.yml
View File

@ -1,6 +1,6 @@
---
- name: Install Bind9
apt:
ansible.builtin.apt:
update_cache: true
name: bind9
register: apt_result
@ -8,7 +8,7 @@
until: apt_result is succeeded
- name: Deploy Bind9 configuration
template:
ansible.builtin.template:
src: bind/{{ item }}.j2
dest: /etc/bind/{{ item }}
mode: 0644

20
roles/bird/handlers/main.yml
View File

@ -1,20 +0,0 @@
---
- name: check bird status
service_facts:
listen: 'reload bird'
- name: reload bird
systemd:
name: bird
state: reloaded
when: not ansible_check_mode and ansible_facts.services['bird']['state'] == 'running'
- name: check bird6 status
service_facts:
listen: 'reload bird6'
- name: reload bird6
systemd:
name: bird6
state: reloaded
when: not ansible_check_mode and ansible_facts.services['bird6']['state'] == 'running'

36
roles/bird/tasks/main.yml
View File

@ -1,36 +0,0 @@
---
- name: PLEASE STOP
pause:
prompt: "{{ item }}"
loop:
- APPUIE SUR ^C TOUT DE SUITE ET LANCE LE RÔLE BIRD2 !
- NAN MAIS VRAIMENT
- GENRE ARRÈTE
- ON T'AURA PRÉVENU
#- name: Install BIRD
# apt:
# update_cache: true
# name:
# - bird
# register: apt_result
# retries: 3
# until: apt_result is succeeded
#- name: Deploy bird configuration
# template:
# src: bird/bird.conf.j2
# dest: /etc/bird/bird.conf
# mode: 0640
# owner: bird
# group: bird
# notify: reload bird
#- name: Deploy bird6 configuration
# template:
# src: bird/bird6.conf.j2
# dest: /etc/bird/bird6.conf
# mode: 0640
# owner: bird
# group: bird
# notify: reload bird6

66
roles/bird/templates/bird/bird.conf.j2
View File

@ -1,66 +0,0 @@
{{ ansible_header | comment }}
# This is a minimal configuration file, which allows the bird daemon to start
# but will not cause anything else to happen.
#
# Please refer to the documentation in the bird-doc package or BIRD User's
# Guide on http://bird.network.cz/ for more information on configuring BIRD and
# adding routing protocols.
# Change this into your BIRD router ID. It's a world-wide unique identification
# of your router, usually one of router's IPv4 addresses.
router id {{ bird.ipv4.id }};
{% for bind in bird.ipv4.binds %}
listen bgp address {{ bind }} port 179;
{% endfor %}
# The Kernel protocol is not a real routing protocol. Instead of communicating
# with other routers in the network, it performs synchronization of BIRD's
# routing tables with the OS kernel.
protocol kernel {
# persist;
scan time 60;
import none;
{% if bird.ipv4.kernel_filter is defined %}
export filter {
if ( net ~ [ {{ bird.ipv4.kernel_filter|join(', ') }} ] ) then reject;
accept;
};
{% else %}
export all;
{% endif %}
}
# The Device protocol is not a real routing protocol. It doesn't generate any
# routes and it only serves as a module for getting information about network
# interfaces from the kernel.
protocol device {
scan time 60;
}
protocol static {
{% for static in bird.ipv4.statics %}
route {{ static }} reject;
{% endfor %}
}
{% for bgp in bird.ipv4.bgps %}
protocol bgp {{ bgp.name }} {
{% if bgp.local.address is defined %}
local {{ bgp.local.address }} as {{ bgp.local.as }};
{% else %}
local as {{ bgp.local.as }};
{% endif %}
{% if bgp.allow_local_as is defined %}
allow local as {{ bgp.allow_local_as }};
{% endif %}
neighbor {{ bgp.remote.address }} as {{ bgp.remote.as }};
import all;
export filter {
if ( net ~ [ {{ bgp.allow_export_prefixes|join(', ') }} ] ) then accept;
reject;
};
}
{% endfor %}

65
roles/bird/templates/bird/bird6.conf.j2
View File

@ -1,65 +0,0 @@
{{ ansible_header | comment }}
# This is a minimal configuration file, which allows the bird daemon to start
# but will not cause anything else to happen.
#
# Please refer to the documentation in the bird-doc package or BIRD User's
# Guide on http://bird.network.cz/ for more information on configuring BIRD and
# adding routing protocols.
# Change this into your BIRD router ID. It's a world-wide unique identification
# of your router, usually one of router's IPv6 addresses.
router id {{ bird.ipv6.id }};
{% for bind in bird.ipv6.binds %}
listen bgp address {{ bind }} port 179;
{% endfor %}
# The Kernel protocol is not a real routing protocol. Instead of communicating
# with other routers in the network, it performs synchronization of BIRD's
# routing tables with the OS kernel.
protocol kernel {
# persist;
scan time 60;
import none;
{% if bird.ipv6.kernel_filter is defined %}
export filter {
if ( net ~ [ {{ bird.ipv6.kernel_filter|join(', ') }} ] ) then reject;
accept;
};
{% else %}
export all;
{% endif %}
}
# The Device protocol is not a real routing protocol. It doesn't generate any
# routes and it only serves as a module for getting information about network
# interfaces from the kernel.
protocol device {
scan time 60;
}
protocol static {
{% for route in bird.ipv6.statics %}
route {{ route }} reject;
{% endfor %}
}
{%for bgp in bird.ipv6.bgps %}
protocol bgp {{ bgp.name }} {
{% if bgp.local.address is defined %}
local {{ bgp.local.address }} as {{ bgp.local.as }};
{% else %}
local as {{ bgp.local.as }};
{% endif %}
{% if bgp.allow_local_as is defined %}
allow local as {{ bgp.allow_local_as }};
{% endif %}
neighbor {{ bgp.remote.address }} as {{ bgp.remote.as }};
import all;
export filter {
if ( net ~ [ {{ bgp.allow_export_prefixes|join(', ') }} ] ) then accept;
reject;
};
}
{% endfor %}

6
roles/bird2/handlers/main.yml
View File

@ -1,10 +1,10 @@
---
- name: systemctl status bird.service
service_facts:
ansible.builtin.service_facts:
listen: systemctl reload bird.service
- name: systemctl reload bird.service
pause:
ansible.builtin.pause:
prompt: |-
On a préféré ne pas redemarrer bird automatiquement.
Du coup, c'est à toi de t'en occuper:
@ -14,6 +14,6 @@
when: not ansible_check_mode and ansible_facts.services['bird']['state'] == 'running'
- name: systemctl stop bird.service
systemd:
ansible.builtin.systemd:
name: bird.service
state: stopped

Some files were not shown because too many files have changed in this diff Show More