From e7226ad7a5b80832b9523162b9d0e6a0d0326612 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 16 Jan 2021 18:57:33 +0100 Subject: [PATCH 1/4] Procurve suffix for SNMP monitoring --- .../templates/prometheus/snmp.yml.j2 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/prometheus-snmp-exporter/templates/prometheus/snmp.yml.j2 b/roles/prometheus-snmp-exporter/templates/prometheus/snmp.yml.j2 index 69770a1a..aa30bc43 100644 --- a/roles/prometheus-snmp-exporter/templates/prometheus/snmp.yml.j2 +++ b/roles/prometheus-snmp-exporter/templates/prometheus/snmp.yml.j2 @@ -80,21 +80,21 @@ procurve_switch: - 1.3.6.1.2.1.1.5.0 - 1.3.6.1.2.1.1.6.0 metrics: - - name: sysUpTime + - name: procurve_sysUpTime oid: 1.3.6.1.2.1.1.3 type: gauge help: The time (in hundredths of a second) since the network management portion of the system was last re-initialized. - 1.3.6.1.2.1.1.3 - - name: sysName + - name: procurve_sysName oid: 1.3.6.1.2.1.1.5 type: DisplayString help: An administratively-assigned name for this managed node - 1.3.6.1.2.1.1.5 - - name: sysLocation + - name: procurve_sysLocation oid: 1.3.6.1.2.1.1.6 type: DisplayString help: The physical location of this node (e.g., 'telephone closet, 3rd floor') - 1.3.6.1.2.1.1.6 - - name: ifHCOutOctets + - name: procurve_ifHCOutOctets oid: 1.3.6.1.2.1.31.1.1.1.10 type: counter help: The total number of octets transmitted out of the interface, including framing @@ -102,7 +102,7 @@ procurve_switch: indexes: - labelname: ifIndex type: gauge - - name: ifHCInOctets + - name: procurve_ifHCInOctets oid: 1.3.6.1.2.1.31.1.1.1.6 type: counter help: The total number of octets received on the interface, including framing From 82732396afe27f3e508c353593d6e0cb41ac3fa2 Mon Sep 17 00:00:00 2001 
From: Alexandre Iooss
Date: Sat, 16 Jan 2021 19:13:40 +0100
Subject: [PATCH 2/4] Sync all.yml with plays

---
 all.yml | 22 +++++++++++-----
 network.yml | 57 -----------------------------------------
 plays/gather_fact.yml | 3 ---
 plays/get_adm_iface.yml | 11 --------
 plays/gitlab.yml | 14 ++++++++++
 plays/unifi.yml | 6 +++++
 radius.yml | 10 --------
 re2o.yml | 17 +-----------
 services_web.yml | 15 -----------
 9 files changed, 36 insertions(+), 119 deletions(-)
 delete mode 100755 network.yml
 delete mode 100755 plays/gather_fact.yml
 delete mode 100755 plays/get_adm_iface.yml
 create mode 100755 plays/unifi.yml
 delete mode 100755 radius.yml
 delete mode 100755 services_web.yml

diff --git a/all.yml b/all.yml
index 6259b65a..abe59634 100755
--- a/all.yml
+++ b/all.yml
@@ -1,25 +1,34 @@ #!/usr/bin/env ansible-playbook --- +# This playbooks runs all playbooks +# It's a good tool for lazy administrators that just want to check that +# current running configuration matches Ansible. + # Core playboot to have minimal configuration - import_playbook: plays/root.yml +# Common configuration - import_playbook: plays/mail.yml - import_playbook: plays/nfs.yml #- import_playbook: plays/logs.yml TODO: rsyncd -- import_playbook: plays/backup.yml +- import_playbook: plays/backup.yml # import borgbackup_client/server.yml # - import_playbook: plays/network-interfaces.yml TODO: check this paybook - import_playbook: plays/monitoring.yml # Services that only apply to a subset of server -# - import_playbook: plays/cas.yml +- import_playbook: plays/cas.yml +- import_playbook: plays/certbot.yml - import_playbook: plays/dhcp.yml - import_playbook: plays/dns.yml +- import_playbook: plays/dovecot.yml +- import_playbook: plays/ethercalc.yml - import_playbook: plays/etherpad.yml - import_playbook: plays/firewall.yml - import_playbook: plays/framadate.yml - import_playbook: plays/freeradius.yml - import_playbook: plays/generate_documentation.yml - import_playbook: plays/gitlab.yml +- import_playbook: plays/home.yml - import_playbook: plays/horde.yml - import_playbook: plays/keepalived.yml - import_playbook: plays/mailman.yml 
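Review bot: The first added header line, `# This playbooks runs all playbooks`, has a grammar slip and does not say what "all" means; `# This playbook runs every playbook under plays/` followed by `# It is a convenient check for administrators who want to verify that the running configuration still matches Ansible.` would replace the three added comment lines. Each `import_playbook` target is resolved when ansible-playbook parses all.yml, so a missing file fails the whole run: of the plays newly imported here and in the second hunk (certbot, dovecot, ethercalc, home, postfix, ssh_known_hosts, unifi, zamok) only plays/unifi.yml is created in this series, so I assume the others already exist in plays/ — worth confirming before merge. The `plays/cas.yml` import is also re-enabled after having been commented out; if that is deliberate, a short note on why would help the next reader.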
@@ -28,14 +37,13 @@ - import_playbook: plays/nginx_rtmp.yml - import_playbook: plays/ntp.yml - import_playbook: plays/owncloud.yml +- import_playbook: plays/postfix.yml - import_playbook: plays/postgresql.yml - import_playbook: plays/re2o.yml - import_playbook: plays/reverse-proxy.yml - import_playbook: plays/roundcube.yml +- import_playbook: plays/ssh_known_hosts.yml - import_playbook: plays/tv.yml +- import_playbook: plays/unifi.yml - import_playbook: plays/wireguard.yml - -# FIXME: should be in plays/ directory -# Deploy LDAP replica -- hosts: odlyd.adm.crans.org,soyouz.adm.crans.org,fy.adm.crans.org,thot.adm.crans.org - roles: [] # TODO +- import_playbook: plays/zamok.yml diff --git a/network.yml b/network.yml deleted file mode 100755 index a9f21b53..00000000 --- a/network.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -#!/usr/bin/env ansible-playbook ---- -- hosts: gitzly.adm.crans.org - vars: - certbot: - dns_rfc2136_name: certbot_adm_challenge. - dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}" - mail: root@crans.org - certname: adm.crans.org - domains: "*.adm.crans.org" - bind: - masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}" - roles: - - certbot - -# Deploy firewall -- hosts: gulp.adm.crans.org - roles: [] # TODO - -# Deploy Unifi Controller -- hosts: unifi.adm.crans.org - roles: - - unifi-controller - -# Configure routers -- hosts: gulp.adm.crans.org,odlyd.adm.crans.org,ipv6-zayo.adm.crans.org - roles: - - logall - - quagga - -# Deploy BGP server configuration on IPv4 routers -- hosts: gulp.adm.crans.org,odlyd.adm.crans.org - vars: - zebra: - password: "{{ vault_zebra_password }}" - bgp: - as: 204515 - router_id: 158.255.113.73 - network: 185.230.76.0/22 - neighbor: 158.255.113.72 - remote_as: 8218 - roles: - - quagga-ipv4 - -# Deploy BGP server configuration on IPv6 routers -- hosts: ipv6-zayo.adm.crans.org - vars: - zebra: - password: "{{ vault_zebra_password }}" - bgp: - as: 204515 - router_id: 138.231.136.200 - network: 2a0c:700::/32 - neighbor: 2001:1b48:2:103::bb:1 - remote_as: 8218 - roles: - - quagga-ipv6 diff --git a/plays/gather_fact.yml b/plays/gather_fact.yml deleted file mode 100755 index 29404790..00000000 --- a/plays/gather_fact.yml +++ /dev/null @@ -1,3 +0,0 @@ -#!/usr/bin/env ansible-playbook ---- -- hosts: all diff --git a/plays/get_adm_iface.yml b/plays/get_adm_iface.yml deleted file mode 100755 index 4c98d38c..00000000 --- a/plays/get_adm_iface.yml +++ /dev/null @@ -1,11 +0,0 @@ -#!/usr/bin/env ansible-playbook ---- -- hosts: server - tasks: - - name: Register adm interface in adm_iface variable - shell: set -o pipefail && grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" - register: adm_iface - check_mode: false - changed_when: true - args: - executable: /bin/bash 
diff --git a/plays/gitlab.yml b/plays/gitlab.yml index 3be109e0..1e1b6410 100755 --- a/plays/gitlab.yml +++ b/plays/gitlab.yml @@ -5,3 +5,17 @@ roles: - docker - gitlab-runner + +# This seems strange, don't know if it still used +# - hosts: gitzly.adm.crans.org +# vars: +# certbot: +# dns_rfc2136_name: certbot_adm_challenge. +# dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}" +# mail: root@crans.org +# certname: adm.crans.org +# domains: "*.adm.crans.org" +# bind: +# masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}" +# roles: +# - certbot diff --git a/plays/unifi.yml b/plays/unifi.yml new file mode 100755 index 00000000..28334d98 --- /dev/null +++ b/plays/unifi.yml @@ -0,0 +1,6 @@ +#!/usr/bin/env ansible-playbook +--- +# Deploy Unifi Controller +- hosts: unifi.adm.crans.org + roles: + - unifi-controller diff --git a/radius.yml b/radius.yml deleted file mode 100755 index a26e3549..00000000 --- a/radius.yml +++ /dev/null @@ -1,10 +0,0 @@ -#!/usr/bin/env ansible-playbook ---- -- hosts: eap.adm.crans.org, odlyd.adm.crans.org, radius.adm.crans.org - vars: - certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}' - bind: - masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}" - roles: - - certbot - - freeradius diff --git a/re2o.yml b/re2o.yml index 576fc219..44f085d7 100755 --- a/re2o.yml +++ b/re2o.yml @@ -1,21 +1,6 @@ #!/usr/bin/env ansible-playbook --- -# Deploy Re2o -- hosts: otis.adm.crans.org - vars: - re2o: - owner: root - group: nounou - version: dev_crans - settings_local_owner: root - settings_local_group: root - db_password: "{{ vault_re2o_db_password }}" - django_secret_key: "{{ vault_re2o_django_secret_key }}" - aes_key: "{{ vault_re2o_aes_key }}" - ldap: - master_password: "{{ vault_ldap_master_password }}" - roles: - - re2o +# THIS FILE SHOULD BE UPDATED TO NEW INFRA AND THE MERGED TO plays/ # Deploy services config on all servers - hosts: server 
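Review bot: The block added after `- gitlab-runner` is an entirely commented-out play carried over from the deleted network.yml, and its lead-in `# This seems strange, don't know if it still used` explains neither why it is parked in gitlab.yml nor who should decide its fate. Commented-out plays are never run or linted, so they rot silently; either drop the block or replace the lead-in with an actionable marker such as `# TODO: wildcard adm.crans.org certbot play, moved from network.yml; confirm plays/certbot.yml (imported by all.yml in this series) supersedes it, then delete`. If the block is kept, `if it still used` should read `if it is still used`.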
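Review bot: The added line `# THIS FILE SHOULD BE UPDATED TO NEW INFRA AND THE MERGED TO plays/` has a typo and reads better as `# THIS FILE SHOULD BE UPDATED TO THE NEW INFRA AND THEN MERGED INTO plays/`. The play removed just above it is the one visible application of the `re2o` role with its vault-backed settings to otis.adm.crans.org; all.yml in this series imports plays/re2o.yml, so I assume the deployment now lives there — confirm, so that host does not silently drop out of configuration management. The remaining `- hosts: server` play continues past the end of the hunk.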
diff --git a/services_web.yml b/services_web.yml deleted file mode 100755 index 5e45ef72..00000000 --- a/services_web.yml +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/env ansible-playbook ---- -# Deploy MoinMoin Wiki -- hosts: soyouz.adm.crans.org - roles: [] # TODO - -- hosts: cas-srv.adm.crans.org - roles: ["django-cas"] - -- hosts: ethercalc-srv.adm.crans.org - roles: ["ethercalc"] - -- import_playbook: plays/horde.yml -- import_playbook: plays/framadate.yml - From adbe58b09468a7c1f4105d93799394e48df334ef Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 16 Jan 2021 20:11:05 +0100 Subject: [PATCH 3/4] Last version of clean_servers.yml --- 70debconf | 3 +++ clean_servers.yml | 21 ++++++++++++++++----- ldap.conf | 17 +++++++++++++++++ 3 files changed, 36 insertions(+), 5 deletions(-) create mode 100644 70debconf create mode 100644 ldap.conf diff --git a/70debconf b/70debconf new file mode 100644 index 00000000..0c8b4ca4 --- /dev/null +++ b/70debconf @@ -0,0 +1,3 @@ +// Pre-configure all packages with debconf before they are installed. +// If you don't like it, comment it out. +DPkg::Pre-Install-Pkgs {"/usr/sbin/dpkg-preconfigure --apt || true";}; diff --git a/clean_servers.yml b/clean_servers.yml index b866699a..bc639712 100755 --- a/clean_servers.yml +++ b/clean_servers.yml @@ -3,7 +3,7 @@ # This is a special playbook to clean old stuff from BCFG2 # it will disapear when BCFG2 will disapear # `apt-mark showmanual` is a good start -- hosts: server,test_vm +- hosts: server tasks: - name: Clean up unused packages apt: @@ -67,7 +67,6 @@ state: absent loop: - /etc/apt/apt.conf.d/01aptitude - - /etc/apt/apt.conf.d/70debconf - /etc/apt-dater-host.conf - /etc/bcfg2.conf - /etc/bcfg2.conf.ucf-dist 
@@ -93,19 +92,31 @@ - /etc/default/bcfg2.ucf-dist - /etc/icinga2 - /etc/init.d/bcfg2 - - /etc/ldap/ldap.conf - /etc/letsencrypt/conf.d/localhost.ini - /etc/monit - /etc/munin - /etc/nagios - /etc/nagios-plugins - - /etc/nginx/sites-available/status - - /etc/nginx/sites-enabled/status + #- /etc/nginx/sites-available/status + #- /etc/nginx/sites-enabled/status - /etc/nss-ldapd.conf - /etc/nut - /etc/pnp4nagios - /etc/sudoers.d/apt-dater-host - /var/local/aptdater + + - name: Copy Debian ldap.conf + template: + src: ldap.conf + dest: /etc/ldap/ldap.conf + mode: 0644 + + - name: Copy Debian 70debconf + template: + src: 70debconf + dest: /etc/apt/apt.conf.d/70debconf + mode: 0644 + # - name: Upgrade # apt: # upgrade: dist diff --git a/ldap.conf b/ldap.conf new file mode 100644 index 00000000..42d42b0d --- /dev/null +++ b/ldap.conf @@ -0,0 +1,17 @@ +# +# LDAP Defaults +# + +# See ldap.conf(5) for details +# This file should be world readable but not world writable. + +#BASE dc=example,dc=com +#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 + +#SIZELIMIT 12 +#TIMELIMIT 15 +#DEREF never + +# TLS certificates (needed for GnuTLS) +TLS_CACERT /etc/ssl/certs/ca-certificates.crt + From 82c7166dfc99e525be37986a4d2593bd92246d6f Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 16 Jan 2021 20:11:20 +0100 Subject: [PATCH 4/4] Remove clean_servers.yml --- 70debconf | 3 -- clean_servers.yml | 127 ---------------------------------------------- ldap.conf | 17 ------- 3 files changed, 147 deletions(-) delete mode 100644 70debconf delete mode 100755 clean_servers.yml delete mode 100644 ldap.conf diff --git a/70debconf b/70debconf deleted file mode 100644 index 0c8b4ca4..00000000 --- a/70debconf +++ /dev/null @@ -1,3 +0,0 @@ -// Pre-configure all packages with debconf before they are installed. -// If you don't like it, comment it out. -DPkg::Pre-Install-Pkgs {"/usr/sbin/dpkg-preconfigure --apt || true";}; 
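Review bot: Both new template tasks set `mode: 0644` as a bare scalar; YAML 1.1 loaders read it as octal 420, which Ansible accepts, but ansible-lint flags the unquoted form as risky-octal and a later edit to e.g. `644` would silently set the wrong permissions — write `mode: "0644"` on both lines. Neither ldap.conf nor 70debconf (added as new files in this patch) contains Jinja markup, so `copy:` states the intent more precisely than `template:` for files meant to be the stock Debian defaults. These tasks also overwrite /etc/ldap/ldap.conf unconditionally on every host in `server`, replacing any per-host BASE/URI settings with the commented defaults; that looks intended as part of the BCFG2 cleanup, but the task name should say so. The two nginx entries turned into `#- /etc/nginx/...` should carry a space after `#` like the file's other comments; the enclosing play and task list start before this hunk.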
diff --git a/clean_servers.yml b/clean_servers.yml
deleted file mode 100755
index bc639712..00000000
--- a/clean_servers.yml
+++ /dev/null
@@ -1,127 +0,0 @@ -#!/usr/bin/env ansible-playbook ---- -# This is a special playbook to clean old stuff from BCFG2 -# it will disapear when BCFG2 will disapear -# `apt-mark showmanual` is a good start -- hosts: server - tasks: - - name: Clean up unused packages - apt: - state: absent - name: - - acpid - - apt-dater-host - - arpwatch # old sniffing - - at - - bcfg2 - - byobu # we already have screen and tmux - - collectd - - collectd-utils # old monitoring - - debian-faq # graphical - - doc-debian # graphical - - icinga2 - - icinga2-bin - - icinga2-common - - icinga2-ido-pgsql - - icinga2-node # old monitoring - - ipython # go use ipython3! - - irqbalance # removed in newer debian - - libmonitoring-plugin-perl - - monit - - monitoring-plugins - - monitoring-plugins-basic - - monitoring-plugins-common - - monitoring-plugins-standard - - munin-common - - munin-node # old monitoring - - munin # old monitoring - - munin-plugins-core - - munin-plugins-extra - - nagios-nrpe-server - - nagios-plugins-contrib - - openbsd-inetd - - os-prober # makes grub-install lag - - popularity-contest - - python3-nagiosplugin - - python3-reportbug - - python-nagiosplugin - - ramond # remplaced by ra-guard on switchs - - snmp - - sysstat # very old monitoring - - xscreensaver # was on owncloud - register: apt_result - retries: 3 - until: apt_result is succeeded - - - name: Clean unwanted olderstuff - apt: - autoremove: true - purge: true - register: apt_result - retries: 3 - until: apt_result is succeeded - - - name: Remove old conf - file: - path: "{{ item }}" - state: absent - loop: - - /etc/apt/apt.conf.d/01aptitude - - /etc/apt-dater-host.conf - - /etc/bcfg2.conf - - /etc/bcfg2.conf.ucf-dist - - /etc/crans - - /etc/cron.daily/bcfg2 - - /etc/cron.daily/git_dirty_repo - - /etc/cron.d/autobcfg2 - - /etc/cron.d/bcfg2-run - - /etc/cron.d/comptes_inactifs - - /etc/cron.d/letsencrypt_check_cert - - /etc/cron.d/monit - - /etc/cron.d/munin-crans - - /etc/cron.d/munin-node - - 
/etc/cron.d/munin-node.dpkg-dist - - /etc/cron.d/printer_watch - - /etc/cron.d/pull-repos-scripts - - /etc/cron.d/pxeboot - - /etc/cron.d/re2o-services - - /etc/cron.d/sshFingerprint - - /etc/cron.hourly/bcfg2 - - /etc/cron.weekly/git_dirty_repo - - /etc/default/bcfg2 - - /etc/default/bcfg2.ucf-dist - - /etc/icinga2 - - /etc/init.d/bcfg2 - - /etc/letsencrypt/conf.d/localhost.ini - - /etc/monit - - /etc/munin - - /etc/nagios - - /etc/nagios-plugins - #- /etc/nginx/sites-available/status - #- /etc/nginx/sites-enabled/status - - /etc/nss-ldapd.conf - - /etc/nut - - /etc/pnp4nagios - - /etc/sudoers.d/apt-dater-host - - /var/local/aptdater - - - name: Copy Debian ldap.conf - template: - src: ldap.conf - dest: /etc/ldap/ldap.conf - mode: 0644 - - - name: Copy Debian 70debconf - template: - src: 70debconf - dest: /etc/apt/apt.conf.d/70debconf - mode: 0644 - -# - name: Upgrade -# apt: -# upgrade: dist -# update_cache: true -# cache_valid_time: 86400 # one day -# register: apt_result -# retries: 3 -# until: apt_result is succeeded diff --git a/ldap.conf b/ldap.conf deleted file mode 100644 index 42d42b0d..00000000 --- a/ldap.conf +++ /dev/null @@ -1,17 +0,0 @@ -# -# LDAP Defaults -# - -# See ldap.conf(5) for details -# This file should be world readable but not world writable. - -#BASE dc=example,dc=com -#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 - -#SIZELIMIT 12 -#TIMELIMIT 15 -#DEREF never - -# TLS certificates (needed for GnuTLS) -TLS_CACERT /etc/ssl/certs/ca-certificates.crt -