crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'newinfra' into 'gitlabci' 

# Conflicts:
#   hosts
certbot_on_virtu
erdnaxe 2020-08-18 23:14:02 +02:00
parent 2e2ee3e434 1c81c5e0d3
commit f75c8231a2
15 changed files with 151 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
group_vars/reverseproxy.yml 100644
View File

@ -0,0 +1,81 @@
certbot:
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
mail: root@crans.org
certname: crans.org
domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
nginx:
contact: contact@crans.org
who: "l'équipe technique du Cr@ns"
ssl:
cert: /etc/letsencrypt/live/crans.org/fullchain.pem
cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
redirect_dnames:
- crans.eu
- crans.fr
reverseproxy_sites:
# Services web Crans
# - {from: lutim.crans.org, to: 10.231.136.69}
# - {from: zero.crans.org, to: 10.231.136.76}
# - {from: pad.crans.org, to: "10.231.136.76:9001"}
# - {from: ethercalc.crans.org, to: "10.231.136.203:8000"}
# - {from: mediadrop.crans.org, to: 10.231.136.106}
# - {from: videos.crans.org, to: 10.231.136.106}
# - {from: video.crans.org, to: 10.231.136.106}
# - {from: roundcube.crans.org, to: 10.231.136.105}
# - {from: phabricator.crans.org, to: 10.231.136.123}
# - {from: trackerusercontent.crans.org, to: 10.231.136.123}
# - {from: cas.crans.org, to: 10.231.136.18}
# - {from: auth.crans.org, to: 10.231.136.18}
# - {from: login.crans.org, to: 10.231.136.18}
# - {from: webmail.crans.org, to: 10.231.136.107}
# - {from: horde.crans.org, to: 10.231.136.107}
# - {from: owncloud.crans.org, to: 10.231.136.26}
# - {from: ftps.crans.org, to: 10.231.136.98}
# - {from: wiki.crans.org, to: 10.231.136.204}
# - {from: www.crans.org, to: 10.231.136.46}
# - {from: doc.crans.org, to: 10.231.136.46}
# - {from: limesurvey.crans.org, to: 10.231.136.253}
# - {from: perso.crans.org, to: 10.231.136.1}
# - {from: webnews.crans.org, to: 10.231.136.63}
# - {from: re2o.crans.org, to: 10.231.136.9}
# - {from: intranet.crans.org, to: 10.231.136.9}
# - {from: autoconfig.crans.org, to: 10.231.136.46}
# - {from: grafana.crans.org, to: "10.231.136.102:3000"}
# - {from: webirc.crans.org, to: "10.231.136.1:9000"}
- {from: framadate.crans.org, to: 172.16.10.109}
# - {from: mailman.crans.org, to: 10.231.136.180}
#
# # Zamok
# - {from: install-party.crans.org, to: 10.231.136.1}
# - {from: med.crans.org, to: 10.231.136.1}
# - {from: med-cartons.crans.org, to: 10.231.136.1}
# - {from: amap.crans.org, to: 10.231.136.1}
# - {from: pot-vieux.crans.org, to: 10.231.136.1}
# - {from: bonvivens.crans.org, to: 10.231.136.1}
#
redirect_sites: []
# - {from: crans.org, to: www.crans.org}
#
# # Aliases or legacy support
# - {from: factures.crans.org, to: intranet.crans.org}
# - {from: accounts.crans.org, to: intranet.crans.org}
# - {from: intranet2.crans.org, to: intranet.crans.org}
# - {from: clubs.crans.org, to: perso.crans.org}
# - {from: task.crans.org, to: phabricator.crans.org}
# - {from: adopteunpingouin.crans.org, to: install-party.crans.org}
# - {from: i-p.crans.org, to: install-party.crans.org}
#
# # To the wiki
# - {from: wikipedia.crans.org, to: wiki.crans.org}
# - {from: wifi.crans.org, to: wiki.crans.org/CransD%C3%A9marrage}
# - {from: television.crans.org, to: wiki.crans.org/CransTv}
# - {from: tv.crans.org, to: wiki.crans.org/CransTv}
#
# # ENS Cachan
# - {from: crans.ens-cachan.fr, to: www.crans.org}
# - {from: install-party.ens-cachan.fr, to: install-party.crans.org}

2
host_vars/re2o-newinfra.adm.crans.org.yml
View File

@ -1,7 +1,7 @@
---
interfaces:
adm: eth0
srv-nat: eth1
srv_nat: eth1
loc_re2o:

4
host_vars/routeur-daniel.adm.crans.org.yml
View File

@ -2,10 +2,10 @@
interfaces:
adm: ens18
srv: ens19
srv-nat: ens20
srv_nat: ens20
infra: ens21
adh: ens22
adh-nat: ens23
adh_nat: ens23
loc_keepalived:

5
host_vars/routeur-sam.adm.crans.org.yml
View File

@ -2,10 +2,11 @@
interfaces:
adm: ens18
srv: ens19
srv-nat: ens20
srv_nat: ens20
infra: ens21
adh: ens22
adh-nat: ens23
adh_nat: ens23
srv_old: ens1
loc_keepalived:

6
hosts
View File

@ -25,6 +25,10 @@
# [test_vm]
# re2o-test.adm.crans.org
[reverseproxy]
hodaur.adm.crans.org
frontdaur.adm.crans.org
[radius]
routeur-sam.adm.crans.org
@ -67,12 +71,14 @@ daniel.adm.crans.org
jack.adm.crans.org
[crans_vm]
voyager.adm.crans.org
silice.adm.crans.org
routeur-sam.adm.crans.org
routeur-daniel.adm.crans.org
belenios # on changera plus tard
re2o-ldap.adm.crans.org
gitlab-ci.adm.crans.org
hodaur.adm.crans.org
[ovh_physical]
sputnik.adm.crans.org

17
lookup_plugins/ldap.py
View File

@ -52,11 +52,28 @@ class LookupModule(LookupBase):
result = [res.decode('utf-8') for res in result['ipHostNumber']]
return result
def subnet_ipv4(self, subnet):
"""
Retrive used IP addresses on a subnet
query('ldap', 'subnet_ipv4', SUBNET)
"""
network_query_id = self.base.search(f"cn={subnet},ou=networks,{self.base_dn}", ldap.SCOPE_BASE)
network_result = self.base.result(network_query_id)
network = network_result[1][0][1]
network, hostmask = network['ipNetworkNumber'][0].decode('utf-8'), network['ipNetmaskNumber'][0].decode('utf-8')
subnet = ipaddress.IPv4Network(f"{network}/{hostmask}")
query_id = self.base.search(f"ou=hosts,{self.base_dn}", ldap.SCOPE_SUBTREE, "objectClass=ipHost")
result = self.base.result(query_id)
result = [ip.decode('utf-8') for dn, entry in result[1] for ip in entry['ipHostNumber'] if ipaddress.ip_address(ip.decode('utf-8')) in subnet]
return result
def run(self, terms, variables=None, **kwargs):
if terms[0] == 'query':
result = self.query(*terms[1:])
elif terms[0] == 'ip':
result = self.ip(*terms[1:])
elif terms[0] == 'subnet_ipv4':
result = self.subnet_ipv4(*terms[1:])
elif terms[0] == 'group':
query_id = self.base.search(f"ou=group,{self.base_dn}", ldap.SCOPE_SUBTREE, "objectClass=posixGroup")
result = self.base.result(query_id)

7
plays/firewall.yml
View File

@ -1,11 +1,14 @@
#!/usr/bin/env ansible-playbook
---
# Deploy iproute2 and sysctl config files
# Deploy sysctl config files
- hosts: crans_routeurs
roles:
- iproute2
- sysctl-forwarding
- hosts: routeur-sam.adm.crans.org
roles:
- arp-proxy
# Deploy firewall
- hosts: crans_routeurs
vars:

55
plays/reverse-proxy.yml
View File

@ -1,53 +1,6 @@
#!/usr/bin/env ansible-playbook
---
# Deploy reverse proxy
# Frontdaur is the backup of bakdaur (keepalived)
- hosts: bakdaur.adm.crans.org,frontdaur.adm.crans.org
vars:
certbot:
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
mail: root@crans.org
certname: crans.org
domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
bind:
masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
nginx:
ssl:
cert: /etc/letsencrypt/live/crans.org/fullchain.pem
cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
redirect_dnames:
- crans.eu
- crans.fr
reverseproxy_sites:
# Services web Crans
- {from: lutim.crans.org, to: 10.231.136.69}
- {from: zero.crans.org, to: 10.231.136.76}
- {from: pad.crans.org, to: "10.231.136.76:9001"}
- {from: ethercalc.crans.org, to: "10.231.136.203:8000"}
- {from: mediadrop.crans.org, to: 10.231.136.106}
- {from: videos.crans.org, to: 10.231.136.106}
- {from: video.crans.org, to: 10.231.136.106}
- {from: roundcube.crans.org, to: 10.231.136.105}
- {from: phabricator.crans.org, to: 10.231.136.123}
- {from: trackerusercontent.crans.org, to: 10.231.136.123}
- {from: cas.crans.org, to: 10.231.136.18}
- {from: auth.crans.org, to: 10.231.136.18}
- {from: login.crans.org, to: 10.231.136.18}
- {from: webmail.crans.org, to: 10.231.136.107}
- {from: horde.crans.org, to: 10.231.136.107}
- {from: owncloud.crans.org, to: 10.231.136.26}
- {from: ftps.crans.org, to: 10.231.136.98}
- {from: wiki.crans.org, to: 10.231.136.204}
- {from: calendrier.crans.org, to: 10.231.136.204}
- {from: www.crans.org, to: 10.231.136.46}
- {from: doc.crans.org, to: 10.231.136.46}
- {from: limesurvey.crans.org, to: 10.231.136.253}
- {from: perso.crans.org, to: 10.231.136.1}
- {from: webnews.crans.org, to: 10.231.136.63}
- {from: re2o.crans.org, to: 10.231.136.9}
- {from: intranet.crans.org, to: 10.231.136.9}
- {from: autoconfig.crans.org, to: 10.231.136.46}
- hosts: reverseproxy
roles:
- certbot
- nginx-reverseproxy

11
roles/arp-proxy/tasks/main.yml 100644
View File

@ -0,0 +1,11 @@
---
- name: Deploy interfaces config
template:
src: network/interfaces.d/{{ item }}.j2
dest: /etc/network/interfaces.d/{{ item }}
mode: 0644
owner: root
group: root
loop:
- 02-srv
- 24-srv-old

6
roles/arp-proxy/templates/network/interfaces.d/02-srv.j2 100644
View File

@ -0,0 +1,6 @@
auto {{ interfaces.srv }}
iface {{ interfaces.srv }} inet manual
up /sbin/sysctl -w net.ipv4.conf.{{ interfaces.srv }}.proxy_arp=1
{% for ip in query('ldap', 'subnet_ipv4', 'srv') %}
up /sbin/ip route add {{ ip }}/32 dev {{ interfaces.srv }}
{% endfor %}

9
roles/arp-proxy/templates/network/interfaces.d/24-srv-old.j2 100644
View File

@ -0,0 +1,9 @@
auto {{ interfaces.srv_old }}
iface {{ interfaces.srv_old }} inet static
address 185.230.79.2/24
gateway 185.230.79.254
up /sbin/sysctl -w net.ipv4.conf.{{ interfaces.srv_old }}.proxy_arp=1
up /sbin/ip addr add 185.230.79.204/24 dev {{ interfaces.srv_old }}
up /sbin/ip addr add 185.230.79.205/24 dev {{ interfaces.srv_old }}
up /sbin/ip addr add 185.230.79.206/24 dev {{ interfaces.srv_old }}
up /sbin/ip addr add 185.230.79.207/24 dev {{ interfaces.srv_old }}

4
roles/certbot/tasks/main.yml
View File

@ -12,7 +12,9 @@
- name: Lookup DNS masters IPv4
set_fact:
dns_masters_ipv4: "{{ bind.masters | json_query('servers[].interface[?vlan_id==`2`].ipv4[]') }}"
#dns_masters_ipv4: "{{ bind.masters | json_query('servers[].interface[?vlan_id==`2`].ipv4[]') }}"
dns_masters_ipv4:
- "185.230.79.9"
cacheable: true
- name: Add DNS credentials

2
roles/home-nounous/tasks/main.yml
View File

@ -13,7 +13,7 @@
template:
src: systemd/system/home.mount.j2
dest: /etc/systemd/system/home.mount
mode: 0755
mode: 0644
- name: Load and activate nfs systemd mount
systemd:

7
roles/nginx-reverseproxy/tasks/main.yml
View File

@ -15,16 +15,10 @@
- options-ssl.conf
- options-proxypass.conf
- name: Has dhparam been copied?
stat:
path: /etc/letsencrypt/dhparam
register: stat_result
- name: Copy dhparam
template:
src: letsencrypt/dhparam.j2
dest: /etc/letsencrypt/dhparam
when: not stat_result.stat.exists
- name: Copy reverse proxy sites
template:
@ -46,6 +40,7 @@
- reverseproxy_redirect_dname
- redirect
notify: Reload nginx
ignore_errors: "{{ ansible_check_mode }}"
- name: Copy 50x error page
template:

2
roles/nginx-reverseproxy/templates/www/html/50x.html.j2
View File

@ -57,7 +57,7 @@
<h1>502</h1>
<p>Whoops, le service prend trop de temps à répondre…</p>
<p>Essayez de rafraîchir la page. Si le problème persiste, pensez
à contacter <a href="mailto:contact@crans.org">l'équipe technique du Cr@ns</a>.</p>
à contacter <a href="mailto:{{ nginx.contact }}">{{ nginx.who }}</a>.</p>
</body>
</html>