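#!/usr/bin/env ansible-playbook
---
# Crans site playbook.
#
# Deploys, in order: the WireGuard tunnel between sputnik and boeing, the DHCP
# server, the recursive and authoritative DNS servers, Let's Encrypt
# certificates, the public reverse proxy, the Unifi controller, the routers
# (Quagga / BGP) and the Postfix relays.
#
# Every secret used below (WireGuard keys, TSIG secrets for certbot's RFC 2136
# DNS-01 challenge, the zebra password) is referenced through a `vault_*`
# variable and is expected to come from an ansible-vault encrypted vars file.
# No secret material is stored in this playbook itself.
#
# Plays were previously unnamed (only commented); each now carries a `name:`
# so that `ansible-playbook --list-tasks` and run output identify the play.

# Deploy tunnel
# Each end of the tunnel receives its own private key and the other end's
# public key. `sputnik: true/false` tells the role which end it configures.
- name: Deploy WireGuard tunnel (sputnik end)
  hosts: sputnik.adm.crans.org
  vars:
    debian_mirror: http://mirror.crans.org/debian
    wireguard:
      sputnik: true
      private_key: "{{ vault_wireguard_sputnik_private_key }}"
      peer_public_key: "{{ vault_wireguard_boeing_public_key }}"
  roles:
    - wireguard

- name: Deploy WireGuard tunnel (boeing end)
  hosts: boeing.adm.crans.org
  vars:
    # Debian mirror on adm
    debian_mirror: http://mirror.adm.crans.org/debian
    wireguard:
      sputnik: false
      # Interface the tunnel is bound to on boeing.
      if: ens20
      private_key: "{{ vault_wireguard_boeing_private_key }}"
      peer_public_key: "{{ vault_wireguard_sputnik_public_key }}"
  roles:
    - wireguard

# Deploy DHCP server
- name: Deploy DHCP server
  hosts: dhcp.adm.crans.org
  vars:
    dhcp:
      # Authoritative: the server answers DHCPNAK for leases it does not know.
      authoritative: true
  roles:
    - isc-dhcp-server

# Deploy recursive DNS cache server
- name: Deploy recursive DNS cache
  hosts: odlyd.adm.crans.org
  roles:
    - bind-recursive

# Deploy authoritative DNS server
# Masters, slaves, zones and reverse zones are pulled from re2o through the
# project-provided `re2oapi` lookup plugin. Both TSIG secrets are handed to
# every authoritative host listed here, including the public ones (sputnik,
# boeing); keep the key ACLs in the bind-authoritative role restricted to the
# ACME challenge records so a leaked key cannot rewrite the zones.
- name: Deploy authoritative DNS servers
  hosts: silice.adm.crans.org,sputnik.adm.crans.org,boeing.adm.crans.org
  vars:
    certbot_dns_secret: "{{ vault_certbot_dns_secret }}"
    certbot_adm_dns_secret: "{{ vault_certbot_adm_dns_secret }}"
    bind:
      masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
      slaves: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-slave')[0] }}"
      zones: "{{ lookup('re2oapi', 'dnszones') }}"
      reverse: "{{ lookup('re2oapi', 'dnsreverse') }}"
  roles:
    - bind-authoritative

# Deploy reverse proxy
# certbot obtains one wildcard certificate covering crans.org/.fr/.eu via the
# DNS-01 challenge, updating the DNS master over RFC 2136 with the
# `certbot_challenge.` TSIG key. nginx then serves every vhost below with that
# single certificate.
# NOTE(review): the TSIG key named `certbot_challenge.` is deployed to hosts
# exposed to the Internet; verify on the DNS master that it is limited to
# `_acme-challenge` updates (update-policy), not the whole zone.
- name: Deploy public reverse proxy
  hosts: bakdaur.adm.crans.org,frontdaur.adm.crans.org
  vars:
    certbot:
      dns_rfc2136_name: certbot_challenge.
      dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
      mail: root@crans.org
      certname: crans.org
      domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
    bind:
      masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
    nginx:
      ssl:
        cert: /etc/letsencrypt/live/crans.org/fullchain.pem
        cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
        trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
      # Alternative domains redirected to their crans.org counterpart.
      redirect_dnames:
        - crans.eu
        - crans.fr
      # Public name -> backend address reached from the proxy. Backends are on
      # the 10.231.136.0/24 range unless noted.
      reverseproxy_sites:
        # Services web Crans
        - {from: lutim.crans.org, to: 10.231.136.69}
        - {from: zero.crans.org, to: 10.231.136.76}
        - {from: pad.crans.org, to: 10.231.136.76}
        - {from: ethercalc.crans.org, to: 10.231.136.203}
        - {from: mediadrop.crans.org, to: 10.231.136.106}
        - {from: videos.crans.org, to: 10.231.136.106}
        - {from: video.crans.org, to: 10.231.136.106}
        - {from: roundcube.crans.org, to: 10.231.136.105}
        - {from: phabricator.crans.org, to: 10.231.136.123}
        - {from: trackerusercontent.crans.org, to: 10.231.136.123}
        - {from: cas.crans.org, to: 10.231.136.18}
        - {from: auth.crans.org, to: 10.231.136.18}
        - {from: login.crans.org, to: 10.231.136.18}
        - {from: webmail.crans.org, to: 10.231.136.107}
        - {from: horde.crans.org, to: 10.231.136.107}
        - {from: owncloud.crans.org, to: 10.231.136.26}
        - {from: ftps.crans.org, to: 10.231.136.98}
        - {from: wiki.crans.org, to: 10.231.136.204}
        - {from: www.crans.org, to: 10.231.136.46}
        - {from: doc.crans.org, to: 10.231.136.46}
        - {from: limesurvey.crans.org, to: 10.231.136.253}
        - {from: perso.crans.org, to: 10.231.136.1}
        - {from: webnews.crans.org, to: 10.231.136.63}
        - {from: re2o.crans.org, to: 10.231.136.9}
        - {from: intranet.crans.org, to: 10.231.136.9}
        - {from: autoconfig.crans.org, to: 10.231.136.46}
        - {from: grafana.crans.org, to: 10.231.136.102}
        # Backend listens on a non-default port: keep host:port quoted.
        - {from: webirc.crans.org, to: "10.231.136.1:9000"}
        # Only backend outside the 10.231.136.x range; confirm this is intended.
        - {from: framadate.crans.org, to: 185.230.79.194}
        # Zamok
        - {from: install-party.crans.org, to: 10.231.136.1}
        - {from: med.crans.org, to: 10.231.136.1}
        - {from: med-cartons.crans.org, to: 10.231.136.1}
        - {from: amap.crans.org, to: 10.231.136.1}
        - {from: pot-vieux.crans.org, to: 10.231.136.1}
        - {from: bonvivens.crans.org, to: 10.231.136.1}
      # Plain HTTP redirects (no proxying) from legacy or alias names.
      redirect_sites:
        - {from: crans.org, to: www.crans.org}
        # Aliases or legacy support
        - {from: factures.crans.org, to: intranet.crans.org}
        - {from: accounts.crans.org, to: intranet.crans.org}
        - {from: intranet2.crans.org, to: intranet.crans.org}
        - {from: clubs.crans.org, to: perso.crans.org}
        - {from: task.crans.org, to: phabricator.crans.org}
        - {from: adopteunpingouin.crans.org, to: install-party.crans.org}
        - {from: i-p.crans.org, to: install-party.crans.org}
        # To the wiki
        - {from: wikipedia.crans.org, to: wiki.crans.org}
        - {from: wifi.crans.org, to: wiki.crans.org/CransD%C3%A9marrage}
        - {from: television.crans.org, to: wiki.crans.org/CransTv}
        - {from: tv.crans.org, to: wiki.crans.org/CransTv}
        # ENS Cachan
        - {from: crans.ens-cachan.fr, to: www.crans.org}
        - {from: install-party.ens-cachan.fr, to: install-party.crans.org}
  roles:
    - certbot
    - nginx-reverseproxy

# Wildcard certificate for the adm zone, using a separate TSIG key and secret
# so the public `certbot_challenge.` key cannot touch adm.crans.org.
- name: Deploy adm.crans.org certificate on gitzly
  hosts: gitzly.adm.crans.org
  vars:
    certbot:
      dns_rfc2136_name: certbot_adm_challenge.
      dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
      mail: root@crans.org
      certname: adm.crans.org
      domains: "*.adm.crans.org"
    bind:
      masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
  roles:
    - certbot

# Deploy firewall
# NOTE(review): no role is applied yet, so this play currently configures
# nothing. gulp is also a BGP router (see below); until a firewall role
# exists, Ansible provides no filtering on it and this play must not be
# taken as evidence that one is in place.
- name: Deploy firewall (TODO, no role yet)
  hosts: gulp.adm.crans.org
  roles: []  # TODO

# Deploy Unifi Controller
- name: Deploy Unifi controller
  hosts: unifi.adm.crans.org
  roles:
    - unifi-controller

# Configure routers
# Common router setup: log-everything role plus the Quagga base install.
- name: Configure routers
  hosts: gulp.adm.crans.org,odlyd.adm.crans.org,ipv6-zayo.adm.crans.org
  roles:
    - logall
    - quagga

# Deploy BGP server configuration on IPv4 routers
# Both IPv4 routers announce 185.230.76.0/22 as AS204515 to the upstream
# neighbor in AS8218. The zebra vty password comes from the vault.
- name: Deploy BGP configuration on IPv4 routers
  hosts: gulp.adm.crans.org,odlyd.adm.crans.org
  vars:
    zebra:
      password: "{{ vault_zebra_password }}"
    bgp:
      as: 204515
      router_id: 158.255.113.73
      network: 185.230.76.0/22
      neighbor: 158.255.113.72
      remote_as: 8218
  roles:
    - quagga-ipv4

# Deploy BGP server configuration on IPv6 routers
# Same AS and upstream as above, announcing the 2a0c:700::/32 IPv6 prefix.
- name: Deploy BGP configuration on IPv6 routers
  hosts: ipv6-zayo.adm.crans.org
  vars:
    zebra:
      password: "{{ vault_zebra_password }}"
    bgp:
      as: 204515
      router_id: 138.231.136.200
      network: 2a0c:700::/32
      neighbor: 2001:1b48:2:103::bb:1
      remote_as: 8218
  roles:
    - quagga-ipv6

# Deploy postfix on mail servers
# Both hosts are configured as public secondary MX with DKIM enabled and no
# mailman; the `titanic` flag distinguishes the two (meaning is defined in
# the postfix role).
- name: Deploy Postfix on titanic
  hosts: titanic.adm.crans.org
  vars:
    postfix:
      primary: false
      secondary: true
      public: true
      dkim: true
      mailman: false
      titanic: true
  roles:
    - postfix

- name: Deploy Postfix on sputnik
  hosts: sputnik.adm.crans.org
  vars:
    postfix:
      primary: false
      secondary: true
      public: true
      dkim: true
      mailman: false
      titanic: false
  roles:
    - postfix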