kes tu es borné⋅e toi !

09820c3b · shirenn · ynerant · ab783525 · ab783525 · ab783525
Verified Commit 09820c3b authored 3 years ago by shirenn 🌊 Committed by ynerant 2 years ago
--- a/group_vars/cachan/borg.yml
+++ b/group_vars/cachan/borg.yml
---
-glob_borg:
-  to_exclude:
-    - /var/lib/lxcfs
-  to_backup:
-    - /etc
-    - /var
-  path: /backup/borg
-  remote:
-    - borg@zephir.cachan-adm.crans.org:/backup/borg/{{ ansible_hostname }}
-  retention:
-    - ["daily", 4]
-    - ["monthly", 6]
-  consistency_check:
-    - disabled
-  extra_init:
-    - make-parent-dirs
-  encryption_passphrase: "{{ vault.borgbackup_passwd }}"
-  ssh_privkey: "{{ vault.borgbackup_ssh_privkey }}"
-  ssh_options: ""
--- a/group_vars/cachan/home_nounou.yml
+++ b/group_vars/cachan/home_nounou.yml
---
-glob_home_nounou:
-  mounts:
-    - ip: "{{ query('ldap', 'ip', 'charybde', 'cachan-adm') | ipv4 | first }}"
-      mountpoint: /pool/home
-      target: /home_nounou
-      name: home_nounou
-      owner: root
-      group: _user
-      mode: '0750'
--- a/group_vars/cachan/network_interfaces.yml
+++ b/group_vars/cachan/network_interfaces.yml
---
-glob_network_interfaces:
-  vlan:
-    - name: cachan_adm
-      id: 10
-      dns: "{{ query('ldap', 'ip', 'routeur-gulp', 'cachan-adm') | ipv4 | first }}"
-      extra:
-        - "post-up /sbin/ip route add 172.16.10.0/24 via {{ query('ldap', 'ip', 'terenez', 'cachan-adm') | ipv4 | first }}"
-    - name: infra
-      id: 11
-      dns: "{{ query('ldap', 'ip', 'routeur-gulp', 'infra') | ipv4 | first }}"
--- a/group_vars/cachan/ntp.yml
+++ b/group_vars/cachan/ntp.yml
---
-loc_ntp_client:
-  servers:
-    - ntp.cachan-adm.crans.org
--- a/group_vars/cachan/prometheus_node_exporter.yaml
+++ b/group_vars/cachan/prometheus_node_exporter.yaml
---
-glob_prometheus_node_exporter:
-  listen_addr: "{{ query('ldap', 'ip', ansible_hostname, 'cachan-adm') | ipv4 | first }}"
--- a/group_vars/mirror_backend.yml
+++ b/group_vars/mirror_backend.yml
@@ -6,7 +6,7 @@ glob_ftpsync:
    info:
      maintainer: Les Nounous <contact@crans.org>
      country: FR
-      location: Cachan, Île-de-France
+      location: Gif-sur-Yvette, Île-de-France
  targets:
    - name: main
      dest: debian

--- a/group_vars/vsftpd_cameras.yml
+++ b/group_vars/vsftpd_cameras.yml
---
-glob_vsftpd_cameras:
-  local: yes
-  write: yes
-  userlist:
-    - cameras
--- a/host_vars/charybde.cachan-adm.crans.org.yml
+++ b/host_vars/charybde.cachan-adm.crans.org.yml
---
-debian_mirror: 'file:/pool/mirror/pub/debian'
-
-interfaces:
-  cachan_adm: eth0.10
-  infra: eth0.111
-
-loc_ntp_server:
-  open:
-    - 172.17.10.0/24
-    - 172.16.32.0/22
--- a/host_vars/codichotomie.adm.crans.org.yml
+++ b/host_vars/codichotomie.adm.crans.org.yml
---
-interfaces:
-  adm: eth0
-  srv_nat: eth1
--- a/host_vars/omnomnom.cachan-adm.crans.org.yml
+++ b/host_vars/omnomnom.cachan-adm.crans.org.yml
---
-interfaces:
-  cachan_adm: eno1.10
--- a/host_vars/zamok-tmtc.adm.crans.org.yml
+++ b/host_vars/zamok-tmtc.adm.crans.org.yml
---
-interfaces:
-  adm: eth0
-  san: eth1
--- a/host_vars/zephir.cachan-adm.crans.org.yml
+++ b/host_vars/zephir.cachan-adm.crans.org.yml
---
-interfaces:
-  cachan_adm: eno1
-
-loc_borg:
-  remote:
-    - /backup/borg/{{ ansible_hostname }}
--- a/hosts
+++ b/hosts
@@ -10,8 +10,6 @@ hodaur.adm.crans.org
 cameron.adm.crans.org

 [backups]
-zephir.cachan-adm.crans.org
-omnomnom.cachan-adm.crans.org

 [baie]
 cameron.adm.crans.org
@@ -149,7 +147,6 @@ thelounge
 wiki

 [ntp_server]
-charybde.cachan-adm.crans.org
 eclat.adm.crans.org

 [opendkim:children]
@@ -263,18 +260,9 @@ sputnik.adm.crans.org

 [wireguard]
 boeing.adm.crans.org
-charybde.cachan-adm.crans.org
 sputnik.adm.crans.org
 vol447.adm.crans.org

-[cachan:children]
-cachan_physical
-
-[cachan_physical]
-charybde.cachan-adm.crans.org
-omnomnom.cachan-adm.crans.org
-zephir.cachan-adm.crans.org
-
 [crans_routeurs:children]
 routeurs_vm

@@ -287,7 +275,6 @@ zbee.adm.crans.org
 [crans_physical:children]
 backups
 baie
-cachan_physical
 virtu

 [crans_vm]
@@ -344,115 +331,6 @@ sputnik.adm.crans.org
 crans_physical
 crans_vm

-[crans_unifi]
-0g-2.infra.crans.org
-0g-3.infra.crans.org
-0g-4.infra.crans.org
-0h-2.infra.crans.org
-0h-3.infra.crans.org
-0m-2.infra.crans.org
-1g-1.infra.crans.org
-1g-3.infra.crans.org
-1g-4.infra.crans.org
-1g-5.infra.crans.org
-1h-2.infra.crans.org
-1h-3.infra.crans.org
-1i-2.infra.crans.org
-1i-3.infra.crans.org
-1j-2.infra.crans.org
-1j-3.infra.crans.org
-1m-1.infra.crans.org
-1m-2.infra.crans.org
-1m-5.infra.crans.org
-2a-1.infra.crans.org
-2b-3.infra.crans.org
-2c-2.infra.crans.org
-2c-3.infra.crans.org
-2g-1.infra.crans.org
-2g-3.infra.crans.org
-2g-5.infra.crans.org
-2h-2.infra.crans.org
-2h-3.infra.crans.org
-2i-2.infra.crans.org
-2i-3.infra.crans.org
-2j-2.infra.crans.org
-2j-3.infra.crans.org
-2m-2.infra.crans.org
-3a-2.infra.crans.org
-3b-3.infra.crans.org
-3c-2.infra.crans.org
-3c-3.infra.crans.org
-3g-1.infra.crans.org
-3g-5.infra.crans.org
-3h-2.infra.crans.org
-3h-3.infra.crans.org
-3i-2.infra.crans.org
-3i-3.infra.crans.org
-3j-2.infra.crans.org
-3m-2.infra.crans.org
-3m-4.infra.crans.org
-3m-5.infra.crans.org
-4a-1.infra.crans.org
-4a-2.infra.crans.org
-4a-3.infra.crans.org
-4b-1.infra.crans.org
-4c-2.infra.crans.org
-4c-3.infra.crans.org
-4g-1.infra.crans.org
-4g-3.infra.crans.org
-4g-5.infra.crans.org
-4h-2.infra.crans.org
-4h-3.infra.crans.org
-4i-2.infra.crans.org
-4i-3.infra.crans.org
-4j-1.infra.crans.org
-4j-2.infra.crans.org
-4j-3.infra.crans.org
-4m-2.infra.crans.org
-4m-4.infra.crans.org
-5a-1.infra.crans.org
-5b-1.infra.crans.org
-5c-1.infra.crans.org
-5g-1.infra.crans.org
-5g-3.infra.crans.org
-5m-4.infra.crans.org
-6a-1.infra.crans.org
-6a-2.infra.crans.org
-6c-1.infra.crans.org
-adonis.infra.crans.org # 5a
-atlas.infra.crans.org # 1a
-baba-au-rhum.infra.crans.org # 3b
-bacchus.infra.crans.org # 1b
-baucis.infra.crans.org # 2b
-bellerophon.infra.crans.org # 2b
-benedict-cumberbatch.infra.crans.org # 1b
-benthesicyme.infra.crans.org # 4b
-boree.infra.crans.org # 6b
-branchos.infra.crans.org # 3b
-calypso.infra.crans.org # 4c
-chaos.infra.crans.org # 1c
-chronos.infra.crans.org # 2c
-crios.infra.crans.org # 3c
-gaia.infra.crans.org # 0g
-hades.infra.crans.org # 4h
-hephaistos.infra.crans.org # 1h
-hermes.infra.crans.org # 3h
-hypnos.infra.crans.org # 2h
-iaso.infra.crans.org # 1i
-idothee.infra.crans.org # 3i
-idyie.infra.crans.org # 0i
-ino.infra.crans.org # 2i
-ioke.infra.crans.org # 4i
-jaipudidees.infra.crans.org # 2j
-jaipudpapier.infra.crans.org # 3j
-japavolonte.infra.crans.org # 1j
-jesuischarlie.infra.crans.org # 0j
-jveuxduwifi.infra.crans.org # 0j
-mania.infra.crans.org # 2m
-marquis.infra.crans.org # manoir
-mercure.infra.crans.org # 3m
-#5m-5.infra.crans.org Déplacée au 2b
-
 [ilo_snmp]
 ilo-daniel.adm.crans.org
 ilo-ft.adm.crans.org

--- a/re2o.yml
+++ b/re2o.yml
-#!/usr/bin/env ansible-playbook
---
-# THIS FILE SHOULD BE UPDATED TO NEW INFRA AND THE MERGED TO plays/
-
-# Deploy services config on all servers
- hosts: server
-  vars:
-    re2o:
-      server: re2o.adm.crans.org
-      service_user: "{{ vault.re2o_service_user }}"
-      service_password: "{{ vault.re2o_service_password }}"
-    mail_server: smtp.adm.crans.org
-  roles:
-    - re2o-services
-
-# Deploy re2o dns service on dns server
- hosts: silice.adm.crans.org
-  roles:
-    - re2o-dns
-
-# Deploy re2o notif-users service on zamok
- hosts: zamok.adm.crans.org
-  roles:
-    - re2o-notif-users
-
-# Deploy re2o firewall on servers
- hosts: zamok.adm.crans.org
-  roles:
-    - re2o-firewall
-
-# Re2o firewall specific configuration for ipv6-zayo
- hosts: ipv6-zayo.adm.crans.org
-  roles:
-    - re2o-firewall-ipv6-zayo
-
-# Re2o firewall specific configuration for zamok
- hosts: zamok.adm.crans.org
-  roles:
-    - re2o-firewall-zamok
-
-# Deploy re2o mail-server on MTA and MDA
- hosts: titanic.adm.crans.org,sputnik.adm.crans.org
-  roles:
-    - re2o-mail-server
--- a/roles/logall-cachan/tasks/main.yml
+++ b/roles/logall-cachan/tasks/main.yml
---
- name: Deploy firewall rsyslog
-  template:
-    src: rsyslog.d/10-firewall.conf.j2
-    dest: /etc/rsyslog.d/10-firewall.conf
-    mode: 0644
-    owner: root
-    group: root
-
- name: Create firewall log directory
-  file:
-    path: /var/log/firewall
-    mode: 0755
-    owner: root
-    group: root
-    state: directory
-
- name: Deploy firewall logrotate
-  template:
-    src: logrotate.d/firewall.j2
-    dest: /etc/logrotate.d/firewall
-    mode: 0644
-    owner: root
-    group: root
--- a/roles/logall-cachan/templates/logrotate.d/firewall.j2
+++ b/roles/logall-cachan/templates/logrotate.d/firewall.j2
-{{ ansible_header | comment }}
-
-/var/log/firewall/trace.log
-/var/log/firewall/filtre.log
-/var/log/firewall/iptables.err
-/var/log/firewall/iptables.log {
-    rotate 1
-        weekly
-        missingok
-        notifempty
-        compress
-        postrotate
-        /usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
-    endscript
-}
-/var/log/firewall/logall.log {
-    daily
-        compress
-        compresscmd /bin/bzip2
-        uncompresscmd /bin/bunzip2
-        compressext .bz2
-        rotate 365
-        notifempty
-        sharedscripts
-        postrotate
-        /usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
-    endscript
-}
--- a/roles/logall-cachan/templates/rsyslog.d/10-firewall.conf.j2
+++ b/roles/logall-cachan/templates/rsyslog.d/10-firewall.conf.j2
-{{ ansible_header | comment }}
-#$ModLoad imklog #Déjà présent dans rsyslog.conf
-
-# Messages du firewall (ie de sa génération)
-if $programname == 'firewall' and $syslogseverity <= '3' then /var/log/firewall/iptables.err
-
-if $programname == 'firewall' then /var/log/firewall/iptables.log
-
-
-# kernel (facility = 0):
-# Discard broadcast (sinon trop de spam)
-# Note: on discard tout au final, sinon, on risquerait d'envoyer du contenu
-# (LOG_ALL est dans PREROUTING donc je sais pas si ça compte, mais je veux
-# pas essayer)
-if $syslogfacility == '0' and $msg contains 'ff:ff:ff:ff:ff:ff' then ~
-
-# LOG_ALL pour … je sais plus à quoi ça sert …
-if $syslogfacility == '0' and $msg contains 'LOG_ALL' and ($msg contains 'SRC=10.' or $msg contains 'SRC=100.64.' or $msg contains 'SRC=172.16.' or $msg contains 'SRC=185.230.76.' or $msg contains 'SRC=185.230.77.' or $msg contains 'SRC=185.230.78.' or $msg contains 'SRC=185.230.79.' or $msg contains 'SRC=2a0c:0700:') then /var/log/firewall/logall.log
-&   ~
-
-# LOG_MAC_IP pour l'association mac_ip en ipv6
-if $syslogfacility == '0' and $msg contains 'LOG_MAC_IP' then ~
-
-# TRACE
-if $syslogfacility == '0' and $msg contains 'TRACE:' then /var/log/firewall/trace.log
-&   ~
-
-# filtre.log était parsé par un script pour gérer les déconnexions
-#if $syslogfacility == '0' and $msg contains 'DST=' then /var/log/firewall/filtre.log
-#&   ~
-
-if $syslogfacility == '0' and $msg contains 'LOG_ALL' then ~
--- a/roles/unifi-controller/tasks/main.yml
+++ b/roles/unifi-controller/tasks/main.yml
---
-# Install HTTPS support for APT
- name: Install apt-transport-https
-  apt:
-    update_cache: true
-    name:
-      - apt-transport-https
-      - gpg
-      - dirmngr
-    state: present
-  register: apt_result
-  retries: 3
-  until: apt_result is succeeded
-
-# Add the key
- name: Configure the apt key
-  apt_key:
-    keyserver: keyserver.ubuntu.com
-    id: 06E85760C0A52C50
-    state: present
-  register: apt_key_result
-  retries: 3
-  until: apt_key_result is succeeded
-  loop:
-
-# Add the repository into source list
- name: Configure unifi repository
-  apt_repository:
-    repo: "{{ item }}"
-    state: present
-  loop:
-    - deb http://www.ui.com/downloads/unifi/debian stable ubiquiti
-
- name: Install unifi
-  apt:
-    update_cache: true
-    name: unifi
-    state: present
-  register: apt_result
-  retries: 3
-  until: apt_result is succeeded
-
- name: Indicate role in motd
-  template:
-    src: update-motd.d/05-service.j2
-    dest: /etc/update-motd.d/05-unifi-controller
-    mode: 0755
--- a/roles/unifi-controller/templates/update-motd.d/05-service.j2
+++ b/roles/unifi-controller/templates/update-motd.d/05-service.j2
-#!/usr/bin/tail +14
-{{ ansible_header | comment }}
-> Le contrôleur Unifi a été déployé sur cette machine.
--- a/upgrade.yml
+++ b/upgrade.yml
-#!/usr/bin/env ansible-playbook
---
-# This is a special playbook to upgrade a server, be careful!
- hosts: server,test_vm
-  tasks:
-    - name: Upgrade
-      apt:
-        upgrade: dist
-        update_cache: true
-      register: apt_result
-      retries: 3
-      until: apt_result is succeeded
-
-    - name: Clean unwanted olderstuff
-      apt:
-        autoremove: true
-        purge: true
-      register: apt_result
-      retries: 3
-      until: apt_result is succeeded
-
- hosts: owncloud-srv.adm.crans.org
-  become_user: www-data
-  become: true
-  vars:
-    # Owncloud command line interface
-    occ_bin: '/var/www/owncloud/occ'
-  tasks:
-    - name: Upgrade owncloud
-      command: "{{ occ_bin }} upgrade"
-      register: upgrade_owncloud
-      failed_when:
-        # occ return code is 3 when ownCloud is already latest version
-        - upgrade_owncloud.rc != 0
-        - upgrade_owncloud.rc != 3
-      changed_when:
-        - upgrade_owncloud.rc != 3
-
-    - name: Upgrade owncloud output
-      debug:
-        msg:
-          - "stdout: {{ upgrade_owncloud.stdout_lines }}"
-          - "stderr: {{ upgrade_owncloud.stderr_lines }}"
-      when: not ansible_check_mode
-
-    - name: Disable maintenance mode
-      command: "{{ occ_bin }} maintenance:mode --off"
-      when:
-        - not ansible_check_mode
-        # Maintenance mode has not been enabled.
-        - upgrade_owncloud.rc != 3