diff --git a/base.yml b/base.yml
index 4b1b5008086da797f307f10b701edaf78d9e834d..88cc11b881238348bf97a657494bc9aff2882817 100755
--- a/base.yml
+++ b/base.yml
@@ -1,52 +1,40 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Set variable adm_iface for all servers
-- import_playbook: plays/get_adm_iface.yml
+# - hosts: server
+#   tasks:
+#     - name: Register adm interface in adm_iface variable
+#       shell: set -o pipefail && grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+#       register: adm_iface
+#       check_mode: false
+#       changed_when: true
+#       args:
+#         executable: /bin/bash
 
-# Common CRANS configuration for all servers
-- hosts: server
-  vars:
-    # Debian mirror on adm
-    debian_mirror: http://mirror.adm.crans.org/debian
-    debian_components: main non-free
 
-    # LDAP binding
-    ldap_base: 'dc=crans,dc=org'
-    ldap_master_ipv4: '10.231.136.19'
-    ldap_local_replica_uri:
-      - "ldap://10.231.136.38"
-      - "ldap://10.231.136.4"
-    ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
-    ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
-    ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
-    ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
-
-    # Group permissions
-    ssh_allow_groups: ssh nounou apprenti cableur root
-
-    # Scripts will tell users to go there to manage their account
-    intranet_url: 'https://intranet.crans.org/'
-
-    # Will be in /usr/scripts/
-    crans_scripts_git: "http://gitlab.adm.crans.org/nounous/scripts.git"
+- hosts: otis.adm.crans.org
+  roles:
+    - ansible
 
-    # NTP servers
-    ntp_servers:
-      - charybde.adm.crans.org
-      - silice.adm.crans.org
+# Tools for members
+- hosts: zamok.adm.crans.org
   roles:
-    - common-tools
-    - debian-apt-sources
-    - ldap-client
-    - openssh
-    - sudo
-    - ntp-client
-    - crans-scripts
-    - root-config
+#     - zamok-tools
 
-- import_playbook: plays/mail.yml
+# - import_playbook: plays/mail.yml
 - import_playbook: plays/nfs.yml
-- import_playbook: plays/logs.yml
-- import_playbook: plays/backup.yml
-- import_playbook: plays/network-interfaces.yml
-- import_playbook: plays/monitoring.yml
+# - import_playbook: plays/logs.yml
+# - import_playbook: plays/backup.yml
+# - import_playbook: plays/network-interfaces.yml
+# - import_playbook: plays/monitoring.yml
+# - import_playbook: plays/generate_documentation.yml
+
+# Services that only apply to a subset of server
+# - import_playbook: plays/tv.yml
+# - import_playbook: plays/mailman.yml
+# - import_playbook: plays/dhcp.yml
+# - import_playbook: plays/dns.yml
+# - import_playbook: plays/wireguard.yml
+# - import_playbook: plays/mirror.yml
+# - import_playbook: plays/owncloud.yml
+# - import_playbook: plays/reverse-proxy.yml
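Review bot: The `- hosts: zamok.adm.crans.org` play is left with a `roles:` key whose only child is commented out, so it parses as `roles: null`; Ansible tends to treat that as an empty role list, but it reads as an accidental no-op, so either remove the play or make the intent explicit with `roles: []  # TODO: zamok-tools` . The `- hosts: otis.adm.crans.org` play above it targets a host that this same commit drops from `[crans_vm]` in `hosts`, so unless otis is defined elsewhere the play selects nothing. The removed common play also applied `openssh`, and nothing in this diff re-adds it (`plays/root.yml` brings back `ldap-client` and `ntp-client` only), so sshd configuration appears to fall out of the default run. If the commented `adm_iface` play and the nine commented `import_playbook` lines are parked for a migration, a one-line comment at the top saying so would help more than the retained bodies.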
diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml
index 061428b9186fdea524b649e320c253695c1160e2..44aee99313dd6fc6fb6000ba16433defa7790fc6 100644
--- a/group_vars/all/vars.yaml
+++ b/group_vars/all/vars.yaml
@@ -16,28 +16,39 @@ ansible_header: |
 # Crans subnets
 adm_subnet: 10.231.136.0/24
 
-# Role rsync-client
-to_backup:
-  - {
-  name: "var",
-  path: "/var",
-  auth_users: "backupcrans",
-  secrets_file: "/etc/rsyncd.secrets",
-  hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"],
-  }
-  - {
-  name: "slash",
-  path: "/",
-  auth_users: "backupcrans",
-  secrets_file: "/etc/rsyncd.secrets",
-  hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"],
-  }
+# # Role rsync-client
+# to_backup:
+#   - {
+#   name: "var",
+#   path: "/var",
+#   auth_users: "backupcrans",
+#   secrets_file: "/etc/rsyncd.secrets",
+#   hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"],
+#   }
+#   - {
+#   name: "slash",
+#   path: "/",
+#   auth_users: "backupcrans",
+#   secrets_file: "/etc/rsyncd.secrets",
+#   hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"],
+#   }
+#
+# re2o:
+#   server: re2o.adm.crans.org
+#   service_user: "{{ vault_re2o_service_user }}"
+#   service_password: "{{ vault_re2o_service_password }}"
+#
+#
+# # global server definitions
+# mail_server: smtp.adm.crans.org
+glob_ldap:
+  servers:
+    - 172.16.10.1
+    - 172.16.10.11
+    - 172.16.10.12
+    - 172.16.10.13
+  base: 'dc=crans,dc=org'
+  local: false # local configuration but default value
 
-re2o:
-  server: re2o.adm.crans.org
-  service_user: "{{ vault_re2o_service_user }}"
-  service_password: "{{ vault_re2o_service_password }}"
-
-
-# global server definitions
-mail_server: smtp.adm.crans.org
+home_nounous:
+  ip: 172.16.10.1
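Review bot: `mail_server` is removed from the all-group vars here and only reappears in `group_vars/dhcp.yml`, so any template that references `mail_server` on a host outside the `dhcp` group now hits an undefined variable; if the value is meant to be global, keep `mail_server: smtp.adm.crans.org` here and override it in the group file. The inline comment on `local: false # local configuration but default value` is hard to parse and needs two spaces before `#` for yamllint; `local: false  # default; set true on hosts running their own slapd` says the same thing plainly (if that is indeed the meaning). The commented-out `to_backup` and `re2o` blocks still carry the vault variable names; if the backup role is really gone, deleting them is cleaner than keeping them as comments.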
diff --git a/group_vars/crans_server/vars.yml b/group_vars/crans_server/vars.yml
new file mode 100644
index 0000000000000000000000000000000000000000..136ce4abe79c7efbfc9d604e595077dbfd529865
--- /dev/null
+++ b/group_vars/crans_server/vars.yml
@@ -0,0 +1,9 @@
+ldap:
+  local: False
+  servers: ["172.16.1.1"]
+  base: "dc=crans,dc=org"
+
+
+# Parameters for debian mirror
+debian_mirror: http://mirror.adm.crans.org/debian
+debian_components: main non-free
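Review bot: The `ldap` mapping defined here is shadowed on every run of `plays/root.yml`, which sets `ldap: '{{ glob_ldap | combine(loc_ldap | default({})) }}'` as a play var (higher precedence than group_vars), so `servers: ["172.16.1.1"]` and `local: False` are never seen by `ldap-client`; either drop this block or rename it to `loc_ldap` so it takes part in the combine. Its server address also disagrees with `glob_ldap.servers` (`172.16.10.x`) in `group_vars/all/vars.yaml`, which looks like a leftover rather than an override. Minor: `False` should be `false` (yamllint truthy), and the file lacks the `---` document start the other new group_vars files carry.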
diff --git a/group_vars/dhcp.yml b/group_vars/dhcp.yml
index 5054673bcd783bd8573c0b81a4ef462889e0b1f7..f8e16fa90389c109e077bf1a4494b27a9e107bc4 100644
--- a/group_vars/dhcp.yml
+++ b/group_vars/dhcp.yml
@@ -3,80 +3,26 @@
 dhcp:
   authoritative: True
   global_options:
-    - { key: "interface-mtu", value: "1496" }
+    - { key: "interface-mtu", value: "1500" }
   global_parameters: []
   subnets:
-    - network: "10.51.0.0/16"
-      deny_unknown: False
-      vlan: "accueil"
+    - network: "100.64.0.0/16"
+      deny_unknown: True
+      vlan: "adh-nat"
       default_lease_time: "600"
       max_lease_time: "7200"
-      routers: "10.51.0.10"
-      dns: ["10.51.0.152", "10.51.0.4"]
-      domain_name: "accueil.crans.org"
-      domain_search: "accueil.crans.org"
-      options:
-        - { key: "time-servers", value: "10.51.0.10" }
-        - { key: "ntp-servers", value: "10.51.0.10" }
-        - { key: "ip-forwarding", value: "off" }
-      range: ["10.51.1.0", "10.51.255.255"]
-
-    - network: "10.231.148.0/24"
-      deny_unknown: False
-      vlan: "bornes"
-      default_lease_time: "8600"
-      routers: "10.231.148.254"
-      dns: ["10.231.148.152", "10.231.148.4"]
-      domain_name: "borne.crans.org"
-      domain_search: "borne.crans.org"
-      options:
-        - { key: "time-servers", value: "10.231.148.98" }
-        - { key: "ntp-servers", value: "10.231.148.98" }
-        - { key: "ip-forwarding", value: "off" }
-      lease_file: "/var/local/re2o-services/dhcp/generated/dhcp.borne.crans.org.list"
+      routers: "100.64.0.99"
+      dns: ["100.64.0.101", "100.64.0.102"]
+      domain_name: "adh-nat.crans.org"
+      domain_search: "adh-nat.crans.org"
+      options: []
+      lease_file: "/tmp/dhcp.list"
 
-    - network: "185.230.78.0/24"
-      deny_unknown: True
-      vlan: "fil_pub"
-      default_lease_time: "86400"
-      routers: "185.230.78.254"
-      dns: ["185.230.78.152", "185.230.78.4"]
-      domain_name: "adh.crans.org"
-      domain_search: "adh.crans.org"
-      options:
-        - { key: "time-servers", value: "185.230.79.98" }
-        - { key: "ntp-servers", value: "185.230.79.98" }
-        - { key: "ip-forwarding", value: "off" }
-        - { key: "smtp-server", value: "185.230.79.39" }
-      lease_file: "/var/local/re2o-services/dhcp/generated/dhcp.adh.crans.org.list"
-
-    - network: "10.54.0.0/19"
-      deny_unknown: True
-      vlan: "fil_new"
-      default_lease_time: "86400"
-      routers: "10.54.0.254"
-      dns: ["10.54.0.152", "10.54.0.4"]
-      domain_name: "fil.crans.org"
-      domain_search: "fil.crans.org"
-      options:
-        - { key: "time-servers", value: "185.230.79.98" }
-        - { key: "ntp-servers", value: "185.230.79.98" }
-        - { key: "ip-forwarding", value: "off" }
-        - { key: "smtp-server", value: "185.230.79.39" }
-      lease_file: "/var/local/re2o-services/dhcp/generated/dhcp.fil.crans.org.list"
+re2o:
+  server: re2o.adm.crans.org
+  service_user: "ploptotoisverysecure"
+  service_password: "ploptotoisverysecure"
+  dhcp:
+    uri: "/tmp/re2o-dhcp.git"
 
-    - network: "10.53.0.0/19"
-      deny_unknown: False # For Federez
-      vlan: "wifi_new"
-      default_lease_time: "86400"
-      routers: "10.53.0.254"
-      dns: ["10.53.0.152", "10.53.0.4"]
-      domain_name: "wifi.crans.org"
-      domain_search: "wifi.crans.org"
-      options:
-        - { key: "time-servers", value: "185.230.79.98" }
-        - { key: "ntp-servers", value: "185.230.79.98" }
-        - { key: "ip-forwarding", value: "off" }
-        - { key: "smtp-server", value: "185.230.79.39" }
-      lease_file: "/var/local/re2o-services/dhcp/generated/dhcp.wifi.crans.org.list"
-      range: ["10.53.21.0", "10.53.25.254"]
+mail_server: smtp.new-infra.adm.crans.org
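Review bot: `re2o.service_user` and `re2o.service_password` are literal strings in a committed group_vars file, replacing the `{{ vault_re2o_service_user }}` / `{{ vault_re2o_service_password }}` references this commit comments out in `group_vars/all/vars.yaml`; even for throwaway test values, keep the vault indirection (`service_password: "{{ vault_re2o_service_password }}"`) so the pattern cannot survive into production, and if a real credential was pasted here it should be treated as exposed and rotated. `lease_file: "/tmp/dhcp.list"` and `dhcp.uri: "/tmp/re2o-dhcp.git"` point the DHCP server and the re2o checkout at a world-writable directory where any local user can pre-create or symlink the path; the previous `/var/local/re2o-services/dhcp/generated/` location is the safer home unless these are strictly temporary. If they are temporary, a `# TODO` comment next to them would stop the next reader deploying them as-is.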
diff --git a/group_vars/keepalived.yml b/group_vars/keepalived.yml
index c507466e43c6fc7d5cda79a5bc099900dcfa9aed..11fe3e00ea55a2c7e730cbd6bf120e764467f38c 100644
--- a/group_vars/keepalived.yml
+++ b/group_vars/keepalived.yml
@@ -1,52 +1,16 @@
 ---
 
-keepalived:
-  radius:
-    password: "{{ vault_keepalived_radius_password }}"
-    id: 52
-    ipv6: yes
-    zones:
-      - vlan: adm
-        ipv4: 10.231.136.11/24
-        brd: 10.231.136.255
-        ipv6: 2a0c:700:0:2:ad:adff:fef0:f002/64
-      - vlan: bornes
-        ipv4: 10.231.148.11/24
-        brd: 10.231.148.255
-        ipv6: fd01:240:fe3d:3:ad:adff:fef0:f003/64
-      - vlan: switches
-        ipv4: 10.231.100.11/24
-        brd: 10.231.100.255
-        ipv6: fd01:240:fe3d:c804:ad:adff:fef0:f004/64
-  router:
-    password: "{{ vault_keepalived_router_password }}"
-    id: 53
-    ipv6: no
-    zones:
-      - vlan: adm
-        ipv4: 10.231.136.254/24
-        brd: 10.231.136.255
-      - vlan: fil_pub
-        ipv4: 185.230.78.254/24
-        brd: 185.230.78.255
-      - vlan: srv
-        ipv4: 185.230.79.254/24
-        brd: 185.230.79.255
-      - vlan: fil_new # Nat filaire
-        ipv4: 10.54.0.254/16
-        brd: 10.54.255.255
-      - vlan: wifi_new
-        ipv4: 10.53.0.254/16
-        brd: 10.53.255.255
-      - vlan: zayo
-        ipv4: 158.255.113.73/31
-  proxy:
-    password: "{{ vault_keepalived_proxy_password }}"
-    id: 51
-    ipv6: yes
-    zones:
-      - vlan: srv
-        ipv4: 185.230.79.194/32
-        brd: 185.230.79.255
-        ipv6: 2a0c:700:0:24:ba:ccff:feda:aa00/64
-
+glob_keepalived:
+  mail_source: keepalived@crans.org
+  mail_destination: root@crans.org
+  smtp_server: smtp.adm.crans.org
+  pool:
+    dhcp:
+      password: "plopisverysecure"
+      id: 60
+      ipv6: no
+      notify: /usr/scripts/notify-dhcp
+      zones:
+        - vlan: adh-nat
+          ipv4: 100.64.0.99/16
+          brd: 100.64.255.255
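Review bot: `pool.dhcp.password: "plopisverysecure"` is a plaintext VRRP authentication password in a committed file, whereas the removed block took every password from vault (`{{ vault_keepalived_radius_password }}` and friends); use `password: "{{ vault_keepalived_dhcp_password }}"` with the value in the vault file. `ipv6: no` should be `ipv6: false` (the YAML 1.1 spelling is what yamllint's truthy rule flags), and the `administration` key that the template reads for the IPv6 instance is not set for `dhcp`, which is only harmless while `ipv6` stays false. `brd: 100.64.255.255` is now used purely as a flag by the template (the address is recomputed with `ipaddr('broadcast')`), so `brd: true` would be less misleading.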
diff --git a/group_vars/slapd.yml b/group_vars/slapd.yml
new file mode 100644
index 0000000000000000000000000000000000000000..19292dcf2300167b7f71bf5c01fdcfe364975c35
--- /dev/null
+++ b/group_vars/slapd.yml
@@ -0,0 +1,6 @@
+---
+
+glob_slapd:
+  master_ip: 172.16.10.1
+  replication_credentials: "{{ vault_ldap_replication_credentials }}"
+
diff --git a/host_vars/bakdaur.adm.crans.org.yml b/host_vars/bakdaur.adm.crans.org.yml
index b81d2233456766f60464fdf321ecbd28c5655180..358634070ac5fbd2cdf2fa2e8b0f34586200cecf 100644
--- a/host_vars/bakdaur.adm.crans.org.yml
+++ b/host_vars/bakdaur.adm.crans.org.yml
@@ -3,8 +3,9 @@ interfaces:
   adm: eth0
   srv: eth1
 
-keepalived_instances:
-  - name: proxy
-    tag: VI_DAUR
-    state: MASTER
-    priority: 150
+loc_keepalived:
+  instances:
+    - name: proxy
+      tag: VI_DAUR
+      state: MASTER
+      priority: 150
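Review bot: The renamed `loc_keepalived.instances` entry still names the instance `proxy`, but `glob_keepalived.pool` in this commit's `group_vars/keepalived.yml` only defines `dhcp`, so the template's `keepalived.pool[instance.name]` lookup would fail on this host; it is latent only because bakdaur is no longer in the `[keepalived]` inventory group. The same applies to `eap`, `frontdaur`, `gulp`, `odlyd` and `radius`, whose `radius`/`router`/`proxy` instances have no pool entry either. If these hosts are being retired from keepalived, removing the `loc_keepalived` blocks (or adding a `# pool entry removed; restore before re-adding to [keepalived]` comment) avoids a surprise later.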
diff --git a/host_vars/daniel.adm.crans.org.yml b/host_vars/daniel.adm.crans.org.yml
new file mode 100644
index 0000000000000000000000000000000000000000..139b9bd18d048ce5708bf3b6c6a7a7e8875fd72f
--- /dev/null
+++ b/host_vars/daniel.adm.crans.org.yml
@@ -0,0 +1,5 @@
+---
+loc_slapd:
+  ip: 172.16.10.12
+  replica: true
+  replica_rid: 2
diff --git a/host_vars/eap.adm.crans.org.yml b/host_vars/eap.adm.crans.org.yml
index 4e5e746f31b826057381d8208bea5768a51605be..31f6cfa6a623920b1a6cc50b382b8780c78dc821 100644
--- a/host_vars/eap.adm.crans.org.yml
+++ b/host_vars/eap.adm.crans.org.yml
@@ -5,8 +5,9 @@ interfaces:
   bornes: eth1
   switches: eth2
 
-keepalived_instances:
-  - name: radius
-    tag: VI_RAD
-    state: BACKUP
-    priority: 100
+loc_keepalived:
+  instances:
+    - name: radius
+      tag: VI_RAD
+      state: BACKUP
+      priority: 100
diff --git a/host_vars/frontdaur.adm.crans.org.yml b/host_vars/frontdaur.adm.crans.org.yml
index e2fd550b48765832ad60ad53987aff140c77f435..69bfb5ea098bff534c355b7f5409ff2f90450de6 100644
--- a/host_vars/frontdaur.adm.crans.org.yml
+++ b/host_vars/frontdaur.adm.crans.org.yml
@@ -3,8 +3,9 @@ interfaces:
   adm: eth1
   srv: eth0
 
-keepalived_instances:
-  - name: proxy
-    tag: VI_DAUR
-    state: BACKUP
-    priority: 100
+loc_keepalived:
+  instances:
+    - name: proxy
+      tag: VI_DAUR
+      state: BACKUP
+      priority: 100
diff --git a/host_vars/gulp.adm.crans.org.yml b/host_vars/gulp.adm.crans.org.yml
index 1d244937f3bbe55172460e1401a0bd5535074594..6289c70124fe3b3cc88fc17b809365d43ffb461b 100644
--- a/host_vars/gulp.adm.crans.org.yml
+++ b/host_vars/gulp.adm.crans.org.yml
@@ -7,8 +7,9 @@ interfaces:
   wifi_new: ens1f0.22
   zayo: ens1f0.26
 
-keepalived_instances:
-  - name: router
-    tag: VI_ROUT
-    state: MASTER
-    priority: 150
+loc_keepalived:
+  instances:
+    - name: router
+      tag: VI_ROUT
+      state: MASTER
+      priority: 150
diff --git a/host_vars/jack.adm.crans.org.yml b/host_vars/jack.adm.crans.org.yml
new file mode 100644
index 0000000000000000000000000000000000000000..70c60054011cd428318f7397e7e73b185db6d5a9
--- /dev/null
+++ b/host_vars/jack.adm.crans.org.yml
@@ -0,0 +1,5 @@
+---
+loc_slapd:
+  ip: 172.16.10.13
+  replica: true
+  replica_rid: 3
diff --git a/host_vars/odlyd.adm.crans.org.yml b/host_vars/odlyd.adm.crans.org.yml
index 2e0d7c1ebe677008865d8a0a1b1d410d14e542fd..988fb0ca906e86e11fd23bd406bd23615d191ca9 100644
--- a/host_vars/odlyd.adm.crans.org.yml
+++ b/host_vars/odlyd.adm.crans.org.yml
@@ -10,12 +10,13 @@ interfaces:
   srv: ens1f0.24
   zayo: ens1f0.26
 
-keepalived_instances:
-  - name: radius
-    tag: VI_RAD
-    state: BACKUP
-    priority: 50
-  - name: router
-    tag: VI_ROUT
-    state: BACKUP
-    priority: 100
+loc_keepalived:
+  instances:
+    - name: radius
+      tag: VI_RAD
+      state: BACKUP
+      priority: 50
+    - name: router
+      tag: VI_ROUT
+      state: BACKUP
+      priority: 100
diff --git a/host_vars/radius.adm.crans.org.yml b/host_vars/radius.adm.crans.org.yml
index b4a3a4b05845cea3d5af28bd63d0b480c3fb3dbb..da534c10e5303ebe2cb7f9546dbe8c6283733d32 100644
--- a/host_vars/radius.adm.crans.org.yml
+++ b/host_vars/radius.adm.crans.org.yml
@@ -5,8 +5,9 @@ interfaces:
   bornes: eth1
   switches: eth2
 
-keepalived_instances:
-  - name: radius
-    tag: VI_RAD
-    state: MASTER
-    priority: 150
+loc_keepalived:
+  instances:
+    - name: radius
+      tag: VI_RAD
+      state: MASTER
+      priority: 150
diff --git a/host_vars/routeur-daniel.adm.crans.org.yml b/host_vars/routeur-daniel.adm.crans.org.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c3b93c47e9eb5bf9f19946d674621bf3eb4035ca
--- /dev/null
+++ b/host_vars/routeur-daniel.adm.crans.org.yml
@@ -0,0 +1,16 @@
+---
+interfaces:
+  adm: ens18
+  srv: ens19
+  srv-nat: ens20
+  infra: ens21
+  adh: ens22
+  adh-nat: ens23
+
+
+loc_keepalived:
+  instances:
+    - name: dhcp
+      tag: VI_DHCP
+      state: BACKUP
+      priority: 100
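Review bot: The six-entry `interfaces` mapping here is byte-identical to the one in `host_vars/routeur-sam.adm.crans.org.yml`, and both hosts are the only members of the new `crans_routeurs` group; moving the mapping to `group_vars/crans_routeurs.yml` leaves only the `loc_keepalived` block (state and priority) per host, which is the part that really differs. If the interface names are expected to diverge later, a comment saying so would justify the duplication.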
diff --git a/host_vars/routeur-sam.adm.crans.org.yml b/host_vars/routeur-sam.adm.crans.org.yml
new file mode 100644
index 0000000000000000000000000000000000000000..0c4bc74b97d753449532776c60ec921da28b9008
--- /dev/null
+++ b/host_vars/routeur-sam.adm.crans.org.yml
@@ -0,0 +1,16 @@
+---
+interfaces:
+  adm: ens18
+  srv: ens19
+  srv-nat: ens20
+  infra: ens21
+  adh: ens22
+  adh-nat: ens23
+
+
+loc_keepalived:
+  instances:
+    - name: dhcp
+      tag: VI_DHCP
+      state: MASTER
+      priority: 150
diff --git a/host_vars/sam.adm.crans.org.yml b/host_vars/sam.adm.crans.org.yml
new file mode 100644
index 0000000000000000000000000000000000000000..9ed74927b90b31aebb7ae2d2f97dfb6fa230d8e7
--- /dev/null
+++ b/host_vars/sam.adm.crans.org.yml
@@ -0,0 +1,5 @@
+---
+loc_slapd:
+  ip: 172.16.10.11
+  replica: true
+  replica_rid: 1
diff --git a/hosts b/hosts
index 9a3ce0e930cbc2b6addbf1866e35dac116cf37d6..56fefdc026a0b94435a77bbab3ffb00a217b38ee 100644
--- a/hosts
+++ b/hosts
@@ -4,220 +4,74 @@
 # > We name servers according to location, then type.
 # > Then we regroup everything in global geographic and type groups.
 
-[horde]
-horde-srv.adm.crans.org
+# [horde]
+# horde-srv.adm.crans.org
+#
+# [framadate]
+# voyager.adm.crans.org
+#
+# [dhcp]
+# dhcp.adm.crans.org
+# odlyd.adm.crans.org
+#
+# [keepalived]
+# gulp.adm.crans.org
+# odlyd.adm.crans.org
+# eap.adm.crans.org
+# radius.adm.crans.org
+# frontdaur.adm.crans.org
+# bakdaur.adm.crans.org
+#
+# [test_vm]
+# re2o-test.adm.crans.org
+
+[virtu]
+sam.adm.crans.org
+daniel.adm.crans.org
+jack.adm.crans.org
+
+[slapd]
+tealc.adm.crans.org
+sam.adm.crans.org
+daniel.adm.crans.org
+jack.adm.crans.org
 
-[framadate]
-voyager.adm.crans.org
+[keepalived]
+routeur-sam.adm.crans.org
+routeur-daniel.adm.crans.org
 
 [dhcp]
-dhcp.adm.crans.org
-odlyd.adm.crans.org
+routeur-sam.adm.crans.org
+routeur-daniel.adm.crans.org
 
-[keepalived]
-gulp.adm.crans.org
-odlyd.adm.crans.org
-eap.adm.crans.org
-radius.adm.crans.org
-frontdaur.adm.crans.org
-bakdaur.adm.crans.org
 
-[test_vm]
-re2o-test.adm.crans.org
+[crans_routeurs:children]
+dhcp
+keepalived
 
 [crans_physical]
-charybde.adm.crans.org
-cochon.adm.crans.org
-ft.adm.crans.org
-fyre.adm.crans.org
-fz.adm.crans.org
-gateau.adm.crans.org
-gulp.adm.crans.org
-odlyd.adm.crans.org
-omnomnom.adm.crans.org
-stitch.adm.crans.org
-thot.adm.crans.org
-vo.adm.crans.org
-zamok.adm.crans.org
-zbee.adm.crans.org
-zephir.adm.crans.org
+tealc.adm.crans.org
+sam.adm.crans.org
+daniel.adm.crans.org
+jack.adm.crans.org
 
 [crans_vm]
-alice.adm.crans.org
-bakdaur.adm.crans.org
-boeing.adm.crans.org
-cas-srv.adm.crans.org
-#civet.adm.crans.org
-#cups.adm.crans.org
-dhcp.adm.crans.org
-eap.adm.crans.org
-ethercalc-srv.adm.crans.org
-frontdaur.adm.crans.org
-gitzly.adm.crans.org
-horde-srv.adm.crans.org
-ipv6-zayo.adm.crans.org
-irc.adm.crans.org
-jitsi.adm.crans.org
-kenobi.adm.crans.org
-kiwi.adm.crans.org
-lutim.adm.crans.org
-#mediadrop-srv.adm.crans.org
-mailman.adm.crans.org
-nem.adm.crans.org
-#news.adm.crans.org
-otis.adm.crans.org
-owl.adm.crans.org
-owncloud-srv.adm.crans.org
-radius.adm.crans.org
-re2o-bcfg2.adm.crans.org
-re2o-ldap.adm.crans.org
-re2o-srv.adm.crans.org
-redisdead.adm.crans.org
-roundcube-srv.adm.crans.org
-routeur.adm.crans.org
-silice.adm.crans.org
-titanic.adm.crans.org
-tracker.adm.crans.org
-unifi.adm.crans.org
-voyager.adm.crans.org
-xmpp.adm.crans.org
-ytrap-llatsni.adm.crans.org
-sitesweb.adm.crans.org
-
-[crans_unifi]
-0g-2.borne.crans.org
-0g-3.borne.crans.org
-0g-4.borne.crans.org
-0h-2.borne.crans.org
-0h-3.borne.crans.org
-0m-2.borne.crans.org
-1g-1.borne.crans.org
-1g-3.borne.crans.org
-1g-4.borne.crans.org
-1g-5.borne.crans.org
-1h-2.borne.crans.org
-1h-3.borne.crans.org
-1i-2.borne.crans.org
-1i-3.borne.crans.org
-1j-2.borne.crans.org
-1j-3.borne.crans.org
-1m-1.borne.crans.org
-1m-2.borne.crans.org
-1m-5.borne.crans.org
-2a-1.borne.crans.org
-2b-3.borne.crans.org
-2c-2.borne.crans.org
-2c-3.borne.crans.org
-2g-1.borne.crans.org
-2g-3.borne.crans.org
-2g-5.borne.crans.org
-2h-2.borne.crans.org
-2h-3.borne.crans.org
-2i-2.borne.crans.org
-2i-3.borne.crans.org
-2j-2.borne.crans.org
-2j-3.borne.crans.org
-2m-2.borne.crans.org
-3a-2.borne.crans.org
-3b-3.borne.crans.org
-3c-2.borne.crans.org
-3c-3.borne.crans.org
-3g-1.borne.crans.org
-3g-5.borne.crans.org
-3h-2.borne.crans.org
-3h-3.borne.crans.org
-3i-2.borne.crans.org
-3i-3.borne.crans.org
-3j-2.borne.crans.org
-3m-2.borne.crans.org
-3m-4.borne.crans.org
-3m-5.borne.crans.org
-4a-1.borne.crans.org
-4a-2.borne.crans.org
-4a-3.borne.crans.org
-4b-1.borne.crans.org
-4c-2.borne.crans.org
-4c-3.borne.crans.org
-4g-1.borne.crans.org
-4g-3.borne.crans.org
-4g-5.borne.crans.org
-4h-2.borne.crans.org
-4h-3.borne.crans.org
-4i-2.borne.crans.org
-4i-3.borne.crans.org
-4j-1.borne.crans.org
-4j-2.borne.crans.org
-4j-3.borne.crans.org
-4m-2.borne.crans.org
-4m-4.borne.crans.org
-5a-1.borne.crans.org
-5b-1.borne.crans.org
-5c-1.borne.crans.org
-5g-1.borne.crans.org
-5g-3.borne.crans.org
-5m-4.borne.crans.org
-6a-1.borne.crans.org
-6a-2.borne.crans.org
-6c-1.borne.crans.org
-adonis.borne.crans.org # 5a
-atlas.borne.crans.org # 1a
-baba-au-rhum.borne.crans.org # 3b
-bacchus.borne.crans.org # 1b
-baucis.borne.crans.org # 2b
-bellerophon.borne.crans.org # 2b
-benedict-cumberbatch.borne.crans.org # 1b
-benthesicyme.borne.crans.org # 4b
-boree.borne.crans.org # 6b
-branchos.borne.crans.org # 3b
-calypso.borne.crans.org # 4c
-chaos.borne.crans.org # 1c
-chronos.borne.crans.org # 2c
-crios.borne.crans.org # 3c
-gaia.borne.crans.org # 0g
-hades.borne.crans.org # 4h
-hephaistos.borne.crans.org # 1h
-hermes.borne.crans.org # 3h
-hypnos.borne.crans.org # 2h
-iaso.borne.crans.org # 1i
-idothee.borne.crans.org # 3i
-idyie.borne.crans.org # 0i
-ino.borne.crans.org # 2i
-ioke.borne.crans.org # 4i
-jaipudidees.borne.crans.org # 2j
-jaipudpapier.borne.crans.org # 3j
-japavolonte.borne.crans.org # 1j
-jesuischarlie.borne.crans.org # 0j
-jveuxduwifi.borne.crans.org # 0j
-mania.borne.crans.org # 2m
-marquis.borne.crans.org # manoir
-mercure.borne.crans.org # 3m
-#5m-5.borne.crans.org Déplacée au 2b
-
-# TODO Récupérer ces bornes
-#kakia.borne.crans.org # kfet
-#koios.borne.crans.org # kfet
-#gym-1.borne.crans.org # gymnase
-#gym-2.borne.crans.org # gymnase
-#0d-1.borne.crans.org
-
-# TODO La fibre vers le resto U est coupée.
-#rhea.borne.crans.org # resto-univ
-#romulus.borne.crans.org # resto-univ
+routeur-sam.adm.crans.org
+routeur-daniel.adm.crans.org
+belenios # on changera plus tard
 
 [ovh_physical]
-soyouz.adm.crans.org
 sputnik.adm.crans.org
 
 # every server at crans
 [crans_server:children]
 crans_physical
 crans_vm
+crans_routeurs
 
 # everything at crans
 [crans:children]
-crans_physical
-crans_vm
-crans_unifi
+crans_server
 
 # everything at ovh
 [ovh:children]
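Review bot: `belenios # on changera plus tard` is the only host in `[crans_vm]` without the `.adm.crans.org` suffix, so host_vars/group lookups keyed on the FQDN will miss it and it may not resolve like its neighbours; if it is a placeholder, `# belenios.adm.crans.org  # TODO: add when the VM exists` keeps it out of every play until it is real. `routeur-sam` and `routeur-daniel` are listed directly in `[crans_vm]` and again through `[crans_routeurs:children]`, both of which feed `[crans_server:children]`; Ansible de-duplicates hosts, so this is harmless, but the double membership makes the group tree harder to read. `[crans:children]` silently loses `crans_unifi` along with the commented-out access points; a comment saying whether the bornes are intentionally unmanaged for now would help.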
@@ -231,6 +85,7 @@ ovh_physical
 # every virtual machine
 [vm:children]
 crans_vm
+crans_routeurs
 
 # every server
 [server:children]
diff --git a/ldap.yml b/ldap.yml
new file mode 100755
index 0000000000000000000000000000000000000000..5a4d03f4dd019c53736c7fe242d4ffa2967ec9b0
--- /dev/null
+++ b/ldap.yml
@@ -0,0 +1,5 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: daniel
+  roles:
+    - slapd
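Review bot: `hosts: daniel` will not match the inventory entry `daniel.adm.crans.org` (host patterns match the inventory name, not a DNS prefix) unless an alias exists that this diff does not show, so the play selects no hosts; use `hosts: daniel.adm.crans.org`, or better the `slapd` group. The play also applies the `slapd` role without the `slapd: '{{ glob_slapd | combine(loc_slapd | default({})) }}'` and `ldap` vars that `plays/root.yml` sets for the same role, so the role would run with its variables undefined. If this file is meant as a convenience wrapper, `- import_playbook: plays/root.yml` run with `--limit` avoids duplicating the play.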
diff --git a/plays/keepalived.yml b/plays/keepalived.yml
index dc2e7419238f1c9006274aef29acc474875c6919..7b6a6634c62521a570d913b5c96eee13555dfb56 100755
--- a/plays/keepalived.yml
+++ b/plays/keepalived.yml
@@ -1,5 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts: keepalived
+  vars:
+    keepalived: "{{ glob_keepalived | combine(loc_keepalived) }}"
   roles:
     - keepalived
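Review bot: `combine(loc_keepalived)` on the new `vars` line raises an undefined-variable error on any host in the `keepalived` group that has no `loc_keepalived` in host_vars, whereas `plays/root.yml` in the same commit guards the equivalent merges with `| default({})`; use `keepalived: "{{ glob_keepalived | combine(loc_keepalived | default({})) }}"` for consistency. Without `instances` the template's `{% for instance in keepalived.instances %}` would still fail, so the default only turns an obscure error into a clearer one, which is still worth having. `combine` is shallow by default; if a host ever sets `loc_keepalived.pool` it will replace the whole global pool rather than add to it, so `combine(..., recursive=True)` may be the intended semantics.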
diff --git a/plays/nfs.yml b/plays/nfs.yml
index 61ccb4dabe589fb67c39df43f185d10d3cbc5f9a..e4f243ca18e78a1c6f882ff9f9cdc3eef5672cac 100755
--- a/plays/nfs.yml
+++ b/plays/nfs.yml
@@ -7,12 +7,4 @@
 
 # Deploy NFS only on campus
 - hosts: crans_server
-  roles: ["nfs-common"]
-
-# Deploy autofs NFS
-- hosts: crans_server,!odlyd.adm.crans.org,!zamok.adm.crans.org,!omnomnom.adm.crans.org,!owl.adm.crans.org,!owncloud-srv.adm.crans.org
-  roles: ["nfs-autofs"]
-
-# Deploy home permanent
-- hosts: zamok.adm.crans.org,omnomnom.adm.crans.org,owl.adm.crans.org,owncloud-srv.adm.crans.org
-  roles: ["home-permanent"]
+  roles: ["home-nounous"]
diff --git a/plays/root.yml b/plays/root.yml
new file mode 100755
index 0000000000000000000000000000000000000000..2e82cc8af671bf056a16f4152953eef1d3a91c33
--- /dev/null
+++ b/plays/root.yml
@@ -0,0 +1,42 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: virtu
+  roles:
+    - proxmox-apt-sources
+
+- hosts: server
+  vars:
+    # # Will be in /usr/scripts/
+    # crans_scripts_git: "http://gitlab.adm.crans.org/nounous/scripts.git"
+
+    # NTP servers
+    ntp_servers:
+      - charybde.adm.crans.org
+    #   - silice.adm.crans.org
+  roles:
+    - debian-apt-sources
+    - common-tools
+    - sudo
+    - ntp-client
+    # - crans-scripts
+    - root-config
+
+- hosts: crans_vm
+  roles:
+    - qemu-guest-agent
+
+- hosts: slapd
+  vars:
+    slapd: '{{ glob_slapd | combine(loc_slapd | default({})) }}'
+    ldap:
+      private_key: "{{ vault_ldap_private_key }}"
+      certificate: "{{ vault_ldap_certificate }}"
+  roles:
+    - slapd
+
+- hosts: server
+  vars:
+    ldap: '{{ glob_ldap | combine(loc_ldap | default({})) }}'
+  roles:
+    - ldap-client
+    - home-nounous
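Review bot: The `openssh` role that the old `base.yml` common play applied to every server is missing from the `server` role list (`debian-apt-sources`, `common-tools`, `sudo`, `ntp-client`, `root-config`), and nothing else in this diff applies it, so sshd configuration appears to be dropped from the standard run; add `- openssh` or note where it moved. The last play's play-level `ldap` var takes precedence over the `ldap` mapping in `group_vars/crans_server/vars.yml`, making that file dead, and `home-nounous` is applied to all of `server`, which presumably includes the OVH hosts and the NFS server itself; `- hosts: crans_server,!<nfs-server-fqdn>` would be the safer target. `ntp_servers` shrinks to a single entry with the second commented out; a lone time source is a weak point for anything time-sensitive (TLS, Kerberos, log correlation), so either keep two or leave a comment explaining the temporary state.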
diff --git a/roles/common-tools/tasks/main.yml b/roles/common-tools/tasks/main.yml
index 7189b87211ca77b2a7cdd6b3dc72c9efc38c6127..931348a7b995a3ac7ec3885909789f82f3f25984 100644
--- a/roles/common-tools/tasks/main.yml
+++ b/roles/common-tools/tasks/main.yml
@@ -53,6 +53,7 @@
     owner: root
     group: utmp
     mode: '4755'
+  check_mode: no
 
 - name: Deploy screen tmpfile
   template:
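Review bot: `check_mode: no` makes this task (the one ending with `mode: '4755'`, whose header is outside the hunk) execute for real during `ansible-playbook --check`, which for a setuid-root file is exactly the kind of change a dry run is expected not to make; if the intent is only to let a later task that depends on the file work in check mode, say so, e.g. `check_mode: false  # file must exist for the screen tmpfile task even under --check`. Either way spell it `check_mode: false`: `no` is a YAML 1.1 boolean that yamllint's truthy rule rejects and that a 1.2 parser reads as the string "no".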
diff --git a/roles/home-nounous/README.md b/roles/home-nounous/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..80dddb956eb08de74fa5aa397e209975b88dc236
--- /dev/null
+++ b/roles/home-nounous/README.md
@@ -0,0 +1,8 @@
+# HOME-NOUNOUS
+
+Ce rôle permet d'exporter les homes vers les différents serveurs.
+
+## VARS
+
+home_nounous:
+  ip: l'ip du serveur nfs
diff --git a/roles/home-nounous/tasks/main.yml b/roles/home-nounous/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..25c533e04e0cb7d9db750b40e4971e3121e768b6
--- /dev/null
+++ b/roles/home-nounous/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Install NFS client
+  apt:
+    update_cache: true
+    name:
+      - nfs-common
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Deploy nfs systemd mount
+  template:
+    src: systemd/system/home.mount.j2
+    dest: /etc/systemd/system/home.mount
+    mode: 0755
+
+- name: Load and activate nfs systemd mount
+  systemd:
+    name: home.mount
+    daemon_reload: true
+    enabled: true
+    state: started
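Review bot: `mode: 0755` on the systemd unit file is an unquoted octal (YAML 1.1 reads it as the integer 493, which Ansible re-interprets but ansible-lint flags) and gives a unit file an executable bit it does not need; use `mode: '0644'`, matching the quoted form this repo already uses in `roles/common-tools`. The template task also has no `notify`, so a later change to the mount options reaches the unit file but the already-active `home.mount` keeps the old options until a reboot (`state: started` does not restart an active mount); a handler that restarts `home.mount` on change would close that gap.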
diff --git a/roles/home-nounous/templates/systemd/system/home.mount.j2 b/roles/home-nounous/templates/systemd/system/home.mount.j2
new file mode 100644
index 0000000000000000000000000000000000000000..b144343da5fc3ed9e9cf446f109d633d28a852ff
--- /dev/null
+++ b/roles/home-nounous/templates/systemd/system/home.mount.j2
@@ -0,0 +1,14 @@
+{{ ansible_header | comment }}
+[Unit]
+Description=Mount home
+Wants=network-online.target
+After=network-online.target
+
+[Mount]
+What={{ home_nounous.ip }}:/pool/home
+Where=/home
+Type=nfs
+Options=rw,nosuid
+
+[Install]
+WantedBy=multi-user.target
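Review bot: `Options=rw,nosuid` still honours device nodes on a user-writable, network-served `/home`; `Options=rw,nosuid,nodev` is the usual minimum for a home export. With no explicit `vers=` or `sec=` the mount takes the client defaults, which for NFS means `sec=sys`, i.e. the server trusts the UID each client asserts, so any root on any client can read every home. If that trust model is intended for the adm network, a `{# sec=sys by design: clients on adm are trusted #}` comment in the template records the decision; if not, `sec=krb5p` (and the matching export options) needs to be part of this design.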
diff --git a/roles/keepalived/README.md b/roles/keepalived/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..884a783b117faed96012dfac29ed2aa9d4d3133e
--- /dev/null
+++ b/roles/keepalived/README.md
@@ -0,0 +1,38 @@
+# KEEPALIVED
+
+Ce rôle installe keepalived pour permettre la redondance de certain service
+entre plusieurs services.
+/!\ Ce rôle déploie un script pour relancer automatiquement le serveur dhcp /!\
+
+## VARS
+
+keepalived:
+  - mail_destination: a qui envoyé les mails en cas de switching
+  - mail_source: qui envoie les mails
+  - smtp_server: le serveur smtp par qui passer pour envoyer les mails
+  - pool: Une liste de différentes instances installable sur la machine. Les
+    instances sont des dictionnaires comprenant les champs suivant :
+    - name: le nom de l'instance
+    - password: le mot de passe que vont utilisé les marchines d'une même
+      instance pour se synchroniser
+    - id: l'indentifiant qu'elles vont utiliser pour discuter
+    - ipv6: s'il est necessaire de configurer une instance supplémentaire pour
+      de l'ipv6
+    - notify: le script a notifé en cas de switching (s'il n'est pas précisé
+      aucun script n'est utilisé)
+    - administration: le vlan d'administration sur lequel les machines d'une
+      même instances vont discuter
+    - zones: une liste de zone sur lequel vont parler les instances keepalived.
+      Chaque zone est un disctionnaire comprenant les champs suivants:
+      - vlan: le vlan sur lequel est installé la zone
+      - ipv4: l'ipv4 au format CIDR partagé par les machines
+      - brd: s'il faut préciser ou non l'interface de broadcast
+      - ipv6: une ipv6 (elle peut ne pas être précisé, si elle est présente mais
+        que l'instance ne précise pas ipv6, elle sera ignoré)
+  - instances: Une liste d'instance a déployer sur la machine. Les instances
+    sont des dictionnaires comprenant les champs suivants:
+    - name: le nom de linstance a deployer
+    - tag: le petit nom à lui donner
+    - state: l'état (entre BACKUP et MASTER)
+    - priority: la priorité (pour un MASTER on met par défaut 150 puis on reduit
+      de 50 par 50)
diff --git a/roles/keepalived/tasks/main.yml b/roles/keepalived/tasks/main.yml
index 3eaa83acabef78b7745bda1b4fca2f5d6758a8e6..14fc00bd453629dbbf19b7fc8199a5bd93a2c92d 100644
--- a/roles/keepalived/tasks/main.yml
+++ b/roles/keepalived/tasks/main.yml
@@ -13,3 +13,16 @@
     dest: /etc/keepalived/keepalived.conf
     mode: 0644
   notify: Reload keepalived.service
+
+- name: Create scripts directory
+  file:
+    path: /usr/scripts
+    state: directory
+
+- name: Deploy keepalived dhcp scripts
+  template:
+    src: bin/notify-dhcp
+    dest: /usr/scripts/notify-dhcp
+    mode: 0744
+  when: not ansible_check_mode
+  notify: Reload keepalived.service
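Review bot: `notify-dhcp` is executed by keepalived as root on every state transition, yet the `Create scripts directory` task pins neither `owner` nor `mode` on `/usr/scripts`, so whatever permissions the directory already has are inherited (the old `base.yml` comment says `/usr/scripts/` is also the `crans-scripts` checkout target, so a later role may reshape it); add `owner: root`, `group: root`, `mode: '0755'` to the `file` task and `owner: root`, `group: root` to the template task. `mode: 0744` should be quoted (`'0744'`) for the same YAML 1.1 octal reason as elsewhere in the repo. `when: not ansible_check_mode` is unexplained and unnecessary for a `template` task, which supports check mode natively; dropping it lets `--check` report pending script changes.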
diff --git a/roles/keepalived/templates/bin/notify-dhcp b/roles/keepalived/templates/bin/notify-dhcp
new file mode 100755
index 0000000000000000000000000000000000000000..a62ad14c109b8e4ffcc3ec32073fd15c7abd0079
--- /dev/null
+++ b/roles/keepalived/templates/bin/notify-dhcp
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+TYPE=$1
+NAME=$2
+STATE=$3
+
+case $STATE in
+	"MASTER")
+		logger -s '[DHCP-NOTIFY] Entering state MASTER, starting isc-dhcp-server.service'
+		systemctl start isc-dhcp-server.service
+		exit 0;;
+	"BACKUP")
+		logger -s '[DHCP-NOTIFY] Entering state BACKUP, stopping isc-dhcp-server.service'
+		systemctl stop isc-dhcp-server.service
+		exit 0;;
+	"FAULT")
+		logger -s '[DHCP-NOTIFY] Entering state FAULT, stopping isc-dhcp-server.service'
+		systemctl stop isc-dhcp-server.service
+		exit 0;;
+	*)
+		logger -s '[DHCP-NOTIFY] Entering UNKNOWN state, doing nothing'
+		exit 1;;
+esac
+
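Review bot: Each branch ends with `exit 0` regardless of whether `systemctl start`/`stop` succeeded, so keepalived (and the syslog line written just before) reports a clean transition even when the DHCP server failed to start on the new MASTER; use `systemctl start isc-dhcp-server.service || exit 1` (and the same for the two `stop` lines), or `set -e` at the top. `TYPE` and `NAME` are assigned but never used; either drop them or put them in the `logger` messages so the log says which instance transitioned. The file sits under `templates/` but contains no Jinja and lacks the `{{ ansible_header | comment }}` banner the other templates carry; adding that line after the shebang keeps it consistent, and the trailing blank line at end of file can go.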
diff --git a/roles/keepalived/templates/keepalived/keepalived.conf.j2 b/roles/keepalived/templates/keepalived/keepalived.conf.j2
index f0530d8fcec43cd081854315995123e566622b6c..97c93c53b4bbe12540680a06e9bc3422f14e512a 100644
--- a/roles/keepalived/templates/keepalived/keepalived.conf.j2
+++ b/roles/keepalived/templates/keepalived/keepalived.conf.j2
@@ -1,31 +1,33 @@
 {{ ansible_header | comment }}
 
 global_defs {
-  notification_email {
-    root@crans.org
-  }
-  notification_email_from keepalived@crans.org
-  smtp_server smtp.adm.crans.org
+  notification_email { {{ keepalived.mail_destination }} }
+  notification_email_from {{ keepalived.mail_source }}
+  smtp_server {{ keepalived.smtp_server }}
 }
 
-{% for instance in keepalived_instances %}
+{% for instance in keepalived.instances %}
 vrrp_instance {{ instance.tag }}4 {
   state {{ instance.state }}
   priority {{ instance.priority }}
   smtp_alert
 
   interface {{ interfaces.adm }}
-  virtual_router_id {{ keepalived[instance.name].id }}
+  virtual_router_id {{ keepalived.pool[instance.name].id }}
   advert_int 2
   authentication {
     auth_type PASS
-    auth_pass {{ keepalived[instance.name].password }}
+    auth_pass {{ keepalived.pool[instance.name].password }}
   }
 
+{% if keepalived.pool[instance.name].notify is defined %}
+  notify {{ keepalived.pool[instance.name].notify }}
+{% endif %}
+
   virtual_ipaddress {
-{% for zone in keepalived[instance.name].zones %}
-  {% if zone.brd is defined %}
-      {{ zone.ipv4 }} brd {{ zone.brd }} dev {{ interfaces[zone.vlan] }} scope global
+{% for zone in keepalived.pool[instance.name].zones %}
+  {% if zone.brd  %}
+      {{ zone.ipv4 }} brd {{ zone.ipv4 | ipaddr('broadcast') }} dev {{ interfaces[zone.vlan] }} scope global
   {% else %}
       {{ zone.ipv4 }} dev {{ interfaces[zone.vlan] }} scope global
   {% endif %}
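Review bot: `{% if zone.brd %}` replaces `{% if zone.brd is defined %}`, and under Ansible's strict undefined handling a zone that simply omits `brd` (as the old `zayo` zone did) now aborts the template instead of taking the else branch; `{% if zone.brd | default(false) %}` keeps both spellings working. With the broadcast now derived via `ipaddr('broadcast')`, the value of `brd` is ignored and only its truthiness matters, which deserves a template comment such as `{# brd is a flag; the address is computed from ipv4 #}` because `group_vars/keepalived.yml` still stores an address in it. `ipaddr` needs the `netaddr` Python package on the controller and, on newer Ansible releases, comes from a collection rather than core; if controller requirements are tracked anywhere, add it there.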
@@ -33,23 +35,25 @@ vrrp_instance {{ instance.tag }}4 {
   }
 }
 
-{% if keepalived[instance.name].ipv6 %}
+{% if keepalived.pool[instance.name].ipv6 %}
 vrrp_instance {{ instance.tag }}6 {
   state {{ instance.state }}
   priority {{ instance.priority }}
   smtp_alert
 
-  interface {{ interfaces.adm }}
-  virtual_router_id {{ keepalived[instance.name].id }}
+  interface {{ keepalived.pool[instance.name].administration }}
+  virtual_router_id {{ keepalived.pool[instance.name].id }}
   advert_int 2
   authentication {
     auth_type PASS
-    auth_pass {{ keepalived[instance.name].password }}
+    auth_pass {{ keepalived.pool[instance.name].password }}
   }
 
   virtual_ipaddress {
-{% for zone in keepalived[instance.name].zones %}
+{% for zone in keepalived.pool[instance.name].zones %}
+{% if zone.ipv6 is defined %}
       {{ zone.ipv6 }} dev {{ interfaces[zone.vlan] }} scope global
+{% endif %}
 {% endfor %}
   }
 }
diff --git a/roles/ldap-client/README.md b/roles/ldap-client/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..55811bae948b3bbacad38b07a5c4c54c9887767c
--- /dev/null
+++ b/roles/ldap-client/README.md
@@ -0,0 +1,10 @@
+# LDAP-CLIENT
+
+Configure un client ldap pour les utilisateurs
+
+## VARS
+
+ldap:
+  - local: si le serveur est installé en local
+  - servers: la liste des servers ldap a contacté
+  - base: le search term du ldap
diff --git a/roles/ldap-client/tasks/main.yml b/roles/ldap-client/tasks/main.yml
index 8195e6f15466d713b17d160120e2fb1849892cf9..03e68841ad13fc420780b22b0faaac4310c84533 100644
--- a/roles/ldap-client/tasks/main.yml
+++ b/roles/ldap-client/tasks/main.yml
@@ -4,17 +4,14 @@
   apt:
     update_cache: true
     name:
-      - nslcd
       - libnss-ldapd
-      - libpam-ldapd
-      - nscd  # local cache
     state: present
   register: apt_result
   retries: 3
   until: apt_result is succeeded
 
 # Configure /etc/nslcd.conf
-- name: Configure nslcd LDAP credentials
+- name: Configure nslcd
   template:
     src: nslcd.conf.j2
     dest: /etc/nslcd.conf
@@ -26,20 +23,27 @@
   lineinfile:
     dest: /etc/nsswitch.conf
     regexp: "^{{ item }}:"
-    line: "{{ item }}:         files ldap"
+    line: "{{ item }}:         files systemd ldap"
   loop:
     - passwd
     - group
+  notify: Restart nslcd service
+
+- name: Configure NSS to use LDAP
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    regexp: "^{{ item }}:"
+    line: "{{ item }}:         files ldap"
+  loop:
     - shadow
+    - networks
   notify: Restart nslcd service
 
-# Disable passwd and chsh
-- name: Copy passwd and chsh scripts
-  template:
-    src: "bin/{{ item }}.j2"
-    dest: "/usr/local/bin/{{ item }}"
-    mode: 0755
+- name: Configure NSS to use LDAP
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    regexp: "^{{ item }}:"
+    line: "{{ item }}:         files ldap dns"
   loop:
-    - chsh
-    - chsh.ldap
-    - passwd
+    - hosts
+  notify: Restart nslcd service
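Review bot: The `hosts` entry in the last task, `files ldap dns`, puts LDAP ahead of DNS for every hostname lookup on the machine, so any name not in /etc/hosts is first sent to nslcd and, while the LDAP servers are slow or unreachable, resolution stalls for nslcd's timeout before DNS is tried; unless host objects really live in the directory, `files dns ldap` (or leaving `ldap` out of `hosts`) fails more gracefully. The three tasks now share the identical name `Configure NSS to use LDAP`, which makes play output and `--start-at-task` ambiguous; naming them by database, e.g. `Configure NSS passwd/group`, `Configure NSS shadow/networks`, `Configure NSS hosts`, costs nothing. The first hunk also drops `nslcd` from the package list while /etc/nslcd.conf is still templated and `Restart nslcd service` is still notified; this presumably relies on `libnss-ldapd` pulling nslcd in as a dependency, which deserves a comment such as `# nslcd itself is a dependency of libnss-ldapd`.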
diff --git a/roles/ldap-client/templates/bin/chsh.j2 b/roles/ldap-client/templates/bin/chsh.j2
deleted file mode 100644
index 37462f78382b67f62a32aae8940af8616e5d4304..0000000000000000000000000000000000000000
--- a/roles/ldap-client/templates/bin/chsh.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-{{ ansible_header | comment }}
-echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}"
-
diff --git a/roles/ldap-client/templates/bin/chsh.ldap.j2 b/roles/ldap-client/templates/bin/chsh.ldap.j2
deleted file mode 100644
index 175fdfc19db2770bf707fcbdd4dc1a638369cfa4..0000000000000000000000000000000000000000
--- a/roles/ldap-client/templates/bin/chsh.ldap.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-{{ ansible_header | comment }}
-echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}"
-echo "De toutes façons la vraie commande aurait pas marché, on installe pas nslcd-utils sur les serveurs normalement."
diff --git a/roles/ldap-client/templates/bin/passwd.j2 b/roles/ldap-client/templates/bin/passwd.j2
deleted file mode 100644
index 40b0412654d794d64ac14ae982d4ae3068c5ec07..0000000000000000000000000000000000000000
--- a/roles/ldap-client/templates/bin/passwd.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-{{ ansible_header | comment }}
-echo "Pour changer votre mot de passe,\nAllez sur l'intranet : {{intranet_url}}"
diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2
index e634dd23cbe1559df15a524f04001abfe5b348ad..aa1db15f97273225424ea834aef703db2da3bc02 100644
--- a/roles/ldap-client/templates/nslcd.conf.j2
+++ b/roles/ldap-client/templates/nslcd.conf.j2
@@ -1,35 +1,30 @@
 {{ ansible_header | comment }}
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
 
 # The user and group nslcd should run as.
 uid nslcd
 gid nslcd
 
 # The location at which the LDAP server(s) should be reachable.
-{% if ldap_local_replica_uri is defined %}
-{% for uri in ldap_local_replica_uri %}
-uri {{ uri }}
+{% if ldap.local %}
+uri ldapi:///
+{% else %}
+{% for server in ldap.servers %}
+uri ldaps://{{ server }}/
 {% endfor %}
 {% endif %}
-uri {{ ldap_master_uri }}
 
 # The search base that will be used for all queries.
-base {{ ldap_base }}
-base passwd {{ ldap_user_tree }}
-base shadow {{ ldap_user_tree }}
-base group ou=posix,ou=groups,{{ ldap_base }}
+base {{ ldap.base }}
 
 # The LDAP protocol version to use.
-ldap_version 3
-
-# Time limit to wait for an answer
-timelimit 5
-
-# Time limit to wait for a bind
-bind_timelimit 5
+#ldap_version 3
 
 # The DN to bind with for normal lookups.
-binddn {{ ldap_nslcd_bind_dn }}
-bindpw {{ ldap_nslcd_passwd }}
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
 
 # The DN used for password modifications by root.
 #rootpwmoddn cn=admin,dc=example,dc=com
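Review bot: The rewrite removes `timelimit 5` and `bind_timelimit 5` without replacement, so nslcd falls back to its defaults (a longer bind timeout and, as far as I recall, no search limit at all), and with `hosts` now also routed through LDAP in nsswitch.conf an unreachable server makes every lookup block for the full default instead of failing fast; keep `bind_timelimit 5` and `timelimit 5` next to the new `uri` block. Commenting out `binddn`/`bindpw` makes every nslcd query anonymous, which only works while the slapd ACLs grant anonymous read on the user tree and means the `shadow` database in nsswitch.conf is unlikely to return password data; that dependency belongs in a comment here, e.g. `# anonymous bind: relies on slapd granting read to * on the user tree`. The `{% if ldap.local %}` branch selects `ldapi:///`, which requires the local slapd to expose that socket (the slapd role does list it in SLAPD_SERVICES); that coupling is worth a line in the role README.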
@@ -41,4 +36,3 @@ tls_cacertfile /etc/ssl/certs/ca-certificates.crt
 
 # The search scope.
 #scope sub
-
diff --git a/roles/ntp-client/tasks/main.yml b/roles/ntp-client/tasks/main.yml
index c968990b8f52e220fd8d711d24cdf352d88ba885..0bc25d2178fe0c9aaed6e14e4948d211c1c30539 100644
--- a/roles/ntp-client/tasks/main.yml
+++ b/roles/ntp-client/tasks/main.yml
@@ -12,6 +12,7 @@
     path: /etc/default/ntp
     regexp: '^NTPD_OPTS'
     line: NTPD_OPTS='-g -x'
+  check_mode: no
 
 - name: Configure NTP
   template:
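Review bot: `check_mode: no` on the lineinfile task makes it write /etc/default/ntp even during a `--check` run, so a dry run is no longer side-effect free; if the goal is only to let a later task see the result, leave check mode alone and guard the consumer with `when: not ansible_check_mode`, as the re2o-dhcp role does. If the write really must happen in check mode, spell the value `false` (yamllint `truthy`) and add a comment stating why, e.g. `# written even in check mode: later tasks read this file`. The task that owns this key begins above the hunk, so its other parameters could not be checked here.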
diff --git a/roles/proxmox-apt-sources/tasks/main.yml b/roles/proxmox-apt-sources/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1774927c974b4ad0585f5e85ed1318513499ee48
--- /dev/null
+++ b/roles/proxmox-apt-sources/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Configure Proxmox repositories
+  template:
+    src: apt/sources.list.d/pve-enterprise.list.j2
+    dest: /etc/apt/sources.list.d/pve-enterprise.list
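Review bot: The task writes a file named `pve-enterprise.list` whose template (next hunk) configures the `pve-no-subscription` component, so the filename no longer describes its content and reuses the name Proxmox gives its enterprise source; if overriding that file is the intent, say so on the task, e.g. `# Replaces the stock pve-enterprise.list with the no-subscription repository`, otherwise rename the destination. The `template` call sets no `mode` or `owner`, so the file inherits the remote umask; `mode: "0644"` makes the permissions explicit. Nothing in this role refreshes the apt cache after the source changes, so a following apt task will use stale indices unless it sets `update_cache: true`.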
diff --git a/roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-enterprise.list.j2 b/roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-enterprise.list.j2
new file mode 100644
index 0000000000000000000000000000000000000000..f1a09d1ddfafd8c742aa09f723ee5fe69bcf970b
--- /dev/null
+++ b/roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-enterprise.list.j2
@@ -0,0 +1,2 @@
+{{ ansible_header | comment }}
+deb     http://download.proxmox.com/debian/pve {{ ansible_lsb.codename }} pve-no-subscription
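Review bot: `{{ ansible_lsb.codename }}` is only populated when the `lsb-release` package exists on the target; without it `ansible_lsb` is empty and the template fails on an undefined `codename`, whereas `ansible_distribution_release` is always gathered and gives the same value on Debian-based hosts, so `deb http://download.proxmox.com/debian/pve {{ ansible_distribution_release }} pve-no-subscription` is the more robust line. The source is fetched over plain `http`; apt still verifies the Release signature, but only if the Proxmox keyring is installed, which this role does not ensure — either that task lives elsewhere (worth a comment here) or a `[signed-by=...]` option naming the installed key should be added.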
diff --git a/roles/qemu-guest-agent/tasks/main.yml b/roles/qemu-guest-agent/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..72a322aa0ec4568eeb9e400a50c0b34d5bb2a7f2
--- /dev/null
+++ b/roles/qemu-guest-agent/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Install qemu guest agent
+  apt:
+    update_cache: true
+    install_recommends: false
+    name:
+      - qemu-guest-agent
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
diff --git a/roles/re2o-dhcp/tasks/main.yml b/roles/re2o-dhcp/tasks/main.yml
index 16c83c424203304ce791b67fcfe99c3b1c07efe4..cc11df72bfedb238676fc679d24c407295c0ecf2 100644
--- a/roles/re2o-dhcp/tasks/main.yml
+++ b/roles/re2o-dhcp/tasks/main.yml
@@ -15,10 +15,11 @@
     etype: group
     permissions: rwx
     state: query
+  when: not ansible_check_mode
 
 - name: Clone re2o-dhcp repository
   git:
-    repo: 'http://gitlab.adm.crans.org/nounous/re2o-dhcp.git'
+    repo: "{{ re2o.dhcp.uri }}"
     dest: /var/local/re2o-services/dhcp
     version: crans
     umask: '002'
@@ -30,6 +31,7 @@
     owner: root
     group: root
     state: link
+    force: yes
 
 - name: Create generated directory
   file:
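Review bot: `force: yes` on a `file` task with `state: link` tells Ansible to unlink any regular file already present at the link path and replace it with the symlink, so a locally edited file there is discarded without trace on the next run; if that is intended, record it with `# force: replace a pre-existing regular file with the symlink`, otherwise drop the flag and let the task fail loudly. Write the value as `true` rather than `yes` (yamllint `truthy`), matching `update_cache: true` used elsewhere in this repository. The task holding this key begins above the hunk, so its `path` and `src` could not be checked here.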
diff --git a/roles/slapd/README.md b/roles/slapd/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..45b7b0276632bd47607abd43e63339e71abb8b29
--- /dev/null
+++ b/roles/slapd/README.md
@@ -0,0 +1,13 @@
+# SLAPD
+
+Deploie un serveur ldap master ou replica
+
+## VARS
+
+slapd:
+  - ip : l'ip sur lequel il va installer le serveur ldap
+  - replica : s'il s'agit d'un master ou d'une replica
+  - replica_rid : le numéro de replica du serveur
+  - master_ip : l'ip du master
+  - replication_credentials : les credientials pour authentifier les replicas
+    auprès du master
diff --git a/roles/slapd/handlers/main.yml b/roles/slapd/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c8b9f3c0835da417a7e441676199bafb9c61d6d0
--- /dev/null
+++ b/roles/slapd/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Restart slapd
+  service:
+    name: slapd.service
+    state: restarted
diff --git a/roles/slapd/tasks/main.yml b/roles/slapd/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f377a77efcd73c9402c9c1d7b83cda761709c6dc
--- /dev/null
+++ b/roles/slapd/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+- name: Install slapd
+  apt:
+    update_cache: true
+    name:
+      - slapd
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Remove slapd config directory
+  file:
+    path: /etc/ldap/slapd.d/
+    state: absent
+
+- name: Deploy slapd configuration
+  template:
+    src: "ldap/{{ item.dest }}.j2"
+    dest: "/etc/ldap/{{ item.dest }}"
+    mode: "{{ item.mode }}"
+    owner: openldap
+    group: openldap
+  loop:
+    - { dest: slapd.conf, mode: "0600" }
+    - { dest: ldap.key, mode: "0600" }
+    - { dest: ldap.pem, mode: "0644" }
+  notify: Restart slapd
+
+- name: Deploy ldap services
+  lineinfile:
+     path: /etc/default/slapd
+     regexp: '^SLAPD_SERVICES='
+     line: 'SLAPD_SERVICES="ldaps://{{ slapd.ip }}/ ldapi:///"'
+  notify: Restart slapd
+  check_mode: no
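Review bot: The `Deploy slapd configuration` loop renders `ldap.key` and a `slapd.conf` that embeds `slapd.replication_credentials`, but the task carries no `no_log: true`, so `--diff` or verbose runs print the private key and replication password to the console and to any log collector; add `no_log: true` to that task, or move the secret-bearing items into their own task that sets it. The `lineinfile` mapping under `Deploy ldap services` is indented five spaces while every other module body in this file uses two; yamllint flags it and it should be realigned. On that same task `check_mode: no` writes /etc/default/slapd even during a dry run and should be `false` if kept. `Remove slapd config directory` deletes `/etc/ldap/slapd.d/` on every run, which is consistent with a pinned slapd.conf but deserves a comment such as `# slapd.conf is authoritative; drop the cn=config tree so it cannot shadow it`.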
diff --git a/roles/slapd/templates/ldap/ldap.key.j2 b/roles/slapd/templates/ldap/ldap.key.j2
new file mode 100644
index 0000000000000000000000000000000000000000..926db60fe8575f27cfee06448b8a7fbd6a547f9f
--- /dev/null
+++ b/roles/slapd/templates/ldap/ldap.key.j2
@@ -0,0 +1 @@
+{{ ldap.private_key }}
diff --git a/roles/slapd/templates/ldap/ldap.pem.j2 b/roles/slapd/templates/ldap/ldap.pem.j2
new file mode 100644
index 0000000000000000000000000000000000000000..ed4f7a5ca148f5c5d9ca80937316c2b723dbea2c
--- /dev/null
+++ b/roles/slapd/templates/ldap/ldap.pem.j2
@@ -0,0 +1 @@
+{{ ldap.certificate }}
diff --git a/roles/slapd/templates/ldap/slapd.conf.j2 b/roles/slapd/templates/ldap/slapd.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..5c6cccab720befd6d6adc6bbf033f5c9df16a728
--- /dev/null
+++ b/roles/slapd/templates/ldap/slapd.conf.j2
@@ -0,0 +1,196 @@
+# This is the main slapd configuration file. See slapd.conf(5) for more
+# info on the configuration options.
+
+#######################################################################
+# Global Directives:
+
+# Schema and objectClass definitions
+include         /etc/ldap/schema/core.schema
+include         /etc/ldap/schema/cosine.schema
+include         /etc/ldap/schema/nis.schema
+include         /etc/ldap/schema/inetorgperson.schema
+
+# Where the pid file is put. The init.d script
+# will not stop the server if you change this.
+pidfile         /var/run/slapd/slapd.pid
+
+# List of arguments that were passed to the server
+argsfile        /var/run/slapd/slapd.args
+
+# Read slapd.conf(5) for possible values
+loglevel        none
+
+# Where the dynamically loaded modules are stored
+modulepath      /usr/lib/ldap
+moduleload      back_mdb
+{% if not slapd.replica %}
+moduleload 		auditlog
+
+overlay 		auditlog
+auditlog 		/var/log/openldap/auditlog.log
+
+moduleload 		syncprov
+{% endif %}
+
+# TODO FAIRE LES CERTIFICATS
+# TLS Certificates
+#TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3
+TLSCertificateFile /etc/ldap/ldap.pem
+TLSCertificateKeyFile /etc/ldap/ldap.key
+
+# The maximum number of entries that is returned for a search operation
+sizelimit 500
+
+# The tool-threads parameter sets the actual amount of cpu's that is used
+# for indexing.
+tool-threads 1
+
+#######################################################################
+# Specific Backend Directives for mdb:
+# Backend specific directives apply to this backend until another
+# 'backend' directive occurs
+backend         mdb
+
+#######################################################################
+# Specific Backend Directives for 'other':
+# Backend specific directives apply to this backend until another
+# 'backend' directive occurs
+#backend                <other>
+
+#######################################################################
+# Specific Directives for database #1, of type mdb:
+# Database specific directives apply to this databasse until another
+# 'database' directive occurs
+database        mdb
+
+# The base of your directory in database #1
+suffix          "dc=crans,dc=org"
+
+# rootdn directive for specifying a superuser on the database. This is needed
+# for syncrepl.
+rootdn          "cn=admin,dc=crans,dc=org"
+
+# Where the database file are physically stored for database #1
+directory       "/var/lib/ldap"
+
+# The dbconfig settings are used to generate a DB_CONFIG file the first
+# time slapd starts.  They do NOT override existing an existing DB_CONFIG
+# file.  You should therefore change these settings in DB_CONFIG directly
+# or remove DB_CONFIG and restart slapd for changes to take effect.
+
+# For the Debian package we use 2MB as default but be sure to update this
+# value if you have plenty of RAM
+#dbconfig set_cachesize 0 2097152 0
+
+# Sven Hartge reported that he had to set this value incredibly high
+# to get slapd running at all. See http://bugs.debian.org/303057 for more
+# information.
+
+# Number of objects that can be locked at the same time.
+#dbconfig set_lk_max_objects 1500
+# Number of locks (both requested and granted)
+#dbconfig set_lk_max_locks 1500
+# Number of lockers
+#dbconfig set_lk_max_lockers 1500
+
+# Indexing options for database #1
+index           objectClass eq
+
+# Save the time that the entry gets modified, for database #1
+lastmod         on
+
+# Checkpoint the BerkeleyDB database periodically in case of system
+# failure and to speed slapd shutdown.
+checkpoint      512 30
+
+{% if slapd.replica %}
+syncrepl
+        rid={{ slapd.replica_rid }}
+        provider=ldaps://{{ slapd.master_ip }}:636
+        bindmethod=simple
+        binddn="cn=replicator,dc=crans,dc=org"
+        credentials={{ slapd.replication_credentials }}
+        searchbase="dc=crans,dc=org"
+        scope=sub
+        schemachecking=on
+        type=refreshAndPersist
+        timeout=0
+        network-timeout=0
+        retry="30 20 300 +"
+        tls_reqcert=allow
+{% endif %}
+
+{% if slapd.replica %}
+# The userPassword by default can be changed
+# by the entry owning it if they are authenticated.
+# Others should not be able to see it, except the
+# admin entry below
+# These access lines apply to database #1 only
+access to attrs=userPassword,shadowLastChange
+        by anonymous auth
+        by * none
+
+# Ensure read access to the base for things like
+# supportedSASLMechanisms.  Without this you may
+# have problems with SASL not knowing what
+# mechanisms are available and the like.
+# Note that this is covered by the 'access to *'
+# ACL below too but if you change that as people
+# are wont to do you'll still need this if you
+# want SASL (and possible other things) to work
+# happily.
+access to dn.base="" by * read
+
+# The admin dn has full write access, everyone else
+# can read everything.
+access to *
+        by * read
+{% else %}
+overlay syncprov
+
+# The userPassword by default can be changed
+# by the entry owning it if they are authenticated.
+# Others should not be able to see it, except the
+# admin entry below
+# These access lines apply to database #1 only
+access to attrs=userPassword,shadowLastChange
+        by anonymous auth
+        by self write
+        by set="[cn=nounou,ou=group,dc=crans,dc=org]/memberUid & user/uid" write
+        by dn="cn=replicator,dc=crans,dc=org" read
+        by * none
+
+access to attrs=loginShell,mail,telephoneNumber
+        by self write
+        by set="[cn=nounou,ou=group,dc=crans,dc=org]/memberUid & user/uid" write
+        by dn="cn=replicator,dc=crans,dc=org" read
+        by * read
+
+# Ensure read access to the base for things like
+# supportedSASLMechanisms.  Without this you may
+# have problems with SASL not knowing what
+# mechanisms are available and the like.
+# Note that this is covered by the 'access to *'
+# ACL below too but if you change that as people
+# are wont to do you'll still need this if you
+# want SASL (and possible other things) to work
+# happily.
+access to dn.base="" by * read
+
+# The admin dn has full write access, everyone else
+# can read everything.
+access to *
+        by set="[cn=nounou,ou=group,dc=crans,dc=org]/memberUid & user/uid" write
+        by dn="cn=replicator,dc=crans,dc=org" read
+        by * read
+{% endif %}
+
+
+#######################################################################
+# Specific Directives for database #2, of type 'other' (can be mdb too):
+# Database specific directives apply to this databasse until another
+# 'database' directive occurs
+#database        <other>
+
+# The base of your directory for database #2
+#suffix         "dc=debian,dc=org"
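Review bot: The replica's syncrepl stanza sets `tls_reqcert=allow`, so the replica never verifies the master's certificate on the `ldaps://` replication channel; any host able to answer for `slapd.master_ip` could then feed it arbitrary directory content (accounts, group memberships) that the replica goes on to serve to clients. Use `tls_reqcert=demand` together with `tls_cacert=/etc/ssl/certs/ca-certificates.crt` (or whichever CA issued `ldap.pem`), the same bundle the nslcd template already trusts. In the same stanza `credentials={{ slapd.replication_credentials }}` is unquoted, so a secret containing whitespace or a quote silently breaks the directive; `credentials="{{ slapd.replication_credentials }}"` is safer. The only index is `objectClass eq`, while nslcd typically searches by uid, uidNumber, gidNumber and memberUid, so `index uid,uidNumber,gidNumber,memberUid eq` avoids full scans; and the `# TODO FAIRE LES CERTIFICATS` line predates the `TLSCertificateFile` lines below it and can go.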