group_vars/all/vars.yaml → group_vars/all/ansible-header.yml

 ---
-
 # Custom header
-dirty: "{% if template_path is defined %}{{ lookup('pipe', 'git diff --quiet -- ' + template_path | quote + ' || echo dirty') }}{% else %}{{ lookup('pipe', 'git diff --quiet || echo dirty') }}{% endif %}"
+dirty: "{% if template_fullpath is defined %}{{ lookup('pipe', 'git diff --quiet -- ' + template_fullpath | quote + ' || echo dirty') }}{% else %}{{ lookup('pipe', 'git diff --quiet || echo dirty') }}{% endif %}"
 ansible_header: |
     +++++++++++++++++++++++++++++++++++++++++++++++++++
 
        Ansible managed, don't modify the file locally.
        See https://gitlab.crans.org/nounous/ansible.
-       {% if template_path is defined %}{% set _, rpath = template_path.split('roles/', 1) %}Commit: {% if dirty %}({{dirty}}) {% endif %}{{ lookup('pipe', 'git log -n 1 --pretty=format:%H -- ' + template_path | quote) }}
+       {% if template_fullpath is defined %}{% set _, rpath = template_fullpath.split('roles/', 1) %}Commit: {% if dirty %}({{dirty}}) {% endif %}{{ lookup('pipe', 'git log -n 1 --pretty=format:%H -- ' + template_fullpath | quote) }}
        {% if dirty %}Run by: {{ ansible_env.SUDO_USER }}
-       {% else %}Author: {{ lookup('pipe', 'git log -n 1 --pretty=format:%an -- ' + template_path | quote) }}
+       {% else %}Author: {{ lookup('pipe', 'git log -n 1 --pretty=format:%an -- ' + template_fullpath | quote) }}
        {% endif %}Template: roles/{{ rpath }}
        {% else %}
        Run by: {{ ansible_env.SUDO_USER }}
@@ -17,45 +16,3 @@ ansible_header: |
        {% endif %}
 
     +++++++++++++++++++++++++++++++++++++++++++++++++++
-
-# Crans subnets
-adm_subnet: 10.231.136.0/24
-
-# # Role rsync-client
-# to_backup:
-#   - {
-#   name: "var",
-#   path: "/var",
-#   auth_users: "backupcrans",
-#   secrets_file: "/etc/rsyncd.secrets",
-#   hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"],
-#   }
-#   - {
-#   name: "slash",
-#   path: "/",
-#   auth_users: "backupcrans",
-#   secrets_file: "/etc/rsyncd.secrets",
-#   hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"],
-#   }
-#
-# re2o:
-#   server: re2o.adm.crans.org
-#   service_user: "{{ vault.re2o_service_user }}"
-#   service_password: "{{ vault.re2o_service_password }}"
-#
-#
-# # global server definitions
-glob_smtp: smtp.adm.crans.org
-glob_mirror:
-  name: mirror.adm.crans.org
-  ip: 172.16.10.30
-
-glob_ldap:
-  uri: 'ldap://re2o-ldap.adm.crans.org/'
-  users_base: 'cn=Utilisateurs,dc=crans,dc=org'
-  servers:
-    - 172.16.10.1
-    - 172.16.10.11
-    - 172.16.10.12
-    - 172.16.10.13
-  base: 'dc=crans,dc=org'

group_vars/all/borg.yml

@@ -15,3 +15,4 @@ glob_borg:
     - make-parent-dirs
   encryption_passphrase: "{{ vault.borgbackup_passwd }}"
   ssh_privkey: "{{ vault.borgbackup_ssh_privkey }}"
+  ssh_options: -4 -p 2223

group_vars/all/home_nounou.yml

 ---
 glob_home_nounou:
-  ip: 172.16.10.1
-  mountpoint: /pool/home
+  mounts:
+  - ip: 172.16.10.1
+    mountpoint: /pool/home
+    target: /home_nounou
+    name: home_nounou
+    owner: root
+    group: _user
+    mode: '0750'

group_vars/all/ldap.yml

+---
+glob_ldap:
+  uri: 'ldap://re2o-ldap.adm.crans.org/'
+  users_base: 'cn=Utilisateurs,dc=crans,dc=org'
+  servers:
+    - 172.16.10.1
+    - 172.16.10.11
+    - 172.16.10.12
+    - 172.16.10.13
+  base: 'dc=crans,dc=org'

group_vars/all/mirror.yml

+---
+glob_mirror:
+  hostname: mirror.adm.crans.org
+  ip: 172.16.10.30
+
+debian_mirror: http://mirror.adm.crans.org/debian
+debian_components: main contrib non-free

group_vars/all/prometheus_node_exporter.yaml

+---
+glob_prometheus_node_exporter:
+  listen_addr: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ipv4 | first }}"

group_vars/all/rsyslog_client.yml

+---
+glob_rsyslog_client:
+  server: "{{ query('ldap', 'ip', 'tealc', 'adm') | ipv4 | first }}"

group_vars/bdd.yml

-glob_postgresql:
-  hosts:
-    # Database, User, net CIDR, Method
-  - [ "etherpad", "crans", "10.231.136.76/32", "etherpad"]
-  - [ "roundcube", "roundcube", "10.231.136.73/32", "webmail"]
-  - [ "roundcube", "roundcube", "2a0c:700:0:2:200:13ff:fe03:90b/128", "webmail"]
-  - [ "all", "all", "10.231.136.73/32", null]
-  - [ "all", "all", "2a0c:700:0:2:200:13ff:fe03:90b/128", null]
-  - [ "sql grey pour zamok", "sqlgrey", "sqlgrey", "10.231.136.1/32", null ]
-  - [ "sqlgrey", "sqlgrey", "2a0c:700:0:2:1e98:ecff:fe15:2c88/128", null ]
-  
-  
-  

group_vars/bird.yml

+---
+glob_bird: {}

group_vars/dhcp.yml

 ---
 glob_dhcp:
-  authoritative: True
   global_options:
     - { key: "interface-mtu", value: "1500" }
   global_parameters: []
-  subnets:
-    - network: "185.230.78.0/24"
-      deny_unknown: True
-      vlan: "adh"
-      default_lease_time: "600"
-      max_lease_time: "7200"
-      routers: "185.230.78.99"
-      dns: ["185.230.78.99"]
-      domain_name: "adh.crans.org"
-      domain_search: "adh.crans.org"
-      options: []
-      lease_file: "/var/local/services/dhcp/generated/dhcp.adh.crans.org.list"
-    - network: "100.64.0.0/16"
-      deny_unknown: True
-      vlan: "adh_nat"
-      default_lease_time: "600"
-      max_lease_time: "7200"
-      routers: "100.64.0.99"
-      dns: ["100.64.0.99"]
-      domain_name: "adh-nat.crans.org"
-      domain_search: "adh-nat.crans.org"
-      options: []
-      lease_file: "/var/local/services/dhcp/generated/dhcp.adh-nat.crans.org.list"
-    - network: "172.16.32.0/22"
-      deny_unknown: True
-      vlan: "infra"
-      default_lease_time: "600"
-      max_lease_time: "7200"
-      dns: ["172.16.32.99"]
-      domain_name: "infra.crans.org"
-      domain_search: "infra.crans.org"
-      options: []
-      lease_file: "/var/local/services/dhcp/generated/dhcp.infra.crans.org.list"
-    - network: "172.16.14.0/24"
-      vlan: "accueil"
-      default_lease_time: "600"
-      max_lease_time: "7200"
-      dns: ["172.16.14.99"]
-      domain_name: "accueil.crans.org"
-      domain_search: "accueil.crans.org"
-      ranges:
-        - min: 172.16.14.1
-          max: 172.16.14.98
-        - min: 172.16.14.100
-          max: 172.16.14.254
-      options: []
-    - network: 100.65.0.0/16
-      vlan: "federez"
-      default_lease_time: "600"
-      max_lease_time: "7200"
-      routers: "100.65.0.99"
-      dns: ["100.65.0.99"]
-      domain_name: "federez.net"
-      domain_search: "federez.net"
-      ranges:
-        - min: 100.65.1.0
-          max: 100.65.255.254
-      options: []
 
-glob_re2o_services:
-  server: re2o.adm.crans.org
-  service:
-    user: services
-    password: "{{ vault.re2o_service_password }}"
-  mail_server: "{{ glob_smtp }}"
-
-glob_re2o_dhcp:
-  uri: "https://gitlab.adm.crans.org/nounous/dhcp.git"
+glob_service_dhcp:
+  name: dhcp
+  install_dir: /var/local/services/dhcp
+  generated: yes
+  cron:
+    frequency: "*/2 * * * *"
+    options: -q
+  dependencies:
+    - python3-jinja2

group_vars/firewall.yml

+glob_service_firewall:
+  name: firewall
+  install_dir: /var/local/services/firewall
+  cron:
+    frequency: "*/2 * * * *"
+    options: -q
+  dependencies:
+    - python3-iso8601
+    - python3-jinja2
+    - python3-ldap

group_vars/galene.yml

+---
+service_nginx:
+  service_name: galene
+  servers:
+    - ssl: crans.org
+      default: true
+      server_name:
+        - "galene.crans.org"
+      locations:
+        - filter: "/"
+          params:
+            - "include /etc/nginx/snippets/options-proxypass.conf"
+            - "proxy_pass http://localhost:8443"
+
+    - ssl: crans.org
+      server_name:
+        - "neree.crans.org"
+      root: "/var/www/galene-stream-frontend/static"
+      locations:
+        - filter: "~ ^/(ws|public-groups.json)"
+          params:
+            - "include /etc/nginx/snippets/options-proxypass.conf"
+            - "proxy_pass http://localhost:8443"
+
+        - filter: "~ ^\\/(?!.*\\.\\.)[^/]+$"
+          params:
+            - " add_header Content-Security-Policy \"connect-src ws: wss: 'self'; img-src data: 'self'; media-src blob: 'self'; default-src 'self';\""
+            - "try_files $uri /galene.html =404"

group_vars/grafana.yml

+---
+glob_grafana:
+  root_url: https://grafana.crans.org
+  icon: crans_icon_white.svg
+  ldap_base: "{{ glob_ldap.base }}"
+  ldap_master_ipv4: "{{ glob_ldap.servers[0] }}"
+  ldap_user_tree: "ou=passwd,{{ glob_ldap.base }}"

group_vars/keepalived.yml

 ---
-
 glob_keepalived:
   mail_source: keepalived@crans.org
-  mail_destination: root@crans.org
+  mail_destination: shirenn@crans.org
   smtp_server: smtp.adm.crans.org
   pool:
-    all:
-      password: "plopisverysecure"
+    VI_ALL:
+      password: "{{ vault.keepalived.password }}"
       id: 60
       ipv6: yes
-      notify: /usr/scripts/notify-dhcp
+      notify: /var/local/services/keepalived/keepalived.py
       zones:
-        - vlan: zayo
-          ipv4: 158.255.113.73/31
-          brd: false
-          ipv6: 2001:1b48:2:103::bb:2/126
         - vlan: srv
-          ipv4: 185.230.79.62/26
-          ipv6: 2a0c:700:2::ff:fe00:9902/64
+          ipv4: 185.230.79.61/26
+          ipv6: 2a0c:700:2::ff:fe01:9902/64
         - vlan: srv_nat
-          ipv4: 172.16.3.99/24
-          ipv6: 2a0c:700:3::ff:fe00:9903/64
-        - vlan: accueil
-          ipv4: 172.16.14.99/24
-        - vlan: infra
-          ipv4: 172.16.32.99/22
-          ipv6: fd00::11:0:ff:fe00:9911/64
+          ipv4: 172.16.3.199/24
+          ipv6: 2a0c:700:3::ff:fe01:9903/64
         - vlan: adh
-          ipv4: 185.230.78.99/24
-          ipv6: 2a0c:700:12::ff:fe00:9912/48
-        - vlan: adh_nat
-          ipv4: 100.64.0.99/16
-          ipv6: 2a0c:700:13::ff:fe00:9913/48
-        - vlan: federez
-          ipv4: 100.65.0.99/16
-          ipv6: 2a0c:700:254::ff:fe00:99fe/64
+          ipv4: 185.230.78.199/24
+          ipv6: 2a0c:700:12::ff:fe01:9912/48
+
+glob_service_keepalived:
+  name: keepalived
+  install_dir: /var/local/services/keepalived

group_vars/mirror_backend.yml

+glob_ftpsync:
+  root: /mirror/pub
+  mirror:
+    name: CRANS
+    info:
+      maintainer: Les Nounous <contact@crans.org>
+      country: FR
+      location: Cachan, Île-de-France
+  targets:
+    - name: main
+      dest: debian
+      cron_time: "25 1,13"
+      rsync_host: ftp.fr.debian.org
+      rsync_path: debian
+    - name: security
+      dest: debian-security
+      cron_time: "40    *"
+      rsync_host: ftp.fr.debian.org
+      rsync_path: debian-security
+    - name: backports
+      dest: debian-backports
+      cron_time: " 7 3,15"
+      rsync_host: ftp.fr.debian.org
+      rsync_path: debian-backports
+
+glob_rsync_mirror:
+  root: /mirror/pub
+  targets:
+    - name: videolan
+      dest: videolan
+      cron_time: "03 10,14,18,22,2,6"
+      rsync_host: rsync.videolan.org
+      rsync_path: videolan-ftp
+    - name: debian
+      dest: distributions/linux/debian
+      cron_time: "00 5"
+      rsync_host: cdimage.debian.org
+      rsync_path: cdimage/release
+    - name: debian-cloud
+      dest: distributions/linux/debian/cloud
+      cron_time: "00 5"
+      rsync_host: cdimage.debian.org
+      rsync_path: cdimage/cloud/Openstack
+      exclude:
+        - archive
+    - name: ubuntu
+      dest: distributions/linux/ubuntu
+      cron_time: "00 5"
+      rsync_host: cdimage.ubuntu.com
+      rsync_path: cdimage/releases
+    - name: xubuntu
+      dest: distributions/linux/xubuntu
+      cron_time: "00 5"
+      rsync_host: cdimage.ubuntu.com
+      rsync_path: cdimage/xubuntu/releases
+    - name: kubuntu
+      dest: distributions/linux/kubuntu
+      cron_time: "00 5"
+      rsync_host: cdimage.ubuntu.com
+      rsync_path: cdimage/kubuntu/releases
+    - name: lubuntu
+      dest: distributions/linux/lubuntu
+      cron_time: "00 5"
+      rsync_host: cdimage.ubuntu.com
+      rsync_path: cdimage/lubuntu/releases
+    - name: ubuntu-mate
+      dest: distributions/linux/ubuntu-mate
+      cron_time: "00 5"
+      rsync_host: cdimage.ubuntu.com
+      rsync_path: cdimage/ubuntu-mate/releases
+    - name: archlinux
+      dest: archlinux
+      cron_time: "08 3"
+      rsync_host: archlinux.polymorf.fr
+      rsync_path: archlinux/
+
+glob_apt_mirror:
+  root: /mirror/pub
+  targets:
+    - name: grafana
+      symlink: ""
+      scheme: https
+      host: packages.grafana.com
+      path: oss/deb
+      suite: stable
+      components:
+        - main
+    - name: proxmox
+      symlink: ""
+      scheme: http
+      host: download.proxmox.com
+      path: debian/pve
+      suite: buster
+      components:
+        - pve-no-subscription

group_vars/mtail.yml

+---
+glob_mtail:
+  config:
+    - dhcpd.mtail
+    - radiusd.mtail
+  remove: []

group_vars/nginx.yml

@@ -30,3 +30,6 @@ glob_nginx:
     - "172.16.0.0/16"
     - "fd00:0:0:10::/64"
   deploy_robots_file: false
+
+glob_prometheus_nginx_exporter:
+  listen_addr: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ipv4 | first }}"

group_vars/ovh/vars.yml

-# Parameters for debian and ubuntu mirror
-debian_mirror: http://deb.debian.org/debian
-ubuntu_mirror: http://deb.debian.org/ubuntu
-debian_components: main contrib non-free
-ubuntu_components: main restricted universe multiverse

group_vars/postgres.yml

+glob_postgres:
+  subnets:
+    - 172.16.10.0/24
+    - fd00:0:0:10::/64

group_vars/prometheus.yml

+---
+glob_prometheus: {}
+
+glob_snmp_exporter:
+  procurve_password: "{{ vault.snmp_procurve_password }}"
+  unifi_password: "{{ vault.snmp_unifi_password }}"
+
+glob_ninjabot:
+  config:
+    nick: Prometheus
+    server: irc.adm.crans.org
+    port: 6667
+    channel: "#monitoring"