From f4326afd766daaec60da7fa340b3e28d21d98365 Mon Sep 17 00:00:00 2001
From: Bombar Maxime <bombar@crans.org>
Date: Tue, 28 Apr 2020 22:29:12 +0200
Subject: [PATCH 01/55] [re2o_lookup] Make use of cache.

---
 ansible.cfg               |   7 +
 lookup_plugins/re2oapi.py | 287 ++++++++++++++++++++++++++++----------
 2 files changed, 224 insertions(+), 70 deletions(-)

diff --git a/ansible.cfg b/ansible.cfg
index ec5d521e..5b23c72b 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -45,3 +45,10 @@ api_hostname = intranet.crans.org
 
 # Whether or not using vault_cranspasswords
 use_cpasswords = True
+
+# Specify cache plugin for re2o API. By default, cache nothing
+cache = jsonfile
+
+# Time in second before the cache expired. 0 means never expire cache.
+# Default is 120 seconds.
+timeout = 120
diff --git a/lookup_plugins/re2oapi.py b/lookup_plugins/re2oapi.py
index 9099c9e3..53d23555 100644
--- a/lookup_plugins/re2oapi.py
+++ b/lookup_plugins/re2oapi.py
@@ -7,6 +7,8 @@ For a detailed example look at https://github.com/ansible/ansible/blob/3dbf89e8a
 The API Client has been adapted from https://gitlab.federez.net/re2o/re2oapi
 """
 
+from ansible.plugins.loader import cache_loader
+
 from pathlib import Path
 import datetime
 import requests
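Review bot: The new `from ansible.plugins.loader import cache_loader` is placed above the standard-library imports (`pathlib`, `datetime`) and the third-party `requests`, so the import block no longer groups stdlib / third-party / framework. The file evidently imports other `ansible.*` names (`ConfigManager`, `LookupBase`, `AnsibleError`, `to_native` are used below), presumably further down outside this hunk; move the `cache_loader` line next to them so the grouping stays readable.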
@@ -340,6 +342,73 @@ class LookupModule(LookupBase):
         - debug: var=dnszones
     """
 
+    def _readconfig(self, section="re2o", key=None, boolean=False,
+                    integer=False):
+        config = self._config
+        if not config:
+            return None
+        else:
+            if config.has_option(section, key):
+                display.vvv("Found key {} in configuration file".format(key))
+                if boolean:
+                    return config.getboolean(section, key)
+                elif integer:
+                    return config.getint(section, key)
+                else:
+                    return config.get(section, key)
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+        config_manager = ConfigManager()
+        config_file = config_manager.data.get_setting(name="CONFIG_FILE").value
+        self._config = ConfigParser()
+        self._config.read(config_file)
+
+        display.vvv("Using {} as configuration file.".format(config_file))
+
+        self._api_hostname = None
+        self._api_username = None
+        self._api_password = None
+        self._use_cpasswords = None
+        self._cache_plugin = None
+        self._cache = None
+        self._timeout = 120
+
+        if self._config.has_section("re2o"):
+            display.vvv("Found section re2o in configuration file")
+
+            self._api_hostname = self._readconfig(key="api_hostname")
+            self._use_cpasswords = self._readconfig(key="use_cpasswords",
+                                                    boolean=True)
+            self._cache_plugin = self._readconfig(key="cache")
+            self._timeout = self._readconfig(key="timeout", integer=True)
+
+        if self._cache_plugin is not None:
+            display.vvv("Using {} as cache plugin".format(self._cache_plugin))
+
+            if self._cache_plugin == 'jsonfile':
+                self._cachedir = Path.home() / ".cache/Ansible/re2oapi"
+                display.vvv("Cache directory is {}".format(self._cachedir))
+                if not self._cachedir.exists():
+                    # Creates Ansible cache directory with right permissions
+                    # if it doesn't exist yet.
+                    display.vvv("Cache directory doesn't exist. Creating it.")
+                    try:
+                        self._cachedir.mkdir(mode=0o700, parents=True)
+                    except Exception as e:
+                        raise AnsibleError("""Unable to create {dir}.
+                        Original error was : {err}"""
+                                           .format(dir=self._cachedir,
+                                                   err=to_native(e)))
+                self._cache = cache_loader.get('jsonfile',
+                                               _uri=self._cachedir,
+                                               _timeout=self._timeout,
+                                               )
+            else:
+                raise AnsibleError("Cache plugin {} not supported"
+                                   .format(self._cache_plugin))
+
     def run(self, terms, variables=None, api_hostname=None, api_username=None,
             api_password=None, use_tls=True):
 
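Review bot: `self._timeout = self._readconfig(key="timeout", integer=True)` throws away the `120` default assigned a few lines earlier whenever the `re2o` section exists but has no `timeout` option, because `_readconfig` returns `None` for a missing key; that `None` is then passed straight to `cache_loader.get('jsonfile', ..., _timeout=self._timeout)`. Only overwrite when a value was actually read: `timeout = self._readconfig(key="timeout", integer=True)` / `if timeout is not None:` / `    self._timeout = timeout`. The cache directory is created with mode `0o700` only when it does not exist yet; a pre-existing `~/.cache/Ansible/re2oapi` with wider permissions is used as-is even though it will hold API query results, so consider also checking or tightening the mode of an existing directory. The `except Exception` around `mkdir` could be narrowed to `OSError`, which is what `Path.mkdir` raises. `run`'s signature at the end of the hunk continues outside it.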
@@ -354,33 +423,20 @@ class LookupModule(LookupBase):
            :returns: A list of results to the specific queries.
         """
 
-        config_manager = ConfigManager()
-        config_file = config_manager.data.get_setting(name="CONFIG_FILE").value
-        config = ConfigParser()
-        config.read(config_file)
-
-        use_cpasswords = False
+        # Use the hostname specified by the user if it exists.
+        if api_hostname is not None:
+            display.vvv("Overriding api_hostname with {}".format(api_hostname))
+        else:
+            api_hostname = self._api_hostname
 
-        if config.has_section("re2o"):
-            display.vvv("Found section re2o in configuration file")
-            if config.has_option("re2o", "api_hostname"):
-                display.vvv("Found option api_hostname in config file")
-                api_hostname = config.get("re2o", "api_hostname")
-                display.vvv("Override api_hostname with {} from configuration"
-                            .format(api_hostname))
-            if config.has_option("re2o", "use_cpasswords"):
-                display.vvv("Found option use_cpasswords in config file")
-                use_cpasswords = config.getboolean("re2o", "use_cpasswords")
-                display.vvv("Override api_hostname with {} from configuration"
-                            .format(use_cpasswords))
-
-        if api_hostname is None:
+        if self._api_hostname is None:
             raise AnsibleError(to_native(
                 'You must specify a hostname to contact re2oAPI'
             ))
 
-        if api_username is None and api_password is None and use_cpasswords:
-            display.vvv("Use cpasswords vault to get API credentials.")
+        if (api_username is None and api_password is None
+                and self._use_cpasswords):
+            display.vvv("Using cpasswords vault to get API credentials.")
             api_username = variables.get('vault_re2o_service_user')
             api_password = variables.get('vault_re2o_service_password')
 
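Review bot: The guard `if self._api_hostname is None:` tests the configured value instead of the resolved one, so a caller who passes `api_hostname=` explicitly while the config file has no `api_hostname` is still rejected, and the override logged just above ("Overriding api_hostname with ...") never influences the check. Test the local that the override branch resolved: `if api_hostname is None:`. `run`'s body starts before and continues after this hunk.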
@@ -399,7 +455,7 @@ class LookupModule(LookupBase):
 
         res = []
         dterms = collections.deque(terms)
-        machines_roles = None  # TODO : Cache this.
+
         display.vvv("Lookup terms are {}".format(terms))
         while dterms:
             term = dterms.popleft()
@@ -411,10 +467,7 @@ class LookupModule(LookupBase):
             elif term == 'get_role':
                 try:
                     role_name = dterms.popleft()
-                    roles, machines_roles = self._get_role(api_client,
-                                                           role_name,
-                                                           machines_roles,
-                                                           )
+                    roles = self._get_role(api_client, role_name)
                     res.append(roles)
                 except IndexError:
                     display.v("Error in re2oapi : No role_name provided")
@@ -429,59 +482,153 @@ class LookupModule(LookupBase):
                                        .format(to_native(e)))
         return res
 
+    def _get_cache(self, key):
+        if self._cache:
+            return self._cache.get(key)
+        else:
+            return None
+
+    def _set_cache(self, key, value):
+        if self._cache:
+            return self._cache.set(key, value)
+        else:
+            return None
+
+    def _is_cached(self, key):
+        if self._cache:
+            return self._cache.contains(key)
+        else:
+            return False
+
     def _getzones(self, api_client):
         display.v("Getting dns zone names")
-        zones = api_client.list('dns/zones')
-        zones_name = [zone["name"][1:] for zone in zones]
+        zones, zones_name = None, None
+
+        if self._is_cached('dnszones'):
+            zones_name = self._get_cache('dnszones')
+
+        if zones_name is not None:
+            display.vvv("Found dnszones in cache.")
+
+        else:
+            if self._is_cached('dns_zones'):
+                zones = self._get_cache('dns_zones')
+            if zones is not None:
+                display.vvv("Found dns/zones in cache.")
+            else:
+                display.vvv("Contacting the API, endpoint dns/zones...")
+                zones = api_client.list('dns/zones')
+                display.vvv("...Done")
+            zones_name = [zone["name"][1:] for zone in zones]
+            display.vvv("Storing dnszones in cache.")
+            self._set_cache('dnszones', zones_name)
+
         return zones_name
 
     def _getreverse(self, api_client):
         display.v("Getting dns reverse zones")
-        display.vvv("Contacting the API, endpoint dns/reverse-zones...")
-        zones = api_client.list('dns/reverse-zones')
-        display.vvv("...Done")
-        res = []
-        for zone in zones:
-            if zone['ptr_records']:
-                display.vvv('Found PTR records')
-                subnets = []
-                for net in zone['cidrs']:
-                    net = netaddr.IPNetwork(net)
-                    if net.prefixlen > 24:
-                        subnets.extend(net.subnet(32))
-                    elif net.prefixlen > 16:
-                        subnets.extend(net.subnet(24))
-                    elif net.prefixlen > 8:
-                        subnets.extend(net.subnet(16))
-                    else:
-                        subnets.extend(net.subnet(8))
-                for subnet in subnets:
-                    _address = netaddr.IPAddress(subnet.first)
-                    rev_dns_a = _address.reverse_dns.split('.')[:-1]
-                    if subnet.prefixlen == 8:
-                        zone_name = '.'.join(rev_dns_a[3:])
-                    elif subnet.prefixlen == 16:
-                        zone_name = '.'.join(rev_dns_a[2:])
-                    elif subnet.prefixlen == 24:
-                        zone_name = '.'.join(rev_dns_a[1:])
-                    res.append(zone_name)
-                    display.vvv("Found reverse zone {}".format(zone_name))
+
+        zones, res = None, None
+
+        if self._is_cached('dnsreverse'):
+            res = self._get_cache('dnsreverse')
+
+        if res is not None:
+            display.vvv("Found dnsreverse in cache.")
+
+        else:
+            if self._is_cached('dns_reverse-zones'):
+                zones = self._get_cache('dns_reverse-zones')
+
+            if zones is not None:
+                display.vvv("Found dns/reverse-zones in cache.")
+            else:
+                display.vvv("Contacting the API, endpoint dns/reverse-zones..")
+                zones = api_client.list('dns/reverse-zones')
+                display.vvv("...Done")
+
+            display.vvv("Trying to format dns reverse in a nice way.")
+            res = []
+            for zone in zones:
+                if zone['ptr_records']:
+                    display.vvv('Found PTR records')
+                    subnets = []
+                    for net in zone['cidrs']:
+                        net = netaddr.IPNetwork(net)
+                        if net.prefixlen > 24:
+                            subnets.extend(net.subnet(32))
+                        elif net.prefixlen > 16:
+                            subnets.extend(net.subnet(24))
+                        elif net.prefixlen > 8:
+                            subnets.extend(net.subnet(16))
+                        else:
+                            subnets.extend(net.subnet(8))
+
+                    for subnet in subnets:
+                        _address = netaddr.IPAddress(subnet.first)
+                        rev_dns_a = _address.reverse_dns.split('.')[:-1]
+                        if subnet.prefixlen == 8:
+                            zone_name = '.'.join(rev_dns_a[3:])
+                        elif subnet.prefixlen == 16:
+                            zone_name = '.'.join(rev_dns_a[2:])
+                        elif subnet.prefixlen == 24:
+                            zone_name = '.'.join(rev_dns_a[1:])
+                        res.append(zone_name)
+                        display.vvv("Found reverse zone {}".format(zone_name))
+
                 if zone['ptr_v6_records']:
                     display.vvv("Found PTR v6 record")
-                    net = netaddr.IPNetwork(zone['prefix_v6']+'/'+str(zone['prefix_v6_length']))
-                    net_class = max(((net.prefixlen -1) // 4) +1, 1)
+                    net = netaddr.IPNetwork(zone['prefix_v6']
+                                            + '/'
+                                            + str(zone['prefix_v6_length']))
+                    net_class = max(((net.prefixlen - 1) // 4) + 1, 1)
                     zone6_name = ".".join(
-                        netaddr.IPAddress(net.first).reverse_dns.split('.')[32 - net_class:])[:-1]
+                        netaddr.IPAddress(net.first)
+                        .reverse_dns.split('.')[32 - net_class:])[:-1]
                     res.append(zone6_name)
                     display.vvv("Found reverse zone {}".format(zone6_name))
-        return list(set(res))
+
+            display.vvv("Storing dns reverse zones in cache.")
+            self._set_cache('dnsreverse', list(set(res)))
+
+        return res
 
     def _rawquery(self, api_client, endpoint):
-        display.v("Make a raw query to endpoint {}".format(endpoint))
-        return api_client.list(endpoint)
-
-    def _get_role(self, api_client, role_name, machines_roles):
-        if machines_roles is None:
-            machines_roles = api_client.list("machines/role")
-        return list(filter(lambda machine: machine["role_type"] == role_name,
-                           machines_roles)), machines_roles
+        res = None
+        if self._is_cached(endpoint.replace('/', '_')):
+            res = self._get_cache(endpoint.replace('/', '_'))
+        if res is not None:
+            display.vvv("Found {} in cache.".format(endpoint))
+        else:
+            display.v("Making a raw query {host}/api/{endpoint}"
+                      .format(host=self.api_hostname, endpoint=endpoint))
+            res = api_client.list(endpoint)
+            display.vvv("Storing result in cache.")
+            self._set_cache(endpoint.replace('/', '_'), res)
+        return res
+
+    def _get_role(self, api_client, role_name):
+        res, machines_roles = None, None
+
+        if self._is_cached(role_name):
+            res = self._get_cache(role_name)
+
+        if res is not None:
+            display.vvv("Found {} in cache.".format(role_name))
+        else:
+            if self._is_cached("machines_role"):
+                machines_roles = self._get_cache("machines_role")
+
+            if machines_roles is not None:
+                display.vvv("Found machines/roles in cache.")
+            else:
+                machines_roles = api_client.list("machines/role")
+                display.vvv("Storing machines/role in cache.")
+                self._set_cache("machines_role", machines_roles)
+
+            res = list(filter(lambda m: m["role_type"] == role_name,
+                              machines_roles))
+            display.vvv("Storing {} in cache.".format(role_name))
+            self._set_cache(role_name, res)
+
+        return res
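Review bot: `_rawquery` formats its log line with `self.api_hostname`, but `__init__` in this same patch stores the value as `self._api_hostname`; unless `api_hostname` is assigned somewhere outside these hunks, the first cache miss in `_rawquery` raises `AttributeError`, so it should read `.format(host=self._api_hostname, endpoint=endpoint))`. In `_getreverse` the miss path caches `list(set(res))` but returns the raw `res`, so the first call yields duplicates in insertion order while later (cached) calls yield the deduplicated list, whereas the removed code always returned `list(set(res))`; assign `res = list(set(res))` before `self._set_cache('dnsreverse', res)` and return that. `_get_role` uses the bare `role_name` as its cache key in the same flat namespace as `dnszones`, `dnsreverse`, `machines_role` and the `endpoint.replace('/', '_')` keys from `_rawquery`, so a role named like one of those is served from the wrong entry, and if the jsonfile plugin derives a file name from the key (as it appears to) path characters in a role name end up in that name; prefix and sanitise it once, e.g. `cache_key = "role_" + role_name.replace('/', '_')`, and use `cache_key` in the three cache calls.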
-- 
GitLab


From c103710745a0feeb060738e6ba82223b14331330 Mon Sep 17 00:00:00 2001
From: Bombar Maxime <bombar@crans.org>
Date: Wed, 29 Apr 2020 10:53:58 +0200
Subject: [PATCH 02/55] [rsync-client] Add wireguard interface. Enable backups
 on sputnik.

---
 roles/rsync-client/tasks/main.yml           | 4 ++++
 roles/rsync-client/templates/rsyncd.conf.j2 | 5 +++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/roles/rsync-client/tasks/main.yml b/roles/rsync-client/tasks/main.yml
index 13c9f44c..2647c076 100644
--- a/roles/rsync-client/tasks/main.yml
+++ b/roles/rsync-client/tasks/main.yml
@@ -30,3 +30,7 @@
     name: rsync
     enabled: true
     state: started
+
+- name: TODO
+  debug:
+    msg: Make use of the lookup plugin to avoid hardcoding things ?
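Review bot: A `debug` task named `TODO` prints this reminder on every run of the role for every host, which is noise in play output and shows up as a task in reports. A YAML comment at the same spot, `# TODO: use the re2oapi lookup plugin instead of hardcoding hosts allow`, carries the reminder without executing anything.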
diff --git a/roles/rsync-client/templates/rsyncd.conf.j2 b/roles/rsync-client/templates/rsyncd.conf.j2
index e3ed5ade..bea4fc7c 100644
--- a/roles/rsync-client/templates/rsyncd.conf.j2
+++ b/roles/rsync-client/templates/rsyncd.conf.j2
@@ -34,13 +34,14 @@ address = {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.ad
 path = /var
 auth users = backupcrans
 secrets file = /etc/rsyncd.secrets
-hosts allow = zephir.adm.crans.org 10.231.136.6
+hosts allow = zephir.adm.crans.org 10.231.136.6 {% if ansible_hostname == "sputnik" %}172.31.0.1{% endif %}
+
 
 [slash]
 path = /
 auth users = backupcrans
 secrets file = /etc/rsyncd.secrets
-hosts allow = zephir.adm.crans.org 10.231.136.6
+hosts allow = zephir.adm.crans.org 10.231.136.6 {% if ansible_hostname == "sputnik" %}172.31.0.1{% endif %}
 
 {# rsync readonly pour le miroir #}
 {% if ansible_hostname == "charybde" %}
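Review bot: The WireGuard peer address `172.31.0.1` and the `ansible_hostname == "sputnik"` test are now spelled out twice, once per `hosts allow` line, so the two stanzas can drift and every further backup client means editing each module by hand; the TODO task added in the same commit points the same way. Define one list variable in host/group vars (for example `rsync_hosts_allow`, constructed name) and render `hosts allow = {{ rsync_hosts_allow | join(' ') }}` in both stanzas. The inline `{% if %}` also leaves a trailing space on the line, and the extra blank line added after the first stanza is not needed.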
-- 
GitLab


From 8e1062459b38a9060d0bf3da8b4457ac7ee6131f Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 20 Apr 2020 18:56:42 +0200
Subject: [PATCH 03/55] [interfaces] Deploy /etc/network/interfaces for adm

---
 interfaces.yml                                  | 12 ++++++++++++
 roles/interfaces/tasks/main.yml                 |  7 +++++++
 .../templates/network/interfaces.d/02-adm.j2    | 17 +++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100755 interfaces.yml
 create mode 100644 roles/interfaces/tasks/main.yml
 create mode 100644 roles/interfaces/templates/network/interfaces.d/02-adm.j2

diff --git a/interfaces.yml b/interfaces.yml
new file mode 100755
index 00000000..0d028edc
--- /dev/null
+++ b/interfaces.yml
@@ -0,0 +1,12 @@
+#!/usr/bin/env ansible-playbook
+---
+# Set variable adm_iface for all servers
+- hosts: server
+  tasks:
+    - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+      register: adm_iface
+      check_mode: no
+
+- hosts: boeing.adm.crans.org
+  roles:
+    - interfaces
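Review bot: `grep adm /sys/class/net/*/ifalias` matches `adm` anywhere in any alias, and when more than one interface matches (or an alias merely contains the substring) `adm_iface.stdout` holds several lines, which then breaks the `'ansible_' + adm_iface.stdout` lookup in the template; `grep -x adm /sys/class/net/*/ifalias | sed ...` keeps the same output format while matching the whole alias line only. The task is a read-only probe but `shell` reports changed on every run, so add `changed_when: false` next to `check_mode: no`.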
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
new file mode 100644
index 00000000..095878e4
--- /dev/null
+++ b/roles/interfaces/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Deploy adm interface config
+  template:
+    src: network/interfaces.d/02-adm.j2
+    dest: /etc/network/interfaces.d/02-adm
+    mode: 0644
+  when: adm_iface.stdout
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
new file mode 100644
index 00000000..79cbe5fa
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -0,0 +1,17 @@
+{{ ansible_header | comment }}
+
+allow-hotplug {{ adm_iface.stdout }}
+iface {{ adm_iface.stdout }} inet static
+	address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.address }}
+	network {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.network }}
+	netmask {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.netmask }}
+	broadcast {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.broadcast }}
+	dns-nameservers 10.231.136.152 10.231.136.4
+	dns-search adm.crans.org
+	up /sbin/ip link set $IFACE alias adm
+
+iface {{ adm_iface.stdout }} inet6 static
+	address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }}
+	autoconf 1
+	accept_ra 2
+	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
-- 
GitLab


From d21a2116af4a1e24fd84df93ec1b056671915834 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 20 Apr 2020 19:46:47 +0200
Subject: [PATCH 04/55] [interfaces] Deploy /etc/network/interfaces for srv and
 ens

---
 interfaces.yml                                | 12 +++++++++++
 roles/interfaces/tasks/main.yml               | 20 +++++++++++++++++++
 .../templates/network/interfaces.d/00-srv.j2  | 19 ++++++++++++++++++
 .../templates/network/interfaces.d/01-ens.j2  | 19 ++++++++++++++++++
 .../templates/network/interfaces.d/02-adm.j2  |  6 ++----
 .../templates/network/interfaces.j2           | 10 ++++++++++
 6 files changed, 82 insertions(+), 4 deletions(-)
 create mode 100644 roles/interfaces/templates/network/interfaces.d/00-srv.j2
 create mode 100644 roles/interfaces/templates/network/interfaces.d/01-ens.j2
 create mode 100644 roles/interfaces/templates/network/interfaces.j2

diff --git a/interfaces.yml b/interfaces.yml
index 0d028edc..872d81ee 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -6,7 +6,19 @@
     - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
       register: adm_iface
       check_mode: no
+    - shell: grep srv /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+      register: srv_iface
+      check_mode: no
+    - shell: grep ens /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+      register: ens_iface
+      check_mode: no
 
 - hosts: boeing.adm.crans.org
+  vars:
+    - adm_dns: 10.231.136.152 10.231.136.4
+    - srv_gateway: 185.230.79.254
+    - srv_dns: 185.230.79.152 185.230.79.4
+    - ens_gateway: 138.231.136.254
+    - ens_dns: 138.231.136.152 138.231.136.4
   roles:
     - interfaces
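Review bot: Play `vars` is written as a list of single-key mappings (`- adm_dns: ...`), which Ansible accepts for play vars but is the less common form; a plain mapping, `vars:` / `  srv_gateway: 185.230.79.254` / `  srv_dns: 185.230.79.152 185.230.79.4` and so on, is the documented shape and avoids the confusion of a list that is not iterated. The three probe tasks differ only in the alias string; the same substring-match and `changed_when: false` remarks made on the earlier `adm` probe apply to `srv` and `ens` too. Gateways and resolvers are per-host data, so host_vars for boeing would keep the playbook itself generic.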
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index 095878e4..336a267d 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -1,4 +1,24 @@
 ---
+- name: Deploy default interfaces config
+  template:
+    src: network/interfaces.j2
+    dest: /etc/network/interfaces
+    mode: 0644
+
+- name: Deploy srv interface config
+  template:
+    src: network/interfaces.d/00-srv.j2
+    dest: /etc/network/interfaces.d/00-srv
+    mode: 0644
+  when: srv_iface.stdout
+
+- name: Deploy ens interface config
+  template:
+    src: network/interfaces.d/01-ens.j2
+    dest: /etc/network/interfaces.d/01-ens
+    mode: 0644
+  when: ens_iface.stdout
+
 - name: Deploy adm interface config
   template:
     src: network/interfaces.d/02-adm.j2
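Review bot: `Deploy default interfaces config` overwrites `/etc/network/interfaces` unconditionally, while every per-interface task below is guarded by `when: *_iface.stdout`; on a host where no alias matches, the result is a file that only sources an empty `interfaces.d` plus `lo`, i.e. the host loses its network configuration at the next ifup or reboot. Guard it the same way, `when: srv_iface.stdout or ens_iface.stdout or adm_iface.stdout`, and add `backup: true` to the template task so the previous file is preserved. The `Deploy adm interface config` task at the end of the hunk continues outside it.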
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
new file mode 100644
index 00000000..4c7468a1
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -0,0 +1,19 @@
+{{ ansible_header | comment }}
+
+allow-hotplug {{ srv_iface.stdout }}
+iface {{ srv_iface.stdout }} inet static
+	address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.address }}
+	network {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.network }}
+	netmask {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.netmask }}
+	broadcast {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.broadcast }}
+	gateway {{ srv_gateway }}
+	mtu 1496
+	dns-nameservers {{ srv_dns }}
+	dns-search crans.org
+	up /sbin/ip link set $IFACE alias srv
+
+iface {{ srv_iface.stdout }} inet6 static
+	address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].prefix }}
+	autoconf 1
+	accept_ra 2
+	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
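Review bot: The inet6 stanza combines a static address with `autoconf 1` and `accept_ra 2`; `accept_ra 2` makes the kernel honour router advertisements even with forwarding enabled, so the server takes its default route and extra prefixes from whatever sends RAs on the link rather than from this file. If a static configuration is intended, drop `autoconf`/`accept_ra` and the `accept_ra_defrtr` sysctl and set `gateway` explicitly; if RAs are intended on these segments, say so in a comment above the stanza, e.g. `{# v6 default route comes from RAs on this segment, hence accept_ra 2 #}`. The same stanza is duplicated in `01-ens.j2` in this commit, while `02-adm.j2` loses these lines in the same commit, so the templates now disagree without the reason being recorded.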
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
new file mode 100644
index 00000000..d168be5d
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -0,0 +1,19 @@
+{{ ansible_header | comment }}
+
+allow-hotplug {{ ens_iface.stdout }}
+iface {{ ens_iface.stdout }} inet static
+	address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.address }}
+	network {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.network }}
+	netmask {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.netmask }}
+	broadcast {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.broadcast }}
+	gateway {{ ens_gateway }}
+	mtu 1496
+	dns-nameservers {{ ens_dns }}
+	dns-search crans.org
+	up /sbin/ip link set $IFACE alias ens
+
+iface {{ ens_iface.stdout }} inet6 static
+	address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].prefix }}
+	autoconf 1
+	accept_ra 2
+	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index 79cbe5fa..d0b5b833 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -6,12 +6,10 @@ iface {{ adm_iface.stdout }} inet static
 	network {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.network }}
 	netmask {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.netmask }}
 	broadcast {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.broadcast }}
-	dns-nameservers 10.231.136.152 10.231.136.4
+	mtu 1496
+	dns-nameservers {{ adm_dns }}
 	dns-search adm.crans.org
 	up /sbin/ip link set $IFACE alias adm
 
 iface {{ adm_iface.stdout }} inet6 static
 	address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }}
-	autoconf 1
-	accept_ra 2
-	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
diff --git a/roles/interfaces/templates/network/interfaces.j2 b/roles/interfaces/templates/network/interfaces.j2
new file mode 100644
index 00000000..0c339966
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.j2
@@ -0,0 +1,10 @@
+{{ ansible_header | comment }}
+
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
-- 
GitLab


From 210fc18a988f4aea5dcaadbce7cec6cccd136087 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 20 Apr 2020 20:45:00 +0200
Subject: [PATCH 05/55] [interfaces] Add supplementary lines from local facts

---
 .../interfaces/templates/network/interfaces.d/01-ens.j2  | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index d168be5d..c7a34671 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -11,6 +11,15 @@ iface {{ ens_iface.stdout }} inet static
 	dns-nameservers {{ ens_dns }}
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias ens
+{% if 'interfaces' in ansible_local %}
+{% if ens_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_4' in ansible_local.interfaces[ens_iface.stdout] %}
+{% for line in ansible_local.interfaces[ens_iface.stdout].sup_if_4 %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
 
 iface {{ ens_iface.stdout }} inet6 static
 	address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].prefix }}
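Review bot: Three nested `{% if %}` blocks just to guard a dictionary path can be one expression: `{% for line in ansible_local.get('interfaces', {}).get(ens_iface.stdout, {}).get('sup_if_4', []) %}`. The lines come from local facts on the managed host itself (by default `/etc/ansible/facts.d`) and are rendered verbatim into a file whose `up`/`pre-up` entries run as root at ifup, so the ownership and permissions of that facts file are the trust boundary here; a comment stating that, e.g. `{# sup_if_4: extra stanza lines supplied by the host's own local facts, rendered verbatim #}`, would help the next reader.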
-- 
GitLab


From 32e24ff38a3190217497ac5cd399f5eaef1ebdf4 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 20 Apr 2020 22:27:17 +0200
Subject: [PATCH 06/55] [interfaces] Add supplementary lines from local facts
 to all interfaces

---
 .../templates/network/interfaces.d/00-srv.j2   | 18 ++++++++++++++++++
 .../templates/network/interfaces.d/01-ens.j2   |  9 +++++++++
 .../templates/network/interfaces.d/02-adm.j2   | 18 ++++++++++++++++++
 3 files changed, 45 insertions(+)

diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 4c7468a1..7fc0390f 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -11,9 +11,27 @@ iface {{ srv_iface.stdout }} inet static
 	dns-nameservers {{ srv_dns }}
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias srv
+{% if 'interfaces' in ansible_local %}
+{% if srv_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_4' in ansible_local.interfaces[srv_iface.stdout] %}
+{% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_4 %}
+        {{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
 
 iface {{ srv_iface.stdout }} inet6 static
 	address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].prefix }}
 	autoconf 1
 	accept_ra 2
 	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
+{% if 'interfaces' in ansible_local %}
+{% if srv_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_6' in ansible_local.interfaces[srv_iface.stdout] %}
+{% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_6 %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
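Review bot: The `sup_if_4` loop body `        {{ line }}` is indented with spaces while every other stanza line in this file and the `sup_if_6` block below use a tab, so the rendered file mixes both; use a tab there for consistency. This nine-line guard/loop block is now repeated six times across `00-srv.j2`, `01-ens.j2` and `02-adm.j2`; a Jinja macro taking the interface name and the `sup_if_4`/`sup_if_6` key (or the single `.get()` chain form) defined once would keep them in sync.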
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index c7a34671..e94243b1 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -26,3 +26,12 @@ iface {{ ens_iface.stdout }} inet6 static
 	autoconf 1
 	accept_ra 2
 	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
+{% if 'interfaces' in ansible_local %}
+{% if ens_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_6' in ansible_local.interfaces[ens_iface.stdout] %}
+{% for line in ansible_local.interfaces[ens_iface.stdout].sup_if_6 %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index d0b5b833..bd928eae 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -10,6 +10,24 @@ iface {{ adm_iface.stdout }} inet static
 	dns-nameservers {{ adm_dns }}
 	dns-search adm.crans.org
 	up /sbin/ip link set $IFACE alias adm
+{% if 'interfaces' in ansible_local %}
+{% if adm_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_4' in ansible_local.interfaces[adm_iface.stdout] %}
+{% for line in ansible_local.interfaces[adm_iface.stdout].sup_if_4 %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
 
 iface {{ adm_iface.stdout }} inet6 static
 	address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }}
+{% if 'interfaces' in ansible_local %}
+{% if adm_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_6' in ansible_local.interfaces[adm_iface.stdout] %}
+{% for line in ansible_local.interfaces[adm_iface.stdout].sup_if_6 %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
-- 
GitLab


From 382548c6333eadd45025390d97825f962d0f4d2b Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 08:50:46 +0200
Subject: [PATCH 07/55] [interfaces] Configure fil interface

---
 interfaces.yml                                | 15 +++++---
 roles/interfaces/tasks/main.yml               |  7 ++++
 .../templates/network/interfaces.d/00-srv.j2  |  2 +-
 .../templates/network/interfaces.d/21-fil.j2  | 34 +++++++++++++++++++
 4 files changed, 52 insertions(+), 6 deletions(-)
 create mode 100644 roles/interfaces/templates/network/interfaces.d/21-fil.j2

diff --git a/interfaces.yml b/interfaces.yml
index 872d81ee..e637a5cc 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -3,22 +3,27 @@
 # Set variable adm_iface for all servers
 - hosts: server
   tasks:
-    - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
-      register: adm_iface
-      check_mode: no
     - shell: grep srv /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
       register: srv_iface
       check_mode: no
     - shell: grep ens /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
       register: ens_iface
       check_mode: no
+    - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+      register: adm_iface
+      check_mode: no
+    - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+      register: fil_iface
+      check_mode: no
 
-- hosts: boeing.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org
   vars:
-    - adm_dns: 10.231.136.152 10.231.136.4
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4
     - ens_gateway: 138.231.136.254
     - ens_dns: 138.231.136.152 138.231.136.4
+    - adm_dns: 10.231.136.152 10.231.136.4
+    - fil_gateway: 10.54.0.254
+    - fil_dns: 10.54.0.152 10.54.0.4
   roles:
     - interfaces
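Review bot: The re-added `grep adm …` and the new `grep fil …` probes match the alias as a substring of any line in /sys/class/net/*/ifalias, so an alias such as `admin` or `fil-old` would also be selected, and with two matches `adm_iface.stdout` becomes a two-line string that is still truthy for `when:` and is pasted into the `iface` line of the template. Anchoring the match keeps the rest of the pipeline unchanged: `shell: grep -x adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"`. These are read-only probes, so `changed_when: false` next to `check_mode: no` would stop every run from reporting them as changed; note that the no-match case only works because grep's non-zero status is masked by the trailing `sed`. The adh, borne and switch probes added in PATCH 13, 17 and 21 have the same shape.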
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index 336a267d..d9751a36 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -25,3 +25,10 @@
     dest: /etc/network/interfaces.d/02-adm
     mode: 0644
   when: adm_iface.stdout
+
+- name: Deploy fil interface config
+  template:
+    src: network/interfaces.d/21-fil.j2
+    dest: /etc/network/interfaces.d/21-fil
+    mode: 0644
+  when: fil_iface.stdout
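Review bot: `mode: 0644` in the new task is an unquoted YAML scalar; a YAML 1.1 loader reads it as the octal integer Ansible expects, but a YAML 1.2 parser, or a later edit that drops the leading zero, silently turns it into decimal and yields different permission bits. Ansible's documentation recommends quoting it: `mode: "0644"`. Since the destination is /etc/network/interfaces.d, adding explicit `owner: root` and `group: root` would also pin ownership instead of relying on whichever user the play connects as. The borne, switch and adh tasks added in PATCH 12, 17 and 21 use the same unquoted literal.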
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 7fc0390f..1367d156 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -15,7 +15,7 @@ iface {{ srv_iface.stdout }} inet static
 {% if srv_iface.stdout in ansible_local.interfaces %}
 {% if 'sup_if_4' in ansible_local.interfaces[srv_iface.stdout] %}
 {% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_4 %}
-        {{ line }}
+	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
new file mode 100644
index 00000000..469f0531
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+
+allow-hotplug {{ fil_iface.stdout }}
+iface {{ fil_iface.stdout }} inet static
+	address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.address }}
+	network {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.network }}
+	netmask {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.netmask }}
+	broadcast {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.broadcast }}
+	gateway {{ fil_gateway }}
+	mtu 1496
+	dns-nameservers {{ fil_dns }}
+	dns-search fil.crans.org
+	up /sbin/ip link set $IFACE alias fil
+{% if 'interfaces' in ansible_local %}
+{% if fil_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_4' in ansible_local.interfaces[fil_iface.stdout] %}
+{% for line in ansible_local.interfaces[fil_iface.stdout].sup_if_4 %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+
+iface {{ fil_iface.stdout }} inet6 static
+	address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].prefix }}
+{% if 'interfaces' in ansible_local %}
+{% if fil_iface.stdout in ansible_local.interfaces %}
+{% if 'sup_if_6' in ansible_local.interfaces[fil_iface.stdout] %}
+{% for line in ansible_local.interfaces[fil_iface.stdout].sup_if_6 %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
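Review bot: The inet6 stanza dereferences `ipv6[0]` unconditionally, so on a host whose fil interface currently carries no IPv6 address the fact has no `ipv6` key and the template fails with an undefined-variable error even though `when: fil_iface.stdout` passed. Because the address is copied from live facts rather than from inventory, index 0 is also simply whatever address is listed first — on a host with only a link-local fe80:: address that is what gets persisted as the static address. Guard the stanza, e.g. `{% if hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6 is defined %}` … `{% endif %}`, or select a non-link-local entry before indexing. The 23-adh.j2 (PATCH 12) and 03-borne.j2 (PATCH 17) templates introduced later carry the same unguarded `ipv6[0]`.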
-- 
GitLab


From 9e263ee31bbfcac69873cd23f7aaa1e81d5ce5d3 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 09:57:02 +0200
Subject: [PATCH 08/55] [interfaces] Change interfaces.fact format

---
 .../templates/network/interfaces.d/00-srv.j2         | 12 ++++++------
 .../templates/network/interfaces.d/01-ens.j2         | 12 ++++++------
 .../templates/network/interfaces.d/02-adm.j2         | 12 ++++++------
 .../templates/network/interfaces.d/21-fil.j2         | 12 ++++++------
 4 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 1367d156..9e934d98 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -12,9 +12,9 @@ iface {{ srv_iface.stdout }} inet static
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias srv
 {% if 'interfaces' in ansible_local %}
-{% if srv_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_4' in ansible_local.interfaces[srv_iface.stdout] %}
-{% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_4 %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if srv_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[srv_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
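Review bot: The template now reads `ansible_local.interfaces.sup_if_4[srv_iface.stdout]`, but nothing in this commit migrates the interfaces.fact file on the managed hosts, and the guards make an old-format fact fail silently: `'sup_if_4' in ansible_local.interfaces` is just false, so whatever supplementary lines the fact carries (presumably routes or `up` hooks) vanish from the rendered file on the next run without any error. Until every host is converted it would be safer to fail loudly — for instance an `assert:` task in the role that rejects a non-empty `ansible_local.interfaces` containing neither `sup_if_4` nor `sup_if_6` — or at least a comment at the top of this block stating the expected fact layout. The same guard rewrite is made in the other seven hunks of this commit (01-ens, 02-adm, 21-fil and each inet6 stanza).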
@@ -27,9 +27,9 @@ iface {{ srv_iface.stdout }} inet6 static
 	accept_ra 2
 	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
 {% if 'interfaces' in ansible_local %}
-{% if srv_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_6' in ansible_local.interfaces[srv_iface.stdout] %}
-{% for line in ansible_local.interfaces[srv_iface.stdout].sup_if_6 %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if srv_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[srv_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index e94243b1..ac2bed20 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -12,9 +12,9 @@ iface {{ ens_iface.stdout }} inet static
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias ens
 {% if 'interfaces' in ansible_local %}
-{% if ens_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_4' in ansible_local.interfaces[ens_iface.stdout] %}
-{% for line in ansible_local.interfaces[ens_iface.stdout].sup_if_4 %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ens_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[ens_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
@@ -27,9 +27,9 @@ iface {{ ens_iface.stdout }} inet6 static
 	accept_ra 2
 	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
 {% if 'interfaces' in ansible_local %}
-{% if ens_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_6' in ansible_local.interfaces[ens_iface.stdout] %}
-{% for line in ansible_local.interfaces[ens_iface.stdout].sup_if_6 %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ens_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[ens_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index bd928eae..dce7c3e4 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -11,9 +11,9 @@ iface {{ adm_iface.stdout }} inet static
 	dns-search adm.crans.org
 	up /sbin/ip link set $IFACE alias adm
 {% if 'interfaces' in ansible_local %}
-{% if adm_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_4' in ansible_local.interfaces[adm_iface.stdout] %}
-{% for line in ansible_local.interfaces[adm_iface.stdout].sup_if_4 %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if adm_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[adm_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
@@ -23,9 +23,9 @@ iface {{ adm_iface.stdout }} inet static
 iface {{ adm_iface.stdout }} inet6 static
 	address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }}
 {% if 'interfaces' in ansible_local %}
-{% if adm_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_6' in ansible_local.interfaces[adm_iface.stdout] %}
-{% for line in ansible_local.interfaces[adm_iface.stdout].sup_if_6 %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if adm_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[adm_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
index 469f0531..f9453e0f 100644
--- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2
+++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
@@ -12,9 +12,9 @@ iface {{ fil_iface.stdout }} inet static
 	dns-search fil.crans.org
 	up /sbin/ip link set $IFACE alias fil
 {% if 'interfaces' in ansible_local %}
-{% if fil_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_4' in ansible_local.interfaces[fil_iface.stdout] %}
-{% for line in ansible_local.interfaces[fil_iface.stdout].sup_if_4 %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if fil_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[fil_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
@@ -24,9 +24,9 @@ iface {{ fil_iface.stdout }} inet static
 iface {{ fil_iface.stdout }} inet6 static
 	address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].prefix }}
 {% if 'interfaces' in ansible_local %}
-{% if fil_iface.stdout in ansible_local.interfaces %}
-{% if 'sup_if_6' in ansible_local.interfaces[fil_iface.stdout] %}
-{% for line in ansible_local.interfaces[fil_iface.stdout].sup_if_6 %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if fil_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[fil_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
-- 
GitLab


From c108c019337a531235eebc2faa45e0ce578b2200 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 12:06:26 +0200
Subject: [PATCH 09/55] [interfaces] Alias ansible facts

---
 .../templates/network/interfaces.d/00-srv.j2          | 11 ++++++-----
 .../templates/network/interfaces.d/01-ens.j2          | 11 ++++++-----
 .../templates/network/interfaces.d/02-adm.j2          | 11 ++++++-----
 .../templates/network/interfaces.d/21-fil.j2          | 11 ++++++-----
 4 files changed, 24 insertions(+), 20 deletions(-)

diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 9e934d98..53151878 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -1,11 +1,12 @@
 {{ ansible_header | comment }}
 
+{% set srv = hostvars[inventory_hostname]['ansible_' + srv_iface.stdout] %}
 allow-hotplug {{ srv_iface.stdout }}
 iface {{ srv_iface.stdout }} inet static
-	address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.address }}
-	network {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.network }}
-	netmask {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.netmask }}
-	broadcast {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv4.broadcast }}
+	address {{ srv.ipv4.address }}
+	network {{ srv.ipv4.network }}
+	netmask {{ srv.ipv4.netmask }}
+	broadcast {{ srv.ipv4.broadcast }}
 	gateway {{ srv_gateway }}
 	mtu 1496
 	dns-nameservers {{ srv_dns }}
@@ -22,7 +23,7 @@ iface {{ srv_iface.stdout }} inet static
 {% endif %}
 
 iface {{ srv_iface.stdout }} inet6 static
-	address {{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + srv_iface.stdout].ipv6[0].prefix }}
+	address {{ srv.ipv6[0].address }}/{{ srv.ipv6[0].prefix }}
 	autoconf 1
 	accept_ra 2
 	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
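Review bot: The new `{% set srv = hostvars[inventory_hostname]['ansible_' + srv_iface.stdout] %}` is the one place to handle interface names that Ansible rewrites in its fact keys: facts for a VLAN or bridge sub-interface such as `eno1.100` or `br-adm` are exposed with dots and hyphens replaced by underscores (worth confirming against the installed Ansible), so the lookup as written would raise an undefined-variable error on such a host. `{% set srv = hostvars[inventory_hostname]['ansible_' + (srv_iface.stdout | replace('-', '_') | replace('.', '_'))] %}` keeps the rest of the template unchanged. The same `set` line is introduced for ens, adm and fil in the other hunks of this commit.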
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index ac2bed20..62cb77fc 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -1,11 +1,12 @@
 {{ ansible_header | comment }}
 
+{% set ens = hostvars[inventory_hostname]['ansible_' + ens_iface.stdout] %}
 allow-hotplug {{ ens_iface.stdout }}
 iface {{ ens_iface.stdout }} inet static
-	address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.address }}
-	network {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.network }}
-	netmask {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.netmask }}
-	broadcast {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv4.broadcast }}
+	address {{ ens.ipv4.address }}
+	network {{ ens.ipv4.network }}
+	netmask {{ ens.ipv4.netmask }}
+	broadcast {{ ens.ipv4.broadcast }}
 	gateway {{ ens_gateway }}
 	mtu 1496
 	dns-nameservers {{ ens_dns }}
@@ -22,7 +23,7 @@ iface {{ ens_iface.stdout }} inet static
 {% endif %}
 
 iface {{ ens_iface.stdout }} inet6 static
-	address {{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + ens_iface.stdout].ipv6[0].prefix }}
+	address {{ ens.ipv6[0].address }}/{{ ens.ipv6[0].prefix }}
 	autoconf 1
 	accept_ra 2
 	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index dce7c3e4..95991513 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -1,11 +1,12 @@
 {{ ansible_header | comment }}
 
+{% set adm = hostvars[inventory_hostname]['ansible_' + adm_iface.stdout] %}
 allow-hotplug {{ adm_iface.stdout }}
 iface {{ adm_iface.stdout }} inet static
-	address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.address }}
-	network {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.network }}
-	netmask {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.netmask }}
-	broadcast {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv4.broadcast }}
+	address {{ adm.ipv4.address }}
+	network {{ adm.ipv4.network }}
+	netmask {{ adm.ipv4.netmask }}
+	broadcast {{ adm.ipv4.broadcast }}
 	mtu 1496
 	dns-nameservers {{ adm_dns }}
 	dns-search adm.crans.org
@@ -21,7 +22,7 @@ iface {{ adm_iface.stdout }} inet static
 {% endif %}
 
 iface {{ adm_iface.stdout }} inet6 static
-	address {{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + adm_iface.stdout].ipv6[0].prefix }}
+	address {{ adm.ipv6[0].address }}/{{ adm.ipv6[0].prefix }}
 {% if 'interfaces' in ansible_local %}
 {% if 'sup_if_6' in ansible_local.interfaces %}
 {% if adm_iface.stdout in ansible_local.interfaces.sup_if_6 %}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
index f9453e0f..0e08910a 100644
--- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2
+++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
@@ -1,11 +1,12 @@
 {{ ansible_header | comment }}
 
+{% set fil = hostvars[inventory_hostname]['ansible_' + fil_iface.stdout] %}
 allow-hotplug {{ fil_iface.stdout }}
 iface {{ fil_iface.stdout }} inet static
-	address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.address }}
-	network {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.network }}
-	netmask {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.netmask }}
-	broadcast {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv4.broadcast }}
+	address {{ fil.ipv4.address }}
+	network {{ fil.ipv4.network }}
+	netmask {{ fil.ipv4.netmask }}
+	broadcast {{ fil.ipv4.broadcast }}
 	gateway {{ fil_gateway }}
 	mtu 1496
 	dns-nameservers {{ fil_dns }}
@@ -22,7 +23,7 @@ iface {{ fil_iface.stdout }} inet static
 {% endif %}
 
 iface {{ fil_iface.stdout }} inet6 static
-	address {{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].address }}/{{ hostvars[inventory_hostname]['ansible_' + fil_iface.stdout].ipv6[0].prefix }}
+	address {{ fil.ipv6[0].address }}/{{ fil.ipv6[0].prefix }}
 {% if 'interfaces' in ansible_local %}
 {% if 'sup_if_6' in ansible_local.interfaces %}
 {% if fil_iface.stdout in ansible_local.interfaces.sup_if_6 %}
-- 
GitLab


From 1d7c6102edbb174d2957033ad0d469fc47e9bf83 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 12:07:38 +0200
Subject: [PATCH 10/55] [interfaces] Deploy interfaces on tracker

---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interfaces.yml b/interfaces.yml
index e637a5cc..84c59ca2 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -16,7 +16,7 @@
       register: fil_iface
       check_mode: no
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org
   vars:
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4
-- 
GitLab


From 8631a875e3976a64b5942fa2b1e764cc68796dac Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 12:20:58 +0200
Subject: [PATCH 11/55] [interfaces] Deploy interfaces on voyager

---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interfaces.yml b/interfaces.yml
index 84c59ca2..839423b8 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -16,7 +16,7 @@
       register: fil_iface
       check_mode: no
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org
   vars:
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4
-- 
GitLab


From 5d5a6f0b5c78c2b2230597717116820d263dbbf9 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 13:24:34 +0200
Subject: [PATCH 12/55] [interfaces] Configure adh interface

---
 roles/interfaces/tasks/main.yml               |  7 ++++
 .../templates/network/interfaces.d/23-adh.j2  | 38 +++++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 roles/interfaces/templates/network/interfaces.d/23-adh.j2

diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index d9751a36..4bf0fc42 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -32,3 +32,10 @@
     dest: /etc/network/interfaces.d/21-fil
     mode: 0644
   when: fil_iface.stdout
+
+- name: Deploy adh interface config
+  template:
+    src: network/interfaces.d/23-adh.j2
+    dest: /etc/network/interfaces.d/23-adh
+    mode: 0644
+  when: adh_iface.stdout
diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
new file mode 100644
index 00000000..bc03ccc1
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
@@ -0,0 +1,38 @@
+{{ ansible_header | comment }}
+
+{% set adh = hostvars[inventory_hostname]['ansible_' + adh_iface.stdout] %}
+allow-hotplug {{ adh_iface.stdout }}
+iface {{ adh_iface.stdout }} inet static
+	address {{ adh.ipv4.address }}
+	network {{ adh.ipv4.network }}
+	netmask {{ adh.ipv4.netmask }}
+	broadcast {{ adh.ipv4.broadcast }}
+	gateway {{ adh_gateway }}
+	mtu 1496
+	dns-nameservers {{ adh_dns }}
+	dns-search crans.org
+	up /sbin/ip link set $IFACE alias adh
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if adh_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[adh_iface.stdout] %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+
+iface {{ adh_iface.stdout }} inet6 static
+	address {{ adh.ipv6[0].address }}/{{ adh.ipv6[0].prefix }}
+	autoconf 1
+	accept_ra 2
+	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if adh_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[adh_iface.stdout] %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
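Review bot: The inet6 stanza of the new adh template sets `autoconf 1` / `accept_ra 2` and forces `accept_ra_defrtr=1`; if this segment carries member hosts, the server will accept router advertisements — including its default route — from any device on that network, which is the classic rogue-RA exposure. The IPv4 side already pins `gateway {{ adh_gateway }}`, so consider a static IPv6 gateway here as well and not enabling RA acceptance, or document in the template that RA-guard is enforced on the access switches for this VLAN. The srv template uses the same stanza, but there the only peers are presumably the upstream routers.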
-- 
GitLab


From 10bbc43ddc2678213ddc5c0efae746f653316628 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 13:25:24 +0200
Subject: [PATCH 13/55] [interfaces] Configure adh interface

---
 interfaces.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/interfaces.yml b/interfaces.yml
index 839423b8..057a71e2 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -15,6 +15,9 @@
     - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
       register: fil_iface
       check_mode: no
+    - shell: grep adh /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+      register: adh_iface
+      check_mode: no
 
 - hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org
   vars:
@@ -25,5 +28,7 @@
     - adm_dns: 10.231.136.152 10.231.136.4
     - fil_gateway: 10.54.0.254
     - fil_dns: 10.54.0.152 10.54.0.4
+    - adh_gateway: 185.230.78.254
+    - adh_dns: 185.230.78.152 185.230.78.4
   roles:
     - interfaces
-- 
GitLab


From 815f3cf086c900c3332b45ea5ba9c044c4fae917 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 13:26:47 +0200
Subject: [PATCH 14/55] [interfaces] Deploy interfaces on lutim

---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interfaces.yml b/interfaces.yml
index 057a71e2..2474e3bb 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -19,7 +19,7 @@
       register: adh_iface
       check_mode: no
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org
   vars:
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4
-- 
GitLab


From 97f7227a335ebc7d2c30f83d134b7bb396cd8203 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 14:23:42 +0200
Subject: [PATCH 15/55] [interfaces] Deploy interfaces on gateau

---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interfaces.yml b/interfaces.yml
index 2474e3bb..1196a291 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -19,7 +19,7 @@
       register: adh_iface
       check_mode: no
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org
   vars:
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4
-- 
GitLab


From 70b13432d3e9bde19c16c88eb8bd4eb01dd5a011 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 14:26:59 +0200
Subject: [PATCH 16/55] [interfaces] Deploy interfaces on owncloud-srv

---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interfaces.yml b/interfaces.yml
index 1196a291..f0a87578 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -19,7 +19,7 @@
       register: adh_iface
       check_mode: no
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org
   vars:
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4
-- 
GitLab


From 7f87571e17a1b7d548ae28749089d0539205ce4d Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 14:40:53 +0200
Subject: [PATCH 17/55] [interfaces] Deploy interfaces on charybde

---
 interfaces.yml                                |  4 +++
 roles/interfaces/tasks/main.yml               |  7 ++++
 .../network/interfaces.d/03-borne.j2          | 34 +++++++++++++++++++
 3 files changed, 45 insertions(+)
 create mode 100644 roles/interfaces/templates/network/interfaces.d/03-borne.j2

diff --git a/interfaces.yml b/interfaces.yml
index f0a87578..f83070ac 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -12,6 +12,9 @@
     - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
       register: adm_iface
       check_mode: no
+    - shell: grep borne /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+      register: borne_iface
+      check_mode: no
     - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
       register: fil_iface
       check_mode: no
@@ -26,6 +29,7 @@
     - ens_gateway: 138.231.136.254
     - ens_dns: 138.231.136.152 138.231.136.4
     - adm_dns: 10.231.136.152 10.231.136.4
+    - borne_dns: 10.231.148.4
     - fil_gateway: 10.54.0.254
     - fil_dns: 10.54.0.152 10.54.0.4
     - adh_gateway: 185.230.78.254
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index 4bf0fc42..91fe4164 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -26,6 +26,13 @@
     mode: 0644
   when: adm_iface.stdout
 
+- name: Deploy adm interface config
+  template:
+    src: network/interfaces.d/03-borne.j2
+    dest: /etc/network/interfaces.d/03-borne
+    mode: 0644
+  when: borne_iface.stdout
+
 - name: Deploy fil interface config
   template:
     src: network/interfaces.d/21-fil.j2
diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
new file mode 100644
index 00000000..0eb3ecb2
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+
+{% set borne = hostvars[inventory_hostname]['ansible_' + borne_iface.stdout] %}
+allow-hotplug {{ borne_iface.stdout }}
+iface {{ borne_iface.stdout }} inet static
+	address {{ borne.ipv4.address }}
+	network {{ borne.ipv4.network }}
+	netmask {{ borne.ipv4.netmask }}
+	broadcast {{ borne.ipv4.broadcast }}
+	mtu 1496
+	dns-nameservers {{ borne_dns }}
+	dns-search borne.crans.org
+	up /sbin/ip link set $IFACE alias borne
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if borne_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[borne_iface.stdout] %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+
+iface {{ borne_iface.stdout }} inet6 static
+	address {{ borne.ipv6[0].address }}/{{ borne.ipv6[0].prefix }}
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if borne_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[borne_iface.stdout] %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
-- 
GitLab


From 19e5074c384ae46ab0cdeb2f6b19ec19a55d9a4b Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 14:42:58 +0200
Subject: [PATCH 18/55] [interfaces] Deploy interfaces on charybde

---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interfaces.yml b/interfaces.yml
index f83070ac..b6115cc5 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -22,7 +22,7 @@
       register: adh_iface
       check_mode: no
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org
   vars:
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4
-- 
GitLab


From 47d7c347d407965e14e19cae25015be04183d166 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 14:55:37 +0200
Subject: [PATCH 19/55] [interfaces] Fix task description

---
 roles/interfaces/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index 91fe4164..5b41c028 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -26,7 +26,7 @@
     mode: 0644
   when: adm_iface.stdout
 
-- name: Deploy adm interface config
+- name: Deploy borne interface config
   template:
     src: network/interfaces.d/03-borne.j2
     dest: /etc/network/interfaces.d/03-borne
-- 
GitLab


From bc8430b1e59c113c800f654338ed5bc0323d0134 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 14:56:01 +0200
Subject: [PATCH 20/55] [interfaces] Deploy interfaces on cas-srv

---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interfaces.yml b/interfaces.yml
index b6115cc5..52b9a667 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -22,7 +22,7 @@
       register: adh_iface
       check_mode: no
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org
   vars:
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4
-- 
GitLab


From 9027b42b33a444530fb67bc7c8e6c0c5f3209ba7 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 16:50:16 +0200
Subject: [PATCH 21/55] [interfaces] Configure switch interface

---
 interfaces.yml                                |  6 +++-
 roles/interfaces/tasks/main.yml               |  7 ++++
 .../network/interfaces.d/04-switch.j2         | 34 +++++++++++++++++++
 3 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 roles/interfaces/templates/network/interfaces.d/04-switch.j2

diff --git a/interfaces.yml b/interfaces.yml
index 52b9a667..1feb86ca 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -15,6 +15,9 @@
     - shell: grep borne /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
       register: borne_iface
       check_mode: no
+    - shell: grep switch /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
+      register: switch_iface
+      check_mode: no
     - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
       register: fil_iface
       check_mode: no
@@ -29,7 +32,8 @@
     - ens_gateway: 138.231.136.254
     - ens_dns: 138.231.136.152 138.231.136.4
     - adm_dns: 10.231.136.152 10.231.136.4
-    - borne_dns: 10.231.148.4
+    - borne_dns: 10.231.148.52 10.231.148.4
+    - switch_dns: 10.231.100.152 10.231.100.4
     - fil_gateway: 10.54.0.254
     - fil_dns: 10.54.0.152 10.54.0.4
     - adh_gateway: 185.230.78.254
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index 5b41c028..210e3142 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -33,6 +33,13 @@
     mode: 0644
   when: borne_iface.stdout
 
+- name: Deploy switch interface config
+  template:
+    src: network/interfaces.d/04-switch.j2
+    dest: /etc/network/interfaces.d/04-switch
+    mode: 0644
+  when: switch_iface.stdout
+
 - name: Deploy fil interface config
   template:
     src: network/interfaces.d/21-fil.j2
diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
new file mode 100644
index 00000000..d8cfeb8b
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+
+{% set switch = hostvars[inventory_hostname]['ansible_' + switch_iface.stdout] %}
+allow-hotplug {{ switch_iface.stdout }}
+iface {{ switch_iface.stdout }} inet static
+	address {{ switch.ipv4.address }}
+	network {{ switch.ipv4.network }}
+	netmask {{ switch.ipv4.netmask }}
+	broadcast {{ switch.ipv4.broadcast }}
+	mtu 1496
+	dns-nameservers {{ switch_dns }}
+	dns-search switch.crans.org
+	up /sbin/ip link set $IFACE alias switch
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if switch_iface.stdout in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[switch_iface.stdout] %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+
+iface {{ switch_iface.stdout }} inet6 static
+	address {{ switch.ipv6[0].address }}/{{ switch.ipv6[0].prefix }}
+{% if 'interfaces' in ansible_local %}
+{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if switch_iface.stdout in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[switch_iface.stdout] %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
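Review bot: `switch.ipv6[0]` in the inet6 stanza is indexed unconditionally, so a host whose switch interface has no IPv6 address fails at template time, and where the list is non-empty its first element is not guaranteed to be the global-scope address (Ansible's per-interface `ipv6` fact also lists link-local entries, as far as I recall — verify on a target). Guarding the stanza, e.g. `{% if switch.ipv6 is defined and switch.ipv6 %}` around the `iface ... inet6 static` block, or selecting the entry with `selectattr('scope', 'equalto', 'global')`, keeps the template rendering on IPv4-only and dual-stack hosts alike. The `{{ line }}` entries from `ansible_local.interfaces.sup_if_*` are written verbatim into `/etc/network/interfaces.d/04-switch` (including any `up`/`down` hooks), so a one-line comment such as `{# extra lines come from the host's own facts.d and are trusted as-is #}` would document that boundary.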
-- 
GitLab


From bfbd14195ec55a3584aa87f96cb3cf5623f4c5ae Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 21 Apr 2020 16:55:34 +0200
Subject: [PATCH 22/55] [interfaces] Deploy interfaces on fyre

---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interfaces.yml b/interfaces.yml
index 1feb86ca..a17fd7f0 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -25,7 +25,7 @@
       register: adh_iface
       check_mode: no
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org
   vars:
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4
-- 
GitLab


From 08bc68aca6676054f5897c388d424a4dff382936 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Mon, 27 Apr 2020 21:28:43 +0200
Subject: [PATCH 23/55] [interfaces] allow-hotplug to auto

---
 roles/interfaces/templates/network/interfaces.d/00-srv.j2    | 2 +-
 roles/interfaces/templates/network/interfaces.d/01-ens.j2    | 2 +-
 roles/interfaces/templates/network/interfaces.d/02-adm.j2    | 2 +-
 roles/interfaces/templates/network/interfaces.d/03-borne.j2  | 2 +-
 roles/interfaces/templates/network/interfaces.d/04-switch.j2 | 2 +-
 roles/interfaces/templates/network/interfaces.d/21-fil.j2    | 2 +-
 roles/interfaces/templates/network/interfaces.d/23-adh.j2    | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 53151878..a1426f64 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 
 {% set srv = hostvars[inventory_hostname]['ansible_' + srv_iface.stdout] %}
-allow-hotplug {{ srv_iface.stdout }}
+auto {{ srv_iface.stdout }}
 iface {{ srv_iface.stdout }} inet static
 	address {{ srv.ipv4.address }}
 	network {{ srv.ipv4.network }}
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index 62cb77fc..4da6da89 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 
 {% set ens = hostvars[inventory_hostname]['ansible_' + ens_iface.stdout] %}
-allow-hotplug {{ ens_iface.stdout }}
+auto {{ ens_iface.stdout }}
 iface {{ ens_iface.stdout }} inet static
 	address {{ ens.ipv4.address }}
 	network {{ ens.ipv4.network }}
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index 95991513..1708e777 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 
 {% set adm = hostvars[inventory_hostname]['ansible_' + adm_iface.stdout] %}
-allow-hotplug {{ adm_iface.stdout }}
+auto {{ adm_iface.stdout }}
 iface {{ adm_iface.stdout }} inet static
 	address {{ adm.ipv4.address }}
 	network {{ adm.ipv4.network }}
diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
index 0eb3ecb2..749f144e 100644
--- a/roles/interfaces/templates/network/interfaces.d/03-borne.j2
+++ b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 
 {% set borne = hostvars[inventory_hostname]['ansible_' + borne_iface.stdout] %}
-allow-hotplug {{ borne_iface.stdout }}
+auto {{ borne_iface.stdout }}
 iface {{ borne_iface.stdout }} inet static
 	address {{ borne.ipv4.address }}
 	network {{ borne.ipv4.network }}
diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
index d8cfeb8b..fb007a7b 100644
--- a/roles/interfaces/templates/network/interfaces.d/04-switch.j2
+++ b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 
 {% set switch = hostvars[inventory_hostname]['ansible_' + switch_iface.stdout] %}
-allow-hotplug {{ switch_iface.stdout }}
+auto {{ switch_iface.stdout }}
 iface {{ switch_iface.stdout }} inet static
 	address {{ switch.ipv4.address }}
 	network {{ switch.ipv4.network }}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
index 0e08910a..a77e747f 100644
--- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2
+++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 
 {% set fil = hostvars[inventory_hostname]['ansible_' + fil_iface.stdout] %}
-allow-hotplug {{ fil_iface.stdout }}
+auto {{ fil_iface.stdout }}
 iface {{ fil_iface.stdout }} inet static
 	address {{ fil.ipv4.address }}
 	network {{ fil.ipv4.network }}
diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
index bc03ccc1..ee1578d6 100644
--- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2
+++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 
 {% set adh = hostvars[inventory_hostname]['ansible_' + adh_iface.stdout] %}
-allow-hotplug {{ adh_iface.stdout }}
+auto {{ adh_iface.stdout }}
 iface {{ adh_iface.stdout }} inet static
 	address {{ adh.ipv4.address }}
 	network {{ adh.ipv4.network }}
-- 
GitLab


From 73df03ce90deded947375922219f4eb9025911eb Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Mon, 27 Apr 2020 21:34:41 +0200
Subject: [PATCH 24/55] [interfaces] Install vlan

---
 roles/interfaces/tasks/main.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index 210e3142..c155fc1b 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -1,4 +1,13 @@
 ---
+- name: Install vlan support
+  apt:
+    update_cache: true
+    name: vlan
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
 - name: Deploy default interfaces config
   template:
     src: network/interfaces.j2
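Review bot: `update_cache: true` on the new apt task has no `cache_valid_time`, so every play run refreshes the package index from the mirror even when `vlan` is already installed, making an otherwise idempotent task slow and dependent on mirror availability. Adding `cache_valid_time: 3600` beside it keeps the refresh but skips it while the index is fresh. The `retries: 3` / `until: apt_result is succeeded` pair uses Ansible's default retry delay; spelling out `delay: 10` makes the retry budget visible in the task.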
-- 
GitLab


From 4c132e6d30f0916098149ff0ae280fa140c2b4e1 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 28 Apr 2020 18:06:07 +0200
Subject: [PATCH 25/55] [interfaces] Deploy interfaces on silice

---
 interfaces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interfaces.yml b/interfaces.yml
index a17fd7f0..5c35aa32 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -25,7 +25,7 @@
       register: adh_iface
       check_mode: no
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org
   vars:
     - srv_gateway: 185.230.79.254
     - srv_dns: 185.230.79.152 185.230.79.4
-- 
GitLab


From 3b9b9796659b97e5d90efc4f23ea34a4b3fe61af Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Tue, 28 Apr 2020 18:26:59 +0200
Subject: [PATCH 26/55] [interfaces] use is defined

---
 roles/interfaces/templates/network/interfaces.d/00-srv.j2 | 8 ++------
 roles/interfaces/templates/network/interfaces.d/01-ens.j2 | 8 ++------
 roles/interfaces/templates/network/interfaces.d/02-adm.j2 | 8 ++------
 .../interfaces/templates/network/interfaces.d/03-borne.j2 | 8 ++------
 .../templates/network/interfaces.d/04-switch.j2           | 8 ++------
 roles/interfaces/templates/network/interfaces.d/21-fil.j2 | 8 ++------
 roles/interfaces/templates/network/interfaces.d/23-adh.j2 | 8 ++------
 7 files changed, 14 insertions(+), 42 deletions(-)

diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index a1426f64..ba4f486c 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -12,27 +12,23 @@ iface {{ srv_iface.stdout }} inet static
 	dns-nameservers {{ srv_dns }}
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias srv
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if srv_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[srv_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 
 iface {{ srv_iface.stdout }} inet6 static
 	address {{ srv.ipv6[0].address }}/{{ srv.ipv6[0].prefix }}
 	autoconf 1
 	accept_ra 2
 	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if srv_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[srv_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
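Review bot: `ansible_local.interfaces.sup_if_4 is defined` now walks through `interfaces` before testing, so on a host with no `interfaces` local fact the outcome depends on Ansible's undefined object tolerating chained attribute access; I believe AnsibleUndefined has returned a nested undefined rather than raising since Ansible 2.8, so this is fine on current controllers, but the removed `'interfaces' in ansible_local` guard was version-independent and the new form deserves a pinned minimum version. The same pattern is introduced in the six following hunks (01-ens, 02-adm, 03-borne, 04-switch, 21-fil, 23-adh). A short comment above the first such test, e.g. `{# chained 'is defined' relies on AnsibleUndefined (Ansible >= 2.8) #}`, records the assumption.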
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index 4da6da89..36e6d154 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -12,27 +12,23 @@ iface {{ ens_iface.stdout }} inet static
 	dns-nameservers {{ ens_dns }}
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias ens
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if ens_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[ens_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 
 iface {{ ens_iface.stdout }} inet6 static
 	address {{ ens.ipv6[0].address }}/{{ ens.ipv6[0].prefix }}
 	autoconf 1
 	accept_ra 2
 	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if ens_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[ens_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index 1708e777..a78a660a 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -11,24 +11,20 @@ iface {{ adm_iface.stdout }} inet static
 	dns-nameservers {{ adm_dns }}
 	dns-search adm.crans.org
 	up /sbin/ip link set $IFACE alias adm
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if adm_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[adm_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 
 iface {{ adm_iface.stdout }} inet6 static
 	address {{ adm.ipv6[0].address }}/{{ adm.ipv6[0].prefix }}
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if adm_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[adm_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
index 749f144e..f9996740 100644
--- a/roles/interfaces/templates/network/interfaces.d/03-borne.j2
+++ b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
@@ -11,24 +11,20 @@ iface {{ borne_iface.stdout }} inet static
 	dns-nameservers {{ borne_dns }}
 	dns-search borne.crans.org
 	up /sbin/ip link set $IFACE alias borne
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if borne_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[borne_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 
 iface {{ borne_iface.stdout }} inet6 static
 	address {{ borne.ipv6[0].address }}/{{ borne.ipv6[0].prefix }}
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if borne_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[borne_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
index fb007a7b..57e6630f 100644
--- a/roles/interfaces/templates/network/interfaces.d/04-switch.j2
+++ b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
@@ -11,24 +11,20 @@ iface {{ switch_iface.stdout }} inet static
 	dns-nameservers {{ switch_dns }}
 	dns-search switch.crans.org
 	up /sbin/ip link set $IFACE alias switch
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if switch_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[switch_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 
 iface {{ switch_iface.stdout }} inet6 static
 	address {{ switch.ipv6[0].address }}/{{ switch.ipv6[0].prefix }}
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if switch_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[switch_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
index a77e747f..198f2ca0 100644
--- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2
+++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
@@ -12,24 +12,20 @@ iface {{ fil_iface.stdout }} inet static
 	dns-nameservers {{ fil_dns }}
 	dns-search fil.crans.org
 	up /sbin/ip link set $IFACE alias fil
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if fil_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[fil_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 
 iface {{ fil_iface.stdout }} inet6 static
 	address {{ fil.ipv6[0].address }}/{{ fil.ipv6[0].prefix }}
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if fil_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[fil_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
index ee1578d6..df9a47ad 100644
--- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2
+++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
@@ -12,27 +12,23 @@ iface {{ adh_iface.stdout }} inet static
 	dns-nameservers {{ adh_dns }}
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias adh
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_4' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
 {% if adh_iface.stdout in ansible_local.interfaces.sup_if_4 %}
 {% for line in ansible_local.interfaces.sup_if_4[adh_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
 
 iface {{ adh_iface.stdout }} inet6 static
 	address {{ adh.ipv6[0].address }}/{{ adh.ipv6[0].prefix }}
 	autoconf 1
 	accept_ra 2
 	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
-{% if 'interfaces' in ansible_local %}
-{% if 'sup_if_6' in ansible_local.interfaces %}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if adh_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[adh_iface.stdout] %}
 	{{ line }}
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endif %}
-- 
GitLab


From 358e690e4830ed722c90f00059a20690b6058aa3 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Tue, 28 Apr 2020 18:46:38 +0200
Subject: [PATCH 27/55] [interfaces] Do not force autoconf

---
 roles/interfaces/templates/network/interfaces.d/00-srv.j2 | 3 ---
 roles/interfaces/templates/network/interfaces.d/01-ens.j2 | 3 ---
 roles/interfaces/templates/network/interfaces.d/23-adh.j2 | 3 ---
 3 files changed, 9 deletions(-)

diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index ba4f486c..2bf4b97b 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -22,9 +22,6 @@ iface {{ srv_iface.stdout }} inet static
 
 iface {{ srv_iface.stdout }} inet6 static
 	address {{ srv.ipv6[0].address }}/{{ srv.ipv6[0].prefix }}
-	autoconf 1
-	accept_ra 2
-	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
 {% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if srv_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[srv_iface.stdout] %}
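Review bot: Dropping `accept_ra 2` and the `accept_ra_defrtr` sysctl leaves router-advertisement handling at whatever `net.ipv6.conf.<iface>.accept_ra` the kernel or distro default gives, so an `inet6 static` interface may still pick up RA-derived addresses and a default route on some hosts and not on others (the default is 1 unless forwarding is enabled, in which case it is 0, as far as I recall). If the intent is static-only addressing, stating `accept_ra 0` in the stanza makes that explicit and keeps unsolicited RAs from altering routing on these server segments; if RAs are wanted, `accept_ra 1` says so. The same removal is made in the 01-ens and 23-adh hunks below.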
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index 36e6d154..e1f101e2 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -22,9 +22,6 @@ iface {{ ens_iface.stdout }} inet static
 
 iface {{ ens_iface.stdout }} inet6 static
 	address {{ ens.ipv6[0].address }}/{{ ens.ipv6[0].prefix }}
-	autoconf 1
-	accept_ra 2
-	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
 {% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if ens_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[ens_iface.stdout] %}
diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
index df9a47ad..45241e6b 100644
--- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2
+++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
@@ -22,9 +22,6 @@ iface {{ adh_iface.stdout }} inet static
 
 iface {{ adh_iface.stdout }} inet6 static
 	address {{ adh.ipv6[0].address }}/{{ adh.ipv6[0].prefix }}
-	autoconf 1
-	accept_ra 2
-	up /sbin/sysctl net/ipv6/conf/$IFACE/accept_ra_defrtr=1
 {% if ansible_local.interfaces.sup_if_6 is defined %}
 {% if adh_iface.stdout in ansible_local.interfaces.sup_if_6 %}
 {% for line in ansible_local.interfaces.sup_if_6[adh_iface.stdout] %}
-- 
GitLab


From e4acc35c0193af493549e53047bda57b24818992 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Tue, 28 Apr 2020 18:59:35 +0200
Subject: [PATCH 28/55] [interfaces] Add metrics

---
 interfaces.yml                                | 34 +++++++++++++------
 .../templates/network/interfaces.d/00-srv.j2  |  5 +--
 .../templates/network/interfaces.d/01-ens.j2  |  5 +--
 .../templates/network/interfaces.d/02-adm.j2  |  2 +-
 .../network/interfaces.d/03-borne.j2          |  2 +-
 .../network/interfaces.d/04-switch.j2         |  2 +-
 .../templates/network/interfaces.d/21-fil.j2  |  5 +--
 .../templates/network/interfaces.d/23-adh.j2  |  5 +--
 8 files changed, 38 insertions(+), 22 deletions(-)

diff --git a/interfaces.yml b/interfaces.yml
index 5c35aa32..431b69bc 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -27,16 +27,28 @@
 
 - hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org
   vars:
-    - srv_gateway: 185.230.79.254
-    - srv_dns: 185.230.79.152 185.230.79.4
-    - ens_gateway: 138.231.136.254
-    - ens_dns: 138.231.136.152 138.231.136.4
-    - adm_dns: 10.231.136.152 10.231.136.4
-    - borne_dns: 10.231.148.52 10.231.148.4
-    - switch_dns: 10.231.100.152 10.231.100.4
-    - fil_gateway: 10.54.0.254
-    - fil_dns: 10.54.0.152 10.54.0.4
-    - adh_gateway: 185.230.78.254
-    - adh_dns: 185.230.78.152 185.230.78.4
+    vlan:
+      srv:
+        metric: 100
+        gateway: 185.230.79.254
+        dns: 185.230.79.152 185.230.79.4
+      ens:
+        metric: 300
+        gateway: 138.231.136.254
+        dns: 138.231.136.152 138.231.136.4
+      adm:
+        dns: 10.231.136.152 10.231.136.4
+      borne:
+        dns: 10.231.148.52 10.231.148.4
+      switch:
+        dns: 10.231.100.152 10.231.100.4
+      fil:
+        metric: 400
+        gateway: 10.54.0.254
+        dns: 10.54.0.152 10.54.0.4
+      adh:
+        metric: 200
+        gateway: 185.230.78.254
+        dns: 185.230.78.152 185.230.78.4
   roles:
     - interfaces
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
index 2bf4b97b..8ac4b8a5 100644
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
@@ -7,9 +7,10 @@ iface {{ srv_iface.stdout }} inet static
 	network {{ srv.ipv4.network }}
 	netmask {{ srv.ipv4.netmask }}
 	broadcast {{ srv.ipv4.broadcast }}
-	gateway {{ srv_gateway }}
+	gateway {{ vlan.srv.gateway }}
+	metric {{ vlan.srv.metric }}
 	mtu 1496
-	dns-nameservers {{ srv_dns }}
+	dns-nameservers {{ vlan.srv.dns }}
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias srv
 {% if ansible_local.interfaces.sup_if_4 is defined %}
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
index e1f101e2..6c308f23 100644
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
@@ -7,9 +7,10 @@ iface {{ ens_iface.stdout }} inet static
 	network {{ ens.ipv4.network }}
 	netmask {{ ens.ipv4.netmask }}
 	broadcast {{ ens.ipv4.broadcast }}
-	gateway {{ ens_gateway }}
+	gateway {{ vlan.ens.gateway }}
+	metric {{ vlan.ens.metric }}
 	mtu 1496
-	dns-nameservers {{ ens_dns }}
+	dns-nameservers {{ vlan.ens.dns }}
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias ens
 {% if ansible_local.interfaces.sup_if_4 is defined %}
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
index a78a660a..62fb1f1e 100644
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
@@ -8,7 +8,7 @@ iface {{ adm_iface.stdout }} inet static
 	netmask {{ adm.ipv4.netmask }}
 	broadcast {{ adm.ipv4.broadcast }}
 	mtu 1496
-	dns-nameservers {{ adm_dns }}
+	dns-nameservers {{ vlan.adm.dns }}
 	dns-search adm.crans.org
 	up /sbin/ip link set $IFACE alias adm
 {% if ansible_local.interfaces.sup_if_4 is defined %}
diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
index f9996740..7db48f6a 100644
--- a/roles/interfaces/templates/network/interfaces.d/03-borne.j2
+++ b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
@@ -8,7 +8,7 @@ iface {{ borne_iface.stdout }} inet static
 	netmask {{ borne.ipv4.netmask }}
 	broadcast {{ borne.ipv4.broadcast }}
 	mtu 1496
-	dns-nameservers {{ borne_dns }}
+	dns-nameservers {{ vlan.borne.dns }}
 	dns-search borne.crans.org
 	up /sbin/ip link set $IFACE alias borne
 {% if ansible_local.interfaces.sup_if_4 is defined %}
diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
index 57e6630f..586adef9 100644
--- a/roles/interfaces/templates/network/interfaces.d/04-switch.j2
+++ b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
@@ -8,7 +8,7 @@ iface {{ switch_iface.stdout }} inet static
 	netmask {{ switch.ipv4.netmask }}
 	broadcast {{ switch.ipv4.broadcast }}
 	mtu 1496
-	dns-nameservers {{ switch_dns }}
+	dns-nameservers {{ vlan.switch.dns }}
 	dns-search switch.crans.org
 	up /sbin/ip link set $IFACE alias switch
 {% if ansible_local.interfaces.sup_if_4 is defined %}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
index 198f2ca0..c5bb9508 100644
--- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2
+++ b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
@@ -7,9 +7,10 @@ iface {{ fil_iface.stdout }} inet static
 	network {{ fil.ipv4.network }}
 	netmask {{ fil.ipv4.netmask }}
 	broadcast {{ fil.ipv4.broadcast }}
-	gateway {{ fil_gateway }}
+	gateway {{ vlan.fil.gateway }}
+	metric {{ vlan.fil.metric }}
 	mtu 1496
-	dns-nameservers {{ fil_dns }}
+	dns-nameservers {{ vlan.fil.dns }}
 	dns-search fil.crans.org
 	up /sbin/ip link set $IFACE alias fil
 {% if ansible_local.interfaces.sup_if_4 is defined %}
diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
index 45241e6b..de2b21b7 100644
--- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2
+++ b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
@@ -7,9 +7,10 @@ iface {{ adh_iface.stdout }} inet static
 	network {{ adh.ipv4.network }}
 	netmask {{ adh.ipv4.netmask }}
 	broadcast {{ adh.ipv4.broadcast }}
-	gateway {{ adh_gateway }}
+	gateway {{ vlan.adh.gateway }}
+	metric {{ vlan.adh.metric }}
 	mtu 1496
-	dns-nameservers {{ adh_dns }}
+	dns-nameservers {{ vlan.adh.dns }}
 	dns-search crans.org
 	up /sbin/ip link set $IFACE alias adh
 {% if ansible_local.interfaces.sup_if_4 is defined %}
-- 
GitLab


From bb28a75b4eed4cfed18f9690034c1ee0291f016a Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Tue, 28 Apr 2020 20:27:58 +0200
Subject: [PATCH 29/55] [interface] Factorize

---
 interfaces.yml                                | 72 +++++++++++--------
 roles/interfaces/tasks/main.yml               | 51 ++-----------
 .../templates/network/interfaces.d/00-srv.j2  | 32 ---------
 .../templates/network/interfaces.d/01-ens.j2  | 32 ---------
 .../templates/network/interfaces.d/02-adm.j2  | 30 --------
 .../network/interfaces.d/03-borne.j2          | 30 --------
 .../network/interfaces.d/04-switch.j2         | 30 --------
 .../templates/network/interfaces.d/21-fil.j2  | 32 ---------
 .../templates/network/interfaces.d/23-adh.j2  | 32 ---------
 .../templates/network/interfaces.d/ifalias.j2 | 36 ++++++++++
 10 files changed, 85 insertions(+), 292 deletions(-)
 delete mode 100644 roles/interfaces/templates/network/interfaces.d/00-srv.j2
 delete mode 100644 roles/interfaces/templates/network/interfaces.d/01-ens.j2
 delete mode 100644 roles/interfaces/templates/network/interfaces.d/02-adm.j2
 delete mode 100644 roles/interfaces/templates/network/interfaces.d/03-borne.j2
 delete mode 100644 roles/interfaces/templates/network/interfaces.d/04-switch.j2
 delete mode 100644 roles/interfaces/templates/network/interfaces.d/21-fil.j2
 delete mode 100644 roles/interfaces/templates/network/interfaces.d/23-adh.j2
 create mode 100644 roles/interfaces/templates/network/interfaces.d/ifalias.j2

diff --git a/interfaces.yml b/interfaces.yml
index 431b69bc..5c7107a7 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -1,54 +1,70 @@
 #!/usr/bin/env ansible-playbook
 ---
-# Set variable adm_iface for all servers
+# Get ifname of configured vlan for all servers
 - hosts: server
   tasks:
-    - shell: grep srv /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
-      register: srv_iface
-      check_mode: no
-    - shell: grep ens /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
-      register: ens_iface
-      check_mode: no
-    - shell: grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
-      register: adm_iface
-      check_mode: no
-    - shell: grep borne /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
-      register: borne_iface
-      check_mode: no
-    - shell: grep switch /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
-      register: switch_iface
-      check_mode: no
-    - shell: grep fil /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
-      register: fil_iface
-      check_mode: no
-    - shell: grep adh /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
-      register: adh_iface
+    - shell: "grep {{ item }} /sys/class/net/*/ifalias | sed \"s|/sys/class/net/||\" | sed \"s|/ifalias:.*||\""
       check_mode: no
+      register: ifaces
+      loop:
+        - srv
+        - ens
+        - adm
+        - borne
+        - switch
+        - fil
 
 - hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org
   vars:
     vlan:
-      srv:
+      - name: srv
+        id: 0
         metric: 100
         gateway: 185.230.79.254
         dns: 185.230.79.152 185.230.79.4
-      ens:
+        dns_search: crans.org
+        ifnames: "{{ ifaces | json_query('results[?item==`srv`].stdout') }}"
+
+      - name: ens
+        id: 1
         metric: 300
         gateway: 138.231.136.254
         dns: 138.231.136.152 138.231.136.4
-      adm:
+        dns_search: crans.org
+        ifnames: "{{ ifaces | json_query('results[?item==`ens`].stdout') }}"
+
+      - name: adm
+        id: 2
         dns: 10.231.136.152 10.231.136.4
-      borne:
+        dns_search: adm.crans.org
+        ifnames: "{{ ifaces | json_query('results[?item==`adm`].stdout') }}"
+
+      - name: borne
+        id: 3
         dns: 10.231.148.52 10.231.148.4
-      switch:
+        dns_search: borne.crans.org
+        ifnames: "{{ ifaces | json_query('results[?item==`borne`].stdout') }}"
+
+      - name: switch
+        id: 4
         dns: 10.231.100.152 10.231.100.4
-      fil:
+        dns_search: switch.crans.org
+        ifnames: "{{ ifaces | json_query('results[?item==`switch`].stdout') }}"
+
+      - name: fil
+        id: 21
         metric: 400
         gateway: 10.54.0.254
         dns: 10.54.0.152 10.54.0.4
-      adh:
+        dns_search: fil.crans.org
+        ifnames: "{{ ifaces | json_query('results[?item==`fil`].stdout') }}"
+
+      - name: adh
+        id: 23
         metric: 200
         gateway: 185.230.78.254
         dns: 185.230.78.152 185.230.78.4
+        dns_search: crans.org
+        ifnames: "{{ ifaces | json_query('results[?item==`adh`].stdout') }}"
   roles:
     - interfaces
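Review bot: The ifalias lookup loop in the first play lists srv, ens, adm, borne, switch and fil but not adh, while the last vlan entry still derives its `ifnames` from the `ifaces` register by filtering on item adh; that filter can only come back empty, so the interfaces role's when-condition skips the adh interface on hosts that carry one, whereas the removed code did register `adh_iface`. Adding `        - adh` to the loop restores that coverage. The sed pipeline also ends in sed, so the task succeeds with empty stdout when grep matches nothing, which is what the later `!= ''` check relies on; a short comment on the shell task saying so would save the next reader the same check.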
diff --git a/roles/interfaces/tasks/main.yml b/roles/interfaces/tasks/main.yml
index c155fc1b..886b45d3 100644
--- a/roles/interfaces/tasks/main.yml
+++ b/roles/interfaces/tasks/main.yml
@@ -14,51 +14,10 @@
     dest: /etc/network/interfaces
     mode: 0644
 
-- name: Deploy srv interface config
+- name: Deploy interfaces config
   template:
-    src: network/interfaces.d/00-srv.j2
-    dest: /etc/network/interfaces.d/00-srv
+    src: "network/interfaces.d/ifalias.j2"
+    dest: "/etc/network/interfaces.d/{{ '%02d' | format(item.id) }}-{{ item.name }}"
     mode: 0644
-  when: srv_iface.stdout
-
-- name: Deploy ens interface config
-  template:
-    src: network/interfaces.d/01-ens.j2
-    dest: /etc/network/interfaces.d/01-ens
-    mode: 0644
-  when: ens_iface.stdout
-
-- name: Deploy adm interface config
-  template:
-    src: network/interfaces.d/02-adm.j2
-    dest: /etc/network/interfaces.d/02-adm
-    mode: 0644
-  when: adm_iface.stdout
-
-- name: Deploy borne interface config
-  template:
-    src: network/interfaces.d/03-borne.j2
-    dest: /etc/network/interfaces.d/03-borne
-    mode: 0644
-  when: borne_iface.stdout
-
-- name: Deploy switch interface config
-  template:
-    src: network/interfaces.d/04-switch.j2
-    dest: /etc/network/interfaces.d/04-switch
-    mode: 0644
-  when: switch_iface.stdout
-
-- name: Deploy fil interface config
-  template:
-    src: network/interfaces.d/21-fil.j2
-    dest: /etc/network/interfaces.d/21-fil
-    mode: 0644
-  when: fil_iface.stdout
-
-- name: Deploy adh interface config
-  template:
-    src: network/interfaces.d/23-adh.j2
-    dest: /etc/network/interfaces.d/23-adh
-    mode: 0644
-  when: adh_iface.stdout
+  when: (item.ifnames | length > 0) and item.ifnames[0] != ''
+  loop: "{{ vlan }}"
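Review bot: The guard `(item.ifnames | length > 0) and item.ifnames[0] != ''` treats `item.ifnames[0]` as a single interface name, but it is the raw stdout of the grep task; if two interfaces on a host carry the same alias that string is multi-line, the condition is still true, and the template at `roles/interfaces/templates/network/interfaces.d/ifalias.j2` then looks up `hostvars[...]['ansible_' + item.ifnames[0]]` with that multi-line key and the task errors instead of being skipped. The removed per-VLAN tasks had the same limitation, so this is inherited rather than introduced, but the factorized form is the natural place to note it: `# ifnames[0] is the grep stdout for this VLAN; assumes at most one interface per alias`. Selecting the first line of stdout (via the register's `stdout_lines`) would make the assumption explicit, though the exact json_query form for that would need checking.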
diff --git a/roles/interfaces/templates/network/interfaces.d/00-srv.j2 b/roles/interfaces/templates/network/interfaces.d/00-srv.j2
deleted file mode 100644
index 8ac4b8a5..00000000
--- a/roles/interfaces/templates/network/interfaces.d/00-srv.j2
+++ /dev/null
@@ -1,32 +0,0 @@
-{{ ansible_header | comment }}
-
-{% set srv = hostvars[inventory_hostname]['ansible_' + srv_iface.stdout] %}
-auto {{ srv_iface.stdout }}
-iface {{ srv_iface.stdout }} inet static
-	address {{ srv.ipv4.address }}
-	network {{ srv.ipv4.network }}
-	netmask {{ srv.ipv4.netmask }}
-	broadcast {{ srv.ipv4.broadcast }}
-	gateway {{ vlan.srv.gateway }}
-	metric {{ vlan.srv.metric }}
-	mtu 1496
-	dns-nameservers {{ vlan.srv.dns }}
-	dns-search crans.org
-	up /sbin/ip link set $IFACE alias srv
-{% if ansible_local.interfaces.sup_if_4 is defined %}
-{% if srv_iface.stdout in ansible_local.interfaces.sup_if_4 %}
-{% for line in ansible_local.interfaces.sup_if_4[srv_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
-
-iface {{ srv_iface.stdout }} inet6 static
-	address {{ srv.ipv6[0].address }}/{{ srv.ipv6[0].prefix }}
-{% if ansible_local.interfaces.sup_if_6 is defined %}
-{% if srv_iface.stdout in ansible_local.interfaces.sup_if_6 %}
-{% for line in ansible_local.interfaces.sup_if_6[srv_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/01-ens.j2 b/roles/interfaces/templates/network/interfaces.d/01-ens.j2
deleted file mode 100644
index 6c308f23..00000000
--- a/roles/interfaces/templates/network/interfaces.d/01-ens.j2
+++ /dev/null
@@ -1,32 +0,0 @@
-{{ ansible_header | comment }}
-
-{% set ens = hostvars[inventory_hostname]['ansible_' + ens_iface.stdout] %}
-auto {{ ens_iface.stdout }}
-iface {{ ens_iface.stdout }} inet static
-	address {{ ens.ipv4.address }}
-	network {{ ens.ipv4.network }}
-	netmask {{ ens.ipv4.netmask }}
-	broadcast {{ ens.ipv4.broadcast }}
-	gateway {{ vlan.ens.gateway }}
-	metric {{ vlan.ens.metric }}
-	mtu 1496
-	dns-nameservers {{ vlan.ens.dns }}
-	dns-search crans.org
-	up /sbin/ip link set $IFACE alias ens
-{% if ansible_local.interfaces.sup_if_4 is defined %}
-{% if ens_iface.stdout in ansible_local.interfaces.sup_if_4 %}
-{% for line in ansible_local.interfaces.sup_if_4[ens_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
-
-iface {{ ens_iface.stdout }} inet6 static
-	address {{ ens.ipv6[0].address }}/{{ ens.ipv6[0].prefix }}
-{% if ansible_local.interfaces.sup_if_6 is defined %}
-{% if ens_iface.stdout in ansible_local.interfaces.sup_if_6 %}
-{% for line in ansible_local.interfaces.sup_if_6[ens_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/02-adm.j2 b/roles/interfaces/templates/network/interfaces.d/02-adm.j2
deleted file mode 100644
index 62fb1f1e..00000000
--- a/roles/interfaces/templates/network/interfaces.d/02-adm.j2
+++ /dev/null
@@ -1,30 +0,0 @@
-{{ ansible_header | comment }}
-
-{% set adm = hostvars[inventory_hostname]['ansible_' + adm_iface.stdout] %}
-auto {{ adm_iface.stdout }}
-iface {{ adm_iface.stdout }} inet static
-	address {{ adm.ipv4.address }}
-	network {{ adm.ipv4.network }}
-	netmask {{ adm.ipv4.netmask }}
-	broadcast {{ adm.ipv4.broadcast }}
-	mtu 1496
-	dns-nameservers {{ vlan.adm.dns }}
-	dns-search adm.crans.org
-	up /sbin/ip link set $IFACE alias adm
-{% if ansible_local.interfaces.sup_if_4 is defined %}
-{% if adm_iface.stdout in ansible_local.interfaces.sup_if_4 %}
-{% for line in ansible_local.interfaces.sup_if_4[adm_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
-
-iface {{ adm_iface.stdout }} inet6 static
-	address {{ adm.ipv6[0].address }}/{{ adm.ipv6[0].prefix }}
-{% if ansible_local.interfaces.sup_if_6 is defined %}
-{% if adm_iface.stdout in ansible_local.interfaces.sup_if_6 %}
-{% for line in ansible_local.interfaces.sup_if_6[adm_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/03-borne.j2 b/roles/interfaces/templates/network/interfaces.d/03-borne.j2
deleted file mode 100644
index 7db48f6a..00000000
--- a/roles/interfaces/templates/network/interfaces.d/03-borne.j2
+++ /dev/null
@@ -1,30 +0,0 @@
-{{ ansible_header | comment }}
-
-{% set borne = hostvars[inventory_hostname]['ansible_' + borne_iface.stdout] %}
-auto {{ borne_iface.stdout }}
-iface {{ borne_iface.stdout }} inet static
-	address {{ borne.ipv4.address }}
-	network {{ borne.ipv4.network }}
-	netmask {{ borne.ipv4.netmask }}
-	broadcast {{ borne.ipv4.broadcast }}
-	mtu 1496
-	dns-nameservers {{ vlan.borne.dns }}
-	dns-search borne.crans.org
-	up /sbin/ip link set $IFACE alias borne
-{% if ansible_local.interfaces.sup_if_4 is defined %}
-{% if borne_iface.stdout in ansible_local.interfaces.sup_if_4 %}
-{% for line in ansible_local.interfaces.sup_if_4[borne_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
-
-iface {{ borne_iface.stdout }} inet6 static
-	address {{ borne.ipv6[0].address }}/{{ borne.ipv6[0].prefix }}
-{% if ansible_local.interfaces.sup_if_6 is defined %}
-{% if borne_iface.stdout in ansible_local.interfaces.sup_if_6 %}
-{% for line in ansible_local.interfaces.sup_if_6[borne_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/04-switch.j2 b/roles/interfaces/templates/network/interfaces.d/04-switch.j2
deleted file mode 100644
index 586adef9..00000000
--- a/roles/interfaces/templates/network/interfaces.d/04-switch.j2
+++ /dev/null
@@ -1,30 +0,0 @@
-{{ ansible_header | comment }}
-
-{% set switch = hostvars[inventory_hostname]['ansible_' + switch_iface.stdout] %}
-auto {{ switch_iface.stdout }}
-iface {{ switch_iface.stdout }} inet static
-	address {{ switch.ipv4.address }}
-	network {{ switch.ipv4.network }}
-	netmask {{ switch.ipv4.netmask }}
-	broadcast {{ switch.ipv4.broadcast }}
-	mtu 1496
-	dns-nameservers {{ vlan.switch.dns }}
-	dns-search switch.crans.org
-	up /sbin/ip link set $IFACE alias switch
-{% if ansible_local.interfaces.sup_if_4 is defined %}
-{% if switch_iface.stdout in ansible_local.interfaces.sup_if_4 %}
-{% for line in ansible_local.interfaces.sup_if_4[switch_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
-
-iface {{ switch_iface.stdout }} inet6 static
-	address {{ switch.ipv6[0].address }}/{{ switch.ipv6[0].prefix }}
-{% if ansible_local.interfaces.sup_if_6 is defined %}
-{% if switch_iface.stdout in ansible_local.interfaces.sup_if_6 %}
-{% for line in ansible_local.interfaces.sup_if_6[switch_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/21-fil.j2 b/roles/interfaces/templates/network/interfaces.d/21-fil.j2
deleted file mode 100644
index c5bb9508..00000000
--- a/roles/interfaces/templates/network/interfaces.d/21-fil.j2
+++ /dev/null
@@ -1,32 +0,0 @@
-{{ ansible_header | comment }}
-
-{% set fil = hostvars[inventory_hostname]['ansible_' + fil_iface.stdout] %}
-auto {{ fil_iface.stdout }}
-iface {{ fil_iface.stdout }} inet static
-	address {{ fil.ipv4.address }}
-	network {{ fil.ipv4.network }}
-	netmask {{ fil.ipv4.netmask }}
-	broadcast {{ fil.ipv4.broadcast }}
-	gateway {{ vlan.fil.gateway }}
-	metric {{ vlan.fil.metric }}
-	mtu 1496
-	dns-nameservers {{ vlan.fil.dns }}
-	dns-search fil.crans.org
-	up /sbin/ip link set $IFACE alias fil
-{% if ansible_local.interfaces.sup_if_4 is defined %}
-{% if fil_iface.stdout in ansible_local.interfaces.sup_if_4 %}
-{% for line in ansible_local.interfaces.sup_if_4[fil_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
-
-iface {{ fil_iface.stdout }} inet6 static
-	address {{ fil.ipv6[0].address }}/{{ fil.ipv6[0].prefix }}
-{% if ansible_local.interfaces.sup_if_6 is defined %}
-{% if fil_iface.stdout in ansible_local.interfaces.sup_if_6 %}
-{% for line in ansible_local.interfaces.sup_if_6[fil_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/23-adh.j2 b/roles/interfaces/templates/network/interfaces.d/23-adh.j2
deleted file mode 100644
index de2b21b7..00000000
--- a/roles/interfaces/templates/network/interfaces.d/23-adh.j2
+++ /dev/null
@@ -1,32 +0,0 @@
-{{ ansible_header | comment }}
-
-{% set adh = hostvars[inventory_hostname]['ansible_' + adh_iface.stdout] %}
-auto {{ adh_iface.stdout }}
-iface {{ adh_iface.stdout }} inet static
-	address {{ adh.ipv4.address }}
-	network {{ adh.ipv4.network }}
-	netmask {{ adh.ipv4.netmask }}
-	broadcast {{ adh.ipv4.broadcast }}
-	gateway {{ vlan.adh.gateway }}
-	metric {{ vlan.adh.metric }}
-	mtu 1496
-	dns-nameservers {{ vlan.adh.dns }}
-	dns-search crans.org
-	up /sbin/ip link set $IFACE alias adh
-{% if ansible_local.interfaces.sup_if_4 is defined %}
-{% if adh_iface.stdout in ansible_local.interfaces.sup_if_4 %}
-{% for line in ansible_local.interfaces.sup_if_4[adh_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
-
-iface {{ adh_iface.stdout }} inet6 static
-	address {{ adh.ipv6[0].address }}/{{ adh.ipv6[0].prefix }}
-{% if ansible_local.interfaces.sup_if_6 is defined %}
-{% if adh_iface.stdout in ansible_local.interfaces.sup_if_6 %}
-{% for line in ansible_local.interfaces.sup_if_6[adh_iface.stdout] %}
-	{{ line }}
-{% endfor %}
-{% endif %}
-{% endif %}
diff --git a/roles/interfaces/templates/network/interfaces.d/ifalias.j2 b/roles/interfaces/templates/network/interfaces.d/ifalias.j2
new file mode 100644
index 00000000..daf6a938
--- /dev/null
+++ b/roles/interfaces/templates/network/interfaces.d/ifalias.j2
@@ -0,0 +1,36 @@
+{{ ansible_header | comment }}
+
+{% set ifconfig = hostvars[inventory_hostname]['ansible_' + item.ifnames[0]] %}
+auto {{ item.ifnames[0] }}
+iface {{ item.ifnames[0] }} inet static
+	address {{ ifconfig.ipv4.address }}
+	network {{ ifconfig.ipv4.network }}
+	netmask {{ ifconfig.ipv4.netmask }}
+	broadcast {{ ifconfig.ipv4.broadcast }}
+{% if item.gateway is defined %}
+	gateway {{ item.gateway }}
+{% endif %}
+{% if item.metric is defined %}
+	metric {{ item.metric }}
+{% endif %}
+	mtu 1496
+	dns-nameservers {{ item.dns }}
+	dns-search {{ item.dns_search }}
+	up /sbin/ip link set $IFACE alias {{ item.name }}
+{% if ansible_local.interfaces.sup_if_4 is defined %}
+{% if item.ifnames[0] in ansible_local.interfaces.sup_if_4 %}
+{% for line in ansible_local.interfaces.sup_if_4[item.ifnames[0]] %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
+
+iface {{ item.ifnames[0] }} inet6 static
+	address {{ ifconfig.ipv6[0].address }}/{{ ifconfig.ipv6[0].prefix }}
+{% if ansible_local.interfaces.sup_if_6 is defined %}
+{% if item.ifnames[0] in ansible_local.interfaces.sup_if_6 %}
+{% for line in ansible_local.interfaces.sup_if_6[item.ifnames[0]] %}
+	{{ line }}
+{% endfor %}
+{% endif %}
+{% endif %}
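Review bot: The new shared template has no header stating which keys of `item` it expects, and the contract is now spread across `interfaces.yml` and the role's tasks: `name`, `ifnames[0]`, `dns` and `dns_search` are read unconditionally while `gateway` and `metric` are guarded by `is defined`. A Jinja comment after the ansible_header line along the lines of `{# item: one entry of the vlan list — name, ifnames (first element used), dns, dns_search required; gateway and metric optional #}` would let someone adding a VLAN see what must be supplied without reading the play. The unguarded `dns`/`dns_search` matches every vlan entry in this patch, so no code change is needed.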
-- 
GitLab


From 2c8ad8f6fd6b632647bd40bd917c212f6025b549 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Wed, 29 Apr 2020 12:15:12 +0200
Subject: [PATCH 30/55] [backuppc] Initial role

---
 roles/backuppc/tasks/main.yml                 | 20 +++++++++++++++++++
 .../templates/update-motd.d/05-service.j2     |  3 +++
 services_web.yml                              |  4 ++++
 3 files changed, 27 insertions(+)
 create mode 100644 roles/backuppc/tasks/main.yml
 create mode 100755 roles/backuppc/templates/update-motd.d/05-service.j2

diff --git a/roles/backuppc/tasks/main.yml b/roles/backuppc/tasks/main.yml
new file mode 100644
index 00000000..bb1e89b2
--- /dev/null
+++ b/roles/backuppc/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: Install backuppc
+  apt:
+    update_cache: true
+    name: backuppc
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Disable mlocate indexation of backup files
+  lineinfile:
+    path: /etc/updatedb.conf
+    regexp: '^PRUNEPATHS'
+    line: PRUNEPATHS="/tmp /var/spool /media /var/lib/os-prober /var/lib/ceph /var/lib/backuppc /backup"
+
+- name: Indicate role in motd
+  template:
+    src: update-motd.d/05-service.j2
+    dest: /etc/update-motd.d/05-backuppc
+    mode: 0755
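Review bot: The lineinfile task rewrites the entire PRUNEPATHS value with a fixed string, so any exclusion another role (or an admin) has added on the same host is silently dropped the next time this role runs, and nothing in the task says that this is intentional. A comment above the `line:` such as `# Replaces the whole PRUNEPATHS line; add further exclusions here rather than in another role` would make the ownership of that line explicit. The motd template's pointer to /etc/backuppc/ also suggests configuration lives there, but this role does not manage it; if that is deliberate for a first version, saying so in the task file helps.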
diff --git a/roles/backuppc/templates/update-motd.d/05-service.j2 b/roles/backuppc/templates/update-motd.d/05-service.j2
new file mode 100755
index 00000000..e0e1810d
--- /dev/null
+++ b/roles/backuppc/templates/update-motd.d/05-service.j2
@@ -0,0 +1,3 @@
+#!/usr/bin/tail +14
+{{ ansible_header | comment }}
+> BackupPC a été déployé sur cette machine. Voir /etc/backuppc/ et /var/lib/backuppc/.
diff --git a/services_web.yml b/services_web.yml
index a6dbe2eb..934c70f9 100755
--- a/services_web.yml
+++ b/services_web.yml
@@ -114,3 +114,7 @@
     - ftpsync
     - rsync-mirror
     - nginx-pubftp
+
+- hosts: zephir.adm.crans.org
+  roles:
+    - backuppc
-- 
GitLab


From 4d4fae85f532626c7c82edb267b78d61573276ae Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Wed, 29 Apr 2020 12:20:52 +0200
Subject: [PATCH 31/55] Let's eat some backups

---
 services_web.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services_web.yml b/services_web.yml
index 934c70f9..e52e8a23 100755
--- a/services_web.yml
+++ b/services_web.yml
@@ -115,6 +115,6 @@
     - rsync-mirror
     - nginx-pubftp
 
-- hosts: zephir.adm.crans.org
+- hosts: zephir.adm.crans.org,omnomnom.adm.crans.org
   roles:
     - backuppc
-- 
GitLab


From 5406ec7a0553a4d8f230e0757960e2fa4fa7cfde Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Fri, 1 May 2020 16:59:47 +0200
Subject: [PATCH 32/55] [bind-authoritative] Add zone
 _acme-challenge.adm.crans.org

---
 .../templates/bind/named.conf.local.j2        | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/roles/bind-authoritative/templates/bind/named.conf.local.j2 b/roles/bind-authoritative/templates/bind/named.conf.local.j2
index 9752be76..e11f50c3 100644
--- a/roles/bind-authoritative/templates/bind/named.conf.local.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2
@@ -35,6 +35,29 @@ zone "_acme-challenge.crans.org" {
 	file "bak._acme-challenge.crans.org";
 };
 
+// Let's Encrypt Challenge DNS-01 zone
+zone "_acme-challenge.adm.crans.org" {
+{% if is_master %}
+	type master;
+	notify yes;
+	update-policy {
+		grant certbot_challenge. name _acme-challenge.adm.crans.org. txt;
+	};
+{% else %}
+	type slave;
+	masters {
+{% for ip in masters_ipv4 %}
+		{{ ip }};
+{% endfor -%}
+{% for ip in masters_ipv6 %}
+		{{ ip }};
+{% endfor %}
+	};
+	notify no;
+{% endif %}
+	file "bak._acme-challenge.adm.crans.org";
+};
+
 zone "_acme-challenge.crans.fr" {
 {% if is_master %}
 	type master;
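Review bot: The new zone's update-policy grants `certbot_challenge.`, the same TSIG key the existing `_acme-challenge.crans.org` zone grants, so any host holding that key for the public crans.org certificate can also complete DNS-01 validation for names under adm.crans.org. Since the adm certificate is meant for a different host, a dedicated key per challenge zone keeps those capabilities separate and makes a compromised key's blast radius one zone; a later patch in this series ("New DNS key") introduces `certbot_adm_challenge.` for exactly this, so it may be worth folding that into this commit. The `{% endfor -%}` on the IPv4 loop versus `{% endfor %}` on the IPv6 loop is copied from the neighbouring zones and only affects whitespace.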
-- 
GitLab


From 65363c64816910e594536ea6d69591fe6a83ad5a Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Fri, 1 May 2020 17:17:18 +0200
Subject: [PATCH 33/55] Certbot role for gitzly

---
 network.yml                                   | 20 ++++++++++++++++++-
 roles/certbot/tasks/main.yml                  |  4 ++--
 .../letsencrypt/conf.d/crans.org.ini.j2       |  6 +++---
 .../templates/letsencrypt/rfc2136.ini.j2      |  4 ++--
 4 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/network.yml b/network.yml
index b7d09a19..ed74f96c 100755
--- a/network.yml
+++ b/network.yml
@@ -51,7 +51,25 @@
 # Deploy reverse proxy
 - hosts: bakdaur.adm.crans.org
   vars:
-    certbot_dns_secret: "{{ vault_certbot_dns_secret }}"
+    certbot:
+      dns_rfc2136_name: certbot_challenge.
+      dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+      mail: root@crans.org
+      certname: crans.org
+      domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
+    bind:
+      masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
+  roles:
+    - certbot
+
+- hosts: gitzly.adm.crans.org
+  vars:
+    certbot:
+      dns_rfc2136_name: certbot_adm_challenge.
+      dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
+      mail: root@crans.org
+      certname: adm.crans.org
+      domains: "*.adm.crans.org"
     bind:
       masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
   roles:
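Review bot: The gitzly play names the TSIG key `certbot_adm_challenge.` and the secret `vault_certbot_adm_dns_secret`, but as of this patch the bind template defines no such key and the `_acme-challenge.adm.crans.org` zone grants `certbot_challenge.`, so RFC2136 updates signed with this key would be refused by the masters until the key is added (the following patch in the series does that). Ordering the two changes together, or a note in this play that the key must exist on the DNS masters first, avoids a half-deployed state where certbot on gitzly fails its first renewal. The `bind.masters` lookup is duplicated verbatim from the bakdaur play; if more certbot hosts follow, a shared group var would keep the two from drifting.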
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index 86e7c6e3..3a862fcb 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -24,6 +24,6 @@
 
 - name: Add Certbot configuration
   template:
-    src: letsencrypt/conf.d/crans.org.ini.j2
-    dest: /etc/letsencrypt/conf.d/crans.org.ini
+    src: "letsencrypt/conf.d/{{ certbot.certname }}.ini.j2"
+    dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
     mode: 0644
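Review bot: Deriving `src` from `certbot.certname` means one template file per certificate name, yet the only template in the role is `crans.org.ini.j2`, which this same patch makes fully generic (email, cert-name and domains all come from `certbot.*`); the gitzly play with `certname: adm.crans.org` would therefore fail on a missing `adm.crans.org.ini.j2`. Keeping a single fixed template source, e.g. `src: letsencrypt/conf.d/certname.ini.j2` with the file renamed accordingly, and varying only `dest` is enough. The next patch in the series performs that rename, so this is an ordering issue rather than a lasting one.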
diff --git a/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2
index d311fa76..837a60a9 100644
--- a/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2
+++ b/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2
@@ -10,7 +10,7 @@ rsa-key-size = 4096
 # server = https://acme-staging.api.letsencrypt.org/directory
 
 # Uncomment and update to register with the specified e-mail address
-email = root@crans.org
+email = {{ certbot.mail }}
 
 # Uncomment to use a text interface instead of ncurses
 text = True
@@ -21,5 +21,5 @@ dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
 dns-rfc2136-propagation-seconds = 30
 
 # Wildcard the domain
-cert-name = crans.org
-domains = crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu
+cert-name = {{ certbot.certname }}
+domains = {{ certbot.domains }}
diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
index 54b272b5..a41a547d 100644
--- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@@ -2,6 +2,6 @@
 
 dns_rfc2136_server = {{ dns_masters_ipv4 | first }}
 dns_rfc2136_port = 53
-dns_rfc2136_name = certbot_challenge.
-dns_rfc2136_secret = {{ certbot_dns_secret }}
+dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
+dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
 dns_rfc2136_algorithm = HMAC-SHA512
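Review bot: This file now receives the per-host TSIG secret through `certbot.dns_rfc2136_secret`, and the task that deploys it is outside this diff, so I cannot confirm its mode; it should be readable by root only, unlike the 0644 used for the conf.d ini in the same role, since the secret authorises DNS updates on the masters. The unchanged `dns_rfc2136_server = {{ dns_masters_ipv4 | first }}` depends on a variable that the new `certbot`/`bind` dictionaries in network.yml do not visibly provide; presumably it is set elsewhere in the role, but that is worth verifying for the gitzly host. A comment naming the key's scope, e.g. `# key must be granted in the matching _acme-challenge zone on the DNS masters`, would tie the two templates together.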
-- 
GitLab


From 28595429473955aa2cd25286feca74053051e051 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Fri, 1 May 2020 17:35:27 +0200
Subject: [PATCH 34/55] New DNS key

---
 network.yml                                                 | 1 +
 roles/bind-authoritative/templates/bind/named.conf.local.j2 | 6 +++++-
 roles/certbot/tasks/main.yml                                | 2 +-
 .../conf.d/{crans.org.ini.j2 => certname.ini.j2}            | 0
 4 files changed, 7 insertions(+), 2 deletions(-)
 rename roles/certbot/templates/letsencrypt/conf.d/{crans.org.ini.j2 => certname.ini.j2} (100%)

diff --git a/network.yml b/network.yml
index ed74f96c..97cc9737 100755
--- a/network.yml
+++ b/network.yml
@@ -40,6 +40,7 @@
 - hosts: silice.adm.crans.org,sputnik.adm.crans.org,boeing.adm.crans.org
   vars:
     certbot_dns_secret: "{{ vault_certbot_dns_secret }}"
+    certbot_adm_dns_secret: "{{ vault_certbot_adm_dns_secret }}"
     bind:
       masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
       slaves: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-slave')[0] }}"
diff --git a/roles/bind-authoritative/templates/bind/named.conf.local.j2 b/roles/bind-authoritative/templates/bind/named.conf.local.j2
index e11f50c3..9d76d8e8 100644
--- a/roles/bind-authoritative/templates/bind/named.conf.local.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2
@@ -10,6 +10,10 @@ key "certbot_challenge." {
 	algorithm hmac-sha512;
 	secret "{{ certbot_dns_secret }}";
 };
+key "certbot_adm_challenge." {
+	algorithm hmac-sha512;
+	secret "{{ certbot_adm_dns_secret }}";
+};
 {% endif %}
 
 // Let's Encrypt Challenge DNS-01 zone
@@ -41,7 +45,7 @@ zone "_acme-challenge.adm.crans.org" {
 	type master;
 	notify yes;
 	update-policy {
-		grant certbot_challenge. name _acme-challenge.adm.crans.org. txt;
+		grant certbot_adm_challenge. name _acme-challenge.adm.crans.org. txt;
 	};
 {% else %}
 	type slave;
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index 3a862fcb..b32845cc 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -24,6 +24,6 @@
 
 - name: Add Certbot configuration
   template:
-    src: "letsencrypt/conf.d/{{ certbot.certname }}.ini.j2"
+    src: "letsencrypt/conf.d/certname.ini.j2"
     dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
     mode: 0644
diff --git a/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
similarity index 100%
rename from roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2
rename to roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
-- 
GitLab


From fa586e9a946deb195b43d05c722d52734a79e95c Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Fri, 1 May 2020 18:37:51 +0200
Subject: [PATCH 35/55] Clean up Framadate for shireen

---
 roles/framadate/tasks/main.yml                     | 14 +++++++-------
 .../templates/update-motd.d/05-service.j2          |  3 +--
 services_web.yml                                   | 12 ++++--------
 3 files changed, 12 insertions(+), 17 deletions(-)

diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml
index b3584f62..02c698e7 100644
--- a/roles/framadate/tasks/main.yml
+++ b/roles/framadate/tasks/main.yml
@@ -16,23 +16,23 @@
 
 - name: Clone framadate project
   git:
-    repo: "{{ framadate_repo }}"
-    dest: "{{ framadate_path }}"
-    version: "{{ framadate_version }}"
+    repo: "{{ framadate.repo }}"
+    dest: "{{ framadate.path }}"
+    version: "{{ framadate.version }}"
 
 - name: Set perms on framadate code
   file:
-    path: "{{ framadate_path }}"
+    path: "{{ framadate.path }}"
     state: directory
-    owner: "{{ framadate_user }}"
+    owner: www-data
     recurse: true
 
 - name: Install Framadate dependencies
   composer:
     command: install
-    working_dir: "{{ framadate_path }}"
+    working_dir: "{{ framadate.path }}"
   become: true
-  become_user: "{{ framadate_user }}"
+  become_user: www-data
   register: composer_result
   retries: 3
   until: composer_result is succeeded
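Review bot: Hard-coding `owner: www-data` with `recurse: true` keeps the whole Framadate checkout owned by the account that serves it, and the composer step also runs as www-data, so the web server user can modify application code in place; the previous `framadate_user` variable made that choice visible and the removed comment explained how to debug as that user, both of which are now gone. This is inherited rather than new, but since the patch touches these lines, a one-line comment such as `# www-data must own the tree for composer install; code dir is therefore writable by the web server` would record the trade-off, and a split between a code-owning account and the serving user with write access limited to the directories Framadate writes to would narrow it if those paths are known. The `git` task itself still runs as root, which is fine for the clone but means the subsequent chown is load-bearing.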
diff --git a/roles/framadate/templates/update-motd.d/05-service.j2 b/roles/framadate/templates/update-motd.d/05-service.j2
index bf029cde..d0598362 100755
--- a/roles/framadate/templates/update-motd.d/05-service.j2
+++ b/roles/framadate/templates/update-motd.d/05-service.j2
@@ -1,4 +1,3 @@
 #!/usr/bin/tail +14
 {{ ansible_header | comment }}
-> framadate a été déployé sur cette machine.
-  Voir {{ framadate_path }}
+> Framadate a été déployé sur cette machine. Voir {{ framadate.path }}.
diff --git a/services_web.yml b/services_web.yml
index e52e8a23..17515e3f 100755
--- a/services_web.yml
+++ b/services_web.yml
@@ -7,14 +7,10 @@
 # Deploy FramaDate
 - hosts: voyager.adm.crans.org
   vars:
-    # mirror on Crans GitLab because adm has no network
-    framadate_repo: https://framagit.org/framasoft/framadate/framadate.git
-    framadate_version: 1.1.10
-
-    # User who will run framadate
-    # you will have to `sudo -u THISUSER zsh` to debug
-    framadate_user: www-data
-    framadate_path: /var/www/framadate
+    framadate:
+      repo: https://framagit.org/framasoft/framadate/framadate.git
+      version: 1.1.10
+      path: /var/www/framadate
   roles:
     - framadate
 
-- 
GitLab


From 39a33bfa062f24d1ded491628ea920d92ccaad59 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sat, 2 May 2020 10:18:10 +0200
Subject: [PATCH 36/55] [nginx-reverseproxy] Initial role

---
 network.yml                                   | 72 ++++++++++++++++
 roles/nginx-reverseproxy/handlers/main.yml    |  5 ++
 roles/nginx-reverseproxy/tasks/main.yml       | 40 +++++++++
 .../templates/nginx/redirect.j2               | 83 +++++++++++++++++++
 .../templates/nginx/reverseproxy.j2           | 62 ++++++++++++++
 .../nginx/reverseproxy_redirect_dname.j2      | 44 ++++++++++
 .../templates/update-motd.d/05-service.j2     |  3 +
 .../templates/www/html/50x.html.j2            | 63 ++++++++++++++
 8 files changed, 372 insertions(+)
 create mode 100644 roles/nginx-reverseproxy/handlers/main.yml
 create mode 100644 roles/nginx-reverseproxy/tasks/main.yml
 create mode 100644 roles/nginx-reverseproxy/templates/nginx/redirect.j2
 create mode 100644 roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
 create mode 100644 roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
 create mode 100755 roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2
 create mode 100644 roles/nginx-reverseproxy/templates/www/html/50x.html.j2

diff --git a/network.yml b/network.yml
index 97cc9737..daf70236 100755
--- a/network.yml
+++ b/network.yml
@@ -60,8 +60,80 @@
       domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
     bind:
       masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
+    nginx:
+      ssl:
+        cert: /etc/letsencrypt/live/crans.org/fullchain.pem
+        cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
+        trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
+ 
+      redirect_dnames:
+        - crans.eu
+        - crans.fr
+
+      reverseproxy_sites:
+        # Services web Crans
+        - {from: lutim.crans.org, to: 10.231.136.69}
+        - {from: zero.crans.org, to: 10.231.136.76}
+        - {from: pad.crans.org, to: 10.231.136.76}
+        - {from: ethercalc.crans.org, to: 10.231.136.203}
+        - {from: mediadrop.crans.org, to: 10.231.136.106}
+        - {from: videos.crans.org, to: 10.231.136.106}
+        - {from: video.crans.org, to: 10.231.136.106}
+        - {from: roundcube.crans.org, to: 10.231.136.105}
+        - {from: phabricator.crans.org, to: 10.231.136.123}
+        - {from: trackerusercontent.crans.org, to: 10.231.136.123}
+        - {from: cas.crans.org, to: 10.231.136.18}
+        - {from: auth.crans.org, to: 10.231.136.18}
+        - {from: login.crans.org, to: 10.231.136.18}
+        - {from: webmail.crans.org, to: 10.231.136.107}
+        - {from: horde.crans.org, to: 10.231.136.107}
+        - {from: owncloud.crans.org, to: 10.231.136.26}
+        - {from: ftps.crans.org, to: 10.231.136.98}
+        - {from: wiki.crans.org, to: 10.231.136.204}
+        - {from: www.crans.org, to: 10.231.136.46}
+        - {from: doc.crans.org, to: 10.231.136.46}
+        - {from: limesurvey.crans.org, to: 10.231.136.253}
+        - {from: lutim.crans.org, to: 10.231.136.69}
+        - {from: perso.crans.org, to: 10.231.136.1}
+        - {from: webnews.crans.org, to: 10.231.136.63}
+        - {from: re2o.crans.org, to: 10.231.136.9}
+        - {from: intranet.crans.org, to: 10.231.136.9}
+        - {from: autoconfig.crans.org, to: 10.231.136.46}
+        - {from: grafana.crans.org, to: 10.231.136.102}
+        - {from: webirc.crans.org, to: "10.231.136.1:9000"}
+
+        # Zamok
+        - {from: install-party.crans.org, to: 10.231.136.1}
+        - {from: med.crans.org, to: 10.231.136.1}
+        - {from: med-cartons.crans.org, to: 10.231.136.1}
+        - {from: amap.crans.org, to: 10.231.136.1}
+        - {from: pot-vieux.crans.org, to: 10.231.136.1}
+        - {from: bonvivens.crans.org, to: 10.231.136.1}
+
+      redirect_sites:
+        - {from: crans.org, to: www.crans.org}
+
+        # Aliases or legacy support
+        - {from: factures.crans.org, to: intranet.crans.org}
+        - {from: accounts.crans.org, to: intranet.crans.org}
+        - {from: intranet2.crans.org, to: intranet.crans.org}
+        - {from: clubs.crans.org, to: perso.crans.org}
+        - {from: task.crans.org, to: phabricator.crans.org}
+        - {from: adopteunpingouin.crans.org, to: install-party.crans.org}
+        - {from: i-p.crans.org, to: install-party.crans.org}
+
+        # To the wiki
+        - {from: wikipedia.crans.org, to: wiki.crans.org}
+        - {from: wifi.crans.org, to: wiki.crans.org/CransD%C3%A9marrage}
+        - {from: television.crans.org, to: wiki.crans.org/CransTv}
+        - {from: tv.crans.org, to: wiki.crans.org/CransTv}
+
+        # ENS Cachan
+        - {from: crans.ens-cachan.fr, to: www.crans.org}
+        - {from: install-party.ens-cachan.fr, to: install-party.crans.org}
   roles:
     - certbot
+    - nginx-reverseproxy
 
 - hosts: gitzly.adm.crans.org
   vars:
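Review bot: The HTTPS redirect blocks generated for `crans.ens-cachan.fr` and `install-party.ens-cachan.fr` (the last two `redirect_sites` entries) will present the `crans.org` certificate named in `nginx.ssl.cert`, because the redirect template emits a port-443 server for every entry while the certbot `domains` list a few lines above covers only crans.org, crans.fr and crans.eu; browsers reaching those names over HTTPS get a name-mismatch error instead of the redirect. Either add the ens-cachan.fr names to the certbot `domains` list (if that zone can satisfy the DNS-01 challenge) or let entries opt out of the TLS block, e.g. `- {from: crans.ens-cachan.fr, to: www.crans.org, tls: false}`, and have the template skip the 443 server for them. A short comment on `redirect_sites` stating that every `from` name must be covered by the certificate would save the next person from the same trap.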
diff --git a/roles/nginx-reverseproxy/handlers/main.yml b/roles/nginx-reverseproxy/handlers/main.yml
new file mode 100644
index 00000000..6dfcdd76
--- /dev/null
+++ b/roles/nginx-reverseproxy/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Reload nginx
+  systemd:
+    name: nginx
+    state: reloaded
diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml
new file mode 100644
index 00000000..3c95a8f7
--- /dev/null
+++ b/roles/nginx-reverseproxy/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+- name: Install NGINX
+  apt:
+    update_cache: true
+    name: nginx
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Copy reverse proxy sites
+  template:
+    src: "nginx/{{ item }}.j2"
+    dest: "/etc/nginx/sites-available/{{ item }}"
+  loop:
+    - reverseproxy
+    - reverseproxy_redirect_dname
+    - redirect
+  notify: Reload nginx
+
+- name: Activate sites
+  file:
+    src: "/etc/nginx/sites-available/{{ item }}"
+    dest: "/etc/nginx/sites-enabled/{{ item }}"
+    state: link
+  loop:
+    - reverseproxy
+    - reverseproxy_redirect_dname
+    - redirect
+  notify: Reload nginx
+
+- name: Copy 50x error page
+  template:
+    src: www/html/50x.html.j2
+    dest: /var/www/html/50x.html
+
+- name: Indicate role in motd
+  template:
+    src: update-motd.d/05-service.j2
+    dest: /etc/update-motd.d/05-nginx
+    mode: 0755
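Review bot: Nothing validates the rendered configuration before the `Reload nginx` handler fires, so a template error (the missing semicolon after `listen [::]:80` in `reverseproxy.j2` is a live example) leaves nginx running its previous config while the next restart fails outright. Add a check after the template and link tasks: `- name: Check nginx configuration` / `command: nginx -t` / `changed_when: false`, which aborts the play instead of pushing a broken reload. The Debian `default` site also stays enabled and answers unknown `Host` values with the stock page; removing it (`file: path=/etc/nginx/sites-enabled/default state=absent` with the same notify) makes the catch-all behaviour deterministic, since no server block in these templates declares `default_server`.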
diff --git a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 b/roles/nginx-reverseproxy/templates/nginx/redirect.j2
new file mode 100644
index 00000000..fb177b9a
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/nginx/redirect.j2
@@ -0,0 +1,83 @@
+{{ ansible_header | comment }}
+
+{% for site in nginx.redirect_sites %}
+# Redirect http://{{ site.from }} to http://{{ site.to }}
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ site.from }};
+
+    location / {
+        return 302 http://{{ site.to }}$request_uri;
+    }
+}
+
+# Redirect https://{{ site.from }} to https://{{ site.to }}
+server {
+    listen 443;
+    listen [::]:443;
+
+    server_name {{ site.from }};
+
+    ssl on;
+    ssl_certificate {{ nginx.ssl.cert }};
+    ssl_certificate_key {{ nginx.ssl.cert_key }};
+
+    # SSL ciphers updated by Debian
+    include "/etc/letsencrypt/options-ssl-nginx.conf";
+
+    # Enable OCSP Stapling, point to certificate chain
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
+    location / {
+        return 302 https://{{ site.to }}$request_uri;
+    }
+}
+
+{% endfor %}
+
+{# Also redirect for DNAMEs #}
+{% for dname in nginx.redirect_dnames %}
+{% for site in nginx.redirect_sites %}
+{% set from = site.from | regex_replace('crans.org', dname) %}
+# Redirect http://{{ from }} to http://{{ site.to }}
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ from }};
+
+    location / {
+        return 302 http://{{ site.to }}$request_uri;
+    }
+}
+
+# Redirect https://{{ from }} to https://{{ site.to }}
+server {
+    listen 443;
+    listen [::]:443;
+
+    server_name {{ from }};
+
+    ssl on;
+    ssl_certificate {{ nginx.ssl.cert }};
+    ssl_certificate_key {{ nginx.ssl.cert_key }};
+
+    # SSL ciphers updated by Debian
+    include "/etc/letsencrypt/options-ssl-nginx.conf";
+
+    # Enable OCSP Stapling, point to certificate chain
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
+    location / {
+        return 302 https://{{ site.to }}$request_uri;
+    }
+}
+
+{% endfor %}
+{% endfor %}
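Review bot: The port-80 server blocks (in both the plain loop and the DNAME loop) redirect to `http://{{ site.to }}`, which sends the browser through another cleartext hop before the target's own port-80 block bounces it to HTTPS; `return 302 https://{{ site.to }}$request_uri;` removes that hop and the window for an on-path rewrite. `ssl on;` is the deprecated form and a bare `listen 443;` relies on it; `listen 443 ssl;` / `listen [::]:443 ssl;` with `ssl on;` dropped is the supported spelling. The `regex_replace('crans.org', dname)` filter leaves the dots unescaped, so it also matches e.g. `cransXorg`; `regex_replace('crans\\.org$', dname)` pins the rewrite to the intended suffix.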
diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
new file mode 100644
index 00000000..eab44a49
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
@@ -0,0 +1,62 @@
+{{ ansible_header | comment }}
+
+{% for site in nginx.reverseproxy_sites %}
+# Redirect http://{{ site.from }} to https://{{ site.from }}
+server {
+    listen 80;
+    listen [::]:80
+
+    server_name {{ site.from }};
+
+    location / {
+        return 302 https://$host$request_uri;
+    }
+}
+
+# Reverse proxify https://{{ site.from }} to http://{{ site.to }}
+server {
+    listen 443;
+    listen [::]:443;
+
+    server_name {{ site.from }};
+
+    ssl on;
+    ssl_certificate {{ nginx.ssl.cert }};
+    ssl_certificate_key {{ nginx.ssl.cert_key }};
+
+    # SSL ciphers updated by Debian
+    include "/etc/letsencrypt/options-ssl-nginx.conf";
+
+    # Enable OCSP Stapling, point to certificate chain
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
+    # Log into separate log files
+    access_log      /var/log/nginx/{{ site.from }}.log;
+    error_log       /var/log/nginx/{{ site.from }}_error.log;
+
+    # Keep the TCP connection open a bit for faster browsing
+    keepalive_timeout 70;
+ 
+    # Custom error page
+    error_page  500 502 503 504  /50x.html;
+    location = /50x.html {
+        root /var/www/html;
+    }
+
+    set_real_ip_from 10.231.136.0/24;
+    set_real_ip_from 2a0c:700:0:2::/64;
+    real_ip_header P-Real-Ip;
+
+    location / {
+        proxy_set_header Host {{ site.from }};
+        proxy_set_header P-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_redirect off;
+        proxy_pass http://{{ site.to }};
+    }
+}
+
+{% endfor %}
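Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever `X-Forwarded-For` the Internet client sent, so a backend that reads the first entry (for logging, rate limiting or access rules) sees an attacker-chosen address; unless a backend is known to need the full chain, `proxy_set_header X-Forwarded-For $remote_addr;` is the safer default, and backends should only ever trust the last hop. The `set_real_ip_from 10.231.136.0/24` / `real_ip_header P-Real-Ip` pair lets any host on that adm range (and the v6 /64) rewrite `$remote_addr` with a header of its choosing, which then lands in the per-site access logs and in the `P-Real-IP` forwarded here; narrowing it to the peer proxy's address, if that is the intent, plus a comment naming that peer, would make it reviewable. None of the TLS blocks send `Strict-Transport-Security`; once every proxied site is confirmed to work over HTTPS, add `add_header Strict-Transport-Security "max-age=63072000" always;`. The port-80 redirect uses `$host`, which is taken from the request and is only safe while this block is never the implicit default server; `https://{{ site.from }}$request_uri` is the more defensive form.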
diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
new file mode 100644
index 00000000..1affe511
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
@@ -0,0 +1,44 @@
+{{ ansible_header | comment }}
+
+{% for dname in nginx.redirect_dnames %}
+{% for site in nginx.reverseproxy_sites %}
+{% set from = site.from | regex_replace('crans.org', dname) %}
+{% set to = site.from %}
+# Redirect http://{{ from }} to http://{{ to }}
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ from }};
+
+    location / {
+        return 302 http://{{ to }}$request_uri;
+    }
+}
+
+# Redirect https://{{ from }} to https://{{ to }}
+server {
+    listen 443;
+    listen [::]:443;
+
+    server_name {{ from }};
+
+    ssl on;
+    ssl_certificate {{ nginx.ssl.cert }};
+    ssl_certificate_key {{ nginx.ssl.cert_key }};
+
+    # SSL ciphers updated by Debian
+    include "/etc/letsencrypt/options-ssl-nginx.conf";
+
+    # Enable OCSP Stapling, point to certificate chain
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
+    location / {
+        return 302 https://{{ to }}$request_uri;
+    }
+}
+
+{% endfor %}
+{% endfor %}
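Review bot: The port-80 block for each DNAME alias redirects to `http://{{ to }}`, and the canonical name's own port-80 block then redirects again to HTTPS, so aliased visitors make two cleartext hops; `return 302 https://{{ to }}$request_uri;` collapses that to one and keeps the first hop off the wire. The `regex_replace('crans.org', dname)` substitution treats the dots as wildcards; `regex_replace('crans\\.org$', dname)` limits the rewrite to the intended suffix. As in the sibling templates, `ssl on;` with a bare `listen 443;` is the deprecated spelling of `listen 443 ssl;`.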
diff --git a/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 b/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2
new file mode 100755
index 00000000..82373d0b
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2
@@ -0,0 +1,3 @@
+#!/usr/bin/tail +14
+{{ ansible_header | comment }}
+> NGINX a été déployé sur cette machine. Voir /etc/nginx/.
diff --git a/roles/nginx-reverseproxy/templates/www/html/50x.html.j2 b/roles/nginx-reverseproxy/templates/www/html/50x.html.j2
new file mode 100644
index 00000000..b4bde1f9
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/www/html/50x.html.j2
@@ -0,0 +1,63 @@
+<!doctype html>
+<html lang="fr">
+<head>
+    <meta charset="utf-8">
+    <title>502</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <style>
+        * {
+            line-height: 1.2;
+            margin: 0;
+        }
+
+        html {
+            color: #888;
+            display: table;
+            font-family: sans-serif;
+            height: 100%;
+            text-align: center;
+            width: 100%;
+        }
+
+        body {
+            display: table-cell;
+            vertical-align: middle;
+            margin: 2em auto;
+        }
+
+	a {
+	    color: #888;
+            text-decoration: underline dotted;
+	}
+
+        h1 {
+            color: #555;
+            font-size: 2em;
+            font-weight: 400;
+        }
+
+        p {
+            margin: 1em auto;
+            max-width: 480px;
+        }
+
+        @media only screen and (max-width: 280px) {
+            body, p {
+                width: 95%;
+            }
+
+            h1 {
+                font-size: 1.5em;
+                margin: 0 0 0.3em;
+            }
+        }
+    </style>
+</head>
+<body>
+    <h1>502</h1>
+    <p>Whoops, le service prend trop de temps à répondre…</p>
+    <p>Essayez de rafraîchir la page. Si le problème persiste, pensez
+    à contacter <a href="mailto:contact@crans.org">l'équipe technique du Cr@ns</a>.</p>
+</body>
+</html>
+
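Review bot: The page hard-codes "502" in the `<title>` and `<h1>` and says the service is too slow to answer, but `reverseproxy.j2` maps 500, 502, 503 and 504 to this file, so a backend crash (500) or a maintenance stop (503) is reported as a timeout. A neutral heading such as `<h1>Service indisponible</h1>` with a sentence covering both "unreachable" and "too slow" would be accurate for all four codes. The `a { … }` rule is indented with tabs while the rest of the stylesheet uses spaces; worth normalising since the file is otherwise consistent.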
-- 
GitLab


From ee1cb0e86ee5240d9a61baf9f2f3bf197ed56065 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sat, 2 May 2020 10:39:45 +0200
Subject: [PATCH 37/55] Fix yaml syntax

---
 base.yml                        | 4 ++--
 interfaces.yml                  | 2 +-
 network.yml                     | 2 +-
 roles/postfix/handlers/main.yml | 1 +
 upgrade.yml                     | 2 +-
 5 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/base.yml b/base.yml
index 5bf6a4e7..1f3d6506 100755
--- a/base.yml
+++ b/base.yml
@@ -6,8 +6,8 @@
     - name: Register adm interface in adm_iface variable
       shell: set -o pipefail && grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||"
       register: adm_iface
-      check_mode: no
-      changed_when: True
+      check_mode: false
+      changed_when: true
       args:
         executable: /bin/bash
 
diff --git a/interfaces.yml b/interfaces.yml
index 5c7107a7..bce7ced2 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -4,7 +4,7 @@
 - hosts: server
   tasks:
     - shell: "grep {{ item }} /sys/class/net/*/ifalias | sed \"s|/sys/class/net/||\" | sed \"s|/ifalias:.*||\""
-      check_mode: no
+      check_mode: false
       register: ifaces
       loop:
         - srv
diff --git a/network.yml b/network.yml
index daf70236..fdc49662 100755
--- a/network.yml
+++ b/network.yml
@@ -65,7 +65,7 @@
         cert: /etc/letsencrypt/live/crans.org/fullchain.pem
         cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
         trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
- 
+
       redirect_dnames:
         - crans.eu
         - crans.fr
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml
index 49094649..8fa449d5 100644
--- a/roles/postfix/handlers/main.yml
+++ b/roles/postfix/handlers/main.yml
@@ -1,3 +1,4 @@
+---
 - name: generate postmaps
   command: /usr/sbin/postmap {{ item }}
   loop:
diff --git a/upgrade.yml b/upgrade.yml
index 27798c15..194f0137 100755
--- a/upgrade.yml
+++ b/upgrade.yml
@@ -21,7 +21,7 @@
 
 - hosts: owncloud-srv.adm.crans.org
   become_user: www-data
-  become: yes
+  become: true
   vars:
     # Owncloud command line interface
     occ_bin: '/var/www/owncloud/occ'
-- 
GitLab


From 0a16ac0b0c14b5a85b1d165a85881754227a27d8 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sat, 2 May 2020 13:03:29 +0200
Subject: [PATCH 38/55] Minor fixes on reverse proxy

---
 network.yml                                            |  3 +--
 roles/certbot/tasks/main.yml                           |  5 +++++
 roles/nginx-reverseproxy/tasks/main.yml                | 10 +++++++++-
 roles/nginx-reverseproxy/templates/nginx/redirect.j2   |  2 ++
 .../nginx-reverseproxy/templates/nginx/reverseproxy.j2 |  2 +-
 .../templates/nginx/reverseproxy_redirect_dname.j2     |  2 ++
 6 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/network.yml b/network.yml
index fdc49662..2bde72ff 100755
--- a/network.yml
+++ b/network.yml
@@ -50,7 +50,7 @@
     - bind-authoritative
 
 # Deploy reverse proxy
-- hosts: bakdaur.adm.crans.org
+- hosts: bakdaur.adm.crans.org,sputnik.adm.crans.org
   vars:
     certbot:
       dns_rfc2136_name: certbot_challenge.
@@ -93,7 +93,6 @@
         - {from: www.crans.org, to: 10.231.136.46}
         - {from: doc.crans.org, to: 10.231.136.46}
         - {from: limesurvey.crans.org, to: 10.231.136.253}
-        - {from: lutim.crans.org, to: 10.231.136.69}
         - {from: perso.crans.org, to: 10.231.136.1}
         - {from: webnews.crans.org, to: 10.231.136.63}
         - {from: re2o.crans.org, to: 10.231.136.9}
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index b32845cc..2e9c8b26 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -22,6 +22,11 @@
     mode: 0600
     owner: root
 
+- name: Create /etc/letsencrypt/conf.d
+  file:
+    path: /etc/letsencrypt/conf.d
+    state: directory
+
 - name: Add Certbot configuration
   template:
     src: "letsencrypt/conf.d/certname.ini.j2"
diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml
index 3c95a8f7..1fee6a3c 100644
--- a/roles/nginx-reverseproxy/tasks/main.yml
+++ b/roles/nginx-reverseproxy/tasks/main.yml
@@ -2,11 +2,19 @@
 - name: Install NGINX
   apt:
     update_cache: true
-    name: nginx
+    name:
+      - nginx
+      - python3-certbot-nginx  # for options-ssl-nginx.conf
   register: apt_result
   retries: 3
   until: apt_result is succeeded
 
+- name: Copy certbot SSL snippet
+  copy:
+    remote_src: true
+    src: /usr/lib/python3/dist-packages/certbot_nginx/options-ssl-nginx.conf
+    dest: /etc/letsencrypt/options-ssl-nginx.conf
+
 - name: Copy reverse proxy sites
   template:
     src: "nginx/{{ item }}.j2"
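Review bot: The "Copy certbot SSL snippet" task has no `notify: Reload nginx`, so when a `python3-certbot-nginx` upgrade changes the protocol/cipher list the copied `/etc/letsencrypt/options-ssl-nginx.conf` is refreshed on the next run but the running nginx keeps the old settings until something else triggers a reload; add `notify: Reload nginx` to that task. The copy also means the "SSL ciphers updated by Debian" comment in the templates is only true as often as this playbook runs; including the package file directly, `include /usr/lib/python3/dist-packages/certbot_nginx/options-ssl-nginx.conf;`, would avoid a stale copy at the cost of nginx refusing to start if the package is ever removed. Either way, a comment on the task stating which trade-off was chosen helps the next maintainer.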
diff --git a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 b/roles/nginx-reverseproxy/templates/nginx/redirect.j2
index fb177b9a..4d60807e 100644
--- a/roles/nginx-reverseproxy/templates/nginx/redirect.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/redirect.j2
@@ -43,6 +43,7 @@ server {
 {% for dname in nginx.redirect_dnames %}
 {% for site in nginx.redirect_sites %}
 {% set from = site.from | regex_replace('crans.org', dname) %}
+{% if from != site.from %}
 # Redirect http://{{ from }} to http://{{ site.to }}
 server {
     listen 80;
@@ -79,5 +80,6 @@ server {
     }
 }
 
+{% endif %}
 {% endfor %}
 {% endfor %}
diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
index eab44a49..31c34462 100644
--- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
@@ -4,7 +4,7 @@
 # Redirect http://{{ site.from }} to https://{{ site.from }}
 server {
     listen 80;
-    listen [::]:80
+    listen [::]:80;
 
     server_name {{ site.from }};
 
diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
index 1affe511..8fc57808 100644
--- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
@@ -4,6 +4,7 @@
 {% for site in nginx.reverseproxy_sites %}
 {% set from = site.from | regex_replace('crans.org', dname) %}
 {% set to = site.from %}
+{% if from != site.from %}
 # Redirect http://{{ from }} to http://{{ to }}
 server {
     listen 80;
@@ -40,5 +41,6 @@ server {
     }
 }
 
+{% endif %}
 {% endfor %}
 {% endfor %}
-- 
GitLab


From 07a5be28d2a7c87c36815f84d716ed791e86920c Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sat, 2 May 2020 13:05:16 +0200
Subject: [PATCH 39/55] =?UTF-8?q?j'ai=20d=C3=A9t=C3=A9r=C3=A9=20frontdaur?=
 =?UTF-8?q?=20mami!?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 network.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/network.yml b/network.yml
index 2bde72ff..a6ec7a1c 100755
--- a/network.yml
+++ b/network.yml
@@ -50,7 +50,7 @@
     - bind-authoritative
 
 # Deploy reverse proxy
-- hosts: bakdaur.adm.crans.org,sputnik.adm.crans.org
+- hosts: bakdaur.adm.crans.org,frontdaur.adm.crans.org
   vars:
     certbot:
       dns_rfc2136_name: certbot_challenge.
-- 
GitLab


From 4967a5294692163dd1aa389632296e67e592444b Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Sat, 2 May 2020 13:19:16 +0200
Subject: [PATCH 40/55] [keepalived] Don't hardcode proxies adm interface

---
 roles/keepalived/templates/keepalived/keepalived.conf.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/keepalived/templates/keepalived/keepalived.conf.j2 b/roles/keepalived/templates/keepalived/keepalived.conf.j2
index 219d6b4f..9237116f 100644
--- a/roles/keepalived/templates/keepalived/keepalived.conf.j2
+++ b/roles/keepalived/templates/keepalived/keepalived.conf.j2
@@ -20,7 +20,7 @@ vrrp_instance VI_DAUR4 {
   priority 100
 {% endif %}
 
-  interface eth1
+  interface {{ keepalived.if_adm }}
   virtual_router_id 51
   advert_int 2
   authentication {
@@ -46,7 +46,7 @@ vrrp_instance VI_DAUR6 {
   priority 100
 {% endif %}
 
-  interface eth1
+  interface {{ keepalived.if_adm }}
   virtual_router_id 51
   advert_int 2
   authentication {
-- 
GitLab


From 912f998168eecc10011932b446a3d1fc269de76f Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sat, 2 May 2020 13:29:07 +0200
Subject: [PATCH 41/55] =?UTF-8?q?Il=20=C3=A9tait=20une=20fois,=20dans=20un?=
 =?UTF-8?q?=20virtu=20tr=C3=A8s=20tr=C3=A8s=20lointain?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 hosts          | 2 +-
 interfaces.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/hosts b/hosts
index 32248d9f..6b4c2755 100644
--- a/hosts
+++ b/hosts
@@ -34,7 +34,7 @@ cas-srv.adm.crans.org
 dhcp.adm.crans.org
 eap.adm.crans.org
 ethercalc-srv.adm.crans.org
-#frontdaur.adm.crans.org
+frontdaur.adm.crans.org
 gitzly.adm.crans.org
 horde-srv.adm.crans.org
 ipv6-zayo.adm.crans.org
diff --git a/interfaces.yml b/interfaces.yml
index bce7ced2..b32a9d03 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -14,7 +14,7 @@
         - switch
         - fil
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org,frontdaur.adm.crans.org
   vars:
     vlan:
       - name: srv
-- 
GitLab


From d8a54c329abfc96a0ee84655c2d1831bac43076d Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Sat, 2 May 2020 14:17:00 +0200
Subject: [PATCH 42/55] [keepalived] Deploy keepalived on frontdaur

---
 re2o-api.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/re2o-api.yml b/re2o-api.yml
index 0952348c..da0938f9 100755
--- a/re2o-api.yml
+++ b/re2o-api.yml
@@ -88,3 +88,20 @@
       router_broadcast_wifinewserveurs: 10.53.0.255
   roles:
     - keepalived
+
+# Deploy keepalived on frontdaur
+- hosts: frontdaur.adm.crans.org
+  vars:
+    keepalived:
+      radius: false
+      router: false
+      proxy: true
+      proxy_primary: false
+      proxy_password: "{{ vault_keepalived_proxy_password }}"
+      if_adm: eth1
+      if_srv: eth0
+      proxy_ipv4_srv: 185.230.79.194
+      proxy_broadcast_srv: 185.230.79.255
+      proxy_ipv6_srv: 2a0c:700:0:24:ba:ccff:feda:aa00
+  roles:
+    - keepalived
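Review bot: `proxy_password` is pulled from the vault, but the `authentication { … }` block it feeds in the keepalived template is VRRP authentication, and with `auth_type PASS` the password travels in clear in every advertisement on `if_adm`, so it only guards against an accidental second instance, not against a host on the adm VLAN; the `auth_type` itself is not visible in this hunk, so confirm it. A comment next to the variable, `# VRRP PASS auth is sent in clear on the adm VLAN: misconfiguration guard only, not a secret boundary`, would stop readers from treating the vault entry as real access control. The matching `proxy_primary: true` play for the other proxy is not in this hunk, so check that both sides share `virtual_router_id`, password and the same `proxy_ipv4_srv`/`proxy_ipv6_srv`.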
-- 
GitLab


From fd6fb1cdb3e44b43628b4dbb2b965dd0b9df0782 Mon Sep 17 00:00:00 2001
From: pa <pa@crans.org>
Date: Sat, 2 May 2020 15:43:26 +0200
Subject: [PATCH 43/55] [Framadate] log file creation

---
 roles/framadate/tasks/main.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml
index 02c698e7..1452702c 100644
--- a/roles/framadate/tasks/main.yml
+++ b/roles/framadate/tasks/main.yml
@@ -37,9 +37,12 @@
   retries: 3
   until: composer_result is succeeded
 
-# cd framadate
-# sudo -u www-data touch admin/stdout.log
-# sudo chmod 600 admin/stdout.log
+- name:
+  file:
+    path: "{{ framadate.path }}/admin/stdout.log"
+    owner: www-data
+    state: touch
+    mode: 0600
 
 - name: Indicate role in motd
   template:
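Review bot: `state: touch` on the new log-file task reports `changed` and rewrites the timestamps on every run, so the play is never idempotent and its change summary stops being meaningful; add `access_time: preserve` and `modification_time: preserve` so an existing file is left alone and only ownership and mode are enforced. The task also has an empty `name:`, which shows up as a blank task line in the play output. `owner: www-data` with `mode: 0600` is right for a log written by the PHP worker, but the group stays the creator's; adding `group: www-data` makes the result independent of who runs the playbook.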
-- 
GitLab


From 660f951c41640501056509d3311c0660f3167063 Mon Sep 17 00:00:00 2001
From: pa <pa@crans.org>
Date: Sat, 2 May 2020 15:56:27 +0200
Subject: [PATCH 44/55] [Framadate] Specify commit hash of develop branch

---
 services_web.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services_web.yml b/services_web.yml
index 17515e3f..283f4482 100755
--- a/services_web.yml
+++ b/services_web.yml
@@ -9,7 +9,7 @@
   vars:
     framadate:
       repo: https://framagit.org/framasoft/framadate/framadate.git
-      version: 1.1.10
+      version: "77bf2aaa0c344fd25535e2d0543d9a76bf35b5fd"
       path: /var/www/framadate
   roles:
     - framadate
-- 
GitLab


From 0ece2dd51ca7b2ab8e012d6ab487c590062b6c0a Mon Sep 17 00:00:00 2001
From: pa <pa@crans.org>
Date: Sat, 2 May 2020 16:47:28 +0200
Subject: [PATCH 45/55] [Framdate] nginx configuration

---
 roles/framadate/tasks/main.yml | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml
index 1452702c..80de2318 100644
--- a/roles/framadate/tasks/main.yml
+++ b/roles/framadate/tasks/main.yml
@@ -4,8 +4,8 @@
   apt:
     update_cache: true
     name:
-      - apache2
-      - libapache2-mod-php
+      - nginx
+      - php-fpm
       - php-intl
       - php-mbstring
       - php-pgsql
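Review bot: Replacing `apache2` and `libapache2-mod-php` in the package list does not remove them from a host already deployed with the previous version of this role, so Apache keeps port 80 there and the newly installed nginx fails to bind (or, depending on start order, serves nothing); add `- name: Remove Apache` / `apt: {name: [apache2, libapache2-mod-php], state: absent, purge: true}` before installing nginx, or state in a comment that the role targets fresh hosts only. Installing `php-fpm` leaves the FPM pool at its defaults; the nginx site later in this series expects it at `/run/php/php7.3-fpm.sock`, which ties the role to the Buster package name and is worth a comment.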
@@ -37,15 +37,27 @@
   retries: 3
   until: composer_result is succeeded
 
-- name:
+- name: Create log file
   file:
     path: "{{ framadate.path }}/admin/stdout.log"
     owner: www-data
     state: touch
     mode: 0600
 
+- name: Configure nginx site
+  template:
+    src: nginx-site.j2
+    dest: /etc/nginx/sites-available/framadate.conf
+
+- name: Enable nginx site
+  file:
+    src: /etc/nginx/sites-available/framadate.conf
+    dest: /etc/nginx/stes-enabled/framadate.conf
+    state: link
+
 - name: Indicate role in motd
   template:
     src: update-motd.d/05-service.j2
     dest: /etc/update-motd.d/05-framadate
     mode: 0755
+
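Review bot: Neither "Configure nginx site" nor "Enable nginx site" notifies a reload, and no handler is visible for the framadate role, so the site is written and linked but nginx never loads it until someone reloads by hand; add a `Reload nginx` handler to the role and `notify: Reload nginx` on both tasks. The symlink destination `/etc/nginx/stes-enabled/framadate.conf` is a typo for `sites-enabled`. The Debian `default` site also stays enabled alongside the new one and is a `listen 80` catch-all; either remove it or mark the framadate server `default_server`, so the proxy's `Host` header is not the only thing selecting this vhost.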
-- 
GitLab


From af9d904ea30922b4ebe8265bdf0a695abfa86ddb Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sat, 2 May 2020 16:54:42 +0200
Subject: [PATCH 46/55] [framadate] NGINX config

---
 roles/framadate/tasks/main.yml          |  6 +--
 roles/framadate/templates/nginx-site.j2 | 60 +++++++++++++++++++++++++
 2 files changed, 63 insertions(+), 3 deletions(-)
 create mode 100644 roles/framadate/templates/nginx-site.j2

diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml
index 80de2318..507b86e2 100644
--- a/roles/framadate/tasks/main.yml
+++ b/roles/framadate/tasks/main.yml
@@ -47,12 +47,12 @@
 - name: Configure nginx site
   template:
     src: nginx-site.j2
-    dest: /etc/nginx/sites-available/framadate.conf
+    dest: /etc/nginx/sites-available/framadate
 
 - name: Enable nginx site
   file:
-    src: /etc/nginx/sites-available/framadate.conf
-    dest: /etc/nginx/stes-enabled/framadate.conf
+    src: /etc/nginx/sites-available/framadate
+    dest: /etc/nginx/sites-enabled/framadate
     state: link
 
 - name: Indicate role in motd
diff --git a/roles/framadate/templates/nginx-site.j2 b/roles/framadate/templates/nginx-site.j2
new file mode 100644
index 00000000..ef963c3e
--- /dev/null
+++ b/roles/framadate/templates/nginx-site.j2
@@ -0,0 +1,60 @@
+{{ ansible_header | comment }}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name framadate.crans.org;
+
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self'";
+    add_header Referrer-Policy "strict-origin";
+
+    root {{ framadate.path }};
+
+    index index.php;
+
+    location ~^/(\.git)/{
+        deny all;
+    }
+
+    location ~ /\. {
+        deny all;
+    }
+
+    location ~ ^/composer\.json.*$|^/composer\.lock.*$|^/php\.ini.*$|^/.*\.sh {
+        deny all;
+    }
+
+    location /admin/ {
+        auth_basic "Restricted access";
+        auth_basic_user_file /etc/nginx/.htpasswd;
+
+        location ~ \.php$ {
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            include /etc/nginx/fastcgi_params;
+            fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+        }
+        try_files $uri $uri/ =401; 
+    }
+
+    location / {
+        rewrite "^/admin$" "/admin/" permanent;
+
+        # Clean URL
+        rewrite "^/([a-zA-Z0-9-]+)$" "/studs.php?poll=$1" last;
+        rewrite "^/([a-zA-Z0-9-]+)/action/([a-zA-Z_-]+)/(.+)$" "/studs.php?poll=$1&$2=$3" last;
+        rewrite "^/([a-zA-Z0-9-]+)/vote/([a-zA-Z0-9]{16})$" "/studs.php?poll=$1&vote=$2" last;
+        rewrite "^/([a-zA-Z0-9]{24})/admin$" "/adminstuds.php?poll=$1" last;
+        rewrite "^/([a-zA-Z0-9]{24})/admin/vote/([a-zA-Z0-9]{16})$" "/adminstuds.php?poll=$1&vote=$2" last;
+        rewrite "^/([a-zA-Z0-9]{24})/admin/action/([a-zA-Z_-]+)(/([A-Za-z0-9]+))?$" "/adminstuds.php?poll=$1&$2=$4" last;
+        try_files $uri /index.php; 
+    }
+
+    location ~ \.php$ {
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+    }
+}
+
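Review bot: Both `location ~ \.php$` blocks pass `$document_root$fastcgi_script_name` to FPM without checking that the script exists, so with PHP's default `cgi.fix_pathinfo=1` a request such as `/somefile.png/x.php` can be executed as PHP if a matching file is ever present under the root; add `try_files $uri =404;` as the first line of each PHP location (the clean-URL rewrites use `last`, so `$uri` is already `/studs.php` or `/adminstuds.php` by then). Whether Framadate stores user-supplied files under the document root is not visible here, so treat this as defence in depth. `script-src 'self' 'unsafe-inline' 'unsafe-eval'` reduces the CSP to little more than a host allow-list; if the application genuinely needs it, say so in a comment and add `frame-ancestors 'none'` (or `X-Frame-Options: DENY`) and `X-Content-Type-Options: nosniff` so the headers still buy something. `fastcgi_pass unix:/run/php/php7.3-fpm.sock;` pins the Buster PHP version; templating it from a `framadate.php_version` variable avoids a silent breakage on the next Debian release.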
-- 
GitLab


From 628d4d08ade15f048dbf9be0606fccabe989f9fe Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sat, 2 May 2020 18:00:09 +0200
Subject: [PATCH 47/55] Working FramaDate

---
 network.yml                    | 1 +
 roles/framadate/tasks/main.yml | 5 +++++
 services_web.yml               | 2 ++
 3 files changed, 8 insertions(+)

diff --git a/network.yml b/network.yml
index a6ec7a1c..16865b78 100755
--- a/network.yml
+++ b/network.yml
@@ -100,6 +100,7 @@
         - {from: autoconfig.crans.org, to: 10.231.136.46}
         - {from: grafana.crans.org, to: 10.231.136.102}
         - {from: webirc.crans.org, to: "10.231.136.1:9000"}
+        - {from: framadate.crans.org, to: 185.230.79.194}
 
         # Zamok
         - {from: install-party.crans.org, to: 10.231.136.1}
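Review bot: `framadate.crans.org` is proxied to `185.230.79.194`, a public address (it matches the keepalived `proxy_ipv4_srv` configured on frontdaur earlier in this series), whereas every other backend is on the 10.231.136.0/24 adm network; the framadate nginx site listens on port 80 for any source, so unless a firewall not shown here intervenes the application is reachable directly over cleartext HTTP from the Internet, bypassing TLS termination and the proxy's `X-Forwarded-*` headers. Prefer the host's adm address as `to:`, or restrict the framadate server block to the two proxies (`allow` each proxy address, then `deny all`). A comment on this entry explaining why it differs from the rest would help either way.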
diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml
index 507b86e2..4c39e3d5 100644
--- a/roles/framadate/tasks/main.yml
+++ b/roles/framadate/tasks/main.yml
@@ -44,6 +44,11 @@
     state: touch
     mode: 0600
 
+- name: Configure admin password
+  copy:
+    content: "{{ framadate.admin_username }}:{{ framadate.admin_password_hash }}\n"
+    dest: /etc/nginx/.htpasswd
+
 - name: Configure nginx site
   template:
     src: nginx-site.j2
diff --git a/services_web.yml b/services_web.yml
index 283f4482..4c6f7d78 100755
--- a/services_web.yml
+++ b/services_web.yml
@@ -11,6 +11,8 @@
       repo: https://framagit.org/framasoft/framadate/framadate.git
       version: "77bf2aaa0c344fd25535e2d0543d9a76bf35b5fd"
       path: /var/www/framadate
+      admin_username: framadate
+      admin_password_hash: "{{ vault_framadate_password_hash }}"
   roles:
     - framadate
 
-- 
GitLab


From c25f1df3c0c359e226a523bb5a1b67e03b43a83e Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sun, 3 May 2020 10:03:12 +0200
Subject: [PATCH 48/55] Some changes in keepalived template

---
 re2o-api.yml                                  | 17 +++++---------
 roles/keepalived/tasks/main.yml               |  3 +--
 .../templates/keepalived/keepalived.conf.j2   | 22 +++++++++----------
 3 files changed, 17 insertions(+), 25 deletions(-)

diff --git a/re2o-api.yml b/re2o-api.yml
index da0938f9..2d04db0f 100755
--- a/re2o-api.yml
+++ b/re2o-api.yml
@@ -11,7 +11,6 @@
       router: true
       router_password: "{{ vault_keepalived_router_password }}"
       router_primary: false
-      proxy: false
       if_serveurs: eth0.1
       if_adm: eth0.2
       if_bornes: eth0.3
@@ -55,11 +54,9 @@
 - hosts: gulp.adm.crans.org
   vars:
     keepalived:
-      radius: false
       router: true
       router_password: "{{ vault_keepalived_router_password }}"
       router_primary: true
-      proxy: false
       if_serveurs: eno1.1
       if_adm: eno1.2
       if_bornes: eno1.3
@@ -93,15 +90,13 @@
 - hosts: frontdaur.adm.crans.org
   vars:
     keepalived:
-      radius: false
-      router: false
-      proxy: true
-      proxy_primary: false
-      proxy_password: "{{ vault_keepalived_proxy_password }}"
+      proxy:
+        primary: false
+        password: "{{ vault_keepalived_proxy_password }}"
+        ipv4: 185.230.79.194
+        ipv6: 2a0c:700:0:24:ba:ccff:feda:aa00
+        broadcast: 185.230.79.255
       if_adm: eth1
       if_srv: eth0
-      proxy_ipv4_srv: 185.230.79.194
-      proxy_broadcast_srv: 185.230.79.255
-      proxy_ipv6_srv: 2a0c:700:0:24:ba:ccff:feda:aa00
   roles:
     - keepalived
diff --git a/roles/keepalived/tasks/main.yml b/roles/keepalived/tasks/main.yml
index e0678e1e..7efe258f 100644
--- a/roles/keepalived/tasks/main.yml
+++ b/roles/keepalived/tasks/main.yml
@@ -2,8 +2,7 @@
 - name: Install keepalived
   apt:
     update_cache: true
-    name:
-      - keepalived
+    name: keepalived
   register: apt_result
   retries: 3
   until: apt_result is succeeded
diff --git a/roles/keepalived/templates/keepalived/keepalived.conf.j2 b/roles/keepalived/templates/keepalived/keepalived.conf.j2
index 9237116f..e488e71c 100644
--- a/roles/keepalived/templates/keepalived/keepalived.conf.j2
+++ b/roles/keepalived/templates/keepalived/keepalived.conf.j2
@@ -8,11 +8,11 @@ global_defs {
   smtp_server smtp.adm.crans.org
 }
 
-{% if keepalived.proxy %}
+{% if keepalived.proxy is defined %}
 vrrp_instance VI_DAUR4 {
   # We don't own the IP address, which allows manual triggering of IP change when machine comes UP
   # see man keepalived.conf.
-{% if keepalived.proxy_primary %}
+{% if keepalived.proxy.primary %}
   state MASTER
   priority 150
 {% else %}
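Review bot: Replacing `{% if keepalived.proxy %}` with `{% if keepalived.proxy is defined %}` changes what an explicit `false` means: a host that still carries `router: false` or `radius: false` would now render the VI_ROUT / VI_RAD instances instead of skipping them. The plays in this commit remove those `false` keys, so the tree is consistent today, but the same test is used at the radius and router checks later in this template (the hunks at `{% if keepalived.radius is defined %}` and `{% if keepalived.router is defined %}`). If a boolean opt-out is still wanted, `{% if keepalived.router | default(false) %}` keeps both conventions working; otherwise a short comment at the top of the template stating that the presence of the key enables the instance would prevent a silent regression. For `proxy` the `is defined` form is required anyway, since it is now a mapping rather than a boolean.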
@@ -25,20 +25,18 @@ vrrp_instance VI_DAUR4 {
   advert_int 2
   authentication {
     auth_type PASS
-    auth_pass {{ keepalived.proxy_password }}
+    auth_pass {{ keepalived.proxy.password }}
   }
 
   virtual_ipaddress {
-        {{ keepalived.proxy_ipv4 }}/32 brd 138.231.143.255 dev eth0 scope global
+    {{ keepalived.proxy.ipv4 }}/32 brd {{ keepalived.proxy.broadcast }} dev {{ keepalived.if_srv }} scope global
   }
 }
-{% endif %}
 
-{% if keepalived.proxy %}
 vrrp_instance VI_DAUR6 {
   # We don't own the IP address, which allows manual triggering of IP change when machine comes UP
   # see man keepalived.conf.
-{% if keepalived.proxy_primary %}
+{% if keepalived.proxy.primary %}
   state MASTER
   priority 150
 {% else %}
@@ -51,16 +49,16 @@ vrrp_instance VI_DAUR6 {
   advert_int 2
   authentication {
     auth_type PASS
-    auth_pass {{ keepalived.proxy_password }}
+    auth_pass {{ keepalived.proxy.password }}
   }
 
   virtual_ipaddress {
-        {{ keepalived.proxy_ipv6 }}/64 dev eth0 scope global
+    {{ keepalived.proxy.ipv6 }}/64 dev {{ keepalived.if_srv }} scope global
   }
 }
 {% endif %}
 
-{% if keepalived.radius %}
+{% if keepalived.radius is defined %}
 vrrp_instance VI_RAD4 {
   # We don't own the IP address, which allows manual triggering of IP change when machine comes UP
   # see man keepalived.conf.
@@ -90,7 +88,7 @@ vrrp_instance VI_RAD4 {
 }
 {% endif %}
 
-{% if keepalived.radius %}
+{% if keepalived.radius is defined %}
 vrrp_instance VI_RAD6 {
   # We don't own the IP address, which allows manual triggering of IP change when machine comes UP
   # see man keepalived.conf.
@@ -120,7 +118,7 @@ vrrp_instance VI_RAD6 {
 }
 {% endif %}
 
-{% if keepalived.router %}
+{% if keepalived.router is defined %}
 vrrp_instance VI_ROUT {
   # We don't own the IP address, which allows manual triggering of IP change when machine comes UP
   # see man keepalived.conf.
-- 
GitLab


From 611d0e70f85b017ee5319f7ee2a6b7322a582f48 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sun, 3 May 2020 10:47:29 +0200
Subject: [PATCH 49/55] Ansible on bakdaur

---
 clean_servers.yml |  2 ++
 interfaces.yml    |  2 +-
 re2o-api.yml      | 15 +++++++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/clean_servers.yml b/clean_servers.yml
index e6198e87..0f68d4cc 100755
--- a/clean_servers.yml
+++ b/clean_servers.yml
@@ -45,6 +45,8 @@
           - acpid
           - xscreensaver  # was on owncloud
           - openbsd-inetd
+          - byobu  # we already have screen and tmux
+          - ipython  # go use ipython3!
       register: apt_result
       retries: 3
       until: apt_result is succeeded
diff --git a/interfaces.yml b/interfaces.yml
index b32a9d03..04b2d828 100755
--- a/interfaces.yml
+++ b/interfaces.yml
@@ -14,7 +14,7 @@
         - switch
         - fil
 
-- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org,frontdaur.adm.crans.org
+- hosts: boeing.adm.crans.org,cochon.adm.crans.org,tracker.adm.crans.org,voyager.adm.crans.org,lutim.adm.crans.org,gateau.adm.crans.org,owncloud-srv.adm.crans.org,charybde.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,silice.adm.crans.org,frontdaur.adm.crans.org,bakdaur.adm.crans.org
   vars:
     vlan:
       - name: srv
diff --git a/re2o-api.yml b/re2o-api.yml
index 2d04db0f..0ce54882 100755
--- a/re2o-api.yml
+++ b/re2o-api.yml
@@ -100,3 +100,18 @@
       if_srv: eth0
   roles:
     - keepalived
+
+# Deploy keepalived on bakdaur
+- hosts: bakdaur.adm.crans.org
+  vars:
+    keepalived:
+      proxy:
+        primary: true
+        password: "{{ vault_keepalived_proxy_password }}"
+        ipv4: 185.230.79.194
+        ipv6: 2a0c:700:0:24:ba:ccff:feda:aa00
+        broadcast: 185.230.79.255
+      if_adm: eth0
+      if_srv: eth1
+  roles:
+    - keepalived
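Review bot: The proxy block added for bakdaur repeats the frontdaur values verbatim (`ipv4`, `ipv6`, `broadcast`, `password`) with only `primary` differing; the two VRRP peers only fail over correctly while those values stay identical, and a later edit to one play can silently desynchronise them. A shared group_vars entry (or a YAML anchor in this playbook) with `primary` overridden per host would keep the pair in lockstep. The swapped `if_adm`/`if_srv` (eth0/eth1 here versus eth1/eth0 on frontdaur) looks intentional, but a one-line comment naming the interface layout would save the next reader a check.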
-- 
GitLab


From 8de8c49f731cbd89e6d2171445490368f654c000 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sun, 3 May 2020 11:01:28 +0200
Subject: [PATCH 50/55] Ouspi, framdate was using srv ip

---
 network.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/network.yml b/network.yml
index 16865b78..e007de0f 100755
--- a/network.yml
+++ b/network.yml
@@ -100,7 +100,7 @@
         - {from: autoconfig.crans.org, to: 10.231.136.46}
         - {from: grafana.crans.org, to: 10.231.136.102}
         - {from: webirc.crans.org, to: "10.231.136.1:9000"}
-        - {from: framadate.crans.org, to: 185.230.79.194}
+        - {from: framadate.crans.org, to: 10.231.136.153}
 
         # Zamok
         - {from: install-party.crans.org, to: 10.231.136.1}
-- 
GitLab


From 108884732652b08e15fc54eca2a5f40c0844b252 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sun, 3 May 2020 12:51:16 +0200
Subject: [PATCH 51/55] SSL snippet and drop TLS 1.0 and 1.1

---
 roles/nginx-reverseproxy/tasks/main.yml       | 16 +++++----
 .../templates/letsencrypt/dhparam.j2          |  8 +++++
 .../nginx/{ => sites-available}/redirect.j2   | 34 +++++--------------
 .../{ => sites-available}/reverseproxy.j2     | 17 +++-------
 .../reverseproxy_redirect_dname.j2            | 17 +++-------
 .../nginx/snippets/options-ssl.conf.j2        | 17 ++++++++++
 6 files changed, 51 insertions(+), 58 deletions(-)
 create mode 100644 roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2
 rename roles/nginx-reverseproxy/templates/nginx/{ => sites-available}/redirect.j2 (58%)
 rename roles/nginx-reverseproxy/templates/nginx/{ => sites-available}/reverseproxy.j2 (75%)
 rename roles/nginx-reverseproxy/templates/nginx/{ => sites-available}/reverseproxy_redirect_dname.j2 (61%)
 create mode 100644 roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2

diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml
index 1fee6a3c..55af7c18 100644
--- a/roles/nginx-reverseproxy/tasks/main.yml
+++ b/roles/nginx-reverseproxy/tasks/main.yml
@@ -9,15 +9,19 @@
   retries: 3
   until: apt_result is succeeded
 
-- name: Copy certbot SSL snippet
-  copy:
-    remote_src: true
-    src: /usr/lib/python3/dist-packages/certbot_nginx/options-ssl-nginx.conf
-    dest: /etc/letsencrypt/options-ssl-nginx.conf
+- name: Copy snippets
+  template:
+    src: nginx/snippets/options-ssl.conf.j2
+    dest: /etc/nginx/snippets/options-ssl.conf
+
+- name: Copy dhparam
+  template:
+    src: letsencrypt/dhparam.j2
+    dest: /etc/letsencrypt/dhparam
 
 - name: Copy reverse proxy sites
   template:
-    src: "nginx/{{ item }}.j2"
+    src: "nginx/sites-available/{{ item }}.j2"
     dest: "/etc/nginx/sites-available/{{ item }}"
   loop:
     - reverseproxy
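Review bot: The `Copy dhparam` task deploys a fixed parameter file from the repository without recording where it comes from; the PEM in `letsencrypt/dhparam.j2` looks like the published RFC 7919 ffdhe2048 group, which is fine to commit (it is public and standard), but that provenance should be stated so nobody later treats it as a secret or "rotates" it with a locally generated one. A comment on the task such as `# Standard ffdhe2048 group from RFC 7919 (public parameters, referenced by options-ssl.conf)` is enough. The dhparam template contains no Jinja at all, so `copy:` would express the intent more directly than `template:`, though the result is identical.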
diff --git a/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 b/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2
new file mode 100644
index 00000000..9b182b72
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
diff --git a/roles/nginx-reverseproxy/templates/nginx/redirect.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2
similarity index 58%
rename from roles/nginx-reverseproxy/templates/nginx/redirect.j2
rename to roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2
index 4d60807e..9cdb545b 100644
--- a/roles/nginx-reverseproxy/templates/nginx/redirect.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2
@@ -15,22 +15,13 @@ server {
 
 # Redirect https://{{ site.from }} to https://{{ site.to }}
 server {
-    listen 443;
-    listen [::]:443;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
 
     server_name {{ site.from }};
 
-    ssl on;
-    ssl_certificate {{ nginx.ssl.cert }};
-    ssl_certificate_key {{ nginx.ssl.cert_key }};
-
-    # SSL ciphers updated by Debian
-    include "/etc/letsencrypt/options-ssl-nginx.conf";
-
-    # Enable OCSP Stapling, point to certificate chain
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+    # SSL common conf
+    include "/etc/nginx/snippets/options-ssl.conf";
 
     location / {
         return 302 https://{{ site.to }}$request_uri;
@@ -58,22 +49,13 @@ server {
 
 # Redirect https://{{ from }} to https://{{ site.to }}
 server {
-    listen 443;
-    listen [::]:443;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
 
     server_name {{ from }};
 
-    ssl on;
-    ssl_certificate {{ nginx.ssl.cert }};
-    ssl_certificate_key {{ nginx.ssl.cert_key }};
-
-    # SSL ciphers updated by Debian
-    include "/etc/letsencrypt/options-ssl-nginx.conf";
-
-    # Enable OCSP Stapling, point to certificate chain
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+    # SSL common conf
+    include "/etc/nginx/snippets/options-ssl.conf";
 
     location / {
         return 302 https://{{ site.to }}$request_uri;
diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
similarity index 75%
rename from roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
rename to roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
index 31c34462..50ef7b2e 100644
--- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
@@ -15,22 +15,13 @@ server {
 
 # Reverse proxify https://{{ site.from }} to http://{{ site.to }}
 server {
-    listen 443;
-    listen [::]:443;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
 
     server_name {{ site.from }};
 
-    ssl on;
-    ssl_certificate {{ nginx.ssl.cert }};
-    ssl_certificate_key {{ nginx.ssl.cert_key }};
-
-    # SSL ciphers updated by Debian
-    include "/etc/letsencrypt/options-ssl-nginx.conf";
-
-    # Enable OCSP Stapling, point to certificate chain
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+    # SSL common conf
+    include "/etc/nginx/snippets/options-ssl.conf";
 
     # Log into separate log files
     access_log      /var/log/nginx/{{ site.from }}.log;
diff --git a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
similarity index 61%
rename from roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
rename to roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
index 8fc57808..db2084a4 100644
--- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
@@ -19,22 +19,13 @@ server {
 
 # Redirect https://{{ from }} to https://{{ to }}
 server {
-    listen 443;
-    listen [::]:443;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
 
     server_name {{ from }};
 
-    ssl on;
-    ssl_certificate {{ nginx.ssl.cert }};
-    ssl_certificate_key {{ nginx.ssl.cert_key }};
-
-    # SSL ciphers updated by Debian
-    include "/etc/letsencrypt/options-ssl-nginx.conf";
-
-    # Enable OCSP Stapling, point to certificate chain
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+    # SSL common conf
+    include "/etc/nginx/snippets/options-ssl.conf";
 
     location / {
         return 302 https://{{ to }}$request_uri;
diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
new file mode 100644
index 00000000..c585cc26
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
@@ -0,0 +1,17 @@
+{{ ansible_header | comment }}
+
+ssl_certificate {{ nginx.ssl.cert }};
+ssl_certificate_key {{ nginx.ssl.cert_key }};
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;  
+ssl_session_tickets off;
+ssl_dhparam /etc/letsencrypt/dhparam;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# Enable OCSP Stapling, point to certificate chain
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
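Review bot: The `ssl_session_cache shared:MozSSL:10m;` line carries trailing whitespace, which nginx tolerates but which will churn every later diff. More substantively, this snippet is now the single place every HTTPS vhost includes, so it is the natural home for an HSTS header such as `add_header Strict-Transport-Security "max-age=63072000" always;` (sample value), given that the plain-HTTP server blocks in the site templates appear to redirect unconditionally to HTTPS; note that `add_header` from an included snippet is overridden by any `add_header` inside a `location`. Also, `ssl_stapling on` requires nginx to resolve the OCSP responder, so unless a `resolver` directive is set elsewhere in the configuration (not visible here) stapling will silently stay off.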
-- 
GitLab


From 6bc22ab1165d7782c10734d43420ed2d8c8e50a4 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sun, 3 May 2020 14:19:00 +0200
Subject: [PATCH 52/55] Grafana on :3000

---
 network.yml                  |  2 +-
 roles/grafana/tasks/main.yml | 10 ----------
 2 files changed, 1 insertion(+), 11 deletions(-)

diff --git a/network.yml b/network.yml
index e007de0f..8f70b911 100755
--- a/network.yml
+++ b/network.yml
@@ -98,7 +98,7 @@
         - {from: re2o.crans.org, to: 10.231.136.9}
         - {from: intranet.crans.org, to: 10.231.136.9}
         - {from: autoconfig.crans.org, to: 10.231.136.46}
-        - {from: grafana.crans.org, to: 10.231.136.102}
+        - {from: grafana.crans.org, to: "10.231.136.102:3000"}
         - {from: webirc.crans.org, to: "10.231.136.1:9000"}
         - {from: framadate.crans.org, to: 10.231.136.153}
 
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
index 1442c08f..1d472f15 100644
--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
@@ -33,13 +33,6 @@
   retries: 3
   until: apt_result is succeeded
 
-# This capability enables grafana to bind :80
-- name: Add cap_net_bind_service to grafana
-  capabilities:
-    path: /usr/sbin/grafana-server
-    capability: cap_net_bind_service+ep
-    state: present
-
 - name: Configure Grafana
   ini_file:
     path: /etc/grafana/grafana.ini
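Review bot: Deleting the `Add cap_net_bind_service to grafana` task does not remove the capability from hosts where it was already granted: Ansible only enforces tasks that run, so existing `grafana-server` binaries keep `cap_net_bind_service+ep` until something explicitly drops it. If the intent is that Grafana no longer binds privileged ports, keep the task for one cycle with `state: absent` and remove it afterwards. The same applies to the next hunk: dropping the `http_port` entry from the `ini_file` loop leaves `http_port = 80` in `grafana.ini` on already-configured hosts, so those instances keep listening on :80 while `network.yml` now proxies to :3000; an `ini_file` item with `state: absent` for `option: http_port` is needed to actually migrate them.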
@@ -48,9 +41,6 @@
     value: "{{ item.value }}"
     mode: 0640
   loop:
-    - section: server
-      option: http_port
-      value: "80"
     - section: server
       option: root_url
       value: "{{ grafana_root_url }}"
-- 
GitLab


From 80dd183a8664fc59cd59947024cc1442286c961c Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sun, 3 May 2020 15:19:29 +0200
Subject: [PATCH 53/55] [nginx] Reverse WebSocket

---
 network.yml                                     |  2 +-
 roles/nginx-reverseproxy/tasks/main.yml         |  7 +++++--
 .../nginx/sites-available/reverseproxy.j2       | 13 ++++++++-----
 .../nginx/snippets/options-proxypass.conf.j2    | 17 +++++++++++++++++
 4 files changed, 31 insertions(+), 8 deletions(-)
 create mode 100644 roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2

diff --git a/network.yml b/network.yml
index 8f70b911..23160615 100755
--- a/network.yml
+++ b/network.yml
@@ -74,7 +74,7 @@
         # Services web Crans
         - {from: lutim.crans.org, to: 10.231.136.69}
         - {from: zero.crans.org, to: 10.231.136.76}
-        - {from: pad.crans.org, to: 10.231.136.76}
+        - {from: pad.crans.org, to: "10.231.136.76:9001"}
         - {from: ethercalc.crans.org, to: 10.231.136.203}
         - {from: mediadrop.crans.org, to: 10.231.136.106}
         - {from: videos.crans.org, to: 10.231.136.106}
diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml
index 55af7c18..5a0e298f 100644
--- a/roles/nginx-reverseproxy/tasks/main.yml
+++ b/roles/nginx-reverseproxy/tasks/main.yml
@@ -11,8 +11,11 @@
 
 - name: Copy snippets
   template:
-    src: nginx/snippets/options-ssl.conf.j2
-    dest: /etc/nginx/snippets/options-ssl.conf
+    src: "nginx/snippets/{{ item }}.j2"
+    dest: "/etc/nginx/snippets/{{ item }}"
+  loop:
+    - options-ssl.conf
+    - options-proxypass.conf
 
 - name: Copy dhparam
   template:
diff --git a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
index 50ef7b2e..52a278bf 100644
--- a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
@@ -1,5 +1,12 @@
 {{ ansible_header | comment }}
 
+# Automatic Connection header for WebSocket support
+# See http://nginx.org/en/docs/http/websocket.html
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
 {% for site in nginx.reverseproxy_sites %}
 # Redirect http://{{ site.from }} to https://{{ site.from }}
 server {
@@ -41,12 +48,8 @@ server {
     real_ip_header P-Real-Ip;
 
     location / {
-        proxy_set_header Host {{ site.from }};
-        proxy_set_header P-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto https;
-        proxy_redirect off;
         proxy_pass http://{{ site.to }};
+        include "/etc/nginx/snippets/options-proxypass.conf";
     }
 }
 
diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2
new file mode 100644
index 00000000..a14f3b7f
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2
@@ -0,0 +1,17 @@
+{{ ansible_header | comment }}
+
+proxy_redirect off;
+proxy_set_header Host $host;
+
+# Pass the real client IP
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+# Tell proxified server that we are HTTPS, fix Wordpress
+proxy_set_header X-Forwarded-Proto https;
+
+# WebSocket support
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+
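Review bot: Moving the `proxy_set_header` lines into this snippet also renames the client-address header from `P-Real-IP` (the line removed in the `reverseproxy.j2` hunk) to `X-Real-IP`, and replaces the fixed `Host {{ site.from }}` with `$host`. Any backend that reads `P-Real-IP` for logging or rate limiting will now see no client address at all, and the `real_ip_header P-Real-Ip;` left in the reverse-proxy server block suggests that header name is in use on this infrastructure. Either keep emitting `proxy_set_header P-Real-IP $remote_addr;` alongside `X-Real-IP` during a transition, or name the rename in the commit message and update the consumers in the same change. `$host` is normally equal to `site.from` inside that server block, but it is derived from the client request, so the forced `Host` was the safer choice for backends that route on it.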
-- 
GitLab


From f73b136b1ec6538d395d0c1a4ff29d1e27654124 Mon Sep 17 00:00:00 2001
From: Bombar Maxime <bombar@crans.org>
Date: Sun, 3 May 2020 15:49:06 +0200
Subject: [PATCH 54/55] [re2o_lookup] Use cache_plugin if available to store
 authentication token

---
 ansible.cfg               |   7 ++-
 lookup_plugins/re2oapi.py | 112 +++++++++++++++++++++++---------------
 2 files changed, 73 insertions(+), 46 deletions(-)

diff --git a/ansible.cfg b/ansible.cfg
index 5b23c72b..85718531 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -50,5 +50,8 @@ use_cpasswords = True
 cache = jsonfile
 
 # Time in second before the cache expired. 0 means never expire cache.
-# Default is 120 seconds.
-timeout = 120
+# Default is 24 hours.
+timeout = 86400
+
+# Default is 12 hours.
+timeout_token = 43200
diff --git a/lookup_plugins/re2oapi.py b/lookup_plugins/re2oapi.py
index 53d23555..e1f1041b 100644
--- a/lookup_plugins/re2oapi.py
+++ b/lookup_plugins/re2oapi.py
@@ -30,38 +30,67 @@ from ansible.config.manager import ConfigManager
 # Ansible Logger to stdout
 display = Display()
 
-# Number of seconds before expiration where renewing the token is done
-TIME_FOR_RENEW = 120
 # Default name of the file to store tokens. Path $HOME/{DEFAUlt_TOKEN_FILENAME}
 DEFAULT_TOKEN_FILENAME = '.re2o.token'
 
+# If no plugin is used, then use this as token timeout.
+# Overriden by key timeout_token from ansible configuration.
+TIME_FOR_RENEW = 43200 # 12 jours
 
 class Client:
     """
     Class based client to contact re2o API.
     """
-    def __init__(self, hostname, username, password, use_tls=True):
+    def __init__(self, hostname, username, password,
+                 use_tls=True, cachetoken=None):
         """
         :arg hostname: The hostname of the Re2o instance to use.
         :arg username: The username to use.
         :arg password: The password to use.
         :arg use_tls: A boolean to specify whether the client should use a
                       a TLS connection. Default is True. Please, keep it.
+        :arg cachetoken: The cache to use to manage authentication token.
+                         If it is None, then store the token in a file.
         """
         self.use_tls = use_tls
         self.hostname = hostname
         self._username = username
         self._password = password
-
-        self.token_file = Path.home() / DEFAULT_TOKEN_FILENAME
+        self._cachetoken = cachetoken
+        self.token_file = None
+        if self._cachetoken is None:
+            self.token_file = Path.home() / DEFAULT_TOKEN_FILENAME
+            display.vvv("Setting token file to {}".format(self.token_file))
+        else:
+            try:
+                display.vvv("Using {} as cache plugin"
+                            .format(self._cachetoken.plugin_name))
+            except AttributeError:
+                # Happens when plugin_name is not implemented...
+                # For example with memcached
+                display.vvv("Using cache plugin specified in configuration.")
 
         display.v("Connecting to {hostname} as user {user}".format(
             hostname=to_native(self.hostname), user=to_native(self._username)))
-        try:
-            self.token = self._get_token_from_file()
-        except AnsibleFileNotFound:
-            display.vv("Force renew the token")
-            self._force_renew_token()
+
+    @property
+    def token(self):
+        if self._cachetoken:
+            display.vvv("Trying to get token from cache.")
+            if self._cachetoken.contains("auth_token"):
+                display.vvv("Found token in cache.")
+                return self._cachetoken.get("auth_token")
+            else:
+                display.vvv("Token not found. Forcing renew.")
+                return self._force_renew_token()
+        else:
+            try:
+                token = self._get_token_from_file()
+                if token['expiration'] < datetime.datetime.now() + \
+                   datetime.timedelta(seconds=TIME_FOR_RENEW):
+                    return self._force_renew_token()
+            except AnsibleError:
+                return self._force_renew_token()
 
     def _get_token_from_file(self):
         display.vv("Trying to fetch token from {}".format(self.token_file))
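Review bot: The file-backed branch of the new `token` property never returns a still-valid token: after `token = self._get_token_from_file()` the only `return` is inside the expiration check, so when the stored token is fine the property falls off the end and evaluates to None, and `_request` then sends `Authorization: Token None`, which is only rescued by the "Token refused" retry path and turns every call into a renewal. Add `return token['token']` after the `if` block (the dict written by `_save_token_to_file` has `token` and `expiration` keys), and give the property a docstring stating that it returns the bare token string and that `_get_token_from_file` is expected to have parsed `expiration` back into a datetime. The comment on `TIME_FOR_RENEW = 43200` says `# 12 jours` while the value is 12 hours, as the later `# 12 hours` comment in `LookupModule.__init__` correctly says. In cache mode, `_force_renew_token` (next hunk) stores only the token string, so the server-issued `expiration` is discarded and validity is bounded solely by the plugin's `timeout_token`; that is acceptable given the retry path, but worth a comment there.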
@@ -95,13 +124,18 @@ class Client:
                                               )
                                      )
         else:
-            display.vv("""Token successfully retreived from
-            file {token}""".format(token=self.token_file))
+            display.vv("Token successfully retreived from "
+                       "file {token}".format(token=self.token_file))
             return ret
 
     def _force_renew_token(self):
-        self.token = self._get_token_from_server()
-        self._save_token_to_file()
+        token = self._get_token_from_server()
+        if self._cachetoken:
+            display.vvv("Storing authentication token in cache")
+            self._cachetoken.set("auth_token", token.get('token'))
+        else:
+            self._save_token_to_file(token)
+        return token.get('token')
 
     def _get_token_from_server(self):
         display.vv("Requesting a new token for {user}@{host}".format(
@@ -141,7 +175,7 @@ class Client:
     def _parse_date(self, date, date_format="%Y-%m-%dT%H:%M:%S"):
         return datetime.datetime.strptime(date.split('.')[0], date_format)
 
-    def _save_token_to_file(self):
+    def _save_token_to_file(self, token):
         display.vv("Saving token to file {}".format(self.token_file))
         try:
             # Read previous data to avoid erasures
@@ -155,8 +189,8 @@ class Client:
         if self.hostname not in data.keys():
             data[self.hostname] = {}
         data[self.hostname][self._username] = {
-            'token': self.token['token'],
-            'expiration': self.token['expiration'].isoformat(),
+            'token': token['token'],
+            'expiration': token['expiration'].isoformat(),
         }
 
         try:
@@ -171,22 +205,6 @@ class Client:
             display.vv("Token successfully written to file {}"
                        .format(self.token_file))
 
-    def get_token(self):
-        """
-        Retrieves the token to use for the current connection.
-        Automatically renewed if needed.
-        """
-        if self.need_renew_token:
-            self._force_renew_token()
-
-        return self.token['token']
-
-    @property
-    def need_renew_token(self):
-        return self.token['expiration'] < \
-            datetime.datetime.now() + \
-            datetime.timedelta(seconds=TIME_FOR_RENEW)
-
     def _request(self, method, url, headers={}, params={}, *args, **kwargs):
         display.vv("Building the {method} request to {url}.".format(
             method=method.upper(),
@@ -194,9 +212,9 @@ class Client:
         ))
 
         # Force the 'Authorization' field with the right token.
-        display.vvv("Forcing authentication token.")
+        display.vvv("Forcing authentication token in headers.")
         headers.update({
-            'Authorization': 'Token {}'.format(self.get_token())
+            'Authorization': 'Token {}'.format(self.token)
         })
 
         # Use a json format unless the user already specified something
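Review bot: The new `'Authorization': 'Token {}'.format(self.token)` is written into `headers`, whose default in the `_request` signature (previous hunk) is a shared mutable `{}`; every call made without an explicit `headers` argument therefore mutates one module-lifetime dict, so the bearer token lingers in it and a stale value can be observed by another caller before the update lands. Copy before mutating — `headers = dict(headers)` as the first statement of `_request`, outside this hunk — or change the defaults to `headers=None, params=None` with the usual `if headers is None` guard; `params={}` has the same problem. `_request`'s body continues past this hunk.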
@@ -215,10 +233,10 @@ class Client:
             # Force re-login to the server (case of a wrong token but valid
             # credentials) and then retry the request without catching errors.
             display.vv("Token refused. Trying to refresh the token.")
-            self._force_renew_token()
+            token = self._force_renew_token()
 
             headers.update({
-                'Authorization': 'Token {}'.format(self.get_token())
+                'Authorization': 'Token {}'.format(token)
             })
             display.vv("Re-performing the request {method} {url}".format(
                 method=method.upper(),
@@ -342,11 +360,11 @@ class LookupModule(LookupBase):
         - debug: var=dnszones
     """
 
-    def _readconfig(self, section="re2o", key=None, boolean=False,
-                    integer=False):
+    def _readconfig(self, section="re2o", key=None, default=None,
+                    boolean=False, integer=False):
         config = self._config
         if not config:
-            return None
+            return default
         else:
             if config.has_option(section, key):
                 display.vvv("Found key {} in configuration file".format(key))
@@ -373,7 +391,9 @@ class LookupModule(LookupBase):
         self._use_cpasswords = None
         self._cache_plugin = None
         self._cache = None
-        self._timeout = 120
+        self._timeout = 86400  # 1 day
+        self._cachetoken = None
+        self._timeouttoken = TIME_FOR_RENEW  # 12 hours
 
         if self._config.has_section("re2o"):
             display.vvv("Found section re2o in configuration file")
@@ -382,7 +402,11 @@ class LookupModule(LookupBase):
             self._use_cpasswords = self._readconfig(key="use_cpasswords",
                                                     boolean=True)
             self._cache_plugin = self._readconfig(key="cache")
-            self._timeout = self._readconfig(key="timeout", integer=True)
+            self._timeout = self._readconfig(key="timeout", integer=True,
+                                             default=86400)
+            self._timeouttoken = self._readconfig(key="timeout_token",
+                                                  integer=True,
+                                                  default=TIME_FOR_RENEW)
 
         if self._cache_plugin is not None:
             display.vvv("Using {} as cache plugin".format(self._cache_plugin))
@@ -450,8 +474,8 @@ class LookupModule(LookupBase):
                 'You must specify a valid password to connect to re2oAPI'
             ))
 
-        api_client = Client(api_hostname, api_username,
-                            api_password, use_tls=True)
+        api_client = Client(api_hostname, api_username, api_password,
+                            use_tls=True, cachetoken=self._cachetoken)
 
         res = []
         dterms = collections.deque(terms)
-- 
GitLab


From c0e02b29ba88fd25fe8bd8bb02d218238abecbb8 Mon Sep 17 00:00:00 2001
From: Bombar Maxime <bombar@crans.org>
Date: Sun, 3 May 2020 15:49:58 +0200
Subject: [PATCH 55/55] [re2o_lookup] Add support for json, yaml, pickle and
 memcached cache plugins.

---
 ansible.cfg               |  5 +++
 lookup_plugins/re2oapi.py | 68 ++++++++++++++++++++++++++++-----------
 2 files changed, 55 insertions(+), 18 deletions(-)

diff --git a/ansible.cfg b/ansible.cfg
index 85718531..149b1ce6 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -49,6 +49,11 @@ use_cpasswords = True
 # Specify cache plugin for re2o API. By default, cache nothing
 cache = jsonfile
 
+# Only used for memcached plugin
+# List of connection information for the memcached DBs
+# Default is ['127.0.0.1:11211']
+# memcached_connection = ['127.0.0.1:11211']
+
 # Time in second before the cache expired. 0 means never expire cache.
 # Default is 24 hours.
 timeout = 86400
diff --git a/lookup_plugins/re2oapi.py b/lookup_plugins/re2oapi.py
index e1f1041b..2a8b4819 100644
--- a/lookup_plugins/re2oapi.py
+++ b/lookup_plugins/re2oapi.py
@@ -374,6 +374,27 @@ class LookupModule(LookupBase):
                     return config.getint(section, key)
                 else:
                     return config.get(section, key)
+            else:
+                return default
+
+    def _manage_cachedir(self, cachedir=None, plugin=None):
+        try:
+            self._uri = cachedir / plugin
+        except Exception:
+            raise AnsibleError("Undefined specification for cache plugin")
+
+        display.vvv("Cache directory is {}".format(self._uri))
+        if not self._uri.exists():
+            # Creates Ansible cache directory with right permissions
+            # if it doesn't exist yet.
+            display.vvv("Cache directory doesn't exist. Creating it.")
+            try:
+                self._uri.mkdir(mode=0o700, parents=True)
+            except Exception as e:
+                raise AnsibleError("""Unable to create {dir}.
+                Original error was : {err}""".format(dir=self._uri,
+                                                     err=to_native(e)))
+
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
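Review bot: `_manage_cachedir` applies `mode=0o700` only when it creates the directory; when `self._uri` already exists its permissions are never checked, and that directory now receives both the API token cache and, with the new `pickle` plugin, data that the cache plugin will deserialize on the next run. A guard after the `exists()` test, such as `if self._uri.stat().st_mode & 0o077: raise AnsibleError("Cache directory {} is accessible by other users".format(self._uri))`, would cover the pre-existing case. The `try`/`except Exception` around `cachedir / plugin` can only be hit by a `TypeError` when one argument is `None`, so `except TypeError` would state the intent more precisely. The `else: return default` lines belong to `_readconfig`, whose signature (and its `default` parameter) is outside this hunk.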
@@ -410,29 +431,36 @@ class LookupModule(LookupBase):
 
         if self._cache_plugin is not None:
             display.vvv("Using {} as cache plugin".format(self._cache_plugin))
+            cachedir = Path.home() / ".cache/ansible/re2oapi"
 
             if self._cache_plugin == 'jsonfile':
-                self._cachedir = Path.home() / ".cache/Ansible/re2oapi"
-                display.vvv("Cache directory is {}".format(self._cachedir))
-                if not self._cachedir.exists():
-                    # Creates Ansible cache directory with right permissions
-                    # if it doesn't exist yet.
-                    display.vvv("Cache directory doesn't exist. Creating it.")
-                    try:
-                        self._cachedir.mkdir(mode=0o700, parents=True)
-                    except Exception as e:
-                        raise AnsibleError("""Unable to create {dir}.
-                        Original error was : {err}"""
-                                           .format(dir=self._cachedir,
-                                                   err=to_native(e)))
-                self._cache = cache_loader.get('jsonfile',
-                                               _uri=self._cachedir,
-                                               _timeout=self._timeout,
-                                               )
+                self._manage_cachedir(cachedir=cachedir, plugin='json')
+            elif self._cache_plugin == 'yaml':
+                self._manage_cachedir(cachedir=cachedir, plugin='yaml')
+            elif self._cache_plugin == 'pickle':
+                self._manage_cachedir(cachedir=cachedir, plugin='pickle')
+            elif self._cache_plugin == 'memcached':
+                # requires packages python3-memcache and memcached
+                display.vvvv("Please make sure you have installed packages"
+                             "python3-memcache and memcached"
+                             )
+                self._uri = self._readconfig(key='memcached_connection',
+                                                  default=['127.0.0.1:11211'],
+                                                  )
             else:
                 raise AnsibleError("Cache plugin {} not supported"
                                    .format(self._cache_plugin))
 
+            self._cache = cache_loader.get(self._cache_plugin,
+                                           _uri=self._uri,
+                                           _timeout=self._timeout,
+                                           )
+            self._cachetoken = cache_loader.get(self._cache_plugin,
+                                                _uri=self._uri,
+                                                _timeout=self._timeouttoken,
+                                                )
+
+
     def run(self, terms, variables=None, api_hostname=None, api_username=None,
             api_password=None, use_tls=True):
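Review bot: `memcached_connection` is read through `_readconfig`, which returns `config.get(...)`, i.e. a `str`, so a configured value written as in the ansible.cfg example (`['127.0.0.1:11211']`) reaches `cache_loader.get` as the literal string while the default path passes a list; the two paths hand the plugin different types. Splitting the configured value, e.g. `raw = self._readconfig(key='memcached_connection')` followed by `self._uri = [h.strip() for h in raw.split(',')] if raw else ['127.0.0.1:11211']`, keeps both paths consistent, and the cfg comment should then show the comma-separated form. The adjacent implicit string concatenation `"packages" "python3-memcache"` is missing a space (`"packages "`). Since the token cache is created with the same `_uri`, operators choosing `memcached` should be aware the API token is stored in a backend that, with the default connection, has no authentication; a short comment stating that next to the `memcached` branch would help.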
 
@@ -546,7 +574,7 @@ class LookupModule(LookupBase):
             zones_name = [zone["name"][1:] for zone in zones]
             display.vvv("Storing dnszones in cache.")
             self._set_cache('dnszones', zones_name)
-
+        display.vvv('\n')
         return zones_name
 
     def _getreverse(self, api_client):
@@ -615,6 +643,7 @@ class LookupModule(LookupBase):
             display.vvv("Storing dns reverse zones in cache.")
             self._set_cache('dnsreverse', list(set(res)))
 
+        display.vvv('\n')
         return res
 
     def _rawquery(self, api_client, endpoint):
@@ -629,6 +658,8 @@ class LookupModule(LookupBase):
             res = api_client.list(endpoint)
             display.vvv("Storing result in cache.")
             self._set_cache(endpoint.replace('/', '_'), res)
+
+        display.vvv('\n')
         return res
 
     def _get_role(self, api_client, role_name):
@@ -655,4 +686,5 @@ class LookupModule(LookupBase):
             display.vvv("Storing {} in cache.".format(role_name))
             self._set_cache(role_name, res)
 
+        display.vvv('\n')
         return res
-- 
GitLab