From 3dfdf5cb4fa039eae9af253c101bc1abc18ad7eb Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Mon, 27 Jun 2022 20:02:04 +0200
Subject: [PATCH 01/13] [borg] Backups are now managed by backup-ft

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/all/borg.yml | 4 ++--
 hosts                   | 4 +---
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/group_vars/all/borg.yml b/group_vars/all/borg.yml
index c133bc14..e99c419d 100644
--- a/group_vars/all/borg.yml
+++ b/group_vars/all/borg.yml
@@ -7,7 +7,7 @@ glob_borg:
     - /var
   path: /backup/borg
   remote:
-    - borg@zephir-c.adm.crans.org:/backup/borg/{{ ansible_hostname }}
+    - borg@backup-ft.adm.crans.org:/backup/borg-server/{{ ansible_hostname }}
   retention:
     - ["daily", 4]
     - ["monthly", 6]
@@ -17,4 +17,4 @@ glob_borg:
     - make-parent-dirs
   encryption_passphrase: "{{ vault.borg.encryption_passphrase }}"
   ssh_privkey: "{{ vault.borg.ssh.privkey }}"
-  ssh_options: -4 -p 2223
+  ssh_options: ""
diff --git a/hosts b/hosts
index 55963056..fb376282 100644
--- a/hosts
+++ b/hosts
@@ -256,7 +256,6 @@ sputnik.adm.crans.org
 [wireguard]
 boeing.adm.crans.org
 sputnik.adm.crans.org
-vol447.adm.crans.org
 
 [crans_routeurs:children]
 routeurs_vm
@@ -265,7 +264,7 @@ routeurs_vm
 ft.adm.crans.org
 thot.adm.crans.org
 zamok.adm.crans.org
-zbee.adm.crans.org
+#zbee.adm.crans.org
 
 [crans_physical:children]
 backups
@@ -308,7 +307,6 @@ roundcube.adm.crans.org
 routeur-2754.adm.crans.org
 silice.adm.crans.org
 trinity.adm.crans.org
-vol447.adm.crans.org
 voyager.adm.crans.org
 yson-partou.adm.crans.org
 
-- 
GitLab


From 991f49aa574a00b8ce562632e6400189514f4e11 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 09:46:01 +0200
Subject: [PATCH 02/13] [backup-ft] Hello backup-ft!

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/all/borg.yml                                     | 5 ++++-
 host_vars/backup-ft.adm.crans.org.yml                       | 3 +++
 host_vars/ft.adm.crans.org.yml                              | 6 ++++++
 hosts                                                       | 2 ++
 roles/borgbackup-server/templates/authorized_keys.j2        | 2 +-
 .../borgbackup-server/templates/update-motd.d/05-service.j2 | 2 +-
 6 files changed, 17 insertions(+), 3 deletions(-)
 create mode 100644 host_vars/backup-ft.adm.crans.org.yml
 create mode 100644 host_vars/ft.adm.crans.org.yml

diff --git a/group_vars/all/borg.yml b/group_vars/all/borg.yml
index e99c419d..abf2aa78 100644
--- a/group_vars/all/borg.yml
+++ b/group_vars/all/borg.yml
@@ -5,7 +5,9 @@ glob_borg:
   to_backup:
     - /etc
     - /var
-  path: /backup/borg
+  paths:
+    - /backup/borg-server
+    - /backup/borg-adh
   remote:
     - borg@backup-ft.adm.crans.org:/backup/borg-server/{{ ansible_hostname }}
   retention:
@@ -17,4 +19,5 @@ glob_borg:
     - make-parent-dirs
   encryption_passphrase: "{{ vault.borg.encryption_passphrase }}"
   ssh_privkey: "{{ vault.borg.ssh.privkey }}"
+  ssh_pubkey: "{{ vault.borg.ssh.pubkey }}"
   ssh_options: ""
diff --git a/host_vars/backup-ft.adm.crans.org.yml b/host_vars/backup-ft.adm.crans.org.yml
new file mode 100644
index 00000000..dc2ef382
--- /dev/null
+++ b/host_vars/backup-ft.adm.crans.org.yml
@@ -0,0 +1,3 @@
+---
+interfaces:
+  adm: ens18
diff --git a/host_vars/ft.adm.crans.org.yml b/host_vars/ft.adm.crans.org.yml
new file mode 100644
index 00000000..9bb00abd
--- /dev/null
+++ b/host_vars/ft.adm.crans.org.yml
@@ -0,0 +1,6 @@
+---
+loc_borg:
+  to_backup:
+    - /etc
+    - /home_nounou
+    - /var
diff --git a/hosts b/hosts
index fb376282..b1e7e660 100644
--- a/hosts
+++ b/hosts
@@ -10,6 +10,7 @@ hodaur.adm.crans.org
 cameron.adm.crans.org
 
 [backups]
+backup-ft.adm.crans.org
 
 [baie]
 cameron.adm.crans.org
@@ -272,6 +273,7 @@ baie
 virtu
 
 [crans_vm]
+backup-ft.adm.crans.org
 belenios.adm.crans.org
 boeing.adm.crans.org
 cas.adm.crans.org
diff --git a/roles/borgbackup-server/templates/authorized_keys.j2 b/roles/borgbackup-server/templates/authorized_keys.j2
index 3504fcf9..80d0e785 100644
--- a/roles/borgbackup-server/templates/authorized_keys.j2
+++ b/roles/borgbackup-server/templates/authorized_keys.j2
@@ -1,3 +1,3 @@
 {{ ansible_header | comment }}
 
-command="borg serve --restrict-to-path {{ borg.path }}",restrict {{ vault.borgbackup_ssh_pubkey }}
+command="borg serve{% for path in borg.paths %} --restrict-to-path {{ path }}{% endfor %}",restrict {{ borg.ssh_pubkey }}
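Review bot: The forced command grants one shared key (`borg.ssh_pubkey`, the same vault value every client gets in group_vars/all/borg.yml) write access to every path in `borg.paths`, so any single backed-up host can read, overwrite or delete the repositories of all the others, which removes most of the value of off-host backups once one client is compromised. Adding `--append-only` to the forced command, `command="borg serve --append-only{% for path in borg.paths %} --restrict-to-path {{ path }}{% endfor %}",restrict {{ borg.ssh_pubkey }}`, makes client-side deletions reversible on the server; the client-driven `retention` pruning would then have to move to a server-side job. A per-host key with `--restrict-to-repository` would isolate hosts properly, but the vault layout visible here does not appear to hold per-host key material.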
diff --git a/roles/borgbackup-server/templates/update-motd.d/05-service.j2 b/roles/borgbackup-server/templates/update-motd.d/05-service.j2
index f27119aa..b2f35c2f 100755
--- a/roles/borgbackup-server/templates/update-motd.d/05-service.j2
+++ b/roles/borgbackup-server/templates/update-motd.d/05-service.j2
@@ -1,3 +1,3 @@
 #!/usr/bin/tail +14
 {{ ansible_header | comment }}
-> Borgbackup (Serveur) a été déployé sur cette machine. Les backups sont situés dans {{ borg.path }}.
+> Borgbackup (Serveur) a été déployé sur cette machine. Les backups sont situés dans {{ borg.paths|join(', ') }}.
-- 
GitLab


From b34a5ceb154e930f2691edb316f8712373870841 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 10:17:56 +0200
Subject: [PATCH 03/13] Drop unused networks

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/all/network_interfaces.yml | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/group_vars/all/network_interfaces.yml b/group_vars/all/network_interfaces.yml
index d0560363..33772410 100644
--- a/group_vars/all/network_interfaces.yml
+++ b/group_vars/all/network_interfaces.yml
@@ -18,19 +18,13 @@ glob_network_interfaces:
     - name: adm
       id: 10
       dns: "{{ query('ldap', 'ip', 'routeur-sam', 'adm') | ipv4 | first }} {{ query('ldap', 'ip', 'routeur-daniel', 'adm') | ipv4 | first }}"
-    - name: infra
-      id: 11
-      dns: "{{ query('ldap', 'ip', 'passerelle', 'infra') | ipv4 | first }}"
     - name: adh
       id: 12
       gateway: "{{ query('ldap', 'ip', 'passerelle', 'adh') | ipv4 | first }}"
       dns: "{{ query('ldap', 'ip', 'passerelle', 'adh') | ipv4 | first }}"
       gateway_v6: "{{ query('ldap', 'ip', 'passerelle', 'adh') | ipv6 | first }}"
-    - name: adh_nat
+    - name: adh_adm
       id: 13
-      gateway: "{{ query('ldap', 'ip', 'passerelle', 'adh-nat') | ipv4 | first }}"
-      dns: "{{ query('ldap', 'ip', 'passerelle', 'adh-nat') | ipv4 | first }}"
-      gateway_v6: "{{ query('ldap', 'ip', 'passerelle', 'adh-nat') | ipv6 | first }}"
     - name: renater
       id: 38
       gateway: "{{ query('ldap', 'ip', 'dsi', 'renater') | ipv4 | first }}"
-- 
GitLab


From eec977ebe8d862cc9532299b056fbf6e585c2fbe Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 10:27:01 +0200
Subject: [PATCH 04/13] Add specific configuration for ft and ViaRezo

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/all/home_nounou.yml        |  2 +-
 group_vars/viarezo/home_nounou.yml    | 10 ++++++++++
 group_vars/viarezo/ldap.yml           |  4 ++++
 host_vars/backup-ft.adm.crans.org.yml | 17 +++++++++++++++++
 hosts                                 | 18 ++++++++++++++----
 5 files changed, 46 insertions(+), 5 deletions(-)
 create mode 100644 group_vars/viarezo/home_nounou.yml
 create mode 100644 group_vars/viarezo/ldap.yml

diff --git a/group_vars/all/home_nounou.yml b/group_vars/all/home_nounou.yml
index 4839e1fe..d4b16d6d 100644
--- a/group_vars/all/home_nounou.yml
+++ b/group_vars/all/home_nounou.yml
@@ -1,7 +1,7 @@
 ---
 glob_home_nounou:
   mounts:
-    - ip: 172.16.10.1
+    - ip: "{{ query('ldap', 'ip', 'tealc', 'adm') | ipv4 | first }}"
       mountpoint: /pool/home
       target: /home_nounou
       name: home_nounou
diff --git a/group_vars/viarezo/home_nounou.yml b/group_vars/viarezo/home_nounou.yml
new file mode 100644
index 00000000..461b21b2
--- /dev/null
+++ b/group_vars/viarezo/home_nounou.yml
@@ -0,0 +1,10 @@
+---
+loc_home_nounou:
+  mounts:
+    - ip: "{{ query('ldap', 'ip', 'ft', 'adm') | ipv4 | first }}"
+      mountpoint: /home_nounou
+      target: /home_nounou
+      name: home_nounou
+      owner: root
+      group: _user
+      mode: '0750'
diff --git a/group_vars/viarezo/ldap.yml b/group_vars/viarezo/ldap.yml
new file mode 100644
index 00000000..148b6ed7
--- /dev/null
+++ b/group_vars/viarezo/ldap.yml
@@ -0,0 +1,4 @@
+---
+loc_ldap:
+  servers:
+    - "{{ query('ldap', 'ip', 'ft', 'adm') | ipv4 | first }}"
diff --git a/host_vars/backup-ft.adm.crans.org.yml b/host_vars/backup-ft.adm.crans.org.yml
index dc2ef382..c0cea06d 100644
--- a/host_vars/backup-ft.adm.crans.org.yml
+++ b/host_vars/backup-ft.adm.crans.org.yml
@@ -1,3 +1,20 @@
 ---
 interfaces:
   adm: ens18
+
+loc_home_nounou:
+  mounts:
+    - ip: "{{ query('ldap', 'ip', 'ft', 'adm') | ipv4 | first }}"
+      mountpoint: /home_nounou
+      target: /home_nounou
+      name: home_nounou
+      owner: root
+      group: _user
+      mode: '0750'
+    - ip: "{{ query('ldap', 'ip', 'ft', 'adm') | ipv4 | first }}"
+      mountpoint: /rpool/backup
+      target: /backup
+      name: backup
+      owner: root
+      group: root
+      mode: '0755'
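Review bot: The `/backup` mount is created with `mode: '0755'`, so any local account on backup-ft can traverse into the borg repositories; the data is encrypted client-side (`encryption_passphrase` in group_vars/all/borg.yml), but repository names equal hostnames, sizes are visible, and a world-traversable tree is one precondition less for tampering. Unless something other than the borg user consumes this mount, `mode: '0750'` with `group` set to the group borg runs under would be the tighter default — the hunk does not show what that group is named. The same setting appears in host_vars/backup-thot.adm.crans.org.yml in PATCH 08.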
diff --git a/hosts b/hosts
index b1e7e660..c40512cf 100644
--- a/hosts
+++ b/hosts
@@ -262,18 +262,16 @@ sputnik.adm.crans.org
 routeurs_vm
 
 [crans_physical]
-ft.adm.crans.org
 thot.adm.crans.org
 zamok.adm.crans.org
 #zbee.adm.crans.org
 
 [crans_physical:children]
-backups
 baie
 virtu
+viarezo_physical
 
 [crans_vm]
-backup-ft.adm.crans.org
 belenios.adm.crans.org
 boeing.adm.crans.org
 cas.adm.crans.org
@@ -312,6 +310,17 @@ trinity.adm.crans.org
 voyager.adm.crans.org
 yson-partou.adm.crans.org
 
+[viarezo_physical]
+ft.adm.crans.org
+
+[viarezo_vm]
+backup-ft.adm.crans.org
+routeur-ft.adm.crans.org
+
+[viarezo:children]
+viarezo_physical
+viarezo_vm
+
 [forget_me]
 ceph-controller-a.adm.crans.org
 ceph-controller-b.adm.crans.org
@@ -321,8 +330,9 @@ ceph-storage-b.adm.crans.org
 tilque.adm.crans.org
 
 [crans_vm:children]
-routeurs_vm
 forget_me
+routeurs_vm
+viarezo_vm
 
 [ovh_physical]
 sputnik.adm.crans.org
-- 
GitLab


From 0f84e0da18002af82db46d3e41333a55c4afbe30 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 11:32:59 +0200
Subject: [PATCH 05/13] [ft] Deploy root playbook on ft

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/slapd.yml           | 2 +-
 host_vars/ft.adm.crans.org.yml | 5 +++++
 hosts                          | 9 +++++++--
 plays/root.yml                 | 2 +-
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/group_vars/slapd.yml b/group_vars/slapd.yml
index e82aa8c5..48ebdc81 100644
--- a/group_vars/slapd.yml
+++ b/group_vars/slapd.yml
@@ -2,6 +2,6 @@
 glob_slapd:
   master_ip: "{{ query('ldap', 'ip', 'tealc', 'adm') | ipv4 | first }}"
   regex: "^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*|description:.*|location:.*)$"
-  replication_credentials: "{{ vault.sldap.tealc.replication_credentials }}"
+  replication_credentials: "{{ vault.slapd.tealc.replication_credentials }}"
   private_key: "{{ vault.slapd.tealc.private_key }}"
   certificate: "{{ vault.slapd.tealc.certificate }}"
diff --git a/host_vars/ft.adm.crans.org.yml b/host_vars/ft.adm.crans.org.yml
index 9bb00abd..95d02a50 100644
--- a/host_vars/ft.adm.crans.org.yml
+++ b/host_vars/ft.adm.crans.org.yml
@@ -4,3 +4,8 @@ loc_borg:
     - /etc
     - /home_nounou
     - /var
+
+loc_slapd:
+  ip: "{{ query('ldap', 'ip', 'ft', 'adm') | ipv4 | first }}"
+  replica: true
+  replica_rid: 6
diff --git a/hosts b/hosts
index c40512cf..9c8c10ee 100644
--- a/hosts
+++ b/hosts
@@ -219,11 +219,12 @@ monitoring.adm.crans.org
 helloworld.adm.crans.org
 
 [slapd]
-tealc.adm.crans.org
-sam.adm.crans.org
 daniel.adm.crans.org
+ft.adm.crans.org
 jack.adm.crans.org
+sam.adm.crans.org
 sputnik.adm.crans.org
+tealc.adm.crans.org
 
 [sssd]
 zamok.adm.crans.org
@@ -242,9 +243,13 @@ daniel.adm.crans.org
 jack.adm.crans.org
 sam.adm.crans.org
 
+[virtu_backup]
+ft.adm.crans.org
+
 [virtu:children]
 virtu_adh
 virtu_adm
+virtu_backup
 
 [vsftpd_mirror]
 eclat.adm.crans.org
diff --git a/plays/root.yml b/plays/root.yml
index 999bf68f..e9d7d0ad 100755
--- a/plays/root.yml
+++ b/plays/root.yml
@@ -21,7 +21,7 @@
   roles:
     - ldap-client
 
-- hosts: server,!ovh_physical,!tealc.adm.crans.org,!sam.adm.crans.org,!routeur-sam.adm.crans.org
+- hosts: server,!ovh_physical,!tealc.adm.crans.org,!sam.adm.crans.org,!routeur-sam.adm.crans.org,!ft.adm.crans.org
   vars:
     nfs_mount: "{{ glob_home_nounou | default({}) | combine(loc_home_nounou | default({})) }}"
   roles:
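Review bot: The hosts pattern now excludes five hostnames by hand (`!tealc…`, `!sam…`, `!routeur-sam…`, `!ft…`) and will need another edit when PATCH 08 makes thot the Aurore NFS server. An inventory group for the hosts that export rather than mount home_nounou (a constructed name such as `nfs_server`) would keep this play stable, with the line reading `- hosts: server,!ovh_physical,!nfs_server`. The play's `roles:` list continues outside the hunk.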
-- 
GitLab


From 070e69cccdd5c37b2590a5ed65e981db365de191 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 11:35:20 +0200
Subject: [PATCH 06/13] [proxmox] Deploy service-proxmox-user on virtus to sync
 the list of users

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/virtu.yml               | 20 ++++++++++++++++++++
 group_vars/virtu_adh.yml           | 25 +++++++++++++++++++++++++
 host_vars/daniel.adm.crans.org.yml |  3 +++
 host_vars/gulp.adm.crans.org.yml   |  3 +++
 host_vars/jack.adm.crans.org.yml   |  3 +++
 host_vars/odlyd.adm.crans.org.yml  |  3 +++
 plays/root.yml                     |  3 +++
 roles/service/tasks/main.yml       |  2 +-
 8 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 group_vars/virtu_adh.yml

diff --git a/group_vars/virtu.yml b/group_vars/virtu.yml
index 570a04cb..3db203e8 100644
--- a/group_vars/virtu.yml
+++ b/group_vars/virtu.yml
@@ -4,3 +4,23 @@ glob_debian_images:
   rsync_host: 'eclat.adm.crans.org'
   rsync_module: 'mirror'
   include_extra_images: false
+
+glob_service_proxmox_user:
+  git:
+    remote: https://gitlab.adm.crans.org/nounous/proxmox-user.git
+    version: main
+  name: proxmox-user
+  install_dir: /var/local/services/proxmox-user
+  generated: false
+  cron:
+    frequency: "*/2 * * * *"
+    options: ""
+  config:
+    ldap:
+      admin:
+        uri: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ipv4 | first }}/"
+        userBase: "ou=passwd,dc=crans,dc=org"
+        realm: "pam"
+  dependencies:
+    - python3-jinja2
+    - python3-ldap
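Review bot: `version: main` pins the proxmox-user checkout to a mutable branch, so whatever sits on that branch at the next run is deployed and executed by cron on every virtu host; for code that syncs the hypervisor user list from LDAP, a tag or commit id (`version: "<tag-or-commit placeholder>"`) would make the deployed revision reviewable and easy to roll back. The same applies to the copy in group_vars/virtu_adh.yml and to `glob_service_proxy` in group_vars/arpproxy.yml (PATCH 10), whose code goes on to rewrite routing and neighbour tables. The remote is the internal gitlab.adm.crans.org, which limits who can push, but a branch push is still an unreviewed change to running infrastructure.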
diff --git a/group_vars/virtu_adh.yml b/group_vars/virtu_adh.yml
new file mode 100644
index 00000000..d3a5f3e9
--- /dev/null
+++ b/group_vars/virtu_adh.yml
@@ -0,0 +1,25 @@
+glob_service_proxmox_user:
+  git:
+    remote: https://gitlab.adm.crans.org/nounous/proxmox-user.git
+    version: main
+  name: proxmox-user
+  install_dir: /var/local/services/proxmox-user
+  generated: false
+  cron:
+    frequency: "*/2 * * * *"
+    options: ""
+  config:
+    ldap:
+      admin:
+        uri: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ipv4 | first }}/"
+        userBase: "ou=passwd,dc=crans,dc=org"
+        realm: "pam"
+      user:
+        uri: "ldaps://{{ query('ldap', 'ip', 'flirt', 'adm') | ipv4 | first }}/"
+        userBase: "ou=users,dc=adh,dc=crans,dc=org"
+        realm: "pve"
+        binddn: "{{ vault.ldap_adh_reader.binddn }}"
+        passwd: "{{ vault.ldap_adh_reader.bindpass }}"
+  dependencies:
+    - python3-jinja2
+    - python3-ldap
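Review bot: `config.ldap.user` sends the `vault.ldap_adh_reader` bind credentials to `ldaps://<IP>/`; with the server named by a bare IP, certificate verification only succeeds if flirt's certificate carries that address as a SAN, and if the service works around that by disabling verification the bind password travels over an unauthenticated channel — worth confirming how proxmox-user validates the peer (the `admin` entry in group_vars/virtu.yml has the same shape). Separately, this is the only vars file in the series without the `---` document start. It also repeats the whole `glob_service_proxmox_user` block from group_vars/virtu.yml to add one `user` entry; with Ansible's default hash behaviour that duplication is required, and a first-line comment such as `# Full copy of group_vars/virtu.yml: same-named group vars replace, they do not merge` would stop the next reader from trimming it.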
diff --git a/host_vars/daniel.adm.crans.org.yml b/host_vars/daniel.adm.crans.org.yml
index fe23407a..96967505 100644
--- a/host_vars/daniel.adm.crans.org.yml
+++ b/host_vars/daniel.adm.crans.org.yml
@@ -8,3 +8,6 @@ loc_postgres:
   version: 13
   replica: true
   addresses: "['daniel.adm.crans.org'] + {{ query('ldap', 'ip', 'daniel', 'adm') | ipaddr('address') }}"
+
+loc_service_proxmox_user:
+  cron: null
diff --git a/host_vars/gulp.adm.crans.org.yml b/host_vars/gulp.adm.crans.org.yml
index 119fa7ab..4c4ef29d 100644
--- a/host_vars/gulp.adm.crans.org.yml
+++ b/host_vars/gulp.adm.crans.org.yml
@@ -1,3 +1,6 @@
 ---
 loc_debian_images:
   include_extra_images: true
+
+loc_service_proxmox_user:
+  cron: null
diff --git a/host_vars/jack.adm.crans.org.yml b/host_vars/jack.adm.crans.org.yml
index 7a83dd68..ac4ac7e0 100644
--- a/host_vars/jack.adm.crans.org.yml
+++ b/host_vars/jack.adm.crans.org.yml
@@ -8,3 +8,6 @@ loc_postgres:
   version: 13
   replica: true
   addresses: "['jack.adm.crans.org'] + {{ query('ldap', 'ip', 'jack', 'adm') | ipaddr('address') }}"
+
+loc_service_proxmox_user:
+  cron: null
diff --git a/host_vars/odlyd.adm.crans.org.yml b/host_vars/odlyd.adm.crans.org.yml
index 119fa7ab..4c4ef29d 100644
--- a/host_vars/odlyd.adm.crans.org.yml
+++ b/host_vars/odlyd.adm.crans.org.yml
@@ -1,3 +1,6 @@
 ---
 loc_debian_images:
   include_extra_images: true
+
+loc_service_proxmox_user:
+  cron: null
diff --git a/plays/root.yml b/plays/root.yml
index e9d7d0ad..6a632c76 100755
--- a/plays/root.yml
+++ b/plays/root.yml
@@ -3,8 +3,11 @@
 # root is the first playbook to launch (as root) whe initiation a new server
 
 - hosts: virtu
+  vars:
+    service: "{{ glob_service_proxmox_user | default({}) | combine(loc_service_proxmox_user | default({})) }}"
   roles:
     - proxmox-apt-sources
+    - service
 
 - hosts: server
   roles:
diff --git a/roles/service/tasks/main.yml b/roles/service/tasks/main.yml
index 78c40fa8..11525d34 100644
--- a/roles/service/tasks/main.yml
+++ b/roles/service/tasks/main.yml
@@ -55,7 +55,7 @@
   template:
     src: cron.d/service.j2
     dest: "/etc/cron.d/services-{{ service.name }}"
-  when: service.cron is defined
+  when: service.cron is defined and service.cron.frequency is defined
 
 - name: Deploy service configuration
   template:
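Review bot: The tightened condition only skips the template, so a host that now sets `cron: null` (the daniel, gulp, jack and odlyd host_vars in this patch) keeps any `/etc/cron.d/services-<name>` file deployed before this change, and the job keeps running. A complementary task with the inverse condition should remove the file so disabling the cron is effective on already-provisioned hosts. The task's `- name:` line is outside the hunk.
```yaml
  when: service.cron is defined and service.cron.frequency is defined

- name: Remove service cron when disabled
  file:
    path: "/etc/cron.d/services-{{ service.name }}"
    state: absent
  when: service.cron is not defined or service.cron.frequency is not defined
```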
-- 
GitLab


From f28bfa3bfb0f835c23483a0313cc9d477ca837be Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 11:35:55 +0200
Subject: [PATCH 07/13] Backup homes on sam and routeur-sam

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 host_vars/routeur-sam.adm.crans.org/borg.yml | 6 ++++++
 host_vars/sam.adm.crans.org.yml              | 6 ++++++
 2 files changed, 12 insertions(+)
 create mode 100644 host_vars/routeur-sam.adm.crans.org/borg.yml

diff --git a/host_vars/routeur-sam.adm.crans.org/borg.yml b/host_vars/routeur-sam.adm.crans.org/borg.yml
new file mode 100644
index 00000000..9bb00abd
--- /dev/null
+++ b/host_vars/routeur-sam.adm.crans.org/borg.yml
@@ -0,0 +1,6 @@
+---
+loc_borg:
+  to_backup:
+    - /etc
+    - /home_nounou
+    - /var
diff --git a/host_vars/sam.adm.crans.org.yml b/host_vars/sam.adm.crans.org.yml
index fcc22925..ea05b3ac 100644
--- a/host_vars/sam.adm.crans.org.yml
+++ b/host_vars/sam.adm.crans.org.yml
@@ -1,4 +1,10 @@
 ---
+loc_borg:
+  to_backup:
+    - /etc
+    - /home_nounou
+    - /var
+
 loc_slapd:
   ip: "{{ query('ldap', 'ip', 'sam', 'adm') | ipv4 | first }}"
   replica: true
-- 
GitLab


From 34ee6d2eef27708c388a14185db00dc1f18aac4e Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 11:41:14 +0200
Subject: [PATCH 08/13] [thot] Prepare Ansible configuration for thot

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/aurore/home_nounou.yml       | 10 ++++++++++
 group_vars/aurore/ldap.yml              |  4 ++++
 host_vars/backup-thot.adm.crans.org.yml | 20 ++++++++++++++++++++
 host_vars/thot.adm.crans.org.yml        | 11 +++++++++++
 hosts                                   | 15 +++++++++++++++
 5 files changed, 60 insertions(+)
 create mode 100644 group_vars/aurore/home_nounou.yml
 create mode 100644 group_vars/aurore/ldap.yml
 create mode 100644 host_vars/backup-thot.adm.crans.org.yml
 create mode 100644 host_vars/thot.adm.crans.org.yml

diff --git a/group_vars/aurore/home_nounou.yml b/group_vars/aurore/home_nounou.yml
new file mode 100644
index 00000000..462cc0f6
--- /dev/null
+++ b/group_vars/aurore/home_nounou.yml
@@ -0,0 +1,10 @@
+---
+loc_home_nounou:
+  mounts:
+    - ip: "{{ query('ldap', 'ip', 'thot', 'adm') | ipv4 | first }}"
+      mountpoint: /home_nounou
+      target: /home_nounou
+      name: home_nounou
+      owner: root
+      group: _user
+      mode: '0750'
diff --git a/group_vars/aurore/ldap.yml b/group_vars/aurore/ldap.yml
new file mode 100644
index 00000000..a2160a48
--- /dev/null
+++ b/group_vars/aurore/ldap.yml
@@ -0,0 +1,4 @@
+---
+loc_ldap:
+  servers:
+    - "{{ query('ldap', 'ip', 'thot', 'adm') | ipv4 | first }}"
diff --git a/host_vars/backup-thot.adm.crans.org.yml b/host_vars/backup-thot.adm.crans.org.yml
new file mode 100644
index 00000000..75cd112f
--- /dev/null
+++ b/host_vars/backup-thot.adm.crans.org.yml
@@ -0,0 +1,20 @@
+---
+interfaces:
+  adm: ens18
+
+loc_home_nounou:
+  mounts:
+    - ip: "{{ query('ldap', 'ip', 'thot', 'adm') | ipv4 | first }}"
+      mountpoint: /home_nounou
+      target: /home_nounou
+      name: home_nounou
+      owner: root
+      group: _user
+      mode: '0750'
+    - ip: "{{ query('ldap', 'ip', 'thot', 'adm') | ipv4 | first }}"
+      mountpoint: /rpool/backup
+      target: /backup
+      name: backup
+      owner: root
+      group: root
+      mode: '0755'
diff --git a/host_vars/thot.adm.crans.org.yml b/host_vars/thot.adm.crans.org.yml
new file mode 100644
index 00000000..efe08b40
--- /dev/null
+++ b/host_vars/thot.adm.crans.org.yml
@@ -0,0 +1,11 @@
+---
+loc_borg:
+  to_backup:
+    - /etc
+    - /home_nounou
+    - /var
+
+loc_slapd:
+  ip: "{{ query('ldap', 'ip', 'ft', 'adm') | ipv4 | first }}"
+  replica: true
+  replica_rid: 5
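Review bot: `loc_slapd.ip` on thot looks up ft's adm address (`query('ldap', 'ip', 'ft', 'adm')`), apparently copied from host_vars/ft.adm.crans.org.yml in PATCH 05, so whatever the slapd role does with this value (listen address or replication URL) will point at ft rather than thot. It should read `ip: "{{ query('ldap', 'ip', 'thot', 'adm') | ipv4 | first }}"`, matching the `thot` lookups used in the other files of this patch.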
diff --git a/hosts b/hosts
index 9c8c10ee..20038cb8 100644
--- a/hosts
+++ b/hosts
@@ -11,6 +11,7 @@ cameron.adm.crans.org
 
 [backups]
 backup-ft.adm.crans.org
+#backup-thot.adm.crans.org
 
 [baie]
 cameron.adm.crans.org
@@ -225,6 +226,7 @@ jack.adm.crans.org
 sam.adm.crans.org
 sputnik.adm.crans.org
 tealc.adm.crans.org
+thot.adm.crans.org
 
 [sssd]
 zamok.adm.crans.org
@@ -245,6 +247,7 @@ sam.adm.crans.org
 
 [virtu_backup]
 ft.adm.crans.org
+thot.adm.crans.org
 
 [virtu:children]
 virtu_adh
@@ -272,6 +275,7 @@ zamok.adm.crans.org
 #zbee.adm.crans.org
 
 [crans_physical:children]
+aurore_physical
 baie
 virtu
 viarezo_physical
@@ -326,6 +330,17 @@ routeur-ft.adm.crans.org
 viarezo_physical
 viarezo_vm
 
+[aurore_physical]
+thot.adm.crans.org
+
+[aurore_vm]
+#backup-thot.adm.crans.org
+#routeur-thot.adm.crans.org
+
+[aurore:children]
+aurore_physical
+aurore_vm
+
 [forget_me]
 ceph-controller-a.adm.crans.org
 ceph-controller-b.adm.crans.org
-- 
GitLab


From f7a2b1174b264793538baa663770be1fb41b334a Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 12:01:01 +0200
Subject: [PATCH 09/13] [network_interfaces] Allow having auto-configured
 interfaces

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/all/network_interfaces.yml                       | 2 ++
 host_vars/routeur-ft.adm.crans.org.yml                      | 4 ++++
 host_vars/routeur-thot.adm.crans.org.yml                    | 4 ++++
 .../templates/network/interfaces.d/ifalias.j2               | 6 ++++++
 4 files changed, 16 insertions(+)
 create mode 100644 host_vars/routeur-ft.adm.crans.org.yml
 create mode 100644 host_vars/routeur-thot.adm.crans.org.yml

diff --git a/group_vars/all/network_interfaces.yml b/group_vars/all/network_interfaces.yml
index 33772410..a86a9ed8 100644
--- a/group_vars/all/network_interfaces.yml
+++ b/group_vars/all/network_interfaces.yml
@@ -30,3 +30,5 @@ glob_network_interfaces:
       gateway: "{{ query('ldap', 'ip', 'dsi', 'renater') | ipv4 | first }}"
     - name: lp
       id: 56
+    - name: auto
+      id: 0
diff --git a/host_vars/routeur-ft.adm.crans.org.yml b/host_vars/routeur-ft.adm.crans.org.yml
new file mode 100644
index 00000000..307e18eb
--- /dev/null
+++ b/host_vars/routeur-ft.adm.crans.org.yml
@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  auto: ens19
diff --git a/host_vars/routeur-thot.adm.crans.org.yml b/host_vars/routeur-thot.adm.crans.org.yml
new file mode 100644
index 00000000..307e18eb
--- /dev/null
+++ b/host_vars/routeur-thot.adm.crans.org.yml
@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  auto: ens19
diff --git a/roles/network-interfaces/templates/network/interfaces.d/ifalias.j2 b/roles/network-interfaces/templates/network/interfaces.d/ifalias.j2
index a28afab7..ada7a9f9 100644
--- a/roles/network-interfaces/templates/network/interfaces.d/ifalias.j2
+++ b/roles/network-interfaces/templates/network/interfaces.d/ifalias.j2
@@ -1,6 +1,11 @@
 {{ ansible_header | comment }}
 
 {% set vlan_name = (item.name | replace('_', '-')) %}
+{% if vlan_name == "auto" %}
+auto {{ interfaces[item.name] }}
+iface {{ interfaces[item.name] }} inet dhcp
+iface {{ interfaces[item.name] }} inet6 auto
+{% else %}
 {% set subnet_network = (query('ldap', 'network', vlan_name) | ipaddr('network')) %}
 {% set subnet_netmask = (query('ldap', 'network', vlan_name) | ipaddr('netmask')) %}
 {% set ips = query('ldap', 'ip', ansible_hostname, vlan_name) %}
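Review bot: The `auto` branch configures IPv6 with `inet6 auto`, which depends on router advertisements, but on routeur-ft and routeur-thot PATCH 11 sets `net.ipv6.conf.all.forwarding=1` from the tunnel's post_up, and Linux stops honouring RAs on an interface once forwarding is enabled unless `accept_ra` is 2; ens19 would then silently lose its IPv6 address and default route after the tunnel comes up. Adding `accept_ra 2` as an option line under `iface {{ interfaces[item.name]  }} inet6 auto` covers that. A comment on the branch noting that this uplink takes address and routes from whatever the host network advertises would also help the next reader. The `{% if %}` opened here is closed in the second hunk.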
@@ -63,3 +68,4 @@ iface {{ interfaces[item.name] }} inet6 static
 {% endfor %}
 {% endif %}
 {% endif %}
+{% endif %}
-- 
GitLab


From bac8ffdc72f89e628c29d5c6b6245690b238788a Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 13:39:34 +0200
Subject: [PATCH 10/13] Deploy arpproxy service

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/arpproxy.yml                  | 11 +++++++++++
 host_vars/boeing.adm.crans.org.yml       | 12 ++++++++++++
 host_vars/routeur-ft.adm.crans.org.yml   | 10 ++++++++++
 host_vars/routeur-thot.adm.crans.org.yml | 10 ++++++++++
 hosts                                    |  5 +++++
 plays/arpproxy.yml                       |  7 +++++++
 6 files changed, 55 insertions(+)
 create mode 100644 group_vars/arpproxy.yml
 create mode 100755 plays/arpproxy.yml

diff --git a/group_vars/arpproxy.yml b/group_vars/arpproxy.yml
new file mode 100644
index 00000000..172e0743
--- /dev/null
+++ b/group_vars/arpproxy.yml
@@ -0,0 +1,11 @@
+---
+glob_service_proxy:
+  git:
+    remote: https://gitlab.adm.crans.org/nounous/proxy.git
+    version: main
+  name: proxy
+  install_dir: /var/local/services/proxy
+  generated: false
+  cron:
+    frequency: "* * * * *"
+    options: "--alter"
diff --git a/host_vars/boeing.adm.crans.org.yml b/host_vars/boeing.adm.crans.org.yml
index ef288088..e7a38043 100644
--- a/host_vars/boeing.adm.crans.org.yml
+++ b/host_vars/boeing.adm.crans.org.yml
@@ -16,3 +16,15 @@ loc_wireguard:
           endpoint: "{{ query('ldap', 'ip', 'sputnik', 'srv') | ipv4 | first }}:51820"
       post_up: "sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1; ip neigh add proxy {{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }} dev ens18"
       post_down: "sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0; ip neigh delete proxy {{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }} dev ens18"
+
+loc_service_proxy:
+  config:
+    ldap:
+      server: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ipv4 | first }}/"
+    protocol: "proxy"
+    filter: "adm.crans.org"
+    proxy:
+      default: "ens18"
+      viarezo: "sputnik"
+      aurore: "sputnik"
+      ovh: "sputnik"
diff --git a/host_vars/routeur-ft.adm.crans.org.yml b/host_vars/routeur-ft.adm.crans.org.yml
index 307e18eb..ecd69b9f 100644
--- a/host_vars/routeur-ft.adm.crans.org.yml
+++ b/host_vars/routeur-ft.adm.crans.org.yml
@@ -2,3 +2,13 @@
 interfaces:
   adm: ens18
   auto: ens19
+
+loc_service_proxy:
+  config:
+    ldap:
+      server: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ipv4 | first }}/"
+    protocol: "proxy"
+    filter: "adm.crans.org"
+    proxy:
+      default: "wg0"
+      viarezo: "ens18"
diff --git a/host_vars/routeur-thot.adm.crans.org.yml b/host_vars/routeur-thot.adm.crans.org.yml
index 307e18eb..3d46351a 100644
--- a/host_vars/routeur-thot.adm.crans.org.yml
+++ b/host_vars/routeur-thot.adm.crans.org.yml
@@ -2,3 +2,13 @@
 interfaces:
   adm: ens18
   auto: ens19
+
+loc_service_proxy:
+  config:
+    ldap:
+      server: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ipv4 | first }}/"
+    protocol: "proxy"
+    filter: "adm.crans.org"
+    proxy:
+      default: "wg0"
+      aurore: "ens18"
diff --git a/hosts b/hosts
index 20038cb8..110bedc9 100644
--- a/hosts
+++ b/hosts
@@ -3,6 +3,11 @@
 [adh_server]
 zamok.adm.crans.org
 
+[arpproxy]
+boeing.adm.crans.org
+routeur-ft.adm.crans.org
+#routeur-thot.adm.crans.org
+
 [autoconfig]
 hodaur.adm.crans.org
 
diff --git a/plays/arpproxy.yml b/plays/arpproxy.yml
new file mode 100755
index 00000000..ddc4fdd2
--- /dev/null
+++ b/plays/arpproxy.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: arpproxy
+  vars:
+    service: "{{ glob_service_proxy | default({}) | combine(loc_service_proxy | default({})) }}"
+  roles:
+    - service
-- 
GitLab


From 80db7ec7aa953ff96a0d09ab5cca37eb6f0824fa Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 14:19:21 +0200
Subject: [PATCH 11/13] Add wireguard peers between boeing and routeur-ft/thot

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 host_vars/boeing.adm.crans.org.yml            | 21 +++++++++++++--
 host_vars/routeur-ft.adm.crans.org.yml        | 23 ++++++++++++++++
 host_vars/routeur-thot.adm.crans.org.yml      | 23 ++++++++++++++++
 host_vars/sputnik.adm.crans.org.yml           |  3 ++-
 hosts                                         |  2 ++
 roles/wireguard/tasks/main.yml                |  1 -
 .../templates/wireguard/tunnel.conf.j2        | 26 +++++++++++++++++--
 7 files changed, 93 insertions(+), 6 deletions(-)

diff --git a/host_vars/boeing.adm.crans.org.yml b/host_vars/boeing.adm.crans.org.yml
index e7a38043..e945734b 100644
--- a/host_vars/boeing.adm.crans.org.yml
+++ b/host_vars/boeing.adm.crans.org.yml
@@ -8,14 +8,31 @@ loc_wireguard:
     - name: "sputnik"
       listen_port: 51820
       private_key: "{{ vault.wireguard.boeing.privkey }}"
+      table: "off"
       peers:
         - public_key: "{{ vault.wireguard.sputnik.pubkey }}"
           allowed_ips:
             - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}/32"
             - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }}/128"
           endpoint: "{{ query('ldap', 'ip', 'sputnik', 'srv') | ipv4 | first }}:51820"
-      post_up: "sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1; ip neigh add proxy {{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }} dev ens18"
-      post_down: "sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0; ip neigh delete proxy {{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }} dev ens18"
+        - public_key: "{{ vault.wireguard.routeur_ft.pubkey }}"
+          allowed_ips:
+            - "{{ query('ldap', 'network', 'adm') }}"
+            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
+          persistent_keepalive: 25
+        - public_key: "{{ vault.wireguard.routeur_thot.pubkey }}"
+          allowed_ips:
+            - "{{ query('ldap', 'network', 'adm') }}"
+            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
+          persistent_keepalive: 25
+      post_up:
+        - "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1"
+        - "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1"
+        - "python3 /var/local/services/proxy/proxy.py --alter"
+      pre_down:
+        - "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0"
+        - "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0"
+        - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
 
 loc_service_proxy:
   config:
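Review bot: The routeur_ft and routeur_thot peers list identical `allowed_ips` (the whole adm network and the same `fd00:0:0:<vlanid>::/64`), and WireGuard binds each prefix to exactly one peer, so after configuration only the last peer loaded owns those prefixes and packets for the other site's hosts are dropped or sent to the wrong router. `table: "off"` does not change this: cryptokey routing is decided inside the interface, not by the routing table. Either narrow each peer's `allowed_ips` to the addresses actually behind that router, or have proxy.py update the peer allowed-ips together with the routes it installs; the hunk does not show whether it already does.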
diff --git a/host_vars/routeur-ft.adm.crans.org.yml b/host_vars/routeur-ft.adm.crans.org.yml
index ecd69b9f..7b5b403f 100644
--- a/host_vars/routeur-ft.adm.crans.org.yml
+++ b/host_vars/routeur-ft.adm.crans.org.yml
@@ -3,6 +3,29 @@ interfaces:
   adm: ens18
   auto: ens19
 
+loc_wireguard:
+  tunnels:
+    - name: "wg0"
+      listen_port: 51820
+      private_key: "{{ vault.wireguard.routeur_ft.privkey }}"
+      table: "off"
+      peers:
+        - public_key: "{{ vault.wireguard.boeing.pubkey }}"
+          allowed_ips:
+            - "{{ query('ldap', 'network', 'adm') }}"
+            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
+          endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820"
+          persistent_keepalive: 25
+      post_up:
+        - "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.wg0.proxy_arp=1"
+        - "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.wg0.proxy_ndp=1"
+        - "ip route add 172.16.10.1 dev wg0 proto proxy"
+        - "python3 /var/local/services/proxy/proxy.py --alter"
+      pre_down:
+        - "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.wg0.proxy_arp=0"
+        - "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.wg0.proxy_ndp=0"
+        - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
+
 loc_service_proxy:
   config:
     ldap:
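Review bot: The two sysctl lines under pre_down set `net.ipv4.conf.all.forwarding=0` and `net.ipv6.conf.all.forwarding=0`, which is a host-wide toggle: taking wg0 down (including the teardown wg-quick runs after a failed `up`) stops forwarding on every interface of this router, not just the tunnel. Consider managing the `all.forwarding` sysctls persistently (sysctl.d) and keeping only the per-interface toggles in pre_down, e.g. `- "sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.wg0.proxy_arp=0"`. The route target `172.16.10.1` in post_up is a bare magic value; a comment naming what it is would help, e.g. `# 172.16.10.1: <role of this address — fill in>`. The same pre_down pattern appears in the routeur-thot hunk below and in the preceding hunk.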
diff --git a/host_vars/routeur-thot.adm.crans.org.yml b/host_vars/routeur-thot.adm.crans.org.yml
index 3d46351a..d5c81610 100644
--- a/host_vars/routeur-thot.adm.crans.org.yml
+++ b/host_vars/routeur-thot.adm.crans.org.yml
@@ -3,6 +3,29 @@ interfaces:
   adm: ens18
   auto: ens19
 
+loc_wireguard:
+  tunnels:
+    - name: "wg0"
+      listen_port: 51820
+      private_key: "{{ vault.wireguard.routeur_thot.privkey }}"
+      table: "off"
+      peers:
+        - public_key: "{{ vault.wireguard.boeing.pubkey }}"
+          allowed_ips:
+            - "{{ query('ldap', 'network', 'adm') }}"
+            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
+          endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820"
+          persistent_keepalive: 25
+      post_up:
+        - "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.wg0.proxy_arp=1"
+        - "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.wg0.proxy_ndp=1"
+        - "ip route add 172.16.10.1 dev wg0 proto proxy"
+        - "python3 /var/local/services/proxy/proxy.py --alter"
+      pre_down:
+        - "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.wg0.proxy_arp=0"
+        - "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.wg0.proxy_ndp=0"
+        - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
+
 loc_service_proxy:
   config:
     ldap:
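Review bot: This loc_wireguard stanza is identical to the one added for routeur-ft except for the `private_key` vault path, so the sysctl commands, proxy route and keepalive now have to be kept in sync in two places. Consider moving the shared tunnel definition to group_vars for the wireguard routers and deriving the key path from the host, e.g. `private_key: "{{ vault.wireguard[inventory_hostname_short | replace('-', '_')].privkey }}"` (constructed; it assumes the vault keeps the `routeur_<name>` naming visible here). Check the rendered result on both hosts before relying on it.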
diff --git a/host_vars/sputnik.adm.crans.org.yml b/host_vars/sputnik.adm.crans.org.yml
index f9bd8666..356ff00d 100644
--- a/host_vars/sputnik.adm.crans.org.yml
+++ b/host_vars/sputnik.adm.crans.org.yml
@@ -22,7 +22,8 @@ loc_wireguard:
             - "{{ query('ldap', 'network', 'adm') }}"
             - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
           endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820"
-      post_up: "/sbin/ip link set sputnik alias adm"
+      post_up:
+        - "/sbin/ip link set sputnik alias adm"
 
 loc_slapd:
   ip: "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}"
diff --git a/hosts b/hosts
index 110bedc9..3f3f03b3 100644
--- a/hosts
+++ b/hosts
@@ -269,6 +269,8 @@ sputnik.adm.crans.org
 
 [wireguard]
 boeing.adm.crans.org
+routeur-ft.adm.crans.org
+#routeur-thot.adm.crans.org
 sputnik.adm.crans.org
 
 [crans_routeurs:children]
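Review bot: routeur-thot.adm.crans.org is added to [wireguard] commented out, while the same commit adds its complete loc_wireguard stanza in host_vars and lists its public key as a peer on the host configured in the earlier hunk; until the line is uncommented the role never runs there and that peer entry refers to a tunnel that does not exist. A short comment stating why it is disabled and what unblocks it would keep the inventory from accumulating silent dead entries, e.g. `#routeur-thot.adm.crans.org  # disabled: <reason — fill in>`.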
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
index c9f9d293..905cbfce 100644
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@@ -5,7 +5,6 @@
     name:
       - wireguard
       - resolvconf
-      - linux-headers-amd64
   register: apt_result
   retries: 3
   until: apt_result is succeeded
diff --git a/roles/wireguard/templates/wireguard/tunnel.conf.j2 b/roles/wireguard/templates/wireguard/tunnel.conf.j2
index e8682637..17aacb31 100644
--- a/roles/wireguard/templates/wireguard/tunnel.conf.j2
+++ b/roles/wireguard/templates/wireguard/tunnel.conf.j2
@@ -8,18 +8,40 @@ Address = {{ item.addresses | join(", ") }}
 ListenPort = {{ item.listen_port }}
 {% endif %}
 PrivateKey = {{ item.private_key }}
+{% if item.table is defined %}
+Table = {{ item.table }}
+{% endif %}
 
+{% if item.pre_up is defined %}
+{% for command in item.pre_up %}
+PreUp = {{ command }}
+{% endfor %}
+{% endif %}
 {% if item.post_up is defined %}
-PostUp = {{ item.post_up }}
+{% for command in item.post_up %}
+PostUp = {{ command }}
+{% endfor %}
+{% endif %}
+{% if item.pre_down is defined %}
+{% for command in item.pre_down %}
+PreDown = {{ command }}
+{% endfor %}
 {% endif %}
 {% if item.post_down is defined %}
-PostDown = {{ item.post_down }}
+{% for command in item.post_down %}
+PostDown = {{ command }}
+{% endfor %}
 {% endif %}
 
 {% for peer in item.peers %}
 [Peer]
 PublicKey = {{ peer.public_key }}
 AllowedIPs = {{ peer.allowed_ips | join(", ") }}
+{% if peer.endpoint is defined %}
 Endpoint = {{ peer.endpoint }}
+{% endif %}
+{% if peer.persistent_keepalive is defined %}
+PersistentKeepalive = {{ peer.persistent_keepalive }}
+{% endif %}
 
 {% endfor -%}
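Review bot: The new `{% for command in item.post_up %}` loop (and the pre_up, pre_down and post_down ones) assumes a list; a host that still defines `post_up` as a plain string, as sputnik did before this commit, is iterated character by character and renders one `PostUp = <char>` line per character, each of which wg-quick then tries to execute. Accept both shapes so a missed host_vars migration fails visibly rather than running garbage, e.g. `{% for command in ([item.post_up] if item.post_up is string else item.post_up) %}`, applied to the four loops. `Table = {{ item.table }}` also renders whatever YAML parsed: the host_vars quote `"off"`, which matters because an unquoted `off` is a boolean and would render as `False`; a template comment saying so would help the next host_vars author.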
-- 
GitLab


From 3422500024f0bcadd846998f63e88f4628d6ab6a Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 14:20:51 +0200
Subject: [PATCH 12/13] Move the proxmox user service in the proxmox playbook

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 plays/proxmox.yml | 2 ++
 plays/root.yml    | 3 ---
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/plays/proxmox.yml b/plays/proxmox.yml
index cc44d139..70d55ed0 100755
--- a/plays/proxmox.yml
+++ b/plays/proxmox.yml
@@ -3,6 +3,8 @@
 - hosts: virtu
   vars:
     debian_images: '{{ glob_debian_images | default({}) | combine(loc_debian_images | default({})) }}'
+    service: "{{ glob_service_proxmox_user | default({}) | combine(loc_service_proxmox_user | default({})) }}"
   roles:
     - proxmox-apt-sources
     - proxmox-debian-images
+    - service
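Review bot: The new `service` var is double-quoted while the adjacent `debian_images` var uses single quotes; keep one quoting style within the vars block, e.g. `service: '{{ glob_service_proxmox_user | default({}) | combine(loc_service_proxmox_user | default({})) }}'`. Single quotes are the safer default here since the expression contains no escapes.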
diff --git a/plays/root.yml b/plays/root.yml
index 6a632c76..e9d7d0ad 100755
--- a/plays/root.yml
+++ b/plays/root.yml
@@ -3,11 +3,8 @@
 # root is the first playbook to launch (as root) whe initiation a new server
 
 - hosts: virtu
-  vars:
-    service: "{{ glob_service_proxmox_user | default({}) | combine(loc_service_proxmox_user | default({})) }}"
   roles:
     - proxmox-apt-sources
-    - service
 
 - hosts: server
   roles:
-- 
GitLab


From f375458aed382ae59f4995430e822c62c1bf1621 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 14:34:07 +0200
Subject: [PATCH 13/13] Don't mount homes on thot

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 plays/root.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plays/root.yml b/plays/root.yml
index e9d7d0ad..5b92d4fc 100755
--- a/plays/root.yml
+++ b/plays/root.yml
@@ -21,7 +21,7 @@
   roles:
     - ldap-client
 
-- hosts: server,!ovh_physical,!tealc.adm.crans.org,!sam.adm.crans.org,!routeur-sam.adm.crans.org,!ft.adm.crans.org
+- hosts: server,!ovh_physical,!tealc.adm.crans.org,!sam.adm.crans.org,!routeur-sam.adm.crans.org,!ft.adm.crans.org,!thot.adm.crans.org
   vars:
     nfs_mount: "{{ glob_home_nounou | default({}) | combine(loc_home_nounou | default({})) }}"
   roles:
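Review bot: The host pattern now carries six negations, and each new exception means editing this play instead of the inventory. A dedicated inventory group for hosts that must not mount homes, excluded once here, would be easier to maintain, e.g. `- hosts: server,!ovh_physical,!no_home_mount` with a `[no_home_mount]` group listing tealc, sam, routeur-sam, ft and thot (the group name is a constructed example).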
-- 
GitLab