From 9a01dd59fdf4517b6cbcd489c47421b5fd1f23ee Mon Sep 17 00:00:00 2001
From: shirenn <shirenn@crans.org>
Date: Tue, 18 Aug 2020 17:13:44 +0200
Subject: [PATCH 1/4] [reverse_proxy] Adds hodaur and clean role
---
 group_vars/reverse_proxy.yml | 42 +++++++++++
 group_vars/reverseproxy.yml | 74 ++++++++++++++++++++
 hosts | 5 ++
 plays/reverse-proxy.yml | 54 +-------------
 roles/nginx-reverseproxy/tasks/main.yml | 7 +-
 .../templates/www/html/50x.html.j2 | 2 +-
 6 files changed, 126 insertions(+), 58 deletions(-)
 create mode 100644 group_vars/reverse_proxy.yml
 create mode 100644 group_vars/reverseproxy.yml
diff --git a/group_vars/reverse_proxy.yml b/group_vars/reverse_proxy.yml
new file mode 100644
index 00000000..2951fe30
--- /dev/null
+++ b/group_vars/reverse_proxy.yml
@@ -0,0 +1,42 @@
+reverse_proxy:
+ contact: "contact@crans.org"
+ who: "l'équipe technique du Cr@ns"
+ ssl:
+ cert: /etc/letsencrypt/live/crans.org/fullchain.pem
+ cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
+ trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
+
+ redirect_dnames:
+ - crans.org
+ - crans.eu
+ - crans.fr
+
+ reverseproxy_sites:
+ # Services web Crans
+ - {from: lutim, to: 10.231.136.69}
+ # - {from: zero, to: 10.231.136.76}
+ # - {from: pad, to: "10.231.136.76:9001"}
+ # - {from: ethercalc, to: "10.231.136.203:8000"}
+ # - {from: mediadrop, to: 10.231.136.106}
+ # - {from: videos, to: 10.231.136.106}
+ # - {from: video, to: 10.231.136.106}
+ # - {from: roundcube, to: 10.231.136.105}
+ # - {from: phabricator, to: 10.231.136.123}
+ # - {from: trackerusercontent, to: 10.231.136.123}
+ # - {from: cas, to: 10.231.136.18}
+ # - {from: auth, to: 10.231.136.18}
+ # - {from: login, to: 10.231.136.18}
+ # - {from: webmail, to: 10.231.136.107}
+ # - {from: horde, to: 10.231.136.107}
+ # - {from: owncloud, to: 10.231.136.26}
+ # - {from: ftps, to: 10.231.136.98}
+ # - {from: wiki, to: 10.231.136.204}
+ # - {from: calendrier, to: 10.231.136.204}
+ # - {from: www, to: 10.231.136.46}
+ # - {from: doc, to: 10.231.136.46}
+ # - {from: limesurvey, to: 10.231.136.253}
+ # - {from: perso, to: 10.231.136.1}
+ # - {from: webnews, to: 10.231.136.63}
+ # - {from: re2o, to: 10.231.136.9}
+ # - {from: intranet, to: 10.231.136.9}
+ # - {from: autoconfig, to: 10.231.136.46}
diff --git a/group_vars/reverseproxy.yml b/group_vars/reverseproxy.yml
new file mode 100644
index 00000000..0ad542a9
--- /dev/null
+++ b/group_vars/reverseproxy.yml
@@ -0,0 +1,74 @@
+nginx:
+ contact: contact@crans.org
+ who: "l'équipe technique du Cr@ns"
+ ssl:
+ cert: /etc/letsencrypt/live/crans.org/fullchain.pem
+ cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
+ trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
+
+ redirect_dnames:
+ - crans.eu
+ - crans.fr
+
+ reverseproxy_sites: []
+ # # Services web Crans
+ # - {from: lutim.crans.org, to: 10.231.136.69}
+ # - {from: zero.crans.org, to: 10.231.136.76}
+ # - {from: pad.crans.org, to: "10.231.136.76:9001"}
+ # - {from: ethercalc.crans.org, to: "10.231.136.203:8000"}
+ # - {from: mediadrop.crans.org, to: 10.231.136.106}
+ # - {from: videos.crans.org, to: 10.231.136.106}
+ # - {from: video.crans.org, to: 10.231.136.106}
+ # - {from: roundcube.crans.org, to: 10.231.136.105}
+ # - {from: phabricator.crans.org, to: 10.231.136.123}
+ # - {from: trackerusercontent.crans.org, to: 10.231.136.123}
+ # - {from: cas.crans.org, to: 10.231.136.18}
+ # - {from: auth.crans.org, to: 10.231.136.18}
+ # - {from: login.crans.org, to: 10.231.136.18}
+ # - {from: webmail.crans.org, to: 10.231.136.107}
+ # - {from: horde.crans.org, to: 10.231.136.107}
+ # - {from: owncloud.crans.org, to: 10.231.136.26}
+ # - {from: ftps.crans.org, to: 10.231.136.98}
+ # - {from: wiki.crans.org, to: 10.231.136.204}
+ # - {from: www.crans.org, to: 10.231.136.46}
+ # - {from: doc.crans.org, to: 10.231.136.46}
+ # - {from: limesurvey.crans.org, to: 10.231.136.253}
+ # - {from: perso.crans.org, to: 10.231.136.1}
+ # - {from: webnews.crans.org, to: 10.231.136.63}
+ # - {from: re2o.crans.org, to: 10.231.136.9}
+ # - {from: intranet.crans.org, to: 10.231.136.9}
+ # - {from: autoconfig.crans.org, to: 10.231.136.46}
+ # - {from: grafana.crans.org, to: "10.231.136.102:3000"}
+ # - {from: webirc.crans.org, to: "10.231.136.1:9000"}
+ # - {from: framadate.crans.org, to: 10.231.136.153}
+ # - {from: mailman.crans.org, to: 10.231.136.180}
+ #
+ # # Zamok
+ # - {from: install-party.crans.org, to: 10.231.136.1}
+ # - 
{from: med.crans.org, to: 10.231.136.1}
+ # - {from: med-cartons.crans.org, to: 10.231.136.1}
+ # - {from: amap.crans.org, to: 10.231.136.1}
+ # - {from: pot-vieux.crans.org, to: 10.231.136.1}
+ # - {from: bonvivens.crans.org, to: 10.231.136.1}
+ #
+ redirect_sites: []
+ # - {from: crans.org, to: www.crans.org}
+ #
+ # # Aliases or legacy support
+ # - {from: factures.crans.org, to: intranet.crans.org}
+ # - {from: accounts.crans.org, to: intranet.crans.org}
+ # - {from: intranet2.crans.org, to: intranet.crans.org}
+ # - {from: clubs.crans.org, to: perso.crans.org}
+ # - {from: task.crans.org, to: phabricator.crans.org}
+ # - {from: adopteunpingouin.crans.org, to: install-party.crans.org}
+ # - {from: i-p.crans.org, to: install-party.crans.org}
+ #
+ # # To the wiki
+ # - {from: wikipedia.crans.org, to: wiki.crans.org}
+ # - {from: wifi.crans.org, to: wiki.crans.org/CransD%C3%A9marrage}
+ # - {from: television.crans.org, to: wiki.crans.org/CransTv}
+ # - {from: tv.crans.org, to: wiki.crans.org/CransTv}
+ #
+ # # ENS Cachan
+ # - {from: crans.ens-cachan.fr, to: www.crans.org}
+ # - {from: install-party.ens-cachan.fr, to: install-party.crans.org}
diff --git a/hosts b/hosts
index 50f5c5f2..328a1f21 100644
--- a/hosts
+++ b/hosts
@@ -25,6 +25,10 @@ # [test_vm] # re2o-test.adm.crans.org
+[reverseproxy]
+hodaur.adm.crans.org
+frontdaur.adm.crans.org
+
[radius] routeur-sam.adm.crans.org
@@ -72,6 +76,7 @@ routeur-sam.adm.crans.org routeur-daniel.adm.crans.org belenios # on changera plus tard re2o-ldap.adm.crans.org
+hodaur.adm.crans.org
[ovh_physical] sputnik.adm.crans.org
diff --git a/plays/reverse-proxy.yml b/plays/reverse-proxy.yml
index 5daf6670..413dc690 100755
--- a/plays/reverse-proxy.yml
+++ b/plays/reverse-proxy.yml
@@ -1,53 +1,5 @@ #!/usr/bin/env ansible-playbook ---
-# Deploy reverse proxy
-# Frontdaur is the backup of bakdaur (keepalived)
-- hosts: bakdaur.adm.crans.org,frontdaur.adm.crans.org
- vars:
- certbot:
- dns_rfc2136_name: certbot_challenge.
- dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
- mail: root@crans.org
- certname: crans.org
- domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
- bind:
- masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
- nginx:
- ssl:
- cert: /etc/letsencrypt/live/crans.org/fullchain.pem
- cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
- trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
-
- redirect_dnames:
- - crans.eu
- - crans.fr
-
- reverseproxy_sites:
- # Services web Crans
- - {from: lutim.crans.org, to: 10.231.136.69}
- - {from: zero.crans.org, to: 10.231.136.76}
- - {from: pad.crans.org, to: "10.231.136.76:9001"}
- - {from: ethercalc.crans.org, to: "10.231.136.203:8000"}
- - {from: mediadrop.crans.org, to: 10.231.136.106}
- - {from: videos.crans.org, to: 10.231.136.106}
- - {from: video.crans.org, to: 10.231.136.106}
- - {from: roundcube.crans.org, to: 10.231.136.105}
- - {from: phabricator.crans.org, to: 10.231.136.123}
- - {from: trackerusercontent.crans.org, to: 10.231.136.123}
- - {from: cas.crans.org, to: 10.231.136.18}
- - {from: auth.crans.org, to: 10.231.136.18}
- - {from: login.crans.org, to: 10.231.136.18}
- - {from: webmail.crans.org, to: 10.231.136.107}
- - {from: horde.crans.org, to: 10.231.136.107}
- - {from: owncloud.crans.org, to: 10.231.136.26}
- - {from: ftps.crans.org, to: 10.231.136.98}
- - {from: wiki.crans.org, to: 10.231.136.204}
- - {from: calendrier.crans.org, to: 10.231.136.204}
- - {from: www.crans.org, to: 10.231.136.46}
- - {from: doc.crans.org, to: 10.231.136.46}
- - {from: limesurvey.crans.org, to: 10.231.136.253}
- - {from: perso.crans.org, to: 10.231.136.1}
- - {from: webnews.crans.org, to: 10.231.136.63}
- - {from: 
re2o.crans.org, to: 10.231.136.9}
- - {from: intranet.crans.org, to: 10.231.136.9}
- - {from: autoconfig.crans.org, to: 10.231.136.46}
+- hosts: reverseproxy
+ roles:
+ - nginx-reverseproxy
diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml
index c021eef7..5a23f992 100644
--- a/roles/nginx-reverseproxy/tasks/main.yml
+++ b/roles/nginx-reverseproxy/tasks/main.yml
@@ -15,16 +15,10 @@ - options-ssl.conf - options-proxypass.conf
-- name: Has dhparam been copied?
- stat:
- path: /etc/letsencrypt/dhparam
- register: stat_result
- - name: Copy dhparam template: src: letsencrypt/dhparam.j2 dest: /etc/letsencrypt/dhparam
- when: not stat_result.stat.exists
- name: Copy reverse proxy sites template:
@@ -46,6 +40,7 @@ - reverseproxy_redirect_dname - redirect notify: Reload nginx
+ ignore_errors: "{{ ansible_check_mode }}"
- name: Copy 50x error page template:
diff --git a/roles/nginx-reverseproxy/templates/www/html/50x.html.j2 b/roles/nginx-reverseproxy/templates/www/html/50x.html.j2
index b4bde1f9..078e2de2 100644
--- a/roles/nginx-reverseproxy/templates/www/html/50x.html.j2
+++ b/roles/nginx-reverseproxy/templates/www/html/50x.html.j2
@@ -57,7 +57,7 @@ <h1>502</h1> <p>Whoops, le service prend trop de temps à répondre…</p> <p>Essayez de rafraîchir la page. Si le problème persiste, pensez
- à contacter <a href="mailto:contact@crans.org">l'équipe technique du Cr@ns</a>.</p>
+ à contacter <a href="mailto:{{ nginx.contact }}">{{ nginx.who }}</a>.</p>
</body> </html>
-- GitLab
From 54efaddadbf77a029a99974fc2b78a58368d9dc6 Mon Sep 17 00:00:00 2001
From: shirenn <shirenn@crans.org>
Date: Tue, 18 Aug 2020 17:57:27 +0200
Subject: [PATCH 2/4] [reverseproxy] installs certbot
---
 group_vars/reverseproxy.yml | 7 +++++++
 plays/reverse-proxy.yml | 1 +
 2 files changed, 8 insertions(+)
diff --git a/group_vars/reverseproxy.yml b/group_vars/reverseproxy.yml
index 0ad542a9..eae6745f 100644
--- a/group_vars/reverseproxy.yml
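Review bot: The two removed header comments were the only place stating that frontdaur is the keepalived backup of bakdaur, and the rewritten play now targets the `reverseproxy` group, which the hosts hunk of this commit fills with hodaur and frontdaur, so bakdaur drops out of the play's scope without any trace in the file. If that is intended, keep a one-line header above `- hosts: reverseproxy`, e.g. `# Reverse proxies: every host of the [reverseproxy] inventory group (bakdaur is no longer managed by this play)`. Whether keepalived still pairs the two hosts that remain cannot be told from this diff; the comment should record it once confirmed.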
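Review bot: Removing the `stat` task and its `when: not stat_result.stat.exists` guard makes `Copy dhparam` unconditional, so the content of `letsencrypt/dhparam.j2` now overwrites `/etc/letsencrypt/dhparam` on every run and a group generated locally on a host is replaced without notice. That is fine if the committed template is meant to be the single source of truth, but the task should say so, e.g. `# dhparam is owned by the repo template and re-applied on every run; regenerate it there, never on the host`. The `ignore_errors: "{{ ansible_check_mode }}"` added in the second hunk is limited to check mode and looks correct; the task it belongs to starts before that hunk.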
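Review bot: `{{ nginx.contact }}` and `{{ nginx.who }}` are interpolated into an href attribute and element text without HTML escaping, and Ansible's `template` module does not HTML-escape Jinja2 output by default, so any `<`, `&` or `"` that later lands in those group vars is emitted raw into the error page. The values are operator-controlled, so this is hardening rather than an open hole, but the fix is one filter per variable: `<a href="mailto:{{ nginx.contact | e }}">{{ nginx.who | e }}</a>`. The `who` value already carries an apostrophe, which `e` encodes without changing how the page reads.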
+++ b/group_vars/reverseproxy.yml
@@ -1,3 +1,10 @@
+certbot:
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ mail: root@crans.org
+ certname: crans.org
+ domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
+
nginx: contact: contact@crans.org who: "l'équipe technique du Cr@ns"
diff --git a/plays/reverse-proxy.yml b/plays/reverse-proxy.yml
index 413dc690..b7a8d3ad 100755
--- a/plays/reverse-proxy.yml
+++ b/plays/reverse-proxy.yml
@@ -2,4 +2,5 @@ --- - hosts: reverseproxy roles:
+ - certbot
- nginx-reverseproxy
-- GitLab
From 1f16dc88b61f7c596f36ee9de78f78a7dc6d7971 Mon Sep 17 00:00:00 2001
From: shirenn <shirenn@crans.org>
Date: Tue, 18 Aug 2020 19:09:19 +0200
Subject: [PATCH 3/4] [reverseproxy] variables and dirty things
---
 group_vars/reverse_proxy.yml | 42 ------------------------------------
 group_vars/reverseproxy.yml | 6 +++---
 roles/certbot/tasks/main.yml | 4 +++-
 3 files changed, 6 insertions(+), 46 deletions(-)
 delete mode 100644 group_vars/reverse_proxy.yml
diff --git a/group_vars/reverse_proxy.yml b/group_vars/reverse_proxy.yml
deleted file mode 100644
index 2951fe30..00000000
--- a/group_vars/reverse_proxy.yml
+++ /dev/null
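Review bot: `dns_rfc2136_secret` is the key that lets certbot write the challenge records for `crans.org`, `crans.fr` and `crans.eu` including their wildcards, and by moving it into `group_vars/reverseproxy.yml` it is now deployed to every host of the group instead of the two hosts the old play named. Keeping the value in vault is right; what the hunk does not record is how far the key's update rights reach on the DNS master, so a comment beside the secret such as `# TSIG key from vault; server-side policy should limit it to _acme-challenge.* names` would let the next reader judge the blast radius of a compromised frontend. Each host of the group will presumably also request its own certificate with these settings, which is worth stating if intended.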
@@ -1,42 +0,0 @@
-reverse_proxy:
- contact: "contact@crans.org"
- who: "l'équipe technique du Cr@ns"
- ssl:
- cert: /etc/letsencrypt/live/crans.org/fullchain.pem
- cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
- trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
-
- redirect_dnames:
- - crans.org
- - crans.eu
- - crans.fr
-
- reverseproxy_sites:
- # Services web Crans
- - {from: lutim, to: 10.231.136.69}
- # - {from: zero, to: 10.231.136.76}
- # - {from: pad, to: "10.231.136.76:9001"}
- # - {from: ethercalc, to: "10.231.136.203:8000"}
- # - {from: mediadrop, to: 10.231.136.106}
- # - {from: videos, to: 10.231.136.106}
- # - {from: video, to: 10.231.136.106}
- # - {from: roundcube, to: 10.231.136.105}
- # - {from: phabricator, to: 10.231.136.123}
- # - {from: trackerusercontent, to: 10.231.136.123}
- # - {from: cas, to: 10.231.136.18}
- # - {from: auth, to: 10.231.136.18}
- # - {from: login, to: 10.231.136.18}
- # - {from: webmail, to: 10.231.136.107}
- # - {from: horde, to: 10.231.136.107}
- # - {from: owncloud, to: 10.231.136.26}
- # - {from: ftps, to: 10.231.136.98}
- # - {from: wiki, to: 10.231.136.204}
- # - {from: calendrier, to: 10.231.136.204}
- # - {from: www, to: 10.231.136.46}
- # - {from: doc, to: 10.231.136.46}
- # - {from: limesurvey, to: 10.231.136.253}
- # - {from: perso, to: 10.231.136.1}
- # - {from: webnews, to: 10.231.136.63}
- # - {from: re2o, to: 10.231.136.9}
- # - {from: intranet, to: 10.231.136.9}
- # - {from: autoconfig, to: 10.231.136.46}
diff --git a/group_vars/reverseproxy.yml b/group_vars/reverseproxy.yml
index eae6745f..cd01d6a3 100644
--- a/group_vars/reverseproxy.yml
+++ b/group_vars/reverseproxy.yml
@@ -17,8 +17,8 @@ nginx: - crans.eu - crans.fr
- reverseproxy_sites: []
- # # Services web Crans
+ reverseproxy_sites:
+ # Services web Crans
# - {from: lutim.crans.org, to: 10.231.136.69} # - {from: zero.crans.org, to: 10.231.136.76} # - {from: pad.crans.org, to: "10.231.136.76:9001"}
@@ -47,7 +47,7 @@ nginx: # - {from: autoconfig.crans.org, to: 10.231.136.46} # - {from: grafana.crans.org, to: "10.231.136.102:3000"} # - {from: webirc.crans.org, to: "10.231.136.1:9000"}
- # - {from: framadate.crans.org, to: 10.231.136.153}
+ - {from: framadate.crans.org, to: 172.16.10.109}
# - {from: mailman.crans.org, to: 10.231.136.180} # # # Zamok
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index 2e9c8b26..377a0ad2 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -12,7 +12,9 @@ - name: Lookup DNS masters IPv4 set_fact:
- dns_masters_ipv4: "{{ bind.masters | json_query('servers[].interface[?vlan_id==`2`].ipv4[]') }}"
+ #dns_masters_ipv4: "{{ bind.masters | json_query('servers[].interface[?vlan_id==`2`].ipv4[]') }}"
+ dns_masters_ipv4:
+ - "185.230.79.9"
cacheable: true - name: Add DNS credentials
-- GitLab
From 16d05e9789870495fbee0069e258fa65121c582e Mon Sep 17 00:00:00 2001
From: shirenn <shirenn@crans.org>
Date: Tue, 18 Aug 2020 19:10:00 +0200
Subject: [PATCH 4/4] [hosts] tu as bien voyager(.adm.crans.org)
---
 hosts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hosts b/hosts
index 328a1f21..f333d410 100644
--- a/hosts
+++ b/hosts
@@ -71,6 +71,7 @@ daniel.adm.crans.org jack.adm.crans.org [crans_vm]
+voyager.adm.crans.org
silice.adm.crans.org routeur-sam.adm.crans.org routeur-daniel.adm.crans.org
-- GitLab
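Review bot: `dns_masters_ipv4` becomes the hard-coded literal `"185.230.79.9"` inside the role's task list, with the former `json_query` lookup kept as a commented-out line and no explanation of why the dynamic lookup was bypassed. This fact presumably feeds the next task, `Add DNS credentials`, so a stale address silently breaks certificate renewal rather than failing loudly. Move the literal to a role default or group var and leave the reason in place, e.g. `# re2oapi lookup bypassed in 1f16dc8; override dns_masters_ipv4 in group_vars when the DNS master moves`. The `set_fact` task's opening and its `cacheable: true` line lie partly outside the hunk.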