From 76421036b2fc160d1d71f92775400f1ffd60eaac Mon Sep 17 00:00:00 2001 From: Benjamin Graillot <graillot@crans.org> Date: Sun, 19 Jul 2020 14:57:32 +0200 Subject: [PATCH 01/56] [home-nounous] added home-nounous role --- roles/home-nounous/tasks/main.yml | 13 +++++++++++++ .../templates/systemd/system/home.mount.j2 | 14 ++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 roles/home-nounous/tasks/main.yml create mode 100644 roles/home-nounous/templates/systemd/system/home.mount.j2 diff --git a/roles/home-nounous/tasks/main.yml b/roles/home-nounous/tasks/main.yml new file mode 100644 index 00000000..41e03224 --- /dev/null +++ b/roles/home-nounous/tasks/main.yml @@ -0,0 +1,13 @@ +--- +- name: Deploy nfs systemd mount + template: + src: systemd/system/home.mount.j2 + dest: /etc/systemd/system/home.mount + mode: 0755 + +- name: Load and activate nfs systemd mount + systemd: + name: home.mount + daemon_reload: true + enabled: true + state: started diff --git a/roles/home-nounous/templates/systemd/system/home.mount.j2 b/roles/home-nounous/templates/systemd/system/home.mount.j2 new file mode 100644 index 00000000..8f9babaf --- /dev/null +++ b/roles/home-nounous/templates/systemd/system/home.mount.j2 @@ -0,0 +1,14 @@ +{{ ansible_header | comment }} +[Unit] +Description=Mount home +Wants=network-online.target +After=network-online.target + +[Mount] +What=tealc.adm.crans.org:/pool/home +Where=/home +Type=nfs +Options=rw,nosuid + +[Install] +WantedBy=multi-user.target -- GitLab From 391d855fa7c697d241c11f33388903609c3f84ec Mon Sep 17 00:00:00 2001 
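Review bot: `mode: 0755` on the template task that deploys `home.mount` gives a systemd unit file an execute bit it does not need, and the unquoted leading-zero literal is read as an octal integer by YAML 1.1 loaders rather than as the string the Ansible docs show; `mode: "0644"` is the conventional value for a unit file and avoids the implicit-typing trap. The same unquoted-octal form recurs as `mode: 0600` in the slapd role's template task in patch 08 of this series; quoting it there too keeps the roles consistent.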
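Review bot: `Options=rw,nosuid` on the NFS-backed `/home` mount omits `nodev`; a user-writable filesystem sourced from the network is the usual place to also refuse device nodes, so `Options=rw,nosuid,nodev`. The unit carries no `sec=` option either, so the export is mounted with the default AUTH_SYS flavour and access control rests entirely on the server's export list and the client address; if that is the intended model for the adm network, a one-line comment in the `[Mount]` section saying so would spare the next reader the question.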
From: Benjamin Graillot <graillot@crans.org> Date: Sun, 19 Jul 2020 15:30:38 +0200 Subject: [PATCH 02/56] [ldap-client] use nounous ldap --- roles/ldap-client/tasks/main.yml | 32 +++++++++++--------- roles/ldap-client/templates/bin/chsh.j2 | 4 --- roles/ldap-client/templates/bin/chsh.ldap.j2 | 4 --- roles/ldap-client/templates/bin/passwd.j2 | 3 -- roles/ldap-client/templates/nslcd.conf.j2 | 30 ++++++++---------- 5 files changed, 30 insertions(+), 43 deletions(-) delete mode 100644 roles/ldap-client/templates/bin/chsh.j2 delete mode 100644 roles/ldap-client/templates/bin/chsh.ldap.j2 delete mode 100644 roles/ldap-client/templates/bin/passwd.j2 diff --git a/roles/ldap-client/tasks/main.yml b/roles/ldap-client/tasks/main.yml index 8195e6f1..f03a809f 100644 --- a/roles/ldap-client/tasks/main.yml +++ b/roles/ldap-client/tasks/main.yml @@ -4,17 +4,14 @@ apt: update_cache: true name: - - nslcd - libnss-ldapd - - libpam-ldapd - - nscd # local cache state: present register: apt_result retries: 3 until: apt_result is succeeded # Configure /etc/nslcd.conf -- name: Configure nslcd LDAP credentials +- name: Configure nslcd template: src: nslcd.conf.j2 dest: /etc/nslcd.conf @@ -26,20 +23,27 @@ lineinfile: dest: /etc/nsswitch.conf regexp: "^{{ item }}:" - line: "{{ item }}: files ldap" + line: "{{ item }}: files systemd ldap" loop: - passwd - group + notify: Restart nslcd service + +- name: Configure NSS to use LDAP + lineinfile: + dest: /etc/nsswitch.conf + regexp: "^{{ item }}:" + line: "{{ item }}: files ldap" + loop: - shadow + - networks notify: Restart nslcd service -# Disable passwd and chsh -- name: Copy passwd and chsh scripts - template: - src: "bin/{{ item }}.j2" - dest: "/usr/local/bin/{{ item }}" - mode: 0755 +- name: Configure NSS to use LDAP + lineinfile: + dest: /etc/nsswitch.conf + regexp: "^{{ item }}:" + line: "{{ item }}: files dns ldap" loop: - - chsh - - chsh.ldap - - passwd + - hosts + notify: Restart nslcd service 
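Review bot: The first hunk drops `libpam-ldapd` and `nscd` from the package list while the commit message only says "use nounous ldap"; removing the PAM module changes who can authenticate on every server, which deserves a sentence in the message or a comment above the task such as `# LDAP is used for NSS only; PAM authentication stays local`. `nslcd` is also removed from the list although the retained nslcd.conf task and the "Restart nslcd service" handler still depend on it; on Debian it is pulled in as a dependency of libnss-ldapd as far as I know, but keeping it explicit in `name:` makes the role self-describing.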
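Review bot: The three tasks at the end of the second hunk all carry the name `Configure NSS to use LDAP`, so play output and `--start-at-task` cannot tell them apart; naming them by the databases they touch (`Configure NSS to use LDAP for shadow and networks`, `Configure NSS to use LDAP for hosts`) fixes that. Adding `hosts` and `networks` to nsswitch also puts nslcd in the path of every name lookup on the host, a new availability dependency the commit does not mention; it interacts with the removal of `timelimit`/`bind_timelimit` in this patch's nslcd.conf hunk and with the `nscd` removal above, so a short comment on the hosts task stating that this is intended would help.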
diff --git a/roles/ldap-client/templates/bin/chsh.j2 b/roles/ldap-client/templates/bin/chsh.j2 deleted file mode 100644 index 37462f78..00000000 --- a/roles/ldap-client/templates/bin/chsh.j2 +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh -{{ ansible_header | comment }} -echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}" - diff --git a/roles/ldap-client/templates/bin/chsh.ldap.j2 b/roles/ldap-client/templates/bin/chsh.ldap.j2 deleted file mode 100644 index 175fdfc1..00000000 --- a/roles/ldap-client/templates/bin/chsh.ldap.j2 +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh -{{ ansible_header | comment }} -echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}" -echo "De toutes façons la vraie commande aurait pas marché, on installe pas nslcd-utils sur les serveurs normalement." diff --git a/roles/ldap-client/templates/bin/passwd.j2 b/roles/ldap-client/templates/bin/passwd.j2 deleted file mode 100644 index 40b04126..00000000 --- a/roles/ldap-client/templates/bin/passwd.j2 +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -{{ ansible_header | comment }} -echo "Pour changer votre mot de passe,\nAllez sur l'intranet : {{intranet_url}}" diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2 index e634dd23..f55c1a67 100644 --- a/roles/ldap-client/templates/nslcd.conf.j2 +++ b/roles/ldap-client/templates/nslcd.conf.j2 
@@ -1,35 +1,30 @@ {{ ansible_header | comment }} +# /etc/nslcd.conf +# nslcd configuration file. See nslcd.conf(5) +# for details. # The user and group nslcd should run as. uid nslcd gid nslcd # The location at which the LDAP server(s) should be reachable. -{% if ldap_local_replica_uri is defined %} -{% for uri in ldap_local_replica_uri %} -uri {{ uri }} +{% if ldap.local %} +uri ldapi:/// +{% else %} +{% for server in ldap.servers %} +uri ldaps://{{ server }}/ {% endfor %} {% endif %} -uri {{ ldap_master_uri }} # The search base that will be used for all queries. -base {{ ldap_base }} -base passwd {{ ldap_user_tree }} -base shadow {{ ldap_user_tree }} -base group ou=posix,ou=groups,{{ ldap_base }} +base dc=crans,dc=org # The LDAP protocol version to use. -ldap_version 3 - -# Time limit to wait for an answer -timelimit 5 - -# Time limit to wait for a bind -bind_timelimit 5 +#ldap_version 3 # The DN to bind with for normal lookups. -binddn {{ ldap_nslcd_bind_dn }} -bindpw {{ ldap_nslcd_passwd }} +#binddn cn=annonymous,dc=example,dc=net +#bindpw secret # The DN used for password modifications by root. #rootpwmoddn cn=admin,dc=example,dc=com @@ -41,4 +36,3 @@ tls_cacertfile /etc/ssl/certs/ca-certificates.crt # The search scope. #scope sub - -- GitLab From 2310a08594f88bc5541688ddada90d95d6a37205 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot <graillot@crans.org> Date: Sun, 19 Jul 2020 18:04:59 +0200 Subject: [PATCH 03/56] [home-nounous] install nfs-common --- roles/home-nounous/tasks/main.yml | 10 ++++++++++ .../templates/systemd/system/home.mount.j2 | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/roles/home-nounous/tasks/main.yml b/roles/home-nounous/tasks/main.yml index 41e03224..25c533e0 100644 --- a/roles/home-nounous/tasks/main.yml +++ b/roles/home-nounous/tasks/main.yml 
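Review bot: The new `uri ldaps://{{ server }}/` lines are rendered from `ldap.servers`, which the group_vars added later in this series populate with bare IP addresses; verification against `tls_cacertfile /etc/ssl/certs/ca-certificates.crt` (still present in the second hunk's context) then requires the server certificate to carry an IP SAN, otherwise lookups fail or, if `tls_reqcert` is ever relaxed, the TLS layer verifies nothing. The hunk also removes `timelimit 5` and `bind_timelimit 5` without replacement, so searches fall back to nslcd's defaults, which I believe are unbounded for `timelimit`; with hosts and networks resolution now routed through nslcd, a hung LDAP server would stall name resolution host-wide. Keeping explicit `timelimit 5` / `bind_timelimit 5` lines and adding `tls_reqcert demand` would pin both behaviours.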
@@ -1,4 +1,14 @@ --- +- name: Install NFS client + apt: + update_cache: true + name: + - nfs-common + state: present + register: apt_result + retries: 3 + until: apt_result is succeeded + - name: Deploy nfs systemd mount template: src: systemd/system/home.mount.j2 diff --git a/roles/home-nounous/templates/systemd/system/home.mount.j2 b/roles/home-nounous/templates/systemd/system/home.mount.j2 index 8f9babaf..d0464e90 100644 --- a/roles/home-nounous/templates/systemd/system/home.mount.j2 +++ b/roles/home-nounous/templates/systemd/system/home.mount.j2 @@ -5,7 +5,7 @@ Wants=network-online.target After=network-online.target [Mount] -What=tealc.adm.crans.org:/pool/home +What=172.16.1.1:/pool/home Where=/home Type=nfs Options=rw,nosuid -- GitLab From 52e237b0cf71de6feb07b251a01235241bf07f6c Mon Sep 17 00:00:00 2001 From: Maxime Bombar <bombar@crans.org> Date: Mon, 27 Jul 2020 23:08:27 +0200 Subject: [PATCH 04/56] [New-infra] Deploy ldap and nfs with base system. --- base.yml | 59 ++++-- group_vars/crans_vm/vars.yml | 4 + hosts | 220 +++------------------- plays/nfs.yml | 10 +- roles/ldap-client/templates/nslcd.conf.j2 | 2 +- 5 files changed, 74 insertions(+), 221 deletions(-) create mode 100644 group_vars/crans_vm/vars.yml diff --git a/base.yml b/base.yml index 4b1b5008..f1d27d16 100755 --- a/base.yml +++ b/base.yml 
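Review bot: The NFS server is now hard-coded as `172.16.1.1` inside the unit template, while the very same address is introduced as the `ldap.servers` group variable in a later patch of this series; rendering `What={{ nfs_home_server }}:/pool/home` from a variable keeps one place to update when the address changes. The hunk gives no reason for replacing the hostname with an address; if it is because `/home` must be mountable before LDAP-backed name resolution is up, that ordering assumption belongs in a comment in the unit.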
@@ -1,13 +1,20 @@ #!/usr/bin/env ansible-playbook --- # Set variable adm_iface for all servers -- import_playbook: plays/get_adm_iface.yml +# - hosts: server +# tasks: +# - name: Register adm interface in adm_iface variable +# shell: set -o pipefail && grep adm /sys/class/net/*/ifalias | sed "s|/sys/class/net/||" | sed "s|/ifalias:.*||" +# register: adm_iface +# check_mode: false +# changed_when: true +# args: +# executable: /bin/bash # Common CRANS configuration for all servers - hosts: server vars: - # Debian mirror on adm - debian_mirror: http://mirror.adm.crans.org/debian + debian_mirror: http://mirror.crans.org/debian # tmp debian_components: main non-free # LDAP binding 
@@ -30,23 +37,47 @@ # Will be in /usr/scripts/ crans_scripts_git: "http://gitlab.adm.crans.org/nounous/scripts.git" - # NTP servers - ntp_servers: - - charybde.adm.crans.org - - silice.adm.crans.org + # # NTP servers + # ntp_servers: + # - charybde.adm.crans.org + # - silice.adm.crans.org roles: - common-tools - debian-apt-sources - ldap-client - openssh - sudo - - ntp-client - - crans-scripts + # - ntp-client + # - crans-scripts - root-config -- import_playbook: plays/mail.yml +# Deploy LDAP replica +- hosts: odlyd.adm.crans.org,soyouz.adm.crans.org,fy.adm.crans.org,thot.adm.crans.org + roles: [] # TODO + +- hosts: otis.adm.crans.org + roles: + - ansible + +# Tools for members +- hosts: zamok.adm.crans.org + roles: + - zamok-tools + +# - import_playbook: plays/mail.yml - import_playbook: plays/nfs.yml -- import_playbook: plays/logs.yml -- import_playbook: plays/backup.yml -- import_playbook: plays/network-interfaces.yml -- import_playbook: plays/monitoring.yml +# - import_playbook: plays/logs.yml +# - import_playbook: plays/backup.yml +# - import_playbook: plays/network-interfaces.yml +# - import_playbook: plays/monitoring.yml +# - import_playbook: plays/generate_documentation.yml + +# Services that only apply to a subset of server +- import_playbook: plays/tv.yml +- import_playbook: plays/mailman.yml +- import_playbook: plays/dhcp.yml +- import_playbook: plays/dns.yml +- import_playbook: plays/wireguard.yml +- import_playbook: plays/mirror.yml +- import_playbook: plays/owncloud.yml +- import_playbook: plays/reverse-proxy.yml diff --git a/group_vars/crans_vm/vars.yml b/group_vars/crans_vm/vars.yml new file mode 100644 index 00000000..6c6608cb --- /dev/null +++ b/group_vars/crans_vm/vars.yml @@ -0,0 +1,4 @@ +ldap: + local: False + servers: ["172.16.1.1"] + base: "dc=crans,dc=org" diff --git a/hosts b/hosts index 9a3ce0e9..1c74dfbe 100644 --- a/hosts +++ b/hosts 
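Review bot: The play `- hosts: odlyd.adm.crans.org,soyouz.adm.crans.org,fy.adm.crans.org,thot.adm.crans.org` is added with `roles: [] # TODO`, so it does nothing except gather facts on four hosts, and the hunk in the same patch for the `hosts` inventory removes most of the entries it names; commenting the play out, as the surrounding `# - import_playbook` lines do, states the intent more clearly than an empty role list. Leaving the old NTP configuration, the old playbook imports and the new service imports as commented blocks in one file also makes it hard to tell what is retired from what is pending; a one-line comment per block (`# TODO: re-enable once … is migrated`) would separate the two.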
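Review bot: `local: False` in the new `group_vars/crans_vm/vars.yml` uses the capitalised YAML 1.1 boolean spelling; `local: false` is the canonical form and the one yamllint's truthy rule accepts, and the file also lacks a leading `---`. The same two points apply to `group_vars/crans_server/vars.yml` in patch 06, which copies this content when the crans_vm file is deleted.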
@@ -4,208 +4,35 @@ # > We name servers according to location, then type. # > Then we regroup everything in global geographic and type groups. -[horde] -horde-srv.adm.crans.org - -[framadate] -voyager.adm.crans.org - -[dhcp] -dhcp.adm.crans.org -odlyd.adm.crans.org - -[keepalived] -gulp.adm.crans.org -odlyd.adm.crans.org -eap.adm.crans.org -radius.adm.crans.org -frontdaur.adm.crans.org -bakdaur.adm.crans.org - -[test_vm] -re2o-test.adm.crans.org +# [horde] +# horde-srv.adm.crans.org +# +# [framadate] +# voyager.adm.crans.org +# +# [dhcp] +# dhcp.adm.crans.org +# odlyd.adm.crans.org +# +# [keepalived] +# gulp.adm.crans.org +# odlyd.adm.crans.org +# eap.adm.crans.org +# radius.adm.crans.org +# frontdaur.adm.crans.org +# bakdaur.adm.crans.org +# +# [test_vm] +# re2o-test.adm.crans.org [crans_physical] -charybde.adm.crans.org -cochon.adm.crans.org -ft.adm.crans.org -fyre.adm.crans.org -fz.adm.crans.org -gateau.adm.crans.org -gulp.adm.crans.org -odlyd.adm.crans.org -omnomnom.adm.crans.org -stitch.adm.crans.org -thot.adm.crans.org -vo.adm.crans.org -zamok.adm.crans.org -zbee.adm.crans.org -zephir.adm.crans.org +tealc +daniel [crans_vm] -alice.adm.crans.org -bakdaur.adm.crans.org -boeing.adm.crans.org -cas-srv.adm.crans.org -#civet.adm.crans.org -#cups.adm.crans.org -dhcp.adm.crans.org -eap.adm.crans.org -ethercalc-srv.adm.crans.org -frontdaur.adm.crans.org -gitzly.adm.crans.org -horde-srv.adm.crans.org -ipv6-zayo.adm.crans.org -irc.adm.crans.org -jitsi.adm.crans.org -kenobi.adm.crans.org -kiwi.adm.crans.org -lutim.adm.crans.org -#mediadrop-srv.adm.crans.org -mailman.adm.crans.org -nem.adm.crans.org -#news.adm.crans.org -otis.adm.crans.org -owl.adm.crans.org -owncloud-srv.adm.crans.org -radius.adm.crans.org -re2o-bcfg2.adm.crans.org -re2o-ldap.adm.crans.org -re2o-srv.adm.crans.org -redisdead.adm.crans.org -roundcube-srv.adm.crans.org -routeur.adm.crans.org -silice.adm.crans.org -titanic.adm.crans.org -tracker.adm.crans.org -unifi.adm.crans.org -voyager.adm.crans.org 
-xmpp.adm.crans.org -ytrap-llatsni.adm.crans.org -sitesweb.adm.crans.org - -[crans_unifi] -0g-2.borne.crans.org -0g-3.borne.crans.org -0g-4.borne.crans.org -0h-2.borne.crans.org -0h-3.borne.crans.org -0m-2.borne.crans.org -1g-1.borne.crans.org -1g-3.borne.crans.org -1g-4.borne.crans.org -1g-5.borne.crans.org -1h-2.borne.crans.org -1h-3.borne.crans.org -1i-2.borne.crans.org -1i-3.borne.crans.org -1j-2.borne.crans.org -1j-3.borne.crans.org -1m-1.borne.crans.org -1m-2.borne.crans.org -1m-5.borne.crans.org -2a-1.borne.crans.org -2b-3.borne.crans.org -2c-2.borne.crans.org -2c-3.borne.crans.org -2g-1.borne.crans.org -2g-3.borne.crans.org -2g-5.borne.crans.org -2h-2.borne.crans.org -2h-3.borne.crans.org -2i-2.borne.crans.org -2i-3.borne.crans.org -2j-2.borne.crans.org -2j-3.borne.crans.org -2m-2.borne.crans.org -3a-2.borne.crans.org -3b-3.borne.crans.org -3c-2.borne.crans.org -3c-3.borne.crans.org -3g-1.borne.crans.org -3g-5.borne.crans.org -3h-2.borne.crans.org -3h-3.borne.crans.org -3i-2.borne.crans.org -3i-3.borne.crans.org -3j-2.borne.crans.org -3m-2.borne.crans.org -3m-4.borne.crans.org -3m-5.borne.crans.org -4a-1.borne.crans.org -4a-2.borne.crans.org -4a-3.borne.crans.org -4b-1.borne.crans.org -4c-2.borne.crans.org -4c-3.borne.crans.org -4g-1.borne.crans.org -4g-3.borne.crans.org -4g-5.borne.crans.org -4h-2.borne.crans.org -4h-3.borne.crans.org -4i-2.borne.crans.org -4i-3.borne.crans.org -4j-1.borne.crans.org -4j-2.borne.crans.org -4j-3.borne.crans.org -4m-2.borne.crans.org -4m-4.borne.crans.org -5a-1.borne.crans.org -5b-1.borne.crans.org -5c-1.borne.crans.org -5g-1.borne.crans.org -5g-3.borne.crans.org -5m-4.borne.crans.org -6a-1.borne.crans.org -6a-2.borne.crans.org -6c-1.borne.crans.org -adonis.borne.crans.org # 5a -atlas.borne.crans.org # 1a -baba-au-rhum.borne.crans.org # 3b -bacchus.borne.crans.org # 1b -baucis.borne.crans.org # 2b -bellerophon.borne.crans.org # 2b -benedict-cumberbatch.borne.crans.org # 1b -benthesicyme.borne.crans.org # 4b 
-boree.borne.crans.org # 6b -branchos.borne.crans.org # 3b -calypso.borne.crans.org # 4c -chaos.borne.crans.org # 1c -chronos.borne.crans.org # 2c -crios.borne.crans.org # 3c -gaia.borne.crans.org # 0g -hades.borne.crans.org # 4h -hephaistos.borne.crans.org # 1h -hermes.borne.crans.org # 3h -hypnos.borne.crans.org # 2h -iaso.borne.crans.org # 1i -idothee.borne.crans.org # 3i -idyie.borne.crans.org # 0i -ino.borne.crans.org # 2i -ioke.borne.crans.org # 4i -jaipudidees.borne.crans.org # 2j -jaipudpapier.borne.crans.org # 3j -japavolonte.borne.crans.org # 1j -jesuischarlie.borne.crans.org # 0j -jveuxduwifi.borne.crans.org # 0j -mania.borne.crans.org # 2m -marquis.borne.crans.org # manoir -mercure.borne.crans.org # 3m -#5m-5.borne.crans.org Déplacée au 2b - -# TODO Récupérer ces bornes -#kakia.borne.crans.org # kfet -#koios.borne.crans.org # kfet -#gym-1.borne.crans.org # gymnase -#gym-2.borne.crans.org # gymnase -#0d-1.borne.crans.org - -# TODO La fibre vers le resto U est coupée. -#rhea.borne.crans.org # resto-univ -#romulus.borne.crans.org # resto-univ +belenios # on changera plus tard [ovh_physical] -soyouz.adm.crans.org sputnik.adm.crans.org # every server at crans @@ -217,7 +44,6 @@ crans_vm [crans:children] crans_physical crans_vm -crans_unifi # everything at ovh [ovh:children] diff --git a/plays/nfs.yml b/plays/nfs.yml index 61ccb4da..e4f243ca 100755 --- a/plays/nfs.yml +++ b/plays/nfs.yml @@ -7,12 +7,4 @@ # Deploy NFS only on campus - hosts: crans_server - roles: ["nfs-common"] - -# Deploy autofs NFS -- hosts: crans_server,!odlyd.adm.crans.org,!zamok.adm.crans.org,!omnomnom.adm.crans.org,!owl.adm.crans.org,!owncloud-srv.adm.crans.org - roles: ["nfs-autofs"] - -# Deploy home permanent -- hosts: zamok.adm.crans.org,omnomnom.adm.crans.org,owl.adm.crans.org,owncloud-srv.adm.crans.org - roles: ["home-permanent"] + roles: ["home-nounous"] 
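Review bot: `plays/nfs.yml` now applies `home-nounous` — an rw NFS mount of `/home` — to every host in `crans_server`, where the previous version deliberately excluded several hosts and gave others a different role; with patch 06 later adding `crans_routeurs` to that group, routers would mount the shared home as well. If hosts without interactive users are not meant to see the export, a narrower target (for example a dedicated `nfs_home` group in `hosts`) keeps the set of clients that can reach the export small and explicit. The header comment `# Deploy NFS only on campus` above the hunk no longer describes what the play does and should be updated with it.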
diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2 index f55c1a67..aa1db15f 100644 --- a/roles/ldap-client/templates/nslcd.conf.j2 +++ b/roles/ldap-client/templates/nslcd.conf.j2 @@ -17,7 +17,7 @@ uri ldaps://{{ server }}/ {% endif %} # The search base that will be used for all queries. -base dc=crans,dc=org +base {{ ldap.base }} # The LDAP protocol version to use. #ldap_version 3 -- GitLab From 7011f816efaad7690cb494e653829e19341f1bb6 Mon Sep 17 00:00:00 2001 From: Maxime Bombar <bombar@crans.org> Date: Mon, 27 Jul 2020 23:09:10 +0200 Subject: [PATCH 05/56] [ldap-client] host looks into ldap before making a dns request --- roles/ldap-client/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ldap-client/tasks/main.yml b/roles/ldap-client/tasks/main.yml index f03a809f..03e68841 100644 --- a/roles/ldap-client/tasks/main.yml +++ b/roles/ldap-client/tasks/main.yml @@ -43,7 +43,7 @@ lineinfile: dest: /etc/nsswitch.conf regexp: "^{{ item }}:" - line: "{{ item }}: files dns ldap" + line: "{{ item }}: files ldap dns" loop: - hosts notify: Restart nslcd service -- GitLab From f071959bd8a085cff0f793213027a76bd6933b66 Mon Sep 17 00:00:00 2001 From: Maxime Bombar <bombar@crans.org> Date: Tue, 28 Jul 2020 11:19:56 +0200 Subject: [PATCH 06/56] [New-infra] Restruture hosts file --- group_vars/crans_server/vars.yml | 9 +++++++++ group_vars/crans_vm/vars.yml | 4 ---- hosts | 8 ++++++-- 3 files changed, 15 insertions(+), 6 deletions(-) create mode 100644 group_vars/crans_server/vars.yml delete mode 100644 group_vars/crans_vm/vars.yml diff --git a/group_vars/crans_server/vars.yml b/group_vars/crans_server/vars.yml new file mode 100644 index 00000000..75c8f4d8 --- /dev/null +++ b/group_vars/crans_server/vars.yml 
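Review bot: Ordering `hosts` as `files ldap dns` makes every name lookup on every server wait on nslcd before DNS is consulted; if the LDAP server is unreachable each lookup is delayed by nslcd's bind timeout first, and since patch 02 removed `nscd` there is no local cache to absorb that. It also means a host entry in the directory overrides the DNS answer for the same name on all clients, so the directory's write ACLs become part of the name-resolution trust model; if that is intended for the adm network, a comment on the task such as `# LDAP host entries deliberately take precedence over DNS` documents it, otherwise keep `dns` before `ldap`.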
@@ -0,0 +1,9 @@ +ldap: + local: False + servers: ["172.16.1.1"] + base: "dc=crans,dc=org" + + +# Parameters for debian mirror +debian_mirror: http://mirror.adm.crans.org/debian +debian_components: main non_free diff --git a/group_vars/crans_vm/vars.yml b/group_vars/crans_vm/vars.yml deleted file mode 100644 index 6c6608cb..00000000 --- a/group_vars/crans_vm/vars.yml +++ /dev/null @@ -1,4 +0,0 @@ -ldap: - local: False - servers: ["172.16.1.1"] - base: "dc=crans,dc=org" diff --git a/hosts b/hosts index 1c74dfbe..4948050b 100644 --- a/hosts +++ b/hosts @@ -25,6 +25,9 @@ # [test_vm] # re2o-test.adm.crans.org +[crans_routeurs] +routeur-daniel + [crans_physical] tealc daniel @@ -39,11 +42,11 @@ sputnik.adm.crans.org [crans_server:children] crans_physical crans_vm +crans_routeurs # everything at crans [crans:children] -crans_physical -crans_vm +crans_server # everything at ovh [ovh:children] @@ -57,6 +60,7 @@ ovh_physical # every virtual machine [vm:children] crans_vm +crans_routeurs # every server [server:children] -- GitLab From ae189b7b775559d2c03412b3929cc33701915871 Mon Sep 17 00:00:00 2001 From: Maxime Bombar <bombar@crans.org> Date: Tue, 28 Jul 2020 11:20:15 +0200 Subject: [PATCH 07/56] [new-infra] base.yml --- base.yml | 44 +++++++++++++++----------------------------- 1 file changed, 15 insertions(+), 29 deletions(-) diff --git a/base.yml b/base.yml index f1d27d16..48ce4654 100755 --- a/base.yml +++ b/base.yml 
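Review bot: `debian_components: main non_free` misspells the Debian component: the archive names it `non-free`, and the value this replaces in base.yml was `main non-free`, so the rendered sources list will reference a component that does not exist and apt will fail to fetch it. Change the line to `debian_components: main non-free`.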
@@ -14,32 +14,18 @@ # Common CRANS configuration for all servers - hosts: server vars: - debian_mirror: http://mirror.crans.org/debian # tmp - debian_components: main non-free - - # LDAP binding - ldap_base: 'dc=crans,dc=org' - ldap_master_ipv4: '10.231.136.19' - ldap_local_replica_uri: - - "ldap://10.231.136.38" - - "ldap://10.231.136.4" - ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}" - ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}" - ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}" - ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}" - # Group permissions ssh_allow_groups: ssh nounou apprenti cableur root # Scripts will tell users to go there to manage their account intranet_url: 'https://intranet.crans.org/' - # Will be in /usr/scripts/ - crans_scripts_git: "http://gitlab.adm.crans.org/nounous/scripts.git" + # # Will be in /usr/scripts/ + # crans_scripts_git: "http://gitlab.adm.crans.org/nounous/scripts.git" - # # NTP servers - # ntp_servers: - # - charybde.adm.crans.org + # NTP servers + ntp_servers: + - charybde.adm.crans.org # - silice.adm.crans.org roles: - common-tools @@ -47,7 +33,7 @@ - ldap-client - openssh - sudo - # - ntp-client + - ntp-client # - crans-scripts - root-config @@ -62,7 +48,7 @@ # Tools for members - hosts: zamok.adm.crans.org roles: - - zamok-tools +# - zamok-tools # - import_playbook: plays/mail.yml - import_playbook: plays/nfs.yml 
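Review bot: In the third hunk the `- hosts: zamok.adm.crans.org` play is left with a `roles:` key whose only entry is commented out, which makes the key an empty value; Ansible appears to tolerate that, but a play with neither roles nor tasks still gathers facts for nothing and reads as an oversight, so comment the whole play out or drop it until `zamok-tools` is ready. The first hunk removes the `ldap_nslcd_bind_dn` / `ldap_nslcd_passwd` variables, which matches the anonymous bind now templated into nslcd.conf; a comment next to `- ldap-client` in the roles list noting that lookups are anonymous would save the next reader the cross-reference.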
@@ -73,11 +59,11 @@ # - import_playbook: plays/generate_documentation.yml # Services that only apply to a subset of server -- import_playbook: plays/tv.yml -- import_playbook: plays/mailman.yml -- import_playbook: plays/dhcp.yml -- import_playbook: plays/dns.yml -- import_playbook: plays/wireguard.yml -- import_playbook: plays/mirror.yml -- import_playbook: plays/owncloud.yml -- import_playbook: plays/reverse-proxy.yml +# - import_playbook: plays/tv.yml +# - import_playbook: plays/mailman.yml +# - import_playbook: plays/dhcp.yml +# - import_playbook: plays/dns.yml +# - import_playbook: plays/wireguard.yml +# - import_playbook: plays/mirror.yml +# - import_playbook: plays/owncloud.yml +# - import_playbook: plays/reverse-proxy.yml -- GitLab From 19685dc466fcf14936a3fe262f3f484804f01211 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot <graillot@crans.org> Date: Fri, 17 Jul 2020 22:32:14 +0200 Subject: [PATCH 08/56] [slapd] added slapd role --- ldap.yml | 11 ++ roles/slapd/handlers/main.yml | 6 + roles/slapd/tasks/main.yml | 30 ++++ roles/slapd/templates/ldap/slapd.conf.j2 | 195 +++++++++++++++++++++++ 4 files changed, 242 insertions(+) create mode 100755 ldap.yml create mode 100644 roles/slapd/handlers/main.yml create mode 100644 roles/slapd/tasks/main.yml create mode 100644 roles/slapd/templates/ldap/slapd.conf.j2 diff --git a/ldap.yml b/ldap.yml new file mode 100755 index 00000000..04c56eaf --- /dev/null +++ b/ldap.yml @@ -0,0 +1,11 @@ +#!/usr/bin/env ansible-playbook +--- +- hosts: daniel.adm.crans.org + vars: + ldap: + replica: true + master_ip: 172.16.1.1 # faire une query pour l'adresse de tealc sur le ldap + replica_rid: 2 + ip: 172.16.1.12 + roles: + - slapd diff --git a/roles/slapd/handlers/main.yml b/roles/slapd/handlers/main.yml new file mode 100644 index 00000000..c8b9f3c0 --- /dev/null +++ b/roles/slapd/handlers/main.yml @@ -0,0 +1,6 @@ +--- + +- name: Restart slapd + service: + name: slapd.service + state: restarted 
diff --git a/roles/slapd/tasks/main.yml b/roles/slapd/tasks/main.yml new file mode 100644 index 00000000..f1ff8b87 --- /dev/null +++ b/roles/slapd/tasks/main.yml @@ -0,0 +1,30 @@ +--- +- name: Install slapd + apt: + update_cache: true + name: + - slapd + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Remove slapd config directory + files: + path: /etc/ldap/slapd.d/ + state: absent + +- name: Deploy slapd configuration + template: + src: ldap/slapd.conf.j2 + dest: /etc/slapd/slapd.conf + mode: 0600 + owner: openldap + group: openldap + notify: Restart slapd + +- name: Deploy ldap services + lineinfile: + path: /etc/default/slapd + regexp: '^SLAPD_SERVICES=' + line: 'SLAPD_SERVICES="ldaps://{{ ldap.ip }}/ ldapi:///"' + notify: Restart slapd diff --git a/roles/slapd/templates/ldap/slapd.conf.j2 b/roles/slapd/templates/ldap/slapd.conf.j2 new file mode 100644 index 00000000..95f92a54 --- /dev/null +++ b/roles/slapd/templates/ldap/slapd.conf.j2 
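Review bot: `SLAPD_SERVICES="ldaps://{{ ldap.ip }}/ ldapi:///"` asks slapd to listen on ldaps, but the slapd.conf template in the same patch has every TLS directive commented out under `# TODO FAIRE LES CERTIFICATS`; slapd does not start an ldaps listener without a certificate, so the "Restart slapd" handler will fail until TLS is configured. Either ship the certificate and the `TLSCertificateFile`/`TLSCertificateKeyFile` lines with the role, or render the ldaps URL only when a TLS variable is set. Separately, the "Remove slapd config directory" task silently discards any existing cn=config tree under `/etc/ldap/slapd.d/` without notifying a restart, and the apt task omits `state: present`, which is the default but inconsistent with the other roles in this series.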
@@ -0,0 +1,195 @@ +# This is the main slapd configuration file. See slapd.conf(5) for more +# info on the configuration options. + +####################################################################### +# Global Directives: + +# Schema and objectClass definitions +include /etc/ldap/schema/core.schema +include /etc/ldap/schema/cosine.schema +include /etc/ldap/schema/nis.schema +include /etc/ldap/schema/inetorgperson.schema + +# Where the pid file is put. The init.d script +# will not stop the server if you change this. +pidfile /var/run/slapd/slapd.pid + +# List of arguments that were passed to the server +argsfile /var/run/slapd/slapd.args + +# Read slapd.conf(5) for possible values +loglevel none + +# Where the dynamically loaded modules are stored +modulepath /usr/lib/ldap +moduleload back_mdb +{% if not ldap.replica %} +moduleload auditlog + +overlay auditlog +auditlog /var/log/openldap/auditlog.log + +moduleload syncprov +{% endif %} + +# TODO FAIRE LES CERTIFICATS +# TLS Certificates +#TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3 +#TLSCACertificateFile /etc/ssl/certs/ServENS.crt +#TLSCertificateFile /etc/ldap/ldap.pem +#TLSCertificateKeyFile /etc/ldap/ldap.key + +# The maximum number of entries that is returned for a search operation +sizelimit 500 + +# The tool-threads parameter sets the actual amount of cpu's that is used +# for indexing. 
+tool-threads 1 + +####################################################################### +# Specific Backend Directives for mdb: +# Backend specific directives apply to this backend until another +# 'backend' directive occurs +backend mdb + +####################################################################### +# Specific Backend Directives for 'other': +# Backend specific directives apply to this backend until another +# 'backend' directive occurs +#backend <other> + +####################################################################### +# Specific Directives for database #1, of type mdb: +# Database specific directives apply to this databasse until another +# 'database' directive occurs +database mdb + +# The base of your directory in database #1 +suffix "dc=crans,dc=org" + +# rootdn directive for specifying a superuser on the database. This is needed +# for syncrepl. +rootdn "cn=admin,dc=crans,dc=org" + +# Where the database file are physically stored for database #1 +directory "/var/lib/ldap" + +# The dbconfig settings are used to generate a DB_CONFIG file the first +# time slapd starts. They do NOT override existing an existing DB_CONFIG +# file. You should therefore change these settings in DB_CONFIG directly +# or remove DB_CONFIG and restart slapd for changes to take effect. + +# For the Debian package we use 2MB as default but be sure to update this +# value if you have plenty of RAM +#dbconfig set_cachesize 0 2097152 0 + +# Sven Hartge reported that he had to set this value incredibly high +# to get slapd running at all. See http://bugs.debian.org/303057 for more +# information. + +# Number of objects that can be locked at the same time. 
+#dbconfig set_lk_max_objects 1500 +# Number of locks (both requested and granted) +#dbconfig set_lk_max_locks 1500 +# Number of lockers +#dbconfig set_lk_max_lockers 1500 + +# Indexing options for database #1 +index objectClass eq + +# Save the time that the entry gets modified, for database #1 +lastmod on + +# Checkpoint the BerkeleyDB database periodically in case of system +# failure and to speed slapd shutdown. +checkpoint 512 30 + +{% if ldap.replica %} +syncrepl + rid={{ ldap.replica_rid }} + provider=ldaps://{{ ldap.master_ip }}:636 + bindmethod=simple + binddn="cn=replicator,dc=crans,dc=org" + credentials=test1234 # TODO cranspasswords + searchbase="dc=crans,dc=org" + schemachecking=on + type=refreshOnly + interval=00:00:10:00 + scope=sub + tls_reqcert=allow +{% endif %} + +{% if ldap.replica %} +# The userPassword by default can be changed +# by the entry owning it if they are authenticated. +# Others should not be able to see it, except the +# admin entry below +# These access lines apply to database #1 only +access to attrs=userPassword,shadowLastChange + by anonymous auth + by * none + +# Ensure read access to the base for things like +# supportedSASLMechanisms. Without this you may +# have problems with SASL not knowing what +# mechanisms are available and the like. +# Note that this is covered by the 'access to *' +# ACL below too but if you change that as people +# are wont to do you'll still need this if you +# want SASL (and possible other things) to work +# happily. +access to dn.base="" by * read + +# The admin dn has full write access, everyone else +# can read everything. +access to * + by * read +{% else %} +overlay syncprov + +# The userPassword by default can be changed +# by the entry owning it if they are authenticated. 
+# Others should not be able to see it, except the +# admin entry below +# These access lines apply to database #1 only +access to attrs=userPassword,shadowLastChange + by anonymous auth + by self write + by set="[cn=nounou,ou=group,dc=crans,dc=org]/memberUid & user/uid" write + by dn="cn=replicator,dc=crans,dc=org" read + by * none + +access to attrs=loginShell,mail,telephoneNumber + by self write + by set="[cn=nounou,ou=group,dc=crans,dc=org]/memberUid & user/uid" write + by dn="cn=replicator,dc=crans,dc=org" read + by * read + +# Ensure read access to the base for things like +# supportedSASLMechanisms. Without this you may +# have problems with SASL not knowing what +# mechanisms are available and the like. +# Note that this is covered by the 'access to *' +# ACL below too but if you change that as people +# are wont to do you'll still need this if you +# want SASL (and possible other things) to work +# happily. +access to dn.base="" by * read + +# The admin dn has full write access, everyone else +# can read everything. +access to * + by set="[cn=nounou,ou=group,dc=crans,dc=org]/memberUid & user/uid" write + by dn="cn=replicator,dc=crans,dc=org" read + by * read +{% endif %} + + +####################################################################### +# Specific Directives for database #2, of type 'other' (can be mdb too): +# Database specific directives apply to this databasse until another +# 'database' directive occurs +#database <other> + +# The base of your directory for database #2 +#suffix "dc=debian,dc=org" -- GitLab From 8bbec6135028b3ff10105d0727bc0239c02deb5a Mon Sep 17 00:00:00 2001 From: Benjamin Graillot <graillot@crans.org> Date: Tue, 28 Jul 2020 11:40:23 +0200 Subject: [PATCH 09/56] [slapd] Change replication settings --- roles/slapd/tasks/main.yml | 2 +- roles/slapd/templates/ldap/slapd.conf.j2 | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) 
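Review bot: `tls_reqcert=allow` in the syncrepl block makes the replica accept any certificate on the replication link to `ldaps://{{ ldap.master_ip }}:636`, while `bindmethod=simple` sends the replicator password over that same link, so an unverified peer at the master's address would receive the credential and could feed the replica arbitrary directory content. Use `tls_reqcert=demand` together with `tls_cacert=/etc/ssl/certs/ca-certificates.crt` (or the CA that issues the master's certificate); patch 09 keeps `allow`, so the point still stands at the end of the series. The ACLs on both branches end with `access to * by * read`, so everything except `userPassword`/`shadowLastChange` is anonymously readable; if that is intended for the adm network it deserves a comment, otherwise `by users read` is the safer default. Note also that `overlay auditlog` sits in the global section before any `database` directive, which makes it a global overlay rather than one on the mdb database — confirm that is what is wanted.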
diff --git a/roles/slapd/tasks/main.yml b/roles/slapd/tasks/main.yml index f1ff8b87..111d98ff 100644 --- a/roles/slapd/tasks/main.yml +++ b/roles/slapd/tasks/main.yml @@ -21,7 +21,7 @@ owner: openldap group: openldap notify: Restart slapd - + - name: Deploy ldap services lineinfile: path: /etc/default/slapd diff --git a/roles/slapd/templates/ldap/slapd.conf.j2 b/roles/slapd/templates/ldap/slapd.conf.j2 index 95f92a54..3e539f01 100644 --- a/roles/slapd/templates/ldap/slapd.conf.j2 +++ b/roles/slapd/templates/ldap/slapd.conf.j2 @@ -112,10 +112,12 @@ syncrepl binddn="cn=replicator,dc=crans,dc=org" credentials=test1234 # TODO cranspasswords searchbase="dc=crans,dc=org" - schemachecking=on - type=refreshOnly - interval=00:00:10:00 scope=sub + schemachecking=on + type=refreshAndPersist + timeout=0 + network-timeout=0 + retry="30 20 300 +" tls_reqcert=allow {% endif %} -- GitLab From 2d1a5211c123aa3e53a4774bd74746264bf8bc99 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot <graillot@crans.org> Date: Tue, 28 Jul 2020 11:46:04 +0200 Subject: [PATCH 10/56] [slapd] Use password from vault --- roles/slapd/templates/ldap/slapd.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/slapd/templates/ldap/slapd.conf.j2 b/roles/slapd/templates/ldap/slapd.conf.j2 index 3e539f01..0db098b6 100644 --- a/roles/slapd/templates/ldap/slapd.conf.j2 +++ b/roles/slapd/templates/ldap/slapd.conf.j2 @@ -110,7 +110,7 @@ syncrepl provider=ldaps://{{ ldap.master_ip }}:636 bindmethod=simple binddn="cn=replicator,dc=crans,dc=org" - credentials=test1234 # TODO cranspasswords + credentials={{ ldap.replication_credentials }} searchbase="dc=crans,dc=org" scope=sub schemachecking=on -- GitLab From 9619f3433525acda03cb00d57605b6f33bfe32c6 Mon Sep 17 00:00:00 2001 
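Review bot: `credentials={{ ldap.replication_credentials }}` is rendered unquoted into the syncrepl directive, so a vault value containing whitespace, `#` or a leading quote would break the slapd.conf parse; `credentials="{{ ldap.replication_credentials }}"` matches how `binddn` on the line above is written. Moving the secret out of the template is the right fix; it now lands in `/etc/ldap/slapd.conf`, which the role deploys as `0600 openldap:openldap`, so the file permissions already cover it.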
From: Benjamin Graillot <graillot@crans.org> Date: Tue, 28 Jul 2020 17:11:38 +0200 Subject: [PATCH 11/56] Use host_vars for daniel --- host_vars/daniel | 7 +++++++ ldap.yml | 8 +------- 2 files changed, 8 insertions(+), 7 deletions(-) create mode 100644 host_vars/daniel diff --git a/host_vars/daniel b/host_vars/daniel new file mode 100644 index 00000000..fb2e9883 --- /dev/null +++ b/host_vars/daniel @@ -0,0 +1,7 @@ +--- +ldap: + ip: 172.16.1.12 + replica: true + replica_rid: 2 + master_ip: 172.16.1.1 + replication_credentials: "{{ vault_ldap_replication_credentials }}" diff --git a/ldap.yml b/ldap.yml index 04c56eaf..5a4d03f4 100755 --- a/ldap.yml +++ b/ldap.yml @@ -1,11 +1,5 @@ #!/usr/bin/env ansible-playbook --- -- hosts: daniel.adm.crans.org - vars: - ldap: - replica: true - master_ip: 172.16.1.1 # faire une query pour l'adresse de tealc sur le ldap - replica_rid: 2 - ip: 172.16.1.12 +- hosts: daniel roles: - slapd -- GitLab From 70f180e9a96e4fdb15e5fe3b7d7522b8fe17a304 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot <graillot@crans.org> Date: Tue, 28 Jul 2020 17:12:40 +0200 Subject: [PATCH 12/56] [slapd] fix role --- roles/slapd/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/slapd/tasks/main.yml b/roles/slapd/tasks/main.yml index 111d98ff..fb082ac1 100644 --- a/roles/slapd/tasks/main.yml +++ b/roles/slapd/tasks/main.yml @@ -9,14 +9,14 @@ until: apt_result is succeeded - name: Remove slapd config directory - files: + file: path: /etc/ldap/slapd.d/ state: absent - name: Deploy slapd configuration template: src: ldap/slapd.conf.j2 - dest: /etc/slapd/slapd.conf + dest: /etc/ldap/slapd.conf mode: 0600 owner: openldap group: openldap -- GitLab From e0e908fe13e0a79283879c2c9e70bc3c8da9b947 Mon Sep 17 00:00:00 2001 
From: Benjamin Graillot <graillot@crans.org> Date: Thu, 6 Aug 2020 14:34:15 +0200 Subject: [PATCH 13/56] [base] Nouveaux plans de vlans --- base.yml | 9 +++++---- host_vars/{daniel => daniel.adm.crans.org} | 4 ++-- hosts | 4 ++-- 3 files changed, 9 insertions(+), 8 deletions(-) rename host_vars/{daniel => daniel.adm.crans.org} (71%) diff --git a/base.yml b/base.yml index 48ce4654..f3fa47c9 100755 --- a/base.yml +++ b/base.yml @@ -31,15 +31,16 @@ - common-tools - debian-apt-sources - ldap-client - - openssh + # - openssh - sudo - ntp-client # - crans-scripts - root-config -# Deploy LDAP replica -- hosts: odlyd.adm.crans.org,soyouz.adm.crans.org,fy.adm.crans.org,thot.adm.crans.org - roles: [] # TODO +# Deploy LDAP master and replica +- hosts: daniel.adm.crans.org + roles: + - slapd - hosts: otis.adm.crans.org roles: diff --git a/host_vars/daniel b/host_vars/daniel.adm.crans.org similarity index 71% rename from host_vars/daniel rename to host_vars/daniel.adm.crans.org index fb2e9883..2ecabb43 100644 --- a/host_vars/daniel +++ b/host_vars/daniel.adm.crans.org @@ -1,7 +1,7 @@ --- ldap: - ip: 172.16.1.12 + ip: 172.16.10.12 replica: true replica_rid: 2 - master_ip: 172.16.1.1 + master_ip: 172.16.10.1 replication_credentials: "{{ vault_ldap_replication_credentials }}" diff --git a/hosts b/hosts index 4948050b..6f299cc4 100644 --- a/hosts +++ b/hosts @@ -29,8 +29,8 @@ routeur-daniel [crans_physical] -tealc -daniel +tealc.adm.crans.org +daniel.adm.crans.org [crans_vm] belenios # on changera plus tard -- GitLab From 8f0f082139741ab4fc0756e769c1ebe85ab3fee2 Mon Sep 17 00:00:00 2001 
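Review bot: Commenting out `- openssh` leaves sshd configuration unmanaged on every `server` host while `ssh_allow_groups: ssh nounou apprenti cableur root` stays defined in the same play (outside this hunk), so the group restriction that variable expresses is no longer enforced by Ansible although a reader will assume it is. If the role is disabled temporarily, say why in the comment (`# - openssh  # disabled until <reason>`); otherwise remove the variable with it. The replica play also goes from a `roles: []` TODO over four hosts (odlyd, soyouz, fy, thot) to `daniel.adm.crans.org` alone with the `slapd` role — the other hosts are dropped silently, so confirm that is intended.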
From: shirenn <shirenn@crans.org> Date: Thu, 6 Aug 2020 15:54:17 +0200 Subject: [PATCH 14/56] [proxmox] Role for proxmox repositories --- roles/proxmox-apt-sources/tasks/main.yml | 5 +++++ .../templates/apt/sources.list.d/sources.list.j2 | 2 ++ 2 files changed, 7 insertions(+) create mode 100644 roles/proxmox-apt-sources/tasks/main.yml create mode 100644 roles/proxmox-apt-sources/templates/apt/sources.list.d/sources.list.j2 diff --git a/roles/proxmox-apt-sources/tasks/main.yml b/roles/proxmox-apt-sources/tasks/main.yml new file mode 100644 index 00000000..4d66e393 --- /dev/null +++ b/roles/proxmox-apt-sources/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- name: Configure Proxmox repositories + template: + src: apt/sources.list.d/pve-entreprise.list.j2 + dest: /etc/apt/sources.list.d/pve-entreprise.list diff --git a/roles/proxmox-apt-sources/templates/apt/sources.list.d/sources.list.j2 b/roles/proxmox-apt-sources/templates/apt/sources.list.d/sources.list.j2 new file mode 100644 index 00000000..f1a09d1d --- /dev/null +++ b/roles/proxmox-apt-sources/templates/apt/sources.list.d/sources.list.j2 @@ -0,0 +1,2 @@ +{{ ansible_header | comment }} +deb http://download.proxmox.com/debian/pve {{ ansible_lsb.codename }} pve-no-subscription -- GitLab From aa552f55b6b922d982321845cad0b87e26d9ce43 Mon Sep 17 00:00:00 2001 From: shirenn <shirenn@crans.org> Date: Thu, 6 Aug 2020 15:58:46 +0200 Subject: [PATCH 15/56] [common-tools] Check-mode safe --- roles/common-tools/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/common-tools/tasks/main.yml b/roles/common-tools/tasks/main.yml index 7189b872..931348a7 100644 --- a/roles/common-tools/tasks/main.yml +++ b/roles/common-tools/tasks/main.yml @@ -53,6 +53,7 @@ owner: root group: utmp mode: '4755' + check_mode: no - name: Deploy screen tmpfile template: -- GitLab From 0b47e83b2858093c96bec641c3d531a04706c58f Mon Sep 17 00:00:00 2001 
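Review bot: `src: apt/sources.list.d/pve-entreprise.list.j2` does not match the template this commit creates (`apt/sources.list.d/sources.list.j2`), so the role fails on its first run; also spell it `pve-enterprise`, the name Proxmox itself uses, and consider `pve-no-subscription.list` since that is the repository the template actually declares. Give the file explicit ownership and permissions (`owner: root`, `group: root`, `mode: 0644`) so the sources list is never left group- or world-writable through an inherited umask.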
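Review bot: `deb http://download.proxmox.com/debian/pve ...` relies entirely on apt's Release signature check, and nothing in this role installs or pins the Proxmox release key; on a stock PVE host the key ships with the installation, but on any other host apt would refuse the repository, so the role silently depends on being applied to Proxmox hosts only. Prefer `https://` and a `[signed-by=...]` option pointing at the keyring Proxmox installs under /etc/apt/trusted.gpg.d/ (or add a task that deploys the key); both are cheap and make the trust root explicit rather than implicit.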
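Review bot: `check_mode: no` does the reverse of what the subject promises: it forces this `file` task to run even under `--check`, so a dry run really chowns and chmods the 4755 setuid binary. The `file` module already supports check mode, so the line should simply be dropped; where a task genuinely cannot run in check mode, `when: not ansible_check_mode` (used later in this series in roles/re2o-dhcp) skips it instead of executing it for real.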
From: shirenn <shirenn@crans.org> Date: Thu, 6 Aug 2020 15:59:15 +0200 Subject: [PATCH 16/56] [ntp-client] Check-mode safe --- roles/ntp-client/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ntp-client/tasks/main.yml b/roles/ntp-client/tasks/main.yml index c968990b..0bc25d21 100644 --- a/roles/ntp-client/tasks/main.yml +++ b/roles/ntp-client/tasks/main.yml @@ -12,6 +12,7 @@ path: /etc/default/ntp regexp: '^NTPD_OPTS' line: NTPD_OPTS='-g -x' + check_mode: no - name: Configure NTP template: -- GitLab From 34985f55587e1a523c7029ed1abef15417bd23e1 Mon Sep 17 00:00:00 2001 From: shirenn <shirenn@crans.org> Date: Thu, 6 Aug 2020 16:00:31 +0200 Subject: [PATCH 17/56] [slapd] Check-mode safe --- roles/slapd/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/slapd/tasks/main.yml b/roles/slapd/tasks/main.yml index fb082ac1..d39f9502 100644 --- a/roles/slapd/tasks/main.yml +++ b/roles/slapd/tasks/main.yml @@ -28,3 +28,4 @@ regexp: '^SLAPD_SERVICES=' line: 'SLAPD_SERVICES="ldaps://{{ ldap.ip }}/ ldapi:///"' notify: Restart slapd + check_mode: no -- GitLab From 3c1a94822b4951910820fecc976c1096e8dc76f2 Mon Sep 17 00:00:00 2001 From: shirenn <shirenn@crans.org> Date: Thu, 6 Aug 2020 16:24:56 +0200 Subject: [PATCH 18/56] [slapd][unsafe] Rennomage variables et doc --- ...aniel.adm.crans.org => daniel.adm.crans.org.yml} | 0 roles/slapd/README.md | 13 +++++++++++++ roles/slapd/tasks/main.yml | 2 +- roles/slapd/templates/ldap/slapd.conf.j2 | 12 ++++++------ 4 files changed, 20 insertions(+), 7 deletions(-) rename host_vars/{daniel.adm.crans.org => daniel.adm.crans.org.yml} (100%) create mode 100644 roles/slapd/README.md diff --git a/host_vars/daniel.adm.crans.org b/host_vars/daniel.adm.crans.org.yml similarity index 100% rename from host_vars/daniel.adm.crans.org rename to host_vars/daniel.adm.crans.org.yml diff --git a/roles/slapd/README.md b/roles/slapd/README.md new file mode 100644 index 00000000..45b7b027 --- /dev/null 
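Review bot: `check_mode: no` on the NTPD_OPTS `lineinfile` forces the edit of /etc/default/ntp to happen during `--check` runs, which is the opposite of check-mode safety. `lineinfile` handles check mode natively, so remove the line, or use `when: not ansible_check_mode` if the task must be skipped on dry runs.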
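Review bot: Same issue as the other "check-mode safe" commits: `check_mode: no` makes the SLAPD_SERVICES `lineinfile` modify /etc/default/slapd on a dry run instead of merely reporting the change. Drop the line — `lineinfile` reports changes correctly in check mode — or guard the task with `when: not ansible_check_mode`.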
+++ b/roles/slapd/README.md @@ -0,0 +1,13 @@ +# SLAPD + +Deploie un serveur ldap master ou replica + +## VARS + +slapd: + - ip : l'ip sur lequel il va installer le serveur ldap + - replica : s'il s'agit d'un master ou d'une replica + - replica_rid : le numéro de replica du serveur + - master_ip : l'ip du master + - replication_credentials : les credientials pour authentifier les replicas + auprès du master diff --git a/roles/slapd/tasks/main.yml b/roles/slapd/tasks/main.yml index d39f9502..84599aa2 100644 --- a/roles/slapd/tasks/main.yml +++ b/roles/slapd/tasks/main.yml @@ -26,6 +26,6 @@ lineinfile: path: /etc/default/slapd regexp: '^SLAPD_SERVICES=' - line: 'SLAPD_SERVICES="ldaps://{{ ldap.ip }}/ ldapi:///"' + line: 'SLAPD_SERVICES="ldaps://{{ slapd.ip }}/ ldapi:///"' notify: Restart slapd check_mode: no diff --git a/roles/slapd/templates/ldap/slapd.conf.j2 b/roles/slapd/templates/ldap/slapd.conf.j2 index 0db098b6..762756b8 100644 --- a/roles/slapd/templates/ldap/slapd.conf.j2 +++ b/roles/slapd/templates/ldap/slapd.conf.j2 @@ -23,7 +23,7 @@ loglevel none # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_mdb -{% if not ldap.replica %} +{% if not slapd.replica %} moduleload auditlog overlay auditlog @@ -104,13 +104,13 @@ lastmod on # failure and to speed slapd shutdown. checkpoint 512 30 -{% if ldap.replica %} +{% if slapd.replica %} syncrepl - rid={{ ldap.replica_rid }} - provider=ldaps://{{ ldap.master_ip }}:636 + rid={{ slapd.replica_rid }} + provider=ldaps://{{ slapd.master_ip }}:636 bindmethod=simple binddn="cn=replicator,dc=crans,dc=org" - credentials={{ ldap.replication_credentials }} + credentials={{ slapd.replication_credentials }} searchbase="dc=crans,dc=org" scope=sub schemachecking=on 
@@ -121,7 +121,7 @@ syncrepl tls_reqcert=allow {% endif %} -{% if ldap.replica %} +{% if slapd.replica %} # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the -- GitLab From 194a7252281d8990a16711e44cf18f43cda9a8a0 Mon Sep 17 00:00:00 2001 From: shirenn <shirenn@crans.org> Date: Thu, 6 Aug 2020 16:27:16 +0200 Subject: [PATCH 19/56] [ldap][unsafe] Documentation --- roles/ldap-client/README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 roles/ldap-client/README.md diff --git a/roles/ldap-client/README.md b/roles/ldap-client/README.md new file mode 100644 index 00000000..55811bae --- /dev/null +++ b/roles/ldap-client/README.md @@ -0,0 +1,10 @@ +# LDAP-CLIENT + +Configure un client ldap pour les utilisateurs + +## VARS + +ldap: + - local: si le serveur est installé en local + - servers: la liste des servers ldap a contacté + - base: le search term du ldap -- GitLab From e1d2528879f95ae9c765cf197361aa1233c7e5a5 Mon Sep 17 00:00:00 2001 From: shirenn <shirenn@crans.org> Date: Thu, 6 Aug 2020 16:28:17 +0200 Subject: [PATCH 20/56] [slapd][ldap] Configuration CRANS --- group_vars/all/vars.yaml | 57 +++++++++++++++++------------- group_vars/slapd.yml | 6 ++++ host_vars/daniel.adm.crans.org.yml | 7 ++-- 3 files changed, 42 insertions(+), 28 deletions(-) create mode 100644 group_vars/slapd.yml diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml index 061428b9..328bc71d 100644 --- a/group_vars/all/vars.yaml +++ b/group_vars/all/vars.yaml 
@@ -16,28 +16,35 @@ ansible_header: | # Crans subnets adm_subnet: 10.231.136.0/24 -# Role rsync-client -to_backup: - - { - name: "var", - path: "/var", - auth_users: "backupcrans", - secrets_file: "/etc/rsyncd.secrets", - hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"], - } - - { - name: "slash", - path: "/", - auth_users: "backupcrans", - secrets_file: "/etc/rsyncd.secrets", - hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"], - } - -re2o: - server: re2o.adm.crans.org - service_user: "{{ vault_re2o_service_user }}" - service_password: "{{ vault_re2o_service_password }}" - - -# global server definitions -mail_server: smtp.adm.crans.org +# # Role rsync-client +# to_backup: +# - { +# name: "var", +# path: "/var", +# auth_users: "backupcrans", +# secrets_file: "/etc/rsyncd.secrets", +# hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"], +# } +# - { +# name: "slash", +# path: "/", +# auth_users: "backupcrans", +# secrets_file: "/etc/rsyncd.secrets", +# hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"], +# } +# +# re2o: +# server: re2o.adm.crans.org +# service_user: "{{ vault_re2o_service_user }}" +# service_password: "{{ vault_re2o_service_password }}" +# +# +# # global server definitions +# mail_server: smtp.adm.crans.org +glob_ldap: + servers: + - 172.16.10.1 + - 172.16.10.11 + - 172.16.10.12 + - 172.16.10.13 + base: 'dc=crans,dc=org' diff --git a/group_vars/slapd.yml b/group_vars/slapd.yml new file mode 100644 index 00000000..19292dcf --- /dev/null +++ b/group_vars/slapd.yml @@ -0,0 +1,6 @@ +--- + +glob_slapd: + master_ip: 172.16.10.1 + replication_credentials: "{{ vault_ldap_replication_credentials }}" + diff --git a/host_vars/daniel.adm.crans.org.yml b/host_vars/daniel.adm.crans.org.yml index 2ecabb43..a7405b4d 100644 --- a/host_vars/daniel.adm.crans.org.yml +++ b/host_vars/daniel.adm.crans.org.yml 
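Review bot: Commenting out `to_backup`, `re2o` and `mail_server` rather than deleting them leaves any role that reads those variables (rsync-client, the re2o roles) failing with an undefined-variable error on hosts that do not redefine them, and the dead block will rot; git keeps the history, so delete it or move it to the group that still needs it. For `glob_ldap.servers` the entries are bare IPs — if ldap-client builds `ldaps://` URIs from them (nslcd.conf.j2 is not visible here), certificate validation only succeeds when the server certificates carry those IPs as SANs; otherwise the client either fails or ends up with `tls_reqcert never`, so confirm which it is.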
@@ -1,7 +1,8 @@ --- -ldap: +loc_slapd: ip: 172.16.10.12 replica: true replica_rid: 2 - master_ip: 172.16.10.1 - replication_credentials: "{{ vault_ldap_replication_credentials }}" + +loc_ldap: + local: false -- GitLab From b6ec09061306f3f7915ad55f55839f4b5d1c31dd Mon Sep 17 00:00:00 2001 From: shirenn <shirenn@crans.org> Date: Thu, 6 Aug 2020 16:30:03 +0200 Subject: [PATCH 21/56] [plays][safe] Playbook to run as root --- hosts | 6 ++++++ plays/root.yml | 31 +++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 plays/root.yml diff --git a/hosts b/hosts index 6f299cc4..61ce6616 100644 --- a/hosts +++ b/hosts @@ -25,6 +25,12 @@ # [test_vm] # re2o-test.adm.crans.org +[slapd] +tealc.adm.crans.org +sam.adm.crans.org +daniel.adm.crans.org +jack.adm.crans.org + [crans_routeurs] routeur-daniel diff --git a/plays/root.yml b/plays/root.yml new file mode 100644 index 00000000..2efca8d6 --- /dev/null +++ b/plays/root.yml @@ -0,0 +1,31 @@ +#!/usr/bin/env ansible-playbook +--- + +- hosts: server + vars: + # # Will be in /usr/scripts/ + # crans_scripts_git: "http://gitlab.adm.crans.org/nounous/scripts.git" + + # NTP servers + ntp_servers: + - charybde.adm.crans.org + # - silice.adm.crans.org + roles: + - debian-apt-sources + - common-tools + - sudo + - ntp-client + # - crans-scripts + - root-config + +- hosts: slapd + vars: + slapd: '{{ glob_slapd | combine(loc_slapd) }}' + roles: + - slapd + +- hosts: server + vars: + ldap: '{{ glob_ldap | combine(loc_ldap) }}' + roles: + - ldap-client -- GitLab From 6879e2ce4674c76dfe8b4fb1b4647e37e6928095 Mon Sep 17 00:00:00 2001 From: shirenn <shirenn@crans.org> Date: Thu, 6 Aug 2020 16:30:33 +0200 Subject: [PATCH 22/56] [plays] base.yml shrinking --- base.yml | 30 ------------------------------ 1 file changed, 30 deletions(-) diff --git a/base.yml b/base.yml index f3fa47c9..88cc11b8 100755 --- a/base.yml +++ b/base.yml 
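Review bot: `glob_slapd | combine(loc_slapd)` and `glob_ldap | combine(loc_ldap)` have no fallback, so any host without `loc_slapd`/`loc_ldap` in its host_vars — tealc.adm.crans.org, added to `[slapd]` in this same commit with no host_vars shown — aborts the play with an undefined-variable error; use `combine(loc_slapd | default({}))`. The new `server` play also does not carry over `ssh_allow_groups` and `intranet_url` from base.yml, nor the openssh role, so SSH access control is not part of the root playbook at all — worth a comment if that is deliberate.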
@@ -11,36 +11,6 @@ # args: # executable: /bin/bash -# Common CRANS configuration for all servers -- hosts: server - vars: - # Group permissions - ssh_allow_groups: ssh nounou apprenti cableur root - - # Scripts will tell users to go there to manage their account - intranet_url: 'https://intranet.crans.org/' - - # # Will be in /usr/scripts/ - # crans_scripts_git: "http://gitlab.adm.crans.org/nounous/scripts.git" - - # NTP servers - ntp_servers: - - charybde.adm.crans.org - # - silice.adm.crans.org - roles: - - common-tools - - debian-apt-sources - - ldap-client - # - openssh - - sudo - - ntp-client - # - crans-scripts - - root-config - -# Deploy LDAP master and replica -- hosts: daniel.adm.crans.org - roles: - - slapd - hosts: otis.adm.crans.org roles: -- GitLab From 7024617206068c656707476e3258d29ee4ea1aaa Mon Sep 17 00:00:00 2001 From: shirenn <shirenn@crans.org> Date: Thu, 6 Aug 2020 16:38:07 +0200 Subject: [PATCH 23/56] [home-nounous][unsafe] Documentation + rennomage variables --- roles/home-nounous/README.md | 8 ++++++++ roles/home-nounous/templates/systemd/system/home.mount.j2 | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 roles/home-nounous/README.md diff --git a/roles/home-nounous/README.md b/roles/home-nounous/README.md new file mode 100644 index 00000000..80dddb95 --- /dev/null +++ b/roles/home-nounous/README.md @@ -0,0 +1,8 @@ +# HOME-NOUNOUS + +Ce rôle permet d'exporter les homes vers les différents serveurs. + +## VARS + +home_nounous: + ip: l'ip du serveur nfs diff --git a/roles/home-nounous/templates/systemd/system/home.mount.j2 b/roles/home-nounous/templates/systemd/system/home.mount.j2 index d0464e90..b144343d 100644 --- a/roles/home-nounous/templates/systemd/system/home.mount.j2 +++ b/roles/home-nounous/templates/systemd/system/home.mount.j2 
@@ -5,7 +5,7 @@ Wants=network-online.target After=network-online.target [Mount] -What=172.16.1.1:/pool/home +What={{ home_nounous.ip }}:/pool/home Where=/home Type=nfs Options=rw,nosuid -- GitLab From 07b05b99062311235c1a8118c494d6cb7b28f6fe Mon Sep 17 00:00:00 2001 From: shirenn <shirenn@crans.org> Date: Thu, 6 Aug 2020 16:39:11 +0200 Subject: [PATCH 24/56] [home-nounous] Configuration crans --- group_vars/all/vars.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml index 328bc71d..dba06cb7 100644 --- a/group_vars/all/vars.yaml +++ b/group_vars/all/vars.yaml @@ -48,3 +48,6 @@ glob_ldap: - 172.16.10.12 - 172.16.10.13 base: 'dc=crans,dc=org' + +home-nounous: + ip: 172.16.10.1 -- GitLab From 5c7569cce25bf5caf7df2c3dcc4abc2db2fd2ebe Mon Sep 17 00:00:00 2001 From: shirenn <shirenn@crans.org> Date: Thu, 6 Aug 2020 17:00:03 +0200 Subject: [PATCH 25/56] [proxmox][safe] Configuration CRANS --- hosts | 5 +++++ plays/root.yml | 3 +++ .../{sources.list.j2 => pve-entreprise.list.j2} | 0 3 files changed, 8 insertions(+) mode change 100644 => 100755 plays/root.yml rename roles/proxmox-apt-sources/templates/apt/sources.list.d/{sources.list.j2 => pve-entreprise.list.j2} (100%) diff --git a/hosts b/hosts index 61ce6616..a7cd86a1 100644 --- a/hosts +++ b/hosts @@ -25,6 +25,11 @@ # [test_vm] # re2o-test.adm.crans.org +[virtu] +sam.adm.crans.org +daniel.adm.crans.org +jack.adm.crans.org + [slapd] tealc.adm.crans.org sam.adm.crans.org diff --git a/plays/root.yml b/plays/root.yml old mode 100644 new mode 100755 index 2efca8d6..ac0de129 --- a/plays/root.yml +++ b/plays/root.yml @@ -1,5 +1,8 @@ #!/usr/bin/env ansible-playbook --- +- hosts: virtu + roles: + - proxmox-apt-sources - hosts: server vars: 
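Review bot: `Options=rw,nosuid` stops setuid binaries but not device nodes, and `/home` on an NFS share is writable by every account that owns a directory there; add `nodev` (and consider `noexec` if nothing in those homes needs to execute). No `sec=` is given, so the mount uses AUTH_SYS: the server trusts the uid/gid each client reports, which means root on any host that mounts this share can read or write any user's home — that may be acceptable inside the adm network, but it belongs in the role README (added in this commit) so nobody exports the share more widely later. Pinning `vers=4` (or whatever the server offers) also avoids silently negotiating a different NFS version per host.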
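Review bot: The key is `home-nounous` while the mount template renamed in the previous patch reads `home_nounous.ip`, so the unit renders with an undefined variable; hyphenated names cannot be reached through dot notation in Jinja anyway. Name the key `home_nounous:`, which is also what the role README documents.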
diff --git a/roles/proxmox-apt-sources/templates/apt/sources.list.d/sources.list.j2 b/roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-entreprise.list.j2 similarity index 100% rename from roles/proxmox-apt-sources/templates/apt/sources.list.d/sources.list.j2 rename to roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-entreprise.list.j2 -- GitLab From 2c72c8c6c950377cfae4171d4b27bb58bedcefe8 Mon Sep 17 00:00:00 2001 From: shirenn <shirenn@crans.org> Date: Thu, 6 Aug 2020 19:36:34 +0200 Subject: [PATCH 26/56] [proxmox] tout pleins de nouveaux copains --- group_vars/all/vars.yaml | 2 +- host_vars/jack.adm.crans.org.yml | 8 ++++++++ host_vars/sam.adm.crans.org.yml | 8 ++++++++ hosts | 2 ++ plays/root.yml | 1 + roles/proxmox-apt-sources/tasks/main.yml | 4 ++-- .../{pve-entreprise.list.j2 => pve-enterprise.list.j2} | 0 7 files changed, 22 insertions(+), 3 deletions(-) create mode 100644 host_vars/jack.adm.crans.org.yml create mode 100644 host_vars/sam.adm.crans.org.yml rename roles/proxmox-apt-sources/templates/apt/sources.list.d/{pve-entreprise.list.j2 => pve-enterprise.list.j2} (100%) diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml index dba06cb7..b33dd868 100644 --- a/group_vars/all/vars.yaml +++ b/group_vars/all/vars.yaml @@ -49,5 +49,5 @@ glob_ldap: - 172.16.10.13 base: 'dc=crans,dc=org' -home-nounous: +home_nounous: ip: 172.16.10.1 diff --git a/host_vars/jack.adm.crans.org.yml b/host_vars/jack.adm.crans.org.yml new file mode 100644 index 00000000..bfca9922 --- /dev/null +++ b/host_vars/jack.adm.crans.org.yml @@ -0,0 +1,8 @@ +--- +loc_slapd: + ip: 172.16.10.13 + replica: true + replica_rid: 3 + +loc_ldap: + local: false diff --git a/host_vars/sam.adm.crans.org.yml b/host_vars/sam.adm.crans.org.yml new file mode 100644 index 00000000..5d5fde7e --- /dev/null +++ b/host_vars/sam.adm.crans.org.yml @@ -0,0 +1,8 @@ +--- +loc_slapd: + ip: 172.16.10.11 + replica: true + replica_rid: 1 + +loc_ldap: + local: false 
diff --git a/hosts b/hosts index a7cd86a1..7a3e9cc5 100644 --- a/hosts +++ b/hosts @@ -41,7 +41,9 @@ routeur-daniel [crans_physical] tealc.adm.crans.org +sam.adm.crans.org daniel.adm.crans.org +jack.adm.crans.org [crans_vm] belenios # on changera plus tard diff --git a/plays/root.yml b/plays/root.yml index ac0de129..06188c07 100755 --- a/plays/root.yml +++ b/plays/root.yml @@ -32,3 +32,4 @@ ldap: '{{ glob_ldap | combine(loc_ldap) }}' roles: - ldap-client + - home-nounous diff --git a/roles/proxmox-apt-sources/tasks/main.yml b/roles/proxmox-apt-sources/tasks/main.yml index 4d66e393..1774927c 100644 --- a/roles/proxmox-apt-sources/tasks/main.yml +++ b/roles/proxmox-apt-sources/tasks/main.yml @@ -1,5 +1,5 @@ --- - name: Configure Proxmox repositories template: - src: apt/sources.list.d/pve-entreprise.list.j2 - dest: /etc/apt/sources.list.d/pve-entreprise.list + src: apt/sources.list.d/pve-enterprise.list.j2 + dest: /etc/apt/sources.list.d/pve-enterprise.list diff --git a/roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-entreprise.list.j2 b/roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-enterprise.list.j2 similarity index 100% rename from roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-entreprise.list.j2 rename to roles/proxmox-apt-sources/templates/apt/sources.list.d/pve-enterprise.list.j2 -- GitLab From 56acc3b293ebb47cf130258a7071eed7df8f0d2c Mon Sep 17 00:00:00 2001 From: shirenn <shirenn@crans.org> Date: Fri, 7 Aug 2020 00:04:53 +0200 Subject: [PATCH 27/56] [ldap][slapd] Variable merge --- group_vars/all/vars.yaml | 1 + host_vars/daniel.adm.crans.org.yml | 3 --- host_vars/jack.adm.crans.org.yml | 3 --- host_vars/sam.adm.crans.org.yml | 3 --- plays/root.yml | 4 ++-- 5 files changed, 3 insertions(+), 11 deletions(-) diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml index b33dd868..44aee993 100644 --- a/group_vars/all/vars.yaml +++ b/group_vars/all/vars.yaml 
@@ -48,6 +48,7 @@ glob_ldap: - 172.16.10.12 - 172.16.10.13 base: 'dc=crans,dc=org' + local: false # local configuration but default value home_nounous: ip: 172.16.10.1 diff --git a/host_vars/daniel.adm.crans.org.yml b/host_vars/daniel.adm.crans.org.yml index a7405b4d..139b9bd1 100644 --- a/host_vars/daniel.adm.crans.org.yml +++ b/host_vars/daniel.adm.crans.org.yml @@ -3,6 +3,3 @@ loc_slapd: ip: 172.16.10.12 replica: true replica_rid: 2 - -loc_ldap: - local: false diff --git a/host_vars/jack.adm.crans.org.yml b/host_vars/jack.adm.crans.org.yml index bfca9922..70c60054 100644 --- a/host_vars/jack.adm.crans.org.yml +++ b/host_vars/jack.adm.crans.org.yml @@ -3,6 +3,3 @@ loc_slapd: ip: 172.16.10.13 replica: true replica_rid: 3 - -loc_ldap: - local: false diff --git a/host_vars/sam.adm.crans.org.yml b/host_vars/sam.adm.crans.org.yml index 5d5fde7e..9ed74927 100644 --- a/host_vars/sam.adm.crans.org.yml +++ b/host_vars/sam.adm.crans.org.yml @@ -3,6 +3,3 @@ loc_slapd: ip: 172.16.10.11 replica: true replica_rid: 1 - -loc_ldap: - local: false diff --git a/plays/root.yml b/plays/root.yml index 06188c07..e07668ed 100755 --- a/plays/root.yml +++ b/plays/root.yml @@ -23,13 +23,13 @@ - hosts: slapd vars: - slapd: '{{ glob_slapd | combine(loc_slapd) }}' + slapd: '{{ glob_slapd | combine(loc_slapd | default({})) }}' roles: - slapd - hosts: server vars: - ldap: '{{ glob_ldap | combine(loc_ldap) }}' + ldap: '{{ glob_ldap | combine(loc_ldap | default({})) }}' roles: - ldap-client - home-nounous -- GitLab From 7d8131555f18280ed9ed54043664108ea306d4d6 Mon Sep 17 00:00:00 2001 From: shirenn <shirenn@crans.org> Date: Fri, 7 Aug 2020 00:08:09 +0200 Subject: [PATCH 28/56] coucou les copains (les routeurs) --- hosts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts b/hosts index 7a3e9cc5..ca40c986 100644 --- a/hosts +++ b/hosts 
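Review bot: `default({})` stops the play from aborting on hosts without `loc_slapd`, but the merged `slapd` dict then holds only `master_ip` and `replication_credentials`, so on tealc.adm.crans.org (in `[slapd]`, no host_vars anywhere in this series) `slapd.ip` in SLAPD_SERVICES and the `{% if slapd.replica %}` tests in slapd.conf.j2 are still undefined and the master deploy fails. Put the master's defaults in `glob_slapd` (`replica: false` and its `ip`) or give tealc a host_vars file, so the merged variable always carries every key the role README lists.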
@@ -46,6 +46,8 @@ daniel.adm.crans.org jack.adm.crans.org [crans_vm] +routeur-sam.adm.crans.org +routeur-daniel.adm.crans.org belenios # on changera plus tard [ovh_physical] -- GitLab From dc17f75f902af5f4320b11e51deda375a0058d36 Mon Sep 17 00:00:00 2001 From: shirenn <shirenn@crans.org> Date: Fri, 7 Aug 2020 12:59:56 +0200 Subject: [PATCH 29/56] Merge Pollion cherry pick --- group_vars/dhcp.yml | 88 +++++----------------- group_vars/keepalived.yml | 53 ++----------- host_vars/routeur-daniel.adm.crans.org.yml | 15 ++++ host_vars/routeur-sam.adm.crans.org.yml | 15 ++++ hosts | 14 +++- roles/re2o-dhcp/tasks/main.yml | 4 +- 6 files changed, 68 insertions(+), 121 deletions(-) create mode 100644 host_vars/routeur-daniel.adm.crans.org.yml create mode 100644 host_vars/routeur-sam.adm.crans.org.yml diff --git a/group_vars/dhcp.yml b/group_vars/dhcp.yml index 5054673b..f8e16fa9 100644 --- a/group_vars/dhcp.yml +++ b/group_vars/dhcp.yml 
@@ -3,80 +3,26 @@ dhcp: authoritative: True global_options: - - { key: "interface-mtu", value: "1496" } + - { key: "interface-mtu", value: "1500" } global_parameters: [] subnets: - - network: "10.51.0.0/16" - deny_unknown: False - vlan: "accueil" + - network: "100.64.0.0/16" + deny_unknown: True + vlan: "adh-nat" default_lease_time: "600" max_lease_time: "7200" - routers: "10.51.0.10" - dns: ["10.51.0.152", "10.51.0.4"] - domain_name: "accueil.crans.org" - domain_search: "accueil.crans.org" - options: - - { key: "time-servers", value: "10.51.0.10" } - - { key: "ntp-servers", value: "10.51.0.10" } - - { key: "ip-forwarding", value: "off" } - range: ["10.51.1.0", "10.51.255.255"] - - - network: "10.231.148.0/24" - deny_unknown: False - vlan: "bornes" - default_lease_time: "8600" - routers: "10.231.148.254" - dns: ["10.231.148.152", "10.231.148.4"] - domain_name: "borne.crans.org" - domain_search: "borne.crans.org" - options: - - { key: "time-servers", value: "10.231.148.98" } - - { key: "ntp-servers", value: "10.231.148.98" } - - { key: "ip-forwarding", value: "off" } - lease_file: "/var/local/re2o-services/dhcp/generated/dhcp.borne.crans.org.list" + routers: "100.64.0.99" + dns: ["100.64.0.101", "100.64.0.102"] + domain_name: "adh-nat.crans.org" + domain_search: "adh-nat.crans.org" + options: [] + lease_file: "/tmp/dhcp.list" - - network: "185.230.78.0/24" - deny_unknown: True - vlan: "fil_pub" - default_lease_time: "86400" - routers: "185.230.78.254" - dns: ["185.230.78.152", "185.230.78.4"] - domain_name: "adh.crans.org" - domain_search: "adh.crans.org" - options: - - { key: "time-servers", value: "185.230.79.98" } - - { key: "ntp-servers", value: "185.230.79.98" } - - { key: "ip-forwarding", value: "off" } - - { key: "smtp-server", value: "185.230.79.39" } - lease_file: "/var/local/re2o-services/dhcp/generated/dhcp.adh.crans.org.list" - - - network: "10.54.0.0/19" - deny_unknown: True - vlan: "fil_new" - default_lease_time: "86400" - routers: "10.54.0.254" - dns: 
["10.54.0.152", "10.54.0.4"] - domain_name: "fil.crans.org" - domain_search: "fil.crans.org" - options: - - { key: "time-servers", value: "185.230.79.98" } - - { key: "ntp-servers", value: "185.230.79.98" } - - { key: "ip-forwarding", value: "off" } - - { key: "smtp-server", value: "185.230.79.39" } - lease_file: "/var/local/re2o-services/dhcp/generated/dhcp.fil.crans.org.list" +re2o: + server: re2o.adm.crans.org + service_user: "ploptotoisverysecure" + service_password: "ploptotoisverysecure" + dhcp: + uri: "/tmp/re2o-dhcp.git" - - network: "10.53.0.0/19" - deny_unknown: False # For Federez - vlan: "wifi_new" - default_lease_time: "86400" - routers: "10.53.0.254" - dns: ["10.53.0.152", "10.53.0.4"] - domain_name: "wifi.crans.org" - domain_search: "wifi.crans.org" - options: - - { key: "time-servers", value: "185.230.79.98" } - - { key: "ntp-servers", value: "185.230.79.98" } - - { key: "ip-forwarding", value: "off" } - - { key: "smtp-server", value: "185.230.79.39" } - lease_file: "/var/local/re2o-services/dhcp/generated/dhcp.wifi.crans.org.list" - range: ["10.53.21.0", "10.53.25.254"] +mail_server: smtp.new-infra.adm.crans.org diff --git a/group_vars/keepalived.yml b/group_vars/keepalived.yml index c507466e..e23f30b7 100644 --- a/group_vars/keepalived.yml +++ b/group_vars/keepalived.yml 
@@ -1,52 +1,11 @@ --- keepalived: - radius: - password: "{{ vault_keepalived_radius_password }}" - id: 52 - ipv6: yes - zones: - - vlan: adm - ipv4: 10.231.136.11/24 - brd: 10.231.136.255 - ipv6: 2a0c:700:0:2:ad:adff:fef0:f002/64 - - vlan: bornes - ipv4: 10.231.148.11/24 - brd: 10.231.148.255 - ipv6: fd01:240:fe3d:3:ad:adff:fef0:f003/64 - - vlan: switches - ipv4: 10.231.100.11/24 - brd: 10.231.100.255 - ipv6: fd01:240:fe3d:c804:ad:adff:fef0:f004/64 - router: - password: "{{ vault_keepalived_router_password }}" - id: 53 + dhcp: + password: "plopisverysecure" + id: 60 ipv6: no zones: - - vlan: adm - ipv4: 10.231.136.254/24 - brd: 10.231.136.255 - - vlan: fil_pub - ipv4: 185.230.78.254/24 - brd: 185.230.78.255 - - vlan: srv - ipv4: 185.230.79.254/24 - brd: 185.230.79.255 - - vlan: fil_new # Nat filaire - ipv4: 10.54.0.254/16 - brd: 10.54.255.255 - - vlan: wifi_new - ipv4: 10.53.0.254/16 - brd: 10.53.255.255 - - vlan: zayo - ipv4: 158.255.113.73/31 - proxy: - password: "{{ vault_keepalived_proxy_password }}" - id: 51 - ipv6: yes - zones: - - vlan: srv - ipv4: 185.230.79.194/32 - brd: 185.230.79.255 - ipv6: 2a0c:700:0:24:ba:ccff:feda:aa00/64 - + - vlan: adh-nat + ipv4: 100.64.0.99/16 + brd: 100.64.255.255 diff --git a/host_vars/routeur-daniel.adm.crans.org.yml b/host_vars/routeur-daniel.adm.crans.org.yml new file mode 100644 index 00000000..3b942bc7 --- /dev/null +++ b/host_vars/routeur-daniel.adm.crans.org.yml @@ -0,0 +1,15 @@ +--- +interfaces: + adm: ens18 + srv: ens19 + srv-nat: ens20 + infra: ens21 + adh: ens22 + adh-nat: ens23 + + +keepalived_instances: + - name: dhcp + tag: VI_DHCP + state: BACKUP + priority: 100 diff --git a/host_vars/routeur-sam.adm.crans.org.yml b/host_vars/routeur-sam.adm.crans.org.yml new file mode 100644 index 00000000..bec03731 --- /dev/null +++ b/host_vars/routeur-sam.adm.crans.org.yml 
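Review bot: `password: "plopisverysecure"` replaces the `vault_keepalived_*_password` references with a literal VRRP secret committed in clear text; keep it in the vault like the values it replaces. VRRPv2 simple authentication is also limited to 8 bytes, so keepalived truncates `auth_pass` to `plopisve` and warns — the longer string gives a false sense of strength, and anyone on the `adh-nat` VLAN who knows it can claim the 100.64.0.99 gateway address. If the role supports it, run the VRRP exchange on the administration VLAN rather than on the member-facing one (the README added later in this series mentions an `administration` field).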
@@ -0,0 +1,15 @@ +--- +interfaces: + adm: ens18 + srv: ens19 + srv-nat: ens20 + infra: ens21 + adh: ens22 + adh-nat: ens23 + + +keepalived_instances: + - name: dhcp + tag: VI_DHCP + state: MASTER + priority: 150 diff --git a/hosts b/hosts index ca40c986..56fefdc0 100644 --- a/hosts +++ b/hosts @@ -36,8 +36,18 @@ sam.adm.crans.org daniel.adm.crans.org jack.adm.crans.org -[crans_routeurs] -routeur-daniel +[keepalived] +routeur-sam.adm.crans.org +routeur-daniel.adm.crans.org + +[dhcp] +routeur-sam.adm.crans.org +routeur-daniel.adm.crans.org + + +[crans_routeurs:children] +dhcp +keepalived [crans_physical] tealc.adm.crans.org diff --git a/roles/re2o-dhcp/tasks/main.yml b/roles/re2o-dhcp/tasks/main.yml index 16c83c42..cc11df72 100644 --- a/roles/re2o-dhcp/tasks/main.yml +++ b/roles/re2o-dhcp/tasks/main.yml @@ -15,10 +15,11 @@ etype: group permissions: rwx state: query + when: not ansible_check_mode - name: Clone re2o-dhcp repository git: - repo: 'http://gitlab.adm.crans.org/nounous/re2o-dhcp.git' + repo: "{{ re2o.dhcp.uri }}" dest: /var/local/re2o-services/dhcp version: crans umask: '002' @@ -30,6 +31,7 @@ owner: root group: root state: link + force: yes - name: Create generated directory file: -- GitLab From f93829267d4629445acca8f956f973632efcd88b Mon Sep 17 00:00:00 2001 From: Benjamin Graillot <graillot@crans.org> Date: Fri, 7 Aug 2020 16:52:26 +0200 Subject: [PATCH 30/56] [qemu-guest-agent] Install qemu-guest-agent on VMs --- plays/root.yml | 4 ++++ roles/qemu-guest-agent/tasks/main.yml | 10 ++++++++++ 2 files changed, 14 insertions(+) create mode 100644 roles/qemu-guest-agent/tasks/main.yml diff --git a/plays/root.yml b/plays/root.yml index e07668ed..aa4b9b81 100755 --- a/plays/root.yml +++ b/plays/root.yml @@ -21,6 +21,10 @@ # - crans-scripts - root-config +- hosts: crans_vm + roles: + - qemu-guest-agent + - hosts: slapd vars: slapd: '{{ glob_slapd | combine(loc_slapd | default({})) }}' 
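Review bot: `repo: "{{ re2o.dhcp.uri }}"` with `version: crans` clones whatever that branch currently holds, and the group_vars in this commit point it at `/tmp/re2o-dhcp.git`, so the code that generates the DHCP configuration is taken from a world-writable path with no integrity check; pin `version` to a commit or tag, or at least keep the URI on the gitlab host with a fixed branch. `force: yes` on the link task replaces an existing regular file at the link path, or creates a dangling link when the target is not there yet, without a trace — fine for a link you own, but worth a one-line comment. `when: not ansible_check_mode` on the acl task is the right idiom; the `check_mode: no` lines added earlier in this series should be converted to it.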
diff --git a/roles/qemu-guest-agent/tasks/main.yml b/roles/qemu-guest-agent/tasks/main.yml
new file mode 100644
index 00000000..72a322aa
--- /dev/null
+++ b/roles/qemu-guest-agent/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Install qemu guest agent
+ apt:
+ update_cache: true
+ install_recommends: false
+ name:
+ - qemu-guest-agent
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
-- GitLab From ea0d140a6633e4f23321c2bf423634e154f6499e Mon Sep 17 00:00:00 2001 From: shirenn <shirenn@crans.org> Date: Fri, 7 Aug 2020 17:30:20 +0200 Subject: [PATCH 31/56] [keepalived][unsafe] PEP CRANS + dhcp notify --- roles/keepalived/README.md | 38 +++++++++++++++++++ roles/keepalived/tasks/main.yml | 13 +++++++ roles/keepalived/templates/bin/notify-dhcp | 24 ++++++++++++ .../templates/keepalived/keepalived.conf.j2 | 36 ++++++++++-------- 4 files changed, 95 insertions(+), 16 deletions(-) create mode 100644 roles/keepalived/README.md create mode 100755 roles/keepalived/templates/bin/notify-dhcp
diff --git a/roles/keepalived/README.md b/roles/keepalived/README.md
new file mode 100644
index 00000000..884a783b
--- /dev/null
+++ b/roles/keepalived/README.md
@@ -0,0 +1,38 @@ +# KEEPALIVED + +Ce rôle installe keepalived pour permettre la redondance de certain service +entre plusieurs services. +/!\ Ce rôle déploie un script pour relancer automatiquement le serveur dhcp /!\ + +## VARS + +keepalived: + - mail_destination: a qui envoyé les mails en cas de switching + - mail_source: qui envoie les mails + - smtp_server: le serveur smtp par qui passer pour envoyer les mails + - pool: Une liste de différentes instances installable sur la machine. Les + instances sont des dictionnaires comprenant les champs suivant : + - name: le nom de l'instance + - password: le mot de passe que vont utilisé les marchines d'une même + instance pour se synchroniser + - id: l'indentifiant qu'elles vont utiliser pour discuter + - ipv6: s'il est necessaire de configurer une instance supplémentaire pour + de l'ipv6 + - notify: le script a notifé en cas de switching (s'il n'est pas précisé + aucun script n'est utilisé) + - administration: le vlan d'administration sur lequel les machines d'une + même instances vont discuter + - zones: une liste de zone sur lequel vont parler les instances keepalived. + Chaque zone est un disctionnaire comprenant les champs suivants: + - vlan: le vlan sur lequel est installé la zone + - ipv4: l'ipv4 au format CIDR partagé par les machines + - brd: s'il faut préciser ou non l'interface de broadcast + - ipv6: une ipv6 (elle peut ne pas être précisé, si elle est présente mais + que l'instance ne précise pas ipv6, elle sera ignoré) + - instances: Une liste d'instance a déployer sur la machine. Les instances + sont des dictionnaires comprenant les champs suivants: + - name: le nom de linstance a deployer + - tag: le petit nom à lui donner + - state: l'état (entre BACKUP et MASTER) + - priority: la priorité (pour un MASTER on met par défaut 150 puis on reduit + de 50 par 50) diff --git a/roles/keepalived/tasks/main.yml b/roles/keepalived/tasks/main.yml index 3eaa83ac..14fc00bd 100644 --- a/roles/keepalived/tasks/main.yml 
+++ b/roles/keepalived/tasks/main.yml @@ -13,3 +13,16 @@ dest: /etc/keepalived/keepalived.conf mode: 0644 notify: Reload keepalived.service + +- name: Create scripts directory + file: + path: /usr/scripts + state: directory + +- name: Deploy keepalived dhcp scripts + template: + src: bin/notify-dhcp + dest: /usr/scripts/notify-dhcp + mode: 0744 + when: not ansible_check_mode + notify: Reload keepalived.service diff --git a/roles/keepalived/templates/bin/notify-dhcp b/roles/keepalived/templates/bin/notify-dhcp new file mode 100755 index 00000000..a62ad14c --- /dev/null +++ b/roles/keepalived/templates/bin/notify-dhcp @@ -0,0 +1,24 @@ +#!/bin/bash + +TYPE=$1 +NAME=$2 +STATE=$3 + +case $STATE in + "MASTER") + logger -s '[DHCP-NOTIFY] Entering state MASTER, starting isc-dhcp-server.service' + systemctl start isc-dhcp-server.service + exit 0;; + "BACKUP") + logger -s '[DHCP-NOTIFY] Entering state BACKUP, stopping isc-dhcp-server.service' + systemctl stop isc-dhcp-server.service + exit 0;; + "FAULT") + logger -s '[DHCP-NOTIFY] Entering state FAULT, stopping isc-dhcp-server.service' + systemctl stop isc-dhcp-server.service + exit 0;; + *) + logger -s '[DHCP-NOTIFY] Entering UNKNOWN state, doing nothing' + exit 1;; +esac + diff --git a/roles/keepalived/templates/keepalived/keepalived.conf.j2 b/roles/keepalived/templates/keepalived/keepalived.conf.j2 index f0530d8f..97c93c53 100644 --- a/roles/keepalived/templates/keepalived/keepalived.conf.j2 +++ b/roles/keepalived/templates/keepalived/keepalived.conf.j2 
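Review bot: The "Create scripts directory" task creates `/usr/scripts` with no `owner`, `group` or `mode`, and the script placed there is executed by keepalived as root on every state change, so both the directory and the script should be explicitly root-owned and not writable by group/other: add `owner: root`, `group: root`, `mode: "0755"` to the `file:` task and the same `owner`/`group` to the template task. The `when: not ansible_check_mode` on the template task means check-mode runs never report drift in the notify script; presumably it is there because the directory may not exist yet in check mode, in which case a comment saying so would spare the next reader the guess. The template has no Jinja content and no `.j2` suffix, so `copy:` would express the intent more directly.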
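Review bot: `case $STATE in` leaves the word unquoted and `TYPE`/`NAME` are assigned but never read; quote it as `case "$STATE" in` and drop the unused assignments (or use them in the log message so the instance name appears in syslog). The BACKUP and FAULT arms are identical and can be merged into one `"BACKUP"|"FAULT")` arm. Every arm returns `exit 0` even when `systemctl start`/`stop` fails, so a failed DHCP start on the new MASTER leaves nothing but the systemd journal; propagating the systemctl status (`systemctl start isc-dhcp-server.service; exit $?`) or logging the failure would make that visible.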
@@ -1,31 +1,33 @@ {{ ansible_header | comment }} global_defs { - notification_email { - root@crans.org - } - notification_email_from keepalived@crans.org - smtp_server smtp.adm.crans.org + notification_email { {{ keepalived.mail_destination }} } + notification_email_from {{ keepalived.mail_source }} + smtp_server {{ keepalived.smtp_server }} } -{% for instance in keepalived_instances %} +{% for instance in keepalived.instances %} vrrp_instance {{ instance.tag }}4 { state {{ instance.state }} priority {{ instance.priority }} smtp_alert interface {{ interfaces.adm }} - virtual_router_id {{ keepalived[instance.name].id }} + virtual_router_id {{ keepalived.pool[instance.name].id }} advert_int 2 authentication { auth_type PASS - auth_pass {{ keepalived[instance.name].password }} + auth_pass {{ keepalived.pool[instance.name].password }} } +{% if keepalived.pool[instance.name].notify is defined %} + notify {{ keepalived.pool[instance.name].notify }} +{% endif %} + virtual_ipaddress { -{% for zone in keepalived[instance.name].zones %} - {% if zone.brd is defined %} - {{ zone.ipv4 }} brd {{ zone.brd }} dev {{ interfaces[zone.vlan] }} scope global +{% for zone in keepalived.pool[instance.name].zones %} + {% if zone.brd %} + {{ zone.ipv4 }} brd {{ zone.ipv4 | ipaddr('broadcast') }} dev {{ interfaces[zone.vlan] }} scope global {% else %} {{ zone.ipv4 }} dev {{ interfaces[zone.vlan] }} scope global {% endif %} 
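Review bot: `{% if zone.brd %}` now treats `brd` as a flag and computes the broadcast address with `ipaddr('broadcast')`, yet group_vars/keepalived.yml (patch 32 on this page) still carries `brd: 100.64.255.255`, which is only ever tested for truthiness; the README describes `brd` as a yes/no field, so the data should become `brd: true` (or the template should keep honouring an explicit address) to avoid a value that looks meaningful but is ignored. The `ipaddr` filter needs the `netaddr` Python package on the controller, which is a new requirement worth stating in the role README. `notification_email { {{ keepalived.mail_destination }} }` renders a single address on one line; if a list is ever passed it will not produce one entry per line.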
@@ -33,23 +35,25 @@ vrrp_instance {{ instance.tag }}4 { } } -{% if keepalived[instance.name].ipv6 %} +{% if keepalived.pool[instance.name].ipv6 %} vrrp_instance {{ instance.tag }}6 { state {{ instance.state }} priority {{ instance.priority }} smtp_alert - interface {{ interfaces.adm }} - virtual_router_id {{ keepalived[instance.name].id }} + interface {{ keepalived.pool[instance.name].administration }} + virtual_router_id {{ keepalived.pool[instance.name].id }} advert_int 2 authentication { auth_type PASS - auth_pass {{ keepalived[instance.name].password }} + auth_pass {{ keepalived.pool[instance.name].password }} } virtual_ipaddress { -{% for zone in keepalived[instance.name].zones %} +{% for zone in keepalived.pool[instance.name].zones %} +{% if zone.ipv6 is defined %} {{ zone.ipv6 }} dev {{ interfaces[zone.vlan] }} scope global +{% endif %} {% endfor %} } } -- GitLab From dfa8f6059b8e436386d3a283143240d62b5c84b2 Mon Sep 17 00:00:00 2001 From: shirenn <shirenn@crans.org> Date: Fri, 7 Aug 2020 17:31:02 +0200 Subject: [PATCH 32/56] [keepalived] Crans configuration --- group_vars/keepalived.yml | 23 +++++++++++++--------- host_vars/bakdaur.adm.crans.org.yml | 11 ++++++----- host_vars/eap.adm.crans.org.yml | 11 ++++++----- host_vars/frontdaur.adm.crans.org.yml | 11 ++++++----- host_vars/gulp.adm.crans.org.yml | 11 ++++++----- host_vars/odlyd.adm.crans.org.yml | 19 +++++++++--------- host_vars/radius.adm.crans.org.yml | 11 ++++++----- host_vars/routeur-daniel.adm.crans.org.yml | 11 ++++++----- host_vars/routeur-sam.adm.crans.org.yml | 11 ++++++----- plays/keepalived.yml | 2 ++ 10 files changed, 68 insertions(+), 53 deletions(-) diff --git a/group_vars/keepalived.yml b/group_vars/keepalived.yml index e23f30b7..11fe3e00 100644 --- a/group_vars/keepalived.yml +++ b/group_vars/keepalived.yml 
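Review bot: The IPv6 instance now binds to `interface {{ keepalived.pool[instance.name].administration }}` while the IPv4 instance above still uses `interface {{ interfaces.adm }}`, and the README describes `administration` as a VLAN name rather than an interface, which suggests `interfaces[keepalived.pool[instance.name].administration]` was intended (as the zones already do with `interfaces[zone.vlan]`). The `pool.dhcp` entry in group_vars/keepalived.yml defines no `administration` key at all; this only goes unnoticed because that pool sets `ipv6: no`, so the first pool with `ipv6` enabled will fail to render. Whichever form is chosen, both instances should use the same lookup.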
@@ -1,11 +1,16 @@ --- -keepalived: - dhcp: - password: "plopisverysecure" - id: 60 - ipv6: no - zones: - - vlan: adh-nat - ipv4: 100.64.0.99/16 - brd: 100.64.255.255 +glob_keepalived: + mail_source: keepalived@crans.org + mail_destination: root@crans.org + smtp_server: smtp.adm.crans.org + pool: + dhcp: + password: "plopisverysecure" + id: 60 + ipv6: no + notify: /usr/scripts/notify-dhcp + zones: + - vlan: adh-nat + ipv4: 100.64.0.99/16 + brd: 100.64.255.255 diff --git a/host_vars/bakdaur.adm.crans.org.yml b/host_vars/bakdaur.adm.crans.org.yml index b81d2233..9ef2268d 100644 --- a/host_vars/bakdaur.adm.crans.org.yml +++ b/host_vars/bakdaur.adm.crans.org.yml @@ -3,8 +3,9 @@ interfaces: adm: eth0 srv: eth1 -keepalived_instances: - - name: proxy - tag: VI_DAUR - state: MASTER - priority: 150 +lco_keepalived: + instances: + - name: proxy + tag: VI_DAUR + state: MASTER + priority: 150 diff --git a/host_vars/eap.adm.crans.org.yml b/host_vars/eap.adm.crans.org.yml index 4e5e746f..31f6cfa6 100644 --- a/host_vars/eap.adm.crans.org.yml +++ b/host_vars/eap.adm.crans.org.yml @@ -5,8 +5,9 @@ interfaces: bornes: eth1 switches: eth2 -keepalived_instances: - - name: radius - tag: VI_RAD - state: BACKUP - priority: 100 +loc_keepalived: + instances: + - name: radius + tag: VI_RAD + state: BACKUP + priority: 100 diff --git a/host_vars/frontdaur.adm.crans.org.yml b/host_vars/frontdaur.adm.crans.org.yml index e2fd550b..69bfb5ea 100644 --- a/host_vars/frontdaur.adm.crans.org.yml +++ b/host_vars/frontdaur.adm.crans.org.yml @@ -3,8 +3,9 @@ interfaces: adm: eth1 srv: eth0 -keepalived_instances: - - name: proxy - tag: VI_DAUR - state: BACKUP - priority: 100 +loc_keepalived: + instances: + - name: proxy + tag: VI_DAUR + state: BACKUP + priority: 100 diff --git a/host_vars/gulp.adm.crans.org.yml b/host_vars/gulp.adm.crans.org.yml index 1d244937..6289c701 100644 --- a/host_vars/gulp.adm.crans.org.yml +++ b/host_vars/gulp.adm.crans.org.yml 
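Review bot: The VRRP shared secret is committed in clear text as `password: "plopisverysecure"`, whereas patch 35 on this page already keeps the LDAP key material in vault variables (`vault_ldap_private_key`); moving it to a vaulted variable, e.g. `password: "{{ vault_keepalived_dhcp_password }}"` (name constructed), keeps the secret out of plain group_vars. Note that VRRP `auth_type PASS` uses only the first eight characters of `auth_pass`, so the long value gives no more protection than `plopisve` and the authentication is in any case unencrypted on the adm VLAN. `ipv6: no` is a YAML 1.1 boolean spelling; `ipv6: false` avoids parser differences, and `brd: 100.64.255.255` is now only tested for truthiness by the template, so `brd: true` would say what it does.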
@@ -7,8 +7,9 @@ interfaces: wifi_new: ens1f0.22 zayo: ens1f0.26 -keepalived_instances: - - name: router - tag: VI_ROUT - state: MASTER - priority: 150 +loc_keepalived: + instances: + - name: router + tag: VI_ROUT + state: MASTER + priority: 150 diff --git a/host_vars/odlyd.adm.crans.org.yml b/host_vars/odlyd.adm.crans.org.yml index 2e0d7c1e..988fb0ca 100644 --- a/host_vars/odlyd.adm.crans.org.yml +++ b/host_vars/odlyd.adm.crans.org.yml @@ -10,12 +10,13 @@ interfaces: srv: ens1f0.24 zayo: ens1f0.26 -keepalived_instances: - - name: radius - tag: VI_RAD - state: BACKUP - priority: 50 - - name: router - tag: VI_ROUT - state: BACKUP - priority: 100 +loc_keepalived: + instances: + - name: radius + tag: VI_RAD + state: BACKUP + priority: 50 + - name: router + tag: VI_ROUT + state: BACKUP + priority: 100 diff --git a/host_vars/radius.adm.crans.org.yml b/host_vars/radius.adm.crans.org.yml index b4a3a4b0..da534c10 100644 --- a/host_vars/radius.adm.crans.org.yml +++ b/host_vars/radius.adm.crans.org.yml @@ -5,8 +5,9 @@ interfaces: bornes: eth1 switches: eth2 -keepalived_instances: - - name: radius - tag: VI_RAD - state: MASTER - priority: 150 +loc_keepalived: + instances: + - name: radius + tag: VI_RAD + state: MASTER + priority: 150 diff --git a/host_vars/routeur-daniel.adm.crans.org.yml b/host_vars/routeur-daniel.adm.crans.org.yml index 3b942bc7..c3b93c47 100644 --- a/host_vars/routeur-daniel.adm.crans.org.yml +++ b/host_vars/routeur-daniel.adm.crans.org.yml @@ -8,8 +8,9 @@ interfaces: adh-nat: ens23 -keepalived_instances: - - name: dhcp - tag: VI_DHCP - state: BACKUP - priority: 100 +loc_keepalived: + instances: + - name: dhcp + tag: VI_DHCP + state: BACKUP + priority: 100 diff --git a/host_vars/routeur-sam.adm.crans.org.yml b/host_vars/routeur-sam.adm.crans.org.yml index bec03731..0c4bc74b 100644 --- a/host_vars/routeur-sam.adm.crans.org.yml +++ b/host_vars/routeur-sam.adm.crans.org.yml 
@@ -8,8 +8,9 @@ interfaces: adh-nat: ens23 -keepalived_instances: - - name: dhcp - tag: VI_DHCP - state: MASTER - priority: 150 +loc_keepalived: + instances: + - name: dhcp + tag: VI_DHCP + state: MASTER + priority: 150 diff --git a/plays/keepalived.yml b/plays/keepalived.yml index dc2e7419..7b6a6634 100755 --- a/plays/keepalived.yml +++ b/plays/keepalived.yml @@ -1,5 +1,7 @@ #!/usr/bin/env ansible-playbook --- - hosts: keepalived + vars: + keepalived: "{{ glob_keepalived | combine(loc_keepalived) }}" roles: - keepalived -- GitLab From 1c47cce83dfc2d845623c54f402a250245bba2c8 Mon Sep 17 00:00:00 2001 From: pa <pa@crans.org> Date: Fri, 7 Aug 2020 17:35:17 +0200 Subject: [PATCH 33/56] [keepalived] Typo bakdaur.adm.crans.org.yml --- host_vars/bakdaur.adm.crans.org.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/host_vars/bakdaur.adm.crans.org.yml b/host_vars/bakdaur.adm.crans.org.yml index 9ef2268d..35863407 100644 --- a/host_vars/bakdaur.adm.crans.org.yml +++ b/host_vars/bakdaur.adm.crans.org.yml @@ -3,7 +3,7 @@ interfaces: adm: eth0 srv: eth1 -lco_keepalived: +loc_keepalived: instances: - name: proxy tag: VI_DAUR -- GitLab From 3587d0ab2d988af619e3e4c521092c247ca8dee7 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot <graillot@crans.org> Date: Sat, 8 Aug 2020 14:56:55 +0200 Subject: [PATCH 34/56] Pollion you're drunk --- group_vars/crans_server/vars.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/crans_server/vars.yml b/group_vars/crans_server/vars.yml index 75c8f4d8..136ce4ab 100644 --- a/group_vars/crans_server/vars.yml +++ b/group_vars/crans_server/vars.yml @@ -6,4 +6,4 @@ ldap: # Parameters for debian mirror debian_mirror: http://mirror.adm.crans.org/debian -debian_components: main non_free +debian_components: main non-free -- GitLab From dc35709d862bf63f67025958c1f12d4697d28861 Mon Sep 17 00:00:00 2001 
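Review bot: `keepalived: "{{ glob_keepalived | combine(loc_keepalived) }}"` fails on any host in the `keepalived` group that defines no `loc_keepalived`, whereas plays/root.yml (patch 35) guards the same pattern with `loc_slapd | default({})`; use `combine(loc_keepalived | default({}))` for consistency. `combine` is shallow by default, so a host that sets `loc_keepalived.pool` would replace the whole global pool rather than add to it; `combine(loc_keepalived | default({}), recursive=True)` is the safer merge if per-host overrides of pool entries are expected.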
From: Benjamin Graillot <graillot@crans.org> Date: Sat, 8 Aug 2020 14:57:43 +0200 Subject: [PATCH 35/56] [slapd] Deploy LDAP certificate --- plays/root.yml | 3 +++ roles/slapd/tasks/main.yml | 10 +++++++--- roles/slapd/templates/ldap/ldap.key.j2 | 1 + roles/slapd/templates/ldap/ldap.pem.j2 | 1 + roles/slapd/templates/ldap/slapd.conf.j2 | 5 ++--- 5 files changed, 14 insertions(+), 6 deletions(-) create mode 100644 roles/slapd/templates/ldap/ldap.key.j2 create mode 100644 roles/slapd/templates/ldap/ldap.pem.j2 diff --git a/plays/root.yml b/plays/root.yml index aa4b9b81..2e82cc8a 100755 --- a/plays/root.yml +++ b/plays/root.yml @@ -28,6 +28,9 @@ - hosts: slapd vars: slapd: '{{ glob_slapd | combine(loc_slapd | default({})) }}' + ldap: + private_key: "{{ vault_ldap_private_key }}" + certificate: "{{ vault_ldap_certificate }}" roles: - slapd diff --git a/roles/slapd/tasks/main.yml b/roles/slapd/tasks/main.yml index 84599aa2..f377a77e 100644 --- a/roles/slapd/tasks/main.yml +++ b/roles/slapd/tasks/main.yml @@ -15,11 +15,15 @@ - name: Deploy slapd configuration template: - src: ldap/slapd.conf.j2 - dest: /etc/ldap/slapd.conf - mode: 0600 + src: "ldap/{{ item.dest }}.j2" + dest: "/etc/ldap/{{ item.dest }}" + mode: "{{ item.mode }}" owner: openldap group: openldap + loop: + - { dest: slapd.conf, mode: "0600" } + - { dest: ldap.key, mode: "0600" } + - { dest: ldap.pem, mode: "0644" } notify: Restart slapd - name: Deploy ldap services diff --git a/roles/slapd/templates/ldap/ldap.key.j2 b/roles/slapd/templates/ldap/ldap.key.j2 new file mode 100644 index 00000000..926db60f --- /dev/null +++ b/roles/slapd/templates/ldap/ldap.key.j2 @@ -0,0 +1 @@ +{{ ldap.private_key }} diff --git a/roles/slapd/templates/ldap/ldap.pem.j2 b/roles/slapd/templates/ldap/ldap.pem.j2 new file mode 100644 index 00000000..ed4f7a5c --- /dev/null +++ b/roles/slapd/templates/ldap/ldap.pem.j2 @@ -0,0 +1 @@ +{{ ldap.certificate }} 
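Review bot: The "Deploy slapd configuration" task now also renders the private key from `ldap/ldap.key.j2`, and a run with `--diff` prints the rendered file contents, so the key ends up in the controller's output and any CI log; deploy the key from its own task with `no_log: true` (or `diff: false`), leaving the loop for `slapd.conf` and `ldap.pem`. The task name no longer describes what it does; "Deploy slapd configuration and TLS material" would. Consider also stating in the task that `mode` is intentionally a quoted string so Ansible does not receive an octal-looking integer.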
diff --git a/roles/slapd/templates/ldap/slapd.conf.j2 b/roles/slapd/templates/ldap/slapd.conf.j2 index 762756b8..5c6cccab 100644 --- a/roles/slapd/templates/ldap/slapd.conf.j2 +++ b/roles/slapd/templates/ldap/slapd.conf.j2 @@ -35,9 +35,8 @@ moduleload syncprov # TODO FAIRE LES CERTIFICATS # TLS Certificates #TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3 -#TLSCACertificateFile /etc/ssl/certs/ServENS.crt -#TLSCertificateFile /etc/ldap/ldap.pem -#TLSCertificateKeyFile /etc/ldap/ldap.key +TLSCertificateFile /etc/ldap/ldap.pem +TLSCertificateKeyFile /etc/ldap/ldap.key # The maximum number of entries that is returned for a search operation sizelimit 500 -- GitLab From b14088da0b91284f68b3070c0f3f28a37798cf7c Mon Sep 17 00:00:00 2001 From: vulcain <vulcain@mercure.adh.crans.org> Date: Sat, 8 Aug 2020 15:19:16 +0200 Subject: [PATCH 36/56] patch source of python.nanorc --- roles/root-config/templates/nanorc.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/root-config/templates/nanorc.j2 b/roles/root-config/templates/nanorc.j2 index d6c3b174..0a24621d 100644 --- a/roles/root-config/templates/nanorc.j2 +++ b/roles/root-config/templates/nanorc.j2 @@ -285,7 +285,7 @@ include "/usr/share/nano/groff.nanorc" include "/usr/share/nano/perl.nanorc" ## Python -include "/usr/local/share/nano/python.nanorc" +include "/usr//share/nano/python.nanorc" ## Ruby include "/usr/share/nano/ruby.nanorc" -- GitLab From d7483f5d9ca8c44ce356283fed423c06f850bb4d Mon Sep 17 00:00:00 2001 From: Benjamin Graillot <graillot@crans.org> Date: Sun, 9 Aug 2020 15:00:13 +0200 Subject: [PATCH 37/56] [ldap.py] LDAP lookup plugin --- lookup_plugins/ldap.py | 101 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 lookup_plugins/ldap.py diff --git a/lookup_plugins/ldap.py b/lookup_plugins/ldap.py new file mode 100644 index 00000000..87cee458 --- /dev/null +++ b/lookup_plugins/ldap.py 
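Review bot: The `# TODO FAIRE LES CERTIFICATS` comment right above the hunk is now stale, since the certificate and key directives are enabled; remove it or replace it with a note that the files are deployed by the slapd role from vault variables. The `TLSCACertificateFile` line is deleted rather than enabled, so if `ldap.pem` holds only the leaf certificate, clients that validate the chain will need the issuing CA from elsewhere; a comment saying whether `ldap.pem` is expected to contain the full chain would make that explicit. `TLSCipherSuite` stays commented, so slapd falls back to the library defaults — fine, but worth a one-line comment so nobody assumes the `HIGH:MEDIUM` line is active.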
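Review bot: The new include path `/usr//share/nano/python.nanorc` contains a doubled slash; the neighbouring includes use `/usr/share/nano/...`, so `include "/usr/share/nano/python.nanorc"` is presumably what was meant. nano may tolerate the extra slash, but the line is visibly inconsistent with the rest of the file.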
@@ -0,0 +1,101 @@ +import ipaddress + +from ansible.errors import AnsibleError, AnsibleParserError +from ansible.plugins.lookup import LookupBase +from ansible.utils.display import Display + +import ldap + +display = Display() + +def decode_object(object): + return {attribute: [value.decode('utf-8') for value in object[attribute]] for attribute in object} + +class LookupModule(LookupBase): + + def __init__(self, **kwargs): + self.base = ldap.initialize('ldaps://localhost:1636/') + self.base.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW) + self.base.set_option(ldap.OPT_X_TLS_NEWCTX, 0) + self.base_dn = 'dc=crans,dc=org' + + def query(self, base, scope, filter='(objectClass=*)', attr=None): + """ + Make a LDAP query + query('ldap', 'query', BASE, SCOPE[, FILTER[, ATTR]]) + BASE: base dn + SCOPE: 'base', 'one' or 'sub' + FILTER: ldap filter (optional) + ATTR: list of attributes (optional) + """ + scope = { 'base': ldap.SCOPE_BASE, 'one': ldap.SCOPE_ONELEVEL, 'sub': ldap.SCOPE_SUBTREE }[scope] + query_id = self.base.search(f"{base}", scope, filter, attr) + result = self.base.result(query_id)[1] + result = { dn: decode_object(entry) for dn, entry in result } + return result + + def ip(self, host, vlan): + """ + Retrieve IP addresses of an interface of a device + query('ldap', 'ip', HOST, VLAN) + """ + if isinstance(vlan, int): + network_query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, f"description={vlan}") + network_result = self.base.result(network_query_id) + vlan = network_result[1][0][1]['cn'][0].decode('utf-8') + if vlan == 'srv': + query_id = self.base.search(f"cn={host}.crans.org,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE) + else: + query_id = self.base.search(f"cn={host}.{vlan}.crans.org,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE) + result = self.base.result(query_id) + result = result[1][0][1] + result = [res.decode('utf-8') for res in result['ipHostNumber']] + return result + + def run(self, 
terms, variables=None, **kwargs): + if terms[0] == 'query': + result = self.query(*terms[1:]) + elif terms[0] == 'ip': + result = self.ip(*terms[1:]) + elif terms[0] == 'group': + query_id = self.base.search(f"ou=group,{self.base_dn}", ldap.SCOPE_SUBTREE, "objectClass=posixGroup") + result = self.base.result(query_id) + result = result[1] + # query interface attribute + # query('ldap', 'hosts', HOST, VLAN, ATTR) + # HOST: device name + # VLAN: vlan name + # ATTR: attribute + elif terms[0] == 'hosts': + host = terms[1] + vlan = terms[2] + attr = terms[3] + if isinstance(vlan, int): + network_query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, f"description={vlan}") + network_result = self.base.result(network_query_id) + vlan = network_result[1][0][1]['cn'][0].decode('utf-8') + if vlan == 'srv': + query_id = self.base.search(f"cn={host}.crans.org,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE) + else: + query_id = self.base.search(f"cn={host}.{vlan}.crans.org,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE) + result = self.base.result(query_id) + result = result[1][0][1] + result = [res.decode('utf-8') for res in result[attr]] + elif terms[0] == 'networks': + network = terms[1] + query_id = self.base.search(f"cn={network},ou=networks,{self.base_dn}", ldap.SCOPE_BASE, "objectClass=ipNetwork") + result = self.base.result(query_id) + result = result[1][0][1] + return [str(ipaddress.ip_network('{}/{}'.format(result['ipNetworkNumber'][0].decode('utf-8'), result['ipNetmaskNumber'][0].decode('utf-8'))))] + elif terms[0] == 'vlanid': + network = terms[1] + query_id = self.base.search(f"cn={network},ou=networks,{self.base_dn}", ldap.SCOPE_BASE, "objectClass=ipNetwork") + result = self.base.result(query_id) + result = result[1][0][1] + return int(result['description'][0]) + elif terms[0] == 'role': + role = terms[1] + query_id = self.base.search(f"ou=hosts,{self.base_dn}", ldap.SCOPE_ONELEVEL, f"description={role}") + result = 
self.base.result(query_id) + result = [cn.decode('utf-8') for res in result[1] for cn in res[1]['cn']] + return result -- GitLab From 756f2e35b1a4e137ba90b14685b4b5b64d6bebaf Mon Sep 17 00:00:00 2001 From: Maxime Bombar <bombar@crans.org> Date: Sun, 9 Aug 2020 18:36:17 +0200 Subject: [PATCH 38/56] Add lookup_plugins path in ansible.cfg --- ansible.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible.cfg b/ansible.cfg index 7a2e7b37..4dd2dddf 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -5,6 +5,7 @@ # Explicitely redefined some defaults to make play execution work roles_path = ./roles vars_plugins = ./vars_plugins +lookup_plugins = ./lookup_plugins # Do not create .retry files retry_files_enabled = False -- GitLab From 84fc337722c553f77036ca83c53cc4b0e07dfccf Mon Sep 17 00:00:00 2001 From: Maxime Bombar <bombar@crans.org> Date: Sun, 9 Aug 2020 19:39:48 +0200 Subject: [PATCH 39/56] [postgresql] Configure psql database --- group_vars/bdd.yml | 13 + host_vars/tealc.adm.crans.org.yml | 2 + hosts | 3 + plays/postgresql.yml | 10 + roles/postgresql/handlers/main.yml | 6 + roles/postgresql/tasks/main.yml | 43 ++ .../templates/postgresql/pg_hba.conf.j2 | 103 +++ .../templates/postgresql/pg_ident.conf.j2 | 44 ++ .../templates/postgresql/postgresql.conf.j2 | 695 ++++++++++++++++++ 9 files changed, 919 insertions(+) create mode 100644 group_vars/bdd.yml create mode 100644 host_vars/tealc.adm.crans.org.yml create mode 100755 plays/postgresql.yml create mode 100644 roles/postgresql/handlers/main.yml create mode 100644 roles/postgresql/tasks/main.yml create mode 100644 roles/postgresql/templates/postgresql/pg_hba.conf.j2 create mode 100644 roles/postgresql/templates/postgresql/pg_ident.conf.j2 create mode 100644 roles/postgresql/templates/postgresql/postgresql.conf.j2 diff --git a/group_vars/bdd.yml b/group_vars/bdd.yml new file mode 100644 index 00000000..bd8c2dba --- /dev/null +++ b/group_vars/bdd.yml 
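Review bot: `__init__` sets `ldap.OPT_X_TLS_REQUIRE_CERT` to `ldap.OPT_X_TLS_ALLOW`, which disables server certificate verification for the `ldaps://localhost:1636/` connection, so the TLS channel authenticates nobody; with the certificate now deployed by the slapd role, `ldap.OPT_X_TLS_DEMAND` plus `ldap.OPT_X_TLS_CACERTFILE` pointing at the issuing CA (a path placeholder until the CA is deployed) is the expected setting, and the `OPT_X_TLS_NEWCTX` call must stay last as it is now. `__init__` never calls `super().__init__(**kwargs)`, so whatever `LookupBase`'s constructor normally stores (loader/templar) is missing on this instance — worth confirming against the Ansible version in use. Every `result[1][0][1]` access raises a bare `IndexError` when a host, VLAN or network does not exist; `AnsibleError` is imported but unused and would give the playbook author a readable message instead. Values are interpolated into LDAP filters unescaped (`f"description={vlan}"`, `f"description={role}"`); `ldap.filter.escape_filter_chars` exists for that, and `run` returns an `int` for `vlanid` and a `dict`/raw tuples for `query`/`group` although lookup plugins are expected to return a list.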
@@ -0,0 +1,13 @@ +glob_postgresql: + hosts: + # Database, User, net CIDR, Method + - [ "etherpad", "crans", "10.231.136.76/32", "etherpad"] + - [ "roundcube", "roundcube", "10.231.136.73/32", "webmail"] + - [ "roundcube", "roundcube", "2a0c:700:0:2:200:13ff:fe03:90b/128", "webmail"] + - [ "all", "all", "10.231.136.73/32", null] + - [ "all", "all", "2a0c:700:0:2:200:13ff:fe03:90b/128", null] + - [ "sql grey pour zamok", "sqlgrey", "sqlgrey", "10.231.136.1/32", null ] + - [ "sqlgrey", "sqlgrey", "2a0c:700:0:2:1e98:ecff:fe15:2c88/128", null ] + + + diff --git a/host_vars/tealc.adm.crans.org.yml b/host_vars/tealc.adm.crans.org.yml new file mode 100644 index 00000000..b0641952 --- /dev/null +++ b/host_vars/tealc.adm.crans.org.yml @@ -0,0 +1,2 @@ +loc_postgresql: + version: 11 diff --git a/hosts b/hosts index 56fefdc0..10cf9866 100644 --- a/hosts +++ b/hosts @@ -25,6 +25,9 @@ # [test_vm] # re2o-test.adm.crans.org +[bdd] +tealc.adm.crans.org + [virtu] sam.adm.crans.org daniel.adm.crans.org diff --git a/plays/postgresql.yml b/plays/postgresql.yml new file mode 100755 index 00000000..009b8125 --- /dev/null +++ b/plays/postgresql.yml @@ -0,0 +1,10 @@ +#!/usr/bin/env ansible-playbook +--- +# Deploy postgresql server +- hosts: bdd + vars: + postgresql: + version: "{{ loc_postgresql.version }}" + hosts: "{{ glob_postgresql.hosts }}" + roles: + - postgresql diff --git a/roles/postgresql/handlers/main.yml b/roles/postgresql/handlers/main.yml new file mode 100644 index 00000000..13e25336 --- /dev/null +++ b/roles/postgresql/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: restart postgresql + systemd: + name: postgresql + state: restarted + enabled: true diff --git a/roles/postgresql/tasks/main.yml b/roles/postgresql/tasks/main.yml new file mode 100644 index 00000000..a8979b2c --- /dev/null +++ b/roles/postgresql/tasks/main.yml 
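Review bot: The `[ "sql grey pour zamok", "sqlgrey", "sqlgrey", "10.231.136.1/32", null ]` entry has five elements while the pg_hba template reads `host[0]`..`host[3]`, so its DATABASE column becomes `sql grey pour zamok`, the user column becomes `sqlgrey`, the CIDR column becomes `sqlgrey` and the trailing `null` is dropped silently; presumably the first string was a comment: `# sqlgrey pour zamok` on its own line followed by `- [ "sqlgrey", "sqlgrey", "10.231.136.1/32", null ]`. The header comment says `Method`, but the template uses the fourth field as an ident `map=` name, so `# Database, User, net CIDR, ident map (or null)` describes the data. The file also lacks the `---` document start used by the other YAML files in this series and ends with several blank lines.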
@@ -0,0 +1,43 @@ +--- +- name: Install postgresql + apt: + update_cache: true + name: postgresql + state: present + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Ensure main postgresql directory exists + file: + path: /etc/postgresql/{{ postgresql.version }}/main/ + state: directory + owner: postgres + group: postgres + mode: 0755 + recurse: yes + +- name: Ensure configuration directory exists + file: + path: /etc/postgresql/{{ postgresql.version }}/main/conf.d + state: directory + owner: postgres + group: postgres + mode: 0755 + +- name: Configuration of postgresql {{ postgresql.version }} + template: + src: postgresql/{{ item }}.j2 + dest: /etc/postgresql/{{ postgresql.version }}/main/{{ item }} + mode: 0640 + owner: postgres + group: postgres + loop: + - pg_hba.conf + - pg_ident.conf + - postgresql.conf + notify: + - restart postgresql + + + diff --git a/roles/postgresql/templates/postgresql/pg_hba.conf.j2 b/roles/postgresql/templates/postgresql/pg_hba.conf.j2 new file mode 100644 index 00000000..96d07142 --- /dev/null +++ b/roles/postgresql/templates/postgresql/pg_hba.conf.j2 
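Review bot: `recurse: yes` on the "Ensure main postgresql directory exists" task applies `mode: 0755` to every file already under `/etc/postgresql/{{ postgresql.version }}/main/`, and the template task below then sets the same files to `0640`, so the two tasks undo each other on every run and the config files are world-readable between them; drop `recurse: yes`, the directory itself is all that needs to exist. `apt: name: postgresql` installs the distribution's default cluster, which is not necessarily `postgresql.version`; `name: "postgresql-{{ postgresql.version }}"` pins the version the templates are written for. Booleans elsewhere in these task files are spelled `true`, so `recurse`/`yes` is also a style inconsistency.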
@@ -0,0 +1,103 @@ +{{ ansible_header | comment }} + +# PostgreSQL Client Authentication Configuration File +# =================================================== +# +# Refer to the "Client Authentication" section in the PostgreSQL +# documentation for a complete description of this file. A short +# synopsis follows. +# +# This file controls: which hosts are allowed to connect, how clients +# are authenticated, which PostgreSQL user names they can use, which +# databases they can access. Records take one of these forms: +# +# local DATABASE USER METHOD [OPTIONS] +# host DATABASE USER ADDRESS METHOD [OPTIONS] +# hostssl DATABASE USER ADDRESS METHOD [OPTIONS] +# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] +# +# (The uppercase items must be replaced by actual values.) +# +# The first field is the connection type: "local" is a Unix-domain +# socket, "host" is either a plain or SSL-encrypted TCP/IP socket, +# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a +# plain TCP/IP socket. +# +# DATABASE can be "all", "sameuser", "samerole", "replication", a +# database name, or a comma-separated list thereof. The "all" +# keyword does not match "replication". Access to replication +# must be enabled in a separate record (see example below). +# +# USER can be "all", a user name, a group name prefixed with "+", or a +# comma-separated list thereof. In both the DATABASE and USER fields +# you can also write a file name prefixed with "@" to include names +# from a separate file. +# +# ADDRESS specifies the set of hosts the record matches. It can be a +# host name, or it is made up of an IP address and a CIDR mask that is +# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that +# specifies the number of significant bits in the mask. A host name +# that starts with a dot (.) matches a suffix of the actual host name. +# Alternatively, you can write an IP address and netmask in separate +# columns to specify the set of hosts. 
Instead of a CIDR-address, you +# can write "samehost" to match any of the server's own IP addresses, +# or "samenet" to match any address in any subnet that the server is +# directly connected to. +# +# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256", +# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". +# Note that "password" sends passwords in clear text; "md5" or +# "scram-sha-256" are preferred since they send encrypted passwords. +# +# OPTIONS are a set of options for the authentication in the format +# NAME=VALUE. The available options depend on the different +# authentication methods -- refer to the "Client Authentication" +# section in the documentation for a list of which options are +# available for which authentication methods. +# +# Database and user names containing spaces, commas, quotes and other +# special characters must be quoted. Quoting one of the keywords +# "all", "sameuser", "samerole" or "replication" makes the name lose +# its special character, and just match a database or username with +# that name. +# +# This file is read on server startup and when the server receives a +# SIGHUP signal. If you edit the file on a running system, you have to +# SIGHUP the server for the changes to take effect, run "pg_ctl reload", +# or execute "SELECT pg_reload_conf()". +# +# Put your actual configuration here +# ---------------------------------- +# +# If you want to allow non-local connections, you need to add more +# "host" records. In that case you will also need to make PostgreSQL +# listen on a non-local interface via the listen_addresses +# configuration parameter, or via the -i or -h command line switches. + + + + +# DO NOT DISABLE! +# If you change this first entry you will need to make sure that the +# database superuser can access the database using some other method. 
+# Noninteractive access to all databases is required during automatic +# maintenance (custom daily cronjobs, replication, and similar tasks). +# +# Database administrative login by Unix domain socket +local all postgres peer + +# TYPE DATABASE USER ADDRESS METHOD + +# "local" is for Unix domain socket connections only +local all all peer + +{% for host in postgresql.hosts %} +host {{ host[0] }} {{ host[1] }} {{ host[2] }} ident {% if host[3] %}map={{ host[3] }}{% endif %} +{% endfor %} + + +# Allow replication connections from localhost, by a user with the +# replication privilege. +local replication all peer +host replication all 127.0.0.1/32 md5 +host replication all ::1/128 md5 diff --git a/roles/postgresql/templates/postgresql/pg_ident.conf.j2 b/roles/postgresql/templates/postgresql/pg_ident.conf.j2 new file mode 100644 index 00000000..1047e976 --- /dev/null +++ b/roles/postgresql/templates/postgresql/pg_ident.conf.j2 
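Review bot: Every generated `host` record uses the `ident` method; over TCP that asks the client machine's identd (RFC 1413) who owns the connection, so the server trusts whatever the remote host answers rather than authenticating the client, and the comment block above only warns about `password`. Unless each listed host runs a trusted identd on an isolated network, `scram-sha-256` (or `md5` for older clients), or `cert` on `hostssl` records, is the usual choice; at minimum a comment should record why `ident` is acceptable here. A DATABASE or USER value containing spaces must be double-quoted in pg_hba.conf, and the `sql grey pour zamok` entry in group_vars/bdd.yml would currently render unquoted.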
@@ -0,0 +1,44 @@ +{{ ansible_header | comment }} + +# PostgreSQL User Name Maps +# ========================= +# +# Refer to the PostgreSQL documentation, chapter "Client +# Authentication" for a complete description. A short synopsis +# follows. +# +# This file controls PostgreSQL user name mapping. It maps external +# user names to their corresponding PostgreSQL user names. Records +# are of the form: +# +# MAPNAME SYSTEM-USERNAME PG-USERNAME +# +# (The uppercase quantities must be replaced by actual values.) +# +# MAPNAME is the (otherwise freely chosen) map name that was used in +# pg_hba.conf. SYSTEM-USERNAME is the detected user name of the +# client. PG-USERNAME is the requested PostgreSQL user name. The +# existence of a record specifies that SYSTEM-USERNAME may connect as +# PG-USERNAME. +# +# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a +# regular expression. Optionally this can contain a capture (a +# parenthesized subexpression). The substring matching the capture +# will be substituted for \1 (backslash-one) if present in +# PG-USERNAME. +# +# Multiple maps may be specified in this file and used by pg_hba.conf. +# +# No map names are defined in the default configuration. If all +# system user names and PostgreSQL user names are the same, you don't +# need anything in this file. +# +# This file is read on server startup and when the postmaster receives +# a SIGHUP signal. If you edit the file on a running system, you have +# to SIGHUP the postmaster for the changes to take effect. You can +# use "pg_ctl reload" to do that. + +# Put your actual configuration here +# ---------------------------------- + +# MAPNAME SYSTEM-USERNAME PG-USERNAME diff --git a/roles/postgresql/templates/postgresql/postgresql.conf.j2 b/roles/postgresql/templates/postgresql/postgresql.conf.j2 new file mode 100644 index 00000000..c5a09617 --- /dev/null +++ b/roles/postgresql/templates/postgresql/postgresql.conf.j2 
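Review bot: The template defines no map lines, yet the generated pg_hba.conf references `map=etherpad` and `map=webmail` from group_vars/bdd.yml; a record whose map is not defined in pg_ident.conf cannot match, so those hosts are rejected as soon as this file is deployed. Either render the maps from a variable (e.g. a `postgresql.ident_maps` list, name constructed) under the `# MAPNAME SYSTEM-USERNAME PG-USERNAME` header, or drop the map column from the hosts list until the maps exist. A short comment stating that this file is managed by Ansible and that maps come from group_vars would prevent someone editing it by hand.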
@@ -0,0 +1,695 @@ +{{ ansible_header | comment }} + +# ----------------------------- +# PostgreSQL configuration file +# ----------------------------- +# +# This file consists of lines of the form: +# +# name = value +# +# (The "=" is optional.) Whitespace may be used. Comments are introduced with +# "#" anywhere on a line. The complete list of parameter names and allowed +# values can be found in the PostgreSQL documentation. +# +# The commented-out settings shown in this file represent the default values. +# Re-commenting a setting is NOT sufficient to revert it to the default value; +# you need to reload the server. +# +# This file is read on server startup and when the server receives a SIGHUP +# signal. If you edit the file on a running system, you have to SIGHUP the +# server for the changes to take effect, run "pg_ctl reload", or execute +# "SELECT pg_reload_conf()". Some parameters, which are marked below, +# require a server shutdown and restart to take effect. +# +# Any parameter can also be given as a command-line option to the server, e.g., +# "postgres -c log_connections=on". Some parameters can be changed at run time +# with the "SET" SQL command. +# +# Memory units: kB = kilobytes Time units: ms = milliseconds +# MB = megabytes s = seconds +# GB = gigabytes min = minutes +# TB = terabytes h = hours +# d = days + + +#------------------------------------------------------------------------------ +# FILE LOCATIONS +#------------------------------------------------------------------------------ + +# The default values of these variables are driven from the -D command-line +# option or PGDATA environment variable, represented here as ConfigDir. 
+ +data_directory = '/var/lib/postgresql/{{ postgresql.version }}/main' # use data in another directory + # (change requires restart) +hba_file = '/etc/postgresql/{{ postgresql.version }}/main/pg_hba.conf' # host-based authentication file + # (change requires restart) +ident_file = '/etc/postgresql/{{ postgresql.version }}/main/pg_ident.conf' # ident configuration file + # (change requires restart) + +# If external_pid_file is not explicitly set, no extra PID file is written. +external_pid_file = '/var/run/postgresql/{{ postgresql.version }}-main.pid' # write an extra PID file + # (change requires restart) + + +#------------------------------------------------------------------------------ +# CONNECTIONS AND AUTHENTICATION +#------------------------------------------------------------------------------ + +# - Connection Settings - + +#listen_addresses = 'localhost' # what IP address(es) to listen on; + # comma-separated list of addresses; + # defaults to 'localhost'; use '*' for all + # (change requires restart) +port = 5432 # (change requires restart) +max_connections = 100 # (change requires restart) +#superuser_reserved_connections = 3 # (change requires restart) +unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories + # (change requires restart) +#unix_socket_group = '' # (change requires restart) +#unix_socket_permissions = 0777 # begin with 0 to use octal notation + # (change requires restart) +#bonjour = off # advertise server via Bonjour + # (change requires restart) +#bonjour_name = '' # defaults to the computer name + # (change requires restart) + +# - TCP Keepalives - +# see "man 7 tcp" for details + +#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; + # 0 selects the system default +#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; + # 0 selects the system default +#tcp_keepalives_count = 0 # TCP_KEEPCNT; + # 0 selects the system default + + +# - Authentication - + +#authentication_timeout = 1min # 1s-600s 
+#password_encryption = md5 # md5 or scram-sha-256 +#db_user_namespace = off + +# GSSAPI using Kerberos +#krb_server_keyfile = '' +#krb_caseins_users = off + +# - SSL - + +ssl = on +#ssl_ca_file = '' +ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' +#ssl_crl_file = '' +ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers +#ssl_prefer_server_ciphers = on +#ssl_ecdh_curve = 'prime256v1' +#ssl_dh_params_file = '' +#ssl_passphrase_command = '' +#ssl_passphrase_command_supports_reload = off + + +#------------------------------------------------------------------------------ +# RESOURCE USAGE (except WAL) +#------------------------------------------------------------------------------ + +# - Memory - + +shared_buffers = 128MB # min 128kB + # (change requires restart) +#huge_pages = try # on, off, or try + # (change requires restart) +#temp_buffers = 8MB # min 800kB +#max_prepared_transactions = 0 # zero disables the feature + # (change requires restart) +# Caution: it is not advisable to set max_prepared_transactions nonzero unless +# you actively intend to use prepared transactions. 
+#work_mem = 4MB # min 64kB +#maintenance_work_mem = 64MB # min 1MB +#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem +#max_stack_depth = 2MB # min 100kB +dynamic_shared_memory_type = posix # the default is the first option + # supported by the operating system: + # posix + # sysv + # windows + # mmap + # (change requires restart) + +# - Disk - + +#temp_file_limit = -1 # limits per-process temp file space + # in kB, or -1 for no limit + +# - Kernel Resources - + +#max_files_per_process = 1000 # min 25 + # (change requires restart) + +# - Cost-Based Vacuum Delay - + +#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables) +#vacuum_cost_page_hit = 1 # 0-10000 credits +#vacuum_cost_page_miss = 10 # 0-10000 credits +#vacuum_cost_page_dirty = 20 # 0-10000 credits +#vacuum_cost_limit = 200 # 1-10000 credits + +# - Background Writer - + +#bgwriter_delay = 200ms # 10-10000ms between rounds +#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables +#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round +#bgwriter_flush_after = 512kB # measured in pages, 0 disables + +# - Asynchronous Behavior - + +#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching +#max_worker_processes = 8 # (change requires restart) +#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers +#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers +#parallel_leader_participation = on +#max_parallel_workers = 8 # maximum number of max_worker_processes that + # can be used in parallel operations +#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate + # (change requires restart) +#backend_flush_after = 0 # measured in pages, 0 disables + + +#------------------------------------------------------------------------------ +# WRITE-AHEAD LOG +#------------------------------------------------------------------------------ + +# - Settings - + +#wal_level = replica # minimal, replica, or logical + # 
(change requires restart) +#fsync = on # flush data to disk for crash safety + # (turning this off can cause + # unrecoverable data corruption) +#synchronous_commit = on # synchronization level; + # off, local, remote_write, remote_apply, or on +#wal_sync_method = fsync # the default is the first option + # supported by the operating system: + # open_datasync + # fdatasync (default on Linux) + # fsync + # fsync_writethrough + # open_sync +#full_page_writes = on # recover from partial page writes +#wal_compression = off # enable compression of full-page writes +#wal_log_hints = off # also do full page writes of non-critical updates + # (change requires restart) +#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers + # (change requires restart) +#wal_writer_delay = 200ms # 1-10000 milliseconds +#wal_writer_flush_after = 1MB # measured in pages, 0 disables + +#commit_delay = 0 # range 0-100000, in microseconds +#commit_siblings = 5 # range 1-1000 + +# - Checkpoints - + +#checkpoint_timeout = 5min # range 30s-1d +max_wal_size = 1GB +min_wal_size = 80MB +#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0 +#checkpoint_flush_after = 256kB # measured in pages, 0 disables +#checkpoint_warning = 30s # 0 disables + +# - Archiving - + +#archive_mode = off # enables archiving; off, on, or always + # (change requires restart) +#archive_command = '' # command to use to archive a logfile segment + # placeholders: %p = path of file to archive + # %f = file name only + # e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f' +#archive_timeout = 0 # force a logfile segment switch after this + # number of seconds; 0 disables + + +#------------------------------------------------------------------------------ +# REPLICATION +#------------------------------------------------------------------------------ + +# - Sending Servers - + +# Set these on the master and on any standby that will send replication data. 
+ +#max_wal_senders = 10 # max number of walsender processes + # (change requires restart) +#wal_keep_segments = 0 # in logfile segments; 0 disables +#wal_sender_timeout = 60s # in milliseconds; 0 disables + +#max_replication_slots = 10 # max number of replication slots + # (change requires restart) +#track_commit_timestamp = off # collect timestamp of transaction commit + # (change requires restart) + +# - Master Server - + +# These settings are ignored on a standby server. + +#synchronous_standby_names = '' # standby servers that provide sync rep + # method to choose sync standbys, number of sync standbys, + # and comma-separated list of application_name + # from standby(s); '*' = all +#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed + +# - Standby Servers - + +# These settings are ignored on a master server. + +#hot_standby = on # "off" disallows queries during recovery + # (change requires restart) +#max_standby_archive_delay = 30s # max delay before canceling queries + # when reading WAL from archive; + # -1 allows indefinite delay +#max_standby_streaming_delay = 30s # max delay before canceling queries + # when reading streaming WAL; + # -1 allows indefinite delay +#wal_receiver_status_interval = 10s # send replies at least this often + # 0 disables +#hot_standby_feedback = off # send info from standby to prevent + # query conflicts +#wal_receiver_timeout = 60s # time that receiver waits for + # communication from master + # in milliseconds; 0 disables +#wal_retrieve_retry_interval = 5s # time to wait before retrying to + # retrieve WAL after a failed attempt +# - Subscribers - + +# These settings are ignored on a publisher. 
+ +#max_logical_replication_workers = 4 # taken from max_worker_processes + # (change requires restart) +#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers + + +#------------------------------------------------------------------------------ +# QUERY TUNING +#------------------------------------------------------------------------------ + +# - Planner Method Configuration - + +#enable_bitmapscan = on +#enable_hashagg = on +#enable_hashjoin = on +#enable_indexscan = on +#enable_indexonlyscan = on +#enable_material = on +#enable_mergejoin = on +#enable_nestloop = on +#enable_parallel_append = on +#enable_seqscan = on +#enable_sort = on +#enable_tidscan = on +#enable_partitionwise_join = off +#enable_partitionwise_aggregate = off +#enable_parallel_hash = on +#enable_partition_pruning = on + +# - Planner Cost Constants - + +#seq_page_cost = 1.0 # measured on an arbitrary scale +#random_page_cost = 4.0 # same scale as above +#cpu_tuple_cost = 0.01 # same scale as above +#cpu_index_tuple_cost = 0.005 # same scale as above +#cpu_operator_cost = 0.0025 # same scale as above +#parallel_tuple_cost = 0.1 # same scale as above +#parallel_setup_cost = 1000.0 # same scale as above + +#jit_above_cost = 100000 # perform JIT compilation if available + # and query more expensive than this; + # -1 disables +#jit_inline_above_cost = 500000 # inline small functions if query is + # more expensive than this; -1 disables +#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if + # query is more expensive than this; + # -1 disables + +#min_parallel_table_scan_size = 8MB +#min_parallel_index_scan_size = 512kB +#effective_cache_size = 4GB + +# - Genetic Query Optimizer - + +#geqo = on +#geqo_threshold = 12 +#geqo_effort = 5 # range 1-10 +#geqo_pool_size = 0 # selects default based on effort +#geqo_generations = 0 # selects default based on effort +#geqo_selection_bias = 2.0 # range 1.5-2.0 +#geqo_seed = 0.0 # range 0.0-1.0 + +# - Other Planner 
Options - + +#default_statistics_target = 100 # range 1-10000 +#constraint_exclusion = partition # on, off, or partition +#cursor_tuple_fraction = 0.1 # range 0.0-1.0 +#from_collapse_limit = 8 +#join_collapse_limit = 8 # 1 disables collapsing of explicit + # JOIN clauses +#force_parallel_mode = off +#jit = on # allow JIT compilation +#plan_cache_mode = auto # auto, force_generic_plan or + # force_custom_plan + + +#------------------------------------------------------------------------------ +# REPORTING AND LOGGING +#------------------------------------------------------------------------------ + +# - Where to Log - + +#log_destination = 'stderr' # Valid values are combinations of + # stderr, csvlog, syslog, and eventlog, + # depending on platform. csvlog + # requires logging_collector to be on. + +# This is used when logging to stderr: +#logging_collector = off # Enable capturing of stderr and csvlog + # into log files. Required to be on for + # csvlogs. + # (change requires restart) + +# These are only used if logging_collector is on: +#log_directory = 'log' # directory where log files are written, + # can be absolute or relative to PGDATA +#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern, + # can include strftime() escapes +#log_file_mode = 0600 # creation mode for log files, + # begin with 0 to use octal notation +#log_truncate_on_rotation = off # If on, an existing log file with the + # same name as the new log file will be + # truncated rather than appended to. + # But such truncation only occurs on + # time-driven rotation, not on restarts + # or size-driven rotation. Default is + # off, meaning append to existing files + # in all cases. +#log_rotation_age = 1d # Automatic rotation of logfiles will + # happen after that time. 0 disables. +#log_rotation_size = 10MB # Automatic rotation of logfiles will + # happen after that much log output. + # 0 disables. 
+ +# These are relevant when logging to syslog: +#syslog_facility = 'LOCAL0' +#syslog_ident = 'postgres' +#syslog_sequence_numbers = on +#syslog_split_messages = on + +# This is only relevant when logging to eventlog (win32): +# (change requires restart) +#event_source = 'PostgreSQL' + +# - When to Log - + +#log_min_messages = warning # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic + +#log_min_error_statement = error # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic (effectively off) + +#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements + # and their durations, > 0 logs only + # statements running at least this number + # of milliseconds + + +# - What to Log - + +#debug_print_parse = off +#debug_print_rewritten = off +#debug_print_plan = off +#debug_pretty_print = on +#log_checkpoints = off +#log_connections = off +#log_disconnections = off +#log_duration = off +#log_error_verbosity = default # terse, default, or verbose messages +#log_hostname = off +log_line_prefix = '%m [%p] %q%u@%d ' # special values: + # %a = application name + # %u = user name + # %d = database name + # %r = remote host and port + # %h = remote host + # %p = process ID + # %t = timestamp without milliseconds + # %m = timestamp with milliseconds + # %n = timestamp with milliseconds (as a Unix epoch) + # %i = command tag + # %e = SQL state + # %c = session ID + # %l = session line number + # %s = session start timestamp + # %v = virtual transaction ID + # %x = transaction ID (0 if none) + # %q = stop here in non-session + # processes + # %% = '%' + # e.g. 
'<%u%%%d> ' +#log_lock_waits = off # log lock waits >= deadlock_timeout +#log_statement = 'none' # none, ddl, mod, all +#log_replication_commands = off +#log_temp_files = -1 # log temporary files equal or larger + # than the specified size in kilobytes; + # -1 disables, 0 logs all temp files +log_timezone = 'Europe/Paris' + +#------------------------------------------------------------------------------ +# PROCESS TITLE +#------------------------------------------------------------------------------ + +cluster_name = '{{ postgresql.version }}/main' # added to process titles if nonempty + # (change requires restart) +#update_process_title = on + + +#------------------------------------------------------------------------------ +# STATISTICS +#------------------------------------------------------------------------------ + +# - Query and Index Statistics Collector - + +#track_activities = on +#track_counts = on +#track_io_timing = off +#track_functions = none # none, pl, all +#track_activity_query_size = 1024 # (change requires restart) +stats_temp_directory = '/var/run/postgresql/{{ postgresql.version }}-main.pg_stat_tmp' + + +# - Monitoring - + +#log_parser_stats = off +#log_planner_stats = off +#log_executor_stats = off +#log_statement_stats = off + + +#------------------------------------------------------------------------------ +# AUTOVACUUM +#------------------------------------------------------------------------------ + +#autovacuum = on # Enable autovacuum subprocess? 'on' + # requires track_counts to also be on. +#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and + # their durations, > 0 logs only + # actions running at least this number + # of milliseconds. 
+#autovacuum_max_workers = 3 # max number of autovacuum subprocesses + # (change requires restart) +#autovacuum_naptime = 1min # time between autovacuum runs +#autovacuum_vacuum_threshold = 50 # min number of row updates before + # vacuum +#autovacuum_analyze_threshold = 50 # min number of row updates before + # analyze +#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum +#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze +#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum + # (change requires restart) +#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age + # before forced vacuum + # (change requires restart) +#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for + # autovacuum, in milliseconds; + # -1 means use vacuum_cost_delay +#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for + # autovacuum, -1 means use + # vacuum_cost_limit + + +#------------------------------------------------------------------------------ +# CLIENT CONNECTION DEFAULTS +#------------------------------------------------------------------------------ + +# - Statement Behavior - + +#client_min_messages = notice # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # log + # notice + # warning + # error +#search_path = '"$user", public' # schema names +#row_security = on +#default_tablespace = '' # a tablespace name, '' uses the default +#temp_tablespaces = '' # a list of tablespace names, '' uses + # only default tablespace +#check_function_bodies = on +#default_transaction_isolation = 'read committed' +#default_transaction_read_only = off +#default_transaction_deferrable = off +#session_replication_role = 'origin' +#statement_timeout = 0 # in milliseconds, 0 is disabled +#lock_timeout = 0 # in milliseconds, 0 is disabled +#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled +#vacuum_freeze_min_age = 
50000000 +#vacuum_freeze_table_age = 150000000 +#vacuum_multixact_freeze_min_age = 5000000 +#vacuum_multixact_freeze_table_age = 150000000 +#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples + # before index cleanup, 0 always performs + # index cleanup +#bytea_output = 'hex' # hex, escape +#xmlbinary = 'base64' +#xmloption = 'content' +#gin_fuzzy_search_limit = 0 +#gin_pending_list_limit = 4MB + +# - Locale and Formatting - + +datestyle = 'iso, dmy' +#intervalstyle = 'postgres' +timezone = 'Europe/Paris' +#timezone_abbreviations = 'Default' # Select the set of available time zone + # abbreviations. Currently, there are + # Default + # Australia (historical usage) + # India + # You can create your own file in + # share/timezonesets/. +#extra_float_digits = 1 # min -15, max 3; any value >0 actually + # selects precise output mode +#client_encoding = sql_ascii # actually, defaults to database + # encoding + +# These settings are initialized by initdb, but they can be changed. 
+lc_messages = 'fr_FR.UTF-8' # locale for system error message + # strings +lc_monetary = 'fr_FR.UTF-8' # locale for monetary formatting +lc_numeric = 'fr_FR.UTF-8' # locale for number formatting +lc_time = 'fr_FR.UTF-8' # locale for time formatting + +# default configuration for text search +default_text_search_config = 'pg_catalog.french' + +# - Shared Library Preloading - + +#shared_preload_libraries = '' # (change requires restart) +#local_preload_libraries = '' +#session_preload_libraries = '' +#jit_provider = 'llvmjit' # JIT library to use + +# - Other Defaults - + +#dynamic_library_path = '$libdir' + + +#------------------------------------------------------------------------------ +# LOCK MANAGEMENT +#------------------------------------------------------------------------------ + +#deadlock_timeout = 1s +#max_locks_per_transaction = 64 # min 10 + # (change requires restart) +#max_pred_locks_per_transaction = 64 # min 10 + # (change requires restart) +#max_pred_locks_per_relation = -2 # negative values mean + # (max_pred_locks_per_transaction + # / -max_pred_locks_per_relation) - 1 +#max_pred_locks_per_page = 2 # min 0 + + +#------------------------------------------------------------------------------ +# VERSION AND PLATFORM COMPATIBILITY +#------------------------------------------------------------------------------ + +# - Previous PostgreSQL Versions - + +#array_nulls = on +#backslash_quote = safe_encoding # on, off, or safe_encoding +#default_with_oids = off +#escape_string_warning = on +#lo_compat_privileges = off +#operator_precedence_warning = off +#quote_all_identifiers = off +#standard_conforming_strings = on +#synchronize_seqscans = on + +# - Other Platforms and Clients - + +#transform_null_equals = off + + +#------------------------------------------------------------------------------ +# ERROR HANDLING +#------------------------------------------------------------------------------ + +#exit_on_error = off # terminate session on any error? 
+#restart_after_crash = on # reinitialize after backend crash? +#data_sync_retry = off # retry or panic on failure to fsync + # data? + # (change requires restart) + + +#------------------------------------------------------------------------------ +# CONFIG FILE INCLUDES +#------------------------------------------------------------------------------ + +# These options allow settings to be loaded from files other than the +# default postgresql.conf. Note that these are directives, not variable +# assignments, so they can usefully be given more than once. + +include_dir = 'conf.d' # include files ending in '.conf' from + # a directory, e.g., 'conf.d' +#include_if_exists = '...' # include file only if it exists +#include = '...' # include file + + +#------------------------------------------------------------------------------ +# CUSTOMIZED OPTIONS +#------------------------------------------------------------------------------ + +# Add settings for extensions here -- GitLab From aacd9e1e3149a18ef737a989dcaf5642f3356bb4 Mon Sep 17 00:00:00 2001 From: Maxime Bombar <bombar@crans.org> Date: Mon, 10 Aug 2020 02:25:54 +0200 Subject: [PATCH 40/56] Install re2o on new infra --- group_vars/all/vars.yaml | 4 +- group_vars/re2o.yml | 17 +++++++++ host_vars/re2o-newinfra.adm.crans.org.yml | 12 ++++++ hosts | 4 ++ plays/re2o.yml | 7 ++++ roles/re2o/tasks/main.yml | 5 ++- .../re2o/templates/re2o/settings_local.py.j2 | 37 ++++++++++--------- 7 files changed, 66 insertions(+), 20 deletions(-) create mode 100644 group_vars/re2o.yml create mode 100644 host_vars/re2o-newinfra.adm.crans.org.yml create mode 100755 plays/re2o.yml diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml index 44aee993..defee09c 100644 --- a/group_vars/all/vars.yaml +++ b/group_vars/all/vars.yaml @@ -1,4 +1,5 @@ --- + # Custom header dirty: "{{lookup('pipe', 'git diff --quiet || echo dirty')}}" ansible_header: | 
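Review bot: `ssl = on` is paired with Debian's self-signed placeholder pair, `ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'` and `ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'`, so clients cannot verify the server identity: only `sslmode=prefer`/`require` will connect, which hides traffic from a passive sniffer but does nothing against an on-path attacker between the `host` entries in the pg_hba.conf template and the server. Template the paths from a role variable pointing at a certificate the clients can validate (e.g. `ssl_cert_file = '{{ postgresql.ssl_cert_file }}'`), or at least leave a comment stating the snakeoil pair is a stopgap and that `verify-full` is not expected to work. In the same hunk `#password_encryption = md5` is left at its default while pg_hba.conf uses `md5` for replication; `password_encryption = scram-sha-256` is the usual hardening here, and `ssl_min_protocol_version = 'TLSv1.2'` if the templated `postgresql.version` supports it (presumably 12, given `plan_cache_mode`, but I cannot confirm from the diff).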
@@ -40,7 +41,8 @@ adm_subnet: 10.231.136.0/24 # # # # global server definitions -# mail_server: smtp.adm.crans.org +glob_smtp: smtp.adm.crans.org + glob_ldap: servers: - 172.16.10.1 diff --git a/group_vars/re2o.yml b/group_vars/re2o.yml new file mode 100644 index 00000000..63ed9d98 --- /dev/null +++ b/group_vars/re2o.yml @@ -0,0 +1,17 @@ +--- +glob_re2o: + django_secret_key: "{{ vault_re2o_django_secret_key }}" + aes_key: "{{ vault_re2o_aes_key }}" + admins: + - ('Root', 'root@crans.org') + allowed_hosts: + - 're2o.adm.crans.org' + - 'intranet.adm.crans.org' + from_email: "root@crans.org" + ldap: + master_password: "{{ vault_ldap_master_password }}" + uri: "ldap://re2o-ldap.adm.crans.org/" + dn: "cn=admin,dc=crans,dc=org" + database: + password: "{{ vault_re2o_db_password }}" + uri: "tealc.adm.crans.org" diff --git a/host_vars/re2o-newinfra.adm.crans.org.yml b/host_vars/re2o-newinfra.adm.crans.org.yml new file mode 100644 index 00000000..9a00f5a1 --- /dev/null +++ b/host_vars/re2o-newinfra.adm.crans.org.yml @@ -0,0 +1,12 @@ +--- +interfaces: + adm: eth0 + srv-nat: eth1 + + +loc_re2o: + owner: root + group: nounou + version: master + settings_local_owner: root + settings_local_group: nounou diff --git a/hosts b/hosts index 10cf9866..a875a9ee 100644 --- a/hosts +++ b/hosts @@ -25,6 +25,9 @@ # [test_vm] # re2o-test.adm.crans.org +[re2o] +re2o-newinfra.adm.crans.org + [bdd] tealc.adm.crans.org @@ -62,6 +65,7 @@ jack.adm.crans.org routeur-sam.adm.crans.org routeur-daniel.adm.crans.org belenios # on changera plus tard +re2o-ldap.adm.crans.org [ovh_physical] sputnik.adm.crans.org diff --git a/plays/re2o.yml b/plays/re2o.yml new file mode 100755 index 00000000..1aff13b2 --- /dev/null +++ b/plays/re2o.yml @@ -0,0 +1,7 @@ +#!/usr/bin/env ansible-playbook +--- +- hosts: re2o + vars: + re2o: "{{ glob_re2o | combine(loc_re2o) }}" + roles: + - re2o diff --git a/roles/re2o/tasks/main.yml b/roles/re2o/tasks/main.yml index 7ec7c9a4..b16c0b55 100644 --- a/roles/re2o/tasks/main.yml 
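Review bot: In group_vars/re2o.yml the `admins` entries are Python source text, `- ('Root', 'root@crans.org')`, that settings_local.py.j2 later drops into the generated module unquoted via `{{ admin }}`, so the inventory variable is effectively executable code and any quote or comma in a value breaks or alters the settings file. Keep the data structured, `- name: Root` / `  email: root@crans.org`, and have the template build the tuple itself, `('{{ admin.name }}', '{{ admin.email }}')`. The same hunk sets `uri: "ldap://re2o-ldap.adm.crans.org/"` for the `cn=admin` master bind; a `ldaps://` URI (or StartTLS on the client side) is the expected value for a credential of that weight, though I cannot tell from here whether re2o-ldap has a certificate yet.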
+++ b/roles/re2o/tasks/main.yml @@ -14,7 +14,9 @@ - python3-dateutil - python3-djangorestframework - python3-django-reversion + - python3-django-ldapdb - python3-pip + - python3-pil - python3-crypto - python3-git - python3-psycopg2 @@ -32,7 +34,7 @@ executable: pip2 name: - django-bootstrap3 - - django-ldapdb==0.9.0 + - django-ldapdb==1.3.0 - django-macaddress - name: Install re2o pip3 dependancies @@ -40,7 +42,6 @@ executable: pip3 name: - django-bootstrap3 - - django-ldapdb==0.9.0 - django-macaddress - name: Create re2o directory diff --git a/roles/re2o/templates/re2o/settings_local.py.j2 b/roles/re2o/templates/re2o/settings_local.py.j2 index a11c957f..4c45eed1 100644 --- a/roles/re2o/templates/re2o/settings_local.py.j2 +++ b/roles/re2o/templates/re2o/settings_local.py.j2 @@ -7,7 +7,7 @@ from __future__ import unicode_literals SECRET_KEY = '{{ re2o.django_secret_key }}' # The password to access the project database -DB_PASSWORD = '{{ re2o.db_password }}' +DB_PASSWORD = '{{ re2o.database.password }}' # AES key for secret key encryption. # The length must be a multiple of 16 @@ -18,10 +18,10 @@ AES_KEY = '{{ re2o.aes_key }}' DEBUG = False # A list of admins of the services. Receive mails when an error occurs -ADMINS = [('Root', 'root@crans.org')] +ADMINS = [{% for admin in re2o.admins %}{{ admin }}, {% endfor %}] # The list of hostname the server will respond to. -ALLOWED_HOSTS = ['re2o.crans.org', 're2o.adm.crans.org', 'intranet.crans.org', 'intranet.adm.crans.org', 're2o-srv.crans.org', 're2o-srv.adm.crans.org', 'intranet.switches.crans.org', 're2o.switches.crans.org', 're2o-srv.switches.crans.org'] +ALLOWED_HOSTS = [{% for host in re2o.allowed_hosts %}'{{ host }}', {% endfor %}] # The time zone the server is runned in TIME_ZONE = 'Europe/Paris' @@ -33,7 +33,7 @@ DATABASES = { 'NAME': 're2o', 'USER': 're2o', 'PASSWORD': DB_PASSWORD, - 'HOST': 'pgsql.adm.crans.org', + 'HOST': '{{ re2o.database.uri }}', 'TEST': { 'CHARSET': 'utf8', 'COLLATION': 'utf8_general_ci' 
@@ -41,10 +41,10 @@ DATABASES = {
 },
 'ldap': { # The LDAP
 'ENGINE': 'ldapdb.backends.ldap',
- 'NAME': 'ldap://re2o-ldap.adm.crans.org/',
- 'USER': 'cn=admin,dc=crans,dc=org',
+ 'NAME': '{{ re2o.ldap.uri }}',
+ 'USER': 'cn=admin,{{ glob_ldap.base }}',
 'TLS': False,
- 'PASSWORD': '{{ ldap.master_password }}',
+ 'PASSWORD': '{{ re2o.ldap.master_password }}',
 }
 }
@@ -62,19 +62,19 @@ SESSION_COOKIE_AGE = 60 * 60 * 3
 LOGO_PATH = "static_files/logo.png"
 # The mail configuration for Re2o to send mails
-SERVER_EMAIL = 'root@crans.org' # The mail address to use
-EMAIL_HOST = 'smtp.adm.crans.org' # The host to use
+SERVER_EMAIL = '{{ re2o.from_email }}' # The mail address to use
+EMAIL_HOST = '{{ glob_smtp }}' # The host to use
 EMAIL_PORT = 25 # The port to use
 # Settings of the LDAP structure
 LDAP = {
- 'base_user_dn' : u'cn=Utilisateurs,dc=crans,dc=org',
- 'base_userservice_dn' : u'ou=service-users,dc=crans,dc=org',
- 'base_usergroup_dn' : u'ou=posix,ou=groups,dc=crans,dc=org',
- 'base_userservicegroup_dn' : u'ou=services,ou=groups,dc=crans,dc=org',
- 'base_dn' : 'dc=crans,dc=org',
+ 'base_user_dn': u'cn=Utilisateurs,{{ glob_ldap.base }}',
+ 'base_userservice_dn': u'ou=service-users,{{ glob_ldap.base }}',
+ 'base_usergroup_dn': u'ou=posix,ou=groups,{{ glob_ldap.base }}',
+ 'base_userservicegroup_dn': u'ou=services,ou=groups,{{ glob_ldap.base }}',
+ 'base_dn': '{{ glob_ldap.base }}',
 'user_gid': 500,
- }
+}
 # A range of UID to use. Used in linux environement
 UID_RANGES = {
@@ -87,7 +87,10 @@ GID_RANGES = {
 'posix': [501, 600],
 }
-CAPTIVE_IP_RANGE = "10.51.0.0/16"
+# CAPTIVE_IP_RANGE = "10.51.0.0/16"
+
+# Some optionnal Re2o Apps
+OPTIONNAL_APPS_RE2O = ()
 # Some Django apps you want to add in you local project
-OPTIONNAL_APPS = ('api',)
+OPTIONNAL_APPS = OPTIONNAL_APPS_RE2O + ('api',)
--
GitLab
From eb84bca7a8bc15095df55e637a3fca264d07c7c4 Mon Sep 17 00:00:00 2001
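Review bot: `re2o.ldap.uri` resolves to `ldap://re2o-ldap.adm.crans.org/` and the hunk keeps `'TLS': False`, so the bind as `cn=admin` with the directory master password travels unencrypted between the re2o host and re2o-ldap; unless that segment is an isolated admin network, `ldaps://` or `'TLS': True` (django-ldapdb StartTLS) is the safer default, and the application only needs a dedicated service DN rather than the master credential. Either way, a comment on the `NAME`/`TLS` lines stating the network assumption would save the next reader from guessing. `DATABASES` begins before this hunk.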
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 10 Aug 2020 03:48:24 +0200
Subject: [PATCH 41/56] [firewall] Deploy firewall
---
 plays/firewall.yml | 11 ++++++
 roles/firewall/tasks/main.yml | 36 +++++++++++++++++++
 roles/firewall/templates/cron.d/firewall.j2 | 2 ++
 .../templates/firewall/re2o-config.ini.j2 | 5 +++
 4 files changed, 54 insertions(+)
 create mode 100755 plays/firewall.yml
 create mode 100644 roles/firewall/tasks/main.yml
 create mode 100644 roles/firewall/templates/cron.d/firewall.j2
 create mode 100644 roles/firewall/templates/firewall/re2o-config.ini.j2
diff --git a/plays/firewall.yml b/plays/firewall.yml
new file mode 100755
index 00000000..c015c7cd
--- /dev/null
+++ b/plays/firewall.yml
@@ -0,0 +1,11 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy firewall
+- hosts: crans_routeurs
+ vars:
+ re2o:
+ server: re2o.adm.crans.org
+ service_user: "{{ vault_re2o_service_user }}"
+ service_password: "{{ vault_re2o_service_password }}"
+ roles:
+ - firewall
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
new file mode 100644
index 00000000..3faaef2d
--- /dev/null
+++ b/roles/firewall/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+- name: Create firewall directory
+ file:
+ path: /var/local/firewall
+ state: directory
+ mode: '2775'
+ owner: root
+ group: nounou
+
+- name: Set ACL for firewall directory
+ acl:
+ path: /var/local/firewall
+ default: true
+ entity: nounou
+ etype: group
+ permissions: rwx
+ state: query
+
+- name: Clone firewall repository
+ git:
+ repo: 'http://gitlab.adm.crans.org/nounous/firewall.git'
+ dest: /var/local/firewall
+ umask: '002'
+
+- name: Deploy re2o config
+ template:
+ src: firewall/re2o-config.ini.j2
+ dest: /var/local/firewall/re2o-config.ini
+ mode: 0600
+ owner: root
+ group: root
+
+- name: Deploy cron for firewall
+ template:
+ src: cron.d/firewall.j2
+ dest: /etc/cron.d/firewall
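Review bot: `Set ACL for firewall directory` uses `state: query`, which only reads the current ACL back and never writes it, so the default `group:nounou:rwx` entry the task name promises is not applied; it needs `state: present`. The `git` task clones over plain `http://` with no `version:`, so the tree that `cron.d/firewall.j2` in this commit runs as root every two minutes is whatever the default branch held at the last play run, fetched without transport integrity; use `https://` or the ssh remote and pin `version:` to a tag or commit. The same directory is setgid group-writable by `nounou` (`mode: '2775'`, `umask: '002'`) while the cron job executes `firewall.py` from it as root, so anyone able to write as that group controls code root runs on the routers — if that is the intended trust model, say so in a comment on the `Create firewall directory` task, otherwise keep the checkout root-owned and `'0755'`. `mode: 0600` on the config task is unquoted while `'2775'` and `'002'` in the same file are quoted; `mode: '0600'` keeps the file consistent.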
diff --git a/roles/firewall/templates/cron.d/firewall.j2 b/roles/firewall/templates/cron.d/firewall.j2
new file mode 100644
index 00000000..5d6a897b
--- /dev/null
+++ b/roles/firewall/templates/cron.d/firewall.j2
@@ -0,0 +1,2 @@
+{{ ansible_header | comment }}
+*/2 * * * * root /usr/bin/python3 /var/local/firewall/firewall.py -q
diff --git a/roles/firewall/templates/firewall/re2o-config.ini.j2 b/roles/firewall/templates/firewall/re2o-config.ini.j2
new file mode 100644
index 00000000..7bf9a4ca
--- /dev/null
+++ b/roles/firewall/templates/firewall/re2o-config.ini.j2
@@ -0,0 +1,5 @@
+{{ ansible_header | comment(decoration='; ') }}
+[Re2o]
+hostname = {{ re2o.server }}
+username = {{ re2o.service_user }}
+password = {{ re2o.service_password }}
--
GitLab
From c7a4049903227cebbf5b7b8fdf65bdcec61937f6 Mon Sep 17 00:00:00 2001
From: Maxime Bombar <bombar@crans.org>
Date: Mon, 10 Aug 2020 04:56:14 +0200
Subject: [PATCH 42/56] [Draft] Install freeradius with rlm_python3
---
 host_vars/re2o-newinfra.adm.crans.org.yml | 2 +-
 host_vars/routeur-sam.adm.crans.org.yml | 7 ++++++
 hosts | 1 +
 roles/freeradius/tasks/main.yml | 24 +++++++++++++++++++
 .../apt/preferences.d/freeradius_python3.j2 | 5 ++++
 roles/re2o/tasks/main.yml | 17 +------------
 6 files changed, 39 insertions(+), 17 deletions(-)
 create mode 100644 roles/freeradius/template/apt/preferences.d/freeradius_python3.j2
diff --git a/host_vars/re2o-newinfra.adm.crans.org.yml b/host_vars/re2o-newinfra.adm.crans.org.yml
index 9a00f5a1..92db5fa6 100644
--- a/host_vars/re2o-newinfra.adm.crans.org.yml
+++ b/host_vars/re2o-newinfra.adm.crans.org.yml
@@ -7,6 +7,6 @@ interfaces:
 loc_re2o:
 owner: root
 group: nounou
- version: master
+ version: master_freeradius_python3
 settings_local_owner: root
 settings_local_group: nounou
diff --git a/host_vars/routeur-sam.adm.crans.org.yml b/host_vars/routeur-sam.adm.crans.org.yml
index 0c4bc74b..08f96f3e 100644
--- a/host_vars/routeur-sam.adm.crans.org.yml
+++ b/host_vars/routeur-sam.adm.crans.org.yml
@@ -14,3 +14,10 @@ loc_keepalived:
 tag: VI_DHCP
 state: MASTER
 priority: 150
+
+loc_re2o:
+ owner: freerad
+ group: nounou
+ version: master_freeradius_python3
+ settings_local_owner: freerad
+ settings_local_group: nounou
diff --git a/hosts b/hosts
index a875a9ee..d1d3fb60 100644
--- a/hosts
+++ b/hosts
@@ -27,6 +27,7 @@
 [re2o]
 re2o-newinfra.adm.crans.org
+routeur-sam.adm.crans.org
 [bdd]
 tealc.adm.crans.org
diff --git a/roles/freeradius/tasks/main.yml b/roles/freeradius/tasks/main.yml
index 36df1917..033cf907 100644
--- a/roles/freeradius/tasks/main.yml
+++ b/roles/freeradius/tasks/main.yml
@@ -1,4 +1,28 @@
 ---
+- name: Add buster-backports to apt sources
+ apt_repository:
+ repo: deb http://{{ mirror }}/debian buster-backports main
+ state: present
+
+- name: Pin freeradius from backports
+ template:
+ src: apt/preferences.d/freeradius_python3.j2
+ dest: /etc/apt/prefederences.d/freeradius_python3
+
+- name: Install freeradius
+ apt:
+ update_cache: true
+ install_recommends: false
+ name:
+ - freeradius
+ - freeradius-common
+ - freeradius-utils
+ - freeradius-python3
+ - libfreeradius3
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
 - name: Symlink radius certificates
 file:
 src: /etc/letsencrypt/live/crans.org/{{ item }}
diff --git a/roles/freeradius/template/apt/preferences.d/freeradius_python3.j2 b/roles/freeradius/template/apt/preferences.d/freeradius_python3.j2
new file mode 100644
index 00000000..5e0e1e89
--- /dev/null
+++ b/roles/freeradius/template/apt/preferences.d/freeradius_python3.j2
@@ -0,0 +1,5 @@
+{{ ansible_header | comment }}
+
+Package: *freeradius*
+Pin: release a=buster-backports
+Pin-Priority: 990
diff --git a/roles/re2o/tasks/main.yml b/roles/re2o/tasks/main.yml
index b16c0b55..dcf13f81 100644
--- a/roles/re2o/tasks/main.yml
+++ b/roles/re2o/tasks/main.yml
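Review bot: `dest: /etc/apt/prefederences.d/freeradius_python3` misspells `preferences.d`, so the backports pin never reaches apt and, because `template` does not create parent directories, the task fails before the freeradius install runs; use `dest: /etc/apt/preferences.d/freeradius_python3`. The diffstat places the source at `roles/freeradius/template/apt/preferences.d/freeradius_python3.j2` (singular `template/`), whereas Ansible resolves role templates from `templates/`, so `src: apt/preferences.d/freeradius_python3.j2` will likely not be found either unless the role extends its search path — the same applies to the `freeradius/3.0/...` templates the patch 44 deploy task loads from that directory. `repo: deb http://{{ mirror }}/debian buster-backports main` relies on a `mirror` variable defined nowhere in the visible series; confirm it comes from group_vars.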
@@ -1,15 +1,8 @@
 ---
-- name: Install re2o dependancies
+- name: Install re2o dependencies
 apt:
 update_cache: true
 name:
- - python-django
- - python-dateutil
- - python-djangorestframework
- - python-django-reversion
- - python-pip
- - python-psycopg2
- - ipython
 - python3-django
 - python3-dateutil
 - python3-djangorestframework
@@ -29,14 +22,6 @@
 retries: 3
 until: apt_result is succeeded
-- name: Install re2o pip dependancies
- pip:
- executable: pip2
- name:
- - django-bootstrap3
- - django-ldapdb==1.3.0
- - django-macaddress
-
 - name: Install re2o pip3 dependancies
 pip:
 executable: pip3
--
GitLab
From 57fda15ef4ea0e56159933feedae90c8db18b5d7 Mon Sep 17 00:00:00 2001
From: shirenn <shirenn@crans.org>
Date: Tue, 11 Aug 2020 01:32:16 +0200
Subject: [PATCH 43/56] [hosts] o/ silice et cameron
---
 hosts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/hosts b/hosts
index a875a9ee..e15de58e 100644
--- a/hosts
+++ b/hosts
@@ -56,12 +56,14 @@ dhcp
 keepalived
 [crans_physical]
+cameron.adm.crans.org
 tealc.adm.crans.org
 sam.adm.crans.org
 daniel.adm.crans.org
 jack.adm.crans.org
 [crans_vm]
+silice.adm.crans.org
 routeur-sam.adm.crans.org
 routeur-daniel.adm.crans.org
 belenios # on changera plus tard
--
GitLab
From 44a602288589dfe7957dffa3f1e5bb7905825b87 Mon Sep 17 00:00:00 2001
From: Maxime Bombar <bombar@crans.org>
Date: Tue, 11 Aug 2020 02:31:42 +0200
Subject: [PATCH 44/56] Configure freeradius
---
 group_vars/freeradius.yml | 4 +
 roles/freeradius/handlers/main.yml | 5 +
 roles/freeradius/tasks/main.yml | 22 +
 .../template/freeradius/3.0/clients.conf.j2 | 44 +
 .../freeradius/3.0/mods-enabled/eap.j2 | 927 ++++++++++++++++++
 .../freeradius/3.0/mods-enabled/python3.j2 | 67 ++
 .../template/freeradius/3.0/radiusd.conf.j2 | 896 +++++++++++++++++
 .../freeradius/3.0/sites-enabled/default.j2 | 741 ++++++++++++++
 .../3.0/sites-enabled/inner-tunnel.j2 | 306 ++++++
 9 files changed, 3012 insertions(+)
 create mode 100644 group_vars/freeradius.yml
 create mode 100644 roles/freeradius/handlers/main.yml
 create mode 100644 roles/freeradius/template/freeradius/3.0/clients.conf.j2
 create mode 100644 roles/freeradius/template/freeradius/3.0/mods-enabled/eap.j2
 create mode 100644 roles/freeradius/template/freeradius/3.0/mods-enabled/python3.j2
 create mode 100644 roles/freeradius/template/freeradius/3.0/radiusd.conf.j2
 create mode 100644 roles/freeradius/template/freeradius/3.0/sites-enabled/default.j2
 create mode 100644 roles/freeradius/template/freeradius/3.0/sites-enabled/inner-tunnel.j2
diff --git a/group_vars/freeradius.yml b/group_vars/freeradius.yml
new file mode 100644
index 00000000..c51d5aa8
--- /dev/null
+++ b/group_vars/freeradius.yml
@@ -0,0 +1,4 @@
+---
+glob_freeradius:
+ realm: crans
+ proxy_to: FEDEREZ
diff --git a/roles/freeradius/handlers/main.yml b/roles/freeradius/handlers/main.yml
new file mode 100644
index 00000000..127e032e
--- /dev/null
+++ b/roles/freeradius/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart freeradius
+ systemd:
+ name: freeradius
+ state: restarted
diff --git a/roles/freeradius/tasks/main.yml b/roles/freeradius/tasks/main.yml
index 033cf907..40ba0ad3 100644
--- a/roles/freeradius/tasks/main.yml
+++ b/roles/freeradius/tasks/main.yml
@@ -23,6 +23,28 @@
 retries: 3
 until: apt_result is succeeded
+- name: Deploy freeradius configuration
+ template:
+ src: "freeradius/3.0/{{ item }}.j2"
+ dest: "/etc/freeradius/3.0/{{ item }}"
+ owner: freerad
+ group: freerad
+ mode: '0640'
+ loop:
+ - radiusd.conf
+ - clients.conf
+ - sites-enabled/default
+ - sites-enabled/inner-tunnel
+ - mods-enabled/eap
+ - mods-enabled/python3
+ notify: Restart freeradius
+
+- name: Bring auth.py from re2o
+ file:
+ src: /var/www/re2o/freeradius_utils/auth.py
+ dest: /etc/freeradius/3.0/auth.py
+ notify: Restart freeradius
+
 - name: Symlink radius certificates
 file:
 src: /etc/letsencrypt/live/crans.org/{{ item }}
diff --git a/roles/freeradius/template/freeradius/3.0/clients.conf.j2 b/roles/freeradius/template/freeradius/3.0/clients.conf.j2
new file mode 100644
index 00000000..8a2b8173
--- /dev/null
+++ b/roles/freeradius/template/freeradius/3.0/clients.conf.j2
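Review bot: `Bring auth.py from re2o` passes `src` to the `file` module with no `state`; `src` is honoured only with `state: link` or `state: hard`, so as written the task does not create the symlink its name implies — add `state: link` (and `force: true` if a stale regular file may already exist). If linking is the intent, the daemon then executes code from `/var/www/re2o`, which `host_vars/routeur-sam` in patch 42 deploys with `owner: freerad`, i.e. writable by the very account FreeRADIUS runs as; a comment recording that this is accepted, or deploying that tree root-owned, would make the trust boundary explicit. The `mods-enabled/eap` template this loop deploys sets `certificate_file = ${certdir}/letsencrypt/privkey.pem`, the same path as `private_key_file`; the server certificate (normally `fullchain.pem` from the letsencrypt live directory) belongs there, and with only the key in that file the eap module will most likely refuse to load. The `Symlink radius certificates` task continues outside the hunk.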
@@ -0,0 +1,44 @@
+{{ ansible_header | comment }}
+
+# -*- text -*-
+##
+## clients.conf -- client configuration directives
+##
+## $Id: 76b300d3c55f1c5c052289b76bf28ac3a370bbb2 $
+
+#######################################################################
+#
+# Define RADIUS clients (usually a NAS, Access Point, etc.).
+
+#
+# Defines a RADIUS client.
+#
+# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
+# to allow testing of the server after an initial installation. If you
+# are not going to be permitting RADIUS queries from localhost, we suggest
+# that you delete, or comment out, this entry.
+#
+#
+
+#
+# Each client has a "short name" that is used to distinguish it from
+# other clients.
+#
+# In version 1.x, the string after the word "client" was the IP
+# address of the client. In 2.0, the IP address is configured via
+# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
+# format is still accepted.
+#
+
+client switches_v4 {
+ ipaddr = {{ freeradius.infra_switch }}
+ secret = {{ freeradius.secret_switch }}
+ virtual_server = radius-filaire
+}
+
+client bornes_v4 {
+ ipaddr = {{ freeradius.infra_bornes }}
+ secret = {{ freeradius.secret_bornes }}
+ virtual_server = radius-wifi
+
+}
diff --git a/roles/freeradius/template/freeradius/3.0/mods-enabled/eap.j2 b/roles/freeradius/template/freeradius/3.0/mods-enabled/eap.j2
new file mode 100644
index 00000000..880dd902
--- /dev/null
+++ b/roles/freeradius/template/freeradius/3.0/mods-enabled/eap.j2
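Review bot: The template dereferences `freeradius.infra_switch`, `freeradius.secret_switch`, `freeradius.infra_bornes` and `freeradius.secret_bornes`, but the only freeradius variables this series adds are `glob_freeradius.realm` and `glob_freeradius.proxy_to`, and no play building a `freeradius` variable from them is visible, so rendering fails on an undefined variable unless those keys live in a vault or play outside the patch. `virtual_server = radius-filaire` and `radius-wifi` must name `server` blocks in the deployed `sites-enabled/default` or `inner-tunnel`; the deploy loop ships nothing by those names, so confirm `default.j2` defines them, otherwise radiusd will most likely refuse to start. The shared secrets are rendered unquoted; FreeRADIUS ends an unquoted value at whitespace and treats `#` as a comment, so `secret = "{{ freeradius.secret_switch }}"` avoids a silently truncated secret if one is ever rotated to such a value.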
@@ -0,0 +1,927 @@ +{{ ansible_header | comment }} + +# -*- text -*- +## +## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) +## +## $Id: f67cbdbff9b6560cec9f68da1adb82b59723d2ef $ + +####################################################################### +# +# Whatever you do, do NOT set 'Auth-Type := EAP'. The server +# is smart enough to figure this out on its own. The most +# common side effect of setting 'Auth-Type := EAP' is that the +# users then cannot use ANY other authentication method. +# +eap { + # Invoke the default supported EAP type when + # EAP-Identity response is received. + # + # The incoming EAP messages DO NOT specify which EAP + # type they will be using, so it MUST be set here. + # + # For now, only one default EAP type may be used at a time. + # + # If the EAP-Type attribute is set by another module, + # then that EAP type takes precedence over the + # default type configured here. + # + default_eap_type = md5 + + # A list is maintained to correlate EAP-Response + # packets with EAP-Request packets. After a + # configurable length of time, entries in the list + # expire, and are deleted. + # + timer_expire = 60 + + # There are many EAP types, but the server has support + # for only a limited subset. If the server receives + # a request for an EAP type it does not support, then + # it normally rejects the request. By setting this + # configuration to "yes", you can tell the server to + # instead keep processing the request. Another module + # MUST then be configured to proxy the request to + # another RADIUS server which supports that EAP type. + # + # If another module is NOT configured to handle the + # request, then the request will still end up being + # rejected. + ignore_unknown_eap_types = no + + # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given + # a User-Name attribute in an Access-Accept, it copies one + # more byte than it should. + # + # We can work around it by configurably adding an extra + # zero byte. 
+ cisco_accounting_username_bug = no + + # + # Help prevent DoS attacks by limiting the number of + # sessions that the server is tracking. For simplicity, + # this is taken from the "max_requests" directive in + # radiusd.conf. + max_sessions = ${max_requests} + + # Supported EAP-types + + # + # We do NOT recommend using EAP-MD5 authentication + # for wireless connections. It is insecure, and does + # not provide for dynamic WEP keys. + # + md5 { + } + + # + # EAP-pwd -- secure password-based authentication + # +# pwd { +# group = 19 + + # +# server_id = theserver@example.com + + # This has the same meaning as for TLS. +# fragment_size = 1020 + + # The virtual server which determines the + # "known good" password for the user. + # Note that unlike TLS, only the "authorize" + # section is processed. EAP-PWD requests can be + # distinguished by having a User-Name, but + # no User-Password, CHAP-Password, EAP-Message, etc. +# virtual_server = "inner-tunnel" +# } + + # Cisco LEAP + # + # We do not recommend using LEAP in new deployments. See: + # http://www.securiteam.com/tools/5TP012ACKE.html + # + # Cisco LEAP uses the MS-CHAP algorithm (but not + # the MS-CHAP attributes) to perform it's authentication. + # + # As a result, LEAP *requires* access to the plain-text + # User-Password, or the NT-Password attributes. + # 'System' authentication is impossible with LEAP. + # + leap { + } + + # Generic Token Card. + # + # Currently, this is only permitted inside of EAP-TTLS, + # or EAP-PEAP. The module "challenges" the user with + # text, and the response from the user is taken to be + # the User-Password. + # + # Proxying the tunneled EAP-GTC session is a bad idea, + # the users password will go over the wire in plain-text, + # for anyone to see. + # + gtc { + # The default challenge, which many clients + # ignore.. 
+ #challenge = "Password: " + + # The plain-text response which comes back + # is put into a User-Password attribute, + # and passed to another module for + # authentication. This allows the EAP-GTC + # response to be checked against plain-text, + # or crypt'd passwords. + # + # If you say "Local" instead of "PAP", then + # the module will look for a User-Password + # configured for the request, and do the + # authentication itself. + # + auth_type = PAP + } + + ## Common TLS configuration for TLS-based EAP types + # + # See raddb/certs/README for additional comments + # on certificates. + # + # If OpenSSL was not found at the time the server was + # built, the "tls", "ttls", and "peap" sections will + # be ignored. + # + # If you do not currently have certificates signed by + # a trusted CA you may use the 'snakeoil' certificates. + # Included with the server in raddb/certs. + # + # If these certificates have not been auto-generated: + # cd raddb/certs + # make + # + # These test certificates SHOULD NOT be used in a normal + # deployment. They are created only to make it easier + # to install the server, and to perform some simple + # tests with EAP-TLS, TTLS, or PEAP. + # + # See also: + # + # http://www.dslreports.com/forum/remark,9286052~mode=flat + # + # Note that you should NOT use a globally known CA here! + # e.g. using a Verisign cert as a "known CA" means that + # ANYONE who has a certificate signed by them can + # authenticate via EAP-TLS! This is likely not what you want. + tls-config tls-common { + private_key_file = ${certdir}/letsencrypt/privkey.pem + + # If Private key & Certificate are located in + # the same file, then private_key_file & + # certificate_file must contain the same file + # name. + # + # If ca_file (below) is not used, then the + # certificate_file below MUST include not + # only the server certificate, but ALSO all + # of the CA certificates used to sign the + # server certificate. 
+ certificate_file = ${certdir}/letsencrypt/privkey.pem + + # Trusted Root CA list + # + # ALL of the CA's in this list will be trusted + # to issue client certificates for authentication. + # + # In general, you should use self-signed + # certificates for 802.1x (EAP) authentication. + # In that case, this CA file should contain + # *one* CA certificate. + # + ca_file = ${certdir}/ca.crt + + # OpenSSL will automatically create certificate chains, + # unless we tell it to not do that. The problem is that + # it sometimes gets the chains right from a certificate + # signature view, but wrong from the clients view. + # + # When setting "auto_chain = no", the server certificate + # file MUST include the full certificate chain. + # auto_chain = yes + + # + # If OpenSSL supports TLS-PSK, then we can use + # a PSK identity and (hex) password. When the + # following two configuration items are specified, + # then certificate-based configuration items are + # not allowed. e.g.: + # + # private_key_password + # private_key_file + # certificate_file + # ca_file + # ca_path + # + # For now, the identity is fixed, and must be the + # same on the client. The passphrase must be a hex + # value, and can be up to 256 hex digits. + # + # Future versions of the server may be able to + # look up the shared key (hexphrase) based on the + # identity. + # + # psk_identity = "test" + # psk_hexphrase = "036363823" + + # + # For DH cipher suites to work, you have to + # run OpenSSL to create the DH file first: + # + # openssl dhparam -out certs/dh 2048 + # + dh_file = ${certdir}/dh + + # + # If your system doesn't have /dev/urandom, + # you will need to create this file, and + # periodically change its contents. + # + # For security reasons, FreeRADIUS doesn't + # write to files in its configuration + # directory. 
+ # + # random_file = /dev/urandom + + # + # This can never exceed the size of a RADIUS + # packet (4096 bytes), and is preferably half + # that, to accommodate other attributes in + # RADIUS packet. On most APs the MAX packet + # length is configured between 1500 - 1600 + # In these cases, fragment size should be + # 1024 or less. + # + # fragment_size = 1024 + + # include_length is a flag which is + # by default set to yes If set to + # yes, Total Length of the message is + # included in EVERY packet we send. + # If set to no, Total Length of the + # message is included ONLY in the + # First packet of a fragment series. + # + # include_length = yes + + + # Check the Certificate Revocation List + # + # 1) Copy CA certificates and CRLs to same directory. + # 2) Execute 'c_rehash <CA certs&CRLs Directory>'. + # 'c_rehash' is OpenSSL's command. + # 3) uncomment the lines below. + # 5) Restart radiusd + # check_crl = yes + + # Check if intermediate CAs have been revoked. + # check_all_crl = yes + + ca_path = ${cadir} + + # Accept an expired Certificate Revocation List + # +# allow_expired_crl = no + + # + # If check_cert_issuer is set, the value will + # be checked against the DN of the issuer in + # the client certificate. If the values do not + # match, the certificate verification will fail, + # rejecting the user. + # + # This check can be done more generally by checking + # the value of the TLS-Client-Cert-Issuer attribute. + # This check can be done via any mechanism you + # choose. + # + # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" + + # + # If check_cert_cn is set, the value will + # be xlat'ed and checked against the CN + # in the client certificate. If the values + # do not match, the certificate verification + # will fail rejecting the user. + # + # This check is done only if the previous + # "check_cert_issuer" is not set, or if + # the check succeeds. 
+ # + # In 2.1.10 and later, this check can be done + # more generally by checking the value of the + # TLS-Client-Cert-CN attribute. This check + # can be done via any mechanism you choose. + # + # check_cert_cn = %{User-Name} + # + # Set this option to specify the allowed + # TLS cipher suites. The format is listed + # in "man 1 ciphers". + # + # For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2" + # + cipher_list = "DEFAULT" + + # If enabled, OpenSSL will use server cipher list + # (possibly defined by cipher_list option above) + # for choosing right cipher suite rather than + # using client-specified list which is OpenSSl default + # behavior. Having it set to yes is a current best practice + # for TLS + cipher_server_preference = no + + # + # You can selectively disable TLS versions for + # compatability with old client devices. + # + # If your system has OpenSSL 1.1.0 or greater, do NOT + # use these. Instead, set tls_min_version and + # tls_max_version. + # +# disable_tlsv1_2 = no +# disable_tlsv1_1 = no +# disable_tlsv1 = no + + # + # Set min / max TLS version. Mainly for Debian + # "trusty", which disables older versions of TLS, and + # requires the application to manually enable them. + # + # If you are running Debian trusty, you should set + # these options, otherwise older clients will not be + # able to connect. + # + # Allowed values are "1.0", "1.1", and "1.2". + # + # The values must be in quotes. + # + tls_min_version = "1.0" + tls_max_version = "1.2" + + + # + # Elliptical cryptography configuration + # + # Only for OpenSSL >= 0.9.8.f + # + ecdh_curve = "prime256v1" + + # + # Session resumption / fast reauthentication + # cache. 
+ # + # The cache contains the following information: + # + # session Id - unique identifier, managed by SSL + # User-Name - from the Access-Accept + # Stripped-User-Name - from the Access-Request + # Cached-Session-Policy - from the Access-Accept + # + # The "Cached-Session-Policy" is the name of a + # policy which should be applied to the cached + # session. This policy can be used to assign + # VLANs, IP addresses, etc. It serves as a useful + # way to re-apply the policy from the original + # Access-Accept to the subsequent Access-Accept + # for the cached session. + # + # On session resumption, these attributes are + # copied from the cache, and placed into the + # reply list. + # + # You probably also want "use_tunneled_reply = yes" + # when using fast session resumption. + # + cache { + # + # Enable it. The default is "no". Deleting the entire "cache" + # subsection also disables caching. + # + # As of version 3.0.14, the session cache requires the use + # of the "name" and "persist_dir" configuration items, below. + # + # The internal OpenSSL session cache has been permanently + # disabled. + # + # You can disallow resumption for a particular user by adding the + # following attribute to the control item list: + # + # Allow-Session-Resumption = No + # + # If "enable = no" below, you CANNOT enable resumption for just one + # user by setting the above attribute to "yes". + # + enable = no + + # + # Lifetime of the cached entries, in hours. The sessions will be + # deleted/invalidated after this time. + # + lifetime = 1 # hours + + # + # Internal "name" of the session cache. Used to + # distinguish which TLS context sessions belong to. + # + # The server will generate a random value if unset. + # This will change across server restart so you MUST + # set the "name" if you want to persist sessions (see + # below). + # + #name = "EAP module" + + # + # Simple directory-based storage of sessions. 
+ # Two files per session will be written, the SSL + # state and the cached VPs. This will persist session + # across server restarts. + # + # The default directory is ${logdir}, for historical + # reasons. You should ${db_dir} instead. And check + # the value of db_dir in the main radiusd.conf file. + # It should not point to ${raddb} + # + # The server will need write perms, and the directory + # should be secured from anyone else. You might want + # a script to remove old files from here periodically: + # + # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \; + # + # This feature REQUIRES "name" option be set above. + # + #persist_dir = "${logdir}/tlscache" + } + + # + # As of version 2.1.10, client certificates can be + # validated via an external command. This allows + # dynamic CRLs or OCSP to be used. + # + # This configuration is commented out in the + # default configuration. Uncomment it, and configure + # the correct paths below to enable it. + # + # If OCSP checking is enabled, and the OCSP checks fail, + # the verify section is not run. + # + # If OCSP checking is disabled, the verify section is + # run on successful certificate validation. + # + verify { + # If the OCSP checks succeed, the verify section + # is run to allow additional checks. + # + # If you want to skip verify on OCSP success, + # uncomment this configuration item, and set it + # to "yes". + # skip_if_ocsp_ok = no + + # A temporary directory where the client + # certificates are stored. This directory + # MUST be owned by the UID of the server, + # and MUST not be accessible by any other + # users. When the server starts, it will do + # "chmod go-rwx" on the directory, for + # security reasons. The directory MUST + # exist when the server starts. + # + # You should also delete all of the files + # in the directory when the server starts. + # tmpdir = /tmp/radiusd + + # The command used to verify the client cert. + # We recommend using the OpenSSL command-line + # tool. 
+ # + # The ${..ca_path} text is a reference to + # the ca_path variable defined above. + # + # The %{TLS-Client-Cert-Filename} is the name + # of the temporary file containing the cert + # in PEM format. This file is automatically + # deleted by the server when the command + # returns. + # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" + } + + # + # OCSP Configuration + # Certificates can be verified against an OCSP + # Responder. This makes it possible to immediately + # revoke certificates without the distribution of + # new Certificate Revocation Lists (CRLs). + # + ocsp { + # + # Enable it. The default is "no". + # Deleting the entire "ocsp" subsection + # also disables ocsp checking + # + enable = no + + # + # The OCSP Responder URL can be automatically + # extracted from the certificate in question. + # To override the OCSP Responder URL set + # "override_cert_url = yes". + # + override_cert_url = yes + + # + # If the OCSP Responder address is not extracted from + # the certificate, the URL can be defined here. + # + url = "http://127.0.0.1/ocsp/" + + # + # If the OCSP Responder can not cope with nonce + # in the request, then it can be disabled here. + # + # For security reasons, disabling this option + # is not recommended as nonce protects against + # replay attacks. + # + # Note that Microsoft AD Certificate Services OCSP + # Responder does not enable nonce by default. It is + # more secure to enable nonce on the responder than + # to disable it in the query here. + # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx + # + # use_nonce = yes + + # + # Number of seconds before giving up waiting + # for OCSP response. 0 uses system default. + # + # timeout = 0 + + # + # Normally an error in querying the OCSP + # responder (no response from server, server did + # not understand the request, etc) will result in + # a validation failure. 
+ # + # To treat these errors as 'soft' failures and + # still accept the certificate, enable this + # option. + # + # Warning: this may enable clients with revoked + # certificates to connect if the OCSP responder + # is not available. Use with caution. + # + # softfail = no + } + } + + ## EAP-TLS + # + # As of Version 3.0, the TLS configuration for TLS-based + # EAP types is above in the "tls-config" section. + # + tls { + # Point to the common TLS configuration + tls = tls-common + + # + # As part of checking a client certificate, the EAP-TLS + # sets some attributes such as TLS-Client-Cert-CN. This + # virtual server has access to these attributes, and can + # be used to accept or reject the request. + # + # virtual_server = check-eap-tls + } + + + ## EAP-TTLS + # + # The TTLS module implements the EAP-TTLS protocol, + # which can be described as EAP inside of Diameter, + # inside of TLS, inside of EAP, inside of RADIUS... + # + # Surprisingly, it works quite well. + # + ttls { + # Which tls-config section the TLS negotiation parameters + # are in - see EAP-TLS above for an explanation. + # + # In the case that an old configuration from FreeRADIUS + # v2.x is being used, all the options of the tls-config + # section may also appear instead in the 'tls' section + # above. If that is done, the tls= option here (and in + # tls above) MUST be commented out. + # + tls = tls-common + + # The tunneled EAP session needs a default EAP type + # which is separate from the one for the non-tunneled + # EAP module. Inside of the TTLS tunnel, we recommend + # using EAP-MD5. If the request does not contain an + # EAP conversation, then this configuration entry is + # ignored. + # + default_eap_type = md5 + + # The tunneled authentication request does not usually + # contain useful attributes like 'Calling-Station-Id', + # etc. These attributes are outside of the tunnel, + # and normally unavailable to the tunneled + # authentication request. 
+ # + # By setting this configuration entry to 'yes', + # any attribute which is NOT in the tunneled + # authentication request, but which IS available + # outside of the tunnel, is copied to the tunneled + # request. + # + # allowed values: {no, yes} + # + copy_request_to_tunnel = yes + + # + # As of version 3.0.5, this configuration item + # is deprecated. Instead, you should use + # + # update outer.session-state { + # ... + # + # } + # + # This will cache attributes for the final Access-Accept. + # + # The reply attributes sent to the NAS are usually + # based on the name of the user 'outside' of the + # tunnel (usually 'anonymous'). If you want to send + # the reply attributes based on the user name inside + # of the tunnel, then set this configuration entry to + # 'yes', and the reply to the NAS will be taken from + # the reply to the tunneled request. + # + # allowed values: {no, yes} + # + use_tunneled_reply = no + + # + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # If this entry is commented out, the inner + # tunneled request will be sent through + # the virtual server that processed the + # outer requests. + # + virtual_server = "inner-tunnel" + + # This has the same meaning, and overwrites, the + # same field in the "tls" configuration, above. + # The default value here is "yes". + # + # include_length = yes + + # + # Unlike EAP-TLS, EAP-TTLS does not require a client + # certificate. However, you can require one by setting the + # following option. You can also override this option by + # setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # + # Note that the majority of supplicants do not support using a + # client certificate with EAP-TTLS, so this option is unlikely + # to be usable for most people. + # + # require_client_cert = yes + } + + + ## EAP-PEAP + # + + ################################################## + # + # !!!!! 
WARNINGS for Windows compatibility !!!!! + # + ################################################## + # + # If you see the server send an Access-Challenge, + # and the client never sends another Access-Request, + # then + # + # STOP! + # + # The server certificate has to have special OID's + # in it, or else the Microsoft clients will silently + # fail. See the "scripts/xpextensions" file for + # details, and the following page: + # + # http://support.microsoft.com/kb/814394/en-us + # + # For additional Windows XP SP2 issues, see: + # + # http://support.microsoft.com/kb/885453/en-us + # + # + # If is still doesn't work, and you're using Samba, + # you may be encountering a Samba bug. See: + # + # https://bugzilla.samba.org/show_bug.cgi?id=6563 + # + # Note that we do not necessarily agree with their + # explanation... but the fix does appear to work. + # + ################################################## + + # + # The tunneled EAP session needs a default EAP type + # which is separate from the one for the non-tunneled + # EAP module. Inside of the TLS/PEAP tunnel, we + # recommend using EAP-MS-CHAPv2. + # + peap { + # Which tls-config section the TLS negotiation parameters + # are in - see EAP-TLS above for an explanation. + # + # In the case that an old configuration from FreeRADIUS + # v2.x is being used, all the options of the tls-config + # section may also appear instead in the 'tls' section + # above. If that is done, the tls= option here (and in + # tls above) MUST be commented out. + # + tls = tls-common + + # The tunneled EAP session needs a default + # EAP type which is separate from the one for + # the non-tunneled EAP module. Inside of the + # PEAP tunnel, we recommend using MS-CHAPv2, + # as that is the default type supported by + # Windows clients. + # + default_eap_type = mschapv2 + + # The PEAP module also has these configuration + # items, which are the same as for TTLS. 
+ # + copy_request_to_tunnel = yes + + # + # As of version 3.0.5, this configuration item + # is deprecated. Instead, you should use + # + # update outer.session-state { + # ... + # + # } + # + # This will cache attributes for the final Access-Accept. + # + use_tunneled_reply = no + + # When the tunneled session is proxied, the + # home server may not understand EAP-MSCHAP-V2. + # Set this entry to "no" to proxy the tunneled + # EAP-MSCHAP-V2 as normal MSCHAPv2. + # + # proxy_tunneled_request_as_eap = yes + + # + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # If this entry is commented out, the inner + # tunneled request will be sent through + # the virtual server that processed the + # outer requests. + # + virtual_server = "inner-tunnel" + + # This option enables support for MS-SoH + # see doc/SoH.txt for more info. + # It is disabled by default. + # + # soh = yes + + # + # The SoH reply will be turned into a request which + # can be sent to a specific virtual server: + # + # soh_virtual_server = "soh-server" + + # + # Unlike EAP-TLS, PEAP does not require a client certificate. + # However, you can require one by setting the following + # option. You can also override this option by setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # + # Note that the majority of supplicants do not support using a + # client certificate with PEAP, so this option is unlikely to + # be usable for most people. + # + # require_client_cert = yes + } + + # + # This takes no configuration. + # + # Note that it is the EAP MS-CHAPv2 sub-module, not + # the main 'mschap' module. + # + # Note also that in order for this sub-module to work, + # the main 'mschap' module MUST ALSO be configured. + # + # This module is the *Microsoft* implementation of MS-CHAPv2 + # in EAP. 
There is another (incompatible) implementation + # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not + # currently support. + # + mschapv2 { + # Prior to version 2.1.11, the module never + # sent the MS-CHAP-Error message to the + # client. This worked, but it had issues + # when the cached password was wrong. The + # server *should* send "E=691 R=0" to the + # client, which tells it to prompt the user + # for a new password. + # + # The default is to behave as in 2.1.10 and + # earlier, which is known to work. If you + # set "send_error = yes", then the error + # message will be sent back to the client. + # This *may* help some clients work better, + # but *may* also cause other clients to stop + # working. + # + send_error = yes + + # Server identifier to send back in the challenge. + # This should generally be the host name of the + # RADIUS server. Or, some information to uniquely + # identify it. +# identity = "FreeRADIUS" + } + + ## EAP-FAST + # + # The FAST module implements the EAP-FAST protocol + # +# fast { + # Point to the common TLS configuration + # +# tls = tls-common + + # + # If 'cipher_list' is set here, it will over-ride the + # 'cipher_list' configuration from the 'tls-common' + # configuration. The EAP-FAST module has it's own + # over-ride for 'cipher_list' because the + # specifications mandata a different set of ciphers + # than are used by the other EAP methods. + # + # cipher_list though must include "ADH" for anonymous provisioning. 
+ # This is not as straight forward as appending "ADH" alongside + # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is + # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used + # + # Note - for OpenSSL 1.1.0 and above you may need + # to add ":@SECLEVEL=0" + # +# cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2" + + # PAC lifetime in seconds (default: seven days) + # +# pac_lifetime = 604800 + + # Authority ID of the server + # + # if you are running a cluster of RADIUS servers, you should make + # the value chosen here (and for "pac_opaque_key") the same on all + # your RADIUS servers. This value should be unique to your + # installation. We suggest using a domain name. + # +# authority_identity = "1234" + + # PAC Opaque encryption key (must be exactly 32 bytes in size) + # + # This value MUST be secret, and MUST be generated using + # a secure method, such as via 'openssl rand -hex 32' + # +# pac_opaque_key = "0123456789abcdef0123456789ABCDEF" + + # Same as for TTLS, PEAP, etc. + # +# virtual_server = inner-tunnel +# } +} diff --git a/roles/freeradius/template/freeradius/3.0/mods-enabled/python3.j2 b/roles/freeradius/template/freeradius/3.0/mods-enabled/python3.j2 new file mode 100644 index 00000000..7701c28c --- /dev/null +++ b/roles/freeradius/template/freeradius/3.0/mods-enabled/python3.j2 
@@ -0,0 +1,67 @@
+{{ ansible_header | comment }}
+
+#
+# Make sure the PYTHONPATH environmental variable contains the
+# directory(s) for the modules listed below.
+#
+# Uncomment any func_* which are included in your module. If
+# rlm_python is called for a section which does not have
+# a function defined, it will return NOOP.
+#
+python3 re2o {
+
+ # Path to the python modules
+ #
+ # Note that due to limitations on Python, this configuration
+ # item is GLOBAL TO THE SERVER. That is, you cannot have two
+ # instances of the python module, each with a different path.
+ #
+ python_path = /etc/freeradius/3.0:/usr/lib/python3.7:/usr/lib/python3.7/dist-packages:/usr/local/lib/python3.7/site-packages:/usr/lib/python3.7/lib-dynload:/usr/local/lib/python3.7/dist-packages
+
+ module = auth
+
+
+ # Pass all VPS lists as a 6-tuple to the callbacks
+ # (request, reply, config, state, proxy_req, proxy_reply)
+ # pass_all_vps = no
+
+ # Pass all VPS lists as a dictionary to the callbacks
+ # Keys: "request", "reply", "config", "session-state", "proxy-request",
+ # "proxy-reply"
+ # This option prevales over "pass_all_vps"
+ # pass_all_vps_dict = no
+
+
+ mod_instantiate = ${.module}
+ func_instantiate = instantiate
+
+ mod_detach = ${.module}
+ func_detach = detach
+
+ mod_authorize = ${.module}
+ func_authorize = authorize
+
+ mod_preacct = ${.module}
+ func_preacct = dummy_fun
+
+ mod_accounting = ${.module}
+ func_accounting = dummy_fun
+
+ mod_checksimul = ${.module}
+ func_checksimul = dummy_fun
+
+ mod_pre_proxy = ${.module}
+ func_pre_proxy = dummy_fun
+
+ mod_post_proxy = ${.module}
+ func_post_proxy = dummy_fun
+
+ mod_post_auth = ${.module}
+ func_post_auth = post_auth
+
+ mod_recv_coa = ${.module}
+ func_recv_coa = dummy_fun
+
+ mod_send_coa = ${.module}
+ func_send_coa = dummy_fun
+}
diff --git a/roles/freeradius/template/freeradius/3.0/radiusd.conf.j2 b/roles/freeradius/template/freeradius/3.0/radiusd.conf.j2
new file mode 100644
index 00000000..a6ad1137
--- /dev/null
+++ b/roles/freeradius/template/freeradius/3.0/radiusd.conf.j2
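Review bot: The `python_path` line hard-codes five `python3.7` directories, so this module stops loading `auth` on the first OS upgrade that ships a different interpreter version; since the file is already a Jinja template, substituting one version variable (placeholder `{{ PYTHON_VERSION }}`, name to be chosen by the role) into those entries keeps the role portable. Assuming rlm_python3 adds these entries to the interpreter search path in the order listed, `auth` is resolved from `/etc/freeradius/3.0` first and the remaining directories only if it is missing there, so every directory on that line should be root-owned and not writable by the `freerad` service user, otherwise a writable entry becomes a way to load arbitrary code into the RADIUS process. The header comment states that a section without a defined `func_*` returns NOOP, so the eight `dummy_fun` hooks (preacct, accounting, checksimul, pre_proxy, post_proxy, recv_coa, send_coa) could simply be omitted instead of routed to a no-op function, which also removes the need to keep `dummy_fun` in the module. A short comment above `module = auth` naming the file it refers to, `# auth -> /etc/freeradius/3.0/auth.py (see python_path above)`, would help the next maintainer; confirm that location against the role's file tasks.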
@@ -0,0 +1,896 @@ +{{ ansible_header | comment }} + +# -*- text -*- +## +## radiusd.conf -- FreeRADIUS server configuration file - 3.0.21 +## +## http://www.freeradius.org/ +## $Id: e8aee3c00193127177cd65e31156c1d0f4b124d3 $ +## + +###################################################################### +# +# The format of this (and other) configuration file is +# documented in "man unlang". There are also READMEs in many +# subdirectories: +# +# raddb/README.rst +# How to upgrade from v2. +# +# raddb/mods-available/README.rst +# How to use mods-available / mods-enabled. +# All of the modules are in individual files, +# along with configuration items and full documentation. +# +# raddb/sites-available/README +# virtual servers, "listen" sections, clients, etc. +# The "sites-available" directory contains many +# worked examples of common configurations. +# +# raddb/certs/README +# How to create certificates for EAP or RadSec. +# +# Every configuration item in the server is documented +# extensively in the comments in the example configuration +# files. +# +# Before editing this (or any other) configuration file, PLEASE +# read "man radiusd". See the section titled DEBUGGING. It +# outlines a method where you can quickly create the +# configuration you want, with minimal effort. +# +# Run the server in debugging mode, and READ the output. +# +# $ radiusd -X +# +# We cannot emphasize this point strongly enough. The vast +# majority of problems can be solved by carefully reading the +# debugging output, which includes warnings about common issues, +# and suggestions for how they may be fixed. +# +# There may be a lot of output, but look carefully for words like: +# "warning", "error", "reject", or "failure". The messages there +# will usually be enough to guide you to a solution. 
+# +# More documentation on "radiusd -X" is available on the wiki: +# https://wiki.freeradius.org/radiusd-X +# +# If you are going to ask a question on the mailing list, then +# explain what you are trying to do, and include the output from +# debugging mode (radiusd -X). Failure to do so means that all +# of the responses to your question will be people telling you +# to "post the output of radiusd -X". +# +# Guidelines for posting to the mailing list are on the wiki: +# https://wiki.freeradius.org/list-help +# +# Please read those guidelines before posting to the list. +# +# Further documentation is available in the "doc" directory +# of the server distribution, or on the wiki at: +# https://wiki.freeradius.org/ +# +# New users to RADIUS should read the Technical Guide. That guide +# explains how RADIUS works, how FreeRADIUS works, and what each +# part of a RADIUS system does. It is not just "configure FreeRADIUS"! +# https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf +# +# More documentation on dictionaries, modules, unlang, etc. is also +# available on the Network RADIUS web site: +# https://networkradius.com/freeradius-documentation/ +# + +###################################################################### + +prefix = /usr +exec_prefix = /usr +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = /var/log/freeradius +raddbdir = /etc/freeradius/3.0 +radacctdir = ${logdir}/radacct + +# +# name of the running server. See also the "-n" command-line option. +name = freeradius + +# Location of config and logfiles. +confdir = ${raddbdir} +modconfdir = ${confdir}/mods-config +certdir = ${confdir}/certs +cadir = ${confdir}/certs +run_dir = ${localstatedir}/run/${name} + +# Should likely be ${localstatedir}/lib/radiusd +db_dir = ${raddbdir} + +# +# libdir: Where to find the rlm_* modules. +# +# This should be automatically set at configuration time. 
+# +# If the server builds and installs, but fails at execution time +# with an 'undefined symbol' error, then you can use the libdir +# directive to work around the problem. +# +# The cause is usually that a library has been installed on your +# system in a place where the dynamic linker CANNOT find it. When +# executing as root (or another user), your personal environment MAY +# be set up to allow the dynamic linker to find the library. When +# executing as a daemon, FreeRADIUS MAY NOT have the same +# personalized configuration. +# +# To work around the problem, find out which library contains that symbol, +# and add the directory containing that library to the end of 'libdir', +# with a colon separating the directory names. NO spaces are allowed. +# +# e.g. libdir = /usr/local/lib:/opt/package/lib +# +# You can also try setting the LD_LIBRARY_PATH environment variable +# in a script which starts the server. +# +# If that does not work, then you can re-configure and re-build the +# server to NOT use shared libraries, via: +# +# ./configure --disable-shared +# make +# make install +# +libdir = /usr/lib/freeradius + +# pidfile: Where to place the PID of the RADIUS server. +# +# The server may be signalled while it's running by using this +# file. +# +# This file is written when ONLY running in daemon mode. +# +# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid` +# +pidfile = ${run_dir}/${name}.pid + +# +# correct_escapes: use correct backslash escaping +# +# Prior to version 3.0.5, the handling of backslashes was a little +# awkward, i.e. "wrong". In some cases, to get one backslash into +# a regex, you had to put 4 in the config files. +# +# Version 3.0.5 fixes that. However, for backwards compatibility, +# the new method of escaping is DISABLED BY DEFAULT. This means +# that upgrading to 3.0.5 won't break your configuration. +# +# If you don't have double backslashes (i.e. \\) in your configuration, +# this won't matter to you. 
If you do have them, fix that to use only +# one backslash, and then set "correct_escapes = true". +# +# You can check for this by doing: +# +# $ grep '\\\\' $(find raddb -type f -print) +# +correct_escapes = true + +# panic_action: Command to execute if the server dies unexpectedly. +# +# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT. +# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS. +# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART. +# +# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE +# PATTACH CAN BE USED AS AN ATTACK VECTOR. +# +# The panic action is a command which will be executed if the server +# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS, +# SIGABRT or SIGFPE. +# +# This can be used to start an interactive debugging session so +# that information regarding the current state of the server can +# be acquired. +# +# The following string substitutions are available: +# - %e The currently executing program e.g. /sbin/radiusd +# - %p The PID of the currently executing program e.g. 12345 +# +# Standard ${} substitutions are also allowed. +# +# An example panic action for opening an interactive session in GDB would be: +# +#panic_action = "gdb %e %p" +# +# Again, don't use that on a production system. +# +# An example panic action for opening an automated session in GDB would be: +# +#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log" +# +# That command can be used on a production system. +# + +# max_request_time: The maximum time (in seconds) to handle a request. +# +# Requests which take more time than this to process may be killed, and +# a REJECT message is returned. +# +# WARNING: If you notice that requests take a long time to be handled, +# then this MAY INDICATE a bug in the server, in one of the modules +# used to handle a request, OR in your local configuration. +# +# This problem is most often seen when using an SQL database. 
If it takes +# more than a second or two to receive an answer from the SQL database, +# then it probably means that you haven't indexed the database. See your +# SQL server documentation for more information. +# +# Useful range of values: 5 to 120 +# +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +# a reply which was sent to the NAS. +# +# The RADIUS request is normally cached internally for a short period +# of time, after the reply is sent to the NAS. The reply packet may be +# lost in the network, and the NAS will not see it. The NAS will then +# re-send the request, and the server will respond quickly with the +# cached reply. +# +# If this value is set too low, then duplicate requests from the NAS +# MAY NOT be detected, and will instead be handled as separate requests. +# +# If this value is set too high, then the server will cache too many +# requests, and some new requests may get blocked. (See 'max_requests'.) +# +# Useful range of values: 2 to 30 +# +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +# track of. This should be 256 multiplied by the number of clients. +# e.g. With 4 clients, this number should be 1024. +# +# If this number is too low, then when the server becomes busy, +# it will not respond to any new requests, until the 'cleanup_delay' +# time has passed, and it has removed the old requests. +# +# If this number is set too high, then the server will use a bit more +# memory for no real benefit. +# +# If you aren't sure what it should be set to, it's better to set it +# too high than too low. Setting it to 1000 per client is probably +# the highest it should be. +# +# Useful range of values: 256 to infinity +# +max_requests = 16384 + +# hostname_lookups: Log the names of clients or just their IP addresses +# e.g., www.freeradius.org (on) or 206.47.27.232 (off). 
+# +# The default is 'off' because it would be overall better for the net +# if people had to knowingly turn this feature on, since enabling it +# means that each client request will result in AT LEAST one lookup +# request to the nameserver. Enabling hostname_lookups will also +# mean that your server may stop randomly for 30 seconds from time +# to time, if the DNS requests take too long. +# +# Turning hostname lookups off also means that the server won't block +# for 30 seconds, if it sees an IP address which has no name associated +# with it. +# +# allowed values: {no, yes} +# +hostname_lookups = no + +# +# Logging section. The various "log_*" configuration items +# will eventually be moved here. +# +log { + # + # Destination for log messages. This can be one of: + # + # files - log to "file", as defined below. + # syslog - to syslog (see also the "syslog_facility", below. + # stdout - standard output + # stderr - standard error. + # + # The command-line option "-X" over-rides this option, and forces + # logging to go to stdout. + # + destination = syslog + + # + # Highlight important messages sent to stderr and stdout. + # + # Option will be ignored (disabled) if output if TERM is not + # an xterm or output is not to a TTY. + # + colourise = yes + + # + # The logging messages for the server are appended to the + # tail of this file if destination == "files" + # + # If the server is running in debugging mode, this file is + # NOT used. + # + file = ${logdir}/radius.log + + # + # Which syslog facility to use, if ${destination} == "syslog" + # + # The exact values permitted here are OS-dependent. You probably + # don't want to change this. + # + syslog_facility = daemon + + # Log the full User-Name attribute, as it was found in the request. + # + # allowed values: {no, yes} + # + stripped_names = no + + # Log all (accept and reject) authentication results to the log file. 
+ # + # This is the same as setting "auth_accept = yes" and + # "auth_reject = yes" + # + # allowed values: {no, yes} + # + auth = yes + + # Log Access-Accept results to the log file. + # + # This is only used if "auth = no" + # + # allowed values: {no, yes} + # +# auth_accept = no + + # Log Access-Reject results to the log file. + # + # This is only used if "auth = no" + # + # allowed values: {no, yes} + # +# auth_reject = no + + # Log passwords with the authentication requests. + # auth_badpass - logs password if it's rejected + # auth_goodpass - logs password if it's correct + # + # allowed values: {no, yes} + # + auth_badpass = yes + auth_goodpass = yes + + # Log additional text at the end of the "Login OK" messages. + # for these to work, the "auth" and "auth_goodpass" or "auth_badpass" + # configurations above have to be set to "yes". + # + # The strings below are dynamically expanded, which means that + # you can put anything you want in them. However, note that + # this expansion can be slow, and can negatively impact server + # performance. + # + msg_goodpass = "IP du Nas: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}" + msg_badpass = "IP du Nas: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}" + + # The message when the user exceeds the Simultaneous-Use limit. + # + msg_denied = "You are already logged in - access denied" +} + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# +# ENVIRONMENT VARIABLES +# +# You can reference environment variables using an expansion like +# `$ENV{PATH}`. However it is sometimes useful to be able to also set +# environment variables. This section lets you do that. +# +# The main purpose of this section is to allow administrators to keep +# RADIUS-specific configuration in the RADIUS configuration files. +# For example, if you need to set an environment variable which is +# used by a module. You could put that variable into a shell script, +# but that's awkward. 
Instead, just list it here. +# +# Note that these environment variables are set AFTER the +# configuration file is loaded. So you cannot set FOO here, and +# expect to reference it via `$ENV{FOO}` in another configuration file. +# You should instead just use a normal configuration variable for +# that. +# +ENV { + # + # Set environment varable `FOO` to value '/bar/baz'. + # + # NOTE: Note that you MUST use '='. You CANNOT use '+=' to append + # values. + # +# FOO = '/bar/baz' + + # + # Delete environment variable `BAR`. + # +# BAR + + # + # `LD_PRELOAD` is special. It is normally set before the + # application runs, and is interpreted by the dynamic linker. + # Which means you cannot set it inside of an application, and + # expect it to load libraries. + # + # Since this functionality is useful, we extend it here. + # + # You can set + # + # LD_PRELOAD = /path/to/library.so + # + # and the server will load the named libraries. Multiple + # libraries can be loaded by specificing multiple individual + # `LD_PRELOAD` entries. + # + # +# LD_PRELOAD = /path/to/library1.so +# LD_PRELOAD = /path/to/library2.so +} + +# SECURITY CONFIGURATION +# +# There may be multiple methods of attacking on the server. This +# section holds the configuration items which minimize the impact +# of those attacks +# +security { + # chroot: directory where the server does "chroot". + # + # The chroot is done very early in the process of starting + # the server. After the chroot has been performed it + # switches to the "user" listed below (which MUST be + # specified). If "group" is specified, it switches to that + # group, too. Any other groups listed for the specified + # "user" in "/etc/group" are also added as part of this + # process. + # + # The current working directory (chdir / cd) is left + # *outside* of the chroot until all of the modules have been + # initialized. This allows the "raddb" directory to be left + # outside of the chroot. 
Once the modules have been + # initialized, it does a "chdir" to ${logdir}. This means + # that it should be impossible to break out of the chroot. + # + # If you are worried about security issues related to this + # use of chdir, then simply ensure that the "raddb" directory + # is inside of the chroot, end be sure to do "cd raddb" + # BEFORE starting the server. + # + # If the server is statically linked, then the only files + # that have to exist in the chroot are ${run_dir} and + # ${logdir}. If you do the "cd raddb" as discussed above, + # then the "raddb" directory has to be inside of the chroot + # directory, too. + # +# chroot = /path/to/chroot/directory + + # user/group: The name (or #number) of the user/group to run radiusd as. + # + # If these are commented out, the server will run as the + # user/group that started it. In order to change to a + # different user/group, you MUST be root ( or have root + # privileges ) to start the server. + # + # We STRONGLY recommend that you run the server with as few + # permissions as possible. That is, if you're not using + # shadow passwords, the user and group items below should be + # set to radius'. + # + # NOTE that some kernels refuse to setgid(group) when the + # value of (unsigned)group is above 60000; don't use group + # "nobody" on these systems! + # + # On systems with shadow passwords, you might have to set + # 'group = shadow' for the server to be able to read the + # shadow password file. If you can authenticate users while + # in debug mode, but not in daemon mode, it may be that the + # debugging mode server is running as a user that can read + # the shadow info, and the user listed below can not. + # + # The server will also try to use "initgroups" to read + # /etc/groups. It will join all groups where "user" is a + # member. This can allow for some finer-grained access + # controls. + # + user = freerad + group = freerad + + # Core dumps are a bad thing. 
This should only be set to + # 'yes' if you're debugging a problem with the server. + # + # allowed values: {no, yes} + # + allow_core_dumps = no + + # + # max_attributes: The maximum number of attributes + # permitted in a RADIUS packet. Packets which have MORE + # than this number of attributes in them will be dropped. + # + # If this number is set too low, then no RADIUS packets + # will be accepted. + # + # If this number is set too high, then an attacker may be + # able to send a small number of packets which will cause + # the server to use all available memory on the machine. + # + # Setting this number to 0 means "allow any number of attributes" + max_attributes = 200 + + # + # reject_delay: When sending an Access-Reject, it can be + # delayed for a few seconds. This may help slow down a DoS + # attack. It also helps to slow down people trying to brute-force + # crack a users password. + # + # Setting this number to 0 means "send rejects immediately" + # + # If this number is set higher than 'cleanup_delay', then the + # rejects will be sent at 'cleanup_delay' time, when the request + # is deleted from the internal cache of requests. + # + # As of Version 3.0.5, "reject_delay" has sub-second resolution. + # e.g. "reject_delay = 1.4" seconds is possible. + # + # Useful ranges: 1 to 5 + reject_delay = 1 + + # + # status_server: Whether or not the server will respond + # to Status-Server requests. + # + # When sent a Status-Server message, the server responds with + # an Access-Accept or Accounting-Response packet. + # + # This is mainly useful for administrators who want to "ping" + # the server, without adding test users, or creating fake + # accounting packets. + # + # It's also useful when a NAS marks a RADIUS server "dead". + # The NAS can periodically "ping" the server with a Status-Server + # packet. If the server responds, it must be alive, and the + # NAS can start using it for real requests. 
+ # + # See also raddb/sites-available/status + # + status_server = yes + + +} + +# PROXY CONFIGURATION +# +# proxy_requests: Turns proxying of RADIUS requests on or off. +# +# The server has proxying turned on by default. If your system is NOT +# set up to proxy requests to another server, then you can turn proxying +# off here. This will save a small amount of resources on the server. +# +# If you have proxying turned off, and your configuration files say +# to proxy a request, then an error message will be logged. +# +# To disable proxying, change the "yes" to "no", and comment the +# $INCLUDE line. +# +# allowed values: {no, yes} +# +proxy_requests = yes +$INCLUDE proxy.conf + + +# CLIENTS CONFIGURATION +# +# Client configuration is defined in "clients.conf". +# + +# The 'clients.conf' file contains all of the information from the old +# 'clients' and 'naslist' configuration files. We recommend that you +# do NOT use 'client's or 'naslist', although they are still +# supported. +# +# Anything listed in 'clients.conf' will take precedence over the +# information from the old-style configuration files. +# +$INCLUDE clients.conf + + +# THREAD POOL CONFIGURATION +# +# The thread pool is a long-lived group of threads which +# take turns (round-robin) handling any incoming requests. +# +# You probably want to have a few spare threads around, +# so that high-load situations can be handled immediately. If you +# don't have any spare threads, then the request handling will +# be delayed while a new thread is created, and added to the pool. +# +# You probably don't want too many spare threads around, +# otherwise they'll be sitting there taking up resources, and +# not doing anything productive. +# +# The numbers given below should be adequate for most situations. +# +thread pool { + # Number of servers to start initially --- should be a reasonable + # ballpark figure. + start_servers = 5 + + # Limit on the total number of servers running. 
+ # + # If this limit is ever reached, clients will be LOCKED OUT, so it + # should NOT BE SET TOO LOW. It is intended mainly as a brake to + # keep a runaway server from taking the system with it as it spirals + # down... + # + # You may find that the server is regularly reaching the + # 'max_servers' number of threads, and that increasing + # 'max_servers' doesn't seem to make much difference. + # + # If this is the case, then the problem is MOST LIKELY that + # your back-end databases are taking too long to respond, and + # are preventing the server from responding in a timely manner. + # + # The solution is NOT do keep increasing the 'max_servers' + # value, but instead to fix the underlying cause of the + # problem: slow database, or 'hostname_lookups=yes'. + # + # For more information, see 'max_request_time', above. + # + max_servers = 32 + + # Server-pool size regulation. Rather than making you guess + # how many servers you need, FreeRADIUS dynamically adapts to + # the load it sees, that is, it tries to maintain enough + # servers to handle the current load, plus a few spare + # servers to handle transient load spikes. + # + # It does this by periodically checking how many servers are + # waiting for a request. If there are fewer than + # min_spare_servers, it creates a new spare. If there are + # more than max_spare_servers, some of the spares die off. + # The default values are probably OK for most sites. + # + min_spare_servers = 3 + max_spare_servers = 10 + + # When the server receives a packet, it places it onto an + # internal queue, where the worker threads (configured above) + # pick it up for processing. The maximum size of that queue + # is given here. + # + # When the queue is full, any new packets will be silently + # discarded. + # + # The most common cause of the queue being full is that the + # server is dependent on a slow database, and it has received + # a large "spike" of traffic. 
When that happens, there is + # very little you can do other than make sure the server + # receives less traffic, or make sure that the database can + # handle the load. + # +# max_queue_size = 65536 + + # Clean up old threads periodically. For no reason other than + # it might be useful. + # + # '0' is a special value meaning 'infinity', or 'the servers never + # exit' + max_requests_per_server = 0 + + # Automatically limit the number of accounting requests. + # This configuration item tracks how many requests per second + # the server can handle. It does this by tracking the + # packets/s received by the server for processing, and + # comparing that to the packets/s handled by the child + # threads. + # + + # If the received PPS is larger than the processed PPS, *and* + # the queue is more than half full, then new accounting + # requests are probabilistically discarded. This lowers the + # number of packets that the server needs to process. Over + # time, the server will "catch up" with the traffic. + # + # Throwing away accounting packets is usually safe and low + # impact. The NAS will retransmit them in a few seconds, or + # even a few minutes. Vendors should read RFC 5080 Section 2.2.1 + # to see how accounting packets should be retransmitted. Using + # any other method is likely to cause network meltdowns. + # + auto_limit_acct = no +} + +###################################################################### +# +# SNMP notifications. Uncomment the following line to enable +# snmptraps. Note that you MUST also configure the full path +# to the "snmptrap" command in the "trigger.conf" file. +# +#$INCLUDE trigger.conf + +# MODULE CONFIGURATION +# +# The names and configuration of each module is located in this section. +# +# After the modules are defined here, they may be referred to by name, +# in other sections of this configuration file. 
+# +modules { + # + # Each module has a configuration as follows: + # + # name [ instance ] { + # config_item = value + # ... + # } + # + # The 'name' is used to load the 'rlm_name' library + # which implements the functionality of the module. + # + # The 'instance' is optional. To have two different instances + # of a module, it first must be referred to by 'name'. + # The different copies of the module are then created by + # inventing two 'instance' names, e.g. 'instance1' and 'instance2' + # + # The instance names can then be used in later configuration + # INSTEAD of the original 'name'. See the 'radutmp' configuration + # for an example. + # + + # + # Some modules have ordering issues. e.g. "sqlippool" uses + # the configuration from "sql". In that case, the "sql" + # module must be read off of disk before the "sqlippool". + # However, the directory inclusion below just reads the + # directory from start to finish. Which means that the + # modules are read off of disk randomly. + # + # As of 3.0.18, you can list individual modules *before* the + # directory inclusion. Those modules will be loaded first. + # Then, when the directory is read, those modules will be + # skipped and not read twice. + # +# $INCLUDE mods-enabled/sql + + # + # As of 3.0, modules are in mods-enabled/. Files matching + # the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are + # initialized ONLY if they are referenced in a processing + # section, such as authorize, authenticate, accounting, + # pre/post-proxy, etc. + # + $INCLUDE mods-enabled/ +} + +# Instantiation +# +# This section sets the instantiation order of the modules. listed +# here will get started up BEFORE the sections like authorize, +# authenticate, etc. get examined. +# +# This section is not strictly needed. When a section like authorize +# refers to a module, the module is automatically loaded and +# initialized. 
However, some modules may not be listed in any of the +# processing sections, so they should be listed here. +# +# Also, listing modules here ensures that you have control over +# the order in which they are initialized. If one module needs +# something defined by another module, you can list them in order +# here, and ensure that the configuration will be OK. +# +# After the modules listed here have been loaded, all of the modules +# in the "mods-enabled" directory will be loaded. Loading the +# "mods-enabled" directory means that unlike Version 2, you usually +# don't need to list modules here. +# +instantiate { + # + # We list the counter module here so that it registers + # the check_name attribute before any module which sets + # it +# daily + + # subsections here can be thought of as "virtual" modules. + # + # e.g. If you have two redundant SQL servers, and you want to + # use them in the authorize and accounting sections, you could + # place a "redundant" block in each section, containing the + # exact same text. Or, you could uncomment the following + # lines, and list "redundant_sql" in the authorize and + # accounting sections. + # + # The "virtual" module defined here can also be used with + # dynamic expansions, under a few conditions: + # + # * The section is "redundant", or "load-balance", or + # "redundant-load-balance" + # * The section contains modules ONLY, and no sub-sections + # * all modules in the section are using the same rlm_ + # driver, e.g. They are all sql, or all ldap, etc. + # + # When those conditions are satisfied, the server will + # automatically register a dynamic expansion, using the + # name of the "virtual" module. In the example below, + # it will be "redundant_sql". You can then use this expansion + # just like any other: + # + # update reply { + # Filter-Id := "%{redundant_sql: ... }" + # } + # + # In this example, the expansion is done via module "sql1", + # and if that expansion fails, using module "sql2". 
+ # + # For best results, configure the "pool" subsection of the + # module so that "retry_delay" is non-zero. That will allow + # the redundant block to quickly ignore all "down" SQL + # databases. If instead we have "retry_delay = 0", then + # every time the redundant block is used, the server will try + # to open a connection to every "down" database, causing + # problems. + # + #redundant redundant_sql { + # sql1 + # sql2 + #} +} + +###################################################################### +# +# Policies are virtual modules, similar to those defined in the +# "instantiate" section above. +# +# Defining a policy in one of the policy.d files means that it can be +# referenced in multiple places as a *name*, rather than as a series of +# conditions to match, and actions to take. +# +# Policies are something like subroutines in a normal language, but +# they cannot be called recursively. They MUST be defined in order. +# If policy A calls policy B, then B MUST be defined before A. +# +###################################################################### +policy { + $INCLUDE policy.d/ +} + +###################################################################### +# +# Load virtual servers. +# +# This next $INCLUDE line loads files in the directory that +# match the regular expression: /[a-zA-Z0-9_.]+/ +# +# It allows you to define new virtual servers simply by placing +# a file into the raddb/sites-enabled/ directory. +# +$INCLUDE sites-enabled/ + +###################################################################### +# +# All of the other configuration sections like "authorize {}", +# "authenticate {}", "accounting {}", have been moved to the +# the file: +# +# raddb/sites-available/default +# +# This is the "default" virtual server that has the same +# configuration as in version 1.0.x and 1.1.x. The default +# installation enables this virtual server. You should +# edit it to create policies for your local site. 
+#
+# For more documentation on virtual servers, see:
+#
+# raddb/sites-available/README
+#
+######################################################################
diff --git a/roles/freeradius/template/freeradius/3.0/sites-enabled/default.j2 b/roles/freeradius/template/freeradius/3.0/sites-enabled/default.j2
new file mode 100644
index 00000000..77ef9cf3
--- /dev/null
+++ b/roles/freeradius/template/freeradius/3.0/sites-enabled/default.j2
@@ -0,0 +1,741 @@ +{{ ansible_header | comment }} + +###################################################################### +# +# As of 2.0.0, FreeRADIUS supports virtual hosts using the +# "server" section, and configuration directives. +# +# Virtual hosts should be put into the "sites-available" +# directory. Soft links should be created in the "sites-enabled" +# directory to these files. This is done in a normal installation. +# +# If you are using 802.1X (EAP) authentication, please see also +# the "inner-tunnel" virtual server. You will likely have to edit +# that, too, for authentication to work. +# +# $Id: c60c0ba4c8728fac10b190dbb3b752f9df317c07 $ +# +###################################################################### +# +# Read "man radiusd" before editing this file. See the section +# titled DEBUGGING. It outlines a method where you can quickly +# obtain the configuration you want, without running into +# trouble. See also "man unlang", which documents the format +# of this file. +# +# This configuration is designed to work in the widest possible +# set of circumstances, with the widest possible number of +# authentication methods. This means that in general, you should +# need to make very few changes to this file. +# +# The best way to configure the server for your local system +# is to CAREFULLY edit this file. Most attempts to make large +# edits to this file will BREAK THE SERVER. Any edits should +# be small, and tested by running the server with "radiusd -X". +# Once the edits have been verified to work, save a copy of these +# configuration files somewhere. (e.g. as a "tar" file). Then, +# make more edits, and test, as above. +# +# There are many "commented out" references to modules such +# as ldap, sql, etc. These references serve as place-holders. +# If you need the functionality of that module, then configure +# it in radiusd.conf, and un-comment the references to it in +# this file. 
In most cases, those small changes will result +# in the server being able to connect to the DB, and to +# authenticate users. +# +###################################################################### + +server default { +# +# If you want the server to listen on additional addresses, or on +# additional ports, you can use multiple "listen" sections. +# +# Each section make the server listen for only one type of packet, +# therefore authentication and accounting have to be configured in +# different sections. +# +# The server ignore all "listen" section if you are using '-i' and '-p' +# on the command line. +# +listen { + # Type of packets to listen for. + # Allowed values are: + # auth listen for authentication packets + # acct listen for accounting packets + # proxy IP to use for sending proxied packets + # detail Read from the detail file. For examples, see + # raddb/sites-available/copy-acct-to-home-server + # status listen for Status-Server packets. For examples, + # see raddb/sites-available/status + # coa listen for CoA-Request and Disconnect-Request + # packets. For examples, see the file + # raddb/sites-available/coa + # + type = auth + + # Note: "type = proxy" lets you control the source IP used for + # proxying packets, with some limitations: + # + # * A proxy listener CANNOT be used in a virtual server section. + # * You should probably set "port = 0". + # * Any "clients" configuration will be ignored. + # + # See also proxy.conf, and the "src_ipaddr" configuration entry + # in the sample "home_server" section. When you specify the + # source IP address for packets sent to a home server, the + # proxy listeners are automatically created. + + # ipaddr/ipv4addr/ipv6addr - IP address on which to listen. + # If multiple ones are listed, only the first one will + # be used, and the others will be ignored. + # + # The configuration options accept the following syntax: + # + # ipv4addr - IPv4 address (e.g.192.0.2.3) + # - wildcard (i.e. 
*) + # - hostname (radius.example.com) + # Only the A record for the host name is used. + # If there is no A record, an error is returned, + # and the server fails to start. + # + # ipv6addr - IPv6 address (e.g. 2001:db8::1) + # - wildcard (i.e. *) + # - hostname (radius.example.com) + # Only the AAAA record for the host name is used. + # If there is no AAAA record, an error is returned, + # and the server fails to start. + # + # ipaddr - IPv4 address as above + # - IPv6 address as above + # - wildcard (i.e. *), which means IPv4 wildcard. + # - hostname + # If there is only one A or AAAA record returned + # for the host name, it is used. + # If multiple A or AAAA records are returned + # for the host name, only the first one is used. + # If both A and AAAA records are returned + # for the host name, only the A record is used. + # + # ipv4addr = * + # ipv6addr = * + ipaddr = * + + # Port on which to listen. + # Allowed values are: + # integer port number (1812) + # 0 means "use /etc/services for the proper port" + port = 0 + + # Some systems support binding to an interface, in addition + # to the IP address. This feature isn't strictly necessary, + # but for sites with many IP addresses on one interface, + # it's useful to say "listen on all addresses for eth0". + # + # If your system does not support this feature, you will + # get an error if you try to use it. + # +# interface = eth0 + + # Per-socket lists of clients. This is a very useful feature. + # + # The name here is a reference to a section elsewhere in + # radiusd.conf, or clients.conf. Having the name as + # a reference allows multiple sockets to use the same + # set of clients. + # + # If this configuration is used, then the global list of clients + # is IGNORED for this "listen" section. Take care configuring + # this feature, to ensure you don't accidentally disable a + # client you need. + # + # See clients.conf for the configuration of "per_socket_clients". 
+ # +# clients = per_socket_clients + + # + # Set the default UDP receive buffer size. In most cases, + # the default values set by the kernel are fine. However, in + # some cases the NASes will send large packets, and many of + # them at a time. It is then possible to overflow the + # buffer, causing the kernel to drop packets before they + # reach FreeRADIUS. Increasing the size of the buffer will + # avoid these packet drops. + # +# recv_buff = 65536 + + # + # Connection limiting for sockets with "proto = tcp". + # + # This section is ignored for other kinds of sockets. + # + limit { + # + # Limit the number of simultaneous TCP connections to the socket + # + # The default is 16. + # Setting this to 0 means "no limit" + max_connections = 16 + + # The per-socket "max_requests" option does not exist. + + # + # The lifetime, in seconds, of a TCP connection. After + # this lifetime, the connection will be closed. + # + # Setting this to 0 means "forever". + lifetime = 0 + + # + # The idle timeout, in seconds, of a TCP connection. + # If no packets have been received over the connection for + # this time, the connection will be closed. + # + # Setting this to 0 means "no timeout". + # + # We STRONGLY RECOMMEND that you set an idle timeout. + # + idle_timeout = 30 + } +} + +# +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + ipaddr = * +# ipv6addr = :: + port = 0 + type = acct +# interface = eth0 +# clients = per_socket_clients + + limit { + # The number of packets received can be rate limited via the + # "max_pps" configuration item. When it is set, the server + # tracks the total number of packets received in the previous + # second. If the count is greater than "max_pps", then the + # new packet is silently discarded. This helps the server + # deal with overload situations. + # + # The packets/s counter is tracked in a sliding window. 
This + # means that the pps calculation is done for the second + # before the current packet was received. NOT for the current + # wall-clock second, and NOT for the previous wall-clock second. + # + # Useful values are 0 (no limit), or 100 to 10000. + # Values lower than 100 will likely cause the server to ignore + # normal traffic. Few systems are capable of handling more than + # 10K packets/s. + # + # It is most useful for accounting systems. Set it to 50% + # more than the normal accounting load, and you can be sure that + # the server will never get overloaded + # +# max_pps = 0 + + # Only for "proto = tcp". These are ignored for "udp" sockets. + # +# idle_timeout = 0 +# lifetime = 0 +# max_connections = 0 + } +} + +# IPv6 versions of the above - read their full config to understand options +listen { + type = auth + ipv6addr = :: # any. ::1 == localhost + port = 0 +# interface = eth0 +# clients = per_socket_clients + limit { + max_connections = 16 + lifetime = 0 + idle_timeout = 30 + } +} + +listen { + ipv6addr = :: + port = 0 + type = acct +# interface = eth0 +# clients = per_socket_clients + + limit { +# max_pps = 0 +# idle_timeout = 0 +# lifetime = 0 +# max_connections = 0 + } +} +} + + +# Virtual server to handle RADIUS queries from a wifi AP. It is well commented out +# to understand exactly what it does by reading this configuration file. +# The virtual server to handle RADIUS queries from switches won't be as commented. + +server radius-wifi { + +# Authorization. First preprocess (hints and huntgroups files), +# then realms, and finally look in the "users" file. +# +# Any changes made here should also be made to the "inner-tunnel" +# virtual server. +# +# The order of the realm modules will determine the order that +# we try to find a matching realm. 
+#
+# Make *sure* that 'preprocess' comes before any realm if you
+# need to setup hints for the remote radius server
+authorize {
+
+
+ # Makes Calling-Station-ID conform to what RFC3580 says should
+ # be provided by 802.1X authenticators.
+ # See policy.d/canonicalization for the definition of the rewrite_calling_station_id policy
+ rewrite_calling_station_id
+
+{% if freeradius.proxy_to is defined %}
+ # Handles RADIUS Proxy to {{ freeradius.proxy_to }} REALM
+ if (User-Name =~ /^(.*)@(.*)/){
+ if (User-Name !~ /^(.*)@(.*){{ freeradius.realm }}(.*)/){
+ update control{
+ Proxy-To-Realm := '{{ freeradius.proxy_to }}'
+ }
+ }
+
+ # If the User-Name has {{ freeradius.realm }} realm, then do not proxy.
+ if ("%{request:User-Name}" =~ /^(.*)@(.*){{ freeradius.realm }}(.*)/){
+ update request{
+ Stripped-User-Name := "%{1}"
+ }
+ }
+ }
+{% endif %}
+
+ #
+ # Take a User-Name, and perform some checks on it, for spaces and other
+ # invalid characters. If the User-Name appears invalid, reject the
+ # request.
+ #
+ # See policy.d/filter for the definition of the filter_username policy.
+ #
+ filter_username
+
+ #
+ # The preprocess module takes care of sanitizing some bizarre
+ # attributes in the request, and turning them into attributes
+ # which are more standard.
+ #
+ # It takes care of processing the 'raddb/mods-config/preprocess/hints'
+ # and the 'raddb/mods-config/preprocess/huntgroups' files.
+ preprocess
+
+ #
+ # Look for realms in user@domain format
+ suffix
+
+ #
+ # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
+ # authentication.
+ #
+ # It also sets the EAP-Type attribute in the request
+ # attribute list to the EAP type from the packet.
+ #
+ # The EAP module returns "ok" or "updated" if it is not yet ready
+ # to authenticate the user. The configuration below checks for
+ # "ok", and stops processing the "authorize" section if so.
+ # + # Any LDAP and/or SQL servers will not be queried for the + # initial set of packets that go back and forth to set up + # TTLS or PEAP. + # + # The "updated" check is commented out for compatibility with + # previous versions of this configuration, but you may wish to + # uncomment it as well; this will further reduce the number of + # LDAP and/or SQL queries for TTLS or PEAP. + # + eap { + ok = return +# updated = return + } + + # + expiration + logintime + + # + # If no other module has claimed responsibility for + # authentication, then try to use PAP. This allows the + # other modules listed above to add a "known good" password + # to the request, and to do nothing else. The PAP module + # will then see that password, and use it to do PAP + # authentication. + # + # This module should be listed last, so that the other modules + # get a chance to set Auth-Type for themselves. + # + pap + +} + +# Authentication. +# +# +# This section lists which modules are available for authentication. +# Note that it does NOT mean 'try each module in order'. It means +# that a module from the 'authorize' section adds a configuration +# attribute 'Auth-Type := FOO'. That authentication type is then +# used to pick the appropriate module from the list below. +# + +# In general, you SHOULD NOT set the Auth-Type attribute. The server +# will figure it out on its own, and will do the right thing. The +# most common side effect of erroneously setting the Auth-Type +# attribute is that one authentication method will work, but the +# others will not. +# +# The common reasons to set the Auth-Type attribute by hand +# is to either forcibly reject the user (Auth-Type := Reject), +# or to or forcibly accept the user (Auth-Type := Accept). +# +# Note that Auth-Type := Accept will NOT work with EAP. +# +# Please do not put "unlang" configurations into the "authenticate" +# section. Put them in the "post-auth" section instead. That's what +# the post-auth section is for. 
+# +authenticate { + # + # PAP authentication, when a back-end database listed + # in the 'authorize' section supplies a password. The + # password can be clear-text, or encrypted. + Auth-Type PAP { + pap + } + + # + # Most people want CHAP authentication + # A back-end database listed in the 'authorize' section + # MUST supply a CLEAR TEXT password. Encrypted passwords + # won't work. + Auth-Type CHAP { + chap + } + + # + # MSCHAP authentication. + Auth-Type MS-CHAP { + mschap + } + + # + # For old names, too. + # + mschap + + # + # Allow EAP authentication. + eap + + # + # The older configurations sent a number of attributes in + # Access-Challenge packets, which wasn't strictly correct. + # If you want to filter out these attributes, uncomment + # the following lines. + # +# Auth-Type eap { +# eap { +# handled = 1 +# } +# if (handled && (Response-Packet-Type == Access-Challenge)) { +# attr_filter.access_challenge.post-auth +# handled # override the "updated" code from attr_filter +# } +# } +} + +# +# Pre-accounting. Decide which accounting type to use. +# +preacct { + preprocess + + # + # Session start times are *implied* in RADIUS. + # The NAS never sends a "start time". Instead, it sends + # a start packet, *possibly* with an Acct-Delay-Time. + # The server is supposed to conclude that the start time + # was "Acct-Delay-Time" seconds in the past. + # + # The code below creates an explicit start time, which can + # then be used in other modules. It will be *mostly* correct. + # Any errors are due to the 1-second resolution of RADIUS, + # and the possibility that the time on the NAS may be off. + # + # The start time is: NOW - delay - session_length + # + +# update request { +# &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" +# } + + + # + # Ensure that we have a semi-unique identifier for every + # request, and many NAS boxes are broken. 
+ acct_unique + + # + # Look for IPASS-style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. + # + # Accounting requests are generally proxied to the same + # home server as authentication requests. +# IPASS + suffix +# ntdomain + + # + # Read the 'acct_users' file + files +} + +# +# Accounting. Log the accounting data. +# +accounting { + # + # Create a 'detail'ed log of the packets. + # Note that accounting requests which are proxied + # are also logged in the detail file. + detail + + # Update the wtmp file + # + # If you don't use "radlast", you can delete this line. + unix + + # For Exec-Program and Exec-Program-Wait + exec +} + + +# Session database, used for checking Simultaneous-Use. Either the radutmp +# or rlm_sql module can handle this. +# The rlm_sql module is *much* faster +session { +} + + +# Post-Authentication +# Once we KNOW that the user has been authenticated, there are +# additional steps we can take. +post-auth { + # + # If you need to have a State attribute, you can + # add it here. e.g. for later CoA-Request with + # State, and Service-Type = Authorize-Only. + # +# if (!&reply:State) { +# update reply { +# State := "0x%{randstr:16h}" +# } +# } + + # + # For EAP-TTLS and PEAP, add the cached attributes to the reply. + # The "session-state" attributes are automatically cached when + # an Access-Challenge is sent, and automatically retrieved + # when an Access-Request is received. + # + # The session-state attributes are automatically deleted after + # an Access-Reject or Access-Accept is sent. + # + # If both session-state and reply contain a User-Name attribute, remove + # the one in the reply if it is just a copy of the one in the request, so + # we don't end up with two User-Name attributes. 
+ + if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { + update reply { + &User-Name !* ANY + } + } + update { + &reply: += &session-state: + } + + # + # If you want to have a log of authentication replies, + # un-comment the following line, and enable the + # 'detail reply_log' module. +# reply_log + + # + # Un-comment the following if you want to modify the user's object + # in LDAP after a successful login. + # +# ldap + + # For Exec-Program and Exec-Program-Wait + exec + + + # If there is a client certificate (EAP-TLS, sometimes PEAP + # and TTLS), then some attributes are filled out after the + # certificate verification has been performed. These fields + # MAY be available during the authentication, or they may be + # available only in the "post-auth" section. + # + # The first set of attributes contains information about the + # issuing certificate which is being used. The second + # contains information about the client certificate (if + # available). +# +# update reply { +# Reply-Message += "%{TLS-Cert-Serial}" +# Reply-Message += "%{TLS-Cert-Expiration}" +# Reply-Message += "%{TLS-Cert-Subject}" +# Reply-Message += "%{TLS-Cert-Issuer}" +# Reply-Message += "%{TLS-Cert-Common-Name}" +# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}" +# +# Reply-Message += "%{TLS-Client-Cert-Serial}" +# Reply-Message += "%{TLS-Client-Cert-Expiration}" +# Reply-Message += "%{TLS-Client-Cert-Subject}" +# Reply-Message += "%{TLS-Client-Cert-Issuer}" +# Reply-Message += "%{TLS-Client-Cert-Common-Name}" +# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}" +# } + + # Remove reply message if the response contains an EAP-Message + remove_reply_message_if_eap + + # + # Access-Reject packets are sent through the REJECT sub-section of the + # post-auth section. 
+ # + # Add the ldap module name (or instance) if you have set + # 'edir = yes' in the ldap module configuration + # + # The "session-state" attributes are not available here. + # + Post-Auth-Type REJECT { + # TO REMOVE ? + # log failed authentications in SQL, too. + -sql + attr_filter.access_reject + + # Insert EAP-Failure message if the request was + # rejected by policy instead of because of an + # authentication failure + eap + + # Remove reply message if the response contains an EAP-Message + remove_reply_message_if_eap + } + + # + # Filter access challenges. + # + Post-Auth-Type Challenge { +# remove_reply_message_if_eap +# attr_filter.access_challenge.post-auth + } + +} + +# +# When the server decides to proxy a request to a home server, +# the proxied request is first passed through the pre-proxy +# stage. This stage can re-write the request, or decide to +# cancel the proxy. +# +# Only a few modules currently have this method. +# +pre-proxy { +} + +# +# When the server receives a reply to a request it proxied +# to a home server, the request may be massaged here, in the +# post-proxy stage. +# +post-proxy { + + # If you want to have a log of replies from a home server, + # un-comment the following line, and the 'detail post_proxy_log' + # section, above. +# post_proxy_log + + # Uncomment the following line if you want to filter replies from + # remote proxies based on the rules defined in the 'attrs' file. +# attr_filter.post-proxy + + # + # If you are proxying LEAP, you MUST configure the EAP + # module, and you MUST list it here, in the post-proxy + # stage. + # + # You MUST also use the 'nostrip' option in the 'realm' + # configuration. Otherwise, the User-Name attribute + # in the proxied request will not match the user name + # hidden inside of the EAP packet, and the end server will + # reject the EAP request. + # + eap + +} + +} + + +# Virtual server to handle RADIUS queries from a switch. 
See the above virtual server
+# to have precise comments about what it does.
+server radius-filaire{
+ authorize{
+ # Call the re2o module to authorize the request
+ re2o
+ expiration
+ logintime
+ pap
+ }
+ authenticate{
+ Auth-Type PAP{
+ pap
+ }
+ Auth-Type CHAP{
+ chap
+ }
+ Auth-Type MS-CHAP{
+ mschap
+ }
+ digest
+ eap
+
+ }
+ preacct{
+ preprocess
+ acct_unique
+ suffix
+ files
+ }
+ accounting{
+ }
+ session{
+ }
+ post-auth{
+ re2o
+ exec
+ }
+ pre-proxy{
+ }
+ post-proxy{
+ eap
+ }
+}
diff --git a/roles/freeradius/template/freeradius/3.0/sites-enabled/inner-tunnel.j2 b/roles/freeradius/template/freeradius/3.0/sites-enabled/inner-tunnel.j2
new file mode 100644
index 00000000..28626115
--- /dev/null
+++ b/roles/freeradius/template/freeradius/3.0/sites-enabled/inner-tunnel.j2
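Review bot: The realm test in the `{% if freeradius.proxy_to is defined %}` block of the `radius-wifi` authorize section, `/^(.*)@(.*){{ freeradius.realm }}(.*)/`, is unanchored on the right and leaves the realm's dots unescaped, so a User-Name whose domain merely contains the configured realm (e.g. `user@<realm>.example.net`, constructed) is classified as local, stripped via `%{1}` and never proxied, and the greedy `(.*)` before the `@` also captures everything up to the last `@`. Anchor and escape it in both places, e.g. `if (User-Name !~ /^[^@]+@{{ freeradius.realm | regex_escape }}$/){` and `if ("%{request:User-Name}" =~ /^([^@]+)@{{ freeradius.realm | regex_escape }}$/){`, adding the `i` flag only if realms are meant to match case-insensitively. In the `radius-filaire` server at the end of the hunk, `accounting{ }` is empty and there is no `Post-Auth-Type REJECT`, so wired sessions produce no detail log and rejects are sent without `attr_filter.access_reject`; if that is deliberate, a one-line comment such as `# accounting intentionally not logged for wired clients` would keep a later reader from "fixing" it. The `# TO REMOVE ?` above `-sql` in the wifi REJECT block is an open question that should be resolved (or turned into a dated TODO) before this is merged.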
@@ -0,0 +1,306 @@ +{{ ansible_header | comment }} + +# -*- text -*- +###################################################################### +# +# This is a virtual server that handles *only* inner tunnel +# requests for EAP-TTLS and PEAP types. +# +# $Id: 10eeb55db7a1129ea62f2195c17b286eb4acd1d2 $ +# +###################################################################### + +server inner-tunnel { + +# +# This next section is here to allow testing of the "inner-tunnel" +# authentication methods, independently from the "default" server. +# It is listening on "localhost", so that it can only be used from +# the same machine. +# +# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123 +# +# If it works, you have configured the inner tunnel correctly. To check +# if PEAP will work, use: +# +# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123 +# +# If that works, PEAP should work. If that command doesn't work, then +# +# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS. +# +# Do NOT do any PEAP tests. It won't help. Instead, concentrate +# on fixing the inner tunnel configuration. DO NOTHING ELSE. +# +listen { + ipaddr = 127.0.0.1 + port = 18120 + type = auth +} + + +# Authorization. First preprocess (hints and huntgroups files), +# then realms, and finally look in the "users" file. +# +# The order of the realm modules will determine the order that +# we try to find a matching realm. +# +# Make *sure* that 'preprocess' comes before any realm if you +# need to setup hints for the remote radius server + +# See sites-enabled/default for the comments +authorize { + # Get rid of the realm part + if ("%{request:User-Name}" =~ /^(.*)@{{ freeradius.realm }}(.*)/){ + update request{ + Stripped-User-Name := "%{1}" + } + } + # + # Take a User-Name, and perform some checks on it, for spaces and other + # invalid characters. If the User-Name appears invalid, reject the + # request. + # + # See policy.d/filter for the definition of the filter_username policy. 
+ # + filter_username + + # Call the authorize function from re2o module + re2o + + # + # Do checks on outer / inner User-Name, so that users + # can't spoof us by using incompatible identities + # +# filter_inner_identity + + # + # The chap module will set 'Auth-Type := CHAP' if we are + # handling a CHAP request and Auth-Type has not already been set + chap + + # + # If the users are logging in with an MS-CHAP-Challenge + # attribute for authentication, the mschap module will find + # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' + # to the request, which will cause the server to then use + # the mschap module for authentication. + mschap + + + # + # Look for realms in user@domain format + # + # Note that proxying the inner tunnel authentication means + # that the user MAY use one identity in the outer session + # (e.g. "anonymous", and a different one here + # (e.g. "user@example.com"). The inner session will then be + # proxied elsewhere for authentication. If you are not + # careful, this means that the user can cause you to forward + # the authentication to another RADIUS server, and have the + # accounting logs *not* sent to the other server. This makes + # it difficult to bill people for their network activity. + # + suffix +# ntdomain + + # + # The "suffix" module takes care of stripping the domain + # (e.g. "@example.com") from the User-Name attribute, and the + # next few lines ensure that the request is not proxied. + # + # If you want the inner tunnel request to be proxied, delete + # the next few lines. + # + update control { + &Proxy-To-Realm := LOCAL + } + + # + # This module takes care of EAP-MSCHAPv2 authentication. + # + # It also sets the EAP-Type attribute in the request + # attribute list to the EAP type from the packet. + # + # The example below uses module failover to avoid querying all + # of the following modules if the EAP module returns "ok". 
+ # Therefore, your LDAP and/or SQL servers will not be queried + # for the many packets that go back and forth to set up TTLS + # or PEAP. The load on those servers will therefore be reduced. + # + eap { + ok = return + } + + expiration + logintime + + # + # If no other module has claimed responsibility for + # authentication, then try to use PAP. This allows the + # other modules listed above to add a "known good" password + # to the request, and to do nothing else. The PAP module + # will then see that password, and use it to do PAP + # authentication. + # + # This module should be listed last, so that the other modules + # get a chance to set Auth-Type for themselves. + # + pap +} + + +# Authentication. +authenticate { + Auth-Type PAP { + pap + } + + Auth-Type CHAP { + chap + } + + Auth-Type MS-CHAP { + mschap + } + + mschap + + # + # Allow EAP authentication. + eap +} + +###################################################################### +# +# There are no accounting requests inside of EAP-TTLS or PEAP +# tunnels. +# +###################################################################### + + +# Session database, used for checking Simultaneous-Use. Either the radutmp +# or rlm_sql module can handle this. +# The rlm_sql module is *much* faster +session { + radutmp + + # + # See "Simultaneous Use Checking Queries" in `mods-config/sql/main/$driver/queries.conf` +# sql +} + + +# Post-Authentication +# Once we KNOW that the user has been authenticated, there are +# additional steps we can take. +# +# Note that the last packet of the inner-tunnel authentication +# MAY NOT BE the last packet of the outer session. So updating +# the outer reply MIGHT work, and sometimes MIGHT NOT. The +# exact functionality depends on both the inner and outer +# authentication methods. +# +# If you need to send a reply attribute in the outer session, +# the ONLY safe way is to set "use_tunneled_reply = yes", and +# then update the inner-tunnel reply. 
+post-auth { + # If you want privacy to remain, see the + # Chargeable-User-Identity attribute from RFC 4372. + # If you want to use it just uncomment the line below. +# cui-inner + + # + # If you want the Access-Accept to contain the inner + # User-Name, uncomment the following lines. + # +# update outer.session-state { +# User-Name := &User-Name +# } + + # + # If you want to have a log of authentication replies, + # un-comment the following line, and enable the + # 'detail reply_log' module. +# reply_log + + # + # After authenticating the user, do another SQL query. + # + # See "Authentication Logging Queries" in `mods-config/sql/main/$driver/queries.conf` + -sql + + + # + # Instead of "use_tunneled_reply", change this "if (0)" to an + # "if (1)". + # + if (0) { + # + # These attributes are for the inner-tunnel only, + # and MUST NOT be copied to the outer reply. + # + update reply { + User-Name !* ANY + Message-Authenticator !* ANY + EAP-Message !* ANY + Proxy-State !* ANY + MS-MPPE-Encryption-Types !* ANY + MS-MPPE-Encryption-Policy !* ANY + MS-MPPE-Send-Key !* ANY + MS-MPPE-Recv-Key !* ANY + } + + # + # Copy the inner reply attributes to the outer + # session-state list. The post-auth policy will take + # care of copying the outer session-state list to the + # outer reply. + # + update { + &outer.session-state: += &reply: + } + } + + # + # Access-Reject packets are sent through the REJECT sub-section of the + # post-auth section. + # + # Add the ldap module name (or instance) if you have set + # 'edir = yes' in the ldap module configuration + # + Post-Auth-Type REJECT { + # log failed authentications in SQL, too. + -sql + attr_filter.access_reject + + # + # Let the outer session know which module failed, and why. + # + update outer.session-state { + &Module-Failure-Message := &request:Module-Failure-Message + } + } +} + +# +# When the server decides to proxy a request to a home server, +# the proxied request is first passed through the pre-proxy +# stage. 
This stage can re-write the request, or decide to +# cancel the proxy. +# +# Only a few modules currently have this method. +# +pre-proxy { +} + +# +# When the server receives a reply to a request it proxied +# to a home server, the request may be massaged here, in the +# post-proxy stage. +# +post-proxy { + eap +} + +} # inner-tunnel server block -- GitLab From a7d67b1f870de592998bebf73cd27d73b23c8238 Mon Sep 17 00:00:00 2001 From: Maxime Bombar <bombar@crans.org> Date: Tue, 11 Aug 2020 04:04:41 +0200 Subject: [PATCH 45/56] Role freeradius --- group_vars/all/vars.yaml | 1 + group_vars/freeradius.yml | 4 ---- group_vars/radius.yml | 8 ++++++++ hosts | 3 +++ plays/freeradius.yml | 9 +++++++++ roles/freeradius/tasks/main.yml | 10 +++++++++- .../apt/preferences.d/freeradius_python3.j2 | 0 .../freeradius/3.0/clients.conf.j2 | 0 .../freeradius/3.0/mods-enabled/eap.j2 | 6 +++--- .../freeradius/3.0/mods-enabled/python3.j2 | 0 .../freeradius/3.0/radiusd.conf.j2 | 3 ++- .../freeradius/3.0/sites-enabled/default.j2 | 7 ++----- .../freeradius/3.0/sites-enabled/inner-tunnel.j2 | 4 ++-- 13 files changed, 39 insertions(+), 16 deletions(-) delete mode 100644 group_vars/freeradius.yml create mode 100644 group_vars/radius.yml create mode 100755 plays/freeradius.yml rename roles/freeradius/{template => templates}/apt/preferences.d/freeradius_python3.j2 (100%) rename roles/freeradius/{template => templates}/freeradius/3.0/clients.conf.j2 (100%) rename roles/freeradius/{template => templates}/freeradius/3.0/mods-enabled/eap.j2 (99%) rename roles/freeradius/{template => templates}/freeradius/3.0/mods-enabled/python3.j2 (100%) rename roles/freeradius/{template => templates}/freeradius/3.0/radiusd.conf.j2 (99%) rename roles/freeradius/{template => templates}/freeradius/3.0/sites-enabled/default.j2 (99%) rename roles/freeradius/{template => templates}/freeradius/3.0/sites-enabled/inner-tunnel.j2 (99%) 
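Review bot: The realm-stripping rule at the top of `authorize` matches `/^(.*)@{{ freeradius.realm }}(.*)/`, which is anchored only at the start, so `alice@crans.example.net` or `alice@cransX` also match and are rewritten to `Stripped-User-Name := alice`; the realm is also interpolated unescaped, harmless for `crans` but a trap if the realm ever contains a dot. `if ("%{request:User-Name}" =~ /^(.*)@{{ freeradius.realm }}$/)` pins the match to the exact realm, and a comment such as `# strip "@realm" so re2o sees the bare login; exact-realm match only` would document the intent. `filter_inner_identity` is left commented out, so the inner identity is not checked against the outer one; whether re2o tolerates that is not visible here and deserves a one-line comment either way.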
diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml
index defee09c..f2276672 100644
--- a/group_vars/all/vars.yaml
+++ b/group_vars/all/vars.yaml
@@ -42,6 +42,7 @@ adm_subnet: 10.231.136.0/24
 #
 #
 # global server definitions
 glob_smtp: smtp.adm.crans.org
+glob_mirror: mirror.adm.crans.org
 glob_ldap:
 servers:
diff --git a/group_vars/freeradius.yml b/group_vars/freeradius.yml
deleted file mode 100644
index c51d5aa8..00000000
--- a/group_vars/freeradius.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-glob_freeradius:
- realm: crans
- proxy_to: FEDEREZ
diff --git a/group_vars/radius.yml b/group_vars/radius.yml
new file mode 100644
index 00000000..2ea7d95d
--- /dev/null
+++ b/group_vars/radius.yml
@@ -0,0 +1,8 @@
+---
+glob_freeradius:
+ realm: crans
+ proxy_to: FEDEREZ
+ infra_switch: "172.16.33.0/24"
+ infra_bornes: "172.16.34.0/24"
+ secret_switch: "ploptotoswitch"
+ secret_bornes: "ploptotobornes"
diff --git a/hosts b/hosts
index d1d3fb60..42571ba7 100644
--- a/hosts
+++ b/hosts
@@ -25,6 +25,9 @@
 # [test_vm]
 # re2o-test.adm.crans.org
+[radius]
+routeur-sam.adm.crans.org
+
 [re2o]
 re2o-newinfra.adm.crans.org
 routeur-sam.adm.crans.org
diff --git a/plays/freeradius.yml b/plays/freeradius.yml
new file mode 100755
index 00000000..f2c4e3d7
--- /dev/null
+++ b/plays/freeradius.yml
@@ -0,0 +1,9 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy radius server
+- hosts: radius
+ vars:
+ freeradius: '{{ glob_freeradius | default({}) | combine(loc_freeradius | default({})) }}'
+ mirror: '{{ glob_mirror }}'
+ roles:
+ - freeradius
diff --git a/roles/freeradius/tasks/main.yml b/roles/freeradius/tasks/main.yml
index 40ba0ad3..f6b76b91 100644
--- a/roles/freeradius/tasks/main.yml
+++ b/roles/freeradius/tasks/main.yml
@@ -7,7 +7,7 @@
 - name: Pin freeradius from backports
 template:
 src: apt/preferences.d/freeradius_python3.j2
- dest: /etc/apt/prefederences.d/freeradius_python3
+ dest: /etc/apt/preferences.d/freeradius_python3
 - name: Install freeradius
 apt:
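Review bot: `group_vars/radius.yml` commits the RADIUS shared secrets in clear text (`secret_switch: "ploptotoswitch"`, `secret_bornes: "ploptotobornes"`), while every other credential in this series is pulled from the vault (`vault_re2o_service_password`, `vault_zebra_password`). Anyone with read access to the repository can then forge or decode RADIUS exchanges between the switches/APs and the server, since the shared secret is what protects `User-Password` and the MS-MPPE key attributes. `secret_switch: "{{ vault_radius_secret_switch }}"` and `secret_bornes: "{{ vault_radius_secret_bornes }}"`, with the values moved into the vault, keeps the established pattern; if these are placeholders to be rotated before use, say so in a comment next to them.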
@@ -43,8 +43,16 @@ file: src: /var/www/re2o/freeradius_utils/auth.py dest: /etc/freeradius/3.0/auth.py + state: link + force: yes notify: Restart freeradius +- name: Ensure ${certdir}/letsencrypt directory exists + file: + path: /etc/freeradius/3.0/certs/letsencrypt + state: directory + recurse: yes + - name: Symlink radius certificates file: src: /etc/letsencrypt/live/crans.org/{{ item }} diff --git a/roles/freeradius/template/apt/preferences.d/freeradius_python3.j2 b/roles/freeradius/templates/apt/preferences.d/freeradius_python3.j2 similarity index 100% rename from roles/freeradius/template/apt/preferences.d/freeradius_python3.j2 rename to roles/freeradius/templates/apt/preferences.d/freeradius_python3.j2 diff --git a/roles/freeradius/template/freeradius/3.0/clients.conf.j2 b/roles/freeradius/templates/freeradius/3.0/clients.conf.j2 similarity index 100% rename from roles/freeradius/template/freeradius/3.0/clients.conf.j2 rename to roles/freeradius/templates/freeradius/3.0/clients.conf.j2 diff --git a/roles/freeradius/template/freeradius/3.0/mods-enabled/eap.j2 b/roles/freeradius/templates/freeradius/3.0/mods-enabled/eap.j2 similarity index 99% rename from roles/freeradius/template/freeradius/3.0/mods-enabled/eap.j2 rename to roles/freeradius/templates/freeradius/3.0/mods-enabled/eap.j2 index 880dd902..b615f9c8 100644 --- a/roles/freeradius/template/freeradius/3.0/mods-enabled/eap.j2 +++ b/roles/freeradius/templates/freeradius/3.0/mods-enabled/eap.j2 @@ -184,7 +184,7 @@ eap { # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. - certificate_file = ${certdir}/letsencrypt/privkey.pem + certificate_file = ${certdir}/letsencrypt/fullchain.pem # Trusted Root CA list # 
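Review bot: The `Symlink radius certificates` task points `${certdir}/letsencrypt/` at `/etc/letsencrypt/live/crans.org/`, but certbot creates `live/`, `archive/` and `privkey.pem` readable by root only by default, and on Debian FreeRADIUS reads the key as the `freerad` user, so the symlink alone does not make the private key readable; the task body continues outside this hunk, so an ACL or renewal hook granting `freerad` read access may exist elsewhere — worth confirming. Switching `certificate_file` to `fullchain.pem` in `eap.j2` is the right fix for the earlier `privkey.pem` typo; a comment such as `# fullchain.pem so supplicants receive the intermediate; the key is in private_key_file` would document why.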
@@ -196,7 +196,7 @@ eap {
 # In that case, this CA file should contain
 # *one* CA certificate.
 #
- ca_file = ${certdir}/ca.crt
+ # ca_file = ${certdir}/ca.crt
 # OpenSSL will automatically create certificate chains,
 # unless we tell it to not do that. The problem is that
@@ -363,7 +363,7 @@ eap {
 #
 # The values must be in quotes.
 #
- tls_min_version = "1.0"
+ tls_min_version = "1.2"
 tls_max_version = "1.2"
diff --git a/roles/freeradius/template/freeradius/3.0/mods-enabled/python3.j2 b/roles/freeradius/templates/freeradius/3.0/mods-enabled/python3.j2
similarity index 100%
rename from roles/freeradius/template/freeradius/3.0/mods-enabled/python3.j2
rename to roles/freeradius/templates/freeradius/3.0/mods-enabled/python3.j2
diff --git a/roles/freeradius/template/freeradius/3.0/radiusd.conf.j2 b/roles/freeradius/templates/freeradius/3.0/radiusd.conf.j2
similarity index 99%
rename from roles/freeradius/template/freeradius/3.0/radiusd.conf.j2
rename to roles/freeradius/templates/freeradius/3.0/radiusd.conf.j2
index a6ad1137..68305530 100644
--- a/roles/freeradius/template/freeradius/3.0/radiusd.conf.j2
+++ b/roles/freeradius/templates/freeradius/3.0/radiusd.conf.j2
@@ -373,9 +373,10 @@ log {
 # this expansion can be slow, and can negatively impact server
 # performance.
 #
+{% raw %}
 msg_goodpass = "IP du Nas: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}"
 msg_badpass = "IP du Nas: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}"
-
+{% endraw %}
 # The message when the user exceeds the Simultaneous-Use limit.
 #
 msg_denied = "You are already logged in - access denied"
diff --git a/roles/freeradius/template/freeradius/3.0/sites-enabled/default.j2 b/roles/freeradius/templates/freeradius/3.0/sites-enabled/default.j2
similarity index 99%
rename from roles/freeradius/template/freeradius/3.0/sites-enabled/default.j2
rename to roles/freeradius/templates/freeradius/3.0/sites-enabled/default.j2
index 77ef9cf3..415bc758 100644
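Review bot: Commenting out `ca_file` in the `tls` section (hunk `@@ -196,7 +196,7 @@`) leaves the server with no trusted-CA list at all; that is fine for presenting the Let's Encrypt chain from `fullchain.pem`, but if the same `tls` configuration is used for EAP-TLS client-certificate authentication there is then nothing to verify client certificates against, which this hunk cannot show — worth confirming, and a comment such as `# no ca_file: server chain comes from fullchain.pem, client certificates are not verified` would make the choice explicit. Raising `tls_min_version` to `"1.2"` is a genuine improvement; since `tls_max_version = "1.2"` stays, a one-line comment saying the ceiling is deliberate would keep the next reader from bumping it without testing the supplicants.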
--- a/roles/freeradius/template/freeradius/3.0/sites-enabled/default.j2 +++ b/roles/freeradius/templates/freeradius/3.0/sites-enabled/default.j2 @@ -479,11 +479,11 @@ preacct { # # The start time is: NOW - delay - session_length # - +{% raw %} # update request { # &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" # } - +{% endraw %} # # Ensure that we have a semi-unique identifier for every @@ -626,9 +626,6 @@ post-auth { # The "session-state" attributes are not available here. # Post-Auth-Type REJECT { - # TO REMOVE ? - # log failed authentications in SQL, too. - -sql attr_filter.access_reject # Insert EAP-Failure message if the request was diff --git a/roles/freeradius/template/freeradius/3.0/sites-enabled/inner-tunnel.j2 b/roles/freeradius/templates/freeradius/3.0/sites-enabled/inner-tunnel.j2 similarity index 99% rename from roles/freeradius/template/freeradius/3.0/sites-enabled/inner-tunnel.j2 rename to roles/freeradius/templates/freeradius/3.0/sites-enabled/inner-tunnel.j2 index 28626115..2552a4fb 100644 --- a/roles/freeradius/template/freeradius/3.0/sites-enabled/inner-tunnel.j2 +++ b/roles/freeradius/templates/freeradius/3.0/sites-enabled/inner-tunnel.j2 @@ -228,7 +228,7 @@ post-auth { # After authenticating the user, do another SQL query. # # See "Authentication Logging Queries" in `mods-config/sql/main/$driver/queries.conf` - -sql + # -sql # @@ -271,7 +271,7 @@ post-auth { # Post-Auth-Type REJECT { # log failed authentications in SQL, too. - -sql + # -sql attr_filter.access_reject # -- GitLab From c0140d5911fa27f7a0b9dab5bd14ca4b93fddaab Mon Sep 17 00:00:00 2001 From: Benjamin Graillot <graillot@crans.org> Date: Tue, 11 Aug 2020 08:29:29 +0200 Subject: [PATCH 46/56] [re2o-services] Fix config file header --- roles/re2o-services/templates/re2o-services/config.ini.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/re2o-services/templates/re2o-services/config.ini.j2 b/roles/re2o-services/templates/re2o-services/config.ini.j2
index 8e464dfc..38cbd755 100644
--- a/roles/re2o-services/templates/re2o-services/config.ini.j2
+++ b/roles/re2o-services/templates/re2o-services/config.ini.j2
@@ -1,4 +1,4 @@
-; {{ ansible_header | comment }}
+{{ ansible_header | comment(decoration='; ') }}
 [Re2o]
 hostname = {{ re2o.server }}
 username = {{ re2o.service_user }}
-- GitLab
From a27a641ab8514cc08b21a20e20f39e51807891b2 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 11 Aug 2020 08:37:56 +0200
Subject: [PATCH 47/56] [dns] Deploy dns
---
 roles/dns/tasks/main.yml | 36 +++++++++++++++++++
 roles/dns/templates/cron.d/firewall.j2 | 2 ++
 .../dns/templates/firewall/re2o-config.ini.j2 | 5 +++
 3 files changed, 43 insertions(+)
 create mode 100644 roles/dns/tasks/main.yml
 create mode 100644 roles/dns/templates/cron.d/firewall.j2
 create mode 100644 roles/dns/templates/firewall/re2o-config.ini.j2
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
new file mode 100644
index 00000000..791ec82c
--- /dev/null
+++ b/roles/dns/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+- name: Create dns directory
+ file:
+ path: /var/local/dns
+ state: directory
+ mode: '2775'
+ owner: root
+ group: nounou
+
+- name: Set ACL for dns directory
+ acl:
+ path: /var/local/dns
+ default: true
+ entity: nounou
+ etype: group
+ permissions: rwx
+ state: query
+
+- name: Clone dns repository
+ git:
+ repo: 'http://gitlab.adm.crans.org/nounous/dns.git'
+ dest: /var/local/dns
+ umask: '002'
+
+- name: Deploy re2o config
+ template:
+ src: dns/re2o-config.ini.j2
+ dest: /var/local/dns/re2o-config.ini
+ mode: 0600
+ owner: root
+ group: root
+
+- name: Deploy cron for dns
+ template:
+ src: cron.d/dns.j2
+ dest: /etc/cron.d/dns
diff --git a/roles/dns/templates/cron.d/firewall.j2 b/roles/dns/templates/cron.d/firewall.j2
new file mode 100644
index 00000000..1fe89fad
--- /dev/null
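Review bot: `state: query` on the `acl` task only reads ACLs back, so the default `rwx` ACL for group `nounou` on `/var/local/dns` that the other parameters describe is never applied; `state: present` is what was intended. The two `template` tasks reference `dns/re2o-config.ini.j2` and `cron.d/dns.j2`, but the files this patch creates are `templates/firewall/re2o-config.ini.j2` and `templates/cron.d/firewall.j2`, so the role fails at the first template lookup. The repository is also cloned over plain `http://`, and the cron file added in this commit runs `dns.py` from that checkout as root every two minutes, so anyone who can tamper with the clone in transit or write to the group-writable directory ends up executing code as root; `https://` (or SSH) for the `repo:` and a comment stating that group `nounou` is trusted at root level would make that boundary explicit.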
+++ b/roles/dns/templates/cron.d/firewall.j2
@@ -0,0 +1,2 @@
+{{ ansible_header | comment }}
+*/2 * * * * root /usr/bin/python3 /var/local/dns/dns.py -q
diff --git a/roles/dns/templates/firewall/re2o-config.ini.j2 b/roles/dns/templates/firewall/re2o-config.ini.j2
new file mode 100644
index 00000000..7bf9a4ca
--- /dev/null
+++ b/roles/dns/templates/firewall/re2o-config.ini.j2
@@ -0,0 +1,5 @@
+{{ ansible_header | comment(decoration='; ') }}
+[Re2o]
+hostname = {{ re2o.server }}
+username = {{ re2o.service_user }}
+password = {{ re2o.service_password }}
-- GitLab
From 1f9e65e6fbcab53bf091735b4f915816001b1503 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 11 Aug 2020 08:44:15 +0200
Subject: [PATCH 48/56] [dns] Deploy dns on silice
---
 plays/dns.yml | 9 +++++++++
 roles/dns/tasks/main.yml | 16 ++++++++++++++++
 2 files changed, 25 insertions(+)
diff --git a/plays/dns.yml b/plays/dns.yml
index 7f133c1a..aa9b0a56 100755
--- a/plays/dns.yml
+++ b/plays/dns.yml
@@ -15,3 +15,12 @@
 zones: "{{ lookup('re2oapi', 'dnszones') }}"
 reverse: "{{ lookup('re2oapi', 'dnsreverse') }}"
 roles: ["bind-authoritative"]
+
+- hosts: silice.adm.crans.org
+ vars:
+ re2o:
+ server: re2o.adm.crans.org
+ service_user: "{{ vault_re2o_service_user }}"
+ service_password: "{{ vault_re2o_service_password }}"
+ roles:
+ - dns
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
index 791ec82c..1c1e16d8 100644
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@@ -30,6 +30,22 @@
 owner: root
 group: root
+- name: Create generated directory
+ file:
+ path: /var/cache/bind/generated
+ state: directory
+ mode: 0655
+ owner: bind
+ group: bind
+
+- name: Create symbolic link to generated
+ file:
+ src: /var/cache/bind/generated
+ dest: /var/local/dns/generated
+ owner: root
+ group: root
+ state: link
+
 - name: Deploy cron for dns
 template:
 src: cron.d/dns.j2
-- GitLab
From a5f5a6a52a18e3887dadfeac94686d49d932b9a2 Mon Sep 17 00:00:00 2001
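Review bot: `mode: 0655` on `/var/cache/bind/generated` gives the owner `rw-` without the execute bit, so `bind`, the directory's owner, cannot traverse its own directory while group and others can; `mode: '0755'` is almost certainly what was meant, and quoting the octal also sidesteps Ansible's leading-zero pitfall, as `mode: '2775'` earlier in the same role already does. The `owner`/`group` on the `state: link` task only affect the link itself, which is harmless but worth a comment if it is deliberate.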
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 11 Aug 2020 11:44:58 +0200
Subject: [PATCH 49/56] [vm] Activate serial tty
---
 plays/root.yml | 1 +
 roles/serial-tty/tasks/main.yml | 6 ++++++
 2 files changed, 7 insertions(+)
 create mode 100644 roles/serial-tty/tasks/main.yml
diff --git a/plays/root.yml b/plays/root.yml
index 2e82cc8a..342024a9 100755
--- a/plays/root.yml
+++ b/plays/root.yml
@@ -24,6 +24,7 @@
 - hosts: crans_vm
 roles:
 - qemu-guest-agent
+ - serial-tty
 - hosts: slapd
 vars:
diff --git a/roles/serial-tty/tasks/main.yml b/roles/serial-tty/tasks/main.yml
new file mode 100644
index 00000000..1a7cd278
--- /dev/null
+++ b/roles/serial-tty/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Load and activate getty service for ttyS0
+ systemd:
+ name: getty@ttyS0
+ enabled: true
+ state: started
-- GitLab
From 7c0cdb4e5a045b827f77f4c2b79e58cf294a29ba Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 11 Aug 2020 13:57:17 +0200
Subject: [PATCH 50/56] [firewall] Install python dependencies
---
 roles/firewall/tasks/main.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index 3faaef2d..b5801290 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -1,4 +1,16 @@
 ---
+- name: Install firewall dependencies
+ apt:
+ update_cache: true
+ install_recommends: false
+ name:
+ - python3-iso8601
+ - python3-jinja2
+ - python3-ldap
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
 - name: Create firewall directory
 file:
 path: /var/local/firewall
-- GitLab
From 1837c85b3af5ebd331db819f8ad36eb613d6dc94 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 11 Aug 2020 14:09:41 +0200
Subject: [PATCH 51/56] [root-config] tabs are tabs
---
 roles/root-config/templates/nanorc.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/root-config/templates/nanorc.j2 b/roles/root-config/templates/nanorc.j2
index 9f4dd6c9..af141755 100644
--- a/roles/root-config/templates/nanorc.j2
+++ b/roles/root-config/templates/nanorc.j2
@@ -158,7 +158,7 @@ set suspend
 set tabsize 4
 ## Convert typed tabs to spaces.
-set tabstospaces
+# set tabstospaces
 ## Save automatically on exit, don't prompt.
 # set tempfile
-- GitLab
From 2c427576203636b3747c6588cb5832a36ff97f8a Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 11 Aug 2020 14:22:37 +0200
Subject: [PATCH 52/56] [iproute2] name table 26
---
 plays/firewall.yml | 5 +++++
 roles/iproute2/tasks/main.yml | 8 ++++++++
 roles/iproute2/templates/iproute2/rt_tables.j2 | 13 +++++++++++++
 3 files changed, 26 insertions(+)
 create mode 100644 roles/iproute2/tasks/main.yml
 create mode 100644 roles/iproute2/templates/iproute2/rt_tables.j2
diff --git a/plays/firewall.yml b/plays/firewall.yml
index c015c7cd..7f489e63 100755
--- a/plays/firewall.yml
+++ b/plays/firewall.yml
@@ -1,5 +1,10 @@
 #!/usr/bin/env ansible-playbook
 ---
+# Deploy iproute2 config file
+- hosts: crans_routeurs
+ roles:
+ - iproute2
+
 # Deploy firewall
 - hosts: crans_routeurs
 vars:
diff --git a/roles/iproute2/tasks/main.yml b/roles/iproute2/tasks/main.yml
new file mode 100644
index 00000000..073cfe54
--- /dev/null
+++ b/roles/iproute2/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Deploy table names configuration
+ template:
+ src: iproute2/rt_tables.j2
+ dest: /etc/iproute2/rt_tables
+ mode: 0644
+ owner: root
+ group: root
diff --git a/roles/iproute2/templates/iproute2/rt_tables.j2 b/roles/iproute2/templates/iproute2/rt_tables.j2
new file mode 100644
index 00000000..aea599bc
--- /dev/null
+++ b/roles/iproute2/templates/iproute2/rt_tables.j2
@@ -0,0 +1,13 @@
+{{ ansible_header | comment }}
+#
+# reserved values
+#
+255 local
+254 main
+253 default
+0 unspec
+#
+# local
+#
+#1 inr.ruhep
+26 zayo
-- GitLab
From 297cef0453b0c20b2e932ec75a1b649d5c7aebcf Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 11 Aug 2020 17:00:28 +0200
Subject: [PATCH 53/56] [baie] Playbook pour setup la baie
---
 plays/root.yml | 4 +++
 roles/baie/tasks/main.yml | 25 +++++++++++++++++++
 .../templates/apt/sources.list.d/backports.j2 | 1 +
 3 files changed, 30 insertions(+)
 create mode 100644 roles/baie/tasks/main.yml
 create mode 100644 roles/baie/templates/apt/sources.list.d/backports.j2
diff --git a/plays/root.yml b/plays/root.yml
index 342024a9..cae8d873 100755
--- a/plays/root.yml
+++ b/plays/root.yml
@@ -1,5 +1,9 @@
 #!/usr/bin/env ansible-playbook
 ---
+- hosts: tealc.adm.crans.org
+ roles:
+ - baie
+
 - hosts: virtu
 roles:
 - proxmox-apt-sources
diff --git a/roles/baie/tasks/main.yml b/roles/baie/tasks/main.yml
new file mode 100644
index 00000000..45a7aa84
--- /dev/null
+++ b/roles/baie/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+- name: Configure Debian backports repository
+ template:
+ src: apt/sources.list.d/backports.j2
+ dest: /etc/apt/sources.list.d/backports
+
+- name: Install ZFS
+ apt:
+ update_cache: true
+ default_release: "{{ ansible_lsb.codename }}-backports"
+ name:
+ - zfs-dkms
+ - zfsutils-linux
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Install ifenslave
+ apt:
+ update_cache: true
+ name:
+ - ifenslave
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
diff --git a/roles/baie/templates/apt/sources.list.d/backports.j2 b/roles/baie/templates/apt/sources.list.d/backports.j2
new file mode 100644
index 00000000..6326b3e4
--- /dev/null
+++ b/roles/baie/templates/apt/sources.list.d/backports.j2
@@ -0,0 +1 @@
+deb {{ debian_mirror }} {{ ansible_lsb.codename }}-backports main contrib non-free
-- GitLab
From f962efdcb91c277354fe0d9ec71f8b23151cdc5b Mon Sep 17 00:00:00 2001
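Review bot: `dest: /etc/apt/sources.list.d/backports` has no `.list` extension, and apt silently ignores files in `sources.list.d` that do not end in `.list` or `.sources` (it only logs "Ignoring file ... as it has no filename extension"), so the backports repository is never enabled and the following `Install ZFS` task with `default_release: "{{ ansible_lsb.codename }}-backports"` will fail to find the release. `dest: /etc/apt/sources.list.d/backports.list` fixes it; setting `mode: '0644'` on the template task would also keep the file readable by apt regardless of the controller's umask. The template reads `{{ debian_mirror }}`, whereas `plays/freeradius.yml` in this series hands the mirror over as `mirror: '{{ glob_mirror }}'`; whether `debian_mirror` is defined for tealc is not visible here.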
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 11 Aug 2020 17:14:46 +0200
Subject: [PATCH 54/56] [slapd] host_vars for tealc
---
 host_vars/tealc.adm.crans.org.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/host_vars/tealc.adm.crans.org.yml b/host_vars/tealc.adm.crans.org.yml
index b0641952..8a6ac0ae 100644
--- a/host_vars/tealc.adm.crans.org.yml
+++ b/host_vars/tealc.adm.crans.org.yml
@@ -1,2 +1,6 @@
 loc_postgresql:
 version: 11
+
+loc_slapd:
+ ip: 172.16.10.1
+ replica: false
-- GitLab
From 80f0d3686fed6d8b0c495fbddf0c5edef3c3b61d Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 11 Aug 2020 18:43:39 +0200
Subject: [PATCH 55/56] [quagga] Merge ipv4 and ipv6
---
 plays/firewall.yml | 17 ++++++++++++
 roles/quagga-ipv4/tasks/main.yml | 16 ------------
 .../quagga-ipv4/templates/quagga/bgpd.conf.j2 | 11 --------
 roles/quagga-ipv6/tasks/main.yml | 16 ------------
 .../quagga-ipv6/templates/quagga/bgpd.conf.j2 | 13 ----------
 .../templates/quagga/zebra.conf.j2 | 10 -------
 roles/quagga/tasks/main.yml | 26 +++++++++++++++----
 roles/quagga/templates/quagga/bgpd.conf.j2 | 16 ++++++++++++
 .../templates/quagga/zebra.conf.j2 | 0
 9 files changed, 54 insertions(+), 71 deletions(-)
 delete mode 100644 roles/quagga-ipv4/tasks/main.yml
 delete mode 100644 roles/quagga-ipv4/templates/quagga/bgpd.conf.j2
 delete mode 100644 roles/quagga-ipv6/tasks/main.yml
 delete mode 100644 roles/quagga-ipv6/templates/quagga/bgpd.conf.j2
 delete mode 100644 roles/quagga-ipv6/templates/quagga/zebra.conf.j2
 create mode 100644 roles/quagga/templates/quagga/bgpd.conf.j2
 rename roles/{quagga-ipv4 => quagga}/templates/quagga/zebra.conf.j2 (100%)
diff --git a/plays/firewall.yml b/plays/firewall.yml
index 7f489e63..37f9c396 100755
--- a/plays/firewall.yml
+++ b/plays/firewall.yml
@@ -14,3 +14,20 @@ service_password: "{{ vault_re2o_service_password }}" roles: - firewall + +# Deploy BGP server configuration on IPv4 routers +- hosts: crans_routeurs + vars: + zebra: + password: "{{ vault_zebra_password }}" + bgp: + as: 204515 + router_id_v4: 158.255.113.73 + network_v4: 185.230.76.0/22 + neighbor_v4: 158.255.113.72 + router_id_v6: 138.231.136.200 + network_v6: 2a0c:700::/32 + neighbor_v6: 2001:1b48:2:103::bb:1 + remote_as: 8218 + roles: + - quagga diff --git a/roles/quagga-ipv4/tasks/main.yml b/roles/quagga-ipv4/tasks/main.yml deleted file mode 100644 index 1da2c63b..00000000 --- a/roles/quagga-ipv4/tasks/main.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -- name: Deploy quagga bgpd configuration - template: - src: quagga/bgpd.conf.j2 - dest: /etc/quagga/bgpd.conf - mode: 0640 - owner: quagga - group: quagga - -- name: Deploy quagga zabra configuration - template: - src: quagga/zebra.conf.j2 - dest: /etc/quagga/zebra.conf - mode: 0640 - owner: quagga - group: quagga diff --git a/roles/quagga-ipv4/templates/quagga/bgpd.conf.j2 b/roles/quagga-ipv4/templates/quagga/bgpd.conf.j2 deleted file mode 100644 index d87269e3..00000000 --- a/roles/quagga-ipv4/templates/quagga/bgpd.conf.j2 +++ /dev/null @@ -1,11 +0,0 @@ -{{ ansible_header | comment(decoration='! ') }} - -router bgp {{ bgp.as }} -no synchronization -bgp router-id {{ bgp.router_id }} -network {{ bgp.network }} -neighbor {{ bgp.neighbor }} remote-as {{ bgp.remote_as }} - -! -log file /var/log/quagga/bgpd.log -log stdout diff --git a/roles/quagga-ipv6/tasks/main.yml b/roles/quagga-ipv6/tasks/main.yml deleted file mode 100644 index 1da2c63b..00000000 --- a/roles/quagga-ipv6/tasks/main.yml +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -- name: Deploy quagga bgpd configuration - template: - src: quagga/bgpd.conf.j2 - dest: /etc/quagga/bgpd.conf - mode: 0640 - owner: quagga - group: quagga - -- name: Deploy quagga zabra configuration - template: - src: quagga/zebra.conf.j2 - dest: /etc/quagga/zebra.conf - mode: 0640 - owner: quagga - group: quagga diff --git a/roles/quagga-ipv6/templates/quagga/bgpd.conf.j2 b/roles/quagga-ipv6/templates/quagga/bgpd.conf.j2 deleted file mode 100644 index 5021cade..00000000 --- a/roles/quagga-ipv6/templates/quagga/bgpd.conf.j2 +++ /dev/null @@ -1,13 +0,0 @@ -{{ ansible_header | comment(decoration='! ') }} - -router bgp {{ bgp.as }} -no synchronization -bgp router-id {{ bgp.router_id }} -neighbor {{ bgp.neighbor }} remote-as {{ bgp.remote_as }} -address-family ipv6 -network {{ bgp.network }} -neighbor {{ bgp.neighbor }} activate -exit-address-family -! -log file /var/log/quagga/bgpd.log -log stdout diff --git a/roles/quagga-ipv6/templates/quagga/zebra.conf.j2 b/roles/quagga-ipv6/templates/quagga/zebra.conf.j2 deleted file mode 100644 index 1db5e12d..00000000 --- a/roles/quagga-ipv6/templates/quagga/zebra.conf.j2 +++ /dev/null @@ -1,10 +0,0 @@ -{{ ansible_header | comment(decoration='! ') }} - -hostname zebra -password {{ zebra.password }} -enable password {{ zebra.password }} -log file /var/log/quagga/zebra.log - - -interface lo -line vty diff --git a/roles/quagga/tasks/main.yml b/roles/quagga/tasks/main.yml index 054401f1..42fff5d4 100644 --- a/roles/quagga/tasks/main.yml +++ b/roles/quagga/tasks/main.yml @@ -8,6 +8,14 @@ retries: 3 until: apt_result is succeeded +- name: Create quagga log directory + file: + path: /var/log/quagga + state: directory + mode: 0755 + owner: quagga + group: quagga + - name: Deploy quagga daemons configuration template: src: quagga/daemons.j2 
@@ -24,10 +32,18 @@ owner: quagga
 group: quagga
-- name: Create quagga log directory
- file:
- path: /var/log/quagga
- state: directory
- mode: 0755
+- name: Deploy quagga bgpd configuration
+ template:
+ src: quagga/bgpd.conf.j2
+ dest: /etc/quagga/bgpd.conf
+ mode: 0640
+ owner: quagga
+ group: quagga
+
+- name: Deploy quagga zabra configuration
+ template:
+ src: quagga/zebra.conf.j2
+ dest: /etc/quagga/zebra.conf
+ mode: 0640
 owner: quagga
 group: quagga
diff --git a/roles/quagga/templates/quagga/bgpd.conf.j2 b/roles/quagga/templates/quagga/bgpd.conf.j2
new file mode 100644
index 00000000..cde7878b
--- /dev/null
+++ b/roles/quagga/templates/quagga/bgpd.conf.j2
@@ -0,0 +1,16 @@
+{{ ansible_header | comment(decoration='! ') }}
+!
+router bgp {{ bgp.as }}
+ no synchronization
+ bgp router-id {{ bgp.router_id_v4 }}
+ network {{ bgp.network_v4 }}
+ neighbor {{ bgp.neighbor_v4 }} remote-as {{ bgp.remote_as }}
+!
+router bgp {{ bgp.as }}
+ no synchronization
+ bgp router-id {{ bgp.router_id_v6 }}
+ network {{ bgp.network_v6 }}
+ neighbor {{ bgp.neighbor_v6 }} remote-as {{ bgp.remote_as }}
+!
+log file /var/log/quagga/bgpd.log
+log stdout
diff --git a/roles/quagga-ipv4/templates/quagga/zebra.conf.j2 b/roles/quagga/templates/quagga/zebra.conf.j2
similarity index 100%
rename from roles/quagga-ipv4/templates/quagga/zebra.conf.j2
rename to roles/quagga/templates/quagga/zebra.conf.j2
-- GitLab
From f66236282240294dd4eae7943789d725d2ad5964 Mon Sep 17 00:00:00 2001
From: shirenn <shirenn@crans.org>
Date: Tue, 11 Aug 2020 23:31:38 +0200
Subject: [PATCH 56/56] [keepalived] radius
---
 group_vars/keepalived.yml | 10 +++++++++-
 host_vars/routeur-daniel.adm.crans.org.yml | 4 ++++
 host_vars/routeur-sam.adm.crans.org.yml | 4 ++++
 3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/group_vars/keepalived.yml b/group_vars/keepalived.yml
index 11fe3e00..09db9c26 100644
--- a/group_vars/keepalived.yml
+++ b/group_vars/keepalived.yml
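Review bot: Neither of the two new template tasks notifies a handler, so a re-run of the role with a changed `bgpd.conf` or `zebra.conf` rewrites the file but leaves the running daemons on their old configuration; if the role has a restart handler (none is visible in this diff) add `notify: Restart quagga` to both tasks, otherwise one needs to be created. The `0640` quagga:quagga mode is right for `zebra.conf`, which carries the vty `password` and `enable password` shown in the deleted ipv6 template, so keep that. The task name `Deploy quagga zabra configuration` carries the `zabra` typo over from the deleted roles; rename it `Deploy quagga zebra configuration`.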
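Review bot: The second `router bgp {{ bgp.as }}` stanza does not create an IPv6 instance; as far as I know bgpd re-enters the existing instance for the same AS, so `bgp router-id {{ bgp.router_id_v6 }}` overwrites the v4 router-id and the v6 prefix and neighbor land in the IPv4-unicast family, whereas the deleted quagga-ipv6 template activated the peer under `address-family ipv6`. Merge both peers into one stanza with a single router-id and put the v6 network and `neighbor … activate` under `address-family ipv6`, which also makes `router_id_v6` in the playbook unnecessary. Separately, no `neighbor … password` and no prefix-list or route-map is applied to either session, so whatever the upstream at AS `{{ bgp.remote_as }}` sends is accepted and whatever reaches the table is announced; an outbound filter restricted to `{{ bgp.network_v4 }}` and `{{ bgp.network_v6 }}` is cheap to add, while a session password needs coordination with the peer, so I only flag it.
```jinja
router bgp {{ bgp.as }}
 no synchronization
 bgp router-id {{ bgp.router_id_v4 }}
 network {{ bgp.network_v4 }}
 neighbor {{ bgp.neighbor_v4 }} remote-as {{ bgp.remote_as }}
 neighbor {{ bgp.neighbor_v6 }} remote-as {{ bgp.remote_as }}
 address-family ipv6
  network {{ bgp.network_v6 }}
  neighbor {{ bgp.neighbor_v6 }} activate
 exit-address-family
!
! … unchanged: log file / log stdout …
```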
@@ -13,4 +13,12 @@ glob_keepalived:
 zones:
 - vlan: adh-nat
 ipv4: 100.64.0.99/16
- brd: 100.64.255.255
+ brd: true
+ radius:
+ password: 'plopisverysecure'
+ id: 61
+ ipv6: no
+ zones:
+ - vlan: infra
+ ipv4: 172.16.32.99/22
+ brd: true
diff --git a/host_vars/routeur-daniel.adm.crans.org.yml b/host_vars/routeur-daniel.adm.crans.org.yml
index c3b93c47..555ebd7d 100644
--- a/host_vars/routeur-daniel.adm.crans.org.yml
+++ b/host_vars/routeur-daniel.adm.crans.org.yml
@@ -14,3 +14,7 @@ loc_keepalived:
 tag: VI_DHCP
 state: BACKUP
 priority: 100
+ - name: radius
+ tag: VI_RAD
+ state: BACKUP
+ priority: 100
diff --git a/host_vars/routeur-sam.adm.crans.org.yml b/host_vars/routeur-sam.adm.crans.org.yml
index 08f96f3e..bf3d8f77 100644
--- a/host_vars/routeur-sam.adm.crans.org.yml
+++ b/host_vars/routeur-sam.adm.crans.org.yml
@@ -14,6 +14,10 @@ loc_keepalived:
 tag: VI_DHCP
 state: MASTER
 priority: 150
+ - name: radius
+ tag: VI_RAD
+ state: MASTER
+ priority: 150
 loc_re2o:
 owner: freerad
-- GitLab
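Review bot: `password: 'plopisverysecure'` commits a VRRP authentication secret in cleartext to a group_vars file, while the other secrets in this series (`vault_zebra_password`, `vault_re2o_service_password`) come from Ansible Vault; replace it with `password: "{{ vault_keepalived_radius_password }}"` and move the value into the vault file, treating the current value as exposed. If the role renders this as keepalived `auth_type PASS`, the password also crosses the `infra` VLAN in clear, so it guards against accidental VRID collisions rather than against a host on that segment claiming the VIP; worth a comment next to the key. `ipv6: no` is a YAML 1.1 boolean spelling; write `ipv6: false` to match the `brd: true` in the same block.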
