Lot of stuff

Signed-off-by: Emmy D'Anello <ynerant@crans.org>
2023-01-12 12:36:32 +01:00 · 2023-01-12 12:36:32 +01:00 · 7f4f846408
parent de76ae0085
commit 7f4f846408
27 changed files with 103 additions and 47 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
+__pycache__
 debug.yml
--- a/group_vars/all/home.yml
+++ b/group_vars/all/home.yml
@ -1,4 +1,4 @@
 ---
 glob_home:
  ip: 172.16.42.1
-  mountpoint: /rpool/home
+  mountpoint: /vm/home
--- a/group_vars/all/network_interfaces.yml
+++ b/group_vars/all/network_interfaces.yml
@ -1,10 +1,10 @@
 glob_network_interfaces:
  vlan:
-    - name: srv
-      id: 1
-      gateway: "185.230.76.62"
-      dns: "{{ query('ldap', 'ip', 'routeur-templier', 'srv') | ipv4 | first }}"
-      gateway_v6: "2a0c:700:3012::ff:fe02:112"
+    - name: adh
+      id: 12
+      gateway: "185.230.78.99"
+      dns: "{{ query('ldap', 'ip', 'routeur-templier', 'adh') | ipv4 | first }}"
+      gateway_v6: "2a0c:700:12::ff:fe00:9912"
    - name: adm
      id: 42
      dns: "{{ query('ldap', 'ip', 'routeur-templier', 'adm') | ipv4 | first }}"
--- a/group_vars/debian.yml
+++ b/group_vars/debian.yml
@ -3,8 +3,7 @@ glob_apt:
  mirror: "http://mirror.adm.ynerant.fr/"
  backports: false
  extra_repositories: []
-  pin:
-    bullseye: []
+  pin: {}

 glob_root:
  passwd_hash: '{{ vault.root_passwd_hash }}'
--- a/host_vars/an.adm.ynerant.fr.yml
+++ b/host_vars/an.adm.ynerant.fr.yml
@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19
--- a/host_vars/borg.adm.ynerant.fr.yml
+++ b/host_vars/borg.adm.ynerant.fr.yml
@ -0,0 +1,3 @@
+---
+interfaces:
+  adm: ens18
--- a/host_vars/cemantix.adm.ynerant.fr.yml
+++ b/host_vars/cemantix.adm.ynerant.fr.yml
@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19
--- a/host_vars/dendrite.adm.ynerant.fr.yml
+++ b/host_vars/dendrite.adm.ynerant.fr.yml
@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19
--- a/host_vars/dgac.adm.ynerant.fr.yml
+++ b/host_vars/dgac.adm.ynerant.fr.yml
@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19
--- a/host_vars/excalidraw.adm.ynerant.fr.yml
+++ b/host_vars/excalidraw.adm.ynerant.fr.yml
@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19
--- a/host_vars/fosscord.adm.ynerant.fr.yml
+++ b/host_vars/fosscord.adm.ynerant.fr.yml
@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19
--- a/host_vars/mastodon.adm.ynerant.fr.yml
+++ b/host_vars/mastodon.adm.ynerant.fr.yml
@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19
--- a/host_vars/minecraft.adm.ynerant.fr.yml
+++ b/host_vars/minecraft.adm.ynerant.fr.yml
@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19
--- a/host_vars/nupes.adm.ynerant.fr.yml
+++ b/host_vars/nupes.adm.ynerant.fr.yml
@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  adh: ens19
--- a/host_vars/pad.adm.ynerant.fr.yml
+++ b/host_vars/pad.adm.ynerant.fr.yml
@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19
--- a/host_vars/peertube.adm.ynerant.fr.yml
+++ b/host_vars/peertube.adm.ynerant.fr.yml
@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19
--- a/host_vars/routeur-templier.adm.ynerant.fr.yml
+++ b/host_vars/routeur-templier.adm.ynerant.fr.yml
@ -1,5 +1,5 @@
 ---
 interfaces:
  adm: ens18
-  srv: ens19
+  adh: ens19
  srv_nat: ens20
--- a/host_vars/templier.adh.crans.org.yml
+++ b/host_vars/templier.adh.crans.org.yml
@ -2,3 +2,11 @@
 user:
  name: ynerant
  root: yes
+
+loc_certbot:
+  - dns_rfc2136_server: '172.16.42.103'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
+    mail: ynerant@crans.org
+    certname: adm.ynerant.fr
+    domains: "*.adm.ynerant.fr"
--- a/host_vars/testing.adm.ynerant.fr.yml
+++ b/host_vars/testing.adm.ynerant.fr.yml
@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19
--- a/host_vars/wireguard.adm.ynerant.fr.yml
+++ b/host_vars/wireguard.adm.ynerant.fr.yml
@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19
--- a/host_vars/zemour.adm.ynerant.fr.yml
+++ b/host_vars/zemour.adm.ynerant.fr.yml
@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  adh: ens19
--- a/35
+++ b/35
@ -1,20 +1,13 @@
 [archlinux:children]
 perso

-[babel]
-babel0.adm.ynerant.fr
-babel1.adm.ynerant.fr
-babel2.adm.ynerant.fr
-babel3.adm.ynerant.fr
-babel4.adm.ynerant.fr
-babel5.adm.ynerant.fr
-babel6.adm.ynerant.fr
-
 [blackbox]
 monitoring.adm.ynerant.fr

 [certbot]
+nupes.adm.ynerant.fr
 proxy.adm.ynerant.fr
+templier.adm.ynerant.fr

 [debian:children]
 server
@ -22,6 +15,9 @@ server
 [grafana]
 monitoring.adm.ynerant.fr

+[nginx]
+nupes.adm.ynerant.fr
+
 [nginx:children]
 reverseproxy

@ -57,22 +53,25 @@ templier.adm.ynerant.fr
 templier.adm.ynerant.fr

 [vm]
-# candilib.adm.ynerant.fr
+an.adm.ynerant.fr
+borg.adm.ynerant.fr
+dendrite.adm.ynerant.fr
 docker.adm.ynerant.fr
 dns.adm.ynerant.fr
+excalidraw.adm.ynerant.fr
+fosscord.adm.ynerant.fr
 gitea.adm.ynerant.fr
 mailu.adm.ynerant.fr
+mastodon.adm.ynerant.fr
+minecraft.adm.ynerant.fr
 monitoring.adm.ynerant.fr
 nextcloud.adm.ynerant.fr
+nupes.adm.ynerant.fr
+pad.adm.ynerant.fr
+peertube.adm.ynerant.fr
 psql.adm.ynerant.fr
 proxy.adm.ynerant.fr
-re6st.adm.ynerant.fr
 routeur-templier.adm.ynerant.fr
 synapse.adm.ynerant.fr
-
-[vm:children]
-babel
-
-[all:vars]
-# Force remote to use Python 3
-ansible_python_interpreter=/usr/bin/env python3
+testing.adm.ynerant.fr
+wireguard.adm.ynerant.fr
--- a/lookup_plugins/ldap.py
+++ b/lookup_plugins/ldap.py
@ -51,7 +51,7 @@ class LookupModule(LookupBase):
            network_query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, f"description={vlan}")
            network_result = self.base.result(network_query_id)
            vlan = network_result[1][0][1]['cn'][0].decode('utf-8')
-        if vlan == 'srv':
+        if vlan == 'adh':
            query_id = self.base.search(f"cn={host}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
        else:
            query_id = self.base.search(f"cn={host}.{vlan}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
@ -82,7 +82,7 @@ class LookupModule(LookupBase):
            network_query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, f"description={vlan}")
            network_result = self.base.result(network_query_id)
            vlan = network_result[1][0][1]['cn'][0].decode('utf-8')
-        if vlan == 'srv':
+        if vlan == 'adh':
            query_id = self.base.search(f"cn={host}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
        else:
            query_id = self.base.search(f"cn={host}.{vlan}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
@ -168,7 +168,7 @@ class LookupModule(LookupBase):
                network_query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, f"description={vlan}")
                network_result = self.base.result(network_query_id)
                vlan = network_result[1][0][1]['cn'][0].decode('utf-8')
-            if vlan == 'srv':
+            if vlan == 'adh':
                query_id = self.base.search(f"cn={host}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
            else:
                query_id = self.base.search(f"cn={host}.{vlan}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
@ -187,7 +187,7 @@ class LookupModule(LookupBase):
            res = []
            for _, network in result[1]:
                network = network['cn'][0].decode('utf-8')
-                if network == 'srv':
+                if network == 'adh':
                    res.append('ynerant.fr')
                else:
                    res.append(f"{network}.ynerant.fr")
--- a/plays/base.yml
+++ b/plays/base.yml
@ -8,6 +8,7 @@
 - import_playbook: ldap-client.yml
 - import_playbook: home.yml
 - import_playbook: nullmailer.yml
+- import_playbook: monitoring.yml

 - hosts: debian
  roles:
--- a/roles/cli-utils/tasks/main.yml
+++ b/roles/cli-utils/tasks/main.yml
@ -9,6 +9,8 @@
      - "{% if ansible_os_family == 'Debian' %}dnsutils{% else %}bind-tools{% endif %}"
      - git
      - man
+      - molly-guard
+      - needrestart
      - "mtr{% if ansible_os_family == 'Debian' %}-tiny{% endif %}"
      - sl
      - htop
@ -17,6 +19,7 @@
      - tmux
      - traceroute
      - tree
+      - unattended-upgrades
      - vim
  register: pkg_result
  retries: 3
--- a/roles/ntp-client/tasks/main.yml
+++ b/roles/ntp-client/tasks/main.yml
@ -9,7 +9,7 @@
  until: apt_result is succeeded
  when: "'ntp_server' not in group_names"

- name: Install systemd-timesyncd (bullseye)
+- name: Install systemd-timesyncd
  apt:
    name: systemd-timesyncd
    update_cache: true
@ -19,7 +19,6 @@
  until: apt_result is succeeded
  when:
    - "'ntp_server' not in group_names"
-    - ansible_distribution_release == "bullseye"

 - name: Configure NTP
  template:
--- a/roles/prometheus-node-exporter/tasks/main.yml
+++ b/roles/prometheus-node-exporter/tasks/main.yml
@ -8,7 +8,7 @@
  retries: 3
  until: apt_result is succeeded

- name: Install Prometheus node-exporter-collectors (bullseye)
+- name: Install Prometheus node-exporter-collectors
  apt:
    update_cache: true
    name: prometheus-node-exporter-collectors
@ -16,8 +16,6 @@
  register: apt_result
  retries: 3
  until: apt_result is succeeded
-  when:
-    - ansible_lsb.codename == 'bullseye'

 - name: Make Prometheus node-exporter listen on adm only
  lineinfile:
@ -32,14 +30,3 @@
    name: prometheus-node-exporter
    enabled: true
    state: started
-
-# Install new APT textfile collector, it might be upstreamed one day
-# https://github.com/prometheus-community/node-exporter-textfile-collector-scripts/pull/35
- name: Patch APT textfile collector
-  copy:
-    src: apt.sh
-    dest: /usr/share/prometheus-node-exporter/apt.sh
-    owner: root
-    group: root
-    mode: 0755
-  when: ansible_distribution_release != "bullseye"