Unattend-upgrades upgrade also debian-updates and debian-backports

Signed-off-by: Emmy D'Anello <ynerant@emy.lu>

.gitignore

@@ -0,0 +1,2 @@
+__pycache__
+debug.yml

ansible.cfg

@@ -1,10 +1,16 @@
 [defaults]
+# Explicitely redefined some defaults to make play execution work
+roles_path = ./roles
+lookup_plugins = ./lookup_plugins
+vars_plugins = ./vars_plugins
+
 inventory = ./hosts
 timeout = 60
-# ask_vault_pass = True
 
 [privilege_escalation]
-# become_ask_pass = True
+become = True
+# Use a separate module to read passwords from pass
+become_ask_pass = False
 
 [ssh_connection]
 pipelining = True

base.yml

@@ -1,32 +0,0 @@
-#!/usr/bin/env ansible-playbook
----
-
-- hosts: all
-  roles:
-    - cli-utils
-    - vim
-    - ssh
-
-- hosts: templier.adh.crans.org
-  roles:
-    - bind
-    - docker
-  become: yes
-
-- hosts: perso
-  roles:
-    - sudo
-    - systemd
-    - ntp
-    - texlive
-    - xorg
-    - i3
-    - terminal
-    - notification
-    - mime
-    - audio
-    - multimedia
-    - pass
-    - communication
-    - navigateur
-  # - scripts

group_vars/all.yml

@@ -1,22 +0,0 @@
----
-
-pass:
-  upstream: 'ssh://git@git.ynerant.fr:2222/ynerant/pass'
-  dest: '.password-store/'
-
-cliutils:
-  bash:
-    bogus_dirs: []
-  git:
-    email: ynerant@crans.org
-    name: ynerant
-    signingkey: 3A75C55819C8CF85
-
-bind:
-  domains:
-    - name: ynerant.fr
-      administrator: ynerant.crans.org
-      ipv4: 185.230.78.178
-      ipv6: 2a0c:700:12:0:f21f:afff:fee5:34ca
-      slave: 51.15.199.212
-      aliases: []

group_vars/all/all.yml

@@ -0,0 +1,45 @@
+---
+# Custom header
+dirty: "{% if template_fullpath is defined %}{{ lookup('pipe', 'git diff --quiet -- ' + template_fullpath | quote + ' || echo dirty') }}{% else %}{{ lookup('pipe', 'git diff --quiet || echo dirty') }}{% endif %}"
+ansible_header: |
+    +++++++++++++++++++++++++++++++++++++++++++++++++++
+
+       Ansible managed, don't modify the file locally.
+       See https://git.ynerant.fr/ynerant/templier-ansible.
+       {% if template_fullpath is defined %}{% set _, rpath = template_fullpath.split('roles/', 1) %}Commit: {% if dirty %}({{dirty}}) {% endif %}{{ lookup('pipe', 'git log -n 1 --pretty=format:%H -- ' + template_fullpath | quote) }}
+       {% if dirty %}Run by: {{ ansible_env.SUDO_USER }}
+       {% else %}Author: {{ lookup('pipe', 'git log -n 1 --pretty=format:%an -- ' + template_fullpath | quote) }}
+       {% endif %}Template: roles/{{ rpath }}
+       {% else %}
+       Run by: {{ ansible_env.SUDO_USER }}
+       Latest commit: {% if dirty %}({{dirty}}) {% endif %}{{ lookup('pipe', 'git rev-parse HEAD') }}
+       {% endif %}
+
+    +++++++++++++++++++++++++++++++++++++++++++++++++++
+
+glob_ldap:
+  servers:
+    - 172.16.42.1
+  base: 'dc=ynerant,dc=fr'
+
+
+bind:
+  domains:
+    - name: ynerant.fr
+      administrator: ynerant.crans.org
+      ipv4: 185.230.78.178
+      ipv6: 2a0c:700:12:0:f21f:afff:fee5:34ca
+      slave: ""  # 51.15.199.212
+      aliases:
+        - cloud
+        - element
+        - git
+        - hydrogen
+        - mailu
+        - notls
+        - synapse
+        - thelounge
+        - traefik
+        - translate
+        - whoami
+        - www

group_vars/all/home.yml

@@ -0,0 +1,4 @@
+---
+glob_home:
+  ip: 172.16.42.1
+  mountpoint: /vm/home

group_vars/all/network_interfaces.yml

@@ -0,0 +1,20 @@
+glob_network_interfaces:
+  vlan:
+    - name: adh
+      id: 12
+      gateway: "185.230.78.99"
+      dns: "{{ query('ldap', 'ip', 'routeur-templier', 'adh') | ipv4 | first }}"
+      gateway_v6: "2a0c:700:12::ff:fe00:9912"
+    - name: adm
+      id: 42
+      dns: "{{ query('ldap', 'ip', 'routeur-templier', 'adm') | ipv4 | first }}"
+    - name: srv_nat
+      id: 43
+      gateway: "{{ query('ldap', 'ip', 'routeur-templier', 'srv-nat') | ipv4 | first }}"
+      dns: "{{ query('ldap', 'ip', 'routeur-templier', 'srv-nat') | ipv4 | first }}"
+      gateway_v6: "{{ query('ldap', 'ip', 'routeur-templier', 'srv-nat') | ipv6 | first }}"
+
+
+# Deploy only adm by default
+interfaces:
+  adm: eth0

group_vars/all/ntp.yml

@@ -0,0 +1,3 @@
+glob_ntp_client:
+  servers:
+    - ntp.adm.ynerant.fr

group_vars/all/nullmailer.yml

@@ -0,0 +1,6 @@
+---
+glob_nullmailer:
+  root: root@ynerant.fr
+  smtp_server: smtp.adm.ynerant.fr
+  defaulthost: ynerant.fr
+  allmailfrom: root@ynerant.fr

group_vars/all/prometheus_node_exporter.yaml

@@ -0,0 +1,3 @@
+---
+glob_prometheus_node_exporter:
+  listen_addr: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ipv4 | first }}"

group_vars/certbot.yml

@@ -0,0 +1,8 @@
+---
+glob_certbot:
+  - dns_rfc2136_server: '172.16.42.103'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
+    mail: ynerant@crans.org
+    certname: ynerant.fr
+    domains: "*.ynerant.fr"

group_vars/debian.yml

@@ -0,0 +1,10 @@
+---
+glob_apt:
+  mirror: "http://mirror.adm.ynerant.fr/"
+  backports: false
+  monitoring_mail: "ynerant+apt@emy.lu"
+  extra_repositories: []
+  pin: {}
+
+glob_root:
+  passwd_hash: '{{ vault.root_passwd_hash }}'

group_vars/grafana.yml

@@ -0,0 +1,7 @@
+---
+glob_grafana:
+  root_url: https://grafana.ynerant.fr
+  icon: crans_icon_white.svg
+  ldap_base: "{{ glob_ldap.base }}"
+  ldap_master_ipv4: "{{ glob_ldap.servers[0] }}"
+  ldap_user_tree: "ou=passwd,{{ glob_ldap.base }}"

group_vars/laptop.yml

@@ -1,4 +0,0 @@
----
-user:
-  name: ynerant
-  root: yes

group_vars/nginx.yml

@@ -0,0 +1,35 @@
+---
+glob_nginx:
+  contact: ynerant@crans.org
+  who: "Ÿnérant"
+  service_name: service
+  ssl:
+    # Add adm.ynerant.fr if necessary
+    - name: ynerant.fr
+      cert: /etc/letsencrypt/live/ynerant.fr/fullchain.pem
+      cert_key: /etc/letsencrypt/live/ynerant.fr/privkey.pem
+      trusted_cert: /etc/letsencrypt/live/ynerant.fr/chain.pem
+  servers:
+    - ssl: false  # Replace by crans.org or adm.crans.org
+      default: true
+      server_name:
+        - "default"
+        - "_"
+      root: "/var/www/html"
+      locations:
+        - filter: "/"
+          params: []
+      additional_params: []
+  upstreams: []
+
+  auth_passwd: []
+  default_server:
+  default_ssl_server:
+  default_ssl_domain: ynerant.fr
+  real_ip_from:
+    - "172.16.0.0/16"
+    - "fd00:0:0:42::/64"
+  deploy_robots_file: false
+
+glob_prometheus_nginx_exporter:
+  listen_addr: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ipv4 | first }}"

group_vars/prometheus.yml

@@ -0,0 +1,9 @@
+---
+glob_prometheus: {}
+
+glob_ninjabot:
+  config:
+    nick: templier
+    server: irc.crans.org
+    port: 6667
+    channel: "#/dev/null"

group_vars/reverseproxy.yml

@@ -0,0 +1,46 @@
+loc_certbot:
+  - dns_rfc2136_server: '172.16.42.103'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
+    mail: ynerant@crans.org
+    certname: ynerant.fr
+    domains: "ynerant.fr, *.ynerant.fr, ens.kitchen, *.ens.kitchen, ananas.paris, *.ananas.paris, saperlistpopette.fr, *.saperlistpopette.fr"
+
+loc_nginx:
+  servers: []
+  ssl:
+    - name: ynerant.fr
+      cert: /etc/letsencrypt/live/ynerant.fr/fullchain.pem
+      cert_key: /etc/letsencrypt/live/ynerant.fr/privkey.pem
+      trusted_cert: /etc/letsencrypt/live/ynerant.fr/chain.pem
+
+
+glob_reverseproxy:
+  redirect_dnames: []
+
+  reverseproxy_sites:
+    - {from: mailu.ynerant.fr, to: 172.16.42.104}
+  # - {from: mirror.adm.ynerant.fr, to: "https://ftps.crans.org"}
+
+    - {from: element.ynerant.fr, to: "172.16.42.199:8002"}
+    - {from: hydrogen.ynerant.fr, to: "172.16.42.199:8003"}
+    - {from: git.ynerant.fr, to: "172.16.42.199:8007"}
+    - {from: cloud.ynerant.fr, to: "172.16.42.199:8007"}
+      # - {from: notls.adh.crans.org, to: "172.16.42.199:8011"}
+    - {from: thelounge.ynerant.fr, to: "172.16.42.199:8012"}
+    - {from: bibliogram.ynerant.fr, to: "172.16.42.199:8014"}
+    - {from: reddit.ynerant.fr, to: "172.16.42.199:8015"}
+    - {from: teddit.ynerant.fr, to: "172.16.42.199:8015"}
+    - {from: whoami.ynerant.fr, to: "172.16.42.199:8016"}
+
+    - {from: saperlistpopette.fr, to: "172.16.42.199:8010"}
+    - {from: kfet.saperlistpopette.fr, to: "172.16.42.199:8010"}
+
+    - {from: ens.kitchen, to: "https://perso.crans.org/club-kitchens/"}
+
+  redirect_sites: []
+  # - {from: machin.ynerant.fr, to: truc.ynerant.fr}
+
+  static_sites:
+    - ynerant.fr
+    - thelounge.ynerant.fr

group_vars/slapd.yml

@@ -0,0 +1,10 @@
+---
+glob_slapd:
+  master_ip: "172.16.42.1"
+  ip: "172.16.42.1"
+  replica: false
+  # master_ip: "{{ query('ldap', 'ip', 'templier', 'adm') | ipv6 | first }}"
+  regex: "^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*)$"
+  replication_credentials: "{{ vault.ldap_replication_credentials }}"
+  private_key: "{{ vault.ldap_private_key }}"
+  certificate: "{{ vault.ldap_certificate }}"

group_vars/virtu.yml

@@ -0,0 +1,8 @@
+---
+service_apt:
+  extra_repositories:
+    - name: pve-entreprise
+      repositories:
+        - url: "{{ glob_apt.mirror }}proxmox/debian/pve"
+          version: "{{ ansible_distribution_release }}"
+          tags: "pve-no-subscription"

host_vars/belenios.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/borg.adm.ynerant.fr.yml

@@ -0,0 +1,3 @@
+---
+interfaces:
+  adm: ens18

host_vars/dendrite.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/dns.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: eth0
+  srv_nat: eth1

host_vars/docker.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: eth0
+  srv_nat: eth1

host_vars/dt.adh.crans.org.yml

@@ -1,4 +0,0 @@
----
-user:
-  name: ynerant
-  root: yes

host_vars/fosscord.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/galene.adm.ynerant.fr.yml

@@ -0,0 +1,7 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19
+
+loc_apt:
+  backports: true

host_vars/gitea.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: eth0
+  srv_nat: eth1

host_vars/localhost

@@ -1 +0,0 @@
-ynerant-thinkpad.wifi.sand.auro.re.yml

host_vars/mailu.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: eth0
+  srv_nat: eth1

host_vars/mastodon.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/minecraft.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/monitoring.adm.ynerant.fr.yml

@@ -0,0 +1,70 @@
+---
+interfaces:
+  adm: eth0
+  srv_nat: eth1
+
+loc_prometheus:
+  node:
+    file: targets_node.json
+    targets: "{{ groups['server'] | select('match', '^.*\\.adm\\.ynerant\\.fr$')  | list | sort }}"
+    config:
+      - job_name: servers
+        file_sd_configs:
+          - files:
+            - '/etc/prometheus/targets_node.json'
+        relabel_configs:
+          - source_labels: [__address__]
+            target_label: __param_target
+          - source_labels: [__param_target]
+            target_label: instance
+          - source_labels: [__param_target]
+            target_label: __address__
+            replacement: '$1:9100'
+
+  nginx:
+    file: targets_nginx.json
+    targets:
+      - proxy.adm.ynerant.fr
+    config:
+      - job_name: nginx
+        file_sd_configs:
+          - files:
+            - '/etc/prometheus/targets_nginx.json'
+        relabel_configs:
+          - source_labels: [__address__]
+            target_label: instance
+          - source_labels: [instance]
+            target_label: __address__
+            replacement: '$1:9117'
+
+  blackbox:
+    file: targets_blackbox.json
+    targets:
+      - https://ynerant.fr/
+      - https://bibliogram.ynerant.fr/
+      - https://element.ynerant.fr/
+      - https://gitea.ynerant.fr/
+      - https://grafana.ynerant.fr/
+      - https://hydrogen.ynerant.fr/
+      - https://nextcloud.ynerant.fr/
+      - https://mailu.ynerant.fr/
+      - http://notls.ynerant.fr/
+      - https://reddit.ynerant.fr/
+      - https://thelounge.ynerant.fr/
+      - https://translate.ynerant.fr/
+      - https://kfet.saperlistpopette.fr/
+    config:
+      - job_name: blackbox
+        file_sd_configs:
+          - files:
+            - '/etc/prometheus/targets_blackbox.json'
+        metrics_path: /probe
+        params:
+          module: [http_2xx]  # Look for a HTTP 200 response.
+        relabel_configs:
+          - source_labels: [__address__]
+            target_label: __param_target
+          - source_labels: [__param_target]
+            target_label: instance
+          - target_label: __address__
+            replacement: 127.0.0.1:9115

host_vars/nextcloud.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: eth0
+  srv_nat: eth1

host_vars/nupes.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/pad.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/peertube.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/proxy.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: eth0
+  srv_nat: eth1

host_vars/psql.adm.ynerant.fr.yml

@@ -0,0 +1,3 @@
+---
+interfaces:
+  adm: eth0

host_vars/routeur-templier.adm.ynerant.fr.yml

@@ -0,0 +1,5 @@
+---
+interfaces:
+  adm: ens18
+  adh: ens19
+  srv_nat: ens20

host_vars/tealc.crans.org.yml

@@ -1,4 +0,0 @@
----
-user:
-  name: ynerant
-  root: no

host_vars/templier.adh.crans.org.yml

@@ -1,4 +0,0 @@
----
-user:
-  name: ynerant
-  root: yes

host_vars/templier.adm.ynerant.fr.yml

@@ -0,0 +1,8 @@
+---
+loc_certbot:
+  - dns_rfc2136_server: '172.16.42.103'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
+    mail: ynerant@crans.org
+    certname: adm.ynerant.fr
+    domains: "*.adm.ynerant.fr"

host_vars/tgvmax.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/wireguard.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/ynerant-pc.fil.sand.auro.re.yml

@@ -1,9 +0,0 @@
----
-user:
-  name: ynerant
-  root: yes
-
-laptop:
-  numpad: true
-  resolution: 1440p
-  gpu: true

host_vars/ynerant-thinkpad.wifi.sand.auro.re.yml

@@ -1,9 +0,0 @@
----
-user:
-  name: ynerant
-  root: yes
-
-laptop:
-  numpad: false
-  resolution: 1080p
-  gpu: false

host_vars/zamok.crans.org.yml

@@ -1,4 +0,0 @@
----
-user:
-  name: ynerant
-  root: no

hosts

@@ -1,17 +1,67 @@
-[server]
+[blackbox]
-templier.adh.crans.org
+monitoring.adm.ynerant.fr
-dt.adh.crans.org
 
-[perso]
+[certbot]
-ynerant-pc.fil.sand.auro.re
+proxy.adm.ynerant.fr
-ynerant-thinkpad.wifi.sand.auro.re
+templier.adm.ynerant.fr
-localhost
 
-[crans]
+[debian:children]
-odlyd.crans.org
+server
-tealc.crans.org
-zamok.crans.org
 
-[all:vars]
+[grafana]
-# Force remote to use Python 3
+monitoring.adm.ynerant.fr
-ansible_python_interpreter=/usr/bin/env python3
+
+[nginx]
+nupes.adm.ynerant.fr
+tgvmax.adm.ynerant.fr
+
+[nginx:children]
+reverseproxy
+
+[ntp_server]
+routeur-templier.adm.ynerant.fr
+
+[postfix]
+mailu.adm.ynerant.fr
+
+[prometheus]
+monitoring.adm.ynerant.fr
+
+[reverseproxy]
+proxy.adm.ynerant.fr
+
+[routeur]
+routeur-templier.adm.ynerant.fr
+
+[server:children]
+virtu
+vm
+
+[slapd]
+templier.adm.ynerant.fr
+
+[virtu]
+templier.adm.ynerant.fr
+
+[vm]
+belenios.adm.ynerant.fr
+borg.adm.ynerant.fr
+dendrite.adm.ynerant.fr
+docker.adm.ynerant.fr
+dns.adm.ynerant.fr
+fosscord.adm.ynerant.fr
+galene.adm.ynerant.fr
+gitea.adm.ynerant.fr
+mailu.adm.ynerant.fr
+mastodon.adm.ynerant.fr
+#minecraft.adm.ynerant.fr
+monitoring.adm.ynerant.fr
+nextcloud.adm.ynerant.fr
+nupes.adm.ynerant.fr
+pad.adm.ynerant.fr
+peertube.adm.ynerant.fr
+psql.adm.ynerant.fr
+proxy.adm.ynerant.fr
+routeur-templier.adm.ynerant.fr
+tgvmax.adm.ynerant.fr
+wireguard.adm.ynerant.fr

lookup_plugins/ldap.py

@@ -0,0 +1,206 @@
+"""
+To use this lookup plugin, you need to pass ldap:
+ssh -L 1636:172.16.10.1:636 172.16.10.1
+"""
+
+import ipaddress
+
+from ansible.errors import AnsibleError, AnsibleParserError
+from ansible.plugins.lookup import LookupBase
+from ansible.utils.display import Display
+
+try:
+    import ldap
+except ImportError:
+    raise AnsibleError("You need to install python3-ldap")
+
+display = Display()
+
+def decode_object(object):
+    return {attribute: [value.decode('utf-8') for value in object[attribute]] for attribute in object}
+
+class LookupModule(LookupBase):
+
+    def __init__(self, **kwargs):
+        self.base = ldap.initialize('ldaps://localhost:1636/')
+        self.base.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
+        self.base.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+        self.base_dn = 'dc=ynerant,dc=fr'
+
+    def query(self, base, scope, filter='(objectClass=*)', attr=None):
+        """
+        Make a LDAP query
+        query('ldap', 'query', BASE, SCOPE[, FILTER[, ATTR]])
+           BASE: base dn
+           SCOPE: 'base', 'one' or 'sub'
+           FILTER: ldap filter (optional)
+           ATTR: list of attributes (optional)
+        """
+        scope = { 'base': ldap.SCOPE_BASE, 'one': ldap.SCOPE_ONELEVEL, 'sub': ldap.SCOPE_SUBTREE }[scope]
+        query_id = self.base.search(f"{base}", scope, filter, attr)
+        result = self.base.result(query_id)[1]
+        result = { dn: decode_object(entry) for dn, entry in result }
+        return result
+
+    def ip(self, host, vlan):
+        """
+        Retrieve IP addresses of an interface of a device
+        query('ldap', 'ip', HOST, VLAN)
+        """
+        if isinstance(vlan, int):
+            network_query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, f"description={vlan}")
+            network_result = self.base.result(network_query_id)
+            vlan = network_result[1][0][1]['cn'][0].decode('utf-8')
+        if vlan == 'adh':
+            query_id = self.base.search(f"cn={host}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
+        else:
+            query_id = self.base.search(f"cn={host}.{vlan}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
+        result = self.base.result(query_id)
+        result = result[1][0][1]
+        result = [res.decode('utf-8') for res in result['ipHostNumber']]
+        return result
+
+    def all_ip(self, host):
+        """
+        Retrieve all IP addresses of a device
+        query('ldap', 'all_ip', HOST)
+        """
+        interfaces_query_id = self.base.search(f"cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_ONELEVEL)
+        interfaces_result = self.base.result(interfaces_query_id)
+        result = []
+        for dn, interface in interfaces_result[1]:
+            for ip in interface['ipHostNumber']:
+                result.append(ip.decode('utf-8'))
+        return result
+
+    def cn(self, host, vlan):
+        """
+        Retrieve aliases of an interface of a device
+        query('ldap', 'cn', HOST, VLAN)
+        """
+        if isinstance(vlan, int):
+            network_query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, f"description={vlan}")
+            network_result = self.base.result(network_query_id)
+            vlan = network_result[1][0][1]['cn'][0].decode('utf-8')
+        if vlan == 'adh':
+            query_id = self.base.search(f"cn={host}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
+        else:
+            query_id = self.base.search(f"cn={host}.{vlan}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
+        result = self.base.result(query_id)
+        result = result[1][0][1]
+        result = [res.decode('utf-8') for res in result['cn']]
+        return result
+
+    def all_cn(self, host):
+        """
+        Retrieve all aliases addresses of a device
+        query('ldap', 'all_cn', HOST)
+        """
+        interfaces_query_id = self.base.search(f"cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_ONELEVEL)
+        interfaces_result = self.base.result(interfaces_query_id)
+        result = []
+        for dn, interface in interfaces_result[1]:
+            for cn in interface['cn']:
+                result.append(cn.decode('utf-8'))
+        return result
+
+    def ssh_keys(self, host):
+        """
+        Retrieve SSH keys of a host
+        query('ldap', 'ssh_keys', HOST)
+        """
+        host_query_id = self.base.search(f"cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
+        host_result = self.base.result(host_query_id)[1][0][1]
+        result = []
+        if 'description' not in host_result:
+            return result
+        for description in host_result['description']:
+            description = description.decode('utf-8')
+            key, value = description.split(':', 1)
+            if key in {'ecdsa-sha2-nistp256', 'ssh-ed25519', 'ssh-dss', 'ssh-rsa'}:
+                result.append(f'{key} {value}')
+        return result
+
+    def subnet_ipv4(self, subnet):
+        """
+        Retrieve used IP addresses on a subnet
+        query('ldap', 'subnet_ipv4', SUBNET)
+        """
+        network_query_id = self.base.search(f"cn={subnet},ou=networks,{self.base_dn}", ldap.SCOPE_BASE)
+        network_result = self.base.result(network_query_id)
+        network = network_result[1][0][1]
+        network, hostmask = network['ipNetworkNumber'][0].decode('utf-8'), network['ipNetmaskNumber'][0].decode('utf-8')
+        subnet = ipaddress.IPv4Network(f"{network}/{hostmask}")
+        query_id = self.base.search(f"ou=hosts,{self.base_dn}", ldap.SCOPE_SUBTREE, "objectClass=ipHost")
+        result = self.base.result(query_id)
+        result = [ip.decode('utf-8') for dn, entry in result[1] for ip in entry['ipHostNumber'] if ipaddress.ip_address(ip.decode('utf-8')) in subnet]
+        return result
+
+    def run(self, terms, variables=None, **kwargs):
+        if terms[0] == 'query':
+            result = self.query(*terms[1:])
+        elif terms[0] == 'ip':
+            result = self.ip(*terms[1:])
+        elif terms[0] == 'all_ip':
+            result = self.all_ip(*terms[1:])
+        elif terms[0] == 'cn':
+            result = self.cn(*terms[1:])
+        elif terms[0] == 'all_cn':
+            result = self.all_cn(*terms[1:])
+        elif terms[0] == 'subnet_ipv4':
+            result = self.subnet_ipv4(*terms[1:])
+        elif terms[0] == 'ssh_keys':
+            result = self.ssh_keys(*terms[1:])
+        elif terms[0] == 'group':
+            query_id = self.base.search(f"ou=group,{self.base_dn}", ldap.SCOPE_SUBTREE, "objectClass=posixGroup")
+            result = self.base.result(query_id)
+            result = result[1]
+        # query interface attribute
+        # query('ldap', 'hosts', HOST, VLAN, ATTR)
+        #   HOST: device name
+        #   VLAN: vlan name
+        #   ATTR: attribute
+        elif terms[0] == 'hosts':
+            host = terms[1]
+            vlan = terms[2]
+            attr = terms[3]
+            if isinstance(vlan, int):
+                network_query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, f"description={vlan}")
+                network_result = self.base.result(network_query_id)
+                vlan = network_result[1][0][1]['cn'][0].decode('utf-8')
+            if vlan == 'adh':
+                query_id = self.base.search(f"cn={host}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
+            else:
+                query_id = self.base.search(f"cn={host}.{vlan}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
+            result = self.base.result(query_id)
+            result = result[1][0][1]
+            result = [res.decode('utf-8') for res in result[attr]]
+        elif terms[0] == 'network':
+            network = terms[1]
+            query_id = self.base.search(f"cn={network},ou=networks,{self.base_dn}", ldap.SCOPE_BASE, "objectClass=ipNetwork")
+            result = self.base.result(query_id)
+            result = result[1][0][1]
+            return str(ipaddress.ip_network('{}/{}'.format(result['ipNetworkNumber'][0].decode('utf-8'), result['ipNetmaskNumber'][0].decode('utf-8'))))
+        elif terms[0] == 'zones':
+            query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, "objectClass=ipNetwork")
+            result = self.base.result(query_id)
+            res = []
+            for _, network in result[1]:
+                network = network['cn'][0].decode('utf-8')
+                if network == 'adh':
+                    res.append('ynerant.fr')
+                else:
+                    res.append(f"{network}.ynerant.fr")
+            result = res
+        elif terms[0] == 'vlanid':
+            network = terms[1]
+            query_id = self.base.search(f"cn={network},ou=networks,{self.base_dn}", ldap.SCOPE_BASE, "objectClass=ipNetwork")
+            result = self.base.result(query_id)
+            result = result[1][0][1]
+            return int(result['description'][0])
+        elif terms[0] == 'role':
+            role = terms[1]
+            query_id = self.base.search(f"ou=hosts,{self.base_dn}", ldap.SCOPE_ONELEVEL, f"description=role:{role}")
+            result = self.base.result(query_id)
+            result = [cn.decode('utf-8') for res in result[1] for cn in res[1]['cn']]
+        return result

plays/apt.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: debian
+  vars:
+    apt: "{{ glob_apt | default({}) | combine(service_apt | default({})) | combine(loc_apt | default({})) }}"
+  roles:
+    - apt

plays/base.yml

@@ -0,0 +1,23 @@
+#!/usr/bin/env ansible-playbook
+---
+
+- import_playbook: root.yml
+- import_playbook: apt.yml
+- import_playbook: network_interfaces.yml
+- import_playbook: ntp.yml
+- import_playbook: ldap-client.yml
+- import_playbook: home.yml
+- import_playbook: nullmailer.yml
+- import_playbook: monitoring.yml
+
+- hosts: debian
+  roles:
+    - sudo
+    - qemu-guest-agent
+    - cli-utils
+
+#- hosts: templier.adh.crans.org
+#  roles:
+#    - bind
+#    - docker
+#  become: yes

plays/certbot.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: certbot
+  vars:
+    certbot: "{{ glob_certbot | default(service_certbot | default(loc_certbot | default([]))) }}"
+  roles:
+    - certbot

plays/home.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: debian
+  vars:
+    home: '{{ glob_home | combine(loc_home | default({})) }}'
+  roles:
+    - home

plays/ldap-client.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: debian
+  vars:
+    ldap: '{{ glob_ldap | combine(loc_ldap | default({})) }}'
+  roles:
+    - ldap-client

plays/monitoring.yml

@@ -0,0 +1,38 @@
+#!/usr/bin/env ansible-playbook
+---
+
+# Deploy Prometheus on monitoring server
+- hosts: prometheus
+  vars:
+    prometheus: "{{ glob_prometheus | default({}) | combine(loc_prometheus | default({})) }}"
+    alertmanager: "{{ glob_alertmanager | default({}) | combine(loc_alertmanager | default({})) }}"
+    ninjabot: "{{ glob_ninjabot | default({}) | combine(loc_ninjabot | default({})) }}"
+  roles:
+    - prometheus
+    - prometheus-alertmanager
+    - ninjabot
+
+# Deploy Grafana on monitoring server
+- hosts: grafana
+  vars:
+    grafana: "{{ glob_grafana | default({}) | combine(loc_grafana | default({})) }}"
+  roles:
+    - grafana
+
+- hosts: blackbox
+  roles:
+    - prometheus-blackbox-exporter
+
+# Monitor all hosts
+- hosts: server
+  vars:
+    prometheus_node_exporter: "{{ glob_prometheus_node_exporter | default({}) | combine(loc_prometheus_node_exporter | default({})) }}"
+  roles:
+    - prometheus-node-exporter
+
+# Export nginx metrics
+- hosts: nginx
+  vars:
+    prometheus_nginx_exporter: "{{ glob_prometheus_nginx_exporter | default({}) | combine(loc_prometheus_nginx_exporter | default({})) }}"
+  roles:
+    - prometheus-nginx-exporter

plays/network_interfaces.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: vm
+  vars:
+   network_interfaces: "{{ glob_network_interfaces | default({}) | combine(loc_network_interfaces | default({})) }}"
+  roles:
+    - network-interfaces

plays/nginx.yml

@@ -0,0 +1,14 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: nginx,!reverseproxy
+  vars:
+    nginx: "{{ glob_nginx | default({}) | combine(service_nginx | default({})) | combine(loc_nginx | default({})) }}"
+  roles:
+    - nginx
+
+- hosts: reverseproxy
+  vars:
+    nginx: "{{ glob_nginx | default({}) | combine(service_nginx | default({})) | combine(loc_nginx | default({})) }}"
+    reverseproxy: "{{ glob_reverseproxy | default({}) | combine(service_reverseproxy | default({})) | combine(loc_reverseproxy | default({})) }}"
+  roles:
+    - nginx

plays/ntp.yml

@@ -0,0 +1,13 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: ntp_server
+  vars:
+    ntp_server: '{{ glob_ntp_server | combine(loc_ntp_server | default({})) }}'
+  roles:
+    - ntp-server
+
+- hosts: debian
+  vars:
+    ntp_client: '{{ glob_ntp_client | combine(loc_ntp_client | default({})) }}'
+  roles:
+    - ntp-client

plays/nullmailer.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: debian,!postfix
+  vars:
+    nullmailer: "{{ glob_nullmailer | default({}) | combine(loc_nullmailer | default({})) }}"
+  roles:
+    - nullmailer

plays/root.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: debian
+  vars:
+    root: "{{ glob_root | default({}) | combine(loc_root | default({})) }}"
+  roles:
+    - root

plays/slapd.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: slapd
+  vars:
+    slapd: "{{ glob_slapd | default({}) | combine(service_slapd | default({})) | combine(loc_slapd | default({})) }}"
+  roles:
+    - slapd

roles/apt/tasks/apt-listchanges.yml

@@ -0,0 +1,32 @@
+---
+# Install apt-listchanges
+- name: Install apt-listchanges
+  when: ansible_os_family == "Debian"
+  apt:
+    name: apt-listchanges
+    state: present
+    update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+# Send email when there is something new
+- name: Configure apt-listchanges
+  ini_file:
+    path: /etc/apt/listchanges.conf
+    no_extra_spaces: true
+    section: apt
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+    state: present
+    mode: 0644
+  loop:
+    - option: confirm
+      value: "true"
+
+    - option: email_address
+      value: "{{ apt.monitoring_mail }}"
+
+    - option: which
+      value: both
+...

roles/apt/tasks/apt-unattended.yml

@@ -0,0 +1,20 @@
+---
+- name: Install unattended-upgrades
+  when: ansible_os_family == "Debian"
+  apt:
+    name: unattended-upgrades
+    state: present
+    update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure unattended-upgrades
+  template:
+    src: "apt/apt.conf.d/{{ item }}.j2"
+    dest: "/etc/apt/apt.conf.d/{{ item }}"
+    owner: root
+    mode: u=rw,g=r,o=r
+  loop:
+    - 50unattended-upgrades
+    - 20auto-upgrades

roles/apt/tasks/main.yml

@@ -0,0 +1,58 @@
+---
+- name: Add mirror.adm.ynerant.fr in /etc/hosts
+  lineinfile:
+    state: present
+    path: /etc/hosts
+    regex: "^{{ item }}"
+    line: "{{ item }} mirror.adm.ynerant.fr"
+  loop:
+    - "172.16.42.102"
+    - "fd00::42:4000:ff:fe01:242"
+
+- name: Configure Debian repositories
+  template:
+    src: apt/sources.list.j2
+    dest: /etc/apt/sources.list
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Configure extra repositories
+  template:
+    src: apt/sources.list.d/sources.list.j2
+    dest: "/etc/apt/sources.list.d/{{ item.name }}.list"
+    owner: root
+    group: root
+    mode: 0644
+  loop: "{{ apt.extra_repositories }}"
+
+- name: Configure pin from future distributions
+  when: item[2].key != ansible_distribution_release
+  template:
+    src: "apt/{{ item[0] }}.d/pin{{ item[1] }}.j2"
+    dest: "/etc/apt/{{ item[0] }}.d/{{ item[2].key }}{{ item[1] }}"
+    owner: root
+    group: root
+    mode: 0644
+  with_nested:
+    - [["sources.list", ".list"], ["preferences", ""]]
+    - "{{ apt.pin|dict2items }}"
+
+- name: Clear useless pinned configuration
+  when: item[2].key == ansible_distribution_release
+  file:
+    path: "/etc/apt/{{ item[0] }}.d/{{ item[2].key }}{{ item[1] }}"
+    state: absent
+  with_nested:
+    - [["sources.list", ".list"], ["preferences", ""]]
+    - "{{ apt.pin|dict2items }}"
+
+- name: Update APT cache
+  apt:
+    update_cache: true
+
+# APT-List Changes : send email with changelog
+- include_tasks: apt-listchanges.yml
+
+# APT Unattended upgrades
+- include_tasks: apt-unattended.yml

roles/apt/templates/apt/apt.conf.d/20auto-upgrades.j2

@@ -0,0 +1,4 @@
+{{ ansible_header | comment }}
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";

roles/apt/templates/apt/apt.conf.d/50unattended-upgrades.j2

@@ -0,0 +1,175 @@
+{{ ansible_header | comment }}
+
+// Unattended-Upgrade::Origins-Pattern controls which packages are
+// upgraded.
+//
+// Lines below have the format "keyword=value,...".  A
+// package will be upgraded only if the values in its metadata match
+// all the supplied keywords in a line.  (In other words, omitted
+// keywords are wild cards.) The keywords originate from the Release
+// file, but several aliases are accepted.  The accepted keywords are:
+//   a,archive,suite (eg, "stable")
+//   c,component     (eg, "main", "contrib", "non-free")
+//   l,label         (eg, "Debian", "Debian-Security")
+//   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
+//   n,codename      (eg, "jessie", "jessie-updates")
+//     site          (eg, "http.debian.net")
+// The available values on the system are printed by the command
+// "apt-cache policy", and can be debugged by running
+// "unattended-upgrades -d" and looking at the log file.
+//
+// Within lines unattended-upgrades allows 2 macros whose values are
+// derived from /etc/debian_version:
+//   ${distro_id}            Installed origin.
+//   ${distro_codename}      Installed codename (eg, "buster")
+Unattended-Upgrade::Origins-Pattern {
+        // Codename based matching:
+        // This will follow the migration of a release through different
+        // archives (e.g. from testing to stable and later oldstable).
+        // Software will be the latest available for the named release,
+        // but the Debian release itself will not be automatically upgraded.
+        "origin=Debian,codename=${distro_codename},label=Debian";
+        "origin=Debian,codename=${distro_codename}-updates";
+        "origin=Debian,codename=${distro_codename}-proposed-updates";
+        "origin=Debian,codename=${distro_codename},label=Debian-Security";
+        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
+        "origin=Debian Backports,codename=${distro_codename}-backports,label=Debian Backports"
+
+        // Archive or Suite based matching:
+        // Note that this will silently match a different release after
+        // migration to the specified archive (e.g. testing becomes the
+        // new stable).
+//      "o=Debian,a=stable";
+//      "o=Debian,a=stable-updates";
+//      "o=Debian,a=proposed-updates";
+//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
+};
+
+// Python regular expressions, matching packages to exclude from upgrading
+Unattended-Upgrade::Package-Blacklist {
+    // The following matches all packages starting with linux-
+//  "linux-";
+
+    // Use $ to explicitely define the end of a package name. Without
+    // the $, "libc6" would match all of them.
+//  "libc6$";
+//  "libc6-dev$";
+//  "libc6-i686$";
+
+    // Special characters need escaping
+//  "libstdc\+\+6$";
+
+    // The following matches packages like xen-system-amd64, xen-utils-4.1,
+    // xenstore-utils and libxenstore3.0
+//  "(lib)?xen(store)?";
+
+    // For more information about Python regular expressions, see
+    // https://docs.python.org/3/howto/regex.html
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run 
+//   dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGTERM. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+//Unattended-Upgrade::MinimalSteps "true";
+Unattended-Upgrade::MinimalSteps "true";
+
+// Install all updates when the machine is shutting down
+// instead of doing it in the background while the machine is running.
+// This will (obviously) make shutdown slower.
+// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
+// This allows more time for unattended-upgrades to shut down gracefully
+// or even install a few packages in InstallOnShutdown mode, but is still a
+// big step back from the 30 minutes allowed for InstallOnShutdown previously.
+// Users enabling InstallOnShutdown mode are advised to increase
+// InhibitDelayMaxSec even further, possibly to 30 minutes.
+//Unattended-Upgrade::InstallOnShutdown "false";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+//Unattended-Upgrade::Mail "";
+Unattended-Upgrade::Mail "{{ apt.monitoring_mail }}";
+
+// Set this value to one of:
+//    "always", "only-on-error" or "on-change"
+// If this is not set, then any legacy MailOnlyOnError (boolean) value
+// is used to chose between "only-on-error" and "on-change"
+//Unattended-Upgrade::MailReport "on-change";
+
+// Remove unused automatically installed kernel-related packages
+// (kernel images, kernel headers and kernel version locked tools).
+//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+
+// Do automatic removal of newly unused dependencies after the upgrade
+//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+
+// Do automatic removal of unused packages after the upgrade
+// (equivalent to apt-get autoremove)
+//Unattended-Upgrade::Remove-Unused-Dependencies "false";
+Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if
+//  the file /var/run/reboot-required is found after the upgrade
+//Unattended-Upgrade::Automatic-Reboot "false";
+Unattended-Upgrade::Automatic-Reboot "true";
+
+// Automatically reboot even if there are users currently logged in
+// when Unattended-Upgrade::Automatic-Reboot is set to true
+//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";
+
+// Enable logging to syslog. Default is False
+// Unattended-Upgrade::SyslogEnable "false";
+Unattended-Upgrade::SyslogEnable "true";
+
+// Specify syslog facility. Default is daemon
+// Unattended-Upgrade::SyslogFacility "daemon";
+
+// Download and install upgrades only on AC power
+// (i.e. skip or gracefully stop updates on battery)
+// Unattended-Upgrade::OnlyOnACPower "true";
+
+// Download and install upgrades only on non-metered connection
+// (i.e. skip or gracefully stop updates on a metered connection)
+// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
+
+// Verbose logging
+// Unattended-Upgrade::Verbose "false";
+
+// Print debugging information both in unattended-upgrades and
+// in unattended-upgrade-shutdown
+// Unattended-Upgrade::Debug "false";
+
+// Allow package downgrade if Pin-Priority exceeds 1000
+// Unattended-Upgrade::Allow-downgrade "false";
+
+// When APT fails to mark a package to be upgraded or installed try adjusting
+// candidates of related packages to help APT's resolver in finding a solution
+// where the package can be upgraded or installed.
+// This is a workaround until APT's resolver is fixed to always find a
+// solution if it exists. (See Debian bug #711128.)
+// The fallback is enabled by default, except on Debian's sid release because
+// uninstallable packages are frequent there.
+// Disabling the fallback speeds up unattended-upgrades when there are
+// uninstallable packages at the expense of rarely keeping back packages which
+// could be upgraded or installed.
+// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";

roles/apt/templates/apt/preferences.d/pin.j2

@@ -0,0 +1,12 @@
+{{ ansible_header | comment }}
+
+
+Package: *
+Pin: release n={{ item[2].key }}
+Pin-Priority: 1
+{% for package in item[2].value -%}
+
+Package: {{ package }}
+Pin: release n={{ item[2].key }}
+Pin-Priority: 900
+{% endfor -%}

roles/apt/templates/apt/sources.list.d/pin.list.j2

@@ -0,0 +1,3 @@
+{{ ansible_header | comment }}
+
+deb {{ apt.mirror }}debian {{ item[2].key }} main contrib non-free

roles/apt/templates/apt/sources.list.d/sources.list.j2

@@ -0,0 +1,8 @@
+{{ ansible_header | comment }}
+
+{% for repo in item.repositories -%}
+deb {{ repo.url }} {{ repo.version }} {{ repo.tags }}
+{% if repo.src is defined and repo.src -%}
+deb-src {{ repo.url }} {{ repo.version }} {{ repo.tags }}
+{% endif -%}
+{% endfor -%}

roles/apt/templates/apt/sources.list.j2

@@ -0,0 +1,15 @@
+{{ ansible_header | comment }}
+
+# Mises à jour de sécurité
+deb     {{ apt.mirror }}debian-security {{ ansible_distribution_release }}-security main contrib non-free
+
+# Dépôt classique
+deb     {{ apt.mirror }}debian {{ ansible_distribution_release }} main contrib non-free
+
+# Dépôt pour mises à jour fréquentes (volatile)
+deb     {{ apt.mirror }}debian {{ ansible_distribution_release }}-updates main contrib non-free
+
+{% if apt.backports | default(false) %}
+# Backports
+deb     {{ apt.mirror }}debian {{ ansible_distribution_release }}-backports main contrib non-free
+{% endif %}

roles/audio/tasks/main.yml

@@ -1,12 +0,0 @@
----
-
-- name: Queries package manager for audio installation
-  package:
-    name:
-      - alsa-utils
-      - pulseaudio
-      - pulsemixer
-  register: pkg_result
-  retries: 3
-  until: pkg_result is succeeded
-  become: yes

roles/bind/templates/named.conf.local.j2

@@ -1,3 +1,5 @@
+{{ ansible_header | comment(decoration='//') }}
+
 //
 // Do any local configuration here
 //

roles/certbot/tasks/main.yml

@@ -0,0 +1,52 @@
+---
+- name: Install certbot and RFC2136 plugin
+  apt:
+    update_cache: true
+    name:
+      - certbot
+      - python3-certbot-dns-rfc2136
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Add DNS credentials
+  template:
+    src: letsencrypt/rfc2136.ini.j2
+    dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
+    mode: 0600
+    owner: root
+  loop: "{{ certbot }}"
+
+- name: Add dhparam
+  template:
+    src: "letsencrypt/dhparam.j2"
+    dest: "/etc/letsencrypt/dhparam"
+    mode: 0600
+
+- name: Create /etc/letsencrypt/conf.d
+  file:
+    path: /etc/letsencrypt/conf.d
+    state: directory
+
+- name: Add Certbot configuration
+  template:
+    src: "letsencrypt/conf.d/certname.ini.j2"
+    dest: "/etc/letsencrypt/conf.d/{{ item.certname }}.ini"
+    mode: 0644
+  loop: "{{ certbot }}"
+
+- name: Run certbot
+  command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
+  register: certbot_output
+  changed_when: not "Certificate not yet due for renewal" in certbot_output.stdout
+  loop: "{{ certbot }}"
+
+- name: Clean old files
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "/etc/letsencrypt/options-ssl-nginx.conf"
+    - "/etc/letsencrypt/ssl-dhparams.pem"
+    - "/etc/letsencrypt/rfc2136.ini"

roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2

@@ -0,0 +1,28 @@
+{{ ansible_header | comment(decoration='# ') }}
+
+# To generate the certificate, please use the following command
+# certbot --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
+
+# Use a 4096 bit RSA key instead of 2048
+rsa-key-size = 4096
+
+# Always use the staging/testing server
+# server = https://acme-staging.api.letsencrypt.org/directory
+
+# Uncomment and update to register with the specified e-mail address
+email = {{ item.mail }}
+
+# Uncomment to use a text interface instead of ncurses
+text = True
+
+# Yes I want to sell my soul and my guinea pig.
+agree-tos = True
+
+# Use DNS-01 challenge
+authenticator = dns-rfc2136
+dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini
+dns-rfc2136-propagation-seconds = 30
+
+# Wildcard the domain
+cert-name = {{ item.certname }}
+domains = {{ item.domains }}

roles/certbot/templates/letsencrypt/dhparam.j2

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

roles/certbot/templates/letsencrypt/rfc2136.ini.j2

@@ -0,0 +1,7 @@
+{{ ansible_header | comment(decoration='# ') }}
+
+dns_rfc2136_server = {{ item.dns_rfc2136_server }}
+dns_rfc2136_port = 53
+dns_rfc2136_name = {{ item.dns_rfc2136_name }}
+dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
+dns_rfc2136_algorithm = HMAC-SHA512

roles/cli-utils/tasks/main.yml

@@ -1,36 +1,26 @@
 ---
-- name: Install cli utilities
+- name: Install useful utilities
   package:
     name:
       - bash
       - bash-completion
       - bat
+      - curl
+      - dnsutils
       - git
-      - sl
       - htop
+      - man
+      - molly-guard
+      - mtr-tiny
+      - needrestart
+      - patch
+      - rsync
+      - sl
+      - sudo
       - tmux
+      - traceroute
       - tree
+      - vim
   register: pkg_result
   retries: 3
   until: pkg_result is succeeded
-  become: yes
-  when: user.root
-
-- name: Create directory hierarchy
-  file:
-    path: '.config/{{ item }}'
-    state: directory
-  with_items:
-    - 'git/'
-    - 'bash/'
-
-- name: Deploying config files
-  template:
-    src: '{{ item.src }}'
-    dest: '{{ item.dest }}'
-  with_items:
-    - { src: bashrc.j2, dest: .bashrc }
-    - { src: inputrc.j2, dest: .inputrc }
-    - { src: bash_aliases.j2, dest: .config/bash/bash_aliases }
-    - { src: gitconfig.j2, dest: .config/git/config }
-    - { src: tmux.conf.j2, dest: .tmux.conf }

roles/cli-utils/templates/bash_aliases.j2

@@ -1,41 +0,0 @@
-#!/bin/bash
-
-# enable color support of ls and also add handy aliases
-if [ -x /usr/bin/dircolors ]; then
-    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
-    alias ls='ls --color=auto'
-
-    alias grep='grep --color=always'
-    alias fgrep='fgrep --color=always'
-    alias egrep='egrep --color=always'
-fi
-
-# some more ls aliases
-alias ll='ls -alF'
-alias la='ls -A'
-alias l='ls -CF'
-
-alias cd='cd -P'
-alias ip='ip -c'
-
-alias less='less -R'
-
-alias toilet='toilet -f mono12 --rainbow'
-
-alias startx='exec startx'
-
-alias gst='git status -s'
-
-alias proxy='ssh -q -C -N -D 8080'
-alias wip='watch -c ip -c'
-
-alias vi=vim
-alias cat=bat
-
-# Add some emoji aliases
-alias 🦇=bat
-alias 🐈=cat
-alias 🚆=sl
-alias 🚂=sl
-alias 🚅=sl
-alias 💿=cd

roles/cli-utils/templates/bashrc.j2

@@ -1,57 +0,0 @@
-[ -z "$PS1" ] && return
-
-HISTCONTROL=ignoredups:ignorespace
-HISTFILE=/dev/null
-
-# check the window size after each command and, if necessary,
-# update the values of LINES and COLUMNS.
-shopt -s checkwinsize
-
-# make less more friendly for non-text input files, see lesspipe(1)
-[ -x /usr/bin/lesspipe.sh ] && eval "$(SHELL=/bin/sh lesspipe.sh)"
-
-
-PROMPT_COMMAND=__prompt
-
-__prompt() {
-  retline=$?
-  gitline=$(git branch 2> /dev/null | grep '^*' | awk '{print $2}')
-
-  # COLORS
-  RED='\[\e[01;31m\]'
-  GREEN='\[\e[01;32m\]'
-  ORANGE='\[\e[01;33m\]'
-  BLUE='\[\e[01;34m\]'
-  NC='\[\e[0m\]'
-
-  PS1=""
-  PS1+="$GREEN\u@\h$NC" # user@host
-  PS1+=" $BLUE\W$NC" # pwd
-  [ -z $gitline ] || PS1+=" $ORANGE$gitline$NC"
-  PS1="[ $PS1 ]"
-  [ $retline -ne 0 ] && PS1+=" $RED$retline$NC "
-  PS1+="\$ "
-  return $ret
-}
-
-if [ -f ~/.config/bash/bash_aliases ]; then
-    . ~/.config/bash/bash_aliases
-fi
-
-rm -rf {{ cliutils.bash.bogus_dirs | join(" ") }}
-
-
-if [ -f /usr/share/bash-completion/bash_completion ]; then
-  . /usr/share/bash-completion/bash_completion
-fi
-
-export XDG_CONFIG_HOME=~/.config/
-grep -q '/\.local/bin'<<<$PATH || export PATH=$PATH:~/.local/bin/
-
-## REMOVING LESSHST
-LESSHISTFILE=/dev/null
-
-export EDITOR='vim'
-
-export PASSWORD_STORE_ENABLE_EXTENSIONS=true
-

roles/cli-utils/templates/gitconfig.j2

@@ -1,13 +0,0 @@
-[user]
-    email = {{ cliutils.git.email }}
-    name = {{ cliutils.git.name }}
-    signingkey = {{ cliutils.git.signingkey }}
-[commit]
-    gpgsign = true
-[core]
-    autocrlf = input
-    editor = vim
-[format]
-    signoff = true
-[pull]
-    ff = only

roles/cli-utils/templates/inputrc.j2

@@ -1 +0,0 @@
-set mark-symlinked-directories on

roles/cli-utils/templates/tmux.conf.j2

@@ -1,25 +0,0 @@
-unbind r
-bind r source-file ~/.tmux.conf
-
-set -g mouse on
-
-
-# use the vim motion keys to move between panes
-bind h select-pane -L
-bind j select-pane -D
-bind k select-pane -U
-bind l select-pane -R
-
-setw -g mode-keys vi
-bind < resize-pane -L 10
-bind > resize-pane -R 10
-bind - resize-pane -D 10
-bind + resize-pane -U 10
-
-bind-key -T copy-mode-vi 'v' send -X begin-selection;
-bind-key -T copy-mode-vi 'V' send -X select-line;
-bind-key -T copy-mode-vi 'r' send -X rectangle-toggle;
-bind-key -T copy-mode-vi 'y' send -X copy-pipe-and-cancel 'xclip -in -selection clipboard'
-
-set -g base-index 1
-set -g status-bg colour41

roles/communication/tasks/main.yml

@@ -1,40 +0,0 @@
----
-- name: Queries package manager for communication installation
-  package:
-    name:
-      - discord
-      - element-desktop
-      - evolution
-      - gnome-keyring
-      - gnome-themes-extra
-      - lxappearance
-      - seahorse
-  register: pkg_result
-  retries: 3
-  until: pkg_result is succeeded
-  become: yes
-
-- name: Create lxappearance directory hierarchy
-  file:
-    path: '{{ item }}'
-    state: directory
-  with_items:
-    - '.config/gtk-3.0/'
-    - '.icons/default/'
-
-- name: Enable dark mode for evolution
-  template:
-    src: '{{ item.src }}'
-    dest: '{{ item.dest }}'
-  with_items:
-    - { src: 'gtkrc.j2', dest: '.gtkrc-2.0' }
-    - { src: 'settings.ini.j2', dest: '.config/gtk-3.0/settings.ini' }
-    - { src: 'index.theme.j2', dest: '.icons/default/index.theme'}
-
-- name: Create evolution config and cache parent directories
-  file:
-    path: '{{ item }}'
-    state: directory
-  with_items:
-    - '.config/'
-    - '.local/share/'

roles/communication/templates/gtkrc.j2

@@ -1,19 +0,0 @@
-# DO NOT EDIT! This file will be overwritten by LXAppearance.
-# Any customization should be done in ~/.gtkrc-2.0.mine instead.
-
-include "/home/ynerant/.gtkrc-2.0.mine"
-gtk-theme-name="Adwaita-dark"
-gtk-icon-theme-name="Adwaita"
-gtk-font-name="Monospace 8"
-gtk-cursor-theme-name="Adwaita"
-gtk-cursor-theme-size=0
-gtk-toolbar-style=GTK_TOOLBAR_TEXT
-gtk-toolbar-icon-size=GTK_ICON_SIZE_SMALL_TOOLBAR
-gtk-button-images=0
-gtk-menu-images=0
-gtk-enable-event-sounds=0
-gtk-enable-input-feedback-sounds=0
-gtk-xft-antialias=1
-gtk-xft-hinting=0
-gtk-xft-hintstyle="hintnone"
-gtk-xft-rgba="none"

roles/communication/templates/index.theme.j2

@@ -1,4 +0,0 @@
-[Icon Theme]
-Name=Default
-Comment=Default Cursor Theme
-Inherits=Adwaita

roles/communication/templates/settings.ini.j2

@@ -1,16 +0,0 @@
-[Settings]
-gtk-theme-name=Adwaita-dark
-gtk-icon-theme-name=Adwaita
-gtk-font-name=Monospace 8
-gtk-cursor-theme-name=Adwaita
-gtk-cursor-theme-size=0
-gtk-toolbar-style=GTK_TOOLBAR_TEXT
-gtk-toolbar-icon-size=GTK_ICON_SIZE_SMALL_TOOLBAR
-gtk-button-images=0
-gtk-menu-images=0
-gtk-enable-event-sounds=0
-gtk-enable-input-feedback-sounds=0
-gtk-xft-antialias=1
-gtk-xft-hinting=0
-gtk-xft-hintstyle=hintnone
-gtk-xft-rgba=none

roles/docker/tasks/main.yml

@@ -15,4 +15,6 @@
   template:
     src: update-motd.d/05-service.j2
     dest: /etc/update-motd.d/05-docker
+    owner: root
+    group: root
     mode: 0755

roles/docker/templates/update-motd.d/05-service.j2

@@ -1,3 +1,3 @@
 #!/bin/sh
-# {{ ansible_managed }}
+{{ ansible_header | comment }}
 echo "> Les recettes Docker-compose se trouvent dans /var/local/ansible-docker"

roles/grafana/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart grafana
+  service:
+    name: grafana-server
+    state: restarted

roles/grafana/tasks/main.yml

@@ -0,0 +1,100 @@
+---
+- name: Install GPG
+  apt:
+    name: gnupg
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Import Grafana GPG signing key
+  apt_key:
+    url: https://packages.grafana.com/gpg.key
+    state: present
+    validate_certs: false
+  register: apt_key_result
+  retries: 3
+  until: apt_key_result is succeeded
+
+- name: Add Grafana repository
+  apt_repository:
+    repo: deb http://mirror.adm.ynerant.fr/grafana/oss/deb stable main
+    state: present
+    update_cache: true
+
+- name: Install Grafana
+  apt:
+    name: grafana
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure Grafana
+  ini_file:
+    path: /etc/grafana/grafana.ini
+    section: "{{ item.section }}"
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+    mode: 0640
+  loop:
+    - section: server
+      option: root_url
+      value: "{{ grafana.root_url }}"
+    - section: analytics
+      option: reporting_enabled
+      value: "false"
+    - section: analytics
+      option: check_for_updates
+      value: "false"
+    - section: security
+      option: disable_initial_admin_creation
+      value: "true"
+    - section: security
+      option: cookie_secure
+      value: "true"
+    - section: snapshots
+      option: external_enabled
+      value: "false"
+    - section: users
+      option: allow_sign_up
+      value: "false"
+    - section: users
+      option: allow_org_create
+      value: "false"
+    - section: auth.anonymous
+      option: enabled
+      value: "true"
+    - section: auth.anonymous
+      option: hide_version
+      value: "true"
+    - section: auth.basic  # Only LDAP auth
+      option: enabled
+      value: "false"
+    - section: auth.ldap
+      option: enabled
+      value: "true"
+    - section: alerting
+      option: enabled
+      value: "false"
+  notify: Restart grafana
+
+- name: Configure Grafana LDAP
+  template:
+    src: ldap.toml.j2
+    dest: /etc/grafana/ldap.toml
+    mode: 0640
+  notify: Restart grafana
+
+- name: Enable and start Grafana
+  systemd:
+    name: grafana-server
+    enabled: true
+    state: started
+    daemon_reload: true
+
+- name: Indicate role in motd
+  template:
+    src: update-motd.d/05-service.j2
+    dest: /etc/update-motd.d/05-grafana
+    mode: 0755

roles/grafana/templates/ldap.toml.j2

@@ -0,0 +1,47 @@
+{{ ansible_header | comment }}
+# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
+# [log]
+# filters = ldap:debug
+
+[[servers]]
+# Ldap server host (specify multiple hosts space separated)
+host = "{{ grafana.ldap_master_ipv4 }}"
+# Default port is 389 or 636 if use_ssl = true
+port = 636
+# Set to true if ldap server supports TLS
+use_ssl = true
+# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
+start_tls = false
+# set to true if you want to skip ssl cert validation
+ssl_skip_verify = true
+# set to the path to your root CA certificate or leave unset to use system defaults
+# root_ca_cert = "/path/to/certificate.crt"
+# Authentication against LDAP servers requiring client certificates
+# client_cert = "/path/to/client.crt"
+# client_key = "/path/to/client.key"
+
+# Use direct bind
+bind_dn = "uid=%s,{{ grafana.ldap_user_tree }}"
+
+# Useless as we are doing direct bind,
+# but without LDAP auth hang
+search_filter = "(uid=%s)"
+search_base_dns = ["ou=passwd,dc=ynerant,dc=fr"]
+
+## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
+## Please check grafana LDAP docs for examples
+group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
+group_search_base_dns = ["ou=group,{{ grafana.ldap_base }}"]
+group_search_filter_user_attribute = "cn"
+
+# Specify names of the ldap attributes your ldap uses
+[servers.attributes]
+name = "givenName"
+surname = "sn"
+username = "uid"
+email =  "mail"
+
+# All LDAP members can edit
+[[servers.group_mappings]]
+group_dn = "*"
+org_role = "Admin"

roles/grafana/templates/update-motd.d/05-service.j2

@@ -0,0 +1,3 @@
+#!/usr/bin/tail +14
+{{ ansible_header | comment }}
+> grafana a été déployé sur cette machine. Voir /etc/grafana/.

roles/home/README.md

@@ -0,0 +1,8 @@
+# HOME-NOUNOUS
+
+Ce rôle permet d'exporter les homes vers les différents serveurs.
+
+## VARS
+
+home_nounous:
+  ip: l'ip du serveur nfs

roles/home/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+- name: Install NFS client
+  apt:
+    update_cache: true
+    name:
+      - nfs-common
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Create directory home
+  file:
+    path: /home
+    state: directory
+    owner: root
+    group: user
+    mode: 0750
+
+- name: Deploy nfs systemd mount
+  template:
+    src: systemd/system/home.mount.j2
+    dest: /etc/systemd/system/home.mount
+    mode: 0644
+
+- name: Load and activate nfs systemd mount
+  systemd:
+    name: home.mount
+    daemon_reload: true
+    enabled: true
+    state: started

roles/home/templates/systemd/system/home.mount.j2

@@ -0,0 +1,14 @@
+{{ ansible_header | comment }}
+[Unit]
+Description=Mount home
+Wants=network-online.target
+After=network-online.target
+
+[Mount]
+What={{ home.ip }}:{{ home.mountpoint }}
+Where=/home
+Type=nfs
+Options=rw,nosuid
+
+[Install]
+WantedBy=multi-user.target

roles/i3/tasks/main.yml

@@ -1,28 +0,0 @@
----
-
-- name: Queries package manager for graphical instalation
-  package:
-    name:
-      - i3-wm
-      - i3blocks
-      - i3status
-  register: pkg_result
-  become: yes
-  retries: 3
-  until: pkg_result is succeeded
-
-- name: Create i3 configuration folder hierarchy
-  file:
-    path: '.config/{{ item }}'
-    state: directory
-  with_items:
-    - i3/
-    - i3status/
-
-- name: Copy i3 configuration files
-  template:
-    src: '{{ item }}.j2'
-    dest: '.config/{{ item }}/config'
-  with_items:
-    - i3
-    - i3status

roles/i3/templates/i3.j2

@@ -1,231 +0,0 @@
-# This file has been auto-generated by i3-config-wizard(1).
-# It will not be overwritten, so edit it as you like.
-#
-# Should you change your keyboard layout some time, delete
-# this file and re-run i3-config-wizard(1).
-#
-
-# i3 config file (v4)
-#
-# Please see https://i3wm.org/docs/userguide.html for a complete reference!
-
-
-exec /home/ynerant/.fehbg
-exec dunst
-exec nm-applet
-exec battery
-exec mpd
-exec mpd_reader
-{% if laptop.numpad %}
-exec numlockx
-{% endif %}
-
-set $mod Mod4
-set $refresh killall -SIGUSR1 i3status
-floating_modifier $mod
-
-# Font for window titles. Will also be used by the bar unless a different font
-# is used in the bar {} block below.
-font pango:monospace 8
-
-# Center window title and remove edges from windows
-title_align center
-hide_edge_borders both
-
-# Bindings for volume and light
-bindsym XF86MonBrightnessDown exec light -U 10
-bindsym XF86MonBrightnessUp exec light -A 10
-bindsym XF86AudioRaiseVolume exec volume -A 5 && $refresh
-bindsym XF86AudioLowerVolume exec volume -U 5 && $refresh
-bindsym Shift+XF86MonBrightnessDown exec light -U 1
-bindsym Shift+XF86MonBrightnessUp exec light -A 1
-bindsym Shift+XF86AudioRaiseVolume exec volume -A 1 && $refresh
-bindsym Shift+XF86AudioLowerVolume exec volume -U 1 && $refresh
-bindsym XF86AudioMute exec volume -T && $refresh
-bindsym XF86AudioMicMute exec volume -M && $refresh
-
-{% if not laptop.numpad %}
-# Binding for mpd
-bindsym KP_Add exec mpc next && $refresh
-bindsym KP_Subtract exec mpc prev && $refresh
-bindsym KP_Multiply exec mpc toggle && $refresh
-bindsym $mod+F3 exec mpc volume +5
-bindsym $mod+F2 exec mpc volume -5
-{% endif %}
-
-# Binding to toggle mouse tapping
-bindsym XF86TouchpadToggle exec mouse_tap toggle
-
-# start a terminal
-bindsym $mod+Return exec xfce4-terminal -x tmux
-bindsym $mod+Shift+Return exec xfce4-terminal
-
-# kill focused window
-bindsym $mod+Shift+q kill
-
-# start dmenu (a program launcher)
-bindsym $mod+d exec dmenu_run -l 1 -p '[ ynerant@morgoth ~ ]'
-bindsym XF86Search exec dmenu_run -l 1
-
-# Screenshots
-bindsym Print exec scrot 'Pictures/Screenshots/%Y-%m-%d-%s.jpg'
-bindsym --release Shift+Print exec scrot -s "Pictures/Screenshots/$(ls Pictures/Screenshots/ | dmenu)"
-
-
-# Binding to lock screen
-bindsym $mod+Escape exec physlock
-
-# alternatively, you can use the cursor keys:
-bindsym $mod+Left focus left
-bindsym $mod+h focus left
-bindsym $mod+Down focus down
-bindsym $mod+Up focus up
-bindsym $mod+Right focus right
-bindsym $mod+l focus right
-
-# Move through output
-bindsym $mod+j focus output down
-bindsym $mod+k focus output up
-
-# alternatively, you can use the cursor keys:
-bindsym $mod+Shift+Left move left
-bindsym $mod+Shift+h move left
-bindsym $mod+Shift+Down move down
-bindsym $mod+Shift+Up move up
-bindsym $mod+Shift+Right move right
-bindsym $mod+Shift+l move right
-
-# Move workspace between output
-bindsym $mod+Shift+j move workspace to output down
-bindsym $mod+Shift+k move workspace to output up
-
-# split in horizontal orientation
-bindsym $mod+s split h
-
-# split in vertical orientation
-bindsym $mod+v split v
-
-# enter fullscreen mode for the focused container
-bindsym $mod+f fullscreen toggle
-
-# change container layout (stacked, tabbed, toggle split)
-bindsym $mod+w layout tabbed
-bindsym $mod+e layout toggle split
-
-# focus the parent container
-bindsym $mod+a focus parent
-
-# focus the child container
-bindsym $mod+y focus child
-
-# Define names for default workspaces for which we configure key bindings later on.
-# We use variables to avoid repeating the names in multiple places.
-set $ws0 "0"
-set $ws1 "1"
-set $ws2 "2"
-set $ws3 "3"
-set $ws4 "4"
-set $ws5 "5"
-set $ws6 "6"
-set $ws7 "7"
-set $ws8 "8"
-set $ws9 "9"
-set $ws10 "10"
-
-# Screen workspace
-workspace $ws0 output eDP-1
-workspace $ws1 output eDP-1
-workspace $ws2 output eDP-1
-workspace $ws3 output eDP-1
-workspace $ws4 output eDP-1
-workspace $ws5 output eDP-1
-workspace $ws6 output eDP-1
-workspace $ws7 output eDP-1
-workspace $ws8 output eDP-1
-workspace $ws9 output eDP-1
-workspace $ws10 output eDP-1
-
-# switch to workspace
-bindsym $mod+0xb2 workspace $ws0
-bindsym $mod+1 workspace $ws1
-bindsym $mod+2 workspace $ws2
-bindsym $mod+3 workspace $ws3
-bindsym $mod+4 workspace $ws4
-bindsym $mod+5 workspace $ws5
-bindsym $mod+6 workspace $ws6
-bindsym $mod+7 workspace $ws7
-bindsym $mod+8 workspace $ws8
-bindsym $mod+9 workspace $ws9
-bindsym $mod+0 workspace $ws10
-
-# move focused container to workspace
-bindsym $mod+Shift+0xb2 move container to workspace $ws0
-bindsym $mod+Shift+1 move container to workspace $ws1
-bindsym $mod+Shift+2 move container to workspace $ws2
-bindsym $mod+Shift+3 move container to workspace $ws3
-bindsym $mod+Shift+4 move container to workspace $ws4
-bindsym $mod+Shift+5 move container to workspace $ws5
-bindsym $mod+Shift+6 move container to workspace $ws6
-bindsym $mod+Shift+7 move container to workspace $ws7
-bindsym $mod+Shift+8 move container to workspace $ws8
-bindsym $mod+Shift+9 move container to workspace $ws9
-bindsym $mod+Shift+0 move container to workspace $ws10
-
-# Leave fullscreen on new window
-popup_during_fullscreen leave_fullscreen
-
-# Cycle through workspace
-bindsym $mod+Tab workspace next_on_output
-bindsym $mod+Shift+Tab workspace prev_on_output
-
-# Dont focus discord (for thunderbird passwd)
-no_focus [class="(?i)discord"]
-
-# reload the configuration file
-bindsym $mod+Shift+c reload
-
-# restart i3 inplace (preserves your layout/session, can be used to upgrade i3)
-bindsym $mod+Shift+r restart
-
-# exit i3 (logs you out of your X session)
-bindsym $mod+Shift+e exec "i3-msg exit"
-
-# resize window (you can also use the mouse for that)
-mode "resize" {
-  bindsym Left resize shrink width 1 px or 1 ppt
-  bindsym Down resize grow height 1 px or 1 ppt
-  bindsym Up resize shrink height 1 px or 1 ppt
-  bindsym Right resize grow width 1 px or 1 ppt
-
-  # back to normal: Enter or Escape or $mod+r
-  bindsym Return mode "default"
-  bindsym Escape mode "default"
-  bindsym $mod+r mode "default"
-}
-
-bindsym $mod+r mode "resize"
-
-# Window thickness
-new_window 1pixel
-
-# Toogle bar-1 visibility
-bindsym $mod+x bar mode invisible bar-1
-bindsym $mod+Shift+x bar mode toggle bar-1
-
-
-# Start i3bar to display a workspace bar (plus the system information i3status
-# finds out, if available)
-bar {
-  output eDP-1
-  tray_output eDP-1
-  mode hide
-  status_command i3status
-  strip_workspace_numbers yes
-}
-
-bar {
-  output HDMI-2
-  mode hide
-  status_command i3status
-  strip_workspace_numbers yes
-}

roles/i3/templates/i3status.j2

@@ -1,61 +0,0 @@
-# i3status configuration file.
-# see "man i3status" for documentation.
-
-# It is important that this file is edited as UTF-8.
-# The following line should contain a sharp s:
-# ß
-# If the above line is not correctly displayed, fix your editor first!
-
-general {
-  output_format="i3bar"
-  colors = true
-  interval = 1
-}
-
-# order += "ipv6"
-order += "read_file mpd"
-order += "volume master"
-order+= "ipv6"
-order += "wireless _first_"
-order += "ethernet _first_"
-order += "battery all"
-order += "tztime local"
-
-
-ipv6 {
- format_up = "IPV6"
- format_down = ""
-}
-
-wireless _first_ {
-  format_up = "W:%essid"
-  format_down = ""
-}
-
-ethernet _first_ {
-  format_up = "E: %speed"
-  format_down = ""
-}
-
-battery all {
-  format = "%status %percentage %remaining"
-  last_full_capacity = true
-  color_good="#00FFFF"
-  color_bad="#00FFFF"
-}
-
-tztime local {
-  format = "%d-%m %H:%M"
-}
-
-volume master {
-  format = "♪: %volume"
-  format_muted = "♪: muted (%volume)"
-  device = "pulse"
-}
-
-read_file mpd {
-  path = "/tmp/mpd.current"
-  color_good = "#00FF99"
-  format_bad = ""
-}