Lot of stuff

Signed-off-by: Emmy D'Anello <ynerant@crans.org>

.gitignore

@@ -1 +1,2 @@
+__pycache__
 debug.yml

group_vars/all/home.yml

@@ -1,4 +1,4 @@
 ---
 glob_home:
   ip: 172.16.42.1
-  mountpoint: /rpool/home
+  mountpoint: /vm/home

group_vars/all/network_interfaces.yml

@@ -1,10 +1,10 @@
 glob_network_interfaces:
   vlan:
-    - name: srv
+    - name: adh
-      id: 1
+      id: 12
-      gateway: "185.230.76.62"
+      gateway: "185.230.78.99"
-      dns: "{{ query('ldap', 'ip', 'routeur-templier', 'srv') | ipv4 | first }}"
+      dns: "{{ query('ldap', 'ip', 'routeur-templier', 'adh') | ipv4 | first }}"
-      gateway_v6: "2a0c:700:3012::ff:fe02:112"
+      gateway_v6: "2a0c:700:12::ff:fe00:9912"
     - name: adm
       id: 42
       dns: "{{ query('ldap', 'ip', 'routeur-templier', 'adm') | ipv4 | first }}"

group_vars/debian.yml

@@ -3,8 +3,7 @@ glob_apt:
   mirror: "http://mirror.adm.ynerant.fr/"
   backports: false
   extra_repositories: []
-  pin:
+  pin: {}
-    bullseye: []
 
 glob_root:
   passwd_hash: '{{ vault.root_passwd_hash }}'

host_vars/an.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/borg.adm.ynerant.fr.yml

@@ -0,0 +1,3 @@
+---
+interfaces:
+  adm: ens18

host_vars/cemantix.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/dendrite.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/dgac.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/excalidraw.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/fosscord.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/mastodon.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/minecraft.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/nupes.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  adh: ens19

host_vars/pad.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/peertube.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/routeur-templier.adm.ynerant.fr.yml

@@ -1,5 +1,5 @@
 ---
 interfaces:
   adm: ens18
-  srv: ens19
+  adh: ens19
   srv_nat: ens20

host_vars/synapse.adm.ynerant.fr.yml

@@ -2,3 +2,6 @@
 interfaces:
   adm: eth0
   srv_nat: eth1
+
+loc_apt:
+  backports: true

host_vars/templier.adh.crans.org.yml

@@ -2,3 +2,11 @@
 user:
   name: ynerant
   root: yes
+
+loc_certbot:
+  - dns_rfc2136_server: '172.16.42.103'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
+    mail: ynerant@crans.org
+    certname: adm.ynerant.fr
+    domains: "*.adm.ynerant.fr"

host_vars/testing.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/wireguard.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19

host_vars/zemour.adm.ynerant.fr.yml

@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  adh: ens19

hosts

@@ -1,20 +1,13 @@
 [archlinux:children]
 perso
 
-[babel]
-babel0.adm.ynerant.fr
-babel1.adm.ynerant.fr
-babel2.adm.ynerant.fr
-babel3.adm.ynerant.fr
-babel4.adm.ynerant.fr
-babel5.adm.ynerant.fr
-babel6.adm.ynerant.fr
-
 [blackbox]
 monitoring.adm.ynerant.fr
 
 [certbot]
+nupes.adm.ynerant.fr
 proxy.adm.ynerant.fr
+templier.adm.ynerant.fr
 
 [debian:children]
 server
@@ -22,6 +15,9 @@ server
 [grafana]
 monitoring.adm.ynerant.fr
 
+[nginx]
+nupes.adm.ynerant.fr
+
 [nginx:children]
 reverseproxy
 
@@ -57,22 +53,25 @@ templier.adm.ynerant.fr
 templier.adm.ynerant.fr
 
 [vm]
-# candilib.adm.ynerant.fr
+an.adm.ynerant.fr
+borg.adm.ynerant.fr
+dendrite.adm.ynerant.fr
 docker.adm.ynerant.fr
 dns.adm.ynerant.fr
+excalidraw.adm.ynerant.fr
+fosscord.adm.ynerant.fr
 gitea.adm.ynerant.fr
 mailu.adm.ynerant.fr
+mastodon.adm.ynerant.fr
+minecraft.adm.ynerant.fr
 monitoring.adm.ynerant.fr
 nextcloud.adm.ynerant.fr
+nupes.adm.ynerant.fr
+pad.adm.ynerant.fr
+peertube.adm.ynerant.fr
 psql.adm.ynerant.fr
 proxy.adm.ynerant.fr
-re6st.adm.ynerant.fr
 routeur-templier.adm.ynerant.fr
 synapse.adm.ynerant.fr
-
+testing.adm.ynerant.fr
-[vm:children]
+wireguard.adm.ynerant.fr
-babel
-
-[all:vars]
-# Force remote to use Python 3
-ansible_python_interpreter=/usr/bin/env python3

lookup_plugins/ldap.py

@@ -51,7 +51,7 @@ class LookupModule(LookupBase):
             network_query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, f"description={vlan}")
             network_result = self.base.result(network_query_id)
             vlan = network_result[1][0][1]['cn'][0].decode('utf-8')
-        if vlan == 'srv':
+        if vlan == 'adh':
             query_id = self.base.search(f"cn={host}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
         else:
             query_id = self.base.search(f"cn={host}.{vlan}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
@@ -82,7 +82,7 @@ class LookupModule(LookupBase):
             network_query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, f"description={vlan}")
             network_result = self.base.result(network_query_id)
             vlan = network_result[1][0][1]['cn'][0].decode('utf-8')
-        if vlan == 'srv':
+        if vlan == 'adh':
             query_id = self.base.search(f"cn={host}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
         else:
             query_id = self.base.search(f"cn={host}.{vlan}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
@@ -168,7 +168,7 @@ class LookupModule(LookupBase):
                 network_query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, f"description={vlan}")
                 network_result = self.base.result(network_query_id)
                 vlan = network_result[1][0][1]['cn'][0].decode('utf-8')
-            if vlan == 'srv':
+            if vlan == 'adh':
                 query_id = self.base.search(f"cn={host}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
             else:
                 query_id = self.base.search(f"cn={host}.{vlan}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
@@ -187,7 +187,7 @@ class LookupModule(LookupBase):
             res = []
             for _, network in result[1]:
                 network = network['cn'][0].decode('utf-8')
-                if network == 'srv':
+                if network == 'adh':
                     res.append('ynerant.fr')
                 else:
                     res.append(f"{network}.ynerant.fr")

plays/base.yml

@@ -8,6 +8,7 @@
 - import_playbook: ldap-client.yml
 - import_playbook: home.yml
 - import_playbook: nullmailer.yml
+- import_playbook: monitoring.yml
 
 - hosts: debian
   roles:

roles/apt/tasks/main.yml

@@ -8,7 +8,7 @@
     - "185.230.79.30"
     - "2a0c:700:2:0:ea39:35ff:fef0:48c9"
 
-- name: Add mirror.crans.org in /etc/hosts
+- name: Add mirror.adm.ynerant.fr in /etc/hosts
   lineinfile:
     state: present
     path: /etc/hosts
@@ -36,6 +36,7 @@
   loop: "{{ apt.extra_repositories }}"
 
 - name: Configure pin from future distributions
+  when: item[2].key != ansible_distribution_release
   template:
     src: "apt/{{ item[0] }}.d/pin{{ item[1] }}.j2"
     dest: "/etc/apt/{{ item[0] }}.d/{{ item[2].key }}{{ item[1] }}"
@@ -46,6 +47,15 @@
     - [["sources.list", ".list"], ["preferences", ""]]
     - "{{ apt.pin|dict2items }}"
 
+- name: Clear useless pinned configuration
+  when: item[2].key == ansible_distribution_release
+  file:
+    path: "/etc/apt/{{ item[0] }}.d/{{ item[2].key }}{{ item[1] }}"
+    state: absent
+  with_nested:
+    - [["sources.list", ".list"], ["preferences", ""]]
+    - "{{ apt.pin|dict2items }}"
+
 - name: Update APT cache
   apt:
     update_cache: true

roles/apt/templates/apt/sources.list.j2

@@ -1,11 +1,8 @@
 {{ ansible_header | comment }}
 
-{% if ansible_distribution_release != "bullseye" %}
-{# Debian security does not exist yet for bullseye #}
 # Mises à jour de sécurité
-deb     {{ apt.mirror }}debian-security {{ ansible_distribution_release }}/updates main contrib non-free
+deb     {{ apt.mirror }}debian-security {{ ansible_distribution_release }}-security main contrib non-free
 
-{% endif %}
 # Dépôt classique
 deb     {{ apt.mirror }}debian {{ ansible_distribution_release }} main contrib non-free
 

roles/cli-utils/tasks/main.yml

@@ -9,6 +9,8 @@
       - "{% if ansible_os_family == 'Debian' %}dnsutils{% else %}bind-tools{% endif %}"
       - git
       - man
+      - molly-guard
+      - needrestart
       - "mtr{% if ansible_os_family == 'Debian' %}-tiny{% endif %}"
       - sl
       - htop
@@ -17,6 +19,7 @@
       - tmux
       - traceroute
       - tree
+      - unattended-upgrades
       - vim
   register: pkg_result
   retries: 3

roles/ntp-client/tasks/main.yml

@@ -9,7 +9,7 @@
   until: apt_result is succeeded
   when: "'ntp_server' not in group_names"
 
-- name: Install systemd-timesyncd (bullseye)
+- name: Install systemd-timesyncd
   apt:
     name: systemd-timesyncd
     update_cache: true
@@ -19,7 +19,6 @@
   until: apt_result is succeeded
   when:
     - "'ntp_server' not in group_names"
-    - ansible_distribution_release == "bullseye"
 
 - name: Configure NTP
   template:

roles/prometheus-node-exporter/tasks/main.yml

@@ -8,7 +8,7 @@
   retries: 3
   until: apt_result is succeeded
 
-- name: Install Prometheus node-exporter-collectors (bullseye)
+- name: Install Prometheus node-exporter-collectors
   apt:
     update_cache: true
     name: prometheus-node-exporter-collectors
@@ -16,8 +16,6 @@
   register: apt_result
   retries: 3
   until: apt_result is succeeded
-  when:
-    - ansible_lsb.codename == 'bullseye'
 
 - name: Make Prometheus node-exporter listen on adm only
   lineinfile:
@@ -32,14 +30,3 @@
     name: prometheus-node-exporter
     enabled: true
     state: started
-
-# Install new APT textfile collector, it might be upstreamed one day
-# https://github.com/prometheus-community/node-exporter-textfile-collector-scripts/pull/35
-- name: Patch APT textfile collector
-  copy:
-    src: apt.sh
-    dest: /usr/share/prometheus-node-exporter/apt.sh
-    owner: root
-    group: root
-    mode: 0755
-  when: ansible_distribution_release != "bullseye"

roles/sudo/tasks/main.yml

@@ -1,4 +1,8 @@
 ---
+- name: Install sudo
+  apt:
+    name: sudo
+
 - name: Configure sudoers
   template:
     src: "{{ item }}.j2"

roles/sudo/templates/sudoers.j2

@@ -22,6 +22,6 @@ root	ALL=(ALL:ALL) ALL
 USERS ALL=(root:ALL) NOPASSWD:/usr/sbin/qm list
 
 {% endif %}
-# See sudoers(5) for more information on "#include" directives:
+# See sudoers(5) for more information on "@include" directives:
 
-#includedir /etc/sudoers.d
+@includedir /etc/sudoers.d