Add metz backends for everything except postgres and mail

This commit is contained in:
chapeau 2025-06-12 21:34:55 +02:00
parent d7213f6c16
commit 2816bc5665
17 changed files with 122 additions and 20 deletions

.gitignore vendored

@ -1 +1 @@
.vault.key
.vault.key


@ -15,10 +15,10 @@ tsig_secret: !vault |
3035303566313166630a663231373163323039343865646339343962626234656238356530363938
39326330353066376232623564333062336161333666393664646464353231323733656431366637
3563616366316165393463343662373862306238313237633437
certbot_dns_server: 10.90.20.101
certbot_dns_server: 10.90.30.101
ldap_base_dn: dc=catgrl,dc=org
php_version: "8.2" # debian 12
postgres_master: pg.chapoline.intra.catgrl.org
postgres_master: pg.britaliope.intra.catgrl.org
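Review bot: The commit title says postgres is excluded, yet `postgres_master` moves from chapoline to britaliope here, the haproxy secondary is swapped at L72, and the replica list is rewritten at L82-84; either the title is wrong or the postgres master switch was folded into an unrelated commit. A primary change deserves its own commit with the failover steps recorded, since demoting pg.chapoline to a replica of the new master presumably needs its data directory re-based — something the repository cannot express. The new values are at least mutually consistent with `pg.britaliope … is_master: True` at L311-312.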


@ -1,7 +1,7 @@
soa: dns.chapoline.intra.catgrl.org.
soa: dns.metz.intra.catgrl.org.
dns_mail: me.chapoline.me
master: 10.90.20.100
master: 10.90.30.100
secondaries:
- 10.90.10.100
@ -15,6 +15,8 @@ reverse_list:
records: []
- name: "10.90.20"
records: []
- name: "10.90.30"
records: []
mail_master: mail.chapoline.intra.catgrl.org.
mail_slave: mail.britaliope.intra.catgrl.org.
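Review bot: The former master 10.90.20.100 is not among the `secondaries` visible at L38-39, while the inventory keeps dns.chapoline in the `dns` group as `is_master: False` at L281-283; unless the rest of the list (outside the hunk) adds it, a server still declared as a secondary would presumably not be notified of or allowed to transfer this zone. The forward zone at L53-56 has the same shape, with 10.90.20.101 replaced by 10.90.30.101 and no visible demotion to secondary. If chapoline is being retired as a name server rather than demoted, the inventory entries should go in the same commit so the two files agree. The `secondaries` list continues outside the hunk.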


@ -1,6 +1,6 @@
dns_mail: me.chapoline.me
master: 10.90.20.101
master: 10.90.30.101
secondaries:
- 10.90.10.101
@ -93,3 +93,7 @@ zone_list:
- name: front1.faimaison
ip: 31.220.79.204
type: A
- name: abanatae.metz
ip: 193.48.225.90
type: A


@ -11,7 +11,7 @@ haproxy_services:
protocol: tcp
primaries:
- "{{ postgres_master }}"
secondaries: ['pg.britaliope.intra.catgrl.org']
secondaries: ['pg.metz.intra.catgrl.org']
- name: ldap
port: 389
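Review bot: `secondaries` on L72 now lists only pg.metz, so pg.chapoline — still a replica according to L83 — is no longer an haproxy fallback when the primary is down; if that is unintentional, `secondaries: ['pg.chapoline.intra.catgrl.org', 'pg.metz.intra.catgrl.org']`. A block-style list would also match `primaries` two lines above instead of mixing flow and block style in one service.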


@ -2,7 +2,8 @@ postgres:
version: 15
master: "{{ postgres_master }}"
replicas:
- pg.britaliope.intra.catgrl.org
- pg.chapoline.intra.catgrl.org
- pg.metz.intra.catgrl.org
replication_user: replicator
replication_password: !vault |
$ANSIBLE_VAULT;1.1;AES256


@ -6,6 +6,7 @@ haproxy_services:
loadbalance:
- rp.chapoline.intra.catgrl.org
- rp.britaliope.intra.catgrl.org
- rp.metz.intra.catgrl.org
send_proxy: True
- name: https
@ -15,6 +16,7 @@ haproxy_services:
loadbalance:
- rp.chapoline.intra.catgrl.org
- rp.britaliope.intra.catgrl.org
- rp.metz.intra.catgrl.org
send_proxy: True
- name: imaps


@ -22,6 +22,11 @@ peers:
public_key: D70qjoVI3SZxbqqhMTRdpN3nsxYUKKriSKZTQM1IeWU=
ip: 10.90.200.10
subnet: 10.90.10.0/24
- name: gw.metz.intra.catgrl.org
public_key: ncfaH+5ZXSkgNi6ukVw5E3Y5NLynZpSsSmtVLElEWWc=
ip: 10.90.200.30
subnet: 10.90.30.0/24
standalone:
- name: backup.faercol.intra.catgrl.org
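Review bot: The new peer subnet 10.90.30.0/24 on L115 must also be in whatever populates the `@local_subnets` set used by the nftables rules at L369-371; otherwise traffic arriving from metz over the tunnel matches `ip saddr != @local_subnets` and is DNAT'd as if it came from outside. The set definition is not part of this commit, so please confirm it is derived from `peers` or updated alongside. The public key on L113 is fine to commit in clear; the private half is correctly vaulted in the host_vars file at L126-133.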


@ -0,0 +1,15 @@
host:
external: False
interface_dmz: eth0
local_gateway: 10.90.0.254
wireguard_privkey: !vault |
$ANSIBLE_VAULT;1.1;AES256
64333665346432343234633735386263633663623361346538373532346435323230653431616266
3137623031646531356233656636613864313837623731390a613633653333633332653365366165
66333866626662643930363239626663326633363839396238346230633163393039333430613739
6634636466303631350a323836636366653461393136663537626239393431366133633163613139
30383065613661636465356636313266383839336435306364326133353736393332373432333831
3437396366646464386363373366356636346334343034313361
address: 10.90.200.30/24
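Review bot: `external: False` on L123 uses a capitalised boolean; write `external: false` so yamllint's `truthy` rule passes and the value reads the same under YAML 1.1 and 1.2 loaders. The newly added `is_master: True` / `is_master: False` lines in the inventory (L287, L296, L314) have the same issue. The vaulted `wireguard_privkey` is the right way to carry the key, and `address: 10.90.200.30/24` matches the peer `ip` declared at L114.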


@ -0,0 +1 @@
monitors_group: metz


@ -13,7 +13,7 @@ vps:
# The order is important!
dns_servers:
- 10.90.10.100
- 10.90.20.100
- 10.90.30.100
- 1.1.1.1
chapoline:
@ -51,7 +51,7 @@ chapoline:
vars:
# The order is important!
dns_servers:
- 10.90.20.100
- 10.90.30.100
- 10.90.10.100
- 1.1.1.1
local_ilb: ilb.chapoline.intra.catgrl.org
@ -96,7 +96,7 @@ britaliope:
# The order is important!
dns_servers:
- 10.90.10.100
- 10.90.20.100
- 10.90.30.100
- 1.1.1.1
local_ilb: ilb.britaliope.intra.catgrl.org
local_ldap: ldap.britaliope.intra.catgrl.org
@ -104,12 +104,51 @@ britaliope:
local_monitoring: prom.britaliope.intra.catgrl.org
zone: britaliope
metz:
hosts:
gw.metz.intra.catgrl.org:
ansible_host: 10.90.30.254
rp.metz.intra.catgrl.org:
ansible_host: 10.90.30.1
web.metz.intra.catgrl.org:
ansible_host: 10.90.30.2
sso.metz.intra.catgrl.org:
ansible_host: 10.90.30.4
vault.metz.intra.catgrl.org:
ansible_host: 10.90.30.7
ansible_user: root
dns.metz.intra.catgrl.org:
ansible_host: 10.90.30.100
dns-ext.metz.intra.catgrl.org:
ansible_host: 10.90.30.101
pg.metz.intra.catgrl.org:
ansible_host: 10.90.30.102
ldap.metz.intra.catgrl.org:
ansible_host: 10.90.30.103
ilb.metz.intra.catgrl.org:
ansible_host: 10.90.30.104
prom.metz.intra.catgrl.org:
ansible_host: 10.90.30.105
vars:
# The order is important!
dns_servers:
- 10.90.30.100
- 10.90.10.100
- 1.1.1.1
local_ilb: ilb.metz.intra.catgrl.org
local_ldap: ldap.metz.intra.catgrl.org
local_alias: web.metz.intra.catgrl.org
local_monitoring: prom.metz.intra.catgrl.org
zone: metz
wg:
hosts:
gw.chapoline.wg.intra.catgrl.org:
ansible_host: 10.90.200.20
gw.britaliope.wg.intra.catgrl.org:
ansible_host: 10.90.200.10
gw.metz.wg.intra.catgrl.org:
ansible_host: 10.90.200.30
front1.contabo.wg.intra.catgrl.org:
ansible_host: 10.90.200.120
backup.faercol.wg.intra.catgrl.org:
@ -117,19 +156,35 @@ wg:
backup:
hosts:
backup.faercol.wg.intra.catgrl.org:
backup.faercol.intra.catgrl.org:
vars:
# The order is important!
dns_servers:
- 10.90.10.100
- 10.90.20.100
- 10.90.30.100
- 1.1.1.1
zone: faercol
metz-hw:
hosts:
nya.metz.intra.catgrl.org:
ansible_host: 10.90.0.1
abanatae.metz.catgrl.org:
ansible_host: 193.48.225.90
vars:
# The order is important!
dns_servers:
- 10.90.10.100
- 10.90.30.100
- 1.1.1.1
zone: metz
lxc:
children:
chapoline:
britaliope:
metz:
backup:
vars:
ansible_ssh_common_args: '-J front1.contabo.catgrl.org'
@ -139,50 +194,61 @@ managed:
vps:
lxc:
backup:
metz-hw:
ilb:
hosts:
ilb.chapoline.intra.catgrl.org:
ilb.britaliope.intra.catgrl.org:
ilb.metz.intra.catgrl.org:
docker:
hosts:
ldap.chapoline.intra.catgrl.org:
ldap.britaliope.intra.catgrl.org:
ldap.metz.intra.catgrl.org:
git.chapoline.intra.catgrl.org:
vault.chapoline.intra.catgrl.org:
vault.britaliope.intra.catgrl.org:
vault.metz.intra.catgrl.org:
wireguard:
hosts:
front1.contabo.catgrl.org:
gw.chapoline.intra.catgrl.org:
gw.britaliope.intra.catgrl.org:
gw.metz.intra.catgrl.org:
backup.faercol.intra.catgrl.org:
dns:
hosts:
dns.chapoline.intra.catgrl.org:
is_master: True
is_master: False
dns.britaliope.intra.catgrl.org:
is_master: False
dns.metz.intra.catgrl.org:
is_master: True
dns_ext:
hosts:
dns-ext.chapoline.intra.catgrl.org:
is_master: True
is_master: False
dns-ext.britaliope.intra.catgrl.org:
is_master: False
dns-ext.metz.intra.catgrl.org:
is_master: True
rp:
hosts:
rp.chapoline.intra.catgrl.org:
rp.britaliope.intra.catgrl.org:
rp.metz.intra.catgrl.org:
website:
hosts:
web.chapoline.intra.catgrl.org:
web.britaliope.intra.catgrl.org:
web.metz.intra.catgrl.org:
acme:
children:
@ -229,16 +295,20 @@ postgres:
is_master: False
pg.britaliope.intra.catgrl.org:
is_master: True
pg.metz.intra.catgrl.org:
is_master: False
ldap:
hosts:
ldap.chapoline.intra.catgrl.org:
ldap.britaliope.intra.catgrl.org:
ldap.metz.intra.catgrl.org:
sso:
hosts:
sso.chapoline.intra.catgrl.org:
sso.britaliope.intra.catgrl.org:
sso.metz.intra.catgrl.org:
forgejo:
hosts:
@ -262,6 +332,7 @@ vault:
hosts:
vault.chapoline.intra.catgrl.org:
vault.britaliope.intra.catgrl.org:
vault.metz.intra.catgrl.org:
webmail:
hosts:
@ -272,3 +343,4 @@ monitoring:
hosts:
# prom.chapoline.intra.catgrl.org:
prom.britaliope.intra.catgrl.org:
prom.metz.intra.catgrl.org:
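Review bot: 10.90.20.100 (dns.chapoline) disappears from every `dns_servers` list — the chapoline group at L154-158 now resolves through metz and britaliope only — while dns.chapoline stays in the `dns` group as a secondary at L281-283; a secondary no client queries is either a leftover to remove, or a local resolver that should stay first in chapoline's list so resolution survives a wireguard outage. L184 makes vault.metz the only new host with `ansible_user: root`; if vault.chapoline and vault.britaliope do not set it (their host entries are outside the hunk), prefer the default user with `become` over direct root SSH, or add a comment explaining why vault needs it. The metz-hw group at L240-243 orders 10.90.10.100 before 10.90.30.100 whereas the metz group at L199-202 puts the local server first; given the "The order is important!" comments, a one-line comment saying why the hardware hosts differ would help.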


@ -6,7 +6,7 @@ services:
- USER_UID=2000
- USER_GID=2000
- FORGEJO__database__DB_TYPE=postgres
- FORGEJO__database__HOST={{ local_ilb }}:5432
- FORGEJO__database__HOST={{ local_ilb }}:5433
- FORGEJO__database__NAME=forgejo
- FORGEJO__database__USER=forgejo
- FORGEJO__database__PASSWD={{ postgres_password }}
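Review bot: `{{ local_ilb }}:5433` on L347 (and the `:5433` added to the lldap URL at L359) points at a port that the haproxy `postgres` service changed in this commit does not visibly expose — the hunk at L67-74 alters only `secondaries` — so confirm the ilb listener on 5433 exists and which role it fronts (primary or replica), since a write-heavy Forgejo database pointed at a read replica would fail in non-obvious ways. A comment such as `# 5433 = ilb frontend for the postgres primary` (adjusted to whatever it actually is) would save the next reader the lookup.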


@ -26,7 +26,7 @@ services:
# - LLDAP_LDAPS_OPTIONS__KEY_FILE=/path/to/keyfile.key
# You can also set a different database:
# - LLDAP_DATABASE_URL=mysql://mysql-user:password@mysql-server/my-database
- LLDAP_DATABASE_URL=postgres://lldap:{{ postgres_password }}@{{ local_ilb }}/lldap
- LLDAP_DATABASE_URL=postgres://lldap:{{ postgres_password }}@{{ local_ilb }}:5433/lldap
# If using SMTP, set the following variables
# - LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET=true
# - LLDAP_SMTP_OPTIONS__SERVER=smtp.example.com


@ -60,7 +60,7 @@ table inet filter {
chain prerouting {
type nat hook prerouting priority 0
ip saddr != @local_subnets udp dport 53 dnat to {{ hostvars['dns-ext.chapoline.intra.catgrl.org'].ansible_host }}:53
ip saddr != @local_subnets udp dport 53 dnat to {{ hostvars['dns-ext.metz.intra.catgrl.org'].ansible_host }}:53
ip saddr != @local_subnets tcp dport 2222 dnat to {{ hostvars['git.chapoline.intra.catgrl.org'].ansible_host }}:222
}
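Review bot: The DNAT target on L370 hard-codes the current dns_ext master by hostname, which is what made this edit necessary and will again at the next master move; deriving it from the inventory keeps the firewall and `is_master` in step: `{{ groups['dns_ext'] | map('extract', hostvars) | selectattr('is_master') | map(attribute='ansible_host') | first }}`. The git DNAT on L371 would benefit from the same treatment if that host ever moves. Only udp 53 is forwarded; that predates this commit, but if dns-ext.metz must answer over TCP (truncated responses, zone transfers) a matching `tcp dport 53` rule would be needed.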


@ -10,8 +10,8 @@ ip route add {{ peer.endpoint }}/32 via {{ local_gateway }} dev {{ interface_dmz
{% endfor %}
{% for peer in peers.front %}
{% if peer.backend is defined %}
{% set local = (peers.backend|selectattr('name', 'equalto', inventory_hostname))[0]%}
{% if local is defined %}
iptables -t nat -A POSTROUTING -o {{ interface_dmz }} -s {{ local.subnet }} -d {{ peer.endpoint }}/32 -j MASQUERADE
{% endif %}
{% endfor %}
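Review bot: The `{% set local = … %}` on L380 (and L391 in the companion script) does not depend on `peer`, so it is re-evaluated on every iteration of the `peers.front` loop; hoist it above the `{% for %}`, e.g. `{% set local = peers.backend | selectattr('name', 'equalto', inventory_hostname) | first %}`, and keep the `{% if local is defined %}` guard. `first` on an empty selection yields an undefined value just as `[0]` does, so the guard should behave the same, but that is worth confirming under Ansible's undefined handling. Separately, `peer.backend` is only tested for definedness and never compared with `inventory_hostname` or `local.name`; if the masquerade is meant only for the front peer serving this backend, the condition should compare them. The template continues outside the hunk.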


@ -11,8 +11,8 @@ ip route add default dev {{ interface_dmz }}
{% for peer in peers.front %}
{% if peer.backend is defined %}
{% set local = (peers.backend|selectattr('name', 'equalto', inventory_hostname))[0]%}
{% if local is defined %}
iptables -t nat -D POSTROUTING -o {{ interface_dmz }} -s {{ local.subnet }} -d {{ peer.endpoint }}/32 -j MASQUERADE
{% endif %}
{% endfor %}