LQDN Adminsys issues
Feed: https://git.laquadrature.net/groups/lqdn-interne/-/issues
Last updated: 2023-04-20T09:46:03+02:00

Update hedgedocs service
Issue: https://git.laquadrature.net/lqdn-interne/piops/-/issues/14
Updated: 2023-04-20T09:46:03+02:00 | Author: nono | Milestone: Nouvelle infra

With the update of https://git.laquadrature.net/lqdn-interne/piops-roles/ansible-role-hedgedocs, we can update the playbook.

Fix idempotence of role
Issue: https://git.laquadrature.net/lqdn-interne/piops-roles/ansible-role-hedgedocs/-/issues/12
Updated: 2023-04-17T14:35:15+02:00 | Author: nono | Milestone: Version 0.1.0

```
CRITICAL Idempotence test failed because of the following tasks:
* => ansible-role-hedgedocs : Download archive from github
* => ansible-role-hedgedocs : Extract archive to home diretory
* => ansible-role-hedgedocs : Delete downloaded archive
* => ansible-role-hedgedocs : Make script and dependencies executable by all users
* => ansible-role-hedgedocs : Configure dependencies
* => ansible-role-hedgedocs : Remove script and dependencies execute right for all users
* => ansible-role-hedgedocs : Push Hedgedocs service configuration file
* => ansible-role-hedgedocs : Set safe permission recursively for Hedgedocs folder
* => ansible-role-hedgedocs : Reload nginx
```

Add extra options to the configuration of Hedgedocs
Issue: https://git.laquadrature.net/lqdn-interne/piops-roles/ansible-role-hedgedocs/-/issues/11
Updated: 2023-04-20T16:44:45+02:00 | Author: nono

See https://docs.hedgedoc.org/configuration/
Related to #8: if we run the hedgedoc service on a localhost, its service file needs to be modified to deactivate the options for HTTPS upgrade, CSP and HSTS security, otherwise it doesn't work because no JS nor CSS is loaded.
Related to #9 also.

Cleanup the role and remove unused parts
Issue: https://git.laquadrature.net/lqdn-interne/piops-roles/ansible-role-hedgedocs/-/issues/10
Updated: 2023-03-24T12:18:19+01:00 | Author: nono | Milestone: Version 0.1.0

The role was originally written to install all of its dependencies, including nginx for example. This is not the way it's supposed to be installed currently, but there are leftover files we should remove.

Add options to configure SAML connection in the role.
Issue: https://git.laquadrature.net/lqdn-interne/piops-roles/ansible-role-hedgedocs/-/issues/9
Updated: 2023-04-17T15:51:43+02:00 | Author: nono | Milestone: Version 0.1.0

Linked to https://forum.laquadrature.net/t/sso-md-lqdn-fr/222
And https://git.laquadrature.net/lqdn-interne/equipe_technique/-/issues/14
The documentation is here: https://docs.hedgedoc.org/configuration/#saml-login
- [ ] Add variables for configuring the role
- [ ] Add installation option to take into account the SSO config
- [ ] Add tests

Reorganise playbooks for test & prod
Issue: https://git.laquadrature.net/lqdn-interne/piops/-/issues/12
Updated: 2023-10-19T15:42:34+02:00 | Author: nono | Milestone: Nouvelle infra

Thanks to discussions with Fanch, it would be wise to fuse the two playbooks, and reorganise the *groups* to apply the variables in a similar way and define them depending on the context.
It's linked to !8

Add backups to every service
Issue: https://git.laquadrature.net/lqdn-interne/piops/-/issues/11
Updated: 2024-01-18T12:33:32+01:00 | Author: nono | Milestone: Nouvelle infra

Closes https://git.laquadrature.net/lqdn-interne/equipe_technique/-/issues/222

Add CI/CD pipeline to deploy playbook
Issue: https://git.laquadrature.net/lqdn-interne/piops/-/issues/10
Updated: 2023-11-10T11:44:00+01:00 | Author: nono | Milestone: Nouvelle infra

See
- https://stackoverflow.com/questions/63266075/how-to-run-ansible-playbook-from-gitlab-ci
- https://framagit.org/ploc/home-hosting-ansible
- https://about.gitlab.com/blog/2020/12/10/basics-of-gitlab-ci-updated/
- https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
- https://blog.callr.tech/gitlab-ansible-docker-ci-cd/
- https://www.bevuta.com/en/blog/continuous-delivery-with-gitlab-ci-and-ansible-part-1/
- https://medium.com/@keirwhitlock/use-molecule-gitlab-ci-to-automate-testing-of-ansible-roles-9d745cd89db1

Rename role to ansible-role-hedgedocs
Issue: https://git.laquadrature.net/lqdn-interne/piops-roles/ansible-role-hedgedocs/-/issues/6
Updated: 2023-01-24T15:27:58+01:00 | Author: nono | Milestone: Version 0.1.0

In line with common naming of roles.

Add testing via molecule
Issue: https://git.laquadrature.net/lqdn-interne/piops-roles/ansible-role-hedgedocs/-/issues/5
Updated: 2023-03-30T17:06:20+02:00 | Author: nono | Milestone: Version 0.1.0

- [x] Add molecule folder
- [x] Add create role
- [x] Update the Vagrant VM for testing
- [ ] Check omnipotence
- [x] Check installation
- [x] Check that the service is well running after role completion

Translate the tasks to english
Issue: https://git.laquadrature.net/lqdn-interne/piops-roles/ansible-role-hedgedocs/-/issues/2
Updated: 2023-04-17T12:00:21+02:00 | Author: nono | Milestone: Version 0.1.0

Write the README in english
Issue: https://git.laquadrature.net/lqdn-interne/piops-roles/ansible-role-hedgedocs/-/issues/1
Updated: 2023-01-20T11:29:39+01:00 | Author: nono | Milestone: Version 0.1.0

Add tests via molecule
Issue: https://git.laquadrature.net/lqdn-interne/piops/-/issues/9
Updated: 2023-09-21T13:56:56+02:00 | Author: nono | Milestone: Nouvelle infra

- [x] Configure tests via molecule
- [x] Add localhost inventory to molecule
- [x] Lint playbook
- [x] Verify inventory
- [x] Assert playbook configuration
- [x] Verify coverage
- [x] Add tests to be executed via CI/CD

Error in the handlers
Issue: https://git.laquadrature.net/lqdn-interne/piops-roles/security-lqdn/-/issues/2
Updated: 2021-10-17T12:24:09+02:00 | Author: nono

The handlers in https://git.laquadrature.net/lqdn-interne/piops-roles/security-lqdn/-/blob/master/handlers/main.yml#L4 are not the right ones.
Problem spotted by @daftaupe, thanks to him!

Update the README
Issue: https://git.laquadrature.net/lqdn-interne/piops/-/issues/8
Updated: 2022-01-14T10:54:58+01:00 | Author: nono | Milestone: Nouvelle infra

The procedure for adding a role and the configuration of groups is not exactly the one described in the README. In particular, we use two playbooks (production and test) instead of a single one, and we use groups to define the hosts the roles apply to instead of applying everything to every host.

Redirect lqdn.fr addresses to laquadrature.net and vice versa
Issue: https://git.laquadrature.net/lqdn-interne/piops/-/issues/6
Updated: 2024-02-15T11:40:29+01:00 | Author: nono

At the moment, some services are available under one URL but not the other. And the redirection doesn't seem to work every time.

SSL certificate management
Issue: https://git.laquadrature.net/lqdn-interne/piops/-/issues/5
Updated: 2021-11-22T10:25:13+01:00 | Author: nono

At the moment, the management of SSL certificates is not clear. They seem to be managed by Let's Encrypt. However, according to the archives:
> It's a mess, there are references to "/.wel-known/acme-challenge" everywhere :/ all that. Benjamin Sonntag: I propose that we forbid ourselves from making MULTI-DOMAIN certificates, so it's less of a mess for humans.

Replace all IPs in the hosts file with a URL
Issue: https://git.laquadrature.net/lqdn-interne/piops/-/issues/4
Updated: 2022-01-14T10:54:40+01:00 | Author: nono | Milestone: Nouvelle infra

For now, some servers are described by their URL in the hosts file, because the address is already taken, or because no URL of the form *.lqdn.fr exists for the moment.

Old Octopuce SSH keys still around
Issue: https://git.laquadrature.net/lqdn-interne/piops/-/issues/2
Updated: 2022-01-20T20:00:14+01:00 | Author: axel

I just realised `/root/.ssh/authorized_keys` on Pi still has keys of people who appear to have left Octopuce, such as Skhaen:
```
environment="SSHCLIENTUSER=Guillaume Lecoquierre",environment="EDITOR=/usr/bin/vim" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKlModVGvtRDjgMJes165L8RsOhOrHkzh2kkE8x9VIGZkFplRK8ZSO46xHpJgLnbAd9WSakCld+tZd6U0j2PCYUbTx0Eeo5GeKg6wMhdaJZ1S9Ci66YJidXGbYW5wvPK2kbjOIFxZWzpLl36i34FXNcJ0Z8K2YIfova5OhMR0xke/Y/MfjnoAe8653dxqlDK0BZwuu16MTerj2QxC7vkRdMkux2R7dldd+LeD31OMUFJzPz+8spzzr9s1nIarshhoRo19s/jmModyq5694QHcq6Ex+O6AB43jEBiKpOMfaD9bM6sloLYbMPZKiTXXg+nAx0A3m+pn1BBf82Qc0i83d guillaume@octopuce.fr root
```
There is also a key for François Dupont, who doesn't appear to be part of Octopuce, if [this page](https://www.octopuce.fr/Equipe/) is up to date.
They should be removed on the Octopuce side, given that file is managed by their Puppet.

Manage SSH keys through Ansible
Issue: https://git.laquadrature.net/lqdn-interne/piops/-/issues/1
Updated: 2022-01-14T10:52:23+01:00 | Author: Porkepix

SSH authorized keys should be managed through Ansible.
I plan on adding it.
Current state is to use `authorized_keys2` because `authorized_keys` is managed by Octopuce's Puppet, therefore any modification would be erased. Everything is on the `root` account, we don't have personal accounts.
For now we'll keep working with it.
As for the question:
I'll do a `common` role in the repository. As it's not the kind of role you keep generic, I don't think having it in a separate repository is the way to go.
Now two questions:
- Current files seem to have been modified, people in the files are not the same as those in the pad. Do I refer to the server file as the truth and use this?
- Do you prefer to keep it as simple as possible and just do a bare copy of the file, or a template and configure every user and parameter in a config file instead?