| author | Matthieu Pignolet <m@mpgn.dev> | 2025-03-17 14:18:03 +0400 |
|---|---|---|
| committer | Matthieu Pignolet <m@mpgn.dev> | 2025-03-17 14:18:03 +0400 |
| commit | 5098223d5c81fac49ded8e555ba629281b06d425 (patch) | |
| tree | 451988b8a7287735ac98704c5f2b1783fd837666 | |
| parent | 63efaaf0ba315a9af837d9e9016d331a1327e5e5 (diff) | |
initial commit: migrate all `MatthieuCoder/pantheon-ansible` files to the oss repo
54 files changed, 1189 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..feacde3
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,3 @@
+ansible-galaxy-deps: roles/requirements.yml
+ ansible-galaxy install -r ./roles/requirements.yml --force
+.PHONY: ansible-galaxy-deps
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..de77a25
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,11 @@
+[defaults]
+roles_path=roles
+inventory=inventory
+nocows=1
+host_key_checking = False
+
+[inventory_plugin_script]
+always_show_stderr = true
+
+[inventory]
+enable_plugins = script
\ No newline at end of file
diff --git a/group_vars/vms b/group_vars/vms
new file mode 100644
index 0000000..6d826b3
--- /dev/null
+++ b/group_vars/vms
@@ -0,0 +1,2 @@
+kerberos_user: "ansible/admin@LAB.MPGN.DEV"
+kerberos_password: "superpassword123"
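Review bot: `host_key_checking = False` under `[defaults]` in ansible.cfg turns off SSH host key verification for every play, so a machine answering for one of the inventory addresses is never challenged, and kerberos.yml later sends the kadmin admin password over exactly those sessions. Prefer the default and distribute the lab's host keys through a managed `known_hosts`; if the exception has to stay, scope it with a comment such as `# host_key_checking off for the lab only — TODO: ship known_hosts and remove`.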
\ No newline at end of file diff --git a/guest-firewall.yml b/guest-firewall.yml new file mode 100644 index 0000000..eab04ec --- /dev/null +++ b/guest-firewall.yml @@ -0,0 +1,18 @@ +- hosts: vms + become: true + vars: + nft_enabled: true + nft_main_conf_content: "templates/etc/nftables.conf.j2" + nft_flush_table_target: 'inet filter' + nft_output_default_rules: + 000 policy: + - type filter hook output priority 0; policy accept; + nft_input_rules: + 014 allow snmp: + - udp dport 161 accept + - tcp dport 161 accept + 014 allow icmp ping: + - meta l4proto icmp icmp type { echo-request, echo-reply } counter accept + - meta l4proto ipv6-icmp icmpv6 type { echo-request, echo-reply } counter accept + roles: + - role: ipr-cnrs.nftables diff --git a/guest-librenms.yml b/guest-librenms.yml new file mode 100644 index 0000000..b3bd70f --- /dev/null +++ b/guest-librenms.yml 
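Review bot: group_vars/vms commits the kadmin admin credential `kerberos_password` in clear text, and because group_vars are loaded for every host in `vms` it is exposed to every play that targets that group, not just kerberos.yml. Hold the value vault-encrypted (`kerberos_password: !vault |` followed by the ciphertext) or read it with `lookup('env', ...)`, and since the commit message says this is the open-source repo the value should be treated as disclosed and rotated. The principal name can stay in clear text.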
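Review bot: The `014 allow snmp` rules in guest-firewall.yml accept `udp dport 161` and `tcp dport 161` from any source, so SNMPv3 on every VM is reachable from the whole segment rather than from the LibreNMS poller only. Add a source match in front of the port, e.g. `- ip saddr POLLER_ADDR udp dport 161 accept` (POLLER_ADDR is a placeholder for the poller's address), and drop the TCP rule unless something actually polls over TCP — `snmpd_agent_address` in guest-librenms.yml only listens on `udp:161` and `udp6:[::]:161`. The file also lacks the `---` document start used by the other playbooks.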
@@ -0,0 +1,36 @@ +--- +- name: Setup SNMPv3 and add the vm to LibreNMS + hosts: vms + become: true + gather_facts: true + pre_tasks: + - set_fact: + snmp_user_internal: "{{ snmp_user_internal | default(lookup('password', '/dev/null length=15 chars=ascii_letters')) }}" + snmp_user_password_auth: "{{ snmp_user_password_auth | default(lookup('password', '/dev/null length=15 chars=ascii_letters')) }}" + snmp_user_password_privacy: "{{ snmp_user_password_privacy | default(lookup('password', '/dev/null length=15 chars=ascii_letters')) }}" + roles: + - role: oefenweb.snmpd + snmpd_sys_description: "{{ inventory_hostname }}" + snmpd_sys_contact: "Matthieu <m@mpgn.dev>" + snmpd_opts: "-LSwd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux,mteTrigger,mteTriggerConf -p /run/snmpd.pid" + snmpd_internal_user: + username: administrator + password: "{{ snmp_user_internal }}" + auth_protocol: SHA + snmpd_install: [] + snmpd_agent_address: + - "udp:161" + - "udp6:[::]:161" + snmpd_mibs: "SNMPv2-TC:SNMPv2-MIB:IF-MIB:IP-MIB:TCP-MIB:UDP-MIB:SNMP-VACM-MIB" + snmpd_users: + - username: librenms + password: "{{ snmp_user_password_auth }}" + type: rouser + auth_protocol: SHA + privacy_passphrase: "{{ snmp_user_password_privacy }}" + privacy_protocol: AES + post_tasks: + - name: update the librenms configuration + ansible.builtin.command: ./script/librenms-provision.py -auth-algo SHA -auth-secret {{ snmp_user_password_auth }} -auth-name librenms -crypto-algo AES -crypto-secret {{ snmp_user_password_privacy }} -hostname {{ ansible_host }} + delegate_to: 127.0.0.1 + chdir: "{{ playbook_dir }}" diff --git a/guest-repos.yml b/guest-repos.yml new file mode 100644 index 0000000..bb07df0 --- /dev/null +++ b/guest-repos.yml 
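Review bot: In the `update the librenms configuration` post_task, `chdir:` is written as a sibling of `ansible.builtin.command:` instead of under `args:`, which Ansible rejects as an unsupported task attribute; it should read `args:` / `  chdir: "{{ playbook_dir }}"`. The same task interpolates both SNMPv3 secrets into the command line, where they appear in the controller's process list and in the play output, so add `no_log: true` and consider handing them over via `environment:` rather than argv (librenms-provision.py would then read them from the environment). Separately, the `set_fact` pre_task draws fresh `lookup('password', '/dev/null ...)` values on every run, so each run re-keys snmpd and re-patches LibreNMS; persist the values (vault, or the password lookup with a real file path) so the play is idempotent. host-librenms.yml has the same three issues.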
@@ -0,0 +1,14 @@ +--- +- name: Setup apt repos on guests + hosts: vms + become: true + gather_facts: true + roles: + - role: oefenweb.apt + apt_debian_contrib_nonfree_enable: true + apt_manage_sources_list: true + apt_src_enable: false + apt_backports_enable: false + apt_debian_mirror: "http://debian.mithril.re/debian" + apt_install: + - snmp-mibs-downloader diff --git a/guest-sysctl.yml b/guest-sysctl.yml new file mode 100644 index 0000000..33bf0fa --- /dev/null +++ b/guest-sysctl.yml @@ -0,0 +1,56 @@ +- hosts: vms + become: true + roles: + - oefenweb.sysctl + vars: + sysctl_settings: + - name: net.ipv4.conf.default.accept_source_route + value: 0 + - name: net.ipv4.tcp_syncookies + value: 1 + - name: net.ipv4.tcp_synack_retries + value: 5 + - name: net.ipv4.conf.all.send_redirects + value: 0 + - name: net.ipv4.conf.default.send_redirects + value: 0 + - name: net.ipv4.conf.all.accept_source_route + value: 0 + - name: net.ipv4.conf.all.accept_redirects + value: 0 + - name: net.ipv4.conf.all.secure_redirects + value: 0 + - name: net.ipv4.conf.default.accept_source_route + value: 0 + - name: net.ipv4.conf.default.accept_redirects + value: 0 + - name: net.ipv4.conf.default.secure_redirects + value: 0 + - name: net.ipv4.icmp_echo_ignore_broadcasts + value: 1 + - name: net.ipv4.tcp_syncookies + value: 1 + - name: net.ipv4.conf.all.rp_filter + value: 1 + - name: net.ipv4.conf.default.rp_filter + value: 1 + - name: net.ipv6.conf.default.router_solicitations + value: 0 + - name: net.ipv6.conf.default.accept_ra_rtr_pref + value: 0 + - name: net.ipv6.conf.default.accept_ra_pinfo + value: 0 + - name: net.ipv6.conf.default.accept_ra_defrtr + value: 0 + - name: net.ipv6.conf.default.autoconf + value: 0 + - name: net.ipv6.conf.default.dad_transmits + value: 0 + - name: net.ipv6.conf.default.max_addresses + value: 1 + - name: net.ipv4.tcp_timestamps + value: 0 + - name: net.ipv4.ip_local_port_range + value: "2000 65000" + - name: net.ipv4.tcp_rfc1337 + value: 1
\ No newline at end of file diff --git a/guest-syslog.yml b/guest-syslog.yml new file mode 100644 index 0000000..31fd7ee --- /dev/null +++ b/guest-syslog.yml @@ -0,0 +1,10 @@ +- name: Apply syslog settings on pve hosts + hosts: vms + become: true + gather_facts: true + roles: + - role: robertdebock.bootstrap + - role: robertdebock.rsyslog + rsyslog_remote_selector: "*.*" + rsyslog_remote_tcp: no + rsyslog_remote: "10.80.50.122" diff --git a/guest-upgrade.yml b/guest-upgrade.yml new file mode 100644 index 0000000..4d3ce52 --- /dev/null +++ b/guest-upgrade.yml @@ -0,0 +1,14 @@ +--- +- name: Upgrade all vms to the latest version + hosts: vms + become: true + gather_facts: true + tasks: + - name: Update all packages to their latest version + ansible.builtin.apt: + name: "*" + state: latest + autoremove: yes + purge: true + clean: yes + update_cache: true diff --git a/host-librenms.yml b/host-librenms.yml new file mode 100644 index 0000000..b7b4d66 --- /dev/null +++ b/host-librenms.yml 
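Review bot: `sysctl_settings` in guest-sysctl.yml lists `net.ipv4.conf.default.accept_source_route` and `net.ipv4.tcp_syncookies` twice each; the role applies them twice harmlessly, but the list reads as two sources merged by accident, so drop the second occurrences. `net.ipv4.tcp_timestamps: 0` is a deliberate-looking trade-off (it also disables PAWS) that deserves a why-comment, e.g. `# timestamps off on purpose — see <ticket placeholder>`. The file has no `---` document start and no trailing newline.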
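Review bot: `rsyslog_remote_tcp: no` in guest-syslog.yml uses the YAML 1.1 spelling; write `rsyslog_remote_tcp: false` so the value reads the same under 1.2 parsers and yamllint's truthy rule. host-syslog.yml has the same spelling, and guest-upgrade.yml/host-upgrade.yml mix `autoremove: yes` / `clean: yes` with `purge: true` / `update_cache: true` inside one task — use `true` throughout. With TCP off the logs reach 10.80.50.122 over plain UDP; that is acceptable on the lab segment but worth a comment, since host_vars/loki.pantheon.lab.mpgn.dev.yml opens both 514/tcp and 514/udp on that host.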
@@ -0,0 +1,45 @@ +- name: Setup LibreNMS to handle + hosts: pve + become: true + gather_facts: true + pre_tasks: + - set_fact: + snmp_user_internal: "{{ snmp_user_internal | default(lookup('password', '/dev/null length=15 chars=ascii_letters')) }}" + snmp_user_password_auth: "{{ snmp_user_password_auth | default(lookup('password', '/dev/null length=15 chars=ascii_letters')) }}" + snmp_user_password_privacy: "{{ snmp_user_password_privacy | default(lookup('password', '/dev/null length=15 chars=ascii_letters')) }}" + roles: + - role: oefenweb.apt + apt_debian_contrib_nonfree_enable: true + apt_manage_sources_list: true + apt_src_enable: false + apt_backports_enable: false + apt_debian_mirror: "http://debian.mithril.re/debian" + apt_install: + - snmp-mibs-downloader + - role: oefenweb.snmpd + snmpd_sys_description: "{{ inventory_hostname }}" + snmpd_sys_contact: "Matthieu <m@mpgn.dev>" + snmpd_opts: "-LSwd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux,mteTrigger,mteTriggerConf -p /run/snmpd.pid" + snmpd_internal_user: + username: administrator + password: "{{ snmp_user_internal }}" + auth_protocol: SHA + snmpd_install: [] + snmpd_agent_address: + - "udp:@struct:161" + - "udp:@lan:161" + - "udp:@cluster:161" + - "udp:@vrfbr_pantheon:161" + snmpd_mibs: "SNMPv2-TC:SNMPv2-MIB:IF-MIB:IP-MIB:TCP-MIB:UDP-MIB:SNMP-VACM-MIB" + snmpd_users: + - username: librenms + password: "{{ snmp_user_password_auth }}" + type: rouser + auth_protocol: SHA + privacy_passphrase: "{{ snmp_user_password_privacy }}" + privacy_protocol: AES + post_tasks: + - name: update the librenms configuration + ansible.builtin.command: ./script/librenms-provision.py -auth-algo SHA -auth-secret {{ snmp_user_password_auth }} -auth-name librenms -crypto-algo AES -crypto-secret {{ snmp_user_password_privacy }} -hostname {{ ansible_hostname }} + delegate_to: 127.0.0.1 + chdir: "{{ playbook_dir }}" diff --git a/host-security.yml b/host-security.yml new file mode 100644 index 0000000..baa641e --- /dev/null 
+++ b/host-security.yml @@ -0,0 +1,18 @@ +- name: Set sysctl values for host (proxmox) + hosts: pve + become: true + gather_facts: false + roles: + - role: robertdebock.bootstrap + - role: robertdebock.sysctl + sysctl_items: + - name: net.ipv6.conf.all.forwarding + value: 1 + tasks: + - name: generate proxmox repo files + ansible.builtin.template: + src: "templates/proxmox_sources.j2" + dest: "/etc/apt/sources.list.d/proxmox.list" + owner: root + group: root + mode: "0644" diff --git a/host-syslog.yml b/host-syslog.yml new file mode 100644 index 0000000..c30382d --- /dev/null +++ b/host-syslog.yml @@ -0,0 +1,10 @@ +- name: Apply syslog settings on pve hosts + hosts: pve + become: true + gather_facts: true + roles: + - role: robertdebock.bootstrap + - role: robertdebock.rsyslog + rsyslog_remote_selector: "*.*" + rsyslog_remote_tcp: no + rsyslog_remote: "10.80.50.122" diff --git a/host-upgrade.yml b/host-upgrade.yml new file mode 100644 index 0000000..e16be43 --- /dev/null +++ b/host-upgrade.yml @@ -0,0 +1,13 @@ +- name: Upgrade all proxmox hosts + hosts: pve + become: true + gather_facts: true + tasks: + - name: Update all packages to their latest version + ansible.builtin.apt: + name: "*" + state: latest + autoremove: yes + purge: true + clean: yes + update_cache: true diff --git a/host_vars/adguard1.pantheon.lab.mpgn.dev.yml b/host_vars/adguard1.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..f6c6462 --- /dev/null +++ b/host_vars/adguard1.pantheon.lab.mpgn.dev.yml 
@@ -0,0 +1,19 @@ +--- +nft_input_host_rules: + 400 allow dns: + - tcp dport { 53 } ct state new accept + - udp dport { 53 } ct state new accept + 401 allow adguard webui: + - tcp dport { 80 } ct state new accept + 402 allow adguard-sync webui: + - tcp dport { 8080 } ct state new accept + +# Nmap scan report for adguard1.pantheon.lab.mpgn.dev (10.80.50.111) +# Host is up (0.00014s latency). +# Not shown: 996 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 53/tcp open domain +# 80/tcp open http +# 8080/tcp open http-proxy +# MAC Address: BC:24:11:11:32:49 (Unknown)
\ No newline at end of file diff --git a/host_vars/authelia.pantheon.lab.mpgn.dev.yml b/host_vars/authelia.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..6cb17e7 --- /dev/null +++ b/host_vars/authelia.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,12 @@ +--- +nft_input_host_rules: + 400 allow authelia https: + - tcp dport { 443 } ct state new accept + +# Nmap scan report for authelia.pantheon.lab.mpgn.dev (10.80.50.127) +# Host is up (0.00012s latency). +# Not shown: 998 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 443/tcp open https +# MAC Address: BC:24:11:5F:E4:44 (Unknown)
\ No newline at end of file diff --git a/host_vars/bastion-kerberos.pantheon.lab.mpgn.dev.yml b/host_vars/bastion-kerberos.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..822c94e --- /dev/null +++ b/host_vars/bastion-kerberos.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,10 @@ +--- +nft_input_host_rules: [] + +# Nmap scan report for bastion-kerberos.pantheon.lab.mpgn.dev (10.80.50.123) +# Host is up (0.000083s latency). +# Not shown: 998 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 111/tcp open rpcbind +# MAC Address: BC:24:11:CD:A2:3E (Unknown)
\ No newline at end of file diff --git a/host_vars/factorio.pantheon.lab.mpgn.dev.yml b/host_vars/factorio.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..f276084 --- /dev/null +++ b/host_vars/factorio.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,9 @@ +--- +nft_input_host_rules: [] + +# Nmap scan report for factorio.pantheon.lab.mpgn.dev (10.80.50.107) +# Host is up (0.00014s latency). +# Not shown: 999 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# MAC Address: BC:24:11:BE:E3:D8 (Unknown)
\ No newline at end of file diff --git a/host_vars/falco-sidekick.pantheon.lab.mpgn.dev.yml b/host_vars/falco-sidekick.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..06b8145 --- /dev/null +++ b/host_vars/falco-sidekick.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,9 @@ +--- +nft_input_host_rules: [] + +# Nmap scan report for falco-sidekick.pantheon.lab.mpgn.dev (10.80.50.126) +# Host is up (0.000050s latency). +# Not shown: 999 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# MAC Address: BC:24:11:6B:82:51 (Unknown)
\ No newline at end of file diff --git a/host_vars/freepbx.pantheon.lab.mpgn.dev.yml b/host_vars/freepbx.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..a866fd3 --- /dev/null +++ b/host_vars/freepbx.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,14 @@ +--- +nft_input_host_rules: [] + +# Nmap scan report for freepbx.pantheon.lab.mpgn.dev (10.80.50.131) +# Host is up (0.00013s latency). +# Not shown: 994 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 80/tcp open http +# 443/tcp open https +# 1720/tcp open h323q931 +# 8001/tcp open vcom-tunnel +# 8089/tcp open unknown +# MAC Address: BC:24:11:1A:DD:10 (Unknown)
\ No newline at end of file diff --git a/host_vars/gns3.pantheon.lab.mpgn.dev.yml b/host_vars/gns3.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..c8b5798 --- /dev/null +++ b/host_vars/gns3.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,10 @@ +--- +nft_input_host_rules: [] + +# Nmap scan report for gns3.pantheon.lab.mpgn.dev (10.80.50.112) +# Host is up (0.000047s latency). +# Not shown: 998 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 179/tcp open bgp +# MAC Address: BC:24:11:0A:CE:00 (Unknown)
\ No newline at end of file diff --git a/host_vars/homarr.pantheon.lab.mpgn.dev.yml b/host_vars/homarr.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..3af1633 --- /dev/null +++ b/host_vars/homarr.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,10 @@ +--- +nft_input_host_rules: [] + +# Nmap scan report for homarr.pantheon.lab.mpgn.dev (10.80.50.106) +# Host is up (0.00015s latency). +# Not shown: 998 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 443/tcp open https +# MAC Address: BC:24:11:03:8F:A1 (Unknown)
\ No newline at end of file diff --git a/host_vars/influxdb.pantheon.lab.mpgn.dev.yml b/host_vars/influxdb.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..35c6f92 --- /dev/null +++ b/host_vars/influxdb.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,15 @@ +--- +nft_input_host_rules: + 400 librenms web interface: + - tcp dport { 443 } ct state new accept + +# Nmap scan report for influxdb.pantheon.lab.mpgn.dev (10.80.50.108) +# Host is up (0.00014s latency). +# Not shown: 995 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 443/tcp open https +# 8086/tcp open d-s-n +# 9090/tcp open zeus-admin +# 9100/tcp open jetdirect +# MAC Address: BC:24:11:94:27:2E (Unknown)
\ No newline at end of file diff --git a/host_vars/iredmail.pantheon.lab.mpgn.dev.yml b/host_vars/iredmail.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..9219ecb --- /dev/null +++ b/host_vars/iredmail.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,9 @@ +--- +nft_input_host_rules: [] + +# Nmap scan report for iredmail.pantheon.lab.mpgn.dev (10.80.50.132) +# Host is up (0.000043s latency). +# Not shown: 999 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# MAC Address: BC:24:11:E3:A3:F3 (Unknown)
\ No newline at end of file diff --git a/host_vars/kali.pantheon.lab.mpgn.dev.yml b/host_vars/kali.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..2ff86d8 --- /dev/null +++ b/host_vars/kali.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,12 @@ +--- +nft_input_host_rules: + 400 allow greenbone: + - tcp dport { 9392 } ct state new accept + +# Nmap scan report for kali.pantheon.lab.mpgn.dev (10.80.50.119) +# Host is up (0.0000050s latency). +# Not shown: 997 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 80/tcp open http +# 3389/tcp open ms-wbt-server
\ No newline at end of file diff --git a/host_vars/krb-fs.pantheon.lab.mpgn.dev.yml b/host_vars/krb-fs.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..0dc41ce --- /dev/null +++ b/host_vars/krb-fs.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,11 @@ +--- +nft_input_host_rules: [] + +# Nmap scan report for krb-fs.pantheon.lab.mpgn.dev (10.80.50.133) +# Host is up (0.000063s latency). +# Not shown: 997 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 111/tcp open rpcbind +# 2049/tcp open nfs +# MAC Address: BC:24:11:FB:94:B8 (Unknown) diff --git a/host_vars/ldap.pantheon.lab.mpgn.dev.yml b/host_vars/ldap.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..b9aa457 --- /dev/null +++ b/host_vars/ldap.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,22 @@ +--- +nft_input_host_rules: + 400 allow kerberos: + - udp dport { 88, 749, 111, 464 } ct state new accept + - tcp dport { 88, 749, 111, 464 } ct state new accept + + 401 allow ldap: + - udp dport { 389, 636 } ct state new accept + - tcp dport { 389, 636 } ct state new accept + +# Nmap scan report for ldap.pantheon.lab.mpgn.dev (10.80.50.104) +# Host is up (0.00013s latency). +# Not shown: 993 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 88/tcp open kerberos-sec +# 111/tcp open rpcbind +# 389/tcp open ldap +# 464/tcp open kpasswd5 +# 636/tcp open ldapssl +# 749/tcp open kerberos-adm +# MAC Address: BC:24:11:D5:84:08 (Unknown) diff --git a/host_vars/librenms-web.pantheon.lab.mpgn.dev.yml b/host_vars/librenms-web.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..9f7ef82 --- /dev/null +++ b/host_vars/librenms-web.pantheon.lab.mpgn.dev.yml 
@@ -0,0 +1,13 @@ +--- +nft_input_host_rules: + 400 librenms web interface: + - tcp dport { 80, 443, 42217 } ct state new accept + +# Nmap scan report for librenms-web.pantheon.lab.mpgn.dev (10.80.50.109) +# Host is up (0.00013s latency). +# Not shown: 997 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 80/tcp open http +# 443/tcp open https +# MAC Address: BC:24:11:BA:22:D0 (Unknown)
\ No newline at end of file diff --git a/host_vars/librenms.pantheon.lab.mpgn.dev.yml b/host_vars/librenms.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..4984ce4 --- /dev/null +++ b/host_vars/librenms.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,13 @@ +--- +nft_input_host_rules: + 400 librenms backend services: + - tcp dport { 3306, 11211, 6379 } ct state new accept + +# Nmap scan report for librenms.pantheon.lab.mpgn.dev (10.80.50.105) +# Host is up (0.00013s latency). +# Not shown: 997 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 111/tcp open rpcbind +# 3306/tcp open mysql +# MAC Address: BC:24:11:67:B1:2C (Unknown)
\ No newline at end of file diff --git a/host_vars/loki.pantheon.lab.mpgn.dev.yml b/host_vars/loki.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..4981bb8 --- /dev/null +++ b/host_vars/loki.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,16 @@ +--- +nft_input_host_rules: + 400 allow loki api: + - tcp dport { 9080, 3100 } ct state new accept + 401 allow syslog: + - tcp dport { 514 } ct state new accept + - udp dport { 514 } ct state new accept + +# Nmap scan report for loki.pantheon.lab.mpgn.dev (10.80.50.122) +# Host is up (0.00019s latency). +# Not shown: 997 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 514/tcp open shell +# 9080/tcp open glrpc +# MAC Address: BC:24:11:34:5A:7D (Unknown)
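Review bot: `400 librenms backend services` in host_vars/librenms.pantheon.lab.mpgn.dev.yml accepts `tcp dport { 3306, 11211, 6379 }` from any source, so MySQL, memcached and redis are reachable from every host on the segment rather than from librenms-web only; put `ip saddr 10.80.50.109` (the librenms-web address recorded in its own host_vars comment) in front of the dport match. host_vars/postgresql.pantheon.lab.mpgn.dev.yml has the same shape: its rule is titled `allow postgres from other VMs` but carries no source restriction either. The nmap excerpts in these files are a useful snapshot but will drift; a date line such as `# nmap snapshot taken <date placeholder>` makes clear they are not the spec.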
\ No newline at end of file diff --git a/host_vars/media.pantheon.lab.mpgn.dev.yml b/host_vars/media.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..edd9ca3 --- /dev/null +++ b/host_vars/media.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,17 @@ +--- +nft_input_host_rules: + 400 allow bittorrent access: + - iif "eth0" tcp dport { 8080 } ct state new accept + 400 input torrent accepted: + - udp dport 6881 ct state new accept + 400 allow access to sonarr: + - iif "eth0" tcp dport { 8989 } ct state new accept + +# Nmap scan report for media.pantheon.lab.mpgn.dev (10.80.50.103) +# Host is up (0.000037s latency). +# Not shown: 997 closed tcp ports (reset) +# PORT STATE SERVICE +# 21/tcp open ftp +# 22/tcp open ssh +# 8080/tcp open http-proxy +# MAC Address: BC:24:11:47:18:60 (Unknown)
\ No newline at end of file diff --git a/host_vars/ollama.pantheon.lab.mpgn.dev.yml b/host_vars/ollama.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..9d0ab1e --- /dev/null +++ b/host_vars/ollama.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,13 @@ +--- +nft_input_host_rules: + 400 allow ollama access: + - tcp dport { 3000 } ct state new accept + +# Nmap scan report for ollama.pantheon.lab.mpgn.dev (10.80.50.114) +# Host is up (0.000060s latency). +# Not shown: 997 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 3000/tcp open ppp +# 8000/tcp open http-alt +# MAC Address: BC:24:11:39:D0:15 (Unknown) diff --git a/host_vars/orion.pantheon.lab.mpgn.dev.yml b/host_vars/orion.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..e1cf35e --- /dev/null +++ b/host_vars/orion.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,12 @@ +--- +nft_input_host_rules: + 400 allow bgp: + - tcp dport { 179 } ct state new accept + +# Nmap scan report for orion.pantheon.lab.mpgn.dev (10.80.50.118) +# Host is up (0.00013s latency). +# Not shown: 998 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 179/tcp open bgp +# MAC Address: BC:24:11:C6:A2:70 (Unknown)
\ No newline at end of file diff --git a/host_vars/ovpn.pantheon.lab.mpgn.dev.yml b/host_vars/ovpn.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..dc58141 --- /dev/null +++ b/host_vars/ovpn.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,13 @@ +--- +nft_input_host_rules: + 400 allow bgp: + - tcp dport { 179 } ct state new accept + +# Nmap scan report for ovpn.pantheon.lab.mpgn.dev (10.80.50.125) +# Host is up (0.00013s latency). +# Not shown: 997 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 53/tcp open domain +# 179/tcp open bgp +# MAC Address: BC:24:11:BA:CF:86 (Unknown)
\ No newline at end of file diff --git a/host_vars/pantheon-lb.pantheon.lab.mpgn.dev.yml b/host_vars/pantheon-lb.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..0166125 --- /dev/null +++ b/host_vars/pantheon-lb.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,16 @@ +--- +nft_input_host_rules: + 400 allow loadbalancer access: + - tcp dport { 80, 443 } ct state new accept + 401 allow haproxy stats: + - tcp dport { 8443 } ct state new accept + +# Nmap scan report for pantheon-lb.pantheon.lab.mpgn.dev (10.80.50.102) +# Host is up (0.00013s latency). +# Not shown: 996 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 80/tcp open http +# 443/tcp open https +# 8443/tcp open https-alt +# MAC Address: BC:24:11:C6:8F:6B (Unknown)
\ No newline at end of file diff --git a/host_vars/pdm.pantheon.lab.mpgn.dev.yml b/host_vars/pdm.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..bc19343 --- /dev/null +++ b/host_vars/pdm.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,13 @@ +--- +nft_input_host_rules: + 400 allow proxmox datacenter manager ui: + - tcp dport { 443, 8443 } ct state new accept + +# Nmap scan report for pdm.pantheon.lab.mpgn.dev (10.80.50.113) +# Host is up (0.00021s latency). +# Not shown: 997 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 443/tcp open https +# 8443/tcp open https-alt +# MAC Address: BC:24:11:4D:A1:CA (Unknown)
\ No newline at end of file diff --git a/host_vars/postgresql.pantheon.lab.mpgn.dev.yml b/host_vars/postgresql.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..52578c0 --- /dev/null +++ b/host_vars/postgresql.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,12 @@ +--- +nft_input_host_rules: + 400 allow postgres from other VMs: + - tcp dport { 5432 } ct state new accept + +# Nmap scan report for postgresql.pantheon.lab.mpgn.dev (10.80.50.100) +# Host is up (0.00014s latency). +# Not shown: 998 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 5432/tcp open postgresql +# MAC Address: BC:24:11:51:61:34 (Unknown)
\ No newline at end of file diff --git a/host_vars/powerdns-webui.pantheon.lab.mpgn.dev.yml b/host_vars/powerdns-webui.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..55dd0b2 --- /dev/null +++ b/host_vars/powerdns-webui.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,13 @@ +--- +nft_input_host_rules: + 400 allow powerdns ui: + - tcp dport { 80, 443 } ct state new accept + +# Nmap scan report for powerdns-webui.pantheon.lab.mpgn.dev (10.80.50.116) +# Host is up (0.00012s latency). +# Not shown: 997 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 80/tcp open http +# 443/tcp open https +# MAC Address: BC:24:11:66:97:71 (Unknown)
\ No newline at end of file diff --git a/host_vars/pufferpanel.pantheon.lab.mpgn.dev.yml b/host_vars/pufferpanel.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..bf8230b --- /dev/null +++ b/host_vars/pufferpanel.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,12 @@ +--- +nft_input_host_rules: + 400 allow pufferpanel admin interface: + - tcp dport 8080 ct state new accept + +# Nmap scan report for pufferpanel.pantheon.lab.mpgn.dev (10.80.50.110) +# Host is up (0.000048s latency). +# Not shown: 998 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# 8080/tcp open http-proxy +# MAC Address: BC:24:11:FF:DD:3F (Unknown) diff --git a/host_vars/reflector.pantheon.lab.mpgn.dev.yml b/host_vars/reflector.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..970e9a5 --- /dev/null +++ b/host_vars/reflector.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,9 @@ +--- +nft_input_host_rules: [] + +# Nmap scan report for reflector.pantheon.lab.mpgn.dev (10.80.50.101) +# Host is up (0.00014s latency). +# Not shown: 999 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# MAC Address: BC:24:11:80:3F:30 (Unknown)
\ No newline at end of file diff --git a/host_vars/toan-box.pantheon.lab.mpgn.dev.yml b/host_vars/toan-box.pantheon.lab.mpgn.dev.yml new file mode 100644 index 0000000..6f98ba6 --- /dev/null +++ b/host_vars/toan-box.pantheon.lab.mpgn.dev.yml @@ -0,0 +1,9 @@ +--- +nft_input_host_rules: [] + +# Nmap scan report for toan-box.pantheon.lab.mpgn.dev (10.80.50.117) +# Host is up (0.000061s latency). +# Not shown: 999 closed tcp ports (reset) +# PORT STATE SERVICE +# 22/tcp open ssh +# MAC Address: BC:24:11:65:1D:A9 (Unknown) diff --git a/inventory/.gitignore b/inventory/.gitignore new file mode 100644 index 0000000..2eea525 --- /dev/null +++ b/inventory/.gitignore @@ -0,0 +1 @@ +.env
\ No newline at end of file
diff --git a/inventory/proxmox-ipam-inventory.py b/inventory/proxmox-ipam-inventory.py
new file mode 100755
index 0000000..cb0daf7
--- /dev/null
+++ b/inventory/proxmox-ipam-inventory.py
@@ -0,0 +1,87 @@ +#!/usr/bin/env python3 + +import requests +import ipaddress +import json +import dotenv + +def main(): + pass + +config = dotenv.dotenv_values() +proxmox_host = config["PROXMOX_URL"] +api_key = config["PROXMOX_API_KEY"] +reqs = requests.Session() +reqs.headers.update( + {"Authorization": api_key}, +) + + +def do_req(request): + request.raise_for_status() + return request + + +vms, ipam = [ + do_req(request).json() + for request in [ + reqs.get(f"{proxmox_host}/api2/json/cluster/resources"), + reqs.get(f"{proxmox_host}/api2/json/cluster/sdn/ipams/pve/status"), + ] +] + +inventory = { + "_meta": { + "hostvars": {}, + }, + "lxc": {"hosts": [], "vars": {"ansible_user": "root"}}, + "qemu": {"hosts": [], "vars": {"ansible_user": "matthieu"}}, + "vms": { + "children": ["lxc", "qemu"], + }, + "pve": { + "hosts": ["10.80.255.2", "10.80.255.200", "10.80.255.201", "10.80.255.202"], + "vars": {"ansible_connection": "ssh", "ansible_user": "root"}, + }, +} + +vmIpamDict = {} +for record in ipam["data"]: + valid = "vmid" in record and "ip" in record + if not valid: + continue + if record["vmid"] in vmIpamDict: + vmIpamDict[record["vmid"]].append(record["ip"]) + else: + vmIpamDict[record["vmid"]] = [record["ip"]] + +for vm in vms["data"]: + valid = ( + "type" in vm + and vm["type"] in ["lxc", "qemu"] + and "status" in vm + and vm["status"] == "running" + and "name" in vm + ) + if not valid: + continue + + # We only use the IPv4 IPs for Ansible since the IPv6 evpn fabric is still unstable + # because of the evpn redistribution issue. + + if f"{vm['vmid']}" in vmIpamDict: + ipamIPs = [ + ip + for ip in [ipaddress.ip_address(ip) for ip in vmIpamDict[f"{vm['vmid']}"]] + if ip.version == 4 + ] + fqdn = f"{vm['name']}.pantheon.lab.mpgn.dev" + type_ = vm["type"] + + for ip in ipamIPs: + inventory[type_]["hosts"].append(fqdn) + inventory["_meta"]["hostvars"][fqdn] = { + "ansible_host": str(ip), + } + +print(json.dumps(inventory)) 
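Review bot: The final loop in proxmox-ipam-inventory.py appends `fqdn` to `inventory[type_]["hosts"]` once per IPv4 address and rewrites `hostvars[fqdn]` each time, so a VM with two IPv4 addresses is listed twice in its group and ends up with whichever address came last; choose one address before the loop, e.g. `if ipamIPs:` / `    inventory[type_]["hosts"].append(fqdn)` / `    inventory["_meta"]["hostvars"][fqdn] = {"ansible_host": str(ipamIPs[0])}`. Both `reqs.get(...)` calls have no `timeout=`, so an unreachable Proxmox API hangs every ansible invocation instead of failing fast. `def main(): pass` is dead and all the work runs at module level; moving it under `main()` with the usual `if __name__ == "__main__":` guard, as librenms-provision.py does, would also make the script importable for tests.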
diff --git a/kerberos.yml b/kerberos.yml
new file mode 100644
index 0000000..d78b4de
--- /dev/null
+++ b/kerberos.yml
@@ -0,0 +1,99 @@ +- hosts: vms + become: true + + tasks: + - name: Install required packages + ansible.builtin.apt: + pkg: + - krb5-user + - sssd-krb5 + - sssd-tools + - libsss-sudo + - ldap-utils + - libldap-common + + - name: Install sudo-ldap + apt: name=sudo-ldap state=present + environment: + SUDO_FORCE_REMOVE: "yes" + + - name: Configuring krb5.conf + when: inventory_hostname != "ldap.pantheon.lab.mpgn.dev" + template: + src: templates/etc/krb5.j2 + dest: /etc/krb5.conf + owner: root + group: root + mode: 0644 + + - name: Configuring ldap.conf + template: + src: templates/etc/ldap/ldap.conf.j2 + dest: /etc/ldap/ldap.conf + owner: root + group: root + mode: 0644 + + - name: Check that the keytab exists + stat: + path: /etc/krb5.keytab + register: keytab_exists + + - name: Generate kerberos keytab + when: not keytab_exists.stat.exists + shell: | + kadmin -p "{{ kerberos_user }}" -w "{{ kerberos_password }}" addprinc -x containerdn=ou=machines,dc=lab,dc=mpgn,dc=dev -randkey host/{{ inventory_hostname }}@LAB.MPGN.DEV + kadmin -p "{{ kerberos_user }}" -w "{{ kerberos_password }}" ktadd -k /etc/krb5.keytab host/{{ inventory_hostname }}@LAB.MPGN.DEV + chown root:root /etc/krb5.keytab + chmod 0600 /etc/krb5.keytab + + - name: Configuring sssd.conf + template: + src: templates/etc/sssd/sssd.conf.j2 + dest: /etc/sssd/sssd.conf + owner: root + group: root + mode: 0600 + + - name: Remove motd + ansible.builtin.file: + path: /etc/motd + state: absent + + - name: Edit /etc/nsswitch.conf to enable sss sudo + lineinfile: + path: /etc/nsswitch.conf + regexp: 'sudoers: files ldap' + line: 'sudoers: files sss' + backrefs: yes + + - name: Configuring /etc/ssh/sshd_config + template: + src: templates/etc/ssh/sshd_config.j2 + dest: /etc/ssh/sshd_config + owner: root + group: root + mode: 0644 + + - name: Configuring /etc/ssh/ssh_config.d/kerberos.conf + template: + src: templates/etc/ssh/ssh_config.d/kerberos.conf.j2 + dest: /etc/ssh/ssh_config.d/kerberos.conf + owner: root + 
group: root + mode: 0644 + + - name: Restart the ssh service + ansible.builtin.service: + name: "sshd" + state: restarted + enabled: true + + - name: Start and enable sssd + ansible.builtin.service: + name: "sssd" + state: restarted + enabled: true + + - name: Enable homedir + shell: pam-auth-update --enable mkhomedir
\ No newline at end of file
diff --git a/roles/requirements.yml b/roles/requirements.yml
new file mode 100644
index 0000000..313ad56
--- /dev/null
+++ b/roles/requirements.yml
@@ -0,0 +1,10 @@
+---
+- name: robertdebock.bootstrap
+- name: oefenweb.snmpd
+- name: oefenweb.apt
+- name: robertdebock.rsyslog
+- name: oefenweb.sysctl
+- name: ipr-cnrs.nftables
+ src: git@github.com:ipr-cnrs/nftables.git
+ scm: git
+ version: master
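Review bot: The `Generate kerberos keytab` task in kerberos.yml passes `kerberos_password` to `kadmin -w` on the command line inside a `shell:` block, so the admin password is visible in the VM's process list while kadmin runs and is echoed in the play output when the task fails; add `no_log: true` to the task and prefer a keytab-authenticated admin principal (`kadmin -k -t`) over `-w`. The two kadmin calls are also not atomic: if `addprinc` succeeds and `ktadd` fails, no keytab exists, so the next run re-enters the task and `addprinc` now fails because the principal already exists — guard the two steps separately or make `addprinc` tolerate an existing principal. Minor: `mode: 0644` / `mode: 0600` are unquoted octal literals (write `mode: "0644"` as host-security.yml does) and `backrefs: yes` should be `backrefs: true`. The hunk spans L45–L47.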
\ No newline at end of file
diff --git a/script/.gitignore b/script/.gitignore
new file mode 100644
index 0000000..4c49bd7
--- /dev/null
+++ b/script/.gitignore
@@ -0,0 +1 @@
+.env
diff --git a/script/example.env b/script/example.env
new file mode 100644
index 0000000..d796d72
--- /dev/null
+++ b/script/example.env
@@ -0,0 +1,2 @@
+LIBRENMS_API_KEY=yourapikey
+LIBRENMS_ENDPOINT=https://mylibrenms.fun
diff --git a/script/librenms-provision.py b/script/librenms-provision.py
new file mode 100755
index 0000000..fde3818
--- /dev/null
+++ b/script/librenms-provision.py
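Review bot: roles/requirements.yml pins nothing: the five Galaxy roles carry no `version:` and `ipr-cnrs.nftables` tracks `version: master` of a git remote, so `make ansible-galaxy-deps` (which runs `ansible-galaxy install ... --force`) pulls whatever is current at that moment and a broken or tampered upstream change lands on every VM and PVE host on the next run. Pin each entry to a release tag or commit (`version: "<tag-or-sha placeholder>"`) and bump deliberately. The `git@github.com:` form also needs an SSH key on the controller; the `https://` form of the same repository is enough for a read-only install.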
@@ -0,0 +1,139 @@
+#!/usr/bin/env python3
+
+import argparse
+import sys
+import requests
+import dotenv
+
+AUTH_ALGO = "-auth-algo"
+AUTH_NAME = "-auth-name"
+AUTH_SECRET = "-auth-secret"
+CRYPT_ALGO = "-crypto-algo"
+CRYPT_SECRET = "-crypto-secret"
+HOSTNAME = "-hostname"
+
+config = dotenv.dotenv_values()
+api_key = config["LIBRENMS_API_KEY"]
+LIBRENMS = config["LIBRENMS_ENDPOINT"]
+reqs = requests.Session()
+reqs.headers.update(
+ {"X-Auth-Token": api_key},
+)
+
+def main():
+ parser = argparse.ArgumentParser(sys.argv[0])
+ parser.add_argument(
+ AUTH_ALGO,
+ nargs=1,
+ type=str,
+ required=True,
+ help="The authentication algorithm to be used",
+ )
+ parser.add_argument(
+ AUTH_NAME,
+ nargs=1,
+ type=str,
+ required=True,
+ help="The authentication name to be used",
+ )
+ parser.add_argument(
+ AUTH_SECRET,
+ nargs=1,
+ type=str,
+ required=True,
+ help="The authentication secret to be used",
+ )
+ parser.add_argument(
+ CRYPT_ALGO,
+ nargs=1,
+ type=str,
+ required=True,
+ help="The authentication algorithm to be used",
+ )
+ parser.add_argument(
+ CRYPT_SECRET,
+ nargs=1,
+ type=str,
+ required=True,
+ help="The authentication secret to be used",
+ )
+ parser.add_argument(
+ HOSTNAME,
+ nargs=1,
+ type=str,
+ required=True,
+ help="The hostname of the device in librenms",
+ )
+
+ arguments = parser.parse_args()
+ arguments_dict = arguments.__dict__
+ get_value = lambda name: arguments_dict[name[1:].replace("-", "_")][0]
+
+ auth_algo = get_value(AUTH_ALGO)
+ auth_secret = get_value(AUTH_SECRET)
+ auth_name = get_value(AUTH_NAME)
+ crypto_algo = get_value(CRYPT_ALGO)
+ crypt_secret = get_value(CRYPT_SECRET)
+ hostname = get_value(HOSTNAME)
+
+ response = reqs.get(f"{LIBRENMS}/api/v0/devices/{hostname}")
+ response = response.json()
+ if response["status"] == "error":
+ print("Device doesn't exist, creating it.")
+ # the device doesn't exist
+ reqs.post(
+ f"{LIBRENMS}/api/v0/devices",
+ json={
+ "hostname": hostname,
+ "snmpver": "v3",
+ "authlevel": 
"authPriv",
+ "authname": auth_name,
+ "transport": "udp",
+ "authpass": auth_secret,
+ "authalgo": auth_algo,
+ "cryptopass": crypt_secret,
+ "cryptoalgo": crypto_algo,
+ "force_add": True,
+ },
+ ).raise_for_status()
+ elif response["status"] == "ok":
+ device = response["devices"][0]
+
+ is_different = (
+ device["authlevel"] != "authPriv"
+ or device["snmpver"] != "v3"
+ or device["authname"] != auth_name
+ or device["authpass"] != auth_secret
+ or device["authalgo"] != auth_algo
+ or device["cryptopass"] != crypt_secret
+ or device["cryptoalgo"] != crypto_algo
+ )
+
+ if is_different:
+ reqs.patch(
+ f"{LIBRENMS}/api/v0/devices/{hostname}",
+ json={
+ "field": [
+ "authlevel",
+ "snmpver",
+ "authname",
+ "authpass",
+ "authalgo",
+ "cryptopass",
+ "crytoalgo",
+ ],
+ "data": [
+ "authPriv",
+ "v3",
+ auth_name,
+ auth_secret,
+ auth_algo,
+ crypt_secret,
+ crypto_algo,
+ ],
+ },
+ ).raise_for_status()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/templates/etc/krb5.j2 b/templates/etc/krb5.j2
new file mode 100644
index 0000000..af18b6f
--- /dev/null
+++ b/templates/etc/krb5.j2
@@ -0,0 +1,16 @@
+[libdefaults]
+ default_realm = LAB.MPGN.DEV
+ kdc_timesync = 1
+ ccache_type = 4
+ forwardable = true
+ proxiable = true
+
+[realms]
+ LAB.MPGN.DEV = {
+ kdc = ldap.lab.mpgn.dev
+ admin_server = ldap.lab.mpgn.dev
+ }
+
+[domain_realm]
+ lab.mpgn.dev = LAB.MPGN.DEV
+ .lab.mpgn.dev = LAB.MPGN.DEV
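Review bot: In the PATCH body the `"field"` list spells the privacy-algorithm key as `"crytoalgo"` while the create call and the `is_different` comparison use `"cryptoalgo"`, so an existing device's crypto algorithm is never updated and the mismatch is re-detected on every run; change it to `"cryptoalgo",`. The preceding `reqs.get(...)` never calls `raise_for_status()` and none of the three requests sets a `timeout`, so a 401/5xx surfaces as a `KeyError` on `response["status"]` and a hung endpoint blocks forever; add `timeout=` to each call and check the status before `.json()`. The SNMPv3 authentication and privacy secrets are taken from command-line flags, which exposes them to every local user through the process list; reading them from the same `.env` file or from environment variables avoids that. The `device["authpass"] != auth_secret` comparison presumes the API returns stored secrets in clear — worth confirming, since a redacted value would make the script PATCH on every run.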
\ No newline at end of file
diff --git a/templates/etc/ldap/ldap.conf.j2 b/templates/etc/ldap/ldap.conf.j2
new file mode 100644
index 0000000..fb0bff8
--- /dev/null
+++ b/templates/etc/ldap/ldap.conf.j2
@@ -0,0 +1,2 @@
+BASE dc=lab,dc=mpgn,dc=dev
+URI ldap://ldap.lab.mpgn.dev
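Review bot: `forwardable = true` and `proxiable = true` in `[libdefaults]` mark every TGT obtained on these hosts as forwardable and proxiable, although nothing in this commit uses proxy tickets, and the ssh client drop-in added alongside delegates credentials to every host. Drop `proxiable = true`, and consider leaving `forwardable` at its default and enabling it only for the hosts that actually need delegation. `kdc_timesync = 1` and `ccache_type = 4` are the MIT defaults and can go as well, with a comment stating the realm's KDC and admin server are co-located on `ldap.lab.mpgn.dev`.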
\ No newline at end of file
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
new file mode 100644
index 0000000..ae5a516
--- /dev/null
+++ b/templates/etc/nftables.conf.j2
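Review bot: `URI ldap://ldap.lab.mpgn.dev` points ldap-utils at the plaintext port while the sssd template in this commit uses `ldaps://` for the same server, so `ldapsearch`/`ldapmodify` run from these VMs bind in clear unless the caller remembers `-ZZ`. Use `URI ldaps://ldap.lab.mpgn.dev` and add `TLS_CACERT` pointing at the lab CA bundle plus `TLS_REQCERT demand` so the server certificate is actually verified rather than only encrypted against.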
@@ -0,0 +1,64 @@
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
+#!{{ nft__bin_location }} -f
+{{ ansible_managed | comment }}
+{% set globalmerged = nft_global_default_rules.copy() %}
+{% set _ = globalmerged.update(nft_global_rules) %}
+{% set _ = globalmerged.update(nft_global_group_rules) %}
+{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules is defined%}
+ {% set _ = globalmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules) %}
+{% endif %}
+{% set _ = globalmerged.update(nft_global_host_rules) %}
+
+# clean
+table {{ nft_flush_table_target }}
+flush table {{ nft_flush_table_target }}
+
+include "{{ nft_define_conf_path }}"
+
+table inet filter {
+ chain global {
+{% for group, rules in globalmerged|dictsort %}
+ # {{ group }}
+ {% if not rules %}
+ # (none)
+ {% endif %}
+ {% for rule in rules %}
+ {{ rule }}
+ {% endfor %}
+{% endfor %}
+ }
+ include "{{ nft_conntrack_conf_path }}"
+ include "{{ nft_set_conf_path }}"
+ include "{{ nft_input_conf_path }}"
+ include "{{ nft_output_conf_path }}"
+{% if nft__forward_table_manage %}
+ include "{{ nft_forward_conf_path }}"
+{% endif %}
+{% if nft__mangle_table_manage %}
+ include "{{ nft_mangle_conf_path }}"
+{% endif %}
+{% if nft_custom_includes | default() %}
+ {% if nft_custom_includes is string %}
+ include "{{ nft_custom_includes }}"
+ {% elif nft_custom_includes is iterable and (nft_custom_includes is not string and nft_custom_includes is not mapping) %}
+ {% for include in nft_custom_includes %}
+ include "{{ include }}"
+ {% endfor %}
+ {% endif %}
+{% endif %}
+}
+
+{% if nft__nat_table_manage %}
+# Additionnal table for Network Address Translation (NAT)
+table ip nat {
+ include "{{ nft_conntrack_conf_path }}"
+ include "{{ nft_set_conf_path }}"
+ include "{{ nft__nat_prerouting_conf_path }}"
+ include "{{ nft__nat_postrouting_conf_path }}"
+}
+{% endif %}
+
+{% if nft__custom_content|d() %}
+# Custom content 
from ipr-cnrs.nftables
+{{ nft__custom_content }}
+{% endif %}
diff --git a/templates/etc/ssh/ssh_config.d/kerberos.conf.j2 b/templates/etc/ssh/ssh_config.d/kerberos.conf.j2
new file mode 100644
index 0000000..b7c3dda
--- /dev/null
+++ b/templates/etc/ssh/ssh_config.d/kerberos.conf.j2
@@ -0,0 +1,5 @@
+Host *
+ SendEnv LANG LC_*
+ HashKnownHosts yes
+ GSSAPIAuthentication yes
+ GSSAPIDelegateCredentials yes
diff --git a/templates/etc/ssh/sshd_config.j2 b/templates/etc/ssh/sshd_config.j2
new file mode 100644
index 0000000..7036710
--- /dev/null
+++ b/templates/etc/ssh/sshd_config.j2
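Review bot: `GSSAPIDelegateCredentials yes` under `Host *` forwards the user's TGT to every SSH server reached from these VMs, so any host they log into — including one outside the realm or one already compromised — ends up holding a usable copy of their Kerberos credentials. Keep `GSSAPIAuthentication yes` global but restrict delegation to the realm, e.g. a `Host *.lab.mpgn.dev` stanza carrying `GSSAPIDelegateCredentials yes` and a `Host *` stanza without it. Since this file lands in `/etc/ssh/ssh_config.d/` it governs outbound connections made from the VM rather than sshd, which is worth saying in a leading comment such as `# client-side GSSAPI settings; delegation is intentionally limited to the realm`.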
@@ -0,0 +1,125 @@
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here! 
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+KerberosAuthentication yes
+#KerberosOrLocalPasswd yes
+KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+
+Ciphers aes256-gcm@openssh.com
+KexAlgorithms curve25519-sha256
+MACs hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
\ No newline at end of file
diff --git a/templates/etc/sssd/sssd.conf.j2 b/templates/etc/sssd/sssd.conf.j2
new file mode 100644
index 0000000..9dbdfbb
--- /dev/null
+++ b/templates/etc/sssd/sssd.conf.j2
@@ -0,0 +1,39 @@
+[sssd]
+config_file_version = 2
+domains = lab.mpgn.dev
+services = nss, pam, autofs, sudo
+full_name_format = %1$s
+
+[nss]
+
+[pam]
+
+[sudo]
+
+[domain/lab.mpgn.dev]
+id_provider = ldap
+auth_provider = krb5
+sudo_provider = ldap
+chpass_provider = krb5
+resolver_provider = ldap
+
+cache_credentials = True
+ldap_uri = ldaps://ldap.lab.mpgn.dev
+ldap_search_base = dc=lab,dc=mpgn,dc=dev
+ldap_sasl_mech = gssapi
+
+ldap_user_search_base = ou=users,dc=lab,dc=mpgn,dc=dev
+ldap_group_search_base = ou=groups,dc=lab,dc=mpgn,dc=dev
+ldap_group_nesting_level = 10
+ldap_sudo_search_base = ou=sudo,dc=lab,dc=mpgn,dc=dev
+
+krb5_server = ldap.lab.mpgn.dev
+krb5_kpasswd = ldap.lab.mpgn.dev
+krb5_realm = LAB.MPGN.DEV
+
+access_provider = permit
+krb5_validate = True
+override_homedir = /home/%u
+default_shell = /bin/bash
+
+enumerate = true
diff --git a/templates/proxmox_sources.j2 b/templates/proxmox_sources.j2
new file mode 100644
index 0000000..1e19eac
--- /dev/null
+++ b/templates/proxmox_sources.j2
@@ -0,0 +1,6 @@
+{{ ansible_managed | comment }}
+deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
+deb http://debian.mithril.re/debian bookworm main
+deb https://security.debian.org/debian-security bookworm-security main
+deb http://debian.mithril.re/debian bookworm-updates main
+deb http://debian.mithril.re/debian bookworm contrib non-free non-free-firmware |
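Review bot: `PasswordAuthentication` is left at its commented default of `yes` together with `UsePAM yes`, so every VM still accepts password logins for any directory account despite the GSSAPI setup, and because `Include /etc/ssh/sshd_config.d/*.conf` sits at the top and sshd keeps the first value seen for each keyword, a distro drop-in can also pin it before this file's own settings. Set `PasswordAuthentication no` explicitly (and `PermitRootLogin no` unless root over SSH is needed), or move the `Include` below the hardening lines so they win. `X11Forwarding yes` is enabled on what look like headless lab VMs and can be dropped; the `Ciphers`/`KexAlgorithms`/`MACs` restrictions at the end are a good addition and deserve a comment naming the policy they follow.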
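Review bot: `access_provider = permit` lets every account under `ou=users` log in to every VM that receives this template, so host access is gated only by whether an account exists in the directory. Use `access_provider = simple` with `simple_allow_groups = <group>` (or `access_provider = ldap` with an `ldap_access_filter`) to scope logins per host group. `enumerate = true` also hands the full user and group list to any local process via `getent` and is rarely needed on servers; drop it unless something depends on it. `krb5_validate = True` is the right call since the playbook in this commit provisions a host keytab, and `cache_credentials = True` keeps password hashes on disk for offline logins, which is fine if that is intended but worth a comment.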
