Plein de modif de partout pour être certain que ça va bien se passer lors des différentes màj des playbooks qui vont bien

2024-07-05 11:53:04 +02:00
parent cb25dc05ef
commit ccb15983b1
28 changed files with 130 additions and 176 deletions
--- a/bittorrent.yml
+++ b/bittorrent.yml
@@ -1,3 +1,4 @@
 - hosts: transmission
  diff: yes
  roles:
    - bittorrent
--- a/borgbackup.yml
+++ b/borgbackup.yml
@@ -1,9 +1,12 @@
 - hosts: borgbackup
  diff: yes
  roles:
      - borgbackup
 - hosts: borg_client
  diff: yes
  roles:
      - borg-client
 - hosts: borg_server
  diff: yes
  roles:
      - borg-server
--- a/docker.yml
+++ b/docker.yml
@@ -1,3 +1,4 @@
 - hosts: dockerservers
  diff: yes
  roles:
      - docker
--- a/firewall.yml
+++ b/firewall.yml
@@ -1,5 +1,6 @@
 - hosts: all:!baybay-ponay.mateu.be:!machinbox.mateu.be:!muse-macbookair.lan
  tasks: []
 - hosts: router
  diff: yes
  roles:
      - firewall
--- a/icecast2.yml
+++ b/icecast2.yml
@@ -1,3 +1,4 @@
 - hosts: icecastservers
  diff: yes
  roles:
      - icecast2
--- a/loadbalancinghttp.yml
+++ b/loadbalancinghttp.yml
@@ -1,3 +1,4 @@
 - hosts: loadbalancers
  diff: yes
  roles:
    - haproxy
--- a/mail.yml
+++ b/mail.yml
@@ -1,4 +1,5 @@
 - hosts: mailservers
  diff: yes
  roles:
      - postfix
      - dovecot
--- a/mariadb.yml
+++ b/mariadb.yml
@@ -1,3 +1,4 @@
 - hosts: mariadbservers
  diff: yes
  roles:
      - mariadb
--- a/mumble.yml
+++ b/mumble.yml
@@ -1,3 +1,4 @@
 - hosts: mumbleservers
  diff: yes
  roles:
      - mumble
--- a/munin.yml
+++ b/munin.yml
@@ -1,7 +1,9 @@
 - hosts: all:!baybay-ponay.mateu.be:!muse-macbookair.lan
  diff: yes
  roles:
      - munin-client
 - hosts: muninservers
  diff: yes
  roles:
      - munin-server
--- a/nut.yml
+++ b/nut.yml
@@ -1,6 +1,8 @@
 - hosts: nut_client
  diff: yes
  roles:
      - nut-client
 - hosts: nut_server
  diff: yes
  roles:
      - nut-server
--- a/pgsql.yml
+++ b/pgsql.yml
@@ -1,3 +1,4 @@
 - hosts: pgsqlservers
  diff: yes
  roles:
      - postgres
--- a/php.yml
+++ b/php.yml
@@ -1,3 +1,4 @@
 - hosts: phpservers
  diff: yes
  roles:
    - php
--- a/roles/firewall/templates/firewall.j2
+++ b/roles/firewall/templates/firewall.j2
@@ -2,7 +2,7 @@
 config rule
 	option name 'Allow-DHCP-Renew'
 	option src 'wan'
-	option proto 'udp'
+	list proto 'udp'
 	option dest_port '68'
 	option target 'ACCEPT'
 	option family 'ipv4'
@@ -10,7 +10,7 @@ config rule
 config rule
 	option name 'Allow-Ping'
 	option src 'wan'
-	option proto 'icmp'
+	list proto 'icmp'
 	option icmp_type 'echo-request'
 	option target 'ACCEPT'
 	option family 'ipv4'
@@ -20,7 +20,7 @@ config rule
 	option src 'wan'
 	option src_ip 'fe80::/10'
 	option src_port '547'
-	option proto 'udp'
+	list proto 'udp'
 	option dest_ip 'fe80::/10'
 	option dest_port '546'
 	option target 'ACCEPT'
@@ -29,7 +29,7 @@ config rule
 config rule
 	option name 'Allow-ICMPv6-Input'
 	option src 'wan'
-	option proto 'icmp'
+	list proto 'icmp'
 	list icmp_type 'echo-request'
 	list icmp_type 'echo-reply'
 	list icmp_type 'destination-unreachable'
@@ -49,7 +49,7 @@ config rule
 	option name 'Allow-ICMPv6-Forward'
 	option src 'wan'
 	option dest '*'
-	option proto 'icmp'
+	list proto 'icmp'
 	list icmp_type 'echo-request'
 	list icmp_type 'echo-reply'
 	list icmp_type 'destination-unreachable'
@@ -61,25 +61,32 @@ config rule
 	option family 'ipv6'
 	option limit '1000/sec'
 config rule
 	option name 'Allow-INPUT-SSH'
 	option src 'wan'
 	list proto 'tcp'
 	option dest_port '22'
 	option target 'ACCEPT'
 ### DMZ Rules
 ## General Rules
 # ICMP
 config rule
 	option name 'Allow-ICMP'
 	option dest 'dmz'
-	option proto 'icmp'
+	list proto 'icmp'
 	option target 'ACCEPT'
 config rule
 	option name 'Allow-ICMP'
 	option src 'dmz'
-	option proto 'icmp'
+	list proto 'icmp'
 	option target 'ACCEPT'
 config rule
 	option name 'Allow-ICMP'
 	option src 'dmz'
-	option proto 'icmp'
+	list proto 'icmp'
 	option dest '*'
 	option target 'ACCEPT'
@@ -88,23 +95,42 @@ config rule
 	option name 'Allow-DMZ-DHCP'
 	option dest 'dmz'
 	option dest_port '67-68'
-	option proto 'tcpudp'
+	list proto 'tcp'
 	list proto 'udp'
 	option target 'ACCEPT'
 	option family 'ipv4'
 config rule
 	option name 'Allow-DMZ-DHCP'
 	option src 'dmz'
-	option proto 'tcpudp'
+	list proto 'tcp'
 	list proto 'udp'
 	option dest_port '67-68'
 	option target 'ACCEPT'
 	option family 'ipv4'
 # SSH rules
 config rule
 	option name 'Allow-DMZ-SSH'
 	option dest 'dmz'
 	list proto 'tcp'
 	option dest_port '22'
 	option target 'ACCEPT'
 config rule
 	option name 'Allow-DMZ-Syslog'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['syslog.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '514'
 	list proto 'udp'
 	option target 'ACCEPT'
 # DNS Resolution
 config rule
 	option name 'Allow-INPUT-DNS'
 	option src 'dmz'
-	option proto 'tcpudp'
+	list proto 'tcp'
 	list proto 'udp'
 	option dest_port '53'
 	option target 'ACCEPT'
 	option family 'ipv4'
@@ -113,7 +139,7 @@ config rule
 config rule
 	option name 'Allow-OUTPUT-NTP'
 	option src 'dmz'
-	option proto 'udp'
+	list proto 'udp'
 	option dest 'wan'
 	option dest_port '123'
 	option target 'ACCEPT'
@@ -122,7 +148,8 @@ config rule
 config rule
 	option name 'Allow-OUTPUT-Web'
 	option src 'dmz'
-	option proto 'tcpudp'
+	list proto 'tcp'
 	list proto 'udp'
 	option dest 'wan'
 	option dest_port '80 443'
 	option target 'ACCEPT'
@@ -131,7 +158,7 @@ config rule
 config rule
 	option name 'Allow-INPUT-SSH'
 	option src 'wan'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'dmz'
 	option dest_port '22'
 	option target 'ACCEPT'
@@ -143,7 +170,8 @@ config redirect
 	option name 'Allow-INPUT-v4-HTTP'
 	option src 'wan'
 	option src_dport '80'
-	option proto 'tcpudp'
+	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['haproxy.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '80'
@@ -153,7 +181,8 @@ config redirect
 	option name 'Allow-INPUT-v4-HTTPS'
 	option src 'wan'
 	option src_dport '443'
-	option proto 'tcpudp'
+	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['haproxy.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '443'
@@ -164,7 +193,8 @@ config redirect
 config rule
 	option name 'Allow-INPUT-{{ host }}-Web'
 	option src 'wan'
-	option proto 'tcpudp'
+	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
 	option dest_port '80 443'
@@ -177,7 +207,8 @@ config rule
 	option name 'Allow-OUTPUT-BT'
 	option src 'dmz'
 	option src_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
-	option proto 'tcpudp'
+	list proto 'tcp'
 	list proto 'udp'
 	option dest 'wan'
 	option target 'ACCEPT'
 	option family 'ipv4'
@@ -186,7 +217,8 @@ config rule
 	option name 'Allow-OUTPUT-BT'
 	option src 'dmz'
 	option src_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
-	option proto 'tcpudp'
+	list proto 'tcp'
 	list proto 'udp'
 	option dest 'wan'
 	option target 'ACCEPT'
 	option family 'ipv6'
@@ -194,7 +226,8 @@ config rule
 config rule
 	option name 'Allow-INPUT-BT'
 	option src 'wan'
-	option proto 'tcpudp'
+	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
 	option dest_port '10010'
@@ -205,7 +238,8 @@ config redirect
 	option name 'Allow-INPUT-BT'
 	option src 'wan'
 	option src_dport '10010'
-	option proto 'tcpudp'
+	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '10010'
@@ -216,7 +250,7 @@ config redirect
 config rule
 	option name 'Allow-INPUT-ProxmoxVE-{{ hostvars[host]['ansible_hostname'] }}'
 	option src 'wan'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
 	option dest_port '8006'
@@ -229,7 +263,8 @@ config rule
 	option name 'Allow-OUTPUT-XMPP-s2s'
 	option src 'dmz'
 	option src_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv4']['address']}}'
-	option proto 'tcpudp'
+	list proto 'tcp'
 	list proto 'udp'
 	option dest 'wan'
 	option dest_port '5269'
 	option target 'ACCEPT'
@@ -239,7 +274,8 @@ config rule
 	option name 'Allow-OUTPUT-XMPP-s2s'
 	option src 'dmz'
 	option src_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
-	option proto 'tcpudp'
+	list proto 'tcp'
 	list proto 'udp'
 	option dest 'wan'
 	option dest_port '5269'
 	option target 'ACCEPT'
@@ -249,7 +285,8 @@ config redirect
 	option name 'Allow-INPUT-XMPP-c2s'
 	option src 'wan'
 	option src_dport '5222'
-	option proto 'tcpudp'
+	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '5222'
@@ -259,7 +296,8 @@ config redirect
 	option name 'Allow-INPUT-XMPP-s2s'
 	option src 'wan'
 	option src_dport '5269'
-	option proto 'tcpudp'
+	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '5269'
@@ -268,7 +306,8 @@ config redirect
 config rule
 	option name 'Allow-INPUT-XMPP-c2s+s2s'
 	option src 'wan'
-	option proto 'tcpudp'
+	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
 	option dest_port '5222 5269'
@@ -279,7 +318,8 @@ config rule
 config rule
 	option name 'Allow-INPUT-mumble'
 	option src 'wan'
-	option proto 'tcpudp'
+	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['voice1.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
 	option dest_port '64738'
@@ -290,7 +330,8 @@ config redirect
 	option name 'Allow-INPUT-mumble'
 	option src 'wan'
 	option src_dport '64738'
-	option proto 'tcpudp'
+	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['voice1.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '64738'
@@ -301,7 +342,7 @@ config rule
 	option name 'Allow-OUTPUT-SMTP'
 	option src 'dmz'
 	option src_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'wan'
 	option dst_port '25'
 	option target 'ACCEPT'
@@ -310,7 +351,7 @@ config rule
 config rule
 	option name 'Allow-INPUT-SMTP+SMTPS+SUBMISSION'
 	option src 'wan'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
 	option dest_port '25 465 587'
@@ -320,7 +361,7 @@ config rule
 config rule
 	option name 'Allow-INPUT-IMAP+IMAPS'
 	option src 'wan'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
 	option dest_port '143 993'
@@ -331,7 +372,7 @@ config redirect
 	option name 'Allow-INPUT-SMTP'
 	option src 'wan'
 	option src_dport '25'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '25'
@@ -341,7 +382,7 @@ config redirect
 	option name 'Allow-INPUT-SMTPS'
 	option src 'wan'
 	option src_dport '465'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '465'
@@ -351,7 +392,7 @@ config redirect
 	option name 'Allow-INPUT-SUBMISSION'
 	option src 'wan'
 	option src_dport '587'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '587'
@@ -361,7 +402,7 @@ config redirect
 	option name 'Allow-INPUT-IMAP'
 	option src 'wan'
 	option src_dport '143'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '143'
@@ -371,7 +412,7 @@ config redirect
 	option name 'Allow-INPUT-IMAPS'
 	option src 'wan'
 	option src_dport '993'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'lan'
 	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '993'
@@ -382,7 +423,7 @@ config rule
 	option name 'Allow-INPUT-Munin'
 	option src 'dmz'
 	option src_ip '{{ hostvars['munin.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest_port '4949'
 	option target 'ACCEPT'
 	option family 'ipv4'
--- a/roles/mariadb/files/50-server.cnf
+++ b/roles/mariadb/files/50-server.cnf
@@ -1,137 +0,0 @@
 #
 # These groups are read by MariaDB server.
 # Use it for options that only the server (but not clients) should see
 #
 # See the examples of server my.cnf files in /usr/share/mysql
 # this is read by the standalone daemon and embedded servers
 [server]
 # this is only for the mysqld standalone daemon
 [mysqld]
 #
 # * Basic Settings
 #
 user                    = mysql
 pid-file                = /run/mysqld/mysqld.pid
 socket                  = /run/mysqld/mysqld.sock
 #port                   = 3306
 basedir                 = /usr
 datadir                 = /srv/mysql
 tmpdir                  = /tmp
 lc-messages-dir         = /usr/share/mysql
 default-storage-engine  = InnoDB
 #skip-external-locking
 # Instead of skip-networking the default is now to listen only on
 # localhost which is more compatible and is not less secure.
 bind-address            = 127.0.0.1
 #
 # * Fine Tuning
 #
 key_buffer_size        = 32M
 max_allowed_packet     = 64M
 thread_stack           = 256K
 thread_cache_size      = 8
 # This replaces the startup script and checks MyISAM tables if needed
 # the first time they are touched
 myisam_recover_options = BACKUP
 #max_connections        = 100
 #table_cache            = 64
 #thread_concurrency     = 10
 #
 # * Query Cache Configuration
 #
 query_cache_limit       = 16M
 query_cache_size        = 64M
 #
 # * Logging and Replication
 #
 # Both location gets rotated by the cronjob.
 # Be aware that this log type is a performance killer.
 # As of 5.1 you can enable the log at runtime!
 #general_log_file       = /var/log/mysql/mysql.log
 #general_log            = 1
 #
 # Error log - should be very few entries.
 #
 log_error = /var/log/mysql/error.log
 #
 # Enable the slow query log to see queries with especially long duration
 #slow_query_log_file    = /var/log/mysql/mariadb-slow.log
 #long_query_time        = 10
 #log_slow_rate_limit    = 1000
 #log_slow_verbosity     = query_plan
 #log-queries-not-using-indexes
 #
 # The following can be used as easy to replay backup logs or for replication.
 # note: if you are setting up a replication slave, see README.Debian about
 #       other settings you may need to change.
 #server-id              = 1
 #log_bin                = /var/log/mysql/mysql-bin.log
 expire_logs_days        = 10
 max_binlog_size        = 100M
 #binlog_do_db           = include_database_name
 #binlog_ignore_db       = exclude_database_name
 #
 # * Security Features
 #
 # Read the manual, too, if you want chroot!
 #chroot = /srv/mysql/
 #
 # For generating SSL certificates you can use for example the GUI tool "tinyca".
 #
 #ssl-ca = /etc/mysql/cacert.pem
 #ssl-cert = /etc/mysql/server-cert.pem
 #ssl-key = /etc/mysql/server-key.pem
 #
 # Accept only connections using the latest and most secure TLS protocol version.
 # ..when MariaDB is compiled with OpenSSL:
 #ssl-cipher = TLSv1.2
 # ..when MariaDB is compiled with YaSSL (default in Debian):
 #ssl = on
 #
 # * Character sets
 #
 # MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
 # utf8 4-byte character set. See also client.cnf
 #
 character-set-server  = utf8mb4
 collation-server      = utf8mb4_general_ci
 #
 # * InnoDB
 #
 # InnoDB is enabled by default with a 10MB datafile in /srv/mysql/.
 # Read the manual for more InnoDB related options. There are many!
 innodb_file_per_table
 innodb_data_file_path=ibdata1:10M:autoextend
 #
 # * Unix socket authentication plugin is built-in since 10.0.22-6
 #
 # Needed so the root database user can authenticate without a password but
 # only when running as the unix root user.
 #
 # Also available for other users if required.
 # See https://mariadb.com/kb/en/unix_socket-authentication-plugin/
 # this is only for embedded server
 [embedded]
 # This group is only read by MariaDB servers, not by MySQL.
 # If you use the same .cnf file for MySQL and MariaDB,
 # you can put MariaDB-only options here
 [mariadb]
 # This group is only read by MariaDB-10.3 servers.
 # If you use the same .cnf file for MariaDB of different versions,
 # use this group for options that older servers don't understand
 [mariadb-10.3]
--- a/roles/mariadb/files/override.conf
+++ b/roles/mariadb/files/override.conf
@@ -0,0 +1,2 @@
 [Service]
 LimitNOFILE=infinity
--- a/roles/mariadb/handlers/main.yml
+++ b/roles/mariadb/handlers/main.yml
@@ -2,3 +2,6 @@
  service:
      name: mariadb
      state: restarted
 - name: daemon-reload
  command: systemctl daemon-reload
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -72,6 +72,20 @@
      - "mysql -e \"FLUSH PRIVILEGES;\""
      - touch ~/mysql_secure_installation
 - name: Create MariaDB service dir
  file:
    path: /etc/systemd/system/mariadb.service.d/
    state: directory
    mode: 0755
 - name: Create MariaDB service override
  copy:
    src: files/override.conf
    dest: /etc/systemd/system/mariadb.service.d/override.conf
  notify:
    - restart mariadb
    - daemon-reload
 - name: install backup script
  copy:
      src: files/backup_mysql.sh
--- a/roles/spamassassin/files/local.cf
+++ b/roles/spamassassin/files/local.cf
@@ -97,6 +97,7 @@ score		LOCAL_BITCOIN	10.0
 whitelist_from *@chichiclothing.com
 # Blacklist manuel
 blacklist_from *@sintoskym.es
 blacklist_from *@comention.ch
 blacklist_from *@tipontale.it
 blacklist_from *@totalshape.com
--- a/roles/system/files/ssh/work.id_rsa.pub
+++ b/roles/system/files/ssh/work.id_rsa.pub
@@ -1 +1 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzxdkNy1r7j79Lv9OdKHvpNr1LmHOz6np0w8JGH63kH/1y330aRu4p90mf4QZrnPsUx1nYUKWgaR5XNka3OOgh9/r8bskymteIPnx88oSG+c8bEowwNbevA8JURRh7FG/jWuclyngQW0nuplZgaCB6GuA68nYQSnFTw1xHg7Qbx7wukrsZz0dIDOTFUIcNRBabzjchP8vyDDB1jPw5ghK7VxTDSx8I6H+BhJydsCz1TJqvWvc8Z3X9yH5/OXp26rpSFkhCyDxV//9XXZvCsqjmz3KRvN0IwLMgQZZkDyDORunEg+OpSES++n0FN85tyf1BT6y8P5CcrJWMnS3fMJib
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDkSaRN59sJo1ncJekhBpRjn5NzeHa+VJpT1M/3ypmRtDbkRz6GOFArOL0yPVnHhLNuO/9gueBGB0MNnt7+2be5S5XfsiNHXMB5D+omgH+nu1DR773Rm65SdduLShW8bIyg37WMP5sssi9C5uYr5QJcgrKzYDf715HQazvcKD0zdYJWKd/AwbsuouB2FzTMNxv1nmH6DiPFmTzlVei/HN1CHapQPPGnsNyG3JdaS6aUC88HpYrX/ALOEPsrsdc5HXtuCM+qkCHNHtejBhEniKcBj2ijJa8j9z+FUenNtIIIkDw1SfjzmH/1pmd9HOQlLaahiwBpbZ93mvBk0QoxvRGMjPdhPsVfbJk4NJceCv6FUrsfNa2kMHKCGd7KY6DLo1nUg6EBuYM3KxBp/ZWdMdFlnYLst2kDHNikbO8TzK4aU/9XZhmclwbsAVDQM8GDZvf1el+nN/qQr8WlxFBOSmqPqFQfpxBJgS8oJmCK+42IQcr+YSk+8or0OhI4jnOTlaM= cveret@scaleway.com
--- a/roles/system/files/ssh/work_old.id_rsa.pub
+++ b/roles/system/files/ssh/work_old.id_rsa.pub
@@ -0,0 +1 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzxdkNy1r7j79Lv9OdKHvpNr1LmHOz6np0w8JGH63kH/1y330aRu4p90mf4QZrnPsUx1nYUKWgaR5XNka3OOgh9/r8bskymteIPnx88oSG+c8bEowwNbevA8JURRh7FG/jWuclyngQW0nuplZgaCB6GuA68nYQSnFTw1xHg7Qbx7wukrsZz0dIDOTFUIcNRBabzjchP8vyDDB1jPw5ghK7VxTDSx8I6H+BhJydsCz1TJqvWvc8Z3X9yH5/OXp26rpSFkhCyDxV//9XXZvCsqjmz3KRvN0IwLMgQZZkDyDORunEg+OpSES++n0FN85tyf1BT6y8P5CcrJWMnS3fMJib
--- a/roles/system/tasks/sshd.yml
+++ b/roles/system/tasks/sshd.yml
@@ -16,3 +16,9 @@
      user: root
      state: present
      key: "{{ lookup('file', 'ssh/work.id_rsa.pub') }}"
 - name: remove old work key
  authorized_key:
    user: root
    state: absent
    key: "{{ lookup('file', 'ssh/work_old.id_rsa.pub')}}"
--- a/smtprelay.yml
+++ b/smtprelay.yml
@@ -1,3 +1,4 @@
 - hosts: all:!baybay-ponay.mateu.be:!machinbox.mateu.be:!mail.dmz.mateu.be:!muse-macbookair.lan
  diff: yes
  roles:
    - smtprelay
--- a/syslog.yml
+++ b/syslog.yml
@@ -1,3 +1,4 @@
 - hosts: all:!baybay-ponay.mateu.be:!machinbox.mateu.be:!muse-macbookair.lan
  diff: yes
  roles:
      - rsyslog
--- a/system.yml
+++ b/system.yml
@@ -1,4 +1,5 @@
 - hosts: all:!baybay-ponay.mateu.be:!machinbox.mateu.be:!muse-macbookair.lan
  diff: yes
  roles:
    - system
    - x509
--- a/unifi.yml
+++ b/unifi.yml
@@ -1,3 +1,4 @@
 - hosts: unifiservers
  diff: yes
  roles:
    - unifi
--- a/webservers.yml
+++ b/webservers.yml
@@ -1,4 +1,5 @@
 - hosts: webservers
  diff: yes
  roles:
    - nginx
    - webapps
--- a/xmpp.yml
+++ b/xmpp.yml
@@ -1,3 +1,4 @@
 - hosts: xmppservers
  diff: yes
  roles:
      - xmpp
`@@ -1 +1 @@`
	`ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzxdkNy1r7j79Lv9OdKHvpNr1LmHOz6np0w8JGH63kH/1y330aRu4p90mf4QZrnPsUx1nYUKWgaR5XNka3OOgh9/r8bskymteIPnx88oSG+c8bEowwNbevA8JURRh7FG/jWuclyngQW0nuplZgaCB6GuA68nYQSnFTw1xHg7Qbx7wukrsZz0dIDOTFUIcNRBabzjchP8vyDDB1jPw5ghK7VxTDSx8I6H+BhJydsCz1TJqvWvc8Z3X9yH5/OXp26rpSFkhCyDxV//9XXZvCsqjmz3KRvN0IwLMgQZZkDyDORunEg+OpSES++n0FN85tyf1BT6y8P5CcrJWMnS3fMJib`	ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDkSaRN59sJo1ncJekhBpRjn5NzeHa+VJpT1M/3ypmRtDbkRz6GOFArOL0yPVnHhLNuO/9gueBGB0MNnt7+2be5S5XfsiNHXMB5D+omgH+nu1DR773Rm65SdduLShW8bIyg37WMP5sssi9C5uYr5QJcgrKzYDf715HQazvcKD0zdYJWKd/AwbsuouB2FzTMNxv1nmH6DiPFmTzlVei/HN1CHapQPPGnsNyG3JdaS6aUC88HpYrX/ALOEPsrsdc5HXtuCM+qkCHNHtejBhEniKcBj2ijJa8j9z+FUenNtIIIkDw1SfjzmH/1pmd9HOQlLaahiwBpbZ93mvBk0QoxvRGMjPdhPsVfbJk4NJceCv6FUrsfNa2kMHKCGd7KY6DLo1nUg6EBuYM3KxBp/ZWdMdFlnYLst2kDHNikbO8TzK4aU/9XZhmclwbsAVDQM8GDZvf1el+nN/qQr8WlxFBOSmqPqFQfpxBJgS8oJmCK+42IQcr+YSk+8or0OhI4jnOTlaM= cveret@scaleway.com
		`@@ -0,0 +1 @@`
							`ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzxdkNy1r7j79Lv9OdKHvpNr1LmHOz6np0w8JGH63kH/1y330aRu4p90mf4QZrnPsUx1nYUKWgaR5XNka3OOgh9/r8bskymteIPnx88oSG+c8bEowwNbevA8JURRh7FG/jWuclyngQW0nuplZgaCB6GuA68nYQSnFTw1xHg7Qbx7wukrsZz0dIDOTFUIcNRBabzjchP8vyDDB1jPw5ghK7VxTDSx8I6H+BhJydsCz1TJqvWvc8Z3X9yH5/OXp26rpSFkhCyDxV//9XXZvCsqjmz3KRvN0IwLMgQZZkDyDORunEg+OpSES++n0FN85tyf1BT6y8P5CcrJWMnS3fMJib`